REvil, a Russia-based sibling of DarkSide, managed to compromise hundreds or thousands or millions (they lie) of victims’ systems by attacking a trusted system, a Kaseya configuration manager.
REvil found an authentication vulnerability in Kaseya’s authorization controls, then used its new-found privileged access rights to command Kaseya to send ransomware payload to its customers. Kaseya VSA monitors and configures customer systems remotely to ensure their secure and efficient operations. So if VSA tells a system to accept malware, the system will accept the malware.
REvil disappeared as quickly as their victims’ data did, so decryption has been difficult. Kaseya has been working with trusted third parties to develop decryption methods which appear to be working.
Why is this important?
Kaseya’s services were so deeply trusted that companies allowed Kaseya systems to automatically update their own systems. That is a tremendous amount of trust that should be matched with a tremendous amount of verification.
What does this mean to me?
Automation and contracted services are important for cost efficiency. But there are always trade-offs. The more dependent you are to a third-party vendor the more vulnerable you are to them. And the more assurance you need that they will operate safely in your network.
How did Kaseya assure their customers about their security program? They stated that their underlying data centers were ISO 27001 certified. Not their systems. Not their services. That’s like saying during a pandemic, “You can hug me. My doctor was vaccinated.” Moreover, when someone’s marketing tries to trick you about security, beware.
Unprotected third-party vendors
Permitting unverified vendors to monitor and alter your systems without verifying their security controls.
Do not permit systems and services to monitor and alter your systems until they have shown you that they are secure.
Security certifications are important, but third-party vendor discussions are critical to understand where risks remain, and to know what to do about them.
Commonality of attack