If you’re like most of us, you barely pay attention. These software updates arise, after all, from the system itself, which is about as trustworthy as a source can get. In this new era of cyberattacks, malware, and ransomware, however, there is a slim but very real chance that the system itself could have been hacked. This is precisely what happened in the recent supply chain attack on multinational tech company Kaseya.
How did the Kaseya supply chain attack happen? First, let’s meet the players.
Kaseya: The victim of the supply chain attack
Kaseya provides a Virtual System Administrator (VSA) platform, giving remote monitoring and management capabilities to its Managed Service Provider (MSP) clients. Service desks, compliance systems, and automation platforms are also on the company’s menu. A crucial point to keep in mind for later: the VSA tool automates security and software updates.
MSPs use the systems provided by companies like Kaseya to help businesses of all sizes automate processes and generally manage their technology. This means a downline structure is built into Kaseya’s business model. The company has around 37,000 direct clients and as many as 1 million businesses relying on those clients, and by extension, Kaseya.
REvil: The perpetrator of the supply chain attack
REvil is a ransomware syndicate that appears to be based in Russia. They have been implicated as the culprits behind the Kaseya attack by numerous expert sources, including John Hammond of Huntress Labs, a threat-hunting cybersecurity company tasked with investigating the breach.
REvil is one of many syndicates offering Ransomware as a Service (RaaS); its many competitors include Locky, Gandcrab, WannaCry, Cerber, Darkside, and Maze. If your jaw dropped when you read the term Ransomware as a Service (RaaS), that’s the correct response. According to Carnegie Mellon University, RaaS operates just like Software as a Service (SaaS), only it allows ransomware developers to sell or lease malicious programs to affiliates who can then perpetrate attacks.
Figure 1: How RaaS attacks work (courtesy of Carnegie Mellon University)
Just as SaaS allows non-tech-savvy users to navigate advanced software systems, so too does RaaS open up the doors for any motivated player, regardless of their skill level, to conduct ransomware attacks. With millions on the table, there are plenty of motivated players.
Cybersecurity firm Palo Alto Networks revealed that REvil received $11 million from meatpacking giant JBS and $5 million from a medical diagnostics company based in Brazil. These were just two of many attacks, with the ransomware syndicate apparently averaging around half a million dollars per victim.
Individual scammers: the supply chain attack scavengers
In the wake of the Kaseya supply chain attack, the company issued a report warning customers about spammers who were taking advantage of the news to send out phishing emails that looked like Kaseya updates. These fake notifications contained malicious links and attachments, with some even including phone numbers of businesses claiming to be affiliated with Kaseya.
This is one of the ancillary risks that arise when a supply chain attack is publicised. Scammers may even make phone calls to affected end-users, claiming to be a reputable organization reaching out to help. These spammers generally aren’t connected to syndicates like REvil. Rather, they are bad actors taking advantage of a situation that can be leveraged to their advantage.
How the Kaseya ransomware attack went down
All it took was one vulnerability in Kaseya’s VSA software for REvil to enact a ransomware attack capable of infiltrating the MSP supply chain. The attack was carried out through an automatic system update. Imagine seeing a notification pop up that your Mac or PC’s OS is auto-updating, only to find that the system has loaded malware onto itself. This is what happened to many of Kaseya’s clients.
Kaseya first became aware of the attack around midday on Friday the 2nd of July, 2021, meaning it was likely designed to coincide with America’s 4th of July weekend – a time when many businesses operate with minimal staff.
With around 37,000 customers servicing hundreds of thousands of downline clients, the effects could have been catastrophic had Kaseya not acted promptly. This is the danger of a supply chain attack – by hitting just one company, gangs like REvil are able to potentially reach hundreds of thousands of businesses in a single attack. How many they are able to infiltrate hinges on how quickly and efficiently the targeted company is able to respond.
Kaseya’s most recent estimate is that around 50-60 of their direct clients were impacted, with a total reach of around 800 to 1,500 downline clients affected. Given that their system is used by around 800,000 to 1 million end-users, this appears to have been a favourable result. Though, of course, it has been a nightmare for those affected.
This style of attack is not new, but it does appear to be the largest one to date. In this instance, it was the IT supply chain that was weaponised, allowing REvil to reach multiple victims with just one breach. Most customers were lucky enough to avoid being hit with the ransomware update, making this incident little more than a terrifying inconvenience as their system was taken offline. However, if you’re unfortunate enough to bear the brunt of a ransomware attack, the impact can be devastating.
What is a ransomware attack?
Ransomware is a form of malware designed to allow an attacker to hijack a targeted system. In the simplest possible terms, it scrambles the data, encrypting files and drives and halting operations until the encryption is released.
This is where the “ransom” part of ransomware comes into effect. Cybercriminals leave a ransom note in the system, with instructions on how to make a payment in exchange for the decryption key which will, if you’re lucky, release the system.
The rise of sophisticated Ransomware-as-a-Service (RaaS) enterprises like REvil has ushered in a new trend of double extortion. If the bad actors are able to extract data during the hack (or convince the victim that valuable information has been stolen), they may demand an additional ransom to prevent the data from being used, sold, or published online.
Who is at risk of ransomware and supply chain attacks?
Kaseya has received multiple accolades, including a Cyber Security Excellence Award in 2021. If a company like this can fall victim to a ransomware attack, the one thing we can say for sure is that no one is impervious. These attacks are organised, strategic, and growing at a rapid rate.
According to the latest report from the Identity Theft Resource Center® (ITRC), supply chain attacks are on the rise, with data breaches up 38% in the second quarter (Q2) of 2021. There were 32 reported supply chain attacks in Q2 of 2021, compared to 27 in Q1. It’s also worth bearing in mind that there is a significant underreporting issue when it comes to ransomware attacks, with many companies hesitant to admit to the breach and the ransom paid. So, the true figures are likely higher than the statistics suggest.
Companies that deliver software to thousands of clients who, in turn, provide services to millions more are at an ever-increasing risk of supply chain attacks. This means all businesses, from hospitals and food suppliers to travel agencies and small local stores, are at risk if the providers of their software or cloud computing solutions are targeted.
There’s no getting around the need for automation in modern businesses, and it’s essential to be able to trust the companies providing such services. However, as intelligence architect Allan Liska explained to the Financial Times, “We’ve essentially handed over too much trust so that if something happens to them, it becomes a catastrophic event for your organisation through no fault of your own.”
How can organisations protect themselves against supply chain attacks?
Though RaaS syndicates are growing more sophisticated by the day, there are several defences you can deploy to protect your business from the threats they pose.
Identify what’s at stake
To understand how you might be targeted and where the attack is most likely to come from, it is essential to understand what value you present to cybercriminals. Assess your assets, including customer data, proprietary information, and other forms of intellectual property.
By understanding what might motivate a bad actor to target you with a ransomware attack, you’ll be able to determine which systems and which aspects of your supply chain require extra protection.
Assess your existing weaknesses
Now is the time to engage in threat hunting and risk assessment to uncover evidence of any malicious activity that may have already been directed at your company. Even if you don’t find any immediate threats, this will help you identify gaps in your current ability to detect and deflect cyberattacks.
Develop supply chain transparency
A supply chain attack can come from any third-party service provider or vendor you do business with. For this reason, transparency is essential. With the risk of cyberattacks growing, businesses must determine what data is available to each vendor, who within their company has access to it, and how it may be used.
Supply chain transparency allows you to monitor products and services through their lifecycle, perform deeper analytics, vet any third-party service providers you’re considering working with, and regularly audit vendor contracts to ensure they are providing the cybersecurity measures you require.
Plan for the worst
Preparation is key if you want to be able to swiftly and effectively contain a cyberattack and minimize the damage to your company and your supply chain. You cannot assume that the vendors you engage will handle these kinds of events for you. Indeed, Kaseya was first alerted to the ransomware attack by reports from customers.
To be prepared for the worst, you need to know what measures your vendors have in place to address cybersecurity issues, what their response team’s strategy is, what they will alert you of, and how their strategy will integrate with your own. From here, you can adjust your strategy to ensure you’re equipped to mitigate the damage as quickly as possible if an attack goes down.
As we learned with the Kaseya ransomware incident, having a system in place may not offer perfect protection from supply chain attacks. However, it will allow you to act on them quickly. It was through rapid action that Kaseya was able to restrict the flow of the ransomware. While the event was disastrous for the 1,500 or so businesses affected, close to 1 million end-users were protected by swift and targeted action from the company that was breached.