Kaseya Ransomware Attack Update: New Authentication Patch Released

“We’re currently not using the Kaseya VSA server. We’re currently manually performing many tasks,” says Joshua Justice, owner of JustTech, a Kaseya MSP hit in the attack.


Kaseya has implemented a new personal token authentication in its latest patch release for its VSA remote monitoring and management tool in a bid to stop future ransomware attacks.

But Joshua Justice, founder of JustTech, a La Plata, Maryland-based MSP hit in the Kaseya ransomware attack, said his company is currently not using the Kaseya VSA server but, rather, manually performing tasks for his clients.

Going forward, he’s reevaluating whether or not to continue to use Kaseya’s platform.

Sponsored post

“JustTech is still providing our needed services to clients and are not utilizing the Kaseya VSA server at this time,” he told CRN. “This means for some tasks needed, we perform manually or utilize another tool to accomplish. We do envision using a remote monitoring and management (RMM) tool in the future and will soon be evaluating the best partner whether it be Kaseya or someone else. Thus far, all focus has been on the full recovery of our clients.”

JustTech has more than 3,000 clients using offered services like Xerox, managed print services, managed IT services, cloud fax services and app solutions. Only a few hundred use managed IT services. About 120 were affected by the ransomware attack, Justice said.

[Related: Accenture LockBit Ransomware Attack: 5 Things To Know]

Kaseya’s personal token authentication comes in the wake of the July 2 ransomware attack which took down the VSA software tool. That attack – which is largely considered the biggest ransomware attack ever- resulted in an estimated 60 MSPs and 1,500 end user organizations with their data locked up by the REvil cybercriminals. Ultimately the 10-day VSA outage impacted 36,000 Kaseya MSP customers.

“In this release, we are happy to introduce personal token authentication for the REST API.” said Kaseya in an August 6 9.5.7d maintenance release patch update. “It is a more secure authentication method than using standard VSA user passwords, and you can explicitly control tokens for each VSA user, including the token’s expiration period.”

In response to a CRN request for additional comment, a Kaseya spokesperson said in an email: “As we remain focused on, and committed to ensuring the highest levels of safety and security for our customers, we are developing and releasing patches as soon as they are available,” said a Kaseya spokesperson in an email.

Kaseya declined to comment further on the patches.

Kaseya said that the REST API password-based authentication will be disabled as of October 2021. After October you will not be able to authenticate REST API requests using a standard VSA username and password combination,” said Kaseya. “To continue working with the REST API you will need to authenticate via OAuth 2.0 or personal tokens.”

Kaseya issued the full SaaS deployment of the patch on August 7 with general availability for on prem customers on August 9.

The new token authentication represents a major step forward in resolving what has become one of the most critical issues for MSPs: cybercriminals stealing passwords from MSP network administrators to pass on ransomware or break into corporate networks.

“This is big step forward by Kaseya to ensure that the bad guys can’t steal MSP credentials to spread ransomware or break into corporate networks,” said Michael Goldstein, CEO of LAN Infotech, a Fort Lauderdale, Fla., solution provider and a Kaseya VSA customer. “It’s great to see Kaseya taking the next step to ensure we are not subject to another VSA attack. This is good news for every MSP!”

Goldstein applauded Kaseya for implementing a wave of software patch updates to tighten up VSA security. “Kaseya is updating the VSA client and server software to assure that remote management and monitoring of our customer’s networks is secure,” he said. “At this point there is a lot of hard work being done by Kaseya to make MSPs more secure.”

As a Kaseya VSA SaaS customer, LAN Infotech has implemented all of the new security guidelines recommended by Kaseya, said Goldstein. He said the on premise VSA customers have more patching to do than the VSA SaaS customers. “We prefer the VSA SaaS version, but there are a lot of MSPs who feel more secure hosting VSA on their servers,” he said.

MSPs are still waiting for an in-depth post-mortem on the VSA attack and how the REvil cybercriminal organization was able to breach VSA, said Goldstein.

“We’re looking forward to Kaseya sharing the forensic results of their full investigation into the attack,” he said. “We need that forensic information to feel comfortable with the VSA platform.”

Goldstein said that none of the MSP platform vendors or industry players are immune to an attack like the one that hit Kaseya. “Kaseya has done a great job being transparent in the wake of the attack,” he said. “I give them all the credit in the world for all the work they have done to make this right for their MSP customers.”

Steven Burke contributed to this report.