Watch the on-demand replay of the July 13th ThreatLabz webinar for a deep dive into the Kaseya attack and how to defend against it.
While Americans were prepping for their long Fourth of July weekends, cybercriminals were preparing a widespread ransomware attack on businesses around the world using a vulnerability in the Kaseya VSA remote monitoring and management tool.
The attack targeted on-premises instances of the Kaseya VSA server, which allows managed service providers (MSPs) to perform patch management, backups, and client monitoring for their customers.
Attackers exploited a zero-day vulnerability in the VSA server software to distribute REvil ransomware to between 40 and 60 MSPs and, subsequently, to the customers of those MSPs -- over 1,000 organizations in total. This mode of proliferation is called a “supply chain” attack: it abuses the trusted access an IT tool already has in order to reach many more organizations’ networks, allowing attackers to multiply their damage many times over.
Kaseya—just as SolarWinds, which was exploited in a different supply chain attack earlier this year—is a long-standing and well-regarded IT management solution. The successful attacks on these services prove that any partner with access to your IT environment can quickly become a vulnerability.
Zero Trust is the answer.
It is critical that you adopt zero trust strategies in order to mitigate business risk from these attacks. There should be no such thing as a trusted partner, nor a trusted employee, nor a trusted device. Access to resources should be on a dynamically controlled, least-privilege basis.
Even with trusted tools and partners, organizations must assume that every connection could be a potential attack, and build controls around identity and zero trust policies that securely connect users directly to applications, and never networks. With Zero Trust, you can fundamentally eliminate the attack surface by making enterprise resources invisible to adversaries and impossible to attack -- unlike traditional network security approaches that leave the front door open to threats from trusted sources.
Every attack has a series of steps required to succeed -- often referred to as the ‘kill chain’ or ‘attack lifecycle.’ Below, we’ll break down the steps of a typical REvil ransomware attack as outlined in the ThreatLabz Ransomware Review, and will discuss how Zero Trust can stop them:
The first thing attackers have to do is compromise your network, then download and execute malicious payloads. REvil has been known to gain entry through phishing emails, exploit kits, and compromised RDP accounts, also frequently exploiting vulnerabilities in Oracle WebLogic. Many attackers sneak in through encrypted channels, as was likely the case in the Kaseya attack: ThreatLabz found a 500% increase in SSL malware year-over-year in their latest State of Encrypted Attacks report.
To prevent this kind of compromise in alignment with the principles of Zero Trust, organizations must:
- Have full visibility with full inspection of all traffic, whether encrypted or not, to stop malicious downloads, whether through emails, websites, or other channels.
- Minimize the attack surface. Applications should not be published to the internet to be brute forced or exploited; instead, they should only be accessible through an exchange after proper authentication.
- Detect and stop malicious activity by keeping security tools up to date and using AI-powered detection to discover never-before-seen ransomware variants and analyze behaviors. In-line sandboxing and browser isolation capabilities should be deployed to help identify and stop advanced unknown threats.
- Control access with strict least-privilege policies that are continuously monitored for gaps in entitlements, policy, compliance, and configurations, with any gaps remediated promptly.
Kaseya has announced that they are rolling out enhancements to their own security to prevent future compromise, including better sandboxing, isolation, and web application firewalls -- important components of the Zscaler Zero Trust Exchange.
Prevent lateral movement
While it does not appear to have been the case in the Kaseya supply-chain ransomware attack, once attackers are inside your network they often move laterally, scanning for valuable data that they can steal and then encrypt as part of the ransomware attack. To prevent this, organizations should:
- Segment applications: Microsegmentation is an important cornerstone of zero trust, which limits access to mitigate damage under the assumption that you’ve already been breached. Use a proxy architecture to connect users and workloads directly to the application or resource that they need -- never the network. If an attacker should breach a single application, the damage they can cause stops there.
- Get proactive with active defense: A less common but extremely effective defense tactic is using active defense or “deception” technologies to identify and stop lateral movement attempts. These tools deploy decoy apps and lures that act as tripwires for attackers, diverting them from the assets they’re actually after while giving your security team high-fidelity alerts that an attack is underway.
Prevent data theft
About 50% of REvil attacks (along with many other ransomware families) involve attackers stealing data and threatening to publish it, known as “double extortion.” This gives attackers a lot of leverage when making their demands, as organizations have to worry about more than just restoring their data. To ensure that your data stays protected, Zero Trust best practices dictate that you should:
- Inspect all northbound traffic. Safeguard sensitive data with granular DLP controls that identify and block data leakage or theft across all inline and SSL traffic in real time.
- Set policies to only allow communication with known-good destinations: In the case of SolarWinds, attackers took advantage of lax policies that allowed the software to communicate with unknown destinations, which ended up including the DarkSide command-and-control servers. No matter how good your technology is, “default deny” is a critical concept in Zero Trust; you should only allow communications that are required for the tool to function properly.
- Shield your cloud apps from exposure: Use cloud access security brokers (CASB) to enforce granular controls of sanctioned and unsanctioned cloud apps, while securing sensitive data at rest from theft or accidental exposure.
- Address cloud misconfigurations: Prevent cloud breaches and data loss by identifying and closing dangerous misconfigurations in SaaS and public clouds.
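The “default deny” principle from the known-good destinations point above, as an added illustration that is not Zscaler’s or Kaseya’s code: an egress policy check for a hypothetical management agent (“mgmt-agent”) in which a connection is permitted only when an explicit allowlist rule matches on destination, port, and protocol, and everything else is flagged. The allowlist entries, hostnames, and connection records are constructed sample data.

```python
"""Default-deny egress check for a management tool (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dest: str   # hostname, IP address, or CIDR the tool legitimately needs
    port: int
    proto: str


# Constructed allowlist for the hypothetical "mgmt-agent" process:
# placeholder vendor endpoints plus the internal server agents report to.
ALLOWLIST = [
    Rule("updates.vendor.example", 443, "tcp"),
    Rule("license.vendor.example", 443, "tcp"),
    Rule("10.20.0.0/16", 5721, "tcp"),
]


def _dest_matches(rule_dest: str, dest: str) -> bool:
    """Exact hostname match, or IP contained in the rule's CIDR when both parse as IPs."""
    if rule_dest == dest:
        return True
    try:
        return ipaddress.ip_address(dest) in ipaddress.ip_network(rule_dest, strict=False)
    except ValueError:  # hostname on one side, IP/CIDR on the other: no match
        return False


def is_allowed(dest: str, port: int, proto: str, rules=ALLOWLIST) -> bool:
    """Default deny: permitted only if some rule explicitly matches all three fields."""
    return any(r.port == port and r.proto == proto and _dest_matches(r.dest, dest)
               for r in rules)


def flag_unknown_egress(log_lines, rules=ALLOWLIST):
    """Parse 'process dest port proto' records and return those the policy denies."""
    denied = []
    for line in log_lines:
        proc, dest, port, proto = line.split()
        if not is_allowed(dest, int(port), proto, rules):
            denied.append((proc, dest, int(port), proto))
    return denied


# Constructed connection records from the hypothetical agent.
SAMPLE_LOG = [
    "mgmt-agent updates.vendor.example 443 tcp",
    "mgmt-agent 10.20.4.7 5721 tcp",
    "mgmt-agent 203.0.113.45 443 tcp",             # unknown external host
    "mgmt-agent updates.vendor.example 8443 tcp",  # known host, unapproved port
]

if __name__ == "__main__":
    for hit in flag_unknown_egress(SAMPLE_LOG):
        print("DENY", hit)
```

The two flagged records show why the match must cover port and protocol as well as destination: an allowlisted hostname on an unexpected port is still an unknown channel.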
Ransomware and supply chain attacks will surely get worse before they get better: Cybersecurity Ventures has estimated that cybercrime will cost organizations $6 trillion globally in 2021, and up to $10.5 trillion in 2025. By embracing Zero Trust, security teams can minimize both the chance that they will be victimized by these attacks and the damage attackers can cause when they are.
For more discussion, watch the on-demand replay of our July 13th webinar in which Zscaler CISO Deepen Desai and Research Director Amit Banker discuss the Kaseya attack.
To learn more about REvil and other ransomware trends, download a free copy of our report, ThreatLabz Ransomware Review: The Advent of Double Extortion.