SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Security vendors weigh in as fallout of Kaseya cyber attack continues
Thu, 8th Jul 2021
FYI, this story is more than a year old

The fallout of last week's Kaseya ransomware attack continues, with fellow security vendors saying the attack is a stark reminder that ransomware continues to be an increasing threat to organisations around the world.

The attack saw up to 1500 businesses around the world affected, which centred on U.S. information technology firm Kaseya. REvil ransomware group, who claimed responsibility for the breach, have demanded US$70 million to restore all the affected businesses' data.  

Matt Sanders, director of security at LogRhythm, says the attack is a major reminder that ransomware attacks continue to be an increasing threat to companies, critical infrastructure organisations and government agencies at all levels.

"This attack is especially dangerous because Kaseya is used by many Managed Service Providers that many businesses trust to handle their IT functions, such as endpoint inventory, patching, and software deployment," he says.

"With up to 1500 possible businesses affected from the Kaseya ransomware attack, the impacts from the attack will be felt for months to come."

Sanders says recovering from a ransomware attack takes time, and a well-rehearsed incident response plan will prove invaluable should the worst happen.

"Aside from planning their response to a successful attack, organisations should keep their prevention and detection technologies top of mind by ensuring that they have the appropriate protective controls in place, as well as visibility into what is happening across their environment," he says.

"A properly configured security monitoring solution that has full visibility into the environment with robust automated response capability would help organisations such as Kaseya identify malicious activity and thwart bad actors before ransomware can take hold."

Jeff Costlow, chief information security officer at ExtraHop, says Kaseya is a "terrifying" example of how quickly cybercriminals are adopting Advanced Persistent Threat tactics.

"In the Kaseya attack, the threat actors deliberately targeted a well-established but little-known software management firm that would allow them access to hundreds of other environments," he says.

"They meticulously researched their target and found a zero day flaw in their software. They then exploited it and waited for a long holiday weekend to detonate their ransomware."

Costlow says the technique parallels almost exactly the techniques used by nation-state adversaries in the NotPetya attack four years ago, which used an exploit in Ukrainian tax software MeDoc and more recently, in the SolarWinds SUNBURST attack.

"Both NotPetya and SUNBURST used exploits in software that was widely used but little known to the public to disseminate malware on a massive scale," he says.

"Both waited for national holidays (the former in the Ukrainian, the latter in the US) when many were out of the office to detonate their attacks.

"The fact that techniques that were once the dominion of the most advanced nation states are now being used to extract multi-million dollar ransoms should serve as a stark warning for every organisation and every software vendor," Costlow says.

"The threat of sanctions or other diplomatic repercussions is of no concern to cybercriminals that operate outside the bounds of any government," he says.

"Ransomware is now an advanced persistent extortionate threat one thats far more calculated than opportunistic."

Srikant Vissamsetti, senior vice president engineering at Attivo Networks, says attackers steal and destroy information as part of their attacks, whether they seek to move deeper into the system or to hold data for ransom.

"Since Kaseya VSA runs on all endpoints and servers, this compromise provided the ransomware operator access to all systems without requiring any lateral movement," he says.

"Organisations need functions that hide and deny access to local files, folders, removable storage, network or cloud shares, local administrator accounts and application credentials.

"By denying attackers the ability to see or exploit critical data, organisations can disrupt their discovery or lateral movement activities and limit the damage from ransomware attacks."

Corey Nachreiner, CSO at WatchGuard Technologies says the Kaseya ransomware attack underscores the importance of multilayered security for MSPs as well as enterprises.

"While novel attacks like this are impossible to predict, having protection across networks and endpoints can help minimise the worst effects until patches and other measures can be taken."