One reason why IT security vendors can never let their guard down is the constant innovation coming from the cybercrime community. Knowledge spreads far and wide across underground forums with a speed that can take many organizations by surprise. So when we saw some of the techniques used in the infamous SolarWinds campaign applied in the recent Kaseya ransomware attacks, we shouldn’t have been surprised.
However, by deploying micro-segmentation in the right places, organizations could have made life a lot harder for the bad guys — both in minimizing the risk of initial zero-day exploitation and blocking subsequent command and control communications.
What Happened in the Kaseya Attack?
Kaseya provides software primarily to managed service providers (MSPs) to streamline essential IT tasks like patching and remote monitoring for smaller and mid-sized businesses. As was the case with SolarWinds software, the Kaseya VSA product that was targeted in this attack is granted highly privileged access to perform its core tasks of remotely monitoring and managing networks and computing devices — making it the ideal choice for spreading malware far and wide.
An additional benefit for the REvil ransomware affiliates behind the attack is the nature of Kaseya’s customers. As MSPs, they each have multiple customers of their own which the attackers could infect and extort. That’s a pretty good ROI for cybercriminals looking to make some easy money.
Kaseya has detailed its response to the attack. The vendor was first notified about a breach on July 2, just before the holiday weekend in the U.S. It appears that the threat actors used a zero-day authentication bypass exploit in the web interface of the on-premises Kaseya VSA. This helped them gain an authenticated session, upload their payload, and then execute commands via SQL injection.
With access to the MSPs’ Kaseya VSA servers, they were able to push out a fake update to these organizations’ customers, dubbed “Kaseya VSA Agent Hot-fix,” which was in fact REvil/Sodinokibi ransomware.
Fewer than 60 MSPs out of a potential 40,000 customers are thought to have been affected. But the knock-on impact meant downstream customers of the MSPs were infected with ransomware, totalling about 1,500 organizations across the globe from schools to supermarkets.
A patch for the exploited zero-day vulnerability has been released, but for these compromised businesses, it is too late.
How Micro-Segmentation Can Help: Inbound Traffic
MSPs could have mitigated the initial breach by restricting administrative access to the Kaseya VSA web interface. In this way, only specific authorized users from a small set of bastion hosts would be able to access the Kaseya software on management ports.
In effect, they would be using micro-segmentation to reduce the attack surface, putting extra barriers in the way of cybercriminals so they have to work much harder to deploy a zero-day exploit. Combine this with multi-factor authentication for those limited authorized users, and you have made it exponentially more difficult for cybercriminals to break into your network.
By forcing them to spend more time and make more “noise” as they search around a network looking for an unlocked door, you also help your threat detection and response tools “hear them” as they sneak around in the dark.
How Micro-Segmentation Can Help: Outbound Traffic
The second way micro-segmentation helps is with outbound communication from infected endpoints to the Internet.
At some point, cybercriminals typically need to communicate with their command and control (C&C) server to provide instructions and download malicious payloads. By ensuring that policies limit outbound connectivity from the Kaseya infrastructure to only well-known and pre-approved IP addresses, you could stop attackers in their tracks. If the criminals can’t communicate with their own servers, they can’t proceed to the next stage of the attack.
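To make the two policies above concrete (inbound: only bastion hosts reach the VSA management port; outbound: the VSA host reaches only pre-approved destinations), here is an added, self-contained allowlist policy evaluator. It is illustrative code written for this post, not Kaseya's software or any vendor's segmentation product. All addresses, the bastion subnet, the management port (443 standing in for the VSA web interface) and the approved egress range are constructed placeholders. It also tallies denied flows per source, since every blocked probe is the kind of "noise" a detection tool can alert on.

```python
"""Default-deny micro-segmentation policy evaluator (illustrative example).

Assumptions (all constructed for this example, not taken from any real deployment):
- VSA_SERVER and BASTION_HOSTS are placeholder RFC 1918 addresses.
- Port 443 stands in for the VSA web/management interface.
- APPROVED_EGRESS is a placeholder range for vendor update/licensing endpoints.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VSA_SERVER = ip_address("10.0.10.5")           # constructed: the on-prem VSA host
BASTION_HOSTS = [ip_network("10.0.99.0/29")]   # constructed: small bastion subnet
MANAGEMENT_PORTS = {443}                       # constructed: VSA web interface port
APPROVED_EGRESS = [ip_network("203.0.113.0/28")]  # constructed: approved egress range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: list    # networks the source address must fall in
    dst: list    # networks the destination address must fall in
    ports: set   # allowed destination ports (empty set means any port)

    def matches(self, flow: Flow) -> bool:
        s, d = ip_address(flow.src), ip_address(flow.dst)
        return (any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (not self.ports or flow.dst_port in self.ports))


# The policy is an allowlist: the only way in is bastion -> VSA management port,
# the only way out is VSA -> pre-approved destinations. Everything else is denied.
POLICY = [
    Rule("bastion-to-vsa-mgmt", BASTION_HOSTS,
         [ip_network(f"{VSA_SERVER}/32")], MANAGEMENT_PORTS),
    Rule("vsa-egress-approved", [ip_network(f"{VSA_SERVER}/32")],
         APPROVED_EGRESS, {443}),
]


def evaluate(flow: Flow, policy=POLICY):
    """Return ("allow", rule_name) for the first matching rule, else ("deny", "default")."""
    for rule in policy:
        if rule.matches(flow):
            return "allow", rule.name
    return "deny", "default"


def audit(flows, policy=POLICY):
    """Evaluate a batch of flows. Returns the per-flow decisions and a per-source
    count of denials; each denial is a log event a detection tool could alert on."""
    decisions = [(f, *evaluate(f, policy)) for f in flows]
    noise = Counter(f.src for f, verdict, _ in decisions if verdict == "deny")
    return decisions, noise


# Constructed sample flows: a legitimate admin session from a bastion, probes of the
# web interface from an internal LAN host and from the Internet, an approved update
# check, and the VSA host trying to reach an unapproved external address.
SAMPLE_FLOWS = [
    Flow("10.0.99.2", "10.0.10.5", 443),       # admin from bastion: allowed
    Flow("10.0.20.77", "10.0.10.5", 443),      # LAN host hitting the VSA web UI: denied
    Flow("198.51.100.9", "10.0.10.5", 443),    # Internet source hitting VSA: denied
    Flow("198.51.100.9", "10.0.10.5", 8443),   # same source, another port: denied
    Flow("10.0.10.5", "203.0.113.4", 443),     # VSA to approved endpoint: allowed
    Flow("10.0.10.5", "192.0.2.50", 443),      # VSA to unapproved destination: denied
]

if __name__ == "__main__":
    decisions, noise = audit(SAMPLE_FLOWS)
    for flow, verdict, rule in decisions:
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dst_port} ({rule})")
    print("denials per source:", dict(noise))
```

The point of the default-deny structure is that the unapproved outbound flow is blocked without anyone having to know the attacker's address in advance; the allowlist, not a blocklist, does the work. The per-source denial counter shows why forcing attackers to make noise matters: the same Internet address probing two ports produces two denials, which is exactly the pattern a monitoring tool should surface.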
Zero Trust Starts With Segmentation
To protect against ransomware attacks like Kaseya and SolarWinds, organizations need to develop robust and comprehensive Zero Trust policies and practices across their entire IT infrastructure. And Zero Trust starts with segmentation, since breaches will happen and criminals will find an unlocked door somewhere on your network. The key is to make sure they can’t go any farther.
There’s no silver bullet in security. But by applying micro-segmentation like this, you stand a great chance of making life significantly more difficult for your attackers, at the very least improving the chances of detection and, ideally, forcing them to give up and move on.