While many Americans took off early to jump-start the Independence Day weekend, cyber attackers were launching the single biggest ransomware attack in history. It’s estimated that at least 800 to 1,500 organizations — primarily managed service providers (MSPs) and their customers — have been impacted, and additional victims are still being identified. Law enforcement and government cybersecurity agencies involved in the ongoing investigation, including the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), are urging affected organizations to take immediate steps to implement cybersecurity best practices.
Initial Kaseya Infection Aims for Scale and Impact
The ransomware attack initially targeted Kaseya, an IT management software provider for MSPs and small-to-medium sized businesses. Based on initial reports, attackers likely identified and exploited a vulnerability to compromise Kaseya’s Virtual System Administrator (VSA) solution, which is used to remotely monitor and manage endpoints and servers.
With control over SaaS and on-premises Kaseya VSA servers — along with other MSP-managed on-premises servers — the threat actors pushed a phony software update containing the ransomware to all managed endpoints. Similar to the SolarWinds supply chain attack, the malware spread across Kaseya’s global customer base and their downstream customers. The potential breadth of the Kaseya attack “may make it so that we are unable to respond to each victim individually,” said the FBI in a statement.
The attackers claiming responsibility demanded a staggering $70 million ransomware payment from Kaseya to restore affected corporate and customer data. Meanwhile, organizations across the supply chain soon began to feel the ripple effects — from dental offices to accounting firms to restaurants. In Sweden, a major grocery store chain was forced to close hundreds of stores for days due to inoperative cash registers. In New Zealand, schools and more than 100 kindergartens went offline and had to resort to pen and paper. According to the New York Times, some victim organizations have been asked for as much as $5 million in ransom payments.
Echoes of Cloud Hopper Supply Chain Attack
Though details of this international ransomware campaign are still emerging, the attack patterns are reminiscent of the mega Cloud Hopper attack, a years-long cyber invasion that was first uncovered in 2016 and targeted the world’s largest technology service providers and their customers.
We asked Lavi Lazarovitz, senior director of Cyber Research at CyberArk Labs, about the similarities, and how ransomware operators are honing their craft to become more sophisticated, targeted, and persistent — sometimes conducting reconnaissance for several years before making a move.
“With Cloud Hopper, one compromised endpoint went on to impact hundreds of firms that had relationships with breached cloud providers. For one victim, the attack cycle continued for at least five years. In this attack, like the previous attack on SolarWinds, threat actors capitalized on automation and trust that provide the means by which malware can be distributed and deployed as a legitimate cooperate software,” he said.
He continued, “In the Kaseya incident, the attackers are focusing on the compromise of trusted software and trusted processes. Targeting trusted services allows the threat actors to leverage the trusted services’ granted permissions and access.”
Cloud Hopper, SolarWinds, Codecov, and many recent ransomware attacks have proven that traditional security boundaries are no longer enough. By targeting cloud service providers, adversaries can move fluidly between “isolated” environments and across multiple organizations with ease. Lateral movement is no longer restricted to one organization’s physical network — exponentially extending the attackers’ reach.
CISA and FBI Guidance for Ransomware Risk Mitigation
To help minimize attack impact and mitigate future risk, the CISA and FBI have issued guidance for MSPs and their customers affected by the Kaseya VSA supply chain ransomware attack.
Their recommendations include cybersecurity fundamentals, such as enabling multi-factor authentication (MFA) and enforcing the principle of least privilege. They align with the CyberArk Blueprint for Identity Security Success, a best practices framework to help disrupt and prevent the common identity attack chain. We encourage any organization seeking ways to bolster ransomware protections to give it a look, with emphasis on these three steps:
1. Implement or strengthen privileged access controls. Focusing on least privilege enforcement can help ensure both human and machine identities have the minimum levels of access required. Other effective privileged access controls, such as rotating privileged credentials and monitoring sessions, can help to quickly reduce risk.
2. Take a defense-in-depth approach to endpoint security. Ransomware operators exploit endpoint vulnerabilities to steal or encrypt confidential information. Deploying least privilege measures is an important part of a defense-in-depth strategy that helps prevent adversaries from moving laterally and potentially forcing them to use methods that expose their presence.
3. Enable multi-factor authentication (MFA). It’s one step that can block a majority of account compromise attacks. If access controls are already in place, consider strengthening them with adaptive MFA that uses AI to assign risk to each access event based on context and behavior.
The Kaseya VSA attack shows us yet again how ransomware supply chain attacks are increasing in frequency, sophistication, and scale. Now is the time to take proactive steps to secure your organization’s most valuable assets and stay a step ahead of attackers.