The Dutch security group that informed Kaseya of vulnerabilities said the company’s response was ‘on point and timely’.
Kaseya had known about vulnerabilities in its software and was in the process of patching them when a major cyberattack occurred last week (2 July).
The ransomware attack, which infected the company’s VSA software, has since impacted as many as 1,500 businesses worldwide.
According to the Dutch Institute for Vulnerability Disclosure, Kaseya was informed of a number of vulnerabilities in early April.
In a blogpost, Frank Breedijk of the Dutch Institute for Vulnerability Disclosure said Kaseya’s response to the disclosure was “on point and timely”.
“They listened to our findings and addressed some of them by releasing a patch resolving a number of these vulnerabilities. Followed by a second patch resolving even more,” he said.
“Unfortunately, the worst-case scenario came true on Friday [2 July]. Kaseya VSA was used in an attack to spread ransomware, and Kaseya was compelled to use the nuclear option: shutting down their Kaseya Cloud and advising customers to turn off their on-premise Kaseya VSA servers. A message that unfortunately arrived too late for some of their customers.”
The Dutch Institute for Vulnerability Disclosure said one of the two vulnerabilities used in the attack was one it had previously disclosed to Kaseya.
Responsibility for the attack was claimed by cybercrime gang REvil, which demanded $70m in ransom for a universal decryption tool. Businesses affected by the attack include a large Swedish grocery chain, a small number of schools in New Zealand and a limited number of UK businesses.
The Dutch security group explained that it is best practice not to publicly disclose details of vulnerabilities discovered for fear of tipping off malicious actors before a company has had a chance to fix the problem.
However, that doesn’t prevent cybercriminals from independently discovering the same flaw that a security researcher can find, allowing them to exploit it.
Breedijk explained that given the serious nature of the vulnerabilities, it will not disclose the full details of the vulnerabilities until Kaseya has released a patch.
“We have no indication that Kaseya is hesitant to release a patch,” he added. “Instead, they are still working hard to make sure that after their patch the system is as secure as possible, to avoid a repeat of this scenario.”
Kaseya is still working on getting systems back up and running. On Wednesday (6 July), the company discovered an issue that has blocked its latest security release. In an update yesterday (7 July), Kaseya said it is resolving the issue and plans to begin restoring SaaS services no later than this evening.
The Miami-based software company previously received backing from the Ireland Strategic Investment Fund (ISIF), which invested €19m in 2017. The investment was part of a wider funding round and, at the time, Kaseya planned to create 130 jobs at its Dublin office.
According to The Irish Times, the ISIF does not use the company’s technology and there is no indication that any Irish businesses have been impacted by the cyberattack.