MSP got hacked and all clients cryptolocked - outdated “ManagedIT.asmx” and "KaseyaCWWebService.dll"

Electron1

Expert Member
Joined
Jan 29, 2009
Messages
4,028
#1
Links:
https://www.darkreading.com/attacks...daily_20190208&elq_mid=89241&elq_cid=22919816

https://blog.huntresslabs.com/cve-2...tion-in-mangeditsync-integration-ba142ff24f4d

A post on Reddit quotes Huntress Labs, who have gone public (3rd link above):
An attacker this week simultaneously encrypted endpoint systems and servers belonging to all customers of a US-based managed service provider by exploiting a vulnerable plugin for a remote monitoring and management tool used by the MSP.
The attack resulted in some 1,500 to 2,000 systems belonging to the MSP's clients getting cryptolocked and the MSP itself facing a $2.6 million ransom demand.

CVE-2017-18362: Arbitrary SQL Injection in ManagedITSync Integration
A vulnerability was discovered and disclosed in late 2017 that affected the ConnectWise ManagedITSync integration, designed to sync data between the ConnectWise Manage PSA and the Kaseya VSA RMM. This vulnerability allows a remote attacker to execute arbitrary SQL commands against the Kaseya VSA database, which means they can create administrative users, change user passwords, or even create tasks to deploy software to all endpoints under management.

ConnectWise created a patch and notified their users to upgrade and eventually pulled the integration from their marketplace but for whatever reason, some subset of users continued to use the vulnerable integration. This week an unknown attacker leveraged the vulnerable integration to attack Managed Service Providers and their customers by tasking all managed endpoints to download and execute a ransomware variant known as GandCrab. This type of attack is particularly devastating because the Kaseya RMM tool has remote administrative (SYSTEM) access to all managed endpoints leading to a quick and complete compromise of all customer assets.
....
Who is vulnerable?
Anyone running an on-premises Kaseya VSA server who has also installed the ConnectWise ManagedITSync integration.
You are NOT vulnerable if you do not use Kaseya VSA or use the cloud hosted option. You are also NOT vulnerable if you have not installed the ManagedITSync integration.
How can I check if I’m vulnerable?
You can check if the ConnectWise MSP Kaseya Web Service program is installed in Add or Remove Programs. You can also check if the file ManagedIT.asmx is installed on your VSA server. Finally, you can try to access the vulnerable page by browsing to https://mykaseyaserver.com/kaseyacwwebservice/managedit.asmx (replace mykaseyaserver.com with the domain name of your VSA server).
If you can’t find any of these you’re likely not vulnerable.
I didn’t find any but I’m still afraid I might be vulnerable. What else can I do?
If you’re really concerned you can try the tool previously released by Kaseya that will check for the vulnerability. Simply run the tool and provide the URL to your VSA server. We tested this and found it to work well.
Worth checking out if you are using / have used Kaseya; some of the local MSPs use it.
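The "How can I check if I'm vulnerable?" steps above (Add or Remove Programs entry, presence of ManagedIT.asmx, the managedit.asmx URL on your own VSA server) can be scripted for an admin who has to check more than one on-premises server. The following is an added example, not Kaseya's, ConnectWise's or Huntress's tool: it walks a given install directory for the two file names from the thread title, lists Add or Remove Programs display names from the standard Windows Uninstall registry keys (returns nothing on other platforms), and builds the advisory's check URL for a manual browser test without making any request. The install root, the hostname and the "Kaseya Web Service" display-name match are assumptions you adjust to your environment.

```python
import sys
from pathlib import Path

# File names called out in the thread title; seeing either under the VSA install
# tree means the ManagedITSync integration was installed on this server.
ARTIFACTS = ("managedit.asmx", "kaseyacwwebservice.dll")

# Substring matched against Add or Remove Programs display names (assumption,
# based on the program name quoted in the advisory).
PROGRAM_HINT = "kaseya web service"


def find_integration_files(install_root):
    """Return sorted paths under install_root whose file name is a known artifact (case-insensitive)."""
    root = Path(install_root)
    return sorted(str(p) for p in root.rglob("*")
                  if p.is_file() and p.name.lower() in ARTIFACTS)


def installed_program_names():
    """Display names from the Uninstall keys (what Add or Remove Programs shows). [] off Windows."""
    try:
        import winreg
    except ImportError:
        return []
    names = []
    for path in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(key, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(key, sub) as sk:
                    names.append(winreg.QueryValueEx(sk, "DisplayName")[0])
            except OSError:
                pass  # entries without a DisplayName are not shown in Add or Remove Programs
    return names


def matching_programs(names):
    """Filter display names down to those that look like the integration's installer entry."""
    return [n for n in names if PROGRAM_HINT in n.lower()]


def endpoint_url(vsa_host):
    """The advisory's check URL for a manual browser test; nothing is requested here."""
    return f"https://{vsa_host}/kaseyacwwebservice/managedit.asmx"


def assess(install_root, vsa_host):
    """Combine the three checks into one report dict. integration_present is True if any file hit."""
    files = find_integration_files(install_root)
    programs = matching_programs(installed_program_names())
    return {
        "integration_present": bool(files) or bool(programs),
        "files": files,
        "programs": programs,
        "manual_check_url": endpoint_url(vsa_host),
    }


if __name__ == "__main__":
    # Usage: python check_managedit.py <vsa-install-root> <vsa-hostname>
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Kaseya"          # assumed default
    host = sys.argv[2] if len(sys.argv) > 2 else "mykaseyaserver.com"   # placeholder from the advisory
    for k, v in assess(root, host).items():
        print(f"{k}: {v}")
```

If the report says the integration is present, the advisory's guidance applies: remove or upgrade the integration, and treat the VSA database and every administrative account on it as possibly tampered with, since the flaw lets an attacker add users and change passwords directly in SQL.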
 

MDKza

Well-Known Member
Joined
May 24, 2012
Messages
436
#4
It blows my mind that SQL Injection hacking is still a thing. So easy to prepare for.
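For readers who want to see concretely what "arbitrary SQL injection" in the quoted advisory means and why, as the post above says, it is easy to prepare for, here is an added example that is not code from the thread, from ConnectWise or from Kaseya. It uses a constructed toy user table in an in-memory SQLite database (not the real VSA schema) and runs the same lookup two ways: once with the input pasted into the SQL text, once with a parameterised query. The tautology input is the textbook one; the point shown is that the parameterised version treats it as a plain string and returns nothing.

```python
import sqlite3

# Constructed toy schema standing in for any PSA/RMM user table; not Kaseya's real schema.
SCHEMA = """
CREATE TABLE users (
    name          TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL,
    is_admin      INTEGER NOT NULL DEFAULT 0
);
INSERT INTO users VALUES ('admin', 'hash-a', 1);
INSERT INTO users VALUES ('tech1', 'hash-b', 0);
"""

# Classic tautology payload, used only to show the difference between the two queries.
INJECTION = "nobody' OR '1'='1"


def make_db():
    """Fresh in-memory database populated with the toy rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_user_vulnerable(conn, name):
    """String-built query: the caller's input becomes part of the SQL grammar, not a value."""
    sql = "SELECT name, is_admin FROM users WHERE name = '%s' ORDER BY name" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the driver binds the value separately, so quotes inside it are data."""
    sql = "SELECT name, is_admin FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both variants against the same input and return the rows each produced."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, INJECTION),  # every row, admin included
        "safe": find_user_safe(conn, INJECTION),              # no such user: []
        "legit": find_user_safe(conn, "tech1"),               # normal use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

SQLite's execute() refuses a second stacked statement, so this toy cannot reproduce the advisory's "create administrative users" outcome; database drivers that accept multi-statement batches, or INSERT/UPDATE queries built by the same string concatenation, do. The fix is the same in every case: bind values as parameters, and run the integration under a database account that cannot create users or schedule tasks.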