MSPs as a threat vector

March 27, 2019

Becoming a “link” in a supply-chain attack is an unpleasant experience for any organization — and twice as unpleasant for a managed service provider (MSP). That’s especially so if security system management is one of its services. And yet this situation is not as speculative as we would like it to be.

Once you are safely inside an MSP's network, you have unlimited opportunities for data theft or infection.

In fact, malefactors generally pay close attention to MSPs. Think about it: MSPs have direct access to the infrastructure of many other firms. Once you are safely inside an MSP’s network, you have unlimited opportunities for data theft or infection. This is why cybercriminals closely scrutinize MSPs’ toolkits and wait for one to commit an error. A little while back, some of those cybercriminals got what they wanted: Unauthenticated attackers took advantage of an MSP’s software vulnerability to install cryptomalware payload.

What kind of vulnerability?

The vulnerability resided in ConnectWise’s ManagedITSync plug-in for cross-integration between the professional services automation platform ConnectWise Manage and the Kaseya VSA remote monitoring and management system.

The vulnerability allows remote modification of the Kaseya VSA database. This, in turn, enables attackers to add new users with any access rights whatsoever and create any tasks — such as uploading malware to all of the MSPs’ clients’ computers.

This is not a new vulnerability. It was discovered back in 2017. As soon as it was, ConnectWise updated its plug-in and seemed to have neutralized the threat. But, as usual, not all users installed the update.

Details of the incident

According to the Huntress Labs research team, the vulnerability was used by unidentified hackers to attack an unnamed MSP’s client computers using a piece of encryption ransomware called GandCrab. Taking advantage of the fact that Kaseya had administrator access to all end-user devices, the attackers created a task to download and run the malware on endpoints. The danger of GandCrab is covered in this post.

There is no information stating whether this case was the only one, but around the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the rise in Chinese actors’ malicious cyberactivity targeting MSPs.

What’s to be done?

First, don’t forget to update your software. If you’re looking for a solution to the particular integration problem between ConnectWise Manage and Kaseya VSA, start by updating the integration tool.

But do not trust this was an isolated incident. Likely as not, the same or other attackers are already looking for other ways to get to MSPs’ clients.

Therefore, your own infrastructure protection must be taken no less seriously than that of your clients’ infrastructure. If you provide security services, you have all the tools you need to safeguard your own systems — especially if you have the protection solutions management console already deployed.

You can read more about Kaspersky Lab’s offerings for MSPs.