The zero-day vulnerability used to breach on-premises Kaseya VSA servers was in the process of being fixed just as the REvil ransomware gang used it to perform a massive Friday attack.
The vulnerability had previously been disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before rolling it out to customers.
However, in what can only be seen as a case of bad timing, the REvil ransomware gang beat Kaseya and used the same zero-day to conduct their Friday night attack against managed service providers worldwide and their customers.
“After this crisis, there will be the question of who is to blame. From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” said DIVD's Victor Gevers in a blog post today.
“Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”
“They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”
Kaseya has confirmed with BleepingComputer that they are working closely with DIVD.
Little is known about the zero-day
The zero-day Kaseya vulnerability was discovered by DIVD researcher Wietse Boonstra and was assigned the CVE-2021-30116 identifier.
When questioned regarding how REvil learned of the vulnerability as it was being fixed, Gevers indicated in a tweet that the vulnerability was simple to exploit.
If I would show you the PoC, you would know how and why. Instantly.
— Victor Gevers (@0xDUDE) July 4, 2021
Gevers told BleepingComputer that the vulnerability disclosure was “within the industry-standard time for coordinated vulnerability disclosure,” and they would provide more information in a future advisory.
In our queries to…