Local MSP got hacked and all the clients got crypto-lockered. This is not good. So this is obviously a worst-case scenario for someone in the MSP space, or even really anyone who's running a tech business that services other clients, because this means the tools used by this particular MSP were used against them. It's like having the tool that's protecting you used against you to infect all of your clients. So it sounds like, based on this post here, we're going to break down some of the details: they had about 80 clients slash businesses, but an unknown number of endpoints within those businesses, and they were all hacked. Now how does this happen? So it started with the RMM tool. That's similar to the things we... we're going to go with what we know and what we don't know and kind of cover this and break it down. We know the RMM tool appears to have been compromised, and with the RMM tool, or remote management tool, as an MSP it allows me to see into all of the different systems, all the different computers, and we're able to get inside of them to run tasks like updates and push tools to computers. And that's the important part, because it allows two-way access where I communicate with you through the RMM tools to coordinate and orchestrate many servers or many workstations at a time to push an update or load a file. That is a very powerful tool that should be kept very, very locked down. Now we know, because there have been issues and warnings from the government saying, yes, we see high levels of attacks focused on the MSP space. And the reason why is it's a scaling thing. It's maybe hard to get into the client, but if you attack through the MSP instead of the individual business, that gains access to all the other businesses that that MSP has, especially if they're a larger one and they have a lot of customers; that can represent thousands of endpoints. You know, and we're no exception to that. We service a lot of computers, we do the MSP model.
So attacking us would open up all of our clients to that threat if we were compromised. So the few things here, and this person did a really good job breaking some of this down, of saying what they do know and what they don't know. And first off, they will not name the compromised MSP, and that's good. It's not about knowing who the compromised MSP is. What I'm really hoping comes out of this is a good debrief and a good understanding of how it happened. Because understanding how it happened, we can look at it. You know, even if that how is just they did something wrong, they used weak passwords, they didn't use two-factor. We wanna know that, because it serves as a warning to others, and it should serve as a warning to you if you don't have two-factor, or are you auditing all your tools? Are you making sure they're all up to date and there are no vulnerabilities in here? We need to know. The second part, and it's really a good point in here, is that you need to hold these other companies, these companies we buy the tooling from... we need to hold their feet to the fire. And the first post was from Huntress Labs, or their official account. They have one on Reddit as well here, and they claim they have firsthand knowledge of the incident. And I'll link over to their LinkedIn. They're claiming the old ConnectWise ManagedITSync plugin for Kaseya is actively exploited. Now, firsthand knowledge of the exploit; it's interesting that they can make that claim. And I wanna break this down. We don't know that this is the exploit used against this client, but Huntress Labs can at least tell us that they do know that this is being exploited in the wild. These two things together don't always mean that's exactly how they got in, but it's still interesting to think that's how they got in. It's still something: if you are someone using this particular plugin, you shouldn't be. And let me explain how this happens.
So ConnectWise, if you're running it, you're locally hosting it in your office, and then you use tools to connect to other tools such as the VSA from Kaseya. So the Kaseya managed endpoint tool, and then the ConnectWise tool uses the ManagedITSync plugin to talk to it. Well, unfortunately, back in November of 2017 there was a proof of concept posted that showed yes, that can be compromised without a username and password, giving you full control over all those RMMs. And so based on this there was a notice released by ConnectWise and Kaseya; they both have it on here that you really need to get rid of this. And I noticed that this was updated four hours ago, and today is February 6th, 2019. So they're actively reminding people you have to get rid of this plugin, because this plugin is vulnerable. Now this plugin talks to the Kaseya RMM, so it's not exactly Kaseya's fault, because they're just accepting the commands from the plugin. Well, this is where it gets fuzzy, because I'm not sure what Kaseya could have done. I don't know their API well enough to say they should have blocked this, or maybe there's not a way to block this. Maybe it's on the ConnectWise side. So you've got the blame game going back and forth, but either way, whoever is at fault, the fact that this compromise can happen is a serious reason you should be making sure your tooling's up to date and making sure you're not basing anything on this plugin for ConnectWise. Now something else that is interesting, and I've covered this before and I'm not gonna rehash it, but I'll leave a link to the video: Kaseya via a mining payload. It's interesting to me because Kaseya has had this problem not once but, I believe, twice before now, where the Kaseya product was somehow compromised and used to push out all these different viruses, or not viruses but crypto miners, via the RMM tool and turn customers' machines into mining tools for that. So this is what happened before.
To me that makes me nervous in general about the process by which these are written: the fact that, one, someone could write and deploy and implement a secure plugin, and two, that there's not been some way to just get this off. I know it's self-hosted, but there's gotta be something, or was it complete ineptitude on the side of the MSP where they were told, they were given letters, they were given everything they could. It's not like they can just drive over to their place and unplug their servers, but it might have been good if they did that. I know they can't. And that's why I've heard horror stories over in Reddit sysadmin and about people who work for MSPs that have a lot of poor security practices. Hopefully you're not one of them. Hopefully you don't work for one of them, because you don't really wanna be there when this happens, because no one's having a good day, not the clients, not the MSP, and your job is at risk if you work for one of these places, because unless they had insurance to cover all this, and it's gonna be a big maybe, because they could deny insurance claims on cybersecurity insurance if you weren't following rules. Cybersecurity insurance doesn't mean you can't still get that claim denied for ineptitude, because you simply chose to ignore things. You chose to not update plugins. You're gonna negate your own insurance on that. So this is interesting. I will leave links to all this. I'm gonna follow it as a story, because it's definitely a worst-case scenario. It is kind of what they talked about, where we see that there's gonna be more and more active attacks against MSPs because, well, we hold a lot of things, and they're actively attacking the tooling that we use. Now, just for me to be clear, for all those of you wondering, I still run everything on our side, our RMM, everything is all SolarWinds. The only ConnectWise tool we use, ScreenConnect, we still use it.
I'm still happy with that tool, and it had nothing to do with that, but I'm keeping an eye out for all this, because anytime I see these... we're always keeping things up to date. We're always making sure we're running the latest versions, and you should be too. So if you work for a company that's using this, raise the flag, scream, yell, do whatever you gotta do to hopefully turn this off; show them this article. You don't want to be the next person that this happens to. And like I said, I'll follow up if there's a better debrief where they can kind of walk through everything that happened, because really, anytime this happens, it's not to shame the company that it happened to; that's whatever, that's just hyperbole and people getting excited about it. What we really need to come from any of these hacks is kind of a debrief, a walkthrough and a look at it so we can be introspective and say, how can we keep this from happening to me? How can we keep this from happening to other people? And that's what I'll leave you with. All right, if you want to carry on the discussion, head over to the forums. I have the active link posted about it there. Thanks. Thanks for watching. If you liked this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us that does help fund this channel.
And once again, thanks again for watching this video and see you next time.