An analysis by Sophos suggests that the latest attack is similar to one that Kaseya endured in 2018.
Kaseya issued its annual IT operations report only three days before getting hit by a ransomware attack. The report’s first finding was incredibly and unfortunately accurate: Improving IT security remains top priority amid a rise in cyberattacks.
According to an analysis by Sophos, the bad actors behind this attack “not only found a new vulnerability in Kaseya’s supply chain, but used a malware protection program as the delivery vehicle for the REvil ransomware code.”
Eldon Sprickerhoff, chief innovation officer and founder of cybersecurity firm eSentire, said that Kaseya was hit with a similar attack in 2018 and that this current attack could be a variation on the same tactic.
“My guess is in the 2018 cyberattack, a threat actor figured out a zero-day in Kaseya, went to a tool such as Shodan and looked for all external-facing Kaseya instances, built up a bundle to mine Monero, and then en masse started gaining access to these Kaseya installations and deploying their miners,” he said.
Meg King, director of the Science and Technology Innovation Program at The Wilson Center, said the attack is a bold step up for criminal actors.
“No longer are complex, expensive attack methods only the focus of nation states,” she said. “That the entry point was a zero-day exploit demonstrates the expertise of criminal hacking groups is growing.”
SEE: Colonial Pipeline attack ratchets up ransomware game (TechRepublic)
Sprickerhoff said gaining access to administration-level credentials for a remote management solution like Kaseya and targeting Managed Service Providers, is a very efficient way of deploying ransomware at scale.
“Essentially, the MSPs do all the hard work for the threat actors because they unknowingly deploy the malicious software out to all their customers,” he said.
Ransomware-as-a-service scales well
The SolarWinds attack showed the benefit of using third-party software as one component of ransomware-as-a-service. That tactic in the bad actor business model took a hit as a result of the Colonial Pipeline attack, but there are still viable compnents of the model. By farming out the work to specialists–engineers to write encryption software, network penetration experts to find and compromise targets and professional negotiators to ensure maximum payout–it makes it easier to scale the model and hit more targets at once. Using third-party software to deliver the payload fits into that plan.
Purandar Das, chief security evangelist and co-founder of security software company Sotero, said there are several advantages to using third-party software as the attack vehicle.
“These kinds of attacks are becoming common due to the ease with which they allow attackers to access a secure network as well as the ability to attack in scale,” Das said.
Also, most organizations rely on the software provider to ensure that the software is secure and there is usually less scrutiny of the security of third-party software products once the platform is adopted, according to Das.
“It is hard for clients of the products to be able to identify the vulnerabilities that exist in a third-party software product due to the lack of knowledge about the product and its architecture,” he said.
Ian McShane, Arctic Wolf’s chief evangelist and field CTO on the Kaseya ransomware attack, said this latest incident proves once again that there is no silver bullet to ensure cybersecurity.
“An organization could have done everything right – up-to-date patches, MFA, proactive hunting, etc. – and due to the nature of the Kaseya tool having pervasive admin reach, they could still have been hit by this ransomware attack,” he said.
McShane also said that reducing the risk and impact of these attacks relies on responding quickly, transitioning rapidly from investigation to containment and maintaining a comprehensive map of your environment and what runs within it.
Businesses of all sizes are at risk
Cobalt Chief Strategy Officer Caroline Wong said that this latest attack shows that anyone and everyone is vulnerable to ransomware attacks these days.
“We have data that reveals even though 78% of IT leaders consider pentesting a high-priority item for their security teams, respondents conduct pentesting on only 63% of their overall application portfolio on average,” she said. “This is a colossal problem — and one that leaves organizations vulnerable to disastrous Kaseya-level attacks.”
Barry Hensley, chief threat intelligence officer at Secureworks, said that his company has not seen evidence of the threat actors attempting to move laterally or propagate the ransomware through compromised networks.
“That means that organizations with wide Kaseya VSA deployments are likely to be significantly more affected than those that only run it on one or two servers,” he said.
David Bicknell, principal analyst for thematic research at GlobalData, expects that small and midsized companies will suffer the most.
“They trust their managed service providers for support and now face potentially devastating ransomware attacks delivered through IT management software used by those very managed service providers,” he said.
Bicknell said that the cybersecurity industry, the U.S. Cybersecurity and Infrastructure Security Agency and the Biden administration should provide greater cyber resilience for smaller companies.
“If they fail to do so, then 2021 will see the launch of one successful supply chain cyberattack after another,” he said.