Unpatched Plugin Cost MSP To Fall For Ransomware Infection
Signing-up for Managed Service Providers (MSP) is a quick solution to lower the cost of maintenance for workstation troubleshooting, repairs, and maintenance. However, allowing a 3rd party company as the system administrators of a corporate network entails its own risks. Such risk may even reach critical operational levels and damage the company, losing weeks if not months worth of productivity to be lost. That scenario came to pass when an MSP got their remote management tool hijacked by a malicious party, which went ahead and encrypt the critical user files of their clients numbering to 2000.
The remote management tool used by the MSP had a vulnerable old version of ConnectWise, a VSA RMM plugin, which enables attackers to encrypt the files of all the servers belonging to the MSP’s clients. Since the hackers hold the decryption key, they were demanding $2.6 million worth of ransom payment.
“We’re prepping an in depth write up on this situation. We have full VSA logs from these incidents and we can guarantee ManagedIT.asmx was exploited in this campaign (multiple MSPs were targeted the same way). If u/fishandcheese has this MSP look at their unencrypted “kaseyaedgeservices” log, they will see the GET and POST requests to ManagedIT.asmx’s ExecuteSQL() and GetDataSet() functions. With regard to “first-hand knowledge of ‘THIS’ incident”, we actually meant THIS specific MSP as they are the same size, followed the same actions, in the same geographical area, and received the same payload as our affected partner. We might have made a wrong assumption by thinking this was the same client we are directly working with. However, this does not change the fact that ManagedIT.asmx is actively being targeted,” said Chris Bisnett, Huntress Labs Chief Architect.
As an integrated remote management tool + ticketing solution, Kaseya’s VSA RMM tool is conveniently used by the unnamed MSP. They use it to collect information about the clients’ desktops, laptops and corporate servers under their service contract. However, the ConnectWise plugin which is exclusively used for connecting the report capabilities of VSA RMM to an integrated ticketing system.
ConnectWise tool comes with its own update mechanism which the MSP’s system administrators failed to use in order to perform the critical update. The open vulnerability is a loophole that enabled attackers to gain the capability to remotely issue commands, including the encryption command against the clients’ files.
“They were able to task the RMM tool as if they were an administrator at the MSP. They said, ‘Take this executable and put it out on every system the MSP is managing’. we’re looking into a peculiar action performed by the attacker which could expand the theoretical scope of this threat. Considering the attention/concern this incident has already generated, we will not comment further until we confirm this new potential situation.,” added Bisnett.
Under the initial investigation, the attackers were found using Gandcrab, a well known ransomware application. It only took a few minutes to encrypt around 2000 clients of the MSP, which led to interested parties to discuss the issue publicly in a Reddit thread. It was already demonstrated in a GitHub page in November 2017 that a vulnerability in Connectwise can lead to 3rd parties executing arbitrary code against the target exploitable system. It is just unfortunate that the unnamed MSP company failed to do their homework when it comes to patching their system.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.