CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack that exploited a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI urge affected MSPs and their customers to follow the guidance below.
CISA and FBI recommend affected MSPs:
- Download the Kaseya VSA Detection Tool. This tool analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IoC) are present.
- Enable and enforce Multi-Factor Authentication (MFA) for every single account under the control of the company, and enable and enforce MFA as much as possible for customer-facing services.
- Implement allow lists to limit communication with remote monitoring and management (RMM) functions to known IP address pairs; and/or
- Place the RMM management interfaces behind a virtual private network (VPN) or firewall on a dedicated management network.
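One way to verify the allow-list recommendation above against network flow records, as an added example that is not part of the CISA and FBI guidance. The addresses, the port, the `src dst dport` record format and all function names are constructed assumptions.

```python
import ipaddress

# Constructed values (documentation and private address ranges), not from the advisory.
ALLOWED_PAIRS = [
    ("198.51.100.10/32", "10.20.0.5"),  # admin jump host -> RMM server
    ("203.0.113.0/28", "10.20.0.5"),    # customer site agents -> RMM server
]
RMM_SERVERS = {ipaddress.ip_address("10.20.0.5")}  # hypothetical RMM interface
RMM_PORTS = {443}                                  # assumed management port

def parse_flow(line):
    """Parse 'src dst dport'; return None when the record is malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return (ipaddress.ip_address(parts[0]),
                ipaddress.ip_address(parts[1]), int(parts[2]))
    except ValueError:
        return None

def audit(lines, pairs=ALLOWED_PAIRS):
    """Return (violations, malformed); malformed records are reported, never passed."""
    allowed = [(ipaddress.ip_network(s), ipaddress.ip_address(d)) for s, d in pairs]
    violations, malformed = [], []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            malformed.append(line)
            continue
        src, dst, dport = flow
        if dst not in RMM_SERVERS or dport not in RMM_PORTS:
            continue  # not traffic to the RMM management interface
        if not any(src in net and dst == peer for net, peer in allowed):
            violations.append(flow)
    return violations, malformed

# Constructed flow records: "source destination destination-port".
SAMPLE_FLOWS = [
    "198.51.100.10 10.20.0.5 443",  # allowed pair
    "203.0.113.7 10.20.0.5 443",    # allowed: inside 203.0.113.0/28
    "203.0.113.77 10.20.0.5 443",   # outside the /28
    "192.0.2.200 10.20.0.5 443",    # unknown source
    "192.0.2.200 10.20.0.9 443",    # not an RMM server, ignored
    "garbage line",                 # malformed
]

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```

Any flow returned as a violation reached the RMM interface from a source outside the known pairs, which means the enforcing firewall or VPN rule is missing or too broad.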
CISA and FBI recommend that MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: These actions are especially important for MSP customers whose RMM service is currently down due to the Kaseya attack.
CISA and FBI recommend affected MSP customers:
- Make sure backups are up to date and stored in an easily accessible location away from the corporate network;
- Return to a manual patch management process that follows the vendor’s guidance, including installing new patches as they become available;
- Implement:
  - Multi-factor authentication; and
  - The principle of least privilege for administrator accounts on the most important network resources.
CISA and FBI are making these resources available for reader awareness. CISA and FBI do not endorse or guarantee the accuracy of the linked resources.
- For the latest instructions from Kaseya, see Kaseya's Important Notice July 3, 2021.
- For indicators of compromise, see Peter Lowe's GitHub page, REvil Kaseya CnC Domains. Note: Due to the urgency to share this information, CISA and FBI have not yet validated this content.
- Information on this incident from the cybersecurity community can be found on the Cado Security GitHub page, Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack. Note: Due to the urgency to share this information, CISA and FBI have not yet validated this content.
- For advice from the cybersecurity community on how to protect yourself from MSP ransomware attacks, see Gavin Stone's article, How secure is your RMM and what can you do to make it more secure?
- For general guidance on responding to incidents, CISA encourages users and administrators to see Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.