Kaseya postpones service restoration, apologizes for attack

Dive Brief:

Kaseya CEO Fred Voccola, in a video message, apologized to customers for the ransomware attack by REvil and the prolonged outages that disrupted businesses since Friday when attackers shut down the company's VSA servers. Kaseya VSA provides remote monitoring and endpoint management.
The company moved the timeline for restoration to Sunday, after outside engineers advised additional security layers to ensure the system would be adequately protected, Voccola said. However, Voccola said he made the final decision to delay restoration. The company originally planned to begin restoration of its SaaS business Wednesday, followed by the release of a patch for on-premises customers.
Security researchers and industry analysts said Kaseya cannot afford to allow normal operations to resume without making sure that customers are protected against a new round of opportunistic attacks.

Dive Insight:

The restoration delay follows the disclosure that Kaseya was warned in April of pre-existing zero-day vulnerabilities that may have been exploited by the REvil ransomware organization to attack its IT management systems last week, according to the Dutch Institute of Vulnerability Disclosure.

Kaseya will make millions of dollars of assistance available to MSPs impacted by the attack to mitigate the damage.

"Now more than ever, the Kaseya VSA codebase is under the microscope," John Hammond, senior security researcher at Huntress. "With hackers and researchers focusing on the software, and examining it for not just the exploited weaknesses, but the potential for even more vulnerabilities, it's fair to consider that this response has turned into an extreme code review."

If Kaseya fails to patch the vulnerabilities, there is the potential for a similar or a more "grave incident" as systems are restored, according to Hammond. "One has to think there is more technical debt than anyone realized, and now that they are in the spotlight, they can't miss the mark on this again," Hammond said.

Kaseya officials told Cybersecurity Dive that the decision to wait is a serious one, but something the company felt it needed to do to protect its customers.

"As Fred said in his video message — we've received recommendations from the professional and agency groups supporting us, to add additional layers of security — following that guidance," Dana Liedholm, SVP, corporate marketing at Kaseya said via email. "Fred and [the] executive team made the decision to push the timeline, to be extra cautious. As he said, very painful decision for us, but we are confident it's in our customer's best interest to be extremely conservative and overly cautious."

The full scope of the attack is just beginning to emerge as more victims of the attack go public, according to Katell Thielemann, VP analyst at Gartner. Among some of the newer victims are the Maryland towns of North Beach and Leonardtown. The communities worked with JustTech, a customer of Kaseya, according to The Washington Post.

"With the SaaS update now delayed, Kaseya clients will expect more specifics of what went wrong that blocked the release — an abundance of caution given the sophistication of the attack, or additional security issues uncovered in the SaaS environment?" Thielemann said.

Knowing the risks of a failed restoration, analysts say Kaseya is making the right decision to delay the full restoration effort.

"Pushing out the restoration timeline for VSA is not necessarily a bad thing," Allie Mellen, analyst, security and risk, at Forrester Research, said via email. "Restoration is complex — much like 'security best practices,' there are a lot more challenges during implementation than it may seem from the outside."

Mellen said offering funds for impacted customers is a recommended best practice, as many of Kaseya's customers are small enterprises that lack the resources to withstand a disruption of this length.