
One of the vulnerabilities in Kaseya's IT management software VSA that was exploited by miscreants to infect up to 1,500 businesses with ransomware was reported to the vendor in April – and the patch just wasn't ready in time. Sources said deployments of Kaseya's flagship Virtual System Administrator (VSA) product were hijacked at the start of the month to inject REvil extortionware into networks around the world. Kaspersky Lab said it saw evidence of 5,000 infection attempts in 22 countries in the three days since the first attack was spotted.
Rewind to April, and the Dutch Institute for Vulnerability Disclosure (DIVD) had privately reported seven security bugs in VSA to Kaseya. Four were fixed and patches released in April and May. Three were due to be fixed in an upcoming release, version 9.5.7.
Unfortunately, one of those unpatched bugs – CVE-2021-30116, a credential-leaking logic flaw discovered by DIVD's Wietse Boonstra – was exploited by the ransomware slingers before its fix could be emitted.
Hackers infiltrated Kaseya, accessed its customers’ data, and demanded ransom for the data’s return. What makes the hack particularly grave is that Kaseya regularly pushes out updates to its customers meant to ensure the security of their systems. But in this case, those safety features were subverted to push out malicious software to customers’ systems.
Victor Gevers, chairman of DIVD, praised Kaseya's response to the bug reports, blogging: "Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness."
Kaseya has said that between 800 and 1,500 businesses were affected by the hack, although independent researchers have pegged the figure at closer to 2,000. There are at least 145 victims in the US, according to an outside analysis from Sophos Labs, including local and state governments and agencies as well as small and medium-sized businesses.
Cyberattacks and threats have increased as hackers have taken advantage of the shift to remote and hybrid work, and this survey confirms that there is a growing shift towards cloud-based security and SASE solutions. As organizations enable their employees to access corporate resources remotely, the SASE model addresses the limitations of traditional network architectures, converging networking and security in the cloud.
“The shift to remote and hybrid work is one of the most important changes to have taken place as a result of the Covid-19 pandemic. Many organizations have had to compromise network performance and protection across their distributed environments because they use multiple different point products, which leads to management complexity and fragmented threat visibility,” said Rafi Kretchmer, VP of Product Marketing at Check Point Software.
“This survey confirms that many organizations are feeling more at risk and there is a growing shift towards cloud-based security. The SASE framework consolidates cloud services to minimize attack surfaces and improve the user experience.”