Within six months of Sunburst (SolarWinds), the attack on Kaseya is the second spectacular supply chain attack. Judging by the number of companies affected at the same time, the cyber attack is certainly one of the largest in the history of IT security. A comment from Richard Werner, Business Consultant at Trend Micro, on the Kaseya crisis.
On the weekend of July 4th, the US national holiday, a cyber attack hit the service provider Kaseya and quickly spread to its customers and other companies. According to the news platform Bleepingcomputer, around 50 direct customers of the provider were affected, who in turn, as service providers themselves, infected their own customers. According to the same source, around 1,500 companies are affected worldwide.
50 Kaseya customers infect 1,500 other companies
Trend Micro can confirm that there have also been incidents in Germany. The fact that the attack took place on one of the most important holidays in the United States is not a coincidence but a careful calculation by the perpetrators, and it paid off. Not only are IT security teams generally understaffed on weekends and public holidays, the communication chains to the affected customers were also interrupted, so the attack was often able to spread unhindered. Judging by the number of companies affected at the same time, the cyber attack is certainly one of the largest in the history of IT security. If you break the attack down into its individual parts, however, many parallels to other attacks emerge. Companies can learn some important lessons for their own infrastructure from this crude but recurring scheme:
Everything starts with the vulnerability
What is notable in the "Kaseya" case is that the attackers used a security hole in the software that was already known to the manufacturer at the time of the attack and for which a fix was already in beta testing. The attackers did not have much time left if they wanted to succeed. The service provider had been made aware of the vulnerability through what is known as "responsible disclosure" and was working on the fix. Nevertheless, the timing is unusual and leaves room for interpretation. Although the problem of patching is well known in IT security, companies should keep in mind that attackers look for vulnerabilities not only in Microsoft products or other widely used software, but also in the software of IT service providers. The focus is in particular on applications that communicate directly with many customer devices. Companies that develop their own software must factor this into their risk calculation as well.
The special features of a supply chain attack
The entire incident falls into the category of "supply chain attack". In this category, which is still relatively rare but increasingly common, the perpetrator first compromises IT service providers. These are attractive targets because they have existing, or readily activated, IT connections to other companies. Examples are update mechanisms that push updates directly into external systems, but also remote maintenance systems, order processing and the like. Through such a trusted connection the perpetrators are able to take over a machine, usually a server, in the victim's data center. Unlike in "classic" attacks, the entire perimeter network security and the client-based security solutions are bypassed. What remains is whatever protection is active on the server systems themselves and monitors the communication between them.
Outdated antivirus technology opens the way
In on-premises data centers in particular, what remains is very often outdated antivirus technology. In addition, important security patches are frequently missing, assuming the operating systems are still supported at all. This situation means that the perpetrator can often cripple the final victim extremely quickly and move through its systems virtually undetected. The greater the initial damage, the better for the attacker, because it creates enormous pressure on the victim. Kaseya's particular business model, whose customers are themselves service providers, gave the criminals the opportunity to reach not only companies directly but also those companies' customers. This explains the relatively large number of victims. Supply chain attacks are relatively rare because they are complicated and costly for an attacker. However, their impact is often devastating.
Lessons from "Kaseya"
It is important to understand that this is not a passing wave. In the rapidly changing IT security landscape, external factors are in many cases responsible for the current situation. These include the importance of IT in companies, the general use of IT by employees and the emergence of Bitcoin. While the first two make IT, and above all IT security, in companies increasingly complex and therefore harder to oversee, the emergence of cryptocurrencies has truly revolutionized the cyber underground. It allows actors in the underground to specialize further and to trade with one another without restriction. None of these three factors can be reversed. The complexity mentioned is therefore an ever greater burden for defenders, causing problems both in a figurative and in a purely interpersonal sense. Companies must therefore review their current security strategy against modern attack techniques. Kaseya's example can help.
About Trend Micro
As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.