Important security updates were provided by the software vendor, and the company's infrastructure was strengthened

Jul 12, 2021 17:47 GMT

On Sunday, Kaseya issued software updates to address major vulnerabilities in its Virtual System Administrator (VSA), according to The Hacker News. The flaws were used as a launchpad for attacks on over 1,500 companies globally in what may be the most aggressive supply chain ransomware attack to date. 

At the time of the attack, Kaseya had no choice but to ask its customers to shut down their servers until the problem was fixed. The updated version of the VSA (9.5.7.2994) fixes three new vulnerabilities: CVE-2021-30120 (two-factor authentication bypass), CVE-2021-30119 (cross-site scripting vulnerability), and CVE-2021-30116 (credential leak and business logic flaw).

The new version also resolves a few additional issues, including a vulnerability that could be used to gain unauthorized access to VSA files and a problem that exposed weak password hashes in several API responses, leaving them open to brute-force attacks.

According to Bloomberg's reports, five former Kaseya workers expressed concerns about visible security flaws in the company's software over a period of five years until last year, but their warnings were ignored.

The report reads: "Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya's products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales at the expense of other priorities."

Kaseya strengthens its infrastructure in terms of cybersecurity 

The company has not only completed the rollout of the patch for its VSA remote monitoring and management software in the on-premises versions, but also the recommissioning of the VSA SaaS infrastructure.

Earlier this week, Kaseya warned that spammers are taking advantage of the current ransomware situation by sending scam emails that appear identical to Kaseya update notifications. The emails infect clients with Cobalt Strike payloads, which give the attackers a backdoor into the victims' systems and let them deploy the next stage of malware.

Kaseya recommends that its customers block incoming port 443 on their routers or firewalls so that only local IP addresses have access to the VSA Web GUI.
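
One way to confirm that the port 443 restriction is holding, as an added example (not code from the article or from Kaseya): scan the web server's access log for port 443 requests whose client address is not local. It assumes the server writes W3C extended logs with a `#Fields:` header; the log lines, URL paths and the `LOCAL_NETS` ranges below are constructed for illustration.

```python
import ipaddress

# Assumption: "local" means RFC 1918, loopback and IPv6 unique-local space.
# Replace with the site's real internal ranges. Explicit networks are used
# because ipaddress.is_private also returns True for documentation ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]

# Constructed sample in W3C extended log format (not real traffic;
# the paths are placeholders).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2021-07-12 09:01:10 10.0.0.5 GET /login 443 10.0.0.23 200
2021-07-12 09:02:41 10.0.0.5 GET /login 443 203.0.113.77 200
2021-07-12 09:03:02 10.0.0.5 GET /health 80 198.51.100.9 200
2021-07-12 09:04:55 10.0.0.5 POST /login 443 198.51.100.9 403
2021-07-12 09:05:00 10.0.0.5 GET /login 443 192.168.1.40 200
"""

def is_local(addr):
    """True if addr falls inside one of the configured local networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)

def external_hits(log_text, port="443"):
    """Return (date, time, client IP, status) for non-local requests to port."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("s-port") != port:
            continue
        try:
            local = is_local(row.get("c-ip", ""))
        except ValueError:
            local = False                  # unparsable client address: report it
        if not local:
            hits.append((row.get("date"), row.get("time"),
                         row.get("c-ip"), row.get("sc-status")))
    return hits

if __name__ == "__main__":
    for hit in external_hits(SAMPLE_LOG):
        print("non-local client reached port 443:", *hit)
```

Any hit dated after the firewall change means the rule is not in the traffic path or is being bypassed, for example by a forwarded port or a second interface.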