Managed security, Ransomware

Kaseya to meet Monday to determine fate of SaaS VSA tool

Staff work in a data center and server farm in Switzerland. The SaaS version of Kaseya VSA was taken offline as a cautionary measure on Friday after a REvil ransomware affiliate started hacking managed service providers using on-premises installations of VSA.(Dean Mouhtaropoulos/Getty Images)

Kaseya announced Sunday evening on its blog that its executive team would meet Monday to discuss bringing the software-as-a-service VSA remote monitoring and management tool back online. The company also said Monday would be the day it disclosed a timeline for the release of a patched on-premises VSA product.

The SaaS version of VSA was taken offline as a cautionary measure on Friday after a REvil ransomware affiliate started hacking managed service providers using on-premises installations of VSA. Kaseya warned on-premises customers Friday to turn off VSA servers.

Click here for all of the latest news on the Kaseya cyberattack.

The executive board will meet between 4 a.m. and 8 a.m. ET, to discuss restoring European and Asian/Pacific servers. They will discuss the United States servers between 5 p.m. and 8 p.m.

Kaseya said it will reopen SaaS servers one at a time, and warned users to expect a change in IP addresses as part of a security upgrade.

On Sunday, the FBI, CISA and White House National Security council all advised VSA users to follow Kaseya's mitigation advice.

"If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov," said the FBI in a statement.

Huntress Labs, the organization whose Reddit thread live blogging incident response was largely responsible for sounding the alarm about the ransomware, provided more clarity about the pathway of the attack. The hackers, who routed parts of their operation through AWS servers, would exploit an authentication bypass logic flaw in the file "dl.asp." That bypass allowed them to access KUpload.dll and upload the malicious "agent.crt" and "Screenshot.jpeg" files.

Finally, the attackers accessed "userFilterTableRpt.asp" which contained, per Huntress, "a significant amount of potential SQL injection vulnerabilities, which would offer an attack vector for code execution and the ability to compromise the VSA server."

The company DIVD claimed in a blog post that "Wietse Boonstra, a DIVD researcher, has previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] which are currently being used in the ransomware attacks. And yes, we have reported these vulnerabilities to Kaseya under responsible disclosure guidelines (aka coordinated vulnerability disclosure)."

Kaseya would not confirm the DIVD's claims, citing the active FBI investigation, but said DIVD were "a valuable partner," and that "more companies should work with them."

prestitial ad