Kaseya says it's seen no sign of supply chain attack, sets SaaS restoration target of Tuesday afternoon, on-prem fix to follow

Kaseya has said it’s been unable to find signs its code was maliciously modified, and offered its users a ray of hope with news that it is testing a patch for its on-prem software and is considering restoring its SaaS services on Tuesday, US Eastern Daylight Time (EDT). The beleaguered IT for service providers company is …

  1. Potemkine! Silver badge

    "Fewer than"

    PR BS detected!

    Kaseya says it's seen no sign of supply chain attack

    The beleaguered IT for service providers company is fighting a supply chain attack

    So, did the attack come from the supply chain or not? :-~

    1. Filippo Silver badge

      Re: "Fewer than"

      It sounds to me like Kaseya's customers have been attacked, through their supply chain - i.e. Kaseya.

  2. Pascal Monett Silver badge

    They had zero-day vulns in their product

    That in itself is understandable. Complex products like network supervisors must be difficult to code, and a zero day attack is not a buffer overflow issue.

    Kaseya still doesn't get a free pass, though. They need to improve their network security and be more aware of possible venues of attack.

    What this whole affair underscores is the importance of staying on the ball when your company is providing critical software that other companies require to stay in business.

    1. Terry 6 Silver badge

      Re: They had zero-day vulns in their product

      Whoah. Hold on there. That's too mild.

      “The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,” the explanation states.

      This means that:

      1) There were zero-day vulnerabilities (OK, stuff happens and big software jobs will have nasties lurking down below - anyone reading El Reg will have the knowledge and experience to know that) and....

      2) The bad guys were able to find these and use them, but....

      3) Kaseya either weren't able to find their own bugs, didn't look for them, or didn't fix them.

      This is software that gives intimate access to users and users' customers. There is no excuse for the above. It's not just a software product, it's an invasive software product. The IT equivalent of a finger up the bum.

    2. iron Silver badge

      Re: They had zero-day vulns in their product

      > a zero day attack is not a buffer overflow issue

      If it is unknown before being used maliciously then a buffer overflow is a zero day attack.

      1. Pascal Monett Silver badge

        I discount buffer overflow attacks because, if I'm not mistaken, these are exclusively due to lazy coding.

        Any coder worth the name writes code that is not susceptible to buffer overflow. And he validates his input data before treating it.

        1. Yes Me Silver badge

          Any coder worth the name...

          People make mistakes. It isn't the code writing that's to blame. It's the code walkthroughs, the testing harness, using some competent white hats, the regression testing after every fix, and so on.

  3. mikus

    So no sophisticated attack to sign malicious DLLs and such via Microsoft à la SolarWinds, they just gang raped their platform and all downstream customers with blatant insecurity. Some 60 direct customers, and 1500 downstream customers. Nothing to see here, now move along, remember to pay your renewals, particularly the cyber insurance parts to pay off the gross incompetence all around by customer and choice in vendor.

  4. raesene

    Look at the URLs in the log file extract and you can see a good indication of why they've got trouble... Sounds awfully like a Classic ASP app to me. Classic ASP, a technology that was deprecated in 2002 and was always tricky to secure, because it provided very little in the way of security functionality and left individual developers to figure it out.

    The question I'd have is, how did Kaseya miss these flaws for the presumably 10+ years that these files have been a part of their software. You'd *hope* they're not still developing in classic ASP, so these files are probably legacy code which hadn't been removed.

    At the very least I'd have expected any properly scoped pentest to have flagged up the use of Classic ASP as a possible risk, and at some point since the code was written you'd have hoped a code review would have caught this.

    1. iron Silver badge

      That is the attackers trying to hit ASP endpoints with known vulnerabilities; it doesn't mean the Kaseya product is written in classic ASP. Probably the attackers realised Kaseya were running IIS and hit them with all the usual IIS exploits.

      1. raesene

        Nah, it really is classic ASP; you can look here for the details:

        https://old.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

        Update 12 in that thread shows the exact activity and vulnerabilities that were exploited.

  5. Omnipresent

    Hopefully they recover the bitcoins.

    Good chance the pause was while they brought in the Gov.

    Also a good chance they got them, or got close to them this time.

    Also, the fact that this happened over the Fourth of July says a whole lot about who is behind it.

  6. Anonymous South African Coward Silver badge

    /me goes off to reddit to look for rants from sysadmins whose 4th was ruined
