Enterprise tech firm Kaseya has confirmed that around 1,500 businesses were impacted as a result of an attack on its remote device management software, which was used to spread ransomware.
It appears that the attackers, believed to be REvil, carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) and their customers.
VSA is remote monitoring and management software, used to manage endpoints such as PCs, servers, and cash registers, as well as to manage patching and security vulnerabilities.
On Sunday, the actors asked for $70 million in exchange for a universal decryption tool.
Hitesh Sheth, CEO of Vectra AI, said that the Kaseya attack hit thousands of victims, most of them smaller organizations with thinner wallets, including “dental practices, architecture firms, plastic surgery centers, libraries, things like that.”
“It nonetheless made economic sense for the attackers because Kaseya served as an efficient distribution hub for their poison-pill software. Kaseya VSA, the company’s widely used IT automation SaaS offering, became the unwitting delivery system at the service of the black hats.”
What do the experts say?
Lior Div, CEO and co-founder of Cybereason, commented:
“The global Kaseya attack is a reminder that the public and private sector need to change the way cyber conflict is fought. The goal isn’t to block and prevent all attacks but rather to quickly detect suspicious or malicious activity, and ensure you have the visibility, intelligence, and context to understand and remove the threat.”
“Cybereason and other modern security companies have technologies like EDR (Endpoint Detection & Response) that can disrupt these operations at the earliest stages of attacks through behavioral detections.”
“This newest attack will once again start the debate about whether it makes sense to rip and replace legacy computer networks used by public and private sector organizations. That simply isn’t going to fix the problem. We have spent trillions of dollars on cybersecurity over the past 20 years. And in many ways, we’re no safer today. What matters is how the money is spent.”
“In general, it doesn’t pay to pay ransoms. A recent Cybereason global research study found that 90% of UAE companies that paid a ransom were hit a second time. But, in those rare life or death situations, paying a ransom could very well be the right decision.”
Ben Carr, CISO at Qualys, said:
“MSPs are a high-value target. As an MSP, you have a ton of data from multiple customers, much of it mission-critical. Supply chain attacks should be top of mind for all companies, including those using MSPs. It’s essential to do due diligence on who is hosting and managing your data. While you can outsource the work, you can’t outsource the risk.”
“Companies need to make sure they have the proper protocols and robust third-party risk assessments in place ahead of these attacks so they can respond efficiently. This way, if there is an attack, you have options for redundancies ready to be put in place, and you can pivot to an alternative solution with minimum impact on your business.”
Sheth of Vectra AI added that the Kaseya attack “extends a clear pattern we’ve been too slow to recognize. Because SolarWinds was so successful, we should have seen a rerun coming.”
“I hope this attack prompts hard questions from customers of MSPs or SaaS vendors. When more businesses outsource critical functionality to the cloud, the Kaseya case suggests heightened risk.”
“How much do these businesses really understand about their vendors’ security posture? Is there sufficient emphasis on rapid attack detection?” Sheth asked.
For his part, Oliver Tavakoli, CTO of Vectra AI, elaborated on the ongoing patching effort, saying “Kaseya appears to be following a coherent incident response plan to get the overall VSA infrastructure back up and running.”
“Given the cascade of updates, whereby software updates typically flow from Kaseya SaaS to on-prem VSA servers (with ‘on-prem’ referring mostly to MSPs’ premises) to agents which are then pushed to downstream endpoints (in this case, endpoints belonging to the affected MSPs’ customers), this sequence makes sense.”
“Once a hardened version of the SaaS service is up and running, the on-prem VSA servers will be provided with additional protections (24×7 SOC coverage and a CDN-delivered WAF). Then the process of opening up uncompromised VSA servers to patches from Kaseya’s SaaS begins, while compromised VSA servers will need to be re-installed and subscriber data must be restored from backups before the patches can flow.”
“One of the key lessons of this entire attack is that internet-accessible on-prem services (typically referred to as DMZ services) are incredibly valuable attack vectors. Keep them patched.”
Sheth added: “It’s hard to fault Kaseya for taking an extra precautionary step when so many organizations take too few. In retrospect, the attack may have prioritized on-premises hardware. But in the thick of the emergency with damage reports still rolling in, I would have taken the SaaS servers offline too. We’re paying a stiff price for complacent overreliance on endpoint defense.”
Meanwhile, Craig Sanderson, VP of Product Management at Infoblox, said:
“The Kaseya attack, which paralyzed companies such as the supermarket chain Coop in Sweden, shows that anyone can be targeted. Because attackers commonly use DNS for communicating with malicious domains, DNS security can help block those communications while providing indispensable visibility into the activity of impacted machines, helping customers understand the scope of a breach for quick response.”