The supply chain ransomware attack involving software company Kaseya is a wake-up call to anyone who believes cybercrime won’t affect them. The hack triggered an infection chain that compromised thousands of businesses on Friday. How?
Hackers and security researchers have access to many of the same basic tools for scanning the internet looking for computers that are vulnerable to attack. But by infecting IT support organisations, the malicious software was passed to customers as well, multiplying the impact.
Kaseya offers a cloud-based solution called VSA for “Unified Remote Monitoring & Management” to fully control and monitor endpoints and corporate networks. Its cloud solution is supported by an on-premise instance of the software - the VSA server - which customers deploy into their own network. The VSA server is typically granted administrative access to the managed endpoints through an Active Directory service account, which the service provider uses to manage the end-devices of its customers.
By exploiting a number of zero-day vulnerabilities in Kaseya’s VSA server, the cybercriminals, known as the Russian REvil group, deployed ransomware to at least 1000 of Kaseya’s customers around the globe, utilising the powerful permissions that are granted to the VSA server through its Active Directory integration.
Depending on the care taken during the configuration of the Kaseya VSA server in the customer’s infrastructure, it is highly likely that it was not only managed endpoints, such as the cash registers of Swedish supermarket group Coop, that were taken down. We can also expect to see more disruption in other companies, loss of revenue and even operations being shut down completely due to the takedown of their Active Directory Domain Controllers.
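The “care taken during the configuration” comes down to how much privilege the VSA service account, and any other management-tool account, holds in Active Directory. The following PowerShell audit is an added example, not part of the original article and not Kaseya’s or Semperis’s code: it lists every member of the built-in privileged groups and flags accounts that look like service accounts, so a defender can see whether a management tool has been handed domain-wide rights. It assumes the RSAT ActiveDirectory module is installed, that the caller can read group membership, and that service accounts are recognisable by a naming pattern (the `svc` pattern below is an assumption to adjust per environment).

```powershell
# Added example: audit privileged AD groups for service accounts.
# Assumes the RSAT ActiveDirectory module and read access to group membership.
Import-Module ActiveDirectory

# Built-in groups whose membership grants control over domain controllers.
$privilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Administrators',
    'Schema Admins',
    'Account Operators',
    'Server Operators',
    'Backup Operators'
)

# Assumed naming pattern for service accounts; adjust to local conventions.
$serviceAccountPattern = '^svc[-_]|[-_]svc$|service'

function Get-PrivilegedServiceAccounts {
    param(
        [string[]] $Groups = $privilegedGroups,
        [string]   $Pattern = $serviceAccountPattern
    )

    $findings = foreach ($group in $Groups) {
        # -Recursive follows nested groups, so accounts hidden one level down are caught.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }

        foreach ($member in $members) {
            $user = Get-ADUser -Identity $member.distinguishedName `
                               -Properties Description, PasswordLastSet, PasswordNeverExpires, Enabled

            $looksLikeService = ($user.SamAccountName -match $Pattern) -or
                                ($user.Description   -match $Pattern)

            [pscustomobject]@{
                Group               = $group
                SamAccountName      = $user.SamAccountName
                Enabled             = $user.Enabled
                LooksLikeService    = $looksLikeService
                PasswordNeverExpires = $user.PasswordNeverExpires
                PasswordLastSet     = $user.PasswordLastSet
            }
        }
    }

    # Sort so probable service accounts in privileged groups appear first.
    $findings | Sort-Object -Property @{Expression = 'LooksLikeService'; Descending = $true}, Group, SamAccountName
}

# Run the audit and show the results; a non-empty LooksLikeService=True set is the
# configuration this article warns about: a management tool with domain-wide rights.
$report = Get-PrivilegedServiceAccounts
$report | Format-Table -AutoSize

$risky = $report | Where-Object { $_.LooksLikeService }
if ($risky) {
    Write-Warning ("{0} service-like account(s) hold privileged group membership." -f $risky.Count)
}
```

A management tool that only needs to run software on workstations and member servers should be delegated rights on those machines (for example, local administrator membership pushed by Group Policy to a restricted set of computers) rather than a seat in Domain Admins; any account this audit flags is a candidate for that kind of scoping, and its membership is also worth alerting on in the SIEM so a re-addition is noticed quickly.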
This hack demonstrates that cyber war reaches far beyond the business arena and into society at large. Being able to say “no” to ransom and blackmail demands therefore makes us all safer. This comes down to organisations having adequate provision for cyber preparedness, incident response, and disaster recovery within their enterprise directory services. It is these directory services that are relied upon by over 90% of organisations worldwide.
So what is the scale of the issue these affected companies now face? Next to patching the original vulnerabilities of the Kaseya VSA software, companies will struggle to regain control of their Active Directory - and their business - unless they have tools in place to ensure fast AD recovery.
Guido Grillenmeier, Chief Technologist, Semperis
Guido Grillenmeier is Chief Technologist with Semperis. Based in Germany, Guido has been a Microsoft MVP for Directory Services for 12 years. He spent 20+ years at HP/HPE as Chief Engineer. A frequent presenter at technology conferences and contributor to technical journals, Guido is the co-author of Microsoft Windows Security Fundamentals. He’s helped various customers secure their Active Directory environments, and supported their transition to Windows 10/m365 and Azure cloud services.