
CVE-2017-18362: Arbitrary SQL Execution in ManagedITSync Integration


A vulnerability discovered and disclosed in late 2017 affects the ConnectWise ManagedITSync integration, which is designed to sync data between Kaseya VSA and ConnectWise. The vulnerability allows a remote attacker to execute arbitrary SQL commands against the Kaseya VSA database, which means they can create administrative users, change user passwords, or even create tasks to deploy software to every endpoint under management.

ConnectWise released a patch, notified its users to upgrade, and eventually pulled the integration from its marketplace, but for whatever reason some subset of users continued to run the vulnerable integration. This week an unknown attacker leveraged the vulnerable integration to attack Managed Service Providers and their customers by tasking all managed endpoints to download and execute a ransomware variant. This type of attack is particularly devastating because the Kaseya RMM tool has remote administrative (SYSTEM) access to all managed endpoints, leading to a quick and complete compromise of all customer assets.

We will follow up in the weeks to come with a complete teardown and analysis of the attack, but we wanted to provide some additional details and context to a conversation that understandably has the MSP community concerned about their own vulnerability and their ability to handle and recover from an attack of this scale.

Who is vulnerable?

Anyone running an on-premises Kaseya VSA server who has also installed the ConnectWise ManagedITSync integration.

You are NOT vulnerable if you do not use Kaseya VSA or use the cloud hosted option. You are also NOT vulnerable if you have not installed the ManagedITSync integration.

How can I check if I'm vulnerable?

You can check whether the ConnectWise MSP Kaseya Web Service program is installed in Add or Remove Programs. You can also check whether the file ManagedIT.asmx is present on your VSA server. Finally, you can try to access the vulnerable page by browsing to https://mykaseyaserver.com/kaseyacwwebservice/managedit.asmx (replace mykaseyaserver.com with the domain name of your VSA server).

If you can't find any of these, you're likely not vulnerable.
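The three checks above, scripted for a Windows VSA host, as an added example (not code from this post, ConnectWise or Kaseya). It assumes you supply your VSA server name and the web root to search; the defaults are placeholders, and the HTTPS check is a plain GET that submits nothing.

```powershell
# Added example: run on the VSA server itself. The server name and search root
# below are placeholders; pass your own values as parameters.
param(
    [string]$VsaHost = 'mykaseyaserver.com',    # replace with your VSA server's domain name
    [string]$SearchRoot = 'C:\inetpub\wwwroot'  # assumed; point at your VSA web root
)

# Check 1: "ConnectWise MSP Kaseya Web Service" listed in Add or Remove Programs.
# Both 64-bit and 32-bit (WOW6432Node) uninstall hives are consulted.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$program = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*ConnectWise MSP Kaseya Web Service*' }

# Check 2: ManagedIT.asmx present anywhere under the web root.
$asmx = Get-ChildItem -Path $SearchRoot -Filter 'ManagedIT.asmx' -Recurse -File `
    -ErrorAction SilentlyContinue

# Check 3: the vulnerable page is served over HTTPS. Windows PowerShell throws on
# a 404 or a connection failure, so the catch branch records "not reachable".
$url = "https://$VsaHost/kaseyacwwebservice/managedit.asmx"
try {
    $resp = Invoke-WebRequest -Uri $url -Method Get -UseBasicParsing -TimeoutSec 15
    $pageReachable = ($resp.StatusCode -eq 200)
} catch {
    $pageReachable = $false
}

$result = [pscustomobject]@{
    ProgramInstalled = [bool]$program
    AsmxOnDisk       = [bool]$asmx
    PageReachable    = $pageReachable
    LikelyVulnerable = ([bool]$program -or [bool]$asmx -or $pageReachable)
}
$result

if ($result.LikelyVulnerable) {
    Write-Warning 'Indicators of the ManagedITSync integration found; treat this VSA server as vulnerable.'
}
```

If the VSA server uses a self-signed certificate, Invoke-WebRequest fails the TLS check and the page is reported as not reachable; confirm the URL in a browser in that case, as the post suggests.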

I didn't find any, but I'm still afraid I might be vulnerable. What else can I do?

If you're really concerned, you can try the tool previously released by Kaseya that checks for the vulnerability. Simply run the tool and provide the URL of your VSA server. We tested this and found it to work well.

If you're really adventurous or want to play around (after you've patched your production server, of course), you can download the code developed by the security researcher who discovered and reported the vulnerability back in 2017.

Oh crap, I'm vulnerable! What should I do now?

The first thing you should do is immediately disconnect your VSA server from the internet until you can be sure it hasn't already been infected. While the attacks we saw this week immediately deployed ransomware, it's entirely possible other attackers have known about this vulnerability and may already have a foothold within your system. Disconnecting the VSA server will at least prevent it from deploying ransomware while you investigate.

Next, you should thoroughly audit your VSA server and any other critical infrastructure for suspicious or malicious footholds, suspicious accounts, etc. We know this can be a tedious and lengthy process, but we want you to understand the risks that come with attacker access at this level.

Finally, remove the ManagedITSync integration and replace it with the updated integration prior to re-connecting your VSA server to the internet.

In Conclusion

Hopefully this sheds some light on who and what is vulnerable. We received a ton of calls from MSPs who were concerned about the risk and wanted to know if they were vulnerable, so we figured it was a good idea to try and clear up the situation. Please let us know if we got anything wrong and we'll do our best to fix it.
