On Friday, July 2, just in time for what would normally be a long holiday weekend, Kaseya experienced a major security event related to its remote monitoring and management (RMM) software, VSA. RMM software is commonly used by IT managed services providers (MSPs) to control the machines under their purview. While exact counts are unknown, it appears that approximately 1500 MSPs were affected, which some estimates indicate could mean up to a million endpoints were infected with this ransomware. In a few different ways, the Kaseya breach is unlike anything we have seen previously.
WHAT IS RANSOMWARE?
First, a quick rundown on the basics. Ransomware is a type of malware that encrypts data, most commonly on servers and personal computers. This is usually accompanied by a ransom note demanding payment for the “release” of the data.
Because this type of malware is financially lucrative for the attackers, ransomware has become a particularly tough and persistent enemy for cybersecurity professionals (as opposed to politically motivated attacks that primarily seek to destroy the victim’s data or finances, such as those one may see from “hacktivists” like Anonymous, terrorists, or state-sponsored actors).
HOW BAD IS THIS?
In short, bad. This Kaseya breach is the most widely distributed ransomware attack in history. However, given the growth of the ransomware threat, many experts believe such attacks will increase in frequency, and the size of this one could be eclipsed in the not-too-distant future.
WHAT IS THE CURRENT STATUS?
Currently, Kaseya is in clean-up mode and has done little in the way of a debrief (or “post-mortem”, as it is often called). In Kaseya’s most recent communication, a patch is to be released Sunday, June 11th for at-risk machines. Once this fix is in place, we expect to hear more from Kaseya on specifics, both looking back and on what to expect moving forward.
HOW DID IT HAPPEN?
This Kaseya breach was particularly difficult to contain because it emanated from the RMM itself, which is, by its nature, authorized to make changes to the machines it is intended to protect. (Apologies for the tech talk incoming, but some is necessary to understand how this occurred.)
In malware attacks, the malicious code is referred to as a payload. In this case, the payload was injected via a database within the RMM, meaning the code was “signed” by VSA and bypassed critical security checks that might otherwise have alerted security systems and, thus, the security professionals monitoring those systems. (For example, superuser (sudo) privileges were not required for these changes.) Using an executable (agent.exe) and a certificate file (agent.crt), the hacker group essentially had its route to malware delivery. The remaining piece was an authentication bypass to execute the payload. Although unconfirmed at this time, this commonly comes from compromised credentials of a privileged-access person, such as a Kaseya employee. The hackers also used an executable disguised as an image file, called screenshot.jpg, to alter logs and end logged-in user sessions.
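The disguised screenshot.jpg above is a case where a file’s name and its contents disagree. As an added, illustrative check (not code from Kaseya, Huntress or Certified CIO), the following Python script flags files whose leading bytes do not match what their extension promises, including Windows executables hiding behind an image or certificate extension; every file name and content it writes is a constructed sample, not an artifact from the incident.

```python
import tempfile
from pathlib import Path
from typing import Dict

# Magic bytes a file with this extension should start with
# (assumption: a small allowlist is enough for this illustration).
EXPECTED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    # PEM text or a DER SEQUENCE header; a heuristic, not a certificate parser.
    ".crt": (b"-----BEGIN CERTIFICATE-----", b"\x30\x82"),
}
PE_MAGIC = b"MZ"  # every Windows executable (.exe/.dll) starts with "MZ"

def classify(path: Path) -> str:
    """Compare the first bytes of a file with what its extension promises."""
    ext = path.suffix.lower()
    if ext not in EXPECTED_MAGIC:
        return "unchecked"
    with path.open("rb") as fh:
        head = fh.read(32)
    if head.startswith(PE_MAGIC):
        return "pe_disguised"  # an executable hiding behind a harmless extension
    if any(head.startswith(magic) for magic in EXPECTED_MAGIC[ext]):
        return "ok"
    return "magic_mismatch"  # not executable, but not what the extension claims

def scan(directory: Path) -> Dict[str, str]:
    """Classify every regular file directly inside `directory`."""
    return {p.name: classify(p) for p in sorted(directory.iterdir()) if p.is_file()}

def build_samples(directory: Path) -> None:
    """Write constructed samples; these are NOT artifacts from the incident."""
    (directory / "screenshot.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE under .jpg
    (directory / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)  # real JPEG header
    (directory / "bundle.crt").write_bytes(b"TVqQAAMAAAAEAAAA//8AALgA")  # base64 text, no PEM
    (directory / "site.crt").write_bytes(b"-----BEGIN CERTIFICATE-----\nMIIB...\n")

def scan_constructed_samples() -> Dict[str, str]:
    """Build the samples in a temporary directory, scan them, return verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(Path(tmp))
        return scan(Path(tmp))

if __name__ == "__main__":
    for name, verdict in scan_constructed_samples().items():
        print(f"{name:16} {verdict}")
```

A real deployment would point `scan` at directories the RMM agent writes to and forward any `pe_disguised` or `magic_mismatch` verdict to the monitoring system rather than printing it.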
Luckily for many, only on-premises servers were touched by the malware; cloud-based VSA deployments were passed over in this attack. Those affected were running Kaseya VSA locally.
Note: Much of this information was shared by Huntress in this blog. It’s quite technical but very informative.
Additionally, the synchronized nature of the attack (the hacking group made specific arrangements within the malicious code) caused the wide distribution to happen very quickly.
SO THEN, WHERE DOES THAT LEAVE US?
The answer to this question branches and depends on the position your business finds itself in. If affected by the Kaseya breach, a business is certainly in recovery mode. Hopefully this includes restoring from a recent, pre-infection system image and rebuilding the IT infrastructure. Unfortunately, for those who did not plan recovery correctly, it could involve trying to negotiate with a hacking group to buy a decryption key.
Thankfully, at Certified CIO our customers were not affected by the Kaseya breach, as we do not utilize the VSA RMM software. However, just because this attack did not affect our operations, there is no guarantee that our operations will not be affected in the future. In fact, no technical system is completely impervious. The best lesson for those not affected may be the following:
Layers: Since no single solution is currently known to be completely impenetrable, cybersecurity experts recommend using multiple security checks, called layers, for protection. This can be visualized (if imperfectly) as Swiss cheese: one slice has many holes, but when several slices are stacked together the holes shrink and close. At Certified CIO, many of our policies and processes help to create layers of cyberdefense, including password and login requirements, least-privilege policies, monitoring agents on our servers and personal computers (which give us real-time feedback on odd connections or activities) and ring-fencing agents which can alert on unusual software executions.
However, there are also additional tools that we highly recommend; they are not required but can greatly enhance a system’s security when utilized, including MFA and VPNs. (Please check out blog posts covering these and other topics here and here.)
Knowledge: We are also able to help expose issues you may not even know exist in your business. One of the better ways to do this is arranging a risk assessment with our security experts. This can range in scale from an examination of a single system to a full “red team/blue team” exercise, which employs actors to simulate a cyber attack in real time.
Preparedness: Training end users is key for a business or organization to avoid ransomware attacks such as the Kaseya breach. We recommend KnowBe4 security training, but there are many different options in this arena. We additionally cannot fail to acknowledge the importance of backing up data. The digital information stored on IT systems is often the backbone of a business, without which the business would fail, yet far too often we see inadequate protection of that vital resource. The scale and frequency of backups are intensely important during recovery efforts. We strongly support Datto products as the industry leaders in this space.
I’ll end on this quote from Kyle at Huntress:
In Florida, hurricanes happen. Florida businesses are not measured on whether they can prevent a hurricane from happening (that’s preposterous); they’re measured on how fast they can recover and get back to serving customers and making money. In 2021, cybersecurity incidents are the inevitable hurricane. Your business is not judged by whether you can prevent an incident, but rather by how fast you can recover. A large security incident is an opportunity to prove that you are the IT/Security provider that can quickly restore your customer’s business operations when “it” hits the fan.
If your business or organization needs help with any of this, we are HERE FOR YOU! CONTACT US or give us a call!