Taking a closer look at one of the largest ransomware attacks on record reveals insights into how it could have been prevented and what companies can do to minimize their risk of becoming the next victim.
Earlier this year, the Russian-linked cybercriminal organization REvil launched the single biggest global ransomware attack on record. The breach infected thousands of victims in more than 17 countries, and the attackers demanded $70 million in cryptocurrency to unscramble all the infected machines. What made this breach especially noteworthy was the specific conduit the criminals used to gain access to the victims: Kaseya VSA (virtual systems/server administrator), a remote monitoring and management (RMM) solution. RMM solutions are commonly used by managed services providers (MSPs) and managed security services providers (MSSPs) alike. What makes them particularly attractive to cybercriminals is that each MSP/MSSP breach has an enormous trickle-down effect. For example, CBS News reported that Swedish grocery chain Coop had to close most of its 800 stores for multiple days because the attack crippled its cash register software supplier. Thus, not only do these “one-to-many” attacks lead to more victims in a shorter period, but they also lead to bigger payoffs for the attackers.
How it Happened, and How it Could Have Been Prevented
Talos, Cisco’s worldwide commercial threat intelligence team, composed of world-class researchers, analysts and engineers who scan the world for new cyberattacks, new URLs, malware and spoofs, shared the following analysis:
- This event consisted of two separate but related incidents. The initial compromise resulted from a zero-day attack against MSSPs that enabled adversaries to conduct a service supply chain attack on additional victims.
- The initial compromise of Kaseya VSA servers appears to have resulted from the successful exploitation of an unpatched software vulnerability (CVE-2021-30116), which allowed attackers to obtain privileged access to vulnerable Kaseya VSA servers for ransomware deployment.
- Attackers first infected victims via a malicious automatic update to the software, eventually delivering the REvil/Sodinokibi ransomware. Once active in victim environments, the ransomware encrypts the contents of systems on the network, causing widespread operational disruptions to a variety of organizations that use this software.
- Ransom demands varied across victim organizations. This indicates that once attackers obtained access to VSA servers, the server configuration was analyzed to identify victims before activating malicious ransomware payloads.
- The REvil ransomware samples identified as being associated with this attack were configured to disable communication with the C2 (command and control) infrastructure customarily used to send encryption information and statistics.
Less than two weeks after the Kaseya hack, some former Kaseya software engineers and developers said the attack “could and should have” been prevented. According to a report by Bloomberg, the former employees had expressed frustrations to the company over various security problems such as outdated code, weak encryption and passwords in products, and the general failure to meet basic cybersecurity requirements, including continuous patching of its software and servers.
Additionally, the Dutch Institute for Vulnerability Disclosure (DIVD) said that one of its researchers discovered seven vulnerabilities in Kaseya’s VSA remote monitoring and management product in April and notified the vendor about the flaws less than a week later. Kaseya resolved four of the vulnerabilities disclosed by DIVD through patches released April 10 and May 8, but three vulnerabilities remained unresolved heading into late June, according to DIVD.
How Presidio Protects Its Customers
A cybercriminal can target any company. But, following security best practices significantly reduces the chances of an attack breaching a network—and even if a breach does occur, following best practices helps quickly mitigate the damage. Besides using Cisco security solutions, which include added threat intelligence from Talos, the Presidio cybersecurity team follows industry best practices, such as:
- Enabling and enforcing multifactor authentication (MFA) on all accounts and customer-facing services
- Implementing whitelisting to limit RMM communication to only known IP addresses
- Putting RMM admin interfaces behind a VPN or firewall on a dedicated network
- Making sure backups are performed regularly using a 3-2-1 strategy, which includes three copies of your data, on two different systems, with one copy stored offline
- Using MFA and the Principle of Least Privilege for network admin accounts
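The practices above are easy to state and easy to let drift. As an added example (not code from Presidio, Cisco or Kaseya), the following script audits an RMM deployment's settings against that list: MFA enforced, agent traffic limited to known IP ranges, the admin interface kept off the public network and behind a VPN, a 3-2-1 backup policy, and a single global-admin account as a simplified least-privilege check. The configuration schema, the field names and both sample configurations are constructed assumptions, not any vendor's real settings; the IP ranges are documentation addresses.

```python
"""Audit an RMM deployment's settings against common hardening practices.

Added example. The configuration format below is a constructed
assumption, not Kaseya VSA's or any other vendor's real schema.
"""
import ipaddress

# Constructed sample: a weak configuration (every check fails) ...
WEAK_CONFIG = {
    "mfa_required": False,
    "agent_allowlist": ["0.0.0.0/0"],  # any source may reach the RMM
    "admin_interface": {"network": "public", "behind_vpn": False},
    "backups": {"copies": 1, "media_types": 1, "offline_copies": 0},
    "admin_accounts": [
        {"name": "ops", "roles": ["global-admin"]},
        {"name": "helpdesk", "roles": ["global-admin"]},  # over-privileged
    ],
}

# ... next to a hardened one (every check passes). 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges, used here as placeholders.
HARDENED_CONFIG = {
    "mfa_required": True,
    "agent_allowlist": ["203.0.113.0/24", "198.51.100.7/32"],
    "admin_interface": {"network": "mgmt-vlan", "behind_vpn": True},
    "backups": {"copies": 3, "media_types": 2, "offline_copies": 1},
    "admin_accounts": [
        {"name": "ops", "roles": ["global-admin"]},
        {"name": "helpdesk", "roles": ["ticket-reader"]},
    ],
}


def allowlist_is_restrictive(cidrs):
    """True only if the list is non-empty and every entry is a real network
    narrower than a default route (0.0.0.0/0 or ::/0 means 'no restriction')."""
    if not cidrs:
        return False
    for entry in cidrs:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # unparseable entries are treated as a failure
        if net.prefixlen == 0:
            return False
    return True


def audit_rmm_config(cfg):
    """Return a list of failed checks; an empty list means every practice is met."""
    findings = []

    if not cfg.get("mfa_required"):
        findings.append("MFA is not enforced for all accounts")

    if not allowlist_is_restrictive(cfg.get("agent_allowlist", [])):
        findings.append("RMM communication is not limited to known IP addresses")

    admin = cfg.get("admin_interface", {})
    if admin.get("network") == "public" or not admin.get("behind_vpn"):
        findings.append("RMM admin interface is reachable outside a VPN on a dedicated network")

    b = cfg.get("backups", {})
    # 3-2-1: three copies, on two kinds of media/system, one of them offline.
    if b.get("copies", 0) < 3 or b.get("media_types", 0) < 2 or b.get("offline_copies", 0) < 1:
        findings.append("backups do not follow the 3-2-1 strategy")

    # Simplified least-privilege check: more than one global admin is a finding.
    global_admins = [
        a["name"] for a in cfg.get("admin_accounts", [])
        if "global-admin" in a.get("roles", [])
    ]
    if len(global_admins) > 1:
        findings.append(f"more than one global-admin account: {global_admins}")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_rmm_config(cfg) or 'no findings'}")
```

Run it against a real export of your RMM settings (after mapping the vendor's field names onto the keys used here) and treat any non-empty result as a ticket, not a warning; the allowlist check in particular catches the common mistake of leaving a catch-all route in place "temporarily" during onboarding.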
All these security best practices (and more) are summed up in our Zero Trust strategy, which you can learn more about here.