One of the vulnerabilities found in Kaseya’s IT management software was reported to the vendor earlier this year, in April. A patch was not ready in time, however, and the bug was exploited by attackers who went on to affect up to 1,500 businesses.
As many publications have indicated in their coverage this week, deployments of Kaseya’s flagship VSA (virtual system administrator) were hijacked at the beginning of this month to inject REvil ransomware into networks across the globe.
Kaspersky Lab said it saw evidence of 5,000 attempted infections in 22 countries within three days of the attack’s discovery.
A massive attack
Kaseya had to ‘unplug’ the VSA, which is offered as software-as-a-service, and urged all customers to switch off their on-premises VSA servers to avoid being hit by the ransomware. Kaseya’s customers are usually managed service providers looking after their own IT assets and those of their customers.
By compromising the VSA deployments, these criminals have managed to hijack a staggering number of systems downstream.
Let’s go back to April, when the Dutch Institute for Vulnerability Disclosure (DIVD) privately reported seven security bugs in VSA to Kaseya. Four were patched, while the remaining three were scheduled to be fixed in the 9.5.7 release.
A lost race
The unfortunate thing is that one of the unpatched bugs, designated CVE-2021-30116, was exploited by the attackers before its fix could be released. The bug is a logic flaw that could leak credentials.
Victor Gevers, the chairman of DIVD, praised the response by Kaseya, saying that once the company was made aware of the problem, they cooperated with the institute to solve it.
Kaseya showed that it was proactive and willing to cooperate, according to Gevers. However, it was beaten to the finishing line by the REvil ransomware operators, who exploited the bug before a patch could be applied.