“Seven or eight” zero-days: The failed race to fix Kaseya VSA, with Victor Gevers, Lock and Code S02E13
Kaseya VSA included at least “seven or eight” privately known zero-day vulnerabilities before it suffered a widespread ransomware attack that impacted hundreds of businesses, said Victor Gevers, chair of the Dutch Institute for Vulnerability Disclosure, or DIVD, a volunteer-run organization that found a remote code execution flaw in Kaseya VSA on April 1, 2021.
In speaking with Malwarebytes for its Lock and Code podcast (embedded below), Gevers revealed that Kaseya VSA’s vulnerabilities represent just one data point in a far larger and more worrying trend—that Internet-facing remote administration tools are rife with flaws and that, as organizations increasingly rely on such tools for working-from-home environments, cybercriminals will increasingly discover, target, and exploit those flaws.
“We are seeing these signals very clearly that the quality of products that are online and are exposed to the Internet are not up to par for the current situation that we are in,” Gevers said. “For attackers, this is the best way in—next to, of course, sending phishing emails. That will always exist because we cannot learn to stop [clicking on things]. But this second thing, this is going to screw us over in the long term.”
The ransomware attack against Kaseya VSA on July 2 has quickly become recognized as one of the most significant cyberattacks in recent history. In the attack, members of the REvil ransomware gang pushed malicious Kaseya VSA updates that locked up machines and networks after first disabling several protective features in Microsoft Defender, the default anti-malware software packaged with most Windows machines today. The impact of the attack, however, extended much further, because Kaseya VSA is one of the more popular remote monitoring and management tools used by Managed Service Providers. The MSPs that were hit by the attack saw not only their systems encrypted, but also the systems of the clients that they support.
Essentially, the attack cascaded down, first hitting Kaseya VSA users—MSPs—and then hitting the businesses that relied on those MSPs for day-to-day IT support.
Reportedly hundreds of businesses were hit. Schools in New Zealand warned their staff that their computers might be inaccessible. The Swedish grocery chain Coop closed roughly 500 stores for multiple days. Two small towns in Maryland saw their systems lock up. The scale helped prompt Kaseya’s CEO into publicly releasing a statement.
For Gevers, the number of victims is frustrating, largely because he and his team were working with Kaseya to patch the VSA vulnerabilities for months prior. Within a day of discovering a remote code execution vulnerability on April 1, DIVD built up a team to investigate further, Gevers said.
“We open a case, we get some other security engineers on board. If we can find a copy [of Kaseya VSA], then we get our own copy of it, a trial version to run. We set up a lab. Then we have to go through the process of creating a fingerprint, because we want to scan the entire Internet—we want to look to every web server in the world to have that specific fingerprint, so we know where those panels are, exactly,” Gevers said. “Within a day, we were able to scan all Internet-facing instances of that thing, and it took us two days to start identification of the possible victims that had the on-prem version.”
DIVD compiled a report that showed “all on-prem implementation[s],” along with unique customer ID codes, delivering the report to Kaseya on April 6, just days after first discovering the vulnerability.
Kaseya took responsibility for the vulnerability and began developing a patch, Gevers said, which DIVD helped test for effectiveness. During this time, DIVD was also offered a version of Kaseya VSA to test more extensively, and in those tests, Gevers said, a researcher found additional flaws.
“We finally had our version running in our test lab,” Gevers said. “This is how it went from one zero-day [to] seven or eight, eventually.”
While Kaseya managed to quickly test its patches on SaaS implementations of Kaseya VSA, it had more trouble with customers who still relied on the on-premises versions, Gevers said. But in the middle of that testing, it became too late:
“It took them quite a lot of effort and time, and more and more expertise to get the right patch out—to get it tested, to get it through quality assurance. And then, disaster struck.”
The fallout of the attack is both external and internal.
Internally, Gevers said that DIVD is already considering how to improve coordinated vulnerability disclosure—as a process—because, despite issuing a confidential warning as far back as April 6, some systems remained vulnerable. While many potential victims were saved by DIVD and Kaseya’s months-long work, Gevers said he would have preferred to see no victims at all.
Externally—beyond the immediate damage of the ransomware attack itself—Gevers said that security administrators can no longer look away from a growing problem that affects the very tools they rely on every day.
“We understand that it is convenient to have your administrative panels, your RDP, your VNC, your shared hosting panels… all that kind of things for doing maintenance and administrative, to have it directly connected to the Internet, we understand,” Gevers said. “But it is simply not safe, because there is always, there is always an issue with the software.”
Critically, Gevers said that these flaws are neither isolated, or complex:
“This is not just to hit on Kaseya. With Vembu, it was the same. The latest Citrix bug, you know, that caused an outage. With Pulse VPN. I am sorry, but these vulnerabilities—these are not advanced. Not advanced at all.”
For Gevers, there is a clear path forward: Fix today’s vulnerabilities as soon as possible, and prevent future, similarly-flawed products from ever entering the market.
In the short term, Gevers called for more security volunteers. At DIVD, the team is too small and not geographically dispersed enough to handle worldwide cyberattacks. For instance, having a volunteer in Miami, Florida, near Kaseya’s headquarters, could have helped DIVD, Gevers said.
In the long term, Gevers stressed that software vendors take greater responsibility of their products. He asked vendors to invite third party reviewers to analyze software code, and to step away from meaningless marketing language. By giving consumers more information from trusted analysts about how a product performs and what vulnerabilities it may have, Gevers said the market will then hopefully reward secure, transparent software. Finally, Gevers said that countries around the world should better incentivize independent security research so that cybersecurity researchers do not feel intimidated or afraid to report their findings.
The future, Gevers said, is at stake:
“It’s our duty to do something to make sure that the Internet stays safe enough for the next generation… because we are always leaving the next generation with political challenges, challenges in society, environmental challenges, economical challenges. Can we please leave a communications network behind that I can still trust to work on?”
Listen to the full Lock and Code podcast, with host David Ruiz, below.