Kaseya’s Unitrends Technology Has Zero-Day Flaws


Researchers Warn: Do Not Expose Technology to the Internet


Researchers are warning of three zero-day vulnerabilities in Kaseya’s Unitrends cloud-based enterprise backup and disaster recovery technology.


The news comes after a July 2 ransomware attack exploiting flaws in Kaseya’s Virtual System Administrator software had a major impact, affecting about 60 managed service provider customers and up to 1,500 of their clients.

In a public advisory, the Dutch Institute for Vulnerability Disclosure says the three zero-day flaws affect Unitrends versions earlier than 10.5.2. DIVD warns users not to expose Unitrends servers, or the clients, which listen by default on ports 80, 443, 1743 and 1745, directly to the internet until Kaseya issues patches.

DIVD did not reveal the exact nature of the flaws in Kaseya Unitrends. But the researchers shared their findings with 68 government CERTs under a coordinated disclosure, Bleeping Computer reports.

DIVD and Kaseya did not immediately respond to Information Security Media Group’s requests for further information on the nature of the flaws and whether they have been exploited.

Detecting Vulnerable Servers

DIVD says it discovered the Unitrends vulnerabilities on July 2 and reported them to Kaseya the next day. It began scanning the internet July 14 for exposed Kaseya Unitrends installations.

“The Dutch Institute for Vulnerability Disclosure performs a daily scan to detect vulnerable Kaseya Unitrends servers and notify the owners directly or via the known abuse channels, Gov-CERTs and CSIRTs, and other trusted channels,” the advisory from DIVD states.
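The advisory's two concrete criteria, a version earlier than 10.5.2 and the default ports listed above, can be turned into an inventory check. The following is an added example, not DIVD's scanner or any Kaseya tooling; it assumes an asset inventory already records each host's Unitrends version and which ports are reachable from the internet, and the host records are constructed.

```python
# Added example (not DIVD's scanner or Kaseya tooling): flag inventory
# entries for Unitrends hosts below the fixed version that expose the
# advisory's default ports to the internet. Sample records are constructed.
from dataclasses import dataclass
from itertools import takewhile

FIXED_VERSION = "10.5.2"                 # first unaffected version, per DIVD
UNITRENDS_PORTS = {80, 443, 1743, 1745}  # default ports named in the advisory


def parse_version(version: str) -> tuple:
    """'10.5.2' -> (10, 5, 2): compare numerically, since as strings
    '10.5.10' < '10.5.2'. A suffix such as '-hotfix' ends the parse."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the version is earlier than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class Host:
    name: str
    version: str
    internet_ports: set  # ports the inventory marks as internet-reachable


def hosts_needing_action(inventory: list) -> list:
    """Return (name, exposed Unitrends ports) for vulnerable, exposed hosts."""
    findings = []
    for host in inventory:
        exposed = host.internet_ports & UNITRENDS_PORTS
        if exposed and is_vulnerable_version(host.version):
            findings.append((host.name, sorted(exposed)))
    return findings


SAMPLE_INVENTORY = [  # constructed, not real hosts
    Host("backup-01", "10.4.9", {443, 1743}),
    Host("backup-02", "10.5.2", {443}),
    Host("backup-03", "10.5.10", {80}),
    Host("backup-04", "10.5.1", set()),
]
```

Only backup-01 is reported: backup-02 and backup-03 are at or above 10.5.2, and backup-04 is vulnerable but exposes none of the listed ports.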

Earlier Ransomware Attack

On July 11, Kaseya issued patches for its VSA software, which was targeted in the July 2 ransomware attack (see: Kaseya Says Software Fully Patched After Ransomware Attack).

Kaseya first learned of those VSA flaws after being notified by DIVD in April (see: Kaseya Raced to Patch Before Ransomware Disaster).

Earlier this week, Kaseya said it obtained the ability to decrypt all systems for victims without paying the REvil gang attackers a ransom. It’s working with customers to restore systems (see: Kaseya Says It Paid No Ransom to Obtain Universal Decryptor).