The Kaseya Attack: How It Could Have Been Prevented

Unless you have been hiding under a rock, you’re probably aware of the Kaseya attack. A terrifying assault on an organisation with global reach, the attack was almost unprecedented and has (understandably) caused widespread panic amongst the cybersecurity community and beyond.

As it has been so well discussed in the media of late, I wasn’t going to comment on the attack myself. But I recently came across a piece of information that left me completely speechless. There is a cybersecurity solution that would have made this attack literally impossible for the perpetrators to pull off. I am not sure if this is a saving grace or even more of a concern, but this discovery simply wasn’t something I could keep to myself.

Who Are Kaseya?

Kaseya is a multinational organisation providing cloud-based IT management and security software to small and medium-sized companies. Most of their clients are companies that are small in size and thus do not possess the infrastructure or capabilities to fulfil their own IT, data, and security needs. Kaseya also provides a wealth of products that allow other IT organisations and Managed Service Providers (often referred to as ‘MSPs’) to deliver these services to their own customers. In this respect, they are a sort of “white label” agency to some of their clients (i.e. they provide the product that the company sells, but the company sells it on as if it were its own).

Operating since 2000, Kaseya prides itself on having an “open and customer-centric approach”. It also claims to have the most comprehensive, integrated IT management platform on the market. The ‘Kaseya’ brand is an umbrella with a whole family of companies beneath it. These companies include Unitrends, RapidFire Tools, Spanning Cloud Apps, IT Glue, ID Agent, Graphus, and RocketCyber.

More than 40,000 organizations around the world use at least one of Kaseya’s solutions, producing a huge client base that made the recent attack all the more impactful. The worst bit? Kaseya are supposed to be the security experts…

Here’s a little snippet from Kaseya’s website:

“Providing you with best-in-breed technologies that allow you to efficiently manage, secure and backup IT under a single pane of glass.

Technology is the backbone of all modern business. Small to mid-size businesses deserve powerful security and IT management tools that are efficient, cost-effective, and secure. Enter Kaseya. We exist to help multi-function IT professionals get the most out of their IT tool stack.”

What Happened To Kaseya?

Attackers carried out a ransomware attack on Kaseya’s supply chain by leveraging a vulnerability in their VSA software. ‘VSA’ is the underlying tool most of Kaseya’s clients use to control their customer systems. This software requires specific privileges in order to serve its purpose for the MSPs that rely on it. These include the ability to update machines on the network, add and remove users, add and remove programs, and back up all recorded data. Unfortunately, these privileges make it all the more dangerous if the software is hacked, as it can easily be manipulated to steal information and/or decrypt data.

As the attack was on Kaseya’s supply chain (i.e. the hackers targeted Kaseya as a software supplier in order to impact every one of their eventual clients), it affected every single company in the chain, from the MSPs who purchase directly from Kaseya’s brands, right down to the clients of the MSPs. Due to the aforementioned ‘white labelling’ involved in the process, these end-users most likely did not even know the service they purchased was outsourced to a Kaseya brand. That is, until the hack occurred and their entire infrastructure was compromised, of course…

The attack is thought to have affected up to 1,500 businesses but may have impacted more. Through their attack, the hackers were able to completely paralyse hundreds of businesses across the globe and across a multitude of industries – from health and social care to finance, and from schools to grocery stores. Basically, they gained access to as many of the target organisations as possible, blocked the victims from accessing their own systems via advanced encryption techniques, and demanded a $70 million ransom for the decryption that would bring their systems back online. Kaseya bosses strenuously deny paying this ransom but seem to have somehow reversed the attack anyway. This in itself has caused a bit of a stir, as the organisation’s spokespeople have been incredibly quiet about how exactly they managed to pull this off. All they seem to have said so far is that they purchased a ‘universal decryption tool’ from a third party to decrypt the data encrypted by the hackers.

Who Was Responsible For The Attack?

A ransomware attack, like the attack on Kaseya, utilises a type of malicious software designed to block access to a computer system so that a ransom can be demanded. The ‘business’ of ransomware (a very lucrative one) operates on an affiliate model. In other words, there is a kind of corporate overlord that provides the branding, processes the payments, and engages in a kind of criminal version of customer service for both the criminals and their victims. The criminals (or ‘affiliates’) are the hackers who actually target and break into the victim’s systems to deploy the ransomware in the first place. They do the hard work of finding a vulnerability in a company’s cybersecurity barriers in order to gain the access they need, then they use the ransomware product they purchased through their affiliate network to make it a profitable hack.

As far as we know, the ransomware used in the Kaseya attack was provided by one such ‘overlord’ known as ‘REvil’ or ‘Sodinokibi’. They are one of the best-known ransomware providers in the world and are thought to operate primarily in Russia. This is not a surprise to anyone who knows anything about cybercriminals, as Russia has a long history of turning a blind eye to any criminal activity that doesn’t directly and negatively impact its own systems. I could go on about this for hours in itself, but I don’t have time, so I’ll leave that for another blog…

As the name ‘REvil’ implies, this notorious group is known for, and associated with, some pretty serious cybercrimes. One website I found went as far as to call them “The McDonalds of the cyber criminal world”. To help you understand the power these guys have over the cyber world, they are known to be responsible for an attack on Apple that saw them gain access to its plans for three upcoming products. They demanded a $50 million ransom for the safe return of the data, or else they’d leak it all. Some pretty serious stuff, right?!

But How Exactly Did This Happen?

If you’ve read about it already, you may have heard some news outlets refer to this incident as a “sophisticated” attack. This implies that even the best cybersecurity measures would have struggled to prevent it, but this isn’t the case. There is literally a solution available RIGHT NOW that would have made this attack, and others like it, impossible to pull off.

At a slightly higher level than the details already discussed, the Kaseya attack was essentially enabled by the abuse of something called Public Key Infrastructure (or PKI). PKI is the term used to describe everything involved in the management of public-key encryption (or PKE), the most common form of internet encryption used today. The fact that PKI is still so popular is quite frankly insane, given that it was invented in the 80s, but that’s another story for another day…

Anyway, PKI is currently built into every web browser we use today (Internet Explorer, Firefox, Google Chrome, you name it…) and was developed to help internet users and providers secure traffic and data shared across this new worldwide network. Alongside its use on the web, many organisations also deploy PKI as a cybersecurity measure. In this instance, it is used to secure internal and external communications and prevent unauthorised access to connected devices. This particular use has become far more common in the past 24 months, as remote working has become more and more popular, and thus the ability to safely connect multiple remote devices to one central network has become a necessity.

Unfortunately, there is a huge problem with PKI (you knew that was coming, didn’t you?). The problem is that the solution is simply not secure enough anymore. As hacking techniques become more and more sophisticated, it is far too easy for the certificates that grant access to PKI-secured data to be illegitimately acquired. But this isn’t new. In fact, a paper published more than 20 years ago highlighted 10 very obvious risks associated with PKI, and it was not the first to raise the alarm. Yet, for some bizarre reason, multiple organisations (and every internet browser known to man) are still relying on this outdated solution to keep us safe online.

So, How Could The Attack Have Been Prevented?

As you might expect, the solution to preventing future attacks like the one on Kaseya is to find and implement a better alternative to the outdated PKI solution. The good news is, a UK-based company called Arqit has already developed, and made readily available, the exact solution we need.

Arqit has developed a new type of encryption that relies entirely on the cloud, removing the need for the kind of third-party certificate that Kaseya’s hackers were able to obtain illegally. It calls the solution QuantumCloud™ because it says it is entirely safe against the future concerns of cybersecurity (quantum computing, another subject for another blog!).

QuantumCloud™ allows organisations to simplify and strengthen their encryption without reliance on any physical infrastructure, giving cybercriminals much less to target. Arqit says its solution can support clients in “moving away from a complex PKI infrastructure, and the need to trust third parties”.

In conclusion…

While it feels pretty obvious that a system developed over 50 years ago is not strong enough to secure the enormous amount of data that we hold both individually and collectively in 2021, it is apparently not obvious enough, even for organisations that claim to be cybersecurity experts!

The Kaseya attack served as a reminder of the fragility of our online infrastructure and the importance of cybersecurity. It also highlighted the urgent need for a worldwide cybersecurity upgrade in order to respond to the rapidly developing abilities of cybercriminals. Luckily, the upgrade we need doesn’t just exist, it is available right here, right now.