Software vendor Kaseya has released a security update that patches the VSA (Virtual System Administrator) zero-day vulnerability used in the recent REvil ransomware attack. The patch comes more than a week after over 60 managed service providers (MSP) and 1500 of their customers were impacted by a ransomware attack, the source of which was soon identified to be Kaseya’s VSA.
Attackers, now known to be the notorious REvil gang, used a vulnerability in Kaseya’s VSA remote monitoring and management software package to distribute a malicious payload through hosts that are managed by the software. The end result was 60 MSPs and over 1500 companies affected by ransomware attacks.
The vulnerabilities in Kaseya’s VSA were discovered in April by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD). According to DIVD, they disclosed the vulnerabilities to Kaseya soon after, allowing the software company to release patches to resolve a number of them before they could be misused. Unfortunately, while DIVD praises Kaseya for their on-point and timely response to the disclosure, malicious parties were able to use the unpatched vulnerabilities in their ransomware attack.
The vulnerabilities disclosed to Kaseya by DIVD in April are the following:
- CVE-2021-30116 – A credentials leak and business logic flaw, resolved in July 11 patch.
- CVE-2021-30117 – An SQL injection vulnerability, resolved in May 8th patch.
- CVE-2021-30118 – A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
- CVE-2021-30119 – A Cross Site Scripting vulnerability, resolved in July 11 patch.
- CVE-2021-30120 – 2FA bypass, resolved in July 11 patch.
- CVE-2021-30121 – A Local File Inclusion vulnerability, resolved in May 8th patch.
- CVE-2021-30201 – A XML External Entity vulnerability, resolved in May 8th patch.
Failing to patch 3 of the vulnerabilities on time allowed REvil to utilize them for a large-scale attack that impacted 60 managed service providers using VSA and their 1500 business customers. As soon as Kaseya noticed what was going on, it warned on-premise VSA customers to immediately shut down their servers until it released a patch. Unfortunately, many companies still became victims of a ransomware attack whose perpetrators demanded up to $5 million in ransom. The REvil gang later offered a universal decryptor for $70 million, the largest ever ransom demand.
The VSA 9.5.7a (188.8.131.5294) update fixes vulnerabilities used during the REvil ransomware attack
On July 11, Kaseya released the VSA 9.5.7a (184.108.40.20694) patch to fix the remaining vulnerabilities which were used in the ransomware attack.
The VSA 9.5.7a (220.127.116.1194) update patches the following:
- Credentials leak and business logic flaw: CVE-2021-30116
- Cross-Site Scripting vulnerability: CVE-2021-30119
- 2FA bypass: CVE-2021-30120
- Fixed an issue where the secure flag was not being used for User Portal session cookies.
- Fixed an issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute force attack. The password value is now masked completely.
- Fixed a vulnerability that could allow the unauthorized upload of files to the VSA server.
However, Kaseya cautions that to avoid any more issues, the “On Premises VSA Startup Readiness Guide” should be followed.
Before admins proceed to restore full connectivity between Kaseya VSA server(s) and deployed agents, they should do the following:
- Ensure your VSA server is isolated.
- Check System for Indicators of Compromise (IOC).
- Patch the Operating Systems of the VSA Servers.
- Using URL Rewrite to control access to VSA through IIS.
- Install FireEye Agent.
- Remove Pending Scripts/Jobs.
The REvil gang appears to have gone dark
The REvil ransomware gang were pretty quickly identified as the perpetrators behind the attack. After initially offering a universal decryptor for $70 million, they lowered the price to $50 million. It now appears that REvil’s infrastructure and websites have been taken offline, though the reasons are not entirely clear. REvil’s infrastructure is made up of both clear and dark web sites that are used for purposes such as leaking data and negotiating the ransom. However, the sites are no longer reachable.
It’s not yet clear whether REvil decided to shut down its infrastructure due to technical reasons or because of the increased scrutiny by law enforcement and the US government. REvil is known to operate from Russia, and US President Biden has been in talks with Russia’s President Putin about the attacks, warning that if Russia does not take action, the US will. Whether that has anything to do with REvil’s apparent shutdown is not yet clear.