Kaseya could begin restoring access to the online version of its VSA remote monitoring and management solution as soon as tomorrow, according to an update posted this afternoon on the company’s website.
The IT management vendor’s executive committee will make a final decision on re-starting VSA’s SaaS infrastructure at midnight Eastern Daylight Time tonight. If it opts to proceed, service will be restored on July 5th in Europe, the U.K., and Asia starting at 4 a.m., and in North America starting at 5 p.m.
An update to the on-premises edition of VSA will be available soon as well. Kaseya plans to begin communicating details on the release process for that software tomorrow. A Compromise Detection Tool for the exploit has been available since yesterday.
The timelines now on Kaseya’s website confirm remarks made by CEO Fred Voccola to ChannelPro earlier today. VSA, he said, should be back up “in the very near future, hours not days and weeks.”
Kaseya has already written and tested the on-premises update, he added. Three independent security service providers are now reviewing the code.
VSA was struck by a sophisticated cyberattack on Friday. The solution’s cloud infrastructure has been offline since then, and the company continues to advise users of the on-premises version to keep that software offline too.
When a final tally is available, Voccola says, Kaseya expects about 50 to 60 out of roughly 38,000 VSA users to have been impacted by the attack, which employed the RMM system as an entry mechanism for distributing ransomware to end users. Kaseya does not currently know how many such organizations have been affected.
In addition to finalizing patches, Voccola says, “we’re also hardening our software and our infrastructure with additional layers.” Those measures include further third-party monitoring of Kaseya’s SaaS servers and implementation of enhanced web application firewall protection, according to the company’s website.
One of the extra security safeguards going into effect soon will change the underlying IP addresses of VSA’s cloud servers. Kaseya is “working on a program to enable us to extend our new security measures to our on-premises customers,” the website says, and will provide more details before issuing the update for that system.
In the interim, according to Voccola, Kaseya is working one-on-one with end user victims of the ransomware strike, either directly or via their MSP, based on the MSP’s preference.
“For every customer who has been hit by this, we will do everything in our power to fix it,” he says. “We provide and are paying for experts to advise everyone on what to do.”
Those experts include ransomware negotiation specialists, as well as Kaseya’s in-house technical staff. The company is putting victims in touch with contacts at the FBI for assistance as well.
The FBI, according to Voccola, is all but certain that the REvil malware consortium, which was behind the recent ransomware attack on meatpacker JBS, is responsible for this attack too. “They’re saying it’s them,” he says. “They know this group really well.”
Voccola credits Kaseya’s information security team for limiting the scope of the attack. The head of that unit made the call to shut down the SaaS version of VSA and tell on-premises users to follow suit within an hour of seeing the first signs that an attack was underway, and before a breach had been confirmed. That’s in keeping with procedures outlined in Kaseya’s incident response “playbook,” Voccola says, but “a pretty gutsy decision” even so given the number of people it affected.
That decision probably spared many more MSPs and end users from falling victim to the attack, which was still underway at the time. “We don’t know what the bad people were thinking when they did it, but it seems to be something where they were trying to just gradually over time take over more and more and more and more and more and more and more,” Voccola says. “We caught it before the other things they were trying to do.”
Kaseya, which has been working with FireEye among others to diagnose and remediate the incident, has a definitive understanding of how the attackers perpetrated the breach. “We know the issue,” Voccola says. “It took about two hours to find it [and] six to eight hours to verify it.”
Kaseya will share details about what happened in the future. “We won’t release what the breach was until we get the blessing from the government,” which is still conducting a criminal investigation, Voccola says. A great deal of effort and experience appears to have been involved, however.
“It wasn’t like a social, phishing type of an attack,” Voccola says. “It was incredibly sophisticated.”
Once the present crisis is behind it, he continues, Kaseya will look for opportunities to further harden its defenses. “Like anyone who just got punched in the nose, we’re going to defend our nose a little better.”
In an earlier conversation with ChannelPro, Voccola noted that Kaseya pays roughly $1 million a year for annual risk assessments from two outside firms. “We’ve been told that we’re pretty good,” he says of Kaseya’s security protocols, noting that those defenses helped the company keep the number of VSA users impacted by this strike down to dozens instead of thousands. Even the best defenses, however, will ultimately be penetrated.
“It’s not a matter of if. It’s a matter of when it happens,” Voccola says, adding that every company, no matter how seriously they take security, has vulnerabilities. “People have huge financial incentives to find them, and they will find them.”
Voccola made a point of thanking the many people who have offered aid in the last two days. So far, he says, about 40 CEOs in IT and adjacent industries, including ConnectWise CEO Jason Magee, have contacted him to offer help, along with hundreds of MSPs.
“It’s been super cool,” Voccola says.
