Update July 15, 2021
CISA has created a webpage collecting relevant resources on the Kaseya ransomware incident. Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers can be accessed on the CISA website.
Kaseya VSA SaaS Infrastructure has been Updated – Updated July 12, 2021
As of July 12, 2021 3:30PM US EDT, Kaseya reports that the unplanned maintenance across the VSA SaaS infrastructure has been completed and all instances are now live. Kaseya released VSA version 9.5.7a for their VSA On-Premises software addressing vulnerabilities that enabled the ransomware attacks on Kaseya’s customers. Impacted members are encouraged to follow the instructions detailed in the Kaseya security notice. The Kaseya security notice includes Startup Runbooks and Hardening and Best Practice Guides for both VSA On-Premises and VSA SaaS.
Other resources:
- https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/kaseya-provides-security-updates-vsa-premises-software
- https://www.flashpoint-intel.com/blog/kaseya-ransomware-attack-revil-dismisses-mounting-global-scrutiny-with-more-large-scale-targets/
- https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
REvil Ransomware Attack Against Kaseya VSA – Update July 8, 2021
- Kaseya is still in the process of releasing a patch to fix the vulnerability that enabled the mass exploitation through MSPs over the Independence Day weekend.
- According to the July 7 Flashpoint report, REvil Attack on Kaseya VSA Tool, “news broke of a second wave of attacks, which attempted to build on a sense of urgency created by the initial incident. The security firm Malwarebytes identified an email campaign that aimed to propagate malicious attachments as security updates. The attachments appeared to load “Cobalt Strike,” a tool that is able to give attackers remote access to the infected systems. There is no indication that this campaign is connected to REvil.”
- Kaseya has published a Startup Readiness Guide to ensure on premises VSA servers are prepared to receive the patch when it becomes available – sysadmins that work with Kaseya may find this guide useful.
- Among many information sources, SecurityWeek is providing continuous and credible coverage on the latest updates and resources.
Kaseya and Supply Chain/Vendor Risk Management
If your utility contracts with an MSP/TSP that uses Kaseya VSA, this may affect your current service, and it affects you far more directly if ransomware was deployed on your network through this exploitation – hopefully this has not happened to any members. If your utility neither contracts with an MSP/TSP for technology services nor runs Kaseya VSA itself, this particular incident has no direct impact on you. However, the nature of this exploit is relevant to every utility that relies on third-party services or software that could be compromised in a similar fashion: the attackers abused a trusted management and update channel to push malicious code to downstream customers, reminiscent of the SolarWinds Orion compromise. To that end, this incident provides much value toward organizational supply chain risk management programs.
One issue that often comes up is how to select a service provider. In light of this incident, several good resources aimed at MSPs have appeared on best practices for responding to a cyber attack and protecting their customers. These resources can also give customers insight into what their MSPs should be doing, and supply questions to ask during vendor risk assessments when selecting new or reviewing existing relationships. Huntress Labs CEO Kyle Hanslovan recently provided such guidance in 5 Key Steps for MSPs. Whether it is this supply chain attack or another, members are encouraged to incorporate security guidance for MSPs into their own vendor/supply chain risk management activities when assessing trusted relationships.
Update July 6, 2021
If the Windows Print Spooler “PrintNightmare” vulnerability wasn’t keeping you busy enough, and your utility partners with a managed service provider (MSP)/technology service provider (TSP) that uses Kaseya VSA, you may have been even busier and/or more concerned. In an email to members late Friday afternoon, WaterISAC reported the initial details that were surfacing of a REvil ransomware attack against Kaseya VSA. Kaseya, federal partners, and security and research teams worked nearly around the clock over the weekend to determine the details and scope of the incident and to keep Kaseya customers (MSPs/TSPs) and their stakeholders informed while a fix was being developed.
The investigation is ongoing, but according to Huntress, researchers continue to see a growing number of MSPs, resellers, and their customers impacted. At this time there is no published information naming the impacted entities. Members who contract for information technology services are therefore encouraged to reach out directly to their MSP/TSP and ask whether it uses Kaseya VSA and whether any of its VSA servers were compromised. At present, Kaseya, CISA, and the FBI have published recommended guidance to follow until the patch has been deployed.
CISA and FBI recommend affected MSP customers:
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
- Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
- Implement:
  - Multi-factor authentication; and
  - Principle of least privilege on key network resources admin accounts.
From Kaseya:
- All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations. A patch will be required to be installed prior to restarting the VSA, along with a set of recommendations on how to increase your security posture.
- We have been advised by our outside experts, that customers who experienced ransomware and receive communication from the attackers should not click on any links – they may be weaponized.
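Members who are unsure whether their MSP/TSP manages their Windows hosts with Kaseya VSA can check for the VSA agent locally while waiting for an answer from the provider. The following read-only PowerShell inventory is an added example, not code from WaterISAC, Kaseya, CISA or the FBI. It assumes (these details are not stated on this page) that the agent is registered as a service whose name or display name contains "Kaseya", that its process is AgentMon.exe, and that it installs under a Program Files\Kaseya directory; adjust the patterns if your MSP's deployment differs.

```powershell
# Added example (not part of the WaterISAC advisory): inventory one Windows host for a
# Kaseya VSA agent so the utility knows whether it is downstream of a VSA server.
# Read-only: nothing on the host is changed. Run in an elevated PowerShell session so
# that process paths and the 32-bit uninstall hive are readable.
#
# Assumptions (not from the advisory): service/display names containing "Kaseya",
# the agent process AgentMon.exe, and install directories under Program Files\Kaseya.

$namePattern = 'Kaseya'
$findings = [ordered]@{}

# 1. Services whose name or display name mentions Kaseya
$findings.Services = @(Get-Service |
    Where-Object { $_.Name -match $namePattern -or $_.DisplayName -match $namePattern } |
    Select-Object Name, DisplayName, Status)

# 2. Running agent processes (AgentMon is the assumed agent process name)
$findings.Processes = @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match 'AgentMon' } |
    Select-Object ProcessName, Id, Path)

# 3. Default install directories (64-bit and 32-bit Program Files)
$candidateDirs = @("$env:ProgramFiles\$namePattern", "${env:ProgramFiles(x86)}\$namePattern")
$findings.InstallDirs = @($candidateDirs | Where-Object { Test-Path -Path $_ })

# 4. Uninstall registry entries, which also catch agents installed under a custom path
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$findings.InstalledPrograms = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $namePattern -or $_.Publisher -match $namePattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation)

# Summarise: any hit means the host is (or was) managed through Kaseya VSA and the
# MSP/TSP should be contacted about the status of its VSA servers.
$hitCount = $findings.Services.Count + $findings.Processes.Count +
            $findings.InstallDirs.Count + $findings.InstalledPrograms.Count

[PSCustomObject]@{
    ComputerName      = $env:COMPUTERNAME
    KaseyaAgentFound  = ($hitCount -gt 0)
    Services          = $findings.Services
    Processes         = $findings.Processes
    InstallDirs       = $findings.InstallDirs
    InstalledPrograms = $findings.InstalledPrograms
} | Format-List
```

A host with no hits is not proof that the utility is unaffected: the MSP may manage other systems, or may use VSA only for a subset of its customers, so the provider's own answer is still needed. Running the script across a fleet (for example via Invoke-Command) turns the answer into a list of hosts to discuss with the MSP rather than a single yes/no.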
Additionally, in a statement from the White House on July 4, 2021, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology urges “anyone who believes their systems have been compromised in the Kaseya ransomware incident to immediately report to the Internet Crime Complaint Center at https://www.IC3.gov. The FBI and CISA will reach out to identified victims to provide assistance based upon an assessment of national risk. We also urge you to immediately follow the guidance from Kaseya including shutting down your VSA servers and implementing CISA’s and FBI’s mitigation techniques.”
For WaterISAC members using ConnectWise/Perch:
Perch has provided an analysis and has added logging detection within the Perch platform for the activity discussed. Perch users can detect this malicious activity within their environment by subscribing to the SIEM alerts under Marketplace/Windows Advanced (Beta).
For additional information:
- https://www.kaseya.com/potential-attack-on-kaseya-vsa/
- https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
- https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/04/statement-by-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-on-reporting-kaseya-compromises/
- https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://grahamcluley.com/revil-ransomware-rampages-following-kaseya-supply-chain-attack/
- https://www.zdnet.com/article/kaseya-ransomware-supply-chain-attack-what-you-need-to-know/
July 2, 2021
This afternoon, a large-scale REvil ransomware attack began affecting multiple managed service providers (MSPs) and their clients through a reported supply-chain attack on Kaseya VSA. Kaseya VSA is a remote monitoring and management platform, available both as a cloud (SaaS) service and as an on-premises server, that MSPs use to perform patch management and monitoring for their customers; the agent it installs on managed endpoints is the channel through which the ransomware was pushed.
Read more at Bleeping Computer.
Kaseya has issued an advisory warning all VSA customers to immediately shut down their VSA servers to prevent the attack’s spread while it investigates. If your utility partners with an MSP that uses Kaseya VSA, you may experience impacts. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) reports it is taking action to understand this attack and encourages organizations to review the Kaseya advisory and follow its guidance to shut down VSA servers.
Next Steps
WaterISAC will continue to share information with its members and partners as more is learned about this attack. Members are encouraged to share information with WaterISAC by emailing [email protected], calling 866-H2O-ISAC, or using the online incident reporting form.