Kaseya: assessment and lessons learned.
Jul 8, 2021

How well has Kaseya responded to the ransomware campaign? The company is providing regular updates, and says a full patch will be available Sunday. In the meantime, the US Administration considers its retaliatory or diplomatic options.

Kaseya: assessment and lessons learned.

Kaseya's CEO Fred Voccola in a video message posted at 9:45 Eastern Daylight Time last night described "a long, long five days" as he apologized for the continuing VSA outage. He assured customers that Kaseya was taking the incident very seriously, and delivered the unwelcome news that the fix the company was working on would be further delayed. The new release time for a fixed and patched VSA will be this coming Sunday at 4:00 PM Eastern Time. While Kaseya was confident that the patches they'd developed had closed the vulnerabilities the extortionists exploited, Voccola said that third-party engineers and internal IT personnel recommended placing additional layers of security in place to protect against other exploits they may not foresee. He said he was confident that the upcoming release would fix the problems, and he confirmed that only the VSA product had been affected in the incident.

The company also published a run book last night of changes to the on-premises version of VSA, which should enable customers to prepare themselves for the coming update.

Voccola alluded to "Kaseya Cares," a program initiated during the early days of the COVID-19 pandemic last year. Kaseya Cares provided direct assistance, both financial and advisory, to MSPs serving small to mid-sized businesses. He said they were extending similar help now to businesses affected by the VSA-propagated ransomware.

A US response for the Kaseya incident remains under preparation.

US President Biden left a meeting with advisors yesterday and said, in a brief Treppenwitz as he departed the area, that he "will deliver" a response to Russia's President Putin over the ransomware attacks on US companies. "Mr. Biden’s vague statement, delivered as he was departing for a trip, left it unclear whether he was planning another verbal warning to Mr. Putin — similar to the one he issued three weeks ago during a one-on-one summit in Geneva — or would move ahead with more aggressive options to dismantle the infrastructure used by Russian-language criminal groups," the New York Times reports.

But it's at least clear that the US Administration's belief is that Russia bears some responsibility for the Kaseya ransomware campaign, even if that responsibility goes no farther than tolerating criminal behavior. REvil is not a new group, and it's operated for some time without molestation or interference by Russian law enforcement or security organs. More evidence that REvil is following its practice of not hitting Russian targets was presented by Trustwave's Spider Labs, who, in their study of the operation against Kaseya, found that its ransomware packages avoided systems identifiable as Russian.

The Times juxtaposes its account of deliberations about a response to REvil with a discussion of the US Administration's view of the attempt on the Republican National Committee (RNC), apparently by Russia's SVR. “'The F.B.I. is working with the R.N.C. to determine the facts,' Mr. Biden said. 'I will know what I am going to do tomorrow.'” Whether this represents a causal link or mere correlation in time isn't clear, but the focus of US response in both cases is Russia.

The BBC quotes experts to the effect that the attempt to compromise the RNC looks like traditional espionage, but the Kaseya incident is another and arguably more serious matter altogether. The BBC thinks that sanctions and some arrangement that would secure Russian police cooperation against REvil are the two options the US is most likely to avail itself of. Cooperation with Russian law enforcement seems unlikely, however, to be productive. MIT Technology Review has an account of how earlier attempts at such collaboration have fallen flat after initial promises of good will.

The US seems to be in a position where it will have to attempt to impose costs on the extortionists and their enablers. The Geneva summit between Presidents Biden and Putin saw the drawing of red lines by the US side, and a red line is an or-else proposition. When it's crossed, as the Strategist observes, it's important that the "else" materialize. The National Interest sees the possibility of a face-saving waffle on the US side, in which a case might be made that, well, the ransomware attack didn't actually affect any of the sixteen specific areas President Biden told his Russian counterpart should be off-limits. Such a waffle seems, however, unlikely. Despite President Biden's reassurances earlier this week that the effects of the incident on business seemed to have been "minimal," the effects of this and other ransomware attacks have become too visible, too disruptive, to be easily tided over. Both the Washington Post and Lawfare have published explanations of why the ransomware attack on Kaseya's customers is serious in both extent and sophistication.

Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, commented on the constraints surrounding retaliatory options. He argues that credible and clear attribution of attack is essential in formulating a response:

"Counter-attacks against sovereign states, performed without a convincing attack attribution based on sound evidence of the original aggression, will contradict the Tallinn Manual and will likely violate international law. Moreover, any attacked countries will probably retaliate with nation-backed hacking campaigns that may rapidly create chaos and national disaster by damaging critical infrastructure including hospitals, airports, gas or water supply chains. Worse, Western countries have highly digitalized economies, being specifically susceptible and vulnerable to large-scale cyber-attacks. Eventually, many innocent US citizens may fall victim to the spiralling cyber war.

"Importantly, counter-operations in digital space will not treat the root cause of ransomware: largely ignored cybersecurity hygiene, omnipresent carelessness and underestimation of cyber risks. The money spent on offensive operations would be better off spent on hardening national cyber-defense capacities including the creation of cybersecurity awareness and support programs for SMEs. Finally, to catch up with the EU, the US should finally consider implementing federal data protection and privacy law that has been expected for over a decade. Prevention, regulation and cyber defense is a key to sustainable protection of any country, while cyber war is a reliable recipe to multiply losses and bring no desired outcomes.”

We also heard from Mike Hamilton, founder and CISO of Critical Insight, who thinks it likely that REvil may have deliberately avoided the sectors around which President Biden drew the red line:

"Also note that in order to hold Russia responsible we have to prove NOT that the gang operates out of Russia (we know that), but that the Russian government has knowledge of these attacks prior. That’s a much taller order. It is likely that the US will go directly after individuals involved, but retaliatory acts against the country may have to wait until further intelligence is available. As a comparison, I note that we are just now getting ready to publicly call out China for the Exchange attack and that was months ago."

We'll give the BBC the last word on the prospect of US retaliation. Their article concludes: "By laying down the law in Geneva so clearly, Joe Biden may now feel he has to act. Certainly, just like the US military, the US president has a cyber operation that can more than hold its own in a fight. The question now is to what extent Mr Biden chooses to use it."

Industry assessment of Kaseya's preparation and response.

Kaseya's ability to cope with the attack has received harsh reviews from those who believe, like the sources quoted in CRN, that the company shouldn't have left itself vulnerable to this kind of exploit. The Dutch Institute for Vulnerability Disclosure says it discovered the zero-day in April and promptly notified Kaseya. Kaseya was in the process of addressing the issue when the attack hit, so arguably the company's response was dilatory. It certainly came just a bit too late.

Others have given Kaseya better reviews. Electronic Engineering describes Kaseya as "swiftly responding" to contain the damage. The company's public communication about the incident has been regular and clear.

Critical Insight's Mike Hamilton also gave Kaseya high marks: "In terms of incident response, Kaseya is doing a good job. The real question is whether the affected MSPs and their customer base is able to respond well. Good examples are the communication that Kaseya has kept up, producing a tool for use in identifying compromised versions of the agent, and having DHS and the FBI at the table from the beginning."