Managed service providers (MSPs) have long relied on third-party software to manage clients’ IT infrastructure, but a massive ransomware attack launched over the weekend at customers of Kaseya will likely cause MSPs to take a harder look at the security of their IT suppliers.
Kaseya revealed late Friday night that a zero-day vulnerability in its VSA on-premises servers resulted in 60 clients being directly compromised, impacting a pool of 1,500 downstream businesses. After a series of highly publicized ransomware attacks this spring, the Kaseya attack most resembles the compromise of SolarWinds in late 2020.
Like SolarWinds, both companies serve large B2B audiences, where Kaseya’s products produce hundreds of end products and services. And therein lies why third-party and supply chain attacks are so daunting. Instead of targeting a single company, threat actors attacking broadly used IT tools like Kaseya or SolarWinds can infiltrate an umbrella of companies. Kaseya’s access to a network of SMB IT vendors and managed service providers (MSP) is a dangerous prospect in malicious hands.
The question now is – how can organizations trust third-party software?
As industry analysts consider the next zero-day threats and the implications of more ransomware and supply chain attacks, we look at the attacks and what organizations can do to defend themselves against advancing threats.
VSA server breached
Kaseya’s flagship product is a remote monitoring and management (RMM) solution called the Virtual Systems Administrator (VSA) and is the product at the center of the current attack. When administrators noticed suspicious behavior on Friday, Kaseya shut down VSA.
Kaseya’s on-premises VSA server is a powerful machine designed for MSPs and IT vendors serving a remote network of their clients. Through a software update to Kaseya VSA, the threat actors deployed a zero-day vulnerability and from there could access network segments connected to VSA servers.
Kaspersky researchers detailed the attack techniques and noted they had seen more than 5,000 attack attempts in 22 countries. Kaspersky recommended a number of defensive steps, among them:
- Not exposing remote desktop services (such as RDP) to public networks unless absolutely necessary and always using strong passwords for them
- Promptly installing available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network
- Always keeping software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities
- Focusing your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections. Backup data regularly. Make sure you can quickly access it in an emergency when needed.
REvil attracted media attention last month for its ransomware attack against meat-processing company JBS Foods. The Ransomware-as-a-Service (RaaS) gang infiltrated Kaseya’s server, moved to client networks, and executed ransomware encryption to lock end-client networks. Kaseya is updating clients on developments at this link.
High-profile attacks on the rise
Establishing Standards for Secure Systems
Working concepts like verified reproducible builds and software bill of materials (SBOM) are valuable additions to the conversation while the IT marketplace remains relatively unregulated. The chaotic nature of software development and build pipelines must change, but for now, that change starts with businesses demanding greater transparency before signing contract terms.
Though these are promising concepts, analysts noted having a SBOM here wouldn’t have made a difference for the Kaseya breach. A reliance on built-in trust between systems and excessive user privileges is a risk that a list of ingredients can’t fix.
Read more about reproducible builds, SBOMs, and certificate forgery in our comprehensive look at the SolarWinds hack tactics.
Preparing for Criminal Enterprise
REvil is representative of a business-oriented movement of black hatters. While other Ransomware-as-a-Service (RaaS) and zero-day threat offerings are declining, Sophos Labs reports REvil is taking the mantle. Some threat groups promote a moral code of conduct, but there’s little evidence to prove actors are held accountable for misuse like targeting critical infrastructure, nonprofit, and public organizations.
Managing supply chain risk
For the time being, managing supply chain risk means meticulous attention to detail, supply chain relationships based on trust and transparency, and having a breach mindset. Mastering software inventory details gives network administrators visibility into organization systems, applications, and traffic flows.
Read about our picks for the top breach and attack simulation (BAS) vendors of 2021.
The breach mindset
As attacks continue, the security wisdom to organizations is to visualize and imagine the subsequent breaches. If a network segment like the organization’s CRM application becomes compromised, what will the impact be? Specifically, what does access between network segments look like for internal clients?
Deploying zero trust security
A resounding security industry answer to today’s advanced threats is zero trust. As the network perimeter proves too tricky to guard, there’s no question that determined intruders can gain access.
For this quandary, network administrators need a solution that understands system relationships and prohibits anomalous behavior. For MSP clients, they expect their managed service provider to offer solutions fit for their network’s needs.
Raghu Nandakumara, Illumio’s EMEA and APAC Field CTO, told eSecurity Planet:
“When ransomware is distributed via authorized management channels, it is indeed difficult to stop it from spreading – and detection and response must focus efforts on the target endpoints. zero trust approaches to security put emphasis on visibility of all actions, and the ability to identify expected and normal actions compared to unexpected and abnormal activity. As we see a maturity in zero trust adoption, we will see both improved granularity in controls, coupled with more sophisticated detection of unauthorized actions, that will improve the ability to identify malicious behavior and limit its impact.”
Kaseya provides security tools
Kaseya, meanwhile, has released a number of security tools it said will greatly reduce the attack surface of Kaseya VSA:
- A 24/7 independent security operations center (SOC) for every VSA, with the ability to quarantine and isolate files and entire VSA servers
- A complementary content delivery network (CDN) with web application firewall (WAF) for every VSA (including on-premises opt-in)
- Customers who whitelist IPs will be required to whitelist additional IPs