Kaseya Ransomware Attack: Lessons Learned and 15 things you can do NOW

The ransomware attack on Kaseya hit roughly 1,500 businesses, using MSPs as the delivery mechanism. How can you better protect your company's and your clients' infrastructure against similar attacks?

As a result of the recent Kaseya ransomware attack, and the mistakes leading up to the breach, all MSPs, Solution Providers and Channel Partners are likely to face far-reaching consequences going forward. Clients are already beginning to scrutinize their relationships with their service providers.

You may be asking: what did Kaseya do wrong? How can you, as a Solutions Provider or MSP, effectively minimize the risk of future cyberattacks? How can you demonstrate your cybersecurity efforts to your clients? And how can you help your customers reduce their own risk of a cyberattack?

Read on for what happened with Kaseya, the impact of the attack, and the precautions you can take to reduce exposure and keep your clients protected.

About the Kaseya Attack


Earlier this month (July 2021), the Russia-based REvil (Sodinokibi) ransomware group unleashed one of the most widespread ransomware attacks to date, affecting upwards of 1,500 organizations in more than a dozen countries and demanding $70 million in Bitcoin for a universal decryptor to unlock victims' data.


Kaseya provides IT management software for MSPs, including VSA, a remote monitoring and management (RMM) product that controls networks and endpoints from a central server. The attackers exploited a zero-day authentication bypass in the internet-facing VSA web interface (CVE-2021-30116, one of several VSA flaws the Dutch Institute for Vulnerability Disclosure had reported to Kaseya before the attack) to obtain an authenticated session, then chained it with file-upload and code-injection flaws to run their own code on the VSA server. From there they used VSA's own agent management features to push a malicious "hot-fix" procedure to every managed endpoint, which dropped the ransomware payload. In other words, the MSPs' software delivery and patching supply chain became the attackers' delivery mechanism to the end clients.


Because the VSA server automates IT tasks, the agent on every managed device trusts it by design: an attached client runs whatever procedure the server hands it, without question. Whoever controls the server therefore has privileged access to every one of the MSP's customers. Estimates put the number of affected MSPs at between 50 and 60, with roughly 800 to 1,500 businesses down the chain.


Incident Response Planning

What is the best way to keep a cyberattack from turning into a full breach? With the rise in ransomware activity, organizations of all sizes are directly in the path of attack. It is essential for everyone in IT and information security to have an effective, tested incident response and disaster recovery plan, so that if and when an incident occurs they are prepared to recover, resume business operations, and minimize the damage.


Client Security Proactive Preparedness

As a Service Provider, there are a number of things you can do for the end customer to reduce the likelihood and the impact of an attack on your clients' IT infrastructure.


  1. Deploy protection tools.  Ensure your client has appropriate endpoint, network, server, cloud, mobile and email protection in place.
  2. Install patches and updates as soon as they become available, prioritizing internet-facing systems.
  3. Use multi-factor authentication wherever possible.
  4. Evaluate your external and internal attack surface by performing vulnerability scanning regularly.
  5. Ensure that your client protects internet-facing applications with a Web Application Firewall (WAF) to detect and block known attack patterns and anomalous requests.
  6. Deploy dynamic IP blocking (rate limiting and temporary bans on repeated authentication failures) to strengthen the first line of defense and protect authentication endpoints.
  7. Create redundancy.  Consider separate remote monitoring solutions, one for your critical server infrastructure and another for your workstations. This adds some overhead, but it means the compromise of one tool does not hand an attacker everything at once.
  8. Collect log files from all systems, especially business-critical ones.  Centralize those logs and feed them into threat detection and response tooling so that alerts are raised promptly.
  9. Implement access control.  Regularly verify that your client has the proper controls in place: limit admin privileges to as few accounts as possible, rotate shared and service-account credentials (and any credential suspected of exposure), and reduce the number of access points you need to monitor.
  10. If your organization needs on-premises servers that are internet-facing, put a WAF in front of them as an additional layer of defense.
  11. Backups.  More attacks are inevitable.  Make sure you have robust disaster recovery procedures in place to reduce the impact of a breach.  Test your backup and recovery regularly and confirm you are meeting your own SLAs for recovery time and success rate.  Keep offsite or otherwise network-detached copies, and make sure you know exactly who has access to them.
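Item 11 says to test backup and recovery regularly and to measure the result against your own SLA. As an added example (not code from the original article and not Kaseya's), the Python below runs a restore drill: it backs up a constructed sample tree into a tar.gz together with a SHA-256 manifest, restores the archive into a scratch directory, compares every restored file against the manifest, and checks the elapsed time against an assumed recovery-time objective. The file names, contents and the four-hour RTO are assumptions.

```python
"""Added example (not the article's or Kaseya's code): a backup restore drill
that verifies restored files against a SHA-256 manifest and an RTO target."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

RTO_SECONDS = 4 * 3600  # assumed recovery-time objective from the SLA


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, archive):
    """Write src into a tar.gz; return the manifest, which should be stored
    separately from the archive (a tampered archive must not carry its own proof)."""
    manifest = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return manifest


def restore_drill(archive, manifest, rto_seconds=RTO_SECONDS):
    """Restore into a scratch directory and verify; never touches production paths."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                # The "data" filter refuses absolute paths and ".." traversal
                # (Python 3.12+ and security backports); fall back on older versions.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        restored = build_manifest(scratch)
    elapsed = time.monotonic() - start
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    ok = not (missing or extra or corrupted) and elapsed <= rto_seconds
    return {"ok": ok, "elapsed": elapsed, "missing": missing,
            "extra": extra, "corrupted": corrupted}


def run_drill_demo():
    """Back up a constructed sample tree, run a clean drill, then run the same
    drill against a manifest with one altered hash to show corruption being caught."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("-- constructed sample dump\n")
        (src / "config.yml").write_text("rmm_agents: 42\n")
        archive = Path(work) / "nightly.tar.gz"
        manifest = create_backup(src, archive)
        clean = restore_drill(archive, manifest)
        tampered = dict(manifest, **{"config.yml": "0" * 64})  # simulated silent corruption
        bad = restore_drill(archive, tampered)
    return clean, bad


if __name__ == "__main__":
    clean, bad = run_drill_demo()
    print("clean drill:", clean)
    print("tampered manifest:", bad)
```

Run this on a schedule against a real archive and a real manifest, and alert on any result where `ok` is false or `elapsed` creeps toward the RTO; a drill that only checks the archive exists tells you nothing about whether it restores.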

How can MSPs, Channel Partners and Solution/Service Providers Prepare?

In addition to everything you would do to help a client prepare, take extra precautions to ensure that the tools you use to serve your customers are not themselves compromised, so that a Kaseya-type situation does not happen to you.


  1. Ask your vendors what their disaster recovery/incident response plan is and when it was last tested. Do they hold SOC 2 Type II, ISO 27001, FedRAMP or a similar attestation that documents how they safeguard customer data and how well those controls are operating?
  2. Adopt a patch management process that follows industry-standard guidance, including installing new patches as soon as they become available.
  3. Require multi-factor authentication for every privileged user, if not every user, and apply the principle of least privilege throughout.
  4. Use allow-listing to restrict access to remote monitoring and management (RMM) interfaces to authorized IP addresses, and keep the administrative interface off the open internet wherever the product allows it.
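Item 4 here, together with items 6 and 8 of the client checklist above, comes down to one loop over the management console's access log: count authentication failures per source address, block sources that exceed a threshold, and flag management-plane requests from outside the allow-list. As an added example (not code from the original article and not Kaseya's), the Python below runs those checks over constructed nginx/Apache "combined" access-log lines and renders the resulting blocks as nftables commands. The `/login`, `/admin` and `/api/agent` paths, the allow-listed 203.0.113.0/24 range, the five-failures-in-five-minutes threshold, and the `inet filter blocklist` set are all assumptions.

```python
"""Added example (not the article's or Kaseya's code): log-driven dynamic IP
blocking and management-plane allow-list checks for an internet-facing console."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx/Apache "combined" format; the request line yields method and path.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

AUTH_PATHS = {"/login"}                                      # assumed login endpoint
ADMIN_PREFIXES = ("/admin", "/api/agent")                    # assumed management-plane paths
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]   # assumed MSP office range
FAIL_THRESHOLD = 5                                           # failures per source IP ...
WINDOW = timedelta(minutes=5)                                # ... inside this sliding window

# Constructed sample log: a brute-force run that eventually succeeds and then
# reaches the admin plane, a user who mistypes twice, and a legitimate admin.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2021:03:14:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Jul/2021:03:14:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Jul/2021:03:14:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Jul/2021:03:14:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Jul/2021:03:14:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Jul/2021:03:14:06 +0000] "POST /login HTTP/1.1" 200 2048 "-" "curl/7.68.0"
198.51.100.7 - - [10/Jul/2021:03:14:07 +0000] "GET /admin/procedures HTTP/1.1" 200 4096 "-" "curl/7.68.0"
192.0.2.9 - - [10/Jul/2021:03:20:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2021:03:20:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2021:03:21:00 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2021:03:25:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def analyze(lines):
    """Run the three checks over an iterable of log lines and return the findings."""
    failures = defaultdict(deque)   # ip -> timestamps of recent auth failures
    blocked = {}                    # ip -> time the block was triggered
    admin_violations = []           # (ip, path) for management requests outside the allow-list
    success_after_burst = []        # ips that logged in right after a burst of failures
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ipaddress.ip_address(ev["ip"])
        # Check 1: the management plane is reachable only from allow-listed ranges.
        if ev["path"].startswith(ADMIN_PREFIXES) and not any(ip in net for net in ADMIN_ALLOWLIST):
            admin_violations.append((ev["ip"], ev["path"]))
        if ev["path"] not in AUTH_PATHS:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > WINDOW:   # drop failures outside the window
            recent.popleft()
        if ev["status"] in (401, 403):
            # Check 2: too many failures inside the sliding window triggers a block.
            recent.append(ev["ts"])
            if len(recent) >= FAIL_THRESHOLD and ev["ip"] not in blocked:
                blocked[ev["ip"]] = ev["ts"]
        elif ev["status"] == 200 and len(recent) >= FAIL_THRESHOLD:
            # Check 3: a success after a burst of failures is the event to page on.
            success_after_burst.append(ev["ip"])
    return {"blocked": blocked, "admin_violations": admin_violations,
            "success_after_burst": success_after_burst}


def nft_commands(blocked):
    """Render blocks as nftables set additions (table 'inet filter', set 'blocklist' assumed)."""
    return [f"nft add element inet filter blocklist {{ {ip} }}" for ip in blocked]


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG.splitlines())
    for key, value in findings.items():
        print(f"{key}: {value}")
    for cmd in nft_commands(findings["blocked"]):
        print(cmd)
```

On the sample data the brute-forcing host is blocked on its fifth failure, but note that the block comes too late to stop the sixth request, which succeeds; that is why the success-after-burst finding and the out-of-allow-list admin request matter more than the block itself. Pair the allow-list check with an actual firewall rule rather than relying on detection alone.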

Enlist the help of a Cybersecurity Expert

Whether you or one of your clients is actively dealing with a potential breach or assessing overall exposure, Coquina can help.  Building on years of security engineering, operations, and penetration testing experience, we have developed numerous automations, integrations, and processes that keep a security program streamlined, accurate, and cost-effective.  We pride ourselves on our highly technical competencies, which span all facets of cybersecurity.  Our experts can help protect your and your clients' hardware, software and networks from cybercriminals.  Our most requested security services include:


  • Security Assessment – identify vulnerabilities, risks and your current level of preparedness
  • Penetration Testing – identify exploitable vulnerabilities and misconfigurations
  • Security Operations (SecOps) – monitoring and management of security systems and processes
  • Security Engineering – incorporate security controls into the operational capabilities of your systems


Need additional help?  Download our Security and Cyber Risk Services Brief or contact a Coquina representative to discuss your security needs.