Even for a mid-sized organization, tracing your dependencies within the software supply chain can be a daunting prospect. Yet, driving visibility is increasingly important for effective risk management. Another supply chain cyberattack over the past week has reminded us why — infecting maybe as many as 1,500 organizations with ransomware. Fortunately for Tanium customers, they have the tools they need to rapidly respond and shut down the threat.
Watch this video to see how Tanium Threat Response can manage the Kaseya vulnerability in less than three minutes:
What happened at Kaseya?
The attack landed on Friday, July 2, just ahead of the holiday weekend. This was likely a deliberate ploy to catch IT security teams off-guard. It was aimed at Kaseya VSA, a patch and vulnerability management platform used by an estimated 40,000 managed service providers (MSPs).
The threat actors exploited a zero-day vulnerability (CVE-2021–3011) in the platform, which is believed to have allowed an authentication bypass in the web interface of VSA. Using an authenticated session, the threat actors were able to upload a REvil ransomware payload and execute commands via SQL injection.
Allegedly, the ransomware was automatically deployed via a fake software update “Kaseya VSA Agent Hot-fix” on all managed systems. The attack only hit on-premises VSA customers, with “fewer than 60” MSP customers affected, according to Kaseya. However, each of these MSPs has multiple downstream customers, greatly increasing the global impact.
In the immediate aftermath of the attack, Kaseya’s advice was for MSP customers to take their VSA servers offline and wait for a patch, which is now set to be released on July 11. Downstream customers infected with ransomware were urged not to click on any messages from their extorters as these may also contain malicious links, it was claimed.
How Tanium can help
In situations like these — seconds count. Organizations need to check rapidly to see whether they may be exposed to the threat and remediate the issue as quickly as possible to minimize cyber risk.
Fortunately, Tanium enables customers to check for Kaseya VSA software quickly across large numbers of endpoints. It also empowers these organizations to modify technical playbooks and run them at speed and scale as new vendor information emerges. This is critical in rapidly evolving situations like this.
In summary, Tanium will help your organization:
Find the issue
Tanium Interact enables customers to ask questions of their endpoints and receive answers in real-time, to ascertain whether they’re running Kaseya VSA.
Tanium Index is a component in Tanium Asset, Tanium Integrity Monitor and Tanium Threat Response. It can be used to find malicious installations such as REvil/Sodinokibi ransomware. By pre-indexing systems and maintaining an up-to-date database of files, Tanium allows you to search for any file by name, partial name, or hash, etc., anywhere on your endpoints quickly.
Tanium Asset can be used to create a report based on the above queries, removing any recently decommissioned hosts if required.
Tanium Trends can be used to visually track the issue, leveraging the Interact questions.
Remediate the issue
Tanium can be used to issue a shutdown command to VSA servers, or to keep them online but secure via Tanium Quarantine.
Tanium Threat Response enables real-time threat hunting and detection using IoCs and threat intelligence. If threats are identified, further action can be taken via Tanium Quarantine or Tanium Enforce.
Supply chain threats have been with us for many years. But as this latest incident shows, threat actors are getting bolder and smarter about how they choose their targets. The best form of proactive risk management in this context is having tools to provide continuous endpoint visibility and the control to respond rapidly when it matters.
You can follow this developing story on Tanium Community.
Curious the health of your network? Sign up for our free cyber hygiene assessment today.