What You Need To Know About The Kaseya Ransomware Attack; And Why You Shouldn’t Be Surprised

Carlo Cadet | July 8, 2021 | tag: Data Breaches

It happened again - another disruptive ransomware attack. On July 2, 2021 Kaseya, a Florida-based software provider that provides Remote Management Monitoring, warned of its software being abused to deploy ransomware on end-customers' systems.

The attack has been attributed to the REvil ransomware group, who have claimed to have encrypted over one million end-customer’s systems.

Kaseya has shut down its cloud-based Kaseya VSA product and has contacted their customers to do the same for on-premises Kaseya VSA deployments, while they patch the underlying vulnerabilities. Kaseya VSA is widely installed and so presents a large opportunity for attackers. Via netflow data recorded prior to the incident, BitSight observed traffic from 7,500 endpoints connecting to Kaseya’s management endpoint; most of these were likely VSA clients. 

After the attack, BitSight data observed a steep decline in the count of vulnerable Kaseya servers exposed to the Internet, indicating that, encouragingly, most vendors responded quickly by taking instances offline. In the month preceding the incident, BitSight observed approximately 1,900 Internet-facing Kaseya VSA instances. In contrast, a targeted scan on July 7 found fewer than 100 instances (which remained vulnerable, however).

Should we be surprised? Probably not.

 

Nearly 80 Ransomware attacks have occurred during each month of 2021 this year, according to BitSight ransomware analysis. The REvil/Sodinokibi group is the market-leading “solution”, accounting for nearly 15% of attacks. Hackers are infiltrating victims with multiple tactics, including phishing and exploiting vulnerabilities, and then dropping the ransomware payload.

An alarming, but growing trend

 

The Kaseya attack underscores the software supply chain risks. Software vulnerability exploits lie at the heart of notable attacks, from the crippling 2017 NotPetya attack resulting from an exploited Ukranian accounting software vendor, to the recent SolarWinds, Hafnium, Accellion and now Kaseya incidents.  

In April, 2021 NIST published recommendations on Defending Against Software Supply Chain Attacks. This followed the unusual step taken by the NSA in October 2020 to identify the top 25 software and hardware vulnerabilities being actively exploited by Chinese state-sponsored cyber actors.

Lone wolf cyber attackers are being eclipsed by threat actors operating at industrial scale. Some groups, including ReVil, are clearly financially motivated. Similar groups operate with similar business models seen in well known commercial brands - SLA’s, customer service, multiple fee-sharing agreements for ransom payments, etc. 

The national security impact

 

From a national security perspective, state sponsored actors are drawing increasing attention. US President Biden added cyber security as part of the agenda in the bi-lateral conversations with Russia and also added it to the G7 agenda. Regardless of motivation, cyber attacks are both increasing in frequency and impact.

What could the future of ransomware attacks look like?

 

There is some encouraging news: Commercial software development practices are improving. 

The DevOps mantra of shifting left is benefiting secure coding practices.  GitLab’s Fifth Annual Global DevSecOps Survey reveals that increasingly automated software pipelines are implementing approaches to discover security vulnerabilities prior to code getting shipped.  While clearly a best practice, it will unlikely result in ever consistently delivering 100% secure code.

Despite the growing traction of DevSecOps practices, the list of published Common Vulnerabilities and Exposures (CVE)  is growing. Over the period of 2015 to 2020, the number of CVEs reported rose 183%, from 6,487 to 18,358.

New CVE by year sourced from NIST.

 

Key factors fueling the ransomware fire

 

2020 saw a nearly 10x increase in Ransomware compared to 2018, setting a new level that is likely to be matched again in 2021.

Ransomware is growing because it is financially efficient. The growth of crypto currency, which is difficult to trace, has made it easy for hackers to collect, becoming a critical ransomware enabler.

At the same time, cybercrime groups have found safe operating havens (i.e., Russia) and adopted corporate practices promoting specialization of skills along with distributed responsibilities. ReVil develops ransomware, and affiliates execute attack campaigns. 

Vulnerability management is a never ending process


The trend is against InfoSec teams, but the response strategy is clear. Vulnerability management is not optional, and requires diligent effort and cybersecurity updates. New CVEs are discovered, and cybercrime teams have a steady supply of opportunities both old (NSA 25) and new to exploit. The monthly Patch Tuesday ritual may ultimately evolve to become a daily practice.

At the same time, we know that many organizations are challenged by poor patching performance and, and so operate at higher risk of being breached. Patching cadence (the elapsed time between software patches becoming available compared to when patches are implemented) is a strong security program performance indicator. The more time that passes between patch available and patch implemented indicates lower performance. Unsurprisingly, poor patching performance correlates to a nearly sevenfold increase in ransomware risk for companies with a C grade or lower.

What we also know is that cyber security leaders who share a continuous improvement mindset are 5.9x more likely to report significant and continued security posture improvement over the past 12 months. In other words, they are constantly refining practices and measuring process gains, and are maintaining strong patching cadence

Conclusion

 

Cyber attacks will continue. They should now be factored into the cost of doing business. Too many business leadership teams see cyber risk as exclusively a technical risk. A 2020 ESG survey found 69% of business and technology leaders believe cybersecurity is entirely or mostly a technology area with little or no linkage to the business. 

This is false; ransomware is a business risk. Ransomware attacks cause business disruption lasting days (Colonial Pipeline) into sometimes weeks (Maersk). 

To learn more about the growing ransomware threats targeting businesses globally, read our report.

Ransomware: The rapidly evolving trend ebook

Suggested Posts

What You Need To Know About The Kaseya Ransomware Attack; And Why You Shouldn’t Be Surprised

It happened again - another disruptive ransomware attack. On July 2, 2021 Kaseya, a Florida-based software provider that provides Remote Management Monitoring, warned of its software being abused to deploy ransomware on end-customers'...

READ MORE »

Cybersecurity Protection in the Wake of a Rough Six Months – Industry Experts Weigh In

In the six months since the SolarWinds supply chain attack there has been increased action in the cybersecurity breach world – and the bad actors aren’t letting up. This means that cybersecurity protection is more critical than ever. 

READ MORE »

Colonial Pipeline is Not Alone: Ransomware Risk in the U.S. Oil/Energy Sector

After last week’s catastrophic cyber incident targeting Colonial Pipeline, could more U.S. Oil and Energy companies be at risk of a ransomware attack? 

READ MORE »

Get the Weekly Cybersecurity Newsletter.