Or not. As the case may be.
Last week saw yet another dastardly and, seemingly, incredibly successful ransomware attack using a trusted supply chain as the vector.
You will no doubt have read, unless of course you have been in the Nevada desert looking for UFOs or similar, that the widely deployed IT management software from Kaseya has been used (via a ‘zero day’ attack) to deploy and execute ransomware on a large number of Kaseya customers and, where those customers are managed service providers, on their customers too.
‘Supply chain attack’ is something of a broad church, a fact which is being somewhat abused, at least in our opinion, in mitigation and explanation. More on this later.
There are so many write-ups and associated opinions about this attack, varying in detail and quality and including the vendor’s own, that we do not need to go all-in with our own explanation of events; a summary will do.
On Friday, July 2nd, Kaseya, which provides a management platform for enterprises and Managed Service Providers, says that it started ‘receiving reports from customers and others suggesting unusual behaviour occurring on endpoints managed by the Kaseya VSA on-premises product’. It transpires that this unusual behaviour was that the Kaseya VSA platform (the on-premises servers at multiple customers; Kaseya also shut down its own SaaS platforms while this was investigated) had been compromised and used to deliver and execute ransomware on customers’ endpoints and, as above, in the case of managed service providers, on their customers’ endpoints.
Estimates are that when you include the downstream customers of managed service providers, more than 1500 businesses have been impacted. So this is clearly very serious.
The attack has been claimed by the notorious REvil crime gang, about whom we have written before and who have even been interviewed by our partners at Recorded Future. REvil has demanded a frankly ludicrous sum of $70,000,000 to provide the decryption keys for all infected systems. Or is it ludicrous, given the scale?
Claiming to be following a security playbook, and looking pretty good at it too, the CEO of Kaseya gave an address to the ‘Kaseya community’ which very much downplayed the impact of the breach (by not quantifying the actual number of impacted systems, nor counting customers of customers) and made no mention of any early warnings that Kaseya may have had.
And that, dear readers, is where the whole thing starts to smell a little fishy. Researchers from the Dutch Institute for Vulnerability Disclosure (which sounds a little too much like something you could contract after a weekend in Amsterdam) announced that they had advised Kaseya of vulnerabilities in the VSA product in April. Then, in May this year, researchers from our very own team looked at an incident that involved a breach of Kaseya which, they assure the writing staff, was the work of the very same REvil group.
REvil’s MO is not that hard to spot. They use common tools for lateral movement, and the usual misconfigurations or phishing to break down the door. For those interested, Palo Alto’s Unit 42 researchers have produced this excellent paper on REvil’s tactics and tooling. A recommended read.
So if Kaseya knew that its VSA product had holes back in April, and that REvil were on its case by May, what the actual have they been doing? Are they being somewhat disingenuous with the apparently transparent breach reporting and squeaky clean playbook? Time will tell.
The question we asked ourselves was this: ‘How did REvil access on-premises Kaseya VSA servers in order to use them to distribute ransomware?’ Our own experience, together with this series of recommendations from none other than the FBI and CISA, makes this fairly clear. It seems that many of these servers were directly connected to the internet and not protected at all, whether by a VPN or even by access control lists. Like leaving your front door open in Shepherds Bush while you were looking out of the back windows. Unbelievable.
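As an added example (not code from the original post, nor Kaseya or FBI/CISA tooling), here is the kind of automated check that would have caught the exposure described above: a small Python audit that reads a firewall or security-group rule export and flags management-plane services reachable from anything other than the VPN pool or the office LAN. The rule format, the host names, the trusted networks and the service labels are all hypothetical and constructed for the example.

```python
"""Audit a firewall / security-group rule export for management planes that are
reachable from untrusted networks. Added example; the rule format, hosts,
trusted networks and service labels below are hypothetical and constructed."""
import ipaddress
from typing import List, Tuple

# Hypothetical: the only networks from which admin access is acceptable.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.8.0.0/24"),      # VPN client pool (assumed)
    ipaddress.ip_network("192.168.10.0/24"),  # ops office LAN (assumed)
]

# Hypothetical service labels whose admin plane must never face the open internet.
MANAGEMENT_SERVICES = {"rmm-admin", "ssh", "rdp", "winrm"}

# Constructed sample export, one rule per line:
# "<host> <port> <service> <source-cidr>[,<source-cidr>...]"
SAMPLE_RULES = """\
vsa01      443  rmm-admin 0.0.0.0/0
vsa01      22   ssh       10.8.0.0/24
vsa02      443  rmm-admin 10.8.0.0/24,192.168.10.0/24
vsa02      3389 rdp       203.0.113.0/24
web01      443  https     0.0.0.0/0
jump01     22   ssh       ::/0
"""

Rule = Tuple[str, int, str, List[str]]
Finding = Tuple[str, str, int, str, str]  # (severity, host, port, service, source)


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed export format; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, service, sources = line.split()
        rules.append((host, int(port), service, sources.split(",")))
    return rules


def is_trusted(cidr: str) -> bool:
    """True if the source range lies entirely inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Version check first: subnet_of() raises TypeError across IPv4/IPv6.
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def classify(cidr: str) -> str:
    """A /0 (0.0.0.0/0 or ::/0) means the whole internet; anything else untrusted is a WARN."""
    net = ipaddress.ip_network(cidr, strict=False)
    return "CRITICAL" if net.prefixlen == 0 else "WARN"


def audit(text: str) -> List[Finding]:
    """Return every management service reachable from an untrusted source, worst first."""
    findings: List[Finding] = []
    for host, port, service, sources in parse_rules(text):
        if service not in MANAGEMENT_SERVICES:
            continue  # public web front ends are expected to be public
        for src in sources:
            if not is_trusted(src):
                findings.append((classify(src), host, port, service, src))
    findings.sort(key=lambda f: (f[0] != "CRITICAL", f[1], f[2]))
    return findings


if __name__ == "__main__":
    for sev, host, port, service, src in audit(SAMPLE_RULES):
        print(f"{sev:8} {host}:{port} ({service}) reachable from {src}")
```

Run as-is, it reports the two admin planes open to the whole internet (vsa01’s management interface and jump01’s SSH) and the RDP port reachable from an arbitrary external range, while leaving the public web server alone. In practice you would feed it the export from your own firewall or cloud security groups and schedule it, since a rule that is correct today has a habit of being ‘temporarily’ opened tomorrow.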
The FBI and CISA recommendations read like a ‘just how to do things properly’ guide, and include all of the stuff you read about constantly: backups, segregation, multi-factor authentication, the whole bit.
What they do not recommend is that you should implement automated security services that use the best-practice functionality available on the licences you have already purchased (or at relatively low additional cost), and that leverage expert knowledge to manage and drive those systems’ alerts and remediations for you.
When Tiberium designed our FROST and MYTHIC managed security services, the detection, prevention and remediation of the early phases of a ransomware attack were uppermost in our minds and we are confident that if you use our services your chances of falling victim are considerably reduced.
We would love the opportunity to present our services to you and explain how they help (at a reasonable price point of course). If you are interested, please contact us to book a demo.
Something that people should be aware of is that, as usual, scumbag begets scumbag: a phishing campaign is doing the rounds targeting people who may think they have issues with Kaseya. Be careful.
You may recall that last week we were talking about the Microsoft Print Spooler vulnerability (now called PrintNightmare, apparently). No surprise then that this threat has been badged up to Critical by Microsoft, who are seeing it exploited in the wild. So if you haven’t patched it…
Now, the song! Relax – Take It Easy is a song by Mika; it is also a jumbled-up (sadly not encrypted) version of ‘Kaseya tite’. Tite means quick, and you have to be quick, automated indeed, to stop this sort of thing. Maybe then you can relax.