Dutch Institute Exposes Flaws in Kaseya – VSA Platform

In the wake of the recent catastrophic attack on its VSA platform, Kaseya collaborated with scientists to fix a bug that hackers have been using to deliver ransomware to numerous firms. 

A group of researchers at the Dutch Institute of Vulnerability Disclosure published a couple of articles explaining how and when they discovered a series of vulnerabilities in the tools Kaseya provides to managed service providers (MSPs). As per the DIVD, one of the seven problems that the team had discovered in the Kaseya VSA software was the vulnerability known as CVE-2021-30116. 

The bypass authentication vulnerability was one of the two vulnerabilities exploited by cybercriminals when they got into the VSA service and utilized the affected site to distribute consumers a payload of REvil ransomware. The DIVD didn’t indicate that attackers were using the second vulnerability. 

According to the report by DIVD, since April it was privately contacted by Kaseya in reporting the seven issues detected in the internet-facing services and apps of the MSP software provider. In April and May, some had already been patched, and others were in the process of fixing the attack on the VSA. 

In addition to CVE-2021-30116, the DIVD says the team has uncovered a SQL injecting flaw CVE-2021-30117 patched in May; CVE-2021-30118, remote code execution flaw patched in April; CVE-2021-30119, which has a patch underway; the CVE-2021-30120 by-pass, to be patched in the upcoming VSA release 9.5.7; a local file included vulnerability CVE-2021-30121, patched in May; and an XML external entity bug, CVE-2021-30201, patched in May. 

“When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands,” Breedijk wrote. “After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do. We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA.” 

Regrettably, in what Breedijk called the “worst-case scenario,” flaws could not be addressed until criminal hackers could identify and use one of them, stated DIVD. The investigators noted that Kaseya responds to their reports and worked extremely hard to solve the problems. 

However, the confidentiality and hard labor ended up not being felt as the criminals launched their ransomware attack in return for the decryption key on July 2, asking for a $70 million cryptocurrency payment. 

The DIVD’s recent research suggests that the attack could have resulted from a leak in the privacy process, especially if combined with the attackers’ knowledge that specific VSA folders have been free from anti-virus protective measures.