One of the vulnerabilities in Kaseya's IT management software VSA that was exploited by miscreants to infect up to 1,500 businesses with ransomware was reported to the vendor in April – and the patch just wasn't ready in time.
As we've covered this week, deployments of Kaseya's flagship Virtual System Administrator (VSA) product were hijacked at the start of the month to inject REvil extortionware into networks around the world. Kaspersky Lab said it saw evidence of 5,000 infection attempts in 22 countries in the three days since the first attack was spotted.
Kaseya pulled the plug on its software-as-a-service offering of VSA, and urged all of its customers to switch off their VSA servers to avoid being hit by the ransomware. Kaseya's customers are primarily managed service providers looking after the IT estates of their own customers, and so by compromising VSA deployments, miscreants can hijack large numbers of downstream systems.
Rewind to April, and the Dutch Institute for Vulnerability Disclosure (DIVD) had privately reported seven security bugs in VSA to Kaseya. Four were fixed and patches released in April and May. Three were due to be fixed in an upcoming release, version 9.5.7.
Unfortunately, one of those unpatched bugs – CVE-2021-30116, a credential-leaking logic flaw discovered by DIVD's Wietse Boonstra – was exploited by the ransomware slingers before its fix could be emitted.
Victor Gevers, chairman of DIVD, praised Kaseya's response to the bug reports, blogging: "Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness.
"During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch."
- Report shines light on REvil's depressingly simple tactics: Phishing, credential-stuffing RDP servers... the usual
- Kaseya's VSA SaaS restart fails, service restoration delayed by at least ten hours
- Ransomware-hit law firm gets court order asking crooks not to publish the data they stole
- Kaseya says it's seen no sign of supply chain attack, sets SaaS restoration target of Tuesday afternoon, on-prem fix to follow
Infosec outfit Tenable rounded up industry statements and research suggesting that REvil's initial access brokers had used a combination of as many as three zero-days to target VSA: an authentication bypass vuln, an arbitrary file upload bug, and a code injection vuln.
Presumably, the auth bypass hole is CVE-2021-30116, and to us it seems quite likely the other two bugs couldn't be successfully exploited without the first. One would chain exploits for these holes to commandeer a server and push ransomware to managed endpoints.
A fix for '30116 is not yet available. Overnight, Kaseya said it had "published a runbook of the changes to make to your on-premises environment so customers can prepare for the patch release." That documentation can be found here.
Palo Alto Networks' Unit 42 infosec research arm published a report on Wednesday setting out REvil's known methods, including its use of Cobalt Strike beacons, PowerShell scripts designed to obfuscate its presence on a targeted network, and indicators of compromise in the early stages of a network intrusion. ®