Former employees of ICT service provider Kaseya warned their executives about serious security vulnerabilities in the VSA software. As a result, REvil was able to launch a global supply chain attack earlier this month, in which hundreds of victims were killed. Despite repeated warnings between 2017 and 2020, the company decided not to act on it.
That’s what five former employees tell Bloomberg . They want their names to be kept secret because they have signed a non-disclosure agreement or NDA. In addition, they do not want their working career to be endangered.
Among the most glaring problems, according to the former employees, were software with outdated code, the use of weak encryption and passwords in Kaseya’s products and servers, and failure to adhere to basic cybersecurity measures such as software patching. Furthermore, the emphasis was on the sale of products and services, so security was not a top priority.
One of the former employees says he wrote a 40-page memo in 2019 expressing concerns about the security of Kaseya products. Two weeks later he was suddenly on the street. He suspects it was because of his report.
Another employee says he almost never updated Kaseya’s software and servers. He also saved customer passwords in a clear text file, which means that the passwords were not protected. Together with a colleague, he shared that the Virtual System Administrator software (VSA) was outdated and plagued with problems. In their view, the software had to be replaced.
The former employees paint the picture that everything was wrong at Kaseya in the field of cybersecurity. They, therefore, do not find it strange that hackers were able to make their move without too many problems. Bloomberg says similar problems arose at major tech companies after employees sounded the alarm but management refused to intervene. As an example, the news agency cites the bitcoin scam at Twitter, the chain attack on SolarWinds, access to security cameras at Verkada and the ransomware attack on JBS.
Frustrated that new features and products were prioritized over fixing existing issues, employees have resigned in the past. Others were fired after Kaseya outsourced their work to developers in Belarus. Four out of five former employees Bloomberg spoke to saw this outsourcing as a potential security issue. This had everything to do with the close political ties between the country and Russia.
The global supply chain attack that took place via VSA software was not the first time hackers abused Kaseya’s software to carry out attacks. In February and June 2019, it also happened to distribute ransomware, which was also known as GandCrab. Despite these events, the company saw no reason to take security measures.
Bloomberg approached Kaseya to discuss the allegations made by the five former employees. Rather than take the opportunity to defend itself, a spokesperson said the company has a policy of not disclosing its employees. He also declined to comment on the criminal investigation into the supply chain attack.
Friday evening 2 July Dutch time, the Russian hacker collective REvil launched a supply chain attack on hundreds of companies worldwide. In doing so, they made good use of the security holes in VSA. VSA is software that customers use to remotely manage customers’ servers and computer systems. The zero-day exploits allowed the attackers to install ransomware or ransomware. It is estimated that this happened at 800 to 1,500 companies and organizations.
Security specialists and ethical hackers from our country almost prevented the attack. They discovered a number of critical security vulnerabilities in April and contacted Kaseya. Together they looked for a solution to fix these vulnerabilities. But before they had a chance to roll it out, the chain attack happened. “If we had had a little more time, we would have succeeded,” said Wietse Boonstra and Frank Breedijk of the Dutch Institute for Vulnerability Disclosure (DIVD) last week. In order to find out more about REvil’s working methods and to track down the perpetrators, the Dutch police made an appeal to report the crime.
Meanwhile, there is a message circulating about a so-called security update for the problem. Included in the email is an attachment called ‘SecurityUpdates.exe’, as well as a link to a security update purportedly from Microsoft. In reality, this allows victims to retrieve a Cobalt Strike payload that adds a backdoor to the corporate network. For example, hackers and cybercriminals can watch unnoticed, steal data and install ransomware or other malware.
Catch up on more articles here
Follow us on Twitter here