Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/7/2019
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Ransomware Attack Via MSP Locks Customers Out of Systems

Vulnerable plugin for a remote management tool gave attackers a way to encrypt systems belonging to all customers of a US-based MSP.

An attacker this week simultaneously encrypted endpoint systems and servers belonging to all customers of a US-based managed service provider by exploiting a vulnerable plugin for a remote monitoring and management tool used by the MSP.

The attack resulted in some 1,500 to 2,000 systems belonging to the MSP's clients getting cryptolocked and the MSP itself facing a $2.6 million ransom demand.

Discussions this week on an MSP forum on Reddit over what appears to be the same — or at least similar — incident suggest considerable anxiety within the community over such attacks, with a few describing them as a nightmare scenario.

"From the MSP's standpoint, the tool they use to manage everything was just used against them" to inflict damage on customers, says Chris Bisnett, chief architect at Huntress Labs. "Everyone is looking at the attack and saying, 'This could have been me.'"

Huntress provides managed detection and response services to the MSP that was attacked and to numerous others like it. Bisnett says one of the company's MSP clients reported the ransomware attack on Monday. After an initial investigation showed that the MSP's systems itself had not been compromised, researchers from Huntress did some further digging and eventually linked the attack to a vulnerable plugin for a remote management tool from Kaseya.

Many MSPs use Kaseya's VSA RMM tool to remotely monitor and manage client systems and servers. The vulnerable plugin for Kaseya that was exploited in the MSP attack itself was from ConnectWise and is used to manage support tickets raised in Kaseya, Bisnett says.

The vulnerability basically gave the attackers a way to run remote commands that allowed them complete access to the Kaseya VSA database. "They were able to task the RMM tool as if they were an administrator at the MSP," Bisnett says. "They said, 'Take this executable and put it out on every system the MSP is managing.'"

In this case, the executable was Gandcrab, a widely distributed ransomware tool that has been used in numerous previous attacks. All customer systems that the MSP was managing via the Kaseya RMM tool were encrypted simultaneously, locking users out of them.

A poster on Reddit on Tuesday described a similar incident impacting a local MSP in which all client systems were encrypted. It's unclear, however, whether the incident mentioned in the Reddit report is the same one reported by the Huntress MSP customer.

Previously, attackers have installed cryptomining tools on business systems and stolen data from organizations in various sectors by gaining access to their networks via MSP connections. There have also been incidents where MSPs have reported one or two clients getting hit with ransomware. "But this was extra alarming because all customer systems were encrypted at the same time," Bisnett notes.

Rising Concerns
Attacks on MSPs are a growing concern. Recently, threat actors, some sponsored by nation states, have begun targeting MSPs in an attempt to get to the networks of their clients. APT10, a threat group believed to be working for the Chinese Ministry of State Security's Tianjin State Security Bureau, is one of the best-known operations targeting MSPs. For the past few years, the group has been conducting a broad cyberespionage operation called Cloud Hopper to steal data from organizations in banking, manufacturing, consumer electronics, and numerous other sectors by attacking their MSPs.

In fact, concerns over such attacks are so high that the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security scheduled to brief MSPs on Chinese malicious activity later this month.

The vulnerability that the threat actor exploited in the latest attack exists in ManagedITSync, a ConnectWise plugin for Kaseya VSA. A security researcher from Australia first reported the vulnerability in November 2017 and posted details, along with proof of concept code, on GitHub.

ConnectWise issued an update addressing the issue sometime later, but for some reason the bug and the update patching it appear to have received little attention until now, Bisnett says. The bug was assigned a formal CVE number only this week after Huntress Lab informed MITRE about the issue, he says. The CVE was backdated to 2017 to reflect the fact it was first reported at that time.

In a note that appears to have been posted six days ago and updated yesterday, Kaseya urged customers using the ConnectWise plugin for VSA to upgrade to the patched version immediately or, alternatively, to remove the plugin altogether.

"This only impacts ConnectWise users who have the plugin installed on their on-premises VSA," the company said, adding that only a very small number of customers appear vulnerable to the threat.

"We are lucky enough not to be directly in the path of this particular storm," says Joshua Liberman, president of Net Sciences, a New Mexico-based MSP. "The only way we'll survive this as an industry, short of stopping the threat at its source, which is well beyond our scope, is to tighten our own defenses, share information with each other, and create an 'offensive defense posture,'" he says.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

 
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ludovic_rembert
50%
50%
ludovic_rembert,
User Rank: Apprentice
5/6/2019 | 4:28:55 AM
Re: The title should have read: Negligent MSP puts customers at risk.
"if the MSP had paid attention this would have been patched 18 months ago and they wouldn't have had a problem."

Following this logic, if millions of Windows users had run automatic updates, they would have avoided ransomware infection from Wannacry. Maybe it's time we shift the burden of responsibility a bit more from from patching updates, and onto the bad actors? 
ShieldHelps
100%
0%
ShieldHelps,
User Rank: Apprentice
2/22/2019 | 3:49:12 PM
The title should have read: Negligent MSP puts customers at risk.
Interesting that the author spent almost zero time pointing out the fact that this was caused by a negligent MSP that didn't patch their systems.  Instead, spread FUD around MSPs and the tools they use.

Here is the real notable item, from the article, buried at the bottom.

"ConnectWise issued an update addressing the issue sometime later, but for some reason the bug and the update patching it appear to have received little attention until now,."

Every update should receive attention, if the MSP had paid attention this would have been patched 18 months ago and they wouldn't have had a problem. This applies to all software and operating systems for all companies, if you aren't patching your systems, then you substantially increase your chances of getting exploited.
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.