CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attacks which leverage a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers.
SecurityMetrics does NOT use any Kaseya VSA software in our environment. We strongly encourage all SecurityMetrics clients that use Kaseya VSA software in their environment to follow the guidance from CISA and the FBI below.
CISA and FBI recommended guidance:
- Contact Kaseya at support@kaseya.com with the subject “Compromise Detection Tool Request” to obtain and run Kaseya's Compromise Detection Tool available to Kaseya VSA customers. The tool is designed to help MSPs assess the status of their systems and their customers' systems.
- Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and—to the maximum extent possible—enable and enforce MFA for customer-facing services.
- Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or
- Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
- All businesses are encouraged to stay extra vigilant for any unusual traffic on these ports:
  - VSA by default uses ports 443 and 5721.
  - Port 443 is used for the Web Interface.
  - The Agent Check-in port default is TCP port 5721.
  - SQL uses port 1433 by default.
  - Kaseya Live Connect feature uses UDP Port 5721.
- Currently, Kaseya is indicating that this is impacting a number of on-premises customers and is advising them to shut down their VSA servers until further notice from the vendor.
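
One way to act on the allowlisting and port-monitoring items above, as an added example (not CISA, FBI, Kaseya or SecurityMetrics code): flag firewall log entries on the listed VSA ports whose source and destination are not a known pair. The log format, addresses and allowlist entries are assumptions constructed for the example.

```python
import ipaddress

# Default ports named in the guidance above, keyed by (protocol, port).
VSA_PORTS = {
    ("tcp", 443): "VSA web interface",
    ("tcp", 5721): "agent check-in",
    ("udp", 5721): "Kaseya Live Connect",
    ("tcp", 1433): "SQL",
}
net, host = ipaddress.ip_network, ipaddress.ip_address
# Assumed allowlist of known pairs: (source network, destination host, service).
# All addresses are RFC 5737 documentation ranges, constructed for this example.
ALLOWED = [
    (net("198.51.100.0/28"), host("192.0.2.10"), ("tcp", 443)),    # admin network
    (net("198.51.100.16/28"), host("192.0.2.10"), ("tcp", 5721)),  # managed agents
    (net("192.0.2.10/32"), host("192.0.2.11"), ("tcp", 1433)),     # VSA to its database
]
# Constructed log in a hypothetical format: time proto src sport dst dport action
SAMPLE_LOG = """\
10:00:01 tcp 198.51.100.5 51514 192.0.2.10 443 ALLOW
10:00:02 tcp 203.0.113.77 40022 192.0.2.10 443 ALLOW
10:00:03 tcp 198.51.100.20 49800 192.0.2.10 5721 ALLOW
10:00:04 udp 203.0.113.77 40100 192.0.2.10 5721 ALLOW
10:00:05 tcp 203.0.113.9 50000 192.0.2.11 1433 DENY
10:00:06 tcp 192.0.2.10 50123 192.0.2.11 1433 ALLOW
10:00:07 tcp 203.0.113.77 40023 192.0.2.10 22 ALLOW
malformed line
"""

def unexpected_vsa_traffic(log_text):
    """Return (time, src, dst, service, action) for VSA-port flows off the allowlist."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed lines instead of failing the whole run
        ts, proto, src, _sport, dst, dport, action = fields
        try:
            key = (proto.lower(), int(dport))
            src_ip, dst_ip = host(src), host(dst)
        except ValueError:
            continue  # unparsable port or address
        known = any(src_ip in n and dst_ip == h and key == svc for n, h, svc in ALLOWED)
        if key in VSA_PORTS and not known:
            findings.append((ts, src, dst, VSA_PORTS[key], action))
    return findings

if __name__ == "__main__":
    for ts, src, dst, service, action in unexpected_vsa_traffic(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst} [{service}] firewall action: {action}")
```

Entries reported with action `ALLOW` are the ones to review first, since they show traffic from an unlisted source that the firewall let through.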