Kaseya was warned of security flaws years before attack
Five former employees at IT management software provider Kaseya say company leaders were warned of critical security flaws in its software, flaws that enabled a devastating ransomware attack on 2 July affecting up to 1 500 companies.
According to Bloomberg, the employees, who asked to remain anonymous because they had signed non-disclosure agreements or were concerned about professional retribution, said they flagged several cyber security concerns to executives between 2017 and 2020, which weren’t fully addressed.
Among the most obvious issues, the employees claimed, were outdated code in the software, the use of weak encryption and passwords in the company's products and servers, a failure to enforce basic cyber security practices such as regular patching, and a focus on sales at the expense of other priorities.
The attack went through the on-premises VSA servers that Kaseya's customers run themselves. It was initially suspected that Kaseya's own systems or update pipeline had been compromised as the root cause, as in the SolarWinds attack disclosed in December 2020, but that was not the case.
The attackers instead discovered and exploited a zero-day vulnerability in Kaseya's VSA software for which no patch was yet available.
Tracking the attack
Managed threat detection and response company Huntress said in its blog that it was tracking approximately 30 MSPs across the US, Australia, the EU and Latin America where Kaseya VSA had been used to encrypt more than 1 000 businesses, and that it was collaborating with many of these entities.
“All of these VSA servers are on-premises and Huntress has confirmed that cyber criminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers,” the company said.
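The chain Huntress describes above (authentication bypass, arbitrary file upload, code execution via the uploaded file) is a well-known pattern against on-premises web applications. The following is an added, generic Python illustration written for this page: it is not Kaseya's code and does not claim to show how VSA was actually exploited. The directory layout, the executable-extension and allowed-extension lists, and the `session` dictionary are assumptions made for the demonstration; the "web shell" payload and filenames are constructed inputs.

```python
"""Arbitrary file upload: a weak handler beside a hardened one (illustrative, not VSA code)."""
import os
import re
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Assumed (hypothetical) server policy for this demo.
EXECUTABLE_EXTS = {".asp", ".aspx", ".ashx", ".php", ".jsp", ".cgi"}
ALLOWED_EXTS = {".png", ".jpg", ".pdf", ".txt", ".log"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")  # no '..', '/', '\\', spaces


def would_execute(webroot: Path, path: Path) -> bool:
    """True if the (hypothetical) web server would both serve and execute this file."""
    p = path.resolve()
    return webroot.resolve() in p.parents and p.suffix.lower() in EXECUTABLE_EXTS


def vulnerable_upload(upload_dir: Path, filename: str, data: bytes,
                      session: Optional[dict]) -> Path:
    """Bug pattern: no authentication, client-controlled path, web-served target."""
    dest = upload_dir / filename            # "../shell.aspx" escapes upload_dir
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)                  # any extension, any content accepted
    return dest


def hardened_upload(store: Path, webroot: Path, filename: str, data: bytes,
                    session: Optional[dict]) -> Path:
    """Same operation with a check closing each hole in the chain."""
    if not session or not session.get("authenticated"):
        raise PermissionError("login required")          # fail closed, never bypassable by URL
    name = os.path.basename(filename)                     # drop client-supplied directories
    if not SAFE_NAME.match(name):                         # also rejects backslash traversal
        raise ValueError(f"rejected filename: {filename!r}")
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_EXTS or ext in EXECUTABLE_EXTS:
        raise ValueError(f"extension not allowed: {ext}")
    if store.resolve() == webroot.resolve() or webroot.resolve() in store.resolve().parents:
        raise RuntimeError("upload store must not be web-served")  # misconfiguration guard
    dest = store / f"{secrets.token_hex(16)}{ext}"        # server-chosen name, no overwrite
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both handlers against a constructed 'web shell' upload and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "wwwroot"
        store = Path(tmp) / "uploads"        # deliberately outside the webroot
        (webroot / "files").mkdir(parents=True)
        store.mkdir()
        payload = b'<%@ Page Language="C#" %><!-- constructed stand-in for a web shell -->'

        # 1. Unauthenticated traversal into the webroot succeeds against the weak handler.
        landed = vulnerable_upload(webroot / "files", "../shell.aspx", payload, session=None)
        results["vulnerable_path_escaped"] = landed.resolve().parent == webroot.resolve()
        results["vulnerable_would_execute"] = would_execute(webroot, landed)

        # 2. The hardened handler refuses each step of the chain in turn.
        for label, sess, name in (("unauthenticated", None, "../shell.aspx"),
                                  ("traversal", {"authenticated": True}, "../shell.aspx"),
                                  ("executable", {"authenticated": True}, "shell.aspx")):
            try:
                hardened_upload(store, webroot, name, payload, sess)
                results[label] = "accepted"
            except (PermissionError, ValueError) as exc:
                results[label] = type(exc).__name__

        # 3. A legitimate upload lands outside the webroot under a random, non-executable name.
        ok = hardened_upload(store, webroot, "report.txt", b"quarterly numbers",
                             {"authenticated": True})
        results["legitimate_stored_outside_webroot"] = store.resolve() in ok.resolve().parents
        results["legitimate_would_execute"] = would_execute(webroot, ok)
        results["legitimate_name_is_random"] = ok.name != "report.txt" and ok.suffix == ".txt"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is that each of the three named weaknesses is closed independently: the request is rejected before any filesystem work if it is unauthenticated, the name is rebuilt on the server rather than trusted, and the store is kept out of any directory the web server executes from, so even a file that slips past the extension check is never interpreted as code.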
Huntress said its team had been in contact with Kaseya's security team since the initial attack, adding that Kaseya began taking response actions and feedback from Huntress as soon as the situation started to unfold.
According to Huntress, this is far from the first time attackers have targeted MSPs as supply chain entry points.
Previously unseen tactics
The threat actors behind this attack, REvil, a Russian-speaking ransomware gang, adopted two tactics not previously seen from a criminal ransomware operation, along with a level of planning and sophistication closer to government-backed hackers than to a routine criminal operation, researchers say.
Particularly concerning was the use of a zero-day vulnerability, and the choice of target: rather than a single organisation, the gang compromised an entity with a small but critical role in the Internet ecosystem, which gave it reach into what amounts to hundreds of thousands of potential victims.
"What we're seeing here is the tactics of more sophisticated adversaries, like nation-states, trickling down toward these less sophisticated, more financially motivated criminal ransomware groups," said Jack Cable, a researcher at the Krebs Stamos Group and founder of ransomwhe.re, a website that tracks ransomware payments.
The full might of the US
On 3 July, US President Joe Biden announced that he was directing the "full resources of the government to assist in the response to the attack". Although he said the government was not yet sure who was behind the attack, Kaseya has acknowledged receipt of a ransom note from REvil, the group behind the JBS USA ransomware attack. The White House has said the US will take action against the gangs involved if the Russian government does not.
Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, issued a caveat: "Counter-attacks against sovereign states, performed without a convincing attack attribution based on sound evidence of the original aggression, will contradict the Tallinn Manual and will likely violate international law."
Moreover, he said, any country that is attacked will probably retaliate with state-backed hacking campaigns that could rapidly create chaos and national disaster by damaging critical infrastructure, including hospitals, airports, and gas or water supply chains.
"Worse, Western countries have highly digitalised economies, being specifically susceptible and vulnerable to large-scale cyber-attacks. Eventually, many innocent US citizens may fall victims to the spiralling cyber war.”
He added that counter-operations in cyberspace will not treat the root causes of ransomware, such as widely ignored cyber security hygiene, pervasive carelessness and the underestimation of cyber risk.
“The money spent on offensive operations would be better off spent on hardening national cyber defence capacities including the creation of cyber security awareness and support programs for SMEs. Finally, to catch up with the EU, the US should finally consider implementing federal data protection and privacy law that has been expected for over a decade. Prevention, regulation and cyber defence is a key to sustainable protection of any country, while cyber war is a reliable recipe to multiply losses and brings no desired outcomes.”
A marketable business
This kind of attack isn’t new, says Bruce Snell, VP: Security Strategy and Transformation at NTT Security.
“We’ve seen REvil in action before. But it does show a progression in the ransomware-as-a-service economy making it clear to the industry, if it wasn’t already, that cyber crime is now a veritable marketable business. This latest attack highlights for us the interconnected nature of everything, and the importance of having actionable threat intelligence and a solid incident response plan to fight these zero-day vulnerability attacks.”
According to Snell, this is yet another reminder, as with the SolarWinds, Colonial Pipeline and JBS attacks in the chain of incidents that led to President Biden's Executive Order, that the supply chain needs strengthening and that organisations need to expect more from each other in terms of cyber security hygiene.
Paying one way or another
Laura Hoffner, chief of staff at Concentric, a security and risk management firm on the US west coast, says ransomware and cyber extortion as a whole have recently started to affect even those not specifically targeted. "Ransom payments from cyber extortions were a $350 million industry in 2020, up 311% from 2019."
She says those that don't pay the ransom still pay in other ways, with the average cost of downtime resulting from the extortion being 24 times higher than the average ransom amount.
Support for a cyber extortion event, she says, is threefold: first, preparation, to prevent the extortion from being possible at all; second, response, which includes threat verification, access, ransom negotiation and cryptocurrency payment; and finally, post-incident analysis and a re-run of the cyber audit to prevent follow-on targeting.
“Unfortunately, corporations need to keep in mind that even if a ransom is paid, the extorting party still maintains sensitive data that they could still release, at will. Negotiations only encourage the destruction of stolen data, but have no way to enforce that.”
According to Hoffner, the most effective way of avoiding this scourge is to ensure systems are regularly audited and that staff are fully aware of current phishing and extortion trends.
“No matter how 'locked down' a system may be, the weakest link will always remain the human. All workers need to be on constant alert as to what links they're clicking on and who they're giving access for what,” she ends.