Lessons to learn from the Kaseya cyberincident to protect your business’ data when doing business with a MSP.
Managed service providers (MSPs) play a critical role in the IT ecosystem. By outsourcing many of their day-to-day IT requirements to these companies, smaller organizations in particular can save costs, improve service levels and focus more resources on growing the business. In theory, they can also reduce security risk by handing over to a more capable and well-resourced provider. However, as the ransomware campaign impacting Kaseya customers has illustrated, MSPs can also be a source of cyber risk.
Amidst today’s volatile threat landscape, these risks are constantly evolving. That puts more pressure on organizations to ensure they’re asking the right due diligence questions of prospective providers before signing contracts.
What happened at Kaseya?
Kaseya is an IT management software provider whose main clients are MSPs. Its VSA product delivers automated software patching, remote monitoring and other capabilities so that these companies can seamlessly manage their customers’ IT infrastructure. In a similar way to SolarWinds Orion, the product requires highly privileged access to customer environments to operate. This makes it a perfect choice for attackers looking for an effective, high ROI threat vector.
That’s exactly what happened on July 2. As outlined on the vendor’s service update page, threat actors used the platform to compromise scores of MSPs and fire a fake update to their customers, containing REvil/Sodinokibi ransomware. Around 50-60 MSPs were affected, and in the region of 1,500 downstream customers. How did they do this? It’s now been reported that the threat actors exploited between one and three zero-day vulnerabilities in the on-premises Kaseya VSA product, beating the vendor’s own security team, who was working on patches for the bugs at the same time. These are:
- CVE-2021-30116: A credential leak and business logic bug
- CVE-2021-30120: A multi-factor authentication bypass
- CVE-2021-30119: A cross-site scripting vulnerability
This enabled them bypass authentication in the web interface of MSPs’ on-premises Kaseya VSA. They then used the session to upload their payload and execute commands via SQL injection. At the time of writing, a patch was finally being rolled out to on-premises customers, while most SaaS MSPs are already back online.
Why are MSPs risky?
This isn’t the first time Kaseya has been targeted by ransomware groups. In 2019, threat actors exploited a vulnerable plugin for Kaseya VSA which enabled them to compromise a single MSP customer. With administrator-level access to the software, they were able to execute ransomware on every customer system it was managing—leading to between 1,500 and 2,000 customers becoming infected with the Gandcrab ransomware variant.
Although Gandcrab has been linked to REvil, there’s no suggestion that these attacks were perpetrated by the same group. But in any case, the cybercrime underground does a far better job of sharing intelligence and tooling than the infosec community. That means if attacks have been proven to work in the past, they will usually be repeated in the future. This is bad news for MSPs and their customers, as there’s a mounting body of historic evidence that shows campaigns against MSPs can be highly successful.
Some of the highest profile in the past have been the work state-backed operatives. These include Operation Cloud Hopper, an audacious multi-year scheme attributed to APT10 which impacted “an unprecedented web of global victims.” The difference today is that it is now financially motivated cyber-criminals who are targeting MSPs. According to one recent report, 73 percent of MSPs reported at least one security incident over the past year and 60 percent of these were ransomware-related.
Cybercrime is big business today. And it makes total business sense to spend time researching and targeting a single organization that can provide access to potentially thousands more, than to target those downstream customers individually. After all, MSPs have client data and privileged access to these organizations. According to some estimates there could be as many as 20,000 such MSPs serving multiple customers in North American alone today. And not all of them are as secure as they should be. That’s a significant target for threat actors to aim at.
How to manage MSP risk
Market dynamics should mean that MSPs which consistently fail their customers on security eventually give way to those with a stronger cyber risk management posture. There’s no shortage of tools on the market to help these providers differentiate on security. However, this only works if customers are well-informed enough to vote with their feet.
To that end, here are some basic due diligence checks and questions to consider before choosing your next MSP:
- What is their patch/vulnerability management program like?
- Which software partners do they work with and what is their reputation like for security/quality assurance?
- Do extra checks on any MSP software operating with high privileges
- Do they run the eight essential controls for MSPs? (These are: app whitelisting, patching and hardening, restricting administrative privileges, multi-factor authentication, OS patching, daily backups, and adjusting Office macro settings)
- Do they have robust anti-malware protection across servers, endpoints, networks, email, cloud systems etc?
- Do they operate a least privilege access policy and network segmentation to minimize the attack surface?
- Do they regularly train and update staff in phishing awareness?
- Do they undertake regular and comprehensive security audits/reviews?
- Do they run extended threat detection and response (XDR) for proactive protection?
- Do they have a well-rehearsed incident response plan in the even of a worst-case scenario?
- What industry standards, certifications and frameworks do they follow?
Due diligence checks like this won’t insulate your organization 100 percent from a security incident involving an MSP. But they will help to reduce the risk of one. And today, that’s about as good as you can do.
written by Phil Muncaster, ESET We Live Security