Kaseya to meet on Monday to determine fate of SaaS VSA tool
Kaseya announced Sunday night on its blog that its management team would meet on Monday to discuss bringing the software-as-a-service (SaaS) version of its VSA remote monitoring and management tool back online. The company also said Monday will be the day it discloses a timeline for the release of a patched VSA product.
The SaaS version of VSA was taken offline as a precaution on Friday after a REvil ransomware affiliate began breaking into managed service providers through their on-premises installations of VSA. Kaseya warned on-premises customers on Friday to shut down their VSA servers.
The board will meet between 4:00 a.m. and 8:00 a.m. ET to discuss the servers for Europe and Asia/Pacific. It will discuss the servers in the United States between 5 p.m. and 8 p.m.
Kaseya said it will reopen SaaS servers one by one and warned users to expect a change of IP addresses as part of a security upgrade.
“If you believe that your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to use all recommended mitigation measures, follow the instructions of Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to immediately shut down your VSA servers, and report your compromise to the FBI at ic3.gov,” the FBI said in a statement.
Huntress Labs, the organization whose Reddit thread live-blogging the incident response was largely responsible for raising the alarm about the ransomware, provided more clarity on the path of the attack. According to Huntress, the hackers, who routed parts of their operation through AWS servers, exploited an authentication bypass logic flaw in the “dl.asp” file. This bypass allowed them to access KUpload.dll and download the malicious “agent.crt” and “Screenshot.jpeg” files.
Finally, the attackers accessed “userFilterTableRpt.asp”, which contained, according to Huntress, “a significant amount of potential SQL injection vulnerabilities, which would provide an attack vector for code execution and the possibility of compromising the VSA server.”
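A log-hunting sketch for the request sequence Huntress describes, added here as an example and not code from Huntress or Kaseya. It assumes IIS W3C extended logs with `c-ip` and `cs-uri-stem` fields; the sample log lines, IP addresses and the placeholder directory are constructed, and the function names are hypothetical.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# File names taken from the article, in the order the attack path is described.
CHAIN = ["dl.asp", "kupload.dll", "userfiltertablerpt.asp"]

# Constructed sample in IIS W3C extended format. IPs are documentation ranges
# and the directory in the KUpload.dll request is a placeholder, not a real path.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-07-02 10:01:12 198.51.100.7 GET /index.asp 200
2021-07-02 10:02:40 192.0.2.10 POST /dl.asp 302
2021-07-02 10:02:41 192.0.2.10 POST /PLACEHOLDER/KUpload.dll 200
2021-07-02 10:02:43 198.51.100.7 GET /dl.asp 200
2021-07-02 10:02:44 192.0.2.10 POST /userFilterTableRpt.asp 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def hunt(text):
    """Return {client_ip: [file names]} for clients that requested all three
    files in the order the article describes (matched by base name only)."""
    progress = defaultdict(list)
    for row in parse_w3c(text):
        name = PurePosixPath(row.get("cs-uri-stem", "")).name.lower()
        seen = progress[row.get("c-ip", "")]
        # Advance only when the next expected file in the chain is requested.
        if len(seen) < len(CHAIN) and name == CHAIN[len(seen)]:
            seen.append(name)
    return {ip: seen for ip, seen in progress.items() if len(seen) == len(CHAIN)}

if __name__ == "__main__":
    for ip, files in hunt(SAMPLE_LOG).items():
        print(f"review requests from {ip}: {' -> '.join(files)}")
```

A hit is a lead for manual review of that client's requests, not proof of compromise, since these files can also be requested during normal use.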
DIVD claimed in a blog post that “Wietse Boonstra, a DIVD researcher, has already identified a number of zero-day vulnerabilities [CVE-2021-30116] which are currently used in ransomware attacks. And yes, we reported these vulnerabilities to Kaseya under Responsible Disclosure Guidelines (aka Coordinated Vulnerability Disclosure).”
Kaseya did not confirm DIVD’s claims, citing the active FBI investigation, but said DIVD was “a valuable partner” and “more companies should work with them.”