Kaseya Ransomware Breach: What Can We Take Away From This?

What Happened To Kaseya?

Kaseya is yet another big name in the long list of companies that have been hit with a ransomware attack this year. The company is a key software vendor for over 40,000 companies including Coop, a large supermarket chain that had to temporarily close all of their shops when workers were unable to use their cash registers.

The breach occurred this past week on July 2nd and extended through Independence weekend. Officially, Kaseya has stated that only about 50 of its customers were compromised by the attack but more than 1,500 businesses were caught in the crossfire. A majority of those, according to researchers, are small to medium-sized companies.

It is unlikely that the intricacies of this attack were coincidental. Everything from the choice of a holiday weekend as the date of the attack to the choice of a critical software provider such as Kaseya as the target seems premeditated.

The group behind the breach is believed to be a hacking syndicate known as REvil. If that name sounds familiar, it is likely because that same group was able to extort $11 million from JBS, a major meat supplier, just days prior.

From SolarWinds to Accellion to Colonial Pipeline Co to JBS and now to Kaseya, the list of ransomware attacks on notable companies continues to grow rapidly.

Bad Actors And Their Demands

After the attack occurred, REvil announced their involvement in a blog post on the Dark Web.

The group is thought to have ties to Russia, as many of their chat logs indicate that they communicate in Russian. As previously mentioned, REvil has been linked to the JBS breach, but it also has an extensive list of victims that includes Acer and Travelex.

As for Kaseya, the syndicate is currently demanding a ransom of $70 million in cryptocurrency for a universal key to unlock all of the encrypted systems. They are, however, also willing to bargain individually with companies that want their data back.

Kaseya has noted that every expert who has consulted with them on the issue has strongly advised against paying for the universal key. This is because it is unlikely that all of the systems could be remediated at once. An even more worrying possibility is that the key might never be delivered at all.

Just a couple of days ago, it was announced that REvil had vanished from the web, with their whereabouts unknown.

What Was The Cause Of The Breach?

Kaseya has a history of glossing over vulnerabilities. For years, employees have voiced their concerns over outdated code, poor encryption, and a lack of timely patching. One vulnerability in particular, involving their billing and customer support website, took over 6 years to remediate.

This, however, was not the vulnerability that caused the breach itself. The security hole that allowed the hackers to infiltrate Kaseya was a zero-day vulnerability in VSA, their proprietary remote management software.

In layman’s terms, a zero-day vulnerability is a flaw that has only just been discovered, hence the "zero days" the vendor has had to fix it. Oftentimes, only the bad actors are aware of the flaw, which is especially risky for the companies involved.

As of July 11th, Kaseya was able to remediate these vulnerabilities. However, much of the damage has already been done, and we still do not know its full extent.

One vendor in particular that still seems to be reeling from its ransomware attack even months later is Accellion. More victims continue to be announced, with Morgan Stanley as the latest big name, revealed just a few days after Kaseya. Other notable names include Shell, Jones Day, Kroger, and the University of California school system.

Although Accellion’s reported number of victims is only about 300, their breach bears a striking resemblance to Kaseya’s. Both have a track record of not regularly patching their vulnerabilities. In fact, back in 2016, a single independent researcher was able to find and exploit vulnerabilities in Accellion’s file transfer application. This caused clients such as Facebook to drop the vendor. Kaseya, unfortunately, was not much better in this regard.

One employee even wrote a 40-page report detailing his concerns for the company, but the end result was his forced resignation. Many others quit of their own free will once they knew their voices were not being heard. Staff members have cited earlier ransomware breaches from 2018 to 2019 as evidence of Kaseya’s startling indifference.

The Importance of Third-Party Security

The ransomware attack on Kaseya that subsequently affected thousands of businesses in a chain reaction is yet another reminder of the importance of vendor security.

Third-party security risk has been a persistent thorn that has plagued businesses more and more over the past year. Hackers have preyed on vendors before, but this has been especially true as of late.

The idea behind third-party attacks is to target large supply chains rather than the individual companies themselves. A single compromised vendor gives bad actors the potential to steal sensitive data from a multitude of companies rather than just one.

In fact, one of the largest public breaches in recent history, the Target data breach, was caused by a third-party vendor. A report by the Ponemon Institute found that 61 percent of U.S. companies said they had experienced a data breach caused by one of their vendors, a 5 percent increase from the year prior.

This statistic is even more significant when you consider that about a fourth of the companies did not even know whether they had suffered a third-party breach in the past year. The prevalence of this risk, combined with the lack of awareness among these businesses, makes third-party security risk one of the most serious security hazards a business may face.

So What Can Be Done To Improve Vendor Security?

Third-party vendor security is an ongoing issue, and we have seen large companies pay much more attention to the companies they work with and the quality of their security programs. Oftentimes, these vendors do not invest in security and thus can be the weak link in the supply chain. So what can be done? It is going to take a concerted effort from both the supplier and the company.

Before getting into it, it is important to note that no business can be one hundred percent secure. Vendors must regularly patch their vulnerabilities and ask themselves how secure they can realistically be. On the other hand, enterprises must evaluate how confident they are in their vendors and find out what they can do to help.

As for ransomware, with attacks trending up, now is the time to take notice of important security practices.

Here are a few from Reza Zaheri, a cybersecurity awareness instructor from Udemy.

  • Be extremely paranoid about unsolicited emails and text messages that ask you to click a link, download a file, or do something out of fear
  • Always make sure your operating system, all applications, and your browser are automatically updated to the latest versions as they are released
  • Also remove any applications and apps you don’t need from your devices
  • Have offline backups of your most critical data, stored both in the Cloud and on an offline backup device such as a thumb drive. This is crucial so that if any ransomware encrypts the important files on your systems, you can easily restore from an offline backup ASAP
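An offline backup only helps if you can trust what you restore from it. The following is an added example (not code from the original post or from Reza Zaheri) showing one way to make that check concrete: write a SHA-256 manifest next to the backup when it is taken, then compare a restored copy against it so that files encrypted in place, deleted, or dropped in by an intruder are flagged before anyone relies on the restore. The manifest file name and the sample files are constructed for the demo.

```python
"""Hash manifest for an offline backup, plus a restore check.

The manifest is written alongside the backup; verifying a restored copy
against it catches files that were encrypted, altered, or lost before you
rely on them. This is illustrative code added to the article, not a tool
from Kaseya, Accellion, or the author.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"  # assumed file name, not from the article


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(root: Path) -> Path:
    """Persist the manifest next to the backed-up data and return its path."""
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(root), indent=2, sort_keys=True))
    return out


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns lists of files that match, differ (e.g. encrypted in place),
    are missing, or were never part of the original backup.
    """
    current = build_manifest(restored)
    result = {"ok": [], "modified": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: back up three files, then check a 'restored' copy
    in which one file was overwritten, one was deleted, and a stray file appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("Q2 figures (constructed sample)")
        (src / "docs" / "notes.txt").write_text("meeting notes (constructed sample)")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = json.loads(write_manifest(src).read_text())

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        # Simulated damage to the restored copy (constructed, no real malware involved):
        (restored / "docs" / "report.txt").write_bytes(b"\x00\x17junk")  # contents replaced
        (restored / "config.ini").unlink()                               # file gone
        (restored / "README_RESTORE.txt").write_text("unexpected file")  # not in backup
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep a copy of the manifest (or at least its own hash) somewhere the backup media cannot reach, such as a printout or a separate read-only location; a manifest stored only next to the data can be rewritten along with it. Running the verification as part of a scheduled restore drill, not just after an incident, is what turns "we have backups" into "we can recover".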

At Tiro Security, we offer cost-effective, quality, third-party supplier risk assessments and online security awareness training that can help mitigate vendor security risks. Tiro Security has helped some of the most well-known companies assess their small to medium vendors in a thorough and cost-effective way. If you are a large company looking to audit your vendors, or a vendor being asked to comply with a client’s audit, reach out to us to find out how we can help.

Contact us now to schedule a comprehensive assessment or learn more about our services.
