On July 3, the REvil ransomware affiliate program began using a zero-day security vulnerability (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya's remote management software, known as Kaseya Virtual System Administrator (VSA).
According to the entry for CVE-2021-30116, the flaw behind the Kaseya VSA zero-day was assigned a CVE number on April 2, 2021, meaning Kaseya had roughly three months to fix the bug before it was exploited in the wild.
Also on July 3, the security incident response company Mandiant informed Kaseya that its billing and customer support site, portal.kaseya.net, was vulnerable to CVE-2015-2862, a "directory traversal" vulnerability in Kaseya VSA that allows remote users to read any file on the server using nothing more than a web browser.
As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya's customer portal was still exposed to this data-leaking weakness.
Mandiant informed Kaseya after hearing about it from Alex Holden, founder and CTO of the Milwaukee-based cyber intelligence firm Hold Security. Holden said the 2015 vulnerability was present on Kaseya's customer portal until Saturday afternoon, and allowed him to download the site's "web.config" file, a server configuration file that often contains sensitive information such as usernames and passwords and the location of key databases.
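To make the "read any file on the server" risk concrete, here is an added illustration of a directory traversal bug and its fix. This is example code written for this page, not Kaseya's code and not the CVE-2015-2862 exploit: a minimal file handler that joins a decoded request path onto a web root without checking where it lands, beside a hardened version that canonicalizes the path and refuses anything outside the root. The directory tree, the sample web.config contents and the request strings are all constructed for the demo.

```python
"""Directory traversal: a vulnerable file handler beside a hardened one.

Illustrative example only; this is not Kaseya's code and not the
CVE-2015-2862 exploit. It runs against a constructed temporary tree.
"""
import os
import tempfile
from urllib.parse import unquote


def build_site() -> str:
    """Construct a throwaway tree: <tmp>/www is the web root, and a
    sensitive <tmp>/web.config sits one level above it (constructed data)."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    webroot = os.path.join(base, "www")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<html>public page</html>\n")
    with open(os.path.join(base, "web.config"), "w") as f:
        # Constructed sample, modeled on the kind of secrets a real
        # web.config tends to carry (connection string with a password).
        f.write('<connectionStrings><add connectionString='
                '"Server=db;User Id=sa;Password=hunter2" /></connectionStrings>\n')
    return webroot


def serve_vulnerable(webroot: str, requested: str) -> str:
    """Vulnerable: decodes the request and joins it onto the web root
    without checking where the result lands. '../web.config' (or its
    URL-encoded form '..%2Fweb.config') escapes the root, and an
    absolute path makes os.path.join discard the root entirely."""
    path = os.path.join(webroot, unquote(requested))
    with open(path) as f:
        return f.read()


def serve_hardened(webroot: str, requested: str) -> str:
    """Hardened: decode once, strip any leading slash so the join cannot
    be bypassed, resolve '..' and symlinks with realpath, then refuse any
    candidate whose canonical path is not under the canonical web root."""
    root = os.path.realpath(webroot)
    relative = unquote(requested).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"refusing path outside web root: {requested!r}")
    with open(candidate) as f:
        return f.read()


def demo() -> dict:
    """Run both handlers against the same requests and record, per
    (handler, request), whether the response was 'ok' (public content),
    'leaked' (sensitive file returned) or 'blocked' (refused / not found)."""
    webroot = build_site()
    results = {}
    handlers = (("vulnerable", serve_vulnerable), ("hardened", serve_hardened))
    for name, handler in handlers:
        for req in ("index.html", "../web.config", "..%2Fweb.config"):
            try:
                body = handler(webroot, req)
                results[(name, req)] = "leaked" if "Password" in body else "ok"
            except (PermissionError, FileNotFoundError):
                results[(name, req)] = "blocked"
    return results


if __name__ == "__main__":
    for (handler, req), outcome in demo().items():
        print(f"{handler:10s} {req:18s} -> {outcome}")
```

The check that matters is the containment test on the canonicalized path, done after URL decoding; rejecting the literal string ".." before decoding would miss the "%2F" variant, which is the kind of gap a scanner or a curious browser user finds quickly.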
“It’s not like they forgot to fix something Microsoft fixed years ago,” Holden said. “It’s a fix for their own software. And it’s not a zero-day. It’s from 2015!”
The official description of CVE-2015-2862 states that a potential attacker would have to already be authenticated on the server for the exploit to work. But Holden said that was not the case with the Kaseya Portal vulnerability he reported via Mandiant.
“It’s worse because the CVE calls for an authenticated user,” Holden said. “This was not the case.”
Michael Sanders, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline in response to a vulnerability report. Sanders said the portal was phased out in 2018 in favor of a more modern customer support and ticketing system, but the old site was still available online.
“It was obsolete but left in place,” Sanders said.
In a written statement shared with KrebsOnSecurity, Kaseya said that in 2015, CERT reported two vulnerabilities in its VSA product.
“We have worked with CERT on responsible disclosure and released fixes for VSA V7, R8, R9 and R9 as well as public disclosure (CVE) and customer notifications. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the 2015 VSA product patch. It does not have access to customer endpoints and has been shut down, and will no longer be activated or used by Kaseya.
“At this time, there is no evidence that this portal was involved in the VSA product security incident,” the statement continued. “We continue to do forensic analysis on the system and investigate the data that is actually there.”
The REvil ransomware group said the affected organizations could negotiate with it individually for a decryption key, or that someone could pay $70 million in virtual currency for a single key that would decrypt every system compromised in the attack.
But Sanders said all of the ransomware experts Kaseya has consulted so far have advised against negotiating a one-time ransom to unlock all victims.
“The problem is, they don’t have our data, they have our customers’ data,” Sanders said. “We have been advised not to do this by all of the ransomware negotiation firms we have dealt with. They said that with the number of individual machines being hacked and ransomed, it would be very difficult for all of these systems to be fixed at the same time.”
In a video posted to YouTube on July 6, Kaseya CEO Fred Voccola said the ransomware attack was “of limited impact, with only around 50 of the more than 35,000 Kaseya customers being breached.”
“Although every customer impacted is one too many, the impact of this highly sophisticated attack has fortunately been largely overestimated,” said Voccola.
The zero-day vulnerability that left Kaseya’s customers (and those customers’ customers) held for ransom was discovered and reported to Kaseya by Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD).
In a July 4 blog post, DIVD’s Victor Gevers wrote that Kaseya was “very cooperative” and “asked the right questions.”
“Additionally, partial fixes have been shared with us to validate their effectiveness,” Gevers wrote. “Throughout the whole process Kaseya has shown that they are willing to put the maximum effort and initiative into this matter, both to resolve this issue and to patch their customers. They have shown a real commitment to doing the right thing. Unfortunately, we were beaten by REvil in the final sprint because they could exploit the vulnerabilities before customers could even patch them.”
Still, Kaseya has yet to release an official fix for the flaw Boonstra reported in April. Kaseya told customers on July 7 that it was working “around the clock” to release an update.
Gevers said the Kaseya vulnerability was discovered as part of DIVD’s larger effort to find serious flaws in a wide range of remote network management tools.
“We are focusing on these types of products because we have spotted a trend where more and more products used to provide network security have structural weaknesses,” he wrote.