The VSA zero-day vulnerabilities were used by the REvil ransomware gang to attack MSPs and their clients, and Kaseya has published security patches for them.
Kaseya VSA is a remote management and monitoring solution that managed service companies typically used to manage their customers. MSPs can either install VSA on their own servers or use Kaseya’s cloud-based SaaS service.
Kaseya was notified of seven vulnerabilities by the Dutch Institute for Vulnerability Disclosure (DIVD) in April:
- CVE-2021-30116 – A credentials leak and business logic flaw, to be included in 9.5.7
- CVE-2021-30117 – An SQL injection vulnerability, resolved in May 8th patch.
- CVE-2021-30118 – A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
- CVE-2021-30119 – A Cross Site Scripting vulnerability, to be included in 9.5.7
- CVE-2021-30120 – 2FA bypass, to be resolved in v9.5.7
- CVE-2021-30121 – A Local File Inclusion vulnerability, resolved in May 8th patch.
- CVE-2021-30201 – A XML External Entity vulnerability, resolved in May 8th patch.
Kaseya implemented patches for the majority of the vulnerabilities on their VSA SaaS service, but the patches for the on-premise version of VSA were not completed.
The REvil ransomware gang used these flaws to execute a major attack against around 60 MSPs and 1,500 business clients using on-premise VSA servers.
Although the exact vulnerabilities exploited in the attack are unknown, it is thought that one or more of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120 were used.
Kaseya has advised on-premise VSA customers to turn off their servers until a patch is available.
Kaseya has issued the VSA 9.5.7a (9.5.7.2994) update to patch the vulnerabilities exploited in the REvil ransomware attack, almost 10 days after the attacks began.
Kaseya has fixed the following vulnerabilities in its most recent security update:
- Credentials leak and business logic flaw: CVE-2021-30116
- Cross Site Scripting vulnerability: CVE-2021-30119
- 2FA bypass: CVE-2021-30120
- Fixed an issue where secure flag was not being used for User Portal session cookies.
- Fixed an issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute force attack. The password value is now masked completely.
- Fixed a vulnerability that could allow unauthorized upload of files to the VSA server.
Kaseya recommends that customers follow the steps in the ‘On Premises VSA Startup Readiness Guide’ before installing the update to avoid further breaches and ensure that devices have not previously been hacked.
Before restarting VSA servers and reconnecting them to the Internet, administrators must complete the following steps:
- Ensure the VSA server is isolated
- Check System for Indicators of Compromise (IOC)
- Patch the Operating Systems of the VSA Servers
- Using URL Rewrite to control access to VSA through IIS
- Install FireEye Agent
- Remove Pending Scripts/Jobs
To avoid compromise when installing the patch, the on-premise VSA servers must not be publicly accessible from the Internet.
Customers should also use their “Compromise Detection Tool,” which is a set of PowerShell scripts for detecting whether a VSA server or endpoints has been compromised.
The REvil affiliate distributed the REvil ransomware executable via the agent.crt and agent.exe files.
It is also suggested that users update their password after installing the patch.
You might also like:
Kaseya supply-chain attack: Firms hit by REvil ransomware
Kaseya Supply-Chain attack: REvil ransomware gang demands $70 million