From the vendor: “Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.” Attackers believed to be affiliated with the Russia-based ransomware group known as “REvil” exploited a SQL injection vulnerability and an authentication bypass to hijack on-premises deployments of Kaseya VSA. The hijacked VSA servers were then used to push ransomware that encrypted files on an unknown number of laptops, desktops, and servers across numerous enterprises and customers of managed service providers. This costly (and for some, catastrophic) incident carries a lesson that keeps repeating: applications that accept data from outside the organization are at risk of being hijacked by adversaries, and once hijacked, they are used against you with all the privileges they legitimately hold. IT/SecOps personnel in every enterprise MUST apply containment controls to these high-risk applications so that attacks like this one cannot succeed even when the application itself is compromised.
What You Need to Know About On-Premise Kaseya VSA
Kaseya VSA is an IT remote monitoring and management (RMM) solution used by IT and network administrators to install and patch software on enterprise computing devices, manage backups, automate other IT processes, and remotely troubleshoot and resolve IT issues. Such tools require a software agent with elevated privileges running on each managed device, and the agent does whatever its VSA server tells it to do. In this attack, the individual agents were not exploited directly; instead, the VSA server software in the affected on-premises deployments was compromised, and the compromised servers then directed the agents to install and run malicious software. Controlling the server therefore meant controlling every endpoint the server managed.
Kaseya SaaS was NOT Compromised
Kaseya SaaS, like on-premises Kaseya VSA, relies on agents running on each computing device. However, Kaseya SaaS agents are directed by servers in Kaseya’s own cloud rather than by a customer-operated VSA server, and it appears these customers were not affected by this attack.
What Executives Should Know About Mitigating Risks From These Kinds of Cyber Attacks
As you read and listen to details about this attack, you will hear about SQL injection and authentication bypasses. These are just the means to the unfortunate result. One way or another, adversaries hijack a critical application in your infrastructure and use it against you. There is a class of security controls that every enterprise should use from stem to stern: containment and isolation. Containment restricts what a high-risk application can do to the rest of the endpoint hosting it. Isolation restricts what the rest of an endpoint can do to, or take from, an application or object on the same host.
In this attack, when the hijacked Kaseya VSA application tried to write where it should not, containment controls would have blocked those actions in real time, regardless of whether the payload was recognized as malicious. Here the attackers exploited a zero-day vulnerability to hijack the Kaseya VSA application directly. Alternatively (and this did not occur in this attack), a different application on the same host could have been compromised and used to inject malicious code into the Kaseya VSA process. Isolation controls block that technique.
There is another approach that could accomplish the same protective result: an Application Control tool that performs both pre-execution and peri-execution functions. “Peri-execution” means that it enforces certain read and write rules for an application such as Kaseya VSA while the application is running, not just at launch. Unfortunately, for most of the tools that can perform this function, the rule sets are very complex to create and maintain, because these fine-grained rules must change every time the application changes (each update or patch can alter which files and processes it legitimately touches). Very few enterprises, fewer than 5% (and likely fewer than 1%), deploy peri-execution Application Control because of the burden it places on day-to-day operations.
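The containment and isolation controls described above, as an added example that is not AppGuard’s code or the page’s own: a small Python policy engine that decides each endpoint action by rule rather than by recognizing malware. “ExampleRMM”, its paths, the “EDR sensor” peer and the sample events are all hypothetical and constructed here. It also shows one form of context adaptation: a process spawned by the contained application inherits its containment, so the rules do not have to enumerate every child process the application might launch.

```python
"""Toy containment/isolation policy engine over constructed endpoint events.

Added example, not AppGuard's implementation. Two controls, enforced by the
action being attempted rather than by recognizing a payload:
  - containment: what a high-risk app (and anything it spawns) may do to the host
  - isolation:   what other processes may do to that app's process
All paths are hypothetical (an imaginary RMM server), not Kaseya's real layout.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

RMM = r"C:\Program Files\ExampleRMM\server.exe"   # hypothetical high-risk app
EDR = r"C:\Program Files\EDR\sensor.exe"          # hypothetical trusted sensor

# Containment/isolation policy per high-risk application (hypothetical).
HIGH_RISK_APPS = {
    PureWindowsPath(RMM): {
        # The only tree the app may write files into.
        "write_roots": [PureWindowsPath(r"C:\ProgramData\ExampleRMM")],
        # The only trees the app may launch executables from (not user-writable).
        "exec_roots": [PureWindowsPath(r"C:\Windows\System32"),
                       PureWindowsPath(r"C:\Program Files")],
        # The only processes allowed to open or inject into the app's process.
        "trusted_peers": [PureWindowsPath(EDR)],
    },
}


@dataclass
class Event:
    actor: str           # image path of the process performing the action
    action: str          # "write" | "exec" | "inject" | "read_memory"
    target: str          # file path, or image path of the target process
    lineage: tuple = ()  # ancestor image paths, root first, ending with actor


def _under(path, roots):
    """True if path equals one of roots or lies below it (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(r == p or r in p.parents for r in roots)


def containing_policy(ev):
    """A process is contained if it is a high-risk app or was spawned, at any
    depth, by one (context adaptation). Returns the policy or None."""
    for image in (ev.actor, *ev.lineage):
        policy = HIGH_RISK_APPS.get(PureWindowsPath(image))
        if policy is not None:
            return policy
    return None


def evaluate(ev):
    """Return ("allow" | "block", reason) for one event."""
    # Isolation: who may reach into a high-risk app's process?
    if ev.action in ("inject", "read_memory"):
        target_policy = HIGH_RISK_APPS.get(PureWindowsPath(ev.target))
        if target_policy is not None:
            if PureWindowsPath(ev.actor) in target_policy["trusted_peers"]:
                return "allow", "isolation: trusted peer"
            return "block", "isolation: untrusted process touching protected app"
    # Containment: what may a high-risk app, or anything it spawned, do?
    policy = containing_policy(ev)
    if policy is None:
        return "allow", "not a contained process"
    if ev.action == "write":
        if _under(ev.target, policy["write_roots"]):
            return "allow", "containment: write inside allowed roots"
        return "block", "containment: write outside allowed roots"
    if ev.action == "exec":
        if _under(ev.target, policy["exec_roots"]) and not _under(ev.target, policy["write_roots"]):
            return "allow", "containment: launch from approved location"
        return "block", "containment: launch from writable or unapproved location"
    return "block", "containment: contained process may not touch other processes"


CMD = r"C:\Windows\System32\cmd.exe"
TOOL = r"C:\Users\bob\AppData\Local\Temp\tool.exe"
WORD = r"C:\Program Files\Office\winword.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SERVICES = r"C:\Windows\System32\services.exe"

# Constructed sample events (not real telemetry): what a hijacked server might
# try, plus a benign process and a trusted sensor for contrast.
SAMPLE_EVENTS = [
    Event(RMM, "write", r"C:\ProgramData\ExampleRMM\cache\job1.dat", (SERVICES, RMM)),
    Event(RMM, "write", r"C:\Windows\Temp\update.exe", (SERVICES, RMM)),
    Event(RMM, "write", r"C:\ProgramData\ExampleRMM\cache\agent.exe", (SERVICES, RMM)),
    Event(RMM, "exec", r"C:\ProgramData\ExampleRMM\cache\agent.exe", (SERVICES, RMM)),
    Event(RMM, "exec", CMD, (SERVICES, RMM)),
    Event(CMD, "write", r"C:\Users\Public\payload.bin", (SERVICES, RMM, CMD)),
    Event(TOOL, "inject", RMM, (EXPLORER, TOOL)),
    Event(EDR, "read_memory", RMM, (SERVICES, EDR)),
    Event(WORD, "write", r"C:\Users\bob\Documents\memo.docx", (EXPLORER, WORD)),
]


def run(events=SAMPLE_EVENTS):
    """Evaluate each event; returns a list of (decision, reason)."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, (decision, reason) in zip(SAMPLE_EVENTS, run()):
        print(f"{decision:5} {ev.action:11} {ev.target}  [{reason}]")
```

Two design points are worth noting. The engine never inspects the content of `agent.exe`; the server is allowed to write it into its own data tree but is refused when it tries to launch it from there, which is the containment behaviour the page describes. And the write by `cmd.exe` is blocked only because its lineage passes through the contained server; the same `cmd.exe` launched by a user would not be contained, which is why the rules stay short even as the application changes.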
AppGuard Could Have Protected Victims From Their Hijacked Kaseya VSA Software
AppGuard has cracked the code on adding strong protections while avoiding the difficulties of peri-execution Application Control. No vendor makes containment and isolation security controls as easy to implement and maintain, or as effective. As with the SolarWinds supply chain attack, the Microsoft Exchange Server ProxyLogon attack, and many other major headline malware attacks of the last year, AppGuard was found to be the difference between victims and victors.
AppGuard’s approach likely differs greatly from what you are familiar with: it neutralizes attacks by blocking disallowed actions, without having to recognize the malware, and it avoids the pitfalls of past technologies by automatically adapting its controls to the context of the activity. This contrasts with most of what is deployed today, which defends against an attack only when something malicious is recognized (and, more onerously, only IF it is recognized).
Today’s adversaries are too good at disguising their attacks, which often look like harmless daily activity. Mandiant, the company Kaseya hired to investigate this incident, previously reported that in 65% of the investigations it conducted in 2020, IT/SecOps teams did NOT discover the attack within a week. That leaves too much time for attackers to lurk within an enterprise, sometimes hiding in plain sight. If you were protecting a bank or a military base, think of AppGuard as your locks and your security clearances, while detection-based tools like EDR or NGAV are your security cameras and security guards. Even if a spy can trick your guards, they still need a legitimate clearance to get into the vault.
AppGuard can be added to any pre-existing cyber infrastructure to significantly boost protection from malware attacks that evade detection-based tools, such as this Kaseya attack. It is lightweight, easy to operate, and blocks malware actions at the endpoint in real time, which relieves the workload of other security layers by reducing alerts, lateral movement, endpoint remediations, and even application patch management pressure. Learn more about how AppGuard can help you.