Nick Isaacs | July 15th, 2022

For tens of millions of Americans, the recent 4th of July holiday was an opportunity to relax, gather with friends and family, and celebrate the joys of Independence. In the cybersecurity world, the holiday is unfortunately marked by an industry-changing cyberattack that occurred just over one year ago.

While most people were preparing for a long weekend—including numerous security and IT teams—our team of engineers was hard at work in our 24×7 Security Operations Center (SOC) monitoring our partners’ networks and gathering the latest threat intelligence. Doing so allows us to be proactive in our approach to security and remediate any malicious activity before threats actualize in an environment.

Our intelligence indicates threat actors prefer nights, weekends, and holidays to launch nearly 75% of their attacks precisely because defenses are down and security teams are short-staffed, if not entirely off. Small and midsized businesses (SMBs) and contracted MSPs are especially vulnerable due to their size, financial limitations, abundance of tools to manage, and lack of 24×7 cybersecurity.

What Happened Last Year

One of the most popular remote monitoring and management tools used by over 40,000 MSPs is Kaseya’s virtual system administrator (VSA), which allows users to maintain focused insight into client environments. Multiply this by the 122 clients an MSP supports on average and it’s clear that this one tool has tremendous access into thousands of SMB environments. As such, threat actors spent a lot of time performing reconnaissance and customizing an attack plan to locate and exploit a software or security flaw to access business-critical data from thousands of organizations.

The Russia-based REvil ransomware group (aka Sodinokibi)—now defunct following international pressure, intelligence, and investigations—exploited the lapse in focused security operations during last year’s Independence Day weekend and infiltrated Kaseya’s VSA software. Most companies, unfortunately, were unable to respond effectively. As a result, around 1,500 SMBs and more than 50 MSPs were victimized by ransomware and experienced extraordinary downtime.

This most recent Independence Day, again landing over a long weekend, we saw a similar attempt by threat actors to target a global MSP leader, SHI International. Given the proactive work of cybersecurity teams safeguarding the channel and enhanced threat intelligence, a large-scale incident was prevented. These two events serve to remind us just how necessary it is to stay aware of the current threat landscape.

How We Responded

SpearTip was at the forefront, defending businesses from the ransomware attack. As the attack was unfolding, our team actively prevented our partner environments from being affected. Because our engineers operate from our US-based, 24x7x365 SOC, we were immediately alerted to suspicious activity, which was just as quickly isolated before it was able to gain a foothold within their networks.

Our response, however, was not made in the moment; a lot of front-end work went into it. Before any active incidents reached us, our team was pulling threat intelligence and data surrounding known intrusions. We collected payloads, analyzed the actions threat actors were taking across many environments at once, and discovered the same indicators of compromise in each environment. From this we built a response playbook that allowed our incident response team to provide our clients with resources as we reviewed and protected their machines prior to any potential impact.

Once cases of active breaches began coming in, the SpearTip team was able to quickly assess environments, collect forensic images, and provide responses to critical questions, such as “was any data stolen?” Based on the proactive measures taken by our tremendous team of security analysts, cases were quickly resolved and businesses received assurance their environments, including business-critical data, were protected.

Our Continued Response

Reflecting on the aforementioned events, the SpearTip team has re-affirmed our belief in and commitment to providing 24×7 proactive intelligence gathering, active network monitoring, and real-time threat remediation to our partners. Furthermore, we’ve realized the need for enhanced cybersecurity for MSPs and built a platform to serve the channel. Attack surfaces are too great, particularly as threat actors are increasingly targeting the channel to potentially gain access to the data of hundreds, if not thousands, of businesses.

SpearTip’s IR department assists MSP partners continuously by responding to cyber events for their customers, providing pre-breach advisory services, and actively defending their networks. We have proven to our partners that we will go to work for them immediately so they can avoid an attack like last year’s from happening again.