
By Byron V. Acohido
It was bound to happen: a supply-chain compromise, ala SolarWinds, has been combined with a ransomware assault, akin to Colonial Pipeline, with devasting implications.
Related: The targeting of supply chains
Last Friday, July 2, in a matter of a few minutes, a Russian hacking collective, known as REvil, distributed leading-edge ransomware to thousands of small- and mid-sized businesses (SMBs) across the planet — and succeeded in locking out critical systems in at least 1,500 of them. This was accomplished by exploiting a zero-day vulnerability in Kaseya VSA, a network management tool widely used by managed service providers (MSPs) as their primary tool to remotely manage IT systems on behalf of SMBs.
REvil essentially took full control of the Kaseya VSA servers at the MSP level, then used them for the singular purpose of extorting victimized companies — mostly SMBs — for payments of $45,000, payable in Minera. In a few instances, the attackers requested $70 million, payable in Bitcoin, for a universal decryptor.
Like SolarWinds and Colonial Pipeline, Miami-based software vendor, Kaseya, was a thriving entity humming right along, striving like everyone else to leverage digital agility — while also dodging cybersecurity pitfalls. Now Kaseya and many of its downstream customers find themselves in a crisis recovery mode faced with shoring up their security posture and reconstituting trust. Neither will come easily or cheaply.
There are profound takeaways for everyone. Last Watchdog reached out to a roundtable of cybersecurity experts to hash over what happened — and discuss what’s likely to happen next. Here’s what they had to say, edited for clarity and length:
Vikram Asnani, senior director – solution architecture, CyberGRX
Attackers exploited the zero-day vulnerability to distribute a malicious payload to vulnerable Kaseya VSA servers used by the MSPs. These VSA servers have a trusted relationship with their extension, the VSA agents running on the Windows devices of the customers of those MSPs . . . VSA ‘working folders’ typically operate within a ‘trust wall,’ which means malware scanners and other security tools are instructed to ignore whatever they’re doing.
The hackers were thus able to deposit the malware and run a series of commands to hide the malicious activity from the malware-scanning tools. From there, the malware began encrypting files on the victim’s machine. It even took steps to make it harder for victims to recover from data backups.
Anthony Merry, senior director of product management, Sophos
This attack was very fast. From what we can see from the telemetry, they reached everyone that they could reach, globally, within two to three minutes. And then the encryption attack also was completed within minutes . . . There was no warning that this attack was about to start because it came in through a trusted channel. And then if your defenses didn’t stop it, you were owned very quickly . . . the tactics used – evading malware protection, poisoning the supply chain, taking advantage of an otherwise benign Microsoft code-signing process — these are all very sophisticated steps . . . This is a timely reminder of the need for multiple layers of security.
Alexa Slinger, identity management expert, OneLogin:
REvil hit Kaseya at the start of America’s Independence Day holiday weekend, ensuring that US offices would be lightly staffed and therefore slower to respond. Also, Kaseya intended to release a software update to secure the zero-day vulnerability on Saturday, July 3rd, the day after REvil’s successful attack . . . The Kaseya attack illustrates the high value of MSPs as targets for cybercriminals, and opens the doorway for other hackers to follow REvil’s approach. There’s no guarantee that REvil would provide said decryption key and paying a ransom request will certainly cause other hacking groups to sit up and take notice of REvil’s strategy.
Jayesh Patel, senior threat analyst, Versa Networks
This exploit disables Microsoft Defender which shows that MSPs, and their downstream customers, should be wary of bundled security; for instance, Microsoft Defender is usually bundled with other Microsoft products – like their XDR solution . . .The attack leveraged a zero-day that bypassed authentication on the Kaseya VSA web interface to deploy ransomware to endpoints. What many hackers are learning is that much of our web apps are vulnerable and it’s very easy to exploit.
Bryson Bort, CEO, SCYTHE
We quibble a lot in our space on what connotes ‘sophisticated.’ In general, most of the attack reflected common ransomware tactics and tooling, except for the use of a zero-day vulnerability. And the timing: Kaseya was in the process of working through a coordinated disclosure of the vulnerability when, coincidentally, REvil got access to the same vulnerability. Where there is smoke, there is fire . . . Ransomware already is front and center. And it’s now metastasizing into supply chains where it can capture ever greater numbers with minimal effort. There will be more.
Tonia Dudley, strategic advisor, Cofense
Post-incident follow up will allow organizations to fully understand how to enhance mitigating controls to monitor for an incident like this attack. Once the postmortem is complete, we’ll be able to understand if the recent Executive Order SBOM will have an impact . . . While in this case the attack was propagated via a software vulnerability, in the majority of cases ransomware begins with an email bearing malware. Conditioning employees to be aware of this threat is key. It’s the difference between an organization experiencing an infection or two at worst, and a widespread ransomware attack.
Sascha Fahrbach, cybersecurity evangelist, Fudo Security:
This attack is significant in its scale: 17 countries are affected, and organizations in many industries have been impacted with their vital data now at the mercy of criminals . . . Furthermore since this is being seen as a supply chain ransomware attack, it does beg the question on how secure these organizations are. How do they view their own cyber hygiene? There is still conflicting information on how many MSP vendors are impacted but the figure stands at around 40. Though even one compromised MSP could already expose thousands of endpoints.
Dom Glavach, CSO and chief strategist, CyberSN
The companies impacted by the attack trust their MSP for support and now face a crippling ransomware attack delivered through software the MSP enabled to support their needs. The impacted companies have nowhere to turn except back to the MSP, ultimately increasing the payment decision in favor of the threat actors . . . Lastly, the reports that a zero-day exploit was leveraged to propagate the attack illustrates that criminal organizations have enough funding, resources and organization similar to nation-state adversaries. This magnifies the risk of similar attacks targeting any industry, all sizes and even individuals, such as celebrities, CEOs, government officials, etc.
Chris Clements, VP of solutions architecture, Cerberus Sentinel
Yesterday it was SolarWinds, today is Kaseya, but there are dozens of other management and monitoring tools that have complete control of all systems and data on networks they are deployed on. These tools can provide management productivity boosts, but by their very nature introduce massive risk. It is incumbent on organizations to recognize this trade off and conduct an in-depth security evaluation as part of the acquisition of these products and services. It must be part of your threat monitoring.
Garret Grajek, CEO, YouAttest:
This is an attack that keeps on attacking. It’s not a single attack, it was an attack on the eco-system of software that is deployed into managing enterprises. Much like the Solarwinds attack – Kaseya hits us at the ‘software update’ software – that is, the tools that are supposed to be helping us fight these attacks . . . It’s a wake-up that MSPs are just as vulnerable as every other institution – if not more so, since one attack on them has repeated value to the attackers who can then possibly gain access to multiple clients. MSPs are force multipliers for threat actors.
Demi Ben-Ari, CTO, Panorays
This is unquestionably one of the most serious supply chain attacks in history. It could even very well turn out to be a much larger incident than the SolarWinds breach, since some of its victims are Managed Service Providers (MSPs) that may each work with hundreds of businesses . . . Moreover, it should be noted that the Russian-based REvil hacker group has been active since April 2019 and provides ransomware as a service. That is, it develops software that paralyzes networks and sells it to affiliates, who earn the bulk of the ransom.
Gary Phipps, VP of solution architecture, CyberGRX
The ongoing concern is that pre-contract due diligence, in its oft adopted format, is next to useless — unless your goal is to pass a bank exam. What I would love to hear is a LinkedIn story from someone who says, ‘We weren’t impacted and here’s how and why.’ Did someone out there find a way to perform due diligence in a fashion that identified the threat before it was contracted? Did a risk or security analyst out there have enough political capital to recommend avoiding the service provider to a business owner who actually took the advice? I’m not picking on Kesaya; I’m picking on the due diligence process that is in dire need of disruption.”
James McQuiggan, security awareness advocate, KnowBe4
These attacks have evolved and now involve injecting a ransomware attack within the code to leverage the trusted connections of the targeted organization . . . Cyber organizations need to be transparent about large-scale supply chain attacks; when organizations are informed about a zero-day vulnerability by security researchers or other third parties, communication and repeatable response plans must be implemented to mitigate the risk and make the corrected update available as soon as possible.
Bill Lawrence, CISO, SecurityGate.io
Kaseya was a ‘patient zero day’ – other MSPs need to do all they can to avoid being the first and most connected in a chain of cyber security attacks on their customers. Risk assessments need to be unflinching, thorough, and repeated . . . The attackers are reportedly from the Russia-linked REvil APT group. Whatever diplomacy or deterrence already in place is still not working. Calls for Russia to be treated like a pirate state seem prescriptive and appropriate. And overdue.
Eddy Bobritsky, CEO, Minerva Labs
Like the SolarWinds attack, it is another case of attack where a trusted tool, that was aimed to help the security level of the network, was maliciously exploited by threat actors. It creates a trust problem between MSPs and their clients, and between MSPs and their security tools providers . . . All sides need to think of a way to prevent this kind of exploit in the future, and find ways to be one step ahead without the need to know who will be the attacker, how will the attack be done and what will be the purpose of the attack.
Dave Cundiff, VP of member success, Cyvatar
MSPs and vendors alike have an obligation to continually review their processes and toolsets to do everything reasonable to prevent or mitigate as much as possible these types of attacks from impacting their customers. Unfortunately for a number of reasons, ongoing reviews are not performed adequately or continuously enough by most MSPs . . . All security professionals have a responsibility to provide awareness to those impacted, whether through responsible disclosure of findings to vendors or providing other means of protection to the community at large.
Saumitra Das, CTO, Blue Hexagon
VPNs, firewalls, email gateways have all been misused recently to gain a foothold with privilege inside an organization’s network without having to phish a user or hope for open RDP to compromise . . . MSPs need to spend a lot more effort on internal security and handling customer data and networks. Invest in detection and response and look for tainted binaries in their software development life cycle (SDLC) processes. Attackers are targeting anyone who gives them a foothold into multiple organizations’ networks.
Richard Blech, founder, XSOC Corp.
MSPs were entrusted by other businesses to have the security of their environments protected. The MSPs failed terribly. MSPs should never be caught off guard, and if such an attack like this is successful, they need to have a ready-to-deploy plan in place other than, ‘Let’s just pay the ransom’ . . . MSPs should be ready to immediately deploy a backup network from a shadow copy and be prepared to bring back the network to at least minimal operating conditions.
Tom Garrubba, CISO, Shared Assessments.
Ransomware was, until this incident, a targeted approach to affect a single company. What makes this different is that many IT shops utilize Kaseya’s offerings and thus, the ransomware has propagated onto those systems . . . . This is a HUGE wakeup call. Understanding the risks associated with outsourcing critical processes is a primary concern; proper due diligence of the cyber and privacy hygiene of any organization with access to your data is a must.
Jim Gogolinski, VP of research and intelligence, iboss
REvil is claiming to have impacted over a million systems with this latest attack. In another first, REvil is asking for the highest reported payment of $70 million . . . This attack continues to drive home the point that ransomware groups continue to evolve their tactics as well as their business plans. Ransomware attacks are increasing in both volume and complexity and companies need to remain vigilant and have a tested plan in place.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.