Kaseya Patches VSA

THE THREAT

On July 11th, 2021, Kaseya released security patches for multiple vulnerabilities impacting the Kaseya VSA product, that was actively exploited in the recent REvil ransomware campaign. Kaseya’s Cloud offering, Kaseya SaaS VSA, was brought back online at the same time as security patches were released.

Organizations are recommended to review the Kaseya playbook for patching, and after performing a business impact review, apply the relevant security patches.

What we’re doing about it

• eSentire has performed indicator sweeps for esENDPOINT and esLOG customers
• On the day of the ransomware attack, hashes associated with the REvil ransomware dropper were banned for esENDPOINT customers
• Known infrastructure associated with the REvil Ransomware group has been blocked via esNETWORK
• MVS will automatically add the relevant plugins for these vulnerabilities once details are made available
• eSentire security teams are tracking this threat for additional details and detection opportunities

What you should do about it

• Review the On Premises VSA Startup Readiness Guide
• After performing a business impact review, apply the relevant security patches [9.5.7a (9.5.7.2994)]
  • After installing the patch all users will be required to change their passwords on login
• If patches cannot be applied, organizations are recommended to shutdown VSA servers

Additional information

This incident was initially speculated to be caused by a supply-chain attack against Kaseya but has since been traced back to a chain of zero-day vulnerabilities in the Kaseya platform. Patched vulnerabilities are as follows:

• CVE-2021-30116: Credentials leak and business logic flaw
• CVE-2021-30119: Cross-Site Scripting vulnerability
• CVE-2021-30120: Two Factor Authentication (2FA) bypass

Three additional issues were fixed but did not receive CVE designations:

• Secure flag was not being used for User Portal session cookies
• Certain API responses would contain a password hash
• Unauthorized upload of files to the VSA server

To date, the REvil attack on Kaseya products resulted in approximately 60 Kaseya customers, including MSPs, being impacted. Including MSP’s customers, approximately 1,500 organizations total were impacted by REvil ransomware.

References:

[1] https://www.kaseya.com/potential-attack-on-kaseya-vsa/
[2] https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993incident-response
[3] https://helpdesk.kaseya.com/hc/en-gb/articles/4403785889041