In this episode of the podcast, sponsored by Trusted Computing Group* we dig deep on this week’s ransomware attack on users of the Kaseya IT management software. Adam Meyers, the Senior Vice President of Threat Intelligence at CrowdStrike joins us to talk about the attack. We also talk with Frank Breedijk of the Dutch research group DIVD that discovered the vulnerability used by the REvil ransomware gang and was working with Kaseya to fix it. Finally, Tom Laffey, a product security strategist at Aruba, a Hewlett Packard Enterprise firm, and co-chair of the Network Equipment working group at TCG joins us to talk about the role that strong device identities play in securing Internet of Things endpoints.
Another week, another devastating ransomware attack. On the heels of attacks on the Colonial Gas Pipeline and meat processor JBS, the last week brought news of a ransomware attack on Kaseya, an IT management platform used primarily by managed service providers. The attack saw Kaseya’s VSA software used to push out copies of the REvil ransomware to hundreds of downstream customers of MSPs that used the on-premises version of Kaseya VSA.
The issue raises more questions about the security of software supply chains that companies across industries rely on. In this week’s episode of the podcast we dig deep into the Kaseya hack and some of the larger questions it raises about the security of critical technology platforms that are the scaffolding of modern enterprises.
Kaseya caught in Pinchy Spider’s Tangled Web
In our first segment, we’re joined by Adam Meyers, the Senior Vice President of Threat Intelligence at the firm CrowdStrike. Adam has been a frequent guest on the podcast. In this interview, he helps us dig into the specifics of the Kaseya hack and the group behind the REvil ransomware, an advanced threat that CrowdStrike has dubbed Pinchy Spider.
In this conversation, Adam and I talk about the Kaseya attack and what it means for companies that have come to rely on managed service providers of the type that use the Kaseya software. These firms provide important services for customers, but also demand access to and high levels of privilege on the networks they manage. Adam notes that threat actors recognize that IT suppliers like Kaseya and SolarWinds are an easy avenue to gain access to a large population of networks in one fell swoop.
To stop these attacks, organizations need to do basic blocking and tackling: patch management, threat detection firewalls, endpoint security and so on. But Customers need to do more to understand what software they’re using internally and what profile that software keeps under normal conditions.
“Threat actors recognize the power of (this) type of attack. The writing is on the wall. You need to be cognizant of what software you use and what that software looks like in its normal operation,” Meyers told me.
Everything and the Dog
Up next: months before the REVil ransomware gang sprung their trap on Kaseya’s customers, a group of 40 or so Dutch security researchers were plumbing the security of the company’s software – and growing alarmed by what they found. The group uncovered a number of serious flaws (the exact number isn’t yet known) and reported them to Kaseya and other vendors to fix. Unfortunately, they weren’t alone in delving into the Kaseya software and, despite having months to address the issues, Kaseya lost a footrace with the REvil group which found and exploited those software holes before a patch was available.
In our second segment, we speak with one of the researchers who worked to discover those flaws and report them to Kaseya. Frank Breedijk (@seccubus), the CISO of Schuberg Philis and manager at DIVD the Dutch Institute for Vulnerability Disclosure, which discovered the flaw exploited by the REVil gang.
In this conversation, Frank and I talk about how DIVD came to scrutinize the Kaseya software and what other “IT for IT” platforms the DIVD researchers are looking at. We also talk about what companies can do to secure their networks from software supply chain attacks, and how a public health approach to cyber security is needed to address widespread flaws in core systems like IT management and data backup software.
He said that his team has discovered a wide range of software security flaws in these platforms. The kinds of flaws that populate the OWASP Top 10 are common, but that’s not all. “It’s everything and the dog,” he said. “Everything that’s wrong with normal web applications you can find in these interfaces as well. And because they’re used by a small group of people, they are poorly researched,” he said.
According to Frank, whose day job is managing the security of an MSP, companies need to pay special attention to administrative interfaces used by MSPs and applications. They should also vet MSPs and be prepared to ask uncomfortable questions about their exposure to cyber risk.
“Right now is a good time to have a conversation with your MSP,” he told me.
IoT Identity Crisis
The Internet of Things is growing by leaps and bounds. And so is the cyber risk that goes along with Internet connected devices. It has been years since the Mirai botnet put IoT security on the map, and Internet of Things insecurity is still a major problem.
What’s to be done? In our final installment we’re joined by Tom Laffey, a product security strategist at Aruba, a Hewlett Packard Enterprise firm, and co-chair of the Network Equipment working group at TCG about how that group is adapting its technology to make it easier for new generations of connected devices to attest to their integrity.
Top on TCG’s to do list: strong, immutable device identifies that can be assigned to new devices during manufacturing and live with that device for its useful life, providing a root of trust for a wide range of critical functions like secure boot and configuration. In this conversation, Tom and I talk about the work he and TCG is doing to craft secure device identities for the IoT.
(*) Disclosure: This podcast and blog post were sponsored by Trusted Computing Group. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.