In today's bulletin, Charlie discusses how supply chain cyber attacks affect different organisations, in particular the Kaseya attack.
The Kaseya cyber-attack has been in the news for the last few days, and I thought this was an excellent opportunity to delve deeper into the issues surrounding supply chain cyber attacks rather than discussing the details of the attack itself.
Supply chain cyber attacks are attacks in which criminals compromise a software vendor or IT service provider in order to reach that provider's clients. The best definition I have seen is: “In a typical hack, cybercriminals pick one company to target and find a unique way to break into that particular victim’s computer network. But during a supply chain attack, hackers infiltrate a trusted company that supplies software or IT services to many other firms. Their goal is to slip malware into the ‘supply chain’ of software updates the company installs on its customers’ computers. Given IT management firms’ virtually unlimited access to their customers’ computer systems, a virus can be installed undetected on thousands of computers at once.
Supply chain hacks target businesses indiscriminately; anyone who uses software from an infected vendor can get swept up in the attack. This raises the risks for small and medium-sized businesses that would typically escape the notice of cybercriminals. With the Kaseya attack, hackers appear to be testing their ability to extort a large collective ransom by hacking hundreds of small businesses.” You can read more here.
Kaseya is an American software company that develops software for managing networks, systems and IT infrastructure; its VSA product is used by managed service providers (MSPs) to monitor and patch their clients' machines. The Kaseya ransomware attack took place on 2nd July 2021, when attackers exploited Kaseya's VSA servers to push ransomware developed by REvil through several MSPs to those MSPs' clients, affecting about 1,500 companies worldwide. One high-profile victim was the Swedish retailer Coop, which had to close around 800 stores for a week after the ransomware encrypted its point-of-sale software. The attack did not touch Coop's own IT infrastructure; it hit Coop's supplier, Visma EssCom, which uses Kaseya technology to manage the servers behind Coop's tills.
Supply chain cyber attacks are a very efficient means of attack for cybercriminals: they gain access to large numbers of organisations without attacking each one individually. The Kaseya and Sunburst/SolarWinds attacks are both examples of a trusted IT supplier being used to infect its customers. Organisations are encouraged to patch their IT systems with the latest software updates as soon as possible, and because these updates arrive automatically from a trusted, signed source, they do not get the anti-virus and sandbox checks that other software deployments might. You do not expect your IT security provider to infect you with malware. In the Sunburst case, the backdoor was built into a legitimately signed SolarWinds Orion software update, while in the Kaseya case the mechanism VSA uses to push updates to managed endpoints was abused, so REvil ransomware was sent out to the customers of Kaseya's managed service providers. The two attacks were carried out for different reasons: the SolarWinds hack was espionage, aimed at gaining access to US government, military and intelligence agencies, while the Kaseya attack was launched to conduct a mass ransomware campaign.
One of the problems with compromising so many organisations simultaneously is exploiting the access once you have it. Approximately 18,000 organisations installed the backdoored SolarWinds update. Even a well-resourced nation state would have difficulty extracting intelligence from that many organisations at once, and the attackers are reported to have pursued only a small subset of them. In the same way, REvil had to deal with 1,500 organisations that all potentially want to pay the ransom. One of the articles I read on the hack stated that they were struggling to answer all the correspondence from their victims and had built up a large backlog. This is perhaps why they asked for a combined ransom of $70m to be paid on behalf of all victims, rather than carrying out individual negotiations; the $70m has since been reduced to $50m. When an attack is delivered by phishing, by contrast, the organisation carrying it out can concentrate on one victim at a time.
Ask yourself these questions to protect your organisation against supply chain attacks:
- Do you maintain an inventory of all organisations that have access to your systems?
- Can an attacker reach your systems through theirs, or do they supply you with software updates that could be compromised?
- Can the number of services that have access be reduced?
- Does your organisation check software patches before deploying them, for example by running them in a test environment first, rather than installing every update automatically the moment it is released?
- Are you carrying out sufficient due diligence on software vendors? Further details can be found in this document from FireEye.
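The question about checking patches before deploying them is easy to ask and hard to answer in practice, because the update usually arrives signed and is installed by an agent on a schedule you do not control. The following is an added example, not code from the bulletin or from Kaseya, SolarWinds or any other vendor: a small deployment gate that a customer could put in front of the install step. It assumes the vendor publishes a SHA-256 for each release through a channel separate from the download, and it uses hypothetical soak periods for a test, pilot and production ring. All product names, bytes and timestamps are constructed.

```python
"""Update deployment gate: an added example, not code from the bulletin or
from Kaseya, SolarWinds or any vendor product.

It models two controls behind the checklist question "do you check software
patches before deploying them?":
  1. the artifact's SHA-256 must match a hash obtained through a channel
     separate from the download itself (assumed: the vendor publishes one);
  2. a release must have soaked for a minimum period (assumed policy values)
     before a later deployment ring will auto-install it.
All products, versions, bytes and timestamps below are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Release:
    product: str
    version: str
    published_at: datetime   # vendor's release time (UTC)
    sha256: str              # hash obtained out-of-band, not from the download


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical rollout policy: how long a release must have been available
# (and running in earlier rings) before each ring accepts it.
SOAK_PERIODS = {
    "test": timedelta(0),
    "pilot": timedelta(days=3),
    "production": timedelta(days=10),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gate_update(artifact: bytes, release: Release, ring: str, now: datetime) -> Decision:
    """Decide whether `artifact` may be installed in `ring` at time `now`."""
    if ring not in SOAK_PERIODS:
        return Decision(False, f"unknown deployment ring {ring!r}")
    digest = sha256_hex(artifact)
    if digest != release.sha256.lower():
        # Catches tampering in transit or a poisoned download mirror. It does
        # NOT catch a backdoor the vendor itself built and signed (Sunburst).
        return Decision(False, f"hash mismatch for {release.product} {release.version}")
    age = now - release.published_at
    required = SOAK_PERIODS[ring]
    if age < required:
        # The soak period is the control against a bad vendor release: it buys
        # time for the test ring, the vendor and the wider community to notice.
        return Decision(False, f"{release.version} soaked {age.days}d, ring {ring!r} needs {required.days}d")
    return Decision(True, f"{release.product} {release.version} accepted for ring {ring!r}")


# --- constructed sample data -------------------------------------------------
NOW = datetime(2021, 7, 2, 14, 0, tzinfo=timezone.utc)
GOOD_ARTIFACT = b"constructed placeholder bytes for agent-hotfix 9.5.7"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\x00payload"
RELEASE = Release(
    product="ExampleRMM Agent",            # hypothetical product name
    version="9.5.7",
    published_at=NOW - timedelta(days=2),
    sha256=sha256_hex(GOOD_ARTIFACT),      # stands in for the vendor's published hash
)


def demo() -> dict:
    """Run the gate over the sample data; returns scenario -> Decision."""
    return {
        "test": gate_update(GOOD_ARTIFACT, RELEASE, "test", NOW),
        "production_now": gate_update(GOOD_ARTIFACT, RELEASE, "production", NOW),
        "production_later": gate_update(GOOD_ARTIFACT, RELEASE, "production", NOW + timedelta(days=9)),
        "tampered": gate_update(TAMPERED_ARTIFACT, RELEASE, "test", NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:17} {'ALLOW' if decision.allowed else 'BLOCK':5} {decision.reason}")
```

Two caveats matter more than the code. The hash check only defends against tampering between the vendor and you; a backdoor that the vendor built and signed, as in Sunburst, passes it, and the soak period is the only thing in this gate that buys time against that. And a gate like this only works where you control the install step: in the Kaseya case the MSP's VSA server pushed the payload straight to the endpoints, so the equivalent control sat with the supplier, not with Coop.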
Suppose you follow best practice: you use an international security company that some of the most secure organisations in the world also use, and you install every patch as soon as it is released. You would expect to be ahead of the pack and less vulnerable than others. Sadly, in a supply chain attack this does not help you and can make you even more vulnerable, because the trusted vendor and the rapid, automatic update are exactly the channel the attacker uses. On the other hand, the Swedish Coop were not a customer of Kaseya at all; they were collateral damage from an attack on one of their suppliers. Sometimes in cyber, it seems you can't win! This week, I taught the new NCSC certified training course, 'BCT Certificate in Cyber Incident Management', and those who attended are now ready to manage a cyber-attack should it occur. If you are interested in attending, our next public course is in September, or we can run the course privately for your organisation - get in touch with the BCT team to find out more!