Update on REvil's exploitation of Kaseya's VSA.
Kaseya's CEO Fred Voccola, in a video message posted at 9:45 Eastern Daylight Time last night, said the new release time for a fixed and patched VSA will be this coming Sunday at 4:00 PM Eastern Time. While Kaseya was confident the patches they'd developed had closed the vulnerabilities the extortionists exploited, Voccola said that third-party engineers and internal IT personnel recommended putting additional layers of security in place to protect against other exploits they may not foresee.
The company also published a run book last night of changes to the on-premises version of VSA, which should enable customers to prepare themselves for the coming update.
US response to REvil (and Russia).
US President Biden yesterday left a meeting with advisors and said that he "will deliver" a response to Russia's President Putin over the ransomware attacks on US companies. "Mr. Biden’s vague statement, delivered as he was departing for a trip, left it unclear whether he was planning another verbal warning to Mr. Putin — similar to the one he issued three weeks ago during a one-on-one summit in Geneva — or would move ahead with more aggressive options to dismantle the infrastructure used by Russian-language criminal groups," the New York Times reports.
The BBC quotes experts to the effect that the attempt to compromise the RNC looks like traditional espionage, but the Kaseya incident is another and arguably more serious matter altogether. The BBC thinks that sanctions and some arrangement that would secure Russian police cooperation against REvil are the two options the US is most likely to avail itself of. Cooperation with Russian law enforcement seems unlikely, however, to be productive. MIT Technology Review has an account of how earlier attempts at such collaboration have fallen flat after initial promises of good will.
Assessing Kaseya's response.
Kaseya's ability to cope with the attack has received harsh reviews from those who believe, like the sources CRN quotes, that the company shouldn't have left itself vulnerable to this kind of exploit. The Dutch Institute for Vulnerability Disclosure says it discovered the zero-day in April and promptly notified Kaseya. Kaseya was in the process of addressing the issue when the attack hit, so arguably the company's response was dilatory. It certainly came just a bit too late.
Others have given Kaseya much better notices. Electronic Engineering describes Kaseya as "swiftly responding" to contain the damage. The company's public communication about the incident has been regular and clear.
The CyberWire has more extensive coverage on our website.