Wild Wild West isn’t just a ‘90s hip hop theme song for the movie of the same name, courtesy of Will Smith. It’s also become an internet playground for hackers who are willing to do anything to get into systems, which we’re hearing about on an all-too-regular basis.

One recent attack, discovered at the end of January, was an exploit designed to bypass authentication and allow third-party access to install malware on systems running Kaseya, a popular suite of tools used by managed services providers (MSPs). Strangely, it that the hackers weren’t interested in stealing personal, financial, or other data, but instead wanted to harvest central processing unit (CPU) cycles for cryptocurrency mining. Given the large number of systems being operated by MSPs, the entire sector represents a target-rich environment. In fact, we’ve seen through our Managed Detection and Response (MDR) services that several of our clients were infected by their MSP’s Kaseya deployments.

Attack Vector

The Kaseya hack focused on leveraging the Virtual System Administrator (VSA) agent to gain access to a computer. Evidence of customer assets being compromised was first identified on January 19, 2018. Over the next 5 days, Kaseya administrators saw suspicious PowerShell activity being logged. The attackers instructed systems to download a number of scripts and configurations from a Dropbox account and, once components were installed successfully, a scheduled task was randomly generated to launch at a future date. This is typical of most modern-day attacks.

Initial evidence indicates that the attack was only aimed at Windows-based systems. PowerShell software was used to trigger execution of various system executables that then conducted the malicious script downloads. The scripts were then decoded and assembled into binary files. The attack was the deployment of the Monero cryptomining software package intended for use on Windows systems.

The actors perpetrating the threat, of course, have not been identified—they rarely are—but they do appear to be actively following remediation in efforts to roll out “fixes.” Security analysts continue to state that MSPs can, and likely will, continue to contribute to the problem because their VSA systems may still be going unpatched. Kaseya has worked strenuously since the attack to make sure that news gets out to all potentially affected parties.

Although the precise method of initial entry into the systems is currently unknown, among the best guesses currently circulating is that weak passwords were brute forced, and the authentication procedure failed to shut down repeated login attempts. However, this is not the first attack on Kaseya's software. A Litecoin miner was installed by unauthorized actors back in 2014.

What Was Exposed

At this point, the hackers have not demonstrated an interest in obtaining sensitive information, even though they were in a position to do so. The objective of this attack appears to have been solely to harvest CPU resources for cryptomining. Evidence indicates that the Monero mining software that the attackers set up was consuming up to 65% of the system's resources. A large amount of underlying actionable data may also have been exposed during the hacks, including internal IP addresses, network information, user agents, usernames, and passwords.

What Now?

The attack on Kaseya-based systems is a reminder to all companies that use MSPs as an outsourced IT provider or any operator of VSA software that good old fashion hacking has opened up the Wild Wild West to hackers and it's not enough to simply rely on your MSP to manage your computer systems and network. You need a layered approach to your cyber security program. Wherever possible, changes should be made by on-site administrators to assure that hackers won't be able to utilize harvested info to launch renewed attacks on previously compromised systems. Best practices, such as using strong and long passwords for all administrative accounts, should also be implemented.

What We Can Do

Avalon’s MDR solution combines the power of user behavior analytics, endpoint detection and response, and log analysis to unify security data in order to detect, investigate, and remediate incidents and breaches before they become problems.

Get in touch with our Cyber Team today to see if you qualify for a FREE 30-day assessment.