On the night of the 2nd of July, one of the largest ransomware attacks in history took place. Kaseya, a global software provider, announced it had been hacked. Kaseya’s Response team detected a potential threat and took immediate actions to protect their clients. They started following the response protocol, shutting down their Saas services, and advised their clients to turn off their VSA servers as a precautionary measure. Unfortunately, by then around 1500 customers were already affected.
What you might not know is that the Dutch Institute for Vulnerability Disclosure (DIVD) discovered some vulnerabilities in Kaseya 3 months before the attack. They started the Coordinated Responsible Disclosure process and tried to help the IT provider with all the needed information and solutions. But it was too late.
First of all, what is DIVD? DIVD is a non-profit organisation run by a team of 30+ volunteers (including our CE2 Edwin van Andel, and triage office, Lennaert Oudshoorn) that “aim to make the digital world safer by reporting vulnerabilities they find in digital systems to the people who can fix them.” They scan the internet for vulnerabilities, report the findings to the person in charge and they don't expect any monetary compensation back. They are only doing this because they "perceive vulnerability disclosure as a societal need."(DIVD website)
We sat down with two of the DIVD volunteers, Victor Gevers and Wietse Boonstra, and discussed the incident, its consequences, and how it can be prevented in the future.
Thank you for taking the time to meet with us. Let’s discuss what happened.
Wietse: Sh*t hit the fan; A large Managed Service Provider(MSP) software developers application got breached.
Victor: Wietse found multiple vulnerabilities in Kaseya at the start of April. We entered the CVD process with them, but attackers beat us to the punch and launched a large ransomware attack on the weekend of the 4th of July.
How did you first find these vulnerabilities?
Wietse: While working on a pentest, I discovered a tool that was used by a customer and it made my spidey senses tingle. The only problem was that I didn’t have much time to investigate this during the time period we had agreed upon. So I started fiddling around in my spare time, and due to Covid, I had plenty. After a while, I discovered some issues and started to try and see if I could leverage these to show the impact.
Victor: Wietse first found these vulnerabilities. After that, the rest of our team, Frank, Lennaert, and I got involved in the process of disclosing them and scanning the internet for vulnerable systems with the intention to notify customers once a patch was available.
What made you want to look deeper into this product?
Wietse: In the beginning, just for fun. I just like taking things apart and seeing how it works.
Victor: Kaseya is one of the most known names in the MSP marketplace next to SolarWinds which is also known for having a lot of (zero-day) vulnerabilities which have been abused by numerous threat actors.
How was the process of contacting Kaseya and working with them?
Wietse: From past experience, contacting a vendor and telling them there is a problem with their product mostly ends up hitting a brick wall. But with Kaseya it was different. Within a day or so, we (DIVD) had a meeting with the CTO, we explained what we had found and started to share information. We also retested after they released a patch.
Victor: Kaseya was very willing to have the CVD process going as smoothly as possible. They were also willing to continue working with us without a signed NDA, which showed their goodwill from the get-go.
Do you think this process could be made easier / improved, and if so, how?
Wietse: In order to get in touch with them, we had to look on their website to find an RD page. That was not clear and I could imagine that this would sometimes prevent RD.
Victor: Yes, active triage would have made this process even smoother, it gives a timeline, steady progress, and updates. Besides that, it gives more expectation management and a clear overview of the interests of all parties involved.
Does a clear and actively managed RD policy make it easier for you while trying to report problems to companies?
Wietse: Absolutely, Absolutely, Absolutely
Victor: Vendors should have a clear way of securely communicating with researchers. This keeps the disclosure chain safe and makes sure vulnerabilities don’t leak out before all parties are ready to disclose.
What are the consequences of this incident?
Wietse: In this case, the companies that got hit with the ransomware have no reliable data anymore, and their infrastructure needs to be rebuilt/reinstalled. That will cost a lot of time and money.
Victor: Over 1500 MSPs were hit, with many more customers behind them of course. Some media have reported this as the largest ransomware attack to date. A far bigger awareness about the architectural flaws in MSP products, a general sense that this industry’s security maturity is not up to par.
What do you feel are the main takeaways from this incident?
Wietse: This is not a one-man job. It takes a team to get this to the desired level.
Victor: MSP software has proven to be a very lucrative target for cybercriminals, and the chances are high that we will see more attacks on this industry in the near future. For ourselves, a lesson learned is that we need to communicate even better, meaning we need better ways of sharing information with relevant parties.
How can this be avoided/prevented in the future?
Wietse: Make sure that you take security seriously within your development, do pentest, code reviews.
Victor: The CVD process of vendors needs to improve because this should be picked up faster and better. Active triage and expectation management are needed to quickly resolve these kinds of issues and prevent these incidents.
Do you think bug bounty programs would help companies find these kinds of issues earlier?
Wietse: For sure.
Victor: Yes, bug bounty programs and CVD policies would have absolutely picked up a lot of these vulnerabilities before. Having these kinds of programs also helps vendors market their products as more secure. In case of an incident, it will help them prove they did the most they could to secure their product.
"Many of the found vulnerabilities would have been discovered a lot earlier in a bug bounty program. Of course, a program might miss very complex bugs, but this wouldn’t have been the case here. To us, it is clear that many vendors have not tested their products sufficiently."
You can read more about this case on the DIVD blog. Also, we encourage you to take a look at our Coordinated Responsible Disclosure page and Bug Bounty page if you would like to know more about the advantages of these programs.