Attackers Exploit MSP’s Tools to Distribute Ransomware
June 21 2019

For the second time in the past few months, systems belonging to customers of a managed service provider have been hit with ransomware because of what may have been a security lapse on the part of the MSP.
Details of the attack are still only emerging, and the full scope of the incident or even the name of the MSP is still not currently available. But early information suggests that attackers may have somehow gained access to two remote management tools at the MSP — one from Webroot, the other from Kaseya — to distribute the ransomware.
Comments on an MSP forum on Reddit, including from security researchers claiming close knowledge of the incident, suggest the MSP is a large company and that many of its clients have been impacted.
A researcher from Huntress Labs, a firm that provides security services to MSPs, claimed on Reddit to have confirmation that the attackers used a remote management console from Webroot to execute a PowerShell-based payload that, in turn, downloaded the ransomware on client systems. Webroot describes the console as allowing administrators to view and manage devices protected by the company’s antivirus software.
According to the Huntress Labs researcher, the payload was likely “Sodinokibi,” a ransomware tool that encrypts data on infected systems and also deletes shadow copy backups.
Kyle Hanslovan, CEO and co-founder of Huntress Labs, says a customer of the MSP that was attacked contacted his company Thursday and provided its Webroot management console logs for analysis. “We don’t know how the attacker gained access into the Webroot console,” Hanslovan says.
Based on the timestamps, the Webroot console was used to download payloads onto all managed systems very quickly and possibly in an automated fashion. “This affected customer had 67 computers targeted by malicious PowerShell delivered by Webroot,” Hanslovan says. “We’re not sure how many computers were successfully encrypted by the ransomware.”
One Reddit poster using the handle “Jimmybgood22” claimed Thursday afternoon that almost all of its systems were down. “One of our clients getting hit with ransomware is a nightmare, but all of our clients getting hit at the same time is on another level completely,” Jimmybgood22 wrote.
Huntress Labs posted a copy of an email that Webroot purportedly sent out to customers following the incident, informing them about two-factor authentication (2FA) now being enforced on the remote management portal. The email noted that threat actors who might have been “thwarted with more consistent cyber hygiene” had impacted a small number of Webroot customers. The company immediately began working with the customers to remediate any impact.
Effective early morning June 20, Webroot also initiated an automated console logoff and implemented mandatory 2FA in the Webroot Management Console, the security vendor said.
Meanwhile, another researcher with UBX Cloud, a firm that provides triage and consulting services to MSPs, claimed on Reddit to have knowledge that the attacker had leveraged a remote monitoring and management tool from Kaseya to deliver the ransomware.
“Kaseya was the only common touch point between the MSP’s clients and it is obvious that the delivery method leveraged Kaseya’s automation by dropping a batch file on the target machine and executing via agent procedure or PowerShell,” the researcher claimed. As with the Webroot console, the MSP did not appear to have implemented 2FA for accessing the Kaseya console.
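Both the Webroot timeline and the Kaseya account describe the same defender-visible pattern: a single console identity pushing a script to every managed endpoint within minutes. The following added example (my own code, not from Huntress Labs, Webroot or Kaseya) runs a per-actor sliding-window check over constructed audit-log lines and flags that fan-out; the CSV layout, field names, account names and thresholds are all assumptions.

```python
"""Burst fan-out detector for RMM / security-console audit logs."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample audit log (assumed layout, not a real vendor format):
    timestamp,actor,action,target_host,command. One account pushes a script
    to 12 hosts in two minutes; two routine single-host actions are noise."""
    base = datetime(2019, 6, 20, 2, 14, 3)
    lines = [
        "2019-06-19T15:02:11,tech1,run_script,WS-004,powershell Get-Service",
        "2019-06-19T16:40:55,tech2,agent_procedure,WS-017,patch scan",
    ]
    for i in range(12):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()},mspadmin,run_script,WS-{i:03d},<script body omitted>")
    return "\n".join(lines)


def parse_log(text):
    """Parse the assumed CSV layout into event dicts; command may contain commas."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, host, cmd = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "host": host, "cmd": cmd})
    return events


def find_fanout_bursts(events, window=timedelta(minutes=5), min_hosts=10,
                       actions=("run_script", "agent_procedure")):
    """Flag any actor that dispatches scripts to >= min_hosts distinct hosts
    inside one sliding time window. One alert per actor is enough for triage."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in actions:
            by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"actor": actor, "first": evs[start]["ts"],
                               "last": evs[end]["ts"], "hosts": len(hosts)})
                break
    return alerts


if __name__ == "__main__":
    for a in find_fanout_bursts(parse_log(build_sample_log())):
        print(f"ALERT {a['actor']}: {a['hosts']} hosts between {a['first']} and {a['last']}")
```

Tune `window` and `min_hosts` to the tenant's normal deployment cadence; a legitimate patch rollout will also trip this, which is the point of reviewing it against change records.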
In emailed comments, John Durant, CTO at Kaseya, confirmed the incident. “We are aware of limited instances where customers were targeted by threat actors who leveraged compromised credentials to gain unauthorized access to privileged resources,” Durant says. “All available evidence at our disposal points to the use of compromised credentials.”
In February, attackers pulled off an almost identical attack against another US-based MSP. In that incident, between 1,500 and 2,000 computers belonging to the MSP’s customers were simultaneously encrypted with GandCrab ransomware. Then, as now, the attackers are believed to have used Kaseya’s remote monitoring and management tool to distribute the malware.
MSPs and IT administrators continue to be targets for attackers looking to gain credentials for unauthorized access, Durant says. “We continue to urge customers to employ best practices around securing their credentials, regularly rotating passwords, and strengthening their security hygiene,” he says.
Related Content:
- Ransomware Attack Via MSP Locks Customers Out of Systems
- APT10 Indictments Show Expansion of MSP Targeting, Cloud Hopper Campaign
- China-Based Threat Actor APT10 Ramps Up Cyber Espionage Activity
- 8 Ways to Authenticate Without Passwords
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …