On July 2nd, 2021, network software provider Kaseya announced its infrastructure was compromised, and asked a number of its clients to immediately shut down their networks. The REvil ransomware gang had struck again, claiming to have shut down more than 1 million systems, and was demanding a $70 million ransom.
More than 800 grocery stores across Sweden shut down for over a week in the aftermath, some of them located in villages with no other food shops. As many as 1,500 businesses were affected, illustrating the vulnerability of increasingly interconnected IT infrastructure.
Most of the companies affected were managed service providers (MSPs) who act as brokers for Kaseya’s services. Around 60 MSPs were affected, while the rest of the businesses affected were downstream clients of these MSPs.
So what happened, and how can MSPs protect themselves and their clients against events like these?
The Kaseya attack
The Kaseya attack was carried out by the REvil gang, which is actually a “ransomware-as-a-service” software business. In other words, affiliates of REvil handle breaking into networks, while the REvil software evades antivirus software, encrypts files, and demands a ransom. The REvil gang and the affiliate then split the profits if they can force the victim to pay.
The Kaseya attackers exploited a zero-day vulnerability, meaning the attack was carried out entirely through a software flaw, with no element of brute force or phishing, which is a relative rarity for ransomware attacks. The vulnerability was in Kaseya’s Virtual System Administrator (VSA), a popular remote management tool used by Kaseya clients as part of their IT infrastructure.
Kaseya has more than 35,000 MSPs that use its software, but only around 60 were fully penetrated by the attack.
Lessons for MSPs
Even though it’s not technically the “fault” of the MSPs whose clients were affected, an attack like this can still damage reputation and client trust. There is, in fact, a lot that MSPs can do to mitigate, if not prevent, the danger of an attack like the Kaseya hack.
Limit client-side access
If you’ve had much contact with cybersecurity, you’re probably familiar with the need to implement the principle of least privilege. This can greatly reduce the number of potential attack vectors within a network. It’s easy to overlook this principle when integrating software solutions into a client's network, however.
Limiting the access of MSP-provided software to the bare minimum can significantly reduce the risk of adverse effects for clients in the event of a Kaseya-style attack.
Verify vulnerability management
MSPs should make sure that the service providers they work with have a robust vulnerability management program in place. In the case of Kaseya, this might not have helped, because Kaseya’s team was in the process of patching the vulnerabilities when the attack occurred. Still, it's a good thing to keep in mind when choosing a VSA.
Don’t connect to vulnerable ports
The security controls already in place at the MSPs affected by the Kaseya attack should have been able to detect and stop the attackers once they were inside the system, but they didn’t. Because Kaseya’s software was trusted, there was no monitoring in place on the ports used by Kaseya’s VSA. Even trusted third-party software should not be granted unrestricted, unmonitored access to sensitive ports.
Secure against lateral movement
It’s important to segment operations to prevent attackers from spreading through a network. Many MSPs have relatively flat networks, which is convenient, but also means that attackers have a much easier time moving between servers and affecting all of an MSP’s clients.
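The two previous points, monitoring the ports a trusted management tool uses and segmenting the network so that one compromised segment cannot reach every client, can be checked against ordinary firewall flow logs. The following is an added example written for this article, not code from Kaseya or from any MSP: it defines constructed network segments and an allowlist of expected cross-segment flows, then flags (a) connections to the management port that do not originate from the management segment and (b) any other cross-segment traffic that the allowlist does not expect. The segment names, CIDR ranges, log line format and sample log lines are all constructed, and the management port number is an assumed placeholder, not a value taken from the article.

```python
"""Flag unmonitored management-port traffic and unexpected cross-segment flows.

Added example, not part of the article. Segments, CIDRs, the log format and the
sample lines below are constructed; MGMT_PORT is an assumed placeholder.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed placeholder: the TCP port the remote-management agents talk to.
MGMT_PORT = 5721

# Constructed segments. In a flat network every host would fall into one segment
# and the cross-segment rule below would never fire, which is exactly the problem.
SEGMENTS = {
    "mgmt": ipaddress.ip_network("10.10.0.0/24"),      # RMM / VSA servers
    "client-a": ipaddress.ip_network("10.20.0.0/24"),  # one client's estate
    "client-b": ipaddress.ip_network("10.30.0.0/24"),  # another client's estate
    "corp": ipaddress.ip_network("10.40.0.0/24"),      # MSP staff workstations
}

# Constructed policy: the only cross-segment flows that are expected.
# Anything else between segments is a candidate for lateral movement.
ALLOWED_FLOWS = {
    ("mgmt", "client-a", MGMT_PORT),
    ("mgmt", "client-b", MGMT_PORT),
    ("corp", "mgmt", 443),
}

# Constructed key=value firewall log format.
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def segment_of(ip: str) -> str:
    """Map an address to its segment name; anything outside the plan is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(ts: str, src: str, dst: str, dport: int) -> list:
    """Apply both rules to one allowed flow; at most one finding per flow."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    # Rule 1: the management port should only be reached from the mgmt segment.
    if dport == MGMT_PORT and src_seg != "mgmt":
        return [Finding(ts, src, dst, dport,
                        "management port reached from outside mgmt segment")]
    # Rule 2: any other cross-segment flow must be explicitly allowlisted.
    if src_seg != dst_seg and (src_seg, dst_seg, dport) not in ALLOWED_FLOWS:
        return [Finding(ts, src, dst, dport,
                        f"unexpected cross-segment flow {src_seg}->{dst_seg}")]
    return []


def analyse(lines) -> list:
    """Run the rules over allowed flows only; denied traffic was already stopped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "allow":
            continue
        findings.extend(check_flow(m["ts"], m["src"], m["dst"], int(m["dport"])))
    return findings


# Constructed sample log: two expected flows, one lateral-movement flow, one
# same-segment flow, two suspicious management-port flows, one denied flow.
SAMPLE_LOG = [
    "2021-07-02T14:03:11Z src=10.10.0.5 dst=10.20.0.7 dport=5721 proto=tcp action=allow",
    "2021-07-02T14:03:12Z src=10.40.0.21 dst=10.10.0.5 dport=443 proto=tcp action=allow",
    "2021-07-02T14:04:02Z src=10.20.0.7 dst=10.30.0.9 dport=445 proto=tcp action=allow",
    "2021-07-02T14:04:03Z src=10.20.0.7 dst=10.20.0.12 dport=445 proto=tcp action=allow",
    "2021-07-02T14:05:40Z src=10.20.0.7 dst=10.10.0.5 dport=5721 proto=tcp action=allow",
    "2021-07-02T14:05:41Z src=10.30.0.9 dst=10.20.0.7 dport=3389 proto=tcp action=deny",
    "2021-07-02T14:06:10Z src=203.0.113.9 dst=10.30.0.9 dport=5721 proto=tcp action=allow",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The rules are deliberately allowlist-based: in a segmented network the set of legitimate cross-segment flows is small and knowable, so everything outside it is worth a look, whereas a blocklist of "bad" ports would have missed traffic on a trusted tool's own port, which is what the article describes.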
Lessons for end users
The Kaseya attack also presents a real conundrum for software end users. How can we prevent attacks that enter our own systems via third party software? One of the most important steps is properly vetting MSPs before signing a contract.
It’s also worth it for users to look into the cyber security practices of MSPs they’re already working with. A few questions to ask:
- What does their vulnerability management program look like?
- What’s the reputation of their software partners like, and what quality assurance procedures do they have with their partners?
- Does the MSP software need all of the privileges that it has?
- Do they implement multi-factor authentication, daily backups, application whitelisting, patching and hardening, restriction of administrative privileges, OS patching, and hardened Office macro settings?
- Do they implement next-generation anti-malware measures across all servers, endpoints, networks, and other systems?
- Do they implement network segmentation and the principle of least privilege?
- Do they have strong phishing awareness training programs for employees?
- Do they conduct regular security audits and pentesting?
- Do they run extended threat protection?
- Do they run incident response rehearsal and planning?
- Do they follow any industry standards or frameworks?
There is no 100 percent foolproof way to prevent third-party risk exposure. However, asking some tough questions can help you understand the overall security policy of an MSP and minimize your risk exposure. As the saying goes, hope for the best and prepare for the worst, and given the current cybersecurity climate, that applies now more than ever.
When this article was written, Jeff Stout worked for BeforeCrypt.
He is now vice-president of Machinery and Truck