According to reporting in Data Breach Today, Kaseya was aware of vulnerabilities in its VSA solutions and worked for months to patch those security flaws.
Those vulnerabilities came to light over the July 4 holiday weekend when Kaseya disclosed that it had to disable its VSA solution in response to a coordinated ransomware attack on its customers.
The reporting describes how researchers with the Dutch Institute of Vulnerability Disclosure, or DIVD, found seven vulnerabilities, six of which affected the software-as-a-service and on-premises versions of VSA and one of which only affected the on-premises version.
DIVD claims that it notified Kaseya of the vulnerabilities on April 6 and that Kaseya began developing and implementing security patches in May and June.
Frank Breedijk, one of the DIVD researchers, was complimentary of Kaseya's actions, saying, "Kaseya’s response to our disclosure has been on point and timely." Nevertheless, DIVD's publication of its research notes is important because it shows that Kaseya was aware of the vulnerabilities in its products for nearly two months before the ransomware attack became public.