Editor's note: This story has been updated with new details released from Kaseya.
A patch for on-premises customers of the Kaseya VSA product that was the source of a widespread ransomware attack since Friday is currently going through the testing and validation process, the company said.
The patch will likely be made available within 24 hours after Kaseya servers supporting its software-as-a-service offering have been brought up, which the company currently expects to happen between 4 p.m. and 7 p.m. (This timeframe, released Tuesday morning, is a bump of about two hours from what they initially stated Monday night). Results of testing and evaluation could impact that timeline, the update posted to the Kaseya website noted.
The delay in the SaaS servers coming online was due to a configuration change, as well as enhanced security measures being put in place. Specifically, Kaseya said in the Tuesday update that the company would provide 24/7 independent security operations center support for every VSA with the ability to quarantine and isolate files and entire VSA servers. Kaseya will also provide a complementary CDN with WAF for every VSA, including on premise that opt-in and wish to use it. More detials on teh services will be made available later Tuesday afternoon.
VSA will be brought online with staged functionality, with the first release preventing access to functionality used by "a very small fraction" of the user base, including: classic ticketing, classic remote control (not LiveConnect), and the user portal.
"Kaseya met with the FBI/CISA tonight to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers, the Monday night update noted. "A set of requirements will be posted prior to service restart to give our customers time to put these counter measures in place in anticipation of a return to service" July 6.
A new version of the Compromise Detection Tool can be downloaded at VSA Detection Tools.zip | Powered by Box for identify any indicators of compromise are present for a system (either VSA server or managed endpoint). Specifically, the tool searches for the IOC, data encryption, and the REvil ransom note. "We recommend that you re-run this procedure to better determine if the system was compromised by REvil," the update noted, adding that 2,000 customers have downloaded this tool since Friday.
The ransomware offensive from a REvil affiliate targeting Kaseya VSA’s on-premises customers exploited two zero-day bugs in the code – an authentication bypass and one of several SQL injections, according to research from Huntress Labs. Kaseya quickly shut down the SaaS version of VSA as a precaution and told on-premises users to shut down its service.