Once again, news of a massive ransomware attack dominated the headlines, this time over the July 4th weekend. The (now defunct?) Russia-based REvil ransomware group used a zero-day against Kaseya – a remote monitoring platform used to provide administrators with privileged access to entire swaths of computers.
The Kaseya VSA has been considered a “solution” software that helps people remotely manage endpoints. But what happens when a bad actor takes over the “solution” as their own? We’re seeing that play out right now, to the tune of millions of devices compromised, a $70 million ransom demand, and confusion over what companies should do now that REvil has apparently been taken down and has left the scene.
People like to talk about problems and solutions. But in technology, automatically lumping certain technologies into the “solutions” category leads us astray — they can also be problems. Kaseya wasn’t the first, and it won’t be the last. FireEye revealed several exploited vulnerabilities in Pulse Secure VPNs, and let’s not forget the Palo Alto bug from last year.
Out of sight does not equal out of mind
Security pros should think of the Kaseya VSA as a powerful system, one that has privileges and access and can transit security boundaries. But people don’t think of it the same way they think of a critical system; they think of it as a service. The provider stands it up, and customers use it the way they use any appliance: they run it to solve problems, rarely worrying about its configuration or management. In my experience, once something makes it into the “solutions” bucket rather than the “problems” bucket, it’s lumped with the appliances and rarely given additional monitoring or defenses. In fact, people are usually hesitant to change its configuration at all.
But security pros should treat VSAs, VPNs, firewalls, and any other security appliance or monitoring software as they would treat any other high-risk asset. If I can own the Kaseya VSA, I can access every single one of the endpoints the company remotely monitors. And, as we see, that’s a really bad day.
Common mistakes even security consultants make
A while back, I was contracted to do a research project with a security consulting company. They were teaching energy companies how to build secure networks, and had a test power grid that they used to do so. They had a number of appliances deployed in their IT stack. But to access it all, they had a single Cisco VPN appliance for remote administration. Not wanting to pay for a Cisco switch for each VLAN, they had a single switch with about 10 VLANs running through it. And while they had numerous layers of security, they had not set up a password on the VPN when standing it up. My team could log in as privileged users and bypass all their other protections with the box’s administrative privileges.
Here’s what their CISO did wrong: First, he created a single point of failure. Second, he assumed it could never fail and designed a security architecture around this assumption. He should have purchased physically different hardware and physically segmented the switches.
Security teams treat high-risk assets they consider problems very differently from so-called solutions. Traditional endpoints are considered problems: they need EDR, external logging, and extensive monitoring. Why? Because security teams don’t know if they can trust the logs coming out of a compromised device. If an asset is treated as a problem, the team probably puts it behind a firewall, segments it from other high-value assets, and disconnects unused services. If they consider it a solution, they probably do none of those tasks. In our work, we regularly find and use zero-days as part of our attack surface management (ASM) and attack platform. People treat endpoint monitoring, VPNs and other appliances like solutions, when they are just as exploitable as the assets that get far more protection.
Look at the “problem” from a different perspective
While I’ve been talking about a VPN, the same logic applies to all out-of-the-box security and monitoring solutions. If a network administrator uses Kaseya to manage endpoints, and an attacker gets access to that Kaseya, the attacker will have all the access of the network administrator, and possibly even more (imagine if they bypass security controls, or escalate privileges on the Kaseya!). If I can subvert the system that manages patching, there’s often nothing left in the defender’s playbook when it comes time to kick me out.
Threat actors target software that has the potential for the farthest reach. Thus, software used to manage other systems always tempts the bad guys. Indeed, the Kaseya VSA breach allegedly led to over 1 million devices being compromised. Tempting as it is, I can’t view the VSA itself as the problem. Like every other security and management solution, there are tasks we could run to defend a VSA better. No single application’s failure, no matter how bad the CVE, should lead to a total compromise, and we should all know where our most tempting targets are.
Technology people apply a lot of great thinking to how to secure the well-known “problems” they think about day-to-day (defense-in-depth, anybody?). Apply that same thinking to traditional “solutions” and security teams will be more effective. Most companies already deploy firewalls, WAFs, logging, and segmentation on assets the security team deems high risk. Group security and monitoring solutions into this category as well.
David “Moose” Wolpoff, chief technology officer, Randori