Protect your Credit Union from this Ransomware Attack with these Four Action Items
Bad actors never stop; neither does your credit union's cybersecurity. Here is the incident response launchpad for your security team.
A recently reported ransomware attack was executed against the Kaseya VSA product (https://www.zdnet.com/article/kaseya-ransomware-supply-chain-attack-what-you-need-to-know/). The product allows for remote management of client machines. It is used by some enterprises but mainly by Managed Service Providers (MSPs) to manage environments for their clients. First and foremost, please know that Pure IT Credit Union Services DOES NOT use this product internally or in any client environment.
This attack continues to highlight for us the need to take continuous action on our cybersecurity. CISA and the FBI have published guidance for MSPs and their customers responding to this attack (https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa). Some suggested actions to help your security team are below:
- Download the Kaseya VSA Detection Tool.
- Analyze and determine if any Indicators of Compromise (IoCs) are present.
- Enable and enforce Multi-Factor Authentication (MFA) on every single account that is under the control of the organization. Encourage all of your employees to do the same thing on their personal accounts as well. And to the maximum extent possible, enable and enforce MFA for all member-facing services.
- Implement allowlisting to limit communications with Remote Monitoring and Management (RMM) tools, such as Kaseya, to known IP address pairs and place administrative interfaces of RMM tools behind a Virtual Private Network (VPN) or a firewall on a dedicated administrative network.
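The allowlisting item above can be checked against your own firewall or flow logs. The following is an added example in Python, not code from the original post, CISA or Kaseya: it flags agent-port connections between address pairs that are not on the allowlist, and any access to the RMM administrative interface from outside the dedicated admin network. The addresses, log format, agent port and admin network are placeholders assumed for the example.

```python
"""Audit connection logs for RMM traffic outside the allowlisted address pairs."""
import ipaddress
import re

# Assumed values: RFC 5737/1918 placeholder addresses and an assumed agent port;
# substitute your own endpoints, RMM server and the product's documented port.
RMM_AGENT_PORT = 5721
# Known (managed endpoint, RMM server) pairs allowed to talk on the agent port.
ALLOWED_PAIRS = {
    ("192.0.2.10", "198.51.100.5"),
    ("192.0.2.11", "198.51.100.5"),
}
# The RMM administrative interface may only be reached from the dedicated admin network.
ADMIN_IFACE = ("198.51.100.5", 443)
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")
# Constructed key=value log format; real firewall exports differ, so adjust the regex.
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+action=(\w+)")


def audit(lines):
    """Return (finding, src, dst, action) tuples for connections that break the policy."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a record we understand; skip rather than guess
        src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # Any agent-port conversation outside a known pair is suspect, whether the
        # firewall allowed it or only logged a blocked attempt.
        if dport == RMM_AGENT_PORT and (src, dst) not in ALLOWED_PAIRS:
            findings.append(("rmm-unallowlisted-pair", src, dst, action))
        # Admin interface reached from outside the admin network bypasses the VPN/firewall control.
        if (dst, dport) == ADMIN_IFACE and ipaddress.ip_address(src) not in ADMIN_NET:
            findings.append(("admin-iface-outside-admin-net", src, dst, action))
    return findings


# Constructed sample log lines covering the normal and the violating cases.
SAMPLE_LOGS = [
    "src=192.0.2.10 dst=198.51.100.5 dport=5721 action=ALLOW",  # known pair: fine
    "src=192.0.2.99 dst=198.51.100.5 dport=5721 action=ALLOW",  # unknown endpoint to RMM server
    "src=192.0.2.10 dst=203.0.113.7 dport=5721 action=DENY",    # known endpoint to unknown server
    "src=10.10.0.20 dst=198.51.100.5 dport=443 action=ALLOW",   # admin from admin network: fine
    "src=203.0.113.50 dst=198.51.100.5 dport=443 action=ALLOW", # admin interface hit from outside
    "src=192.0.2.10 dst=198.51.100.5 dport=80 action=ALLOW",    # unrelated port: ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS):
        print(*finding)
```

Each finding is a pair your security team should either add to the allowlist deliberately or treat as a lead for the IoC investigation described below.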
This incident is another example of a supply chain attack, very similar to the SolarWinds breach, where a bad actor was able to exploit a flaw in the VSA software to launch a ransomware attack against the clients of Kaseya's customers. Though only a limited number of Kaseya customers (60 reported at this point) were breached by this attack, that still represents over 1,500 downstream client environments, each of which could represent many end nodes. These clients range in size from very small companies to an 800-location Swedish grocery store chain. Additionally, some credit unions have reported being among those affected (https://www.cutoday.info/Fresh-Today/CUs-Reportedly-Among-Those-Hit-In-Widespread-Ransomware-Attack). Others may yet find themselves among the affected or remain at risk of being affected.
It is unlikely that many credit unions would be direct customers of Kaseya, but if a credit union receives services from any Managed Service Provider (MSP), there is a chance that it could be affected. Kaseya has released tools to help detect the presence of this exploitable software on your network. There are tools to scan both the Kaseya VSA server and the endpoints for the presence of Indicators of Compromise.
Every credit union should investigate whether it is affected by this event. Our examiners and auditors are not just looking to see that we have an Incident Response Framework and Plan but that we have actually used it. Take the time to understand the situation, investigate, and then document the findings as an Incident. If you find no Indicators, that is great news! Document that and prepare an Incident Report that shows that you have investigated and responded appropriately. However, if you do find Indicators of Compromise, then your plan can take you in other directions to respond appropriately.
As always, please consult with your security officer on the specifics of your credit union environment. Should you have any questions, our CISO team is standing by to serve you. Please contact us at 281-378-7737 or email our CISO team at firstname.lastname@example.org if you have any questions or need assistance.