Kaseya says it's seen no sign of supply chain attack, sets SaaS restoration target of Tuesday afternoon, on-prem fix to follow
Hikes numbers of known compromised customers and warns countermeasures will be needed before resuming usage
Kaseya has said it’s been unable to find signs its code was maliciously modified, and offered its users a ray of hope with news that it is testing a patch for its on-prem software and is considering restoring its SaaS services on Tuesday, US Eastern Daylight Time (EDT).
The beleaguered IT-for-service-providers company is fighting a supply chain attack on its VSA product that it has documented in a rolling advisory, last updated at 09:30PM EDT on July 5th.
The update has good news and bad news.
The bad news is an upwards revision in the number of infected customers, from the previous figure of “fewer than 40” to “fewer than 60”. The company has also estimated that “fewer than 1500 downstream businesses” have been impacted. But as exploitation of VSA results in an infection by the REvil ransomware, the impact is substantial.
The good news is that the update revealed that the company estimates it will be possible to restart its SaaS servers on July 6th between 2:00 PM and 5:00 PM EDT.
That date is not final: the update says a final decision will be made “tomorrow morning between 8:00 AM EDT – 12:00 AM EDT”.
“These times may change as we go through the final testing and validation processes,” the update adds.
Resuming use of the SaaS service won’t just be a case of restoring normal service.
Kaseya said it has met with the FBI and the USA’s Cybersecurity and Infrastructure Security Agency (CISA) “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.
“A set of requirements will be posted prior to service restart to give our customers time to put these counter measures in place in anticipation of a return to service on July 6th.”
A patch for on-premises customers is also in the works. The update states that code “is currently going through the testing and validation process.
“We expect the patch to be available within 24 hours after our SaaS servers have been brought up,” the update advises.
Kaseya has advised its users to pull the plug on their on-prem VSA servers, so news that a fix is imminent will be welcome — but news that it will arrive later than the SaaS fix will not. And of course, patches for enterprise software are not simple affairs — there’s every chance users will have plenty of work to do once the fix is applied.
Users have also been given another job, because Kaseya has updated its compromise detection tool. It’s a download from cloud storage locker Box and is available here.
The company has also posted an initial analysis of the attack that states it has found “no evidence that Kaseya’s VSA codebase has been maliciously modified.
“The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution,” the explanation states. “This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints.”
The explanation also details several indicators of compromise, among them three IP addresses that accessed VSA servers during the attack:
- 35.226.94[.]113
- 161.35.239[.]148
- 162.253.124[.]162
The firm also offered the following IIS web server access log extract, as indicative of either a successful or attempted attack on VSA:
POST /dl.asp curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
POST /userFilterTableRpt.asp curl/7.69.1
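As an added example (not code from Kaseya's advisory or from this article), the following Python reads an IIS W3C access log, takes the field layout from its #Fields: header, and flags requests that match the request paths and curl user agent quoted above or come from the three listed IP addresses; the sample log lines, server IP and field order are constructed assumptions.

```python
"""Hunt an IIS W3C access log for the VSA attack pattern quoted in Kaseya's advisory."""
from collections import defaultdict

# Attacker IPs quoted in Kaseya's analysis, with the defanging brackets removed.
ATTACKER_IPS = {"35.226.94.113", "161.35.239.148", "162.253.124.162"}
# Request paths and user agent from the log extract Kaseya published.
ATTACK_PATHS = {"/dl.asp", "/done.asp", "/cgi-bin/KUpload.dll", "/userFilterTableRpt.asp"}
ATTACK_UA = "curl/7.69.1"

# Constructed sample log (not a real capture). Field order is an assumption;
# IIS writes spaces inside the user agent as '+', so it stays one token.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-07-02 17:01:10 10.0.0.5 GET /vsapres/web20/core/login.aspx - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-07-02 17:02:03 10.0.0.5 POST /dl.asp - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 17:02:04 10.0.0.5 GET /done.asp - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 17:02:05 10.0.0.5 POST /cgi-bin/KUpload.dll - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 17:02:06 10.0.0.5 POST /userFilterTableRpt.asp - 443 35.226.94.113 curl/7.69.1 200
2021-07-02 17:03:00 10.0.0.5 GET /done.asp - 443 203.0.113.9 curl/7.69.1 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def hunt(text):
    """Return {client_ip: {"paths": set, "known_ioc": bool}} for suspicious requests."""
    hits = defaultdict(lambda: {"paths": set(), "known_ioc": False})
    for rec in parse_w3c(text):
        ip = rec.get("c-ip", "")
        ua = rec.get("cs(User-Agent)", "")
        path = rec.get("cs-uri-stem", "")
        # Either a published IoC address, or the published request pattern from any address.
        if ip in ATTACKER_IPS or (ua == ATTACK_UA and path in ATTACK_PATHS):
            hits[ip]["paths"].add(path)
            hits[ip]["known_ioc"] = ip in ATTACKER_IPS
    return dict(hits)


if __name__ == "__main__":
    for ip, info in hunt(SAMPLE_LOG).items():
        print(ip, "known IoC" if info["known_ioc"] else "pattern match", sorted(info["paths"]))
```

A match on the request pattern from an address outside the published list still warrants review, since the indicators Kaseya released are only those it had observed.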