Software provider Kaseya announced that the company was targeted by a gang using the REvil ransomware service and Russia-linked REvil cybercrime behind the breach was demanding $70 million in BTC for the decryption tool. VSA solution is using by 1,500 businesses around the world. Because of this widespread zero-day attack, the company wanted its VSA customers to shut down their servers until a patch was available.
Guide for the latest patch
Nearly 10 days after the attack, Kaseya released VSA version 9.5.7a (220.127.116.1194) with fixes for three new security flaws, including credentials leak and business logic flaw (CVE-2021-30116), cross-site scripting vulnerability (CVE-2021-30119), two-factor authentication bypass (CVE-2021-30120).
Fred Voccola, CEO of Kaseya, first declared the attack in a statement, saying,
“Beginning around mid-day (EST/US) on Friday, July 2, 2021, Kaseya’s Incident Response team learned of a potential security incident involving our VSA software.”
The company also published a guide for the VSA release patch, which contains critical security fixes. The company recommended its users follow some steps before restoring full connectivity between Kaseya VSA server and deployed agents:
- Ensure your VSA server is isolated
- Check System for Indicators of Compromise (IOC)
- Patch the Operating Systems of the VSA Servers
- Using URL Rewrite to control access to VSA through IIS
- Install FireEye Agent
- Remove Pending Scripts/Jobs
The Dutch Institute for Vulnerability Disclosure (DIVD) discovered and reported security seven vulnerabilities earlier in April. Four other weaknesses were remediated in previous releases. These are SQL injection vulnerability (CVE-2021-30117), remote code execution vulnerability (CVE-2021-30118), local file inclusion vulnerability (CVE-2021-30121), XML external entity vulnerability (CVE-2021-30201).
Kaseya also warned all users to mandatorily change their passwords post login to meet new password requirements. Finally, the restoration of services is progressing, with 95% of its SaaS customers live and the remaining servers coming online for the rest of our customers in the coming hours. Support teams are helping VSA On-Premises customers who have requested assistance with the patch.