DIVD gives full disclosure in Kaseya case
Say Kaseya VSA and any IT specialist will know what you’re talking about. It was one of the most high-profile incidents of 2021. Almost a year later, the researchers of the Dutch Institute for Vulnerability Disclosure (DIVD) provide full disclosure in release the full technical details of the bugs they found
It is now safe to fully explain what exactly was vulnerable and how it could be abused, says Frank Breedijk, Manager CSIRT at DIVD. “If you haven’t patched by now, you’re a pancake.”
How it started
In April 2021, DIVD researcher Wietse Boonstra discovered several previously undiscovered vulnerabilities, zero days, in Kaseya VSA software. The vulnerabilities were reported and the volunteer specialists worked together with Kaseya for weeks on a patch. Only just before the finish did REvil’s cybercriminals overtake them with all the consequences that entailed. Until now only limited details have been released
What we are disclosing
The details released in the full disclosure indicate that the ransomware attack is due to a serious design flaw when it comes to how Kaseya’s VSA client authenticated to the server. In addition, there was a lot of technical debt. The full disclosure also reveals the details of CVE-2021-30118, which would have allowed REvil to execute its attack even more efficiently and effectively. REvil infected more than 1,500 organizations worldwide with ransomware through the Kaseya vulnerabilities.
A peek behind the scenes
When the Kaseya VSA crisis happened, Gerard Janssen, was writing his book Hackers and he wrote an entire chapter on this case of which a translation is available as background report on this site.
Last modified: 23 Nov 2022 21:17