
Kaseya Sees Service Restoration Delay After Ransomware Hit

Vendor of IT Remote Management Software Promises Security Improvements After Attack
Kaseya's Tuesday update

(Update: Kaseya said midday Wednesday it will publish a "runbook" of changes and the planned availability of its patch for on-premises VSA by 5 p.m. July 7. The vendor is also resolving an issue with its SaaS VSA update and expects service to be restored by the evening of July 8.)


Customers of Kaseya waiting for emergency fixes to its software-as-a-service and on-premises software now face further delays.

Following a ransomware attack involving Kaseya's VSA software that came to light Friday, the U.S. Cybersecurity and Infrastructure Security Agency advised all users of the on-premises version of VSA to immediately deactivate the software. The Miami-based IT remote management software vendor said that to be safe, it also took the SaaS version of VSA offline, although it was not exploited by attackers.

Kaseya estimates that the July 4 holiday weekend ransomware attack hit about 60 of its IT managed service provider customers as well as up to 1,500 of their collective managed service clients. The company says many of the crypto-locked organizations - the MSP clients - are smaller businesses, such as dentists' offices, small accounting offices and restaurants (see: Kaseya: Up to 1,500 Organizations Hit in Ransomware Attack).

Kaseya had said it expected fixes to be in place for its SaaS software, allowing service to be restored by Tuesday, with patches for on-premises VSA software to follow within 24 hours. But in a Wednesday update, the company announced that its SaaS service remains offline and that no on-premises software patches are yet available (see: Did Kaseya Wait Too Long to Patch Remote Software Flaw?).

"Unfortunately, during the deployment of the VSA [SaaS] update, an issue was discovered that has blocked the release. We have not yet been able to resolve the issue," Kaseya says in a Wednesday morning update. "The R&D and operations teams worked through the night and will continue to work until we have unblocked the release."

In a Monday statement, Kaseya CEO Fred Voccola said: "Our global teams are working around the clock to get our customers back up and running. We understand that every second they are shut down, it impacts their livelihood, which is why we're working feverishly to get this resolved."

Security Improvements Planned

On Tuesday, Kaseya announced that it is implementing a number of security improvements, including a 24/7 independent security operations center for every VSA server. Each center will have the ability to quarantine and isolate files and entire VSA servers.

Kaseya says it is also putting in place a content delivery network with a web application firewall for every VSA server.

Credit for the ransomware attack involving Kaseya's VSA software has been claimed by the REvil ransomware-as-a-service operation, also known as Sodinokibi.

Kaseya has continued to warn organizations that were hit in the VSA-targeting attacks to not click on any links supposedly sent by REvil, noting that the links may have been weaponized.

With its typical bluster, the REvil operation claims to have compromised 1 million VSA-using organizations. On Monday, the ransomware operation also began demanding $70 million in bitcoins for a universal decryption tool that it said would decrypt all victims' files. With no takers, the group appeared to have lowered its asking price for the tool shortly thereafter to $50 million.

Federal Probe

On Sunday, U.S. President Joe Biden ordered federal intelligence agencies to investigate the incident, initially noting that "we are not sure yet" whether the Russian government held any blame in the REvil campaign (see: Biden Orders Investigation of Kaseya Ransomware Attack).

Kaseya says it's working with multiple governmental agencies that are probing the attack, including the FBI, CISA, the Department of Homeland Security and the White House. FireEye's Mandiant incident response group is also assisting the company.

While the full damage from the incident is still coming to light, some experts have voiced cautious optimism. "There were some novel aspects of this particular incident that actually could have [made the impact] much, much worse," Michael Daniel, president and CEO of the Cyber Threat Alliance, tells Information Security Media Group. "So I actually think, in many ways, compared to what people [initially] were afraid of, this ended up not being quite as bad."

Grading Kaseya's Response

Kaseya has continued to keep the details of the software vulnerability that attackers exploited, and for which it is still preparing a patch, under wraps, which Mike Hamilton, formerly the CISO for the city of Seattle, says is the right move. "Kaseya was working on a patch for the vulnerability when it was exploited. Making a vulnerability public before a patch is prepared and released just invites attack," he says.

Hamilton, co-founder of CI Security, says that although Kaseya has stated that the ransomware attack did not hit any organizations operating in critical infrastructure, he suspects such organizations may indeed have fallen victim. "It's highly likely that a good number of local governments are victims, and that means water purification, waste treatment, communications for law enforcement. All may have been impacted - and that's critical infrastructure," he says.

As the pace and severity of ransomware attacks continue to worsen, experts say more needs to be done. Daniel of the Cyber Threat Alliance says the best way to mitigate the risk of ransomware attacks continues to be collaboration between the government and the private sector.

"We need to be bringing all the different diplomatic, economic and law enforcement intelligence cybersecurity tools to the field and employ them in different combinations that impose costs on the adversaries," he says.

Next Steps for Affected MSPs

On July 4, CISA and the FBI issued a joint statement with guidance for MSPs and their customers affected by the supply chain ransomware attack leveraging a zero-day exploit in Kaseya's VSA software. Those recommendations include:

  • Download the Kaseya VSA Detection Tool: The tool analyzes a system (either VSA server or management endpoint) and determines whether any indicators of compromise are present.
  • Enable and enforce multifactor authentication: The agencies recommend enforcing MFA on every account that is under the control of the organization and for customer-facing services.
  • Implement "allowlisting": This will limit communication with remote monitoring and management capabilities to known IP address pairs.
  • Protect administrative interfaces: The agencies urge those affected to place the administrative interfaces of RMM software behind a virtual private network or a firewall on a dedicated administrative network.
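The allowlisting and administrative-interface recommendations above can be checked against an RMM server's own web access logs rather than taken on trust. The following is an added example, not Kaseya's detection tool and not code from CISA or the FBI: a Python audit that parses access log lines in the common combined format, classifies each request as an agent check-in or an administrative request by URL prefix, and flags any request whose source address falls outside the CIDR allowlist for that category. The prefixes /agent/ and /admin/, the address ranges and the log lines are all constructed for the example and are assumptions, not VSA's real paths or any real network.

```python
"""Allowlist audit over RMM access logs (added example; constructed data)."""
import ipaddress
import re
from typing import Dict, List

# Constructed allowlist (hypothetical): admin UI only from a dedicated admin
# VLAN, agent check-ins only from the ranges where managed endpoints live.
ALLOWLIST_SPEC: Dict[str, List[str]] = {
    "admin_interface": ["10.20.0.0/24"],
    "agent_checkin": ["198.51.100.0/24", "203.0.113.7/32"],
}

# Constructed sample log in combined format (hypothetical paths and addresses).
SAMPLE_LOG = """\
10.20.0.15 - - [06/Jul/2021:09:12:01 +0000] "GET /admin/login HTTP/1.1" 200 512
203.0.113.7 - - [06/Jul/2021:09:12:05 +0000] "POST /agent/checkin HTTP/1.1" 200 88
192.0.2.44 - - [06/Jul/2021:09:13:10 +0000] "GET /admin/login HTTP/1.1" 200 512
198.51.100.9 - - [06/Jul/2021:09:14:00 +0000] "POST /agent/checkin HTTP/1.1" 200 88
198.51.100.9 - - [06/Jul/2021:09:14:30 +0000] "GET /admin/settings HTTP/1.1" 403 0
192.0.2.44 - - [06/Jul/2021:09:15:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
this is not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def build_allowlist(spec: Dict[str, List[str]]):
    """Turn CIDR strings into ip_network objects once, keyed by category."""
    return {cat: [ipaddress.ip_network(c) for c in cidrs] for cat, cidrs in spec.items()}


def classify(path: str) -> str:
    """Map a request path to the allowlist category it must satisfy (assumed prefixes)."""
    if path.startswith("/admin/"):
        return "admin_interface"
    if path.startswith("/agent/"):
        return "agent_checkin"
    return "other"  # static assets etc.; not subject to the allowlist here


def audit(log_text: str, spec: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Return one record per request whose source is outside its category's allowlist.

    A blocked (403) admin request from an unexpected source is still reported:
    the interesting fact is that the source could reach the interface at all.
    """
    allowlist = build_allowlist(spec)
    violations: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash mid-audit
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # e.g. a hostname in the source field; not auditable here
        cat = classify(m["path"])
        if cat == "other":
            continue
        if not any(src in net for net in allowlist[cat]):
            violations.append({
                "ip": m["ip"], "category": cat, "path": m["path"],
                "status": m["status"], "ts": m["ts"],
            })
    return violations


def audit_sample() -> List[Dict[str, str]]:
    """Run the audit over the constructed sample; two admin requests are flagged."""
    return audit(SAMPLE_LOG, ALLOWLIST_SPEC)


if __name__ == "__main__":
    for v in audit_sample():
        print(f'{v["ts"]} {v["ip"]} -> {v["path"]} ({v["category"]}, HTTP {v["status"]})')
```

Point the audit at the real server's log export and substitute the real administrative and agent URL prefixes and the organization's own address ranges; any hit in the admin category is evidence that the interface is reachable from outside the dedicated administrative network, whatever status code the request received.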

This story has been updated.


About the Author

Dan Gunderman


Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.

Doug Olenick


Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.
