On July 2, IT management software vendor Kaseya confirmed that a supply chain ransomware attack had compromised its VSA remote management software, affecting about 50 of its direct MSP customers and up to 1,500 downstream organizations served by those MSPs. Because VSA is used to remotely administer endpoints, a compromised VSA server gives attackers the ability to run code on every machine it manages. Kaseya shut down its VSA SaaS service and told customers to shut down their own on-premises VSA servers. The ransomware was delivered as a fake VSA agent update pushed from compromised VSA servers, which installed REvil ransomware; the REvil group is behind a number of recent high-profile ransomware attacks.
This is the second major cyberattack on an IT management software vendor and its customers, following the SUNBURST attack, which used trojanized SolarWinds Orion IT monitoring and management updates to spread malware to corporate and government networks around the world, affecting an estimated 18,000 Orion customers. That attack, thought to have begun as early as spring 2020, was detected in December 2020.
Since we have received many questions from customers about these attacks, we have prepared the following FAQ to describe our product security posture and to offer guidance on preventing similar cyberattacks.
- Has OpsRamp been impacted by ransomware attacks related to Kaseya?
No, OpsRamp has not been impacted by the Kaseya ransomware attack. We have performed a thorough review of our security processes and controls in light of this attack and have not observed any security risk or anomalies across our IT operations platform.
- Is OpsRamp using any software that could be vulnerable to this type of attack?
OpsRamp does not use either SolarWinds or Kaseya software anywhere in its infrastructure.
- What immediate actions has OpsRamp taken in response to this latest attack?
OpsRamp has taken the following steps to strengthen its security posture:
- We reviewed the current firewall, anti-malware, and antivirus logs and confirmed there are no unexplained exceptions or alerts.
- We communicated with partners who have Kaseya implementations in their network.
- We validated that we have no active Kaseya integrations in our customer network.
- What would you recommend we do to protect our clients from this attack?
OpsRamp recommends that customers and partners take the following actions:
- Shut down Kaseya VSA servers, as per vendor advice (see the Kaseya and MSSPAlert advisories).
- Review any exceptions across your Security Information and Event Management (SIEM) systems, trace any unusual traffic, and inventory and validate every Kaseya installation in your environment.
- Over the coming days, rigorously follow vendor advice on mitigating the attack. At the time of writing, few details are known about the exact cause of the compromise.
- Beware of phishing attacks that push fake updates to any of your software applications or SaaS services. Validate any update with your software provider or partner before installing it, and make sure your employees are up to date on cybersecurity training.
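The advice above to validate every update before installing it, and the digitally signed on-premises components mentioned under the controls question below, rest on one mechanism: the agent checks each update against a vendor signing key pinned locally and refuses anything that does not verify. The following Go program is an added example written for this page; it is not Kaseya's, REvil's or OpsRamp's code. The update layout (a detached Ed25519 signature over the SHA-256 of the package), the function names and the sample payloads are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned for any update whose signature does not
// verify against the pinned vendor key: a tampered payload, a signature
// made with a different key, or a malformed signature.
var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned vendor key")

// packageDigest is what gets signed: the SHA-256 of the full update bytes.
func packageDigest(pkg []byte) []byte {
	d := sha256.Sum256(pkg)
	return d[:]
}

// VerifyUpdate is the agent-side check. pinnedPub is the vendor's Ed25519
// public key shipped with the agent (assumption: delivered out of band,
// never fetched from the update channel itself).
func VerifyUpdate(pinnedPub ed25519.PublicKey, pkg, sig []byte) error {
	if len(pinnedPub) != ed25519.PublicKeySize {
		return errors.New("pinned key has wrong length")
	}
	if !ed25519.Verify(pinnedPub, packageDigest(pkg), sig) {
		return ErrBadSignature
	}
	return nil
}

// signUpdate is the vendor-side step. In a real release pipeline the private
// key lives in an HSM or a signing service, never on the update server.
func signUpdate(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, packageDigest(pkg))
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample: a genuine hotfix signed by the vendor.
	genuine := []byte("agent-hotfix-1.2.3\n<constructed benign update payload>")
	sig := signUpdate(vendorPriv, genuine)
	fmt.Println("genuine update:      ", VerifyUpdate(vendorPub, genuine, sig))

	// Attack 1: the attacker swaps in a malicious payload but replays the
	// vendor's signature from a real update.
	tampered := append(append([]byte{}, genuine...), []byte("\n<constructed malicious dropper>")...)
	fmt.Println("tampered payload:    ", VerifyUpdate(vendorPub, tampered, sig))

	// Attack 2: the attacker signs the malicious payload with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed:     ", VerifyUpdate(vendorPub, tampered, signUpdate(attackerPriv, tampered)))

	// Attack 3: garbage in the signature field.
	fmt.Println("malformed signature: ", VerifyUpdate(vendorPub, genuine, []byte("not a signature")))
}
```

The three rejected cases are the shapes a fake update can take: a replaced payload, a signature from a key the agent does not trust, and no real signature at all. Two caveats matter in practice. The pinned key only helps if it reaches the agent separately from the update channel, otherwise an attacker who controls that channel simply ships their own key alongside their payload. And signature checks do not help when the vendor's own build or signing pipeline is compromised, which is exactly what SUNBURST exploited: the trojanized Orion updates carried a valid SolarWinds signature.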
- What controls does OpsRamp have in place to avoid these kinds of attacks?
OpsRamp regularly reviews its build and deployment processes to identify gaps and exceptions and addresses any such anomalies as a priority:
- All components that are deployed on-premises are digitally signed and security assessments are performed for every new release.
- All of our cloud components are regularly tested for vulnerabilities. We also have robust SIEM controls in place.
- We conduct regular third-party audits to assess any security and process gaps.
- All of our development and deployment systems have mandatory two-factor authentication enabled.
- All servers are patched on a regular schedule and antivirus signatures are kept current.
- Attack surface monitoring is in place for all our external assets to identify any unusual behavior.
All of this comes in addition to OpsRamp’s traditional controls over updates, our rigorous vulnerability scans during QA, and the fail-safes we provide to our customer environments. We engineer our entire platform to be safe, secure, and trustworthy. In an era of considerable threats to data, that’s what you should come to expect from your software.