Kaseya Supply Chain Attack & Passwords
Ajit Hatti July 14, 2021 Credential Stealing
The world was still recovering from the jolt of SolarWinds when it was hit by another supply chain attack. This time it is Kaseya.
Kaseya provides unified IT management software used by IT teams and managed service providers (MSPs). VSA is its popular remote monitoring and endpoint management product; it sits deep inside clients' networks and has highly privileged access to almost all enterprise assets.
What happened at Kaseya?
On 2 July 2021, Kaseya published a notification advising its customers and MSPs to disable their on-premise Kaseya VSA servers immediately.
Kaseya also announced that it had become the victim of a cyberattack, and that many of its customers and MSPs were affected by a ransomware attack which exploited a zero-day vulnerability in the VSA software.
Very little information about the attack and the zero-day vulnerability has been released at this point in time, but many security companies studying the matter closely have stated with high confidence that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.
This is corroborated by CVE-2021-30116, disclosed by Kaseya. The CVE describes a credentials leak and business logic flaw whose resolution was still in progress, hence the details were withheld.
In its limited disclosure blog post, the Kaseya team published the following 7 CVEs.
- CVE-2021-30116 - A credentials leak and business logic flaw, resolution in progress.
- CVE-2021-30117 - An SQL injection vulnerability, resolved in May 8th patch.
- CVE-2021-30118 - A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6)
- CVE-2021-30119 - A Cross Site Scripting vulnerability, resolution in progress.
- CVE-2021-30120 - 2FA bypass, resolution in progress.
- CVE-2021-30121 - A Local File Inclusion vulnerability, resolved in May 8th patch.
- CVE-2021-30201 - An XML External Entity vulnerability, resolved in May 8th patch.
We have seen such incidents with various VPN servers in the past, where attackers used vulnerabilities like CVE-2021-30116 to leak system credentials. The leaked credentials were then replayed against the VPNs to gain unauthorized access.
The resistance posed by 2FA/MFA vanishes if you have vulnerabilities like CVE-2021-30120.
PureID has been consistently advising about the risk of keeping credentials on the server and their leakage through various flaws or operational gaps. There has been a drastic increase in 2FA/MFA bypass attacks, which puts enterprises at grave risk, as noted in the Auth0 report.
No doubt we will continue to see more such attacks as long as business applications continue to use risky passwords and bypassable 2FA/MFAs.
Going passwordless can drastically reduce the enterprise attack surface and make systems more resilient.