grandeduc - Fotolia

ConnectWise plugin flaw exploited in ransomware attacks on MSPs

GandCrab ransomware infected several managed service providers, thanks to an old a ConnectWise manage plugin vulnerability, but a new decryptor tool is offering relief to victims.

A vulnerable ConnectWise plugin led to several managed service providers being infected with GandCrab ransomware, but a new decryptor tool has provided relief for at least one of the victims.

The vulnerable ConnectWise plugin was designed to sync data between the ConnectWise professional service automation software and the Kaseya VSA remote monitoring and management software. The flaw in the plugin was first discovered and patched in the fall of 2017, and Jeff Bishop, chief product officer at ConnectWise, said the company contacted customers at the time about the need to remediate the issue.

"We alerted affected partners a few weeks later via email and provided mitigation steps to temporarily resolve the vulnerability until a stronger and more thorough patch could be provided," Bishop said. "We worked with a broader group of partners on our planned resolution, which we officially rolled out on Feb. 21, 2018. This included a notification on the opening Manage screen that each person would see when logging in. The notification remained present until the partner applied the fix. The patch we provided resolved the vulnerability, but was only effective if the patch was applied."

Unfortunately, some customers never applied the patch or installed the new plugin incorrectly, leading to recent attacks detected by Huntress Labs, a threat detection vendor based in Baltimore, and confirmed by Kaseya. Kyle Hanslovan, founder and CEO of Huntress Labs, said he is "aware of four managed service providers that had all of their clients' endpoints encrypted with GandCrab in a single swoop" after malicious actors exploited the vulnerable plugin.

Mike Puglia, chief product officer at Kaseya, said that once they heard about the attacks in late January, they "found a way to check our customers to see if they had installed ConnectWise" and found 126 out of about 10,000 customers running an old version of the ConnectWise plugin.

"We reached out to all of those customers manually and physically. We called, we sent emails, we sent notifications, because it wasn't our whole customer base," Puglia said. "At the same time, ConnectWise updated their patch and published it. They made an enhancement to it so it couldn't be installed improperly."

ConnectWise also confirmed in a company statement that it "contacted all known partners who have the Kaseya integration with ConnectWise Manage, and have been actively working to assist with the patch where needed."

In an alert, Kaseya said the vulnerable ConnectWise plugin could allow "multiple operations to be performed on a Kaseya server without authentication."

According to Hanslovan, the first MSP attacked had "all 2,000 computers they manage encrypted and held for $2.44 million in ransom." The MSP paid part of the ransom and received a GandCrab decryptor from the attackers but have found added success in decrypting affected devices with a new tool released by Bitdefender.

Attacks on managed service providers have been getting more attention recently because of the access required by these firms and the number of potential victims if just one MSP is breached. Research has shown attacks on MSPs have been rising and in December, the DoJ indicted two Chinese nationals in part for attacking MSPs around the world in order to gain access to high-profile clients, including U.S. government agencies.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing