A software company has been forced to remind customers to patch a two-year-old flaw in a third-party plug-in, after reports that it is being exploited to infect scores of companies with GandCrab ransomware via their managed service provider (MSP).
The issue relates to CVE-2017-18362, a flaw in the ConnectWise Manage plug-in for the Kaseya VSA remote-monitoring tool. ConnectWise Manage is a professional services automation (PSA) product popular among IT support staff in MSPs.
“This vulnerability allows a remote attacker to execute arbitrary SQL commands against the Kaseya VSA database, which means they can create administrative users, change user passwords, or even create tasks to deploy software to all endpoints under management,” explained Chris Bisnett, co-founder of Huntress Labs.
“This week an unknown attacker leveraged the vulnerable integration to attack MSPs and their customers by tasking all managed endpoints to download and execute a ransomware variant known as GandCrab. This type of attack is particularly devastating because the Kaseya RMM tool has remote administrative (SYSTEM) access to all managed endpoints, leading to a quick and complete compromise of all customer assets.”
The incident was first revealed in a Reddit post a few days ago, with the user claiming it affected a “local mid-sized MSP with about 80 clients” — all of which were apparently infected.
Kaseya was forced to issue an update on the ConnectWise plug-in bug.
“Kaseya takes security very seriously and recommends that all customers using the Connectwise Plugin for VSA upgrade to the newly released version of the Plugin immediately or alternatively remove all versions of this Plugin,” it stated.
The news is yet another example of the lengths to which ransomware authors now go to get their wares onto as many victim machines as possible.
Other threat vectors include email spam, RIG and GrandSoft exploit kits, and compromised websites offering cracked apps for download.
As of last March, GandCrab had infected over 50,000 victims and extorted an estimated $300,000-600,000 from them, more than 70% of whom are based in the US and UK, according to Check Point.