The overwhelming majority of customers using the software-as-a-service (SaaS) model of Kaseya's VSA endpoint and network management product should by now have had their services restored as the company recovers from a 2 July REvil ransomware attack.
Kaseya released a patch for the vulnerabilities exploited by REvil to its on-premise customers slightly ahead of schedule on the afternoon of Sunday 11 July, and began the process of deploying it to its SaaS infrastructure.
As of early on the morning of Monday 12 July, said Kaseya, the process was well in hand. In a statement, the company said: "The restoration of services is progressing, with 95% of our SaaS customers live and servers coming online for the rest of our customers in the coming hours. Our support teams are working with VSA On-Premises customers who have requested assistance with the patch."
The patch, VSA release 9.5.7.a, fixes three disclosed common vulnerabilities and exposures (CVEs). These are CVE-2021-30116, a credential leakage and business logic flaw; CVE-2021-30119, a cross-site scripting vulnerability; and CVE-2021-30120, a two-factor authentication bypass.
It also fixes three separate issues: one where the secure flag was not set on user portal session cookies; one where certain API responses would contain a password hash that could potentially expose weak passwords to a brute-force attack; and one that could have allowed the unauthorised upload of files to the VSA server.
A full breakdown of the patch, including additional instructions for on-premises users, and more details of changes to authentication policy, agent packages and procedures, and some features that must remain temporarily unavailable pending further consideration, can be found here.
Analysts at Huntress have confirmed that on application of the patch, the proof-of-concept exploit fails and thus the attack vector does appear to have been eliminated. However, for some users of the on-premise servers, there may still be some concern that their powered-off systems could still have pending jobs queued to ransom more endpoints once they are back online. Users should therefore be sure to clear these out.
Meanwhile, as Kaseya begins the process of moving forward, the company is facing allegations from former staffers that it had invited trouble by prioritising product and feature upgrades over cyber security.
According to Bloomberg, which spoke to some of the disaffected employees, some apparently quit out of frustration, while another, who supposedly provided the company's leadership with a 40-page memo detailing problems with VSA, says they were fired a fortnight later.
Among the allegations are claims that Kaseya was using outdated code, failing to implement proper encryption, and not routinely patching its products. The employees also said that the REvil attack was not the first time Kaseya products had been exploited by ransomware gangs.
In a statement provided to Gizmodo, Kaseya said it was focused on its investigation and on assisting customers affected by the attack, not on "random speculation".