{"id":13069,"date":"2019-03-28T18:38:01","date_gmt":"2019-03-28T14:38:01","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/msp-as-a-threat-vector\/13069\/"},"modified":"2019-11-15T15:22:23","modified_gmt":"2019-11-15T11:22:23","slug":"msp-as-a-threat-vector","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/msp-as-a-threat-vector\/13069\/","title":{"rendered":"MSPs as a threat vector"},"content":{"rendered":"<p>Becoming a \u201clink\u201d in a supply-chain attack is an unpleasant experience for any organization \u2014 and twice as unpleasant for a managed service provider (MSP). That\u2019s especially so if security system management is one of its services. And yet this situation is not as speculative as we would like it to be.<\/p>\n<p>In fact, malefactors generally pay close attention to MSPs. Think about it: MSPs have direct access to the infrastructure of many other firms. Once you are safely inside an MSP\u2019s network, you have unlimited opportunities for data theft or infection. This is why cybercriminals closely scrutinize MSPs\u2019 toolkits and wait for one to commit an error. A little while back, some of those cybercriminals got what they wanted: <a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-18362\" target=\"_blank\" rel=\"noopener nofollow\">Unauthenticated attackers took advantage of an MSP\u2019s software vulnerability to install a cryptomalware payload<\/a>.<\/p>\n<h2>What kind of vulnerability?<\/h2>\n<p>The vulnerability resided in ConnectWise\u2019s ManagedITSync plug-in for cross-integration between the professional services automation platform ConnectWise Manage and the Kaseya VSA remote monitoring and management system.<\/p>\n<p>The vulnerability allows remote modification of the Kaseya VSA database. 
This, in turn, enables attackers to add new users with any access rights whatsoever and create any tasks \u2014 such as uploading malware to all of the MSPs\u2019 clients\u2019 computers.<\/p>\n<p>This is not a new vulnerability. It was discovered back in 2017. As soon as it was, ConnectWise updated its plug-in and seemed to have neutralized the threat. But, as usual, not all users installed the update.<\/p>\n<h2>Details of the incident<\/h2>\n<p>According to the Huntress Labs <a href=\"https:\/\/blog.huntresslabs.com\/cve-2017-18362-arbitrary-sql-injection-in-mangeditsync-integration-ba142ff24f4d\" target=\"_blank\" rel=\"noopener nofollow\">research team<\/a>, the vulnerability was used by unidentified hackers to attack an unnamed MSP\u2019s client computers using a piece of encryption ransomware called GandCrab. Taking advantage of the fact that Kaseya had administrator access to all end-user devices, the attackers created a task to download and run the malware on endpoints. The danger of GandCrab is covered <a href=\"https:\/\/www.kaspersky.com\/blog\/gandcrab-ransomware-is-back\/25854\/\" target=\"_blank\" rel=\"noopener nofollow\">in this post<\/a>.<\/p>\n<p>There is no information stating whether this case was the only one, but around the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a <a href=\"https:\/\/ics-cert.us-cert.gov\/CISA-Awareness-Briefing-Chinese-Malicious-Cyber-Activity\" target=\"_blank\" rel=\"noopener nofollow\">warning<\/a> about the rise in Chinese actors\u2019 malicious cyberactivity targeting MSPs.<\/p>\n<h2>What\u2019s to be done?<\/h2>\n<p>First, don\u2019t forget to update your software. 
If you\u2019re looking for a solution to the particular integration problem between ConnectWise Manage and Kaseya VSA, start by <a href=\"https:\/\/marketplace.connectwise.com\/kaseya\" target=\"_blank\" rel=\"noopener nofollow\">updating the integration tool<\/a>.<\/p>\n<p>But do not assume this was an isolated incident. Likely as not, the same or other attackers are already looking for other ways to get to MSPs\u2019 clients.<\/p>\n<p>Therefore, you must take the protection of your own infrastructure no less seriously than that of your clients\u2019 infrastructure. If you provide security services, you have all the tools you need to safeguard your own systems \u2014 especially if you have the protection solutions management console already deployed.<\/p>\n<p>You can read more about Kaspersky Lab\u2019s <a href=\"https:\/\/www.kaspersky.com\/advert\/partners\/managed-service-provider?redef=1&amp;THRU&amp;reseller=gl_kdmsp_acq_ona_smm__onl_b2b__wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">offerings for MSPs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers display active interest in MSPs, exploiting vulnerabilities to infect their clients with 
cryptomalware.<\/p>\n","protected":false},"author":700,"featured_media":13070,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[1716,433,268],"class_list":{"0":"post-13069","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-msp","10":"tag-ransomware","11":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/msp-as-a-threat-vector\/13069\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/msp-as-a-threat-vector\/15522\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/msp-as-a-threat-vector\/17447\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/msp-as-a-threat-vector\/15596\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/msp-as-a-threat-vector\/14277\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/msp-as-a-threat-vector\/18139\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/msp-as-a-threat-vector\/17105\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/msp-as-a-threat-vector\/22513\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/msp-as-a-threat-vector\/26209\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/msp-as-a-threat-vector\/11610\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/msp-as-a-threat-vector\/10545\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/msp-as-a-threat-vector\/18882\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/msp-as-a-threat-vector\/23912\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/msp-as-a-threat-vector\/18206\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/msp-as-a-threat-vector\/22377\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\
/msp-as-a-threat-vector\/22313\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/msp\/","name":"MSP"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13069","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13069"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13069\/revisions"}],"predecessor-version":[{"id":14476,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13069\/revisions\/14476"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13070"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13069"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13069"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13069"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}