Firm hacked to spread ransomware had previous security flaws

Jul 13, 2021, 7:27 AM | Updated: Jul 15, 2021, 7:12 pm

For 21 years, the software company Kaseya labored in relative obscurity — at least until cybercriminals exploited it in early July for a massive ransomware attack that snarled businesses around the world and escalated U.S.-Russia diplomatic tensions.

But it turns out that the recent hack wasn’t the first major cybersecurity problem to hit the Miami-based company and its core product, which IT teams use to remotely monitor and administer workplace computer systems and other devices.

“It feels a little like déjà vu,” said Allie Mellen, a security analyst at Forrester Research.

In 2018, for instance, hackers managed to infiltrate Kaseya’s remote tool to run a “cryptojacking” operation, which channels the power of afflicted computers to mine cryptocurrency — often without its victims noticing. It was a less harmful breach than the recent ransomware attack, which was impossible to miss since it crippled affected systems until their owners paid up. But it similarly relied on Kaseya’s Virtual System Administrator product, or VSA, as a vehicle to get access to the companies that rely on it.

A 2019 ransomware attack also rode into computers through another company’s add-on software component to the Kaseya VSA, causing more limited damage than the recent attack. Some experts have tied that earlier assault to some of the same hackers who later formed REvil, the Russian-language syndicate blamed for the latest attack.

And in 2014, Kaseya’s own founders sued the company in a dispute over responsibility for a VSA security flaw that allowed hackers to launch a separate cryptocurrency scheme. The court case does not appear to have been previously reported outside of a brief 2015 mention in a technical blog post. At the time, the founders denied responsibility for the vulnerability, calling the company’s charges against them a “bogus assertion.”

Nearly all of Kaseya’s security problems have as their root cause well-understood coding vulnerabilities that should have been addressed earlier, said cybersecurity expert Katie Moussouris, the founder and CEO of Luta Security.

“Kaseya needs to shape up, as does the entire software industry,” she said. “This is a failure to incorporate the lessons the bugs were teaching you. Kaseya, like a lot of companies, is failing to learn those lessons.”

Many of the attacks relied at least in part on what’s known as SQL injection, a technique hackers use to inject malicious code into web queries. It’s an old technique that Mellen said has been considered a “solved problem” in the cybersecurity world for a decade.

“It points to a chronic product security issue in Kaseya’s software that remains unaddressed seven years later,” she said. “When organizations choose to brush over security challenges, the incidents continue, and, as in this case, get worse.”

Kaseya has noted that it’s long been a target because many of its direct customers are “managed-services providers” that host IT infrastructure for hundreds, if not thousands, of other businesses.

“In the business we’re in, and the number of endpoints we manage around the world, as you might expect, we take security extremely seriously,” Ronan Kirby, president of the company’s European operations, said at a Belgian cybersecurity conference Thursday. “You attack a company, you get into the company. You attack a service provider, you get into all their customers. You get into Kaseya, that’s a very different proposition. So obviously we’re an attractive target.”

Kaseya declined to answer questions from The Associated Press about the previous hacks or the legal dispute involving its founders.

Mark Sutherland and Paul Wong co-founded Kaseya in California in 2000. They had previously worked together on a project protecting the email accounts of U.S. intelligence workers at the National Security Agency, according to an account on the company’s website.

But more than a year after selling Kaseya in June 2013, court records show that Sutherland, Wong and two other former top executives sued the company to recoup $5.5 million in stock buybacks they said they were unfairly denied.

At the heart of the dispute was an attack by hackers who used Kaseya’s VSA as a conduit to deploy Litecoin mining malware that secretly hijacks a victim computer’s power to make money for the hacker by processing cryptocurrency payments.

Kaseya publicly disclosed the attacks in a March 2014 notice to customers. Privately, it was blaming the company’s previous leadership for not warning about “serious vulnerabilities” in Kaseya’s software. It sought to deprive them of the final $5.5 million of the acquisition price to compensate for the loss of business and damaged reputation.

The founders, in turn, blamed the new leadership for scaling back on coding expertise and eliminating a “hotfix” system for rapidly fixing bugs, according to the lawsuit from Sutherland, Wong, former CEO Gerald Blackie and former Chief Operating Officer Timothy McMullen.

They also argued that the SQL injection technique used by the hackers was highly common and “inherent in any computer code” that uses the SQL programming language.

“Ensuring that each and every piece of database access code is immune to SQL injection is essentially impossible,” said their lawsuit. Mellen and Moussouris both rejected that assertion.

“That is a bold statement and provably false,” Moussouris said. “It highlights the fact they lacked the security knowledge and sophistication to protect their users.”

None of the plaintiffs or their lawyers responded to requests for comment. They agreed to dismiss the case in December 2013, just a month after they filed it. It’s not clear how it was settled. Kaseya is privately held.

LinkedIn profiles for Sutherland and Wong list them as retired. Blackie went on to become CEO of another Miami-based provider of remote-control software, Pilixo, where he was joined by McMullen. Pilixo didn’t return a request for comment.

New vulnerabilities affecting Kaseya’s VSA — including the one exploited by the REvil ransomware gang — were discovered this year by a Dutch cybersecurity research group that says it confidentially warned Kaseya in early April. “In the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA,” the Dutch Institute for Vulnerability Disclosure said in a blog post last week explaining the timeline of its actions.

Some of those Kaseya fixed by May, including another SQL injection flaw, but the Dutch group said others were still unpatched when ransomware started hitting hundreds of businesses in early July. Kaseya has said up to 1,500 businesses have been compromised as a result of the attack. Kaseya on Sunday rolled out patches to the vulnerabilities used in the REvil attack.

With Kaseya in the spotlight, a cybersecurity responder assisting clients stricken by the July 2 ransomware attack discovered what he called a glaring Kaseya security omission: a vulnerability in a public-facing customer portal that had been identified in 2015 but left unpatched.

Alex Holden of Hold Security said he notified Kaseya and that the portal was quickly taken down. But the vulnerability troubled him, he said, because it granted unauthenticated users access to a configuration file that is highly protected on Microsoft web servers — one that often contains passwords and can grant access to core functions.

Moussouris said there’s a pattern of ransomware syndicates going after easily detectable software flaws.

“It’s collective technical debt around the world and the ransomware gangs are technical debt collectors,” she said. “They’re coming after organizations like Kaseya” and others that haven’t invested in better security.

___

This article has been corrected to note that news of a court case involving Kaseya and its founders was previously described in a 2015 technical blog post.

___

AP technology reporter Frank Bajak contributed to this article.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

AP

British Prime Minister Boris Johnson, right, attends a meeting with New Zealand Prime Minister Jaci...
Associated Press

New Zealand leader makes first trip to UK since trade deal

LONDON (AP) — New Zealand Prime Minister Jacinda Ardern on Friday made her first visit to the U.K. since both countries signed a free trade agreement, meeting with British Prime Minister Boris Johnson to boost bilateral ties and discuss Russia’s war in Ukraine. The trip came after both leaders attended the NATO summit in Madrid. […]
7 hours ago
Associated Press

COVID cases up by more than 30% in Britain last week

LONDON (AP) — The number of new coronavirus cases across Britain has surged by more than 30% in the last week, new data showed Friday, with cases largely driven by the super infectious omicron variants. Data released by Britain’s Office for National Statistics showed that more than 3 million people in the U.K. had COVID-19 […]
7 hours ago
Associated Press

Chicago shooting during dispute leaves 2 dead, 3 wounded

CHICAGO (AP) — A person opened fire during a verbal dispute early Friday in downtown Chicago, killing two men and wounding three other people, police said. The five who were shot were leaving a business about 1:45 a.m. when the person they were in a dispute with opened fire with a handgun, police said in […]
7 hours ago
Zabiullah Mujahid, the spokesman for the Taliban government, speaks during a press conference in Ka...
Associated Press

Taliban supreme leader prays for Afghanistan’s quake victims

ISLAMABAD (AP) — The Taliban’s supreme leader offered prayers Friday for Afghanistan’s earthquake victims during a speech to Islamic clerics in Kabul. The tremor in June killed more than 1,000 people in the eastern part of the country. State radio aired Haibatullah Akhundzada’s speech live Friday from the gathering in Kabul, where thousands of Islamic […]
7 hours ago
In this photo provided by the Ukrainian Emergency Service, a damaged residential building is seen i...
Associated Press

Russian missiles kill at least 19 in Ukraine’s Odesa region

POKROVSK, Ukraine (AP) — Russian missile attacks on residential areas killed at least 19 people in a Ukrainian town near Odesa early Friday, authorities reported. The airstrikes pierced the cautious relief expressed a day earlier after Russian forces withdrew from a Black Sea island where they could have staged an assault on the city with […]
7 hours ago
CORRECTS THAT CHRIS HEATON-HARRIS IS NOT IN PICTURE - File photo of Chris Pincher in Downing Street...
Associated Press

UK government faces new boozy scandal as deputy whip quits

LONDON (AP) — Britain’s government is dealing with another boozy scandal after the deputy chief whip resigned from his post following a drunken incident and Prime Minister Boris Johnson faced calls Friday to expel the lawmaker from the Conservative Party. Chris Pincher, whose role was to maintain discipline among Tory members of Parliament, submitted a […]
7 hours ago

Sponsored Articles

...
Carla Berg, MHS, Deputy Director, Public Health Services, Arizona Department of Health Services

Vaccines are safe if you are pregnant or breastfeeding

Are you pregnant? Do you have a friend or loved one who’s expecting?
...
Carla Berg, MHS, Deputy Director, Public Health Services, Arizona Department of Health Services

Update your child’s vaccines before kindergarten

So, your little one starts kindergarten soon. How exciting! You still have a few months before the school year starts, so now’s the time to make sure students-to-be have the vaccines needed to stay safe as they head into a new chapter of life.
...
Christina O’Haver

BE FAST to spot a stroke

Every 40 seconds—that’s how often someone has a stroke in the United States. It’s the fifth leading cause of death among Americans, with someone dying of a stroke every 3.5 minutes.
Firm hacked to spread ransomware had previous security flaws