
#TECH: Analysing the Kaseya ransomware attack

THE Kaseya ransomware attack over the weekend is said to be the biggest attack of its kind, with the hackers demanding US$70 million (RM287 million) in bitcoin for the stolen data.

It is reported that more than 1,000 companies could have been affected by the attack on Miami-based managed service provider (MSP) firm Kaseya, which provides IT services to some 40,000 businesses around the world.

Here is some feedback from Acronis' chief information security officer, Kevin Reed. Acronis is a backup software and data protection solutions company.

Q: Why go after MSPs like Kaseya?

A: MSPs are high-value targets: they have large attack surfaces, making them juicy targets to cybercriminals. One MSP can manage IT for dozens to a hundred companies: instead of compromising 100 different companies, the criminals only need to hack one MSP to get access to them all.

As we predicted last year, MSPs will only be targeted more in 2021 – they can be compromised via a variety of techniques, with poorly configured remote access software among the top attack vectors. Cybercriminals use vulnerabilities, like the lack of 2FA, and phishing to get access to MSPs' management tools and eventually – to their clients' machines.

Q: How much do you think the attackers are planning to make from this?

A: The attack has already directly affected dozens of MSPs, with an estimate of 1,000 SMBs that may be affected by the attack: we're talking several million dollars in potential ransom payouts alone – and hundreds of millions in direct losses from business closure. Like in the case of Coop, the Swedish store chain affected by this attack and forced to close 800 stores.

While we detect this type of ransomware, not many do. The fact that the ransomware was embedded in Kaseya VSA (Virtual System/Server Administrator) helped it to spread to a large number of targets quickly – similar to how the WannaCry attack allowed criminals to quickly penetrate hundreds of companies. This attack is already showing a larger scale – it won't end right away, likely leading to bigger impact.

Q: Was the Friday before the long weekend in the US chosen on purpose? Guard down due to the upcoming July 4th?

A: Definitely done on purpose – ransomware criminals use public holidays to maximise the attack success rates, as well as the chances of a payout. With your guard down and chain of command interrupted, you are more likely to agree to pay the ransom – just to get your files decrypted.

While we advise never paying the ransom, the reality is that businesses that can't rely on their incident response plan still pay the criminals – as seen in the recent JBS and Colonial Pipeline cases. Ransomware demands against the breached clients in this case varied from the initial demand of US$44,999 to US$5 million – with the further possibility of steep fines from the authorities for those opting to pay.

Q: Rate Kaseya's response to the attack. Could this type of attack have been avoided?

A: While affected MSPs are being informed to shut down on-premises VSA servers, Kaseya itself has proactively shut down its software as a service (SaaS) servers that run VSA for their partners. They issued the warning right after the attack was detected, without any delay – which is how it should be. While affected MSPs will not be able to work since remote monitoring and management (RMM) is their main tool for IT infrastructure management, Kaseya's response allowed it to drastically limit the number of affected businesses, thus preventing it from spreading further and alerting the world to the existing threat early on.

This attack is a leap forward in the scale, scope, and sophistication of attacks against the suppliers of software for MSPs. No private business, public institution, tech vendor, or service provider is immune to this, and none should be pointing fingers at the initial victims of the attack, nor at the members of their software supply chain that were compromised as a result.

Q: What can you do to at least reduce the risk of being victimised by a similar attack and avoid passing the malware on to your partners and customers?

A: First, tend to your own backyard – renew your commitment to building a multi-layered, defence-in-depth security architecture. Consider following an open security framework like NIST 800-171 or ISO/IEC 27001 to help work through various potential risks, identify your softest spots, and shore up those defences.

Regularly evaluate your vendors and service providers as a potential source of risk to you. We have published an e-book with recommendations on this very topic – consider any weak link in your software supply chain. Any unneeded access should be revoked, and you have to check with any given provider for the security measures in place.

Revisit your incident response management policy. If you don't have one – start building one immediately. Assume that some kind of cyber-attack on you will eventually succeed despite your best efforts to deploy comprehensive defences, build solid security policies, and invest in trained people. It will limit the damage, reduce the external blowback from investors, partners, and customers, and preserve the kind of forensic evidence you'll need to avoid a recurrence of the attack.

Install patches – while it will not protect your business from zero-day vulnerabilities, like in this case, it will help raise the bar for attackers.
