How machine learning combats threats like the Kaseya ransomware attack that targeted MSPs
The recent ransomware attack on Kaseya, a cloud-based IT and security management provider services company that supplies tech-management tools to customers worldwide, has the potential to be the most serious cyber-criminal incident this year.
About 50 of Kaseya’s own customers and around 1,000 businesses overall were affected.
Of far more concern, though, is how the Russian-based criminal gang REvil installed the ransomware before demanding $70 million, subsequently reduced to $50m, to unlock the files of all victims.
REvil carried out a supply-chain attack, an insidious and increasingly common form of hacking whereby malicious code or even a malicious component is slipped into a trusted piece of software or hardware.
Automatic deployment of software updates is usually beneficial, as it is a huge time-saver. Unfortunately, in this case, the cyber-criminals exploited a flaw in the management system to push malicious software through a VSA (virtual server agent) to the systems being managed through Kaseya.
For a managed service provider, a VSA can be installed on a managed endpoint and assigned a unique machine ID, giving providers the ability to manage individual machines on an entire IT network.
This is why it was chosen as the vehicle for the attack: it allowed the attacker to spread the infected files as far and wide as possible within the Kaseya platform and the organisation’s customer base. It is claimed that more than a million devices were infected.
Patch for zero-day vulnerability came too late
To deploy ransomware payloads on the systems of Kaseya customers and their clients, REvil exploited a zero-day vulnerability (CVE-2021-30116) in Kaseya VSA, an RMM (Remote Monitoring and Management) software commonly used by managed service providers to manage clients’ networks.
Kaseya was in the process of patching the zero-day vulnerability, reported privately by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD).
However, REvil obtained the zero-day details and exploited it to deploy the ransomware before Kaseya could start rolling a fix to VSA customers.
Once access was gained, Windows PING.EXE was executed and ran several commands, namely to disable core malware and anti-ransomware protections offered by the likes of Windows Defender.
It disabled the following:
Following the deployment of several .EXE files, malicious DLL files were then dropped into various memory spaces, hijacking the normal execution of Microsoft processes and beginning to encrypt local disks, connected drives and mapped network drives, all from what appeared to be a certified, signed Microsoft application.
Why supply-chain attacks can be so devastating
Supply-chain attacks typically prove to be the most devastating and indiscriminate of any that cybercriminals carry out, as everyone who installs a compromised update gets the malware.
Just imagine if there was a disruption to the supply chain of platform vendors like Microsoft, Apple or Google – the aftermath would be on a catastrophic, global scale.
Even now opportunistic cyber-criminals have started taking advantage of the victims of the REvil ransomware attack.
A new malware spam campaign has targeted some UK organisations, offering what is masquerading as a patch for the impacted Kaseya VSA product, originating from Microsoft.
However, it includes an attachment named SecurityUpdates.exe and a link that, if clicked, drops Cobalt Strike, giving the attackers access to their victim’s network and systems to conduct further attacks of their own, possibly even dropping additional ransomware.
The emergence of more threat actors trying to take advantage of vulnerable victims is hardly a surprise.
The customers of the affected MSPs are considerably less likely to have appropriate security technology or trained staff in place to protect themselves, so represent an easy target.
How can MSPs protect themselves and their customers?
So what can managed service providers do to protect themselves and their customers from the devastating impact of a supply-chain attack?
The threat is very real – and it can be exacerbated by cyber-criminals initially hiding their activities, moving around inside business networks before targeting organisations’ backups.
Malware frequently lies undetected for longer than most retention policies, which are typically set for 90 or 180 days. A 2019 study by IBM Security and the Ponemon Institute showed the average time to detect a breach is 206 days.
If malware has remained dormant for longer than an organisation’s retention policy, it is likely all backups will be infected too.
Without the ability to remove malware from backups, a clean recovery would be extremely difficult, possibly impossible.
In the event of an attack, organisations need to restore from backups that they know to be safe.
The National Cyber Security Centre advises organisations to use different products to increase overall detection capability of malware.
AI malware detection for backups
When organisations purchase automated, artificial intelligence-based malware detection for backups as an added feature to Redstor’s data management and protection solution, every backup from a server, laptop or any other endpoint machine or device is checked for files that resemble malware in appearance or behaviour.
A notification then gives the option to delete the file, revert to a previous safe version, mark it as safe or leave it in quarantine.
If malware, including ransomware, is found in a backup set, a safe version can quickly and easily be restored.
Crucially, though, Redstor’s machine-learning model trains itself to become more accurate in detecting malicious files.
Updates are made to virus definitions on a weekly basis as part of a regular training model for the malware detection engine.
Any new threats, updated signatures or characteristics used by Ransomware-as-a-Service groups like REvil are therefore known to the Redstor system within a short enough window to enable a valid recovery.
This protects customers from inadvertently recovering malware where executable files (EXE) masquerade as certified applications, enabling them to rapidly infect multiple agents and devices.
Users have nothing to configure, install or upgrade with Redstor’s malware detection for backups – and there is no impact on internal resources.
The only manual intervention required is to delete suspicious files once they have been detected and quarantined.
In the case of the Kaseya attack, a partner would simply delete those files from their backup and restore to a known safe state to recover the customer’s data that was backed up prior to the attack.
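The two arguments above, that malware present for longer than the retention window leaves no clean backup and that a flagged file is quarantined so an earlier safe version can be restored, can be made concrete with a small model of a versioned backup set. This is an added example, not Redstor’s code or detection model; the "executable masquerading as a document" heuristic, the file paths and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Windows PE executables start with the "MZ" header. A stored file whose name
# claims a document or image type but whose bytes start with MZ is treated as
# an executable masquerading as something harmless (a constructed heuristic,
# not a real detection model).
PE_MAGIC = b"MZ"
DOCUMENT_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}


@dataclass(frozen=True)
class BackupVersion:
    path: str            # file path as recorded in the backup catalogue
    taken_at: datetime   # when this version was backed up
    head: bytes          # first bytes of the stored content


def is_disguised_executable(version: BackupVersion) -> bool:
    name = version.path.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return version.head.startswith(PE_MAGIC) and ext in DOCUMENT_EXTENSIONS


def flag_backup_set(versions: List[BackupVersion]) -> List[BackupVersion]:
    """Versions that would be quarantined when the backup is checked."""
    return [v for v in versions if is_disguised_executable(v)]


def latest_safe_version(versions: List[BackupVersion], retention_days: int,
                        now: datetime) -> Optional[BackupVersion]:
    """Newest retained, unflagged version of one file, or None when every
    version inside the retention window is flagged, i.e. the malware has
    been present for longer than the retention policy."""
    cutoff = now - timedelta(days=retention_days)
    clean = [v for v in versions
             if v.taken_at >= cutoff and not is_disguised_executable(v)]
    return max(clean, key=lambda v: v.taken_at) if clean else None


# Constructed sample: one document backed up three times; the two most recent
# copies have been replaced by an executable that kept the .pdf file name.
NOW = datetime(2021, 7, 10)
HISTORY = [
    BackupVersion("C:/finance/q2-report.pdf", NOW - timedelta(days=220), b"%PDF-1.7 ..."),
    BackupVersion("C:/finance/q2-report.pdf", NOW - timedelta(days=120), b"MZ\x90\x00..."),
    BackupVersion("C:/finance/q2-report.pdf", NOW - timedelta(days=5), b"MZ\x90\x00..."),
]

if __name__ == "__main__":
    print(len(flag_backup_set(HISTORY)), "flagged version(s)")
    for days in (90, 180, 365):
        safe = latest_safe_version(HISTORY, days, NOW)
        print(f"{days}-day retention:", safe.taken_at.date() if safe else "no clean restore point")
```

With 90- or 180-day retention the only clean copy has already aged out and no safe restore point exists; only a retention window longer than the dwell time leaves the original document available to restore.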
Find out more about how you can retain control of your data and ensure business continuity with Redstor’s malware detection for backups.