Three Zero-Day Bugs Plague Kaseya Unitrends Backup Servers – Threatpost

Newsletter
Join thousands of people who receive the latest breaking cybersecurity news every day.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
Share this article:
The unpatched flaws include RCE and authenticated privilege escalation on the client-side: Just the latest woe for the ransomware-walloped MSP.
There are three new, unpatched zero-day vulnerabilities in Kaseya Unitrends that include remote code execution (RCE) and authenticated privilege escalation on the client-side.
The Dutch Institute for Vulnerability Disclosure (DIVD) on Monday issued a public advisory warning that the service and clients should be kept off the internet until there’s a patch.
Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery technology that’s delivered as either disaster recovery-as-a-service (DRaaS) or as an add-on for the Kaseya Virtual System/Server Administrator (VSA) remote management platform. The flaws are in versions earlier than 10.5.2.

Do not expose this service or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities. —DIVD advisory
DIVD experts disclosed the three flaws last week.
DIVD Chairman Victor Gevers told BleepingComputer that it’s only found a small number of vulnerable servers, but those vulnerable instances are located “in sensitive industries.”
Gevers explained the advisory was originally shared with 68 government CERTs as an amber alert under a coordinated disclosure. One of the recipients went on to share it with an organization’s Financial Services service desk. From there, an employee published DIVD’s amber alert on an online analyzing platform, where it became public.
“An employee uploaded the TLP: AMBER labeled directly to an online analyzing platform and shared its content to all participants of that platform,” Gevers told the outlet. “Because we do not have an account on that platform, we immediately requested removing this file.”
DIVD discovered the flaws on July 2 and reported them to Kaseya on July 3.
On July 14, the DIVD started daily scans to detect vulnerable Kaseya Unitrends servers. Once it finds vulnerable systems, the DIVD will notify server owners, either directly or via Gov-CERTs, CSIRTs and other trusted channels.
Threatpost has reached out to Kaseya to find out when we can expect a patch. BleepingComputer did the same but hadn’t heard back as of Tuesday morning.
This is only the latest woe for Kaseya, a managed service provider (MSP), and its customers: It’s had a hellishly hot July that’s included a massive ransomware attack by the REvil cybergang.
Woe begets woe nelly: Following the ransomware attack, threat actors were malspamming a bogus Microsoft security update that dropped Cobalt Strike backdoors.
As Kaseya rushed to restore the software-as-a-service (SaaS) version of its ransomware-clobbered VSA, the SaaS deployment, as well as the patch for the on-premises version, hit a snag and was delayed.
On-premises customers were the main targets of the ransomware attacks: As of July 7, those attacks had led to the encryption of files for around 60 of Kaseya’s customers that use the on-premises version of the platform – many of which are MSPs themselves that use VSA to manage the networks of other businesses.
Kaseya finally caught a break last week when it got its hands on a universal decryptor for REvil ransomware.
Hopefully, the uptick in the luck chart will keep trending up to cover these new zero days.Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.
Share this article:
Expect many more zero-day exploits in 2022, and cyberattacks using them being launched at a significantly higher rate, warns Aamir Lakhani, researcher at FortiGuard Labs.
Researchers from CrowdStrike disrupted an attempt by the threat group to steal industrial intelligence and military secrets from an academic institution.
Jason Kent, hacker-in-residence at Cequence Security, discusses sneaky shopping bot tactics (i.e., domain parking) seen in a mass campaign, and what retail security teams can do about them.

This site uses Akismet to reduce spam. Learn how your comment data is processed.
Join thousands of people who receive the latest breaking cybersecurity news every day.
1.8M+ attacks, against half of all corporate networks, are attempting to exploit #Log4Shell, including with a new r… https://t.co/dDky1faadm
2 weeks ago
Get the latest breaking news delivered daily to your inbox.
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.

source

spot_img

LEAVE A REPLY

Please enter your comment!
Please enter your name here