Kaseya failed to address security before hack, ex-employees say

Executives at Miami-based Kaseya Ltd. were warned of critical security flaws in its software before a ransomware attack this month that affected as many as 1,500 companies, according to five former employees.

On several occasions from 2017 to 2020, employees at Kaseya's offices in the U.S. said they flagged wide-ranging cybersecurity concerns to company leaders. But those issues often weren't fully addressed, according to the workers, who were employed in software engineering and development at Kaseya and asked not to be identified because they had signed non-disclosure agreements or feared professional retribution.

Also read: Looking for a smartphone? Check Mobile Finder here.

Among the most glaring problems was software underpinned by outdated code, the use of weak encryption and passwords in Kaseya's products and servers, a failure to adhere to basic cybersecurity practices such as regularly patching software and a focus on sales at the expense of other priorities, the employees said.

A Kaseya spokesperson declined to address the accusations, citing a policy of not commenting on matters involving personnel or the ongoing criminal investigation into the hack.

A Russia-linked criminal gang called REvil took credit for launching one of the farthest reaching ransomware attacks on record beginning July 2 and demanded $70 million in Bitcoin for a universal decryptor. The group used Kaseya's software as a launching pad to infect the company's customers, managed service providers that offer technology and cybersecurity services to small- and medium-sized businesses. Kaseya said its “technical teams and their partners have been working around the clock to help affected customers get back up and running.”

One of the former employees said that in early 2019 he sent company leaders a 40-page memo detailing security concerns and was fired about two weeks later, which he believed was related to his repeated efforts to flag the problems. Another employee said Kaseya rarely patched its software or servers and stored customer passwords in clear text -- meaning they were unencrypted -- on third-party platforms, practices the employee described as glaring security flaws.

That employee and another said executives were told that Kaseya's Virtual System Administrator software, known as VSA, was so antiquated and riddled with problems that it should be replaced. That was the vehicle REvil used to stage its attack.

Throughout Kaseya's products, there were multiple violations of basic cybersecurity practices that would make a hacker's job easy, according to the employee who was fired.

The alleged problems outlined by the former employees echo similar issues raised after other major hacks, including those at Twitter Inc., SolarWinds Corp., Verkada Inc. and JBS SA. In each of those instances, former employees have said the companies were warned of cybersecurity problems and failed to adequately address them.

Some engineers and developers at the company said employees quit over frustration that new features and products were being prioritized over fixing problems. Others were laid off in 2018, when Kaseya began moving jobs to Minsk, Belarus, where it recruited more than 40 people to do software development work that had previously been carried out in the U.S., according to two of the former employees familiar with the matter. Four of the ex-workers said they viewed the outsourcing of work to Belarus as a potential security issue, given the country's close political allegiance with the Russian government.

In April, security researchers working for the Dutch Institute for Vulnerability Disclosure notified Kaseya of security holes in its software. The company was “very cooperative” and “showed a genuine commitment to do the right thing,” according to the Dutch researchers. Kaseya released an update to fix some of the holes but not all of them had yet been patched by the time the company was attacked.

Marcus Murray, founder of Truesec Inc., a Sweden-based cybersecurity services firm that assisted multiple clients with the Kaseya breach, said his company's review of VSA software found “severe and exploitable vulnerabilities” in only a few hours of research. The code contains a mixture of programming languages and some of it was outdated and not suitable for a modern remote IT-management platform, he said.

“We found many different categories of exploitable vulnerabilities in the Kaseya VSA product that indicates a lack of understanding when it comes to basic security principles in software development,” Murray said.

This month's incident wasn't the first time Kaseya's system has been targeted by ransomware groups. According to three former Kaseya employees, hackers used Kaseya's software as a means to deploy ransomware on at least two prior occasions between 2018 and 2019. In February and June 2019, ransomware hackers using the names Gandcrab and Sodinokibi -- an alternate name for REvil -- utilized Kaseya's VSA tool to distribute ransomware. Following the incidents, however, the company's cybersecurity posture didn't markedly change, the employees said, leaving them open to further attack.

Brian Weiss, chief executive officer of ITECH Solutions, a California-based managed services provider, said his company was hit by ransomware in March 2018 after hackers exploited a vulnerability in Kaseya's VSA software platform, which his company was operating at the time. The hackers then used ITECH's computers to stage further attacks, targeting 35 of the company's customers and encrypting data held on about 250 computers with a strain of ransomware known as WannaCry.

After studying database log files, Weiss said he proved to Kaseya that its software was the vector the hackers had used to target his company.

“They didn't assign anyone to my account or even follow up to make sure everything was going OK,” he said. “I felt like I was on my own.” He subsequently terminated his contract with Kaseya.

On July 6, Kaseya Chief Executive Officer Fred Voccola said in a video posted on YouTube that 50 of the company's customers had been directly affected by the breach, with a further 800 to 1,500 other “downstream” businesses also impacted because they were customers of Kaseya's clients.

Voccola said that following the attack, Kaseya had received help from the Department of Homeland Security, the Federal Bureau of Investigation and the White House.