Kaseya has successfully deployed security patches to the cloud and on-premises versions of its VSA remote IT monitoring platform to fight a ransomware attack, with no reports of serious issues.
As of 8 a.m. Eastern time Monday morning, the company said the restoration of services was progressing, with all of its software-as-a-service customers live and servers for the rest of its customers expected to come online in the coming hours. Meanwhile, support teams are working with VSA on-prem customers who have requested assistance with the patch.
UPDATE: The company had to take the cloud system offline at mid-day Eastern time for about 20 minutes to make configuration changes because the large number of users quickly coming back online since yesterday created some performance issues.
Kaseya began deploying the fixes as promised around 4 p.m. Eastern yesterday.
On-prem users are asked to follow the instructions in Kaseya’s “On-Premises VSA Startup Readiness Guide” and its hardening and best practice guide before installing the VSA 9.5.7a Release. Subscribers to the cloud service were asked to follow instructions in a VSA SaaS startup guide and read a SaaS security best practices guide.
SaaS users will be required by the update to change their login passwords.
In addition, to toughen authentication, passwords of all VSA users will have to be at least 16 characters long to blunt brute-force attacks. Other rules affect password change requirements. All complexity rules will be enforced by the system.
It will no longer be possible to disable Agent Procedure signing and approval. All agent procedure changes must now be approved by a Master administrator.
The updates fix three recent vulnerabilities:
- Credentials leak and business logic flaw: CVE-2021-30116
- Cross-Site Scripting vulnerability: CVE-2021-30119
- 2FA bypass: CVE-2021-30120
They also fix four recent vulnerabilities that on-prem users should have patched before July 2:
- Remote Code Execution vulnerability: CVE-2021-30118
- SQL injection vulnerability: CVE-2021-30117
- Local File Inclusion vulnerability: CVE-2021-30121
- XML External Entity vulnerability: CVE-2021-30201
Now comes the time to analyze exactly how the REvil group, or one of its criminal affiliates, learned of and exploited the vulnerabilities used to knock the company offline on July 2, and what damage the attack will do to its brand and bottom line. Kaseya has promised “direct financial assistance for those who have been crippled” by the attack.
As a vital IT infrastructure management provider, Kaseya would be a tempting target for cyber attackers, who are increasingly interested in going after third-party suppliers. Kaseya believes some 60 of its direct customers, largely managed service providers, and 1,500 of their customers were hit by ransomware. For some reason, none of them apparently had their data stolen. That has led to speculation that the attack was orchestrated by an affiliate that decided to stick strictly to ransomware this time.
The Dutch Institute for Vulnerability Disclosure (DIVD) had warned Kaseya of the vulnerabilities in April and was working with the company on patches just before the crisis. Kaseya had released fixes for several of them before July 2. (For a more detailed history see this story and podcast.)
But according to Bloomberg News, Kaseya has been slow in the past to react to issues. Employees told the news service that several times between 2017 and 2020 wide-ranging cybersecurity concerns had been flagged to company leaders. But, they alleged, those issues often weren’t fully addressed.
“Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya’s products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales at the expense of other priorities,” Bloomberg says the employees told it.
In an email, Forrester Research analyst Allie Mellen said the steps Kaseya took to recover and to help its customers recover from this attack, including providing a runbook and recommendations on hardening their servers, are a positive. “That kind of support should be provided by any third party hit with a ransomware attack. It is also great news they have issued this on-prem patch. However, this does not mean every affected business is back up and running, as even the installation of the patch is a lengthy process and some organizations are still affected by the ransomware. What’s most important here is to get visibility into why this happened and what steps Kaseya is taking to prevent it from happening in the future. Total transparency on their product security efforts is crucial if they want to maintain or rebuild trust with their current customers and prospects.”