Kaseya Ransomware Attack Could Have Been Prevented: Report
Kaseya employees had sounded the alarm of critical cybersecurity vulnerabilities for years, but nothing was fully addressed before this month’s massive ransomware attack, according to a new report.
As Kaseya restores its VSA software with customers officially coming back online today — nearly 10 days after Kaseya was initially hacked — some former employees say the massive ransomware attack could, and should, have been prevented.
Former Kaseya software engineers and developers said they had warned Kaseya leaders for years of dangerous security flaws in its products, but those concerns were never fully addressed, according to a report by Bloomberg. Additionally, Bloomberg said some employees who flagged Kaseya’s security issues quit out of frustration that newer features and products were prioritized over fixing the problems, or were fired over inaction.
Some of the largest security problems within Kaseya included outdated code, weak encryption and weak passwords in products, as well as a general failure to meet basic cybersecurity requirements, including continuous patching of its software and servers, according to Bloomberg, which declined to identify the former employees because of non-disclosure agreements.
Kaseya declined to address Bloomberg’s accusations, saying it does not comment on ongoing investigations or personnel matters.
“This [Bloomberg report] is definitely damaging to Kaseya,” said the CEO of an MSP with dozens of Kaseya customers, who asked not to be named. “We know these attacks can hit anyone. Tomorrow it could be N-able or Atera or Datto or another SolarWinds … but these allegations from the former staff are concerning in that, basically, nothing was fixed or updated when it should have been.”
None of the CEO’s customers were hit with the VSA ransomware, as all are cloud-based Kaseya customers. The MSP is working today on making sure all of its Kaseya customers are back online after approximately 10 days without Kaseya. “This has been a long, hard lesson for Kaseya,” he said. “We still plan on using them, we’re not going to a competitor just yet. … We are still waiting for the official report to make our final judgment.”
Several cybersecurity research firms detected security flaws and potential breach vulnerabilities in Kaseya products in 2018, 2019 and again in 2021.
Most recently, the Dutch Institute for Vulnerability Disclosure (DIVD) said that researcher Wietse Boonstra discovered seven vulnerabilities in Kaseya’s VSA remote monitoring and management product in April and notified the New York- and Miami-based IT service management vendor about the flaws less than a week later.
However, a few months later, the REvil ransomware group took advantage of one of the flaws flagged by DIVD that still had not been fixed.
“Last weekend, we found ourselves in the middle of a storm,” DIVD researcher Frank Breedijk wrote on Wednesday. “A storm created by the ransomware attacks executed via Kaseya VSA using a vulnerability which we confidentially disclosed to Kaseya. … Unfortunately, the worst-case scenario came true.”
Kaseya resolved four of the vulnerabilities disclosed by DIVD through patches released April 10 and May 8, but three vulnerabilities remained unresolved heading into late June, according to DIVD.
The cybersecurity prevention, detection and response firm Huntress reported an incident in 2018 in which crypto-coin miners were installed at hundreds of businesses via an MSP supply-chain-style attack against VSA. In 2019, Huntress also discovered a Kaseya VSA plugin vulnerability that was exploited to deploy GandCrab ransomware to the customers of all compromised MSPs.
In an interview with CRN this month, Huntress CEO and co-founder Kyle Hanslovan said he doesn’t expect massive cyberattacks that affect MSPs and their customers to slow down anytime soon.
“We are going to see this even more in the future,” said Hanslovan. “It is REvil today. But there are a dozen other ransomware as-a-service groups that will copy this.”
On July 2, the REvil ransomware group revealed it had exploited a vulnerability in Kaseya’s on-premises VSA tool to compromise nearly 60 MSPs and encrypt the data of up to 1,500 of their end-user customers. REvil demanded $70 million in ransom payments.
On July 11, Kaseya released a VSA On-Premises patch with restoration of VSA SaaS infrastructure underway.
As of 8 a.m. ET on Monday, Kaseya said the restoration of services is now complete, with 100 percent of its SaaS customers live. “Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch,” Kaseya said.
“Imagine if instead of it being [60] MSPs it was 17,000 MSPs,” said Huntress CEO Hanslovan. “Left unchecked, the worst is yet to come.”