Making Sense Out Of Technology

The Kaseya Incident Shows Why Network Monitoring Is Essential

IT network monitoring has always been an important part of the frontline defenses of organizations against hackers, but the changing nature of malicious attacks is increasingly making monitoring tools the sole means of detecting problems. An incident involving Kaseya, a provider of software used by a wide range of managed services firms, puts the importance of watching a network closely in stark relief. The hackers didn't come to steal credit cards, personal information, database entries or anything else that we think of as traditional targets. If not for IT network monitoring services technologies, there's a good chance the hack would've simply gone unnoticed.

What Happened

The goal of the attack was to use a Virtual System Administrator tool to gain access to computers that offered SaaS solutions to customers. These were Windows-based servers that operated in managed environments, and that made them a juicy target for a group of hackers who wanted to harvest their processor cycles to perform cryptocurrency mining operations. In other words, it was entirely to the hackers' benefit to see that their activities went unnoticed for as long as possible.

Spotting the Attack

An IT network monitoring system first noted suspicious traffic in January of 2018. PowerShell activity was monitored and logged over the course of 5 days, and the traffic indicated that systems were contacting a Dropbox account to acquire XML and PS1 files. Components were being installed, and scheduled tasks were set to launch at random future dates.

The PS1 scripts were encoded pieces of a binary called Xmrid.exe, a commonly used system for Monero cryptocurrency mining on Windows computers. Monero is not itself an inherently malicious system, rather it's just one of many competing cryptocurrencies being mined in the wake of the BitCoin craze. The hackers appear to have been using around two-thirds of the resources on the systems that were compromised, leaving enough overhead to not disrupt all but the most active users.

Conclusion

Kayesa was notified by the IT network monitoring services firm of the unwanted activity, and patches were rushed out to end users. The attack, however, highlights the shifting nature of security challenges. In the Kaseya attack, there were never going to be any users reporting misuse of their identities or their credit card numbers. The only way to stop the attackers from running operations cost-free on the network was to spot them mid-act with IT network monitoring tools.


Share