Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers
Since July 2, 2021, CISA, along with the Federal Bureau of Investigation (FBI), has been responding to a global cybersecurity incident, in which cyber threat actors executed ransomware attacks—leveraging a vulnerability in the software of Kaseya VSA on-premises products—against managed service providers (MSPs) and their downstream customers.
Incident Response Guidance
On July 2, 2021, Kaseya shut down their SaaS servers and recommended that Kaseya VSA customers shut down their on-premises VSA servers. Note: according to Kaseya, there is no evidence that any Kaseya SaaS customers were compromised; however, Kaseya took the SaaS servers offline out of an abundance of caution.
On July 11, 2021, Kaseya began the restoration of their SaaS servers and released a patch for on-premises VSA servers. CISA strongly recommends that affected organizations review Kaseya’s security advisory, apply the necessary patches, and implement the following Kaseya guidance:
- VSA SaaS and On-Premises Release Notes
- VSA SaaS Startup Runbook
- VSA SaaS Hardening and Best Practice Guide
- VSA On-Premises Startup Runbook (Updated July 11th – Updated Step 4)
- VSA On-Premise Hardening and Practice Guide
Affected MSPs
CISA recommends affected MSPs run the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IOCs) are present.
Affected MSP Customers
CISA recommends MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customers who do not currently have their remote monitoring and management (RMM) service running due to the Kaseya attack.
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
- Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
- Ensure that customers have fully implemented all mitigation actions available to protect against this threat;
- Implement:
  - Multi-factor authentication on every account that is under the control of the organization, and
  - The principle of least privilege on admin accounts for key network resources.
General Ransomware Prevention Best Practices
CISA recommends organizations, including MSPs, implement the best practices and hardening guidance in the CISA and MS-ISAC Joint Ransomware Guide to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident.
General Mitigation and Hardening Guidance for MSPs
CISA recommends MSPs implement the following guidance to protect their customers’ network assets and reduce the risk of successful cyberattacks.
- Apply principle of least privilege to customer environments, i.e., ensure customer data sets are separated logically and access to the client networks is not shared.
- Ensure that log information is preserved, aggregated, and correlated to enable maximum detection capabilities with a focus on monitoring for account misuse.
- Implement robust network- and host-based monitoring solutions.
- Work with customers to ensure hosted infrastructure is monitored and maintained, either by the service provider or the customer.
- Manage customer data backups.
  - Prioritize backups based on business value and operational needs, while adhering to any customer regulatory and legal data retention requirements.
  - Develop and test recovery plans, and use tabletop exercises and other evaluation tools and methods to identify opportunities for improvement. See CISA's Cyber Resilience Review resources for guidance on conducting a non-technical evaluation of your organization's operational resilience and cybersecurity practices.
  - Review data backup logs to check for failures and inconsistencies.
General Mitigation and Hardening Guidance for Small- and Mid-Sized Business MSP Customers
CISA recommends small and mid-sized MSP customers implement the following guidance to protect their network assets and reduce the risk of successful cyberattacks.
- Conduct a security review to determine if there is a security concern or compromise and implement appropriate mitigation and detection tools for this and other cyber activity. For general incident response guidance, see Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.
- Manage supply chain risks.
  - Understand the supply chain risks associated with their MSP, including determining network security expectations.
  - Manage risk across their security, legal, and procurement groups.
  - Use risk assessments to identify and prioritize allocation of resources and cyber investment.
- Implement strong operational controls.
  - Create a baseline for system and network behavior in order to detect future anomalies; continuously monitor network devices’ security information and event management appliance alerts.
  - Monitor processes for outbound network activity (against the baseline).
  - Monitor connections to MSP infrastructure.
  - Regularly update software and operating systems.
  - Integrate system log files—and network monitoring data from MSP infrastructure and systems—into customer intrusion detection and security monitoring systems for independent correlation, aggregation, and detection.
  - Employ a backup solution that automatically and continuously backs up critical data and system configurations. Store backups in an easily retrievable location that is air-gapped from the organizational network.
  - Require MFA for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.
- Manage architecture risks.
  - Review and verify all connections between customer systems, service provider systems, and other client enclaves.
  - Use a dedicated virtual private network (VPN) to connect to MSP infrastructure; all network traffic from the MSP should only traverse this dedicated secure connection.
- Manage authentication, authorization, and accounting procedures.
  - Adhere to best practices for password and permission management.
  - Ensure MSP accounts are not assigned to administrator groups and restrict those accounts to only the systems they manage. Grant access and admin permissions based on need-to-know and least privilege.
  - Verify service provider accounts in their environment are being used for appropriate purposes and are disabled when not actively being used.
- Review contractual relationships with all service providers. Ensure contracts include:
  - Security controls the customer deems appropriate;
  - Appropriate monitoring and logging of provider-managed customer systems;
  - Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network; and
  - Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
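The three account and connection checks above (MSP accounts kept out of administrator groups, disabled when not in active use, and reaching the customer network only over the dedicated VPN) can be run as a simple recurring audit. The script below is an added illustration, not CISA or Kaseya tooling; the account inventory, logon records and the `10.99.0.0/24` VPN range are constructed for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed inventory of service-provider (MSP) accounts as exported from the
# customer directory. Names, groups and timestamps are made up for this example.
MSP_ACCOUNTS = [
    {"name": "msp-svc-patch", "enabled": True, "groups": ["Domain Admins"], "last_logon": "2021-07-10T02:14:00"},
    {"name": "msp-svc-monitor", "enabled": True, "groups": ["Remote Management Users"], "last_logon": "2021-06-01T09:00:00"},
    {"name": "msp-svc-backup", "enabled": False, "groups": ["Backup Operators"], "last_logon": "2021-05-20T23:00:00"},
]

# Constructed logon records for those accounts (user, source IP, time).
LOGONS = [
    {"user": "msp-svc-patch", "src": "10.99.0.12", "time": "2021-07-10T02:14:00"},
    {"user": "msp-svc-patch", "src": "203.0.113.7", "time": "2021-07-11T03:40:00"},
    {"user": "msp-svc-monitor", "src": "10.99.0.15", "time": "2021-06-01T09:00:00"},
]

# Groups an MSP account should never belong to (extend to match your directory).
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
# Assumed address range of the dedicated MSP VPN; every MSP logon should come from it.
MSP_VPN_NET = ip_network("10.99.0.0/24")


def audit_msp_accounts(accounts, logons, now_iso, stale_days=30, vpn_net=MSP_VPN_NET):
    """Return (finding_type, subject) tuples for the three checks in the guidance."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for acct in accounts:
        # Check 1: MSP account assigned to an administrator group.
        if set(acct["groups"]) & ADMIN_GROUPS:
            findings.append(("admin_group", acct["name"]))
        # Check 2: account still enabled although it has not been used recently.
        last = datetime.fromisoformat(acct["last_logon"])
        if acct["enabled"] and now - last > timedelta(days=stale_days):
            findings.append(("enabled_but_stale", acct["name"]))
    for ev in logons:
        # Check 3: MSP logon that did not traverse the dedicated VPN.
        if ip_address(ev["src"]) not in vpn_net:
            findings.append(("logon_outside_vpn", f'{ev["user"]}@{ev["src"]}'))
    return findings


if __name__ == "__main__":
    for kind, subject in audit_msp_accounts(MSP_ACCOUNTS, LOGONS, "2021-07-12T00:00:00"):
        print(f"{kind}: {subject}")
```

In a real deployment the inventory would come from the directory service and the logons from the SIEM feed the guidance asks to integrate; each finding maps back to one of the three bullets it checks.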
Resources
CISA provides these resources for the reader’s awareness. CISA does not endorse any non-governmental entities nor guarantee the accuracy of the linked resources.
- Kaseya Ransomware Attacks
- For the latest guidance from Kaseya, see Kaseya's security notice.
- For indicators of compromise, see Peter Lowe's GitHub page REvil Kaseya CnC Domains. Note: due to the urgency to share this information, CISA and FBI have not yet validated this content.
- For guidance specific to this incident from the cybersecurity community, see Cado Security's GitHub page, Resources for DFIR Professionals Responding to the ransomware Kaseya Attack. Note: due to the urgency to share this information, CISA and FBI have not yet validated this content.
- Ransomware
- For advice from the cybersecurity community on securing against MSP ransomware attacks, see Gavin Stone's article, How secure is your RMM, and what can you do to better secure it?
- For general ransomware guidance, see the CISA Ransomware page and the CISA-MS-ISAC Joint Ransomware Guide.
- Incident Response
- For general incident response guidance, see Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity.
- Managed Service Providers
- For more information on improving the cybersecurity of MSPs, refer to National Cybersecurity Center of Excellence (NCCoE): Improving Cybersecurity of Managed Service Providers.