
With the ever-increasing number of hacking attacks, it’s important for all businesses to ensure their data is secure. That’s even more important if you’re a Managed IT Provider.

Managed IT Providers have direct access to the infrastructure of many other companies. Once attackers are inside an MSP’s network, they have unlimited opportunities for data theft or infection. This is why cybercriminals closely scrutinize MSPs’ toolkits and wait for one to commit an error. A little while back, some of those cybercriminals got what they wanted: unauthenticated attackers took advantage of a vulnerability in an MSP’s software to install cryptomalware.


The vulnerability itself resided in ConnectWise’s ManagedITSync plug-in for cross-integration between the professional services automation platform ConnectWise Manage and the Kaseya VSA remote monitoring and management system.

The vulnerability allows for remote modification of the Kaseya VSA database. This, in turn, enables attackers to add new users with any access rights and create any tasks — such as uploading malware to all of the MSPs’ clients’ computers.

This is not a new vulnerability. It was discovered back in 2017. As soon as it was, ConnectWise updated its plug-in and seemed to have neutralized the threat. But, as usual, not all users installed the update.

This is why it’s important to choose an IT provider you can trust and not one that simply talks the talk.

Details of incident

According to the Huntress Labs research team, the vulnerability was used by unidentified hackers to attack an unnamed MSP’s client computers using a piece of encryption ransomware called GandCrab. Taking advantage of the fact that Kaseya had administrator access to all end-user devices, the attackers created a task to download and run the malware on endpoints. The danger of GandCrab is covered in this post.

There is no information stating whether this case was the only one, but around the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the rise in Chinese actors’ malicious cyberactivity targeting MSPs.

What’s next?

First, don’t forget to pick an IT provider that can actually do something as trivial as keeping its software up to date (we definitely do). If you’re looking for a solution to the particular integration problem between ConnectWise Manage and Kaseya VSA, start by updating the integration tool.

But do not trust that this was an isolated incident. Likely as not, the same or other attackers are already looking for other ways to get to MSPs’ clients. This is why, as previously mentioned, it’s important to find an IT provider that takes security seriously and isn’t simply there to stuff its pockets.

Therefore, as an MSP, you must take the protection of your own infrastructure no less seriously than that of your clients’ infrastructure. If you provide security services, you have all the tools you need to safeguard your own systems, especially if you follow industry best practices by utilizing cyber security tools and guidelines in conjunction with data backup and disaster recovery services.

You can read more about AtyxIT’s Managed IT Services. We take our clients’ security seriously.