Kaseya: Second major supply chain attack


Within six months of Sunburst (SolarWinds), the attack on Kaseya is the second sensational supply chain attack. Judging by the number of companies affected at once, the cyber attack is certainly one of the largest in the history of IT security. A comment from Richard Werner, Business Consultant at Trend Micro, on the Kaseya crisis.

On the weekend of July 4th, the US national holiday, a cyber attack hit the software provider Kaseya and quickly spread to its customers and to their customers in turn. According to the news platform BleepingComputer, around 50 direct customers of the provider were affected; these customers are themselves service providers and passed the infection on to their own clients. According to the same report, around 1,500 companies are affected worldwide.

50 Kaseya customers infect 1,500 other companies

Trend Micro can confirm that there have also been incidents in Germany. The fact that the attack took place on one of the most important holidays in the United States is not a coincidence but careful calculation on the part of the perpetrators, and it paid off. Not only are IT security teams generally understaffed on weekends and public holidays, the communication chains to the affected customers were also interrupted, so the attack was often able to spread unhindered. If the attack is broken down into its individual parts, however, many parallels to other attacks emerge. Companies can learn some important lessons for their infrastructure from this crude, repetitive scheme:

Everything starts with the vulnerability

What is striking about the Kaseya case is that the attackers used a vulnerability in the software that was already known to the vendor at the time of the attack and for which a fix was already in beta testing. The attackers did not have much time left if they wanted to succeed. The vendor had been made aware of the vulnerability through what is known as "responsible disclosure" and was working on closing it. Nevertheless, the timing is unusual and leaves room for interpretation. Although the patching problem is well known in IT security, companies should keep in mind that attackers look for vulnerabilities not only in Microsoft products or other widely used software, but also in the software of IT service providers. The focus is in particular on applications that communicate directly with many customer devices. Companies that run their own software development must include this in their risk calculation as well.

The special features of a supply chain attack

The entire incident falls into the category of "supply chain attack". In this category, still relatively rare but increasingly common, the perpetrator first compromises IT service providers. These are attractive targets because they have existing, or readily activated, IT connections into other companies. Examples include update mechanisms that push updates directly into external systems, but also remote maintenance tools, order processing and the like. Through such a channel the perpetrators are able to take over a machine, usually a server, in the victim's data center. In contrast to "classic" attacks, the entire perimeter network security and all client-based security solutions are bypassed. What remains is whatever protection is active on the server systems themselves and monitors the communication between those servers.

Outdated antivirus technology opens the way

In on-premises data centers in particular, that remaining protection is very often outdated antivirus technology. In addition, important security patches are frequently missing, if the operating systems are still supported at all. This means the perpetrator can often shut down the final victim extremely quickly and move through its systems virtually undetected. The greater the initial damage, the better for the attacker, because it creates enormous pressure on the victim. Kaseya's particular kind of service gave the criminals the opportunity to reach not only companies directly but also their customers. This explains the relatively large number of victims. Supply chain attacks are relatively rare because they are complicated and costly for an attacker. Their effect, however, is often devastating.

Lessons from "Kaseya"

It is important to understand that this is not a passing wave. In the currently fast-changing IT security landscape, external factors are responsible for the present situation in many cases. These include the importance of IT in companies, the general use of IT by employees, and the emergence of Bitcoin. While the first two cause IT, and above all IT security, in companies to become ever more complex and therefore harder to oversee, the emergence of cryptocurrencies has genuinely revolutionized the cyber underground: it allows its actors to specialize ever further and to trade with each other without restriction. None of these three factors can be reversed. The complexity mentioned is therefore an increasing burden on defenders, causing problems both in technical terms and in purely interpersonal ones. Companies must therefore review their current security strategy against modern attack techniques. The Kaseya example can help.

More at TrendMicro.com

About Trend Micro

As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.
