Researchers are warning that hackers are exploiting a plug-in vulnerability to infect MSPs and their customers with GandCrab ransomware.
The bug, CVE-2017-18362, dates back to 2017, and is found in unpatched versions of the ConnectWise ManagedITSync integration plug-in tool, explains a Feb. 8 blog post by Chris Bisnett, security researcher at Huntress Labs. This plug-in is designed to sync data between the ConnectWise Manage professional services automation platform and the Kaseya remote monitoring and management system used by some MSPs.
Huntress Labs suspects that this exploit could be the culprit behind an attack reported on the MSP Reddit channel earlier this month. According to the Reddit user post, a mid-sized MSP had been recently attacked with ransomware that locked up 80 of its customers' endpoints, including servers. "Owner of a company under the mentioned MSP came over to our shop to purchase a 'clean' system," the post reads. "Seems the MSP is negotiating the ransom amount and will pay up."
The NIST National Vulnerability Database's entry for CVE-2017-18362 has been updated this month to reflect recent developments. "ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database," the entry states. "In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication"
"In 2017, Connectwise announced a vulnerability in their Plugin that allows multiple operations to be performed on a Kaseya server without authentication. Upon discovery of this flaw, Connectwise released an update intended to patch this vulnerability," says Connectwise in a security advisory that was last updated around Feb. 10. "Kaseya has detected that an extremely small number of customers either may not have installed the update from Connectwise or may have installed this update incorrectly."