The number of managed service provider (MSP) customers impacted by a wide-ranging ransomware attack orchestrated through Kaseya’s VSA product has been revised upward from around 40 to about 60.
The attack, which unfolded on 2 July, has disrupted some 1,500 downstream customers – many small and medium-sized enterprises (SMEs) of the affected MSPs.
In a new statement, Kaseya said it had received no reports of any further compromises for VSA users since 3 July and had found no evidence that any of its software-as-a-service (SaaS) customers have been impacted. It added that VSA is the only product compromised, and all its other services are unaffected.
“Our committee met this afternoon [5 July] at 6.30 pm EDT [11.30 pm BST] to reset the timeline and process for online,” said the firm. “The patch for on-premises and is currently going through the testing and validation process. We expect the patch to be available within 24 hours after our SaaS servers have been brought up.”
Kaseya expects to return its SaaS servers to service on 6 July between 7 pm and 10 pm UK time and will make a final decision imminently. It said it would release VSA with staged functionality to recover services sooner, with the first release preventing being.
It has also met with US authorities to discuss the system and network hardening requirements for SaaS and on-premise customers and will post these requirements again. The patch will likely have to be installed before VSA is restarted. In the meantime, all on-premise VSA.
“Our outside experts have advised us that customers who experienced ransomware and received communication from the attackers should not click on any links – they may be weaponized,” it added.
So far, few of the impacted MSP customers have publicly identified themselves. Still, Netherlands-based Velzart, a cloud, IT, and networking services provider, is keeping its customers informed of its recovery progress.
At the end of Monday, 6 July, the firm had repaired 70% of impacted servers and returned them to customer use. It was by Wednesday. The firm thanked its clients for their patience, understanding, technical assistance, and refreshments.
As more information continues to trickle out about the attack, it is now becoming clear that REvil accessed on-premise instances of the VSA server through a newly uncovered zero-day – as previously disclosed, probably an SQL injection vulnerability – and delivered the ransomware payload via an agent. Sophos noted that this gave the gang additional cover to sneak past defenses by exploiting customer trust in the VSA product.