
Kaseya offers pre-patch instructions for on-prem VSA customers

Kaseya releases pre-patch instructions to prepare on-premises clients for access once a patch is released following a widespread ransomware attack. (“Server room” by torkildr is licensed under CC BY-SA 2.0)

Though Kaseya was unable to start relaunching the software-as-a-service VSA remote management product or provide a patch for its on-premises VSA customers Wednesday, the company did release pre-patch instructions to prepare on-premises clients for the coming update.

"We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment. We apologize for the delay and changes to the plans as we work through this fluid situation," Kaseya wrote in several separate posts throughout the day.

Kaseya has been dealing with restoring service after a flurry of REvil ransomware installations in its on-premises VSA product Friday. The SaaS servers were shut down as a precautionary measure.

Kaseya suggested throughout the week that SaaS servers might be back online as early as Tuesday, July 6, and that a patch could have been released late Wednesday. Neither timeframe was met.

There were hints that SaaS was very nearly restored Wednesday morning. Early that morning, the Cybersecurity and Infrastructure Security Agency (CISA) published advice for customers returning to VSA SaaS, written as if service had been restored, with links to Kaseya guidance that was never posted. CISA quickly removed the post.

But Kaseya was able to publish instructions for on-prem customers to prepare for the update.

Those instructions include isolating the server and checking for indicators of compromise to allow the servers to safely reconnect to the internet. From there, those systems need to update Windows and SQL Server. Following that, VSA clients need to restrict access to a corporate LAN or VPN. The instructions then say to install the FireEye agent, for which Kaseya is providing a complimentary license, and cancel all pending instructions that accumulated since shutdown.

Also on Wednesday, DIVD provided additional evidence to support its claim it had disclosed the VSA bugs to Kaseya, revealing that it first contacted the company in April. The blog post lists seven separate CVEs, four of which had already been patched. The three that had not been patched are a credentials leak and business logic flaw (CVE-2021-30116), a cross-site scripting vulnerability (CVE-2021-30119) and a two-factor identification vulnerability (CVE-2021-30120). While DIVD was vague in describing the vulnerabilities, citing a desire not to cause more damage, one unpatched vulnerability may be at least notionally similar to an authentication flaw described by researchers at the early stage of the ransomware attack.

Additionally of note, one of the already-patched vulnerabilities from DIVD was a SQL flaw. Though that may have been fixed, researchers at Huntress have said any one of “a significant amount of potential SQL injection vulnerabilities, which would offer an attack vector for code execution and the ability to compromise the VSA server” may have been leveraged in the attack.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
