MSPs as a threat vector

[harlan4096]

Becoming a “link” in a supply-chain attack is an unpleasant experience for any organization — and twice as unpleasant for a managed service provider (MSP). That’s especially so if security system management is one of its services. And yet this situation is not as speculative as we would like it to be.

In fact, malefactors generally pay close attention to MSPs. Think about it: MSPs have direct access to the infrastructure of many other firms. Once you are safely inside an MSP’s network, you have unlimited opportunities for data theft or infection. This is why cybercriminals closely scrutinize MSPs’ toolkits and wait for one to commit an error. A little while back, some of those cybercriminals got what they wanted: Unauthenticated attackers took advantage of an MSP’s software vulnerability to install cryptomalware payload.

What kind of vulnerability?

The vulnerability resided in ConnectWise’s ManagedITSync plug-in for cross-integration between the professional services automation platform ConnectWise Manage and the Kaseya VSA remote monitoring and management system.

The vulnerability allows remote modification of the Kaseya VSA database. This, in turn, enables attackers to add new users with any access rights whatsoever and create any tasks — such as uploading malware to all of the MSPs’ clients’ computers.

This is not a new vulnerability. It was discovered back in 2017. As soon as it was, ConnectWise updated its plug-in and seemed to have neutralized the threat. But, as usual, not all users installed the update. 

Continue Reading