'When are they going to learn?' - Cybersecurity bosses slam Kaseya and other RMM vendors for neglecting security basics
50 MSPs and up to 1,500 businesses were affected by the Kaseya attack. Cyber security bosses tell CRN how RMM tools provide an easy way in for threat actors
Kaseya claims around 50 MSPs were affected by the attack by Russian-speaking ransomware group REvil on Friday, with around 800 to 1,500 customers around the world also impacted.
This is the second high-profile "supply chain" attack in less than a year, following the SolarWinds hack which brought down US federal networks and affected around 100 private sector companies.
In a video published on YouTube, Kaseya CEO said the media had over exaggerated the scale of the attack, and suggested that cyberattacks and breaches were an inevitable reality in the modern day world.
He also praised Kaseya's security plans and architecture which prevented an attack "that could have been something much greater".
"Someone gave me a really nice piece of advice. They said ‘even the best defences in the world get scored upon'," he said.
"This breach has gotten incredibly scrutiny from the press. All of a sudden, cybercrime and ransomware has become the topic of the day and we're caught in the middle of it. And people make the story, make the impact of this, larger than what it is.
"We all have to take a step back and realise this is the world we live in."
But despite Kaseya's assurances that it acted quickly, there's no doubt that supply chain attacks are on the rise, placing MSPs and their customers in the firing line.
Kaseya sells to more than 35,000 IT services firms worldwide, who in turn serve around one million businesses. It's easy to see what damage could be done if cyber attackers are able to exploit weaknesses in their products.
Are RMM tools secure?
Remote monitoring and management (RMM) tools have glaring cybersecurity flaws that leave any MSPs that use them open to future attacks, cybersecurity experts have told CRN.
Most vendors, including Kaseya, highlight the efficiency and cost saving benefits of RMM tools on their websites. But MSPs should now be pressing them on their security credentials.
Tools sold by these companies give administrators "god-like" privileges, according to Flow Communications CEO Etienne Greeff. They often require users to disable security controls such as AV detection and exclude certain directories from traditional scanning and malware detection techniques.
"I can tell you now that this won't be the last supply chain attack," said Greeff.
"All of these tools have a common issue that they enable admin privileges, but they're often tools that have interfaces cobbled together on top of them that are not as secure as you'd want them to be."
RMM tools are often lacking in even the cybersecurity basics, added Ricky Magalhaes, director of managed security services at Logicalis.
They're often not using privileged account management, nor do they use other commonplace practices such as multi-factor authentication - and many MSPs are failing to do the same.
"If you've got remote access to a customers' machines with admin privilege and the password is the same across all of the machines and that one password gets compromised, a Russian gang can hack into your system - that's a problem. This is what keeps happening; it happened with SolarWinds, it's happened with Kaseya. My question is: when are we going to learn?"
Magalhaes blasted Kaseya directly for failing to properly secure its tools.
"They're not paying attention to basic security. You should use credentials that rotate or change, use multi-factor authentication, there are so many technical controls they're just not following. They're effectively playing in the middle of traffic and then wondering why they're getting run over.
"Once you've got the password, by virtue of how the software works, you can just login; you don't even need to hack anything," he said.
The lack of security in RMM tools put MSPs in an incredibly difficult position. They rely on these tools to provide services to their customers, but are now finding themselves in the centre of the storm.
"MSPs really don't have the ability to verify the level of security of these tools. But if they don't use them, they can't provide the service. It's a really difficult position."
"A lot of the tools are not as secure as you might think they are. And actually, there's a lot of research that actually demonstrates that last year a lot of the high impact security vulnerabilities have been from security products. So there's a track record of security products having vulnerabilities."
He added that current security practices need to change as attacks against MSPs accelerate.
Most put a lot of emphasis on detection-based processes, with massive investment going into SIEM tools such as Splunk and other providers, but businesses haven't paid enough attention to the recovery and response phase of cybersecurity, said Greeff.
This will become even more vital for MSPs as cyberattacks accelerate in terms of both severity and frequency.
A recent report by Canalys suggests that RMM vendors including Kaseya, ConnectWise, Datto and SolarWinds are increasing their security focus as they come under more scrutiny.
"Firmware and patch management security providing continuous vulnerability assessments is going to be critical to address the rise in software supply chain attacks," the report reads.
Far reaching impact on MSPs
The UK government has already launched a consultation which could result in MSPs being forced to follow new security standards to help fight back against the rise in supply chain attacks.
Many MSP bosses that spoke to CRN cautiously welcomed the news, claiming that intervention would rise security standards across the UK.
In 2019, Canalys' Steve Brazier predicted that MSPs themselves could come under more scrutiny from customers as their MSPs become a larger target.
"Managed service providers are the weakest link in the chain. And sometimes you might not have done anything wrong, but the tools you're using are vulnerable. ConnectWise was guilty for example of having a breech in their systems. You may have done everything right and you're still the weakest link in the chain.
"Your customers are going to rack up, and rack up the requirements you need to have in order to do business with them. And we're seeing that as customers have one bad experience, suddenly the requirements on their MSPs are going to go up, and up."