*Special Edition* A Primer on Kaseya, SolarWinds and Colonial Pipeline - What the Hell Happened?
And what you should do about it. Hint: monitor your vendors.
Did you really think we could let the week go by without commenting on the Kaseya ransomware attack?
Has anyone compared it to the other infamous attacks of 2021? No, okay so I’m going to take a stab at that.
I will start by grossly over simplifying the cause of all this malicious activity, we have: SolarWinds was because of a bad password. Colonial Pipeline was not using multi-factor authentication. Kaseya was a known vulnerability that wasn’t fixed in a timely manner.
Disclaimer: I use the term “hacker” because of general familiarity with the term, but, in this article, I am talking about malicious hackers. I recognize that there are many, many good hackers out there, some of whom I am proud to call friends.
Now if you want to know a little more without having to read a super technical, authoritative post on it, then here is this lawyer’s take.
SolarWinds: What happened? Well, besides the fact that they let an intern set an easy to guess password on a critical system and then they blamed the intern, the SolarWinds attack was not an executed ransomware attack. In plain English, the lax security enabled a hacker to gain access because they found the bad password on the open internet (it was actually discovered in 2019 - oops). The hacker then targeted their Orion software patch files and inserted malicious code into the files. Once many, many customers (18,000) had installed that malicious code i.e. malware through the recommended patch, the hacker was then able to deploy it to SolarWinds customers and breach their systems. The hacker covered up their tracks by removing the malicious code in a later patch. FireEye discovered the breach and disclosed it before a ransomware attack was executed, which is why it is referred to as a supply chain attack.
I like analogies, so imagine this: You recently downloaded software on to your computer. It tells you you need to update it. You run the update and the update contains some new files, but also some old files with old dates. The hackers changed those old files. No one noticed that the old files were changed because, well, it wasn’t necessary to change them for the update. But the update uploads all the files, even the old ones again. So now you have the malicious code in one of those old files on your machine. Then, a few weeks later, the hackers changed that file back to its original. So if you had skipped the update with the unsuspected changed file, you were fine. Pretty sneaky, eh?
Colonial Pipeline: It seems that Colonial Pipeline used a virtual private network. Even though they used a stronger password than SolarWinds did, and they managed not to let that nefarious intern set it, the hackers cracked the password nevertheless and used the VPN to take control of the Colonial Pipeline systems and hold it hostage. Colonial Pipeline has come under harsh criticism because, as a pipeline i.e. critical infrastructure, they are required to undergo annual security assessments and they sort of skipped it during the pandemic. It is unclear if the security assessment would have prevented the ransomware attack, but I like the awareness.
The VPN did not have multi-factor authentication. If there is one thing you get from this article, use multi-factor which means a username + password + another type of password, whether SMS code (not ideal) or multi-factor authentication app. My co-founder, George, is going to post something on VPNs later this week, and it’s good.
Kaseya: Finally, we have the most recent Kaseya ransomware event. In this case, Kaseya had some zero day vulnerabilities. I looked up what a “zero day vulnerability” is, because I did not know, and it basically means a vulnerability for which there is no fix. If you are like me, then you are in disbelief that there can be vulnerabilities without a remedy and in even more disbelief that there is an industry term for such a thing. Anyway, the hackers found this vulnerability, exploited it and used it to mimic the SolarWinds attack, by hiding the malware in a patch or update that Kaseya pushed to its software that was being used by all those customers.
If you associate the Kaseya ransomware attack with MSPs, then all you need to know is that the MSPs are Kaseya’s customers. What’s an MSP, you ask? Well, I am so glad you did ask that. Imagine you are a private equity firm. You handle a lot of money, but you know nothing about IT or online security. You outsource that job to a consultant aka “managed service provider.”
So, in the Kaseya ransomware attack, the MSPs themselves were not the target of the attack. It was the MSPs customers who suffered. The MSPs were sort of in the middle of this particular attack. Awkward. When Kaseya discovered the malicious code, they advised their customers to turn off servers, which is why the event received so much attention. It is still unclear how many customers were actually the targets of a ransom.
So there you have it. My brief explanation of these three events, from my perspective and understanding. If I said anything wrong, please correct me in the comments!
I will leave you with this. They all three have something in common. The attacks were a one to many attack. Meaning, one attack that caused many, many people or businesses to suffer. All three of these companies are vendors. As SaaS takes over the world, vendors are core to every business and managing and monitoring them is becoming a monumental task.
I said to my husband the other day. When you are the victim of a breach, you get credit monitoring for a year. If you are the victim of a ransomware attack by your vendor, they should offer vendor monitoring for a year.
Okay, fine! That’s what ClearOPS does. We offer vendor monitoring! I am trying to spread the word about it because we have made it so easy for people. All we need is the domain name of a few vendors and I bet we can find 5 more that your company uses. Once we have the domain name, we start tracking them. So, we have an exclusive offer for you, our dear readers, if you forward this email. In exchange for forwarding the email, we will provide your business with a full year of vendor monitoring at no charge for up to 30 vendors. Email me and let me know that you want the deal: caroline@clearops.io.
I am a lawyer, which makes me an advocate. Now, I am an advocate for individual privacy rights. In today’s business culture, the burden of any data breach is borne by the individual, even though the fault is not theirs to bear. I aim to change that by improving the system from within.
ClearOPS is my company. ClearOPS is a privacy tech company. Want to hear a recent podcast where we talk about privacy tech? Listen here. These posts are just my opinion. Nothing contained herein is legal advice or constitutes legal representation in any way. I do my research but it doesn’t mean I’m perfect.
You’re the best, Caroline