On July 2nd 2021, the threat group REvil launched a targeted attack against the users of the Kaseya VSA product, a remote monitoring and management (RMM) tool that many organizations and MSPs leverage to support their infrastructure. The attack, unprecedented in scale, exploited a vulnerability in the product, allowing the threat actors to infiltrate more than 30 MSPs and ultimately deploy ransomware to well over 1,000 organizations right before a holiday weekend.
With attacks like this and the SolarWinds Orion attack from 2020 happening more and more frequently, we are hearing customers ask questions like “How can I trust my supply chain?”, “What do I need to do in order to validate that my MSP isn’t susceptible to this type of attack?” and “What can I do to make sure this type of attack isn’t successful in my organization?” All of these are very valid questions.
Principle of Least Privilege
To start, organizations should ensure that their infrastructure is designed using the principle of least privilege, whether or not they are leveraging an MSP for the design. This ensures that all applications that require service accounts are properly documented and that the service accounts leveraged by the applications are properly scoped with the least amount of privileges to do the work. iVision has long been a champion of implementing hardened and least-privilege infrastructure specifically to ensure that this type of attack doesn’t have the ample foothold it needs to negatively impact an environment. We are passionate about helping organizations move towards a zero-trust model for their privileged accounts in support of this type of layered protection.
In addition, businesses should leverage a properly implemented SIEM to track the use of these service accounts and monitor the successful authentications completed by them, allowing their use to be audited on a consistent basis. Incident response processes should account for this type of threat, and the relevant team members should be clearly aware of their responsibilities in such an incident and capable of acting quickly to ensure the safety of the organization during an attack.
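As an added illustration of the service-account audit described above (this is example code, not part of the original post or any iVision tooling), the following Python script checks each successful service-account logon in a constructed authentication log against a documented scope of allowed source and target hosts, flags anything outside that scope, and counts logons per account for periodic review. The account names, host names and key=value log layout are all hypothetical.

```python
import re
from collections import Counter

# Constructed documentation of service accounts (hypothetical names): the hosts
# each account may authenticate from and the systems it is allowed to reach.
SERVICE_ACCOUNT_SCOPE = {
    "svc-backup": {"sources": {"bkp01"}, "targets": {"fs01", "fs02"}},
    "svc-monitor": {"sources": {"mon01"}, "targets": {"fs01", "app01", "db01"}},
}

# Constructed authentication records in a simple key=value layout, standing in
# for whatever the SIEM normalises from the real event source.
SAMPLE_AUTH_LOG = """\
2021-07-02T14:03:11Z result=success user=svc-backup src=bkp01 dst=fs01
2021-07-02T14:03:40Z result=success user=svc-monitor src=mon01 dst=db01
2021-07-02T14:05:02Z result=success user=svc-backup src=ws-admin7 dst=fs02
2021-07-02T14:05:09Z result=success user=svc-monitor src=mon01 dst=dc01
2021-07-02T14:06:55Z result=success user=svc-deploy src=app01 dst=fs01
2021-07-02T14:07:13Z result=failure user=svc-backup src=ws-admin7 dst=fs01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

def parse_auth_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def audit_service_accounts(text, scope):
    """Return (findings, usage): findings lists (timestamp, account, reason) for
    successful service-account logons outside the documented scope; usage counts
    successful logons per account for the periodic review."""
    findings, usage = [], Counter()
    for ev in parse_auth_log(text):
        if ev["result"] != "success" or not ev["user"].startswith("svc-"):
            continue  # only successful service-account authentications are in scope
        usage[ev["user"]] += 1
        doc = scope.get(ev["user"])
        if doc is None:
            findings.append((ev["ts"], ev["user"], "undocumented account"))
        elif ev["src"] not in doc["sources"]:
            findings.append((ev["ts"], ev["user"], f"unexpected source {ev['src']}"))
        elif ev["dst"] not in doc["targets"]:
            findings.append((ev["ts"], ev["user"], f"unexpected target {ev['dst']}"))
    return findings, usage
```

On the sample log this flags a backup account logging on from an admin workstation, a monitoring account reaching a domain controller it is not documented for, and an account that is missing from the documentation entirely.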
Secure Backup Strategy
Once the infrastructure has been secured, it is imperative that organizations adopt a secure backup strategy to ensure that, if their core network or application stack is negatively impacted, threat actors don’t have an open door to their recovery media. iVision engineer Robbie Holloman recently wrote a blog post providing a great set of recommendations to help protect your backup environment from this type of attack and ensure recovery is available when needed.
iVision strongly believes in having a robust and secure backup platform to support an organization’s need to recover, and we would love the opportunity to help an organization implement a safe and secure program to protect them from this type of threat. Additionally, iVision’s infrastructure consultants have extensive experience in securing and hardening environments to ensure that these attacks cannot gain a foothold in an organization’s network and can help to ensure that your organization is strongly protected from these threats.