Martin Riley, Director of Managed Security Services
In late January 2021 at the SANS Institute Threat Intelligence Summit, senior researchers, and analysts at Crowdstrike were sharing information and trends on a relatively ‘under the radar’ ransomware, Sprite Spider.
The number of successful attacks of Sprite Spider has been on the rise since July 2020 when the ransomware started targeting ESXi hosts and encrypting all the VMs running on the host.
This is worrying given the size of the VMWare global footprint and that organisations of all sizes depend on it. Many of the worlds managed services companies still heavily rely on VMWare for the private and multi-tenant deployments. In fact, over 70% of the worlds virtualised workloads still sit on VMWare, including the ability to run VMWare in the public cloud.
The attack uses code, inserted into common tools such as Notepad++ – a tool used by many an engineer – to deploy malware and progress to more sophisticated attacks before harvesting credentials that are used to access vCentres Web Interface.
From here, SSH is enabled, root credentials changed, and payloads deployed to the TMP directory.
Consequently, you have minutes to detect and possible an hour to respond and remediate before a catastrophic ransomware attacks every virtual machine and ESXi host connected to the environment.
So, what can be done?
There are three primary weapons that help prevent the ransomware from being successful and these are regularly patching which is always a staple recommendation and using next-gen security technology that learns behaviour so that it does not need to recognise the code in order to detect. Lastly, it is the importance of being able to provide rapid, 247 detection and response.
Obviously, if the breach is successful, you need backups and time to first rebuild your entire ESXi cluster from the ground up, then restore your possible thousands of VMs before service is restored.
Can you or your service provider confidently say that you have the mechanisms and protections in place to protect against this?
Having worked in the service provider environment for many years, with a wide network throughout the UK industry, and driven a number of security transformations to be in a position to be prepared for such events, I can comprehend the magnitude of this problem.
ISO27001 is not enough on its own.
The level of cyber security in many managed service providers (MSP) management environments do not offer this level of protection and frameworks like ISO27001 don’t require a maturity such as this to pass. Recommendations made to the Network and Information Systems Directive (NIS) also highlighted the role and importance of MSP’s and managed security service providers (MSSP) in having effective cyber security maturity, to minimise the risks into critical national infrastructure.
So, if the service providers who are getting economies of scale are not all where they need to be, can you confidently say that you’re in a comfortable position either internally or by proxy through your service provider.
Now, being on the security provider side of the fence, it is clear to see that the biggest movements in cyber security and the services provision is the ability to detect and respond. If something such as this were to occur, having an SLA on time to triage and time to resolve that you can trust and rely on is critical to reducing the impact of such malicious threats.
So, what can you do? Well, you are an organisation working with a service provider you more than likely have the right to audit. If you want peace of mind, execute the clause. Bring in a partner that can help assess the maturity of your provider and ask the right questions – not just assess against ISO27001 – as you can be sure your providers have that.
If you want to assess your own maturity and look to implement something such as managed detection and response, I suggest seeking out a security partner that can offer the consultancy to perform a maturity assessment as well as the ability to help you transform your security where needed and offer managed services where complementary.
As an MSP, I would be pro-active. Bring in that same type of provider to complete an assessment and conduct necessary tests. If there are any gaps, close them and be transparent with your customers once they are addressed. This transparency and honesty lands well with customers and demonstrates a pro-active and mature organisation.
Finally, as an MSP, a breach such as this would cripple you in the cost of restoration, SLA breach and massive churn. Can you really risk it?
Bridewell’s MDR is a fully managed Threat Detection and Response Service that can keep your business safe 24×7/365. We have a deeply experienced cyber security team of experts that harnesses the power of Microsoft’s industry-leading solutions. We focus on aligning to organisations outcomes and strategy to rapidly reduce their cyber risk, and the dwell time of breaches, whilst driving up the ROI of Security Operations. If you would like to discuss your requirements or receive further information on our MDR services please get in touch with one of our experts today.
You can reach us on 03303 110 940 or via firstname.lastname@example.org