With Kaseya patch, IT teams begin the long slog to recovery

Join AI & data leaders at Transform 2021 on July 12th for the AI/ML Automation Technology Summit. Register today.


For organizations affected by the ransomware attack using Kaseya’s IT management platform, there is some good news: the company released a patch for the on-premise version of its IT management software on Sunday, along with a hardening guide and runbook.

Kaseya is still working to bring its software-as-a-service version of the Virtual System/Server Administrator (VSA) product back online for all customers, although access has been restored for the majority of the customers as of Monday morning. The original plan was to finish the rollout for the SaaS version before releasing the on-premise server patch, but deployment issues delayed the process.

“The restoration of services is progressing, with 95% of our SaaS customers live and the remaining servers coming online for the rest of our customers in the coming hours,” Kaseya said in its rolling updates.

The new version added “extra layers of protection to guard against things we could not foresee,” Kaseya CEO Fred Voccola said in a video message, promising the VSA would be “exponentially more secure” with all the work underway to harden it.

Slow data recovery

Ten days after the company warned of a cyberattack exploiting vulnerabilities in its software to launch ransomware attacks, the disruption continues. Approximately 60 direct customers — less than 0.1% of the company’s customers — and 800 to 1,500 downstream customers were affected by ransomware. It’s possible the number of victims would have been higher had Kaseya not instructed customers to immediately shut down the servers.

The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96% from roughly 1,500 on July 2, when the attacks began, to just 60 on July 8, according to statistics collected by Palo Alto Networks.

Cyberattacks, by definition, disrupt business operations but ransomware is particularly effective because it targets the organization’s data. It doesn’t matter whether the systems are up and running if the data itself is unavailable. IT teams have the choice of negotiating with the ransomware gangs to pay for the decryption key to recover the data or attempt to restore from backups. Neither choice is cheap or easy.

Complicating the recovery is the fact that a spam campaign is capitalizing on this attack by sending email messages pretending to be a security update. Clicking on the link in the message would download Cobalt Strike, a tool used to move laterally through a network, onto the recipient’s machine, according to Malwarebytes Threat Intelligence team. While Cobalt Strike is a legitimate tool used by network penetration testers, it is also popular among cybercriminals who use it to find sensitive information or deliver additional malware payloads.

“Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates,” the company warned. “Do not click on any links or download any attachments claiming to be a Kaseya advisory.”

Need more than a patch

Just because the patch is available doesn’t mean organizations can be up and running right away. Kaseya published a lengthy runbook — a series of instructions and routines for IT teams to execute as part of the process to restore on-premise services — and a guide with recommendations on hardening the servers. Customers are instructed to follow the runbook before proceeding with the update.

Adopting the recommendations and requirements will be non-trivial. That is on top of any testing IT teams will need to perform on their own before resuming operations. The runbook covers instructions for ensuring the VSA server is isolated from the rest of the network, checking for indicators of compromise, patching the underlying operating system, using URL rewrite to control access through the IIS server, installing the FireEye Agent remote access tool, and removing pending scripts and jobs. There is a separate runbook and hardening guide for SaaS customers.

The hardening recommendations includes limiting network access to the VSA by blocking all inbound traffic except for port 5721 (the agent port) and IP whitelisting, enabling multi-factor authentication on all accounts, applying the principle of least privilege to restrict administrative access to only authorized users, regularly auditing product logs. Kaseya is providing FireEye’s service for free to all customers to monitor the servers.

VSA functionality changed

The attackers exploited vulnerabilities in Kaseya VSA remote monitoring software to trigger authentication and code execution flaws. The release notes for both VSA on-prem and SaaS deployments include fixes for three CVE-issued vulnerabilities: a credentials leak and business logic flaw (CVE-2021-30116), a cross-site scripting (XSS) bug (CVE-2021-30119), and a two-factor authentication bypass (CVE-2021-30120).

Organizations will need to change their password once they have installed the patch and logged into the latest build. Kaseya has implemented a new authentication policy to enforce minimum password length (cannot be less than 16 characters) and complexity rules.

Along with fixing the specific vulnerabilities in the software, Kaseya’s team also implemented new security controls and redesigned some functionality. Some features — such as API endpoints — have been temporarily disabled. The API calls are being redesigned for the “highest level of security,” the company said, before promising the functions will be restored later in the year. The ability to download agent installer packages without authentication to VSA and the User Portal Page has been temporarily removed.

“This will impact some legitimate use cases where an agent is deployed to end-users by providing a download link, such as when using Live Connect on-Demand to provide ad-hoc remote support,” the company said. The release notes list all of the features that have been removed.

In the SaaS version, certain API responses contained a password hash, which could potentially expose weak passwords to brute force attacks, Kaseya said. The password value is now masked completely.

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member

Leave a Comment