Kaseya VSA vulnerabilities reported three months ago

A group of Dutch researchers reported vulnerabilities in the Kaseya VSA platform in April. The Florida company has released patches for some of them, but three bugs have not yet been fixed. One of them was used to carry out the ransomware attack on July 2. As often happens in these situations, attackers have started a spam campaign to distribute malware.

Kaseya has known everything since April

The Dutch researchers discovered seven vulnerabilities in Kaseya VSA during research that began in early April. The US company was notified on April 6. Four bugs were fixed between April 10 and May 8. Fixes for the other three will have to wait for software version 9.5.7. The vulnerability identified as CVE-2021-30120 is the one exploited by the REvil group to bypass two-factor authentication and install the ransomware.

The researchers did not disclose any details of the vulnerabilities, following so-called “responsible disclosure”. Details will be published only after all patches have been released and installed on as many systems as possible. Kaseya has announced that there was a problem releasing one of the patches, so the procedure was aborted. The company has published a “runbook” listing the sequence of steps to follow before installing the patches and therefore before restarting the VSA software.

Malwarebytes has in the meantime discovered a spam campaign that takes advantage of the situation. Some Kaseya customers have received an email with an attachment purporting to be a Microsoft patch for the Kaseya VSA vulnerabilities. It is actually the Cobalt Strike tool, which allows remote access to computers.
