Published on the 08/07/2021 | Written by Heather Wright
Supply chain hacks push incident response plans to fore…
Giovanni Russello doesn’t have great news for Australian and New Zealand businesses wondering what protections they can put in place against supply chain hacks such as last weekend’s Kaseya attack.
“There’s not really a lot companies can actually do to protect themselves from supply chain hacks like this one,” says Russello, head of the School of Computer Science at the University of Auckland and a cybersecurity expert. “That is why supply chain attacks are so devastating.”
Hackers – ones associated with the Russian-linked REvil ransomware-as-a-service group have claimed responsibility – infiltrated US-based Kaseya last week, exploiting a security vulnerability in the vendor’s VSA remote management and network monitoring product, used by managed service providers around the world. The attack was used to deploy ransomware to networks using Kaseya VSA, with the hackers demanding US$70 million in bitcoin in exchange for data stolen.
Kaseya said it had shut down access to the software in question within an hour of being alerted to a potential attack.
Kaseya customers were warned to shut down on-premise servers immediately and Kaseya’s cloud service – which isn’t believed to have been affected – was taken offline as a precaution.
The company says ‘fewer than 60’ of its customers were impacted. But many of those customers are managed service providers managing the IT infrastructure for other businesses. Those 60 impacted customers translated to ‘about 800 to 1,500’ downstream businesses compromised, according to Kaseya.
Organisations across at least 17 countries, including Australia and New Zealand, South Africa, Canada and Indonesia were affected.
In New Zealand schools and kindergartens were knocked offline. The Australian Cyber Security Centre says it is working with Australian organisations impacted. Supermarkets in Sweden were forced to close after tills and self checkouts stopped working.
The Kaseya hack is the largest global ransomware attack disclosed, and follows similar supply chain attacks on SolarWinds, the US’ Colonial Pipeline, which disrupted fuel infrastructure and led to panic buying in the US, and the JBS attack, which impacted the meat processor’s Australian operations. REvil were behind the June JBS attack, which saw the meat processor pay a US$11 million ransom. Kaseya CEO Fred Voccola told Reuters he couldn’t confirm whether the company would pay the ransom or negotiate with ‘the terrorists’.
Russello dubs supply chain attacks – where an outside partner or third party is compromised providing access to the systems and data of downstream companies – ‘the low hanging fruit’ of the current cyber threat landscape.
“The more successful a company is in serving a large quantity of customers – in this case other businesses – the more impact you can get with one attack. It is going for the low hanging fruit: Maximum impact with minimal effort.”
“These repeating attacks are a wake-up call that supply chain security needs to be top of mind,” says Ben Carr, CISO at cloud IT, security and compliance vendor Qualys.
“MSPs are a lucrative target with access to multiple customers’ mission-critical data, which acts as a validator for an astronomically high ransom demand.”
So what can you do?
Even with all the right protections in place, there’s still potential for an organisation to be compromised, particularly through supply chain attacks.
Andrew Hampton, director general of New Zealand’s Government Communications Security Bureau, says it’s critical for organisations to think about incident response and know how to continue their business even if systems are locked down.
The GCSB’s Supply Chain Security guidance includes three key phases in establishing effective capability to manage supply chain cyber risk and improve cyber resilience:
- Identify supply chain entities and supplier management processes
- Assess the cyber threat landscape and determine which suppliers are most critical and
- Establish processes to effectively manage supply chain risk and continuously improve your organisation’s cyber resilience
Having an incident response plan also features high in advice from CertNZ, New Zealand’s Computer Emergency Response Team.
Michael Shearer, CertNZ principal advisor – threats and vulnerabilities, says the Kaseya hack shows the importance of a defence-in-depth approach, given cyber security attacks can happen in a variety of ways.
“Our top 11 tips for businesses provide organisations with advice on actions they can take to protect themselves against a range of incidents,” Shearer told iStart.
“It is important to note that organisations can’t just rely on one or two of these actions to protect themselves against all potential attacks.”
Many of those 11 tips would have done little to protect against a supply chain hack like the Kaseya one, but Shearer calls out two tips in particular to protect against such an attack:
- Back up business and customer data so if it’s lost or stolen you can recover it quickly. Backing up your data on an external hard drive or cloud service will enable you to get at a copy of lost or stolen data quickly.
- Have an incident response plan because no matter how well you prepare, things sometimes go wrong, Shearer says. “Having a step-by-step plan will help you take control of the situation if the worst were to happen and will help reduce the impact on your business.”
Russello says while having redundancy of some sort – such as having a second similar service from another vendor – would be the ideal solution, it’s not realistic for many.
“This is very expensive. Not only do you need to pay twice, but you need also to make sure that the two services are fully synchronised.”
Having a local backup of data, not linked to the main service, as advocated by CertNZ, is a more realistic option for many, though he notes it’s not a bulletproof solution, and depends on the specific application or service.
“Maybe this data is not going to be the best up-to-date but it will get the business going in case of a ransomware attack.”
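The backup advice above only works if the copy is genuinely detached from the production system and if you have checked, before the bad day, that it can actually be restored. The following script is an added illustration of that idea and is not code from CertNZ, Kaseya or anyone quoted in this article. It assumes plain files on disk and a backup root the production service cannot write to (a detached drive or a separate account); the file names, directory names and the “ransomware” overwrite are all constructed for the demo. It takes a snapshot with a SHA-256 manifest, detects which live files were changed or removed, confirms the snapshot itself is still intact, and restores only the damaged files.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical name for the per-snapshot hash list


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(src: Path, backup_root: Path, name: str) -> Path:
    """Copy every file under src into backup_root/name and record a manifest
    of relative path -> SHA-256. backup_root is assumed to be a location the
    production service has no write access to, otherwise the same malware
    that encrypts the live data can encrypt the backup."""
    dest = backup_root / name
    dest.mkdir(parents=True, exist_ok=False)  # refuse to overwrite a snapshot
    manifest = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        manifest[rel.as_posix()] = sha256_file(target)  # hash the copy, not the original
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def check_live_data(src: Path, snapshot: Path) -> dict:
    """Compare the live tree with the snapshot manifest and report files whose
    content no longer matches (e.g. encrypted) or which have disappeared."""
    manifest = json.loads((snapshot / MANIFEST).read_text())
    changed, missing = [], []
    for rel, digest in manifest.items():
        live = src / rel
        if not live.exists():
            missing.append(rel)
        elif sha256_file(live) != digest:
            changed.append(rel)
    return {"changed": changed, "missing": missing}


def verify_snapshot(snapshot: Path) -> bool:
    """Confirm the backup copy still matches its own manifest before trusting
    it as a restore source."""
    manifest = json.loads((snapshot / MANIFEST).read_text())
    return all(sha256_file(snapshot / rel) == digest for rel, digest in manifest.items())


def restore(snapshot: Path, src: Path, paths: list) -> int:
    """Copy the listed files back from the snapshot into the live tree."""
    for rel in paths:
        target = src / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / rel, target)
    return len(paths)


def demo() -> dict:
    """Constructed scenario: two files, one snapshot, then one live file
    overwritten with junk to stand in for ransomware, then detect and restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup_root = Path(tmp) / "detached_backup"
        (live / "customers").mkdir(parents=True)
        (live / "customers" / "list.csv").write_text("id,name\n1,Alice\n")
        (live / "invoices.txt").write_text("INV-001 paid\n")

        snap = take_snapshot(live, backup_root, "snapshot-001")
        (live / "invoices.txt").write_bytes(b"\x00garbage")  # simulated encryption

        report = check_live_data(live, snap)
        backup_ok = verify_snapshot(snap)
        restored = restore(snap, live, report["changed"] + report["missing"]) if backup_ok else 0
        clean_after = check_live_data(live, snap) == {"changed": [], "missing": []}
        return {"detected": report["changed"], "backup_ok": backup_ok,
                "restored": restored, "clean_after": clean_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `verify_snapshot` is the part most teams skip: a backup that has never been read back is an assumption, not a recovery plan, which is exactly the gap an incident response plan is meant to close.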
Daniel Watson, SMB cybersecurity expert, Vertech managing director and author of cybersecurity guide She’ll Be Right (Not!), meanwhile says companies using IT service providers should ask their provider if they’re cloud or server based.
He says onsite servers are often easy pickings for criminals, noting that Kaseya’s software-as-a-service offering wasn’t impacted. Those that were impacted had downloaded the licensed software to their onsite servers.
“There is a bit of a division in the IT industry,” Watson says. “Most trust the cloud; some prefer onsite servers – which is more profitable – and it is these latter onsite systems that are getting smashed.
“There’s no real excuse for using servers other than profit or if a client has an application that doesn’t work well in the cloud or your enterprise resource planning (ERP) software doesn’t have a cloud option,” he says.
“Ask your IT support company if they are cloud or server-based and the reason for their decision. Onsite servers mean you are relying on them to keep their operating systems, applications and security up-to-date.”
Knowing your IT support company’s crisis plan – including whether they can call on other companies for urgent matters – is also important, Watson says.
“Most good IT support companies will welcome a discussion about their crisis planning.”
He’s also a fan of cyber insurance for both businesses and their IT providers.
“Insurance brokers that I have spoken with tell me that, on average, just six per cent of their clients have cyber insurance – it could be the same with IT support companies.”
Kaseya is working with law enforcement and government cybersecurity agencies in the US, including the FBI, and the Cybersecurity and Infrastructure Security Agency.
While SaaS services were expected to be brought back online, one by one starting with the EU, UK and APAC data centres on July 5, an update from Kaseya on July 7 (US time) said an ‘issue’ was discovered during the VSA SaaS deployment, blocking the release.
“We are resolving the issue that is related to our SaaS infrastructure and we plan on beginning to restore SaaS services no later than the evening of Thursday July 8, US time.”
A runbook of changes required for on-premises environments is due to be published later today so customers can prepare for the release of a patch.
The Dutch Institute for Vulnerability Disclosure (DIVD) says it had identified ‘a number of the zero-day vulnerabilities which are currently being used in the ransomware attacks’. Those vulnerabilities had been reported to Kaseya, who were working to patch the vulnerabilities when the attack happened.
“During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched,” Victor Gevers, chairman and head of research for DIVD, says in a blog post. “They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”