Kaseya ransomware attack fallout: federal agencies put MSPs on notice


The FBI has joined the Cybersecurity and Infrastructure Security Agency (CISA) in responding to the massive Kaseya VSA supply-chain ransomware attack.

The attack targeted managed service providers (MSPs), taking advantage of their consolidated access to and control of the servers and data of multiple companies. The two agencies are now strongly urging affected MSPs and their customers to take specific actions to mitigate the effects of the attack and to immediately implement cybersecurity best practices.

How bad is the attack?

The news has only gotten worse for Kaseya and the companies that use its software.

While fewer than 60 Kaseya customers, mostly MSPs running on-premises VSA servers, were directly compromised, the attackers used VSA's own software deployment capability to push ransomware down to the endpoints those MSPs manage, infecting the systems of around 1,500 downstream businesses. The ransomware group behind the attack, REvil, claims that more than 1 million systems were infected.

Adding insult to injury, the pervasive deployment of Kaseya VSA has turned the “ransomware tsunami” itself into effective bait for a phishing campaign targeting Kaseya customers, offering a supposed fix for the security flaw but installing malware instead.

Meanwhile, Bloomberg reported over the weekend that Kaseya executives were warned repeatedly about vulnerabilities in its software since at least 2017. Several employees quit over frustration that new features and products were being prioritized over fixing problems, according to the report, and many others were laid off when Kaseya outsourced software development to coders in Belarus—a country closely linked with Russia.

The Kaseya attacks have quickly risen to the highest level of global politics, with U.S. President Joe Biden making it “a big focus” of a high-stakes phone call with Russian President Vladimir Putin.

What are the recommendations?

The CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack provides two sets of recommendations: the first for Kaseya customers who were impacted by the attack, and the second for all MSP customers. If there’s a chance your systems were infected by REvil’s ransomware, the agencies recommend that you:

  • Download the Kaseya VSA Detection Tool, which checks both VSA servers and managed endpoints for indicators of compromise
  • Enable and enforce multi-factor authentication (MFA) on every single account under the organization’s control, including service accounts, and, to the maximum extent possible, on customer-facing services
  • Implement allowlisting that limits communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place the administrative interfaces of RMM systems behind a VPN or a firewall on a dedicated administrative network
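The first two recommendations are only useful if you can check them. The following added Python example (not Kaseya's or CISA's code) audits a constructed RMM access log for the two violations they describe: an administrative interface reached from outside an IP allowlist, and an administrative request accepted without MFA. The log format, field names, admin path prefixes and allowlist ranges are assumptions made for illustration; adapt the parser to your RMM's real logs.

```python
"""Audit an RMM server access log against the post-Kaseya CISA/FBI guidance.

Added example, not Kaseya's or CISA's code. The log line format, the admin
path prefixes and the allowlist below are ASSUMPTIONS constructed for this
illustration. Sample addresses use the RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumed allowlist: the MSP's office egress range and its VPN concentrator.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]

# Assumed: URL prefixes that expose the RMM administrative interface.
# Agent check-in paths are deliberately NOT listed; agents live on customer networks.
ADMIN_PATH_PREFIXES = ("/vsa/admin", "/api/v1.0/auth", "/remote-control")

# Constructed sample log, not real traffic. mfa=n/a marks non-interactive agent traffic.
SAMPLE_LOG = """\
2021-07-02T14:03:11Z src=203.0.113.17 user=j.smith path=/vsa/admin/login status=200 mfa=yes
2021-07-02T14:05:42Z src=198.51.100.10 user=svc-backup path=/api/v1.0/auth status=200 mfa=no
2021-07-02T14:07:05Z src=192.0.2.77 user=admin path=/vsa/admin/login status=200 mfa=no
2021-07-02T14:07:09Z src=192.0.2.77 user=admin path=/remote-control/push status=200 mfa=no
2021-07-02T14:09:30Z src=203.0.113.44 user=agent-0042 path=/agent/checkin status=200 mfa=n/a
2021-07-02T14:11:00Z src=192.0.2.78 user=admin path=/vsa/admin/login status=401 mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d+) mfa=(?P<mfa>\S+)$"
)

REASON_ALLOWLIST = "admin interface reached from non-allowlisted IP"
REASON_MFA = "admin request accepted without MFA"


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    user: str
    path: str
    reason: str


def is_allowlisted(src: str) -> bool:
    """True if src falls inside any allowlisted network (exact /32 or a range)."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWLIST)


def is_admin_path(path: str) -> bool:
    return path.startswith(ADMIN_PATH_PREFIXES)


def audit(log_text: str) -> List[Finding]:
    """Return one Finding per violated control; a single line can yield two."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool should count and report these
        f = m.groupdict()
        if not is_admin_path(f["path"]):
            continue
        if not is_allowlisted(f["src"]):
            findings.append(Finding(f["ts"], f["src"], f["user"], f["path"], REASON_ALLOWLIST))
        # Only a request the server actually accepted (2xx) without MFA is a control failure;
        # a rejected attempt (401) from a bad IP is covered by the allowlist finding above.
        if f["status"].startswith("2") and f["mfa"] == "no":
            findings.append(Finding(f["ts"], f["src"], f["user"], f["path"], REASON_MFA))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for a quick read of which control is failing."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for r in results:
        print(f"{r.ts} {r.src:<14} {r.user:<11} {r.path:<22} {r.reason}")
    print(summarize(results))
```

Note that the service account `svc-backup` is flagged even though it connects from an allowlisted address: the guidance says MFA on every single account, and service accounts that cannot do MFA are exactly the ones that should be confined to a dedicated administrative network rather than exempted.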

CISA and FBI meanwhile recommend that all MSP customers implement cybersecurity best practices, especially if their RMM systems are currently offline due to the Kaseya attack. These include:

  • Ensuring backups are up to date and stored air-gapped from the organizational network
  • Reverting to a manual patch management process that follows vendor remediation guidance, installing new patches as soon as they become available
  • Implementing MFA
  • Ensuring that key network resource administrative accounts are provisioned with the most restrictive privileges possible

Where else can I find help?

Kaseya is continuing to update its VSA attack information page, including a video update from Kaseya Executive Vice President Mike Sanders posted on July 11.

CISA has also shared Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack, published by cybersecurity firm Cado.

CISA is directing people to revisit an earlier alert as well, Technical Approaches to Uncovering and Remediating Malicious Activity.

Gavin Stone, Managing Partner of MSPGeek, has posted an article: How secure is your RMM and what can you do to better secure it?

How can Paubox help?

If you’re familiar with malware and ransomware, you know that ongoing cybersecurity training for employees is important, but cybersecurity training is not enough. As long as humans are involved in the process, human error is inevitable. So Paubox reduces the opportunity for attackers to reach them in the first place.

Paubox Email Suite Premium integrates with the most popular email providers out there—Google Workspace, Microsoft Exchange, and Microsoft 365—to send HIPAA compliant email by default. It comes with inbound email security features like ExecProtect, which prevents display name spoofing attacks. And it comes with outbound data loss prevention (DLP) and email archiving.

Paubox Email Suite Premium is also a Zero Trust Email platform, which means it requires an additional proof of authenticity before delivering any email. Read more about what Zero Trust means.

Try Paubox Email Suite Premium for FREE today.

About the author

Ryan Ozawa
