DIVD gives full disclosure in Kaseya case

DIVD gives full disclosure in Kaseya case

04 April 2022, by Lucinda Sterk

Say Kaseya VSA and any IT specialist will know what you’re talking about. It was one of the most high-profile incidents of 2021. Almost a year later, the researchers of the Dutch Institute for Vulnerability Disclosure (DIVD) provide full disclosure in release the full technical details of the bugs they found

It is now safe to fully explain what exactly was vulnerable and how it could be abused, says Frank Breedijk, Manager CSIRT at DIVD. “If you haven’t patched by now, you’re a pancake.”

In the podcast episode #6 of The Ransomware Files podcast he and DIVD leader Victor Gevers talk extensively about this case.

How it started

In April 2021, DIVD researcher Wietse Boonstra discovered several previously undiscovered vulnerabilities, zero days, in Kaseya VSA software. The vulnerabilities were reported and the volunteer specialists worked together with Kaseya for weeks on a patch. Only just before the finish did REvil’s cybercriminals overtake them with all the consequences that entailed. Until now only limited details have been released

What we are disclosing

The details released in the full disclosure indicate that the ransomware attack is due to a serious design flaw when it comes to how Kaseya’s VSA client authenticated to the server. In addition, there was a lot of technical debt. The full disclosure also reveals the details of CVE-2021-30118, which would have allowed REvil to execute its attack even more efficiently and effectively. REvil infected more than 1,500 organizations worldwide with ransomware through the Kaseya vulnerabilities.

A peek behind the scenes

When the Kaseya VSA crisis happened, Gerard Janssen, was writing his book Hackers and he wrote an entire chapter on this case of which a translation is available as background report on this site.

Last modified: 23 Nov 2022 21:17