About 60 Kaseya customers hit by REvil

by Joseph K. Clark

The number of managed service provider (MSP) customers impacted by a wide-ranging REvil/Sodinokibi ransomware attack orchestrated through Kaseya’s VSA product has been revised upward from around 40 to about 60.

The attack, which unfolded on 2 July, has so far caused disruption to some 1,500 downstream customers – many of them small and medium-sized enterprises (SMEs) of the affected MSPs.

In a new statement released within the past 24 hours, Kaseya said it had received no reports of any further compromises for VSA users since 3 July and had found no evidence that any of its software-as-a-service (SaaS) customers have been impacted. It added that VSA is the only product compromised, and all its other services are unaffected.


“Our executive committee met this afternoon [5 July] at 6.30pm EDT [11.30pm BST] to reset the timeline and process for bringing our SaaS and on-premises customers back online,” said the firm. “The patch for on-premises customers has been developed and is currently going through the testing and validation process. We expect the patch to be available within 24 hours after our SaaS servers have been brought up.”

Kaseya currently expects to bring its SaaS servers back online later on 6 July between 7pm and 10pm UK time and will make a final decision on this imminently. It said it will release VSA with staged functionality to recover services sooner, with the first release preventing access to some functionality for the time being.

It has also met with US authorities to discuss system and network hardening requirements for SaaS and on-premises customers, and will post these requirements imminently. The patch will likely need to be installed before servers are restarted. In the meantime, all on-premises VSA servers must remain offline.

“We have been advised by our outside experts that customers who experienced ransomware and received communication from the attackers should not click on any links – they may be weaponized,” it added.

So far, few of the impacted MSP customers have identified themselves. One that has, Netherlands-based Velzart, a provider of cloud, IT and networking services, has been keeping its customers informed of its recovery progress via its blog.

At the end of Monday 6 July, the firm reported that it had technically repaired 70% of the impacted servers and returned them to customer use, and expected to restore the rest of its server estate by Wednesday. The firm thanked its clients for their patience, understanding and technical assistance, and even for refreshments.

As more information continues to trickle out about the attack, it is becoming clear that REvil accessed on-premises instances of the VSA server through a newly uncovered zero-day (as previously disclosed, probably an SQL injection vulnerability) and delivered the ransomware payload via an automatic update pushed out disguised as a management agent. As noted by Sophos, among others, this gave the gang additional cover to sneak past defences by exploiting customers' trust in the VSA product.
