Software company Kaseya has been working in a relatively ambiguous state for 21 years. Until at least in early July, cybercriminals abused it to abuse companies around the world and launch large-scale ransomware attacks that heightened tensions in US-Russian diplomacy.
However, recent hacks turned out not to be the first major cybersecurity issue that hit a Miami-based company and its core products. IT teams use it to remotely monitor and manage computer systems and other devices in the workplace.
Allie Mellen, a security analyst at Forrester Research, said:
For example, in 2018, a hacker broke into Kaseya’s tools in 2018 to perform an “encryption jack” operation. This operation uses the power of the suffering computer to mine cryptocurrencies unnoticed by the victim. It was a less harmful breach than a recent ransomware attack, but it couldn’t be overlooked because the affected system stopped working until the owner paid for it. But it also relied on Kaseya’s Virtual System Administrator product (VSA) as a way to access the companies that depended on it.
The 2019 ransomware attack also broke into the computer through a third-party add-on software component to Kaseya VSA, causing more limited damage than recent attacks. Some experts have linked previous attacks to some of the same hackers who later formed REvil. This is a Russian syndicate blaming the latest attack.
And in 2014, Kaseya’s own founder sued the company for liability for a VSA security flaw that allowed hackers to launch another cryptocurrency scheme. The proceedings have not been previously reported. At that time, the founders denied liability for the vulnerability and called the company’s accusations against them a “fake claim.”
Katie Moussouris, founder and CEO of Luta Security, a cybersecurity expert, said that almost all of Kaseya’s security issues have well-understood coding vulnerabilities that need to be addressed before as the root cause. It states that it is.
“Kaseya needs to be shaped, as is the entire software industry,” she said. “This is a failure to incorporate the lessons that Bug taught. Like many companies, Kaseya has not been able to learn those lessons.”
Many of the attacks relied, at least in part, on what is called SQL injection, a technique that hackers use to inject malicious code into web queries. This is an old method that Melen said has been considered a “solved problem” in the cybersecurity world for a decade.
“This represents a chronic product security issue for Kaseya’s software that hasn’t been addressed after seven years,” she said. “If an organization chooses to overcome security challenges, the incident will continue and be exacerbated, as in this case.”
Kaseya says many of its direct customers have long been targeted because they are “managed service providers” that host the IT infrastructure of hundreds, if not thousands, of other businesses. I am.
Ronan Kirby, president of the company’s European business, said at the Belgian cybersecurity conference Thursday: “You attack the company and enter the company. You attack the service provider and you enter all their customers. You enter Kaseya, it’s a very different proposal. So obviously We are an attractive target. “
Kaseya refused to answer questions from the Associated Press about previous hacks and legal disputes involving the founders.
Mark Sutherland and Paul Wong co-founded Kaseya in California in 2000. According to accounts on the company’s website, they were previously working on a project to protect the email accounts of US intelligence officers from the National Security Agency.
But more than a year after selling Kaseya in June 2013, court records show that Sutherland, Wong, and two other former executives were unfairly denied $ 5.5 million. I sued the company to regain its share buyback.
At the heart of the controversy was an attack by a hacker who used Kaseya’s VSA as a conduit for deploying “Litecoin” mining malware. It secretly hijacks the power of the victim’s computer and makes money for hackers by processing new cryptocurrency payments.
Kaseya announced the attack in a March 2014 notice. Personally, I blamed the company’s previous leadership for not warning about “serious vulnerabilities” in Kaseya’s software. They sought to rob them of the final $ 5.5 million acquisition price to make up for the loss of business and the loss of reputation.
The founders blamed the new leadership by reducing their coding expertise and eliminating the “hotfix” system for quickly fixing bugs.
They also argued that the SQL injection techniques used by hackers were very common and “specific to any computer code” using the SQL programming language.
“It is essentially impossible to keep all parts of the database access code unaffected by SQL injection,” the proceedings said. Both Melen and Musliss rejected the claim.
“It’s a bold statement, probably wrong,” Musuris said. “This highlights the fact that we lack the security knowledge and sophistication to protect our users.”
None of the plaintiffs or their lawyers responded to requests for comment. They agreed to dismiss the proceedings in December 2013, just one month after the proceedings were filed. It is not clear how it was resolved. Kaseya is private.
Sutherland and Wong’s LinkedIn profile states that they are retired, and Sutherland also grows wine grapes. Blackie has become CEO of Pilixo, another Miami-based remote control software provider, with the addition of McMullen. Pilixo did not return a request for comment.
New vulnerabilities affecting Kaseya’s VSA, including those exploited by the REvil ransomware gang, were discovered this year by a Dutch cybersecurity research group that said they secretly warned Kaseya in early April. “Maliciously, these vulnerabilities can lead to the breach of a large number of computers managed by Kaseya VSA,” the Dutch Institute for Vulnerability Disclosure said in a blog post last week on the timeline of its actions. I explained.
Some of Kaseya’s fixes by May also included another SQL injection flaw, but the Dutch group was still in early July when ransomware launched attacks on hundreds of companies. Said that the patch has not been applied. Kaseya states that up to 1,500 companies have been compromised as a result of the attack. Kaseya released a patch on Sunday for the vulnerability used in the REvil attack.
Musliss said there is a pattern of ransomware syndication that tracks software flaws that are easy to detect.
“It’s a collective technical debt around the world, and ransomware gangs are technical debt collectors,” she said. “They are chasing organizations like Kaseya and other organizations that are not investing in better security.