Hackers Target Particular ConnectWise Plugin to Kaseya VSA Platform

First, some context: I suspect thousands of MSPs run software from ConnectWise & Kaseya in tandem. But fewer than 130 of those MSPs were at risk from the particular vulnerability described below.

The details: Hackers recently exploited an old ConnectWise plugin for Kaseya. The hackers' apparent goal: Install GandCrab ransomware. Such an attack can potentially encrypt Kaseya VSA managed endpoints, according to Huntress Labs. Sources say at least one MSP has suffered end-customer PC infections. MSSP Alert doesn't know the total count of infections.

ConnectWise, Kaseya Perspectives

The issue, which involved old ConnectWise code and apparently surfaced late last week, has triggered close work between ConnectWise and Kaseya in recent days. It sounds like Kaseya reached out to ConnectWise about the issue last week, and the two companies have been cooperating to assist MSPs and mitigate potential issues since that time.

ConnectWise Chief Product Officer Jeff Bishop shared these details with MSSP Alert:

"We worked with Kaseya when the vulnerability was originally identified and we’ve been working with Kaseya to correct the issue for those MSPs impacted recently. By working closely with the Kaseya team, we determined that MSPs currently being impacted by this vulnerability may have installed the update incorrectly. We are pushing out an update today to ensure the plugin is configured correctly to prevent the previously known vulnerability.

Security is important to us and we always recommend that partners keep systems updated and use the ConnectWise team as a resource. When we provide updates to ConnectWise products, integrations or plugins, we send out emails and in-app messaging to alert MSPs of the update. Partners can learn more about the update by contacting ConnectWise support or by visiting the ConnectWise Marketplace here."

Added Taunia Kipp, executive VP of marketing and communications at Kaseya:

"We reviewed who in our base was running the connector installed from ConnectWise, and checked with our script to see if they were vulnerable (i.e. running old version).

We identified that 126 customers were potentially at risk for impact. We posted a notification/support article to our support help desk and immediately started reaching out via phone/email to those identified who were at risk of impact with resolution."

ConnectWise and Kaseya were complimentary about one another in emails to MSSP Alert. Although the two companies have a history of intense competition, relations between the two firms have stabilized over the past six months or so -- with CEOs Arnie Bellini (ConnectWise) and Fred Voccola (Kaseya) now comparing industry notes from time to time.

MSPs: Keep Your Guard Up

The exploit is a timely reminder for MSPs to closely monitor software updates and alerts from their software suppliers.

Back in October 2018, the U.S. Department of Homeland Security (DHS) specifically warned MSPs and cloud services providers (CSPs) that cyber gangsters are exploiting them to creep unnoticed into their customers’ networks.

Send updates to MSSP Alert Editor Joe Panettieri.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.