Ransomware Attack via MSP

When your Managed Service Provider gets hit, so do you!

OUCH! Ransomware Attack Via MSP Locks Customers Out of Systems
Earlier this week, an unidentified threat actor launched a ransomware attack that encrypted between 1,500 and 2,000 endpoint devices belonging to users of a single US managed service provider (MSP).

The MSP was subsequently urged to pay a ransom of $2.6 million to have the systems unlocked.

The attacker managed the feat by exploiting a security flaw in a plug-in for VSA RMM, a software tool from Kaseya that is designed for the remote monitoring and management of servers and other computer devices. Like many MSPs, the targeted firm uses the software for client systems.

The attack has amplified existing fears over the possibility of large-scale cyber attacks on MSPs. Chris Bisnett of Huntress Labs, the cybersecurity company working with the MSP, stated that “everyone is looking at the attack and saying, ‘This could have been me.’”

This is a ConnectWise vulnerability that ConnectWise announced in 2017 and patched shortly thereafter. A small number of customers either may not have installed the update from ConnectWise or may have installed it incorrectly. The plug-in is installed on the Kaseya system to connect the two together. It turns out this is a patching issue, which is one of only two main root causes of compromise: social engineering and poor patching discipline.
