On Friday, July 2nd around 2PM, the hacker group REvil successfully compromised the popular Managed Service Provider (MSP) tool Kaseya. Kaseya provides Remote Monitoring & Management (RMM) functionality, including the execution of commands on client computers.
REvil exploited this ability through a vulnerability in the Kaseya platform for which no patch was available. Such events are called zero-day exploits, meaning the software developer was either unaware of the flaw or had not yet had time to release a patch, which lets an attacker use the vulnerability to get into a system.
Let's take a look at how this attack transpired.
The REvil Attack on Kaseya
Once inside, REvil quickly deployed ransomware to the MSPs' clients and is demanding a $70 million ransom for the decryption of all affected systems.
According to Kaseya CEO Fred Voccola in a video statement on July 6, approximately 50 MSPs were affected. Those MSPs had between 800 and 1,500 client companies compromised.
If this sounds familiar, that's because it's another supply chain attack, a type that is becoming more common. Just last year, SolarWinds' Orion software was hacked, which led to the compromise of many large organizations, including federal agencies. Orion, like Kaseya, was meant to help monitor and protect client systems. Instead, it was used to deliver the attack.
The security risks to all organizations have increased dramatically, driven by how successful attackers have been at extracting a ransom from companies. If this behavior didn't pay, the attackers wouldn't be inclined to play. The Kaseya attack is another example of the significant market that exists for attackers to try breaking into business systems and demanding a ransom.
What Can We Learn From This Attack?
While Houk Consulting does not use Kaseya and is not impacted by this incident, we can still learn lessons to help prevent this from happening to our clients or us.
Some best practices around the use of these powerful tools:
- Strictly limit access into the system. Don't allow just anyone to knock on the door.
- Filter access by geography. If you don't need access from outside the US, don't allow access.
- Enable Multi-Factor Authentication for all RMM accounts. Just like any other cloud account, needing more than one key to get in is essential.
- Apply updates diligently and frequently. Unpatched systems will always pose a threat. Keep them updated.
- Audit and remove old accounts. Each account that exists creates risk. Remove old accounts.
- Use Modern Endpoint Detection and Response (EDR) instead of traditional antivirus. These newer security tools are more effective in dealing with today's threats.
- Have a response plan in place. Even with perfect controls, the risk is never completely eliminated. Plan for how you might respond in the event that the worst happens.
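Several of these practices (MFA on every RMM account, geographic filtering, and removing stale accounts) can be checked mechanically against an account export. The script below is an added illustration and is not code from Houk Consulting or from Kaseya; the account records are constructed sample data, and the field names (`user`, `mfa`, `last_login`, `last_country`), the 90-day staleness window, and the US-only allow list are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export of RMM accounts. The field names are an assumption
# for this example, not any vendor's actual schema.
ACCOUNTS = [
    {"user": "alice", "mfa": True, "last_login": "2021-07-01T13:00:00Z", "last_country": "US"},
    {"user": "bob", "mfa": False, "last_login": "2021-06-28T09:30:00Z", "last_country": "US"},
    {"user": "contractor-2019", "mfa": True, "last_login": "2020-11-02T17:45:00Z", "last_country": "US"},
    {"user": "svc-backup", "mfa": True, "last_login": "2021-07-02T02:10:00Z", "last_country": "RU"},
    {"user": "never-used", "mfa": False, "last_login": None, "last_country": None},
]

# Policy knobs (assumed values for the example).
ALLOWED_COUNTRIES = {"US"}   # geographic filter: only these login origins are expected
STALE_DAYS = 90              # accounts idle longer than this should be reviewed or removed
NOW = datetime(2021, 7, 6, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_accounts(accounts, now=NOW, allowed=ALLOWED_COUNTRIES, stale_days=STALE_DAYS):
    """Return (user, finding) pairs for accounts that violate the policy.

    Findings:
      no-mfa          - multi-factor authentication is not enabled
      stale           - never logged in, or last login older than stale_days
      login-from-XX   - most recent login came from a country outside the allow list
    """
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for acct in accounts:
        user = acct["user"]
        if not acct.get("mfa"):
            findings.append((user, "no-mfa"))
        last = parse_ts(acct.get("last_login"))
        if last is None or last < cutoff:
            findings.append((user, "stale"))
        country = acct.get("last_country")
        if country is not None and country not in allowed:
            findings.append((user, f"login-from-{country}"))
    return findings


def summarize(findings):
    """Count findings per category, useful for a periodic audit report."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for user, kind in audit_accounts(ACCOUNTS):
        print(f"{user:16s} {kind}")
    print(summarize(audit_accounts(ACCOUNTS)))
```

Run against a real export, the same three checks give a short list of accounts to fix or remove before the next audit cycle; the geographic check only looks at the most recent login, so a full review would apply it across the login history rather than a single record.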
We take the security of our systems and the protection of our clients seriously. That's why we spend so much of our time working proactively, auditing, checking, making recommendations, and ultimately improving client systems. We do the same for our internal security.
Modern Security Attacks Are Serious
Nothing is for 100% certain in the world of security. The Kaseya attack highlights that even if you do almost everything right, there is still a risk. Planning how to respond to these incidents is just as important as seeking to prevent them.
But you can significantly reduce that risk by following best practices. This applies both to MSPs themselves and, through a cycle of audit, recommendation, and improvement, to their clients.
These attacks show the importance everyone must place on security and controls. This is a severe situation that should be a wake-up call to both MSPs and the vendors of their tools. The stakes are high.