The vast majority of users running the software-as-a-service (SaaS) version of Kaseya’s VSA endpoint and network management product should by now have had their services restored as the company recovers from a 2 July REvil ransomware attack.
Kaseya released a patch for the vulnerabilities exploited by REvil to its on-premise customers slightly ahead of schedule on the afternoon of Sunday 11 July, and began the process of deploying to its SaaS infrastructure.
As of early on the morning of Monday 12 July, said Kaseya, the process was well in hand. In a statement, the company said: “The restoration of services is progressing, with 95% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours. Our support teams are working with VSA On-Premises customers who have requested assistance with the patch.”
The patch, VSA 9.5.7.a release fixes three disclosed common vulnerabilities and exposures (CVEs). These are CVE-2021-30116, a credential leakage and business logic flaw; CVE-2021-30119, a cross-site scripting vulnerability; and CVE-2021-30120, a two-factor authentication bypass.
It also fixes three separate issues, one where the secure flag was not used for user portal session cookies; one where certain API responses would contain a password hash that could potentially expose weak passwords to a brute force attack; and one that could have allowed the unauthorised upload of files to the VSA server.
A full breakdown of the patch, including additional instructions for on-premises users, and more details of changes to authentication policy, agent packages and procedures, and some features that must remain temporarily unavailable pending further attention, can be found here.
Analysts at Huntress have confirmed that on application of the patch, the proof-of-concept exploit fails and thus the attack vector does appear to have been eliminated. However, for some users of the on-premise servers, there may still be some concerns that their powered-off systems may still have pending jobs queued to ransom more endpoints once they are back online. Users should therefore be sure to clear these out.
Meanwhile, as Kaseya begins the process of moving forward, the company is facing allegations from former staffers that it had invited trouble by prioritising product and feature upgrades over cyber security.
According to Bloomberg, which spoke to some of the disaffected employees, some apparently quit out of frustration, while another who supposedly provided the company’s leadership with a 40-page memo detailing problems with VSA, says that they were fired a fortnight later.
Among the allegations are claims Kaseya was using outdated code, failing to implement proper encryption, and not routinely patching its products. The employees also said that the REvil attack was not the first time Kaseya products had been exploited by ransomware gangs.
In a statement provided to Gizmodo, Kaseya said it was focused on its investigation and assisting customers affected by the attack, not on “random speculation”.