As if the recent cyber-attacks against Colonial Pipeline and meat processor JBS were not big enough wake-up calls regarding the threat ransomware poses to our nation’s critical infrastructure and business supply chains, late last week the Russia-linked cyber-crime group REvil launched yet another ransomware scheme, this time against IT management software firm Kaseya, impacting 1,500 companies across more than a dozen countries.
According to multiple published reports, REvil, which is the same group suspected of extorting JBS in May, exploited a flaw in Kaseya’s code that was then used to send ransomware to the servers of clients that used the company’s software. The gang was reportedly seeking $70 million in cryptocurrency in exchange for the decryption keys.
“This latest attack is not only devastating on its own; it needs to be seen as an emerging pattern – savvy cybercriminals taking advantage of brands that are not where they should be when it comes to proactive measures and security. This was a sophisticated, well-timed attack and the only way to avoid future issues is to take a hard look at internal security and defense – and be aware of the growing level of sophistication on the part of attackers,” says Richard Blech, Founder of XSOC Corp., a provider of encryption solutions. “REvil’s recent successes, and the impact of this Independence Day attack will only embolden the organization and encourage others like it to launch targeted attacks on businesses of all types.”
Caroline Wong, Chief Strategy Officer for pentest-as-a-service firm Cobalt, says the Kaseya attack demonstrates that “anyone and everyone” is vulnerable to ransomware.
“Many of those impacted were small businesses -- not just the traditional ‘juicy’ ransomware targets for IP,” Wong explains. “This alarming takeaway makes it clear why it’s so urgent to put preventative security controls like pentesting in place; nowadays no business can hope to ‘fly under the radar.’”
Echoes of SolarWinds
The attack is similar to the SolarWinds hack that came to light earlier this year in which malicious actors leveraged a flaw in a solution from the managed services provider to infiltrate multiple targets in both the public and private sectors.
“If ransomware were a TV series this latest incident involving Kaseya VSA would be a great season finale; a ransomware attack affecting a competitor to SolarWinds,” says Tom Garrubba, CISO of Shared Assessments, a member-led risk management strategies, tools, and intelligence organization. “Organizations must understand that we are in a ‘soft war’ with these RaaS (ransomware as a service) providers, and we must be expeditiously and continuously diligent on all forms of IT and cyber hygiene. Everything from application code reviews to patch management, along with methodologies and processes to upgrading network and system components must be incessantly reviewed and any actions needed are immediate.”
According to Purandar Das, Chief Security Evangelist and Co-Founder at data security platform provider Sotero, Kaseya also illustrates how third-party software platforms are being increasingly leveraged as threat vehicles.
“There are many advantages to this approach. First, the ability to attack a very large number of organizations utilizing a single carrier. Second, most organizations rely on the software provider to ensure that their software is secure. There is usually a lesser amount of scrutiny and security against third-party software products once the platform is adopted,” Das says. “Also, it is hard for clients of the products to be able to identify the vulnerabilities that exist in a third-party software product due to the lack of knowledge about the product and its architecture. These kinds of attacks are becoming common due to the ease with which they allow attackers to access a secure network as well as the ability to attack in scale.”
Nadav Levy, Senior Product Manager for Cyberpion, a provider of third-party risk assessment and management tools, says the incident is also a good reminder for organizations that outsourcing the management of certain parts of their network infrastructure to another firm does not absolve them of responsibility for the cybersecurity threats that might arise from using that firm’s services or solutions.
“Organizations should understand that even though they are not the ones managing the service they are receiving, they can be the ones to suffer the consequences,” Levy adds. “Managed services are part of an organization’s ecosystem and should be treated and monitored no less than a proprietary asset. The Kaseya attack shows that all organizations need to up their game and change their perspective from protecting a walled garden to protecting the entire ecosystem of services and software that they use.”
The Biden Administration’s Response
Ironically, the Kaseya attack comes just weeks after a summit between U.S. President Joe Biden and Russian President Vladimir Putin in which cybersecurity was a top issue on the agenda.
“This attack, which follows soon after the Colonial Pipeline and JBS breaches, means the cybersecurity industry, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Biden administration must take urgent steps to provide greater cyber resilience for smaller companies. If they fail to do so, then 2021 will see the launch of one successful supply chain cyberattack after another,” says David Bicknell, Principal Analyst, Thematic Research at data and analytics company GlobalData.
On Sunday, White House cybersecurity official Anne Neuberger issued a statement urging anyone who believes their networks may have been compromised in the attacks to notify authorities.
“Since Friday, the United States government has been working across the interagency to assess the Kaseya ransomware incident and assist in the response. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been working with Kaseya and coordinating to conduct outreach to impacted victims,” the statement read. “Yesterday, President Biden directed the full resources of the government to investigate this incident. We extend our thanks to the cybersecurity professionals across the FBI, CISA, and the intelligence community for working around the clock to respond to this incident.”