Protecting SMBs Against Kaseya Supply Chain, Zero Day, and Ransomware Attacks

The Highlights

  • Massive Kaseya supply chain attack carried out by REvil in early July weekend impacted numerous customers with millions of USD in ransom demands
  • Check Point Research (CPR) has seen 15 new attacks per week from the REvil hacking group in the past 2 months with a focus on US, Germany, Brazil, & India
  • Ransomware attacks are up 93% from 2020 continuing the global surge
  • Check Point’s Quantum Spark & Harmony Endpoint protects SMBs from supply chain, ransomware, malware, phishing and other cyber-attacks

Just as SMBs thought it couldn’t get any worse after the COVID-19 pandemic, the Kaseya Attack in July adds to a long list of cyber-attacks including SolarWinds supply chain, the Hafnium attack, the Colonial Pipeline attack, and the overall global surge in ransomware incidents.

What Happened? (Section taken from recent Kaseya Attack Check Point blog)

Kaseya, an IT management software company that enables MSSPs to perform patch management and client monitoring for their customers, experienced a massive global supply chain attack that impacted thousands of businesses in early July.  Kaseya issued a security advisory on their site, warning all customers to immediately shut down their VSA server to prevent the spread of the attack while they investigated. At least 1,000 businesses are said to have been affected by the attack, with victims identified in at least 17 countries.

It would appear that the timing of the attack was no accident and that the Russian speaking ransomware gang REvil, aka Sodinokibi, deliberately chose the 4th of July weekend to strike.

To breach on-premise Kaseya VSA servers, REvil used a zero-day vulnerability that was in the process of being fixed. The vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure, and Kaseya was validating the patch before rolling it out to customers. However, the REvil ransomware gang was one step ahead of Kaseya and used the vulnerability to carry out their attack. The ransom demand ranged from $45K USD to $5M USD.

With the attack on Kaseya VSA servers, REvil’s affiliate was initially targeting Kaseya’s MSSP’s, with a clear intent to propagate to the MSSP customers. The attack amplified exponentially and profitably from the MSSP to the actual customers – which although further down the line, SMBs could experience negative lasting impact due to their reliance on these services. In other words, although around 100 MSPs were impacted with this attack, far more businesses downstream are exposed to impact because of it.

The Details/Forensics of the Attack

To learn more about the details and see an actual forensics report (providing an in-depth overview of the attack and remediation), check our recent blog post.

What Does Check Point Offer to Help This Problem?

Check Point Quantum Spark

Check Point Quantum Spark Next Generation Firewalls are specifically designed to protect SMBs from the latest security threats with best-in-class threat protection, are easy to deploy and manage from the cloud or on the go with a mobile app, and provide optimized internet connectivity including Wi-Fi, fiber, GbE, VDSL and 4G LTE wireless in an “all in one” solution. SMBs often struggle with the expertise, manpower, and IT budget – so, the solution being optimized for delivery by managed service providers as a monthly subscription, SMBs can be secure regardless of their resources and/or budget.

Quantum Spark is part of the Check Point Quantum product suite, created to prevent any cyber-attack, reduce complexity, and lower overall cost through combining SandBlast threat prevention, hyper-scale networking, a unified management platform, remote access VPN, and IOT security.

Check Point Harmony Endpoint

Check Point Harmony Endpoint is a complete endpoint security solution built to protect the remote workforce from today’s complex threat landscape. It prevents the most imminent threats to the endpoint such as ransomware, phishing, or drive-by malware, while quickly minimizing breach impact with autonomous detection and response. The solution’s forensics is a patented set of algorithms designed to build the end-to-end attack flow (the “attack story”) clearly and accurately. The forensics view provides an accurate process tree of the attack, detailed view of the entry point, detailed description of the business impact and allocates the files deleted/encrypted, with remediation process details – what was automatically remediated and what are the attack residuals.

Check Point Harmony Endpoint is part of the Check Point Harmony product suite, the industry’s first unified security solution for users, devices, and access. Check Point Harmony consolidates six products to provide uncompromised security and simplicity for everyone. Discover its capabilities by yourself, and schedule a personalized demo to see it in action.

What Should I Do Next?

As a good rule of thumb, MSP’s should ensure they are providing their SMBs with enterprise-grade security services that include:

  • Automated threat prevention
  • Automatic set-up with zero-touch provisioning
  • Flexible connectivity options like Gigabit Ethernet, Wi-Fi, LET, etc. with support for multiple ISPs and performance-based routing
  • Easy, intuitive management that can be managed on-the-go (whether through mobile or browser)
  • Complete protection for customers’ remote employees and cloud applications

In addition, you should ensure your SMBs are educated both on the top threats plaguing the market as well as the top best security best practices to follow. To help, we’ve created some whitepapers and infographics for you to learn more about the Top 3 Cyber Threats and the Top 10 Security Best Practices for SMBs.

To further get into the details on how to protect SMBs from supply chain, ransomware, and zero day attacks, schedule a demo of Quantum Spark and/or Harmony Endpoint.  Kaseya has also issued several recommendations to their affected clients following the attack, including advice to shut down and remain offline until further notice. Enclosed are a few extra security “hygiene” recommendations we’ve put together to remain protected from the next attack. You can find those at our previous blog here.