Kaseya VSA SaaS Coming Back Tuesday, On-Prem Wednesday

Kaseya said it’ll make a final decision Tuesday morning about whether to bring its SaaS servers back online between 2 p.m. ET and 5 p.m. ET. The VSA on-premises patch should be available less than 24 hours later.

Kaseya expects to restore service to its VSA SaaS remote monitoring and management software Tuesday afternoon, with a patch expected for the on-premises product Wednesday.

The New York- and Miami-based IT service management vendor said it’ll make a final decision Tuesday morning about whether to proceed with bringing its SaaS servers back online between 2 p.m. ET and 5 p.m. ET as currently scheduled. The patch for the compromised on-premises version of VSA is expected to be available within 24 hours of SaaS service restoration, and is going through testing and validation.

“We know there is a lot of information circulating about this incident,” Kaseya wrote in an incident overview published at 9:30 p.m. ET Monday. “Some of it is accurate, much of it is not. We will continue our efforts to keep you updated as we have solid, actionable information to share.”

[Related: REvil Demands Record $70M In Kaseya Ransomware Attack]

Both SaaS and on-premises customers will be required to implement a set of systems and network hardening measures prior to restarting their VSA service, said Kaseya, who is devising the requirements in concert with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). VSA customers will not have access to classic ticketing, classic remote control, and the user portal when service returns.

Kaseya said Monday evening that nearly 60 of its MSP customers using an on-premises version of VSA were directly compromised in Friday’s REvil ransomware attack. But since a single MSP often supports a couple dozen end user organizations, up to 1,500 downstream customers ended up getting hit in the ransomware crossfire, according to Kaseya.

The restoration of service for the more than 36,000 customers of Kaseya’s flagship VSA product following the ransomware attack has taken significantly longer than expected. Kaseya CEO Fred Voccola said Friday evening that the company expected to restore service to its SaaS customers within the next 24 hours since the SaaS version of the VSA product was never compromised.

Then on Sunday morning, Kaseya said a staged return to service of its SaaS server farms was expected in the next 24 to 48 hours, and late Sunday afternoon said it planned to restart its SaaS service Monday morning in the United Kingdom, European Union and Asia-Pacific and late Monday in North America. But those restoration estimates were pushed back yet again late Sunday evening.

“Our executive committee met at 10:00 PM EDT and to best minimize customer risk, felt that more time was needed before we brought the data centers back online,” Kaseya wrote at 11 p.m. ET Sunday. “They elected to meet again tomorrow morning at 8:00 AM EDT to reset the schedule with a goal of starting the restoration process to bring our datacenters online by end of day on July 5th local time.”

The restoration process was further postponed after an executive committee meeting Monday morning, and Kaseya didn’t report out what the committee decided at its 3 p.m. ET Monday meeting until 6.5 hours later. The majority of Kaseya’s MSP customers use either a SaaS or hosted version of VSA, with roughly 6,500 MSPs using an on-premises version of the RMM product, Voccola told CRN Saturday.

As for the attack itself, Kaseya disclosed Monday that the hackers were able to exploit vulnerabilities in the VSA tool to pass authentication and run arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints, according to Kaseya. There is no evidence that Kaseya’s VSA codebase was maliciously modified, the company said.

Kaseya first heard something was wrong Friday when it received customer reports that ransomware was being executed on endpoints managed by the VSA on-premises product. Kaseya brought in FireEye’s Mandiant incident responders to investigate and assess the manner and impact of the cyberattack. The company said it’s also cooperating with federal law enforcement’s investigation into the attack.

The zero-day vulnerability exploited by REvil had previously been disclosed to Kaseya by researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and the company was validating a patch before rolling it out to customers. But REvil beat Kaseya to the punch and used that same vulnerability to compromise MSPs using the on-premises version of the company’s VSA product.

“During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched,” wrote DIVD’s Victor Gevers. “They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”