Dutch researchers shed new light on Kaseya vulnerabilities

In the weeks leading up to the disastrous attack on its VSA platform, Kaseya was working with researchers to patch the authentication bypass bug hackers exploited to deliver ransomware to hundreds of companies.

A team of researchers at the Dutch Institute for Vulnerability Disclosure posted a pair of articles outlining how and when they found a series of vulnerabilities in the tools Kaseya provides to managed service providers (MSPs). According to the DIVD, the vulnerability that would become known as CVE-2021-30116 was one of seven bugs its team had uncovered in the Kaseya VSA software.

The authentication bypass flaw was one of two vulnerabilities attackers exploited when they broke into the VSA update service and used the compromised site to send customers a REvil ransomware payload. The DIVD did not say what the second vulnerability was that attackers exploited.

"Last weekend we found ourselves in the middle of a storm," wrote DIVD-CSIRT manager Frank Breedijk in a limited disclosure post on the Kaseya vulnerabilities. "A storm created by the ransomware attacks executed via Kaseya VSA, using a vulnerability which we confidentially disclosed to Kaseya, together with six other vulnerabilities."

According to the DIVD's account of events, it had privately been in touch with Kaseya since April to report the seven bugs it found in the MSP software vendor's internet-facing services and applications. Some had already been patched back in April and May, while others were in the process of being fixed when the attack on VSA occurred.

In addition to CVE-2021-30116, the DIVD says its team uncovered a SQL injection flaw, CVE-2021-30117, patched in May; a remote code execution vulnerability, CVE-2021-30118, patched in April; a cross-site scripting error, CVE-2021-30119, for which a patch is in progress; a two-factor authentication bypass, CVE-2021-30120, to be patched in the upcoming VSA version 9.5.7; a local file inclusion vulnerability, CVE-2021-30121, patched in May; and an XML external entity bug, CVE-2021-30201, patched in May.

The researchers said they had stayed quiet about the vulnerabilities out of concern that giving word of the bug would open the door to attacks.

"When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands," Breedijk wrote. "After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do. We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA."

The new information from the DIVD raises the possibility that the attack might have been the result of a leak in the confidential disclosure process.

Unfortunately, the DIVD said, it was unable to get the bugs patched before criminal hackers spotted and exploited one of them, in what Breedijk called a "worst-case scenario." The researchers did note that Kaseya had been responsive to its reports and was working diligently to get the fixes out.

The secrecy and hard work, however, ended up being all for naught as, on July 2, the criminals launched their ransomware attack, demanding a $70 million cryptocurrency ransom in exchange for decryption keys. There is no indication so far that any payment has been made.

The new information from the DIVD raises the possibility that the attack might have been the result of a leak in the confidential disclosure process, particularly when combined with the fact that the attackers were aware that specific VSA directories had been exempted from antivirus protections. Earlier this year, Microsoft investigated a possible leak of several high-profile zero-day bugs in its Exchange Server software; the vulnerabilities were exploited by nation-state threat actors prior to their public disclosure and patching.