Lessons to learn from the Kaseya cyberincident to protect your business’ data when doing business with an MSP.
Managed service providers (MSPs) play a critical role in the IT ecosystem. By outsourcing many of their day-to-day IT requirements to these companies, smaller organizations in particular can save costs, improve service levels and focus more resources on growing the business. In theory, they can also reduce security risk by handing over to a more capable and well-resourced provider. However, as the ransomware campaign impacting Kaseya customers has illustrated, MSPs can also be a source of cyber-risk.
Amidst today’s volatile threat landscape, these risks are constantly evolving. That puts more pressure on organizations to ensure they’re asking the right due diligence questions of prospective providers before signing contracts.
Kaseya is an IT management software provider whose main clients are MSPs. Its VSA product delivers automated software patching, remote monitoring and other capabilities so that these companies can seamlessly manage their customers’ IT infrastructure. In a similar way to SolarWinds Orion, the product requires highly privileged access to customer environments to operate. This makes it a perfect choice for attackers looking for an effective, high ROI threat vector.
That’s exactly what happened on July 2. As outlined on the vendor’s service update page, threat actors used the platform to compromise scores of MSPs and fire a fake update to their customers, containing REvil/Sodinokibi ransomware. Around 50-60 MSPs were affected, and in the region of 1,500 downstream customers. How did they do this? It’s now been reported that the threat actors exploited between one and three zero-day vulnerabilities in the on-premises Kaseya VSA product, beating the vendor’s own security team, which was working on patches for the bugs at the same time. These are:
This enabled them to bypass authentication in the web interface of MSPs’ on-premises Kaseya VSA. They then used the session to upload their payload and execute commands via SQL injection. At the time of writing, a patch was finally being rolled out to on-premises customers, while most SaaS MSPs are already back online.
This isn’t the first time Kaseya has been targeted by ransomware groups. In 2019, threat actors exploited a vulnerable plugin for Kaseya VSA which enabled them to compromise a single MSP customer. With administrator-level access to the software, they were able to execute ransomware on every customer system it was managing—leading to between 1,500 and 2,000 customers becoming infected with the GandCrab ransomware variant.
Although GandCrab has been linked to REvil, there’s no suggestion that these attacks were perpetrated by the same group. But in any case, the cybercrime underground does a far better job of sharing intelligence and tooling than the infosec community. That means if attacks have been proven to work in the past, they will usually be repeated in the future. This is bad news for MSPs and their customers, as there’s a mounting body of historic evidence that shows campaigns against MSPs can be highly successful.
Some of the highest profile attacks in the past have been the work of state-backed operatives. These include Operation Cloud Hopper, an audacious multi-year scheme attributed to APT10 that impacted “an unprecedented web of global victims.” The difference today is that it is now financially motivated cyber-criminals who are targeting MSPs. According to one recent report, 73 percent of MSPs reported at least one security incident over the past year and 60 percent of these were ransomware-related.
Cybercrime is big business today. And it makes total business sense to spend time researching and targeting a single organization that can provide access to potentially thousands more, than to target those downstream customers individually. After all, MSPs have client data and privileged access to these organizations. According to some estimates there could be as many as 20,000 such MSPs serving multiple customers in North America alone today. And not all of them are as secure as they should be. That’s a significant target for threat actors to aim at.
Market dynamics should mean that MSPs that consistently fail their customers on security eventually give way to those with a stronger cyber-risk management posture. There’s no shortage of tools on the market to help these providers differentiate on security. However, this only works if customers are well-informed enough to vote with their feet.
To that end, here are some basic due diligence checks and questions to consider before choosing your next MSP:
Due diligence checks like this won’t insulate your organization 100 percent from a security incident involving an MSP. But they will help to reduce the risk of one. And today, that’s about as good as you can do.
What is ESET’s answer to the situation? We are currently evaluating third party products outside our ESET endpoint protection. Currently looking at ThreatLocker. How does ESET plan to mitigate and fight future threats like this before they are executed across the entire organization?
Hi Garrett,
Thank you for your query. Below is a response from ESET’s product team.
Regards,
Tomas Foltyn, WLS Editor
“Supply-chain attacks are very hard to mitigate against, because the malicious software component is delivered from an initially trusted source and usually is digitally signed with a trusted certificate and so bypasses most of the security stack, including Application Whitelisting. Imagine a real-world situation where your company has dozens of different suppliers and one of them has been breached to deliver something malicious (e.g., poison through a drinking water supplier). The implementation of countermeasures for all the suppliers against anything that can be malicious would require very expensive controls of each delivery and would be too expensive to be put in place. A similar situation occurs with software supply-chain attacks – perfect mitigation would just be too expensive.
If an attack is delivered through a software update, then delaying the updates in the organization could help. However, attackers can still bypass the standard software updates and the trojan horse can stay undetected for a while before the attack is performed.
The best solution against software supply-chain attacks is to use runtime and behavioral security. Such security should be a combination of prevention (like ESET’s Ransomware Shield, Advanced Memory Scanner, Exploit Blocker, Script Execution and AMSI Monitoring) and detection (through Endpoint Detection and Response). Behavioral prevention can help to mitigate the attack at the early stage of the attack while behavioral detection will quickly identify an ongoing attack that is spreading across the network. However, if the attack is performed through software that is closely integrated with the operating system (through drivers), then a behavioral detection solution can be half-blind.
One important security aspect involves isolating resources so that an attack via, for example, accounting software would not affect the rest of the organization. However, in Kaseya’s case such isolation would not have helped much if the product has access to the whole company network.
Even if the Zero Trust concept is gaining traction, some level of trust is mandatory and suppliers should do everything to ensure that their clients will not get attacked if the suppliers suffer a security breach. ESET is investing a lot into internal security to accomplish this.”