Kaseya Rules Out Supply-Chain Attack:

Kaseya BMS is a business management solution (BMS) built specifically to help MSPs spend less time on non-revenue-generating tasks like billing and project management.

A Professional Services Automation platform, Kaseya BMS provides an easy-to-use interface without compromising on the level of depth and customization required to meet the various business objectives of different teams. Kaseya BMS is equipped with solutions for: project management, CRM, time tracking and billing, inventory, finance and billing, and service desk.

What is Kaseya?

Kaseya is software that provides a single framework for maintaining your company's IT policies and helps you manage your remote endpoints. It gives you the ability to monitor the situation, apply patches to enhance the security of your IT infrastructure, and control endpoint systems remotely.

Kaseya software solves a challenge many systems administrators have faced when maintaining a network of PCs. There is always that employee who tries to circumvent the firewall so they can watch DIY videos, and dire warnings have done little to discourage the practice. Install the Kaseya Agent and this problem becomes a thing of the past.

What is Kaseya VSA?

Kaseya VSA is a remote monitoring and management (RMM), endpoint management and network monitoring solution.

Kaseya’s state-of-the-art technology offers visibility and control of remote and distributed PC environments within one integrated IT management solution. Developed with the technician experience in mind, Kaseya VSA provides an RMM/endpoint management experience with all essential IT management functions in a single pane of glass.

With Kaseya VSA you can:

  • Discover and monitor all your assets; view endpoint connectivity in the network topology map
  • Automate software patch management
  • Automate common IT processes and auto-remediate incidents
  • Leverage remote endpoint management to quickly resolve issues.

U.S. technology firm Kaseya, which is firefighting the largest ever supply-chain ransomware strike on its VSA on-premises product, has ruled out the possibility that its codebase was tampered with without authorization to distribute malware.

While initial reports raised speculations that the ransomware gang might have gained access to Kaseya’s backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a never-before-seen security vulnerability (CVE-2021-30116) in the software was leveraged to push ransomware to Kaseya’s customers.

On Sunday, the prolific cybergang known as REvil posted a message to a hacker forum taking credit for the attack. The message stated:

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70 000 000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour. If you are interested in such deal – contact us using victims “readme” file instructions.” – REvil.

According to a detailed analysis of the REvil attack by Kaspersky, the gang (also known as the Sodinokibi ransomware gang) has been active since April 2019, after the GandCrab cybergang disbanded. “REvil ransomware has been advertised on underground forums for three years and it is one of the most prolific Ransomware as a Service (RaaS) operations,” researchers wrote.

CISA and FBI Offer Guidance

In a statement released by the FBI on Saturday, the agency announced a coordinated investigation of the attack with CISA.

“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities,” according to a security alert.

The following day the FBI updated its guidance, encouraging impacted companies to follow newly developed mitigations and report the attack to the agency.

“If you feel your systems have been compromised as a result of the Kaseya ransomware incident, we encourage you to employ all recommended mitigations, follow guidance from Kaseya and the Cybersecurity and Infrastructure Security Agency (CISA) to shut down your VSA servers immediately, and report your compromise to the FBI at ic3.gov.”

Mitigation recommendations posted by CISA include:

  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
  • Implement allow listing to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
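The allow-listing recommendation above (limit RMM traffic to known IP address pairs) can be audited from access logs. The following is an added example, not code from CISA or Kaseya: it checks constructed log lines against a list of allowed (source network, VSA server) pairs and counts administrative-interface requests that fall outside it. The log format, the `/vsa/admin/` path prefix, and all addresses are assumed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Allow list of known (source network, VSA server address) pairs. Constructed
# placeholder values; a real deployment lists its own technician networks and
# the address of its on-premises VSA server.
ALLOWED_PAIRS = [
    (ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_address("192.0.2.10")),
    (ipaddress.ip_network("203.0.113.0/28"), ipaddress.ip_address("192.0.2.10")),
]

# Constructed sample lines in an assumed "timestamp src dst path status" shape.
SAMPLE_LOG = """\
2021-07-02T14:01:05Z 10.20.0.15 192.0.2.10 /vsa/admin/login 200
2021-07-02T14:02:11Z 198.51.100.77 192.0.2.10 /vsa/admin/login 200
2021-07-02T14:02:40Z 198.51.100.77 192.0.2.10 /vsa/admin/agent-procedure 200
2021-07-02T14:03:02Z 203.0.113.5 192.0.2.10 /vsa/admin/login 200
2021-07-02T14:04:19Z 10.20.0.15 192.0.2.11 /vsa/admin/login 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_allowed(src: str, dst: str) -> bool:
    """True if the (source, destination) pair matches an allow-listed pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net and d == server for net, server in ALLOWED_PAIRS)


def find_unexpected_admin_access(log_text: str) -> Counter:
    """Count admin-interface requests per (src, dst) pair not on the allow list."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, src, dst, path, _status = m.groups()
        if path.startswith("/vsa/admin/") and not is_allowed(src, dst):
            hits[(src, dst)] += 1
    return hits


if __name__ == "__main__":
    for (src, dst), n in find_unexpected_admin_access(SAMPLE_LOG).items():
        print(f"{n} admin request(s) from {src} to {dst} outside the allow list")
```

Any pair reported here is either a missing allow-list entry or traffic that the firewall or VPN placement in the next recommendation should have blocked.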

On Sunday, President Joe Biden ordered U.S. intelligence agencies to investigate the ransomware attack.

Biden said he and other U.S. agencies were “not certain” who was behind the attack. “The initial thinking was it was not the Russian government but we’re not sure yet,” he said.