The tools that Managed Security Providers (MSPs) use to protect and assist your organization can be the same tools that threat actors use to infiltrate it. Recent headlines confirmed that three MSPs were hit in ransomware attacks. Computers belonging to the MSPs' customers were targeted by attackers who leveraged the software the MSPs use to remotely monitor and manage client systems, in conjunction with stolen credentials. As of this publication, it has been confirmed that both Webroot and Kaseya were used to distribute the ransomware.
According to Kyle Hanslovan, CEO and co-founder of Huntress Labs, a security firm that supports MSPs, Huntress confirmed that the attackers used a remote management console from Webroot to execute a PowerShell-based payload (PowerShell is a Windows management tool) that ultimately downloaded the ransomware onto client systems, affecting 67 computers. It is very likely that the payload was 'Sodinokibi', a ransomware tool that encrypts data on infected systems and deletes shadow backups. It is assumed that the console gave the attackers the ability to push payloads onto the managed systems very quickly.
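The chain described above (RMM console, then a PowerShell payload, then a ransomware that deletes shadow backups) leaves a recognisable trail in process-creation telemetry. The following is an added detection example, not code from the original post or from any vendor named here; the RMM agent paths, the log format and the sample events are all constructed placeholders that an MSP would replace with its own agent binaries and log source.

```python
import re

# Constructed example: the RMM agent paths below are placeholders, not real vendor binaries.
RMM_AGENT_IMAGES = {
    r"c:\program files\examplermm\agent.exe",
    r"c:\program files\examplermm\remotecmd.exe",
}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits worth a closer look when the interpreter was spawned by an RMM agent.
SUSPICIOUS_PATTERNS = {
    "encoded_command": re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin\s+delete\s+shadows|shadowcopy\s+delete", re.I),
}

def parse_event(line):
    """Parse one 'Key=Value|Key=Value' process-creation record (constructed log format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def classify(event):
    """Return the findings for one event; an empty list means nothing to escalate."""
    parent = event.get("ParentImage", "").lower()
    child = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("CommandLine", "")
    findings = []
    if parent in RMM_AGENT_IMAGES and child in POWERSHELL_IMAGES:
        # MSPs legitimately run scripts through their RMM, so this alone is context, not an alert.
        findings.append("powershell_from_rmm_agent")
        findings.extend(name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(cmdline))
    return findings

def scan(lines):
    """Return (event number, findings) for each event with the context tag plus a suspicious trait."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        findings = classify(parse_event(line))
        if len(findings) > 1:
            alerts.append((number, findings))
    return alerts

# Constructed sample events; the encoded payload is a placeholder, not real content.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\scripts\inventory.ps1",
    r"ParentImage=C:\Program Files\ExampleRMM\agent.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c ipconfig /all",
    r"ParentImage=C:\Program Files\ExampleRMM\agent.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>",
    r"ParentImage=C:\Program Files\ExampleRMM\agent.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -Command vssadmin delete shadows",
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_EVENTS):
        print(f"event {number}: {', '.join(findings)}")
```

Only events 3 and 4 are reported: PowerShell launched by the RMM agent is expected in an MSP environment, so the logic escalates only when it is paired with an encoded command, a download cradle or shadow-copy deletion.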
Following the incident, Webroot sent out an email to customers reminding them that two-factor authentication (2FA) is now being enforced on the Webroot Management Console. Chad Bacher, Webroot's Senior Vice President of Products, confirmed that the company's product had not been compromised; however, the product was used to push out a payload. It was later disclosed on Reddit by another researcher, from UBX Cloud, that the attacker leveraged a remote monitoring and management tool from Kaseya to deliver the ransomware. As of this publishing, there have not been any confirmed breach reports or specifics beyond what has been shared. The common factor in both cases, in which each tool was leveraged to compromise systems, was the lack of 2FA on the consoles.*
It has become common practice to rely on tools for safety; it is even more important to protect those tools with their built-in security capabilities, particularly MFA (Multi-Factor Authentication), which we have discussed in previous blogs. Furthermore, your company's security is reliant on the vendors that you trust. It is the job of your MSP to continue to provide you with a security-minded service that ensures your company is protected from emerging threats and does not introduce risk. Though this attack hit the headlines in June, in February attackers pulled off an almost identical attack against another United States-based MSP. Between 1,500 and 2,000 computers were infected with GandCrab ransomware, which was later believed to have been distributed using Kaseya.
If your MSP is a security-forward organization, it is monitoring its own network and tools for security events. Ideally, a security-first MSP will proactively communicate and enforce 2FA or MFA to ensure you and your clients are as safe as possible. Unfortunately, the recent malware and ransomware attacks demonstrate that the tools security-unaware MSPs use to provide their services are creating vulnerabilities for the very customers they seek to serve. If you are ready to explore how Intrinium, a company built around security first, can help protect your business, reach out to us today for a free consultation.
Source: DarkReading.com and Reddit
*Webroot does not currently support true MFA; its current implementation only requires the main password and a secondary password. True MFA requires something you know (a password) and something you have (a device or phone) to authorize a user at login. For more information on MFA, read here.