Happy 4th of July

The Wall Street Journal reports tonight that

On Sunday evening, roughly 1,000 people—mostly essential workers and military families—gathered on the White House’s South Lawn. It was covered with red, white and blue decorations and dotted with festive tables and signs that read “America’s Back Together.” The crowd listened to military bands and dined on burgers, chicken sandwiches and pulled pork.

Mr. Biden struck an optimistic tone in his remarks, noting that Americans were gathering and celebrating for the holiday. However, he emphasized the lives lost and acknowledged that the virus hasn’t been defeated yet, urging people to get vaccinated.

“Do it now, for yourself, for your loved ones, for your community and for your country,” he said. “While the virus hasn’t been vanquished, we know this: It no longer controls our lives, it no longer paralyzes our nation, and it’s within our power to make sure it never does again.”

True that.

However, while grateful for our great country, the principal reason why the FEHBlog is posting tonight is to supplement yesterday’s post on the “REvil * * * attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates to systems on computer networks, according to security researchers and VSA’s maker, Kaseya Ltd.” The Journal reports that “REvil is a well-known purveyor of ransomware—malicious software that locks up a victim’s computer until a digital ransom is paid, typically in the form of bitcoin. This latest attack appears to be its largest ever. The incident may have infected as many as 40,000 computers world-wide, according to cybersecurity experts.”

Here is a link to “CISA-FBI Guidance for Managed Service Providers (MSP) and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack”:

CISA and FBI recommend affected MSPs:

  • Download the Kaseya VSA Detection Tool. This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present.
  • Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
  • Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
  • Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
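As an added illustration of the allowlisting item above (not part of the CISA-FBI guidance or of this blog), here is a small Python check that reads firewall-style log lines and reports any connection to the RMM server whose source/destination pair is not on the approved list. The addresses, the log format, and the function names are constructed for the example; substitute your own RMM address, approved source networks, and log parser.

```python
import ipaddress

# Constructed allowlist of (source network, RMM destination address) pairs.
# The addresses are documentation ranges chosen for this example, not real infrastructure.
ALLOWED_PAIRS = [
    ("203.0.113.0/24", "198.51.100.10"),    # MSP operations network -> RMM server
    ("198.51.100.50/32", "198.51.100.10"),  # dedicated admin jump host -> RMM server
]

# Constructed sample log lines in a generic key=value firewall/proxy format.
# Line 3 comes from an unknown source; line 4 talks to an unapproved destination;
# the last two lines are malformed and are skipped or flagged as shown below.
SAMPLE_LOG = """\
2021-07-03T10:01:02Z src=203.0.113.45 dst=198.51.100.10 dport=443 action=accept
2021-07-03T10:01:07Z src=198.51.100.50 dst=198.51.100.10 dport=443 action=accept
2021-07-03T10:02:19Z src=192.0.2.77 dst=198.51.100.10 dport=443 action=accept
2021-07-03T10:03:44Z src=203.0.113.45 dst=198.51.100.11 dport=443 action=accept
2021-07-03T10:04:01Z src=not-an-ip dst=198.51.100.10 dport=443 action=accept
malformed line without any fields
"""


def build_allowlist(pairs):
    """Turn (network string, host string) pairs into ip_network/ip_address objects."""
    return [
        (ipaddress.ip_network(src, strict=False), ipaddress.ip_address(dst))
        for src, dst in pairs
    ]


def is_allowed(src, dst, allowlist):
    """True only if the (src, dst) pair matches an approved pair.

    Anything unparseable is treated as not allowed: an allowlist should
    fail closed rather than let odd input slip through.
    """
    try:
        s = ipaddress.ip_address(src)
        d = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(s in net and d == host for net, host in allowlist)


def parse_line(line):
    """Extract key=value fields; return None if src or dst is missing."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    if "src" not in fields or "dst" not in fields:
        return None
    return fields


def find_violations(log_text, pairs=ALLOWED_PAIRS):
    """Return (src, dst) tuples for every line that is not on the allowlist."""
    allowlist = build_allowlist(pairs)
    violations = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # no src/dst at all, nothing to evaluate
        if not is_allowed(fields["src"], fields["dst"], allowlist):
            violations.append((fields["src"], fields["dst"]))
    return violations


if __name__ == "__main__":
    for src, dst in find_violations(SAMPLE_LOG):
        print(f"RMM connection outside allowlist: {src} -> {dst}")
```

The same (source network, destination host) pairs can be expressed as firewall rules with a default deny; the script is the monitoring side, useful for confirming that the rules actually hold and for spotting management-plane traffic that should not exist.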

CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customers who do not currently have their RMM service running due to the Kaseya attack.

CISA and FBI recommend affected MSP customers:

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • Principle of least privilege on key network resources admin accounts.