Attackers are targeting Managed Service Providers (MSPs) in order to infect their clients with the GandCrab ransomware. Attackers have leveraged a two-year-old vulnerability in a software package used by MSPs to gain access to vulnerable networks and deploy the GandCrab ransomware on the MSP clients' endpoints.
Vulnerability in the Kaseya VSA plugin
The vulnerability exists in the Kaseya VSA plugin for the ConnectWise Manage software, a professional services automation (PSA) product used by IT support firms. This Kaseya VSA plugin allows MSPs to link data from the Kaseya VSA remote monitoring and management solution to a ConnectWise dashboard.
Many small IT support firms and managed service providers (MSPs) use the two applications to centralize data from their clients and manage customer workstations from a remote central location.
The vulnerability (CVE-2017-18362) in the Kaseya VSA plugin could allow an attacker to create new administrator accounts on the main Kaseya app.
Patch released but not updated by companies
Kaseya has released patches to address this vulnerability; however, many companies failed to update the Kaseya plugin on their ConnectWise dashboards, leaving their networks vulnerable to attacks.
Taunia Kipp, Kaseya executive VP of marketing and communications, said that they have identified 126 companies that failed to update the plugin and were vulnerable to attack.
“We posted a notification/support article to our support help desk and immediately started reaching out via phone/email to those identified who were at risk of impact with resolution,” said Taunia Kipp in an interview with MSSP Alert.
MSP’s clients infected with GandCrab
At the end of January 2019, attackers started exploiting this vulnerability. A Reddit post revealed that attackers breached an MSP's network and then infected almost 80 client endpoints with GandCrab ransomware.
ConnectWise observed a growing number of ransomware attacks exploiting the Kaseya plugin vulnerability. Furthermore, ConnectWise noted that only companies that have the plugin installed on-premises were impacted.
In response to the evolving ransomware attacks, ConnectWise has issued a security alert asking its users to update their ConnectWise Manage Kaseya plugin.
“Kaseya takes security very seriously and recommends that all customers using the Connectwise Plugin for VSA upgrade to the newly released version of the Plugin immediately or alternatively remove all versions of this Plugin,” ConnectWise stated in the security alert.