Kaseya Ransomware Attack: 10 Things MSPs Must Do To Protect Themselves
From scrutinizing the security of acquired assets and pen testing software development environments to limiting how much access MSPs have to customers, here’s what Black Hat 2021 attendees said MSPs should do following the Kaseya ransomware attack.
Avoid Connecting To Vulnerable Ports
Kaseya’s VSA RMM tool suffered from an open port, meaning that, after conducting reconnaissance, the adversary was able to access the vulnerable area with a special key and compromise a small subset of its MSP and end-user customers, according to Splunk Security Strategist Ryan Kovar. Customers of MSPs had no way to defend against this since the hackers came in through a trusted method, he said.
Once adversaries got onto the MSP’s machine, they engaged in typical hacker behavior that MSPs should be able to detect, Kovar said. MSPs also must employ cyber hygiene practices such as avoiding connections to vulnerable ports. An RMM agent installed on a customer’s machine is the ultimate Trojan horse, since customers invite MSPs into their network to do monitoring and administration, Kovar said.
“In my belief, those [the RMM tools] are the crown jewels of an MSP because they provide God-like access to customers, and they should be defended as such,” Kovar said. “You’re never going to win all the time, but you can certainly slow hackers down to a point where you can detect them more easily.”