06 Jul Urgent Kaseya VSA Breach Response
You will see this in the news if you haven’t already, so I’ll give you the important information up front. Bytagig does not utilize Kaseya BSA. No action on your or my part is required for this major cyber security incident.
For more information and valuable lessons from this incident, keep reading below.
Kaseya reacted quickly. Within the hour of first reports, they took their entire SaaS client base offline, 10’s of thousands of customers worth, even though there were no reports of any of them being hit. What was hit was several dozen of those that “self-host” Kaseya VSA on their own infrastructure and have it open to the internet OR buy usage rights from such an organization.
Definitions:
Zero-Day Vulnerability: A flaw in a piece of software unknown by anyone until a hacker or security researcher comes across it and actively exploits it.
Supply Chain Attack: You have your business. Your business gets software from other software companies, sometimes those software companies use distributors and those distributors sometimes use VARs (Value Added Resellers), and those VARs sell to IT Companies or consultants which then sell to you. Instead of hackers going directly for your business via social engineering or phishing, they go right to another company in the supply chain. During that process, they can hit dozens or hundreds of companies (maybe even thousands in this case, the extent is unclear.)
Self-Host: When a company buys software and hosts it on their own equipment.
Kaseya VSA: Kaseya VSA is classified as a “Remote Management and Monitoring” or “RMM” Tool. RMM’s make sure your computer’s stay up to date, that antivirus is working, keep an inventory of active computers, initial setup actions on new computers, etc. Our entire industry and major enterprise IT departments all utilize a RMM tool.
Microsoft Intune: This is Microsoft’s “cloud” management tool, it has some of the same capabilities of a RMM.
Zero Trust: Assuming that every user and every computer was already hacked so you only allow what is absolutely necessary to get work done.
What’s happening?
A Russian Ransomware Gang REvil has successfully executed a supply chain attack utilizing Kaseya VSA as the weapon. They used a Zero-Day vulnerability in the On-Premise Self-Hosted version of Kaseya VSA. Hundreds (likely going to be in the thousands) of companies were ransomed. Almost nothing caught this until it was happening except Security Software that works based on whitelisting. This is not the first RMM tool compromise. All RMM companies have had compromises of their customers to various degrees, but this is by far the biggest thus far. Companies without segregated backups will likely be paying the ransom.
How should we react?
The software used such as in the Solarwinds hack or the Kaseya hack are necessities for modern networks. Switching vendors is not the solution. All vendors have had some degree of compromises over the past few years.
Keep your computers patched. Maintain active security tools. Have your computers connected to Microsoft Intune in this ever complicated cloud world we find ourselves in. Have a good business continuity plan in place. These are all systems Bytagig recommends to our clients.
For every one of these attacks, thousands of “low hanging fruit” attacks are prevented every day by what these tools allow IT companies and departments to do. Sally clicking on a link in an email, Billy giving away his credentials on a fake website, Johnny downloading an infected Adobe Acrobat Reader.
There is always a risk factor, nothing is 100%. The Solarwinds hackers went undetected for months, by everyone big and small, including our federal government. But we actively work to get as close to 100% as reasonably possible without clients paying for a dedicated security budget and team, which is out of reach for most small organizations. For those on our premium service plans, we are focused on managing our client’s risks and getting them as close to 100% as possible.
If you would like to have Bytagig conduct a vulnerability assessment and review your incident response plan together, please contact us here: Get a Vulnerability Scan
Share this post:
Sorry, the comment form is closed at this time.