Kaseya to meet Monday to determine fate of SaaS VSA tool

Staff work in a data center and server farm in Switzerland. (Dean Mouhtaropoulos/Getty Images)

Kaseya announced Sunday evening on its blog that its executive team would meet Monday to discuss bringing the software-as-a-service VSA remote monitoring and management tool back online. The company also said Monday would be the day it disclosed a timeline for the release of a patched on-premises VSA product.

The SaaS version of VSA was taken offline as a cautionary measure on Friday after a REvil ransomware affiliate started hacking managed service providers using on-premises installations of VSA. Kaseya warned on-premises customers Friday to turn off VSA servers.

The executive board will meet between 4 a.m. and 8 a.m. ET to discuss restoring the European and Asia-Pacific servers. It will discuss the United States servers between 5 p.m. and 8 p.m.

Kaseya said it will reopen SaaS servers one at a time, and warned users to expect a change in IP addresses as part of a security upgrade.

On Sunday, the FBI, CISA and the White House National Security Council all advised VSA users to follow Kaseya's mitigation advice.

"If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov," said the FBI in a statement.

Huntress Labs, whose live-blogged incident response thread on Reddit was largely responsible for sounding the alarm about the ransomware, provided more clarity about the pathway of the attack. The hackers, who routed parts of their operation through AWS servers, exploited an authentication bypass logic flaw in the file "dl.asp." That bypass allowed them to access KUpload.dll and upload the malicious "agent.crt" and "Screenshot.jpeg" files.

Finally, the attackers accessed "userFilterTableRpt.asp" which contained, per Huntress, "a significant amount of potential SQL injection vulnerabilities, which would offer an attack vector for code execution and the ability to compromise the VSA server."
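A defender-side illustration of that three-step chain, added here and not part of the original article or of any Kaseya or Huntress tooling: a short Python script that scans IIS-style web-server log lines for a single client reaching dl.asp, then KUpload.dll, then userFilterTableRpt.asp in that order. The W3C field layout and the sample log lines are constructed assumptions, not real VSA logs.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C log lines (not real Kaseya VSA logs). Assumed field
# layout: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
# c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2021-07-02 14:01:03 10.0.0.5 GET /dl.asp - 443 - 198.51.100.7 curl/7.68.0 200
2021-07-02 14:01:05 10.0.0.5 POST /KUpload.dll - 443 - 198.51.100.7 curl/7.68.0 200
2021-07-02 14:01:09 10.0.0.5 GET /userFilterTableRpt.asp - 443 - 198.51.100.7 curl/7.68.0 200
2021-07-02 14:02:11 10.0.0.5 GET /dl.asp - 443 - 203.0.113.9 Mozilla/5.0 200
2021-07-02 14:05:00 10.0.0.5 GET /userFilterTableRpt.asp - 443 admin 192.0.2.4 Mozilla/5.0 200
"""

# The three stages in the order Huntress described them: authentication bypass
# in dl.asp, file upload through KUpload.dll, then the SQL-injectable report page.
STAGES = ("/dl.asp", "/KUpload.dll", "/userFilterTableRpt.asp")

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<method>\S+) (?P<stem>\S+) \S+ \S+ "
    r"(?P<user>\S+) (?P<client>\S+) \S+ (?P<status>\d{3})$"
)


def parse_lines(text):
    """Yield one dict per log line that matches the assumed W3C layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_chains(text):
    """Return client IPs that hit all three stages in order.

    Each client advances a per-client counter only when its request matches the
    next expected stage; a client that only reaches one endpoint is never flagged.
    """
    progress = defaultdict(int)  # client IP -> index of the next expected stage
    flagged = []
    for rec in parse_lines(text):
        client = rec["client"]
        idx = progress[client]
        if idx < len(STAGES) and rec["stem"].lower() == STAGES[idx].lower():
            progress[client] += 1
            if progress[client] == len(STAGES):
                flagged.append(client)
    return flagged
```

Clients that hit only one of the endpoints (203.0.113.9, and the authenticated admin session from 192.0.2.4) are not flagged, which keeps ordinary report usage out of the alert.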

The company DIVD claimed in a blog post that "Wietse Boonstra, a DIVD researcher, has previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks. And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines (aka coordinated vulnerability disclosure)."

Kaseya would not confirm the DIVD's claims, citing the active FBI investigation, but said DIVD were "a valuable partner," and that "more companies should work with them."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
