On July 2, 2021, IT management software provider Kaseya announced it was the victim of a sophisticated cyberattack that impacted itself and many of its clients.
This type of ‘zero-day’ attack demonstrates the importance of using modern whitelisting tools to prevent unknown executables and scripts from running in your IT environment.
Targeting the firm’s endpoint management and network monitoring solution Kaseya VSA, the attack allowed threat actors to remotely seize and encrypt the target’s digital assets.
While ransomware isn’t new, the vector used to access systems and drive the attack – known as a supply chain attack – is still novel.
A supply chain attack is an emerging kind of cyberattack that targets software providers and development firms. The threat actor attempts to gain access to various organisations by exploiting vulnerabilities in their supply chain network.
The first step is to gain access to the source code, development processes, and installation mechanisms that vendors use when creating or updating software. Once inside, the threat actor inserts malicious code into the end product. From there, the malicious code is distributed to unsuspecting organisations through the vendor’s downstream supply chain.
When activated, the malicious code can engage in any number of activities, including encrypting the target’s digital assets and charging a ransom for the decryption key. While an effective disaster recovery plan can help an organisation recover, such attacks can still be damaging.
These attacks are effective because the vendors supplying the software sign and certify their products and updates. Most IT systems trust those signatures when assigning roles and permissions, so malicious code inserted into a signed product or update runs with the same trust and permissions as the affected app or update.
Types of supply chain attacks:
All businesses use a wide variety of software products, and a widespread cyberattack of this nature is a reminder that even vendor-signed software can introduce significant vulnerabilities. Unfortunately, even modern anti-virus/anti-malware and other endpoint detection and response tools may not be enough to identify and stop threats that exploit previously unknown vulnerabilities such as this one. Given the emphasis placed on cybersecurity in recent times, newer methods are needed.
With zero-day vulnerabilities such as this Kaseya incident, the most successful mitigation strategy at this time is application control, also known as “application whitelisting”.
Application whitelisting prevents any unknown or unauthorised applications from executing on servers and workstations.
Your IT Security personnel identify programs that are needed and give them permissions appropriate for their role. Any other programs get stopped at the gate – they can’t run until they’re approved.
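To make the "approve what you need, block everything else" model concrete, here is an added example in Python (not code from the original article, Kaseya, or any application control product). It models a default-deny allowlist policy with hash rules and publisher rules, an audit mode, and a set of constructed sample executables: an approved build, an unreviewed update signed by the same vendor, and an unsigned binary. All file paths, publisher names and file contents are constructed for illustration; the `Executable` record stands in for the signature metadata a real tool such as AppLocker would read from the file.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Executable:
    """Constructed stand-in for a file on disk plus its signature metadata."""
    path: str
    content: bytes
    publisher: Optional[str]  # who signed the file; None means unsigned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AllowlistPolicy:
    """Default-deny: a file may run only if an explicit rule allows it."""
    allowed_hashes: set[str] = field(default_factory=set)
    allowed_publishers: set[str] = field(default_factory=set)
    enforce: bool = True  # False = audit mode: report instead of blocking

    def approve_file(self, exe: Executable) -> None:
        """Hash rule: approve exactly this build and nothing else."""
        self.allowed_hashes.add(sha256_hex(exe.content))

    def approve_publisher(self, publisher: str) -> None:
        """Publisher rule: approve anything carrying this vendor's signature."""
        self.allowed_publishers.add(publisher)

    def decide(self, exe: Executable) -> tuple[str, str]:
        """Return (verdict, reason); verdict is allow, deny or audit."""
        digest = sha256_hex(exe.content)
        if digest in self.allowed_hashes:
            return "allow", f"hash rule matched {digest[:12]}"
        if exe.publisher is not None and exe.publisher in self.allowed_publishers:
            return "allow", f"publisher rule matched {exe.publisher}"
        if exe.publisher is None:
            reason = "no rule matches (unsigned)"
        else:
            reason = f"signed by {exe.publisher} but not approved"
        return ("deny" if self.enforce else "audit"), reason


def build_scenario() -> tuple[Executable, Executable, Executable]:
    """Constructed sample files; names and contents are illustrative only."""
    vendor = "CN=Example Vendor Pty Ltd"  # hypothetical publisher name
    approved_agent = Executable(
        r"C:\Program Files\Agent\agent.exe", b"agent v1.0 build", vendor)
    vendor_update = Executable(
        r"C:\Program Files\Agent\agent-update.exe", b"agent v1.1 build", vendor)
    unsigned_binary = Executable(
        r"C:\Users\Public\run.exe", b"unknown binary", None)
    return approved_agent, vendor_update, unsigned_binary


def hash_only_policy(approved: Executable) -> AllowlistPolicy:
    policy = AllowlistPolicy()
    policy.approve_file(approved)
    return policy


def publisher_policy(approved: Executable) -> AllowlistPolicy:
    policy = AllowlistPolicy()
    policy.approve_publisher(approved.publisher)
    return policy


def evaluate(policy: AllowlistPolicy, files: list[Executable]) -> dict[str, str]:
    """Map each path to the policy's verdict."""
    return {exe.path: policy.decide(exe)[0] for exe in files}


if __name__ == "__main__":
    approved, update, unsigned = build_scenario()
    files = [approved, update, unsigned]
    for name, policy in (("hash-only", hash_only_policy(approved)),
                         ("publisher", publisher_policy(approved))):
        print(f"--- {name} policy ---")
        for exe in files:
            verdict, reason = policy.decide(exe)
            print(f"{verdict:5}  {exe.path}  ({reason})")
```

The two policies show the trade-off security staff face when writing rules: a hash rule admits only the build that was reviewed, so an update that arrives later (even one carrying the vendor's valid signature) stays blocked until someone approves it, while a publisher rule is easier to maintain but extends the vendor's trust to every file it signs. Running the policy in audit mode first is the usual way to find which legitimate programs would be blocked before switching to enforcement.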
This level of granular restriction makes application control a powerful security tool. It is why application control sits alongside application patching as two of the eight mitigation strategies within the Australian Cyber Security Centre’s (ACSC) Essential Eight.
Supply chain management and a thoroughly tested backup and disaster recovery plan are also critical components of your organisation’s cybersecurity risk management strategy. As this incident shows, these measures are highly relevant to modern cybersecurity considerations.