REvil has struck again. What can we do? Design for explicit access.

At a glance… 

  • Kaseya VSA is used by IT organizations and many Managed Service Providers (MSPs) to track IT assets and to deliver software installations and patches to a network of endpoint nodes.  
  • Over the 4th of July weekend, a ransomware attack perpetrated by the REvil gang and its affiliates was delivered through the Kaseya VSA remote management software.  
  • Each Windows node on the network runs a Kaseya agent, which is responsible for downloading and installing patches and software packages from the VSA server. It is common practice for an MSP to use a single VSA server to manage all of the MSP’s client networks, meaning that one compromised VSA server can create a downstream impact on hundreds of individual businesses. 
  • 1,500 businesses may be affected.

The fascinating anatomy of the hack 

REvil’s successful hack began with an SQL injection attack against the VSA server. The attacked VSA servers were exposed to the Internet, presumably to allow for remote access to the VSA server by an MSP’s employees. An SQL injection attack was crafted by the hackers to (a) bypass authentication, (b) upload a file, and (c) inject a command to distribute a malicious software patch. This software patch was then dutifully downloaded by Kaseya agents installed on Windows endpoints attached to the compromised VSA server. The technical details of how this was accomplished are explained quite clearly in this article by Sophos.

The hack itself is fascinating from a technical perspective in multiple ways. First, an authentication bypass renders an entire stack of security technology (authentication providers and MFA) entirely irrelevant. There is no password guessing or credential stealing involved in this attack. Second, the MSP model where client networks are intermingled in a single VSA instance is inherently dangerous in that a single compromised server (whether it be via a 0-day exploit or a more traditional stolen credential) can spread malicious software across many disparate organizations, geographies, and networks. Third, it is perturbing that a piece of software like the VSA server was directly exposed to the Internet. The lack of any intervening, independent authentication (e.g., a VPN or IIS authentication using certificates or Kerberos) places an inordinate amount of trust in the security architecture of a single piece of software (the VSA server).

In general, the best way to mitigate hacks of all varieties is to apply a few principles: 

  1. Keep independent networks as separate as possible, and always require authentication to move between them.
  2. Authenticate users and devices in layers that rely on disparate software stacks. Software is built by humans, and humans make mistakes that cause security vulnerabilities. Using independent software stacks to layer together multiple forms of authentication ensures that a hacker has to find multiple, independent mistakes that are exploitable in conjunction.
  3. Because there is still no perfect way to prevent endpoint attacks from happening, effective endpoint protection is essential. The Kaseya exploit relied on anti-virus exceptions on the endpoint to allow a malicious file to be downloaded, decoded into an executable, and run via a shell command. This malicious executable then executed a side-loading attack to actually launch the encryption process. Effective anomaly detection could have shut down the encrypting process before it got too far, and an alternative approach to using an anti-virus exception would have stopped the attack when it tried to execute the downloaded executable.

A collective reconsideration of how we protect networks and endpoints is overdue 

This latest attack from REvil confirms the obvious – the business of ransomware is here to stay. Whether it is REvil, a spinoff from REvil, or an entirely new organization that is inspired by REvil’s success, a collective reconsideration of how we protect networks and endpoints is overdue. It has become standard practice to disable security software in order to enable functionality, rather than demanding the opposite – that software declare its intended behaviors in order to enable security software to detect anomalous behavior. 

A system of specific access vs. access to the entire network 

Our LINK system is architected with this last principle in mind. Rather than assume that all mobile devices need access to the company network (e.g., via VPN), LINK assumes that only a small number of applications and data repositories should be mobilized. To configure LINK, IT specifies exactly what intranet applications, email servers, and file repositories (Document Management Systems, OneDrive, SMB shares, etc.) should be accessible from a mobile device, and this specification is role-based so that IT can take a pessimistic approach to mobile access (i.e., you can’t access anything unless permission is explicitly granted to you). LINK also uses multiple, independent layers of authentication – SSL certificates to authenticate the device, then traditional password-based authentication if the SSL authentication succeeds. Finally, each LINK installation acts as its own certificate authority for the purposes of SSL authentication. Hence, stealing a certificate for one installation does not grant access to any other installations.
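An added sketch of the explicit-access model described above (not LINK's code and not part of the original post): the device credential is checked against the installation's own CA, the password is checked only after that, and a role reaches only resources explicitly granted to it. The `Installation` class, the resource names and the HMAC tag standing in for an SSL client certificate are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Installation:
    def __init__(self):
        # Constructed per-installation CA key; the HMAC tag is a stand-in for
        # the CA's signature on a device certificate, not real X.509.
        self._ca_key = secrets.token_bytes(32)
        self._users = {}   # username -> (salt, password hash, role)
        self._grants = {}  # role -> resources explicitly granted by IT

    def issue_device_cert(self, device_id):
        return hmac.new(self._ca_key, device_id.encode(), hashlib.sha256).digest()

    def add_user(self, username, password, role):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, pw_hash(password, salt), role)

    def grant(self, role, resource):
        self._grants.setdefault(role, set()).add(resource)

    def authorize(self, device_id, cert, username, password, resource):
        # Layer 1: the device credential must verify under THIS installation's CA.
        if not hmac.compare_digest(cert, self.issue_device_cert(device_id)):
            return "deny: device certificate"
        # Layer 2: password check, reached only after layer 1 succeeds.
        salt, stored, role = self._users.get(username, (b"", b"", None))
        if role is None or not hmac.compare_digest(stored, pw_hash(password, salt)):
            return "deny: password"
        # Layer 3: default deny; only resources granted to the role are reachable.
        if resource not in self._grants.get(role, set()):
            return "deny: not granted"
        return "allow"

def demo():
    firm_a, firm_b = Installation(), Installation()
    for firm in (firm_a, firm_b):
        firm.add_user("alice", "correct horse", "attorney")
        firm.grant("attorney", "dms://matters")
    cert_a = firm_a.issue_device_cert("phone-1")  # credential issued by firm A only
    args = ("phone-1", cert_a, "alice")
    return [firm_a.authorize(*args, "correct horse", "dms://matters"),
            firm_a.authorize(*args, "correct horse", "smb://finance"),
            firm_a.authorize(*args, "wrong", "dms://matters"),
            firm_b.authorize(*args, "correct horse", "dms://matters")]
```

`demo()` returns the four outcomes in order: a granted resource, an ungranted resource, a wrong password, and firm A's device credential presented to firm B with otherwise valid credentials.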

As we expand LINK beyond mobile, our goal is to promote a different approach to endpoint computing. This approach starts with the idea that users, applications and data need to be integrated explicitly, rather than implicitly. This creates a work environment that is easily encapsulated, encrypted, and protected with limited entry points and exit points to move data in and out of this environment. While no approach is perfect, the more explicit we are about how users, applications, and data interact, the better chance we have to stop the ransomware business before it expands any further. 

-Seth Hallem, CEO & Co-founder, Mobile Helix

Our CEO in CSO: Ripped from the headlines – are your messages secure in these encrypted apps?

In the investigations of Paul Manafort and Michael Cohen, the FBI has retrieved messages from Signal, Telegram and WhatsApp. While there are weaknesses inherent in all of these apps, the question remains: What does a good data protection scheme look like?

 

A few days ago, the FBI revealed that Michael Cohen’s messages sent with Signal and WhatsApp are now available as evidence in the on-going investigation into his various dealings. While thousands of emails and documents have already been recovered from Cohen’s devices, home, hotel room, and office, the recovery of data from messaging apps that promise end-to-end encryption is surprising. One would presume that end-to-end message encryption should ensure that those messages are unrecoverable without assistance from Mr. Cohen. However, clearly that is not the case.


AI? What about NI? Enhancing Natural Intelligence Makes Better Lawyers

By Mobile Helix CEO & Co-founder, Seth Hallem in Legal IT Professionals

A good lawyer helps you see around the bend. In my experience over the years as a client, I have found that each time my attorney points out something in a contract or business decision that I had not anticipated, I ignore the next bill when it comes in and I pay it gladly. When I feel that my attorney is simply a contract factory, I look at each bill closely and start to wonder if there is a better way.

I recently had this experience with my company’s attorney and, as has become my custom, I did not pay any attention to the forthcoming invoice. I did, however, stop to think about how my company, as a legal technology provider, could facilitate more such interactions for our customers and their clients.


A few months ago, I read an article summarizing a survey conducted by Clio. The headline of this survey is that lawyers bill only 2.3 of every 8 working hours, instead spending the plurality of their day on administrative tasks. This article jogged my memory of another article from the American Psychological Association (APA) that outlined the significant productivity lost due to context switching and distractions. If my attorney is to be a source of insight, he or she cannot be compromised by distractions that lessen her effectiveness.


Hacking is a booming business, and it’s time for a disruption – CSO Online

By Mobile Helix CEO and Co-founder, Seth Hallem

Hackers are siphoning billions from the global economy each year by stealing data for profit. However, in spite of this rising threat, enterprises continue to make the same mistakes over and over again. It is time to change our assumptions and to re-think how we protect sensitive data.

Hacking is a booming business. Business has been good for several years now. Data breaches are at all-time highs. Cyber-attacks are skyrocketing, and ransomware is a growing fad. And the best news of all is that the same old tricks (see XSS, SQL Injection, SPAM ….) are still working just as well as they always have. How is it possible that a business that was estimated to cost the global economy $450 billion is continuing to grow? That is a lot of money diverted to criminals in lieu of legitimate participants in our global economy.


Is Your Data Safe? The Challenge of Client-side Security for Law Firms

Our CEO, Seth Hallem, spoke at the NetDocuments executive summit, ndElevate 2017, on May 23rd.

Seth’s presentation focused on three actionable ways for law firms, and any enterprise, to protect client-side data. We are sharing his slides from ndElevate below. If you have any comments or questions, we’d welcome hearing from you. Please write to contact at mobilehelix.com.

Thank you to NetDocuments for an excellent summit!