Breaking News

Kaseya on-premises users will have to wait longer for patch against ransomware

IT administrators with a vulnerable on-premises version of Kaseya's VSA remote monitoring and IT management application may have to wait until Wednesday before their systems can be patched and brought back online.

Update: Tuesday afternoon the company said it will begin restoring VSA SaaS service at 4 p.m. Eastern, a process that could take until 7 p.m. The patch for on-premises installations is expected within 24 hours after that. "We are focused on making this time frame as short as possible," the company said in a statement, "but if any issues are found during the SaaS spin-up, we want to fix them before bringing our on-premises customers up."

Update: 7:30 p.m. Eastern. The company said that work on the SaaS service is underway. This involves changing the underlying IP address of the Kaseya VSA server (the domain name/URL will not change). For almost all customers this change will be transparent. However, if - and only if - you have whitelisted your Kaseya VSA server in your firewall, you will need to update the IP whitelist. The new IP addresses can be found at: https://www.cloudflare.com/ips/

Update: 10 p.m. Eastern. Kaseya said a problem was detected during its work that will prevent the return of VSA SaaS service until it is resolved. The company is not expected to say anything more until Wednesday morning.

Until the patch is released, the company warned, the on-premises version of VSA should remain offline.

When restored, the SaaS service will include new security features, including a 24/7 independent SOC for each VSA, with the ability to quarantine and isolate files and entire VSA servers, and a complimentary content delivery network (CDN) with a web application firewall for each VSA. The goal is "to reduce the attack surface of the Kaseya VSA overall."

In addition, the company said that as of last night fewer than 60 Kaseya customers, all of whom were using the VSA on-premises suite, were directly compromised following the initial ransomware attack on Kaseya by the REvil group. Many of them are managed service providers. After compromising these providers, the attackers spread the ransomware to their customers. Kaseya determined that "fewer than 1,500" end-user customers were victims. There is no evidence that any of the SaaS customers were compromised.

Kaspersky said on Monday it had seen 5,000 attack attempts in 22 countries.

REvil claimed that more than a million personal devices were infected. It is selling a universal decryptor to all victims of the attack for $70 million in bitcoin.

Kaseya said there have been no new reports of VSA customers being compromised since Saturday, July 3.

Staged restoration
When the SaaS version comes back online, its functionality will be brought back in stages so that service can resume sooner. The first release will block access to certain functions - Classic Ticketing, Classic Remote Control (not LiveConnect) and User Portal - but the company said these are used by a small number of customers.

Kaseya also said that it has discussed with the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) how systems and networks can be hardened before service restoration for both SaaS and on-premises customers. A set of requirements will be posted prior to the service restart to give customers time to implement these countermeasures in anticipation of a return to service on July 6.

Finally, the company said that a new version of its Compromise Detection Tool has been released.

Kaseya discovered the cyberattack on the afternoon of Friday, July 2. Researchers at Huntress, who observed the compromised servers, described the attack: "We are very confident that the threat actor used an authentication bypass to gain an authenticated session in the Kaseya VSA web interface, upload the original payload, and then execute commands via SQL injection. We can confirm that SQL injection is how the actors began code execution." Sophos said the compromise came when on-premises customers were hit with a malicious software update that was pushed through the VSA agents running on managed Windows devices.

"It appears that this was achieved using a zero-day exploit of the server platform," Sophos said (a conclusion confirmed by Kaseya). "This gave REvil cover in a number of ways: it allowed initial compromise via a trusted channel, and it leveraged the trust in the VSA agent code that is reflected in the anti-malware software exclusions Kaseya requires to be set up for its application and agent 'working' folders. Anything executed by the Kaseya Agent Monitor is ignored because of those exclusions - which left REvil unnoticed."

Canadian Cyber Centre advice
The federal government's Canadian Centre for Cyber Security urged managed service providers using Kaseya VSA, and enterprise users of the on-premises version, to download and run the company's Compromise Detection Tool to check for signs of compromise.

In addition, any organization using remote monitoring and management applications must implement an allow-list that limits the application's communications to known IP address pairs only, and the administrative interfaces of these applications must be placed behind a virtual private network (VPN) or firewall on a dedicated administrative network.
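The firewall allow-list update described in the 7:30 p.m. note and the Cyber Centre's allow-list recommendation above, as an added example (not Kaseya's or the Cyber Centre's own tooling): a small Python helper that reconciles an existing VSA allow-list with a newly published set of provider ranges, reports stale and missing entries, and lets you verify what the rebuilt list permits. All addresses are constructed placeholders from documentation ranges, not the real Cloudflare list, which you would fetch separately from the URL above.

```python
import ipaddress

# Constructed sample data; none of these are real Kaseya, Cloudflare or customer
# addresses (all are taken from the RFC 5737 documentation ranges).
CURRENT_ALLOWLIST = ["203.0.113.10/32", "198.51.100.0/24"]  # old VSA address + internal mgmt subnet
KEEP = ["198.51.100.0/24"]                                  # entries that must survive the update
NEW_PROVIDER_RANGES = ["192.0.2.0/24", "192.0.2.128/25"]    # stand-in for the published CDN ranges

def _nets(cidrs):
    """Parse CIDR strings into IPv4 network objects (strict=False tolerates host bits set)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def _covered(net, nets):
    """True if `net` lies entirely inside some network in `nets`."""
    return any(net.subnet_of(other) for other in nets)

def stale_entries(current, new_ranges, keep):
    """Allow-list entries that no longer fall within the provider's ranges and are not in `keep`."""
    new, keep_n = _nets(new_ranges), _nets(keep)
    return [str(n) for n in _nets(current) if not _covered(n, new) and n not in keep_n]

def missing_entries(current, new_ranges):
    """Published ranges not yet allowed; collapsed first so a /25 nested in a /24 merges into it."""
    cur = _nets(current)
    return [str(n) for n in ipaddress.collapse_addresses(_nets(new_ranges)) if not _covered(n, cur)]

def updated_allowlist(current, new_ranges, keep):
    """Rebuild the allow-list: drop stale entries, add missing ranges, collapse the result."""
    stale = set(_nets(stale_entries(current, new_ranges, keep)))
    kept = [n for n in _nets(current) if n not in stale]
    combined = kept + _nets(missing_entries(current, new_ranges))
    return [str(n) for n in ipaddress.collapse_addresses(combined)]

def is_allowed(allowlist, ip):
    """Would traffic from `ip` pass the allow-list? Use it to check before and after the change."""
    return _covered(ipaddress.ip_network(ip), _nets(allowlist))

if __name__ == "__main__":
    print("stale:  ", stale_entries(CURRENT_ALLOWLIST, NEW_PROVIDER_RANGES, KEEP))
    print("missing:", missing_entries(CURRENT_ALLOWLIST, NEW_PROVIDER_RANGES))
    print("updated:", updated_allowlist(CURRENT_ALLOWLIST, NEW_PROVIDER_RANGES, KEEP))
```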

Finally, all organizations are urged to require multi-factor authentication (MFA) on all employee and partner accounts and, where possible, for customer-facing services.

Lost the race to the patch
Many information security experts believe it was no coincidence that the ransomware attack began just as the long Independence Day holiday weekend started in the US. With a little luck, it could have been prevented. The Dutch Institute for Vulnerability Disclosure (DIVD) said it had discovered the vulnerabilities (now tracked as CVE-2021-30116) and notified Kaseya, which was working to resolve them. Obviously that wasn't fast enough, because, DIVD said, the vulnerabilities were exploited.

DIVD doesn't blame Kaseya.

"Kaseya has been very cooperative," it said. "Once Kaseya became aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. Throughout the process, Kaseya has shown that they were willing to put in maximum effort and initiative to fix the issue and patch their customers. They showed a genuine commitment to doing the right thing. Unfortunately, we lost the final sprint to REvil, as they could exploit the vulnerabilities before customers could even patch."
