Kaseya Supply Chain Attack Affects Hundreds of Organizations
On Friday, July 2, ransomware operators exploited a vulnerability in Kaseya’s update mechanism to push REvil ransomware out to the IT services company’s customers. Kaseya develops software for Managed Service Providers (MSPs), which means the attackers’ reach could extend to hundreds if not thousands of organizations. The Coop supermarket chain in Sweden closed hundreds of stores for two days because its point-of-sale systems were affected. The attackers appear to be demanding a ransom of $70 million. Kaseya says it may begin restoring SaaS on Tuesday afternoon, July 6.
Ransomware actors have been hitting MSPs for a while now. The advantage of attacking MSPs is that they provide trusted access to multiple organizations and a bigger "bang for the buck." Now REvil did "take it up a notch" by simultaneously exploiting software used by MSPs. The entire scope of this attack will probably take a few more days to become clear, and this will be a bad return to work from a long holiday weekend for many. If you are not affected by this attack: Take half a day this week to brainstorm how similar scenarios could affect your network: Which trusted suppliers have access to your network, and what software are you using to manage your network? How are you ensuring the integrity of this software after updates? And please: Do not exempt this software from anti-malware scans. Sometimes it is better to let the software break vs. having the software break you.
Your MSP has potentially sensitive access to your IT and is using their preferred tools to support your business. When you set up that access, you probably verified the security of the tools used and the scope of permissions granted to their accounts. Are you monitoring for a change in scope? Could you detect their tool going bad? Have you walked down what would happen if you turned that off? Kaseya advises on-premise VSA users to turn systems off until a patch can be deployed. The patch is planned for release 24 hours after the SaaS service is restored. The flaws exploited appear to be zero-day vulnerabilities rather than a supply chain attack.
This is a worrying change in tactics for those behind ransomware attacks as they move from phishing emails to ways to infiltrate the supply chain for many vendors. It is a reminder that, given the modern business reliance on third-party vendors and their downstream suppliers, we need to move beyond simple checklist exercises for managing third-party risk. Any vendors who deploy tools or systems into our environments need to be assessed with additional scrutiny and appropriate controls. This applies in particular to any software that requires excessive permissions, administrator access, or exclusion from anti-virus software, as is the case with Kaseya.
Kaseya has a relatively small market share in the client management market, but (like system management and SolarWinds) attackers are targeting product areas where one compromise not only gives them deep access but gives that same access across many targets. Larger competitors to Kaseya VSA include BMC, CA, IBM BigFix and ManageEngine. If you are using them, use this as a spur to make sure you'd quickly notice if they went bad and to test resiliency plans if you had to shut them off in the event of compromise.
With cyber criminals becoming so brazen, I wonder if/when they will begin to not only attack and ransom large corporations, but start ransoming entire countries, especially countries that don't have the resources to retaliate.
Caveat emptor! However, the buyer will rarely have sufficient visibility into the supply chain to adequately resist such attacks. The deeper down in the chain the supplier, the greater the potential damage. We must hold suppliers accountable for what they distribute or the services that they offer. Such accountability will include timely remedies but also consequential damages.
William Hugh Murray
Read more in
Threatpost: Kaseya Attack Fallout: CISA, FBI Offer Guidance
Bleeping Computer: CISA, FBI share guidance for victims of Kaseya ransomware attack