CISA and the Federal Bureau of Investigation (FBI) have published guidance for managed service providers (MSPs) and their customers impacted by the REvil supply chain ransomware attack that exploited a vulnerability in Kaseya VSA software.
The ransomware attack took place last Friday, July 2. The attackers reportedly compromised Kaseya on-premises VSA servers by exploiting a zero-day flaw (CVE-2021-30116) in Kaseya VSA software used for remote monitoring and management.
Kaseya estimates that "fewer than 1,500 downstream businesses" have been affected by the REvil ransomware attack.
“To date, we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses,” the software vendor said in a statement.
On their dark web leak site, the REvil gang claims to have encrypted over 1,000,000 systems. Initially, hackers demanded $70 million for a universal decryptor to decrypt all Kaseya attack victims, but later they reduced the price to $50 million.
CISA and FBI strongly urge the impacted MSPs and their customers to follow the recommendations listed below:
- Download the Kaseya VSA Detection Tool. This tool analyzes a system (either a VSA server or a managed endpoint) and determines whether any indicators of compromise (IoCs) are present.
- Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and, to the maximum extent possible, enable and enforce MFA for customer-facing services.
- Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
- Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
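The last two recommendations, allowlisting RMM traffic to known IP address pairs and confining the RMM admin interface to a dedicated administrative network, can be expressed as a host firewall ruleset on the RMM server. The script below is an added example written for this article; it is not code from CISA, the FBI, or Kaseya. It generates an nftables ruleset from a file of `agent_ip server_ip` pairs and an admin subnet. Its assumptions are labelled: the agent check-in port 5721 (Kaseya VSA's documented default) and admin UI port 443 are taken as defaults and should be adjusted to the deployment, all addresses are documentation-range placeholders, and any other service the host must expose (SSH from the admin network, for instance) needs its own accept rule before the final drop.

```shell
#!/bin/sh
# Added example, not from the CISA/FBI guidance or from Kaseya.
# Builds an nftables ruleset that lets only known (agent, server) IPv4 pairs
# reach the RMM agent check-in port and confines the RMM admin UI to an
# administrative subnet. Everything else on those ports is logged and dropped.
#
# Assumptions (adjust for your deployment):
#   - agents check in on TCP 5721 (Kaseya VSA's default agent port)
#   - the admin/web UI listens on TCP 443
#   - the ruleset is loaded on the RMM server itself (hook input)
#
# Usage: rmm_ruleset PAIRS_FILE ADMIN_CIDR > /etc/nftables.d/rmm.nft
#        nft -c -f /etc/nftables.d/rmm.nft   # syntax check before loading
#        nft -f /etc/nftables.d/rmm.nft

RMM_AGENT_PORT=5721   # assumed default agent check-in port
RMM_ADMIN_PORT=443    # assumed admin UI port

# is_ipv4 A.B.C.D -> status 0 if it is a dotted quad with octets 0-255.
# Runs in a subshell so the IFS change stays local.
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# rmm_ruleset PAIRS_FILE ADMIN_CIDR
# PAIRS_FILE holds one "agent_ip server_ip" pair per line; blank lines and
# lines starting with # are ignored. Prints the ruleset on stdout and returns
# 1 (printing nothing) if any pair is malformed, so a typo cannot silently
# widen the allowlist.
rmm_ruleset() {
    pairs=$1; admin=$2
    elements=""
    while read -r src dst rest; do
        case $src in ''|'#'*) continue ;; esac
        is_ipv4 "$src" && is_ipv4 "$dst" && [ -z "$rest" ] || {
            echo "rmm_ruleset: bad pair: $src $dst $rest" >&2; return 1; }
        # nftables concatenated-set element syntax: "a.b.c.d . w.x.y.z"
        elements="$elements${elements:+, }$src . $dst"
    done < "$pairs"
    [ -n "$elements" ] || { echo "rmm_ruleset: no pairs in $pairs" >&2; return 1; }
    cat <<EOF
table inet rmm {
    # exact (agent, server) pairs; a matching source alone is not enough
    set agent_pairs {
        type ipv4_addr . ipv4_addr
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # agent check-in only from allowlisted pairs
        ip saddr . ip daddr @agent_pairs tcp dport $RMM_AGENT_PORT accept
        # admin UI only from the dedicated administrative network / VPN
        ip saddr $admin tcp dport $RMM_ADMIN_PORT accept
        # add accept rules for any other required service (e.g. SSH from $admin) here
        tcp dport { $RMM_AGENT_PORT, $RMM_ADMIN_PORT } log prefix "rmm-denied " drop
    }
}
EOF
}
```

The concatenated set (`ipv4_addr . ipv4_addr`) is what makes this an allowlist of address pairs rather than of sources: an agent address is only accepted toward the server address it was registered against. Review the `rmm-denied` log entries after loading the ruleset; legitimate agents that stop checking in show up there as pairs missing from the file.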