A vulnerable RMM tool used by an MSP enables attackers to encrypt all clients’ systems

• Some 1500 to 2000 systems belonging to the MSP’s client were affected in the attack.
• The MSP itself is facing a ransom demand or $2.6 million.

A US-based mid-sized Managed Service Provider (MSP) with about 80 clients and unknown endpoints got hacked. The hackers managed to perform the attack by exploiting a vulnerable plugin for a remote monitoring and management tool used by the MSP. As a result, the endpoint systems and servers belonging to the clients were encrypted and barred from access.

Some 1500 to 2000 systems belonging to the MSP’s client have been affected in the attack and the MSP itself is facing a $2.6 million ransom demand.

"From the MSP's standpoint, the tool they use to manage everything was just used against them. Everyone is looking at the attack and saying, 'This could have been me'", said Chris Bisnett, chief architect at Huntress Labs, DarkReading reported.

Bisnett further noted that one of the company’s MSP clients reported the ransomware attack on Monday. And, after a thorough investigation, it was found that vulnerable plugin for a remote management tool was from Kaseya. The vulnerability gave the attackers to run remote commands on Kaseya VSA database.

"They were able to task the RMM tool as if they were an administrator at the MSP. Take this executable and put it out on every system the MSP is managing,” Bisnett said. The executable used in this attack was GandCrab ransomware.

Many MSPs use Kaseya’s VSA RMM tool to remotely monitor and manage client systems and servers. Bisnett explained that the vulnerable plugin for Kaseya that was exploited in the MSP attack itself was from ConnectWise and was used to manage support tickets.