Kaseya: Decryption key revealed, backup update closes vulnerabilities

Small article at the end of the week, concerning the US vendor Kaseya. After the supply chain attack on Kaseya's RMM software and the encryption of numerous customer systems, a decryption key has surfaced in an underground forum. In addition, a blog reader alerted me to an update that closes various security holes in a Kaseya product.


Backstory to the supply chain attack

In early July 2021, there was a successful supply chain attack on Kaseya VSA. This is remote management and monitoring (RMM) software used by many managed service providers (MSPs). The supply chain attack delivered malware to all customer systems where VSA was in use. I reported on this here on the blog (see links at the end of the article).

The Swedish Coop Group even had to close all 800 stores because a payment processor was affected by the ransomware attack on its servers through the Kaseya vulnerability. There was hope for affected people that the encrypted files could be saved because the vendor had received a decryption tool (see Kaseya received universal decryption tool after ransomware attack). However, the REvil group responsible for the attack had stopped its operation and shut down the infrastructure (see REvil Ransomware Group server and infrastructure is shut down). 

Decryption key in hacker forum

My last information on the Kaseya supply chain attack was that customers had to sign a non-disclosure agreement to get the decryption key (see Kaseya allegedly demands NDA against decryption tool).

Kaseya decryption key

Now colleagues at Bleeping Computer report that the universal decryption key for the REvil attack on Kaseya customers has surfaced on a hacker forum. The article refers to the above tweet from a security researcher who contacted Bleeping Computer. This key probably only works for victims of the Kaseya hack, and is not a universal decryptor key for other REvil ransomware cases. Bleeping Computer was able to use the key to decrypt a VM encrypted with the Kaseya malware. Details can be found in this article.


Unitrends Backup Software Update 10.5.5

Blog reader Stefan A. emailed me to let me know that update 10.5.5 is available for Kaseya's Unitrends Backup Software. The release notes state that some vulnerabilities (e.g. SQL injection, privilege escalation etc.) have been fixed, which were discovered by the Dutch Institute for Vulnerability Disclosure (DIVD). 

Similar to what Stefan mentioned in his email, I also stumbled across an article on Bleeping Computer in late July 2021. There, security researchers warned about unpatched Kaseya Unitrends backup vulnerabilities. Stefan writes about this:

I stumbled across this article on Bleeping Computer some time ago. However, I never really understood the warning. The warning says that versions lower than 10.5.2 are affected. But at the time, version 10.5.4 was already out. At the same time it was said that there is no update for this yet (see).

Anyway, now something has happened. Maybe one or the other reader has the software in use and they could just point it out.

At this point, my thanks to Stefan for the information. If any of you have the Kaseya software in use, check whether you are running the current version.

Similar articles:
REvil Ransomware attack at 200 Companies via Kaseya VSA and Management Service Provider (MSP)
Coop-Sweden closes 800 stores after Kaseya VSA supply chain attack by REvil gang
Follow-up to the Kaseya supply chain attack
Kaseya received universal decryption tool after ransomware attack
Kaseya allegedly demands NDA against decryption tool
