Kaseya ransomware attack underlines vendor accountability

The Kaseya VSA breach may prove a major turning point for MSPs' relationships with their IT services software vendors; other IT channel news.

The Kaseya ransomware attack, which has affected dozens of service providers and hundreds of downstream customers, raises the issue of MSP software vendor accountability in dramatic fashion. 

The REvil ransomware attack, which surfaced July 2, targeted Kaseya's VSA remote monitoring and management (RMM) product. According to Kaseya, compromised customers were using the on-premises version of the RMM offering. Threat actors exploited zero-day vulnerabilities in VSA to "bypass authentication and run arbitrary command execution" according to Kaseya's incident overview. As a result, the attackers were able to control VSA servers and deliver ransomware to MSP customers' endpoints.

Kaseya advised MSPs to shut down their on-premises VSA servers and took its VSA SaaS servers offline. Kaseya said its on-premises patch will be available at 4 p.m. ET on Sunday, July 11, and it will also "start the deployment to our VSA SaaS infrastructure."

Fewer than 60 VSA customers were compromised by the attack, Kaseya said. Company CEO Fred Voccola has pledged direct financial assistance to MSPs brought down by REvil.

MJ ShoerMJ Shoer

One of the affected companies contacted CompTIA's Information Sharing and Analysis Organization (ISAO) on July 2. "We have heard from one [ISAO] member -- a small MSP in the Midwest," said MJ Shoer, senior vice president and executive director of CompTIA's ISAO. The ISAO put out a call to members to assist the stricken MSP. Forty-one members responded in less than three hours, Shoer noted.

Charles WeaverCharles Weaver

MSPAlliance, an industry association based in North Chapel, N.C., has also heard from VSA customers. MSPAlliance CEO Charles Weaver said the MSPs that he spoke with have the association's MSP Verified certification and have reported no disruptions thus far. "They have taken down their instances of VSA and are reporting normal business operations," he said. MSP Verified certification criteria encompass business resilience measures.

A call for accountability

The affected companies represent a small subset of the entire MSP population, but the Kaseya ransomware attack has raised a red flag.

"There is a good amount of anger and distrust," Weaver said. Those feelings are not leveled solely at Kaseya, he noted.

"With all the money being spent in the [MSP] platform space, what has the investment community done with regard to shoring up the security of these tools?" Weaver asked, summarizing MSP sentiment. "I think that is a fair question."

"I think this undoubtedly leaves a bad taste in their mouths, from the MSP perspective," said John Ferrell, co-founder of Huntress Labs, a managed detection and response company based in Ellicott City, Md. He cited previous attacks. "This has been yet another slap in the face, yet another wake-up call."

RMM offerings, by design, provide admin access and "godlike superpowers" to all MSP endpoints, noted Ferrell, who tracked the Kaseya ransomware attack. "If we are using software that has so much access, that needs to be absolutely secure."

[MSPs] are really looking at this as wanting accountability from platform vendors and feeling that they are not getting accountability now.
Charles WeaverCEO, MSPAlliance

To that end, RMM products must be audited, reviewed and subjected to extreme scrutiny before released to world, Farrell said. Additionally, MSPs should hold vendors, Huntress included, accountable.

"Accountability is a big conversation here," he said.

A new relationship?

The Kaseya ransomware attack represents a watershed moment for MSP-vendor relations, according to Weaver.

"[MSPs] are really looking at this as wanting accountability from platform vendors and feeling that they are not getting accountability now," Weaver said. "This is not an MSP mistake. … What will the vendor do to make whole the MSPs and downstream customers, if they were impacted?"

While MSPs might enter a new dialogue with their vendors, they would also do well to create a fallback plan if they don't have one already, Shoer said. The MSPs most successful at navigating disruption have a plan for handling events such as an RMM outage. MSPs should think about alternative ways to deploy patches, support customers remotely and monitor customer networks.

Such a redundancy plan can help MSPs deal with business disruptions, whether they stem from cyber attacks or storms. "I think it's important to play out scenarios," Shoer said.

Regional cloud distributors in M&A deals

The latest round of channel M&A activity features cloud distributors Rhipe and Resello.

Crayon, an IT services firm based in Oslo, Norway, agreed to purchase Rhipe Ltd., a cloud services distributor based in North Sydney, Australia. The transaction, valued at about $300 million, is expected to close in October.

Rhipe focuses on the APAC region and works with more than 3,000 IT resellers. Crayon has focused on expanded its presence in Australia, opening its first offices in that country in August 2019.

Rhipe's business model is "very similar" to Crayon's approach, said Crayon CFO Jon Birger Syvertsen in an online presentation about the acquisition. Syvertsen said Rhipe's licensing business is "fully in line" with Crayon's channel business, which he characterized as based on monthly recurring transactions that run through a proprietary platform. He also noted Rhipe's "strong emphasis on the combination of software and cloud resell with value-added services."

The pending deal expands Crayon's reach into APAC, which company CEO Melissa Mulholland said is "growing substantially relative to other markets." The regional market for managed cloud services is forecast to grow at compound annual growth rate of 15% to 20% between 2020 and 2025, Mulholland said, citing Gartner data and Crayon's own research.

Based on the Rhipe acquisition, Crayon will become the No. 1 partner in Microsoft's Cloud Solution Provider (CSP) program in the APAC region, Mulholland said.

Denver-based cloud distributor Pax8, meanwhile, acquired Resello, a cloud services distributor based in the Netherlands. The deal lets Pax8 expand to more than 40 countries across Europe, according to Pax8.

The acquisition also extends Pax8's Microsoft footprint. Resello is an authorized Microsoft CSP Indirect Provider in Europe. As a result, Pax8 is now "globally authorized with Microsoft," according to a Pax8 spokesperson. Pax8 is one of six companies globally to have that designation, the spokesperson said.

Indeed, geographic reach is the key motivation behind the Resello deal. "The acquisition will enable localized support and provide access to Resello's rapidly growing partner base," the Pax8 spokesperson said.

The cloud distributor model has evolved in recent years in response to customers shifting from on-premises IT to cloud spending.

Partner roster update

  • Deft, a cloud, consulting and managed data center services provider, renewed its status as a member of the AWS MSP Partner Program. The Chicago-based company said it completed the required AWS MSP audit for the seventh consecutive year.
  • Fluid Networks, an MSP based in Camarillo, Calif., deployed Cyren's anti-phishing offering to its customers. The services provider tapped Cyren Inbox Security after evaluating four alternative offerings, according to Cyren, an email security and threat intelligence solution provider.

Tools for MSPs

  • Secureworks, a cybersecurity company that works with managed security services providers (MSSPs) and other channel partners, said it has integrated threat intelligence feeds from its Counter Threat Unit into Secureworks Taegis VDR, a vulnerability detection and response offering. A spokesperson for the Atlanta-based company said the integration helps MSSP partners and direct customers prioritize threats, free up security personnel, and identify and eliminate high-risk vulnerabilities.
  • Redstor, a cloud data management solutions provider that sells to channel partners, unveiled support for Salesforce. The addition lets MSPs extend their data protection services to cover the SaaS vendor's CRM offerings, as well as Microsoft 365, Google Workspace and Xero.

Partner program launches and updates

SecurityAdvisor, a security awareness platform provider based in Sunnyvale, Calif., launched a partner program for MSPs, MSSPs and resellers. Program components include pricing discounts, annual subscription and monthly usage-based billing options, and demand generation support. Participants can also access deal registration and multi-tenant management capabilities.

Other news

  • Hiring is looking up, according to a survey from West Monroe, a technology and business consultancy based in Chicago. The company's poll of 150 C-level executives at companies in excess of $250 million in revenue found 77% of respondents plan to hire more people in the third quarter. At the same time, the executives cited talent attraction and retention as a top challenge. Fifty-one percent of respondents cited a shortage of people with the right skill sets as the main obstacle to hiring in third quarter.
  • RIB Schneider Group, based in Stuttgart, Germany, has merged five subsidiary organizations into an MSP. Dubbed InTwo, the new company will focus on Microsoft cloud services and operate out of offices in Seattle, San Diego, Puerto Rico, Amsterdam, Saudi Arabia, Dubai, Bangalore and Singapore.
  • Platinum has completed its acquisition of Ingram Micro Inc. from HNA Technology Co. Ltd.
  • Supply Chain Services, a Sole Source Capital portfolio company, acquired ISG Technologies, an automatic identification and data capture VAR based in Arlington, Texas. The deal is the fourth add-on transaction for Supply Chain Services since Sole Source Capital acquired the company in May 2020.

Executive appointments

DTEX Systems, a workforce cybersecurity company based in San Jose, Calif., named Denis Eversen as CRO. He will lead the company's worldwide sales, channel and partnership functions in that role. Eversen was previously senior vice president of Americas sales with Fidelis Cybersecurity.

Armor, a cloud security company based in Dallas, appointed Bryan Hauptman as CRO. Hauptman will oversee go-to-market operations and reinforce the company's efforts to expand its MSP base, according to Armor. He was previously CRO at ThreatConnect.

Market Share is a news roundup published every Friday.

Next Steps

Kaseya pledges support for MSPs hit by ransomware attack

Dig Deeper on MSP business strategy

MicroScope
Security
Storage
Networking
Cloud Computing
Data Management
Business Analytics
Close