JAKARTA - Miami-based software company Kaseya released a patch on Sunday, July 11 for its monitoring and management software, which was exploited by a ransomware group.
Kaseya has released a fix for the local version of the Virtual System Administrator (VSA) software. Kaseya said it expects the software-as-a-service version of VSA, which has also been patched, to gradually return online.
The latest release for both the local and SaaS versions is VSA 9.5.7a. Kaseya has updated its guidance for organizations on safely restarting VSA and has support staff on hand to assist customers, said Mike Sanders, executive vice president, in an earlier video update on Sunday, July 11.
The new version fixes CVE-2021-30116, a credential leak and business logic flaw; CVE-2021-30119, a cross-site scripting vulnerability; and CVE-2021-30120, a vulnerability that allows two-factor authentication to be bypassed. “The update also fixes three other issues,” said Fred Voccola, CEO of Kaseya.
Kaseya describes one issue where secure tokens were not used for user portal session cookies. Another fix addresses an issue where password hashes were exposed, which increased the chances of a successful brute-force attack. The last patch fixes a bug that allowed unauthorized file uploads to VSA servers.
The three vulnerabilities are the last of seven vulnerabilities that Kaseya has fixed since last April. The company was first warned by Dutch researchers about a problem in its VSA software.
The vulnerability was discovered by Wietse Boonstra, a researcher from the Dutch Institute of Vulnerability Disclosure (DIVD), which is a group of volunteer security researchers. DIVD notified Kaseya on April 6 about the vulnerability in VSA.
DIVD discovered seven vulnerabilities, six of which affected the SaaS version of VSA. Kaseya was still working on a fix for the issue when actors affiliated with the REvil ransomware group attacked on July 2.
VSA is software used by managed service providers to manage their clients' IT infrastructure. VSA is designed to allow remote administrators to update, customize, and deliver software, so the attackers used VSA as it was intended to be used, which enabled mass ransomware attacks.
Kaseya said that so far 60 of its own customers have been infected, bringing the total to 1,500 client organizations. That includes small businesses like accounting offices and restaurants, but also much larger companies like Swedish grocery chain Coop, whose point-of-sale devices were infected via its own Kaseya MSP software.