fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Kaseya patches VSA vulnerabilities used in REvil ransomware attack

Kaseya patches VSA vulnerabilities used in REvil ransomware attack

Kaseya

Kaseya has released a security update for the VSA zero-day vulnerabilities used by the REvil ransomware gang to attack MSPs and their customers.

Kaseya VSA is a remote management and monitoring solution commonly used by managed service providers to support their customers. MSPs can deploy VSA on-premise using their servers or utilize Kaseya’s cloud-based SaaS solution.

In April, the Dutch Institute for Vulnerability Disclosure (DIVD) disclosed seven vulnerabilities to Kaseya:

  • CVE-2021-30116 – A credentials leak and business logic flaw, to be included in 9.5.7
  • CVE-2021-30117 – An SQL injection vulnerability, resolved in May 8th patch.
  • CVE-2021-30118 – A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
  • CVE-2021-30119 – A Cross Site Scripting vulnerability, to be included in 9.5.7
  • CVE-2021-30120 – 2FA bypass, to be resolved in v9.5.7
  • CVE-2021-30121 – A Local File Inclusion vulnerability, resolved in May 8th patch.
  • CVE-2021-30201 – A XML External Entity vulnerability, resolved in May 8th patch.

Kaseya had implemented patches for most of the vulnerabilities on their VSA SaaS service but had not completed the patches for the on-premise version of VSA.

Unfortunately, the REvil ransomware gang beat Kaseya to the finish line and utilized these vulnerabilities to launch a massive attack on July 2nd against approximately 60 MSPs using on-premise VSA servers and 1,500 business customers.

It is unclear which vulnerabilities were used in the attack, but it is believed to be one or a combination of CVE-2021-30116, CVE-2021-30119, and CVE-2021-30120.

Also Read: The 5 Phases of Penetration Testing You Should Know

Kaseya releases security updates

Since the attack, Kaseya has urged on-premise VSA customers to shut down their servers until a patch is ready.

Almost ten days after the attacks, Kaseya has released the VSA 9.5.7a (9.5.7.2994) update to fix the vulnerabilities used in the REvil ransomware attack.

With this release, Kaseya has fixed the following vulnerabilities:

  • Credentials leak and business logic flaw: CVE-2021-30116 
  • Cross Site Scripting vulnerability: CVE-2021-30119 
  • 2FA bypass: CVE-2021-30120 
  • Fixed an issue where secure flag was not being used for User Portal session cookies. 
  • Fixed an issue where certain API responses would contain a password hash, potentially exposing any weak passwords to brute force attack. The password value is now masked completely. 
  • Fixed a vulnerability that could allow unauthorized upload of files to the VSA server. 

However, Kaseya is urging customers to follow the ‘On Premises VSA Startup Readiness Guide‘ steps before installing the update to prevent further breaches and make sure devices are not already compromised.

Below are the basic steps that admins should perform before starting up VSA servers again and connecting them to the Internet:

  • Ensure your VSA server is isolated 
  • Check System for Indicators of Compromise (IOC)  
  • Patch the Operating Systems of the VSA Servers 
  • Using URL Rewrite to control access to VSA through IIS 
  • Install FireEye Agent 
  • Remove Pending Scripts/Jobs

Of these steps, it is critical that on-premise VSA servers not be publicly accessible from the Internet to prevent compromise while installing the patch.

Kaseya also urges customers to utilize their “Compromise Detection Tool,” a collection of PowerShell scripts to detect whether a VSA server or endpoints have been compromised.

The scripts will check VSA servers for the presence of ‘Kaseya\webpages\managedfiles\vsaticketfiles\agent.crt’ and ‘Kaseya\webpages\managedfiles\vsaticketfiles\agent.exe,’ and ‘agent.crt’ and ‘agent.exe’ on endpoints. 

The REvil affiliate used the agent.crt and agent.exe files to deploy the REvil ransomware executable.

For additional security, Kaseya is also suggesting on-premise VSA admin restrict access to the web GUI to local IP addresses and those known to be used by security products.

“For VSA On-Premises installations, we have recommended limiting access to the VSA Web GUI to local IP addresses by blocking port 443 inbound on your internet firewall.  Some integrations may require inbound access to your VSA server on port 443.  Below are a list of IP addresses you can whitelist in your firewall (allow 443 inbound to FROM ), if you are using these integrations with your VSA On-Premises product.” explains Kaseya.

After installing the patch, all users will be required to change their password to one using new password requirements.

Also Read: How Does Ransomware Work? Examples and Defense Tips

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us