A flood of ransomware victims were hit the Friday before July 4th, this time all at once by leveraging a remote monitoring and management ("RMM") solution named Kaseya. Over 1,500 companies, including a grocery store coop, several schools, various small businesses and startups, and even a railroad company are known to have been affected, causing several to have to shut down operations.
Kaseya, the "RMM", is a tool used by managed service providers to remotely manage client devices. These MSPs are often used by smaller-sized companies to outsource IT services.
Hackers in this case exploited vulnerabilities in Kaseya's software update process, similar to the Solarwinds attack last December, to upload their ransomware program.
Attacks like this one, dubbed "supply chain attacks", are becoming a more frequently used strategy by ransomware gangs to distribute malicious code designed to extract payments from victims of all sizes. By focusing on breaching a distribution method like Kaseya's software, they're able to take down hundreds or even thousands of endpoints before being suppressed effectively by anti-virus and malware defenses.
This type of attack proves that startups and small businesses can be targeted and affected by sophisticated attackers. Through the conduit of modern IT infrastructure and the plethora of vulnerabilities that exist, malicious actors are increasingly becoming victims of a strategy that breaches one provider but affects many small related companies.
If your MSP runs Kaseya, or you're using it directly, disabling the software immediately is your best course of action as the investigation is underway. While Kaseya has shown a genuine commitment to responding to the attack, a patch for the malicious update is still in the works and as-of-yet undiscovered avenues may exist to exploit the attacker's existing access. Reach out if you need help disabling Kaseya.
RMM and related device management software can be wonderful tools to quickly and effectively respond to new threats by regularly rolling out security patches, configuring devices securely, etc. The irony is that they can also be used in attacks such as this to enable malicious actions such as the installation of ransomware.
The strategy of "Defense in Depth" should be leveraged by companies wishing to prepare for the next supply chain type or other increasing types of attacks. This strategy employs multiple security controls across the organization, and in various "depths", or layers of your technology and human processes in order to thwart an attacker that might make it through one of those layers from achieving their final goal.
We recommend employing each of the following high-impact controls to defend against these types of attacks:
While the above is just the start of a defense in-depth program, its existence will likely save you from many bad days. If you'd like help doing the above and building a cybersecurity program that will enable you to respond and recover more effectively to these accelerating attacks, reach out!
We're available to help at email@example.com, clicking the blue badge in the bottom-right of any page, or calling 888.HAVOCSHIELD. Stay safe!