Kaseya, the software company hacked to distribute ransomware, already had security vulnerabilities
For 21 years, software company Kaseya worked in relative obscurity – at least until cybercriminals exploited it in early July for a massive ransomware attack that disrupted businesses around the world and escalated US-Russian diplomatic tensions.
But it turns out that the recent hack wasn’t the first major cybersecurity problem to hit the Miami-based company and its core product, which IT teams use to remotely monitor and administer computer systems and other devices at work.
“It sounds a bit like déjà vu,” said Allie Mellen, a security analyst at Forrester Research.
In 2018, for example, hackers managed to infiltrate Kaseya’s remote tool to carry out a “cryptojacking” operation, which diverts the processing power of affected computers to mine cryptocurrency, often without its victims noticing. This was a less damaging breach than the recent ransomware attack, which was impossible to miss because it crippled affected systems until their owners paid. But it also relied on Kaseya’s Virtual System Administrator, or VSA, product as a way into the businesses that depend on it.
A 2019 ransomware attack also spread to computers through another company’s add-on software component for Kaseya VSA, causing more limited damage than the recent attack. Some experts have linked this earlier assault to some of the same hackers who went on to form REvil, the Russian-speaking gang blamed for the latest attack.
And in 2014, Kaseya’s own founders sued the company in a dispute over responsibility for a VSA security breach that allowed hackers to launch a separate cryptocurrency scheme. The court case does not appear to have been previously reported outside of a brief mention in a 2015 technical blog post. At the time, the founders denied responsibility for the vulnerability, calling the charges against them a “false claim.”
Almost all of Kaseya’s security issues are rooted in well-understood coding vulnerabilities that should have been addressed earlier, said Katie Moussouris, a cybersecurity expert and the founder and CEO of Luta Security.
“Kaseya needs to get in shape, like the entire software industry,” she said. “It’s a failure to integrate the lessons the bugs were teaching you. Kaseya, like many businesses, cannot learn these lessons.”
Many of the attacks relied at least in part on what is known as SQL injection, a technique in which attackers embed database commands in web requests so that unchecked input is executed as part of a query. It’s an old technique that Mellen says has been viewed as a “solved problem” in the cybersecurity world for a decade.
“This indicates a chronic product safety issue in Kaseya’s software that remains unanswered seven years later,” she said. “When organizations choose to overcome security concerns, incidents continue and, as in this case, escalate.”
Kaseya noted that it has long been a target, as many of its direct customers are “managed service providers” that host the IT infrastructure of hundreds if not thousands of other businesses.
“In the industry we are in and the number of endpoints we manage around the world, as you might expect, we take security very seriously,” said Ronan Kirby, president of the company’s European operations, at a Belgian cybersecurity conference on Thursday. “You attack a business, you enter the business. You attack a service provider, you break into all of their customers. You walk into Kaseya, it’s a very different proposition. We are therefore obviously an attractive target.”
Kaseya declined to answer questions from The Associated Press about previous hacks or the legal dispute involving its founders.
Mark Sutherland and Paul Wong co-founded Kaseya in California in 2000. They had previously worked together on a project to protect the email accounts of US intelligence officers at the National Security Agency, according to an account on the company’s website.
But more than a year after Kaseya’s sale in June 2013, court records show Sutherland, Wong and two other former senior executives sued the company to recover $5.5 million in share buybacks they said they were unfairly denied.
At the heart of the dispute was an attack by hackers who used Kaseya’s VSA as a means to deploy Litecoin mining malware that secretly hijacks the processing power of a victim’s computer to earn money for the hacker by processing cryptocurrency transactions.
Kaseya publicly disclosed the attacks in a March 2014 notice to customers. Privately, it criticized the company’s previous management for failing to warn of “serious vulnerabilities” in Kaseya’s software. It sought to withhold the final $5.5 million of the purchase price to compensate for the loss of business and damage to its reputation.
The founders, in turn, criticized the new management for reducing coding expertise and eliminating a “fix” system for quickly fixing bugs, according to the lawsuit filed by Sutherland, Wong, former CEO Gerald Blackie and former COO Timothy McMullen.
They also argued that the SQL injection technique used by the hackers was very common and “inherent in all computer code” using the SQL database language.
“Ensuring that every piece of database access code is immune to SQL injection is essentially impossible,” their lawsuit said. Mellen and Moussouris both rejected this claim.
“This is a bold and provably false statement,” Moussouris said. “This highlights the fact that they lacked the security knowledge and sophistication to protect their users.”
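The disagreement above is concrete enough to show in code. As an added example (not Kaseya’s code, nor anything from the lawsuit), here is the same endpoint lookup written the way the lawsuit implies is unavoidable, with the caller’s value spliced into the SQL text, beside the parameterized form that the experts call a solved problem; the agents table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a remote-management agent table
# (hypothetical schema: one row per managed endpoint and the tenant it belongs to).
AGENTS = [
    ("ws-001", "customer-a"),
    ("ws-002", "customer-a"),
    ("srv-010", "customer-b"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed agent rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agents (hostname TEXT, org TEXT)")
    conn.executemany("INSERT INTO agents VALUES (?, ?)", AGENTS)
    return conn


def agents_for_org_vulnerable(conn, org):
    # Vulnerable pattern: the caller-supplied value becomes part of the SQL text,
    # so a quote character in it changes the structure of the query itself.
    sql = f"SELECT hostname FROM agents WHERE org = '{org}' ORDER BY hostname"
    return [row[0] for row in conn.execute(sql)]


def agents_for_org_safe(conn, org):
    # Hardened pattern: the value is sent separately as a bound parameter. The
    # database engine never parses it as SQL, whatever characters it contains,
    # so it can only ever be compared as a tenant name.
    sql = "SELECT hostname FROM agents WHERE org = ? ORDER BY hostname"
    return [row[0] for row in conn.execute(sql, (org,))]


# Constructed input that closes the string literal in the concatenated query.
# Against the bound-parameter version it is just a tenant name that matches nothing.
PROBE = "customer-b' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", agents_for_org_vulnerable(db, PROBE))  # every tenant's hosts
    print("safe:      ", agents_for_org_safe(db, PROBE))        # []
```

Reviewing for the first pattern is mechanical: any query text built with string formatting from request data is a finding, and the fix is the second pattern.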
None of the plaintiffs or their lawyers responded to requests for comment. They agreed to close the case in December 2013, just a month after filing it. It is not clear how the dispute was resolved. Kaseya is a private company.
Sutherland and Wong’s LinkedIn profiles list them as retirees. Blackie became CEO of another Miami-based remote control software provider, Pilixo, where he was joined by McMullen. Pilixo did not return a request for comment.
New vulnerabilities affecting Kaseya’s VSA – including the one exploited by the ransomware gang REvil – were discovered this year by a Dutch cybersecurity research group that says it confidentially notified Kaseya in early April. “In the wrong hands, these vulnerabilities could lead to the compromise of a large number of computers managed by Kaseya VSA,” the Dutch Institute for Vulnerability Disclosure said in a blog post last week explaining the timeline of its actions.
Kaseya patched some of these in May, including another SQL injection flaw, but the Dutch group said others still weren’t patched when the ransomware started hitting hundreds of businesses in early July. Kaseya said up to 1,500 businesses were compromised as a result of the attack. Kaseya deployed patches for the vulnerabilities used in the REvil attack on Sunday.
With Kaseya in the spotlight, a cybersecurity worker helping customers affected by the July 2 ransomware attack discovered what he called a blatant Kaseya security omission: a vulnerability in a publicly accessible customer portal that had been identified in 2015 but never fixed.
Hold Security’s Alex Holden said he informed Kaseya and the portal was quickly taken down. But the vulnerability troubled him, he said, because it allowed unauthenticated users to read a normally well-protected configuration file on Microsoft web servers, which often contains passwords and can grant access to core functions.
Moussouris said there is a pattern of ransomware syndicates looking for easily detectable software flaws.
“It’s a collective technical debt around the world and ransomware gangs are technical debt collectors,” she said. “They’re going after organizations like Kaseya” and others that haven’t invested in better security.