CVE-2021-30116: Multiple Zero-Day Vulnerabilities in Kaseya VSA Exploited to Distribute REvil Ransomware
Disclaimer: Gulf-Pointe Solutions is not impacted by the recent supply chain ransomware attack. We do not use Kaseya VSA, so our products and infrastructure are not vulnerable to the zero-days used in the attack.
On July 2, reports emerged that a number of companies whose networks are administered by managed service providers (MSPs) using Kaseya Virtual System Administrator (VSA), a remote monitoring and management (RMM) software from Kaseya Limited, became the victims of a large-scale ransomware attack.
The attacks have been attributed to REvil, also known as Sodinokibi, one of the most active ransomware groups today. REvil operates as a ransomware-as-a-service (RaaS), whereby they develop the ransomware payload itself and provide the infrastructure for managing victim communications for negotiating payment and distribution of decryption tools for victims post payment.
REvil does not attack organizations directly; rather, it relies on affiliates, who do the dirty work of breaking into networks and deploying the ransomware. Affiliates receive a large portion of the ransom payment, while REvil takes a percentage for providing the ransomware and supporting infrastructure.
Similar to many other ransomware groups, REvil operates a leak website, where they publish the names of their victims along with a sampling of files they exfiltrated from the victim’s network. This is part of a tactic known as double extortion, which was pioneered by the Maze ransomware group in late 2019. Through double extortion, ransomware groups have seen their profits skyrocket, which has led to more activity in the space, and subsequently fueled the number of attacks.
On July 5, Kaseya confirmed that multiple zero-day vulnerabilities were used to target vulnerable VSA server instances, including an authentication bypass flaw and an arbitrary command execution vulnerability. No specific details about the vulnerabilities were shared at the time and no additional CVEs have been reported. Researchers analyzing the attack describe three vulnerabilities:
- Authentication Bypass Vulnerability
- Arbitrary File Upload Vulnerability
- Code Injection Vulnerability
Huntress Labs, for example, believes the attackers were able to gain access to VSA servers through the use of the authentication bypass flaw.
“[...] we have high confidence that the threat actor used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via code injection.”
In a later update, Huntress Labs said new evidence suggests that SQL injection may not have been the complete attack vector leading to code execution, and that another injection attack may be part of the attack chain.
Coordinated disclosure of zero-day vulnerabilities
On July 4, researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) Computer Security Incident Response Team (CSIRT) published a blog post saying they’ve been working with Kaseya to coordinate the disclosure of “a number of zero-day vulnerabilities” in Kaseya VSA. They highlighted CVE-2021-30116, a vulnerability that they say is being used in these ransomware attacks, though they did not provide any further details about the other vulnerabilities. We suspect that these include the arbitrary file upload and code injection flaws.
While there has been no direct confirmation, we suspect that CVE-2021-30116 is the authentication bypass vulnerability called out by Huntress Labs and TrueSec.
REvil publishes notice on their leak website
On July 4, REvil published a post to their leak website, confirming that they were behind the attack against Kaseya.
Proof of concept
At the time this blog post was published, there were no public proof-of-concept exploits for any of the vulnerabilities in Kaseya VSA.
Following the discovery of the vulnerabilities, Kaseya has been sharing updates for customers and other interested parties on its website. Kaseya proactively shut down its software-as-a-service (SaaS) servers while it investigated the attack, though it does not believe the attackers targeted SaaS customers. It appears the impacted organizations used Kaseya VSA on-premises.
Kaseya has stated that a patch has been developed and is undergoing “testing and validation” prior to being released to customers. SaaS servers are expected to be brought back online on July 6th between 2:00 PM – 5:00 PM EDT, and the patch for on-premises customers is expected to be released within 24 hours after the SaaS servers are online. For the most up-to-date information, please refer to Kaseya's update page.
Because the attack appears to have impacted Kaseya VSA on-premise customers, Kaseya has instructed those customers to shut down their VSA servers until a patch is available,