{"id":52024,"date":"2021-07-09T09:00:00","date_gmt":"2021-07-09T13:00:00","guid":{"rendered":"https:\/\/live-jc-marketing-site.pantheonsite.io\/?p=52024"},"modified":"2021-08-20T18:11:56","modified_gmt":"2021-08-20T22:11:56","slug":"notes-from-our-ciso-on-the-kaseya-ransomware-attack","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/notes-from-our-ciso-on-the-kaseya-ransomware-attack","title":{"rendered":"Notes from Our CISO on the Kaseya Ransomware Attack"},"content":{"rendered":"\n

Over the July 4th weekend, a supply-chain ransomware attack abused Kaseya's VSA remote-management software to push ransomware through managed service providers (MSPs) to the customers they manage. This was an attack of opportunity: the cyber criminal group REvil exploited a zero-day vulnerability in VSA and timed the attack for a U.S. federal holiday weekend, when companies had fewer staff on hand and reduced response readiness. <\/p>\n\n\n\n

The attack was also opportunistic in its choice of target: MSPs sit high in the IT supply chain, and a single compromised management tool can drive exponential spread across the smaller and mid-sized businesses they manage. The breach hit around 60 MSPs and spread to up to 1,500 companies<\/a> downstream, with REvil claiming that it infected over 1 million systems<\/a>. <\/p>\n\n\n\n

Notes on Supply-Chain Attacks<\/h2>\n\n\n\n

Supply-chain attacks are becoming a more common method for highly advanced criminal groups. A single point of compromise at a vendor gives the attacker a path into hundreds of that vendor's customers at once, turning one intrusion into a widespread campaign. <\/p>\n\n\n\n

The largest exploitation of supply-chain risk to date was the SolarWinds Orion platform compromise<\/a>, discovered in December 2020, which potentially affected more than 30,000 public and private organizations running Orion, roughly 18,000 of which installed the trojanized update. The malware was compiled into a legitimately SolarWinds-signed Orion update, so it passed signature checks and was deployed as a routine upgrade; the resulting backdoor gave the attackers remote access to Orion servers, from which they impersonated users and accessed files and processes on the victims' networks.<\/p>\n\n\n\n

In addition to the exponential spread of each attack, ransomware attacks compound on one another: every ransom a campaign collects funds the group's next criminal venture. The Kaseya attack may be an example of this, as it closely followed a ransomware attack by the same group on a meat processing company last month, which paid the requested ransom<\/a>. <\/p>\n\n\n\n

Impacts and Response<\/h2>\n\n\n\n

The REvil attack has shaken buyer confidence \u2014 and rightfully so. As SaaS and cloud-based models become business standards, companies need to continually assess the security of the services and vendors they use. <\/p>\n\n\n\n

At JumpCloud, we take this responsibility extremely seriously. While we were not affected by this attack, we take it as a solemn reminder of our responsibility to protect our customers. We believe security should never be assumed, and our security and development teams\u2019 jobs are never done; rather, we\u2019re constantly working to understand new and emerging threats, identify and rectify vulnerabilities, and plan deeper, wider, and more robust response strategies. <\/p>\n\n\n\n

As part of our ongoing security practice, we maintain diligent security controls, collaborate with our partners and customers on their security postures, prioritize third-party risk assessments, and practice in-depth risk assessments and incident response planning, often in coordination with other vendors. To aid in our ongoing efforts to minimize vulnerabilities and bugs in our platform, we also have a Vulnerability Disclosure Policy<\/a> that allows others to report suspected vulnerabilities to us responsibly.<\/p>\n\n\n\n

The REvil attack only emphasizes the importance of our ongoing efforts to strengthen our platform security and development cycles and to hone our risk assessment and response strategies. It also underlines our focus on ransomware response planning, tabletop exercises, and industry collaboration.<\/p>\n\n\n\n

Attack Takeaways<\/h2>\n\n\n\n

This attack reminds us to be constantly vigilant, and it should prompt companies to check in on their security environment and policies. The nature of the attack showed that the supply chain can be obscure and is often left unexamined; vendors and customers can\u2019t afford to rely on a surface-level assessment of their supply chain. <\/p>\n\n\n\n

For security to be thorough and reliable, it needs to cover every link in the IT supply chain and the security of each one, and data needs to be protected at every point in that chain, including while in transit from one party to another. This means companies should examine both their own security practices and the practices of the vendors and partners they entrust with data. They should collaborate with the third parties in their supply chain to ensure secure data transmission and to plan coordinated incident response strategies.<\/p>\n\n\n\n

Security policies should be unique to each company and its vendor environment; however, the following areas are foundational to strong vendor and customer security: <\/p>\n\n\n\n