On July 2nd, cybercriminals used Kaseya VSA to initiate a widespread ransomware attack on multiple Managed Service Providers (MSPs) and the customers they support. Currently we do not know the full extent of the damage, but it appears to be among the largest ransomware attacks observed, with some reports estimating close to a 1000 customers of MSPs affected.
My goal with this post is not to inform you of what happened as other individuals have already done a great job with this, but to help you consider how you can handle a situation like this in the future. For more information about the attack, Huntress Labs has a highly detailed post on Reddit, and Kaseya has released technical details as well.
Supply chain attacks cause major challenges for businesses
Supply chain attacks have been all over the news this past year between Solarwinds, Microsoft Exchange, and now Kaseya.
The difficulty with these attacks is they abuse our trust in the various products we use and rely on. Ultimately, a ransomware incident is the worst case scenario for many companies as it has a huge impact not only on security but on customer confidence as well.
So, how can we work to prepare for these incidents?
Security measures you should be aware of and what you can do
Indicators of Compromise
Indicators of compromise (IOCs) do have purpose in a general security plan. Specifically, they are good for helping to catch and identify low hanging fruit. They are good at detecting past threats, but can lend to a false sense of security against current threat actors.
IOCs are not and should not, however, be viewed as the primary source for intel. It can be too easy for threat actors to leverage a different domain/URL/IP or to make a minor change to a file and cause all the IOCs you may have to be out of date.
The Kaseya incident is a great example of this. While there are plenty of IOCs available–over 1200 domains, a few IPs, and a few file hashes–they are very difficult to detect and prevent. The time between detection and compromise is so small that it is very hard to react quick enough to prevent a ransomware attack.
Also, Kaseya VSA, like many other sysadmin tools, requires administrator access on hosts and recommends allow-listing the file paths from antivirus software. Due to this, security software will often miss malicious activity, or be disabled by the threat actors, and cause any potential preventative actions to occur too late. This is why it is important to have multiple layers of security.
Tactics, Techniques, and Procedures
A better solution would be to look for the tactics, techniques, and procedures (TTPs) of the threat actors targeting your business sector.
After identifying the TTPs, it is recommended that you then create detections for those threats. Process creation logs–preferably via Sysmon but also Windows 4688 events–are vital to this solution, as many of the TTPs are host-based activity.
Do not buy into the thought that something like this will not happen to you. Plan for the eventuality that it does happen to you.
Ask yourself, if you were to have a ransomware incident now, what would be your first step in triage? This is where having a detailed and well-thought-out plan is important. A few things to consider include:
- Who needs to be involved in your incident response?
- What is their contact information?
- When was your last backup, and when was it last tested to ensure full recovery?
- Who are the external individuals (e.g., legal advisors, customers, etc.) that need to be contacted and when?
- Does everyone who needs this information have it or know where to get it?
Lastly, don’t just make a plan, test it out. Make sure your plan works and identify any weak points you may have.
We have a great blog on running tabletop exercises available for you to take advantage of as you work through this process.
This is not the first, and certainly won’t be the last, cyberattack we see. We can only do so much to protect against the next one, so preparing for the potential of when it may happen next is crucial.