The world was still recovering from the jolt of SolarWinds when another supply chain attack shook it. This time it is Kaseya.
Kaseya provides unified IT management software used by IT teams and managed service providers (MSPs). VSA is its popular remote monitoring and endpoint management product; it sits deep inside clients' networks and has high-privilege access to almost all enterprise assets.
On 2 July 2021, Kaseya published a notification advising its customers and MSPs to disable their on-premises Kaseya VSA servers immediately.
They also announced that Kaseya had become the victim of a cyberattack, and that many of its customers and MSPs had been hit by a ransomware attack that exploited a zero-day vulnerability in the VSA software.
Very limited information about the attack and the zero-day vulnerability is available at this point in time, but many security companies studying the matter closely have stated with high confidence that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.
This is corroborated by CVE-2021-30116, disclosed by Kaseya. The CVE covers a credentials leak and a business logic flaw; its resolution was still in progress, so the details were withheld.
In its limited disclosure blog post, the Kaseya team published the following seven CVEs.
Of the seven CVEs listed above, two are noteworthy: CVE-2021-30116 and CVE-2021-30120, since they relate directly to authentication and to bypassing access controls.
We have seen similar incidents with various VPN servers in the past, where attackers used vulnerabilities like CVE-2021-30116 to leak system credentials. The leaked credentials were then stuffed into the VPNs to gain unauthorized access.
The resistance posed by 2FA/MFA vanishes if vulnerabilities like CVE-2021-30120 are present.
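As an added example that is not part of the original post: the pattern described above, leaked credentials being stuffed into a VPN or web login endpoint, leaves a recognisable trace in authentication logs (one source cycling through many distinct accounts with a high failure rate, sometimes followed by a success). The detector below runs over constructed sample log lines; the log format, the thresholds and the sample addresses are assumptions made for this example, not anything from Kaseya or PureID.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format for this example: one login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample log: one source works through a leaked credential list
# (mostly failures, then a hit) and one ordinary user mistypes a password once.
SAMPLE_LOG = """\
2021-07-02T10:00:01Z src=203.0.113.10 user=alice result=FAIL
2021-07-02T10:00:02Z src=203.0.113.10 user=bob result=FAIL
2021-07-02T10:00:03Z src=203.0.113.10 user=carol result=FAIL
2021-07-02T10:00:04Z src=203.0.113.10 user=dave result=FAIL
2021-07-02T10:00:05Z src=203.0.113.10 user=erin result=FAIL
2021-07-02T10:00:06Z src=203.0.113.10 user=frank result=SUCCESS
2021-07-02T10:05:00Z src=198.51.100.7 user=grace result=FAIL
2021-07-02T10:05:20Z src=198.51.100.7 user=grace result=SUCCESS
this line is malformed and is skipped
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    success_after_failures: bool = False


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts with a high failure rate.

    The thresholds are illustrative assumptions; tune them to real login volume.
    Returns {src: {"attempts", "failures", "distinct_users", "success_after_failures"}}.
    """
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        elif s.failures > 0:
            # A success following a run of failures from the same source is the
            # signal that a stuffed credential actually worked: treat as priority.
            s.success_after_failures = True

    flagged = {}
    for src, s in stats.items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            flagged[src] = {
                "attempts": s.attempts,
                "failures": s.failures,
                "distinct_users": len(s.users),
                "success_after_failures": s.success_after_failures,
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The source that hit six accounts with five failures is flagged, and its `success_after_failures` flag is the cue to treat the account that finally succeeded as compromised; the ordinary user with one typo is not flagged. In production the same counters would be kept per source over a sliding time window rather than over a whole file.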
PureID has consistently advised about the risk of keeping credentials on the server and of their leakage through various flaws or operational gaps. There has been a drastic increase in 2FA/MFA bypass attacks, which puts enterprises at grave risk, as mentioned in the Auth0 report.
Just like the previous high-profile attacks on SolarWinds and Colonial Pipeline, this incident involves passwords, and we have clearly seen that 2FA/MFA can be bypassed.
No doubt we will continue to see more such attacks as long as business applications continue to rely on risky passwords and bypassable 2FA/MFA.
Going passwordless can drastically reduce the enterprise attack surface and make systems more resilient.