Firm hacked to spread ransomware had previous security flaws

Jul 13, 2021, 7:27 AM | Updated: Jul 15, 2021, 7:12 pm

For 21 years, the software company Kaseya labored in relative obscurity — at least until cybercriminals exploited it in early July for a massive ransomware attack that snarled businesses around the world and escalated U.S.-Russia diplomatic tensions.

But it turns out that the recent hack wasn’t the first major cybersecurity problem to hit the Miami-based company and its core product, which IT teams use to remotely monitor and administer workplace computer systems and other devices.

“It feels a little like déjà vu,” said Allie Mellen, a security analyst at Forrester Research.

In 2018, for instance, hackers managed to infiltrate Kaseya’s remote tool to run a “cryptojacking” operation, which channels the power of afflicted computers to mine cryptocurrency — often without its victims noticing. It was a less harmful breach than the recent ransomware attack, which was impossible to miss since it crippled affected systems until their owners paid up. But it similarly relied on Kaseya’s Virtual System Administrator product, or VSA, as a vehicle to get access to the companies that rely on it.

A 2019 ransomware attack also rode into computers through another company’s add-on software component to the Kaseya VSA, causing more limited damage than the recent attack. Some experts have tied that earlier assault to some of the same hackers who later formed REvil, the Russian-language syndicate blamed for the latest attack.

And in 2014, Kaseya’s own founders sued the company in a dispute over responsibility for a VSA security flaw that allowed hackers to launch a separate cryptocurrency scheme. The court case does not appear to have been previously reported outside of a brief 2015 mention in a technical blog post. At the time, the founders denied responsibility for the vulnerability, calling the company’s charges against them a “bogus assertion.”

Nearly all of Kaseya’s security problems have as their root cause well-understood coding vulnerabilities that should have been addressed earlier, said cybersecurity expert Katie Moussouris, the founder and CEO of Luta Security.

“Kaseya needs to shape up, as does the entire software industry,” she said. “This is a failure to incorporate the lessons the bugs were teaching you. Kaseya, like a lot of companies, is failing to learn those lessons.”

Many of the attacks relied at least in part on what’s known as SQL injection, a technique hackers use to inject malicious code into web queries. It’s an old technique that Mellen said has been considered a “solved problem” in the cybersecurity world for a decade.

“It points to a chronic product security issue in Kaseya’s software that remains unaddressed seven years later,” she said. “When organizations choose to brush over security challenges, the incidents continue, and, as in this case, get worse.”

Kaseya has noted that it’s long been a target because many of its direct customers are “managed-services providers” that host IT infrastructure for hundreds, if not thousands, of other businesses.

“In the business we’re in, and the number of endpoints we manage around the world, as you might expect, we take security extremely seriously,” Ronan Kirby, president of the company’s European operations, said at a Belgian cybersecurity conference Thursday. “You attack a company, you get into the company. You attack a service provider, you get into all their customers. You get into Kaseya, that’s a very different proposition. So obviously we’re an attractive target.”

Kaseya declined to answer questions from The Associated Press about the previous hacks or the legal dispute involving its founders.

Mark Sutherland and Paul Wong co-founded Kaseya in California in 2000. They had previously worked together on a project protecting the email accounts of U.S. intelligence workers at the National Security Agency, according to an account on the company’s website.

But more than a year after selling Kaseya in June 2013, court records show that Sutherland, Wong and two other former top executives sued the company to recoup $5.5 million in stock buybacks they said they were unfairly denied.

At the heart of the dispute was an attack by hackers who used Kaseya’s VSA as a conduit to deploy Litecoin mining malware that secretly hijacks a victim computer’s power to make money for the hacker by processing cryptocurrency payments.

Kaseya publicly disclosed the attacks in a March 2014 notice to customers. Privately, it was blaming the company’s previous leadership for not warning about “serious vulnerabilities” in Kaseya’s software. It sought to deprive them of the final $5.5 million of the acquisition price to compensate for the loss of business and damaged reputation.

The founders, in turn, blamed the new leadership for scaling back on coding expertise and eliminating a “hotfix” system for rapidly fixing bugs, according to the lawsuit from Sutherland, Wong, former CEO Gerald Blackie and former Chief Operating Officer Timothy McMullen.

They also argued that the SQL injection technique used by the hackers was highly common and “inherent in any computer code” that uses the SQL programming language.

“Ensuring that each and every piece of database access code is immune to SQL injection is essentially impossible,” said their lawsuit. Mellen and Moussouris both rejected that assertion.

“That is a bold statement and provably false,” Moussouris said. “It highlights the fact they lacked the security knowledge and sophistication to protect their users.”

None of the plaintiffs or their lawyers responded to requests for comment. They agreed to dismiss the case in December 2013, just a month after they filed it. It’s not clear how it was settled. Kaseya is privately held.

LinkedIn profiles for Sutherland and Wong list them as retired. Blackie went on to become CEO of another Miami-based provider of remote-control software, Pilixo, where he was joined by McMullen. Pilixo didn’t return a request for comment.

New vulnerabilities affecting Kaseya’s VSA — including the one exploited by the REvil ransomware gang — were discovered this year by a Dutch cybersecurity research group that says it confidentially warned Kaseya in early April. “In the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA,” the Dutch Institute for Vulnerability Disclosure said in a blog post last week explaining the timeline of its actions.

Some of those Kaseya fixed by May, including another SQL injection flaw, but the Dutch group said others were still unpatched when ransomware started hitting hundreds of businesses in early July. Kaseya has said up to 1,500 businesses have been compromised as a result of the attack. Kaseya on Sunday rolled out patches to the vulnerabilities used in the REvil attack.

With Kaseya in the spotlight, a cybersecurity responder assisting clients stricken by the July 2 ransomware attack discovered what he called a glaring Kaseya security omission: a vulnerability in a public-facing customer portal that had been identified in 2015 but left unpatched.

Alex Holden of Hold Security said he notified Kaseya and that the portal was quickly taken down. But the vulnerability troubled him, he said, because it granted unauthenticated users access to a configuration file that is highly protected on Microsoft web servers — one that often contains passwords and can grant access to core functions.

Moussouris said there’s a pattern of ransomware syndicates going after easily detectable software flaws.

“It’s collective technical debt around the world and the ransomware gangs are technical debt collectors,” she said. “They’re coming after organizations like Kaseya” and others that haven’t invested in better security.


This article has been corrected to note that news of a court case involving Kaseya and its founders was previously described in a 2015 technical blog post.


AP technology reporter Frank Bajak contributed to this article.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


Arizona and New York attorneys feud over extraditing suspect...

Associated Press

Why Alvin Bragg and Rachel Mitchell are fighting over extraditing suspect in New York hotel killing

Maricopa County Attorney Rachel Mitchell says she isn't into extraditing a suspect due to her lack of faith in Manhattan’s top prosecutor.

3 days ago

A Gila monster is displayed at the Woodland Park Zoo in Seattle, Dec. 14, 2018. A 34-year-old Color...

Associated Press

Colorado man dies after being bitten by pet Gila monster

A Colorado man has died after being bitten by his pet Gila monster in what would be a rare death by one of the desert lizards if the creature's venom turns out to have been the cause.

4 days ago

Police clear the area following a shooting at the Kansas City Chiefs NFL football Super Bowl celebr...

Associated Press

1 dead, many wounded after shooting at Kansas City Chiefs’ Super Bowl victory parade

One person died after 22 people were hit by gunfire in a shooting at the end of the Kansas Chiefs' Super Bowl victory celebration Wednesday.

11 days ago

This image from House Television shows House Speaker Mike Johnson of La., banging the gavel after h...

Associated Press

GOP-led House impeaches Homeland Security Secretary Mayorkas — by one vote — over border management

Having failed to impeach Homeland Security Secretary Alejandro Mayorkas the first time, House Republicans are determined to try again Tuesday.

12 days ago

Defense Secretary Lloyd Austin, right, and Kenya's Defense Minister Aden Duale, left, listen during...

Associated Press

Defense Secretary Lloyd Austin hospitalized with bladder issue

Defense Secretary Lloyd Austin has been hospitalized following symptoms pointing to an “emergent bladder issue."

14 days ago

Joel Osteen, the pastor of Lakewood Church, stands with his wife, Victoria Osteen, as he conducts a...

Associated Press

Woman firing rifle killed by 2 off-duty officers at Houston’s Lakewood Church run by Joel Osteen

A woman entered the Texas megachurch of Joel Osteen and started shooting with a rifle Sunday and was killed by two off-duty officers.

14 days ago

Sponsored Articles


Midwestern University

Midwestern University Clinics: transforming health care in the valley

Midwestern University, long a fixture of comprehensive health care education in the West Valley, is also a recognized leader in community health care.


Fiesta Bowl Foundation

The 51st annual Vrbo Fiesta Bowl Parade is excitingly upon us

The 51st annual Vrbo Fiesta Bowl Parade presented by Lerner & Rowe is upon us! The attraction honors Arizona and the history of the game.


Collins Comfort Masters

Avoid a potential emergency and get your home’s heating and furnace safety checked

With the weather getting colder throughout the Valley, the best time to make sure your heating is all up to date is now. 

Firm hacked to spread ransomware had previous security flaws