Latest Big Hack Highlights a Robust Software Model
(Bloomberg Opinion) -- The centralized software management model is once again under a spotlight after hackers exploited a vulnerability at one vendor, leaving hundreds of companies as victims. Yet it’s this very approach to handling sprawling workforces that has likely prevented even more attacks and makes global networks safer overall.
Within just 24 hours, Kaseya Ltd. went from advising clients of a potential attack to confirming it was struck by a sophisticated cyber offensive. Despite the Miami-based software provider’s “genuine commitment to do the right thing,” wrote the Dutch Institute for Vulnerability Research, which found a key flaw and notified the company, “we were beaten by REvil in the final sprint.”
REvil has a long rap sheet. It’s blamed for the May attack on Brazilian meat processor JBS SA, and has previously been fingered for stealing schematics of Apple Inc. products from one of the tech giant’s suppliers. This time, the group, believed to be based in Russia, is accused of infiltrating around 30 managed service providers that among them work with more than 1,000 businesses. The hackers then encrypted hundreds of computers and demanded a ransom, with one post putting the asking price at $70 million to unlock all of the victims collectively.
Kaseya produces a particular type of software that lets clients remotely manage and monitor devices across an entire organization. Buyers of this product, called Kaseya VSA, are typically managed service providers who are outsourced subcontractors handling the administration of their customers’ fleets of servers, computers and printers. By automating tasks, the software allows MSPs to control thousands of devices with relatively few technicians. Among Kaseya VSA’s tasks: “Automate software patch management and vulnerability management to ensure that all systems are up to date.” Ouch.
That’s why Kaseya, and the cybersecurity community at large, were in a race against the bandits who’d also discovered the flaw. Get there first, and the door could have been shut by the introduction of new patches to close off the vulnerability. But they didn’t, and REvil seized the opportunity. By understanding the existing weaknesses in the Kaseya VSA software, at least one of which was signaled by the Dutch team, hackers were able to trick servers running the product into distributing malicious code onto individual computers. The result was a widespread attack that hit mostly small and medium businesses but also included Swedish supermarket chain Coop and more than 100 New Zealand kingergartens.
What makes MSPs particularly good targets is their efficient and automated approach to managing hundreds of computers. Hack one of these control servers and there’s a good chance you have access to its entire network. With the attacker then automating the process of spreading the payload across the globe, it’s entirely possible that REvil doesn’t even know who all its victims are.
It’s important to note, however, that the current incident didn’t come from merely exploiting one minor flaw. In fact, the hackers had developed a sophisticated set of weapons that could be launched when an opportunity was found. This fact strengthens, rather than weakens, the argument for remote management.
There are numerous untold stories where centralized software management has ensured that the right patches were installed before a nefarious player could exploit them. Microsoft Corp., maker of the world’s most ubiquitous operating system, has teams dedicated to discovering flaws and issuing updates.
But this find-and-fix approach doesn’t work unless the millions of computers that use its products — including Windows, Office, and Exchange Server — update their software to close such holes. According to one report, the most exploited vulnerability in 2020 was one first discovered a few years earlier, but hackers kept working with it because users had failed to apply the patch. Managed service providers, employing tools such as Kaseya VSA, ensure that fixes are automatically installed.
An analogy can be drawn with aircraft automation. Recent fatal airline crashes have been linked directly to problems with the sophisticated systems that are used to control modern planes. Yet the aviation industry over the past few decades has become safer thanks in part to this digital assistance. The problem now lies in the conflict over the information and control that computers share with the people they’re supposed to help. Human pilots consistently lose out, and crashes occur, when machines are put in charge instead of being used primarily to assist.
The same applies to centralized remote software management. Global networks are arguably safer with this automation in place, but we mustn’t forget the role humans play. One group creates the original software, accidentally writing in the flaws, while others find the weaknesses and seek to exploit them. Yet it’s also people, with the aid of computers, who fix the faults before machines can replicate vulnerabilities.
When investigators look back upon this hack, doubtless there will be many fingers pointed at the automation and concentrated risk that centralized software supply chains create. Yet it’s exactly this management model that’s crucial in minimizing attacks, too.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Tim Culpan is a Bloomberg Opinion columnist covering technology. He previously covered technology for Bloomberg News.
©2021 Bloomberg L.P.