Ransomware Attacks Target MSPs to Mass-Infect Customers.
Ransomware distributors have started to target managed service providers (MSPs) in order to mass-infect all of their clients in a single attack. Recent reports indicate that multiple MSPs have been hacked, which has led to hundreds, if not thousands, of clients being infected with the GandCrab Ransomware.
With the mass distribution of ransomware becoming more difficult through methods such as spam, attackers are coming up with more creative ways to infect their victims. This includes hacking into RDP, teaming up with criminal download monetization companies, renting the services of botnet operators, and now attacking MSPs.
A managed service provider is a company that remotely manages and supports the IT infrastructure and technical support for its clients. One of the benefits of an MSP is that it monitors its clients’ networks and proactively fixes problems that it discovers.
In order to perform this type of support, though, MSPs utilize software that allows them to remotely access their clients’ networks and computers and push out new updates, install applications, or apply fixes. Ransomware distributors are beginning to leverage this model by hacking into an MSP and then using its backend to distribute ransomware, and potentially other malware, to all of the MSP’s clients.
In a recent post on the MSP Reddit channel, a user reports that a local mid-sized MSP was hacked and used to distribute the GandCrab Ransomware to 80 of their clients’ endpoints.
Bill Siegel, the CEO of ransomware remediation firm Coveware, told BleepingComputer that an MSP they spoke to was also attacked and 15% of this MSP’s clients had GandCrab installed on them.
According to security consulting firm Huntress Labs, the attackers are gaining access to MSPs through a vulnerability in software used to link two products that are commonly used by MSPs to manage their clients’ endpoints and perform remote administration.
Year-old vulnerability being exploited
Common products used by MSPs to manage their clients’ endpoints are ConnectWise and Kaseya. ConnectWise is commonly used as a customer relationship manager and ticketing system, and Kaseya is used to perform remote management on the endpoints managed by the MSP.
Over a year ago, Alex Wilson disclosed a vulnerability and proof-of-concept in ManagedITSync, which is a plugin used to integrate ConnectWise with Kaseya. This vulnerability can be used to perform various commands in Kaseya, including resetting the administrator password.
“What is this? This is a proof of concept exploit for a Kaseya & ConnectWise integration called ManagedITSync which allows ConnectWise to retrieve information about assets in your Kaseya database (to then generate Configurations in ConnectWise).
Specifically, this script targets the KaseyaCwWebService/ManagedIT.asmx endpoint which is installed on the Kaseya server. To be clear, this is not really an exploit with Kaseya’s offering — but rather the integration published by ConnectWise which happens to be installed on the Kaseya server.”
According to a LinkedIn post by MSP security firm Huntress Labs, ransomware distributors are attacking MSPs through this vulnerability.
Once attackers gain access to the Kaseya server, they can push out commands to install programs on the various endpoints that are being managed. In this particular attack, Huntress Labs stated that all of the endpoints were infected with GandCrab.
Coveware told BleepingComputer that this vulnerability was also used to target the MSPs they have spoken to.
ConnectWise has issued an advisory explaining that MSPs should upgrade to a newer version of this plugin and delete the old connector, especially the ManagedIT.asmx file. They have also released a tool that allows clients to scan their servers for the vulnerable plugin.
Huntress Labs has also released a blog post explaining how to check if a Kaseya VSA server is vulnerable. All MSPs that utilize these products are advised to read the Huntress Labs article to confirm that their installations are secure.
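Beyond scanning for the plugin file, an MSP can also look back through its web server logs for calls to the integration endpoint from hosts other than its own ConnectWise server. The script below is an added example, not code from the article, ConnectWise or Huntress Labs; it assumes the Kaseya VSA server fronts the plugin with IIS writing W3C-format logs, and the allowlist of expected callers and the log lines are constructed for illustration.

```python
"""Flag requests to the ManagedITSync endpoint in IIS W3C logs.

Added example, not from the article or any vendor tool. Assumes the
Kaseya VSA server fronts the plugin with IIS and writes W3C logs whose
'#Fields:' header names the columns used below; the set of hosts that
are expected to call the integration is an assumption the operator fills in.
"""
from collections import defaultdict

# The integration endpoint named in the article (compared case-insensitively).
MANAGEDIT_ENDPOINT = "/kaseyacwwebservice/managedit.asmx"

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2019-02-20 08:00:01 10.0.0.5 POST /KaseyaCwWebService/ManagedIT.asmx - 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2019-02-20 08:05:44 10.0.0.5 GET /vsapres/web20/core/login.aspx - 10.0.0.31 Mozilla/5.0 200
2019-02-20 23:14:09 10.0.0.5 POST /KaseyaCwWebService/ManagedIT.asmx - 198.51.100.7 python-requests/2.21.0 200
2019-02-20 23:14:12 10.0.0.5 POST /KaseyaCwWebService/ManagedIT.asmx - 198.51.100.7 python-requests/2.21.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def suspicious_managedit_calls(text, allowed_callers):
    """Return sorted (client_ip, count) pairs for callers of the ManagedITSync
    endpoint that are not among the expected ConnectWise integration host(s)."""
    hits = defaultdict(int)
    for rec in parse_w3c(text):
        if (rec["cs-uri-stem"].lower() == MANAGEDIT_ENDPOINT
                and rec["c-ip"] not in allowed_callers):
            hits[rec["c-ip"]] += 1
    return sorted(hits.items())


if __name__ == "__main__":
    # 10.0.0.20 stands in for the MSP's own ConnectWise server (constructed).
    for ip, n in suspicious_managedit_calls(SAMPLE_LOG, {"10.0.0.20"}):
        print(f"{n} ManagedIT.asmx request(s) from unexpected host {ip}")
```

Any hit is worth correlating with Kaseya's own audit trail for administrator password changes around the same time, since that is the action the disclosed proof-of-concept performs.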
DHS issues warning about attacks against MSPs
In October 2018, the U.S. Department of Homeland Security issued Alert TA18-276B titled “Advanced Persistent Threat Activity Exploiting Managed Service Providers” that discussed how bad actors are targeting MSPs to gain access to their customers’ networks.
More recently, the DHS has been hosting webinars titled “Chinese Cyber Activity Targeting Managed Service Providers” that cover cyber attacks by Chinese actors against MSPs. This session was previously recorded by Huntress Labs for those who wish to learn more about this activity.
While there is no evidence that these ransomware attacks are related to the DHS alerts, it does show that targeting MSPs provides a launch pad into numerous other networks that an actor would want to access.