Hacker group ‘REvil’ have exploited a zero-day vulnerability found in Kaseya’s systems, which tens of thousands of customers use. As a result, many companies have been met with a ransomware demand from the group – totalling $70m in payment for the return of their data.
Introduction
Kaseya provide IT solutions to companies across the globe, including a unified remote-monitoring and management tool (VSA) that oversees network and client devices. This tool is where the vulnerability lay, and REvil exploited it to push malware out to many of the thousands of companies that use the software.
The malware deployed was ransomware, and the hacker group have demanded a $70m payment to unlock and release all the data it has seized.
What has been done so far?
Firstly, it is not clear if Kaseya will pay the full ransom. Paying the ransom is a complete leap of faith, as there is no guarantee the hackers will return the data after payment has been received. Negotiating the amount of money requested is also very risky, as it may result in the group demanding more – which celebrity law firm ‘Grubman Shire Meiselas & Sacks’ discovered when they tried to make a counter offer. Additionally, if hackers receive any sort of financial return for their efforts, they can use it to hire more skilled hackers and invest in more resources for future attacks.
What Kaseya have done so far is:
- Customers were notified of the breach via email, phone and online services
- The affected (on-premise) VSA servers have been taken offline until a patch has been released
- They have provided an advisory via their website that is updated regularly
- A tool that customers can use to scan and find any infections on their networks has been released
- They are continually reviewing the issue and working on recovery and patch plans.
The FBI and CISA (Cybersecurity and Infrastructure Security Agency) have also released some guidance via their website, and even the Biden administration are considering domestic and international responses.
Why is this attack so significant?
This is considered to be one of the worst Ransomware attacks in history and it’s likely to be the most important cybersecurity event of the year – and even more important than the SolarWinds infiltration in 2020.
Kaseya are not just any company. They are a managed IT service provider that deploys software to other businesses’ systems to help manage their infrastructure. The deployment of this software, and of its updates, is automatic, and under normal circumstances this would be a good thing from a security perspective. But once the zero-day vulnerability had been exploited, REvil were able to turn this feature against Kaseya’s customers, pushing out a malicious update that their systems installed and thereby infecting them with the malware.
This is also not the first time a company that deploys software automatically to customers has been on the receiving end of what is known as a ‘supply chain attack’. In 2017, the NotPetya attack caused around $10 billion of damage globally, while the SolarWinds breach last year led to the compromise of thousands of organisations’ data.
Because of how these attacks are distributed, anyone who installs an update could be affected – and this could even lay the groundwork for further attacks. Whilst the companies that have been targeted are multi-million pound corporations, such attacks could also be made on bigger companies like Google or Apple – and the consequences of this would be cataclysmic.
What can you do as a business?
Once a vulnerability has been discovered, it is up to the software developers to patch it as soon as possible. If the vulnerability is difficult to fix, they will disable the affected feature or setting; if it is fairly easy to patch, they will apply the fix and release an update immediately (before hackers can exploit it).
However, what can you as a business do to help prevent and mitigate such attacks? Firstly, to prevent a malware infection, you should:
- Make regular backups – Taking backups of data is essential for all businesses. It is a big topic and is covered more in the various backup articles we have done previously.
- Prevent malware from spreading – You should make it as difficult as possible for malware to spread. This takes a combination of your IT services provider configuring your network services appropriately (e.g. e-mail filtering, website blocking, locking down ports, enabling MFA, etc.) and you as a user taking steps to ensure your device is secure (e.g. actively inspecting content, blocking e-mail senders you know are not legitimate, keeping your device up to date, etc.).
- Prevent malware from running – If malware does reach your device, you should prevent it from running. This means ensuring you have an anti-virus solution in place that is up to date and working, running AV scans regularly and ensuring the scans either quarantine or remove the malware, not clicking on any prompts you don’t recognise, ensuring all applications and devices are up to date, and even considering centrally managing devices so the problem can be tackled en masse.
- Be alert – Continue to read and listen out for news related to IT security breaches in case one is related to your company. Time is of the essence in these situations, so being aware and alert to any cybersecurity issues could be the difference between your company being infected or not.
- Prepare for an incident – A detailed policy and plan should be in place to prepare for what you might think is an unlikely attack. This can include identifying critical devices and services, ensuring there is a communication protocol in place, deciding how you will respond to a ransom request, identifying legal documents you may need, implementing a management plan, and then producing a lessons-learned document after the incident.
- Employee Training – Ensure your employees are adequately equipped with the knowledge and tools on how to identify and deal with potential cyberattacks.
- Don’t click on anything – If you receive a ransomware message or any sort of communication indicating your files and folders have been encrypted and money is required to release the data, you should not click on any links as these may also be weaponised.
If you have already been infected with malware you should:
- Go offline – Disconnect all infected devices from your network. This means removing the ethernet cable from your machine, disabling wifi and ensuring your machine is not connected to the internet in any way. If in doubt, shut down your machine and disconnect all cables.
- Password reset – Reset any administrator or system credentials you think could be affected.
- Reconfigure devices – You should wipe the infected devices and reinstall the operating system from scratch, as this is the only foolproof way of removing malware from a machine.
- Restore from backup – Once you have ensured the backup has not been infected and that your network is clean, you should look at restoring from backup to begin getting data and services up and running again.
- Update, scan, and monitor – Begin connecting the clean devices to the network, run Anti-Virus scans, ensure all updates are installed, reconnect devices back to your network and continue to monitor network traffic and Anti-Virus scans.
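Two of the steps above hinge on the same question: "Make regular backups" only helps if you can later tell that a backup is still the one you took, and "Restore from backup" asks you to confirm the backup has not been infected before you use it. The following script, added here as an example rather than code from the original article or from Kaseya, shows one simple way to answer that question: record a SHA-256 manifest of the backup tree at backup time, keep the manifest somewhere the backup cannot overwrite it (offline or read-only media), and compare the tree against the manifest before restoring. The directory layout, file names and the tampering scenario in `demo()` are all constructed for illustration.

```python
"""Verify a backup tree against a hash manifest recorded when it was taken.

Added example, not from the original article. Assumes backups are plain files
under a directory and that the manifest produced by build_manifest() is stored
separately from the backup itself (offline or read-only), so that anything
that alters the backup cannot also alter the record of what it should contain.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path (POSIX form) -> SHA-256 for every file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree with the manifest taken when it was created.

    Returns the files that still match, that have changed, that are missing,
    and that were not present when the manifest was written. Anything outside
    "ok" means the backup must be investigated before it is trusted for a restore.
    """
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def backup_is_clean(report: dict) -> bool:
    """A backup is only safe to restore when every file matches the manifest."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate tampering with the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "invoice.txt").write_bytes(b"invoice 0001\n")
        (root / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        (root / "notes.txt").write_bytes(b"nothing changes here\n")

        # Taken at backup time; in practice this JSON is stored off the backup media.
        manifest_json = json.dumps(build_manifest(root))

        # Constructed changes standing in for what an encrypting payload leaves behind:
        # one file replaced by an unreadable copy, one file altered in place, a note dropped.
        (root / "docs" / "invoice.txt").unlink()
        (root / "docs" / "invoice.txt.locked").write_bytes(b"\x00" * 16)
        (root / "config.ini").write_bytes(b"[app]\nmode=changed\n")
        (root / "README_FOR_DECRYPT.txt").write_bytes(b"constructed note\n")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("safe to restore:", backup_is_clean(result))
```

Run it with `python verify_backup.py` (the file name is ours). The report separates four cases because they point to different problems: a "modified" file means the backup media itself was written to, "missing" plus a matching "unexpected" name suggests files were replaced, and "unexpected" files alone may be a dropped ransom note or simply a backup job that ran after the manifest was taken. The one decision the script makes for you is the conservative one in `backup_is_clean()`: any difference at all blocks the restore until someone has looked at it.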
This is very much a summary of the sort of actions you can take in the event of a malware outbreak. We always recommend referring to the National Cyber Security Centre website for more detailed advice and guidance.
Conclusion
Combatting ransomware attacks like this is not going to be easy. It will require a lot of creativity and a huge resource pool to come up with a coherent strategy that not only prevents such attacks from happening but also mitigates them if and when they occur. Until that happens, you should follow the above advice and speak to your IT services provider about tightening up your cybersecurity, and if you would like further advice from us then do not hesitate to contact us.