Firm hacked to spread ransomware had previous security flaws
For 21 years, the software company Kaseya labored in relative obscurity — at least until cybercriminals exploited it in early July for a massive ransomware attack that snarled businesses around the world and escalated U.S.-Russia diplomatic tensions.
But it turns out that the recent hack wasn’t the first major cybersecurity problem to hit the Miami-based company and its core product, which IT teams use to remotely monitor and administer workplace computer systems and other devices.
“It feels a little like déjà vu,” said Allie Mellen, a security analyst at Forrester Research.
In 2018, for instance, hackers managed to infiltrate Kaseya’s remote tool to run a “cryptojacking” operation, which channels the power of afflicted computers to mine cryptocurrency — often without its victims noticing. It was a less harmful breach than the recent ransomware attack, which was impossible to miss since it crippled affected systems until their owners paid up. But it similarly relied on Kaseya’s Virtual System Administrator product, or VSA, as a vehicle to get access to the companies that rely on it.
A 2019 ransomware attack also rode into computers through another company’s add-on software component to the Kaseya VSA, causing more limited damage than the recent attack. Some experts have tied that earlier assault to some of the same hackers who later formed REvil, the Russian-language syndicate blamed for the latest attack.
And in 2014, Kaseya’s own founders sued the company in a dispute over responsibility for a VSA security flaw that allowed hackers to launch a separate cryptocurrency scheme. The court case does not appear to have been previously reported outside of a brief 2015 mention in a technical blog post. At the time, the founders denied responsibility for the vulnerability, calling the company’s charges against them a “bogus assertion.”
Nearly all of Kaseya’s security problems have as their root cause well-understood coding vulnerabilities that should have been addressed earlier, said cybersecurity expert Katie Moussouris, the founder and CEO of Luta Security.
“Kaseya needs to shape up, as does the entire software industry,” she said. “This is a failure to incorporate the lessons the bugs were teaching you. Kaseya, like a lot of companies, is failing to learn those lessons.”
Many of the attacks relied at least in part on what’s known as SQL injection, a technique hackers use to inject malicious code into web queries. It’s an old technique that Mellen said has been considered a “solved problem” in the cybersecurity world for a decade.
“It points to a chronic product security issue in Kaseya’s software that remains unaddressed seven years later,” she said. “When organizations choose to brush over security challenges, the incidents continue, and, as in this case, get worse.”
Kaseya has noted that it’s long been a target because many of its direct customers are “managed-services providers” that host IT infrastructure for hundreds, if not thousands, of other businesses.
“In the business we’re in, and the number of endpoints we manage around the world, as you might expect, we take security extremely seriously,” Ronan Kirby, president of the company’s European operations, said at a Belgian cybersecurity conference Thursday. “You attack a company, you get into the company. You attack a service provider, you get into all their customers. You get into Kaseya, that’s a very different proposition. So obviously we’re an attractive target.”
Kaseya declined to answer questions from The Associated Press about the previous hacks or the legal dispute involving its founders.
Mark Sutherland and Paul Wong co-founded Kaseya in California in 2000. They had previously worked together on a project protecting the email accounts of U.S. intelligence workers at the National Security Agency, according to an account on the company’s website.
But more than a year after selling Kaseya in June 2013, court records show that Sutherland, Wong and two other former top executives sued the company to recoup $5.5 million in stock buybacks they said they were unfairly denied.
At the heart of the dispute was an attack by hackers who used Kaseya’s VSA as a conduit to deploy Litecoin mining malware that secretly hijacks a victim computer’s power to make money for the hacker by processing cryptocurrency payments.
Kaseya publicly disclosed the attacks in a March 2014 notice to customers. Privately, it was blaming the company’s previous leadership for not warning about “serious vulnerabilities” in Kaseya’s software. It sought to deprive them of the final $5.5 million of the acquisition price to compensate for the loss of business and damaged reputation.
The founders, in turn, blamed the new leadership for scaling back on coding expertise and eliminating a “hotfix” system for rapidly fixing bugs, according to the lawsuit from Sutherland, Wong, former CEO Gerald Blackie and former Chief Operating Officer Timothy McMullen.
They also argued that the SQL injection technique used by the hackers was highly common and “inherent in any computer code” that uses the SQL programming language.
“Ensuring that each and every piece of database access code is immune to SQL injection is essentially impossible,” said their lawsuit. Mellen and Moussouris both rejected that assertion.
“That is a bold statement and provably false,” Moussouris said. “It highlights the fact they lacked the security knowledge and sophistication to protect their users.”
None of the plaintiffs or their lawyers responded to requests for comment. They agreed to dismiss the case in December 2013, just a month after they filed it. It’s not clear how it was settled. Kaseya is privately held.
LinkedIn profiles for Sutherland and Wong list them as retired. Blackie went on to become CEO of another Miami-based provider of remote-control software, Pilixo, where he was joined by McMullen. Pilixo didn’t return a request for comment.
New vulnerabilities affecting Kaseya’s VSA — including the one exploited by the REvil ransomware gang — were discovered this year by a Dutch cybersecurity research group that says it confidentially warned Kaseya in early April. “In the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA,” the Dutch Institute for Vulnerability Disclosure said in a blog post last week explaining the timeline of its actions.
Some of those Kaseya fixed by May, including another SQL injection flaw, but the Dutch group said others were still unpatched when ransomware started hitting hundreds of businesses in early July. Kaseya has said up to 1,500 businesses have been compromised as a result of the attack. Kaseya on Sunday rolled out patches to the vulnerabilities used in the REvil attack.
With Kaseya in the spotlight, a cybersecurity responder assisting clients stricken by the July 2 ransomware attack discovered what he called a glaring Kaseya security omission: a vulnerability in a public-facing customer portal that had been identified in 2015 but left unpatched.
Alex Holden of Hold Security said he notified Kaseya and that the portal was quickly taken down. But the vulnerability troubled him, he said, because it granted unauthenticated users access to a configuration file that is highly protected on Microsoft web servers — one that often contains passwords and can grant access to core functions.
Moussouris said there’s a pattern of ransomware syndicates going after easily detectable software flaws.
“It’s collective technical debt around the world and the ransomware gangs are technical debt collectors,” she said. “They’re coming after organizations like Kaseya” and others that haven’t invested in better security.