Our organizations place enormous trust in systems, partners, and vendors to deploy software, monitor network performance, patch both systems and software, procure software and hardware, and perform countless other tasks. A recent ransomware attack turned one such trusted system against its users to hit thousands of victim companies at once.
In this most recent example, attackers targeted Kaseya VSA, an IT management product designed to let IT admins monitor systems, automate mundane tasks, deploy software, and patch systems. The attackers exploited a zero-day vulnerability to gain access to customer instances of the product and then used its native deployment functionality to push ransomware to those customers' endpoints.
Further compounding the problem, managed service providers (MSPs) use Kaseya software to manage their customers' environments. When the attackers compromised the MSPs' VSA instances, the MSPs inadvertently and unknowingly spread the ransomware to their own customers.
This is only one example of how attackers continue to abuse trust in novel ways, leaving many security and IT practitioners to wonder, "Why didn't something like this happen sooner?"
Ransomware group REvil continues to get bolder. Make no mistake, the attack on Kaseya was deliberate and purposeful, designed to inflict the maximum amount of damage on the largest number of targets. Immediately after the attack, REvil bragged about infecting more than a million devices and set a ransom demand of $70 million, promising that if the ransom were paid, the decryptor would work for every affected organization.
This shines a light on a troubling trend: attack targets are shifting from individual organizations to platforms, like Kaseya or SolarWinds, whose compromise affects many organizations at once. Attackers research the tools we all rely on to find ways to abuse their native functionality in executing an attack. In this latest attack, the ransomware itself was executed through DLL sideloading: an old but legitimately signed copy of the Microsoft Defender executable was dropped alongside a malicious DLL, and the trusted binary loaded it.
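The sideloading pattern just described, as an added detection example that is not code from the original post: a heuristic that flags a trusted-signed executable running from a non-standard directory and loading a DLL from that same directory which is not validly signed by a trusted publisher. The image-load records are constructed in a Sysmon Event ID 7 style; the `ProcessSignature` field is an assumed enrichment (stock Sysmon Event 7 carries signature data only for the loaded image), and the file names follow public reporting on the Kaseya incident rather than anything stated on this page.

```python
"""Flag DLL sideloading by a legitimately signed executable.

Added example, not code from the original post. Runs a heuristic over
image-load records in the style of Sysmon Event ID 7. The records below
are constructed; ProcessSignature is an assumed enrichment field.
"""
import ntpath

# Publishers whose signature we treat as trusted for the loading process.
TRUSTED_SIGNERS = {"microsoft corporation", "microsoft windows"}

# Directories where a signed vendor binary is expected to live. A trusted
# binary running from anywhere else, next to an unsigned DLL, is the tell.
CANONICAL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def parse_record(line: str) -> dict:
    """Parse 'Key: value | Key: value' (constructed format) into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(":")  # first colon only; paths contain more
        fields[key.strip()] = value.strip()
    return fields


def in_canonical_dir(path: str) -> bool:
    """True if the file sits under one of the expected install directories."""
    lowered = path.lower()
    return any(lowered.startswith(d + "\\") for d in CANONICAL_DIRS)


def is_sideload(rec: dict) -> bool:
    """True when a trusted-signed process, running outside a canonical
    install directory, loads a DLL from its own directory that is not
    validly signed by a trusted publisher."""
    proc, dll = rec["Image"], rec["ImageLoaded"]
    proc_trusted = rec.get("ProcessSignature", "").lower() in TRUSTED_SIGNERS
    dll_trusted = (rec.get("SignatureStatus") == "Valid"
                   and rec.get("Signature", "").lower() in TRUSTED_SIGNERS)
    same_dir = ntpath.dirname(proc).lower() == ntpath.dirname(dll).lower()
    return proc_trusted and same_dir and not in_canonical_dir(proc) and not dll_trusted


def find_sideloads(lines) -> list:
    """Return (process, dll) pairs for every record that matches the heuristic."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_sideload(rec):
            hits.append((rec["Image"], rec["ImageLoaded"]))
    return hits


# Constructed sample records (made up for this example). Paths and names
# follow public reporting on the Kaseya incident: an old Defender engine
# binary dropped outside its install directory, loading a DLL beside it.
SAMPLE_LOG = [
    # Defender engine in its install directory loading its own signed DLL: benign.
    r"Image: C:\Program Files\Windows Defender\MsMpEng.exe | ProcessSignature: Microsoft Corporation"
    r" | ImageLoaded: C:\Program Files\Windows Defender\mpsvc.dll | Signed: true"
    r" | Signature: Microsoft Corporation | SignatureStatus: Valid",
    # Same signed binary dropped into C:\Windows, loading an unsigned mpsvc.dll: sideload.
    r"Image: C:\Windows\MsMpEng.exe | ProcessSignature: Microsoft Corporation"
    r" | ImageLoaded: C:\Windows\mpsvc.dll | Signed: false"
    r" | Signature: | SignatureStatus: Unavailable",
    # System service loading a system DLL from System32: benign.
    r"Image: C:\Windows\System32\svchost.exe | ProcessSignature: Microsoft Windows"
    r" | ImageLoaded: C:\Windows\System32\ntdll.dll | Signed: true"
    r" | Signature: Microsoft Windows | SignatureStatus: Valid",
    # Dropped binary loading a real system DLL from System32: not a sideload.
    r"Image: C:\Windows\MsMpEng.exe | ProcessSignature: Microsoft Corporation"
    r" | ImageLoaded: C:\Windows\System32\kernel32.dll | Signed: true"
    r" | Signature: Microsoft Windows | SignatureStatus: Valid",
    # Unsigned tool loading an unsigned DLL: outside this heuristic's scope.
    r"Image: C:\Users\Public\tool.exe | ProcessSignature:"
    r" | ImageLoaded: C:\Users\Public\helper.dll | Signed: false"
    r" | Signature: | SignatureStatus: Unavailable",
]

if __name__ == "__main__":
    for proc, dll in find_sideloads(SAMPLE_LOG):
        print(f"possible DLL sideload: {proc} loaded {dll}")
```

Only the second record is flagged. The heuristic deliberately ignores unsigned processes loading unsigned DLLs (the last record), because the point of this technique is that the loader is a binary your allow-listing and EDR already trust; tune `CANONICAL_DIRS` to where your vendors actually install, and expect portable applications run from user directories to need exceptions.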
All the tools that organizations rely on -- such as tax software, oil pipeline sensors, collaboration platforms, and even security agents -- are built on top of the same vulnerable code, platforms, and software libraries that your vulnerability management team is screaming from the hills to patch or update immediately.
Organizations need to hold their supply chain partners, vendors, and others accountable for addressing the vulnerabilities in the software they've built on top of this house of cards, and they need to understand the exposure they take on by deploying that software within their own environments.
The Forrester blog post Ransomware: Survive By Outrunning The Guy Next To You discusses protecting against ransomware by hardening systems to make your organization a hard target. Supply chain attacks bypass those defenses by exploiting the trust you have already extended to systems inside your environment. To protect against them, you have to scrutinize the inherent trust you've placed in your supply chain.
To start, organizations should inventory the critical partners that have a large foothold within their environment, such as the vendors used for collaboration/email, MSPs that manage and monitor infrastructure, or security providers that have an agent deployed to every system. After compiling your list, you should:
Organizations should take aggressive steps to implement prescriptive ransomware advice as well as take a look at additional ransomware resources to limit the blast radius of an attack.
This post was written by Analyst Steve Turner, and it originally appeared here.