In the wake of the Kaseya ransomware attack, one of the most massive cyberattacks we’ve seen lately, the CISA and the Federal Bureau of Investigation (FBI) are sharing guidance for the managed service providers (MSPs) and their customers impacted by the REvil supply-chain ransomware attack that hit the systems of Kaseya’s cloud-based MSP platform.
The federal agencies are advising the affected MSPs to make sure to further check their systems for signs of compromise by making use of a detection tool provided by Kaseya over the weekend and also to enable multi-factor authentication (MFA) on as many accounts as possible.
If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately and report your compromise to the FBI at ic3.gov. Please include as much information as possible to assist the FBI and CISA in determining prioritization for victim outreach. Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.
Another action that MSPs could take in order to be better protected is to also implement allowlists in order to limit the access to their internal assets and protect any remote monitoring tools’ admin interface using firewalls or VPNs.
What Are the Recommendations Made by the Federal Agencies?
The news publication BleepingComputer has published the list of recommendations shared by CISA and the FBI:
- Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
- Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
- Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
- Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
MSP customers affected by the attack are advised to use and enforce MFA wherever possible and protect their backups by placing them on air-gapped systems.
Since Friday, the federal government has been working to assess the Kaseya ransomware incident and assist in the response. We urge anyone who believes their systems have been compromised to immediately report to the Internet Crime Complaint Center at https://t.co/sVIbk4ldBZ
— National Security Council (@WHNSC) July 4, 2021
CISA and the FBI are advising the affected MSP customers to:
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
- Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
- Implement MFA and principle of least privilege on key network resources admin accounts.
The federal agencies involved in the worldwide incident-handling process for impacted Kaseya customers are urging all the affected MSPs and their customers to follow the guidance shared.
Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat.
Victims were advised to follow the guidance issued by Kaseya and shut down their VSA servers, and implement the CISA’s and FBI’s mitigation techniques.