Firm hacked to spread ransomware had previous security flaws

FILE - This Feb 23, 2019, file photo shows the inside of a computer. For 21 years, the software company Kaseya labored in relative obscurity, at least until cybercriminals exploited it in early July 2021 for a massive ransomware attack that snarled businesses around the world and escalated U.S.-Russia diplomatic tensions. (AP Photo/Jenny Kane, File)
MATT O'BRIEN · July 13, 2021

For 21 years, the software company Kaseya labored in relative obscurity — at least until cybercriminals exploited it in early July for a massive ransomware attack that snarled businesses around the world and escalated U.S.-Russia diplomatic tensions.

But it turns out that the recent hack wasn't the first major cybersecurity problem to hit the Miami-based company and its core product, which IT teams use to remotely monitor and administer workplace computer systems and other devices.

“It feels a little like déjà vu,” said Allie Mellen, a security analyst at Forrester Research.

In 2018, for instance, hackers infiltrated Kaseya's tool to run a “cryptojacking” operation, which channels the processing power of afflicted computers to mine cryptocurrency, often without the victims noticing. It was a less harmful breach than the recent ransomware attack, which was impossible to miss since it crippled affected systems until their owners paid up. But it similarly relied on Kaseya's Virtual System Administrator product, or VSA, as a vehicle to get access to the companies that rely on it.

A 2019 ransomware attack also rode into computers through another company's add-on software component to the Kaseya VSA, causing more limited damage than the recent attack. Some experts have tied that earlier assault to some of the same hackers who later formed REvil, the Russian-language syndicate blamed for the latest attack.

And in 2014, Kaseya’s own founders sued the company in a dispute over responsibility for a VSA security flaw that allowed hackers to launch a separate cryptocurrency scheme. The court case does not appear to have been previously reported outside of a brief 2015 mention in a technical blog post. At the time, the founders denied responsibility for the vulnerability, calling the company's charges against them a “bogus assertion.”

Nearly all of Kaseya's security problems have as their root cause well-understood coding vulnerabilities that should have been addressed earlier, said cybersecurity expert Katie Moussouris, the founder and CEO of Luta Security.

“Kaseya needs to shape up, as does the entire software industry," she said. “This is a failure to incorporate the lessons the bugs were teaching you. Kaseya, like a lot of companies, is failing to learn those lessons.”

Many of the attacks relied at least in part on what's known as a SQL injection, a technique in which attacker-supplied input is slipped into an application's database queries so that it is executed as part of the query itself. It's an old technique that Mellen said has been considered a “solved problem” in the cybersecurity world for a decade.

“It points to a chronic product security issue in Kaseya’s software that remains unaddressed seven years later," she said. “When organizations choose to brush over security challenges, the incidents continue, and, as in this case, get worse."

Kaseya has noted that it's long been a target because many of its direct customers are “managed-services providers” that host IT infrastructure for hundreds, if not thousands, of other businesses.

“In the business we’re in, and the number of endpoints we manage around the world, as you might expect, we take security extremely seriously," Ronan Kirby, president of the company's European operations, said at a Belgian cybersecurity conference Thursday. “You attack a company, you get into the company. You attack a service provider, you get into all their customers. You get into Kaseya, that’s a very different proposition. So obviously we’re an attractive target.”

Kaseya declined to answer questions from The Associated Press about the previous hacks or the legal dispute involving its founders.

Mark Sutherland and Paul Wong co-founded Kaseya in California in 2000. They had previously worked together on a project protecting the email accounts of U.S. intelligence workers at the National Security Agency, according to an account on the company's website.

But more than a year after selling Kaseya in June 2013, court records show that Sutherland, Wong and two other former top executives sued the company to recoup $5.5 million in stock buybacks they said they were unfairly denied.

At the heart of the dispute was an attack by hackers who used Kaseya's VSA as a conduit to deploy “Litecoin" mining malware, which secretly hijacks a victim computer's power to make money for the hacker by processing new cryptocurrency payments.

Kaseya publicly disclosed the attacks in a March 2014 notice to customers. Privately, it was blaming the company's previous leadership for not warning about “serious vulnerabilities” in Kaseya's software. It sought to deprive them of the final $5.5 million of the acquisition price to compensate for the loss of business and damaged reputation.

The founders, in turn, blamed the new leadership for scaling back on coding expertise and eliminating a “hotfix” system for rapidly fixing bugs, according to the lawsuit from Sutherland, Wong, former CEO Gerald Blackie and former Chief Operating Officer Timothy McMullen.

They also argued that the SQL injection technique used by the hackers was highly common and “inherent in any computer code" that uses the SQL programming language.

“Ensuring that each and every piece of database access code is immune to SQL injection is essentially impossible," said their lawsuit. Mellen and Moussouris both rejected that assertion.

“That is a bold statement and provably false,” Moussouris said. “It highlights the fact they lacked the security knowledge and sophistication to protect their users.”
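The disagreement above, between the founders' claim that immunity to SQL injection is "essentially impossible" and the experts' reply that this is "provably false", comes down to how a query is built. The following is an added illustration written for this page, not code from Kaseya, the lawsuit, or the AP; it uses a constructed in-memory SQLite table with two rows and compares a query assembled by string concatenation against the same query with a bound parameter. The inputs `alice`, `O'Brien` and the textbook string `x' OR '1'='1` are constructed test values. The point it demonstrates is the defender's one: when the SQL text is fixed and user data is passed separately, the database never interprets that data as query structure, so the class of bug the article describes cannot occur in that code path. The concatenated version also throws a syntax error on a perfectly legitimate surname with an apostrophe, which is the kind of signal that surfaces in application error logs long before anyone hostile shows up.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user store.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Create a throwaway SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_concat(conn, name):
    """Vulnerable pattern: the caller's input is pasted into the SQL text, so any
    quote character in `name` changes the structure of the query itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Hardened pattern: the SQL text is fixed and `name` travels separately as a
    bound parameter, so the database only ever treats it as a string value."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def run_comparison():
    """Run both lookups against three constructed inputs and return the results
    keyed as '<pattern>_<input label>'."""
    conn = make_db()
    inputs = (
        ("benign", "alice"),          # ordinary lookup
        ("apostrophe", "O'Brien"),    # legitimate input that contains a quote
        ("hostile", "x' OR '1'='1"),  # textbook injection string, constructed here
    )
    results = {}
    for label, value in inputs:
        try:
            results["concat_" + label] = find_user_concat(conn, value)
        except sqlite3.OperationalError as exc:
            # A syntax error triggered by user input is itself worth logging:
            # it shows that user data is shaping the query text.
            results["concat_" + label] = "error: " + str(exc)
        results["param_" + label] = find_user_param(conn, value)
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key:20} -> {value}")
```

Running the block prints six lines: both patterns return Alice's row for the benign input, but for the hostile input the concatenated query returns every row while the parameterised query returns nothing, and the concatenated query fails outright on `O'Brien`. The same distinction applies to any database driver that supports placeholders; stored procedures and ORMs that build parameterised statements achieve the same effect, which is why the experts quoted above treat the problem as solved.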

None of the plaintiffs or their lawyers responded to requests for comment. They agreed to dismiss the case in December 2013, just a month after they filed it. It's not clear how it was settled. Kaseya is privately held.

LinkedIn profiles for Sutherland and Wong list them as retired, with Sutherland also growing wine grapes. Blackie went on to become CEO of another Miami-based provider of remote-control software, Pilixo, where he was joined by McMullen. Pilixo didn't return a request for comment.

New vulnerabilities affecting Kaseya's VSA — including the one exploited by the REvil ransomware gang — were discovered this year by a Dutch cybersecurity research group that says it confidentially warned Kaseya in early April. "In the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA,” the Dutch Institute for Vulnerability Disclosure said in a blog post last week explaining the timeline of its actions.

Kaseya fixed some of those flaws by May, including another SQL injection flaw, but the Dutch group said others were still unpatched when ransomware started hitting hundreds of businesses in early July. Kaseya has said up to 1,500 businesses have been compromised as a result of the attack. Kaseya on Sunday rolled out patches to the vulnerabilities used in the REvil attack.

Moussouris said there's a pattern of ransomware syndicates going after easily detectable software flaws.

“It’s collective technical debt around the world and the ransomware gangs are technical debt collectors,” she said. “They’re coming after organizations like Kaseya" and others that haven't invested in better security.

___

This article has been corrected to note that news of a court case involving Kaseya and its founders was previously described in a 2015 technical blog post.
