Hackers exploit flaw in enterprise software to deploy Monero cryptominer

Security researchers recently observed an unknown threat actor attempting to deploy Monero cryptocurrency-mining software to endpoints by leveraging Kaseya Ltd's Virtual Systems Administrator (VSA), a remote monitoring and management platform used by managed service providers and enterprises to administer customer machines.

The operation was first observed on 19 January. It resembles last year's NotPetya attack in one important respect: in both cases the attackers compromised a trusted third-party vendor's software and used it as the delivery channel into victims' networks.

According to researchers at security firm eSentire, which first discovered the operation, Kaseya Ltd has issued security patches to close the vulnerability being exploited. The researchers warned, however, that the attack could evolve, so the indicators of compromise published so far may need to be updated.

In a statement published on its website, Kaseya Ltd strongly recommended that customers download and install the patches, which it has made available for SaaS and hosted servers. It also said that fewer than 0.1 percent of customers were affected by the operation.

'We have seen no evidence to suggest that this vulnerability was used to harvest personal, financial, or other sensitive information. However, we are aware of a small subset of our partners where Monero cryptocurrency mining software was deployed to endpoints,' it said.

The researchers first detected the activity between 19 and 24 January, when they saw suspicious PowerShell execution across several customers running esENDPOINT, eSentire's own endpoint detection agent. That PowerShell activity resulted in the deployment of xmrig.exe, an open-source Monero miner. The researchers traced the activity back to Kaseya Ltd's Virtual Systems Administrator (VSA) and notified the company that its platform was being used to push the mining software.

'Customers who actively use Kaseya VSA are encouraged to examine systems for the indicators of compromise included in this advisory. Impacted systems can be remediated by removing registry keys and scheduled tasks, and by stopping the PowerShell process running xmrig.exe,' the researchers said.
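The triage and remediation steps the advisory describes (find the PowerShell process that launched xmrig.exe, then remove the scheduled tasks and registry keys that keep it running) can be scripted on the endpoint. The following PowerShell is an added example, not the eSentire advisory's own script or its indicator list: the `xmrig` marker string, the Run-key locations it checks and the `-Remediate` switch are assumptions for illustration, and the advisory's actual indicators of compromise should be substituted before use.

```powershell
# Added example (not from the eSentire advisory or Kaseya): triage a Windows host
# for the artefacts the article describes: a PowerShell process that launched
# xmrig.exe, and scheduled tasks or Run-key entries that reference the miner.
# The indicator string and key paths are assumptions, not the advisory's IOCs.
# Run in an elevated PowerShell 5.1+ session; -Remediate actually removes findings.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$Indicator = 'xmrig'   # assumed marker; replace with the advisory's indicators
$findings  = @()

# 1. Running miner processes and the parent (typically powershell.exe) that spawned them.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -ieq 'xmrig.exe' -or ($_.CommandLine -and $_.CommandLine -imatch $Indicator) }
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $findings += [pscustomobject]@{
        Type   = 'Process'
        Id     = $p.ProcessId
        Detail = "$($p.Name) (parent: $($parent.Name) pid $($p.ParentProcessId)) $($p.CommandLine)"
    }
    if ($Remediate) {
        Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
        if ($parent -and $parent.Name -ieq 'powershell.exe') {
            Stop-Process -Id $parent.ProcessId -Force -ErrorAction SilentlyContinue
        }
    }
}

# 2. Scheduled tasks whose action or arguments reference the indicator.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -imatch $Indicator) {
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Id = "$($t.TaskPath)$($t.TaskName)"; Detail = $cmd }
            if ($Remediate) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
        }
    }
}

# 3. Persistence via Run / RunOnce keys in HKLM and every loaded user hive.
$runPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
if (-not (Test-Path 'HKU:')) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
$runPaths += Get-ChildItem 'HKU:' | ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

foreach ($path in $runPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item $path
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        if ($value -imatch $Indicator) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Id = "$path\$name"; Detail = $value }
            if ($Remediate) { Remove-ItemProperty -Path $path -Name $name }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { Write-Host "No $Indicator artefacts found." }
```

Run it without `-Remediate` first and review the findings; with `-Remediate` it kills the miner and any powershell.exe parent, unregisters matching tasks and deletes matching Run values. Cleaning the endpoint alone is not sufficient while the VSA server remains unpatched, since the same management channel can simply redeploy the task.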

According to Mark McArdle, CTO at eSentire, attackers who gain control of a third-party vendor's software can use the same technique to deliver any payload they choose, not just miners but also ransomware or destructive malware.

'MeDoc's compromise last year amplified third-party vendor risk. In this case, Kaseya provides infrastructure to many Managed Security Service Providers (MSPs) and enterprises. A vulnerability within this type of infrastructure provides attackers with a potentially massive platform to carry out their attacks. This most recent attack was a crypto-miner. It could just have easily been ransomware or a wiper,' he said.
