Company hacked by ransomware criminals had prior security vulnerabilities
Software company Kaseya operated in relative obscurity for 21 years, until in early July cybercriminals abused its products to target companies around the world in a large-scale ransomware attack that has heightened tensions in US-Russian diplomacy.
But the recent hack turns out not to be the first major cybersecurity problem to hit the Miami-based company and its products, which IT teams use to remotely monitor and manage computer systems and other devices in the workplace.
Allie Mellen, a security analyst at Forrester Research, said:
For example, in 2018 a hacker broke into Kaseya’s tools to run a “cryptojacking” operation, which uses the processing power of compromised computers to mine cryptocurrency without the victims noticing. That was a less harmful breach than the recent ransomware attack, which left affected systems inoperable until their owners paid up. But it too relied on Kaseya’s Virtual System Administrator (VSA) product to gain access to the businesses that depended on it.
A 2019 ransomware attack also broke into computers through a third-party add-on software component for Kaseya VSA, causing more limited damage than the recent attack. Some experts have linked that earlier attack to some of the same hackers who went on to form REvil, the Russia-linked gang blamed for the latest attack.
And in 2014, Kaseya’s own founders sued the company over a VSA security breach that let hackers launch a separate cryptocurrency-mining scheme. The lawsuit does not appear to have been reported before, apart from a brief mention in a 2015 technical blog post. In it, the founders denied any responsibility for the vulnerability and called the company’s accusations against them a “false claim.”
Katie Moussouris, founder and CEO of Luta Security and a cybersecurity expert, said nearly all of Kaseya’s security problems point to well-understood coding vulnerabilities that must be addressed first as a root cause.
“Kaseya has to shape up, just like the entire software industry,” she said. “It’s a failure to incorporate the lessons the bugs taught. Like many businesses, Kaseya was unable to learn these lessons.”
Most of the attacks relied, at least in part, on SQL injection, a technique in which attackers insert malicious database commands into web requests. It is an old method that Mellen says the cybersecurity world has considered a “solved problem” for a decade.
“This represents a chronic product security issue for Kaseya’s software that has not been resolved after seven years,” she said. “If an organization chooses not to address its security challenges, incidents will continue and escalate, as in this case.”
Kaseya says it has long been a target because many of its direct customers are “managed service providers” that host the IT infrastructure of hundreds, if not thousands, of other businesses.
Ronan Kirby, president of the company’s European operations, told a Belgian cybersecurity conference on Thursday: “You attack a company and you enter the company. You attack a provider and you enter all of their customers. You enter Kaseya, it’s a very different proposition. So obviously we are an attractive target.”
Kaseya declined to answer questions from The Associated Press about the previous hacks and the legal dispute involving its founders.
Mark Sutherland and Paul Wong co-founded Kaseya in California in 2000. According to an account posted on the company’s website, they had previously worked on a project to protect the email accounts of US National Security Agency intelligence officers.
But more than a year after Kaseya was sold in June 2013, Sutherland, Wong and two other former executives sued the company, court records show, claiming they had been unfairly denied $5.5 million from the buyout of their shares.
At the heart of the dispute was an attack by a hacker who used Kaseya’s VSA as a means of deploying “Litecoin” mining malware, which secretly hijacks the processing power of victims’ computers to earn money for the hackers by processing new cryptocurrency payments.
Kaseya disclosed the attack in a March 2014 advisory. Privately, it blamed the company’s previous management for failing to warn of “severe vulnerabilities” in Kaseya’s software, and sought to withhold the final $5.5 million of the purchase price from them to compensate for lost business and reputational damage.
The founders blamed the new management for cutting back on coding expertise and scrapping a “hotfix” system for fixing bugs quickly.
They also argued that the SQL injection techniques used by the hackers were extremely common and “inherent in any computer code” that uses the SQL programming language.
“It is essentially impossible to keep all parts of the database access code unaffected by SQL injection,” the lawsuit said. Both Mellen and Moussouris disputed that claim.
“That is a bold statement, and probably untrue,” Moussouris said. “It highlights the fact that they lacked the security knowledge and sophistication to protect their users.”
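The disagreement over whether SQL injection is avoidable comes down to one coding pattern, which the following added example illustrates (this is not Kaseya’s code or anything from the article; the in-memory database, table, and inputs are constructed). The first lookup splices a caller-supplied value into the SQL text; the second passes it as a bound parameter, which the database treats strictly as data.

```python
import sqlite3

# Constructed in-memory database standing in for a product's user store.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agents (id INTEGER PRIMARY KEY, name TEXT, org TEXT)")
    conn.executemany(
        "INSERT INTO agents (name, org) VALUES (?, ?)",
        [("alice", "msp-one"), ("bob", "msp-one"), ("carol", "msp-two")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Defect: the caller-controlled value becomes part of the SQL text, so a
    # quote character inside it changes the structure of the query itself.
    sql = f"SELECT id, name, org FROM agents WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Fix: the value travels separately from the SQL text as a bound parameter;
    # the database compares it as a string and never parses it as SQL.
    sql = "SELECT id, name, org FROM agents WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Constructed hostile input: in the vulnerable version it turns the WHERE
# clause into  name = '' OR '1'='1'  and matches every row.
TAUTOLOGY = "' OR '1'='1"

def demo() -> dict:
    # Row counts returned by each variant for a legitimate and a hostile input.
    conn = make_db()
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "hostile_vulnerable": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "legit_param": len(lookup_parameterized(conn, "alice")),
        "hostile_param": len(lookup_parameterized(conn, TAUTOLOGY)),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```

The parameterized version returns the same single row for the legitimate name and nothing for the hostile input, which is the behaviour the two experts describe as a long-solved problem.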
None of the plaintiffs or their lawyers responded to requests for comment. They agreed to dismiss the lawsuit in December 2013, just one month after it was filed. It is not known how the dispute was resolved. Kaseya is privately held.
Sutherland’s and Wong’s LinkedIn profiles say they are retired, and Sutherland also grows wine grapes. Blackie became CEO of Pilixo, another Miami-based remote-management software provider, and was joined there by McMullen. Pilixo did not return a request for comment.
New vulnerabilities affecting Kaseya’s VSA, including those exploited this year by the REvil ransomware gang, were discovered by a Dutch cybersecurity research group, which said it privately alerted Kaseya in early April. “Unfortunately, these vulnerabilities could lead to the compromise of a large number of computers managed by Kaseya VSA,” the Dutch Institute for Vulnerability Disclosure wrote in a blog post last week describing the timeline of its actions.
Kaseya’s fixes in May addressed another SQL injection flaw, but the Dutch group said a patch had still not been deployed in early July when the ransomware gang launched its attacks against hundreds of companies. Kaseya says as many as 1,500 businesses were compromised as a result of the attack. It released a patch for the vulnerability used in the REvil attack on Sunday.
Moussouris said the ransomware syndicates’ business model relies on tracking down software flaws that are easy to find.
“It’s collective technical debt around the world, and ransomware gangs are the technical debt collectors,” she said. “They’re going after organizations like Kaseya and others that don’t invest in better security.”
Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.