CVE-2017-18362: Arbitrary SQL Execution in ManagedITSync Integration


A vulnerability was discovered and disclosed in late 2017 that affected the ConnectWise ManagedITSync integration, designed to sync data between the ConnectWise Manage PSA and the Kaseya VSA RMM. This vulnerability allows a remote attacker to execute arbitrary SQL commands against the Kaseya VSA database, which means they can create administrative users, change user passwords, or even create tasks to deploy software to all endpoints under management.

ConnectWise created a patch, notified their users to upgrade, and eventually pulled the integration from their marketplace, but for whatever reason some subset of users continued to use the vulnerable integration. This week an unknown attacker leveraged the vulnerable integration to attack Managed Service Providers and their customers by tasking all managed endpoints to download and execute a ransomware variant known as GandCrab. This type of attack is particularly devastating because the Kaseya RMM tool has remote administrative (SYSTEM) access to all managed endpoints, leading to a quick and complete compromise of all customer assets.

We will follow up in the weeks to come with a complete teardown and analysis of the attackers' TTPs, but we wanted to provide some additional details and context to a conversation started on Reddit that understandably has the MSP community concerned about their own vulnerability and their ability to handle and recover from an attack of this scale.

Who is vulnerable?

Anyone running an on-premises Kaseya VSA server who has also installed the ConnectWise ManagedITSync integration.

You are NOT vulnerable if you do not use Kaseya VSA or use the cloud hosted option. You are also NOT vulnerable if you have not installed the ManagedITSync integration.

How can I check if I’m vulnerable?

You can check if the ConnectWise MSP Kaseya Web Service program is installed in Add or Remove Programs. You can also check if the file ManagedIT.asmx is present on your VSA server. Finally, you can try to access the vulnerable page by browsing to https://mykaseyaserver.com/kaseyacwwebservice/managedit.asmx (replace mykaseyaserver.com with the domain name of your VSA server).

If you can't find any of these, you're likely not vulnerable.
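The three checks above, rolled into one script you can run in an elevated PowerShell session on the VSA server itself. This is an added example, not something from the original post or from Kaseya or ConnectWise; $VsaHost and $VsaRoot are assumed placeholders (adjust the web root if your VSA is installed elsewhere).

```powershell
# Added example: checks a Kaseya VSA server for the ManagedITSync integration.
# Run from an elevated PowerShell session on the VSA host.
param(
    [string]$VsaHost = 'mykaseyaserver.com',  # assumed placeholder: your VSA server name
    [string]$VsaRoot = 'C:\Kaseya\WebPages'   # assumed VSA web root; adjust if yours differs
)

$findings = @()

# 1. Installed-programs registry keys (this is what Add or Remove Programs reads).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*ConnectWise*Kaseya*Web Service*' }
if ($installed) {
    $findings += "Installed program found: $($installed.DisplayName -join ', ')"
}

# 2. The vulnerable web service file anywhere under the VSA web root.
$asmx = Get-ChildItem -Path $VsaRoot -Filter 'ManagedIT.asmx' -Recurse -ErrorAction SilentlyContinue
if ($asmx) {
    $findings += "ManagedIT.asmx present at: $($asmx.FullName -join ', ')"
}

# 3. Whether the endpoint answers over HTTPS (a 200 means the page is being served).
$url = "https://$VsaHost/kaseyacwwebservice/managedit.asmx"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
    if ($resp.StatusCode -eq 200) { $findings += "Endpoint responds: $url" }
} catch {
    # A 404 or connection error is the expected result when the integration is absent.
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators of the ManagedITSync integration found.'
} else {
    Write-Output 'LIKELY VULNERABLE - disconnect the server and remove the integration:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

If your VSA uses a self-signed certificate, the HTTPS check will fail with a certificate error rather than a 404, so confirm that one in a browser; the registry and file checks are unaffected.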

I didn’t find any but I’m still afraid I might be vulnerable. What else can I do?

If you’re really concerned you can try the tool previously released by Kaseya that will check for the vulnerability. Simply run the tool and provide the URL to your VSA server. We tested this and found it to work well.

If you’re really adventurous or want to play around (after you’ve patched your production server of course), you can download the proof-of-concept developed by Alex Wilson, the security researcher who discovered and reported the vulnerability back in 2017.

Oh crap I’m vulnerable! What should I do now?

The first thing you should do is immediately disconnect your VSA server from the internet until you can be sure it hasn't already been infected. While the attacks we saw this week immediately deployed ransomware, it's entirely possible other attackers have known about this vulnerability and may already have a foothold within your system. Disconnecting the VSA server will at least prevent it from deploying ransomware while you investigate.

Next, you should thoroughly audit your VSA server and any other critical infrastructure for suspicious or malicious footholds, suspicious accounts, etc. We know this can be a tedious and lengthy process, but we want you to understand the risks associated with attacker access at this level.

Finally, remove the ManagedITSync integration and replace it with the newest version before reconnecting your VSA server to the internet.

In Conclusion

Hopefully this sheds some light on who and what is vulnerable. We received a ton of calls from MSPs who were concerned about the risk and wanted to know if they were vulnerable so we figured it was a good idea to try and clear up the situation. Please let us know if we got anything wrong and we’ll do our best to fix it.
