Kaseya Was Warned In April Of Vulnerability Exploited By REvil Gang
‘Last weekend, we found ourselves in the middle of a storm. A storm created by the ransomware attacks executed via Kaseya VSA using a vulnerability which we confidentially disclosed to Kaseya,’ says Dutch Institute for Vulnerability Disclosure’s Frank Breedijk.
Researchers warned Kaseya April 6 about one of the vulnerabilities that REvil ended up exploiting nearly three months later in a crippling ransomware attack.
The Dutch Institute for Vulnerability Disclosure (DIVD) said that researcher Wietse Boonstrain in April discovered seven vulnerabilities in Kaseya’s VSA remote monitoring and management product and notified the New York- and Miami-based IT service management vendor about the flaws less than a week later. Eighty-seven days later, REvil took advantage of a flaw flagged by DIVDthat still wasn’t resolved.
“Last weekend, we found ourselves in the middle of a storm,” DIVDresearcher Frank Breedijk wrote Wednesday. “A storm created by the ransomware attacks executed via Kaseya VSA using a vulnerability which we confidentially disclosed to Kaseya. … Unfortunately, the worst-case scenario came true.”
[Related: 10 Big Things To Know About The Kaseya Cyberattack]
Kaseya told CRN late Wednesday that because of the FBI’s ongoing criminal investigation it couldn’t comment on why some of the vulnerabilities disclosed by DIVDwere still exploitable months later. Kaseya resolved four of the vulnerabilities disclosed by DIVDthrough patches released April 10 and May 8, but three vulnerabilities remained unresolved heading into late June, according to DVID.
On June 26, Kaseya started deploying version 9.5.7 of its VSA SaaS product, which DIVDsaid would resolve both a credentials leak and business logic flaw as well as a cross-site scripting vulnerability. Kaseya VSA 9.5.7 was slated to be generally available to Kaseya’s on-premises customers July 7. But five days earlier, REvil exploited the credentials leak and business logic flaw to compromise on-premises VSA.
“We were in a coordinated vulnerability disclosure process with the vendor while this happened,” DIVD’s Victor Gevers wrote on Twitter Saturday night. “The CVEs [descriptions of the vulnerabilities] were ready to be published; the patches were made and prepared for distribution; and we mapped all online instances to help speed up the process.”
DIVDwent into more detail Wednesday about its work with Kaseya, disclosing both a timeline of its work with the company as well as limited details on the seven security issues it had flagged. The final vulnerability identified by DVID—a two-factor authentication bypass—was to be resolved by Kaseya VSA 9.5.7, but DIVDdidn’t indicate in its timeline that the June 26 VSA SaaS release addressed the matter.
“Given the serious nature of these vulnerabilities and the obvious consequences of abuse of Kaseya VSA, we will not disclose the full details of the vulnerabilities until such time that Kaseya has released a patch and this patch has been installed on a sufficient number of systems,” Breedijk wrote Wednesday.
Since Kaseya was in the process of fixing the vulnerability that was ultimately exploited in the cyberattack, some researchers have speculated that REvil might have been monitoring the company’s communications from the inside. But DVID’s Gevers suggested in a tweet that the vulnerability was easy to exploit.
“If I would show you the PoC [Proof of Concept], you would know how and why [REvil found the vulnerability]. Instantly,” Gevers wrote on Twitter at 8:14 p.m. ET Saturday.
Kaseya initially planned to restore service for its VSA SaaS product Saturday night, but the restart got pushed back then delayed indefinitely late Tuesday after an issue was discovered during deployment. A Kaseya spokesperson told CRN Wednesday afternoon that agency and private groups testing VSA SaaS recommended the company take additional steps before making the product available online again.
“Kaseya’s response to our disclosure has been on point and timely, unlike other vendors we have previously disclosed vulnerabilities to,” DVID’s Breedijk wrote Wednesday. “We have no indication that Kaseya is hesitant to release a patch. Instead, they are still working hard to make sure that after their patch, the system is as secure as possible to avoid a repeat of this scenario.”