Follow-up to the Kaseya supply chain attack

At the beginning of July 2021, there was a supply chain attack on Kaseya VSA, a remote management and monitoring (RMM) software, through which malware was delivered. As a result, the REvil ransomware group's encryption Trojan struck, encrypting the IT systems of approximately 1,500 companies worldwide. Gradually, more details are becoming known. For example, the vulnerability exploited for the attack was reported to Kaseya in April 2021 – and a vulnerability known since 2015 is still open in their management software.


The Kaseya supply chain attack

It's a nightmare come true: the REvil ransomware group has managed to launch a supply chain attack on the VSA platform of US vendor Kaseya. With this, the remote management and monitoring (RMM) software Kaseya VSA delivered a dropper as a legitimate update, which reloaded an encryption Trojan from the REvil ransomware group. I had reported on Kaseya VSA and Management Service Provider (MSP) in the blog post REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP). Cyble published more details here – an interview with the REvil group is available here.

As a result, about 1,500 companies worldwide were affected by the ransomware attack. The most prominent European victim is Coop-Sweden, which had to close stores because a payment service provider for their point-of-sale systems failed (see Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang). The whole thing is something like the SolarWinds supply chain attack on their Orion software, only this time it was ransomware (instead of an espionage operation) that struck.

Vulnerability reported in early April 2021

Now the discoverers of the vulnerabilities in the Kaseya VSA software, the Dutch security researchers of DIVD, have disclosed some (but not all) details about the case in this blog post. The vendor was notified of the following vulnerabilities in its platform on April 6, 2021.

  • CVE-2021-30116 – A credentials leak and business logic flaw, resolution in progress.
  • CVE-2021-30117 – An SQL injection vulnerability, resolved in May 8th patch.
  • CVE-2021-30118 – A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
  • CVE-2021-30119 – A Cross Site Scripting vulnerability, resolution in progress.
  • CVE-2021-30120 – 2FA bypass, resolution in progress.
  • CVE-2021-30121 – A Local File Inclusion vulnerability, resolved in May 8th patch.
  • CVE-2021-30201 – An XML External Entity vulnerability, resolved in May 8th patch.

The list shows that the manufacturer has already fixed some of these vulnerabilities with updates in May 2021. The first updates were already provided in April 2021, and others were closed in June 2021. But vulnerabilities remained open to be patched in July 2021 – there was an exchange between the vendor and security researchers to verify that the patches were working. Then, on July 2, 2021, the supply chain attack on the Kaseya VSA platform by the REvil Group occurred, exploiting vulnerabilities that had not yet been closed.

Security researchers have not disclosed details of the vulnerabilities. However, given the timing, it makes me wonder if the REvil group was aware via espionage activity that there were patches being prepared to close the vulnerability. This reminds me of the March 2021 Exchange hack by the Hafnium group, where the attackers managed to intrude before a patch was rolled out.

Kaseya customer/billing portal with vulnerability

In this context, it's interesting to note a tweet from Brian Krebs pointing out a vulnerability in this vendor's customer/billing portal that has existed since 2015. The details may be read in this article.


Kaseya then shut down this portal on July 3, 2021. I can't evaluate it definitively, but the message is that at the US manufacturer Kaseya, it at least took quite a bit of time before vulnerabilities were patched. No idea if the company will survive that. But this case shows again that security in IT is simply broken.

Management has been warned internally

Addendum: I had something like "sloppiness led to disaster" on the tip of my tongue while writing this, but then dropped it for lack of knowledge. Now Bloomberg reports that executives at Miami-based Kaseya Ltd. had been warned about critical security vulnerabilities in the company's software. Bloomberg is referring to five former employees of the company.

Bloomberg quotes the former employees, who wish to remain unnamed, as saying that on several occasions between 2017 and 2020 at Kaseya offices in the U.S., they alerted company management to widespread cybersecurity problems. But those problems often were not fully addressed, they said.

The most glaring problems listed included software that was underpinned by outdated code. The use of weak encryption and passwords in Kaseya's products and servers was also cited, as was the failure to adhere to basic cybersecurity practices, such as regularly patching software.

Management was focused on selling products at the expense of other priorities, the employees said. It's something you've heard before, or think you've heard elsewhere. Nothing changes: glossy brochures in the front, but if you dig a little, you only come across a pile of dirt. The Bloomberg report fits in well with this comment (translated from German) from a blog reader, who gives a bit of background on the Kaseya software.

The PDF glossy brochure from Kaseya promises more than the software delivers! The base is from the 90s, and that's how the software behaves in everyday use.

The damage is devastating!
May this group think about it, if they have not shot themselves in the neck.

It is also devastating how simply the exploit was integrated. According to my knowledge, so far not confirmed by Kaseya, it was enough to use procedures created in the database via the IIS API to trigger the rollout of the commands that inject the malware. The injection on the VSA took less than 30 seconds.
