Kaseya VSA Ransomware Attack, SolarWinds Hack Share Many Similarities
Kaseya is preparing its customers for the planned release of its patch for VSA on-premises.
Victim organizations’ experiences likely vary depending on how good their business continuity and disaster recovery planning is for themselves and their customers, said WatchGuard Technologies’ Corey Nachreiner.
“In either case, even the better-prepared ones will likely have a busy week,” he said. “In short, the MSPs really hit by this would return to computers in their own infrastructure with ransom messages. They wouldn’t be able to complete the tasks they use those devices for if the data involved with that work was encrypted. As they are dealing with and learning of their own device and data issues, they would also start to get calls from customers whose IT they manage who are finding themselves in the same situation.”
MSPs have to balance running their own investigation and remediation while also managing their customers, Nachreiner said.
“This is a security incident, which means most mature companies would want to run a formal investigation,” he said. “That starts with getting your legal counsel involved, gathering tons of evidence following the right practices and documenting everything. This is what you have to do before you even start recovering or you risk destroying evidence. So the MSP has to consider doing that for their own organization, but will also have customers in the same situation. In short, even if you are prepared for it, this is not a cakewalk. Some will be able to recover quicker than others, since they had the right plan in place beforehand. But even then, it can be time consuming.”
Kelvin Coleman is executive director of the National Cyber Security Alliance (NCSA). He said recovering from a security breach, whether it is a direct attack or one against an MSP, is always a painstaking process.
“For example, even if a breach is resolved quickly, the road to recovery is usually a longer-term project as impacted companies are forced to engage in in-depth audits of where organizational weaknesses exist and patch building,” he said. “Furthermore, organizations must engage in a long-term effort to help customers deal with both the current breach, but also any longstanding concerns that may develop among customers as to whether their data is safe with a given organization or not.”
Those companies and products that manage remote endpoint computers will be suspect, but not for long, said SecureAge’s Jerry Ray.
“Even Kaseya should be able to withstand the incident and any backlash, as it can point to its immediate efforts toward remediation and claims that it might have been much larger than it was had it not been for its vigilance,” he said. “Tragically, short memories of all cybersecurity events like this one come from frequency. And the next sizable attack will displace this one in the minds of most everyone, leaving even the name of Kaseya to be a familiar, yet not immediately recalled one when comparing it to future attacks.”
While there are several similarities between the SolarWinds and Kaseya hacks, primarily that they are both MSP ransomware breaches, one of the most noteworthy aspects of these breaches is which type of users were impacted, Coleman said.
“For example, SolarWinds resulted in breaches to critical infrastructure, whereas the Kaseya breach does not appear to have compromised any critical infrastructure,” he said. “With that said, however, the Kaseya breach should put companies of all sizes on notice to the fact that no matter how big or small they may be, they are still a target for cyber bad actors.”
When it comes to IT vendors and their clients protecting themselves from these cybercriminals, this is tricky, particularly in the case of Kaseya, Ray said.
“The primary function of the Kaseya VSA product is to allow dedicated MSPs to remotely support and monitor the computers of customers who typically either don’t have or don’t want internal staff to manage their IT infrastructure,” he said. “Clients of MSPs are, in effect, declaring that they do not have the expertise to manage their own systems and are, for a fee, placing their cybersecurity into the hands of those MSPs with greater expertise. All that leaves for the clients of the MSPs is to be skeptical and challenge the MSPs on both policies and tools.”
But the extent to which that might be effective likely will be limited to or manifest itself in guarantees, warranties or processes for claiming damages, Ray said.
“Given that, it’s far more realistic for the burden of defending against cyberattacks [to be on the] vendors,” he said. “They need to challenge their own products and services with greater tenacity, building security into applications, scanning code with third-party tools, engaging penetration testers, and anything else that could reasonably push the security limits of their offerings. Legalistically, it may come to greater liability being heaped upon product vendors, which may simply result in market exits for some vendors and a dwindling of security providers and tools. Again, it’s a very tricky issue.”
The full impact of the Kaseya attack should be known within weeks, Nachreiner said.
“Actually, the malware and payloads dropped are pretty well understood at this point, thanks to the MSP community sharing so many logs and samples that professionals have analyzed,” he said. “What is missing is the technical detail about the root cause; in other words, the technical detail of the Kaseya vulnerabilities used to break in and start the process. Some smart analysts suspect that the zero-day vulnerabilities could include arbitrary file uploads, command injection and some sort of authentication bypass. They have recreated enough to prove those flaws work.”
Moreover, a Dutch vulnerability research institute claims to have reported a Kaseya flaw believed to be related to this attack back in April, Nachreiner said.
“However, [the institute], Kaseya and some researchers are rightly not sharing all these technical vulnerability details yet, as we are waiting for the patch to protect customers,” he said. “I suspect some of the remaining details/mysteries will be explained once that patch is released.”
As far as impact or fallout on users, many will be reporting that now, Nachreiner said.
“There is some evidence that this attack hit all of its victims at the same time, a timer in the code that synchronized when the attackers dropped the ransomware,” he said. “While I guess some businesses may not have disclosed anything, I do think this has hit most of the victims it will.”
Given the dependency of the U.S. economy on IT systems and infrastructure, it may soon be time to create liability laws, oversight boards, certification bodies, or even inspection and testing bureaus for certain categories of IT vendors and products, Ray said.
“That’s not at all ideal, and the notion should not be a punitive one,” he said. “More than anything else, it should be an effort to raise the security standards of IT product and service vendors, especially since the complexity and scale of cybersecurity far exceeds the capacity of individual clients and users of IT products. Right now, everyone and everything is vulnerable while nobody is entirely culpable, including the attackers.”
Nachreiner provided the following tips to help organizations minimize risk:

- Concentrate on more modern antimalware technologies that can proactively catch new threats without waiting for signatures. Those that use machine learning (ML) or behavioral analysis techniques tend to catch new ransomware that signatures miss.
- Use endpoint detection and response (EDR) solutions. They have methods for catching malware that uses “living off the land” techniques. In this case, that type of solution might have protected your endpoints, but it would not have prevented the attacker from compromising your Kaseya VSA server, since that was a zero-day.
- Protection requires good policy. IT professionals need remote management tools, but access to those tools must be guarded with least-privilege principles. Have multifactor authentication (MFA) on every login, and if a product doesn’t support it, don’t use it.
- Don’t expose management interfaces to the entire internet. Use VPNs to limit access or, at the very least, a restrictive access control list.
Last weekend’s Kaseya VSA supply chain ransomware attack and last year’s giant SolarWinds hack share a number of similarities.
So says Jerry Ray, COO of SecureAge, and Corey Nachreiner, chief security officer of WatchGuard Technologies.
The Kaseya attack breached about 50 customers, including 35 MSPs, and penetrated or directly impacted up to 1,500 downstream businesses.
The attackers breached Kaseya VSA, the company’s remote monitoring and management (RMM) service. All of the MSPs were using the VSA on-premises product.
On Wednesday, Kaseya said it’s preparing its on-premises customers for the planned release of its patch for VSA on-premises. In addition, it should restore its VSA SaaS by Thursday evening.
Sinister Point of Compromise
Ray said the attacks on Kaseya and SolarWinds share the most “sinister point” of compromise. That’s the trust between a vendor and a client.
“As for the similarity between the two, it appears to be another supply-chain attack, wherein the attack on an upstream vendor’s product led to the compromise of downstream customers,” he said. “Key among the differences, however, is that the exploit of the Kaseya VSA product led to the injection of ransomware into the endpoints managed by Kaseya VSA on-premises users, while the SolarWinds attack led to data exfiltration.”
Kaseya claims the number of victims is relatively small when you compare it to SolarWinds, Ray said.
The size of the Kaseya VSA attack will be measured in either the ransom paid or the cost of data recovery and restoration, Ray said.
“The data exfiltrated and systems monitored through the SolarWinds attack could ultimately cost infinitely more,” he said. “The ultimate intention or use of the data may not be realized for months or years.”
Zero-Day Vulnerabilities
Nachreiner said both SolarWinds and Kaseya seem to involve zero-day vulnerabilities in a software package used for monitoring and management that is popular among IT professionals.
“That said, the Kaseya attack mainly targets MSPs, which wasn’t the case with SolarWinds,” he said. “There were many other MSP-targeted ransomware attacks in 2019. I believe this attack has more similarities with some of those past MSP ransomware attacks.”
Dave MacKinnon is N-able’s chief security officer.
“The adversarial pivot to supply-chain-based attacks for delivering ransomware underscores the role we all must play in helping to keep each other protected,” he said. “MSPs, in particular, provide a variety of services to help protect and secure their customers. But if a cybercriminal gets into one MSP system, they can easily find themselves holding the key to a kingdom of SMEs in one fell swoop.”
It’s key to keep in mind that this can happen to anyone, at any time, MacKinnon said.
“As technology vendors, we have to realize we’re all potential targets, and the risks are steep,” he said.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.