The two top security agencies in the US have shared their guidance for managed service providers (MSPs) impacted by the largest known supply-chain ransomware attack by the REvil gang. Hackers compromised thousands of systems by exploiting a bug in Kaseya's cloud-based MSP platform.
The US Department of Homeland Security and the Federal Bureau of Investigation have issued a joint statement urging MSPs affected by the REvil attack of last Friday to thoroughly check their systems for traces of compromise using a detection tool provided by Kaseya.
The two agencies also urged impacted businesses to implement allowlists, using firewalls or VPNs, to limit access to the critical assets and configurations of their remote monitoring tools.
The list of recommendations shared by CISA and the FBI for impacted MSPs includes the following measures.
Install and use the Kaseya VSA Detection Tool, a simple and effective way to identify whether a system (either a VSA server or a managed endpoint) has been compromised.
Turn on multi-factor authentication on all accounts, so that organizations can easily and securely verify the identities of their customers across the various accounts they hold.
Limit the use of remote monitoring and management (RMM) capabilities to known IP address pairs.
Place the administrative interfaces of RMM tools on a virtual private network or behind a firewall on a dedicated administrative network.
Customers affected by the attack are also urged to protect their backups by putting them on air-gapped systems.
Both the FBI and CISA advise affected customers to ensure that their backups are up to date and stored in an easily retrievable, air-gapped location.
They also advise implementing a manual patch management process so that new patches are actually installed.
Finally, users should apply the principle of least privilege and enforce MFA on the administrative accounts for key network resources.