For 21 years, the software company Kaseya worked in relative darkness – at least until cybercriminals took advantage of it in early July for a massive ransomware attack that disrupted companies around the world and escalated diplomatic tensions between the US and Russia.
However, it turns out that the recent hack wasn’t the first major cybersecurity problem to hit the Miami-based company and its core product, which IT teams use to remotely monitor and manage computer systems and other devices in the workplace.
“It feels a bit like déjà vu,” said Allie Mellen, security analyst at Forrester Research.
In 2018, for example, hackers managed to infiltrate Kaseya’s remote tool to perform a “cryptojacking” operation that channels the processing power of affected computers into mining cryptocurrencies – often without the victims noticing. It was less damaging than the most recent ransomware attack, which could not be missed because it crippled affected systems until their owners paid. But it similarly relied on Kaseya’s Virtual System Administrator (VSA) product to gain access to the companies that depend on it.
A 2019 ransomware attack also infiltrated computers through another company’s add-on software component to the Kaseya VSA, causing less damage than the most recent attack. Some experts have linked this earlier attack to some of the same hackers who later founded REvil, the Russian-speaking syndicate that was blamed for the most recent attack.
And in 2014, Kaseya’s own founders sued the company over responsibility for a VSA vulnerability that allowed hackers to launch a separate cryptocurrency system. Aside from a brief mention from 2015 in a technical blog post, the court case appears to have not been previously reported. At the time, the founders denied responsibility for the vulnerability and called the company’s allegations against them a “false claim”.
Almost all of Kaseya’s security problems are rooted in well-understood coding vulnerabilities that should have been fixed sooner, said cybersecurity expert Katie Moussouris, founder and CEO of Luta Security.
“Kaseya has to evolve, as does the entire software industry,” she said. “This is a failure to take into account the lessons the mistakes taught you. Kaseya, like many companies, fails to learn these lessons.”
Many of the attacks were based at least in part on so-called SQL injection, a technique that hackers use to inject malicious code into web queries. It’s an ancient technique that Mellen said has been considered a “problem solved” in the cybersecurity world for a decade.
“It indicates a chronic product safety issue in Kaseya’s software that was not resolved seven years later,” she said. “When companies ignore security challenges, incidents continue and, as in this case, get worse.”
Kaseya has long been an attractive target because many of its direct customers are “managed services providers” who host the IT infrastructure for hundreds, if not thousands, of other companies.
“In the business we’re in and with the number of endpoints we manage around the world, as you’d expect, we take security very seriously,” said Ronan Kirby, president of the company’s European business, at a Belgian cybersecurity conference on Thursday. “You attack a company, you penetrate the company. If you attack a service provider, you penetrate all of their customers. If you penetrate Kaseya, that’s a whole different matter. So we’re obviously an attractive target.”
Kaseya declined to answer questions from The Associated Press about the previous hacks or litigation over its founders.
Mark Sutherland and Paul Wong founded Kaseya in California in 2000. They had previously worked together on a project to protect the email accounts of US intelligence officials at the National Security Agency, according to a report on the company’s website.
But more than a year after Kaseya was sold in June 2013, court records show that Sutherland, Wong, and two other former top executives sued the company for $5.5 million in share buybacks that they were wrongly denied.
At the center of the dispute was an attack by hackers using Kaseya’s VSA as a channel to deliver Litecoin mining malware that secretly hijacks the power of a victim’s computer to make money for the hacker by processing cryptocurrency payments.
Kaseya made the attacks public in a March 2014 notice to customers. Privately, it blamed the company’s previous leadership for not warning of “serious security vulnerabilities” in Kaseya’s software. It wanted to withhold the last $5.5 million of the purchase price from them to make up for the loss of business and damage to reputation.
The founders, in turn, blamed the new leadership for scaling back their programming skills and removing a “hotfix” system to quickly fix bugs, according to lawsuits brought by Sutherland, Wong, former CEO Gerald Blackie and former Chief Operating Officer Timothy McMullen.
They also argued that the SQL injection technique used by the hackers was widespread and “inherent in any computer code” that uses the SQL programming language.
“It is virtually impossible to ensure that every single piece of database access code is immune to SQL injection,” said their lawsuit. Mellen and Moussouris both disputed this claim.
“That is a bold statement and has been proven to be wrong,” said Moussouris. “It underscores the fact that they lacked the security knowledge and sophistication to protect their users.”
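The claim the experts dispute is that SQL injection is unavoidable in code that uses SQL. The following added example (not code from the article, Kaseya, or VSA) uses Python’s standard sqlite3 module and a constructed in-memory user table to show why it is a solved problem: the same lookup written with string concatenation leaks every row on crafted input, while the parameterized form treats that input purely as data.

```python
import sqlite3

# Constructed in-memory table standing in for any application's user store.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret-a"), ("bob", "s3cret-b")])
    return db

def lookup_vulnerable(db, name):
    # The user-supplied value is spliced into the SQL text, so quote
    # characters and keywords in it are parsed as part of the statement.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # The placeholder is bound by the driver after the statement is parsed;
    # whatever the value contains, it can only ever be compared as a string.
    return db.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"          # classic textbook injection input
    print(lookup_vulnerable(db, crafted))     # every row is returned
    print(lookup_parameterized(db, crafted))  # no user has that literal name
    print(lookup_parameterized(db, "alice"))  # normal lookups still work
```

Applying the parameterized pattern to every database access, and grepping the codebase for concatenated query strings, is a mechanical review task rather than an impossible one.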
None of the plaintiffs or their lawyers responded to requests for comment. They agreed to dismiss the case in December 2013, just a month after they filed it. It is not clear how it was settled. Kaseya is privately owned.
LinkedIn profiles for Sutherland and Wong list them as retired. Blackie became CEO of another Miami-based remote control software provider, Pilixo, where he was assisted by McMullen. Pilixo did not return a request for comment.
New vulnerabilities affecting Kaseya’s VSA – including those exploited by the REvil ransomware gang – were discovered earlier this year by a Dutch cybersecurity research group that Kaseya privately warned in early April. “In the wrong hands, these vulnerabilities could compromise a large number of computers managed by Kaseya VSA,” said the Dutch Vulnerability Disclosure Institute last week in a blog post detailing the timing of its actions.
Some of these were fixed by Kaseya by May, including another SQL injection bug, but the Dutch group said others weren’t patched when ransomware hit hundreds of companies in early July. Kaseya said up to 1,500 companies were compromised in the attack. Kaseya rolled out patches on Sunday for the vulnerabilities used in the REvil attack.
With Kaseya in the spotlight, a cybersecurity responder helping customers affected by the July 2 ransomware attack discovered what he called Kaseya’s most glaring vulnerability: a flaw in a public customer portal that had been identified in 2015 but never patched.
Hold Security’s Alex Holden said he notified Kaseya and that the portal was quickly dismantled. But the vulnerability worries him, he said, because it gives unauthenticated users access to a configuration file that is highly protected on Microsoft web servers – one that often contains passwords and can provide access to core functionality.
Moussouris said there is a pattern of ransomware syndicates tracking down easily identifiable software bugs.
“It’s collective technical debt around the world and the ransomware gangs are technical debt collectors,” she said. “They are after organizations like Kaseya” and others who haven’t invested in better security.
Corrected this article to indicate that news of a lawsuit involving Kaseya and its founders was previously described in a 2015 technical blog post.
AP technology reporter Frank Bajak contributed to this article.
Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed in any way without permission.