Comment by Richard Werner, Business Consultant at Trend Micro
Over the July 4 U.S. National Day weekend, a cyberattack hit service provider Kaseya and quickly spread to customers and other businesses. According to news platform Bleepingcomputer, about 50 of the provider’s direct customers fell victim to the attack, which in turn infected their own customers as service providers. Worldwide, the news agency said, about 1,500 companies are believed to have been affected. Trend Micro can also confirm that there were incidents in Germany as well. The time chosen for the attack, namely one of the most important holidays in the U.S., is no coincidence, but rather a calculation on the part of the perpetrators, and it worked. Not only are IT security teams generally understaffed on weekends and holidays, but the communication chains to the affected customers were also interrupted, allowing the attack to spread unhindered in many cases. If we assume the number of companies affected at the same time, the cyberattack is certainly one of the largest in the history of IT security. If you break it down into its individual parts, however, many parallels to other attacks come to mind. From the repetitive pattern, companies can learn some valuable lessons for their infrastructure:
It all starts with the vulnerability
In the “Kaseya” case, it is striking that the cybercriminals exploited a security vulnerability in the software that was known to the software manufacturer at the time of the crime and whose closure was already in the beta phase. The attackers therefore did not have much time left if they wanted to succeed. However, Kaseya is not to blame here: The service provider was made aware of the existence of the vulnerability via so-called “responsible disclosure” and worked on closing it. Nevertheless, the temporal connection is unusual and leaves room for interpretation. Although the patch issue is widely known in IT security, companies should keep in mind that attackers not only look for vulnerabilities in Microsoft or other widely used software variants, but also in the software of IT service providers. The focus here is particularly on applications that communicate directly with several customer devices. If you develop your own software, this circumstance must also be part of the risk calculation. It may also be worth considering the use of virtual patching to protect a vulnerability on a transitional basis.
The specifics of a supply chain attack
The entire incident can be broadly categorized as a “supply chain” attack. In this type of attack, the perpetrator first infects IT service providers. These are so interesting because they maintain IT connections to other companies, whether active or those that can be activated. For example, update mechanisms are used that directly perform updates in third-party systems, but also remote maintenance systems, order processing and the like. As a result, the perpetrators are able to take over a machine, usually a server, in the victim’s data center. Unlike “classic” attacks, this bypasses the entire network security as well as client-based security solutions. Only those that are activated on the server systems and monitor communications between server systems are then relevant. Especially in on-premises data centers, this is often just outdated antivirus technology. In addition, important security patches are often missing there – if they are operating systems with support at all. But this, at the core, is where the attack comes in. This circumstance ensures that the perpetrator can often eliminate the victim extremely quickly and move laterally in systems virtually undetected. The greater the initial damage, the better for the attacker, as this can build up tremendous pressure.
Kaseya’s special offer gave criminals the opportunity to reach not only companies directly, but also their customers. This explains the relatively large number of victims. Supply chain attacks are relatively rare because they are complicated and costly for an attacker. However, their effect is often fatal, as it involves the loss of data, reputation and customer trust. The current extortionists, for example, allegedly demanded a ransom of $70 million.
Lessons learned from “Kaseya”
It is important to understand that this is not a temporary wave. In the “IT security new age”, external factors are responsible for the current situation in many cases. These include the importance of IT in companies, the general way employees use IT, and Bitcoin. While the first two contribute to the fact that IT, and thus especially IT security in companies, is becoming increasingly complex and thus more confusing, the emergence of cryptocurrencies has actually revolutionized the cyber underground. This allows the protagonists in the underground to increasingly specialize and trade with each other without restrictions. All three factors can no longer be reversed. The aforementioned complexity is thus increasingly becoming a burden on defenders, causing problems both figuratively and in purely interpersonal terms. Companies must therefore review their current security strategy for modern attack techniques.
More information on the details of the attack can be found here.