Most of the time, Remote Monitoring and Management (RMM) software is great. It allows an IT department or Managed Services Provider (MSP) to administer any number of servers, workstations, mobile endpoints, or other types of devices without having to be physically present. A software agent is installed on each managed device, and all monitoring and management activities are performed via a central portal. If an agent detects a problem, a support ticket is automatically opened and routed to the helpdesk. This approach is far more proactive and efficient than traditional break/fix maintenance.
But what happens when the RMM unknowingly becomes a conduit for the distribution of malware? This just happened to Kaseya, a vendor of a popular RMM tool. They discovered that a number of their partners’ managed devices were infected with a Monero cryptocurrency miner. [Side note: Monero is an alternative to Bitcoin. Digital currencies need to be “mined” in order to verify transactions and build the ledger that allows the currency to exist. A good discussion can be found here.]
Earlier this week, MSP eSentire reported that it “has observed an unknown threat actor attempting to deploy a Monero cryptocurrency miner to multiple eSentire customers. We assess with high confidence that the threat leveraged Kaseya Ltd’s Virtual Systems Administrator (VSA) agent to gain unauthorized access to multiple customer assets since January 19, 2018.”
Kaseya has since released patches and is urging all customers to install them. They added that the attack affected less than 0.1% of managed devices and appeared to do nothing more than deploy the Monero miner. Further, they indicated that there has been no evidence that this vulnerability was used to harvest personal, financial, or other sensitive information.
The takeaway here is that MSPs are becoming an increasingly attractive target for attackers. When RMM systems provide ready-made access into thousands of machines that would otherwise have to be compromised one at a time, it’s easy to see why this is the case. And even if the RMM is fully patched, a zero-day exploit like the one that affected Kaseya could still wreak havoc. As always, vigilance is key.