
MSPs Attacked Again – Ep 313 

 July 16, 2021

By  Donna Grindle

MSPs attacked

Summertime, holidays and long weekends, where many of us are taking time off, are prime times for cyber attacks. The bad guys are counting on people being in a hurry and letting their guard down so it’ll make it easier to suck you into their attack. July 4th 2021 was no different: MSPs attacked again by cyber criminals. This time it was Kaseya. Although this is still an active incident, we will cover what we know in today’s podcast.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The HIPAA Boot Camp

Virtual Edition Aug 17-19, 2021

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a timestamp in brackets at the start of a paragraph, you can click it to jump directly to that part of the audio. Get the best of both worlds, from the show notes to the audio and back!


MSPs Attacked Again

[03:42] When an MSP is attacked, it’s not all about them. It’s about their clients. On July 2nd the Kaseya Incident Response Team learned about a security incident affecting its VSA software. Kaseya makes the remote monitoring and management (RMM) software that many IT companies and MSPs use to support their clients’ computers. Once the attackers got into an MSP’s VSA server through vulnerabilities in the Kaseya software, they used VSA’s own management capability to push ransomware to every endpoint that server managed.

Later that day Kaseya said the attack only affected the on-premises version of VSA, the version an MSP installs and runs on its own servers rather than Kaseya’s hosted (SaaS) version. It’s still unknown exactly how many MSPs were hit. But the clients of each affected MSP were hit by ransomware, and those clients typically have many, many endpoints. So the number of affected endpoints could easily be in the tens of thousands.

Kaseya has been fairly transparent about what is going on, posting updates on its incident page: Updates Regarding VSA Security Incident. But even if you weren’t part of this attack, you’re still at risk, because other criminals are using it as an opportunity: they send phishing emails and make phone calls to companies claiming to be Kaseya representatives who want to help. They try to convince you to install software to “stop” an attack or “prevent you from being attacked”, but that software is malware itself.

At this point, it is worth saying this again: If you receive an email or phone call that causes you to have an emotional response about your computer, STOP. Hang up. Don’t click. Call someone that you know, your IT folks, to find out if it is legitimate.
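One way to triage the kind of lure described above, as an added example that is not part of the show notes or of any Kaseya or CISA tool: the script below scores a raw e-mail for the tell-tale signs of a vendor-impersonation message (a sender domain that imitates the vendor’s, a display name that claims the vendor while the address does not, a Reply-To pointing somewhere else, link text that shows one site while the link goes to another, a link or attachment that is an executable, and “install this now to stop the attack” language). The trusted-domain list, the two sample messages and the regexes are constructed for the demo, and it uses only the Python standard library.

```python
"""Score a raw e-mail for signs of a vendor-impersonation lure.

Added example for these show notes, not code from Kaseya, CISA or the podcast.
It does not detect the ransomware itself; it flags the kind of "we're from
Kaseya, install this fix" message criminals sent after the incident.
TRUSTED_DOMAINS, the sample messages and the regexes are constructed for the demo.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"kaseya.com"}          # brand(s) a lure would impersonate (demo assumption)
EXEC_EXT = (".exe", ".msi", ".scr", ".js", ".vbs", ".bat", ".ps1", ".hta")
URGENCY = re.compile(r"immediately|urgent|within \d+ hours|(stop|prevent) (an |the |this )?attack", re.I)
ANCHOR = re.compile(r'href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the .com-style hosts used here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as kasaya.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonates(domain: str) -> str | None:
    """Return the trusted brand that a non-trusted domain imitates, else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.split(".")[0].replace("-", "").replace("_", "")
    for brand in TRUSTED_DOMAINS:
        name = brand.split(".")[0]
        if name in label or edit_distance(name, label) <= 2:   # kaseya-update.com, kasaya.com
            return brand
    return None


def triage(raw: str) -> dict:
    """Return {'score': n, 'reasons': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(addr.split("@")[-1]) if "@" in addr else ""

    brand = impersonates(from_dom)
    if brand:
        reasons.append(f"sender domain {from_dom} imitates {brand}")
    for b in TRUSTED_DOMAINS:                       # display name claims a brand the address lacks
        if b.split(".")[0] in display.lower() and from_dom != b:
            reasons.append(f"display name claims {b} but address is @{from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registered_domain(reply.split("@")[-1]) != from_dom:
        reasons.append("Reply-To goes to a different domain than From")

    for part in msg.walk():
        ctype = part.get_content_type()
        fn = part.get_filename() or ""
        if fn.lower().endswith(EXEC_EXT):
            reasons.append(f"executable attachment: {fn}")
        if ctype not in ("text/plain", "text/html"):
            continue
        text = part.get_payload(decode=True).decode(errors="replace")
        if URGENCY.search(msg.get("Subject", "") + "\n" + text):
            reasons.append("urgency / 'install this to stop the attack' language")
        if ctype == "text/html":
            for href, shown in ANCHOR.findall(text):
                target = registered_domain(urlparse(href).hostname or "")
                shown_host = urlparse(shown.strip()).hostname if "://" in shown else None
                if shown_host and registered_domain(shown_host) != target:
                    reasons.append(f"link text shows {shown_host} but points to {target}")
                if urlparse(href).path.lower().endswith(EXEC_EXT):
                    reasons.append(f"link downloads an executable: {href}")
    reasons = list(dict.fromkeys(reasons))        # dedupe, keep order
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample: a piggyback lure of the kind described in the show notes.
LURE = """\
From: "Kaseya Security Team" <alerts@kaseya-update.com>
Reply-To: helpdesk@secure-mailbox.net
To: admin@clinic.example
Subject: URGENT: install the VSA hotfix to stop the attack
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your VSA agents are exposed. Install the fix immediately:</p>
<a href="http://kaseya-update.com/VSA-Hotfix.exe">https://helpdesk.kaseya.com/hotfix</a>
"""

# Constructed sample: a plain status note from the customer's own MSP.
BENIGN = """\
From: "Acme IT Support" <support@acme-it.example>
To: admin@clinic.example
Subject: Status update on the Kaseya incident
Content-Type: text/plain; charset="utf-8"

Our RMM is still offline. We will call you from our main number before any change.
No action is needed on your side; do not install anything sent by email.
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN)):
        result = triage(sample)
        print(f"{name}: score {result['score']}", *("  - " + r for r in result["reasons"]), sep="\n")
```

The score is a triage aid, not a verdict: a real vendor notice can legitimately say “patch immediately”, so the function returns the list of reasons for a person to judge rather than a single pass/fail. It also says nothing about whether an attached or linked file is actually malicious; that is what the “call your IT folks” rule above is for.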

[17:49] On Kaseya’s update site, they have a timeline of the facts. Here are some of the interesting facts from the update site:

July 5, 2021 – 9:30 PM EDT

  • Our executive committee met this afternoon at 6:30 PM EDT to reset the timeline and process for bringing our SaaS and on-premises customers back online.
    • The Patch for on-premises customers has been developed and is currently going through the testing and validation process. We expect the patch to be available within 24 hours after our SaaS servers have been brought up.
    • The current estimate for bringing our SaaS servers back online is July 6th between 2:00 PM – 5:00 PM EDT. A final go/no-go decision will be made tomorrow morning between 8:00 AM EDT – 12:00 AM EDT. These times may change as we go through the final testing and validation processes.

July 6, 2021 – 10:00 PM EDT

During the VSA SaaS deployment an issue was discovered that has blocked the release. Unfortunately, the VSA SaaS rollout will not be completed in the previously communicated timeline. We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service. We will be providing a status update at 8AM US EDT.

July 7, 2021 – 8:00 AM EDT

As communicated in our last update, unfortunately, during the deployment of the VSA update an issue was discovered that has blocked the release. We have not yet been able to resolve the issue. The R&D and operations teams worked through the night and will continue to work until we have unblocked the release. We will provide a status update at 12:00 PM US EDT.

July 7, 2021 – 12:00 PM EDT

VSA SaaS Update

During the VSA SaaS deployment an issue was discovered that has blocked the release. We are resolving the issue that is related to our SaaS infrastructure and we plan on beginning to restore SaaS services no later than the evening of Thursday July 8th US time.

Here is what is interesting. Kaseya said early on that the attack only affected the on-premises software, so why take down the SaaS (software as a service, or cloud) version? Kaseya’s own explanation was that shutting down SaaS was a precaution. Yet three days later the SaaS version still isn’t back up, which suggests they found problems with it too. (For reference, this podcast was recorded on Fri, July 9th.) As of 9am Friday morning, no date has been given for when the SaaS version will come back. They have, however, published a “run book” so customers can prepare for the steps to take once it returns to service. The on-prem patch is reportedly scheduled for release on Sun, July 11th.

The good news is that it seems, from reading private forums, a lot of MSPs and vendors are pulling together to help one another; some vendors even offering free use of their software tools and platforms until others can get theirs back online.

[27:47] CISA and the FBI released guidance that was also pushed out by OCR to their privacy and security list. The guidance was directed towards MSPs and their customers.

CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack | CISA

Among other things, CISA and the FBI urge affected MSPs to

Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.

CISA and the FBI also recommend MSP customers affected by this attack take immediate action to implement a few cybersecurity best practices as well. They make a note to say that these “actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.”

Here are the best practices that CISA and the FBI recommend to affected MSP customers:

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • Principle of least privilege on key network resources admin accounts.

[31:59] Initially I thought the attackers got the timing wrong, because usually they launch early in the morning of a holiday weekend, yet news of this attack started coming out on Friday afternoon (July 2nd). It turns out, according to reports from Krebs on Security and SecureWorld (two of the sources I trust for solid information on incidents like this), that Kaseya had been alerted to several vulnerabilities in its software, had already patched some of them, and was frantically working on the one this attack used. The attackers likely realized that Kaseya was close to patching the vulnerability they were exploiting and launched the attack early, before the fix could ship.

So, as of our recording of this episode, the problem at Kaseya is not solved. It does appear there was no exfiltration of data, which is a good thing. But Kaseya is still trying to figure out whether to pay the 70 million dollar ransom. Kaseya’s CEO has, however, said the company will provide direct financial assistance to MSPs that have been crippled by these criminals. So that’s some encouraging news.

Here are a few more articles that we used as references for this podcast, in case you might want to check them out for yourself.

VSA SaaS Startup Guide – July 7, 2021 – Kaseya

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software – Krebs on Security

Ransomware as a service: Negotiators are now in high demand

Kaseya ransomware attack updates: Your questions answered

Kaseya’s Race to Patch Ends in Ransomware Attack

Piggyback Hack: Criminals Preying on Kaseya Attack

Believe it or not, we do hate to talk so much about ransomware, but it is getting worse. It is not getting better. It’s best to have an open line of communication with your MSP vendor or internal IT team. Don’t wait on them to contact you and let you know how things are going. Reach out to them. Demand it even. Don’t just assume that your MSP has it all covered. Be a proactive participant in your organization’s security program.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
