Most of the time, Remote Monitoring and Management (RMM) software is great. It allows an IT department or Managed-Services Provider (MSP) to administer any number of servers, workstations, mobile endpoints, or other types of devices without having to be physically present. A software agent is installed on each managed device, and all monitoring and management activities are performed via a central portal. If an agent detects a problem, a support ticket is automatically opened and routed to the helpdesk. This approach is far more proactive and efficient than traditional break/fix maintenance.

But what happens when the RMM unknowingly becomes a conduit for the distribution of malware? This just happened to Kaseya, a vendor of a popular RMM tool. They discovered that a number of their partners’ managed devices were infected with a Monero cryptocurrency miner. [Side note: Monero is an alternative to Bitcoin. Digital currencies need to be “mined” in order to verify transactions and build the ledger that allows the currency to exist. A good discussion can be found here.]

Earlier this week, MSP eSentire reported that it “has observed an unknown threat actor attempting to deploy a Monero cryptocurrency miner to multiple eSentire customers. We assess with high confidence that the threat leveraged Kaseya Ltd’s Virtual Systems Administrator (VSA) agent to gain unauthorized access to multiple customer assets since January 19, 2018.”

Kaseya has since released patches and is urging all customers to install them. They added that the attack affected less than 0.1% of managed devices and appeared to do nothing more than deploy the Monero miner. Further, they indicated that there has been no evidence that this vulnerability was used to harvest personal, financial, or other sensitive information.

The takeaway here is that MSPs are becoming an increasingly attractive target for attackers. When RMM systems provide ready-made access into thousands of machines that would otherwise have to be hacked manually, it’s easy to see why this is the case. And even if the RMM is fully patched, a zero-day exploit like the one that affected Kaseya could potentially wreak havoc. As always, vigilance is key.

Ross is the CISO at Symplexity. He has achieved CCIE Security and CISSP certifications, an MBA from the University of Notre Dame, and has 20 years of experience in the fields of computer and network security engineering and consulting. Ross provides virtual CISO services for our Symplexity Secure clients and helps them to identify information security risks and implement administrative, procedural, and technical controls to mitigate them. He works effectively with both technical and managerial personnel and is a trusted resource for our clients.
