systems until their owners paid up. But it
similarly relied on Kaseya’s Virtual System
Administrator product, or VSA, as a vehicle to
get access to the companies that rely on it.
A 2019 ransomware attack also rode into
computers through another company’s add-on
software component to the Kaseya VSA, causing
more limited damage than the recent attack.
Some experts have tied that earlier assault to
some of the same hackers who later formed
REvil, the Russian-language syndicate blamed
for the latest attack.
And in 2014, Kaseya’s own founders sued the
company in a dispute over responsibility for
a VSA security flaw that allowed hackers to
launch a separate cryptocurrency scheme.
The court case does not appear to have been
previously reported outside of a brief 2015
mention in a technical blog post. At the time,
the founders denied responsibility for the
vulnerability, calling the company’s charges
against them a “bogus assertion.”
Nearly all of Kaseya’s security problems
have as their root cause well-understood
coding vulnerabilities that should have been
addressed earlier, said cybersecurity expert
Katie Moussouris, the founder and CEO of
Luta Security.
“Kaseya needs to shape up, as does the entire
software industry,” she said. “This is a failure to
incorporate the lessons the bugs were teaching
you. Kaseya, like a lot of companies, is failing to
learn those lessons.”
Many of the attacks relied at least in part on
what’s known as a SQL injection, a technique
hackers use to inject malicious code into web