The Kaseya cyber-attack has been in the news for the last few days, and I thought this was an opportunity to look not at the detail of the attack itself but at the wider issue of supply chain cyber attacks.
Supply chain cyber attacks are where criminals target software vendors or IT services companies in order to infect their clients: “In a typical hack, cyber criminals pick one company to target and find a unique way to break into that particular victim’s computer network. But during a supply chain attack, hackers infiltrate a trusted company that supplies software or IT services to many other firms. Their goal is to slip malware into the ‘supply chain’ of software updates the company installs on its customers’ computers. Given IT management firms’ virtually unlimited access to their customers’ computer systems, a virus can be installed undetected on thousands of computers at once.”
“Supply chain hacks target businesses indiscriminately; anyone who uses software from an infected vendor can get swept up in the attack. This raises the risks for small- and medium-sized businesses that would normally escape cybercriminals’ notice. With the Kaseya attack, hackers appear to be testing their ability to extort a large collective ransom by hacking hundreds of small businesses.”
Kaseya is an American software company that develops software for managing networks, systems and IT infrastructure. The Kaseya ransomware attack occurred on 2 July 2021, when attackers exploited Kaseya’s VSA remote management product, which managed service providers (MSPs) use to administer their customers’ machines, and used it to push ransomware developed by REvil from a number of those MSPs to their clients, affecting about 1,500 companies worldwide. One of the most high-profile victims was the Swedish supermarket chain Coop, which had to close 800 of its stores for a week as the ransomware encrypted its point-of-sale software. The attack didn’t actually affect Coop’s own IT infrastructure but that of its supplier, Visma Esscom, which uses Kaseya technology and managed the servers behind Coop’s tills.
Supply chain cyber attacks are a very efficient means of attack for cyber criminals: they gain access to large numbers of organisations without having to attack each one individually. The Kaseya attack and the SUNBURST / SolarWinds attack are both examples of a trusted supplier of IT software or services being used to infect the victims. Organisations are encouraged to apply the latest software patches as soon as possible, and these patches are often installed automatically, without the anti-virus and sandbox checks that other software deployments might receive. You don’t expect your IT management or security provider to infect you with malware. In the SolarWinds attack the SUNBURST backdoor was built into a legitimately signed software update from the vendor; in the Kaseya attack the VSA system that MSPs use to push updates to their customers’ machines was compromised, and REvil ransomware was sent out to those MSPs’ customers in place of an update. The two hacks were conducted for different reasons: the SolarWinds hack was an intelligence operation to gain access to US government, military and intelligence agencies, while the Kaseya attack was a mass ransomware attack for profit.
One of the issues with compromising so many organisations simultaneously is the ability to exploit the hack. Approximately 18,000 organisations installed the trojanised SolarWinds update. Even a well-resourced nation state would have difficulty extracting intelligence from so many organisations at the same time. In the same way, REvil had to deal with 1,500 organisations, all possibly wanting to pay a ransom. One of the articles I read on the hack said that they were struggling to answer all the correspondence from their victims and that there was a backlog. This is perhaps why they asked for a combined ransom of $70m to be paid on behalf of all victims, as they were struggling to carry out individual negotiations; the $70m has since been reduced to $50m. When an attack is facilitated by phishing, the organisation carrying out the hack can concentrate on one victim at a time.
How can organisations protect themselves against supply chain attacks?
1. Carry out an inventory of all organisations that have access to your systems. Can an attacker reach your systems via their systems, or do they provide you with software updates which could be compromised? Can the number be reduced?
2. Does your organisation check software patches before they are deployed, to confirm that they do not contain malware?
3. Are you carrying out sufficient due diligence on software vendors? Further details can be found in this document from FireEye.
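Point 2 above is the one that can be turned into a concrete control. What follows is an added example (not code from Kaseya, SolarWinds, FireEye or this post's author) of a staged-rollout gate: an update pushed by a supplier is quarantined, its SHA-256 is compared with a value obtained on a separate channel, it goes to a small canary ring first, and only after a soak period with no reported problems does it reach the rest of the estate. The host names, update payloads, hashes and timestamps are all constructed for the illustration.

```python
"""Staged rollout gate for third-party software updates (added example, constructed data)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

CANARY_SOAK = timedelta(hours=24)   # how long the canary ring runs before a wider rollout
HOUR = timedelta(hours=1)
T0 = datetime(2021, 7, 2, 12, 0)    # constructed base time for the demo


def sha256_hex(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


@dataclass
class UpdateRecord:
    name: str
    sha256: str
    received_at: datetime
    canary_started_at: Optional[datetime] = None
    incidents: int = 0


@dataclass
class RolloutGate:
    # Hashes obtained on a channel separate from the push itself (for instance the
    # vendor's release notes fetched by an administrator), so that a payload injected
    # into the delivery mechanism alone does not match.
    trusted_hashes: Dict[str, str]
    canary_hosts: List[str]
    fleet_hosts: List[str]
    records: Dict[str, UpdateRecord] = field(default_factory=dict)

    def receive(self, name: str, payload: bytes, now: datetime) -> str:
        """Quarantine an incoming update; nothing is deployed at this point."""
        digest = sha256_hex(payload)
        self.records[name] = UpdateRecord(name, digest, now)
        return digest

    def report_incident(self, name: str) -> None:
        """A canary host misbehaved: freeze any further rollout of this update."""
        self.records[name].incidents += 1

    def dispatch(self, name: str, now: datetime) -> List[str]:
        """Return the hosts this update may be pushed to right now (empty = hold)."""
        rec = self.records[name]
        if self.trusted_hashes.get(name) != rec.sha256:
            return []                     # unknown update or hash mismatch: hold for manual review
        if rec.incidents:
            return []                     # problems on the canaries: stop, do not widen
        if rec.canary_started_at is None:
            rec.canary_started_at = now   # first approved dispatch starts the soak clock
        if now - rec.canary_started_at < CANARY_SOAK:
            return list(self.canary_hosts)
        return self.canary_hosts + self.fleet_hosts


def demo() -> Dict[str, List[str]]:
    """Walk one genuine and one tampered update through the gate (constructed data)."""
    good = b"agent-hotfix-1.2.3"
    gate = RolloutGate(
        trusted_hashes={"agent-hotfix": sha256_hex(good)},
        canary_hosts=["canary-01", "canary-02"],
        fleet_hosts=["pos-01", "pos-02", "pos-03"],
    )
    gate.receive("agent-hotfix", good, T0)
    gate.receive("rogue-hotfix", b"agent-hotfix-1.2.3 with extra payload", T0)
    return {
        "good_first_push": gate.dispatch("agent-hotfix", T0),
        "good_after_soak": gate.dispatch("agent-hotfix", T0 + 25 * HOUR),
        "rogue": gate.dispatch("rogue-hotfix", T0),
    }


if __name__ == "__main__":
    for stage, hosts in demo().items():
        print(stage, hosts)
```

The caveat a practitioner should keep in mind: in a SolarWinds-style attack the vendor's own build is what is trojanised, so the vendor-published hash will match and the hash check alone passes. The hash check only catches tampering in transit or in the delivery mechanism; the canary ring, the soak period and the incident freeze are the layers that limit the blast radius. A remote management agent that can push code to every endpoint at once, bypassing a gate like this, removes those layers entirely, which is exactly what made the Kaseya attack so effective.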
If you try to follow best practice, by using an international security company used by some of the most security-conscious companies in the world and patching as soon as a new patch comes out, then you should be ahead of the pack and less vulnerable than others. Sadly, in cyber supply chain attacks this will not help you and might even make you more vulnerable to an attack. On the other hand, the Swedish Coop were not a customer of Kaseya at all, and were still collateral damage of a cyber attack delivered through one of their suppliers. Sometimes in cyber it seems you can’t win! This week I taught the new ‘BCT Certificate in Cyber Incident Management’ course, so if you had been on the course at least you would be ready to manage a cyber-attack if it did occur.