
Ransomware attackers exploit old plug-in flaw to infect MSPs and their clients

Researchers are warning that hackers are exploiting a plug-in vulnerability to infect MSPs and their customers with GandCrab ransomware.

The bug, CVE-2017-18362, dates back to 2017, and is found in unpatched versions of the ConnectWise ManagedITSync integration plug-in tool, explains a Feb. 8 blog post by Chris Bisnett, security researcher at Huntress Labs. This plug-in is designed to sync data between the ConnectWise Manage professional services automation platform and the Kaseya remote monitoring and management system used by some MSPs.

Huntress Labs suspects that this exploit could be the culprit behind an attack reported on the MSP Reddit channel earlier this month. According to the Reddit user post, a mid-sized MSP had been recently attacked with ransomware that locked up 80 of its customers' endpoints, including servers. "Owner of a company under the mentioned MSP came over to our shop to purchase a 'clean' system," the post reads. "Seems the MSP is negotiating the ransom amount and will pay up."

The NIST National Vulnerability Database's entry for CVE-2017-18362 has been updated this month to reflect recent developments. "ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database," the entry states. "In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication."
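The NVD description above gives a defender a concrete thing to look for: requests to the ManagedIT.asmx page that arrive without an authenticated user or from a host that is not the ConnectWise Manage server. The following Python script is an added example (not code from the article, Huntress Labs, ConnectWise or Kaseya) showing one way to sweep IIS W3C-format web logs on a VSA server for such requests. The install path, the trusted-caller network, the usernames and the log lines are all constructed assumptions; the check keys only on the page name the NVD entry cites, because the article does not give the plug-in's directory.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the only host that should legitimately call the ManagedITSync
# endpoint is the ConnectWise Manage server, here placed in an invented subnet.
TRUSTED_CALLERS = [ip_network("10.0.5.0/24")]

# Match the ManagedIT.asmx filename anywhere in the request path; the directory
# the plug-in installs to is not given in the article, so it is not hard-coded.
ENDPOINT_RE = re.compile(r"/ManagedIT\.asmx\b", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    reason: str


def parse_w3c_line(line, fields):
    """Split one IIS W3C extended log line into a dict keyed by field name."""
    parts = line.split(" ")
    if len(parts) != len(fields):
        return None
    return dict(zip(fields, parts))


def audit_managedit_requests(log_text):
    """Return a Finding for each ManagedIT.asmx request that warrants review.

    A request is flagged when it is unauthenticated (cs-username is '-') or
    when its source address is outside TRUSTED_CALLERS. Both reasons are
    reported when both apply.
    """
    fields = None
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The #Fields directive names the columns for the lines that follow.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        rec = parse_w3c_line(line, fields)
        if rec is None or not ENDPOINT_RE.search(rec["cs-uri-stem"]):
            continue
        reasons = []
        if rec["cs-username"] == "-":
            reasons.append("unauthenticated request")
        try:
            src = ip_address(rec["c-ip"])
            if not any(src in net for net in TRUSTED_CALLERS):
                reasons.append("source not in trusted caller list")
        except ValueError:
            reasons.append("unparseable client address")
        if reasons:
            findings.append(Finding(
                timestamp=f"{rec['date']} {rec['time']}",
                client_ip=rec["c-ip"],
                method=rec["cs-method"],
                uri=rec["cs-uri-stem"],
                reason="; ".join(reasons),
            ))
    return findings


# Constructed sample log in IIS W3C format; paths, addresses and usernames are
# invented for this example. The first line is the expected sync traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2019-02-07 03:12:44 10.0.5.20 cwsync POST /example/ManagedIT.asmx - 200
2019-02-07 03:13:01 198.51.100.77 - POST /example/ManagedIT.asmx - 200
2019-02-07 03:13:09 198.51.100.77 - GET /example/managedit.asmx - 200
2019-02-07 03:14:30 10.0.5.20 - GET /example/Default.aspx - 200
"""

if __name__ == "__main__":
    for f in audit_managedit_requests(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} {f.method} {f.uri} -> {f.reason}")
```

Run against the constructed log, the first request (authenticated, from the trusted subnet) is silent and the two requests from the outside address are reported. In a real deployment the trusted subnet and the log path would come from the environment, and a hit should be treated as a prompt to confirm the plug-in update described in the ConnectWise advisory was actually applied.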

"In 2017, Connectwise announced a vulnerability in their Plugin that allows multiple operations to be performed on a Kaseya server without authentication. Upon discovery of this flaw, Connectwise released an update intended to patch this vulnerability," says Connectwise in a security advisory that was last updated around Feb. 10. "Kaseya has detected that an extremely small number of customers either may not have installed the update from Connectwise or may have installed this update incorrectly."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
