Security Failures at Kaseya VSA: Consequences for Breach

Security Failures at Kaseya VSA: Consequences for Breach
Table of Contents
Another large-scale cyber-attack has been witnessed around the world. Kaseya, an IT Systems Management Software company, reported a security breach that affected their on-premises version Kaseya Virtual System Administrator (VSA). It was estimated that up to 1500 companies were held hostage by a ransom demand.
These incidents are becoming more common. As a result, attackers are focusing more on exploiting zero-day vulnerabilities in system administrator software. Remote monitoring and management (RMM), tools such as Kaseya VSA or Solarwinds, are making the situation worse. This allows attackers to penetrate customer networks and operate with implicit and unspoken trust, initiating commands, and deploying malware.
Most security vendors recommend that RMM users allowlist (formerly known as whitelisting), specific folders or executables in order to prevent disruptions in service due to false positive detection. These folders and executables are trusted. Allowlisting can lead to the initial bypassing endpoint security protection systems that depend on detecting suspicious activities before blocking actions can be taken. Comodo Threat Research Labs has (CTRL) analysed the VSA attack. Below is analysis to show how Comodo Active Breach Protection protects endpoints against sophisticated attacks, even if all attack vectors are trusted.
Our analysis first identified the exploit of a zero day vulnerability [CVE-2021-30116]. Credit goes to Wietse Boronstra, a researcher at the Dutch Institute for Vulnerability Disclosure, who discovered and reported this vulnerability under responsible disclosure guidelines to Kaseya. We don’t have enough information about the exploit. We do know that attackers used an authentication bypass in Kaseya VSA’s web interface to gain an authenticated session, upload ransomware payload, then execute commands via Kaseya agents by using a SQL injection vulnerability from Kaseya VSA.
Although the attack was limited to Kaseya VSA servers on-premises, SaaS services were also affected. Kaseya advised that all VSA servers be shut down immediately after the incident. However, as of this post, SaaS services were still offline and they are working on patches for both SaaS servers and on-prem servers. Kaseya published a Compromise Detection tool to determine if there are indicators of compromise (IoC). CISA and FBI released guidance for MSPs and their customers affected: ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
We created a map of the Kaseya VSA attack on the Mitre ATT&CK framework to further analyze the breach.
Reconnaissance – Weaponization
We don’t know much about this first step. It is clear that the attackers, identified by REvil (aka Sodinokibi), the same group behind the May 1, 2021, JBS Food Processing Ransomware Attack, exploited a zero day vulnerability in Kaseya VSA which is an asp.net app. In this reddit post, HuntressLabs Team analyzed one of the compromised servers and suspect dl.asp has an authentication vulnerability granting a user a valid session and allowing the user to access files that typically require authentication, specifically KUpload.dll and userFilterTableRpt.asp.
KUpload.dll allows upload functionality that bypasses authentication. This allows attackers to upload malicious executables to the victim’s system. We also found userFilterTableRpt.asp was susceptible to an SQL injection vulnerability, allowing remote code execution and initial compromise of the VSA server.
Delivery
The delivery method is concealed behind a Kaseya VSA agent Hot-fix package. This package contains agent.crt and Screenshot.jpg files. They are then written to the c.kworking folder. This folder is o