IT security Kaseya Ransomware

Global Cyber Attack hits businesses over 4th July Weekend

If you’ve been watching, reading or listening to any news over the last few days I am sure you will have seen the coverage of a massive, global cyber-attack which has crippled thousands of businesses around the globe through a widespread Ransomware infection.

What might not be so clear from the mainstream news media is

  • exactly what happened, or how
  • what this might mean for you and your business

Which I will try to explain in this blog  

I’ll follow up with a couple of additional blogs exploring in a bit more detail

  • Who are Kaseya and how a sophisticated “Supply Chain Attack” leveraged in this case tools used by thousands of IT Support providers, software companies and internal IT teams to compromise thousands of businesses around the world
  • Cyber security tools, systems and defences businesses should be investing in in 2021

If you have any questions or concerns about anything in this blog, as always please don’t hesitate to Contact Us to discuss with an experienced IT Security Consultant

So what exactly happened, and how?

Some time on Friday afternoon or early UK evening time, a handful of US based IT Support Businesses started to report a Ransomware attack affecting multiple customers.

Firstly it’s worth noting that a highly sophisticated, co-ordinated and well-planned Cyber Attack launching just as many US based businesses would be shutting down for a long weekend to celebrate Independence Day is no coincidence! This is a deliberate tactic used to limit the chance of early discovery and response by those affected, increasing the scope and success rate of the attack. Fortunately, it seems the attack was launched a little prematurely which did allow many businesses to respond promptly – if the attack had been launched later into the night on Friday the results might have been even more devastating!

As the red flags continued to be raised, it quickly became apparent that all of those providers reporting the issue were customers of the software provider Kaseya – much too much of a coincidence at this stage and focussing all eyes on the Kaseya system. As further news and reports rolled in, it became abundantly clear that Kaseya’s software had indeed been compromised in some way and urgent advice was issued by Kaseya to all of their customers to immediately shut down their servers running Kaseya’s software to prevent further compromise whilst investigations continued.

Once the attackers had successfully compromised a Kaseya customer using the as-yet unknown vulnerability, they were able to leverage their Kaseya software to initiate a Ransomware attack against their customers, affecting Servers, PCs, and laptops that were supported or managed by the affected Kaseya customer.

At the time of writing on Monday 5th July, at least 40 or more Kaseya customers are thought to have been affected, impacting thousands of end user businesses and at least one million endpoints which are now encrypted (servers, PCs & laptops).

The issue allowing the attack has now been identified by Kaseya as a combination of software vulnerabilities affecting the Kaseya software; by combining the vulnerabilities, the hackers had been able to upload a file to the Kaseya system and then issue commands into the system causing the ransomware to be distributed to the end computer systems.

The suspected hackers – a group known as “REvil” – posted to the Dark Web this morning demanding a 70 million dollar ransom to de-crypt the systems of everyone affected.

Right now, thousands of businesses around the globe are completely offline – from small home businesses through to high profile victims such as the Swedish Co-Op chain.

As efforts turn from investigation to recovery, IT professionals around the world are swinging in to action to restore their systems and those of their customers to production capacity.

This will likely take weeks, if not months. Inevitably, there will be some businesses that were not well prepared and will not be able to recover.

Maybe their backups are inadequate, and they aren’t able to recover their data? Maybe they didn’t have a continuity plan of how to respond to a serious Cyber incident? Maybe they don’t have adequate insurance in place to cover their outgoings, losses and other costs involved in the clean-up?

Whatever the outcome for those businesses – this genuinely should be a moment for thought and consideration for every business.

So What Does It Mean To Me?

There are a few key and pertinent takeaways from this incident that we would urge all businesses to pause and think about

  • It is a sad but true fact that most small businesses we encounter do not genuinely understand the risks they face online and are operating under a false sense of security. All businesses should be thinking of a major cyber incident as a “when not if” scenario – yet we regularly encounter small business owners who think they are “secure” and that it’s not something they need to worry; that it could never happen to them or it it’s just someone else’s responsibility.
  • Cyber Security has to be a board-level topic, with continued investment in what is a very dynamic and rapidly changing landscape. Do not assume that because someone else looks after your IT day to day – be that internal or external – that you are “secure”. I guarantee there are opportunities to improve your IT security in every business – consider the cost of not investing and most small businesses investment in security would be found lacking.
  • As affected businesses around the world turn to their backup systems to restore or recover data and applications and get their businesses back up and running, challenge yourself to an honest assessment of how you would deal with a similar situation and how long this would take. Sadly many businesses affected by this incident are only now finding that their backup system was not effective or does not meet the businesses needs in a disaster. In the worst cases, some of those impacted by this incident are only now finding that their backup either didn’t work or was simply inadequate and their backup data has also been encrypted and they are left completely helpless; others are staring at weeks more downtime whilst they recover systems that could have been recovered in hours with a capable business continuity solution and plan.
  • This particular attack has been fairly unique and so devastating to so many businesses simultaneously through the use of a Supply Chain attack vector. This has helped the hackers gain entry into thousands of organisations , and afforded them a huge economy of scale in return on their efforts.  Read our follow on Blog – what is a Supply Chain attack and why should I be worried? – to find out more on what this means and why it’s such a big issue for businesses
  • Recognise and accept that as much as you work to secure your own business, there will always be a weakness somewhere. Plan for what happens if one is found and exploited. It might not be anybody’s “fault”. Try to reduce the possible attack surface where possible, and do what you can to mitigate or limit the chances of Cyber breach – don’t be an “easy target”. See our follow on Blog – security techniques for 2021 – to find out more

How Can Vital Help?

When we became aware of the attack on Friday evening, we quickly developed and deployed a script in our own system to identify any computers across our client base that might have the affected Kaseya software installed, and disabled it to prevent the possibility of infection through this attack. Fortunately only one affected computer was identified – the affected software had been installed by a CCTV provider – and was quickly disabled, preventing compromise for the client in question.

Whilst this should be a wake-up call for all businesses, it is also a wake-up call for Vital and businesses like ours – after all, it was the software used by thousands of IT Managed Service Providers around the world just like Vital that was exploited in this case. Just as we are urging customers and all businesses to conduct an honest review and assessment of their investment, security, incident response and continuity plans, so are we doing to protect Vital and our clients.

As a security focussed MSP, we take pride in but do not take for granted our fantastic track record of maintaining the security of our clients’ IT Systems.

We will be re-doubling our efforts to ensure our clients have the best possible levels of security they can across their IT systems; we are reviewing our already comprehensive “baseline” security stack and will be taking even stricter approach to ensure our clients are making the necessary investments to protect their business and IT systems from attack.

We will continue to serve our clients as Cloud First, Security First Managed Service Provider and our range of security solutions address many of the basic security investments all businesses should be making as discussed further in our follow on blog