The software company Kaseya has become the latest high-profile victim of ransomware, as hackers have compromised its software code to launch attacks against hundreds – or even thousands – of organisations. Here’s what you need to know about the Kaseya ransomware attack.
Ransomware is one of the most pernicious threats facing organisations today. For some time now, hackers have identified ransomware as the quickest route to money when launching attacks – in 2020, the total amount paid by victims increased 336% to reach nearly $350 million.
The extortion economy is real, and it’s here to stay. But what’s especially troubling is that hackers are evolving their tactics to target larger groups of victims through supply chain compromise attacks. We saw this in last year’s SolarWinds hack, and we’re seeing it again now with the Kaseya ransomware attack.
In this blog we’ll provide an overview of the Kaseya ransomware attack, offer guidance on how to know if you’ve been impacted – and what to do if you have been, and suggest best practice measures to protect your organisation from a threat that isn’t going away.
Let’s get started.
Kaseya Ransomware Attack: What Happened?
On Friday 2nd July, Kaseya – a company that provides IT management software – announced that it had been compromised by a targeted cyber-attack. Although precise details of the attack are not yet known, cyber security experts believe the Russia-linked hacking group REvil launched the attack. Experts believe hackers used a SQL injection attack against the Kaseya web interface in order to gain initial access. What we do know for sure is that REvil has made a $70 million ransom demand for a ‘universal decryptor’ – possibly an attempt to get victims to pool together to pay this massive ransom.
Why did the hackers target Kaseya? Well, Kaseya provides software that is used by both end user organisations and managed service providers to manage networks, systems, and information technology infrastructures. By compromising Kaseya and placing malicious code masquerading as legitimate software updates, the hackers have been able to launch attacks that target not just Kaseya but also its clients and their clients, too.
So where are we now? Despite Kaseya CEO Fred Voccola telling the New York Times that fewer than 40 Kaseya clients were directly affected by the cyber-attack, thousands of organisations have been affected by the ransomware distributed through Kaseya’s software.
The Kaseya ransomware attack reflects two concerning trends in the cyber landscape:
- Ransomware groups are becoming increasingly well-funded, whether by nation states or through money raised through cybercrime. Many are now able to deploy sophisticated, nation state-style tactics to target victims.
- Supply chains are a key attack vector for these ransomware groups, who have identified that by targeting software vendors they can massively increase the scope – and profitability – of the cyber-attacks they launch.
Even if neither you nor your managed service provider uses Kaseya software, these are trends you should be addressing actively. But what if you or your managed service provider does use Kaseya? Let’s take a look at what you should do.
How Do I Know if I’ve Been Impacted? And What if I Have?
At Six Degrees we don’t use or support Kaseya products, but we appreciate that your organisation – or your managed service provider – may do. Our cyber security experts have put together the following mitigation advice if you think your organisation may be impacted by the Kaseya ransomware attack:
- The attack has been launched against Kaseya’s VSA software.
- If you are an on-premises Kaseya client, you should shut down all VSA servers to reduce the possibility of a compromise.
- Kaseya has reported that the source of the vulnerability has been identified and a patch is currently under development to mitigate the ongoing issues. Restoration is currently estimated by the end of day on Monday 5th July 2021 (UTC).
- In the meantime, Kaseya recommends that all on-premises VSA, SaaS and hosted VSA servers remain offline until it’s safe to resume operations.
- Run Kaseya’s compromise detection tool – which you can find here – to identify if there are any known indicators of compromise present on your network.
- When Kaseya has advised that it is safe to do so, start your VSA servers in isolation – not connected to the Internet.
- Apply Kaseya’s hot fix (yet to be released at the time of writing).
- Ensure you use multi-factor authentication on all admin accounts.
- Restrict monitoring access to known IPs.
- Restrict admin interface access behind firewalls.
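The compromise-detection step above is, at its core, a sweep of the VSA host for known indicators of compromise. The script below is an added example of that kind of sweep, written for this post; it is not Kaseya’s detection tool and not Six Degrees’ code. The IoC file names and the hash are constructed placeholders (the hash is simply the SHA-256 of a constructed byte string), because the real indicators belong in the vendor advisory; a real run would load those in place of the placeholder sets and point the scan at the VSA installation directories.

```python
"""Sweep a directory tree for files matching known indicators of compromise.

Added example for illustration only: not Kaseya's detection tool. The IoC
values are CONSTRUCTED placeholders; replace them with vendor-published ones.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed "malicious" content; its SHA-256 stands in for a published IoC hash.
SAMPLE_PAYLOAD = b"constructed-sample-payload-not-real-malware"
IOC_HASHES = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
# Constructed placeholder file names (a real list comes from the vendor advisory).
IOC_FILENAMES = {"placeholder-dropper.exe", "placeholder-agent.crt"}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_iocs(root, ioc_hashes=IOC_HASHES, ioc_filenames=IOC_FILENAMES):
    """Return a sorted list of (relative path, reason) for every matching file.

    A file can match by name (cheap, checked first) or by SHA-256 (so renamed
    copies still match). Files that cannot be read are reported, not skipped,
    because an unreadable file on a suspect host is itself worth a look.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            if name.lower() in ioc_filenames:
                findings.append((rel, "filename"))
            try:
                if sha256_of_file(path) in ioc_hashes:
                    findings.append((rel, "sha256"))
            except OSError as exc:
                findings.append((rel, f"unreadable: {exc.__class__.__name__}"))
    return sorted(findings)


def demo():
    """Build a constructed directory tree, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Matches by name only: the content is benign.
        (root / "bin" / "placeholder-dropper.exe").write_bytes(b"benign bytes")
        # Renamed copy of the payload: matches by hash only.
        (root / "bin" / "renamed-copy.dat").write_bytes(SAMPLE_PAYLOAD)
        # Matches on both name and hash.
        (root / "placeholder-agent.crt").write_bytes(SAMPLE_PAYLOAD)
        # Clean file: produces no finding.
        (root / "readme.txt").write_bytes(b"nothing to see here")
        return scan_for_iocs(root)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{reason:8s} {rel_path}")
```

Matching on hash as well as name is the important design choice: an attacker who renames a dropped file defeats a name-only check, while a renamed byte-identical copy still hashes to the same value. Run the sweep from the isolated server, before it is reconnected to the Internet, and treat any hit as a reason to keep it offline.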
The Kaseya ransomware attack is a developing situation that is moving at pace. If you need support following these steps, want to check that they are still best practice, or believe your organisation may have suffered a breach, contact your Six Degrees Account Manager or visit here.
We believe there are three key take-homes from the Kaseya ransomware attack: the importance of supply chain security, the need to apply zero trust-aligned principles, and the need to proactively detect and respond to events throughout your network. Let’s take a look at these one at a time.
Protect Your Organisation Through Supply Chain Security
The Kaseya ransomware attack was what is known as a supply chain compromise, as the hackers targeted their victims by first compromising a trusted supplier. This is a big deal for hackers: instead of having to trick individual targets into downloading malicious software, they can package their malicious code in otherwise legitimate software updates that they can simply leave the software provider to prompt its clients into downloading.
The challenge all organisations face is the fact that IT management software in theory has access to all assets on a network. It is essential therefore to understand the depth of this software and how it is used – including whether it is used internally or by external parties; who deployed and configured it; who manages it; and what other protective controls should be operational.
In order to mitigate the supply chain risks you face, you need to audit and monitor your organisation’s supply chain maturity. Supply chain attacks will become more commonplace as they continue to be a successful route to revenue for hackers. You therefore need assurance from your suppliers – especially those that have intimate access to your network – that they don’t pose a cyber security risk to you. Here’s how you can go about doing that.
How to Gain Supply Chain Assurance
Your organisation probably outsources a number of services that were traditionally carried out in-house. The supply chain that delivers these outsourced services is typically split into two tiers: tier one suppliers directly contracted by you, and the tier two suppliers that they themselves outsource to.
Right now, there’s a good chance that your tier one suppliers are assessed during the contract onboarding process and then forgotten. Not great, but probably better than the diligence placed around the tier two suppliers.
At Six Degrees, we recommend carrying out continual diligence around your supply chain in order to mitigate the risk of a supply chain compromise causing financial, operational and reputational damage to your organisation. By benchmarking your suppliers against key domains such as compliance and accreditation and technical compliance, you can establish the areas of security weakness within your supply chain that present the greatest threat to your organisation. You can then prioritise remediation activities to reduce this threat.
In incidents like the Kaseya ransomware attack, understanding how much access software has into your infrastructure is essential. It’s also important to establish whether your business continuity plan includes mitigation or contingency actions should an attack like this impact your organisation.
Our Aegis Cyber Security Maturity Assessment features a supply chain assurance module that enables you to do just this. To learn more about Aegis and how we tailor it to enhance your organisation’s cyber security maturity, book an appointment to speak to one of our experts.
Top Tip: our new Supply Chain Security infographic provides nine key questions you should ask to ensure you’ve protected your organisation and mitigated security risks in your supply chain. Download it for free.
Detect and Respond to Security Events
If you download malicious code as part of an otherwise legitimate software update in a supply chain attack, how can you detect the compromise and respond to it quickly in order to minimise its impact? There are two methods your organisation can employ that will reduce your attack surface and enable you to minimise the impact of a cyber-attack.
Apply Zero Trust Principles to Your Organisation
Zero trust is at best the future of cyber security and at worst an annoying buzzword that professionals throw around to sound smart. However, even though its interpretation can depend on who you speak to, its principles are sound. But what exactly is it?
With most organisations in 2021 having to deal with remote users, overlapping multi-cloud environments and Internet of Things devices, security focus is moving away from network perimeters and towards protecting assets individually. Zero trust shifts focus from where you are (on the network or at the perimeter) to who you are (your identity or device), challenging and authenticating every action you take.
Zero trust nirvana is a long way off for most organisations, but the journey to zero trust is one we believe organisations should take. Adhering to best practice zero trust-aligned security principles such as using multi-factor authentication and applying policy-based access to applications will reduce hackers’ ability to expand cyber-attacks throughout your network.
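To make “challenging and authenticating every action” concrete, here is an added example of a small policy-based access check, written for this post and not taken from Six Degrees or any vendor product. It encodes the three controls recommended earlier in the post (MFA on admin actions, admin access only from known IP ranges, and a compliant device for anything at all) as an explicit decision for each request; the action names and network ranges are constructed for the demo.

```python
"""Per-request access decision in the zero trust style.

Added example for illustration only. The policy values (which actions count
as admin, which networks are known) are CONSTRUCTED for the demo.
"""
import ipaddress
from dataclasses import dataclass

# Constructed policy: these actions are treated as administrative ...
ADMIN_ACTIONS = {"configure_agent", "push_script", "change_credentials"}
# ... and are only accepted from these known management networks.
KNOWN_ADMIN_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")
]


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    source_ip: str
    mfa_verified: bool      # has this session completed MFA?
    device_compliant: bool  # does the device meet the endpoint policy?


def evaluate(req: Request):
    """Return (decision, reason); decision is 'deny', 'step_up' or 'allow'.

    Every request is judged on its own merits: being 'inside' the network
    earns nothing. Hard denials come before the MFA prompt so a request that
    will be refused anyway is never asked to step up.
    """
    try:
        src = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return "deny", "unparseable source address"
    if not req.device_compliant:
        return "deny", "device not compliant"
    if req.action in ADMIN_ACTIONS and not any(src in n for n in KNOWN_ADMIN_NETWORKS):
        return "deny", "admin action from unknown network"
    if not req.mfa_verified:
        return "step_up", "MFA required before this action"
    return "allow", "policy satisfied"


if __name__ == "__main__":
    # Constructed sample requests showing each branch of the policy.
    samples = [
        Request("ops", "push_script", "10.20.5.7", True, True),
        Request("ops", "push_script", "10.20.5.7", False, True),
        Request("ops", "push_script", "203.0.113.9", True, True),
        Request("ops", "view_dashboard", "203.0.113.9", True, False),
    ]
    for r in samples:
        print(r.action, r.source_ip, "->", evaluate(r))
```

The point of the ordering is that identity and device posture are checked on every action, not once at the network edge: a session that already holds valid credentials still cannot push a script from an unknown address, and a compromised-but-authenticated device is refused as soon as its compliance state changes.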
If you’ve heard the term zero trust bandied about and want to understand how it can relate to your organisation, get in touch. In the meantime, though, here’s how Managed Detection and Response complements zero trust to protect your organisation from cyber-attack.
Introducing Managed Detection and Response
It’s an unfortunate reality that even the most secure organisations are still vulnerable to zero-day vulnerabilities. However, zero-day vulnerabilities are far less damaging if your organisation is able to identify and address the threat sooner. Moving forward, how can your organisation achieve this? Well, that’s where managed endpoint security comes in.
Endpoint security is an approach to cyber security that follows zero trust principles to focus on end user devices — or endpoints. However, the goal isn’t to protect each individual endpoint — desktop, laptop, virtual environment etc. — but the system as a whole. This is done by managing the flow of information between the network and device, centralising security and control while decentralising risk.
Microsoft Defender for Endpoint is an endpoint security system that is able to automatically isolate active threats, minimise risk exposure, and provide advanced attack detection and response capabilities. When configured and managed correctly, this delivers a preventative security system and real-time defence that enables security analysts to prioritise threat alerts, view the full scope of any breaches and act immediately to rectify identified threats.
Put simply, if hackers gain access to your network, Microsoft Defender for Endpoint will generate alerts that identify the suspicious activity. Which is great. But who’s going to manage and act on the alerts the endpoint security system generates? The best security tools can only quarantine an issue and alert you to a problem. It’s then your responsibility to act upon the intelligence you’ve received to eliminate and remediate that threat.
Our Managed Detection and Response service handles this for you. Managed Detection and Response is a fully-managed endpoint protection service that keeps your organisation safe 24×7. Our experienced cyber security experts harness the power of Microsoft’s industry-leading Defender for Endpoint security solution to deliver:
- 24×7 real-time alert management, detection and rapid response
- Comprehensive protection throughout your infrastructure – right down to the endpoint
- Trended reporting to quantify the risks that have been contained
- Bespoke deployment, configuration and management to maximise your protection
- Industry-specific expertise that elevates your cyber security to the next level
By implementing Managed Detection and Response, you can reduce hackers’ ability to expand cyber-attacks across your infrastructure and minimise the risk of data breach resulting in financial, operational and reputational damage. You can learn more about Managed Detection and Response and book a demo here.
Reduce the Risk to Your Organisation
The Kaseya ransomware attack has opened up a real Pandora’s box of cyber security implications, and these touch on some pretty fundamental aspects of your organisation’s operational approach. In this blog we’ve explained the importance of supply chain security, applying zero trust-aligned principles and implementing detection and response capabilities to minimise the cyber risk your organisation faces.
At Six Degrees we have the expertise and the experience to deliver tailored solutions that will enhance your organisation’s cyber security posture. But before we start, we always want to understand your organisation and where you are on your own cyber security journey.
Our Aegis Cyber Security Maturity Assessment will compile a detailed evaluation of your organisation’s cyber security readiness and your ability to address weaknesses, highlighting potential security gaps and making recommendations to reduce vulnerabilities. To learn more about the Aegis Cyber Security Maturity Assessment, or to book your assessment, contact your Account Manager or visit here.