Three new Kaseya zero-day vulnerabilities were just disclosed in Kaseya Unitrends, including an RCE and an authenticated privilege escalation on the client-side.
According to a recently released public advisory warning, the Kaseya service should be kept off the internet until a patch is made available. “Do not expose this service or the clients directly to the internet until Kaseya has patched these vulnerabilities,” DIVD CSIRT’s recommendation reads.
What is Kaseya Unitrends? It is a cloud-based enterprise backup and disaster recovery technology that comes wither as a disaster recovery-as-a-service, shortly known as DRaS, or as an add-on for the Kaseya Virtual System remote management platform. The vulnerabilities affect versions earlier than 10.5.2.
How were the three Kaseya Unitrends flaws discovered?
“The Dutch Institute for Vulnerability Disclosure (DIVD) performs a daily scan to detect vulnerable Kaseya Unitrends servers and notify the owners directly or via the known abuse channels, Gov-CERTs and CSIRTs, and other trusted channels,” the advisory said.
It is noteworthy that Kaseya recently obtained the universal decryption key for the Revil attack that hit its systems. “On 7/21/2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to remediate customers impacted by the incident,” the official statement said.
The company says the tool came from a third party. Approximately 1,500 systems were victimized by the attack. Kaseya also said the attack was not supply chain ruling out the possibility of access to its backend infrastructure, but it is rather based on the CVE-2021-30116 zero-days. The zero-days were leveraged in a way that successfully pushed the REvil ransomware on vulnerable systems.