Software Firm at Center of Ransomware Attack Warned of Cyber Flaw in April

The software company linked to a massive ransomware spree that began last week and has impacted hundreds of organizations across the globe was notified in early April of a cybersecurity vulnerability used in the attack, according to the Dutch security researcher group that discovered the issue.

Kaseya Ltd., a Miami-based software supplier that helps technology-service providers manage computer networks, was told of a serious cybersecurity hole in its Kaseya VSA software on April 6, Victor Gevers, chairman of the Dutch Institute for Vulnerability Disclosure, said Wednesday. Mr. Gevers’s organization, which is a volunteer-run security group, discovered the flaw.

“When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands,” Mr. Gevers said in a blog post. “After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do.”

The flaw reported by the Dutch group was one of seven vulnerabilities that hackers exploited to distribute their ransomware, Mr. Gevers said.

A spokeswoman for Kaseya said she couldn’t immediately respond to a request for comment.

Security researchers who uncover flaws in software frequently alert the companies discreetly before announcing any problems publicly in order to allow for a patch before hackers are made aware of them. But sometimes hackers independently detect the same security flaws before they are fixed.

Mr. Gevers said Kaseya responded with urgency once it was notified of the vulnerabilities in its software and worked to quickly issue two patches—one in April and another in May—that addressed some of the security issues.

But Kaseya is still working to fully patch its VSA software. In an update on its blog Wednesday, Kaseya said it had been unable to resolve an unidentified issue that blocked the release of its latest security update intended to address the ransomware attack.

“We have no indication that Kaseya is hesitant to release a patch,” Mr. Gevers said. “Instead they are still working hard to make sure that after their patch the system is as secure as possible, to avoid a repeat of this scenario.”

The ransomware cyberattack that began Friday—for which a prolific ransomware gang based in Russia known as REvil has claimed responsibility—is estimated to have hit hundreds of mostly small and medium-size businesses. It led to the shutdown of some locations of a supermarket chain in Sweden and created disruptions for schools in New England. On Tuesday, President Biden said the impact on U.S. businesses appeared to be minimal.

Mr. Biden is expected to meet with senior officials from across his administration Wednesday to discuss the recent deluge of ransomware attacks that have been traced back to Russia-based criminal groups.

More broadly, Russian cyberattacks, whether carried out by Russian intelligence agencies or criminal groups operating within Russia’s borders, have become a top national security challenge for the Biden administration. On Tuesday, the Republican National Committee disclosed that one of its contractors, Synnex, had been breached by hackers, but said that “after a thorough investigation, no RNC data was accessed.”

Hackers affiliated with the S.V.R., Russia’s foreign intelligence service, are believed to be responsible for the Synnex breach, which was part of a larger espionage operation recently highlighted in a June alert by Microsoft Corp., according to people familiar with the matter.

The Russian embassy in Washington didn’t immediately respond to a request for comment. Russia has historically denied accusations made by the U.S. about engaging in cyberattacks.

An attempted breach of the RNC for intelligence collection purposes would likely be viewed by most experts and security officials as a form of nation-state hacking that is not uncommon between adversaries. But the S.V.R. has been especially active in cyber espionage campaigns in recent weeks despite last month’s summit between Mr. Biden and Russian President Vladimir Putin, in which Mr. Biden raised the issue of cyberattacks, one of the people said.

The use of trusted partners, such as software makers or service providers like Kaseya, to identify and compromise new victims, often called a supply-chain attack, is unusual in cases of ransomware, in which hackers shut down the systems of institutions and demand payment to allow them to regain control. Security researchers said the Kaseya incident appears to be the largest and most significant such attack to date.

REvil asked for $70 million to unlock all the affected systems in its widespread hack but has also said victims of the group can pay amounts varying between $25,000 and $5 million directly to unlock their systems. It is unclear how many impacted entities have paid or plan to pay ransoms. REvil is the same hacking group that was responsible for the recent ransomware attack on food processor JBS SA, which earned the group an $11 million payment.

Kaseya said Tuesday that it was aware of fewer than 60 customers who were “directly compromised by this attack.” The firm added that while many of the customers provided technology service to multiple other companies, “we understand the total impact thus far to be fewer than 1,500 downstream businesses.”

In his post, Mr. Gevers said his group was refraining from sharing full details about the underlying vulnerabilities used in the attack due to their serious nature and the possibility that doing so could lead to further abuse.

“We will not disclose the full details of the vulnerabilities until such time that Kaseya has released a patch and this patch has been installed on a sufficient number of systems,” Mr. Gevers said.

Source: Wall Street Journal