As Kaseya continues to move closer toward normal operations and capacity, the US considers defensive and retaliatory options.
Developments in the Kaseya ransomware attack: recovery and response.
Kaseya had expected that it would be able to patch and restore its VSA software-as-a-service product by today, but technical problems its developers encountered have blocked the rollout. As of 8:00 AM EDT today, the company was still working to resolve the issues it encountered.
This added further disappointment to an already dismaying situation for Kaseya and its customers. The company has been well aware of, and working to contain, the risk the incident poses its customers. Before it was known that the patch would be delayed, Fred Voccola, Kaseya’s chief executive, addressed customers in a YouTube video yesterday, saying "It totally sucks. If I was you, I’d be very, very frustrated, and you should be.”
Reuters quotes US President Biden as offering, yesterday, a relatively upbeat preliminary assessment of the consequences of the ransomware campaign: "It appears to have caused minimal damage to U.S. businesses, but we're still gathering information," Mr. Biden said, adding "I feel good about our ability to be able to respond."
That said, the US Government is continuing its investigation and is signalling an intention to do something about REvil and other gangs or privateers. Among other things, the US Administration said that it has communicated very clearly to Russian authorities that the US wants the REvil operators brought to book. CBS News reported yesterday that White House press secretary Psaki said that the US had been in touch with Russian officials about the REvil operation, and that if Russia doesn't take action against its ransomware gangs, "we will." TASS is, of course, authorized to disclose that Russia not only had nothing to do with the attack, and that it knew nothing about it, and that in fact Moscow had heard nothing from Washington about the matter. Either the messages crossed each other or at least one of the parties is telling a whopper. (We're guessing whopper.)
There's been some bipartisan Senatorial woofing in the direction of Moscow, but most observers are looking for a more serious and considered US response.
The ransomware attack, coming as it did so soon after cybersecurity figured prominently in the Russo-American summit, has placed the US Administration under pressure to devise some effective retaliation that might deter such attacks. The Washington Post reports a growing sense that the US must "either win some public concessions from Russia quickly or punch back hard."
Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, and Mathew Rojansky, director of the Wilson Center’s Kennan Institute, have an op-ed in the Washington Post that bluntly argues for a US ultimatum to Russia. "In contemplating his response, Biden should take into account the potential connections between the Russian security services and REvil hackers. Although it is quite plausible that top Russian officials neither directed nor even had prior knowledge of REvil’s latest attack, it is certainly conceivable that lower- and mid-level officials are aware of the hackers and their activities. If Putin chose to take the problem seriously, as Biden demands, Russian security officials could quickly identify and interdict the attackers and force them to unlock the data to stop the damage to businesses worldwide, including in the United States."
Crisis draws opportunists, and this incident appears to be no different from others in that respect. Malwarebytes notes that references to the Kaseya incident have begun appearing as phishbait in social engineering schemes, usually emails offering malicious links or attachments. The subjects suggest an offer of advice, warning, or counsel in the matter of the Kaseya attack.
Fortune asks why major cyberattacks tend to happen around holidays, and gives the obvious answer: around holidays, people's minds tend to be elsewhere, people's bodies on vacation. "Cyber criminals from nation states target U.S. holidays for a reason: IT staff will likely be out of town, and it’s more difficult to react and react quickly to an attack making its way through a corporate network. Thieves know they’ll have more time to try various passwords and usernames and extend their reach to more devices. Companies may often need to call in an outside expert to deal with the hack. 'They know that the organizations are operating with skeleton crews,' says James McQuiggan, a spokesman for KnowBe4, a Clearwater, Florida-based company that provides security training for businesses."
What to make of this kind of supply chain attack.
Joshua Motta, CEO of Coalition, summarizes what he's seen in the attack against Kaseya:
“Both supply chain attacks and ransomware have been two dominant themes of the past 12 months. We’re continuing to see breaches of high profile/large companies that are then affecting their customers which are mostly small and mid-sized businesses."
While the distinction Kaseya and others have drawn between this ransomware campaign and a supply chain attack sensu stricto is certainly reasonable—no Kaseya source code was altered or compromised; the attackers instead exploited a zero-day vulnerability Kaseya was in the process of patching—there's an obvious sense in which it is a supply chain security issue. (Quartz has a useful description of supply chain attacks.) Kaseya's VSA SaaS product was exploited to deliver ransomware to customers of Kaseya's own customers.
David Bicknell, principal analyst, Thematic Research, at GlobalData, believes the threat is getting worse in 2021:
“This extremely serious attack highlights the supply chain’s vulnerability to ransomware attacks. 2020 was a challenging year for cybersecurity, and things have got worse in 2021. Last year’s SolarWinds attack showed that hackers breaching one provider magnifies the cyber threat and provides an opportunity to launch a bigger attack at scale.
“Small and medium-sized companies will suffer the most. They trust their managed service providers for support and now face potentially devastating ransomware attacks delivered through IT management software used by those very managed service providers.
“This attack, which follows soon after the Colonial Pipeline and JBS breaches, means the cybersecurity industry, the US Cybersecurity and Infrastructure Security Agency, and the Biden administration must take urgent steps to provide greater cyber resilience for smaller companies. If they fail to do so, then 2021 will see the launch of one successful supply chain cyberattack after another.”
Tim Erlin, VP, product management and strategy at Tripwire, wrote to draw attention to the similarities between the Kaseya and SolarWinds incidents:
"Though the attack details are different, it’s nearly impossible to avoid comparisons between this incident and the Sunburst incident involving Solarwinds. As we inevitably do so, it’s more useful to ask how our collective response has improved based on the lessons we’ve learned. No one should be surprised when a successful attack methodology is repeated, but we should aim to make these types of supply chain attacks harder to execute and incrementally less successful.
"Attackers are likely to continue with these types of supply chain attacks because they offer a multiplier when successful. A single successful attack can compromise thousands of targets. Supply chain attacks are high reward, but they’re also high risk."
And Erlin notes that ransomware needs to be discovered to be successful. That's not the case with cyber espionage or cyber sabotage:
"It’s important to remember that ransomware needs to be discovered to be successful, so we should always look at a successful ransomware attack as a harbinger of what other, more stealthy attacks might be able to accomplish.”
Purandar Das, Chief Security Evangelist and Co-Founder at Sotero, notes the inherent challenges of effectively assessing third-party risk:
“Third party software platforms are now being leveraged as the attack vehicles. There are many advantages to this approach. First, the ability to attack a very large number of organizations utilizing a single carrier. Second, most organizations rely on the software provider to ensure that their software is secure. There is usually a lesser amount of scrutiny and security against third party software products once the platform is adopted. Also, it is hard for clients of the products to be able to identify the vulnerabilities that exist in a third-party software product due to the lack of knowledge about the product and its architecture. These kinds of attacks are becoming common due to the ease with which they allow attackers to access a secure network as well as the ability to attack in scale.”
REvil, of course, is itself an as-a-service operation, in its case ransomware-as-a-service. Demi Ben-Ari, CTO and Co-Founder of Panorays, noted the risks managed service providers themselves may present their customers:
"[The] Kaseya VSA cyber incident that resulted in the massive REvil ransomware attack is unquestionably one of the most serious supply chain attacks in history. It could even very well turn out to be a much larger incident than the SolarWinds breach, since some of its victims are Managed Service Providers (MSPs) that may each work with hundreds of businesses.
"Moreover, it should be noted that the Russian-based REvil hacker group has been active since April 2019 and provides ransomware as a service. That is, it develops software that paralyzes networks and sells it to so-called affiliates, who earn the bulk of the ransom. So unlike the SolarWinds breach, the primary motive of this cyberattack appears to be money."
Casey Ellis, CTO and founder of Bugcrowd wrote about the resources apparently involved in running the campaign:
“The thing I find most concerning about this attack is the coupling of supply-chain techniques to gain access with the incentives and devastating impacts of ransomware, including the encryption and denial of service to systems.
"Something that is immediately interesting about this attack is the fact that only 8 months after SolarWinds - a relatively non-destructive nation-state supply chain attack - it looks as though cybercriminals, or smaller financially motivated nation-states, are deploying these techniques.
"This means they have the resources to create or procure the necessary tooling, possibly out of the proceeds of other ransomware operations. The REvil operators set their ransom between 45k and 5M USD per organization, and have since released an offer of 50M USD to decrypt all systems affected by this attack. Aside from being the largest ransomware payment in history, this would provide ample capital for REvil to reinvest in progressively better and more invasive tooling for future attacks.
"It also raises the topic of whether 'you'd prefer to get hacked by Russia, or the REvil gang?' Nation state attacks have national security and economic implications, while cybercriminals tend to be more destructive and impactful to the affected business themselves.”
Of course, the distinction drawn between Russia and REvil increasingly looks like a distinction without a difference.
Saumitra Das, CTO and Cofounder of Blue Hexagon, hopes that organizations will recognize the severity of this form of supply chain, nth-party risk, and shore up their defenses accordingly:
“This is another reminder that supply chain attacks remain an issue after the Solarwinds breach brought this topic to the forefront. Organizations are thinking harder about the supply chain security of their vendors and partners. But ultimately, they will need to limit the blast radius inside their networks assuming their vendors and partners do get compromised. The speed at which this Kaseya attack evolved was notable give these tools were used for remote IT management and had the privilege to do operations inside the organizations' networks on behalf of their MSP.
“This is one among a host of supply chain issues this year and specifically issues caused by security vendors themselves. Security itself needs to be agentless and deployed isolated or with the least privilege so it does not contribute to increasing attack surface. VPNs, firewalls, email gateways have all been misused recently to gain a foothold with privilege inside an organization’s network without having to phish a user or hope for open RDP to compromise.
“Attackers are not just targeting governments and infrastructure company supply chains but anyone who gives them a foothold into multiple organization’s networks. While this may not cause disruptions to our infrastructure like the Colonial Pipeline attack, it is nevertheless a huge burden for lots of SMB and mid-market organizations that are already struggling with budget and skill shortage issues.
“Organizations need to focus on detection and response because clearly current technology, configurations and the endless stream of security supply chain vulnerabilities together make it hard to prevent initial access into networks.”
Deepen Desai, CISO, VP security research and operations at Zscaler, sees threat actors as attracted to this kind of supply chain attack because of its ready scalability. A single exploit can enable an attacker to propagate malicious payloads through an indefinitely large number of organizations:
“Software supply chain attacks, like those against Kaseya VSA, allow adversaries to quickly multiply the scope of their attacks to hundreds or thousands of organisations. For today’s digital businesses, where organisations rely on an ecosystem of technology partners to operate, implementing a Zero Trust security model has never been more critical. Even with trusted tools and partners, organisations should assume that every connection could be a potential attack, and build their controls around identity and business policy enforcement to enable secure access to applications, not the network. Using Zero Trust, applications and resources are not visible and cannot be discovered by the adversaries, thus eliminating the external attack surface. As we continue to see an escalation in both supply chain and ransomware attacks, Zero Trust is the most effective way to reduce business risk, unlike traditional network security approaches that leave the front door open to potential attacks from trusted sources.”
Zscaler has also conducted its own technical analysis of the exploit script, with particular attention to the way in which it disabled a range of automated defensive systems.
James McQuiggan, Security Awareness Advocate at KnowBe4, also sees scalability as an attractive feature (attractive to the threat actor) of this form of attack:
"Cyber criminals continue to target organizations that provide services or products to a large number of customers or clients in an attempt to maximize their attack footprint. As seen with earlier cyber attacks, cyber criminals manipulate updated code to attack various customer organizations. As with all cyber criminal activity, their attacks have evolved and now involve injecting a ransomware attack within the code to leverage the trusted connections of the targeted organization.
"Cyber organizations need to be transparent with these large-scale attacks to a supply chain service to thousands of customers and users. With this type of remote service to customers, it is essential to mitigate the risk of further attack by following the vendor's recommendations, even if that means shutting down the service or systems.
"When organizations are informed about a zero-day vulnerability by security researchers or other third parties, communication and repeatable response plans must be implemented to mitigate the risk and make the corrected update available as soon as possible."
Garret Grajek, CEO of YouAttest, sees the Kaseya incident as a prime example of what organizations are up against:
"The Kaseya attack continues a disturbing trend made publicly known by the Solarwinds attack - that is the ability of the hackers not to just invest a single site - but to successfully integrate their malware into the existing software supply chain - in this case, Kayesa VSP, a MSP security management solution. It's important to note - the ransomware is being requested by an affiliate of REvil - which makes these attacks all the more worrisome. It's an entire ecosystem of cyber terrorist working against our IT infrastructure.
Single points of failure?
Cloud and software-as-a-service models are attractive to organizations for many reasons, efficiency, economy, and security among them. There's a risk, however, that such services can become risky to their organizational users. Chris Clements, VP of Solutions Architecture at Cerberus Sentinel expressed the challenge this way:
"This incident should highlight just how vulnerable most organizations are to single points of failure that can completely derail operations. Yesterday was SolarWinds, today is Kaseya, but there are dozens of other management and monitoring tools that have complete control of all systems and data on networks they are deployed on. These tools can provide management productivity boosts, but by their very nature introduce massive risk. It is incumbent on organizations to recognize this trade off conduct an in-depth security evaluation as part of the acquisition of these products and services. It must be part of your threat monitoring. Too many organizations discovered this weekend that there wasn’t a plan if their MSP or their tools were compromised."
Kaseya's targeting made a great deal of sense from REvil's point of view. Richard Blech, Founder of XSOC Corp, offered his take on the impact on the victims:
“The largest ransomware attack in history continues to claim new victims. Figures this morning indicate that between 800 and 1500 worldwide businesses have now been impacted by the latest attack.
"The well-coordinated attack on the Kaseya software brand has left both direct customers and their clients in tatters. These brands face a new week not running business as usual, but scrambling to respond to an attack so large the White House weighed in on a holiday weekend. The FBI and Cybersecurity and Infrastructure Security Agency are also onboard in the race to address this most recent attack, which includes a demand for a $70 million Bitcoin ransom.
Part of the impact came from target selection, but Blech sees timing as also important. Organizations can be caught with their guard down over holidays:
“How was REvil, believed to be behind the attack, able to create such devastation in such a short amount of time? Both the timing of the Kaseya attack and the choice of victim played roles in the far-reaching outcome; the lack of preparation and awareness by Kaseya allowed the attack to spread to dozens of smaller businesses and organizations.
“Kaseya...serves clients that in turn provide services to smaller businesses, including retailers, medical providers, and schools. For every brand directly impacted, there may be dozens or even hundreds more that indirectly rely on Kaseya services.
Managing the supply chain and controlling nth-party risk.
Dave Wagner, CEO and President of Zix I AppRiver, called for attention to securing the whole IT supply chain. End users as well as managed service providers have important roles to play in doing so:
“The recent Kaseya cyberattack, which saw the REvil criminal group use compromised IT management software to successfully encrypt the files of hundreds of businesses, illustrates how important it is to secure the entire IT supply chain. The software at the heart of the attack, Kaseya VSA, is popular among so-called managed service providers (MSPs), which provide IT infrastructure for companies that would rather outsource that sort of thing than run it themselves.
"Most enterprise companies fall into this category. Unfortunately, once a cybercriminal has access to an MSP, it has access to its customers. So, rather than breaching a single bank, insurer, or airline, they can gain access to multiple organizations all at once. It’s the difference between having a highly-skilled safe-cracker and the master key to the bank’s vault Organizations should ensure that the MSPs they employ only use solutions that are secure, resilient, and compliant.
"The Kaseya attack also illustrates a growing practice of combining supply-chain-based attacks with ransomware demands. REvil appears to be asking victim companies for the equivalent of roughly $45,000 in the cryptocurrency Monero. Some companies have apparently been asked for as much as $5 million to decrypt all of the PCs in their network.
"While MSPs can, and should, do everything they can to prevent such attacks, it’s important to have backups in place as a critical defense mechanism in the event of a breach. Backing up regularly and securely is critical to breach recovery. Your backup provider should be able to address the unique needs of laws such as GDPR and any others that impact the jurisdiction you operate in. This includes, but is not limited to, its choice of data center, data encryption, at-rest and in-transit rules, and the ability to purge backups. Additionally, adopting a backup provider shouldn’t impact on your organization’s ability to do business.
"The solution companies choose should offer simplified employee on-boarding and off-boarding with bulk activation, automated addition and deletion of users, and backup of inactive accounts. Additionally, it should offer an out-of-the-box setup with zero adoption effort, no matter what software as a service (SaaS) platform you use.”
Tom Garrubba, CISO at Shared Assessments (and leave aside his questionable taste in TV) offers some advice for dealing with future attacks of this kind:
"If ransomware were a TV series this latest incident involving Kaseya VSA would be a great season finale; a ransomware attack affecting a competitor to Solar Winds.
"Organizations must understand that we are in a “soft war” with these RaaS (ransomware as a service) providers, and we must be expeditiously and continuously diligent on all-forms of IT and cyber hygiene. Everything from application code reviews to patch management, along with methodologies and processes to upgrading network and system components must be incessantly reviewed and any actions needed are immediate.
"It is time for organizations to be proactive in these endeavors and to further ensure their downstream suppliers and vendors and critical partners are doing the same. RaaS providers are to be viewed in the same light as cyber terrorists; whereas organizations need to be right all the time in their IT processes and cyber hygiene, these cyber terrorists need to be right just once to affect many."
And there has been some well-received advice from the US Government. "The Cybersecurity and Infrastructure Security Agency (CISA) CISA and the FBI had key recommendations which included backups, MFA (2-Factor) authentication and executing on the Principle of Least Privilege (NIST PR-AC-6) to insure that compromised accounts are not granted excessive and damaging privileges. "Constant vigilance on the privileges of our accounts and changes must be accounted for in a secure environment," YouAttest's Grajek added.