Ransomware attacks are becoming increasingly common as technology becomes a ubiquitous fixture in the modern workplace. Cybersecurity has become an essential part of any business infrastructure. The consequences of sub-par cybersecurity can be devastating. While cybercriminals have sophisticated techniques to carry out ransomware attacks, software flaws can also be at fault. What happened to Kaseya and the companies that used the software provides an excellent case study of the damage software flaws can do to your organization.
Massive ransomware attack on software supplier ‘Kaseya’
Kaseya is a 21-year-old Miami-based software company operating in relative obscurity until very recently. In July of 2021, they were the target of a mass ransomware attack that not only damaged their operations, scaring every other company in the world but also managed to strain US-Soviet relations. In early July, an affiliate of the notorious REvil gang infected countless organizations in at least 17 countries, mainly targeting firms that remotely manage IT infrastructure for multiple customers, including Kaseya. They offered a universal decryption software key through their dark website to decode all affected machines in exchange for a ransom of $70 million, paid in cryptocurrency.
The attack didn’t come out of the blue. It just so happens that the recent, major hack wasn’t the first cybersecurity problem the company and its core product faced. In 2014, Kaseya’s own founders sued the company in a dispute over responsibility for a VSA security flaw that allowed hackers to launch a separate cryptocurrency scheme. At the time, the founders denied responsibility for the vulnerability and called the charges against them a “bogus assertion.”
Internal software flaws
Katie Moussouris, a cybersecurity expert, stated that Kaseya’s security problems were rooted in the software’s basic coding vulnerabilities that they had a responsibility to address far sooner. In 2018, hackers penetrated Kaseya’s remote tool to carry out a crypto-jacking operation meant to mine cryptocurrency without the targets noticing. In 2019 Kaseya was hit with a ransomware attack that accessed their computers through another company’s add-on software component. Some experts have tied that earlier hack to a few of the same attackers responsible for the 2021 attack, who were members of the Russian syndicate REvil. The breaches, however, were much less harmful than the recent ransomware attack, which crippled the systems it infected until their owners paid the set ransom.
The latest attack exploited Kaseya’s Virtual System Administrator product, known as VSA, as a vehicle to access the firms who rely on it. A Dutch cybersecurity research group identified the vulnerabilities affecting Kaseya’s VSA and insists it tried to warn Kaseya in early April. A quote attributed to one of the researchers, Victor Gevers, says, “More and more of the products used to keep networks safe and secure are showing structural weaknesses,” in reference to Kaseya’s VSA.
The Dutch Institute for Vulnerability Disclosure had alerted Kaseya to a weakness in their software that the hackers eventually exploited. It was working with the company on fixes when the ransomware was deployed. They also insisted that “Kaseya showed a genuine commitment to do the right thing. Unfortunately, REvil beat us in the final sprint, as they could exploit the vulnerabilities before customers could even patch it”.
Kaseya claims that the attack only affected on-premise customers, which are businesses that manage their own data centres. The company’s cloud-based services, which runs software for customers, were not affected, though it did shut down those servers as a precaution. Kaseya called on customers to shut down their VSA servers immediately. Out of an abundance of caution, Kaseya’s Incident Response Team opted to shut down its SaaS servers and bring its data centres offline during the investigation. By the 4th of July, the company had revised its statement on the severity of the incident, calling themselves the “victim of a sophisticated cyberattack.”
The Modus Operandi
The attackers chose the 4th of July to launch their attacks because it was a holiday weekend, and they knew the offices would be lightly staffed. Even with the holiday consideration, Kaseya’s software flaws are too significant to be ignored, as the flaws played in the company falling victim to the ransomware attack. Kaseya’s customers include companies that provide remote IT support and cybersecurity services for small and medium-sized businesses. Infecting IT support organizations allowed the malicious software to pass on to their customers, multiplying the impact.
The situation is still ongoing, but this attack teaches great lessons. It’s crucial for any organization, especially a software provider such as Kaseya, to never let their guard down and focus on strengthening their cybersecurity regardless of the type of ransomware, whether locker ransomware or crypto-ransomware, timely data backups and security software penetration testing can considerably lessen the severity of an attack or prevent it all together.
Talk to our cybersecurity experts at Packetlabs for support on how to keep your systems and applications secure. Attackers are always looking for any software flaws or vulnerabilities they can exploit, and this is a case where prevention works far better than a cure.
10 January - Blog
Your Guide to Objective-Based Penetration Testing
14 December - Blog
2022 in Review and Our Predictions for 2023: Cyber-Threat Landscape
05 December - Blog
Choosing a Penetration Testing Company: Methodology & Certifications