Ah, lovely holiday weekend. We closed early on Friday. All the staff is enjoying family time. Many are out of town. The ideal time for a horrific ransomware attack to shut down hundreds of businesses and cost millions of dollars. Happy Independence Day!
In my 30 years of running our business servers, I have noticed that system penetration attacks, denial of service attacks, and brute force email spam increase at the times and dates when US staff are away from their servers. Clearly the attackers hope that people are not watching the server messages that hint that a system has been compromised.
Starting mid-afternoon on July 2nd, a nefarious group succeeded in compromising Kaseya, a vendor of IT management software. Through Kaseya's VSA remote management tool, they pushed ransomware to the IT service providers that run it, and on through those providers to their customers. Ransomware is software that encrypts a server or its data files and then demands a ransom for the key to unlock them.
Kaseya Underwhelms in Response
True to holiday mode, the response from Kaseya has been underwhelming. They claim to be the victim. They claim only a few customers are affected. They state they had the attack under control within two hours. Their offered solution is to shut down any server running their service. Meanwhile, because of the attack, a chain of 500 stores in Sweden is closed, 200 US companies are paralyzed, and thousands of network technicians have been called back to work to mitigate the damage. What is missing in Kaseya's response is a sense of responsibility and of scope. It is clear that Kaseya's management is still by the barbecue and not in the office.
Is your Business Affected? Is your Business Next?
The year 2021 has been awash in cyberattack and ransomware news. If you are not taking steps now, you should be thinking about it. These attacks spread like a disease, and as with a disease, you can take steps to keep your company from getting sick. This may save you thousands of dollars. Here are five steps you can take this month to lower your risk.
1. Recognize Phishing Email in all its Forms
Hillary Clinton would have become president if it wasn't for a mistake made by her campaign chairman, John Podesta. The campaign was a target, and it already knew that phishing emails were being sent its way. Podesta clicked the link in a fake password-reset message and entered his email credentials. Within minutes, some 50,000 campaign emails were in Russian hands, and Hillary's campaign was toast. How could any high-level manager fall for a simple spoof?
The spoofs are getting pretty good, and it takes real effort not to click. We all get them. The typical one today is a short email with no explanation and a simple, plausible attachment. Often the only clue is that the sender is unknown.
Sometimes the sender appears to be known, or even a known vendor. Here at CompanionLink, a quick look at our publicly available DNS (the MX records) reveals that we use Rackspace for business email. You can guess that we get many messages claiming to be from Rackspace: "Phone message from Rackspace" (we do not get phone service from them), "Mailbox Full," or "Mailbox Corrupted." My favorites are the ones designed to make you panic: "Your credit card has been billed for $6,533.32" or "Your bank account has been closed for fraud."
Avoid the panic. Tell your staff to forward all odd messages to IT without clicking anything in them. Then, if needed, log into your email portal or your bank directly, never through the link in the message, to confirm there is no actual problem.
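The tells described above (a display name that claims a known vendor while the address belongs to someone else, replies routed to a third domain, a link whose visible text does not match where it really goes, and a panic-inducing subject or body) can be checked mechanically before anyone clicks. The script below is an added example, not code from the original post or from any vendor named here. The two sample messages, the example.com recipient, and the mapping of the display name "Rackspace" to the sending domains rackspace.com and emailsrvr.com are constructed for illustration; replace the KNOWN_VENDORS table with whatever your own MX and SPF records expose.

```python
"""Flag common phishing tells in a raw RFC 822 message.

Added example, not code from the original post. KNOWN_VENDORS, the sample
messages and the recipient address are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: display names that legitimately map to these sending domains.
KNOWN_VENDORS = {"rackspace": {"rackspace.com", "emailsrvr.com"}}

URGENCY = re.compile(r"(billed|charged|\$\d[\d,]*\.\d{2}|closed for fraud|mailbox (full|corrupt))", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def under(domain: str, allowed: set) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw: str) -> list:
    """Return a human-readable list of tells; an empty list means nothing odd."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name claims a known vendor but the address is not that vendor's.
    for vendor, domains in KNOWN_VENDORS.items():
        if vendor in name.lower() and not under(from_dom, domains):
            findings.append(f"display name '{name}' but sender domain {from_dom}")

    # 2. Replies are routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 3. The envelope sender (bounce address) belongs to yet another domain.
    _, rpath = parseaddr(msg.get("Return-Path", ""))
    if rpath and domain_of(rpath) != from_dom:
        findings.append(f"Return-Path domain {domain_of(rpath)} differs from From domain {from_dom}")

    # 4. Link text shows one host while the href points somewhere else.
    body = body_text(msg)
    for href, text in ANCHOR.findall(body):
        shown = text.strip()
        if HOSTLIKE.match(shown):
            shown_url = shown if "://" in shown else "http://" + shown
            if urlparse(shown_url).hostname != urlparse(href).hostname:
                findings.append(f"link text shows {urlparse(shown_url).hostname} but goes to {urlparse(href).hostname}")

    # 5. Panic bait in the subject or body.
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        findings.append("urgency/billing language")
    return findings


# Constructed sample: the kind of spoof the text describes.
PHISH = """\
Return-Path: <bounce@mail-delivery-notice.xyz>
From: "Rackspace Support" <support@rackspace-billing.xyz>
Reply-To: <helpdesk@mail-delivery-notice.xyz>
To: owner@example.com
Subject: Your mailbox is full - action required
Content-Type: text/html; charset="utf-8"

<p>Your credit card has been billed for $6,533.32.</p>
<p><a href="http://mail-delivery-notice.xyz/login">https://apps.rackspace.com/login</a></p>
"""

# Constructed sample: a plain notification with nothing odd about it.
LEGIT = """\
Return-Path: <noreply@emailsrvr.com>
From: "Rackspace" <noreply@emailsrvr.com>
To: owner@example.com
Subject: Monthly invoice available
Content-Type: text/html; charset="utf-8"

<p>Your invoice is ready. Log in to your control panel to view it.</p>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

Run it on a message saved from your mail client ("show original" or "view source"); the sample spoof trips all five checks, the plain notification trips none. None of these checks is proof on its own, which is why the advice stands: forward the message, do not click, and log in directly.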
2. Train your Staff – Really – to Recognize and Mitigate Risks
We all know the drill. You have a 30-minute meeting with your Vice President to underscore the importance of security for your business and your customers. He tells the tech manager in four sentences and maybe sends an email to all. Your team managers respond upstream in glowing terms, and then behind your back convey a "don't screw up" message downstream. The line staff gets the message: "Please don't leave food in the refrigerator more than 3 days, remember to buy a Secret Santa gift, and do not take down the entire company with an insecure password." Unfortunately, the line staff just treats it as another empty command from the top.
The most common method of attack is phishing emails
The SolarWinds initial attack vector is not publicly known. What is known, however, is that for years (five, by some accounts) certain SolarWinds systems were reachable using the password Solarwinds123. While the company's CEO claims the password was locked out immediately after the company was notified that it was publicly exposed, others dispute both the timeline and the extent to which the password was used.
This goes beyond simply choosing a good password, and beyond any automated policy that forces you to change passwords frequently. The best hygiene is to ensure that every system you have has a different password, and that those passwords are stored securely. The two goals pull against each other (more unique passwords means more to keep track of), but they are worth the time it takes to get right.
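The two failures called out above, one password shared across systems and a guessable "company name plus digits" password of the Solarwinds123 variety, are both easy to find once someone writes the inventory down. The script below is an added example, not code from the original post or from SolarWinds; the inventory, the organisation name "Acme" and the tiny common-password list are constructed for illustration. Reuse is detected by comparing SHA-256 digests so the report never has to repeat a plaintext password.

```python
"""Audit a credential inventory for reuse and for weak, guessable passwords,
and mint a fresh per-system replacement.

Added example, not code from the original post. INVENTORY, COMMON and the
organisation name are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re
import secrets
import string
from collections import defaultdict

# Constructed: a tiny stand-in for a real breached-password list.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}


def weaknesses(password: str, org: str) -> list[str]:
    """Reasons a single password is weak; an empty list means no finding."""
    reasons = []
    low = password.lower()
    if len(password) < 14:
        reasons.append("shorter than 14 characters")
    if low in COMMON:
        reasons.append("in common-password list")
    if org.lower() in low:
        reasons.append(f"contains organisation name '{org}'")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", password):
        reasons.append("word followed by digits (Solarwinds123 pattern)")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    if sum(classes) < 3:
        reasons.append("fewer than three character classes")
    return reasons


def audit(inventory: dict[str, str], org: str) -> dict[str, list[str]]:
    """Map system name -> findings for every system with a problem."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_digest: dict[str, list[str]] = defaultdict(list)
    for system, pw in inventory.items():
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(system)
        findings[system].extend(weaknesses(pw, org))
    for systems in by_digest.values():
        if len(systems) > 1:
            for s in systems:
                others = ", ".join(x for x in systems if x != s)
                findings[s].append(f"password reused on: {others}")
    return {k: v for k, v in findings.items() if v}


def new_password(org: str, length: int = 24) -> str:
    """A fresh random password from the OS CSPRNG that passes weaknesses()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(pw, org):  # retry on the rare draw that lacks a class
            return pw


# Constructed inventory: two systems share one weak password, one is merely weak.
INVENTORY = {
    "update-server-ftp": "Acme123",
    "mail-portal": "Acme123",
    "crm-admin": "Summer2021",
    "firewall": "T7!pq2Zr#mLw9vBe$K4x",
}

if __name__ == "__main__":
    for system, problems in audit(INVENTORY, "Acme").items():
        print(f"{system}: " + "; ".join(problems))
        print(f"  replacement: {new_password('Acme')}")
```

Feed it a real inventory exported from wherever you keep credentials, fix everything it flags, and then keep the replacements in that secure store rather than in the script or a spreadsheet.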
3. Do not use Unnecessary Vendors
SolarWinds, Microsoft Exchange, and Kaseya show the exposure you inherit when an IT vendor becomes the source of a security breach. A company whose only fault was to purchase services from that vendor is suddenly left with a million-dollar mess.
For the most part, you can identify your IT vendors by looking at the bills you pay. If you pay for a service, your company may be vulnerable to a breach of that service. Keep a close eye on payments large and small, because instead of you paying them, they may end up costing you. Be sure each service is necessary and justified. Also check your inbox for notices from providers you do not pay, like Facebook and Google; you pay those with your information (sold as advertising) rather than from your bank account, but they are vendors all the same.
4. Do not Trust the Cloud
People who trust the cloud are the same ones that sign agreements without reading them. Their trust is misguided: those click-through agreements typically limit the provider's liability when your data is breached. Your best security is not to be a target. Staying small and anonymous may work better than making waves and becoming a victim.
The Microsoft Exchange attack targeted organizations that run their own on-premises Exchange servers. Once Microsoft released patches, the problem was not systems that were up to date but systems that were lagging behind on updates. These were companies that made a good-faith effort to run secure servers but had fallen a bit behind on maintenance, which is not surprising during the COVID era. Most companies were focused on how to pay staff, not on whether to install routine security updates.
For internet-based email, you are safer when the mailbox login is its own credential (a plain IMAP account) rather than tied to LDAP or directory logins, where a phished mailbox password may also be a system-level password. For in-house systems like CRM, there are still many vendors that can supply an on-premises CRM at a fraction of the cost of a cloud system, and it ensures that even if your internet is down, your customer data stays safe behind your corporate firewall.
5. Beware of Security Dominoes
A security domino is any system that, when breached, leads to other systems that can then be breached. Password vendors LastPass and 1Password are prime targets for bad actors for exactly that reason. Keep in mind that Yahoo and AOL have been breached multiple times, as have Facebook and Twitter. Even Apple, which sticks its finger in Microsoft's eye over viruses, kept a sickening silence when 128 million iPhone users were hit.
For corporate servers, qualify logins not just by password, 2FA, and additional factors, but by requiring the source IP to match a minimal set of known addresses. Do not rely on IP geolocation, since any VPN user can easily spoof a location. Limit access to the specific IP networks your team actually uses. A primitive firewall like iptables, with a short allowlist and a default drop, can block better than a sophisticated one that lets anyone reach a login screen. The networks your team uses are limited and known. Strength lies in simplicity.
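The source-IP rule above can be enforced two ways: at the firewall, so strangers never reach the login port, and after the fact, by checking whether any successful login came from an unknown network. The script below is an added example, not code from the original post or from any project; the team networks and the sshd log lines are constructed (RFC 5737 and RFC 3849 documentation ranges), and the rule lines it prints are plain iptables/ip6tables syntax for you to review before applying.

```python
"""Source-IP allowlisting for a login port: scan sshd logs for successful
logins from outside the team's known networks, and emit the iptables rules
that keep everyone else out.

Added example, not code from the original post. TEAM_NETS and SAMPLE_LOG
are constructed for illustration.
"""
import ipaddress
import re

# Constructed: the handful of networks the team actually connects from.
TEAM_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port"
)


def in_allowlist(ip: str, nets=TEAM_NETS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def logins_outside_allowlist(lines, nets=TEAM_NETS):
    """(user, ip, method) for every successful login from an unknown network.
    Failed attempts are deliberately ignored here: the firewall rules below
    exist so that those never reach sshd at all."""
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if m and not in_allowlist(m["ip"], nets):
            hits.append((m["user"], m["ip"], m["method"]))
    return hits


def allowlist_rules(port: int, nets=TEAM_NETS):
    """ACCEPT from each known network, then DROP everything else on that port,
    for the v4 and v6 tables as needed. Order matters: DROP must come last."""
    rules = []
    for tool, version in (("iptables", 4), ("ip6tables", 6)):
        relevant = [n for n in nets if n.version == version]
        if not relevant:
            continue
        for n in relevant:
            rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {n} -j ACCEPT")
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    return rules


# Constructed sshd log lines in the usual syslog format.
SAMPLE_LOG = [
    "Jul  3 02:14:07 web1 sshd[2211]: Accepted publickey for deploy from 203.0.113.10 port 51234 ssh2",
    "Jul  3 02:15:44 web1 sshd[2230]: Accepted password for admin from 198.51.100.77 port 40022 ssh2",
    "Jul  3 02:16:02 web1 sshd[2241]: Failed password for root from 192.0.2.55 port 39911 ssh2",
    "Jul  3 02:17:30 web1 sshd[2250]: Accepted publickey for deploy from 2001:db8::1 port 51300 ssh2",
]

if __name__ == "__main__":
    for user, ip, method in logins_outside_allowlist(SAMPLE_LOG):
        print(f"ALERT: {user} logged in via {method} from {ip}, which is outside the allowlist")
    print("\n".join(allowlist_rules(22)))
```

If the team reaches servers through a company VPN, the allowlist is the VPN's egress address, not each employee's home connection. Place the ACCEPT/DROP pair after any existing rule that accepts established connections, and test from a second session before closing the one you are in, so a typo does not lock you out of your own server.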
To the management of Kaseya: your company got attacked. Start your message by taking responsibility. Until known otherwise, your company was vulnerable to an attack; if you had done your job right, this attack would not have happened. Start by owning that fact.
Hundreds of IT workers had their holiday ruined. Reach out. Tell them that Kaseya management has been called back to the office and will stay full-time to ensure the fastest possible response.
Finally, reach out to your customers, who have been damaged, to help mitigate their future losses and to explain what you are doing to make up for their current losses. You have insurance. They do not.
For everyone else: sit down on Tuesday with your monthly vendor bills and go through them one by one. Make sure you are protected if that vendor is breached. The year 2021 has seen an unprecedented rise in successful ransomware attacks, and the trend is not in your favor.