On July 2nd, the cybersecurity world was rocked by another massive supply chain attack, this time by the notorious REvil gang, which crippled more than a thousand businesses across the U.S. and the rest of the world. At present, the group is demanding $70 million to decrypt the files it has encrypted on victims’ networks.
Kaseya, a provider of IT solutions to enterprises and MSPs, announced on July 2nd that it had suffered a cyberattack. The attackers carried out a supply chain ransomware attack by exploiting a zero-day vulnerability in Kaseya’s VSA tool (a remote monitoring and management tool for managing endpoints and networks).
Initially, Kaseya believed that only a few customers (MSPs) were affected, but a more recent update on its blog stated that fewer than 60 MSPs were hit, all of them actively using the VSA on-premises product. Since each MSP typically serves hundreds of small and medium-sized enterprises (SMEs), the ripple effect is being felt in fewer than 1,500 businesses linked to those victim MSPs.
The Kaseya supply chain attack is another devastating ransomware attack the U.S. has witnessed, following the SolarWinds, Microsoft Exchange, and similar recent incidents. Let’s take a closer look at the current state of the attack and then discuss how vulnerable your own business may be.
A Closer Look at the Kaseya Ransomware Attack
According to the current investigation, the attack was enabled by a zero-day authentication bypass vulnerability, combined with the antivirus workarounds Kaseya had set up in its products to allow automatic updates. Using the authentication bypass, the attackers were able to send arbitrary commands through the VSA product.
Because the flaw was an authentication bypass, this supports Kaseya’s statement that none of its source code was accessed or altered. The attackers mainly pushed malicious updates that looked like legitimate updates from Kaseya. They first compromised the MSPs that were using Kaseya VSA, and then used VSA to deploy ransomware to hundreds of businesses linked to those MSPs.
Kaseya Knew This Was Eventually Going to Happen a Long Time Ago
It may seem shocking, but the Kaseya attack could possibly have been avoided altogether. A former Kaseya employee told Bloomberg that the company’s leadership had been warned multiple times (from 2017 to 2020) about severe security loopholes in Kaseya products. Employees raised concerns about poor encryption, outdated code, and a lack of regular software patching. In fact, they found so many problems in the VSA tool that they wanted it replaced. Unfortunately, the company paid no attention, which led some employees to quit while others were fired.
Besides the concerns raised by employees, researchers also highlighted vulnerabilities. Kaseya fixed some issues when a Dutch researcher reported flaws, but not everything was fixed. Soon after that, analyst firms such as Truesec also discovered serious security flaws in Kaseya’s infrastructure.
All these earlier warnings should have been enough for Kaseya to take security seriously. Had the company responded aggressively to these flaws, the situation would not be as bad today.
How Vulnerable Is Your Business?
It is a bitter truth that supply chain attacks have been on an exponential rise for the past couple of years. The SolarWinds attack alone was one of the worst attacks the tech world has witnessed in recent times. Now the Kaseya attack shows how powerful cybercriminals are becoming over time. This should sound an alarm for businesses, especially small and medium businesses that rely heavily on such vendors.
How vulnerable your business is to supply chain attacks depends mainly on your choice of IT vendors. Keep a close eye on your vendor list and pay attention to any security-related information circulating about your vendors. But this is not as simple as it sounds from the client’s perspective. For example, the Kaseya VSA attack went undetected until the attackers had already made an impact. From the client’s perspective, attackers penetrated networks by presenting a malicious update that looked legitimate. So, if your vendor is breached, there is always a chance that you will suffer as well.
But there are some practices that can help your business ensure better security and minimal damage if your vendor is compromised. Some of the key ones are as follows:
1. Don’t Fall into the Trap of Phishing Emails
Phishing emails are one of the most common ways for attackers to penetrate a system. Attackers often pose as known vendors so that you consider the email legitimate and click the malicious link it contains. So, you must learn to recognize phishing emails in whatever form they take. Once employees are well trained to avoid phishing emails, your business has already closed off a major avenue for a potential breach.
2. Smart Vendor Choice
Businesses often have multiple vendors for different services, but sometimes there are unnecessary vendors as well. Every unnecessary vendor means a greater chance of a security breach. The past attacks (Microsoft Exchange, SolarWinds, and Kaseya) have shown that when a main vendor is breached, the connected businesses also become vulnerable. Therefore, choose vendors wisely, keeping only the reliable ones that you actually need.
3. Up-to-Date Systems
The Microsoft Exchange attack mainly targeted systems that were not up to date, while the Kaseya attack tricked victims with a malicious update. So it is a mixed situation: if you resist updates, you are in danger, and if you install malicious but legitimate-looking updates, you are again in danger. The best way out is to keep your systems up to date while verifying that the updates you install were actually released by your vendor.
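The check behind that last sentence is worth seeing in code. The following is an added example, not Kaseya’s update mechanism and not code from the original post: it assumes a hypothetical vendor that ships each update with a small manifest (version, SHA-256 digest of the package, and an Ed25519 signature over both) and a customer that has pinned the vendor’s public key through a trusted out-of-band channel. The keys and the package bytes are constructed from fixed seeds so the example runs offline; the three scenarios in `main` show a genuine release passing, a tampered package failing the digest check, and a package re-signed by someone other than the vendor failing the signature check.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed seeds so the example is deterministic and offline. In a real
// deployment only the vendor holds the private key; the customer pins the
// public key obtained through a trusted channel, never from the update itself.
var vendorPrivateKey = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
var vendorPublicKey = vendorPrivateKey.Public().(ed25519.PublicKey)

var ErrBadSignature = errors.New("update rejected: manifest signature does not verify against the pinned vendor key")
var ErrDigestMismatch = errors.New("update rejected: package digest does not match the signed manifest")

// UpdateManifest is the hypothetical metadata shipped next to an update package.
type UpdateManifest struct {
	Version   string
	Digest    [sha256.Size]byte // SHA-256 of the package bytes
	Signature []byte            // Ed25519 signature over signedPayload(Version, Digest)
}

// signedPayload binds the version to the digest under a fixed domain-separation
// label, so a signature for one version cannot be reused for another package.
func signedPayload(version string, digest [sha256.Size]byte) []byte {
	return append([]byte("update-manifest-v1\x00"+version+"\x00"), digest[:]...)
}

// VendorSign models the vendor's release step: hash the package, sign the manifest.
func VendorSign(priv ed25519.PrivateKey, version string, pkg []byte) UpdateManifest {
	d := sha256.Sum256(pkg)
	return UpdateManifest{
		Version:   version,
		Digest:    d,
		Signature: ed25519.Sign(priv, signedPayload(version, d)),
	}
}

// VerifyUpdate is the customer-side check run before anything is installed:
//  1. the manifest signature must verify with the pinned vendor public key;
//  2. the package actually on disk must hash to the digest the vendor signed.
// Either failure means the update is not one the vendor released as-is.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, pkg []byte) error {
	if !ed25519.Verify(pub, signedPayload(m.Version, m.Digest), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(pkg) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed package content standing in for a real update archive.
	pkg := []byte("constructed update package, version 9.5.7")
	genuine := VendorSign(vendorPrivateKey, "9.5.7", pkg)
	fmt.Println("genuine release:", VerifyUpdate(vendorPublicKey, genuine, pkg))

	// Scenario 2: the package was altered after the vendor signed it.
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0x01
	fmt.Println("tampered package:", VerifyUpdate(vendorPublicKey, genuine, tampered))

	// Scenario 3: someone re-signs the altered package with a key that is not the vendor's.
	otherKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	resigned := VendorSign(otherKey, "9.5.7", tampered)
	fmt.Println("re-signed by a non-vendor key:", VerifyUpdate(vendorPublicKey, resigned, tampered))
}
```

Two design points matter more than the crypto: the pinned public key has to live somewhere the update channel cannot overwrite, and the version is included in the signed payload so an old, signed manifest cannot be replayed against a different package. Neither check substitutes for keeping systems patched; it only ensures that what gets installed is what the vendor actually published.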
The Bottom Line
The Kaseya ransomware attack shows that such attacks are not going to slow down anytime soon. The frequent attacks on tech giants, who are supposed to be highly secure, also show that attackers are not missing any chance to exploit security flaws. As a business relying on such vendors, you should not blindly trust their security measures. Adopt more robust cybersecurity practices so that there is no, or at most minimal, security negligence on your side.