Cyber & Industrial Security
Holistic approach required
In recent months, ransomware attacks have repeatedly made the headlines. They show that attacks on corporate IT can also cause problems in the OT environment.
With an attack on a single company on July 2, 2021, hackers managed to damage hundreds of companies. We are talking about the attack on Kaseya, a provider of IT management solutions for managed service providers (MSPs). With its Virtual System Administrator (VSA) software, the IT specialist offers a remote monitoring and management (RMM) solution that enables IT system houses to perform services such as remote maintenance, monitoring, backups and patch management on customer systems.
Through a zero-day vulnerability, the cyber criminals were able to use a manipulated update for Kaseya VSA on-prem servers to attack not only Kaseya customers, i.e. the system houses, but also their customers with ransomware. Experts refer to this pattern as a supply chain attack. After the attack was discovered, Kaseya stopped its cloud service and warned its customers to immediately switch off any locally running VSA systems. After a few days, the services were available again thanks to security updates.
The damage caused by the attack is nevertheless enormous: not only Kaseya as the main target of the attack had to check its systems for anomalies, but also affected system houses and their customers. The analyses are time-consuming and can impair the business operations of companies. One example: the checkout system of the Swedish supermarket chain Coop was also affected by the Kaseya attack. As a result, some stores were unable to open.
Business-critical threat situation
The attackers in this example gained access to companies via the IT infrastructure. Due to the increasing networking resulting from the Internet of Things and the ongoing convergence of OT and IT, such attacks can also affect critical infrastructure such as production, as well as sensitive areas such as research and development. In industry itself, there are already examples of companies whose operations were restricted for weeks or months by ransomware, and in some cases paralyzed entirely.
Experts therefore repeatedly warn that it is not a question of if, but when a company will become the target or victim of an attack. And they call for a holistic approach to security that encompasses all areas of the company.
Attack figures on the rise
According to IT security provider Link11, the number of DDoS attacks reached a new high in the first half of 2021. Compared to the same period of the previous year, which itself saw a DDoS boom with a doubling of attacks, the number rose by a further 33%. This is according to the new network statistics from the Link11 Security Operations Center (LSOC).
According to the statistics, the number and severity of DDoS attacks have once again skyrocketed since the beginning of the year: in Q2 2021, the LSOC recorded 19% more attacks than in the previous quarter. According to the network analysis, high-volume attacks of several hundred Gbps are also becoming increasingly commonplace.
According to Link11, the threat situation in the first three months of 2021 was characterized by DDoS attacks on web services that kept daily life, learning and work running under pandemic conditions. These included vaccination platforms, learning portals and IT infrastructures for mobile working from home. In many cases, hosting providers and ISPs, which made the rapid digitalization of the economy and society possible in the first place, came under fire.
Since the beginning of 2021, repeated and ever-increasing waves of DDoS extortion have also created a tense threat situation. Extortion emails sent under changing names such as Fancy Bear, Lazarus Group or Fancy Lazarus have targeted companies with increasing frequency. Instead of proceeding indiscriminately, the ransom demands now vary depending on the size of the company and the sector of the victim, according to the company. In fact, companies from a wide range of sectors are currently affected, including finance, e-commerce, media, industry and logistics.
Industrial Control System vulnerability
Claroty examines the situation in industrial cybersecurity every six months. The latest ICS Risk & Vulnerability Report for the first half of 2021 shows that the disclosure of vulnerabilities in industrial control systems (ICS) is increasing significantly. According to the report, 41% more ICS vulnerabilities were reported in the first six months compared to the previous period. This is all the more remarkable given that they increased by 25% in 2020 as a whole compared to 2019 and by 33% compared to 2018, according to the experts.
The report analyzes the ICS vulnerabilities published in the first half of 2021, including those uncovered by Claroty's research team Team82 as well as those from trusted open sources. These include the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE and the industrial automation providers Schneider Electric and Siemens.
One potential threat lies in the modernization of industrial processes, in which they are connected to the cloud. According to the experts, this offers attackers more opportunities to compromise industrial processes through ransomware and extortion attacks. The recent cyberattacks on Colonial Pipeline, JBS Foods and the water treatment plant in Oldsmar, Florida, have not only shown how vulnerable internet-connected critical infrastructure and production environments are, but have also prompted more security researchers to focus their efforts specifically on ICS.
Vulnerability in OT security
Claroty is no exception. According to the ICS Risk & Vulnerability Report, 637 ICS vulnerabilities were reported in the first half of 2021, an increase of 41% compared to the 449 vulnerabilities reported in the second half of 2020. 81% of these vulnerabilities were discovered by external specialists, including third-party companies, independent researchers, academics and other research groups.
71% of vulnerabilities are classified as high or critical. 90% have low attack complexity, meaning they require no special conditions and an attacker can expect repeatable success every time.
74% require no permissions, meaning the attacker is not authorized and does not need access to settings or files. 66% require no user interaction such as opening an email, clicking on links or attachments, or sharing sensitive personal or financial information. 65% can lead to total operational failure, denying access to resources. 26% have either no or only partial remediation measures in place. According to Claroty, this highlights one of the biggest challenges in securing OT environments compared to IT environments.
61% of reported vulnerabilities are remotely exploitable. According to the report, this shows that securing remote connections and Internet of Things (IoT) and Industrial IoT (IIoT) devices is of paramount importance.
Key remediation measures cited in ICS-CERT alerts and vendor recommendations include network segmentation (affecting 59% of vulnerabilities), secure remote access (53%) and protection against ransomware, phishing and spam (33%).