The Multiplier Effect – Targeting The MSP Supply Chain

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.

OVERVIEW

Cybersecurity threats targeting supply chains have been around for more than a decade, but recent cyber-attacks have showcased how adroit threat actors are in taking advantage of any vulnerability. Making the headlines recently was cybercriminal group REvil’s exploitation of Kaseya Virtual System Administrator (VSA) – an IT management platform popular among corporates and Managed Service Providers (MSPs) - as a conduit to deliver ransomware. Beyond the multiplier effect of the incident, it also generated much discussion on the nature of the attack. This edition of CyberSense revisits the nature of supply chain attacks, and looks at the implications on MSPs and the cascading impact downstream.

KASEYA – ZERO-DAY OR SUPPLY CHAIN?

According to Kaseya, the ransomware attack affected about 60 of their customers, and through the targeting of the latter’s customer bases, between 800 to 1,500 more organisations – mostly small businesses – could have been impacted by the ransomware as well. Initial reports on the Kaseya incident had described it as a “supply-chain ransomware attack”.

By definition, a software supply-chain attack occurs when attackers target software vendors to compromise legitimate software by introducing malware into their source codes, build processes or update mechanisms. By compromising a single software vendor, attackers could produce an enormous ripple effect across the vendor’s entire ecosystem, springboarding into networks of the vendor’s customers, as seen during the SolarWinds breach (see Figure 1 below for comparison of recent attacks).

Figure 1: Comparison of recent major cyber-attacks (Image Source: SophosLabs)

In Kaseya’s incident report, it was noted that there was no evidence that its codebase had been maliciously modified. Instead, the attackers exploited a zero-day vulnerability (a newly discovered, yet-to-be-patched software security flaw) in the VSA software product itself to bypass authentication processes, and directly deploy the ransomware to its customers. From a technical viewpoint, the incident is not a supply-chain attack through Kaseya itself, but rather, a zero-day was exploited to launch attacks on organisations using Kaseya’s VSA software.

Nonetheless, the high level of trust accorded to Kaseya’s VSA software among its users, including MSPs, resulted in them being infected by ransomware. This was the first stage of the attack. The second stage occurred when the attackers then exploited the supply chains of the infected MSPs, leading to further ransomware infections of the latter’s customers.

WHY ARE MSPs ATTRACTIVE TARGETS?

As countries around the world continue to grapple with the COVID-19 pandemic, MSPs have been in high demand given the shift to the new normal of remote working. Recent survey findings reveal that more than 75% of MSPs said that remote working was the best revenue-generating opportunity, while 65% of MSPs had increased their revenue from delivering cybersecurity services. This comes as no surprise given that MSPs provide services to help other companies and firms with a number of IT services and their maintenance, such as network, application, infrastructure and security, via ongoing and regular support and active administration. To perform these tasks, MSPs are typically granted access to their clients’ systems and networks, which allow them to manage their client’s IT infrastructure – a double-edged sword that can also be used to hack a compromised MSP’s clients’ networks.

While attacks against MSPs are not new (e.g. “Operation Cloud Hopper” in 2017), they have been increasingly targeted by ransomware operators since 2019. A cyber-attack targeting MSPs – a major component of the supply chain – greatly multiplies the effect, especially given the rise in companies using third parties to manage their IT needs.

 KEY TAKEAWAYS

Ransomware attacks are set to become more sophisticated - leveraging both zero-days and supply-chain attacks - both long-believed to belong only in the arsenals of more sophisticated APT groups. Supply-chain attacks are also expected to persist, given their demonstrated effectiveness at compromising a disproportionate number of organisations in one fell swoop. MSPs in particular, have proven to be prime targets given their ability to serve as conduits for large scale attacks. This highly effective combination of tactics and targets underscores the need for heightened vigilance to guard against such threats.

Beyond the swift detection of anomalous behaviour in systems and networks, minimising third-party cybersecurity risk and reducing exposure ahead of a compromise can also help reduce the impact of supply-chain attacks. Organisations will need to assess cybersecurity risk pose by their vendors, evaluate these vendors’ cybersecurity posture and put in place measures to mitigate the associated supply-chain risks, which may also include appropriate levers incorporated into vendor contracts.

For mitigation tips following the ransomware attack involving Kaseya VSA, please refer to SingCERT’s advisory. For further reading on cybersecurity trends and other insights, the Singapore Cyber Landscape 2020 report can be downloaded here.

REFERENCES:
Altaro, Armor, Data Center Knowledge, Kaseya, MarshMcLennan, MSSPAlert, NTT, SophosLabs, US Cybersecurity and Infrastructure Security Agency, ZDNet