In the weeks leading up to the disastrous attack on its VSA platform, Kaseya was working with researchers to fix the authentication bypass bug that hackers were exploiting to deliver ransomware to hundreds of businesses.
A team of researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) published a pair of papers describing how and when they discovered a range of vulnerabilities in the tools Kaseya provides to managed service providers (MSPs). According to DIVD, the vulnerability that would become known as CVE-2021-30116 was one of seven bugs its team had discovered in the Kaseya VSA software.
The authentication bypass flaw was one of two vulnerabilities exploited by the attackers when they broke into the VSA Update Service and used the compromised site to push a REvil ransomware payload to clients. DIVD did not specify which vulnerability the attackers exploited second.
“Last weekend we found ourselves in the middle of a storm,” wrote DIVD-CERT director Frank Breedijk in a limited disclosure publication on Kaseya vulnerabilities. “A storm created by ransomware attacks executed through Kaseya VSA, using a vulnerability we have confidentially disclosed to Kaseya, along with six other vulnerabilities.”
According to the DIVD account of events, Breedijk had been in private contact with Kaseya since April to report the seven bugs his team had found in the MSP software provider's internet-facing services and applications. Some had already been fixed in April and May, while others were still being repaired when the attack on VSA occurred.
In addition to CVE-2021-30116, DIVD says its team had discovered a SQL injection flaw, CVE-2021-30117, fixed in May; a remote code execution flaw, CVE-2021-30118, fixed in April; a cross-site scripting flaw, CVE-2021-30119, for which a fix is in progress; a two-factor authentication bypass, CVE-2021-30120, to be fixed in the next VSA release, version 9.5.7; a local file inclusion vulnerability, CVE-2021-30121, fixed in May; and an XML external entity bug, CVE-2021-30201, fixed in May.
The researchers said they had kept quiet about the vulnerabilities, fearing that announcing the bugs could open the door to attacks.
“When we discovered the vulnerabilities in early April, it was obvious to us that we couldn’t let these vulnerabilities fall into the wrong hands,” wrote Breedijk. “After some deliberation, we decided that notifying the vendor and waiting for a patch to be delivered was the right thing to do. We speculated that, in the wrong hands, these vulnerabilities could lead to the compromise of a large number of computers managed by Kaseya VSA.”
Unfortunately, DIVD said, the bugs could not all be fixed before criminal hackers spotted and exploited one of them, in what Breedijk called the “worst case scenario”. The researchers noted that Kaseya had responded to their reports and was working diligently to produce the fixes.
Secrecy and hard work, however, ended up being in vain: on July 2, the criminals launched their ransomware attack, demanding a ransom of $70 million in cryptocurrency in exchange for decryption keys. There is no indication to date that a payment has been made.
The new DIVD information raises the possibility that the attack was the result of a leak in the confidential disclosure process, especially when combined with the fact that the attackers knew specific VSA directories had been excluded from antivirus protection. Earlier this year, Microsoft investigated a possible leak of several high-profile zero-day bugs in its Exchange Server software; those vulnerabilities were exploited by nation-state threat actors before their public disclosure and remediation.