Defensible TechnologyDecember 15

Supply Chain Security: Lessons Learned From the Kaseya Ransomware Attack


Supply chain security risks are a significant part of the threat landscape for managed security providers, and nothing underscores that as strongly as the Kaseya ransomware attack. Kaseya is a market leader in management software for enterprise IT departments and managed security providers. Their VSA platform offers services such as remote monitoring, endpoint management, troubleshooting, and automated scanning and patching.

In July 2021, Kaseya discovered that the VSA software had been the victim of a supply chain ransomware attack. Attackers exploited an authentication bypass vulnerability in the VSA web interface and deployed a fake management agent update that was actually REvil ransomware. In order to respond to the attack, Kaseya’s CEO urged clients to shut down their VSA servers. Kaseya shut down its own SaaS servers and took its data centers offline in order to stem the spread of the ransomware.  

Even though Kaseya said that less than 0.1% of their customers were affected by the ransomware attack, that still meant a strong effect, given their line of business. Since some of those customers are MSPs, it is estimated that between 800 and 1500 small-to-medium-sized businesses were compromised in the attack. As an example of its effects, the Swedish Coop grocery store chain had to close all 800 of its stores after the ransomware left it unable to operate its cash registers.

The Kaseya ransomware attack makes it clear that attackers are embracing the power of supply chain attacks. Supply chain attacks serve as a force multiplier, and MSPs have so much customer trust that they become attractive targets. The stakes are high, and to protect not only their own data but the data belonging to hundreds of companies who trust them as a security partner, MSPs need to understand how to improve their supply chain security.

The Multiplier Effect

For financially motivated attackers, as with those engaged in legitimate business, the goal is return on investment. Attackers want to collect the most loot (be it ransom payments, data, or other assets) with the least investment. Supply chain attacks are attractive from an ROI perspective due to the one-to-many aspect. If an attacker is able to compromise one supplier, who is able to pass the exploit on to multiple companies who do business with a compromised supplier, then the attacker has been able to compromise dozens, hundreds, or even thousands of targets while only having to find and exploit a vulnerability at one target organization.

The Kaseya ransomware attack highlights several layers of the multiplier effect. The REvil group targeted Kaseya, an IT services firm that markets its offerings to MSPs. So, by compromising the Kaseya VSA platform, attackers were able to winnow their way into multiple MSPs who used the platform, and through that, have a chance to compromise multiple customers of these multiple MSPs that used the platform.

However, the Kaseya ransomware attack is just one prominent example of an attack on a service provider that helped outside organizations gain access to other targets downstream. Mandiant researchers recently identified two distinct clusters of Russian APT activity linked to the Nobelium SolarWinds attackers. The 2020 attack on SolarWinds utilized malicious code in the company’s IT management software “Orion,” which is used by approximately 33,000 customers, to gain unauthorized access to the IT systems of SolarWinds customers. Attackers were then able to implement additional malicious code and malware in numerous information technology systems, allowing them to spy on U.S. government agencies and private companies, such as Microsoft, Intel, and Deloitte, among others. Mandiant’s latest intel furthers the idea that as attack groups become more capable and sophisticated, attacks leverage third parties and trusted vendor relationships to exploit vulnerabilities in one system and take aim at multiple targets through a multiplier effect will only become more prominent. 

MSPs as Targets

MSPs, and the suppliers they use for components of their offerings, are particularly attractive targets for supply chain attacks. It starts with the one-to-many effect since many businesses will work with each individual MSP, but it does not end there. Customers of MSPs trust their MSPs as a security partner and provider, meaning they are likely to assume that software and updates coming from an MSP are, in fact, legitimate. Customers of MSPs also give MSP software and agents elevated privileges on their systems and networks since MSP offerings are built into the fabric of network monitoring, data protection, and system patching.

Even if the eventual targets, for ransom demands or other repercussions, are not the MSPs themselves but their customers, there is still a significant cost to MSPs when they are used in these supply chain attacks. In case of an incident like the Kaseya ransomware attack, MSPs have to spend time and money doing incident response, leading remediation efforts, and providing assurance to current and prospective customers about their security practices. MSPs also have significant reputational concerns around security. If they become an attack vector, it hurts their reputation as a trusted security partner, so they can lose current and future customers in the fallout.

How to Respond to This Threat

A key component of strengthening supply chain security is making sure products and services are properly secured and audited. Between cloud services, web platforms, and device firmware, this means MSPs must build security into the software development process. They must continuously assess the security of their products, including static and dynamic code testing, review, and penetration testing. When incorporating other companies’ products, software, and libraries, MSPs must also evaluate them to determine whether their approach to secure software is strong enough to link to their own product and reputation.

Another important component, which supports software build security and the rest of a program, is leadership. The Kaseya ransomware attack drives home the need for expert security leadership within MSPs. Expert security leadership will guide the internal security program, evaluate tools, set priorities, and help assure customers that the MSP has the right cybersecurity expertise to protect their assets. As MSPs market themselves as cybersecurity providers, they also need to implement a strong cybersecurity program internally. Though many providers highlight being certified, that is no substitute for a strong program, and checked boxes will not save their reputation if they are compromised. A mature, well-led security program, on the other hand, will not only strengthen reputation but help prevent attacks.

How a vCISO Can Help

Expert security leadership is important for MSPs and their customers, and MSPs can differentiate themselves by embracing the value of security leadership.

For MSPs who may not be large enough to hire a full-time CISO, a virtual CISO (vCISO) is an excellent option. A vCISO is an experienced Chief Information Security Officer who provides expert guidance and insight on an as-needed basis, without having to go through the time of recruiting and hiring. A vCISO can also interact with customers and prospects to assure them that your MSP takes security seriously internally and relies on more than compliance checklists.

MSPs can also stand out in a crowded market by reselling vCISO services. In a marketplace where many companies are selling technical solutions, your MSP can stand out by offering vCISO services to clients. As a vCISO reseller, your MSP can present a more mature and holistic approach to security and offer your customers all of the necessary tools to embrace that in their business.

If you are ready to learn more about how vCISO can help you strengthen your security posture in the face of supply chain security risks and offer more to your customers, ask Defensible today.

For more information or to schedule your free 30-minute consultation, please reach out to