'I let the community down' - Kaseya CEO explains why server restart was pushed back following cyber attack

VSA servers will come back online at 4pm ET on Sunday, Fred Voccola says, as Dutch Institute for Vulnerability Disclosure claims weakness was highlighted in April

Kaseya's CEO has apologised to its customers hit by last week's cyber-attack and says the restart of its VSA servers has been pushed back until Sunday to allow extra security measures to be added.

The company's SaaS VSA servers, which it says were not impacted by the attack for which Russian-speaking ransomware group REvil claimed responsibility, were due to come back online on Tuesday night, but the process was stopped after the vendor claimed an "issue" was discovered.

Its customers' on-premise servers, which were affected, were then set to come back online over the following day, but in an update posted by Kaseya, CEO Fred Voccola claimed the decision to delay was entirely his, following recommendations that extra security measures should be implemented.

The Dutch Institute for Vulnerability Disclosure (DIVD), which Kaseya is working with to ensure its software is secure, has also published a further update claiming that one of the seven vulnerabilities it identified to Kaseya back in April was exploited in the attack.

It stressed that Kaseya was co-operative and "addressed some of them by releasing a patch" which was then followed by another patch soon after. In a previous statement, the DIVD said it had "previously identified a number of the zero-day vulnerabilities which are currently being used in the ransomware attacks" but that Kaseya was "beaten by REvil in the final sprint".

"The fact that we had to take down VSA is very disappointing to me personally. I feel like I let this community down, I let my company down, our company let you down and that is not going away," Voccola said.

"I want to express my sincere apologies that you're not up on VSA, that VSA is not accessible for you to serve your customers, to serve your internal IT folks, and to make your lives easier.

"This was probably the hardest decision that I've had to make in my career and we decided to pull it for an additional three-and-a-half days, or whatever the approximate time is, to make sure that it is hardened as much as we feel that we can do for our customers.

"All the vulnerabilities that were exploited during the attack, we had them locked, we felt comfortable with the release. Some of the third-party engineering firms and companies that we've been working with, as well as some of our own IT people, made some suggestions to put additional layers of protection in there for things that we might not be able to foresee."

Voccola added that he is "extremely confident" that its servers will come back online by Sunday afternoon ET, while an updated run book outlining the changes for customers which use on-prem VSA servers has also been released.

The company will also offer financial support to customers that have been affected by the attack and the shutdown of its servers, Voccola said, which will include "providing licences, delays of payments and other means".

Kaseya estimates that the attack impacted "approximately 50" of its own customers and "between 800 and 1,500" businesses overall after its VSA module was compromised last Friday.

The firm's chief technology officer, Dan Timpson, said the company is "working fiercely" on its security posture and is "adding a lot more rigour" to its processes.

But the company has attracted criticism for the breach from several MSPs, while Voccola also issued a statement earlier in the week claiming the impact of the attack has been made "larger than what it is".

Kaseya has also warned its customers to be vigilant following reports of phishing emails containing malicious links being sent out by those pretending to be from the company.

Big questions

Jeff Pollard, vice-president and principal analyst at Forrester, highlighted several key questions that MSPs and their clients affected by the attack or the shutdown of Kaseya's servers are eager to have answered.

"MSP clients want to know when it's going to be safe to let the MSP - and by proxy Kaseya - back into their environments," he said.

"The mission for Kaseya here is two-fold. One, re-establish trust with the MSPs they work with as a platform, and two, help those MSPs re-establish trust with their clients.

"MSPs should ask Kaseya what kind of financial support it plans to offer, how it will help them rebuild trust, but also how they plan to assist the organisations suffering from this attack - both direct MSPs and clients of those MSPs.

"Kaseya is not the victim here. The downstream organisations blindsided by this are the victims, which includes the MSPs and their end user clients."

He added that MSPs and businesses must ask how Kaseya "will mitigate this in the future" and believes both the vendor and its MSPs must show how they deal with the increased scrutiny of its technology.

Pollard also said it is important to find out which "workflow and oversight adjustments" are being implemented by Kaseya and its MSP clients "to ensure that malicious updates or unauthorised distribution of software can be prevented or mitigated rapidly in the future".