Managed service providers, the vendors companies hire to manage their IT infrastructure, have been having a second banner year in a row. The pandemic-driven switch to remote work has caused a huge spike in outsourcing to MSPs.
The REvil Kaseya ransomware attack, disclosed just as Americans were logging off for the long weekend to celebrate July Fourth, was a wake-up call for an industry that relies so much on outsourcers for support of its most critical operations. By breaching a single software company, Kaseya, whose tools are widely used by MSPs, the gang was able to disrupt up to 1,500 businesses those MSPs support.
“It’s a highly effective, cascading event,” Daniel Clayton, VP of global services at Bitdefender, who in the past worked for intelligence services of both the US and UK governments, said.
MSPs Rake It in, Thanks to the Pandemic
Companies rely on MSPs for a wide range of tasks. The providers might offer help desk support, for example, or manage entire enterprise networks, data centers and cloud infrastructure, including cybersecurity.
Some of the biggest reasons IT shops turn to MSPs are to improve security, become more flexible and scalable, access the best expertise, and reduce costs, according to NTT's 2021 global managed services survey.
Kaseya itself released an annual MSP benchmark survey this spring, which showed that 65 percent of MSPs had increased their revenue from cybersecurity services, even during the global economic recession.
NTT’s survey shows that the number of companies using third parties to manage more than half of their IT needs increased by 50 percent this year: from 25 percent last year to 38 percent in 2021.
As the COVID-19 pandemic took hold, companies sent employees home with limited access to on-premises IT infrastructure. They relied on MSPs to handle the increased need for tech support and the accelerated shift to cloud services. MSPs managed the new network architectures needed to support the remote workforce and new, digital customer experiences. For the most part, managed service providers were already working remotely, so they had it down to a science.
And since they often provide the same type of service to many clients, they can afford to invest in specialist staff, technologies, and infrastructure. They can provide better service than many companies can in-house, with better security, and at a lower cost.
Why the REvil Kaseya Ransomware Attack Stands Out
The REvil ransomware attack targeted Kaseya VSA, a remote monitoring and management tool for networks and endpoints. The product comes in both on-prem and SaaS versions and is used by in-house IT shops as well as by MSPs to manage client infrastructure.
On July 3, Kaseya announced that VSA had been compromised and that its customers had been hit by ransomware attacks. Three days later it released more details: 50 customers had been directly affected, many of them MSPs, and, counting their customers, between 800 and 1,500 businesses had been impacted by the attack in total.
A report by the cybersecurity firm Huntress said that about 30 MSPs fell victim to the REvil Kaseya ransomware attack, resulting in more than 1,000 of their business customers getting hit with ransomware.
What makes this attack different is that it combines two dangerous attack vectors into an exponentially larger threat: the software supply chain and the MSP sector.
Supply chain attacks – like last year’s SolarWinds breach – can potentially affect any company that uses the compromised software.
Attacks against MSPs, aimed at their customers, have happened before. In 2018, for example, the US Justice Department disclosed that Chinese hackers had been attacking MSPs for over a decade to get at their customers. REvil itself used an MSP in 2019 to hit 22 Texas municipalities all at once.
Aiming a supply chain attack at MSPs, however, multiplies the effect.
Kaseya Ransomware Attack Highlights Need for Better MSP Vetting
The REvil Kaseya ransomware attack demonstrates that businesses need to step up the security vetting they do before choosing vendors – including vetting those vendors' vendors.
"Are they practicing what they preach?" Bitdefender’s Clayton said. "Do they have effective security controls like MFA [multi factor authentication] in place? Are they operating to an accepted cybersecurity framework, like NIST or CIS?"
Businesses that use MSPs must realize that their MSPs are an important part of their incident response plans.
"It’s important they understand what specific role they would play in an incident and, of course, that they are capable of playing that role effectively," he told DCK. "Like any partnership, trust but verify."
Next, companies should double-check their cyber insurance policies. Are they covered for ransomware attacks that hit their MSPs? Even if a company has its whole IT operation handled by an MSP, it’s not guaranteed that the MSP will cover any losses that result from data breaches or ransomware attacks.
"Although most MSPs are insured, the extent of the coverage doesn’t always support the clients," said Danielle Parks, global cybersecurity research analyst at Nucleus Research.
Businesses need to buy their own cybersecurity insurance, she told DCK. "If a customer believes the attack is the MSP’s fault, then it will have to write a letter claiming damages or file a lawsuit. Once the claims process begins, then there can be forensic experts who work to investigate who is at fault."
If businesses are still willing to trust Kaseya, the software company has a product that can help, Parks pointed out. Last year it partnered with Cysurance, a cybersecurity insurance agency, to create a compliance process automation platform.
The platform helps MSPs provide their customers with the tools needed to satisfy cybersecurity insurance policy conditions and help with the recovery process after a cyberattack. That increases the likelihood of a claim payment, she said.
Kaseya released a patch on July 11. Anyone using its software – or using an MSP that uses that software – should make sure that all systems are updated before they're brought back online and follow other recommended remediation best practices, including scanning potentially affected systems for indicators of compromise.