I wanted to share what I consider to be one of the biggest moments of my career (so far) as a Network Security Analyst, which is my hands-on experience with a major cyber-attack (ransomware). That, of course, is the Kaseya 0-day.
Late afternoon on Friday, July 2nd, 2021, I was finishing up tasks and putting time in before going offline for the three-day holiday weekend. As I was closing out the day, I received an urgent call from a client stating that their phone subnet was offline. I quickly logged into the client’s SIEM (Security Information and Event Management) environment to see what types of events were occurring within the network. It was apparent that a concerning number of events were being generated by a device named ‘Kaseya’. These events were not classified to trigger any alarms, hence no one in the SOC was notified. Upon further investigation, the client and I deduced that an active attack was occurring on the network, and it seemed Kaseya equipment was the source, but we could not be sure whether an errant process on the server was causing a lot of chatter. The client and I worked together to start isolating subnets while I investigated whether this attack was spreading across subnets on the network.
At this point in time, news had not broken that Kaseya was the source of America’s largest Ransomware Attack.
The client and I could not be certain that this attack’s source was Kaseya; it was only a developing theory at the time. We knew, looking at the patterns in the SIEM, that ‘something’ was off.
After two hours of investigating and protecting the client’s network, I was contacted by a different client claiming to have a server down. I quickly jumped on this event and realized it was another ‘Kaseya’-related server… I was then able to confirm our theory of Kaseya being under an active attack. I got on the phone with this newly infected client and was able to gather information on time estimates for the downtime. I then proceeded to assist this second client by helping them determine immediate risk mitigation and isolation steps, and escalated to our purple team. The steps were as follows: determine the source, contain the source, assess the damage, notify the proper parties, and recover services.
While I was working with both of our MSS clients that were dealing with a cyber-security attack, news broke that Kaseya’s incident response team had detected a potential security incident. With no attack patterns documented by the cyber-security community at this time, I assumed the worst and monitored our two clients throughout the weekend. I continuously monitored logs and events every hour throughout the three-day weekend to ensure Kaseya traffic patterns were not traversing east/west or north/south. During this period, we were able to confirm that the two clients were in the process of being infected, as we found a ransom note on one of the servers. On July 3rd, Kaseya confirmed they were victims of a cyber-attack, which turned out to be the largest ransomware attack in U.S. history.
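The two signals described above, a single management host suddenly generating far more events than usual and that host reaching into many subnets (east/west movement), are the kind of thing a SIEM can alarm on even before any attack pattern is published. The following is an added example, not code from the original post, of a minimal detection pass over SIEM-style event records. The log lines, host names, addresses and the two thresholds are all constructed for illustration; a real deployment would derive thresholds from each host's own baseline.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of SIEM-style event records (not real client data).
# Fields: timestamp, source host name, source IP, destination IP, event type.
SAMPLE_EVENTS = """\
2021-07-02T16:01:10 fileserver01 10.10.1.20 10.10.1.5 smb_session
2021-07-02T16:01:15 kaseya-vsa 10.10.5.10 10.10.1.21 remote_exec
2021-07-02T16:01:16 kaseya-vsa 10.10.5.10 10.10.1.22 remote_exec
2021-07-02T16:01:17 kaseya-vsa 10.10.5.10 10.10.2.30 remote_exec
2021-07-02T16:01:18 workstation07 10.10.2.30 10.10.1.5 dns_query
2021-07-02T16:01:19 kaseya-vsa 10.10.5.10 10.10.2.31 remote_exec
2021-07-02T16:01:20 kaseya-vsa 10.10.5.10 10.10.3.40 remote_exec
2021-07-02T16:01:21 kaseya-vsa 10.10.5.10 10.10.3.41 remote_exec
2021-07-02T16:01:22 voip-pbx 10.10.3.40 10.10.3.41 sip_register
2021-07-02T16:01:25 kaseya-vsa 10.10.5.10 10.10.4.50 remote_exec
"""

# Hypothetical tuning values; in practice these come from a per-host baseline.
RATE_THRESHOLD = 5      # events per host per minute
FANOUT_THRESHOLD = 3    # distinct destination /24s per host per minute


def parse_events(text):
    """Parse whitespace-separated records into dicts; skip malformed lines rather than crash."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, host, src, dst, kind = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "host": host,
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "kind": kind,
            })
        except ValueError:
            continue
    return events


def subnet_of(ip):
    """Collapse an address to its /24 so east/west fan-out is counted per subnet, not per host."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def host_minute_stats(events):
    """Aggregate per (host, minute): event count and the set of destination subnets touched."""
    stats = defaultdict(lambda: {"count": 0, "dst_subnets": set()})
    for ev in events:
        bucket = ev["ts"].replace(second=0, microsecond=0)
        entry = stats[(ev["host"], bucket)]
        entry["count"] += 1
        entry["dst_subnets"].add(subnet_of(ev["dst"]))
    return stats


def flag_hosts(events, rate_threshold=RATE_THRESHOLD, fanout_threshold=FANOUT_THRESHOLD):
    """Return {host: [reasons]} for hosts exceeding the event-rate or subnet fan-out threshold."""
    flagged = defaultdict(list)
    for (host, bucket), entry in host_minute_stats(events).items():
        if entry["count"] >= rate_threshold:
            flagged[host].append(
                f"{entry['count']} events in minute {bucket:%H:%M} (>= {rate_threshold})")
        if len(entry["dst_subnets"]) >= fanout_threshold:
            nets = ", ".join(sorted(str(n) for n in entry["dst_subnets"]))
            flagged[host].append(f"reached {len(entry['dst_subnets'])} subnets: {nets}")
    return dict(flagged)


if __name__ == "__main__":
    for host, reasons in flag_hosts(parse_events(SAMPLE_EVENTS)).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, only `kaseya-vsa` is flagged, on both counts: seven events in one minute and destinations in four different /24s, while every other host stays under both thresholds. The north/south check mentioned above is the same aggregation with a third bucket for destinations outside the internal address range. The point of the per-host keying is that a management server legitimately talks to many machines, so the alarm threshold for it has to be set from its own normal behaviour rather than from a network-wide constant.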
This experience has taught me how crucial tools, communication, process, and relationships with our clients are: using tools to find events in the network, communicating with the right people that need to know what’s going on, having a plan of action (investigate, decide, act), and a strong relationship with our clients. No matter how advanced and tuned your SIEM or network tools are, at the end of the day the human element was the most critical tool for ‘surviving’ a 0-day attack.