Kaseya VSA Ransomware Attack, SolarWinds Hack Share Many Similarities

Last weekend’s Kaseya VSA supply chain ransomware attack and last year’s giant SolarWinds hack share a number of similarities.

So says Jerry Ray, COO of SecureAge, and Corey Nachreiner, chief security officer of WatchGuard Technologies.

The Kaseya attack breached about 50 customers, including 35 MSPs, and penetrated or directly impacted up to 1,500 downstream businesses.

The attackers breached Kaseya VSA, the company’s remote monitoring and management (RMM) service. All of the MSPs were using the VSA on-premises product.

On Wednesday, Kaseya said it’s preparing its on-premises customers for the planned release of its patch for VSA on-premises. In addition, it should restore its VSA SaaS by Thursday evening.

Sinister Point of Compromise

Ray said the attacks on Kaseya and SolarWinds share the most “sinister point” of compromise. That’s the trust between a vendor and a client.

SecureAge’s Jerry Ray

“As for the similarity between the two, it appears to be another supply-chain attack, wherein the attack on an upstream vendor’s product led to the compromise of downstream customers,” he said. “Key among the differences, however, is that the exploit of the Kaseya VSA product led to the injection of ransomware into the endpoints managed by Kaseya VSA on-premises users, while the SolarWinds attack led to data exfiltration.”

Kaseya claims the number of victims is relatively small when you compare it to SolarWinds, Ray said.

The size of the Kaseya VSA attack will be measured in either the ransom paid or the cost of data recovery and restoration, Ray said.

“The data exfiltrated and systems monitored through the SolarWinds attack could ultimately cost infinitely more,” he said. “The ultimate intention or use of the data may not be realized for months or years.”

Zero-Day Vulnerabilities

Nachreiner said both SolarWinds and Kaseya seem to involve zero-day vulnerabilities in a software package used for monitoring and management that are popular among IT professionals.

WatchGuard’s Corey Nachreiner

“That said, the Kaseya attack mainly targets MSPs, which wasn’t the case with SolarWinds,” he said. “There were many other MSP-targeted ransomware attacks in 2019. I believe this attack has more similarities with some of those past MSP ransomware attacks.”

Dave MacKinnon is N-able‘s chief security officer.

N-able’s Dave MacKinnon

“The adversarial pivot to supply-chain-based attacks for delivering ransomware underscore the role we all must play in helping to keep each other protected,” he said. “MSPs, in particular, provide a variety of services to help protect and secure their customers. But if a cybercriminal gets into one MSP system, they can easily find themselves holding the key to a kingdom of SMEs in one fell swoop.”

It’s key to keep in mind that this can happen to anyone, at any time McKinnon said.

“As technology vendors, we have to realize we’re all potential targets, and the risks are steep,” he said.

Our slideshow above features more commentary on the Kaseya attack.