Public reporting indicates yet another software supply chain attack aimed at a widely used third-party service. In this case, REvil ransomware actors are alleged to have exploited a vulnerability in Kaseya's VSA remote monitoring and management (RMM) product. VSA is popular among Managed Service Providers (MSPs) because it permits centralized orchestration of systems across customer environments, which is precisely what makes it an attractive vector: a compromise of the MSP's VSA server can be used to push malicious payloads to every endpoint that server manages. Kaseya reported, as of July 3, that it believed the threat was isolated to customers running the company's VSA servers on-premises. The company was contacting affected parties and asking anyone who believed they had been impacted to reach it at the address it designated for that purpose. Nonetheless, companies should not wait to hear from Kaseya. They should evaluate their potential exposure by reviewing their own portfolio for Kaseya products and by asking the MSPs they use whether those MSPs run Kaseya VSA to manage the company's systems, bearing in mind that an organization can be exposed through its MSP without having licensed any Kaseya product itself. Where any indication of exposure exists, they should initiate their breach response protocol.
This software supply chain attack is the latest in a growing series of incidents in which malicious actors use widely deployed third-party services to gain access to many organizations at once. Thinking beyond the immediate response, the event serves as a reminder of how critical thorough vendor and product integration management has become. While the attack has potentially affected a broad number of entities and would not necessarily have been easy to detect through such a program, the litigation climate is growing increasingly unforgiving of the genuine difficulty companies face in managing third-party exposure, and companies should document their reasonable efforts to identify and respond to these risks. Moreover, the SEC is apparently conducting a broadening inquiry into corporations' exposure to the SolarWinds compromise disclosed in late 2020. Corporations caught in the web of third-party risk can expect similar regulatory scrutiny in the future. The same trend is visible in the UK, where a few weeks ago the British government launched a consultation on measures to enhance the security of digital supply chains and third-party IT services, particularly those relating to data processing and infrastructure management.
More generally, while an active breach response is no time to debate broader policy, any company exposed to the Kaseya, Accellion, SolarWinds, or other third-party incidents should review its procedures for evaluating that exposure and preparing for the unexpected. And as the dust settles on the initial response, companies should conduct after-action reviews to assess potential areas for improvement, both in their actual incident response and in the broader policies guiding their risk management and incident procedures.
Finally, the White House has heightened its focus on the threat to the private sector. Using deliberate language of the kind reserved for signaling that retaliatory action taken within another state would be justified, the White House Press Secretary recently noted that, " . . . if the Russian government cannot or will not take action against criminal actors in Russia we will take action or reserve the right." This phrasing invokes the "unwilling or unable" doctrine of international law, which holds that a victim state has the right to engage in extraterritorial self-defense where the host state is unwilling or unable to mitigate or suppress the threat posed by a non-state actor operating from its territory. It remains to be seen how hostile foreign actors will respond to such messages, including by attempting additional indirect attacks against U.S. and Western interests, which would be consistent with precedent.