If you’re not already paying attention to the Kaseya ransomware incident, you should be. Matt Tait writes in Lawfare that it is likely the most important cybersecurity event of the year. Bigger than the Exchange hacks by China in January. Bigger than the Colonial Pipeline ransomware incident. And, yes, more important than the SolarWinds intrusions last year.
Kaseya is a managed service provider; its customers use Kaseya to manage their company information technology (IT) infrastructure. As part of this task, Kaseya can deploy software to the systems under management – Tait says that, in a way, that is broadly equivalent to a software provider deploying an automatic update to those machines.
Under normal circumstances, automatic software deployment, especially in the context of software updates, is a good thing. But here this feature was turned on its head. Russian-based criminal gang REvil hacked into Kaseya’s management system and pushed REvil software to all of the systems under Kaseya’s management. From there, the ransomware promptly disabled those computers and demanded a cryptocurrency payment of about $45,000 per system to set the machines free. As of writing, REvil claims that about a million total computers were affected and is offering a “bulk discount” of $70 million to unlock all affected systems in a single payment.
The direct impact is already enormous, but, Tait writes, “to me, the direct impact is, in some sense, far less important than the issue of how the incident occurred, namely by subverting software delivery mechanisms as a means to install ransomware.”
Tait says that there are three more reasons why we should worry about Kaseya-like attacks:
· First, supply chain compromises, such as these, are very often indiscriminate; everyone who installs a malicious update gets the malware.
· Second, and perhaps scariest, observation is that the software vendors used in malicious update compromises thus far have, in the grand scheme of things, been relatively small.
· Third, defensive remediation of ransomware deployed through automatic updates is pathological to the cybersecurity industry itself in a way that is qualitatively different from other categories of cybersecurity incidents.
In short, software supply chain security breaches don’t look like other categories of breaches. Tackling this problem is no small task,
But before researchers and policymakers can start to look for solutions, the first step is recognizing why supply chain compromise is fundamentally different from most other problems encountered day-to-day in cybersecurity, and one with a failure mode that can be unusually fast and large scale. Only then will the information security community be able to start tackling the problem with the scale and seriousness that it deserves.
