Kaseya Remote Monitoring is Struck by Another Cyberattack
Early in July, hundreds of businesses worldwide were impacted in a supply-chain ransomware attack, in which hackers exploited a vulnerability in a remote management tool called Kaseya VSA.
Hackers deployed REvil ransomware through Kaseya, which impacted a number of managed service providers (MSPs). From there, the attackers got through to many customers of those MSPs. Kaseya was able to shut down its cloud-based service and urge all on-premise users to shut down vulnerable servers until a patch could be released, but more than 1,000 businesses had already been attacked.
Over the next few weeks, experts were able to figure out how the attack was carried out. The malicious actors used a Kaseya update to deliver the REvil ransomware, using Kaseya’s administrative privileges to infect other systems. Once an MSP was infected, the ransomware could be used to attack all of the clients they provided remote IT access to.
Exploiting a zero-day vulnerability
According to researchers, the ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA, dubbed “Kaseya VSA Agent Hot-fix.” The attackers then immediately disabled the legitimate administrator access to the software to prevent the attack from being stopped.
Since Kaseya documentation advises customers to exclude the folders where the VSA agent is installed from antivirus scans, those agent folders were an especially vulnerable point of attack.
Employees of Kaseya report being fired or quitting after repeated warnings about security flaws were ignored over the years.
Kaseya VSA is an IT remote monitoring and management solution used by IT and network administrators to automate patching on endpoints and servers, manage backups and antivirus deployments, automate IT processes, and remotely resolve and troubleshoot IT issues.
To perform all these tasks, Kaseya VSA software operates with administrator-level access. According to cybersecurity firm Huntress, Kaseya places a high level of trust in customer devices, which may have been a reason the company was targeted in the first place. This is at least the third time Kaseya software has been used as an attack vector. In February 2019, hackers used a Kaseya VSA plugin vulnerability to target MSPs with ransomware. A few months later, in June 2019, attackers again exploited Kaseya software to target MSPs.
Impact of the latest Kaseya ransomware attack
Independent investigations at first concluded that six MSPs were affected. However, further probing revealed that around 40 MSPs had been compromised. Kaseya representatives have stated that more than 36,000 users worldwide have been affected. Most of the affected organizations were using the on-premise deployment method of Kaseya VSA, with little evidence of SaaS customers being compromised.
As attackers claimed to have compromised more than a million systems, the ransom amount rose to $70 million.
Swedish supermarket chain Coop had to temporarily close 800 locations, as they were unable to open cash registers.
Who are the attackers?
REvil is a “ransomware-as-a-service” threat that first appeared in 2019, according to CSO. It relies on affiliates to distribute the malware in return for a share of ransom payments. The REvil ransomware group has previously been linked with Russia and has already perpetrated attacks on companies such as Acer and meat supplier JBS.
Over the past year, REvil has been one of the most common manually operated ransomware strains to infect corporate networks. The initial attack vector often varies, as well as the actions taken by attackers inside networks.
How secure remote access helps mitigate risks and reduce attack surface
Remote access is one of the most common attack methods for point-of-sale devices and corporate networks. But remote access is not exactly optional anymore. Retailers and other organizations maintain complex networks of devices, POS systems, and other types of technology that demand extensive protection from cyberattacks while offering efficiency that keeps business moving.
Impero helps mitigate those risks by exceeding the security and compliance requirements set forth by PCI DSS, GDPR, HIPAA and other frameworks. Impero Connect is purpose-built to support MSP endpoint protection strategies while offering new avenues for secure communication.
We offer multiple layers of security to ensure remote access is only granted to the individuals and devices you have approved. Impero Connect offers granular identity and privileged access management options for remote access sessions through a centralized role-based access system.
The technical side of how to prevent a data breach begins with authentication and encryption. Impero Connect provides the authentication services your organization needs with options for native multi-factor authentication and/or integration with a variety of authentication technologies and providers. Also, strong encryption is one of the foundations Impero Connect is built on. We offer multiple encryption options so organizations can choose the right level of encryption for their specific use case.
Last but not least, you should train your entire staff on the best practices for preventing data breaches. Just as you give your staff and vendors least-privilege access to protect them, you should also be giving them an abundance of resources to combat phishing scams and other social engineering attempts. Endpoints may be monitored, and channels may be encrypted, but only proper training can prevent an employee from clicking on a malicious link or unknowingly exposing sensitive information.
Safe remote access is not a luxury anymore, and it is critical for MSPs. Impero Connect can help your company securely access networks and devices from any location while minimizing security threats. Contact us for your free trial today.