The software solutions provider, which counts managed service providers (MSPs) among its client base, was the subject of a ransomware outbreak on July 2. Kaseya said the threat group responsible, REvil, exploited unpatched vulnerabilities in the firm’s VSA remote monitoring software to bypass authentication and execute code, allowing them to deploy ransomware on customer endpoints. It is estimated that between 800 and 1,500 businesses have been impacted. REvil has demanded $70 million for a universal decryption key.

Kaseya pulled its SaaS systems offline and urged customers to shut down their VSA servers when the first reports of cyberattacks came in. Initial attempts to relaunch SaaS servers were set for July 6; however, technical problems prompted a further delay. According to Kaseya, the decision was made by CEO Fred Voccola in order to give the company time to bolster existing security mechanisms.

On Sunday, the tech giant said that the rollout is underway and going “according to plan.” In total, 95% of the company’s SaaS customers are now live, with servers “coming online for the rest of our customers in the coming hours.” On-premise clients now have access to the VSA patch, too, and support teams are working with organizations that need assistance in applying the security update.

The release notes for both VSA on-premise and SaaS deployments include fixes for three CVE-issued vulnerabilities: a credentials leak and business logic flaw (CVE-2021-30116), a cross-site scripting (XSS) bug (CVE-2021-30119), and a two-factor authentication bypass (CVE-2021-30120). In addition, Kaseya has resolved a missing Secure flag on User Portal session cookies, an API response process that could expose weak credentials to brute-force attacks, and an unauthorized file upload vulnerability impacting VSA servers. Due to the speed necessary in deploying the patch, some VSA functionality has been disabled temporarily – including some API endpoints.
“Out of an abundance of caution, these API calls are being redesigned for the highest level of security,” Kaseya says. “Individual functions will be restored in later releases this year.” Kaseya has also temporarily removed the ability to download agent installer packages without authentication to VSA and the User Portal page. A number of legacy functions have been permanently removed. Clients will need to change their password once they have installed and logged in to the latest build. Kaseya has also provided VSA SaaS and on-premise hardening and best practice guides. Bloomberg reports that in the past, former employees sounded the alarm on cybersecurity worries including outdated code, weak encryption, and a lack of robust patching processes. However, the ex-staff members claimed their concerns were not fully addressed.
Previous and related coverage
- Kaseya ransomware attack updates: Your questions answered
- Should Kaseya pay REvil ransom? Experts are torn
- Scam artists exploit Kaseya security woes to deploy malware