CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack

 

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.

CISA-FBI
Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain
Ransomware Attack

07/04/2021 12:29 PM EDT

 

Original
release date: July 4, 2021

CISA and the Federal Bureau of Investigation (FBI) continue to respond to
the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya
VSA software against multiple managed service providers (MSPs) and their
customers. CISA and FBI strongly urge affected MSPs and their customers to
follow the guidance below.

CISA and FBI recommend affected MSPs:

  • Contact Kaseya at support@kaseya.com
    with the subject “Compromise Detection Tool Request” to obtain and run
    Kaseya’s Compromise Detection Tool available to Kaseya VSA customers. The
    tool is designed to help MSPs assess the status of their systems and their
    customers’ systems.
  • Enable and enforce multi-factor authentication (MFA) on
    every single account that is under the control of the organization, and—to
    the maximum extent possible—enable and enforce MFA for customer-facing
    services.
  • Implement allowlisting to limit communication with
    remote monitoring and management (RMM) capabilities to known IP address
    pairs, and/or
  • Place administrative interfaces of RMM behind a virtual
    private network (VPN) or a firewall on a dedicated administrative network.

CISA and FBI recommend MSP customers affected by this attack take immediate
action to implement the following cybersecurity best practices. Note: these actions
are especially important for MSP customer who do not currently have their RMM
service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

  • Ensure backups are up to date and stored in an easily
    retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that
    follows vendor remediation guidance, including the installation of new
    patches as soon as they become available;
  • Implement:
    • Multi-factor
      authentication; and
    • Principle of least
      privilege on key network resources admin accounts.

Resources:

CISA and FBI provide these resources for the reader’s awareness.  CISA
and FBI do not endorse any non-governmental entities nor guarantee the accuracy
of the linked resources.