REvil Attack on Kaseya Was Possible Because of Known Problems That Stem Several Years Back

For 21 years, Kaseya, the company whose software was compromised in a recent, much-publicized ransomware attack by REvil, was largely unknown. Experts say the REvil attack was possible because of unsolved problems with the company’s product that stem several years back.

The Miami-based company has a history of security flaws, revealed by researchers, in its core product, Virtual System Administrator (VSA), a platform that IT teams use to monitor and administer workplace computer systems and other devices.

In 2018, hackers were able to exploit a vulnerability in Kaseya’s tool to mine cryptocurrency without the victims’ knowledge. The attack was not as severe as the recent ransomware attack, but it was similarly tied to Kaseya’s VSA product.

In 2019, attackers targeted a different company’s add-on with ransomware. It caused less damage than the previous attack, too, but some experts believe it was performed by the same hackers who later formed the Russian REvil gang.

There was also another cryptocurrency operation launched by hackers in 2014.

Nearly all of Kaseya’s security issues are well-documented coding vulnerabilities and should have been addressed before, said cybersecurity expert Katie Moussouris, founder and CEO of Luta Security.

“Kaseya needs to shape up, as does the entire software industry,” she said to Associated Press. “This is a failure to incorporate the lessons the bugs were teaching you. Kaseya, like a lot of companies, is failing to learn those lessons.”

A key component of many of the attacks was a technique called SQL injection. It is a well-known technique that has long been considered a “solved problem,” Mellen said.

“It points to a chronic product security issue in Kaseya’s software that remains unaddressed seven years later,” she said. “When organizations choose to brush over security challenges, the incidents continue, and, as in this case, get worse.”
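The reason SQL injection is considered a solved problem is that the fix is mechanical: never splice untrusted input into query text, pass it as a bound parameter instead. The following is an added illustration, not code from the article or from Kaseya’s VSA product; the `agents` table, the tenant names and the `tenant` filter are constructed for the example, and SQLite is used only because it runs in memory without setup.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a hypothetical agents table
    (not any real product's schema; illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE agents (id INTEGER PRIMARY KEY, name TEXT, tenant TEXT)"
    )
    conn.executemany(
        "INSERT INTO agents (name, tenant) VALUES (?, ?)",
        [("ws-01", "acme"), ("ws-02", "acme"), ("db-01", "globex")],
    )
    return conn


def agents_for_tenant_vulnerable(conn, tenant):
    """The classic bug: untrusted input is concatenated into the SQL text,
    so a value containing a quote character changes the query's meaning."""
    sql = "SELECT name FROM agents WHERE tenant = '" + tenant + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def agents_for_tenant_fixed(conn, tenant):
    """The standard fix: a parameterized query. The driver sends the value
    separately from the SQL text, so it is only ever compared as data and
    is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT name FROM agents WHERE tenant = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (tenant,))]


def compare(tenant):
    """Run both variants on the same input and return their results so the
    difference in behaviour can be checked rather than just printed."""
    conn = make_db()
    return {
        "vulnerable": agents_for_tenant_vulnerable(conn, tenant),
        "fixed": agents_for_tenant_fixed(conn, tenant),
    }


if __name__ == "__main__":
    # Benign input: both variants agree.
    print(compare("acme"))
    # A value that closes the string literal early: the concatenated query
    # returns every tenant's agents, while the parameterized one returns none
    # because no tenant is literally named that.
    print(compare("x' OR '1'='1"))
```

The point for a code reviewer or a static-analysis rule is that the vulnerable form is recognizable purely from the shape of the code: string concatenation (or f-string formatting) into a query is the pattern to flag, regardless of what the input is expected to contain.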

Kaseya says it has been a lucrative target for many years because it serves as a platform for managed services providers.

“In the business we’re in, and the number of endpoints we manage around the world, as you might expect, we take security extremely seriously,” Ronan Kirby, president of the company’s European arm, said at a Belgian cybersecurity conference on Thursday. “You attack a company, you get into the company. You attack a service provider, you get into all their customers. You get into Kaseya, that’s a very different proposition. So obviously we’re an attractive target.”

Kaseya declined to answer AP’s questions about the past hacks.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.