Hackers utilized a previously reported and remediated vulnerability in the ConnectWise ManagedIT Sync plugin for Kaseya’s VSA remote monitoring and management system last week in efforts to load ransomware onto customer endpoints under the control of targeted MSPs. ConnectWise, working with Kaseya, has determined that the attack exploited an outdated version of the plugin that some VSA users never updated or updated incorrectly, according to Jeff Bishop, the vendor’s chief product officer.
Cybercriminals successfully encrypted all 2,000 computers managed by at least one MSP impacted by the attack and demanded $2.4 million in ransom, according to Kyle Hanslovan, CEO of security vendor Huntress Labs.
That MSP, which was trialing the Huntress Labs breach detection services, sent an alert late last week notifying Huntress about the issue. “When we started digging a little bit deeper, we realized that this was actually a vulnerability that was previously discovered,” says Hanslovan. His team spent the rest of the night identifying clients that could be impacted. “We ended up finding about 20 percent of our clients use Kaseya, and … I would say probably 20 percent of that 20 percent was vulnerable.”
Huntress notified those MSPs as well as anybody it could find via scanning tools on the internet that had a Kaseya server.
According to Bishop, “The original exploit was brought to our attention back late 2017/early 2018. It was part of a plugin arrangement that we had between ManageIT and Kaseya. We reviewed it at that time, worked with the Kaseya team, implemented a fix.”
Bishop says ConnectWise reported the vulnerability to all of its partners at the time and ran a message about it in a red banner at the top of the Today screen of the ConnectWise Manage application for months. “We maintained that in there to educate everybody that if you have the Kaseya plugin, please … follow these instructions to resolve this problem.”
Kaseya reached out to its customers at the time about the problem as well, according to Mike Puglia, the vendor’s chief customer marketing officer. “We followed suit to make sure that our customers were aware that if they were using the third-party connector that ConnectWise [had] announced that they had an issue,” he says.
Fast forward to last week. Though Hanslovan says he reached out to Huntress’ rep at ConnectWise on the night of February 4, Bishop says the issue had come to ConnectWise’s attention at the end of January. “We … made sure that we sent out all the instructions again and let everyone know what to do,” says Bishop. “The dev team was also in communications already with the Kaseya team as to how can we officially completely deprecate this with the best partner experience possible. A lot of partners already had fixed this, so we were trying to figure out with that Kaseya team what can we do for those that did not—without it impacting the customers who did. We don’t want to just completely turn off the plugin because it is working for the bulk of the customers.”
According to Puglia, Kaseya began investigating last week too, and determined that some VSA users had not applied the earlier patch. “So, we started working with ConnectWise, trying to get our arms around that,” he says. “We also created a little tool that we could run for our customers to check to see if they were using the older version from ConnectWise.” He says a number of smaller customers were still running the unpatched plugin and Kaseya “contacted those customers directly and let them know to disconnect that plugin and update to the newer version.”
In addition, Puglia says, Kaseya issued an alert on its support site on February 1.
The incident has been getting hashed out on social media. On February 5, Huntress posted this message on LinkedIn and Twitter:
Watch out: The old ConnectWise ManagedITSync plugin for Kaseya is actively being exploited to install #gandcrab! For our affected MSPs, all of their VSA managed endpoints were encrypted. This vulnerability allows unauthenticated execution of SQL commands via ManagedIT.asmx connector. Search your VSA server for the file “ManagedIT.asmx” or “KaseyaCWWebService.dll”. If found, consider removing it (WARNING: CW features using this will STOP WORKING). Vulnerabilty testing tools are available, but only check for the KaseyaCwWebService/ManagedIT.asmx URI. github.com/kbni/owlky
ConnectWise responded on Twitter:
We are working closely with the Kaseya team to push out an update today to ensure the plugin is configured correctly to prevent the previously known vulnerability. Security is important to us and we always recommend that partners keep systems updated and reach out to support.
On a Reddit thread, some MSPs have maintained that they did not know about the vulnerability. Responding to the comments on Reddit, ConnectWise issued this statement on February 6:
We worked with Kaseya when the vulnerability was originally identified and we’ve been working with Kaseya to correct the issue for those MSPs impacted recently. By working closely with the Kaseya team, we determined that MSPs currently being impacted by this vulnerability may have installed the update incorrectly. We are pushing out an update today to ensure the plugin is configured correctly to prevent the previously known vulnerability.
Security is important to us and we always recommend that partners keep systems updated and use the ConnectWise team as a resource. When we provide updates to ConnectWise products, integrations or plugins, we send out emails and in-app messaging to alert MSPs of the update. Partners can learn more about the update by contacting ConnectWise support or by visiting the ConnectWise Marketplace here.
In addition, Bishop says a new web service installed on the Kaseya web server since the vulnerability resurfaced has additional safeguards to protect partners that have the Kaseya integration.
According to Bishop, ConnectWise is re-evaluating its process for handling vulnerabilities in its software. “There’s always stuff we could do a little different and try to improve upon. I think that’s what we’re looking at now is the web service changes and being able to try to deprecate things faster and just prevent people from not harming themselves. In this situation, we did everything we thought we needed to do to get everybody fixed and to remediate the problem, but we probably could’ve done additional follow-up in there somewhere or to deprecate it completely.”
Moving forward, Bishop says ConnectWise is “going to proactively update the NIST National Vulnerability Database (NVD) where applicable for these type of incidents.”
Kaseya, for its part, says that it tests its solutions with help from outside security experts regularly and releases security patches on an ongoing basis. “It is unfortunate for everyone involved, but unfortunately it’s a reality of the day,” Puglia says. “Pretty much every system sometimes has some issues, so we take all the steps we can to make sure that those issues don’t provide an incident. But when we are made aware of something in our customer base, like this, even if it is a third-party product that they’ve installed, we work with that third-party vendor and make sure we can close that hole with the third party as quickly as possible.”
While this most recent incident was not related to a Kaseya VSA vulnerability, in January 2018, cybercriminals exploited a vulnerability in VSA to deploy unauthorized cryptocurrency mining software on managed endpoints. That same month, vulnerability management vendor Digital Defense disclosed multiple vulnerabilities in various applications on Zoho’s ManageEngine product.
Attacks like these on “supply chain” players, including MSPs, are expected to continue. Last October, the federal government issued a warning of increased advanced persistent threat activity against MSPs. In a recent blog post on security business trends, Maxim Frolov, managing director of Kaspersky Lab North America, said that software and hardware supply chain attacks, such as AppleJeus, Olympic Destroyer, ShadowPad, and ExPetr, will remain a major concern in 2019. He wrote that “organizations will need to come up with new approaches, including more strict requirements for service providers [and] hardware and software makers to reduce the risks.”
Hanslovan agrees. “Supply chain has always been a key part of anybody’s risk management. I think this is more just opening our eyes that whether you’re a small business or an enterprise business, supply-chain is absolutely a target.”
As for fingerpointing and blame, Hanslovan says there’s some to be shared. However, he concludes, “At the end of the day, I mean truly as an MSP, you’re responsible for your network—those [vulnerabilities] that are known, and those that are unknown, so you can’t take it away from the MSP.”