CISA, FBI share guidance for victims of Kaseya ransomware attack

CISA and the Federal Bureau of Investigation (FBI) have shared guidance for managed service providers (MSPs) and their customers impacted by the REvil supply-chain ransomware attack that hit the systems of Kaseya’s cloud-based MSP platform.

The two federal agencies advise MSPs affected by the Friday REvil attack to further check their systems for signs of compromise using a detection tool provided by Kaseya over the weekend and enable multi-factor authentication (MFA) on as many accounts as possible.

Furthermore, MSPs should also implement allowlists to limit access to their internal assets and protect their remote monitoring tools’ admin interface using firewalls or VPNs.

The complete list of recommendations shared by CISA and the FBI for impacted MSPs includes:

• Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.    
• Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
• Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
• Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.

MSP customers affected by the attack are advised to use and enforce MFA wherever possible and protect their backups by placing them on air-gapped systems.

CISA and the FBI advise affected MSP customers to:

• Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
• Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
• Implement MFA and principle of least privilege on key network resources admin accounts.

CISA and FBI involved in the incident-handling process

The two federal agencies are involved in the worldwide incident-handling process for impacted Kaseya customers and are urging all affected MSPs and their customers to follow the guidance shared above.

“Due to the potential scale of this incident, the FBI and CISA may be unable to respond to each victim individually, but all information we receive will be useful in countering this threat,” the FBI said in an official statement issued over the weekend.

The White House National Security Council has also urged victims of this large-scale supply-chain attack to report the incident to the Internet Crime Complaint Center.

Victims were also advised to follow the guidance issued by Kaseya, including shutting down their VSA servers, as well as implementing CISA’s and FBI’s mitigation techniques.

We also urge you to immediately follow the guidance from Kaseya including shutting down your VSA servers and implementing CISA’s and FBI’s mitigation techniques. More information here: https://t.co/36z73m5Trg

— National Security Council (@WHNSC) July 4, 2021

REvil hits Kaseya customers in largest ever ransomware attack

The massive REvil ransomware attack hit multiple managed service providers who are using Kaseya’s cloud-based MSP platform for patch management and client monitoring for their customers. 

In all, more than 1,000 customers of 20 MSPs had their systems encrypted in the attack carefully planned to launch on midday Friday as it lined up with the US July 4th weekend, when it’s common for staff to have shorter workdays.

To breach Kaseya on-premises VSA servers, the REvil affiliate behind the attack used a zero-day vulnerability (CVE-2021-30116) — Kaseya VSA is a RMM (Remote Monitoring and Management) software.

As BleepingComputer later found, Kaseya was in the process of patching after being reported privately by researchers at Dutch Institute for Vulnerability Disclosure (DIVD).

However, the REvil affiliate got their hands on the vulnerability’s details and managed to exploit it before Kaseya could start tolling out a validated fix to its customers.

The REvil ransomware group claims to have encrypted over 1,000,000 systems and first demanded $70 million for a universal decryptor to decrypt all Kaseya attack victims. However, today, its operators have quickly loweried the price to $50 million.

This is the highest ransom demand to date, the previous record also belonging to REvil, asking $50 million after attacking Taiwanese electronic and computer maker Acer.

This is not the first time REvil ransomware was used in attacks hitting MSPs, with at least one of their affiliates having knowledge of the tech used by MSPs as they have previously exploited in previous incidents.

In June 2019, one of REvil’s affiliates targeted MSPs via Remote Desktop using their management software to deliver ransomware installers to all of the customer endpoints they managed.

The same affiliate is also believed to have previously worked with GandCrab in attacks that compromised MSPs’ networks in January 2019.