Cybersecurity Flaws Flagged for Years
Five former Kaseya employees disclosed to Bloomberg that, between 2017 and 2020, they had repeatedly warned their superiors about a wide range of security flaws in the company’s Virtual System Administrator (VSA) software. Kaseya VSA is a cloud-based IT management and remote monitoring solution used worldwide by businesses of all sizes across various industries. Despite the repeated warnings, the company decided not to act. Not much is known about the former employees. They want their names kept secret because they had signed a non-disclosure agreement (NDA) with Kaseya in the past, and because they do not want their future careers to be jeopardized.
Sales More Important Than Maintenance
Among the most glaring issues were software with outdated code, the use of weak encryption and weak passwords in Kaseya’s products and servers, and a failure to adhere to basic cybersecurity measures such as software patching. Moreover, the company’s focus was on sales; according to the former employees, security was not a top priority. One of the former employees also revealed that he wrote a 40-page memo in 2019 expressing concerns about the security of Kaseya products. Two weeks later he was fired. The reason the company let him go was apparently unclear. The employee himself suspects that he was sacked because of his report and his many previous attempts to flag security problems.
Software and Servers Rarely Patched
Another employee admitted that Kaseya rarely updated its software and servers. Furthermore, customers’ passwords were allegedly saved in a clear-text file on third-party platforms. This means that the passwords were not protected, and anyone who had or gained access to the file could read them. Together with a colleague, he held the opinion that the VSA software was outdated and plagued with problems; in their view, the software had to be replaced. Their superiors, however, refused to intervene. To make things worse, Kaseya outsourced some of its work to software developers in Belarus, a country with close ties to Russia. This was also flagged as a security issue.
Likely Not the Last
REvil, the hacking group that eventually hacked Kaseya, is thought to be based in Russia. They infected a genuine Kaseya software update with ransomware. REvil, also known as Sodin, is a notorious gang, one of six ransomware groups that compromised hundreds of organizations in the first couple of months of this year alone. Moreover, this is not the first, and most likely not the last, time that security issues flagged by employees have led to cybersecurity incidents. Other examples are the Twitter bitcoin scam, the SolarWinds breach, and the JBS ransomware attack, to name just a few. Apparently, Kaseya itself had even fallen victim to a ransomware attack before, in 2019. Nevertheless, even back then, the company saw no reason to take extra security measures.
Security Experts Also Warned Kaseya
Security specialists and ethical hackers from the Netherlands almost managed to prevent the attack. They discovered a number of critical security vulnerabilities in April 2021 and, consequently, contacted Kaseya. Together they worked on a fix for these vulnerabilities. Unfortunately, the supply chain attack happened before they had a chance to roll it out. In only a few hours, a Swedish cybersecurity company, TrueSec, discovered multiple severe and exploitable vulnerabilities that clearly go against basic security principles. The firm organized a webinar last week to explain how the ransomware attack was made possible, what the implications are, how the malware was deployed and what it actually did.
Security Patch Released
In the meantime, Kaseya has released a patch to its VSA customers. The restoration of services is progressing, with 95% of its SaaS customers live and servers coming online for the rest of its customers in the coming hours.