Over the weekend, there were reports that attackers launched attacks against users of the Kaseya VSA remote monitoring and management software, in addition to thousands of customers of various managed service providers (MSPs) that use the software. The attackers gained access to the VSA software and deployed ransomware associated with the REvil (also known as Sodinokibi) ransomware group.
Kaseya was made aware of the attack and stated that it occurred due to a vulnerability within its software. Kaseya is working on a patch, but no further information has been released on the vulnerability. Kaseya’s recommendation to businesses and organizations running its software is to shut the system down quickly.
The Cybersecurity and Infrastructure Security Agency also released a notice asking businesses and organizations to adhere to the guidance released by Kaseya.
Many cybersecurity and IT experts have been sounding the alarm over the weekend that many firms use Kaseya’s tools as part of their incident response process, and losing the ability to use this tool could be extremely problematic. We talked to many experts in the industry to understand their view of the Kaseya ransomware attack and what impact it has had on their operations this weekend.
“This is not good and makes our jobs harder. However, this is why we use hosted solutions, so we do not have those vulnerabilities to address. Our providers do,” said Nick Allo of Semtech IT Solutions.
Planning and Preparedness
The Kaseya ransomware attack has already proven to be very dangerous, and once again showed how businesses, agencies, and organizations need to improve their planning and preparedness.
Luis Alvarez of Alvarez Technology Group shared this about the recent attack:
“Another attack on a major RMM vendor that bled to customer sites starkly illustrates the challenge that we are facing. You can only imagine that Kaseya is keenly aware of its responsibilities to protect its network, its MSP customers and their customers, yet it happened again.”
“We cannot build walls high enough or moats wide enough to keep out the barbarians; we need to be prepared to deal with them when (not if) they breach the castle walls. That’s what a robust cybersecurity framework is all about. As an MSP you have to be an optimistic pessimist: hope for the best, but assume the worst.”
While Kaseya has identified the vulnerability used in the attacks and will release a patch soon, RMM software will continue to be a target. Clients and MSPs will need to take the proper actions to ensure they are prepared. Planning for critical resources, systems, and platforms being unavailable should become part of the planning and preparedness process, especially given the frequency of critical-level ransomware attacks. The availability of your systems is never a guarantee.
“The current attack against Kaseya and the subsequent impact across over 200 businesses represents the nightmare scenario for any MSP. The reality is that what makes MSPs efficient — centralized multi-tenant management — also presents a highly attractive target for attackers. A zero-day attack into this trusted, essential infrastructure is something every MSP must plan for, but hope never occurs,” said Michael Anderson, President & CEO of 365 Technologies Inc.
“This goes to show that no company is safe from attacks. In 2019: ConnectWise, 2020: SolarWinds, and now Kaseya. It’s not a matter of ‘if’ but a matter of ‘when’. Businesses need to accept the fact that the threat landscape is changing, and combined with more and more business functions being reliant on technology, companies rapidly need to increase their effort in protecting their IT infrastructure,” said Ashu Singhal of Orion Networks.
Mitigating Ransomware Attacks
Much like the transmission of the coronavirus, when one MSP network is compromised, it can quickly spread like wildfire, deploying ransomware to hundreds or thousands of endpoints in a matter of minutes. Over a single weekend, hundreds or thousands of businesses and organizations can experience damage to their reputation and financial health.
“The most recent ransomware attack involving Kaseya, I believe, will eliminate a lot of the smaller managed service providers. It will ensure that all executives and C-level decision-makers that utilize an MSP take a hard look and question the security they have implemented,” said Matt Brown of NST.
Brown believes that every business should ensure their MSP implements the following seven critical practices:
1. Enforce Multi-Factor Authentication
If your MSP does not force MFA for all their users and yours, they are doing you and your own clients a disservice. MFA should be set up for access to as many applications and access as possible.
2. Secure Endpoints
All endpoints should be secured with next-generation anti-virus with EDR (Endpoint Detection and Response). This will help stop a security event should one get through the layers of protection.
3. Offsite Backup
Ransomware can and probably does have access to the MSP’s local backups. That is why you should always have an offsite backup to ensure your data is not just inside your four walls.
4. Patching, Patching, Patching
Every month I walk into a new prospect and ask them to show me their patching report from their MSP. Would you please make sure that your IT provider is sending you a patching report monthly? If it’s not being provided, then how do you know it’s getting done?
5. “Zero Trust” Network Access
Over time, reviewing network access becomes a beast of a chore. However, there are tools that can help check accessibility to ensure that user permissions have been implemented accordingly.
6. Educate Your Employees
I make sure I inform every one of my clients: you need to train your team. I’m talking about intern to CxO. Training your team to avoid and detect cyber threats is essential in mitigating ransomware attacks. We give it away to clients because it is that important.
7. Protect Yourself
Everyone should follow the NIST Cybersecurity Framework and complete an annual risk assessment. A risk assessment from a good MSSP will identify any gaps and help you mitigate any risks.
“For the past few years, security was always the number one topic at every meeting I attended. Now with the recent Kaseya event, the MSP’s security will be at the forefront. Ask your existing MSP how they protect your security by protecting theirs!” said Brown.
Organized criminal groups have been a major concern for businesses, organizations, and agencies across all industries. Organized criminals gravitate to hacking because it makes it easier to make as much money as possible.
“The Kaseya attack is the next in an ongoing focus of organized hacking, making up the 21st century organized crime, targeting MSP software providers. Why try breaking down the door to each business when they can get the keys to the service entrance?” said Mark Hicks of Mathe.
Hicks also stated the following:
“Part of the issue over the past few years has been a feature race, with most software and SaaS providers more focused on the next feature that will sell their software, combined with MSPs’ focus on more multiuse software tools, central dashboards, and optimizing their time. This has been escalated by the purchase of many software companies over the past few years by investment companies, angel investors, wealth management groups, and others who only look at it as an investment.”
“We have seen it time and time again. Just looking at the bottom line, typically their first step is to maximize their investment by cutting service levels and R&D to maximize profit and only focus on the sizzle and not the steak. Other competitors have to keep pushing sizzle also and match features detracting from resources that should be spent on security and hardening their solutions.”
Lack of Planning for Potential Cybercrime
Many victims will receive warnings of potential vulnerabilities, but they are still unprepared to recover because they lack the proper organization and planning to respond to the attacks.
Mark Hicks stated:
“The other challenge is that while there is organization, funding, and significant planning to these attacks, there is very little organization or coordination in the response. When we did white hat hacking exercises in college, it would take about 10 or more people to thwart one person trying to hack through a system, because you had to be reactionary, trying to anticipate what the hacker was doing and counteract their actions.”
“That was a number of years ago when programs were simpler and were developed by a handful of skilled programmers and not large teams including 3rd party contributors and subcontractors. With millions of lines of code, most systems have become too complex to manually monitor, review, and protect. Today, protection software, as well as software tools have to look at patterns, anomalies, and health monitoring.”
How Can the Cycle Be Broken?
“This continues to escalate. No one is safe. MSPs are caught in the middle also, with some being targeted directly and others getting caught in the crossfire as the tools they rely on get perverted into virus and malware conduits into their client base. With the drowning man syndrome, companies impacted will rope their IT providers into the lawsuits as well as the software makers.”
“Meanwhile, many are getting numb to the daily breaches, thinking that everyone will be breached at some point. Meanwhile, the dark web is getting bloated with all the stolen data from all of these breaches, giving the hacking community even more points of data from which to launch their next attack, and of course seeing how lucrative these actions can be in extorting their victims.”
When asked what he thought could be done to break the cycle or at least slow down the cybercrime crisis, Hicks said, “This cycle will only be broken or slowed down once the government and other countries agree that this is nothing more than organized crime on a global level and cooperatively agree to go after the perpetrating groups and anyone harboring these criminal organizations.”