REvil Ransomware Targets RMM Users: CISA and FBI Provide Instructions
Just before the holiday weekend, the REvil ransomware gang exploited Kaseya's Virtual System Administrator (VSA) remote monitoring and management product, using it to push ransomware that encrypted files on victims' systems; the gang then demanded $70M for a universal decryptor. Kaseya has stated that fewer than 60 of its customers running the VSA on-premises product were compromised directly. Because those customers are managed service providers, the attack then spread to their own clients, bringing the total to roughly 1,500 affected companies.
According to Kaseya, only its on-premises customers were impacted by the attack.
CISA and FBI Advise
After last Friday's attack, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a list of recommended actions for managed service providers (MSPs) that use Kaseya VSA.
If you, as an MSP, were affected by Friday's attack, CISA and the FBI suggest that you:
- Download the Kaseya VSA Detection Tool to determine whether any indicators of compromise are present.
- Enable and enforce multi-factor authentication (MFA) on every account under your control, and enable MFA for customer-facing services wherever possible.
- Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs.
- Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
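The allowlisting and firewall steps above are easy to state and easy to get subtly wrong (an allowlist entry of 0.0.0.0/0 "works" and opens the port to everyone). The following is an added example, not part of the CISA/FBI guidance or any Kaseya code: it validates an allowlist of management sources, refuses entries that would expose the admin port to the whole internet, renders a default-deny nftables ruleset for the RMM admin port, and lets you probe candidate source addresses against the policy before loading it. The port (443), the admin subnet (10.50.0.0/24) and the VPN concentrator address (192.0.2.10) are assumptions chosen for illustration.

```python
"""Added example (not CISA/FBI guidance or Kaseya code): build a default-deny
source allowlist for an RMM admin interface and check sources against it."""
import ipaddress

# Constructed allowlist: a dedicated admin subnet plus one VPN concentrator.
# The CIDRs and the port are assumptions for illustration only.
ADMIN_ALLOWLIST = ["10.50.0.0/24", "192.0.2.10/32"]
RMM_ADMIN_PORT = 443


def parse_allowlist(cidrs):
    """Validate every entry as a proper IPv4 network (host bits must be zero)
    and refuse any /0 entry, which would silently allow the entire internet."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} allowlists the whole internet; refusing it")
        nets.append(net)
    return nets


def source_permitted(src, nets):
    """True if the source address falls inside at least one allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def nft_ruleset(port, nets):
    """Render an nftables table for the admin port: allowlisted sources are
    accepted, everything else to that port is logged and dropped. Established
    and related traffic is accepted first so replies to permitted sessions
    are unaffected. Traffic to other ports is left to the host's other rules."""
    members = ", ".join(str(n) for n in nets)
    return f"""table inet rmm_admin {{
    set admin_sources {{
        type ipv4_addr
        flags interval
        elements = {{ {members} }}
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport {port} ip saddr @admin_sources accept
        tcp dport {port} log prefix "rmm-admin-denied: " drop
    }}
}}
"""


if __name__ == "__main__":
    nets = parse_allowlist(ADMIN_ALLOWLIST)
    print(nft_ruleset(RMM_ADMIN_PORT, nets))
    # Constructed probes: one inside the admin subnet, the VPN host, one stranger.
    for probe in ("10.50.0.17", "192.0.2.10", "203.0.113.5"):
        verdict = "permitted" if source_permitted(probe, nets) else "denied"
        print(f"{probe}: {verdict}")
```

The rendered table is meant for a Linux firewall in front of the RMM server (`nft -f` on the output); the same allowlist and default-deny shape carries over to a Windows Firewall or perimeter firewall rule. The explicit `drop` for the admin port is the important line: without it, an allowlist is only documentation.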
Affected MSP customers are urged to take immediate action. This is especially important for MSP customers whose RMM service has not been running since the Kaseya ransomware attack.
Affected MSP customers should:
- Make sure all of their backups are up to date and stored on a device that is disconnected or "air-gapped" from their company's network.
- Revert to manual patch management, following vendor remediation guidance, and install new patches as soon as they become available.
- Implement multi-factor authentication (MFA).
- Apply the principle of least privilege to administrative accounts on key network resources.
CISA and the FBI have provided further resources for anyone concerned about the attack or their exposure to it. These resources include:
- Kaseya's most recent guidance: Important Notice July 3rd, 2021
- General incident response guidance: Joint Cybersecurity Advisory AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity
CISA has called out dangerous cybersecurity practices in the past, and it is important to implement safe practices as soon as we can. A lack of urgency leaves vulnerabilities in place, and attackers have not stopped pushing forward with increasingly sophisticated and aggressive campaigns. To read up on CISA's take on bad internet practices, see CISA Calls Out Dangerous Cyber Security Practices