The Miami-based technology firm at the center of the worldwide security breach carried out by Russia-linked hackers was warned in early April of the cybersecurity vulnerability that was ultimately exploited by the cyber criminal gang. A breach of the Florida technology firm Kaseya last week resulted in hundreds of companies around the world being immobilized, with schools, businesses, public sector groups and credit unions among those affected. The Dutch Institute for Vulnerability Disclosure (DIVD) said in blog posts this week that it had discovered seven vulnerabilities in Kaseya’s system in April and confidentially informed the company. “When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands,” DIVD said in a blog post on Wednesday. “After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do. We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA.” Some sources have reported that Kaseya was developing a patch for the vulnerability but had not yet released it at the time of the mass ransomware attack against its clients.
If vulnerabilities are reported by security researchers, it is important to take them seriously and fix them in a timely manner. If they can be found by outside researchers, they can be found by skilled cyber criminals. Any company that develops software or hosts web-based services should have an established policy and procedure in place so that security researchers can reach the right person in the company with vulnerability reports. Some companies establish bug bounty programs to encourage researchers to look for vulnerabilities, but even where there is no monetary reward, it should at least be straightforward to find the right point of contact for reporting security concerns. Writing a security patch takes longer than rolling one out through patch management, so it’s best to get started as soon as you are aware of serious vulnerabilities that could lead to compromise.
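One widely used way to make that point of contact easy to find is a security.txt file served at /.well-known/security.txt, as standardized in RFC 9116. The file below is an added illustration, not something from the article or from Kaseya; the domain, mailbox and URLs are placeholders for a hypothetical vendor.

```text
# Served at https://example.com/.well-known/security.txt
# (example.com, the mailbox and the URLs below are placeholders)

# Where researchers should send vulnerability reports (required field)
Contact: mailto:security@example.com
Contact: https://example.com/security/report

# Date after which this file should be considered stale (required field)
Expires: 2025-12-31T23:59:59Z

# Public key researchers can use to encrypt sensitive report details
Encryption: https://example.com/security/pgp-key.txt

# The vendor's disclosure policy: scope, expected response times, safe-harbor terms
Policy: https://example.com/security/disclosure-policy

# Where researchers who reported issues are credited
Acknowledgments: https://example.com/security/hall-of-fame

Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

The Contact and Expires fields are the two that RFC 9116 requires; the rest are optional but answer the questions a reporter like DIVD would otherwise have to ask (how to encrypt the report, what response to expect). Keeping the Expires date current matters, since an expired file signals that the contact details may no longer be monitored.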