The FBI has joined the Cybersecurity and Infrastructure Security Agency (CISA) in responding to the massive Kaseya VSA supply-chain ransomware attack. The attack targeted managed service providers (MSPs), taking advantage of their consolidated access to and control of the servers and data of multiple companies. The two agencies are now strongly urging affected MSPs and their customers to take specific actions to mitigate the effects of the attack and to immediately implement cybersecurity best practices.
How bad is the attack?
The news has only gotten worse for Kaseya and the companies that use its software. While fewer than 60 customers were initially affected, Kaseya's software management practices allowed the attackers to infect the systems of around 1,500 customers. The ransomware group behind the attack, REvil, claims that more than 1 million systems were infected. Adding insult to injury, the pervasive deployment of Kaseya VSA has turned the "ransomware tsunami" itself into effective bait for a phishing campaign targeting Kaseya customers, offering a supposed fix for the security flaw but installing malware instead. Meanwhile, Bloomberg reported over the weekend that Kaseya executives were warned repeatedly about vulnerabilities in its software since at least 2017. Several employees quit over frustration that new features and products were being prioritized over fixing problems, according to the report, and many others were laid off when Kaseya outsourced software development to coders in Belarus—a country closely linked with Russia. The Kaseya attacks have quickly risen to the highest level of global politics, with U.S. President Joe Biden making it "a big focus" of a high-stakes phone call with Russian President Vladimir Putin.
What are the recommendations?
The CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack provides two sets of recommendations: the first for Kaseya customers who were impacted by the attack, and the second for all MSP customers. If there's a chance your systems were infected by REvil's ransomware, the agencies recommend that you:
- Download the Kaseya VSA Detection Tool, which detects indicators of compromise on both servers and endpoints
- Enable and enforce multi-factor authentication (MFA) on every single account in your organization, as well as on customer-facing services if possible
- Implement IP address allowlisting on remote monitoring and management (RMM) systems, or move RMM systems
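One way to verify that the RMM allowlisting recommendation above is actually holding is to audit the RMM web front end's access log for management requests arriving from outside the approved administrative networks. The following Python check is an added example written for this article, not part of the CISA-FBI guidance or of any Kaseya tooling; the allowlisted networks, the management paths and the log lines are constructed placeholders.

```python
import ipaddress
import re

# Hypothetical allowlist: the only networks from which RMM administrative
# connections are expected (constructed values, not real infrastructure).
RMM_ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("203.0.113.0/28"),
]

# Hypothetical URL prefixes that only administrators should reach on the
# RMM front end; real RMM products use their own paths.
MANAGEMENT_PATHS = ("/admin", "/api/agent-deploy", "/api/script-run")

# Common Log Format: client IP, ident, user, [timestamp], "METHOD PATH ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')


def is_allowlisted(ip: str) -> bool:
    """True only if the source address parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source is treated as not allowlisted
    return any(addr in net for net in RMM_ADMIN_ALLOWLIST)


def find_unexpected_admin_access(log_lines):
    """Return (ip, path) pairs for management requests from outside the allowlist."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = m.group("path")
        if not path.startswith(MANAGEMENT_PATHS):
            continue  # ordinary portal traffic is out of scope for this check
        if not is_allowlisted(m.group("ip")):
            hits.append((m.group("ip"), path))
    return hits


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    '10.20.0.15 - - [06/Jul/2021:14:02:11 +0000] "GET /admin HTTP/1.1" 200 512',
    '198.51.100.77 - - [06/Jul/2021:14:03:40 +0000] "POST /api/script-run HTTP/1.1" 200 88',
    '203.0.113.5 - - [06/Jul/2021:14:04:02 +0000] "GET /api/agent-deploy HTTP/1.1" 200 2048',
    '198.51.100.77 - - [06/Jul/2021:14:05:19 +0000] "GET /portal/login HTTP/1.1" 200 1024',
    'not a log line',
]

if __name__ == "__main__":
    for ip, path in find_unexpected_admin_access(SAMPLE_LOG):
        print(f"management request from non-allowlisted source {ip}: {path}")
```

Any hit means either the allowlist is not being enforced at the network edge or an administrator is connecting from an unapproved location; both are worth investigating before the RMM system is brought back online.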
CISA and FBI meanwhile recommend that all MSP customers implement cybersecurity best practices, especially if their RMM systems are currently offline due to the Kaseya attack. These include:
- Ensuring backups are up to date and stored air-gapped from the organizational network
- Reverting to a manual patch management process, but still following vendor guidance and installing patches promptly
- Implementing MFA
- Ensuring that key network resource administrative accounts are provisioned with the most restrictive privileges possible
Where else can I find help?
Kaseya is continuing to update its VSA attack information page, including a video update from Kaseya Executive Vice President Mike Sanders posted on July 11. CISA has also shared Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack, published by cybersecurity firm Cado. CISA is directing people to revisit an earlier alert as well, Technical Approaches to Uncovering and Remediating Malicious Activity. Gavin Stone, Managing Partner of MSPGeek, has posted an article: How secure is your RMM and what can you do to better secure it?
How can Paubox help?
If you're familiar with malware and ransomware, you know that ongoing cybersecurity training for employees is important, but cybersecurity training is not enough. As long as humans are involved in the process, human error is inevitable. So Paubox reduces the opportunity for hackers to reach them. Paubox Email Suite Premium integrates with the most popular email providers out there—Google Workspace, Microsoft Exchange, and Microsoft 365—to send HIPAA compliant email by default. It comes with inbound email security features like ExecProtect, which prevents display name spoofing attacks. And it comes with outbound data loss prevention (DLP) and email archiving. Paubox Email Suite Premium is also a Zero Trust Email platform, which means it requires an additional proof of authenticity before delivering any email. Read more about what Zero Trust means.