GandCrab ransomware gang infects customers of remote IT support firms
Hackers have used a two-year-old vulnerability in a software package used by remote IT support firms to gain a foothold on vulnerable networks and deploy the GandCrab ransomware on those companies’ customer workstations.
At least one company has been hit already, according to a report on Reddit, confirmed by cyber-security firm Huntress Labs.
The Kaseya VSA plugin allows companies to link data from the Kaseya VSA remote monitoring and management solution to a ConnectWise dashboard.
Many small IT firms and other types of managed service providers (MSPs) use the two applications to centralize data from their clients and manage customer workstations from a remote central location.
In November 2017, a security researcher named Alex Wilson discovered an SQL injection vulnerability (CVE-2017-18362) in this plugin that could allow an attacker to create new administrator accounts on the main Kaseya app. He also published proof-of-concept code on GitHub that could automate the attack.
Kaseya released patches at the time; however, based on new evidence, it appears that many companies failed to install the updated Kaseya plugin on their ConnectWise dashboards, leaving their networks exposed.
Attacks exploiting this vulnerability started two weeks ago, around the end of January 2019. One report posted on Reddit describes an incident in which hackers breached an MSP’s network and then deployed GandCrab ransomware to 80 customer workstations.
A now-deleted tweet that ZDNet wasn’t able to verify claimed that hackers used the same attack routine to infect other MSPs, locking more than 1,500 workstations.
ConnectWise has issued a security alert in response to the growing number of reports surrounding these ransomware attacks, advising users to update their ConnectWise Manage Kaseya plugin. The company said that only companies “who have the Plugin installed on their on-premises [Kaseya] VSA” are impacted.
In an interview with MSSP Alert, a tech news site focused on the MSP sector, Kaseya executive VP of marketing and communications Taunia Kipp said they’ve identified 126 companies who failed to update the plugin and were still at risk.
“We posted a notification/support article to our support help desk and immediately started reaching out via phone/email to those identified who were at risk of impact with resolution,” she said.
Huntress Labs researchers, who said they had “first-hand knowledge” of the incident involving 80 customer workstations that got infected with GandCrab, had some advice for companies that are still running outdated versions of the Kaseya plugin.
The first thing you should do is to immediately disconnect your VSA server from the internet until you can be sure it hasn’t already been infected. While the attacks we saw this week immediately deployed ransomware, it’s entirely possible other attackers have known about this vulnerability and may already have a foothold within your system. Disconnecting the VSA server will at least prevent it from deploying ransomware while you investigate.
Next, you should thoroughly audit your VSA server and any other critical infrastructure for suspicious/malicious footholds, suspicious accounts, etc. We know this can be a tedious and lengthy process, but we want you to understand the risks associated with attacker access of this level.
Finally, remove the ManagedITSync integration and replace it with the newest version prior to re-connecting your VSA server to the internet.
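Since CVE-2017-18362 lets an attacker create new administrator accounts on the VSA server, the account audit in Huntress Labs' second step comes down to comparing the current admin list against a known-good baseline and the exploitation window. The following script is an added example and not code from the article, Huntress Labs or Kaseya; the CSV export layout, the role names `Master`/`System`, the baseline set and the 15 January 2019 window start are all assumptions to be replaced with your own data.

```python
import csv
from datetime import date
from io import StringIO

# Constructed sample export for this example. Kaseya VSA's real user-export
# format is not shown in the article; adapt the column names to your own export.
ACCOUNT_EXPORT_CSV = """user,role,created
vsa-admin,Master,2017-03-02
msp-ops,Master,2018-06-11
helpdesk1,Technician,2018-09-01
svc_backup,Master,2019-01-29
a1b2c3,Master,2019-02-01
"""

# Baseline of admin accounts taken from a known-good record (for example a
# pre-January-2019 backup or change-management ticket); constructed here.
KNOWN_ADMINS = {"vsa-admin", "msp-ops"}
# Assumed start of the window in which exploitation was reported (late Jan 2019).
EXPLOIT_WINDOW_START = date(2019, 1, 15)
# Assumed names of the VSA roles that carry full administrative rights.
ADMIN_ROLES = {"Master", "System"}


def parse_accounts(csv_text):
    """Parse the export into dicts, turning the 'created' column into a date."""
    rows = []
    for row in csv.DictReader(StringIO(csv_text)):
        row["created"] = date.fromisoformat(row["created"])
        rows.append(row)
    return rows


def suspicious_admins(accounts, known_admins=KNOWN_ADMINS,
                      window_start=EXPLOIT_WINDOW_START):
    """Return (user, reasons) for every admin account that is missing from the
    baseline or was created on or after window_start. Non-admin roles are
    skipped; each finding lists every reason so an analyst can triage it."""
    findings = []
    for acct in accounts:
        if acct["role"] not in ADMIN_ROLES:
            continue
        reasons = []
        if acct["user"] not in known_admins:
            reasons.append("not in baseline")
        if acct["created"] >= window_start:
            reasons.append("created inside exploitation window")
        if reasons:
            findings.append((acct["user"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in suspicious_admins(parse_accounts(ACCOUNT_EXPORT_CSV)):
        print(f"{user}: {', '.join(reasons)}")
```

A baseline-matched admin account created inside the window is still reported, because an attacker may reuse a familiar name; anything flagged should be cross-checked against change tickets before the server goes back online.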