Kaseya’s attempt to recover its SaaS services has failed, and its CEO has attempted to play down the significance of an incident that has kept its VSA services offline since July 2nd and led to over 1,000 ransomware infections.
The biz, which makes system monitoring and management software for IT service providers, issued an update at 10PM Eastern Daylight Time (EDT) on July 6th that stated:
The company had previously advised that SaaS restoration had commenced, with individual SaaS servers due to come online “throughout the night US time”. “All systems will be online and accessible by July 7th 6AM US EDT,” the advice stated.
Now the company says its next update will come at 8AM US EDT. It has offered no information on likely time of restoration or the nature of the issue that has slowed the SaaS rollout. Nor has Kaseya said if its promise to patch its on-premises VSA software within 24 hours of SaaS restoration remains in force.
The delay is a further embarrassment to the company, given that CEO Fred Voccola went on the record, in the video below, saying he expected SaaS restoration “in the coming hours”, although he added that the company is being “incredibly conservative about it”.
The CEO comes out swinging in the video, saying “even the best defences get scored on” and mentioning that other vendors, including direct rival ConnectWise, have experienced similar troubles. Voccola also offered his opinion that Kaseya’s woes mean: “All of a sudden cyber crime and ransomware has become … the topic of the day and we're caught in the middle of it and people make the story and make the impact of this larger than what it is.”
A quick reminder: this cyber-attack has seen countless businesses going without IT management tools, with impacts including shuttered supermarkets, problems with schools, an estimated 1,000-plus ransomware infections, and a demand for a $70m payment in Bitcoin by the REvil ransomware gang. It really is quite a large impact.
It appears miscreants were able to exploit a vulnerability in on-prem deployments of Kaseya's IT management suite VSA to infect systems with the REvil ransomware. Kaseya urged people to disable their VSA servers to protect themselves, and it shut down its software-as-a-service offering of VSA, too.
The CEO also observed: “Unfortunately there are bad people out there who can make a lot of money or try to make a lot of money and get paid in anonymous currencies that are very difficult if not impossible to trace by the authorities, so there’s no money trail for them to go and get these criminals.”
Also in Voccola’s video, he appears to have changed Kaseya’s guidance on the number of infected on-premises deployments, as he mentions “50 customers or so” were infected. Kaseya’s previous guidance mentioned “fewer than 40” and “fewer than 60.” The aforementioned 1,000-plus ransomware victims are the customers of those four-dozen or so Kaseya customers, infected via their VSA IT management installations.
Whenever Kaseya’s SaaS is restored, customers will have to check the network configurations they use, as one of the new security measures is a change to the IP addresses of the company’s SaaS servers.
“For almost all customers, this change will be transparent,” the 10PM advisory states. “However if, and only if, you have whitelisted your Kaseya VSA server in your firewall(s), you will need to update the IP whitelist.” The new addresses can be found here.
Voccola’s video also revealed that around 150 Kaseya staff “have probably slept a grand total of four hours in the last two days literally and that’ll continue until everything is as perfect as can be.” ®