Malware, Managed Services, Ransomware

Kaseya plans to bring SaaS servers back online Tuesday, with patch then expected within a day

Editor's note: This story has been updated with new details released from Kaseya.

A patch for on-premises customers of the Kaseya VSA product that was the source of a widespread ransomware attack since Friday is currently going through the testing and validation process, the company said.

The patch will likely be made available within 24 hours after Kaseya servers supporting its software-as-a-service offering have been brought up, which the company currently expects to happen between 4 p.m. and 7 p.m. (This timeframe, released Tuesday morning, is a bump of about two hours from what they initially stated Monday night). Results of testing and evaluation could impact that timeline, the update posted to the Kaseya website noted.

The delay in the SaaS servers coming online was due to a configuration change, as well as enhanced security measures being put in place. Specifically, Kaseya said in the Tuesday update that the company would provide 24/7 independent security operations center support for every VSA with the ability to quarantine and isolate files and entire VSA servers. Kaseya will also provide a complementary CDN with WAF for every VSA, including on premise that opt-in and wish to use it. More detials on teh services will be made available later Tuesday afternoon.

Click here for the latest news on the Kaseya cyberattack.

VSA will be brought online with staged functionality, with the first release preventing access to functionality used by "a very small fraction" of the user base, including: classic ticketing, classic remote control (not LiveConnect), and the user portal.

"Kaseya met with the FBI/CISA tonight to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers, the Monday night update noted. "A set of requirements will be posted prior to service restart to give our customers time to put these counter measures in place in anticipation of a return to service" July 6.

A new version of the Compromise Detection Tool can be downloaded at VSA Detection | Powered by Box for identify any indicators of compromise are present for a system (either VSA server or managed endpoint). Specifically, the tool searches for the IOC, data encryption, and the REvil ransom note. "We recommend that you re-run this procedure to better determine if the system was compromised by REvil," the update noted, adding that 2,000 customers have downloaded this tool since Friday.

The ransomware offensive from a REvil affiliate targeting Kaseya VSA’s on-premises customers exploited two zero-day bugs in the code – an authentication bypass and one of several SQL injections, according to research from Huntress Labs. Kaseya quickly shut down the SaaS version of VSA as a precaution and told on-premises users to shut down its service.

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She 20 years of experience editing and reporting on technology, business and policy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.