Watch the on-demand replay of the July 13th ThreatLabz webinar for a deep dive into the Kaseya attack and how to defend against it.
While Americans were prepping for their long Fourth of July weekends, cybercriminals were preparing a widespread ransomware attack on businesses around the world using a vulnerability in the Kaseya VSA remote monitoring and management tool.
The attack targeted on-premises instances of the Kaseya VSA server, which allows managed service providers (MSPs) to perform patch management, backups, and client monitoring for their customers.
Attackers exploited a zero-day vulnerability in the VSA server software in order to distribute REvil ransomware to between 40 and 60 MSPs and, subsequently, the customers of those MSPs -- over 1,000 in total. This mode of proliferation is called a “supply chain” attack: it abuses the trusted access of an IT tool to reach many more organizations’ networks, allowing attackers to multiply their damage many times over.
Kaseya, like SolarWinds, which was exploited in a different supply chain attack earlier this year, is a long-standing and well-regarded IT management solution. The successful attacks on these services show that any partner with access to your IT environment can quickly become a vulnerability.
It is critical that you adopt zero trust strategies in order to mitigate business risk from these attacks. There should be no such thing as a trusted partner, nor a trusted employee, nor a trusted device. Access to resources should be on a dynamically controlled, least-privilege basis.
Even with trusted tools and partners, organizations must assume that every connection could be a potential attack, and build controls around identity and Zero Trust policies that securely connect users directly to applications, and never to networks. With Zero Trust, you can fundamentally eliminate the attack surface by making enterprise resources invisible to adversaries and impossible to attack, unlike traditional network security approaches that leave the front door open to threats from trusted sources.
Every attack has a series of steps required to succeed -- often referred to as the ‘kill chain’ or ‘attack lifecycle.’ Below, we’ll break down the steps of a typical REvil ransomware attack as outlined in the ThreatLabz Ransomware Review, and will discuss how Zero Trust can stop them:
The first thing attackers have to do is compromise your network, then download and execute malicious payloads. REvil has been known to gain entry through phishing emails, exploit kits, and compromised RDP accounts, also frequently exploiting vulnerabilities in Oracle WebLogic. Many attackers sneak in through encrypted channels, as was likely the case in the Kaseya attack: ThreatLabz found a 500% increase in SSL malware year-over-year in their latest State of Encrypted Attacks report.
To prevent this kind of compromise in alignment with the principles of Zero Trust, organizations must:
Kaseya has announced that they are rolling out enhancements to their own security to prevent future compromise, including better sandboxing, isolation, and web application firewalls -- important components of the Zscaler Zero Trust Exchange.
While it does not appear to have been the case in the Kaseya supply-chain ransomware attack, once an attacker is in your network, they often move laterally to scan your network and find valuable data, which they commonly steal and encrypt in a ransomware attack. To prevent this, organizations should:
About 50% of REvil attacks (along with many other ransomware families) involve attackers stealing data and threatening to publish it, known as “double extortion.” This gives attackers a lot of leverage when making their demands, as organizations have to worry about more than just restoring their data. To ensure that your data stays protected, Zero Trust best practices dictate that you should:
Ransomware and supply chain attacks will surely get worse before they get better: Cybersecurity Ventures has estimated that cybercrime will cost organizations $6 trillion globally in 2021, and up to $10.5 trillion in 2025. By embracing Zero Trust, security teams can minimize both the chances that they will be victimized by these attacks and the potential damage that attackers can cause.
For more discussion, watch the on-demand replay of our July 13th webinar in which Zscaler CISO Deepen Desai and Research Director Amit Banker discuss the Kaseya attack.
To learn more about REvil and other ransomware trends, download a free copy of our report, ThreatLabz Ransomware Review: The Advent of Double Extortion.