06 Jul 2021

Managed service providers & supply chains – The backdoor to your network

By Stuart Slater

Those of you who enjoy keeping track of IT security news over your weekends may be a bit too familiar with the name “Kaseya” today. For those who aren’t, what is Kaseya?

Kaseya is a software company based in Florida, USA, who provide IT management software to managed service providers (MSPs) to allow IT teams to remotely manage networks, systems and information technology for their clients. They offer a range of tools, but the one we’re most interested in today is a program called Kaseya VSA.

Kaseya VSA is used by MSPs to provide IT security and administration to their clients remotely, in lieu of an in-house IT support team. This meant that Kaseya VSA had to have access to administrative level processes in order to patch machines, manage backups and anti-virus programs.

An organization named REvil, commonly known in the cyber security world as one of the most infamous ransomware operators (also associated with the Colonial Pipeline attack that affected fuel distribution to 45% of the East Coast, USA), saw this as an opportunity to gain easy access to a multitude of client networks.

Therefore, using a SQLi* vulnerability within Kaseya VSA, attackers were able to access the administration panel for all MSPs and deploy an application that disabled Windows’ built-in protection (Windows Defender), then proceeded to encrypt data on client networks. The cyber security company who initially detected the incident, Huntress Labs, have said they were tracking around 30 MSPs across the US, Australia, EU and Latin America, where well over 1,000 businesses were affected by the ransomware attack.

*SQLi is short for an SQL injection attack, whereby an attacker uses malicious SQL code to gain access to the backend database of your website and reach sensitive information that is normally hidden from a user.

REvil have since announced on 4th July that their price to decrypt all victims has been set at $70 million (approximately £50.5 million), which, if paid, would overtake the current record of $4.5 million, a small sum in comparison.

What does this teach us?

Firstly, it should be said that an attack of this magnitude is unlikely to be on any MSP’s risk register, and that MSPs cannot be blamed for an unknown vulnerability in a piece of software they use to administrate. For the MSPs who are affected by this, I really hope they can do right by their clients and learn valuable lessons.

But what if this happened to a software company who willingly ignored a vulnerability? This isn’t to say Kaseya did that, as we simply don’t know, but there is evidence of companies who do just that. This leads us to our next question: How can we be sure that companies supplying services to our organization are using tools that are responsibly patching vulnerabilities?

This question leads to the core of supply chain security: expecting everyone within your supply chain to have a level of security that assures others that you will not fall victim to an attack. With this in mind, perhaps you should consider asking your MSP, the company you buy software from, what they’re doing to ensure they’re keeping you safe, before it’s too late.
