CyberAlert: Kaseya Ransomware Attack

July 13, 2021 — CISA has created a webpage to provide information and guidance for the recent ransomware attack against Kaseya customers that include managed service providers (MSPs) and customers of those MSPs.

Since July 2, 2021, CISA, along with the Federal Bureau of Investigation (FBI), has been responding to a global cybersecurity incident, in which cyber threat actors executed ransomware attacks—leveraging a vulnerability in the software of Kaseya VSA on-premises products—against managed service providers (MSPs) and their downstream customers.


Incident Response Guidance

On July 2, 2021, Kaseya shut down their SaaS servers and recommended Kaseya VSA customers shutdown their on-premises VSA servers. Note: according to Kaseya, there is no evidence that any Kaseya SaaS customers were compromised, however Kaseya took the SaaS servers offline out of an abundance of caution. 

On July 11, 2021, Kaseya began the restoration of their SaaS servers and released a patch for on-premise VSA servers. CISA strongly recommends affected organizations to review Kaseya’s security advisory and apply the necessary patches, and implement the following Kaseya guidance:

Affected MSPs

CISA recommends affected MSPs run the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IOCs) are present.

READ MORE


Updates Directly from Kaseya

Read More Here

July 7, 2021 – 12:00 PM EDT

VSA On-Premises Update

For on-premises customers we will be publishing a runbook of the changes to make to your on-premises environment by 3PM US EDT today so customers can prepare for the patch release.
We will update the planned availability of the VSA On-Premises patch by 5PM US EDT today.

VSA SaaS Update

During the VSA SaaS deployment an issue was discovered that has blocked the release. We are resolving the issue that is related to our SaaS infrastructure and we plan on beginning to restore SaaS services no later than the evening of Thursday July 8th US time.

July 7, 2021 – 8:00 AM EDT

As communicated in our last update, unfortunately, during the deployment of the VSA update an issue was discovered that has blocked the release. We have not yet been able to resolve the issue. The R&D and operations teams worked through the night and will continue to work until we have unblocked the release. We will provide a status update at 12:00PM US EDT.

July 6, 2021 – 10:00 PM EDT

During the VSA SaaS deployment an issue was discovered that has blocked the release. Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline. We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service. We will be providing a status update at 8AM US EDT.


The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) continue to track and respond to the recent Kaseya VSA software vulnerability against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the proposed guidance.

Access the CISA alert here.


CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack

July 6, 2021 — CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.

CISA and FBI recommend affected MSPs:

        • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IOCs) are present.
        • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
        • Implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
        • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

        • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
        • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
        • Implement:
          • Multi-factor authentication; and
          • Principle of least privilege on key network resources admin accounts.

Resources:

CISA and FBI provide these resources for the reader’s awareness.  CISA and FBI do not endorse any non-governmental entities nor guarantee the accuracy of the linked resources.