Arctic Wolf’s Response to Kaseya Supply Chain Attack and Takeaways from Matt Kozloski

Response to Kaseya Supply Chain Attack

Arctic Wolf is aware of the Kaseya supply chain attack, reportedly affecting between 800 and 1,500 businesses around the world.

The Kaseya VSA supply chain ransomware campaign is a sophisticated and intentional attack, the scope of which will not be fully understood for many weeks or possibly months. Any organization using Kaseya VSA should treat this as a critical risk to their business and immediately shut down their Kaseya VSA server. They should also follow CISA guidance to ensure that back-ups are up-to-date and air-gapped, manual patching is implemented, multi-factor authentication (MFA) is turned on, and then await additional instructions from Kaseya for next steps.

With supply chain attacks able to cascade across thousands of organizations within a matter of hours, those looking to protect themselves against future incidents must deploy world-class security operations with 24×7 monitoring capable of detecting, managing, and mitigating any threat. Often, users are seen as the weakest link, and adversaries will continue to exploit the human element to reach their objectives, which means establishing a stronger security posture is the first and best approach organization can take in avoiding future supply chain compromises.

We will continue to update notices and guidance as the situation evolves.

Want to know more? The Arctic Wolf Information Security Policy on our website provides additional detail on the steps we take to ensure the integrity of our systems.

Matt Kozloski’s Key Takeaways:

1. It is NO coincidence this happened over a holiday weekend when American’s “left the shop” to celebrate. There were plenty of sysadmins “out of pocket” this weekend. What a great time to slam a zero-day in. Answer: People NEED a 24×7 eyes-on-glass SOC-as-a-Service type offering. We crossed the point of “nice to have” a while ago.
2. These are zero-day attacks. A zero-day attack is a vulnerability that can be / is being exploited “in the wild” with no patch from a vendor. “Zero-day” is a reference to the vendor’s developers having had “zero days” to develop a patch or fix. Zero-days are particularly dangerous.
3. Regarding the Kaseya attack – these attacks are fairly complex and very coordinated. Unlike the Solar Winds developer supply chain attack, this targets MSPs. Leveraging the MSP “supply chain” (via Kaseya) to, encrypt/ransomware MSP’s customer systems. (Regarding the Kaseya incident – WTG’s current managed service offerings do not make use of an RMM, by design, for this very reason.)
4. This is ultimately targeted at the little guys. It is highly probably that organizations who rely on MSPs to manage their environment should ALSO rely on MSSPs/SOC-as-a-Service providers (such as Arctic Wolf, Secureworks, Crowdstrike, etc.) to help manage their cybersecurity posture and risk. Fortune 100 and Fortune 500 companies aren’t generally using “mom n pop” MSPs to support their environments.
5. Organizations like Arctic Wolf and Secureworks (and others) are able to write code to use their endpoint agents to detect this activity and report (hopefully interrupt) while vendors are writing patches.
6. Kaseya’s VSA patches are imminent.
7. Newsworthy Links:
   1. Kaseya:
      1. News Link 1
      2. News Link 2
      3. News Link 3
   2. PrintNightmare

– Matt