Kaseya VSA Hack
On Friday, a popular IT tool called Kaseya VSA was hacked. The attack used a “zero day” vulnerability, meaning a flaw that was previously unknown to the cyber-security industry and so had no patch available. Kaseya VSA is a Remote Monitoring and Management (RMM) tool used by many IT firms, especially Managed Service Providers (MSPs) like Advanced Data. Thankfully we had retired our Kaseya server prior to this attack, but I can’t help but think “What if?” If our management tools were to get hacked, not only would Advanced Data be at risk, but our clients would be at risk as well!
There are common-sense steps to securing an RMM, such as keeping the RMM patched, having backups and choosing strong passwords. Beyond these, the following additional steps should be taken.
Tips on How to Best Protect RMMs Against Future Zero Day Vulnerabilities
1. Enable multi-factor authentication (MFA) on all user accounts! This is a mandatory step to prevent user accounts from being abused. Some MSPs are publicly reporting that they had MFA on their user accounts and still got hacked. In the coming days we will know for certain whether MFA prevented some Kaseya clients from being hacked.
2. On the firewall protecting the RMM, enable a Web Application Firewall (WAF) to protect against common website attack techniques such as cross-site scripting (XSS), SQL injection, and other known HTTP attacks.
3. Similar to #2, use an Intrusion Prevention System (IPS) in front of the RMM. An IPS can detect common attack patterns and stop them before they reach the server.
4. If possible, use geo-fencing rules on the firewall protecting the RMM. If the technicians who access the RMM are all in a specific country, then only allow management access from that country. If possible, only allow agent check-ins from that country as well!
5. Disallow management access to the RMM except via a VPN client. This could potentially eliminate the need for options 2-4, since the RMM would not be directly accessible from the internet. However, this option is not always possible if the RMM is multi-tenanted and has many different clients managing agents.
What can RMMs do to further secure their applications?
- RMMs should employ safeguards for mass scripting. For example, if a single user account attempts to push out a script to 10 or more devices in an hour, then re-trigger MFA to ensure that the scripts are coming from a real person rather than an automated attack.
- RMMs should employ a script approval process. Tech accounts shouldn’t be able to run scripts that haven’t first been approved by another designated person. Once a human has deemed the script acceptable and safe, it can be approved for use in the script library.
- If the RMM is handling backups, then MFA should be re-triggered for any operation that would cause backups to be deleted or overwritten.
- RMMs should have a mechanism to ensure new user accounts are approved by a human. This would prevent a zero day from being used to create an account for hackers, complete with their own MFA.
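To make the two re-authentication rules above concrete, here is a small step-up MFA policy written for this post as an added example (it is not Kaseya’s or any RMM vendor’s code). It holds a script push for MFA once one account has targeted 10 or more distinct devices in a trailing hour, and always gates backup deletion or overwrite. The action names, the per-user sliding window and the `mfa_passed` reset are my assumptions.

```python
from collections import defaultdict, deque

# Thresholds from the post: 10 or more devices per user within one hour.
SCRIPT_DEVICE_LIMIT = 10
WINDOW_SECONDS = 3600

# Assumed action names; these two are always gated by a fresh MFA prompt.
ALWAYS_STEP_UP = {"backup.delete", "backup.overwrite"}


class StepUpPolicy:
    """Decides whether an RMM action must be held for a fresh MFA prompt."""

    def __init__(self, device_limit=SCRIPT_DEVICE_LIMIT, window=WINDOW_SECONDS):
        self.device_limit = device_limit
        self.window = window
        # Per-user sliding window of (timestamp, device_id) script targets.
        self._pushes = defaultdict(deque)

    def _prune(self, user, now):
        """Drop script targets older than the window for this user."""
        q = self._pushes[user]
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def requires_mfa(self, user, action, now, device_ids=()):
        """Return True if `action` by `user` at time `now` needs step-up MFA.

        Script pushes are recorded first, so the push that brings the count of
        distinct devices in the trailing window to the limit is the one held.
        """
        if action in ALWAYS_STEP_UP:
            return True
        if action != "script.push":
            return False
        self._prune(user, now)
        q = self._pushes[user]
        for device in device_ids:
            q.append((now, device))
        distinct = {device for _, device in q}
        return len(distinct) >= self.device_limit

    def mfa_passed(self, user):
        """Assumed reset: a successful MFA challenge clears the user's window."""
        self._pushes[user].clear()
```

The distinct-device set means re-pushing to the same machine does not inflate the count, while the time-based prune lets normal maintenance resume after the hour passes.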
Fiercely Protecting RMMs is a Necessary Evil
Some of these items might feel like a hassle or overbearing to techs and RMM admins, but events like the Kaseya hack prove they are necessary. The security checks at airports are a hassle to all passengers, but we understand that the greater good is at stake and we accept the measures. Protecting RMMs must take on a similar level of urgency and should become accepted as necessary by all.
Comment below if there are other steps that can be taken to protect RMMs!