April 1, researchers from the Dutch Vulnerability Detection Institute have identified the first of seven quickly vulnerable things – all easy to spot and some potentially catastrophic – in an information technology management system known as the Virtual System Administrator. By April 6, they had found 2,200 vulnerable systems and disclosed their findings to Kaseya, the company behind the VSA. Kaseya patched four of the seven in the following days and weeks, but three remained. What happened next was one of the most significant ransomware attacks in history.
On July 2, just days before the 90-day deadline for the DIVD to reveal to Kasey, hackers linked to ransomware gang REvil exploited one of the three remaining VSA vulnerabilities along with an additional flaw, which ultimately spreads malware to as many as 1,500 businesses and organizations worldwide. Kaseya did not completely ignore those remaining bugs. He continued to work with Dutch researchers to fix them – just not fast enough to prevent the worst.
“I really believe they did their best,” says Victor Gevers, head of DIVD. “They published job lists, hired new security experts, hired external security companies, did a source code review, checked their scope, really worked on their security position. But it was a lot at once. ”
A Kaseya spokesman declined to comment on the story, citing the company’s ongoing investigation into the incident. However, as of July 2, the company has repeatedly said to prepare the remaining patches for publication. Almost a week after the initial attack, however, these repairs have still not been made.
That doesn’t mean Kaseya is idle in response to the attack. As a precaution, the company quickly discontinued its cloud offering and began to urgently encourage customers using “local” VSA servers to do the same to limit outages. The number of exposed VSA servers publicly available online fell to approximately 1,500 July 2, less than 140 from July 4 and 60 from today.
But while less vulnerable systems certainly prevent an increase in the scale of attacks, it does not help victims whose systems remain locked.
“Kaseya has had the opportunity to comprehensively address low-hanging vulnerabilities over the years, such as the one that allowed REvil to rampage its customers,” says Katie Moussouris, founder of Luta Security and a longtime vulnerability detection researcher.
Vulnerability and benefit detection programs like those offered by Kaseya are a valuable tool, Moussouris says, for companies looking to strengthen their digital security. But these programs alone cannot provide adequate defense if the company also does not invest in its internal security and staff.
“We can’t fight redeemers one by one revelation,” Moussouris says.
Many companies are much less responsive and collaborative on fixing vulnerabilities than Kaseya was. But well-known service providers using Kasey’s software are valuable targets for ransomware attacks; Kaseya tried it herself raise awareness about the 2019 edition. The longer Kaseya needed to patch, especially given how easy it was to detect vulnerabilities, the more likely it was someone else might find them.
The consequences of Kasey’s downfall continue to be played out. REvil claims to have encrypted more than a million systems as part of the attack, but hackers appear to have hard time actually persuading payments from victims. The group demanded customized ransoms in the tens of thousands of dollars from many targets, but also said it would cancel the entire attack for $ 70 million. Then that lowered the blanket demand for redemption at $ 50 million. The group’s negotiating portal also suffered interruptions.