Cyberattacks Continue to Wreak Havoc – What Can Compliance Teams Do?
It’s déjà vu all over again for cybersecurity professionals around the world, many of whom are now scrambling to recover from the latest cyberattack involving Kaseya software. The Russian affiliation of hackers known as the REvil Group, the same hackers attributed to the recent ransomware attack against JBS, is allegedly behind this latest ransomware as well. In what has become an unfortunate sign of things to come, ransomware is now increasingly of the “exfiltrate and extort” variety. Rather than simply encrypt a company’s data and hold it hostage for a ransom payment, hackers have found it profitable to also exfiltrate massive amounts of corporate data and demand a hefty ransom to either give the data back or decrypt it.
In this latest cyberattack, the REvil Group is alleged to have perpetuated an attack against vulnerabilities in a product of cybersecurity software company Kaseya, based in Miami, Florida. Kaseya is a well-known software company which provides, among other tools, VSA RMM, a “remote monitoring and management” that enables companies to remotely monitor networks and push out patches and other updates. The software is used by approximately 37,0000 companies in many industries and sectors around the world, the majority of whom are managed service providers (MSPs) handling information security for an even greater number of their own business customers. The legacy on premises version of Kaseya VSA is the product specifically accessed by the hackers, which fortunately appears to have limited the impact to those firms who still had an on premises configuration of it. Although many firms had migrated to Kaseya’s cloud-based solution, this cyber incident highlights the importance of keeping software patched, remaining vigilant of identified vulnerabilities through regular vulnerability testing and monitoring, and properly retiring old systems no longer needed or used by a firm.
Kaseya was allegedly informed of seven vulnerabilities as recently as April 2021, and had been working to patch them. Unfortunately, they didn’t finish the patching before the hackers struck. Time is clearly of the essence when new vulnerabilities are discovered and hackers race to exploit them before IT teams can close the security holes. In the Kaseya cyberattack, hackers exploited a credential leak among other vulnerabilities.
In some sense, what we are seeing with these latest hacking attempts is more of the same supply chain attacks that began to make headlines back in 2013. The difference now is that hackers are going after software applications used by MSPs and by many companies of all shapes and sizes to manage their information security. By compromising updates to security software itself, which is then pushed out to thousands of unsuspecting machines around the world, hackers are able to get a lot of mileage (and do damage to a lot of companies around the world) from a single hack. The sophistication and complexity of the attack method suggests a growing cybersecurity problem around the world: that regardless of using established industry vendors, organizations are only as strong as their current weakest link. It has become challenging for small companies to defend against attacks perpetuated by nation state actors, especially when those cyberattacks are targeting the same software that these companies rely upon to try to stay secure in the first place.
These recent attacks have highlighted how interconnected the global security ecosystem really is. CSS is not using the impacted Kaseya product, and we will continue to monitor the situation. If you are interested in speaking with one of our cybersecurity experts about testing your network and applications and monitoring for credentials of your staff on the dark web, please contact [email protected].