The Kaseya ransomware attack, which has affected dozens of service providers and hundreds of downstream customers, dramatically raises the question of MSP software vendor accountability.
The REvil ransomware attack, which emerged on July 2, targeted Kaseya’s VSA Remote Monitoring and Management (RMM) product. Kaseya said compromised customers were using the local version of the RMM offering. According to Kaseya’s Incident Summary, threat actors exploited zero-day vulnerabilities in VSA to “bypass authentication and execute arbitrary command execution.” This allowed the attackers to control the VSA server and deliver ransomware to MSP customer endpoints.
Kaseya advised MSPs to shut down their local VSA servers and take their VSA SaaS servers offline. Kaseya said its local patch will be available on Sunday, July 11th at 4:00 PM ET and that it will also “begin deploying on our VSA SaaS infrastructure.”
One of the affected companies contacted CompTIA’s Information Sharing and Analysis Organization (ISAO) on July 2nd. “We heard of one [ISAO] member – a small MSP in the Midwest,” said MJ Shoer, ISAO senior vice president and executive director of CompTIA. The ISAO called on members to help the ailing MSP. Forty-one members responded in less than three hours, Shoer noted.
MSPAlliance, an industry association based in North Chapel, NC, has also heard from VSA customers. Charles Weaver, CEO of MSPAlliance, said the MSPs he spoke to hold the association’s MSP Verified certification and have not yet reported any incidents. “They have shut down their VSA instances and are reporting normal business operations,” he said. MSP Verified’s certification criteria include corporate resilience measures.
A call to accountability
The affected companies represent a small subset of the entire MSP population, but the Kaseya ransomware attack raised a red flag.
“There’s a lot of anger and suspicion,” said Weaver. These feelings aren’t unique to Kaseya, he noted.
“With all the money that’s in the [MSP] platform room, what has the investment community done to make these tools more secure?” Weaver asked, summarizing the MSP sentiment. “I think that’s a fair question.”
“I think this undoubtedly leaves a bad taste in the mouth from an MSP perspective,” said John Ferrell, co-founder of Huntress Labs, a managed detection and response company based in Ellicott City, Md. He cited previous attacks. “That was another slap in the face, another wake-up call.”
RMM offerings inherently provide administrative access and “godlike superpowers” to all MSP endpoints, noted Ferrell, who tracked the Kaseya ransomware attack. “When we use software with so much access, it has to be absolutely secure.”
To that end, RMM products must undergo testing, validation, and extreme testing before being released to the world, Ferrell said. Additionally, MSPs should hold vendors, including Huntress, accountable.
“Accountability is big talk here,” he said.
A new relationship?
The Kaseya ransomware attack marks a turning point in the relationship between MSPs and vendors, according to Weaver.
“[MSPs] really see this as if they want to be accountable to the platform vendors and feel that they are now unaccountable,” said Weaver. “This is not an MSP bug. … What will the provider do to make the MSPs and downstream customers complete if they are affected?”
While MSPs could start a new dialogue with their vendors, they would do well to create a fallback plan if they don’t already have one, Shoer said. The MSPs who are most successful at managing disruptions have a plan for dealing with events such as an RMM outage. MSPs should consider alternative ways to deploy patches, remotely support customers, and monitor customer networks.
Such a redundancy plan can help MSPs deal with business disruptions, whether they stem from cyber attacks or storms. “I think it’s important to play out scenarios,” said Shoer.
Regional cloud distributors for M&A deals
The latest round of channel M&A activity includes cloud distributors Rhipe and Resello.
Crayon, an IT services company based in Oslo, Norway, has agreed to purchase Rhipe Ltd., a cloud services provider based in North Sydney, Australia. The transaction, valued at approximately $300 million, is expected to close in October.
Rhipe focuses on the APAC region and works with more than 3,000 IT resellers. Crayon has focused on expanding its presence in Australia and opened its first offices in that country in August 2019.
Rhipe’s business model is “very similar” to Crayon’s approach, said Crayon’s CFO Jon Birger Syvertsen in an online presentation on the takeover. Syvertsen said Rhipe’s licensing business was “fully in line” with Crayon’s channel business, which he said is based on monthly recurring transactions running through a proprietary platform. He also pointed to Rhipe’s “strong emphasis on combining software and cloud reselling with value-added services.”
The upcoming transaction extends Crayon’s reach in APAC, which, according to CEO Melissa Mulholland, “is growing significantly compared to other markets.” The regional market for managed cloud services is expected to grow at an average annual growth rate of 15 to 20% between 2020 and 2025, Mulholland said, citing Gartner data and Crayon’s own research.
Based on the acquisition of Rhipe, Crayon will become the No. 1 partner in Microsoft’s Cloud Solution Provider (CSP) program in the APAC region, Mulholland said.
The Denver-based cloud distributor Pax8 has meanwhile acquired Resello, a cloud service distributor based in the Netherlands. The deal allows Pax8 to expand into more than 40 countries across Europe, according to Pax8.
The acquisition also expands Pax8’s presence at Microsoft. Resello is an authorized Microsoft CSP indirect provider in Europe. As a result, according to a Pax8 spokesperson, Pax8 is now “authorized worldwide by Microsoft”. Pax8 is one of six companies worldwide that bears this designation, the spokesman said.
In fact, geographic reach is the main reason behind the Resello deal. “The acquisition will enable local support and access to Resello’s rapidly growing partner base,” said the Pax8 spokesman.
The cloud distributor model has evolved in recent years in response to customers moving from on-premise IT to cloud spending.
Update of the partner list
- Deft, a provider of cloud, advisory and managed data center services, has renewed its status as a member of the AWS MSP partner program. The Chicago-based company said it completed the required AWS MSP audit for the seventh year in a row.
- Fluid Networks, an MSP based in Camarillo, California, has provided Cyren’s anti-phishing offering to its customers. Fluid Networks selected Cyren Inbox Security, from Cyren, a provider of email security and threat intelligence, after evaluating four alternative offerings.
Tools for MSPs
- Secureworks, a cybersecurity company that works with Managed Security Services Providers (MSSPs) and other channel partners, said it has integrated threat intelligence from its Counter Threat Unit into Secureworks Taegis VDR, a vulnerability detection and response offering. A spokesman for the Atlanta-based company said the integration will help MSSP partners and direct customers prioritize threats, free up security personnel, and identify and remediate high-risk vulnerabilities.
- Redstor, a cloud data management solutions provider that sells through channel partners, revealed support for Salesforce. The extension allows MSPs to expand their data protection services to cover the SaaS provider’s CRM offerings as well as Microsoft 365, Google Workspace and Xero.
Introduction and updating of the partner program
SecurityAdvisor, a security awareness platform provider based in Sunnyvale, California, has launched an affiliate program for MSPs, MSSPs, and resellers. The program components include price discounts, annual subscriptions and monthly usage-based billing options as well as support in generating demand. Participants can also access the business registration and multi-tenant management functions.
- Employee hiring is on the rise, according to a survey by West Monroe, a Chicago-based technology and business consultancy. The company’s survey of 150 C-level executives at companies with sales over $250 million found that 77% of respondents plan to add more employees in the third quarter. At the same time, the executives named the acquisition and retention of talent as one of the greatest challenges. Fifty-one percent of respondents named a lack of people with the right skills as the main barrier to hiring people in the third quarter.
- The RIB Schneider Group, based in Stuttgart, has merged five subsidiaries into one MSP. The new company, named InTwo, will focus on Microsoft cloud services and operate from offices in Seattle, San Diego, Puerto Rico, Amsterdam, Saudi Arabia, Dubai, Bangalore and Singapore.
- Platinum has completed its acquisition of Ingram Micro Inc. from HNA Technology Co. Ltd.
- Supply Chain Services, a Sole Source Capital portfolio company, acquired ISG Technologies, an automated identification and data collection VAR based in Arlington, Texas. The deal is the fourth supply chain services add-on transaction since Sole Source Capital acquired the company in May 2020.
Appointments of executives
DTEX Systems, an employee cybersecurity company based in San Jose, California, has named Denis Eversen as CRO. In this role, he will lead the company’s global sales, channel and partner functions. Eversen was previously Senior Vice President of Americas Sales at Fidelis Cybersecurity.
Armor, a Dallas-based cloud security company, has named Bryan Hauptman as CRO. Hauptman will oversee go-to-market activities and intensify the company’s efforts to expand its MSP base, according to Armor. Previously, he was CRO at ThreatConnect.
Market Share is a news summary published every Friday.