Kaseya's Unitrends Technology Has Zero-Day Flaws
Researchers Warn: Do Not Expose Technology to the Internet
Researchers are warning of three zero-day vulnerabilities in Kaseya's Unitrends cloud-based enterprise backup and disaster recovery technology.
The news comes after a July 2 ransomware attack exploiting flaws in Kaseya's Virtual System Administrator software had a major impact, affecting about 60 managed service provider customers and up to 1,500 of their clients.
In a public advisory, the Dutch Institute for Vulnerability Disclosure says the three zero-day flaws in Unitrends are in versions earlier than 10.5.2. DIVD Chairman Victor Gevers told Information Security Media Group that the organization advises users: "Do not expose the Unitrends servers or the clients (running default on ports 80, 443, 1743, 1745) directly to the internet until Kaseya has patched these vulnerabilities."
DIVD did not reveal the exact nature of the flaws in Kaseya Unitrends, though Gevers told ISMG: "At this moment, we cannot share more details because we are busy monitoring the progress. There will be an update coming soon." The researchers shared their findings with 68 government CERTs under a coordinated disclosure, Bleeping Computer reports.
Kaseya did not immediately respond to Information Security Media Group's requests for further information on the nature of the flaws and whether they have been exploited.
Detecting Vulnerable Servers
DIVD says it discovered the Unitrends vulnerabilities on July 2 and reported them to Kaseya the next day. It began scanning the internet July 14 for exposed Kaseya Unitrends installations.
"The Dutch Institute for Vulnerability Disclosure performs a daily scan to detect vulnerable Kaseya Unitrends servers and notify the owners directly or via the known abuse channels, Gov-CERTs and CSIRTs, and other trusted channels," the advisory from DIVD states.
Earlier Ransomware Attack
On July 11, Kaseya issued patches for its VSA software that was targeted by the July 2 ransomware attack (see: Kaseya Says Software Fully Patched After Ransomware Attack).
Kaseya first learned of those VSA flaws after being notified by DIVD in April (see: Kaseya Raced to Patch Before Ransomware Disaster).
Earlier this week, Kaseya said it obtained the ability to decrypt all systems for victims without paying the REvil gang attackers a ransom. It's working with customers to restore systems (see: Kaseya Says It Paid No Ransom to Obtain Universal Decryptor).