At least 126 managed service providers forgot to update a plugin back in 2017 and are now vulnerable to attacks.
*Editorial Note: Longevity Technology has often been wary of ConnectWise and Kaseya and our clients are on a different platform that was not affected by these vulnerabilities.
Hackers have used a two-year-old vulnerability in a software package used by remote IT support firms to gain a foothold on vulnerable networks and deploy the GandCrab ransomware on those companies’ customer workstations.
The vulnerability used by the hackers impacts the Kaseya plugin for the ConnectWise Manage software, a professional services automation (PSA) product used by IT support firms.
The Kaseya VSA plugin allows companies to link data from the Kaseya VSA remote monitoring and management solution to a ConnectWise dashboard.
Many small IT firms and other types of managed service providers (MSPs) use the two applications to centralize data from their clients and manage customer workstations from a remote central location.
In November 2017, a security researcher named Alex Wilson discovered an SQL injection vulnerability (CVE-2017-18362) in this plugin that could allow an attacker to create new administrator accounts on the main Kaseya app. He also published proof-of-concept code on GitHub that could automate the attack.
Kaseya released patches at the time, however, based on new evidence, it appears that many companies failed to install the updated Kaseya plugin on their ConnectWise dashboards, leaving their networks exposed.
Attacks exploiting this vulnerability started two weeks ago, around the end of January 2019. One report posted on Reddit describes an incident at an MSP where hackers breached an MSP’s network and then deployed GandCrab ransomware to 80 customer workstations.
A now-deleted tweet that ZDNet wasn’t able to verify claimed that hackers used the same attack routine to infect other MSPs, locking more than 1,500 workstations.
ConnectWise has issued a security alert in response to the growing number of reports surrounding these ransomware attacks, advising users to update their ConnectWise Manage Kaseya plugin. The company said that only companies “who have the Plugin installed on their on-premises [Kaseya] VSA” are impacted.
In an interview with MSSP Alert, a tech news site focused on the MSP sector, Kaseya executive VP of marketing and communications Taunia Kipp said they’ve identified 126 companies who failed to update the plugin and were still at risk.
“We posted a notification/support article to our support help desk and immediately started reaching out via phone/email to those identified who were at risk of impact with the resolution,” she said.
Huntress Lab researchers, who said they had “first-hand knowledge” of the incident involving 80 customer workstations that got infected with GandCrab, had some advice for companies that are still running outdated versions of the Kaseya plugin.
The first thing you should do is to immediately disconnect your VSA server from the internet until you can be sure it hasn’t already been infected. While the attacks we saw this week immediately deployed ransomware it’s entirely possible other attackers have known about this vulnerability and may already have a foothold within your system. Disconnecting the VSA server will at least prevent it from deploying ransomware while you investigate.
Next, you should thoroughly audit your VSA server and any other critical infrastructure for suspicious/malicious footholds, suspicious accounts, etc. We know this can be a tedious and lengthy process but want you to understand the risks associated with attacker access of this level.
Finally, remove the ManagedITSync integration and replace it with the newest version prior to re-connecting your VSA server to the internet.
Hackers steal 7.5TB of data from Russian Intel Agency FSB’s contractorOn Saturday, 13 July 2019, a group of hackers going by the online handle of 0v1ru$ hacked and defaced the official website of SyTech, a high-profile contractor working for Russian intelligence...
Bluetooth Flaws Could Allow Global Tracking of Apple, Windows 10 DevicesIdentifying tokens and random addresses, meant to create anonymity, do not change in sync on some devices — opening an attack vector. Vulnerabilities in the way Bluetooth Low Energy is implemented...
Sprint says hackers breached customer accounts via Samsung websiteUS mobile network operator Sprint said hackers broke into an unknown number of customer accounts via the Samsung.com "add a line" website. "On June 22, Sprint was informed of unauthorized access to your...
Stay Up to Date With The Latest News & Updates
Join Our Newsletter
Get weekly tech updates and immediate alerts when there is a zero-day or security issue!