CISA continues to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. Kaseya has released guidance specifically for customers returning to their VSA software-as-a-service (SaaS) instance after the Kaseya SaaS servers are brought back online. Note: See Kaseya’s Security Notice for the status of their SaaS servers being brought back online.

CISA strongly recommends that Kaseya SaaS customers read and implement Kaseya’s VSA SaaS Best Practices, published in Kaseya’s Security Notice, before returning to their Kaseya VSA SaaS instance. These mitigations include:

  • Review system configurations to confirm administrative user accounts leverage multi-factor authentication (MFA). Note: Kaseya enables MFA by default.
  • Implement:
    • The principle of least privilege on admin accounts for key network resources. Restrict VSA SaaS instances to authorized users based on the principle of least privilege.
    • Network segmentation between the SaaS and on-premises environments.
    • Allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
  • Configure logging to ensure that all Kaseya SaaS product audit logs (including System logs and Remote Control/Live Connect VSA logs) and associated network logs are captured and stored for at least 180 days in a separate, centralized log aggregation capability.
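
One way to verify the allowlisting recommendation from captured network logs is to audit every flow that reaches an RMM interface against the approved IP address pairs. This is an added example, not code from CISA or Kaseya; the flow record layout, the documentation-range addresses, and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed allowlist of (source network, RMM destination) pairs.
ALLOWED_PAIRS = [
    ("198.51.100.0/28", "203.0.113.10"),  # admin VPN egress -> RMM admin interface
    ("192.0.2.25/32", "203.0.113.10"),    # jump host -> RMM admin interface
    ("192.0.2.25/32", "203.0.113.11"),    # jump host -> second RMM interface
]
# Constructed list of RMM interface addresses that the allowlist protects.
RMM_HOSTS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]

# Constructed flow records in an assumed "timestamp src dst dport" layout.
SAMPLE_FLOWS = """\
2021-07-12T09:14:02Z 198.51.100.5 203.0.113.10 443
2021-07-12T09:15:40Z 192.0.2.25 203.0.113.11 443
2021-07-12T09:17:11Z 198.51.100.77 203.0.113.10 443
2021-07-12T09:20:03Z 192.0.2.25 203.0.113.12 443
not-a-flow-record
"""

def compile_allowlist(pairs):
    """Parse each pair once into (network, address) objects."""
    return [(ipaddress.ip_network(s), ipaddress.ip_address(d)) for s, d in pairs]

def is_allowed(src, dst, allowlist):
    """A flow passes only if source AND destination match the same pair."""
    return any(src in net and dst == host for net, host in allowlist)

def audit_flows(text, pairs, rmm_hosts):
    """Return (violations, malformed_line_numbers) for flows that reach RMM hosts."""
    allowlist = compile_allowlist(pairs)
    rmm = {ipaddress.ip_address(h) for h in rmm_hosts}
    violations, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            ts, src, dst, _port = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            # Report unparseable records instead of silently dropping them.
            malformed.append(lineno)
            continue
        if dst in rmm and not is_allowed(src, dst, allowlist):
            violations.append((ts, str(src), str(dst)))
    return violations, malformed

if __name__ == "__main__":
    bad, skipped = audit_flows(SAMPLE_FLOWS, ALLOWED_PAIRS, RMM_HOSTS)
    for ts, src, dst in bad:
        print(f"{ts} flow outside allowlist: {src} -> {dst}")
    print(f"malformed records at lines: {skipped}")
```

Matching on the pair rather than on source or destination alone is what catches the fourth record: an approved jump host reaching an RMM interface it was never paired with.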

For additional information about this incident, see the White House statement and the joint CISA-FBI guidance.