Unidentified cybercriminals exploited a vulnerability in Kaseya Ltd.'s VSA remote monitoring and management (RMM) system earlier this month to deploy unauthorized cryptocurrency mining software on managed endpoints.
The attack was described this morning by security vendor eSentire Inc.
“eSentire has observed an unknown threat actor attempting to deploy a Monero cryptocurrency miner to multiple eSentire customers,” the Cambridge, Ont.-based company wrote this morning in a security advisory. “We assess with high confidence that the threat leveraged Kaseya Ltd’s Virtual Systems Administrator (VSA) agent to gain unauthorized access to multiple customer assets since January 19, 2018.”
The statement went on to say that eSentire “has disclosed this issue to Kaseya, who is actively working to communicate and mitigate the issue.”
Kaseya, which maintains dual headquarters in Miami and New York, acknowledged the issue in a security update posted on its support site earlier today.
“In the course of our continuous security monitoring of our products, we have uncovered a security vulnerability in our VSA product,” the post stated. “Consistent with our commitment to providing secure solutions for our partners, we have issued a set of patches that removes this vulnerability. We strongly recommend that every on-premises VSA customer download and install this patch immediately. The patch to address this vulnerability has already been deployed to our SaaS and hosted servers.”
Mike Puglia, Kaseya’s chief product officer, added further detail in a media statement.
“While software vulnerabilities are not uncommon, we take security seriously at Kaseya,” Puglia said. “As a result, we caught this vulnerability early and have been able to work quickly with our customers to resolve this issue and safeguard their environments. A very small fraction of our customers (initial estimate <0.1%) were affected by this issue and we have seen no evidence to suggest that this vulnerability was used to harvest personal, financial, or other sensitive information. Our commitment to our customers is unwavering and we will continue to be vigilant and transparent to ensure their safety."
Monero is one of many cryptocurrencies used to buy and sell goods online. Attackers favor it because its proof-of-work algorithm is designed to run efficiently on ordinary CPUs, rather than on the specialized mining hardware that dominates better-known alternatives like Bitcoin, and because its transactions are difficult to trace. That makes the processing power of infected PCs and servers worth stealing, and criminals have employed a variety of scams and exploits to harness it for mining.
In November, Check Point Software Technologies Ltd. reported that Coinhive, a browser-based JavaScript Monero miner, had been the sixth most prevalent malware variant on the web the previous month. The San Carlos, Calif.-based security vendor also stated that, once running, crypto-mining software can surreptitiously consume up to 65 percent of an endpoint's CPU capacity.
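The two passages above describe the symptoms a miner leaves on an endpoint: a process that was pushed out through the management agent, runs from a scratch directory, talks to a mining pool and pins the CPU. The following triage script is an added example and is not code from the article, from eSentire or from Kaseya. It scores process snapshot records against those indicators; the process records, the `rmm_agent.exe` parent-process name, the indicator regexes and the 65 percent CPU threshold (taken from the Check Point figure cited above) are all constructed assumptions for the example, not data from the incident.

```python
"""Heuristic cryptominer triage over endpoint process snapshots.

Added example, not from the article or from Kaseya/eSentire. All process
records below are constructed, and 'rmm_agent.exe' is a hypothetical name
standing in for whatever RMM agent runs on the host being examined.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Thresholds and indicators are this example's own assumptions.
CPU_THRESHOLD = 65.0  # sustained CPU %, matching the figure Check Point cited
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
MINER_FLAG_RE = re.compile(
    r"(?:^|\s)(?:--donate-level|--algo|-a\s+cn|--coin|-o\s+stratum)", re.IGNORECASE
)
KNOWN_MINER_NAMES = {"xmrig", "xmrig.exe", "minerd", "cpuminer", "xmr-stak"}
# Directories an RMM push would plausibly drop a payload into before running it.
SUSPICIOUS_PATH_RE = re.compile(r"(?:\\Temp\\|\\AppData\\|/tmp/|/dev/shm/)", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    name: str
    path: str          # full path of the executable image
    cmdline: str
    parent_name: str   # image name of the parent process
    cpu_pct: float     # CPU usage averaged over the sampling window


def score_process(p: Proc, rmm_agent_names: Set[str]) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each indicator adds weight; reasons explain the score."""
    score, reasons = 0, []
    if STRATUM_RE.search(p.cmdline):
        score += 3
        reasons.append("stratum pool URL in command line")
    if MINER_FLAG_RE.search(p.cmdline):
        score += 2
        reasons.append("miner-style command-line flags")
    if p.name.lower() in KNOWN_MINER_NAMES:
        score += 2
        reasons.append("known miner binary name")
    if p.cpu_pct >= CPU_THRESHOLD:
        score += 1
        reasons.append(f"sustained CPU {p.cpu_pct:.0f}% >= {CPU_THRESHOLD:.0f}%")
    # High CPU alone is not evidence (encoders, builds, backups all pin a core);
    # an RMM-spawned binary running out of a scratch directory is.
    if p.parent_name.lower() in rmm_agent_names and SUSPICIOUS_PATH_RE.search(p.path):
        score += 2
        reasons.append("launched by RMM agent from a scratch directory")
    return score, reasons


def find_likely_miners(procs: Iterable[Proc], rmm_agent_names: Set[str],
                       threshold: int = 3) -> List[Tuple[int, int, List[str]]]:
    """Return (pid, score, reasons) for every process at or above the threshold."""
    hits = []
    for p in procs:
        s, r = score_process(p, rmm_agent_names)
        if s >= threshold:
            hits.append((p.pid, s, r))
    return hits


# Constructed sample snapshot: two miners (one renamed to blend in), one
# legitimate CPU-heavy job, and the hypothetical RMM agent itself.
SAMPLE_PROCS = [
    Proc(4312, "xmrig.exe", r"C:\Users\svc\AppData\Local\Temp\xmrig.exe",
         "xmrig.exe -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER --donate-level 1",
         "rmm_agent.exe", 92.0),
    Proc(1120, "ffmpeg.exe", r"C:\Program Files\ffmpeg\ffmpeg.exe",
         "ffmpeg.exe -i in.mkv -c:v libx265 out.mp4", "explorer.exe", 88.0),
    Proc(5080, "svchost.exe", r"C:\Users\svc\AppData\Local\Temp\svchost.exe",
         "svchost.exe -o stratum+ssl://203.0.113.10:443 -a cn --threads 4",
         "rmm_agent.exe", 70.0),
    Proc(2200, "rmm_agent.exe", r"C:\Program Files\RMM\rmm_agent.exe",
         "rmm_agent.exe", "services.exe", 3.0),
]

if __name__ == "__main__":
    for pid, score, reasons in find_likely_miners(SAMPLE_PROCS, {"rmm_agent.exe"}):
        print(f"pid {pid}: score {score}: {'; '.join(reasons)}")
```

The weighting deliberately treats CPU load as corroboration rather than evidence on its own, so the encoder at 88 percent is not flagged while the renamed `svchost.exe` in a Temp directory is. In a real deployment the parent-process set and the path patterns would be filled in from the organization's own RMM agent and software-distribution conventions.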
Today's incident is yet another illustration of a phenomenon ChannelPro reported on in October: threat actors are increasingly targeting managed service providers, whose RMM systems provide privileged remote access to dozens of customer networks at once. In one highly publicized attack last year, the Chinese cyberespionage group known as APT10 breached multiple businesses by first compromising their MSPs with malware.
Kaseya shipped the latest edition of VSA last week.