Kaseya Case Update 2
04 Jul 2021 - Victor Gevers

During the last 48 hours, the number of Kaseya VSA instances reachable from the internet has dropped from over 2,200 to fewer than 140 in our latest scan today. By working closely with our trusted partners and national CERTs, the number of exposed servers in the Netherlands has dropped to zero. This is a good demonstration of how a cooperative network of security-minded organisations can be very effective during a nasty crisis.

By now it is time to be clearer about our role in this incident. First things first: yes, Wietse Boonstra, a DIVD researcher, previously identified a number of the zero-day vulnerabilities [CVE-2021-30116] that are currently being used in the ransomware attacks. And yes, we reported these vulnerabilities to Kaseya under responsible disclosure guidelines (also known as coordinated vulnerability disclosure).
Our research into these vulnerabilities is part of a larger project in which we investigate vulnerabilities in tools for system administration, specifically the administrative interfaces of these applications. These are products such as Vembu BDR, Pulse VPN and Fortinet VPN, to name a few. We are focusing on this class of products because we spotted a trend: more and more of the products that are used to keep networks safe and secure are showing structural weaknesses.

After this crisis, the question of who is to blame will come up. From our side, we would like to state that Kaseya has been very cooperative. Once Kaseya was aware of the vulnerabilities we reported, we were in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions. Partial patches were also shared with us so that we could validate their effectiveness. During the entire process, Kaseya showed that they were willing to put maximum effort and initiative into this case, both to get the issues fixed and to get their customers patched. They showed a genuine commitment to doing the right thing.

Unfortunately, we were beaten by REvil in the final sprint: they were able to exploit the vulnerabilities before customers could even patch. After the first reports of ransomware came in, we kept working with Kaseya, giving our input on what had happened and helping them cope with it. This included giving them lists of IP addresses and customer IDs of customers that had not yet responded, whom Kaseya promptly contacted by phone.

So, in summary:
- DIVD has been in a Coordinated Vulnerability Disclosure process with Kaseya, who was working on a patch.
- Some of the vulnerabilities we reported were used in this attack.
- Kaseya and DIVD collaborated to limit the damage wherever possible.

As more details become available, we will report them on our blog and in the case file.

Updated statistics: