Kaseya Breach Points to Risks in VSA/MSP Systems

Over the last week, more than a thousand companies, many of them small businesses, were dealing with the fallout from the Kaseya mass ransomware incident. In the wake of the devastating compromise of Kaseya’s popular IT management tool, researchers and security professionals are warning that the debacle isn’t a one-off event but part of a larger trend.

Hackers are increasingly targeting the entire class of tools that administrators use to remotely manage IT systems, because those tools give an attacker access to everything in a victim's network.

The Kaseya incident is just the most recent high-visibility attack on these tools. A Chinese state-sponsored supply chain compromise, the SolarWinds attack, and the attack on a Florida water treatment plant are other recent examples.

These so-called remote management tools present an enticing target for criminals for the same reasons they are a valuable tool for the businesses that use them.

By attacking the tools that enterprise administrators use to set up and control hundreds or thousands of machines across IT networks, criminals can spy on target machines, pull files off them, spread their control from one machine to others, and ultimately install malware, as REvil just did.

These attacks represent a prime example of a larger problem: The same tools that let administrators easily manage large networks can also give hackers the same powers. “The piece of your infrastructure that manages the rest of your infrastructure is the crown jewels. It’s the most pivotal. If an attacker has that, it’s game over,” says Luke Roberts, a security researcher with the financial services company G-Research.

“The reason that ransomware actors are going after things like Kaseya is because they offer complete access. They are like the gods of the environments. If they have something over one of these platforms, they get whatever they want to get.”

Management infrastructure always holds allure for attackers. So any time you are using a system to manage many different devices and grant administrative control over them, it becomes imperative that the system itself is configured and managed securely.

Although Kaseya was the tool that was breached, and reports have stated that there may have been several long-running vulnerabilities in its system, it is hardly alone among remote management tools as a potential attack surface for intruders, says Jake Williams, a former NSA hacker and chief technology officer of the security firm BreachQuest.

Tools like ManageEngine, Intune, NetSarang, DameWare, TeamViewer, GoToMyPC and others present similarly juicy targets. They are ubiquitous, usually are not limited in their privileges on a target PC, are often exempted from antivirus scans and overlooked by security administrators, and are able to install programs on large numbers of machines by design.

“Why are they so nice to exploit?” Williams asks. “You’re getting access to everything they manage. You’re in god mode.”

In recent years, Williams says he’s seen in his security practice that hackers have “repeatedly” exploited remote management tools, including Kaseya, TeamViewer, GoToMyPC, and DameWare in targeted intrusions against his customers. He clarifies that it’s not because all those tools had hackable vulnerabilities themselves, but because hackers used their legitimate functionality after gaining some access to the victim’s network.

As fraught as remote management tools may be, however, giving them up is not an option for many administrators who depend on them to oversee their networks. The key is to understand just how powerful, and how vulnerable, remote management tools can be in the wrong hands, a fact that criminals the world over are taking advantage of.