Kaseya Vulnerability Makes Customers Target of Litecoin Mining Malware

Remote monitoring and management platform company Kaseya has publicly acknowledged a vulnerability with its Virtual System Administrator product, posting a new product vulnerability note on March 24 and saying its customers have been targeted in attacks to deploy Litecoin mining malware in end point Windows-based PCs. Litecoin is a digital currency similar to Bitcoin

The public posting follows Kaseya’s development and March 17 release of patches which can be found here. Sources have told MSPmentor that Kaseya representatives have been urging installation of these patches as soon as possible.

The patches are for both the 6.3  (Patch 6.3.6, Hotfix #8813) and 6.5 (patch 6.5.0.9) releases of Kaseya Virtual System Administrator to address the vulnerability, and the company says the software-as-a-service systems have already been patched.

“Several Kaseya customers had been targeted in attacks in which attempts were made to deploy ‘Litecoin’ mining malware in their environments, in some cases successfully,” Kaseya wrote in this Knowledge Base note. “While the malware may have allowed the unknown attacker to access end point systems that may contain sensitive data elements, we have seen nothing to suggest that this malware was harvesting personal, financial, or any other kind of sensitive information, or that any individual’s information has been misused as a result of this attack. The actions taken by the attacker appear to be a Litecoin mining operation only, aimed at generating this digital currency.”

In addition to patch installation, Kaseya said that MSPs and other Kaseya must run an audit across all Windows end points. According to Kaseya: “The Litecoin mining malware is a process running ‘SoftwareUpdate.exe’, version 1.0.0.0, and the file description is ‘Apple Software Update’. In order to avoid false positives, it is important that you note the affected version is 1.0.0.0. There is legitimate software from Apple using other version numbers.”

Kaseya has posted detailed instructions at its Knowledge Base note on how to remove the malware. As an alternative, those organizations that find the malware can file a ticket with the help desk with the keyword LCCLEAN, the company said.