Following the early May, 2021 Colonial Pipeline ransomware attack in the US that caused major disruption to fuel supplies on the US East Coast, on Saturday, 3 July, 2021, Miami-based software company Kaseya announced its servers were hacked which then spread through its 40,000 customers, many of which are large IT providers. These providers in turn offer services to hundreds of smaller businesses in almost every corner of the world. The hackers have offered to decrypt their victims’ computers for US$70 million!
The attack appears to be the work of the REvil gang, which targeted Kaseya, using its network-management package (VSA) as a conduit to spread the ransomware through cloud-service providers.
The federal Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. said in a statement that it is closely monitoring the situation and working with the FBI to collect more information about its impact. CISA urged anyone who might be affected to “follow Kaseya’s guidance to shut down VSA servers immediately.”
Couple of thoughts:
- Interesting but not surprising that this attack occurred over July 4 long weekend for US. This meant less NOC, SOC and Incident Response people were around to notice and react. Coincidence? I don’t think so.
- From a quick review of its website, Kaseya sells VSA as a system product AND other ‘adjacent’ products that help companies with business processes, network monitoring, compliance management and IT service desk. Kaseya also provides a while label (SAAS) service using its own products like VSA. So while the ransomware that came along with VSA updates is getting the attention, SAAS customers of Kaseya VSA are also affected.
- It is possible if not probable that Kaseya’s other system products may have been affected. Why do I say this? Well, if Kaseya’s VSA product development processes and systems got compromised in a manner that allowed injection of unauthorised code in to the VSA product, are the same development processes and controls and controls weaknesses in place for other products? This is a reasonable question. Kaseya does not appear to have said anything about this bigger systemic risk! So if you use other Kaseya products or white label services (via an MSP/ MSSP) then you have been warned! At least ask the question of your IT leaders and your service provider, NOW.
- This attack has spread out across the globe. I am a kiwi, so saw an MSN NZ article online Monday morning saying small and medium businesses and even a few schools got caught. Commenters in this article thought this was just bad luck for the victims, since ‘the hack has come in through their IT provider’, and ‘It’s not their IT provider’s fault either because it’s a problem that exists in the Kaseya software’. I disagree (to a point). At the end of the day, every organisation owns the responsibility to acquire, implement and manage their IT, including IT product and service providers. So if you are buying system products, did you ask the vendor about their quality controls over product code integrity? Did you ask for independent assurance reports on the development processes and environment? Did you at least ask for assurance reports on the SAAS environment from Kaseya or your MSP?
Delegation is NOT abrogation. Solarwinds and the Colonial Pipeline hack are recent and were a warning. IT system product supply chain attacks are very real, and their nature makes widespread damage to many organisations, both big and small, likely.
So if you are a small or medium business or organisation, I recommend you act on this third and latest warning!
Call to Action:
- Inventory your system products and service providers, and ask them hard questions about: product development controls and independent (SOC2) assurance on these development and distribution processes and controls; and SOC2 assurance on your MSP;
- check your own controls over system product implementation and operation and use of MSPs are adequate. SOC2 reports that you get from all your IT service providers have a section called ‘Controls at the User Organisation’. These are your responsibility!
- Ensure you have regular and really offline backups of your data and systems on a regular basis.
- Check your cyber insurance coverage. Talk to your broker if you are not clear on what coverage you have or do not have for an event like this.
- Ask your IT / Network team if firewall rules adequately restrict both inbound and outbound traffic to that is really required for business, or at least alert unusual traffic that could be an indicator that strange activity is taking place in your network of systems. If you have a complex network with ‘segments’ (which is becoming more accepted as a standard practice), also check that routing or firewall rules restrict traffic on an as needed basis between the segments. This can prevent bad things (i.e. malware and hackers) from moving around.