Could the Kaseya VSA supply chain ransomware attack have been prevented?

By Andreas Fuchs on Jul 12, 2021 2:20:18 PM

The background story is that, despite the Kaseya vulnerability, a decent endpoint security solution could have produced a better outcome. In the worst case the malware might still have been installed, but the security solution would have prevented its execution, and thus also the encryption of the endpoints.

The media recently reported that a hacker attack via IT service provider Kaseya affects thousands of companies.

zdnet.com reported: “attackers managed to compromise the vendor's software to push a malicious update to thousands of customers. (…) an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest "thousands of small businesses" may have been impacted. (…) The cyberattack has been attributed to the REvil/Sodinokibi ransomware group who have ties to Russia, which has claimed responsibility on its Dark Web leak site, "Happy Blog."”

This shows that the attack hit companies of all sizes across multiple verticals. So, irrespective of budget or vertical, everyone is vulnerable.

At the time of a zero-day attack, i.e. the targeted exploitation of a vulnerability in a piece of software, whether or not that vulnerability is already known, we know nothing about the attacker's tactics or attack vectors. But we do know that we have to protect ourselves against the unknown. Therefore, I am not so much concerned with the vulnerability in the Kaseya infrastructure per se, but rather with how we can successfully prevent the exploitation of all vulnerabilities and thus allow companies to be secure.

With a simplified summary of this rather complex process, I would like to show where DriveLock solutions could have helped to avert the attack.
The following sections draw on the Sophos News website.

REvil was able to deploy its dropper through the Kaseya agent to all customers’ endpoints and run it locally, without the payload being checked. Certain directories on the endpoint are deliberately ignored by the Kaseya agent through configured exclusions. This opened the way for the malicious payload, a file named agent.crt, to be written to the VSA agent's working directory for updates. After the payload was deployed, the Kaseya agent executed the following Windows shell commands, concatenated into a single string:

Are you Essential 8 Compliant yet?

By Eric Zheng on Jul 1, 2021 9:32:26 AM

“There are only two types of companies: those that have been hacked, and those that will be.”

Former FBI Director Robert Mueller

No one can escape the threat of a cyber attack. A single vulnerability is all an attacker needs to gain access to your organisation’s confidential files and information. Not only is your company’s data at risk, but also your clients’. It is therefore of paramount importance that your organisation strengthens its cyber security software and practices. But how confident are you in your company’s ability to counter cyber attacks?

Textbook cyberattack on US pipeline operator

By Udo Riedel on May 25, 2021 1:10:44 PM

Stay on the "bright side of life".

Recently, the attack by the "DarkSide" hacker group on the pipeline operator Colonial in the USA has once again brought IT security into the spotlight. The attack was covered in mainstream news and caused panic buying and petrol shortages on the East Coast of the U.S., and even led to a state of emergency being declared in some U.S. states. This shows that attacks, specifically those targeting companies in the critical infrastructure sector, can have enormous impacts on society.

2021.1 DriveLock release offers many improvements and enhancements

By DriveLock on May 4, 2021 2:46:24 PM

Our first release in 2021 introduces many new features and gives our customers and interested parties an outlook on where we are heading with DriveLock. Providing the best possible protection for your computers and devices is our top priority, especially in the high-risk situation we currently face during the pandemic, marked by working from home, rapidly expanding IT estates with partly inadequate IT security precautions, and increased cyber activity.

DriveLock received Common Criteria EAL 3+ certification

By DriveLock on Apr 22, 2021 12:38:01 PM

Munich 07/04/2021 - DriveLock's Device Control and Application Control solutions received Common Criteria certification from the independent Swedish CSEC authority.

This EAL 3+ certification attests to the high trustworthiness of DriveLock Agent 2019.2. The Evaluation Assurance Level 3+, which is based on a specified set of configurations, not only confirms the product's quality (the DriveLock product was methodically tested and verified during the two-year certification process) but also certifies the quality of DriveLock's software development processes.

Microsoft Exchange hack - when the patch came, it was already too late

By Udo Riedel on Mar 24, 2021 3:25:02 PM

In a high-profile wave of cyberattacks in March 2021, tens of thousands of email servers worldwide fell victim to vulnerabilities in Microsoft Exchange Server. The vulnerabilities were exploited as zero-days by a previously unknown Chinese espionage group dubbed "Hafnium". Microsoft released patches to fix the vulnerabilities shortly afterwards, and national authorities warned thousands of companies to quickly close the gap in their own Exchange servers.

In this article, we reconstruct the timeline: What happened? Could the attacks have been prevented?

Australian Businesses Under Attack - How To Protect Yourself

By Alma Pranoto on Jun 22, 2020 8:48:26 AM

On June 19, Australian Prime Minister Scott Morrison reported that businesses were being targeted by a sophisticated, state-based cyber actor. In recent months there has been a marked increase in attacks targeting all levels of government, political organisations, the private sector, essential services, education, and medical research and development. Other countries are detecting a similar pattern.

EDR - the Sherlock Holmes of cyber security

By Andreas Fuchs on Jun 2, 2020 11:00:00 AM

On the trail towards EDR

In our last blog post, "Silent hacker attacks and the need for detection mechanisms", we talked about covert cyber attacks and the need for detection tools. Now we would like to present a typical Endpoint Detection and Response (EDR) solution and its building blocks.

Silent hacker attacks and the need for detection mechanisms

By Andreas Fuchs on May 26, 2020 2:00:00 AM

Again and again, we read about hacking incidents in which attackers spy on a company, a public authority or a ministry and remain unnoticed for months without visibly affecting the systems.

4 Essential Strategies for IT Security

By Alma Pranoto on May 19, 2020 1:00:00 AM

The Base Formula for Preventing Cyber Security Incidents
