According to the vendors themselves, “Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.”
Hackers believed to be associated with the Russian threat group known as “REvil” exploited a SQL vulnerability and an authentication bypass to hijack the on-premise deployments of Kaseya VSA. This resulted in files being encrypted for ransom on an unknown number of laptops, desktops, and servers across numerous enterprises and customers of managed service providers.
This costly, catastrophic cyber incident can be used as a valuable case study. Applications that use data from outside an organization pose the risk of becoming hijacked by adversaries. Preventing these attacks relies on IT/Sec-Ops professionals applying containment controls to high-risk applications.
What You Need to Know About On-Premise Kaseya VSA
Kaseya VSA is an IT remote monitoring and management (RMM) solution that is used by IT and network administrators to install and patch software on enterprise computing devices, manage backups, automate other IT processes, and remotely resolve and troubleshoot IT issues. Such tools require a software agent with elevated privileges running on each computing device. In the case of this attack, the individual agents on each computing device were not exploited. Instead, the VSA software running on two or more servers was compromised. This directed the software agents to install and run malicious software.
Kaseya SaaS was NOT Compromised
Kaseya SaaS, like Kaseya VSA, relies on software agents running on each computing device. However, Kaseya SaaS agents are directed by Kaseya’s cloud – a key difference. It appears these customers were not affected by this attack.
What Executives Should Know About Mitigating Risks From These Kinds of Cyber Attacks
As you read and listen to details about this attack, you will hear about SQL injections and authentication bypasses. These are just the means to the unfortunate result. One way or another, adversaries hijack a critical application in your infrastructure and use it against you. There’s a class of security controls every enterprise should use from top to bottom: containment and isolation. Containment restricts what a high-risk application can do to the rest of the endpoint hosting it. Isolation restricts what the rest of an endpoint can do to, or take from, an application or object on the same host.
How Kaseya VSA Users Could Have Avoided Being Victims
In this attack, a zero-day vulnerability was exploited to hijack the Kaseya VSA application. With containment controls in place, when the hijacked Kaseya VSA application tried to write where it should not, those actions would be blocked in real time. Alternatively, isolation controls can be used to block the injection of malicious code from a different application.
There is another approach that could accomplish the same protective result: an Application Control tool. This tool performs both pre-execution and peri-execution functions. “Peri-” means that it enforces certain read and write rules for an application such as Kaseya VSA during operation. Unfortunately, for most of the cyber tools that can perform this function, the rule sets can be very complex to create and maintain because these fine-grained rules must change as the application changes over time. Fewer than 5% (and likely fewer than 1%) implement peri-execution Application Control tools because they burden day-to-day operations.
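The containment and isolation controls described above, and the peri-execution read/write rules that an Application Control tool enforces, reduce to one question answered on every file action: is this application allowed to touch this path? The following is an added illustration of that decision logic, not code from AppGuard, Kaseya or this article. The application names, directories and events are constructed placeholders, and the policy model (a per-application allowlist of write and exec roots for containment, plus a set of protected roots that other applications may not touch for isolation) is a simplification of what a real product does. It also shows the one implementation detail practitioners most often get wrong in such rules: the path must be normalized before the root check, or a `..` traversal escapes the allowed directory while still passing a naive string-prefix test.

```python
"""Toy containment / isolation policy evaluator (added example, constructed data)."""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    app: str      # application performing the action (constructed names below)
    action: str   # "write" or "exec"
    target: str   # filesystem path acted on (POSIX-style for portability)


@dataclass(frozen=True)
class ContainmentPolicy:
    """What a high-risk application may do to the rest of the host."""
    app: str
    write_roots: tuple   # directories the app may write into
    exec_roots: tuple    # directories the app may launch programs from


@dataclass(frozen=True)
class IsolationPolicy:
    """What other applications may not do to a protected application's assets."""
    app: str
    protected_roots: tuple


def naive_is_under(path, root):
    """The common mistake: a raw prefix test, defeated by '..' segments."""
    return path.startswith(root)


def is_under(path, root):
    """Correct check: collapse '.', '..' and duplicate separators first."""
    p = posixpath.normpath(path)
    r = posixpath.normpath(root)
    return p == r or p.startswith(r.rstrip("/") + "/")


def evaluate(event, containment, isolation):
    """Return (decision, reason) for one event.

    Containment rules are checked first: a high-risk app is only allowed the
    writes/executions its allowlist grants. Isolation rules then stop any other
    app from acting inside the protected app's directories.
    """
    for pol in containment:
        if pol.app == event.app:
            roots = pol.write_roots if event.action == "write" else pol.exec_roots
            if any(is_under(event.target, r) for r in roots):
                return ("allow", f"containment: {pol.app} {event.action} inside allowed roots")
            return ("deny", f"containment: {pol.app} may not {event.action} {event.target}")
    for pol in isolation:
        if pol.app != event.app and any(is_under(event.target, r) for r in pol.protected_roots):
            return ("deny", f"isolation: {event.app} may not {event.action} inside {pol.app} assets")
    return ("allow", "no policy applies")


# Constructed policies for a hypothetical RMM server process called "rmm_server".
CONTAINMENT = (
    ContainmentPolicy("rmm_server",
                      write_roots=("/opt/rmm/data", "/opt/rmm/logs"),
                      exec_roots=("/opt/rmm/bin",)),
)
ISOLATION = (IsolationPolicy("rmm_server", protected_roots=("/opt/rmm",)),)

# Constructed sample events: ordinary operation, a traversal attempt, a launch
# from a scratch directory, and another app reaching into the server's config.
SAMPLE_EVENTS = (
    Event("rmm_server", "write", "/opt/rmm/data/agents.db"),
    Event("rmm_server", "write", "/opt/rmm/data/../../../etc/cron.d/job"),  # -> /etc/cron.d/job
    Event("rmm_server", "exec", "/tmp/dropped.bin"),
    Event("rmm_server", "exec", "/opt/rmm/bin/worker"),
    Event("browser", "write", "/opt/rmm/conf/server.ini"),
    Event("editor", "write", "/home/user/notes.txt"),
)


def run_demo(events=SAMPLE_EVENTS):
    """Evaluate every sample event; returns the list of (decision, reason)."""
    return [evaluate(e, CONTAINMENT, ISOLATION) for e in events]


if __name__ == "__main__":
    for ev, (decision, reason) in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{decision:5}  {ev.app:10} {ev.action:5} {ev.target:45} {reason}")
```

Note the second sample event: `naive_is_under` accepts it because the raw string begins with `/opt/rmm/data/`, while `is_under` normalizes it to `/etc/cron.d/job` and denies it. The same normalization concern applies to symbolic links and case-insensitive filesystems in a real enforcement engine, which is part of why the article calls these rule sets hard to maintain.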
AppGuard Could Have Protected Victims From Their Hijacked Kaseya VSA Software
AppGuard has cracked the code to adding strong protections while avoiding the difficulties of peri-execution Application Control. No vendor makes containment and isolation security controls as effective or easy to implement and maintain. As with the SolarWinds supply chain attack, the Microsoft Exchange Server ProxyLogon attack, and many other major headline malware attacks from the last year, AppGuard was found to be the difference between victims and victors.
AppGuard’s approach is likely very different from what you are familiar with. It neutralizes attacks without having to recognize the malware, by blocking disallowed actions, and avoids the pitfalls of past technologies by automatically adapting its controls to the context of activity. This contrasts with most of what is the industry standard, which only successfully defends against attacks when something malicious is recognized (and more ominously, if something is recognized).
Today’s cyber threats are too good at disguising their attacks and often look like harmless, daily activity. Mandiant, the company Kaseya hired to investigate this incident, previously reported that in 65% of investigations they conducted in 2020, IT/SecOps teams did not discover the attack within a week. This leaves too much time for attackers to lurk within an enterprise, sometimes hiding in plain sight. If you were protecting a bank or military base, think of AppGuard as your locks and your security clearances, while detection-based tools like EDR or NGAV are your security cameras and security guards. Even if a spy can trick your guards, they still need a legitimate clearance to get into the vault.
AppGuard can be added to any pre-existing cyber infrastructure to significantly boost protection from malware attacks that evade detection-based tools, such as this Kaseya attack. It’s lightweight, easy to operate, and employs real-time blocking of malware attacks at the endpoints to alleviate the workload of other cyber layers by reducing alerts, lateral movement, endpoint remediations, and even application patch management pressures.