Kaseya Ransomware Attack: 10 Things MSPs Must Do To Protect Themselves

From scrutinizing the security of acquired assets and pen testing software development environments to limiting how much access MSPs have to customers, here’s what Black Hat 2021 attendees said MSPs should do following the Kaseya ransomware attack.

Preparing For Next Time

The REvil gang pulled off one of the biggest ransomware heists in years, exploiting a vulnerability in Kaseya’s on-premise VSA remote monitoring and management (RMM) tool to compromise nearly 60 MSPs and encrypt the data and demand ransom payments from up to 1,500 of their end user customers.

Kaseya said the cybercriminals were able to exploit vulnerabilities in its VSA tool to pass authentication and run arbitrary command execution. This allowed REvil to leverage the VSA product‘s standard functionality and deploy ransomware to customer endpoints. The Kaseya ransomware attack also left more than 36,000 MSPs without access to the company’s flagship VSA product for nearly 10 days.

CRN spoke with 10 C-suite executives and threat researchers during Black Hat USA 2021 about what MSPs must do following the Kaseya ransomware attack. From scrutinizing the security of acquired assets and conducting pen tests in software development environments to putting east-west segmentation in place and limiting the access MSPs have in customer environments, here’s what experts recommend.

Limit Scope Of MSP Access In Customer Organization

MSPs should limit their scope of access in the customer’s organization to minimize the blast radius in the event a supplier like Kaseya is compromised, said Colin Henderson, OneTrust’s vice president of security. MSPs should document the minimum level of access needed for the services they provide to customers since many only need to deploy on a segment of the network without full access to the entire company.

If an MSP purchases a solution from a vendor and deploys it into the customer’s network while retaining access to the entire network, then any type of corrupted update or event could give the adversary unfettered access to the victim’s systems, Henderson said. MSPs should consider how far their technology needs to reach in the customer’s network and limit their access to that, Henderson said.

If customers allow only the minimum amount of MSP access necessary, then a system compromise likely cannot be leveraged by the hackers to get into other systems in the victim’s environment, according to Henderson. MSPs must treat their environment with more care since they have direct hooks into so much of their customer’s environments, Henderson said.

East-West Segmentation To Stop Lateral Movement

MSPs need to keep their customers separate so that hackers can’t attack all their customers if they compromise the RMM software they use, according to John Maddison, Fortinet’s chief marketing officer and executive vice president of products. Traditional segmentation needs to be augmented by east-west micro-segmentation to keep an adversary from hopping across the MSP’s servers, he said.

Even if something gets through, Maddison said micro-segmentation isolates the incident by preventing horizontal spread from the RMM tool, which can typically see all customers and is connected to everything. MSPs traditionally have a very flat network, which means an adversary would have access to everything if they’re able to get into the MSPs’ systems, according to Maddison.

Both MSPs and their customers need to re-architect their networks to minimize the damage if they’re attacked, which Maddison cautioned is a big project. From there, Maddison said its all about how quickly an MSP can recognize that a customer has been compromised and activating their mitigation plan, which hopefully is already ready to go in the company’s Security Operations Center (SOC).

Pen Test Software Development Process

MSPs need to look at their pipeline for software development and implementation since the software they and their vendors use is highly trusted by customers, according to Barracuda Chief Technology Officer Fleming Shi. Supply chain isn’t the only software infrastructure that’s getting compromised, and MSPs need to continuously monitor and scan the tools that they license and libraries that they utilize.

MSPs should ensure their penetration tests go beyond the IT infrastructure and get into the software development process since adversaries can enter through the development environment and then get into other environments like production, Shi said. Developers need to be included in security awareness training exercises since they’re used to thinking about software availability rather than security first.

MSPs should also ensure their credentials are secure and that SaaS access points are well-protected by web application security technology, according to Shi. Encrypting data is also really important to make it harder for hackers to sell victim data, Shi said.

Conduct Due Diligence During Acquisition Process

MSPs generally ramp up their services offering through acquisitions, which can result in tool sprawl as the MSP acquires different companies and tries to promote their services globally, said Gee Rittenhouse, senior vice president and general manager of Cisco Secure. It’s hard to examine a company’s tools and source code before a deal closes, which Rittenhouse said can result in temporary exposure for the MSP.

The developers coming in through acquisition often have a different level of security awareness than the developers already working at the MSP, and often have different build systems and development tools based on a different development pipeline, according to Rittenhouse. MSPs need to level set and bring all developers up to the same level of security awareness knowledge, Rittenhouse said.

Tool sprawl is problematic following an acquisition by an MSP, and Rittenhouse said MSPs need to deal with it fairly quickly to ensure there’s a uniform, world-class process for pushing out updates as quickly as possible.

Avoid Connecting To Vulnerable Ports

Kaseya’s VSA RMM tool suffered from an open port, meaning that the adversary was able to access the vulnerable area with a special key after conducting reconnaissance and compromise a small subset of their MSP and end user customers, according to Splunk Security Strategist Ryan Kovar. Customers of MSPs had no way to defend against this since the hackers came in through a trusted method, he said.

Once adversaries got onto the MSP’s machine, they engaged in typical hacker behavior which MSPs should be able to detect, Kovar said. MSPs also must employ cyber hygiene practices such as avoiding connections to vulnerable ports. A RMM agent installed on a customer’s machine is the ultimate trojan horse since customers invite MSPs into their network to do monitoring and administration, Kovar said.

“In my belief, those [the RMM tools] are the crown jewels of an MSP because they provide God-like access to customers, and they should be defended as such,” Kovar said. “You’re never going to win all the time, but you can certainly slow hackers down to a point where you can detect them more easily.”

Test For Common Source Code Vulnerabilities

MSPs need to test for remote code execution or privilege escalation vulnerabilities in the software they build or deploy since they have so much sensitive end customer information and can be used as a launch pad to compromise customers, said Sri Mukkamala, Ivanti’s senior vice president of cyber products. MSPs must have visibility into what vulnerabilities are being introduced into their ecosystem, he said.

Hackers have taken a sniper-based approach to their cyberattacks and typically go after MSPs with customer density or knowledge in a particular industry, according to Mukkamala. They attempt to determine what technology and software these MSPs are using by looking at the questions their developers are asking on forums like Stack Overflow, Mukkamala said.

From there, hackers will conduct reconnaissance work to see if MSPs are susceptible to common vulnerabilities in any of the software products they use, and exploit any vulnerabilities that remain unaddressed, Mukkamala said. MSPs need to understand the offensive strategy of their cyber adversary and conduct purple team exercises focused on their own organization, according to Mukkamala.

Hire And Empower CISO To Drive Internal Security

Customers are increasingly asking MSPs about what security controls they have in place, and while MSPs serving large enterprise customers have typically already invested in internal security, many MSPs in the SMB space have not, according to Netskope Founder and CEO Sanjay Beri. Specifically, Beri said MSPs providing operations and network management services often haven’t invested enough around security.

MSPs need to employ a Chief Information Security Officer (CISO) and should empower them by putting a reporting structure in place that allows the CISO to communicate directly with the board of directors, he said. MSPs need to at least triple and possible quintuple their security investment by building out risk, data protection and vulnerability scanning teams to help keep their customers safe, according to Beri.

MSPs runs on small margins, which Beri said has historically limited how much they invest into security. But the vendors they get PSA and RMM software from also ran on low margins and traditionally did only what was needed from a security perspective, according to Beri. MSPs that want to thrive in the future need to build one of the best security teams out there, Beri said.

Computer code. Deep blue screen.

Computer code. Deep blue screen.

Monitor And Analyze Software Update Process

Adversaries have gotten access to the customers of MSPs by infiltrating their software update process and deploying malware, meaning that MSPs must do better at monitoring and analyzing the software update process of suppliers, said Jon Clay, Trend Micro’s vice president of threat intelligence. Attackers are looking for the critical systems and processes MSPs utilize, and no longer start at the endpoint.

The Kaseya VSA compromise leveraged unpatched systems and critical applications, and Clay said MSPs are most concerned about man-in-the-middle attacks since they allow bad actors to compromise customers by inserting themselves in the middle of recurring processes. Going forward, Clay said MSPs must become more diligent about monitoring and protecting their supply chain.

The software supply chain is massive for MSPs, and threat actors are taking advantage of unpatched vulnerabilities increasingly quickly, meaning that MSPs looking to manually vet software updates for security issues before implementing them are leaving themselves susceptible to attack, Clay said. If MSPs don’t trust the software coming from third-party vendors, they’re going to get stuck in the mud.

Ensure Vendors Have A Vulnerability Management Program

If an adversary can infiltrate a MSPs software update due to an oversight, the poisoned software can propagate quickly to thousands of their customers within moments, according to Rob Cataldo, managing director of Kaspersky North America. Given the number of customers MSPs have being serviced through RMM platforms, Cataldo said they should conduct a third-party risk analysis around those providers.

MSPs should create the expectation that their RMM vendors have a vulnerability management program in place, Cataldo said. In addition, he said MSPs should ensure technology suppliers have vetted their source code to the maximum extent possible to ensure their customers have a secure experience.

RMM vendors should ideally have a risk-based vulnerability management program in place, but Cataldo said there’s a wide range of maturity levels among technology suppliers when it comes to identifying vulnerabilities and managing patches. As a result, Cataldo said bad actors have been able to take advantage of common vulnerabilities and exposure that have been present for a long period of time.

Have Solid Security Fundamentals In Place

MSPs must ensure solid security fundamentals are in place such as multi-factor authentication, robust next-generation endpoint security, and internal personnel dedicated to monitoring and managing those endpoints, according to Sophos CEO Kris Hagerman. MSPs should also conduct regular online backups and retain updated copies of those backups, which he said is a difficult but manageable challenge.

MSPs need to look at their entire supply chain and assess the security profile of each of the different organizations, which Hagerman said creates a substantial additional obligation for MSPs. MSPs should ask important questions about how well-positioned that provider is in terms of their internal security controls and ensure that key cybersecurity best practices have been implemented.

In addition, Hagerman said MSPs themselves need to implement more robust security capabilities to ensure they’re less vulnerable and not promulgating problems in the event of a supply chain attack. MSPs can enhance their security posture by being on the most advanced systems and ensuring those systems are actively patched and monitored.