Kaseya MSP: ‘It Sucks’ VSA Is ‘Still Down’ After Cyberattack

“We have VPN licenses that are flying out the door for those [Kaseya customers] who need it,” says one CEO of an MSP who partners with Kaseya.


As Kaseya keeps postponing the restoration of access to its VSA remote monitoring and management product five days after Friday’s massive REvil ransomware attack, concerns by Kaseya MSPs are growing.

“It sucks that we’re still down from this,” said one CEO from an MSP who partners with Kaseya and did not want to be named. “Last night, we did get notices that Kaseya did try to bring up four of the instances. It looked like there was one in Europe, a couple in the U.S. – we got updates on that. Then around 10 p.m. last night, we got the update that they were calling it a night and the updates didn’t go as well as they thought. I did notice that they are implementing some new security features, including using Cloudflare. That was documented. So us, also being a Cloudflare implementer, I know that utilizing something like that definitely has its own complications.”

The CEO says he currently manages more than 2,000 endpoints through Kaseya. None of his customers were on-premises Kaseya clients, but with VSA SaaS still down, he has had to implement other solutions, such as VPNs, to keep remote access available for his cloud customers.


“We’re putting temporary solutions in place for clients that really utilize that remote desktop portion of it. So remote access solutions, but not necessarily Kaseya competitors,” he said. “We’ve also implemented VPNs for the clients. There are alternatives that we’ll definitely keep in place just for those clients that need it. We have VPN licenses that are flying out the door for those [customers] who need it.”

On Tuesday night, Kaseya said that all SaaS instances of its flagship VSA tool would be online and accessible by 6 a.m. ET on Wednesday. However, Kaseya said that during the VSA SaaS deployment, “an issue was discovered that blocked the release.”

“Unfortunately, during the deployment of the VSA update an issue was discovered that has blocked the release. We have not yet been able to resolve the issue,” Kaseya said in an update Wednesday morning. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release.”

Kaseya plans to provide another status update at noon ET today.

Kaseya CEO Fred Voccola initially said on Friday evening, the day of the REvil ransomware attack, that his company expected to restore service to its SaaS customers within the next 24 hours. That did not happen, and Kaseya has since missed several other timeframes it gave over the past several days for restoring VSA.

On July 2, the REvil ransomware group revealed that it had exploited a vulnerability in Kaseya’s on-premises VSA tool to compromise nearly 60 MSPs and encrypt the data of up to 1,500 of their end-user customers. REvil is demanding $70 million in ransom payments.

With Kaseya’s 36,000 MSP customers on their sixth day without access to VSA, one chief information security officer (CISO) from an MSP that partners with Kaseya said his customers are “patiently waiting” but “frustrations” are growing.

“There comes a time when you can’t keep telling people to, ‘Wait. Hold on, [Kaseya’s] almost ready to reboot,’” said the CISO, who declined to be named. “At 7:30 p.m. last night they said they would begin to roll out the servers. We got updates that these servers were coming online. But then this morning, we saw everything being postponed again. … We know something big is going on with Kaseya and we’re hoping these delays mean they will get it right.”

Even though the SaaS version of Kaseya’s VSA tool wasn’t compromised, the company plans to reduce the attack surface for all versions of VSA by providing an independent SOC for every VSA with the ability to quarantine and isolate files as well as entire VSA servers. Kaseya says both SaaS and on-premises customers will be required to implement a set of systems and network hardening measures prior to restarting their VSA service. VSA customers will not have access to classic ticketing, classic remote control and the user portal when service returns. The patch for the compromised on-premises version of VSA is expected to be available within 24 hours of SaaS service restoration.