There has been a lot of news and some speculation about the ransomware attack on the Kaseya VSA software.
Here’s what’s happened so far.
Cybercriminals exploited several vulnerabilities in Kaseya’s VSA on-premises product to push ransomware to the computers and servers managed by VSA. IT departments and MSPs use the VSA software for remote monitoring and management, so it already has privileged access to every managed endpoint. By targeting the VSA software, the criminals were able to infect some of the systems of Kaseya customers and, through its MSP customers, some of Kaseya’s customers’ customers as well.
The attack took place on Friday, July 2. Kaseya shut down the VSA SaaS infrastructure and recommended that all on-premises VSA customers shut down their servers until a verified patch could be produced and distributed. Kaseya began working with partners to resolve the issues as part of its response plan. The company has run into problems updating both the SaaS and on-premises software, delaying the fixes thus far.
In all, Kaseya says about 50 of its direct customers were compromised, about 40 of them MSPs, and fewer than 1,500 companies worldwide were compromised in total. Some researchers say the impact is greater. One example of third-party impact was a grocery store chain in Sweden that had to close because the attack shut down its cash registers.
As of this writing, it is unknown if Kaseya will pay the $70 million ransom demand. Kaseya VSA customers are also receiving ransom demands.
Supply-chain attack trend
While most ransomware is a crime of opportunity that exploits a vulnerability within a single IT system, ransomware that targets the IT supply chain is specific, strategic, and well-researched. To pull off this attack, cybercriminals studied Kaseya software and leveraged it to conduct a widespread, coordinated attack on Kaseya’s customers.
This supply-chain attack is similar to the SolarWinds attack: both targeted companies that provide technology management software for IT departments and MSPs. Using the supply chain enables attackers to maximize the reach of their malware and, therefore, maximize their results. For ransomware, this means more potential payouts from more victims. The difference is in the payload: the SolarWinds attack gave the intruders remote control of victim systems, while the Kaseya attack delivered ransomware.
Leapfrog believes the SolarWinds and Kaseya attacks point to a disturbing trend in which hackers seek to magnify the impact of zero-day vulnerabilities by going after all kinds of supply chains.
Other possible trends
Another trend we see is the desire of the attackers not to go overboard with their demands. The Colonial Pipeline $5 million ransom demand could’ve been higher (the company was also able to retrieve part of the paid ransom) and the Kaseya ransom demand can be met with a single payout of $70 million instead of what might add up to billions of dollars if the attackers ransom every affected company.
REvil, the group that’s claimed responsibility for the Kaseya attack, is the same group that hit meatpacker JBS with an $11 million ransom demand in June. The criminal hacking group DarkSide claimed to have attacked Colonial Pipeline in May. Both REvil and DarkSide are based in Russia and it’s believed Russia’s Foreign Intelligence Service, or SVR, is responsible for the SolarWinds attack.
However, at this time, there’s no clear line from REvil or DarkSide to the SVR. So while hackers in Russia are attacking the U.S., this does not indicate a nation-state cybercrime trend as some news reports have hinted.
Leapfrog uses Kaseya software but was not directly impacted
Leapfrog uses Kaseya VSA on-premises software but Leapfrog’s system wasn’t hacked and none of our clients were impacted by the malware through Leapfrog. Leapfrog is leaving Kaseya services offline until Kaseya is finished with its review and provides the runbook we’ll use to harden the systems. The effect on our customers includes delays in patching and the lack of visibility into operating systems while the services are offline (infrastructure monitoring has remained active throughout the event).
The single Leapfrog client that was a victim of the attack was hit through one specific system that is managed by another IT provider. This vendor couldn’t adequately assist all of its customers, leaving our client unable to do business heading into the Independence Day weekend. Leapfrog stepped in on Friday afternoon and worked through the night to have production ready by Saturday morning.
What you can do to protect your company from similar attacks
- Protect against ransomware:
  - Make your backups ransomware-resistant
  - Segment your IT environment
  - Update and test your Incident Response Plan (IRP)
  - Use MFA
  - Train your employees
  - Add Endpoint Detection and Response (EDR) technology
  - For more, see Is Your Organization Ransomware-Ready?
- Protect against third-party risk:
  - Assess your current cybersecurity risk
  - Look at your third-party exposure
  - Take immediate corrective action on any vulnerabilities you find
  - Work together with your vendors to make improvements
  - For more, see Third-party Vendors Risk: 6 Steps To Protect Your Business
- Create systemic security improvements:
  - Take an inventory of all of your applications and vendors
  - Look at everything and everyone connected to your network
  - Gain visibility into your systems and monitor them continuously
  - Look for vulnerabilities so you can manage them
  - Work on moving up the IT Security Scale
  - For more, see The 2 Most Important Actions To Take After The SolarWinds Hack
- Take steps to ensure you can get cyber insurance:
  - Take more responsibility for protecting your environment
  - Keep your systems up to date
  - Use tightly scoped, least-privilege access controls and permissions
  - Implement the latest security controls
  - For more, see How To Qualify for Cyber Insurance As Claims Skyrocket
Cybersecurity in the age of supply-chain attacks
Third-party risk management and having multiple layers of security are more critical than ever — and it’s going to stay that way. As a company, you can be doing everything right but if one of your vendors is not, you can still be at risk. Talk with your IT security experts about your current vulnerabilities. Dive deep and look at everything if you haven’t already. Move up the IT security scale as quickly as you reasonably can and insure what you can’t fully protect.
You may never know about the attacks your company avoided by hardening your systems but staying up and running is a worthy reward.