KASEYA INCIDENT RESPONSE August 9, 2021 - CU*Answers


KASEYA INCIDENT RESPONSE
August 9, 2021
CONFIDENTIAL

CONTENTS

INCIDENT OVERVIEW ........................................ 3
GENERAL TIMELINE SUMMARY ................................. 4
INCIDENT DETAILS ......................................... 5
AUDITLINK COMMUNICATION WITH OTHER VENDORS ............... 7
RESPONSE TO MICHIGAN DIFS ................................ 8
CALL WITH KASEYA ......................................... 9
WHAT WOULD CU*ANSWERS HAVE DONE IF AFFECTED? ............. 9
LIMITATIONS WITH VENDOR RISK MANAGEMENT .................. 10
COMMUNICATIONS WITH CLIENTS .............................. 10

Kaseya Incident Response Page 2 of 16

DATE(S) OF INCIDENT: July 2, 2021 – July 23, 2021
DATE OF REPORT: August 9, 2021
SENSITIVE DATA EXPOSED? NO

INCIDENT OVERVIEW

On Friday, July 2, CU*Answers received a communication from Kaseya stating all Kaseya clients should shut down their Kaseya VSA Remote Monitoring and Management (RMM) systems. Kaseya VSA is a primary product CU*Answers uses to monitor and manage client and CU*Answers workstations, though not the only one. After confirming the validity of the communication, CU*Answers shut down all Kaseya VSA systems on the network.

Disabling Kaseya VSA affected CU*Answers’ monitoring of its internal infrastructure and that of our managed clients. While Kaseya VSA remained disabled in anticipation of remediation from Kaseya, CU*Answers continued to provide managed services through other tools or used workarounds whenever possible. CU*Answers also followed guidance provided by the vendor and from external resources such as CISA. CU*Answers prepped the Kaseya VSA systems in accordance with this guidance in anticipation of the patches. CU*Answers reached out to our critical vendors asking whether they were affected by this event. Our team also responded to an inquiry from the State of Michigan Department of Insurance and Financial Services.

On July 11, CU*Answers was able to restore Kaseya VSA services for both internal and managed clients. To ensure appropriate security was in place for clients, CU*Answers developed a plan with Kaseya to allow clients remote access through VPN connectivity only. Between July 14 and July 23, CU*Answers worked with clients on an individual basis to create the necessary VPN infrastructure to allow remote access.

In addition to the details of CU*Answers’ response below, CU*Answers has included some additional information and opinions regarding this incident. These include:

- AuditLink’s communication with our critical vendors.
- CU*Answers’ response to the Michigan Department of Insurance and Financial Services inquiry.
- A recap of our post-mortem call with Kaseya.
- A brief description of our general response if the CU*Answers network is affected by ransomware.
- An opinion on the role and limitations of vendor risk assessments regarding service provider and supply chain incidents.

Please reach out to our teams if you have further questions.

GENERAL TIMELINE SUMMARY

As this was a highly complex event, the following is a basic timeline of events and responses to this incident:

DATE                    EVENTS AND RESPONSES

July 2, 2021
- Kaseya notifies CU*Answers of the ransomware attack.
- CU*Answers confirms validity of the notification and shuts down the Kaseya products. CU*Answers activates its Incident Response Protocol. CU*Answers follows guidance from Kaseya, the FBI, and CISA regarding responses to this attack.
- CU*Answers notifies clients of the incident and the powering off of the Kaseya systems.
- CU*Answers performs a manual review of indicators of compromise based on information available through the press and online communities.

July 4, 2021
- CU*Answers receives a tool from Kaseya to test whether the Kaseya VSA system was compromised. The tool reported no evidence of compromise.
- CU*Answers receives a tool from Trend Micro, our Anti-Malware provider. CU*Answers runs an aggressive scan, and the tool reported no evidence of compromise.

July 6, 2021
- CU*Answers receives a new tool from Kaseya to test for compromise. CU*Answers runs the new tool, and again receives a report of no evidence of compromise.
- CU*Answers provides clarification on what services were impacted by the Kaseya outage, and what services are still fully functional for managed clients.
- AuditLink sends out a request to CU*Answers’ critical vendors asking whether their services were impacted by the Kaseya event. No vendor reported an impact.
- CU*Answers receives an inquiry from the Michigan DIFS asking whether CU*Answers was impacted by the Kaseya attack.

July 7, 2021
- CU*Answers receives instructions on how to prepare Kaseya VSA systems for the patch and spends the next few days prepping the systems in anticipation of the patch.

July 8, 2021
- CU*Answers responds to the Michigan DIFS inquiry.
- CU*Answers notifies clients of a two-step plan to re-enable Kaseya systems after patching.

July 11, 2021
- Kaseya releases the patch for the vulnerability. CU*Answers immediately applies the patch and performs recommended hardening of the devices. Kaseya VSA systems were brought back online the same day. Per the plan announced on July 8, CU*Answers did not turn on client access immediately. Otherwise, managed client support was returned to normal.

July 13, 2021
- CU*Answers announces the plan to allow access to the Kaseya VSA Management GUI through VPN access from each client’s own network only. CU*Answers reaches out to each individual client to explain the process for creating this new access control.

July 14 – July 23, 2021
- CU*Answers works with individual clients to bring up remote access to the Kaseya VSA system through VPN.

July 23, 2021
- CU*Answers has a conference call with Kaseya to discuss the event, lessons learned, and provide additional information on future support and security enhancements.

INCIDENT DETAILS

On Friday, July 2, the notorious cyber-criminal gang known as REvil used a vulnerability to attack on-site Kaseya VSA systems with the intent to distribute ransomware to clients. The attack date of July 2 was almost certainly chosen intentionally to catch victims off-guard before the Fourth of July U.S. holiday. At 2:58 PM ET, several blast emails were sent by Kaseya, and the CU*Answers Accounting Team promptly notified our Internal Audit Team. Internal Audit communicated with Network Services, and the Network Services Team rallied the key players to determine the validity of the communication and responses. CU*Answers shut down all Kaseya systems by 3:20 PM ET. Notification to clients went out the same day at 4:15 PM ET. On the same day, CU*Answers did a manual review of known/rumored indicators of compromise (accounts and procedures) based on information in the press/community. No evidence of compromise was found, and as it turned out, the reports from the press and various communities were later confirmed to be accurate.

Because this incident affected a service provider, CU*Answers could not remediate this issue on our own. Our Incident Response Protocol dictated we engage as follows after shutting down the Kaseya systems:

1. Review all systems to determine whether client or internal CU*Answers assets had been compromised.
2. Contact vendors of other network security controls to determine what options CU*Answers would have if additional layered controls were needed.
3. Provision services to clients and review service alternatives during the time Kaseya VSA was offline.
4. Pressure Kaseya into posting updates on the status of their remediation.
5. Update clients on the status.

On Sunday, July 4, our teams received the tool from Kaseya to test systems for compromise. CU*Answers checked each system to determine whether there was evidence of vulnerability. CU*Answers performed the testing and determined no systems were affected by this attack. Kaseya systems were taken back offline once the test was completed.

In addition, Network Services leveraged tools from our Anti-Malware provider, Trend Micro. Network Services ran an aggressive scan of all systems on July 4, and there was no evidence of compromise in CU*Answers or managed client networks.

On Tuesday, July 6, Kaseya offered additional tools to detect vulnerability. CU*Answers ran these new tools the same day, and these tools also returned no evidence of compromise.

CU*Answers Network Services continued to provide service to clients and the network during the outages. Services that were provided through Kaseya were audited, and we determined what services could be provided manually or through other vendors and systems. The service impact to managed clients and to CU*Answers’ own network was as follows:

Managing Microsoft Windows Systems. Kaseya is not the only network management tool we use for managing client networks, but it is a primary one for Microsoft Windows systems. For Microsoft Windows systems, unavailable services included an inability to gather system log files, some system status/availability alerting was not active, automation was not available, and the ability for CU*Answers to remote into systems proactively for maintenance was not available. Details on the impacted services included the following:

Daily Checks
- Kaseya Server Alarms (low disk alarms, Kaseya events, etc.) – Alarm Monitoring module in Kaseya
- SAN & Virtualization checks (VMHosts, SAN health) – Kaseya Network Monitoring module in Kaseya
- Machines Missing Trend – View in Kaseya’s Manage Agents module

Weekly Checks
- Weekly Server Report verification – generated & delivered via Kaseya
- Failed Logon Report, Patch Management Report review – generated & delivered via Kaseya
- Workstations missing Kaseya agents
- Ensure all PCs are in proper OU – Requires remoting onto client’s DC
- PCs assigned a LAN Cache – LAN Caches assigned via Kaseya
- No Errors Deploying 3rd Party Software – Kaseya-generated report
- Machines assigned to a 3rd Party Patching Profile – 3rd Party Profiles built in Kaseya
- Ensure machines have AV installed – No discovery built into Trend for missing AV

All client checks not listed had established workarounds and were completed on schedule.

All Other Infrastructure. Network Services was still able to execute and monitor critical services such as communications to CU*Answers, managed hosting, firewalls/remote access systems, endpoint security and backup services.

At the same time, CU*Answers continued to follow FBI/CISA/Kaseya guidance on managing this incident. On July 7, Kaseya distributed an On Premises VSA Startup Readiness Guide to CU*Answers and other Kaseya clients. Over the next few days CU*Answers went through the steps to prepare the systems for the Kaseya patch, as described in the Readiness Guide. The seven steps included the following:

Step 1 – Ensure your VSA server is isolated
Step 2 – Check your System for Indicators of Compromise (IOC)
Step 3 – Patching the Operating Systems of the VSA Servers
Step 4 – Using URL Rewrite to control access to VSA through IIS and Firewall Rules
Step 5 – Install FireEye Agent
Step 6 – Remove Pending Scripts/Jobs
Step 7 – VSA SQL Database Assessment

CU*Answers was advised not to start up our VSA Application until this VSA patch was applied.

Acting in accordance with Kaseya instructions, CU*Answers announced to clients on July 8 a two-step process for reactivating Kaseya systems after patching. The first step was CU*Answers Network Services access to VSA, including restoration of all agent functions at credit unions. The second step was client access to VSA systems.

On July 11, Kaseya released the patches to CU*Answers for immediate implementation. CU*Answers applied those updates the same day, as well as performing additional system hardening recommended by Kaseya. In accordance with other recommended guidelines, CU*Answers also put additional controls in place to further reduce the network footprint of the environment. CU*Answers received assurances that by patching and hardening, the system was now safe to operate. Therefore, CU*Answers brought Kaseya VSA services online, and returned managed client support to normal.

CU*Answers also announced that client access into the environment would remain disabled while Network Services addressed minor functionality issues and confirmed with Kaseya the best options for implementing client access in the most secure and convenient way possible.

By July 13, CU*Answers developed a secure approach in consultation with the vendor for remote client access. CU*Answers announced to clients that remote client access to Kaseya VSA required VPN access, and access to the Kaseya VSA management interface would now only be possible from a client’s own network. Network Services contacted each client individually to review the requirement and start the VPN configurations.
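As an added illustration, not code from CU*Answers or Kaseya, the following Python models the two post-incident controls this section describes: the VSA management interface being reachable only from the requesting client’s own VPN range, and a two-person approval gate on new agent procedures. The client names, VPN subnets, user names and procedure name are constructed for the example.

```python
"""Added example modelling the post-incident VSA access controls described in
this report; it is not Kaseya's or CU*Answers' code.  Client names, VPN subnets,
user names and the procedure name are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed per-client VPN ranges: each credit union reaches the VSA
# management GUI only through its own VPN tunnel.
CLIENT_VPN_RANGES: Dict[str, IPv4Network] = {
    "cu-alpha": ip_network("10.101.0.0/24"),
    "cu-beta": ip_network("10.102.0.0/24"),
}


def management_access_allowed(client_id: str, source_ip: str) -> Tuple[bool, str]:
    """Gate in front of the VSA management interface.

    A request is allowed only when its source address lies inside the VPN
    range assigned to the client it claims to be.  Everything else, internet
    addresses and other clients' VPN ranges alike, is refused.
    """
    net = CLIENT_VPN_RANGES.get(client_id)
    if net is None:
        return False, f"denied: unknown client {client_id!r}"
    addr = ip_address(source_ip)
    if addr in net:
        return True, f"allowed: {source_ip} is inside {client_id}'s VPN range {net}"
    for other, other_net in CLIENT_VPN_RANGES.items():
        if addr in other_net:
            return False, f"denied: {source_ip} belongs to {other}'s VPN range, not {client_id}'s"
    return False, f"denied: {source_ip} is not inside any client VPN range"


@dataclass
class AgentProcedure:
    """A new agent procedure, the mechanism the report says REvil used to push
    ransomware to endpoints.  It may not run until a second person approves."""
    name: str
    author: str
    approver: Optional[str] = None

    @property
    def runnable(self) -> bool:
        return self.approver is not None


def approve_procedure(proc: AgentProcedure, approver: str) -> Tuple[bool, str]:
    """Two-person rule: whoever authored the procedure cannot also approve it,
    so one compromised VSA credential is not enough to make it runnable."""
    if proc.runnable:
        return False, f"already approved by {proc.approver}"
    if approver == proc.author:
        return False, "denied: approver must be a different person than the author"
    proc.approver = approver
    return True, f"approved by {approver}"


def single_credential_scenario() -> bool:
    """An actor holding only the constructed 'vsa-admin' credential creates a
    procedure and tries to approve it with the same account.
    Returns whether the procedure became runnable."""
    proc = AgentProcedure(name="push-update.ps1", author="vsa-admin")
    approve_procedure(proc, "vsa-admin")  # refused: same identity as the author
    return proc.runnable


if __name__ == "__main__":
    print(management_access_allowed("cu-alpha", "10.101.0.25"))
    print(management_access_allowed("cu-alpha", "10.102.0.25"))
    print(management_access_allowed("cu-alpha", "203.0.113.9"))
    print("single credential made procedure runnable:", single_credential_scenario())
```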
In addition, a new feature is that dual approval is required to start using new agent procedures. A new agent procedure was how the REvil attack executed delivery of ransomware, so dual approval requires a second person to approve the agent procedure, rather than an attacker that may have already compromised VSA credentials.

On July 14, VPN access was built out for managed clients. SonicWall also offered a tool to assist with getting all clients connected with remote access to the Kaseya system. From July 14 to July 23, CU*Answers worked with clients on an individual basis to restore connectivity with the new VPN connection. After all clients were confirmed to be working, the incident was closed.

On July 23, CU*Answers also met with Kaseya to discuss the event, lessons learned, and future enhancements in light of the attack. The CU*Answers team also received individual technical support around the event to assist our team’s understanding of the event. A recap of the call is included below.

AUDITLINK COMMUNICATION WITH OTHER VENDORS

As we did with the Orion SolarWinds incident, AuditLink made inquiries to our critical vendors to determine if any were affected by this Kaseya issue. On July 6, the following inquiry was sent out:

Good afternoon,

We have recently been made aware of the Kaseya VSA Supply-Chain Ransomware Incident and are reaching out to critical vendors of CU*Answers as a part of our vendor management to determine the impact, if any, and the steps being taken for containment and remediation. If you or one of your vendors in your supply chain may have been impacted by this most recent compromise in some way, please let us know which system(s) or vendor(s) that would include and what impact you are able to ascertain at this time. We understand that a problem of this nature and scope may take time to fully identify and uncover, but even early information could be valuable in restoring the supply chain and providing security to clients.

No critical vendors responded that they were adversely affected by the Kaseya incident.

RESPONSE TO MICHIGAN DIFS

On July 6, CU*Answers received a communication from the State of Michigan Department of Insurance and Financial Services (DIFS) requesting information on whether we experienced an impact from the Kaseya event:

Dear CEOs,

As you are all aware, we are in the middle of another major ransomware incident. Below is information regarding the Kaseya incident and guidance provided by the Cybersecurity & Infrastructure Security Agency (CISA). CISA and the FBI are strongly urging organizations to follow the guidance below.

CISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware Attack (CISA)
Update Regarding VSA Security Incident (Kaseya)

Please continue to take prudent action to ascertain if you, or your vendors, have been impacted. Please let the Office of Credit Unions know as soon as possible if you have experienced or are anticipating an impact from this event.

As always, do not hesitate to contact me with any questions/concerns.

Regards,
Christopher M. Fournier, CISA, CSCUES, BSACS
Information Technology Manager
Office of Credit Unions
Michigan Department of Insurance and Financial Services

On July 8, CU*Answers responded as follows:

Good afternoon Mr. Fournier,

CU*Answers does use the affected Kaseya VSA products. Here is a timeline of activity around our response to this ongoing incident:

Friday – 7/2 1:30 PM – notified by Kaseya that we should shut these products down until further notice. We did so within 30 minutes and notified all of our credit union clients. Kaseya at this time listed 1) lack of admin access to the VSA console and 2) presence of a particular script as being signs of compromise. We reviewed systems and confirmed neither of these conditions were present.

Sunday – 7/4 – Kaseya published an IOC toolkit and procedure doc. We obtained this and, after removing VSA systems physically from the network, ran through the process, finding no indication of compromise. Trend Micro, our endpoint provider, also released signatures that would indicate compromise, and we ran those on CU*A and all managed client networks, finding no indications of compromise.

Tuesday – 7/6 – Kaseya updated their IOC tool and procedure. We repeated our testing with the same results: no indication of compromise.

Today – Kaseya released guidance to further harden these VSA servers, which we are confirming we have in place, in expectation of patch installation, which they are saying will be on Sunday.

Further, we are reviewing FBI/CISA guidance as we work through the process.

At this point we have told our CUs that we have no indication of compromise and we will keep our systems offline until Kaseya’s remediation is complete and a patch is available. While our credit unions are without the benefit of the Kaseya tool, we have carried forward critical management processes with workarounds to ensure oversight is maintained. We applied the out-of-band Microsoft patch last night and continue to monitor that situation as well.

Let me know what questions you have.

Matt Sawtell
CU*Answers Network Services
VP Managed Technology Services

Michigan DIFS acknowledged the response on July 13 and appreciated the detail in CU*Answers’ response to the inquiry.

CALL WITH KASEYA

On July 23, Kaseya had a call with CU*Answers to discuss the incident and response. Kaseya explained their plan was to update functionality around security and alerting. Kaseya believed this attack was a somewhat isolated incident, while not minimizing what happened to the 51 affected clients. Kaseya believes they are the most secure RMM out there as a result of this incident and response. Kaseya agreed to work with CU*Answers directly on some of the technical issues CU*Answers questioned during the incident to enhance our team’s technical knowledge. Kaseya was also asked to ensure they upgrade their incident response notification. CU*Answers has been promised additional details from Kaseya in a final report on the incident. CU*Answers will share what we can, under our current contract, once this report has been published.

WHAT WOULD CU*ANSWERS HAVE DONE IF AFFECTED?

CU*Answers could have been one of the victims attacked by REvil before the notification went out and the Kaseya systems were shut down. An obvious question is CU*Answers’ plan if our environment were affected by this or a future ransomware attack. While our response could potentially change depending on the actual circumstances of the attack, CU*Answers has both a recovery strategy and backups of critical systems to restore from. Core operations have real-time replication, while other important systems have encrypted backups transmitted to an offsite location. We would never promise a ransomware attack would not be disruptive to our operations, but we also believe CU*Answers is well positioned to recover. CU*Answers has had discussions with other service providers that had customers affected by ransomware to understand their approach, which has almost universally mirrored our disaster recovery plan.

CU*Answers has more information included in our knowledge base.

LIMITATIONS WITH VENDOR RISK MANAGEMENT

Another reasonable question concerns the CU*Answers vendor management response to this incident. In our opinion, Kaseya was responsive, clear, and timely with their communications and released tools to identify if systems had been compromised. Kaseya also worked diligently to get patches published and provide additional control recommendations. Kaseya was attacked because their offering is part of a service provider and supply chain system. Attacking service providers and the supply chain represents a “one to many” equation: successfully compromise one provider and attack everyone else down the chain. Criminal organizations and state-sponsored actors have learned that compromising a distributed service provider such as Orion SolarWinds changes the economics of the effort. Note that SolarWinds was a vastly different type of attack, where SolarWinds’ own source code was compromised. Kaseya’s attack was against a vulnerability that required patching. Our response would have been significantly different if Kaseya had suffered the same type of attack as SolarWinds.

Kaseya is not considered a critical vendor under CU*Answers’ vendor management program because CU*Answers does not provide Kaseya with sensitive information, and we can migrate to competitive products. CU*Answers maintained our core services internally and to managed clients even though Kaseya was unavailable for several days. Any attempt to reclassify and place additional due diligence on supply chain vendors has two significant limitations. First, deciphering the upstream vendors of contracted providers can be tricky or impossible. For example, a service provider could have several supply chain vendors as part of their infrastructure (Orion SolarWinds, SonicWall, AWS, etc.) that present these vulnerabilities. While AuditLink has done a great job reaching out to our critical vendors to see what their responses have been, as they did with Orion SolarWinds, not every vendor will provide us with reliable responses. There is no effective way for us to know, for example, whether critical patches or updates have been applied by our service providers.

The other serious limitation is that in many ways these attacks are vendor agnostic. The issue is not which vendor provides the service, but rather the nature of the service itself. For example, if you were to predict a network monitoring system that could be affected by a supply chain attack, Orion SolarWinds would be a likely target because Orion is one of the largest service providers with government and enterprise-level services. On the other hand, Kaseya is small, with just a fraction of the overall market share for automated IT management services. Kaseya is emphatically not a likely target for this kind of supply chain attack. So, while we can flag vendors that have a documented failure to update their systems with critical patches, provided they have a SOC report or other documentation, we do not have an effective way of predicting who might actually be a target. Going without a service such as Kaseya means patching must be done on a manual basis, which significantly increases the chance of human error. Attempting to develop our own product is time intensive and challenging, and not an option for systems that require physical hardware.

COMMUNICATIONS WITH CLIENTS

The initial communication and updates posted to CU*BASE Alerts regarding Kaseya were as follows:

July 2 Communication to Clients and Initial Kaseya VSA Communication

Clients,

CU*Answers received a notice from Kaseya today advising us to shut down our Kaseya VSA systems. We have followed the directions and have shut down all Kaseya VSA systems, as well as any network access to those systems as an added precaution. We have reviewed systems for indicators of compromise but have not found any.

The current impact will be that we cannot monitor your systems during this time and services such as remote desktop sharing and automated patching will be unavailable.

We will continue to monitor the situation with Kaseya for updates throughout this incident.

If you have any questions or concerns please let us know.

The notice CU*Answers received from Kaseya is below:

------------------

We are experiencing a potential attack against the VSA that has been limited to a small number of on-premises customers only as of 2:00 PM EDT today.

We are in the process of investigating the root cause of the incident with an abundance of caution, but we recommend that you IMMEDIATELY shut down your VSA server until you receive further notice from us.

It’s critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA.

We will be updating our support article at the link s/4403440684689

July 3 Communication

Good afternoon everyone – wanted to get an update out as we are at the 24-hour mark.

At this time our Kaseya systems remain offline and this will continue until we get some actionable information on the event.

We will continue to monitor the situation throughout the weekend and provide updates.

If you have any questions please let us know.

-----

You can read the most recent update from Kaseya /4403440684689

July 5 Communication

Good evening – here is what has happened since the last update on 7/3:

1) Kaseya released an IOC (Indication of Compromise) tool that would report the signs of compromise they’ve seen from affected installations across their user base. We were able to run it against our Kaseya implementations and the tool reported that none of those indicators were present on our systems.

2) Trend Micro released signatures that would indicate compromise at client sites. Our Trend Micro management console did not detect indicators present at any client sites.

3) Kaseya continues to update the timeline to recover their SAAS environment. Once that is complete, which they anticipate in the next 24 hours, they will start building out a release schedule for the patch we will need to apply to our systems.

We will continue to keep our systems offline. This will not affect your ability to use CU*Base or other line of business applications. It does mean that our ability to remotely monitor and manage your network, as well as automated patch application, will still be unavailable. We will have workarounds in place to provide remote support should you need it at open of business tomorrow.

We will continue to monitor the situation. If you have any questions please let us know.

You can continue to monitor Kaseya’s update /4403440684689

July 6 Communication

On the afternoon of Friday 7/2/21, we received notice from Kaseya, one of our network management tool vendors, that their software was being targeted by bad actors attempting to spread ransomware. Because attacks were actively taking place, Kaseya advised that their tools be shut down until they could develop and publish appropriate patches and mitigations. CU*Answers Network Services took immediate action to activate our Incident Response Plan and shut down our Kaseya management systems.

We have since been provided with a set of tools from Kaseya to determine if our systems were targeted by bad actors prior to shut down, and our results have been clean. At this point we have no indication that our systems were compromised by bad actors.

Service Impact: Kaseya is not the only network management tool we use for managing client networks, but it is a primary one for Microsoft Windows systems. For those and some others we are not able to gather system log files, some system status/availability alerting is not active, automation is not available, and our ability to remote into systems proactively for maintenance is not available. We are still able to execute and monitor critical services such as communications to CU*Answers, managed hosting, firewalls/remote access systems, endpoint security and backup services.

We are still here to serve you! CNS is still available to serve you during this time. We have alternate methods for assisting you during service calls. These methods may take a little longer than normal, or we may need your assistance such as jumping on a screen share through Zoom. We ask that you please be patient with us during this time until we are able to return all of our systems to production use.

Do you have a contingency plan? The good thing about using commercial tools for network management is that we can pivot to another vendor should that be necessary. If Kaseya shows signs of not returning to normal use for an extended period of time, CNS will initiate plans to switch to an alternate vendor. However, at the moment we expect they will have fixes available this week and we should be able to return to normal operations soon.

July 7 Communication

Kaseya continues to work on releasing fixes for the vulnerability. Our Kaseya servers remain offline pending their release. Once we have the updates, they will be evaluated by our team prior to returning systems to production.

CNS remains ready to assist you and your team. We are still able to execute and monitor critical services such as communications to CU*Answers, managed hosting, firewalls/remote access systems, endpoint security and backup services. Please contact the Help Desk at x266 for as
