Malware

IT support firms around the world infected with GandCrab ransomware

About 126 IT service providers remain exposed because they never installed the patched version of a vulnerable plugin

A group of attackers exploited a vulnerability, disclosed a couple of years ago, in software used by remote support firms to gain access to vulnerable networks and infect the workstations of those firms' customers with GandCrab ransomware, report network security and ethical hacking specialists from the International Institute of Cyber Security.

At least one of these companies has been compromised by this group, which reportedly exploited a known vulnerability in the Kaseya plugin for ConnectWise Manage, a professional services automation product used by IT support firms.

According to network security specialists, this plugin lets companies link data from the Kaseya remote monitoring and management (RMM) solution to a ConnectWise dashboard. Many SMEs in the IT services industry use the two applications together to centralize customer data and manage their customers' workstations remotely; that same remote-management reach is what makes a compromised provider a pivot point onto every customer it administers.

In November 2017, security researcher Alex Wilson discovered a SQL injection vulnerability in this plugin that allowed an attacker to create new administrator accounts in the main Kaseya interface. The researcher published a proof-of-concept exploit on GitHub.
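The page does not say which query in the plugin was injectable, so the following is an added, illustrative example of the vulnerability class it describes; it is not the plugin's code and not Wilson's proof of concept. It shows an INSERT built by string concatenation, where a crafted username appends a second row carrying an administrator role, next to the parameterised form that stores the same input as harmless data. The table schema, the `add_user_*` functions, the role names and the payload are all constructed for this example; it uses Python's built-in sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed in-memory schema standing in for an application's user table
# (an assumption for this example, not Kaseya's or ConnectWise's schema).
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    role     TEXT NOT NULL DEFAULT 'user'
);
"""


def new_db():
    """Fresh in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user_vulnerable(conn, username):
    """Vulnerable pattern: the caller's input is spliced into the SQL text,
    so quote characters in it change the statement's structure."""
    sql = f"INSERT INTO users (username, role) VALUES ('{username}', 'user')"
    conn.execute(sql)
    conn.commit()


def add_user_safe(conn, username):
    """Hardened pattern: the input is bound as a parameter and the database
    treats it purely as data, never as part of the statement."""
    conn.execute(
        "INSERT INTO users (username, role) VALUES (?, 'user')", (username,)
    )
    conn.commit()


def admins(conn):
    """Audit query: every account holding the administrator role."""
    rows = conn.execute(
        "SELECT username FROM users WHERE role = 'admin' ORDER BY username"
    )
    return [r[0] for r in rows]


def usernames(conn):
    """All usernames, used to show what the safe path actually stored."""
    return [r[0] for r in conn.execute("SELECT username FROM users ORDER BY id")]


# Constructed payload. In the vulnerable query it closes the username literal,
# finishes the first row with role 'admin', and opens a throwaway second row
# so that the query's original tail ("', 'user')") still parses:
#   INSERT INTO users (username, role)
#   VALUES ('backdoor', 'admin'), ('dummy', 'user')
PAYLOAD = "backdoor', 'admin'), ('dummy"


def demo_vulnerable():
    """Run the payload through the concatenated query; returns the admin list."""
    conn = new_db()
    add_user_vulnerable(conn, PAYLOAD)
    return admins(conn)


def demo_safe():
    """Run the same payload through the parameterised query;
    returns (admin list, stored usernames)."""
    conn = new_db()
    add_user_safe(conn, PAYLOAD)
    return admins(conn), usernames(conn)


if __name__ == "__main__":
    print("vulnerable path created admins:", demo_vulnerable())
    safe_admins, stored = demo_safe()
    print("safe path created admins:", safe_admins)
    print("safe path stored the payload verbatim as a username:", stored)
```

The vulnerable path yields an unexpected administrator account and the safe path yields none, which is also the practical check a provider can run after patching: enumerate accounts with elevated roles and compare them against the accounts it actually created.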

Kaseya released a patched version shortly afterwards, but the updated plugin was evidently never installed at many companies, leaving their networks exposed.

This campaign reportedly began a couple of weeks ago. A Reddit post described an incident in which the attackers compromised the network of one of these providers and used it to install GandCrab on 80 customer workstations.

ConnectWise has published a security alert in response to reports of multiple attacks. The company advises its customers to install the updated plugin and states that "only companies that have installed the vulnerable Kaseya plugin are affected".

A company spokesperson said that so far 126 companies have been identified that have not updated the plugin and therefore remain at risk. He added that the company is contacting the people responsible at each of them to make them aware of their exposure.
