The Week in Breach: Supply Chain Hack – The Malware Is Coming From Inside The System

Managing the Managers

For two decades, businesses have invested in interconnected IT management software. But reliance on that kind of technology is looking increasingly scary as security breaches become increasingly sophisticated.

The fallout from the latest ransomware security attack, waged through a breach of managed-services provider Kaseya over the holiday weekend, is raising new concerns about the intertwined nature of modern businesses and the companies they pay to manage their technology systems. Countless companies have embraced IT management tools and providers in recent years as they’ve struggled to hire good tech talent to do the job in-house.

A combination of ransomware with supply-chain attacks makes the operating model of MSPs start to look perilous.

  • Kaseya makes and sells IT management software for MSPs, and also offers those services to small and medium-sized businesses.
  • By definition, Kaseya is therefore authorized to push software updates to end-user devices, because timely software patches are considered table-stakes security measures at most corporations.
  • But judging by the last year, traditional security exploits of unpatched end-user systems seem quite dated compared to supply-chain attacks that can impact dozens or hundreds of companies through a single action.
  • REvil, a ransomware group believed to operate out of Russia, seized upon a vulnerability in Kaseya’s VSA product to push out malware that locked computers around the world. The group demanded $70 million to release the unlocking key.
  • Fallout from the incident appeared to be limited in the U.S., although a Swedish grocery store chain was forced to shut down over the weekend after Kaseya shuttered its cloud services and urged on-premises users of its software to do the same in hopes of containing the damage. In total, around 800 to 1,500 businesses were affected, according to Reuters.

This is “likely the most important cybersecurity event of the year,” according to Matt Tait, chief operating officer of Corellium, who wrote about the breach on Lawfare Blog Monday.

  • Supply-chain attacks have been around for a while, but it’s becoming very clear how much potential they have to cause havoc at scale with just one exploit.
  • The SolarWinds attacks were damaging because they allowed attackers to cover their tracks while setting the stage for further infiltration, and while that’s scary enough, they didn’t disrupt normal business activity.
  • The Kaseya incident had an immediate impact, paralyzing customers who did nothing wrong and had no chance of detecting or preventing this attack: The systems they trusted to keep their IT assets protected were the same systems that installed malware on those computers.

The really scary part is the speed at which ransomware attacks on trusted supply-chain providers can ripple throughout the world. That has the potential to cause immense economic disruption.

  • Ransomware attacks on individual companies and government organizations running outdated software are bad enough as it is in 2021, and there is no easy solution other than patching software against flaws.
  • When the software-patching mechanism is itself compromised and used to seed malware to any number of third parties, the problem gets exponentially worse.
  • Businesses have been told for years to stop wasting money trying to manage IT services themselves, with the argument that they’re better off focusing on their core business activity.
  • It would only take one successful supply-chain attack on a major IT vendor to cause damage on a scale we’ve yet to see.

And the government needs to be taking it very seriously. President Biden told reporters Wednesday that his administration expects to have more information about the attack and its ramifications later today. Cybersecurity has been a priority in the early days of Biden’s term, but the scope and intensity of these attacks is only growing.

  • Businesses of any size operating on the internet must prepare for future attacks as if they’re on their own, because traditional methods of mitigating security incidents won’t work for large-scale ransomware and supply-chain attacks orchestrated by foreign actors.
  • The incident is also likely to increase calls for more providers to provide some sort of “software bill of materials” documentation to their customers, a supply-chain transparency proposal the Biden administration is scheduled to release more details about next week.

—Tom Krazit – Protocol

Reach out to us to see how we are ensuring that supply-chain attacks and third-party compromises are not reaching our MSP clients.

Dark Web ID’s Top Threats This Week


Arthur J. Gallagher

https://www.bleepingcomputer.com/news/security/us-insurance-giant-ajg-reports-data-breach-after-ransomware-attack/

Exploit: Ransomware

Arthur J. Gallagher (AJG): Insurance Broker


Risk to Business: 1.673 = Severe

Arthur J. Gallagher (AJG), a US-based global insurance brokerage and risk management firm, is mailing breach notification letters to customers impacted in a previously unannounced ransomware attack that hit its systems in late September 2020. The company said that an unknown party accessed data contained within their network between June 3, 2020, and September 26, 2020. The company has apparently just completed its investigation.


Individual Risk: 1.522 = Severe

While the company did not specify the types of data exposed, its SEC filing did, and PII featured heavily on the list. Data exposed may include a client’s Social Security number or tax identification number, driver’s license, passport or other government identification number, date of birth, username and password, employee identification number, financial account or credit card information, electronic signature, medical treatment, claim, diagnosis, medication or other medical information, health insurance information, medical record or account number and biometric information.

Customers Impacted: Unknown

How It Could Affect Customers’ Business: Proprietary data like this is cybercriminal gold. It’s both useful for committing future cybercrime and quickly saleable in the busy dark web data markets.

IntegraMSP to the Rescue: Building a zero-trust framework is a popular and successful planning choice for a reason. Learn more about how it helps mitigate risks like stolen PII. SEE NOW>>


Washington State Department of Labor and Industries

https://www.thenewstribune.com/news/state/washington/article252532918.html

Exploit: Third-Party Data Breach

Washington State Department of Labor and Industries: Government Agency


Risk to Business: 1.816 = Severe

Washington State informed over 16,000 workers that their PII may have been exposed in a ransomware attack on Renton market research company Pacific Market Research (PMR). The contractor was hit with a ransomware attack in May 2021.


Risk to Business: 1.516 = Severe

The exposed information for workers includes claim numbers and dates of birth for 16,466 workers who had workers’ compensation claims in 2019, which PMR had used to conduct a customer service survey for the agency.

Customers Impacted: Unknown

How it Could Affect Your Business: An unsecured database is easy pickings for cybercriminals and a rookie mistake that could cost the survey company a client.

IntegraMSP to the Rescue: Are you delivering security awareness training to all of your employees? If not, let us show you how to get started in only 15 minutes! CONTACT US>>


Practicefirst

https://healthitsecurity.com/news/healthcare-ransomware-attack-targets-practice-management-vendor

Exploit: Ransomware

Practicefirst: Healthcare Technology Services


Risk to Business: 2.223 = Severe

Practicefirst announced that a 2020 healthcare ransomware attack may have exposed personally identifiable information (PII) of patients and employees. The service provider specializes in medical billing, coding, credentialing, bookkeeping, and practice management solutions. When they detected suspicious activity on December 30th, 2020, they shut down all systems, changed passwords and notified authorities but not before the bad guys scooped up data.


Risk to Business: 2.201 = Severe

Practicefirst disclosed that patient and employee information has been impacted, including birthdates, names, addresses, driver’s license numbers, Social Security numbers, email addresses, tax identification numbers, employee usernames and passwords, and bank account information. Other data that may have been stolen is primarily treatment-focused, like diagnoses, lab and treatment information, medication information and health insurance identification.

Customers Impacted: Unknown

How it Could Affect Your Business: Clients and employees won’t be happy about having this kind of personal information stolen – and neither will the Department of Health and Human Services.

IntegraMSP to the Rescue: Building a strong security culture is essential. Let us help you build a good educational system for your team! CONTACT US>>


UofL Health

https://www.infosecurity-magazine.com/news/kentucky-healthcare-system-exposes/

Exploit: Insider Threat (Employee Error)

UofL Health: Healthcare System


Risk to Business: 1.575 = Severe

Kentucky-based UofL Health has notified more than 40,000 patients of an employee blunder that resulted in their personal health information being emailed to the wrong address. In this case, a UofL employee accidentally sent personal health information from UofL patients to an email address outside of the health system’s network. According to UofL, the accidental recipient of the data did not view or access any patient information.


Risk to Business: 1.502 = Severe

Patients whose data was impacted by the incident have been offered free identity protection services. No specifics about what exact data was accessed have been released beyond personal health information.

Customers Impacted: 40,000

How it Could Affect Your Business: Employee errors that impact compliance in a heavily regulated industry pack a punch after regulators get to work.

IntegraMSP to the Rescue: Learn more about the factors that make it easy for employees to make mistakes and how you can mitigate them for a better staff. CONTACT US>>



1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.