Managed service providers (MSPs) and IT support companies are being targeted in a new GandCrab ransomware campaign. MSPs are an attractive target. If access can be gained to MSP systems, the attackers can abuse trusted relationships to perform attacks on their clients.
MSPs are often used by SMBs that do not have the internal resource to manage their own IT or have insufficient staff numbers to devote to cybersecurity. MSPs perform a range of functions such as patching, performing software updates, and proactively finding security issues and correcting problems. In order to provide those services remotely, MSPs are given access to their clients’ networks.
A single attack on an MSP could not only result in MSP computers being infected with ransomware, but also those of their clients. Attacks can therefore be extremely profitable. A fact not lost of hackers. A successful attack on an MSP can give the attackers access to hundreds or thousands of client devices.
Several campaigns have been detected that have targeted MSPs, the latest of which has caused widespread damage. Two MSPs posted on Reddit to explain that they had been attacked and ransomware was deployed on their clients’ networks. In one case, around 80% of client devices had ransomware installed and in the second case, around 15% of clients were attacked.
The latest attack takes advantage of MSPs who have failed to patch a vulnerability in the Kaseya VSA plugin for ConnectWise. The plugin allows the Kaseya remote management and monitoring solution to be linked to the ConnectWise dashboard.
The vulnerability exploited in the attack – CVE-2017-18362 – was discovered in late 2017 and allows actions to be performed on a Kaseya server without authentication. Soon after the publication of a PoC for the vulnerability, ConnectWise released an updated plugin which addressed the flaw. Despite the patch being issued in November 2017, several MSPs have not applied the patch and are vulnerable to attack. Kaseya said it has detected 126 MSPs who have yet to upgrade to the secure version of the plugin.
Kaseya notes that this is an issue with the ConnectWise API rather than Kaseya VSA, and advises all Connectwise users with the plugin installed on their on-premise VSA to ensure they are running the latest version of the plugin and have deleted the old connector. Connectwise has released a tool that will scan for installed versions of the vulnerable plugin.
This latest attack involves the deployment of ransomware, although it is possible that other threat actors are aware of the vulnerability and may have already exploited it to install other forms of malware. All MSPs should therefore conduct an audit of their VSA server to determine whether it has been compromised.