Kaseya says it's seen no sign of supply chain attack, sets SaaS restoration target of Tuesday afternoon, on-prem fix to follow Kaseya has said it’s been unable to find signs its code was maliciously modified, and offered its users a ray of hope with news that it is testing a patch for its on-prem software and is considering restoring its SaaS services on Tuesday, US Eastern Daylight Time (EDT). The beleaguered IT for service providers company is …
That in itself is understandable. Complex products like network supervisors must be difficult to code, and a zero day attack is not a buffer overflow issue.
Kaseya still doesn't get a free pass, though. They need to improve their network security and be more aware of possible venues of attack.
What this whole affair underscores is the importance of staying on the ball when your company is providing critical software that other companies require to stay in business.
Whoah. Hold on there.. That's too mild.
“The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,” the explanation states. .
This means that;
1) There were Zero day vulnerabilities (OK stuff happens and big software jobs will have nasties lurking down below- anyone reading El Reg will have the knowledge and experience to know that) and....
2) The bad guys were able to find these and use them, but....
3) Kaseya either weren't able to find their own bugs, didn't look for them, or didn't fix them.
This is software that gives intimate access to users and users' customers. There is no excuse for the above. It's not just a software product, it's an invasive software product. The IT equivalent of a finger up the bum.
So no sophisticated attack to sign malicious dll's and such via microsoft ala solarwinds, they just gang raped their platform and all downstream customers with blatant insecurity. Some 60 direct customers, and 1500 downstream customers. Nothing to see here, now move along, remember to pay your renewals, particularly the cyber insurance parts to pay off the gross incompetence all around by customer and choice in vendor.
Look at the URLs in the log file extract and you can see a good indication of why they've got trouble... Sounds awfully like a Classic ASP app to me. Classic ASP, a technology that was deprecated in 2002 and was always tricky to secure, because it provided very little in the way of security functionality and left individual developers to figure it out.
The question I'd have is, how did Kaseya miss these flaws for the presumably 10+ years that these files have been a part of their software. You'd *hope* they're not still developing in classic ASP, so these files are probably legacy code which hadn't been removed.
At the very least I'd have expected any properly scoped pentest to have flagged up the use of Classic ASP as a possible risk, and at some point since the code was written you'd have hoped a code review would have caught this.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
