The Chertoff Group

KASEYA INCIDENT SECURITY BULLETIN

What Happened

On the evening of July 2, IT software management provider Kaseya announced that threat actors had successfully targeted its on-premises VSA server software technology, which is used by multiple Information Technology (IT) managed service providers (MSPs) to manage and monitor computers remotely. Initial reports suggest that the threat actors exploited a 0-day software vulnerability, and Kaseya’s CEO stated that “We will release that patch as quickly as possible to get our [on-prem] customers back up and running.” The threat actor in this context appears to be REvil, the same threat actor group behind numerous other ransomware attacks, including the attack on meat processor JBS. The scope of impact is not yet fully understood.

Why it’s important

IT MSPs are commonly used across sectors to outsource the operation of network, compute, storage, endpoint and other IT functions, and this compromise is highly concerning because of where it falls in the increasingly interdependent IT supply chain. Specifically, the campaign entails at least four tiers of potential information security and business continuity impact: (1) on Kaseya itself (although there is no indication yet that Kaseya’s internal systems were breached); (2) on the multiple IT MSPs who use Kaseya; (3) on the clients of each impacted MSP; and (4) on those clients’ customers.

We have previously warned about how the software supply chain is increasingly being used as a stepping stone into threat actor targets, and we have also highlighted how ransomware is increasingly targeting lifeline sectors such as in the recent Colonial Pipeline incident plus earlier campaigns targeting healthcare, industrial and other sectors in the midst of the COVID-19 pandemic. This incident brings those two trends together, and it portends the migration of supply chain subversion tradecraft used by state actors for espionage purposes, such as in the SolarWinds incident, now to criminal groups for ransomware and other extortionate activity.

What to Do About It

While the adversary tactics for the Kaseya incident have not been released, defenders can apply the following guidelines and best practices to address risks from ransomware and other disruptive cyber threats:

  • Threat-informed defense. The Chertoff Group recommends that security practitioners apply security controls based on anticipated adversary behavior and an assumption that a breach is inevitable or has likely already occurred. By understanding the anatomy of recent ransomware attacks and the associated tactics, techniques and procedures (TTPs), defenders can ensure risk-based defenses are in place. The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help through its library of mappings between TTPs and defensive countermeasure coverage.
  • Validating control effectiveness. Critical infrastructure owners & operators must validate that defensive countermeasures are operating as intended. As more details emerge from the Kaseya incident, defenders should ensure existing security controls are effective against identified TTPs. Likewise, security teams can use Breach and Adversarial Simulation (BAS) tools to measure control performance with added precision, instilling greater confidence that controls are operating effectively.
  • Cooperation with law enforcement. Early cooperation with law enforcement can help: the FBI successfully recovered $2.3 million of the Colonial Pipeline ransom.

Guidance from multiple public and commercial sector sources, including CISA, the U.S. Department of Justice, the FBI, MITRE and others, tracks and analyzes ransomware attacks. Initial Kaseya-related threat hunting queries can also be found here. These resources provide valuable context, tactical mitigations and detection analytics for organizations to employ in attempting to thwart ransomware campaigns.

The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat and risk-informed cyber defenses. Contact info@chertoffgroup.com for more information.
