The uncorrected flaw at the heart of the REvil ransomware wave – .

The uncorrected flaw at the heart of the REvil ransomware wave – .

the 1st of April researchers at the Netherlands Institute for Vulnerability Disclosure identified the first of what they quickly found to be seven vulnerabilities – all easy to spot, some potentially catastrophic – in an IT management system known as an administrator virtual system. By April 6, they had found 2,200 vulnerable systems and disclosed their findings to Kaseya, the company behind VSA. Kaseya corrected four of the seven in the days and weeks that followed, but three stayed. What happened next was one of the biggest ransomware attacks in history.

On July 2, just days before the 90-day disclosure deadline the DIVD gave Kaseya, hackers associated with the REvil ransomware gang exploited one of the three remaining VSA vulnerabilities along with an additional flaw, spreading eventually malware to up to 1,500 companies and organizations. around the world. Kaseya hadn’t completely overlooked these remaining bugs. He had continued to work with Dutch researchers to fix them, but not fast enough to avoid the worst.

“I really believe they were doing their best,” said Victor Gevers, head of DIVD. “They were posting jobs, hiring new security specialists, hiring outside security companies, doing a source code review, checking their perimeters, really working on their security posture. But it was a lot at the same time.

A spokesperson for Kaseya declined to comment for this story, citing the company’s ongoing investigation into the incident. Since July 2, however, the company has repeatedly stated that the remaining fixes are being prepared for release. Almost a week after the initial attack, however, these fixes have not materialized.

This does not mean that Kaseya remained inactive in response to the attack. The company quickly shut down its cloud offerings as a precaution and began urgently encouraging customers who run “on-premises” VSA servers to do the same to limit the fallout. The number of publicly available exposed VSA servers online fell to around 1,500 on July 2. less than 140 to July 4 and 60 to date.

But while fewer vulnerable systems certainly prevent the scale of the attack from increasing, it does not help victims whose systems remain locked.

“Kaseya has had the opportunity for years to comprehensively address vulnerabilities at their fingertips like the one that allowed REvil to ravage its customers,” says Katie Moussouris, founder of Luta Security and long-time disclosure researcher vulnerabilities.

Vulnerability disclosure programs and bug bounties like those offered by Kaseya are a valuable tool, Moussouris says, for companies looking to bolster their digital security. But these programs alone cannot provide adequate defense if the company does not also invest in internal security and personnel.

“We can’t fight ransomware one disclosure at a time,” says Moussouris.

Many companies are much less responsive and collaborative on patching vulnerabilities than Kaseya was. But managed service providers who use Kaseya’s software are prime targets for ransomware attacks; Kaseya herself tried to sensitize about the issue in 2019. The longer it took Kaseya to fix, especially given how easily vulnerabilities were to be discovered, the more likely it was that someone else could find them.

The consequences of Kaseya’s failure are still being felt. REvil claims to have encrypted over a million systems as part of the attack, but hackers appear to be struggling to secure payments from victims. The group demanded bespoke ransoms of tens of thousands of dollars from numerous targets, but also said it would call off the entire attack for $ 70 million. Then he lowered the overall ransom demand to $ 50 million. The group’s trading portal also suffered breakdowns.


Please enter your comment!
Please enter your name here