The Unfixed Flaw at the Heart of REvil’s Ransomware Spree

Security researchers warned Kaseya about its IT management software in April, but the patches didn't come fast enough to avert last week's disaster.
tape
Kaseya still hasn't released a patch for the vulnerability that REvil used to spread ransomware to as many as 1,500 companies.Photograph: MirageC/Getty Images

on April 1, researchers from the Dutch Institute for Vulnerability Disclosure identified the first of what they quickly found to be seven vulnerabilities—all easy to spot, some potentially catastrophic—in an IT management system known as the Virtual System Administrator. By April 6, they had found 2,200 vulnerable systems and disclosed their findings to Kaseya, the company behind VSA. Kaseya patched four of the seven in the ensuing days and weeks, but three remained. What happened next was one of the most significant ransomware attacks in history.

On July 2, just days before the 90-day disclosure deadline the DIVD had given Kaseya, hackers associated with the ransomware gang REvil exploited one of three remaining VSA vulnerabilities along with an additional flaw, ultimately spreading malware to as many as 1,500 businesses and organizations around the world. Kaseya hadn't neglected those remaining bugs entirely. It had continued to work with the Dutch researchers to fix them—just not fast enough to prevent the worst. 

“I really believe they were making their best effort,” says Victor Gevers, head of the DIVD. “They were posting job listings, hiring new security specialists, hiring outside security companies, doing source code review, checking their perimeters, really working on their security posture. But it was a lot at once.”

A Kaseya spokesperson declined to comment for this story, citing the company's ongoing investigation into the incident. Since July 2, though, the company has repeatedly said that the remaining patches are being prepared for release. Nearly a week after the initial attack, though, those fixes haven't materialized.

That doesn't mean Kaseya has been idle in response to the attack. The company quickly shut down its cloud offerings as a precaution and began urgently encouraging customers who run “on-premises” VSA servers to do the same to limit the fallout. The number of exposed VSA servers publicly accessible online dropped to roughly 1,500 on July 2, fewer than 140 as of July 4, and 60 as of today

But while fewer vulnerable systems certainly keeps the scale of the attack from increasing, it doesn't help victims whose systems remain locked up.

“Kaseya had opportunities for years to comprehensively address low-hanging-fruit vulnerabilities like the one that allowed REvil to savage its customers,” says Katie Moussouris, founder of Luta Security and a longtime vulnerability disclosure researcher. 

Vulnerability disclosure programs and bug bounties like those offered by Kaseya are a valuable tool, says Moussouris, for companies looking to strengthen their digital security. But these programs alone can't offer adequate defense if the company doesn't also invest in its internal security and staffing.

"We can't fight ransomware one disclosure at a time," says Moussouris.

Many companies are much less responsive and collaborative on patching vulnerabilities than Kaseya was. But the managed service providers who use Kaseya's software are known, valuable targets of ransomware attacks; Kaseya itself tried to raise awareness about the issue in 2019. The longer Kaseya took to patch, especially given how easy the vulnerabilities were to discover, the more likely it was that someone else might find them.

The consequences of Kaseya's lapse are still playing out. REvil claims to have encrypted more than a million systems as part of the attack, but the hackers seem to be having a difficult time actually coaxing payments from victims. The group requested tailored ransoms in the tens of thousands of dollars from many targets but also said it would call off the whole attack for $70 million. Then it lowered the blanket ransom demand to $50 million. The group's negotiation portal has also suffered outages.

For its part, the DIVD's Gevers says that the group will use this incident as a learning experience to understand what else it could have done to get patches out more quickly. In the meantime, DIVD continues to get word to vulnerable VSA users about the possibility of further attacks and potential temporary mitigations.

“DIVD is five people and we work on about 100 or 200 cases like this per year,” Gevers says. “This is the only case to fall through the cracks—to fail. We were not in time to mitigate the danger, and this failure meant there were many victims, which is exactly what we’re trying to prevent. It hurts.”

Gevers says that the DIVD released an alert in the Netherlands on April 6 that VSA users should be cautious and await patches. The warning seems to have been effective at averting crisis for VSA users in the Netherlands, but Gevers adds that something went wrong in the process of distributing the alert to international vulnerability disclosure partners, or Information Sharing and Analysis Centers, and many organizations did not receive it or pass it on. That type of warning can also tip off hackers as to where they might want to dig for critical vulnerabilities, making quick patching all the more important. (It's not clear how or when REvil decided to target Kaseya, and the group has gone after MSPs before.)

After collaborating for months with Kaseya to remediate the flaws, the DIVD team has assisted the company's incident response, working around the clock to help mitigate the fallout. Even when the situation is resolved, Gevers cautions that other IT management software companies could have similar weaknesses to Kaseya that haven't been fixed. The next ransomware meltdown or worse could be one bug away. 

“It's an ongoing battle, and I hope we are in time the next time," Gevers says. “I really hope it.”


More Great WIRED Stories