IT support firms around the world infected with GandCrab ransomware

Around 120 service providers are exposed to attacks due to a non-updated vulnerable plugin

A group of hackers exploited a vulnerability disclosed a couple of years ago in software used by remote support firms to gain access to vulnerable networks and infect the workstations of these companies' customers with GandCrab ransomware, reported network security and ethical hacking specialists from the International Institute of Cyber Security.

At least one of these companies has been infected by this group of hackers, who reportedly exploited a known vulnerability in the Kaseya plugin for ConnectWise Manage, a professional services automation (PSA) product used by IT support firms.

According to network security specialists, this plugin lets companies link data from the Kaseya remote monitoring and management (RMM) solution to a ConnectWise dashboard. Some SMEs in the IT industry use these two applications together to centralize their users' data and manage their customers' workstations remotely.

In November 2017, the network security expert Alex Wilson discovered a SQL injection vulnerability in this plugin that allowed an attacker to create new administrator accounts on the main Kaseya interface. The expert published a proof-of-concept exploit on GitHub.

Kaseya released a patch shortly after, but the updated version of the plugin apparently was not installed at many companies, so their networks remained exposed.

This campaign reportedly started a couple of weeks ago. On Reddit, an incident was revealed in which hackers compromised the network of one of these companies and used it to install GandCrab on 80 customer workstations.

ConnectWise has posted a security alert in response to reports of multiple attacks. The company advises its customers to install the updated plugin and also stated that "only companies that have installed the vulnerable Kaseya plugin are affected".

A spokesperson for the company said that so far they have identified 126 companies that have not updated the plugin and therefore remain at risk. He added that the company is contacting the people in charge at each of these companies to make them aware of their exposure.