Attackers are exploiting a vulnerability in a utility widely used by Managed Service Providers (MSPs) to penetrate managed client systems and infect them with malware.
An investigation showed that the MSPs’ own systems had not been compromised directly; the point of entry was a vulnerable plugin for a remote management tool from Kaseya that some of them use.
Many MSPs use Kaseya’s VSA RMM tool to remotely manage client systems. The vulnerable plugin is made by ConnectWise and acts as an interface between the Kaseya monitoring system and the ConnectWise ticketing system.
The vulnerability allows attackers to run remote commands, giving them complete access to the Kaseya database. “They were able to task the RMM tool as if they were an administrator at the MSP,” said Chris Bisnett, chief architect at Huntress Labs. He added, “They essentially said, ‘Take this executable and put it out on every system the MSP is managing.’”
In one case, the executable was GandCrab, a widely distributed ransomware family that has been used in numerous other attacks. All customer systems that the MSP was managing via the Kaseya RMM tool were encrypted simultaneously, effectively scrambling every client network at once.
In other reported instances, attackers installed crypto-mining tools on managed systems. Data was also stolen from some organizations after attackers gained access to their networks via the MSPs’ remote access connections.
The vulnerability exploited in the latest attacks exists in ManagedITSync, a ConnectWise plugin for Kaseya VSA. A security researcher in Australia first reported the vulnerability in November 2017 and posted details, along with proof-of-concept code, on GitHub.
ConnectWise issued an update addressing the issue some time later, but the bug and the patch for it appear to have received little attention until now. Kaseya posted a warning six days ago urging MSPs that use the ConnectWise plugin for VSA to upgrade to the patched version immediately or, alternatively, to remove the plugin altogether. Because the fix was available well before these attacks, the practical lesson is that third-party plugins to management tooling need the same patch tracking as the tool itself; an MSP that cannot confirm the installed plugin version should treat it as vulnerable.
It should be noted that ACT Network Solutions does not use either of these products for client monitoring or work-ticket generation.