
Tenable Blog


CVE-2021-30116: Multiple Zero-Day Vulnerabilities in Kaseya VSA Exploited to Distribute REvil Ransomware


Zero-day vulnerabilities in popular remote monitoring and management software targeted by threat actors to distribute ransomware to reportedly over one million systems.

Update July 22, 2021: Kaseya says they've received a universal decryptor from a "trusted third party" and that they are providing it to affected customers.

Update July 12, 2021: The Solutions section has been updated to confirm the availability of a patch for on-premises versions of Kaseya VSA to address three zero-day vulnerabilities.

Update July 9, 2021: The Analysis section has been updated to reflect new information about the vulnerabilities discovered and disclosed by DIVD CSIRT, including CVE-2021-30119 and CVE-2021-30120, as well as updates to the Solutions section.

Update July 6, 2021: Tenable is not impacted by the recent supply chain ransomware attack. We do not use Kaseya VSA, so our products and infrastructure are not vulnerable to the zero days used in the attack.

Background

On July 2, reports emerged that a number of companies whose networks are administered by managed service providers (MSPs) using Kaseya Virtual System Administrator (VSA), a remote monitoring and management (RMM) software from Kaseya Limited, became the victims of a large-scale ransomware attack.

The attacks have been attributed to REvil, also known as Sodinokibi, one of the most active ransomware groups today. REvil operates as ransomware-as-a-service (RaaS), whereby they develop the ransomware payload itself and provide the infrastructure for managing victim communications for negotiating payment and distributing decryption tools after payment.

Image Source: Mark Loman (Twitter)

REvil does not attack organizations directly, rather they rely on affiliates, who do the dirty work to break into networks and deploy the ransomware. Affiliates receive a large portion of the ransom payment, while REvil takes a percentage for providing the ransomware and supporting infrastructure.

Similar to many other ransomware groups, REvil operates a leak website, where they publish the names of their victims along with a sampling of files they exfiltrated from the victim’s network. This is part of a tactic known as double extortion, which was pioneered by the Maze ransomware group in late 2019. Through double extortion, ransomware groups have seen their profits skyrocket, which has led to more activity in the space, and subsequently fueled the number of attacks.

Analysis

On July 5, Kaseya confirmed that multiple zero-day vulnerabilities were used to target vulnerable VSA server instances, including an authentication bypass flaw and an arbitrary command execution vulnerability. No specific details about the vulnerabilities were shared at the time and no additional CVEs have been reported.

Separately, through investigations into attacks against their clients, researchers at Huntress Labs and TrueSec identified three zero-day vulnerabilities:

  1. Authentication Bypass Vulnerability
  2. Arbitrary File Upload Vulnerability
  3. Code Injection Vulnerability

Huntress Labs, for example, believes the attackers were able to gain access to VSA servers through the use of the authentication bypass flaw.

“[...] we have high confidence that the threat actor used an authentication bypass in the web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via code injection.”

In a later update, Huntress Labs said new evidence suggests that SQL injection may not have been the complete attack vector leading to code execution, and that another injection attack may be part of the attack chain.

Coordinated disclosure of zero-day vulnerabilities

On July 4, researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) Computer Security Incident Response Team (CSIRT) published a blog post saying they’ve been working with Kaseya to coordinate the disclosure of “a number of zero-day vulnerabilities” in Kaseya VSA. They highlighted CVE-2021-30116, a vulnerability that they say is being used in these ransomware attacks, though they did not provide any further details about the other vulnerabilities. We suspect that these include the arbitrary file upload and code injection flaws.

On July 7, DIVD CSIRT published a follow-up blog providing a “limited” disclosure about their discoveries in Kaseya VSA. Several of the vulnerabilities listed in this limited disclosure have already been patched in previous versions of VSA, while three vulnerabilities have yet to be patched. These three vulnerabilities are expected to be addressed in the next on-premises release of Kaseya VSA, which has been scheduled for Sunday, July 11 at 4pm EDT. The following table breaks down each of the vulnerabilities reported by DIVD CSIRT.

CVE             Description                                        Patched  Patch Release
CVE-2021-30118  Remote Code Execution Vulnerability                Yes      9.5.5
CVE-2021-30117  SQL Injection Vulnerability                        Yes      9.5.6
CVE-2021-30121  Local File Inclusion Vulnerability                 Yes      9.5.6
CVE-2021-30201  XML External Entity Vulnerability                  Yes      9.5.6
CVE-2021-30116  Credentials Leak and Business Logic Vulnerability  Yes      9.5.7a
CVE-2021-30119  Cross-Site Scripting Vulnerability                 Yes      9.5.7a
CVE-2021-30120  Two-Factor Authentication Bypass Vulnerability     Yes      9.5.7a

REvil publishes notice on their leak website

On July 4, REvil published a post to their leak website, confirming that they were behind the attack against Kaseya.

In the posting, REvil claims they have infected “more than a million systems” through this campaign and that they are willing to offer a universal decryptor tool for $70 million in Bitcoin, which could be used by any organization to decrypt files on systems that were struck by the REvil ransomware. If the number of infected systems is confirmed, this would be the largest ransomware attack since the WannaCry attack in 2017.

Not the first time RMM tools have been targeted by ransomware groups

Over the last few years, threat actors have identified MSPs and RMMs as valuable targets for distributing ransomware to an MSP’s downstream customers. In February 2019, the GandCrab ransomware group exploited a two-year-old vulnerability in the ConnectWise plugin for Kaseya VSA, which affected 126 Kaseya customers.

In December 2019, threat actors targeted an MSP and used the ConnectWise Control RMM software to distribute the Zeppelin Ransomware to the MSP’s downstream customers.

Because many organizations rely on MSPs to remotely monitor and manage their IT systems, and with the impact the attack against Kaseya VSA has had, we believe other ransomware groups will continue to look for flaws in other RMM software.

Proof of concept

At the time this blog post was published, there were no public proof-of-concept exploits for any of the vulnerabilities in Kaseya VSA.

Vendor response

Following the discovery of the vulnerability, Kaseya has been sharing updates for customers and other interested parties on their website. Kaseya proactively shut down their software-as-a-service (SaaS) servers while they investigated the attack, though they do not believe the attackers targeted SaaS customers. It appears the impacted organizations used Kaseya VSA on-premises.

Solution

At the time this blog post was originally published, there were no patches available for the three zero-day vulnerabilities in Kaseya VSA. On July 11, 2021, Kaseya released VSA 9.5.7a (9.5.7.2994) for on-premises customers, which addresses the following vulnerabilities:

CVE             Description
CVE-2021-30116  Credentials Leak and Business Logic Vulnerability
CVE-2021-30119  Cross-Site Scripting Vulnerability
CVE-2021-30120  Two-Factor Authentication Bypass Vulnerability

Customers are advised to follow Kaseya’s on-premises hardening and best practice guide prior to applying this patch.

Kaseya also deployed the patch to the SaaS platform prior to restoring the service, which should now be available for SaaS customers.

Identifying affected systems

Tenable has released a local Windows detection for Kaseya agents as well as a remote detection plugin for Kaseya VSA.

A version check plugin for Kaseya VSA 9.5.7a will appear here once it has been released.
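The version check described above boils down to comparing an installed VSA release string against the patch table reported by DIVD CSIRT. The following Python script is an added example written for this post; it is not Tenable's plugin or Kaseya code. It assumes on-premises VSA versions are reported as three dotted numbers with an optional hotfix letter (9.5.6, 9.5.7a) or as a four-part build string, and it maps build 9.5.7.2994 to 9.5.7a because the Solution section above states that equivalence. Any other four-part build is conservatively treated as the un-lettered release, so an unknown 9.5.7.x build is reported as still missing the 9.5.7a fixes.

```python
import re
from typing import List, Tuple

# Patch table as reported by DIVD CSIRT and summarised in this post:
# CVE -> (description, first VSA on-premises release that fixes it)
KASEYA_VSA_FIXES = {
    "CVE-2021-30118": ("Remote Code Execution", "9.5.5"),
    "CVE-2021-30117": ("SQL Injection", "9.5.6"),
    "CVE-2021-30121": ("Local File Inclusion", "9.5.6"),
    "CVE-2021-30201": ("XML External Entity", "9.5.6"),
    "CVE-2021-30116": ("Credentials Leak and Business Logic", "9.5.7a"),
    "CVE-2021-30119": ("Cross-Site Scripting", "9.5.7a"),
    "CVE-2021-30120": ("Two-Factor Authentication Bypass", "9.5.7a"),
}

# The post states that release 9.5.7a is build 9.5.7.2994. Any other four-part
# build string is an assumption-free fallback: it is compared on its first three
# components only, i.e. treated as the un-lettered (unpatched) release.
BUILD_ALIASES = {"9.5.7.2994": "9.5.7a"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z])?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '9.5.7a' into (9, 5, 7, 1); the hotfix letter becomes the 4th component.

    '9.5.7' -> (9, 5, 7, 0), so a lettered hotfix always sorts after its base release.
    """
    v = BUILD_ALIASES.get(version.strip(), version.strip())
    parts = v.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        # Unknown build number: fall back to the three-part release (conservative).
        v = ".".join(parts[:3])
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised Kaseya VSA version string: {version!r}")
    major, minor, patch, letter = m.groups()
    hotfix = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(patch), hotfix)


def unpatched_cves(installed: str) -> List[str]:
    """Return the CVEs from the table that the installed VSA release does not fix."""
    have = parse_version(installed)
    return sorted(
        cve
        for cve, (_, fixed_in) in KASEYA_VSA_FIXES.items()
        if have < parse_version(fixed_in)
    )


if __name__ == "__main__":
    # Constructed sample version strings, not output from a real VSA server.
    for v in ["9.5.4", "9.5.6", "9.5.7", "9.5.7.2994", "9.5.7a"]:
        missing = unpatched_cves(v)
        print(f"{v:>12}: {'fully patched' if not missing else ', '.join(missing)}")
```

The useful property here is ordering: a hotfix letter is parsed as a fourth numeric component, so 9.5.7 < 9.5.7a holds without string comparison tricks, and a server reporting 9.5.6 is correctly flagged as still exposed to the three CVEs fixed only in 9.5.7a.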

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
