CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.
CISA and FBI recommend affected MSPs:
CISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today in Health it, the story is FBI guidance on the Kaseya ransomware attack. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of this week in Health IT at channel dedicated to keeping health IT staff current and engaged. I wanna thank our sponsor for today's Sears Healthcare.
They have been a phenomenal sponsor for a little over a year now, and they are committed to our mission of developing the next generation of health leaders. I. And we really appreciate them. If you believe in our mission as they do and wanna support the show, please shoot me a note at partner at this week in health it.com.
All right, here's today's story. There's a ransomware event that is active and going on right now as we speak. Lemme give you some of the details. Kaseya Cassia, I think it's probably Cassia International is a company that provides IT solutions, including VSA, which is a unified remote monitoring and management tool for handling networks and endpoints.
The the firm's software is designed with enterprise and managed service providers in mind, and Cassia says that over 40,000 organizations worldwide use at least one of their software solutions. And they are a. Provider primarily to MSPs and which, you know, serve other companies. So they are central to a wider software distribution supply chain.
So here's what happened. There was an attack they took over this thing. So this is a distribution system, so Cassia. Distributes patches and fixes and other things to systems. So it requires a secure connection through that secure connection. If that's infiltrated, you end up with a significant domino effect.
And here is, let's see, I'm reading this from ZDNet. So, uh, the FBI described the incident succinctly as a supply chain ransomware attack, leveraging a vulnerability in Cassia VSA software against multiple MSPs and their customers. Hunts has tracked 30 MSPs involved in the breach and believe with high confidence that the attack was triggered via an authentication bypass vulnerability.
And the Cassia VSA web interface according to the cybersecurity firm. This allowed the attackers to circumvent authentication controls, gained an authentication session, uploaded malicious payload, and executed command via SQL injection achieving code execution in the process. Kyle Han Slobin, CEO, and founder of Huntress told attendees of a webinar discussing the technical aspects of the attack on July 6th, that the threat actors responsible were crazy efficient.
There's no proof that the threat actors had any idea of how many businesses they targeted through VSA. Angela Lovin commented adding that the incident seemed to be shaped. More due to a race against time. Some of the functionality of the VSA server is deployment of software and automation of it. Task Sophos noted As such, it has a high level of trust on customer devices by infiltrating the VSA server, any attached client.
We'll perform whatever tasks the VSA server requests. Without question. This is likely one of the reasons why Cassia was targeted security expert. Kevin Beaumont said that ransomware was pushed via an automated fake and malicious software update using Cassia VSA, dubbed Cassia VSA agent Hot Fix. The fake updates then deployed across the estate, including on MSP client systems.
As it is a fake management agent update. Beaumont commented, this management agent updated is actually Reil, R-E-V-I-L, ransomware. To be clear, this means organizations that are not cassia customers we're still encrypted, alright? And they go on to talk about a bunch of this stuff, and you can find these stories everywhere.
What I want to get to is the FBI guidance on this. Four health systems, and this comes from the cybersecurity command and FBI, and they're giving us a couple things to do. One is there's a Cassia VSA detection tool. Download that and run that tool to analyze your systems. Second thing, enable and enforce multifactor authentication on every single account that is under control of the organization.
That should be pretty common these days in healthcare. If you're not doing that, you're a couple steps behind. So I would . Get on that. And yes, it is not a satisfier for physicians or clinicians in using the system, but multifactor authentication is a must in any security implementation at this point. Uh, third thing, implement, allow listing to limit communication with remote monitoring and management capabilities known as IP address pairs.
And or place administrative interfaces of RMM behind a virtual private network or firewall on a dedicated administrative network. That's probably a little above my pay grade, but for the most part, what they're trying to do is limit the ability for the malware to communicate back to the mothership. And so you create these routes that make it harder for them to get across.
The note goes on to recommend. This is again from the cybersecurity command and FBI. For those affected MSP customers ensure backups are up to date and stored in an easily retrievable location that is air gapped from the organization network. We should be there already as healthcare organizations as well, knowing what we know about what happened at Sky Lakes, what happened at Scripps as well.
So this should just be common practice for us today. . Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available. And then finally implement multi-factor authentication, which they already talked about, so you can get these guidelines.
Chime also sent out something today to get in front of this. My only, so what on this is know what's going on. Be a part of a community that is discussing these things. Get early. Information on them get plugged in. So that's, that's the first thing I would say. The second thing I would say is if I were a CIO today, much like in wartime, I would probably have a cabinet meeting every morning with my Minister of Defense, which in your case is your chief Information Security officer.
I would be talking to them every morning. What happened last night? What happened yesterday? Give me an update. What are we doing? What are the plans and where are we going? If you have investments, and I've talked to some CIOs that are doing this, if you have investments planned over the next five years in cybersecurity, ratchet 'em all back up.
Make sure that they're getting implemented over the next year, year and a half, two years. And that will mean going to the board, getting some additional dollars. But if you can't get additional dollars for cybersecurity right now, I'm not sure you're ever gonna be able to get that money. 'cause this is the time where everybody in the country is very aware of what's going on in cybersecurity and if you put together a solid plan and make a good
Presentation, you should be able to get more dollars or at least accelerated dollars to put the right things in place today to make sure that you're ahead of it. So that's the so what, be aware of what's going on and try to get ahead of it. So that's all for today. If you know of someone that might benefit from our channel, please forward them a note.
They can subscribe on our website this week, health.com or wherever you listen to podcasts. Apple, Google Overcast, Spotify, Stitcher. You get the picture. We are everywhere, but not on your servers. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders, VMware Hillrom, Starbridge Advisors, McAfee and Aruba Networks.
Thanks for listening. That's all for now.