Ex-workers: Victim of cyberattack did not address security
Executives at Miami-based Kaseya Ltd. were warned of critical security flaws in its software before a ransomware attack this month that affected as many as 1,500 companies, according to five former employees.
On several occasions from 2017 to 2020, employees at Kaseya’s offices in the U.S. said they flagged wide-ranging cybersecurity concerns to company leaders. But those issues often weren’t fully addressed, according to the workers, who were employed in software engineering and development at Kaseya and asked not to be identified.
Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya’s products and servers, a failure to adhere to such basic cybersecurity practices as regularly patching software and a focus on sales at the expense of other priorities, the employees said.
A Kaseya spokesperson declined to address the accusations, citing a policy of not commenting on matters involving personnel or the ongoing criminal investigation into the hack.
A Russia-linked criminal gang called REvil took credit for launching one of the farthest-reaching ransomware attacks on record beginning July 2 and demanded $70 million in Bitcoin for a universal decryptor. The group used Kaseya’s software as a launching pad to infect the company’s customers, managed service providers that offer technology and cybersecurity services to small and medium-sized businesses. Kaseya said its “technical teams and their partners have been working around the clock to help affected customers get back up and running.”
One of the former employees said that, in early 2019, he sent company leaders a 40-page memo detailing security concerns and was fired about two weeks later, an act he believed was related to his repeated efforts to flag the problems. Another employee said Kaseya rarely patched its software or servers and stored customer passwords in clear text — meaning they were unencrypted — on third-party platforms, practices the employee described as glaring security flaws.
That employee and another said executives were told that Kaseya’s Virtual System Administrator software, known as VSA, was so antiquated and riddled with problems that it should be replaced. That was the vehicle REvil used to stage its attack.
Throughout Kaseya’s products, there were multiple violations of basic cybersecurity practices that would make a hacker’s job easy, according to the employee who was fired.
The alleged problems outlined by the former employees echo similar issues raised after other major hacks, including those at Twitter Inc., SolarWinds Corp., Verkada Inc. and JBS SA. In each of those instances, former employees have said the companies were warned of cybersecurity problems and failed to adequately address them.
Some engineers and developers at the company said employees quit over frustration that new features and products were being prioritized over fixing problems. Others were laid off in 2018, when Kaseya began moving jobs to Minsk, Belarus, where it recruited more than 40 people to do software development work that had previously been carried out in the U.S., according to two of the former employees familiar with the matter. Four of the ex-workers said they viewed the outsourcing of work to Belarus as a potential security issue, given the country’s close political allegiance with the Russian government.
In April, security researchers working for the Dutch Institute for Vulnerability Disclosure notified Kaseya of security holes in its software. The company was “very cooperative” and “showed a genuine commitment to do the right thing,” according to the Dutch researchers. Kaseya released an update to fix some of the holes, but not all of them had been patched by the time the company was attacked.
Marcus Murray, founder of Truesec Inc., a Sweden-based cybersecurity services firm that assisted multiple clients with the Kaseya breach, said his company’s review of VSA software found “severe and exploitable vulnerabilities” in only a few hours of research. The code contains a mixture of programming languages, some of which were outdated and unsuitable for a modern remote IT-management platform, he said.