Hackers are exploiting a two-year-old vulnerability in a software package used by IT support companies to gain a foothold in those companies' networks. From there, they push GandCrab ransomware onto the workstations of the IT supporters' customers.
A report on Reddit, later confirmed by the cyber security firm Huntress Labs, shows that at least one company has actually been infected. The vulnerability being abused affects the Kaseya plugin for ConnectWise Manage, a professional services automation (PSA) product that some IT support companies use in their operations.
The Kaseya plugin
The Kaseya plugin syncs data from Kaseya VSA, Kaseya's remote management platform, into a ConnectWise dashboard. Small IT companies and other managed service providers (MSPs) in particular use the two products together to centralize their customers' data, which lets them manage customer workstations remotely.
In November 2017, however, security researcher Alex Wilson discovered an SQL injection vulnerability (CVE-2017-18362) in the plugin that lets an attacker create a new administrator account on the Kaseya server behind it. He also published proof-of-concept code on GitHub that automates the attack.
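The plugin's own code is not reproduced here, and the exact statements the published proof of concept sends are not part of this article. The following is an added, constructed example (not Kaseya's, ConnectWise's or the researcher's code) that shows the general mechanism the paragraph describes: a web handler splices a request parameter into SQL text, so an attacker can stack an extra INSERT that creates an administrator account. The table names, the handler names and the payload are all hypothetical; SQLite is used in memory so the script runs offline, with executescript() standing in for database drivers that accept several statements per call. The hardened handler beside it binds the same value as a parameter, and a small audit helper shows the check an MSP would want to run afterwards: list administrator accounts that nobody created on purpose.

```python
import sqlite3

# Constructed demo schema (hypothetical): the users table is the target, the
# audit table is what the handler legitimately writes to.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, is_admin INTEGER NOT NULL DEFAULT 0);
CREATE TABLE audit_log (id INTEGER PRIMARY KEY AUTOINCREMENT, customer TEXT NOT NULL);
INSERT INTO users (username, is_admin) VALUES ('legit_admin', 1);
"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def log_customer_vulnerable(conn, customer_name):
    """Hypothetical vulnerable handler: the request parameter is concatenated
    into the statement text. executescript() lets SQLite run several
    statements in one call, mimicking drivers that do so by default; that is
    what makes the stacked INSERT in PAYLOAD possible."""
    sql = "INSERT INTO audit_log (customer) VALUES ('" + customer_name + "');"
    conn.executescript(sql)

def log_customer_fixed(conn, customer_name):
    """Hardened handler: same statement, but the value is bound as a
    parameter, so the database receives exactly one statement and treats the
    whole input as data."""
    conn.execute("INSERT INTO audit_log (customer) VALUES (?)", (customer_name,))
    conn.commit()

def is_admin(conn, username):
    row = conn.execute(
        "SELECT is_admin FROM users WHERE username = ?", (username,)
    ).fetchone()
    return bool(row and row[0])

def unexpected_admins(conn, known_admins):
    """Post-incident check: administrator accounts not on the approved list."""
    rows = conn.execute("SELECT username FROM users WHERE is_admin = 1").fetchall()
    return sorted({r[0] for r in rows} - set(known_admins))

# Constructed payload: closes the string and the statement, appends an INSERT
# that creates a new administrator, then comments out the rest of the query.
PAYLOAD = "acme'); INSERT INTO users (username, is_admin) VALUES ('attacker', 1); --"

def demo_vulnerable():
    """Returns (attacker is admin?, unexpected admins) after the injection."""
    conn = new_db()
    log_customer_vulnerable(conn, PAYLOAD)
    return is_admin(conn, "attacker"), unexpected_admins(conn, ["legit_admin"])

def demo_fixed():
    """Returns (attacker is admin?, what was actually logged) with the fix."""
    conn = new_db()
    log_customer_fixed(conn, PAYLOAD)
    logged = conn.execute("SELECT customer FROM audit_log").fetchone()[0]
    return is_admin(conn, "attacker"), logged

if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())   # (True, ['attacker'])
    print("fixed:     ", demo_fixed())        # (False, PAYLOAD as a plain string)
```

With the vulnerable handler the payload leaves a second administrator behind, which the audit helper surfaces; with the parameterized handler the entire payload is stored verbatim in the audit table and no account is created. Reviewing the administrator list for accounts nobody recognizes is the quickest indicator that this class of attack has already succeeded against a server.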
Installing a patch
An update that patched the problem was released at the time, but it turns out it has not been installed everywhere. Many companies are still running the unpatched version of the Kaseya plugin, needlessly exposing their own networks and those of their customers. Attackers started exploiting the vulnerability two weeks ago.
In January, an initial report appeared on Reddit describing an incident at an MSP whose network was compromised, after which the attackers placed GandCrab ransomware on 80 customer workstations. Similar attacks have reportedly been carried out against other MSPs, with more than 1,500 workstations infected in total, although this has not been confirmed.
ConnectWise has since released a security alert in response, advising customers to update the Kaseya plugin to the patched version.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.