This Kaseya ransomware attack is different.
Instead of a single company or organisation being the victim of a ransomware attack (think Waikato DHB ransomware attack) any/all organisations using the Kaseya VSA product are potential victims.
Stuart MacIntosh, an independent security consultant based in Christchurch, spoke to theBit about the nature of the attack and its implication.
1. Who is Kaseya?
Kaseya is a Managed or ‘Shared’ Service Provider (MSP), which provides an inventory, patch and systems management tool suite hosted in the ‘cloud’.
According to documentation, in the VSA system architecture, software ‘Agents’ are installed onto the systems under management. The agent phones-home to the Kaseya VSA servers in the ‘cloud’, submitting performance and systems data for presentation on an easy-to-use dashboard.
The gist is: VSA will save you time and money by making it easier to manage and patch systems at scale. The product does what it says on the box.
Kaseya VSA is also similar to Solarwinds, another systems management product recently made infamous by a security breach.
2. What has happened?
Kaseya – and by extension its customers – has reportedly been compromised and hit with a ransomware attack.
Typical ransomware leaves the computer Operating System (OS) functioning, but searches out and encrypts data and documents, rendering that data unusable without a key to unlock it.
Attempts to buy the key (and decryption tools) from the attacker may or may not succeed. Paying ransomware attackers is highly discouraged, and no contract laws or consumer guarantees apply.
Technical details are still emerging, however. Current consensus (subject to change) is a zero-day or novel attack against the VSA cloud platform itself, which the agents report to.
By compromising the cloud platform, the agents who trust it may have had that trust abused, which could have enabled remote-code execution on the agents leading to widespread compromise of Kaseya’s customers.
3. What is an MSP?
A Managed Service Provider (MSP) is also sometimes known as a shared-services provider.
These organisations consolidate the efforts of systems management and engineering into one house, ostensibly for commercial reasons. A typical MSP will cater to clients without their own engineering expertise or resources. It is a common form of outsourcing, and without VSA, for example, an engineer may need the resources to support an in-house patch management and monitoring system.
MSPs typically multi-tenant their systems. By using virtualisation and containerisation, a single (hardware) server may provide service to many users.
However, virtualisation and containerisation are themselves targets of attacks, and container ‘escapes’ are widely reported in vulnerability databases.
Virtualisation is often considered a layer of security; however, its main goal is to consolidate computing resources to cut costs and improve power efficiency.
All very good things, but not security-first goals.
4. How has this happened?
MSPs represent a ‘juicy’ target for any keen attacker. The notion of many eggs in one basket applies. ‘Hack’ one MSP, and you can hack a dozen other businesses at the same time.
Zero-day or novel exploits not previously disclosed to the Common Vulnerability (CVE) database are a likely attack vector.
5. Why has this happened?
Attribution is difficult. Speaking to intent is speculation at best, in lieu of any manifesto or demands other than money. It is probably a financially-motivated crime, although political or spiteful motivations cannot be ruled out either.
The fallout from this attack could have been reduced, however. The risks of moving towards ‘cloud’ based services – at the expense of an on-premises monitoring system – are clear for all to see now.
An on-premises monitoring system may be similarly compromised, but the impact in such an event is limited to that network.
6. What happens next?
Incident response and forensics. The dust has not settled yet. CERT, Police – and if government agencies are affected – the GCSB may be expected to be involved too.
President Biden has ordered an investigation into the attack.
7. What do you advise?
The ever-green security advice is:
- Install your updates.
- Have your security professionally tested, regularly.
- Educate your users.
For security professionals and engineers, keep tabs on all your assets. Monitor logs and network traffic for indications of compromise where possible, and make it part of your daily routine.
Remember that tools that claim to save time and money may inevitably cost more if used incorrectly.
Use the right tool for the job, and beware of ‘attack surface’. Attack surface is what an attacker sees. The ports left open to the Internet, the VPNs without two-factor auth, that old web-based application that was forgotten. You get the idea.
Ask questions and understand the traffic on your network – why does A need to connect to B? Does C really need unrestricted Internet access to do what it does? Can we disable NAT and make it work via an HTTP proxy?
Firewall policies should be ‘deny-by-default’. Introduce exceptions for what actually does need to reach the Internet on a case-by-case basis. Treat unrestricted access to the Internet as a privilege applications need to earn.
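An added example, not part of the original article: one way to check observed traffic against a deny-by-default egress policy before enforcing it, so that every exception has a stated reason and unexplained flows stand out. The rules, addresses and flow records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed allowlist: each exception records who needs what, and why.
# Addresses come from private and documentation ranges, not real hosts.
ALLOW_RULES = [
    {"src": "10.0.10.0/24", "dst": "10.0.1.5/32", "port": 3128,
     "why": "workstations reach the web only via the HTTP proxy"},
    {"src": "10.0.1.5/32", "dst": "0.0.0.0/0", "port": 443,
     "why": "proxy is the one host allowed direct HTTPS egress"},
    {"src": "10.0.20.7/32", "dst": "192.0.2.10/32", "port": 25,
     "why": "mail relay to upstream smarthost"},
]

# Constructed flow records: (source IP, destination IP, destination port).
OBSERVED_FLOWS = [
    ("10.0.10.21", "10.0.1.5", 3128),
    ("10.0.1.5", "198.51.100.8", 443),
    ("10.0.10.33", "203.0.113.50", 443),  # workstation bypassing the proxy
    ("10.0.30.4", "203.0.113.99", 8080),  # server with no documented need
]


def match_rule(flow, compiled):
    """Return the index of the first rule permitting the flow, or None."""
    src = ipaddress.ip_address(flow[0])
    dst = ipaddress.ip_address(flow[1])
    for i, (src_net, dst_net, port) in enumerate(compiled):
        if src in src_net and dst in dst_net and flow[2] == port:
            return i
    return None  # deny-by-default: no exception matched


def audit(flows, rules):
    """Split flows into allowed/denied and list exceptions nothing used."""
    compiled = [(ipaddress.ip_network(r["src"]),
                 ipaddress.ip_network(r["dst"]), r["port"]) for r in rules]
    hits, denied = Counter(), []
    for flow in flows:
        idx = match_rule(flow, compiled)
        if idx is None:
            denied.append(flow)
        else:
            hits[idx] += 1
    unused = [r["why"] for i, r in enumerate(rules) if hits[i] == 0]
    return {"allowed": sum(hits.values()), "denied": denied, "unused": unused}


if __name__ == "__main__":
    print(audit(OBSERVED_FLOWS, ALLOW_RULES))
```

Denied flows are the ones to ask "why does A need to connect to B?" about; unused exceptions are candidates for removal.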
Some security problems are, at least in part, political and relate to human factors or organisational structures and budgets. For example, an under-paid or over-worked engineer is more likely to make mistakes that compromise security.
It may sound obvious, but project managers would do well to consider these unforeseen costs, and your engineers will thank you for the time to take due diligence in their tasks.
8. How is New Zealand involved?
RNZ reported that 11 schools are impacted here in New Zealand.
The world-wide nature of the Internet makes it possible for NZ businesses to find themselves part of any overseas hacks; our geographical isolation is no protection in this regard.
NZ-based MSPs are no less vulnerable, however. Mandatory reporting of breaches was only introduced recently in NZ, meaning the public has only recently been offered visibility into issues the industry has been tackling – or blissfully unaware of – for a decade or more.
As an independent security contractor, I have some vested interest in pushing for professional security testing.