Threat Essentials Blog

US Independence Day attack: why knowing your supplier's cyber security status is critical

0-day vulnerability

4th July is US Independence Day. Just before Americans were planning to switch off computers and enjoy a long holiday weekend, cyber criminals took advantage of a 0-day vulnerability being patched at Kaseya – a Miami-based firm providing remote management software to IT companies. Kaseya had been monitoring 'a security incident' for around 48 hours and was informing customers that they were working quickly to find a patch.  By mid-morning that day, they announced on their website: 

"Kaseya's VSA product has unfortunately been the victim of a sophisticated cyberattack.   Due to our teams' fast response, we believe that this has been localised to a very small number of on-premises customers only." 

That small number of on-premise customers escalated quickly into a global supply chain attack affecting over a thousand organisations worldwide, with Sweden's 2nd largest supermarket reported having had to close over the weekend. 

The flaw may have spurred on the seemingly haphazard, but equally damaging attack, in the Kaseya tool, deploying an encryptor for the REvil team. Due to the smash and grab technique of this attack, the REvil group did not have enough time to enumerate files or systems on the network or differentiate the keys used for encryption. 

REVil Kaseya Ransomware

On Monday, 5th July, Threat Essentials analysts working on the intelligence platform detected an announcement  by the REvil group asking for $70 million in exchange for releasing a decryptor to the public that would solve the problem in under an hour. 

Screenshot 2021-07-06 at 09-48-03 Threat Alert 1b61d9de-99d8-42a1-8433-f3a8f7fc1d6c Threat Essentials

Image: Threat Essentials Intel Platform screenshot of the REvil announcment

The chain effect of third party cyber attacks

It's been a heart-stopping security and communications nightmare for Kaseya, who have worked hard and fast to patch and secure the problem while keeping customers informed.  However, despite their initial optimism that this attack affected only a small number of clients, they underestimated the chain effect.   

For many companies downstream, this attack is more than a headache; many will have had business disruption impacting profit and gaining them unwanted headlines.  They are likely to think twice before partnering again with a Managed Service Provider (MSP) using a third-party tool without having a clear idea of its security credentials that go beyond the typical infosec questionnaires. They will without a doubt, need to know: "what unreported vulnerabilities does my supplier, and indeed their suppliers, have that will allow attackers to compromise my systems and affect my operations?".  And they will want the information in as close to real-time as possible.  

Third party cyber ratings

Threat Essentials’ helps companies manage third-party cyber risk in near real-time.  A risk rating engine derives meaningful third-party cyber risk scores based upon a wide range of signals and indicators, including intel from dark web forums.   Using a sophisticated grading engine, businesses are given an individual cyber rating that allows you and your risk management function have a clear view of whether a partner meets your security benchmark – regardless of where they sit in your ecosystem.  

Knowing your supplier's cyber security status leads to greater level of trust and reduced risk of an attack that could affect not just you, but your customers too. 

For more information on cyber scoring the partners in your supply chain, contact us.  

 

References

Kaseya online attack 

Reuters: Cyber attack against US IT Provider