Earlier this month, customers of Kaseya, a supplier of MSP solutions, suffered a large-scale REvil (Sodinokibi) ransomware attack; now Kaseya has fixed the vulnerabilities.
Hackers used a 0-day vulnerability in the company's VSA product to attack Kaseya customers. The problem is that most of the victim VSA servers were operated by MSPs, that is, by companies that manage the infrastructure of other clients. As a result, the attackers deployed ransomware in thousands of corporate networks.
According to official data, the compromise affected about 60 Kaseya customers, through whose infrastructure the hackers were able to encrypt about 800-1500 corporate networks.
Kaseya VSA is a remote monitoring and management solution commonly used by MSPs to support their customers. A company can deploy VSA on premises using its own servers, or use Kaseya's cloud SaaS offering.
Earlier, the Dutch Institute for Vulnerability Disclosure (DIVD) reported that it had discovered seven vulnerabilities in Kaseya products:
- CVE-2021-30116: credentials leak and business logic flaw, the patch will be included in 9.5.7;
- CVE-2021-30117: SQL injection, fixed by the patch of May 8, 2021;
- CVE-2021-30118: RCE vulnerability, fixed April 10, 2021;
- CVE-2021-30119: XSS vulnerability, the patch will be included in 9.5.7;
- CVE-2021-30120: two-factor authentication bypass, the patch will be included in 9.5.7;
- CVE-2021-30121: Local File Inclusion vulnerability, fixed by the patch of May 8, 2021;
- CVE-2021-30201: XML External Entity (XXE) vulnerability, fixed by the patch of May 8, 2021.
As can be seen from the list above, Kaseya had already shipped fixes for most of these vulnerabilities in the SaaS version of VSA, but had not finished releasing patches for the on-premises version of the product, which is what the REvil operators exploited. It is not known exactly which vulnerabilities the hackers used, but it is assumed to have been one of CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120, or a combination of them.
After the attack, Kaseya urged customers to shut down VSA until the fixes were ready. Now, almost ten days after the incident, the company has finally released an updated version, VSA 9.5.7A (9.5.7.2994), which eliminates the last bugs used by REvil (CVE-2021-30116, CVE-2021-30119 and CVE-2021-30120).
This version also fixes other problems:
- a bug where the Secure flag was not set on User Portal cookies;
- an issue where some API responses contained password hashes, potentially exposing weak passwords to brute-force attacks;
- a vulnerability that allowed unauthorized file upload to the VSA server.
The company stresses that on-premises VSA servers must under no circumstances be reachable from the Internet while the fix is being installed. Kaseya's developers also urge customers to use the Compromise Detection Tool (a set of PowerShell scripts that helps determine whether the VSA server or its endpoints have been compromised).