Hackers have used a two-year-old vulnerability in a software package used by remote IT support firms to gain a foothold on vulnerable networks and deploy the GandCrab ransomware on those companies’ customer workstations.
The infamous GandCrab ransomware has been distributed with the help of a two-year-old security flaw (CVE-2017-18362) in a software package used by remote IT security companies, security researchers say. The vulnerability has been exploited to grant access to vulnerable networks and distribute the ransomware payload. The vulnerability in question affects the Kaseya plugin for the Connectwise Manage software, which is a professional service automation product for IT support.
CVE-2017-18362 in Kaseya Plugin Discovered in 2017
In November 2017, Alex Wilson, a security researcher, unearthed an SQL injection vulnerability known as CVE-2017-18362 in this plugin. The vulnerability could allow an attacker to create new administrator accounts on the main Kaseya app, ZDNet reported. The researcher also published proof-of-concept code on GitHub that could automate the attack.
Here’s the official description of CVE-2017-18362:
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
Kaseya patched the flaw, but many companies apparently failed to install the updated plugin, leaving their networks exposed to these attacks.
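Because the flaw hinges on the ManagedIT.asmx page being reachable by anyone, one practical check for an MSP is to review the VSA web-server logs for requests to that page from hosts other than its own ConnectWise Manage server. The script below is an added example, not code from the article, Kaseya or ConnectWise; it assumes W3C-format IIS logs, a placeholder directory in front of ManagedIT.asmx, and a constructed allowlist of hosts expected to call the page.

```python
"""Flag web-server requests to the ManagedIT.asmx integration page.

Added example, not code from the article or from Kaseya/ConnectWise.
Assumptions: W3C extended IIS log lines with a #Fields: directive, a
page path ending in /ManagedIT.asmx (directory is a placeholder), and a
constructed allowlist of hosts permitted to call the page.
"""
from collections import Counter

# Constructed sample log lines in W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2019-02-04 10:15:01 10.0.0.5 POST /placeholder/ManagedIT.asmx - 443 10.0.0.20 200
2019-02-04 10:15:09 10.0.0.5 GET /placeholder/login.asp - 443 203.0.113.7 200
2019-02-04 10:16:33 10.0.0.5 POST /placeholder/ManagedIT.asmx - 443 203.0.113.7 200
2019-02-04 10:16:40 10.0.0.5 POST /placeholder/ManagedIT.asmx - 443 203.0.113.7 200
2019-02-04 10:17:02 10.0.0.5 POST /placeholder/ManagedIT.asmx - 443 10.0.0.20 200
"""

# Constructed placeholder: the one host (the on-premises ConnectWise Manage
# server in this fictitious network) that legitimately calls the page.
ALLOWED_CALLERS = {"10.0.0.20"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_managedit_callers(text, allowed=ALLOWED_CALLERS):
    """Return {client_ip: hits} for ManagedIT.asmx requests from non-allowlisted hosts."""
    hits = Counter()
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower().endswith("/managedit.asmx") and rec["c-ip"] not in allowed:
            hits[rec["c-ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in suspicious_managedit_callers(SAMPLE_LOG).items():
        print(f"{ip}: {n} request(s) to ManagedIT.asmx outside the allowlist")
```

Any hit is worth investigating, and an empty allowlist turns the function into a plain inventory of every host that has touched the page.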
Reports indicate that attacks based on the CVE-2017-18362 flaw started about two weeks ago. One particular report shared on Reddit says that hackers successfully breached an MSP’s network and dropped GandCrab to 80 customer workstations. There are also unconfirmed rumors claiming that attackers deployed the same technique to infect other MSPs, affecting more than 1,500 workstations.
In response to these new attacks, Connectwise released another security alert. In it, the company urges users to update their Kaseya plugin. It should be noted that the vulnerability “only impacts Connectwise users who have the Plugin installed on their on-premises VSA”, as written in the alert.
“We posted a notification/support article to our support help desk and immediately started reaching out via phone/email to those identified who were at risk of impact with resolution,” said Taunia Kipp, VP of marketing and communications of Connectwise, in an interview.