dienw4149's comments

dienw4149 | 4 years ago | on: US companies hit by 'colossal' cyber-attack

I worked for an MSP that used Kaseya VSA. First used the SaaS version. Their "SSO" is not claims-based but an agent that may just run on a DC and copy NTLM hashes to the SaaS instance. Had an admin account compromised. Asked for logs from Kaseya. Attacker traffic came from a Tor exit node. They did zero ingress filtering. Much of their codebase is Classic ASP riddled with comments like "'fixed SQL injection." Beyond the bizarre HTTP traffic, the agent communication protocol is a black box with some VNC. Logging goes to SQL so you have to do custom work to parse or push that to a SIEM. Terrified. Moved to on-prem and stuck a bunch of mitigating controls (blocking known Tor exit nodes, blocking egregious injection attempts, etc.). Wrote custom scripts to ingest logs. I'd like to see a professional penetration test report against their software. It does not look good.
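The comment mentions two defensive measures: pushing SQL-resident authentication logs into a SIEM with custom scripts, and blocking logins that arrive from known Tor exit nodes. The following is an added example (not the commenter's code, and not anything from Kaseya) of what such a script can look like. The table layout, column names, the Tor exit list and every IP address are constructed for the example (RFC 5737 documentation ranges); a real deployment would read the product's actual log table and a current exit-node feed.

```python
"""Hypothetical example: read admin-login records out of a SQL logging table,
flag logins from known Tor exit nodes or from outside the expected admin
ranges, and emit JSON lines a SIEM collector can ingest.

Everything here (schema, IPs, Tor list) is constructed for illustration and is
NOT the real schema of any RMM product."""
import ipaddress
import json
import sqlite3

# Constructed Tor exit list (documentation addresses, not real exit nodes).
TOR_EXIT_NODES = {"203.0.113.7", "198.51.100.42"}

# Constructed allow-list: admin logins are only expected from these ranges.
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                      ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample rows (timestamp, user, source IP, result) standing in for
# whatever the product writes to its SQL log table.
SAMPLE_ROWS = [
    ("2021-07-02T01:12:03Z", "admin", "203.0.113.7", "success"),
    ("2021-07-02T01:13:10Z", "admin", "192.0.2.15", "success"),
    ("2021-07-02T01:14:55Z", "helpdesk", "198.51.100.42", "failure"),
    ("2021-07-02T01:15:01Z", "admin", "10.4.2.9", "success"),
]


def load_sample_db():
    """Build an in-memory SQLite table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_log "
                 "(ts TEXT, username TEXT, src_ip TEXT, result TEXT)")
    conn.executemany("INSERT INTO auth_log VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_since(conn, since_iso):
    """Parameterised query: the WHERE clause is never built by concatenation."""
    cur = conn.execute(
        "SELECT ts, username, src_ip, result FROM auth_log "
        "WHERE ts > ? ORDER BY ts",
        (since_iso,))
    cols = ("ts", "username", "src_ip", "result")
    return [dict(zip(cols, r)) for r in cur]


def classify(row, tor_exits=TOR_EXIT_NODES, allowed=ADMIN_ALLOWED_NETS):
    """Attach detection verdicts to one row and return an enriched copy."""
    ip = ipaddress.ip_address(row["src_ip"])
    out = dict(row)
    out["tor_exit"] = row["src_ip"] in tor_exits
    out["outside_allowed_range"] = not any(ip in net for net in allowed)
    if out["tor_exit"] and row["result"] == "success":
        out["severity"] = "high"      # successful login via Tor: escalate
    elif out["tor_exit"] or out["outside_allowed_range"]:
        out["severity"] = "medium"    # failed Tor attempt or unexpected range
    else:
        out["severity"] = "low"
    return out


def to_siem_lines(rows):
    """One JSON object per line, as a generic JSON log collector accepts."""
    return [json.dumps({"source": "rmm-auth-log", **r}, sort_keys=True)
            for r in rows]


def run(since_iso="2021-07-01T00:00:00Z"):
    """Pull rows newer than since_iso, enrich them, render SIEM lines."""
    conn = load_sample_db()
    enriched = [classify(r) for r in fetch_since(conn, since_iso)]
    return enriched, to_siem_lines(enriched)


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

The `since_iso` watermark is what a scheduled job would persist between runs so each execution only forwards new rows; the exit-node set would be refreshed from a feed on the same schedule rather than hard-coded.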