Managed services providers (MSPs) rely heavily on their remote monitoring and management (RMM) software to operate efficiently—Kaseya VSA is one of the most popular in the industry. Although every MSP was familiar with Kaseya before July 2, 2021, the whole world knows about it now. The software vendor became the target of one of the largest ransomware attacks to date. Shortly after the supply chain attack impacted dozens of MSPs and their clients—a total of about 1,500 companies—Russian hacker group REvil demanded $70 million in ransom.
The Kaseya VSA Attack
Security platform Huntress, a provider of managed detection and response capabilities, reports that the attack began on July 2 around 11 a.m. ET—just in time for the Independence Day holiday in the U.S. Attackers exploited zero-day vulnerabilities in Kaseya VSA to distribute ransomware. In a July 6 webinar, “Recovering from a Mass Ransomware Incident,” Huntress points out that attackers were “crazy efficient,” deleting logs and removing users as well as distributing the ransomware to MSPs’ clients.
Huntress has been careful not to go into detail to reveal sensitive information but shared that the attack began with authentication bypass, followed by file upload and code execution. The Huntress team analyzed multiple databases and, as of July 6, did not believe the attackers exfiltrated data from any of its victims, referring to the attack as a “smash and grab” with seemingly no plans for additional demands beyond the astronomical ransom request.
Kaseya reports that only customers who use the on-premises version of VSA were impacted—the SaaS product was not affected.
Guidance from CISA and FBI
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued guidance on July 4 for MSPs impacted by the attack, advising them to:
- Download the Kaseya VSA Detection Tool.
- Enable and enforce multifactor authentication (MFA) on all accounts that you control and for customer-facing services, if possible.
- Implement allowlisting to limit communication with RMM to known IP address pairs.
- Put RMM admin interfaces behind a VPN or firewall on a dedicated network.
CISA and FBI also suggest that end users:
- Make sure backups are up to date and stored in a location air-gapped from the network.
- Revert to manual patch management.
- Use MFA and the Principle of Least Privilege for network admin accounts.
Respond and Recover Intentionally
The Huntress team urged its July 6 webinar attendees who were not victims of this attack to talk through and plan how they would respond to a ransomware attack, stressing that the three keys to an effective response are:
- Preserving evidence, ensuring you don’t lose evidence as logs roll over
- Verifying backups and confirming all tools are working as expected
- Keeping a validated inventory of every encrypted system
However, what may have come as a surprise to some MSPs is that the first step should always be to contact legal counsel or their insurance company to arrange for legal advice.
An MSP’s first impulse may be to repair and restore—however, each step you take can impact an investigation and have legal implications. Therefore, have your legal counsel guide your recovery plan and review any messaging you create to minimize further liability.
Additionally, in a mass ransomware incident that requires recovery for all of your clients, it’s vital to conduct a risk assessment and establish priorities. Consider factors such as how mission-critical encrypted assets are and which clients are most likely to prosecute when you choose where to start and how to move forward. Huntress shares more information in the video How MSPs Can Survive a Coordinated Ransomware Attack.
A Community United
Although the MSP space can be competitive, all bets were off over the July 4th weekend. Stories are emerging of how MSPs are pulling together to help victims of the Kaseya VSA attack. For example, CompTIA’s Information Sharing and Analysis Organization (ISAO) group stepped up to offer assistance to an MSP company in the unimaginable situation of having to help all of its clients recover, with between 40 and 60 servers and 400-500 PCs impacted.
Consider helping if you can. Of course, you’d want your peers to do the same. Then, have the conversation in your organization about how you will respond to an incident, practice it, and be ready to put your plan into action when needed.