Who Is watching the watchers?

Much like any revolution, this one started with a whisper and not a bang.

In 2017, we heard the whispers of hijacked accounting software that led to worldwide outages, and we didn’t have to wait long in 2018 for the first cannon shot.

I am referring to the Ukraine-based MeDocs accounting software firm that was systemically exploited, owned and used to spread the NotPetya malware, taking down the likes of one of the most prestigious law firms DLA Piper, along with Danish shipping giant Maersk, Russian oil firm Rosneft and Pharma paragon Merck, among others.

At the time, I predicted that, while perhaps unintentional, this well-serving (for the criminals behind it) MeDocs disaster created a blueprint for attacking, on mass, a significant swath of a homogenous industry, like law firms, healthcare providers or complex manufacturers relying upon distributed automation. 

Let’s level set for a moment. As reported, MeDocs computer systems were compromised and infected a global software update that was pushed to customers. The malware spread laterally (and stealthily) across networks before detonating. And like other forms of ransomware, the code delivered also installed tools to harvest user credentials from infected computers.

Now let’s fast forward to 2018, to witness a predicted evolution of opportunistic cyberattacks leveraging transactional ransom payments to a target approach demanding complex ransoms based on systemic or industry sensitive attacks. And we see the DNA of a systemic attack in the recent exploitation of Kaseya Ltd.’s Virtual Systems Administrator (VSA) agent used to gain access to multiple customer assets since January 2018.

Discovered by security researchers at eSentire, unknown threat actors exploited the Kaseya software to deploy a Monero cryptocurrency miner software across compromised client networks. Indicators of this attack were identified on over multiple client networks. Since the initial discovery, Kaseya was quick to release updates to remove this exploit.

So, a cryptocurrency miner isn’t exactly the Ebola of the cyber world, but its transmission method is what makes it virulent and extremely dangerous. Consider another way of looking at this incident. Kaseya’s VSA agent is widely used by managed security service providers—the vendors tasked with protecting their clients, who became the unwitting agents spreading malware to the very same clients they are hired to protect. Ironic at best; disturbing at worst. Who is watching the watchers?

This event should serve as a wake-up call for companies that fail to scrutinize the security standards of their vendors—including their security vendors! We used to speak two dimensionally about the interconnected chain of suppliers and their clients and tugged on the adage about being only as strong as our weakest link. Two dimensions drastically fail to summarize the real topology of interconnectedness. It’s a three-dimensional web of connection. Vendors have vendors. And clients are vendors to their clients, and this relationship stretches out in an ever expanding universe born of a digital “Big Bang”.

From the first telling of the Target retailer fiasco (apologies for even mentioning this…it’s been done to ad nauseam by every security vendor out there), companies know that even the most innocuous vendors pose a risk in the cybersecurity chain. And as such, deserve scrutiny. Insurance companies, class action lawyers, and regulators have all caught on to this class of risks, which means companies can no longer point the finger at their vendor and claim innocence, or at least ignorance.

Most cybersecurity frameworks include some provisions or aspirational guidelines around supply chain cyber security.  For example, the American Bar Association (ABA) cybersecurity guidelines cover third-party vendors, and in healthcare, the HIPAA framework contains provisions and templates for business associates (their language for vendors). For years, the Securities and Exchange Commission (SEC) has been offering guidance on third-party cybersecurity, and one governed industry association, AITEC, created its own cybersecurity framework. There are numerous frameworks including NIST, ISO, and GDPR that address vendors. Perhaps the best guidance comes from the Department of Financial Services, in its New York Cybersecurity Rules and Regulations (NYCRR 500). In one year’s time, governed financial institutions will have to implement NYCRR500 section 11, the most stringent controls around their vendors that include:

• Risk assessments conducted with the vendor
• Documented security policies and procedures based on the results of the risk assessment
• Clear security event notification of unauthorized data exposure
• Contractual obligations with the vendor, establishing representations and warranties around the protection of controlled information

I recommend you review the DFS rules around third-party vendors. Even if you aren’t governed by the DFS, their recommendations cover the core cybersecurity responsibilities between vendor and client.

This form of systemic attack has yet to fully evolve. Today, we see the agnostic systemic vulnerabilities that exploit infrastructure tools and software, be it remote access administrative tools or cloud-based accounting software. Tomorrow, will bring the next generation which specializes in infecting its homogenous host through very targeted assaults on the core industry-centric tools upon which the industry depends and cannot operate without.

Let’s revisit my earlier industry examples: law firms, healthcare providers and manufacturers. What happens when an eDiscovery or document management firm is used like MeDocs to attack multiple law firms? Not scary enough? How about a patient records management firm exploited to cripple hospitals and clinics, shutting down life-saving operations? Or the chaos of a disabled (worse sabotaged) supply chain in critical manufacturing like food processing?

Hundreds of hospitals and clinics shut down simultaneously. Core supplies, like groceries, disabled and rotting in warehouses. Court rooms and law firms shut down. The headlines will light up, and regulators will turn the eye of Sauron to these self-regulated industries, looking to rebuild consumer trust.

And cybercriminals will move to this kind of targeted attack. Why? Simple: economies of scale. Exploit one victim and spread from there to hundreds of their clients. It’s good for the criminal bottom line.

So, again, I ask: who is watching your watchers? Are you?