4. Kaseya Nearly Fixed The Flaw REvil Exploited
The zero-day vulnerability exploited by REvil had previously been disclosed to Kaseya by researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and the company was validating a patch before rolling it out to customers. But REvil beat Kaseya to the punch and used that same vulnerability to compromise MSPs using the on-premises version of the company’s VSA product.
“During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched,” wrote DIVD’s Victor Gevers. “They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”
Since Kaseya was in the process of fixing the same vulnerability that was exploited by the hackers, researchers speculated that REvil might‘ve been monitoring the company’s communications from the inside. But Voccola told Reuters that Kaseya doesn’t believe REvil was in the company’s network prior to the attack, while Gevers said on Twitter that the vulnerability in question was simple to exploit.