If you keep up with the world of technology, you probably saw the news of Kaseya being hacked over fourth of July weekend. Essentially what happened was a group of hackers called “REvil” were able to hack Kaseya’s virtual systems/server administrator (VSA) to upload ransomware, which in turn infected some of their customers. So, the attack targeted both the remote access program as well as the IT companies that used it. It’s estimated that over 1000 companies were affected by the attack with their information held at ransom for 70 million dollars.
So why is this worrisome? Well, it basically means for some companies, their trusted advisor and support (their MSP) became the gateway for hackers to gain access to their systems.
So, what happened? What occurred is called a supply chain hack. REvil was able to exploit a weakness in Kaseya’s VSA, giving them access to the MSP’s that used it. Which in turn gave them access to the customers those MSP’s supported. Because Kaseya’s design has them whitelisted in their customers systems for remote access, the hackers were able to infiltrate undetected as a fake automated software update. From there they ran a PowerShell command string that attempts to disable core malware and anti-ransomware protections offered by Microsoft Defender. Then a Windows certificate copy was created to give them the capability to download and decode web-encoded content. With this level of access, they were able to upload an outdated version of Windows defender from 2014 onto the drive giving them unfettered access to their files to encrypt.
Odds are your IT provider has already contacted you about this, but in the case they haven’t or if you don’t have a MSP, here are some things that can be applied to your approach when it comes to the security of your information.
Shift from a reactive to a proactive approach with your security. (Change your mindset from what did I block, to what did I miss?) Your endpoint protection is your LAST layer of defense.
Monitor for early signs of compromise (E.g. use of credentials for remote access during offline hours.
Take an audit of your supply chain (IT service provider, professional services, suppliers) Limit data shared and examine where you HAVE to share pertinent information.
Assess the security posture of suppliers and partners. (Audits are not guarantee, but it is an added layer of being prepared.)
Constantly review your own IT security operations.
Enable multi factor authentication EVERYWHERE!
Review supplier access and application privileges
Don't assume you're too small or not important enough to be targeted for an attack.
Proactively monitor what your suppliers say in their security bulletin. (Keep an eye on updates and patches when they find vulnerabilities.) It's easier to stay protected when you're up to date.
Ensure you have no to minimal exclusions on your endpoint protection solution.
Make sure you deploy protection on every device.
Make sure you use all of the defaults of your endpoint protection product. If you're unsure how to ask for help! A 5 min to an hour phone call could save you a lot of headache when it comes to an attack like this.
Here at Omega, we have a few fail-safes in place already for both our internal use as well as our customers. Spanning from our choice of endpoint protection, our methodology of system back-ups, and custom scripts we’ve developed to monitor and log system access, we’ve worked tirelessly to ensure the highest level of security and accessibility of information. If this is something you’d like to explore for yourself feel free to reach out to us! We’d love to talk with about how we can enhance or elevate your current security solution.