Over 120 managed service providers forgot to update a software plugin from 2017 and are now vulnerable to attacks.

Hackers used a two-year-old vulnerability in a remote management software to gain access to networks and deploy the GandCrab ransomware on customer workstations of managed service providers.

At least one company has been hit already, according to a report on Reddit, confirmed by cyber-security firm Huntress Labs.

The vulnerability used by the hackers is from the Kaseya plugin for the ConnectWise Manage software, a professional services automation (PSA) product used by many IT service providers.

The Kaseya VSA plugin integrates data from the Kaseya VSA, a remote monitoring and management solution with a ConnectWise dashboard.

Many small IT service providers and other types of managed service providers (MSPs) use the two applications to centralize data from their clients and manage customer workstations from a remote central location.

In November 2017, a security researcher named Alex Wilson, discovered an SQL injection vulnerability (CVE-2017-18362) in this plugin that could allow an attacker to create new administrator accounts on the main Kaseya app. He also published proof-of-concept code on GitHub that could automate the attack.

Kaseya released patches at the time, however it appears that many IT companies failed to install the updated Kaseya plugin on their ConnectWise dashboards, leaving their networks exposed.

Attacks exploiting this vulnerability started two weeks ago, towards the end of January 2019. One report posted on Reddit describes an incident at an MSP where hackers breached an MSP’s network and then deployed GandCrab ransomware to 80 customer workstations.

A now-deleted tweet claimed that hackers used the same attack routine to infect other MSPs, locking more than 1,500 workstations.

ConnectWise has issued a security alert for their Manage product in response to the growing number of reports surrounding these ransomware attacks, advising users to update their ConnectWise Manage Kaseya plugin. The company said that only companies “who have the Plugin installed on their on-premises [Kaseya] VSA” are impacted.

In an interview with MSSP Alert, Kaseya executive VP of marketing and communications Taunia Kipp said they’ve identified 126 companies who failed to update the plugin and were still at risk.

“We posted a notification/support article to our support help desk and immediately started reaching out via phone/email to those identified who were at risk of impact with resolution,” she said.

Huntress Lab researchers, who said they had “first-hand knowledge” of the incident involving 80 customer workstations that got infected with GandCrab.