The entire idea behind modern network security is that zero-days happen regularly. You should design your security controls around this fact: defense in depth, least privilege, etc.
"The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution," the Miami-headquartered company noted in the incident analysis. "This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya's VSA codebase has been maliciously modified."
This is very likely not the full story, unless the 0day in VSA was somehow wormable. That "deployment" is doable through overly permissive IAM and everything else that enables privesc.
There are two parts to these vulns. Whatever gets the foothold, and whatever allows privilege escalation. Audits do a great job in catching the misconfigs that allow privesc.
The tragic thing about these attacks is often the blast radius can be contained fairly easily by asking the right questions... If you're someone who has passed these audits, or done these audits, it becomes pretty easy to see how many unforced errors go into these catastrophic attacks.
If https://old.reddit.com/r/msp/comments/ocggbv/crticial_ransom... is correct, a competent web application security review (white box or black box) which was correctly scoped to include the affected files would likely have found the SQLi and authentication bypass issues (mentioned in update 12).
Without seeing the codebase in question, you can't be sure, but having been a web app pentester for 10+ years, these are the kind of issues that were found regularly, and whenever I saw classic ASP in tests, they were the kind of issues I'd be looking for, knowing the inherent weaknesses in the platform.
Did the RMM box really have to be on the open internet? In infra I run, anything with a public IP is behind numerous layers of FWs and VPNs, why not the same here?