IT management solutions provider Kaseya has released patches for the vulnerabilities exploited in the recent ransomware attack, and the company has also started restoring SaaS services.
Kaseya shut down its VSA remote monitoring and management product on July 2, shortly after learning of a ransomware attack targeting the company and its customers. The attackers exploited zero-day vulnerabilities in VSA to deliver REvil ransomware to the MSPs that use the product, as well as to their customers — it’s currently estimated that between 800 and 1,500 organizations were hit.
While only on-premises VSA installations were targeted, Kaseya also shut down SaaS services as a precaution. After its initial attempt to restore services failed, the company over the weekend released patches for the on-premises product and started restoration of SaaS services.
The latest update, provided by the company early on Monday morning, said SaaS services had been restored for 95% of customers.
As for the patch for on-premises installations, VSA 9.5.7a fixes a total of six security holes: a credentials leak and business logic flaw (CVE-2021-30116), an XSS vulnerability (CVE-2021-30119), a 2FA bypass issue (CVE-2021-30120), an issue related to secure flags not being used for user portal session cookies, a password hash exposure issue that could be useful for brute-force attacks, and an unauthorized file upload vulnerability.
The flaws that have been assigned a CVE identifier are three of the seven issues reported to Kaseya in April by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had patched some of the vulnerabilities before the REvil ransomware attack was launched, but some remained unfixed, enabling the attackers to exploit them to achieve their goals.
[Continuous Updates: Everything You Need to Know About the Kaseya Ransomware Attack]
It’s still unclear exactly which vulnerabilities were exploited, but DIVD said the attack involved two flaws, including one reported by its researchers.
According to managed detection and response company Huntress, which has monitored the attack and developed a proof-of-concept (PoC) exploit for the vulnerabilities used in the attack, the patch does appear to prevent exploitation. Huntress’ PoC is designed to exploit authentication bypass, arbitrary file upload and command injection vulnerabilities, but the firm noted that the attackers did not actually deliver an implant with their exploit, as its PoC does.
In addition to the actual patches, Kaseya has released a tool for on-premises customers that can be used to “clear any procedures that have accumulated prior to starting restarting your VSA.” The company has also released runbooks designed to help customers prepare for the rollout and restoration of services.
Bloomberg reported over the weekend that several former Kaseya employees claimed the company had poor security practices and often failed to fully address vulnerabilities. Some of the ex-employees also claimed that Kaseya products were abused to deploy ransomware on at least two occasions between 2018 and 2019.