Kaseya fixes VSA, and the US calls for Russian action against REvil.
N2K logoJul 12, 2021

Kaseya has completed fixing VSA's on-premises and SaaS versions. And President Biden is optimistic his Friday phone call with President Putin will bring the Russians on board for cooperation against ransomware.

Kaseya fixes VSA, and the US calls for Russian action against REvil.

Kaseya yesterday afternoon pushed fixes for VSA's on-premises and SaaS versions. At 8:00 AM the company's update indicated that patching was proceeding quickly:

""As posted in the previous update we released the patch to VSA On-Premises customers and began deploying to our VSA SaaS Infrastructure prior to the 4:00 PM target. The restoration of services is now complete, with 100% of our SaaS customers live as of 3:30 AM US EDT. Our support teams continue to work with VSA On-Premises customers who have requested assistance with the patch."

Before applying the patches, Kaseya advised users to review these documents to prepare for installing them:For VSA On-Premises:

For VSA SaaS:

The company over the weekend noted several respects in which they'd trimmed their updating to accommodate customer feedback and input:

"We have updated our VSA On-Premises runbook STEP 4 – Based on customer feedback, we have made changes to the IIS rewrite tool in order to give customers more control of their environments using their firewalls. Please review STEP 4 in the document at the following [link].

"We have updated our VSA On-Premises runbook to include a tool that you can use to clear any procedures that have accumulated prior to starting restarting your VSA. Please review STEP 6 in the document at the following [link.]

In the company's Saturday evening video update, EVP Mike Sanders advised customers "to clean up Active Directory and any users tied to the VSA," and specifically to remove any users who don't require access. He also recommended that customers install the FireEye agent to perform a deep-scan of their VSA, ensuring that they have a clean environment. The Sunday afternoon updates required all users to change their passwords. All agents were set to suspended mode, and customers will have to turn them on as needed.

Direct US warning to Russia.

In an hour-long phone call Friday US President Biden communicated his expectations concerning ransomware operations to Russian President Putin. Reuters reports that in President Biden's estimation the call "went well," and that he expects Russian cooperation against gangs like REvil. "I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is," Mr. Biden said.

Should expected Russian cooperation not be forthcoming, President Biden said the US was prepared to take certain actions on its own. He and Administration officials declined to say what such actions might be. At the White House daily press conference on Friday, Press Secretary Psaki said President Biden "underscored the need for President Putin to take action to disrupt these ransomware groups.” Her explanation offered Moscow a way of preserving deniability: "REvil operates in Russia and other countries around the world, and we do not have new information suggesting the Russian government directed these attacks," but then said, "we also believe they have a responsibility to take action," adding, “The President made clear the United States will take any necessary action to defend its people and critical infrastructure."

Russia's Foreign Ministry described the Presidential phone call briefly, and repeated its contention that Russia has heard nothing about this or any other cybercriminal activity over the past month. A post on the Ministry's Facebook account said:

"In the context of recent reports on a series of cyberattacks ostensibly made from Russian territory, Vladimir Putin noted that despite Russia’s willingness to curb criminal manifestations in the information space through a concerted effort, no inquiries on these issues have been received from US agencies in the last month. At the same time, considering the scale and seriousness of the challenges in this area, Russia and the US must maintain permanent, professional and non-politicised cooperation. This must be conducted through specialised information exchange channels between the authorised government agencies, through bilateral judicial mechanisms and while observing the provisions of international law."

GovInfoSecurity says that unnamed senior US officials frame the Presidential conversation as one element of a broader push toward greater US resilience with respect to ransomware and other cyberthreats. They also urge people to contain any expectations of swift results. "So, this is a broad campaign and won’t have an immediate on/off effect like a light switch," the anonymous official said.

Scam warnings continue as criminals dangle Kaseya phishbait.

Kaseya has continued to warn people that its ransomware incident continues to be used as phishbait by scammers: "Reminder: Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments or phone claiming to be Kaseya Partners – DO NOT click on links or download attachments and DO NOT respond to phone calls claiming to be a Kaseya Partner."

Many of the attackers are using Cobalt Strike. Lesley Carhart has tweeted a brief primer on why the legitimate red-team emulation tool is attractive to actual threat actors.