NCSC: Impact on UK orgs from Kaseya ransomware attack ‘limited’

The REvil ransomware attack on Kaseya’s VSA product is estimated to have affected over 1,000 companies globally, but the impact on UK organisations currently appears limited.


The UK’s National Cyber Security Centre (NCSC) has issued a statement in the wake of the supply chain attack on management software provider Kaseya, which has impacted more than 1,000 businesses globally. So far, the impact on UK businesses is “limited,” the NCSC said, adding that their “work is ongoing and [they] remain vigilant to any threats.”

“We are actively working to fully understand this incident and mitigate potential risks to the UK,” NCSC said. “We encourage Kaseya customers to read the company’s incident update page, which recommends that people who have been affected do not click on any links emailed to them by the attackers as they could be malicious.”

Updates on the Kaseya attack

On its incident update page, Kaseya shines some light on the extent of the impact: “To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised.”

Kaseya adds that it has received no new reports of compromises for VSA customers since Saturday 3 July and that it is working to get a patch out to customers.

“The patch for on-premises customers has been developed and is currently going through the testing and validation process,” writes Kaseya on its update page. “We expect the patch to be available within 24 hours after our SaaS servers have been brought up. The current estimate for bringing our SaaS servers back online is July 6 between 2:00 PM – 5:00 PM EDT. These times may change as we go through the final testing and validation processes.”

Growing threat of supply chain attacks

The Kaseya attack is not the first example of a prolific ransomware group targeting a software provider to infect a vast number of other organisations. In December 2020, a group believed to be Russia’s Cozy Bear gained access to government and other systems through a compromised update to SolarWinds’ Orion software. Such incidents are only likely to become more common as companies increasingly entrust significant elements of their services to third parties and suppliers, highlighting the increasing need for early supply chain threat detection capabilities and ransomware preparedness within businesses.

Brian Honan, founder of BH Consulting, cites the need for UK organisations to take steps to avoid falling victim to such MSP attacks. “The Kaseya incident is a stark reminder that our security is only as strong as its weakest link,” he tells CSO. “In today’s modern business world that weakest link is most likely to be in our supply chain. Most vendor due diligence exercises focus on an organisation’s direct suppliers, but do not extend to the suppliers or tools those direct suppliers engage with.”

He urges organisations to move beyond simple compliance checklists when reviewing the security of vendors. “Rather, we need to conduct detailed analysis of third-party vendors and, depending on the risk they could pose to the business, review the tools, services, and other vendors they employ to provide the service. The more integrated a third-party vendor is within our environments, such as an MSP using a tool like Kaseya, then the greater in detail our assessments should be.”

Where a vendor uses a tool like Kaseya within the environment, organisations should also focus on how they can prevent, detect, and react to unusual or suspicious updates, he adds. “We also need to force vendors to write their products in a secure manner. There are too many software tools that require bypassing security controls such as using administrator privileges, or exclusions from scanning by security products. In today’s business environment, your security does not begin or end at your network perimeter, but more and more at the perimeter of your third parties and their supply chain.”

Copyright © 2021 IDG Communications, Inc.
