By CYFIRMA Research
First Published on 6 August 2021
REvil ransomware has set a price for decrypting all systems locked during the Kaseya supply-chain attack and has exploited zero-day vulnerability CVE-2021-30116.
Because many organizations rely on Managed Service Providers (MSPs) as part of their operational procedures and include third-party vendors in their ecosystem, they could potentially be targeted by such ransomware attackers.
The vulnerability is considered critical because it bypasses security mechanisms and has been exploited in the wild by cybercriminals and ransomware operators.
Based on its analysis and research, CYFIRMA observed that the suspected Russian cybercriminal group TA505 could possibly be collaborating with REvil ransomware groups, or operating them, to exploit this vulnerability to gain access to systems, move laterally across the organization, and implant customized malware to exfiltrate sensitive information.
CYFIRMA recommends using the reported IOC details for protective measures against this campaign and for threat hunting within your environment.
CYFIRMA Risk Rating for this Research is Critical.
NOTE: This is a developing story; more insights will be shared in due course as developments continue. The vulnerability has been reported as situational-awareness intelligence. CYFIRMA would like to highlight the potential risk and the indicators observed, which may be leveraged by nation-state threat actors to exploit the vulnerability, gain a foothold and exfiltrate sensitive information from target organizations.
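The recommendation above is to hunt for the report's IOCs inside your own telemetry. The helper below is an added example written for this page, not code from CYFIRMA or from the report; it takes a list of indicators in the defanged form threat reports usually publish (hxxp, [.]), refangs and classifies them, and scans log lines with token boundaries so that an IP indicator does not match a longer IP that merely starts with the same digits. The indicators, log lines and timestamps are constructed placeholders; substitute the IOC list from the full report.

```python
"""IOC hunting helper (added example, not part of the CYFIRMA report)."""
import re

# Constructed placeholder indicators, written defanged as a report would list them.
# Replace these with the IOCs from the report you are hunting with.
PLACEHOLDER_IOCS = [
    "hxxps://example-ioc[.]invalid/update",   # constructed URL
    "198.51.100[.]23",                         # constructed IPv4 (TEST-NET-2 range)
    "cafebabe" * 8,                            # constructed SHA-256 (64 hex chars)
]

# Constructed sample telemetry: one proxy hit, one EDR file event, one near-miss.
SAMPLE_LOGS = [
    '2021-08-01T13:01:22Z proxy allow src=10.0.0.5 dst=198.51.100.23 '
    'url="https://example-ioc.invalid/update"',
    '2021-08-01T13:01:40Z edr file_create path=C:\\Windows\\Temp\\agent.exe '
    'sha256=' + "cafebabe" * 8,
    '2021-08-01T13:02:01Z proxy allow src=10.0.0.6 dst=198.51.100.234 '
    'url="https://update.example.invalid/"',
]


def refang(ioc: str) -> str:
    """Undo common defanging so an indicator can be matched against raw logs."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."),
                           ("[:]", ":"), ("[@]", "@")):
        s = s.replace(defanged, real)
    return s


def classify(ioc: str) -> str:
    """Label a refanged indicator so the right boundary rule can be applied."""
    if re.fullmatch(r"[0-9a-f]{64}", ioc, flags=re.IGNORECASE):
        return "sha256"
    if re.fullmatch(r"[0-9a-f]{32}", ioc, flags=re.IGNORECASE):
        return "md5"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ioc):
        return "ipv4"
    if re.match(r"https?://", ioc, flags=re.IGNORECASE):
        return "url"
    return "domain"


def build_patterns(iocs):
    """Compile one anchored regex per indicator; returns (kind, indicator, regex)."""
    patterns = []
    for raw in iocs:
        clean = refang(raw)
        kind = classify(clean)
        escaped = re.escape(clean)
        if kind == "url":
            # URLs are matched as literal substrings (a trailing path may follow).
            pat = escaped
        elif kind == "domain":
            # Allow a leading "." so subdomains of the indicator also match.
            pat = r"(?<![\w-])" + escaped + r"(?![\w.-])"
        else:
            # Hashes and IPs must stand alone: 198.51.100.23 must not hit 198.51.100.234.
            pat = r"(?<![\w.-])" + escaped + r"(?![\w.-])"
        patterns.append((kind, clean, re.compile(pat, re.IGNORECASE)))
    return patterns


def hunt(log_lines, iocs=PLACEHOLDER_IOCS):
    """Scan log lines and return (line_number, kind, indicator) for every hit."""
    hits = []
    patterns = build_patterns(iocs)
    for number, line in enumerate(log_lines, start=1):
        for kind, indicator, regex in patterns:
            if regex.search(line):
                hits.append((number, kind, indicator))
    return hits


if __name__ == "__main__":
    for number, kind, indicator in hunt(SAMPLE_LOGS):
        print(f"line {number}: {kind} match on {indicator}")
```

Running the block against the constructed logs reports the URL and IP on line 1 and the hash on line 2, while line 3 (a different IP sharing a prefix with the indicator) produces no hit; that boundary handling is what keeps a hunt over real proxy or EDR exports from drowning in false positives.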
Security Bypass Vulnerability in Kaseya VSA Servers
CVSS Score: 9.8
Exploit Details: This zero-day vulnerability is being exploited in the wild and has been leveraged by REvil Ransomware Group.
Kaseya VSA servers could allow a remote attacker to bypass security restrictions, caused by improper authentication validation in the web panel. By sending specially crafted SQL commands, an attacker could exploit this vulnerability to deploy arbitrary programs to all connected clients.
Successful exploitation of the vulnerability could allow an attacker to compromise the affected system.
The vulnerability exists due to unspecified errors and could be exploited by a remote non-authenticated attacker via the Internet.
The CWE is CWE-20, and the vulnerability has an impact on confidentiality, integrity, and availability.
Affected Products: Kaseya VSA (all on-premise Kaseya VSA versions).
Currently, NO patch is available for this vulnerability.
To download the full report, write to [email protected]