Year-Old Connectwise Vulnerability Exploited in MSP Ransomware Attacks

A year-old vulnerability in the Connectwise plugin for Kaseya VSA has been exploited in a series of MSP ransomware attacks over the past two weeks. The latest campaign is one of several cyberattacks targeting MSPs in recent months that abuse trusted relationships between MSPs and their clients. The aim of the attacks is to gain access to MSP systems in order to attack their clients.

MSPs are trusted by SMBs to improve security, identify and correct vulnerabilities, and prevent costly cyberattacks. However, if MSPs do not follow cybersecurity best practices such as ensuring patches and software updates are applied on their own systems, they place their clients at risk.

MSP ransomware attacks such as these have potential to cause considerable damage to an MSP’s reputation, could easily result in loss of clients, and also possible legal action.

On MSP Reddit poster explained that cybercriminals recently exploited a vulnerability to gain access to clients’ systems and had installed ransomware on approximately 80% of client machines. Other attacks have also succeeded in encrypting files on client networks.

It is not always possible to update plugins, apply patches, and perform software updates instantly, but in this case the vulnerability was identified in November 2017. A proof of concept exploit was published, and an updated plugin was rapidly released by Connectwise to correct the flaw. Despite this, 126 MSPs are still using the out of date and vulnerable plugin according to a recent Kaseya security warning.

The Connectwise plugin for Kaseya VSA contained a flaw – CVE-2017-18362 – that allowed commands to be run on a Kaseya VSA server without the need for authentication due to an error within the Connectwise API. By exploiting the vulnerability, an attacker would be able to gain access to the Kaseya VSA server and conduct attacks on MSP clients. In this case, GandCrab ransomware was installed.

The group behind this campaign may not be the only criminal gang to attempt to exploit the vulnerability. It is possible that some MSPs who failed to update the plugin may have also had their server compromised and less conspicuous malware may have been installed.

All MSPs that use Connectwise and have the plugin installed on their on-premise server should ensure the latest version of the plugin is installed. Connectwise has made a tool available to users that will conduct a scan to determine if the vulnerable plugin is in use. It is also recommended to disconnect the VSA server from the internet and to perform an audit to determine if the server has been compromised.

Thanks to advanced cybersecurity defenses, many of which are provided by MSPs to their clients, it is becoming harder for cybercriminals to use standard tactics such as mass spam emails to gain access to business networks. As the past few months have shown, cybercriminals are now targeting MSPs to gain access to their clients’ systems. It is therefore essentials that MSPs ensure they scan for vulnerabilities on their own systems to identify potential weaknesses before they are exploited by hackers.

TitanHQ Launches 2019 MSP Roadshow Campaign in London and Tampa

TitanHQ is on the road again and has kick started a busy 2019 schedule of conferences with events on both sides of the Atlantic.

On February 14, 2019, TitanHQ Alliance Manager Patrick Regan attended the TitanHQ-sponsored Datto Roadshow in Tampa, Florida, and has been meeting with MSP partners from the region to help them with their existing and new email security, DNS filtering, and email archiving projects. TitanHQ has been working very closely with Datto MSP partners to ensure they get the most out of TitanHQ products to better support their clients.

On the other side to the pond, TitanHQ Alliance Manager Eddie Monaghan kicked off a week at the IT Nation Q1 EMEA Meeting in London and has been meeting MSP clients and finding what is going in in their world.

TitanHQ Alliance Manager, Eddie Monaghan 

At both locations and in the upcoming roadshow events the TitanHQ team is available to meet with prospective MSP partners to explain about TitanHQ’s award-winning email security (SpamTitan), web security (WebTitan) and email archiving (ArcTitan) solutions and how they can easily be slotted into MSPs security stacks to better help and protect their clients. Current MSP partners will be given tips to help them get the very most out of the products.

Partner with TitanHQ

TitanHQ is the leading provider of email and web security products for MSPs serving the SMB market and now provides its products to more than 1,500 MSP partners serving clients in more than 200 countries. The combination of SpamTitan and WebTitan allows MSPs to provide their clients with superior protection against malware, ransomware, phishing and other cyber threats.

All TitanHQ products have been developed to specifically meet the needs of MSPs and save them support and engineering time by blocking cyber threats at source.

TitanHQ has developed it’s TitanShield Program to help partners in a wide range of industry sectors take advantage of TitanHQ’s suite of products. The TitanShield Program consists of four elements which meet the needs of MSP, ISP, and technology partners:

The MSP Program: Allows MSPs and resellers adopt the TitanHQ platform and security solutions to provide TitanHQ products direct to their clients.

The OEM program: TitanHQ’s entire suite of products is supplied in white-label form ready to take your company’s branding.

The Technology Alliance Program: Allows tech companies to partner with TitanHQ to offer spam filtering, web filtering, and email archiving solutions to clients alongside their own products.

The Wi-Fi Program: A program for Wi-Fi providers allowing the incorporation of TitanHQ’s cloud-based WiFi content filtering solution partners’ WiFi services.

Over the coming few months, TitanHQ will be visiting Dublin, heading across the channel to the Netherlands, and will be travelling through the UK and United States. If you are a current MSP partner or are interested in finding out how TitanHQ products could benefit your clients and be slotted into your technology stack, be sure to come and meet the team at one the following events.

We look forward to seeing you at one of the roadshow events in 2019.

TitanHQ 2019 MSP Roadshow Dates

February 2019

Date Event Location
February 14, 2019 IT Nation (HTG) Q1 EMEA Meeting London, UK
February 14, 2019 Datto Roadshow Tampa, FL, USA

March 2019

Date Event Location
March 5, 2019 CompTIA UK Channel Community Manchester, UK
March 7, 2019 Datto Roadshow EMEA Dublin, IE
March 11, 2019 CompTIA Community Forum Chicago, IL, USA
March 12, 2019 Datto Roadshow NA Norwalk, CT, USA
March 19, 2019 Datto Roadshow EMEA London, UK
March 26, 2019 Datto Roadshow EMEA Houten, Netherlands
March 26, 2019 Datto Roadshow NA Toronto, Canada

April 2019

Date Event Location
April 25, 2019 Datto Roadshow Long Island, NY, USA
April 29, 2019 IT Nation Evolve (HTG 2) Dallas, TX, USA

May 2019

Date Event Location
May 6, 2019 Connect IT Global (Kaseya Connect) Las Vegas, NV, USA
May 13, 2019 IT Nation (HTG) Q1 EMEA Meeting Birmingham, UK
May 14, 2019 Wifi Now Washington DC, USA

June 2019

Date Event Location
June 17, 2019 DattoCon San Diego, CA, USA

Survey Highlights Healthcare Email Security Weaknesses

The 2019 Cybersecurity Survey conducted by the Healthcare Information and Management Systems Society (HIMSS) has highlighted healthcare email security weaknesses and the seriousness of the threat of phishing attacks.

HIMSS conducts the survey each year to identify attack trends, security weaknesses, and areas where healthcare organizations need to improve their cybersecurity defenses. This year’s survey confirmed that phishing remains the number one threat faced by healthcare organizations and the extent that email is involved in healthcare data breaches.

This year’s study was conducted on 166 healthcare IT leaders between November and December 2018. Respondents were asked questions about data breaches and security incidents they had experienced in the past 12 months, the causes of those breaches, and other cybersecurity matters.

Phishing attacks are pervasive in healthcare and a universal problem for healthcare providers and health plans of all sizes. 69% of significant security incidents at hospitals in the past 12 months used email as the initial point of compromise. Overall, across all healthcare organizations, email was involved in 59% of significant security incidents.

The email incidents include phishing attacks, spear phishing, whaling, business email compromise, and other email impersonation attacks. Those attacks resulted in network breaches, data theft, email account compromises, malware infections, and fraudulent wire transfers.

When asked about the categories of threat actors behind the attacks, 28% named ‘online scam artists’ and 20% negligence by insiders. Online scam artists include phishers who send hyperlinks to malicious websites via email. It was a similar story the previous year when the survey was last conducted.

Given the number of email-related breaches it is clear that anti-phishing defenses in healthcare need to be improved. HIPAA requires all healthcare employees to receive security awareness training, part of which should include training on how to identify phishing attacks. While this is a requirement for compliance, a significant percentage (18%) of healthcare organizations do not take this further and are not conducting phishing simulations, even though they have been shown to improve resilience against phishing attacks by reinforcing training and identifying weaknesses in training programs.

The continued use of out of date and unsupported software was also a major concern. Software such as Windows Server and Windows XP are still extensively used in healthcare, despite the number of vulnerabilities they contain. 69% of respondents admitted still using legacy software on at least some machines. When end users visit websites containing exploit kits, vulnerabilities on those devices can easily be exploited to download malware.

It may take some time to phase out those legacy systems, but improving healthcare email security is a quick and easy win. HIMSS recommends improving training for all employees on the threat from phishing with the aim of decreasing click rates on phishing emails. That is best achieved through training, phishing simulations, and better monitoring of responses to phishing emails to identify repeat offenders.

At TitanHQ, we can offer two further solutions to improve healthcare email security. The first is an advanced spam filtering solution that blocks phishing emails and prevents them from being delivered to inboxes. The second is a solution that prevents employees from visiting phishing and other malicious websites such as online scams.

SpamTitan is an advanced anti-phishing solution that scans all incoming emails using a wide range of methods to identify malicious messages. The solution has a catch rate in excess of 99.9% with a false positive rate of just 0.03%. The solution also scans outbound messages for spam signatures to help identify compromised email accounts.

WebTitan Cloud is a cloud-based web filtering solution that blocks attempts by employees to visit malicious websites, either through web surfing or responses to phishing emails. Should an employee click on a link to a known malicious site, the action will be blocked before any harm is caused. WebTitan also scans websites for malicious content to identify and block previously known phishing websites and other online scams. Alongside robust security awareness training programs, these two solutions can help to significantly improve healthcare email security.

For further information on TitanHQ’s healthcare email security and anti-phishing solutions, contact TitanHQ today.

Office 365 Phishing Scam Uses SharePoint Lure

A new Office 365 phishing scam has been detected that attempts to get users to part with their Office 365 credentials with a request for collaboration via SharePoint.

The campaign was first detected in the summer of 2018 by researchers at cybersecurity firm Avanan. The Office 365 phishing scam is ongoing and has proven to be highly effective. According to Kaspersky Lab, the phishing campaign has been used in targeted attacks on at least 10% of companies that use Office 365.

This Office 365 phishing scam abuses trust in SharePoint services that are often used by employees. An email is sent to an Office 365 user that contains a link to a document stored in OneDrive for Business. In contrast to many phishing campaigns that spoof links and fool users into visiting a website other than the one indicated by the link text, this link actually does direct the user to an access request document on OneDrive.

A link in the document then directs users to a third-party website where they are presented with a Microsoft Office 365 login page that is a perfect copy of the official Office 365 login page. If login credentials are entered, they are given to the scammers. Once obtained, it is possible for the scammers to gain access to the Office 365 account of the user, including email and cloud storage.

The email accounts can be used for further phishing campaigns on the user’s contacts. Since those messages come from within the organization, they are more likely to be trusted. Email accounts can also contain a wealth of sensitive information which is of great value to competitors. In healthcare, email accounts can contain patient information, including data that can be used to steal identities. The attackers can also use the compromised credentials to spread malware. Employees may know not to open attachments from unknown individuals, but when they are sent from a colleague, they are more likely to be opened.

Businesses that use Microsoft’s Advanced Threat Protection (APT) service may mistakenly believe they are protected from phishing attacks such as this. However, since the links in the email are genuine OneDrive links, they are not identified as malicious. It is only the link in those documents that is malicious, but once the document is opened, Microsoft’s APT protection has already been bypassed.

Finding Office 365 users is not difficult. According to a 2017 Spiceworks survey, 83% of enterprises use Office 365 and figures from 2018 suggest 56% of organizations globally have adopted Office 365. However, a basic check can easily identify Office 365 users as it is broadcast on public DNS MX records. If one user can be found in an organization, it is highly likely that every other user will be using Office 365.

Businesses can take steps to avoid Office 365 phishing scams such as this.

  1. Ensure that all employees are made aware of the threat from phishing, and specifically this Office 365 phishing scam. They should be told to exercise caution with offers to collaborate that have not been preceded by a conversation.
  2. Conduct phishing email simulations to test defenses against phishing and identify individuals that require further security awareness training.
  3. Activate multifactor authentication to prevent stolen credentials from being used to access Office 365 accounts from unknown locations/devices.
  4. Change from APT anti-phishing controls to a third-party spam filter such as SpamTitan. This will not only improve catch rates, it will also not broadcast that the organization uses Office 365.
  5. Use an endpoint protection solution that is capable of detecting phishing attacks.
  6. Implement a web filter to prevent users from visiting known phishing websites and other malicious web pages.

LockerGoga Ransomware Suspected in Altran Cyberattack

The French engineering firm Altran Technologies has been grappling with a malware infection that hit the firm on January 24, 2019.

Immediately following the malware attack, Altran shut down its network and applications to prevent the spread of the infection and to protect its clients. Technical and computer forensics experts are now assisting with the investigation. The Altran cyberattack has affected operations in some European countries and the firm is currently working through its recovery plan.

A public announcement has been made about the attack although the malware involved has not been officially confirmed. Some cybersecurity experts believe the attack involved a new ransomware variant named LockerGoga which emerged in the past few days.

LockerGoga ransomware was first identified on January 24 in Romania and subsequently in the Netherlands. It was named by MalwareHunterTeam, based on the path used for compiling the source code into an executable.

LockerGoga ransomware does not appear to be a particularly sophisticated malware variant. Security researcher Valthek, who analyzed the malware, claimed the code was ‘sloppy’, the encryption process was slow, and little effort appears to have been made to evade detection. The ransomware appends encrypted files with the .locked file extension.

The ransomware note suggests that companies are being targeted although it is currently unclear how the ransomware is being distributed.

LockerGoga ransomware encrypts a wide range of file types and, depending on the command line argument, may target all files. Since the encryption process is slow, fast detection and remediation will limit the damage caused. Failure to detect the ransomware and take prompt action to mitigate the attack could prove costly. The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption.

The ransomware had a valid certificate that was issued to a UK firm by Comodo Certificate Authority. The certificate has since been revoked.

LockerGoga ransomware is currently being detected as malicious by 46/69 AV engines on VirusTotal, including Bitdefender, the primary AV engine used by SpamTitan.