Kaseya BOTG BLM registry
I believe you guys have some confusion on the product and what an RMM tool like Kaseya offers and why the premise of "Why would a grocer in Sweden need a cloud connected cash register?" is a bit off base.
Kaseya's VSA software is an RMM (Remote Monitoring and Management) tool, similar to competitors such as ConnectWise. It is used by Managed Service Providers or Enterprises to support and manage remote endpoints. In the case of the pandemic, this is an even more widely used type of tool with remote laptops being deployed. This is OS patching, software patching, remote control (support/troubleshooting), automation/scripting, reporting, antivirus, etc.
MSPs are generally used for businesses that don't have the personnel, budget, or expertise to properly manage their endpoints to ensure they meet regulatory requirements. Cash registers / card processing in this case would probably have to meet PCI regulations or something similar. They would have to be able to show proof of this as well. Banks in the US typically follow FFIEC (Federal Financial Institutions Examination Council) guidelines and abide by FDIC (Federal Deposit Insurance Corporation) regulations.
The hack involved a supply chain attack that only appeared to affect Kaseya's customers that were running their VSA software on-prem, not their hosted or cloud offering of the same product. Because it was a supply chain attack, it was similar to the SolarWinds hack in the update mechanism. It was then able to attack some vulnerabilities via SQL injection and ASP. Even if the product on-prem is locked down and restricted properly with security and network controls, the update mechanism from Kaseya to the MSP/Enterprise VSA servers caused the infection. Once those were infected, an MSP that has access to potentially hundreds of customers and thousands of endpoints has many new targets to spread the ransomware to. This makes MSPs and software vendors that make RMM type tools a prime target for ransomware. Infect one to reach the potential of many.
Background that I would like to be kept from being read if possible:
I am a dude named Ben that works for a company (MSP) that uses Kaseya in the financial field (that requires all of this regulation and reporting for customers). This is definitely a product that no one really loves and most dislike for some of the decisions software/application coders make. But you pick an RMM tool vendor and make it do what it wasn't supposed to do. There just isn't that much to choose from. More now than when we started. I am the network/firewall/security guy and do a lot of the other internal infrastructure when I can. We were very lucky not to be one affected. We luckily have a guy who knows this Kaseya product probably better than they do. He actually found additional vulnerabilities during this attack in SQL/ASP that he submitted while our servers were sandboxed. Our deployment on-prem is highly customized, does not auto-update, and is manually updated on a delay. Some of our layered security measures and policies that were in place helped us avoid this, but there was no guarantee. We could have easily been one of the ones affected.
The following can be used:
Interestingly enough, analysis of the attack... some of the Indicators of Compromise showed that there were Windows registry modifications that say "Black Lives Matter". Of course no one mentions this in the media.
It is scary because they push heavily for automated updates and for p2p updates, just increasing the spread of something like this. However, automated updates with a supply chain hack like this will cause havoc for anything, including Linux. Just imagine an Ubuntu repo being compromised.
There's a need to stay current on updates, but never be the guinea pig, and disable automatic updates.
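The post mentions registry modifications containing "Black Lives Matter" among the published indicators. As an added example (not code from the poster, Kaseya, or any IoC report), the following PowerShell hunt walks the local registry for key names, value names, or value data matching that string; the hive list and the regex pattern are assumptions to adjust against the IoC report you actually hold.

```powershell
# Added example, not from the original post: search the local registry for the
# string the post reports in the Kaseya IoCs. The pattern and hive list are
# assumptions; replace them with the exact indicators from your IoC report.
$Pattern = 'Black\s*Lives\s*Matter'   # matches "BlackLivesMatter" and "Black Lives Matter"
$Hives   = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\SOFTWARE')

$Hits = foreach ($Hive in $Hives) {
    # SilentlyContinue skips subkeys the current account is not allowed to read
    Get-ChildItem -Path $Hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $Key = $_
        # 1) the key name itself matches
        if ($Key.PSChildName -match $Pattern) {
            [pscustomobject]@{ Key = $Key.Name; Value = '(key name)'; Data = '' }
        }
        # 2) a value name or its data matches
        foreach ($ValueName in $Key.GetValueNames()) {
            $Data = [string]$Key.GetValue($ValueName)
            if ($ValueName -match $Pattern -or $Data -match $Pattern) {
                [pscustomobject]@{ Key = $Key.Name; Value = $ValueName; Data = $Data }
            }
        }
    }
}

if ($Hits) {
    $Hits | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled run or RMM script can raise an alert
} else {
    Write-Output "No registry entries matching '$Pattern' found."
}
```

Run it elevated so HKLM is fully readable; a recursive walk of HKLM:\SOFTWARE takes a minute or two on a typical endpoint.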
Cyber Polygon | World Economic Forum
Cyber Polygon is a unique cybersecurity event that combines the world's largest technical training exercise for corporate teams and an online conference featuring senior officials from international organisations and leading corporations.
The 2021 conference discusses the key risks of digitalisation and best practice for the secure development of digital ecosystems.
The 2021 technical exercise builds and tests the skills needed to protect our industries, centring on a targeted supply-chain attack.
Digitalisation is accelerating everywhere. New digital ecosystems are forming all around us, creating unnoticed linkages across services and supply chains.
As the world grows more interconnected, the speed of development makes it difficult to assess the impact of change.