This past 4th of July holiday weekend, a supply-chain ransomware attack successfully infected Kaseya VSA software, which is used by many managed service providers (MSPs), and in turn spread across Kaseya’s customers. It was first thought that Kaseya themselves had been compromised, similar to the SolarWinds attack; however, it turned out to be Kaseya’s VSA software. This affected around 1,500 downstream customers serviced by 60 MSPs. The REvil group claims they infected over 1 million systems in total.
Kaseya customers using the on-premise VSA server were affected by the attack. The VSA server is used to manage large fleets of computers and is normally used by MSPs to manage all their clients. When the VSA server is compromised, all client environments managed from that server can be compromised too. In this case, the VSA servers were exposed to the internet and were hit by a zero-day attack. All of the computers managed by the server were affected, which is also why this particular attack was so widespread.
Supply-chain attacks are becoming a more common and highly damaging method of attack for criminal activity. These attacks give the attackers the ability to infect many companies at one time and cause widespread damage.
In 2020, the SolarWinds incident occurred, affecting more than 30,000 public and private organizations around the world. The ransomware was disguised as an update from SolarWinds; the Orion product deployed SolarWinds-signed malware that allowed attackers to impersonate users and access files and processes on SolarWinds Orion machines.
This is turning into a never-ending cycle. As the attackers succeed in getting paid the ransom, it provides them more money and resources for additional ransomware attacks. These attacks are just getting bigger and bigger. Ransomware has been around for a long time; however, it is only now getting a high profile because it is affecting daily life such as gas prices, meat supply, hospitals and more.
These continued attacks are a constant reminder that we need to be more vigilant and proactive when it comes to securing our environments as well as looking closely at third party vendors and their processes. I’m not sure how we get there, because this means we have to look not only at our vendors but their supply chains as well.
Every company, no matter the size, should be following the basic security protocols for them and others to stay safe.
Here are my two cents on the basics:
Use multi-factor authentication everywhere possible. Even small companies can take advantage of this, as pretty much every app offers 2-factor at a minimum. This does not stop all attacks; however, it will slow attackers down to a crawl. Also, use a single sign-on provider such as Okta or OneLogin. Multi-factor should also be deployed internally for all of your applications. Airgap Networks can help with this and easily implement MFA for all applications, legacy or cloud (including Active Directory).
Zero trust. It is difficult to implement true zero trust networks, however using Airgap Networks zero trust isolation platform is a great start. We can ringfence each device on your network to contain ransomware to one device and prevent it from spreading.
Audit and log all of your service, admin and user accounts. Regularly review the privileges and access of each account and confirm whether it should still be active.
Red Teaming. Instead of pen testing your environment both externally and internally annually/quarterly, do it on a regular or constant basis. Tools like Horizon3.ai are a good start.
Follow the frameworks. NIST, CIS, COBIT, ISO take your pick and follow best practices to check all the boxes. It is a long journey, but one well worth starting.
Inventory all your devices and know what they are doing. You need to know what is on your network so you can protect it. This means not only laptops and servers, but also all IoT such as TVs, IP phones, cameras, etc. You also need to monitor what these devices are doing within your network.
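The account-audit item above (audit and log every service, admin and user account, and review privileges and MFA regularly) is the kind of check that is easy to script once you have an export from your identity provider. The following is an added example written for this post; it is not Airgap Networks' code and does not use any vendor API. The CSV column names and the sample export are assumptions constructed for the example; map them onto whatever your directory or SSO provider actually exports.

```python
"""Flag risky accounts in an exported account list (added example, not vendor code).

Assumed input: a CSV export with the columns
    username,type,enabled,privileged,mfa_enrolled,last_login
where type is user/admin/service, booleans are true/false and last_login is
YYYY-MM-DD or empty. These column names are an assumption for this example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export for the example; not real accounts.
SAMPLE_EXPORT = """\
username,type,enabled,privileged,mfa_enrolled,last_login
alice,user,true,true,true,2021-07-05
bob,user,true,false,false,2021-01-02
svc-backup,service,true,true,false,2021-07-01
carol,admin,true,true,false,2021-07-03
dave,user,false,true,true,2020-11-20
eve,user,true,false,true,
"""

# Accounts with no sign-in for this long are treated as stale.
STALE_AFTER = timedelta(days=90)


def _flag(value):
    return value.strip().lower() == "true"


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = _flag(row["enabled"])
        row["privileged"] = _flag(row["privileged"])
        row["mfa_enrolled"] = _flag(row["mfa_enrolled"])
        raw = row["last_login"].strip()
        row["last_login"] = (
            datetime.strptime(raw, "%Y-%m-%d").replace(tzinfo=timezone.utc)
            if raw else None
        )
        rows.append(row)
    return rows


def audit_accounts(rows, now):
    """Return {username: [issue, ...]} for accounts that need review."""
    findings = {}
    for r in rows:
        issues = []
        # MFA everywhere: interactive accounts (user/admin) must be enrolled.
        if r["enabled"] and r["type"] != "service" and not r["mfa_enrolled"]:
            issues.append(
                "no MFA enrolled on privileged account"
                if r["privileged"] else "no MFA enrolled"
            )
        # Service accounts rarely need admin rights; confirm each one.
        if r["type"] == "service" and r["privileged"]:
            issues.append("privileged service account; confirm it needs admin rights")
        # Enabled accounts nobody uses are the ones that get forgotten.
        if r["enabled"]:
            if r["last_login"] is None:
                issues.append("enabled but has never logged in")
            elif now - r["last_login"] > STALE_AFTER:
                issues.append(f"enabled but no login in over {STALE_AFTER.days} days")
        # Disabling an account is not the same as removing its privileges.
        if not r["enabled"] and r["privileged"]:
            issues.append("disabled account still holds privileges; strip them")
        if issues:
            findings[r["username"]] = issues
    return findings


if __name__ == "__main__":
    # Fixed reference date so the sample output is reproducible.
    reference = datetime(2021, 7, 6, tzinfo=timezone.utc)
    for user, issues in audit_accounts(parse_export(SAMPLE_EXPORT), reference).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run it against a real export on a schedule and diff the findings against the previous run; a new privileged account or a newly stale admin account showing up between runs is exactly the change you want a human to look at.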