Tag Archive for: Kaseya

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software – Krebs on Security


Last week cybercriminals deployed ransomware to 1,500 organizations, including many that provide IT security and technical support to other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-exposing security flaw that was first identified in the same software six years ago.

On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software, Kaseya Virtual System Administrator (VSA).

According to this entry for CVE-2021-30116, the security hole exploited in the zero-day attack against Kaseya VSA was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild.

Also on July 3, security incident response firm Mandiant notified Kaseya that its billing and customer support site, portal.kaseya.net, was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any file on the server using nothing more than a web browser.

As the CVE number implies, CVE-2015-2862 was published in July 2015. Six years later, Kaseya’s customer portal was still vulnerable to the same data-exposing flaw.

Kaseya Customer Support and Billing Portal. Image: Archive.org.

Mandiant notified Kaseya after hearing from Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm Hold Security. Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Saturday afternoon, allowing him to download the site’s “web.config” file, a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.
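The bug class described above, a web handler that lets `../` in a request path escape the served directory and read files such as web.config, is easy to reproduce and easy to fix. The following is an added example, not Kaseya’s code and not a reproduction of CVE-2015-2862 itself: it builds a throwaway web root with a constructed web.config outside it, serves files through a naive handler and a hardened one, and shows that the hardened version refuses both plain and URL-encoded traversal while still serving public files. All file names, contents and function names are constructed for the demo.

```python
"""Directory traversal: a vulnerable file handler next to a hardened one.

Added example, not code from Kaseya or from the article. The web root,
the sample web.config and the request payloads are constructed here.
"""
from __future__ import annotations

import os
import shutil
import tempfile
import urllib.parse


def setup_webroot() -> tuple[str, str]:
    """Create <base>/www (the served directory) and <base>/web.config
    one level above it, mimicking a secret the handler must never serve."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    www = os.path.join(base, "www")
    os.makedirs(www)
    with open(os.path.join(www, "index.html"), "w") as fh:
        fh.write("<html>public page</html>")
    with open(os.path.join(base, "web.config"), "w") as fh:
        # Constructed sample; real files often carry DB connection strings.
        fh.write('<connectionStrings><add name="db" '
                 'connectionString="Server=db;User Id=sa;Password=hunter2"/>'
                 '</connectionStrings>')
    return base, www


def vulnerable_read(www: str, requested: str) -> str:
    """Naive handler: decode the request path and join it under the root.
    os.path.join performs no containment check, so '../' walks out of www."""
    rel = urllib.parse.unquote(requested)
    with open(os.path.join(www, rel), "r") as fh:
        return fh.read()


def hardened_read(www: str, requested: str) -> str:
    """Decode, canonicalise, then refuse any path outside the web root.
    Decoding before realpath() means %2e%2e%2f is treated like '../'
    rather than as a harmless literal file name; realpath() also folds
    symlinks and absolute paths, so commonpath() is the single check."""
    rel = urllib.parse.unquote(requested)
    root = os.path.realpath(www)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(target, "r") as fh:
        return fh.read()


def demo() -> dict:
    """Run both handlers against a public file and two traversal payloads.
    Returns a dict of booleans so the outcome can be checked, not just printed."""
    base, www = setup_webroot()
    try:
        payloads = ["../web.config",        # plain traversal
                    "%2e%2e%2fweb.config"]  # same thing, URL-encoded
        leaked = all("Password=" in vulnerable_read(www, p) for p in payloads)
        blocked = True
        for p in payloads:
            try:
                hardened_read(www, p)
                blocked = False
            except PermissionError:
                pass
        public_ok = (hardened_read(www, "index.html")
                     == vulnerable_read(www, "index.html"))
        return {
            "vulnerable_leaks_config": leaked,
            "hardened_blocks_traversal": blocked,
            "hardened_serves_public": public_ok,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check that matters is the containment test after canonicalisation, not a blacklist of `..` sequences: a filter that only strips literal `../` misses encoded variants, while `realpath` plus `commonpath` rejects every spelling of an escape, including absolute paths and symlinks that point outside the root.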

“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said. “It’s a patch for their own software. And it’s not a zero-day. It’s from 2015!”

According to the official description of CVE-2015-2862, a potential attacker user…

Source…

Kaseya Ransomware Attack Triggers Race to Hack Other Managed Services Providers


A ransomware attack in July that paralyzed as many as 1,500 organizations by compromising tech-management software from a company called Kaseya has set off a race among criminals looking for similar vulnerabilities, cyber security experts said.

An affiliate of a top Russian-speaking ransomware gang known as REvil used two gaping flaws in software from Florida-based Kaseya to break into about 50 managed services providers (MSPs) that used its products, investigators said.

Now that criminals see how powerful MSP attacks can be, “they are already busy, they have already moved on and we don’t know where,” said Victor Gevers, head of the non-profit Dutch Institute for Vulnerability Disclosure, which warned Kaseya of the weaknesses before the attack.

“This is going to happen again and again.”

Gevers said his researchers had discovered similar vulnerabilities in more MSPs. He declined to name the firms because they have not yet fixed all the problems.

Managed service providers include companies such as IBM and Accenture offering cloud versions of popular software and specialist firms devoted to specific industries. They typically serve small and medium-sized firms that lack in-house technology capabilities and often boost security.

But MSPs also make an efficient vehicle for ransomware because they have wide access inside many of their customers’ networks. Kaseya’s software serves many MSPs, so the attacks multiplied before Kaseya could warn everyone, rapidly encrypting data and demanding ransoms of as much as $5 million per victim.

The business of MSPs has boomed during the coronavirus pandemic alongside the rapid increase in remote work.

“That’s where you find the trusted access to customers’ systems,” said Chris Krebs, the first leader of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which has made ransomware a top priority. “It’s a much more economical approach to launch a breakout attack. And it’s hard for the customer to defend.”

Bugcrowd Inc, one of several platforms where researchers can report vulnerabilities, has also seen security flaws as bad as Kaseya’s, said Bugcrowd Chief…

Source…

Kaseya fixes VSA. REvil disappears. Facebook takes down Iranian hacking campaign.


Kaseya fixes VSA (and the US wants Russian action against REvil).

Kaseya this past Sunday afternoon pushed fixes for VSA’s on-premises and SaaS versions. At 8:00 AM the company’s update indicated that patching was proceeding quickly:

“As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch.”

The general consensus is that REvil operates with at least the knowledge of, and probably the tacit approval and encouragement of, the Russian government. The joint enforcement action the US has requested of Russia has not materialized, GovInfoSecurity notes. Moscow is standing on ceremony as it expresses its commitment to the rule of law (as the Register puts it, “with a straight face”), but so far there are few if any signs of Russian authorities taking action against the gangs that operate with impunity from its territory.

In an hour-long phone call on Friday, July 9th, US President Biden communicated his expectations concerning ransomware operations to Russian President Putin. Reuters reports that in President Biden’s estimation the call “went well,” and that he expects Russian cooperation against gangs like REvil. Should expected Russian cooperation not be forthcoming, President Biden said the US was prepared to take certain actions on its own. He and Administration officials declined to say what such actions might be. At the White House daily press conference on Friday, Press Secretary Psaki said President Biden “underscored the need for President Putin to take action to disrupt these ransomware groups.”


REvil disappears.

REvil’s disappearance early Tuesday morning from its usual online haunts (including the HappyBlog) remains unexplained. The New York Times and others note that the vanishing followed a US request that Russia do something about ransomware gangs operating from its territory, but it’s…

Source…

Hillicon Valley: Russian hacking group believed to be behind Kaseya attack goes offline | DHS funding package pours millions into migrant surveillance | Jen Easterly sworn in as director of DHS cyber agency



Websites used by the cyber criminal group known as REvil went dark Tuesday, just over a week after the group was linked by cybersecurity experts to the ransomware attack on software company Kaseya. While it is unknown why the websites went dark, President Biden last week urged Russian President Vladimir Putin to take further steps against hackers based in his country, and hinted to reporters that the U.S. had the option of disrupting the hackers’ servers.

Meanwhile on Capitol Hill, the House Appropriations Committee marked up the annual Department of Homeland Security appropriations bill, approving a proposal that included millions to pay for technologies that surveil immigrants.

SUSPICIOUS TIMING FOR A HOLIDAY: Websites on the dark web used by a criminal hacking group believed to be behind the recent massive ransomware attack on software company Kaseya went offline Tuesday.

The hacking group, REvil, is believed to be based in Russia, and has been linked by the FBI to the ransomware attack in May on JBS USA, the nation’s largest beef producer. The more recent attack on Kaseya impacted up to 1,500 companies, many of them small businesses.

According to The New York Times, the websites on the dark web used by REvil to negotiate payment with victims and lists of companies it had targeted went dark early on Tuesday morning.

John Hultquist, the vice president of Analysis at cybersecurity group FireEye’s Mandiant Threat Intelligence, confirmed the takedown, saying in a statement provided to The Hill Tuesday that “at the time of analysis…

Source…