Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/20/2019
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Customers of 3 MSPs Hit in Ransomware Attacks

Early information suggests threat actors gained access to remote monitoring and management tools from Webroot and Kaseya to distribute malware.

UPDATE: 06/21/2019 This story has been updated to reflect the fact that customers of at least three MSPs were impacted in the attacks, not just one MSP as previously reported.

Computers belonging to customers of at least three managed services providers have been hit with ransomware after attackers somehow gained access to tools used by the MSPs to remotely manage and monitor client systems.

Details of the attacks are still only emerging, and the full scope of the incidents or even the names of the MSPs are still not currently available. But early information suggests that attackers likely used two remote management tools at the MSPs — one from Webroot, the other from Kaseya — to distribute the ransomware. Both vendors have said the attackers appear to have used stolen credentials to access their tools at the MSP locations.

Comments on an MSP forum on Redditt, including from security researchers claiming close knowledge of the incidents, suggest one MSP is a large company and that many of its clients have been impacted.

A researcher from Huntress Labs, a firm that provides security services to MSPs, claimed on Reditt to have confirmation that the attackers used a remote management console from Webroot to execute a PowerShell based payload that in turn downloaded the ransomware on client systems. Webroot describes the console as allowing administrators to view and manage devices protected by the company's AV software.

According to the Huntress Labs researcher, the payload was likely 'Sodinokibi', a ransomware tool that encrypts data on infected systems and deletes shadow copy backups as well.

Kyle Hanslovan, CEO and co-founder of Huntress Lab says a customer of one MSP that was attacked, contacted his company Thursday and provided their Webroot management console logs for analysis.  "We don't know how the attacker gained access into the Webroot console," Hanslovan says.

But based on the timestamps, the Webroot console was used to download payloads onto all managed systems very quickly and possibly in an automated fashion. "This affected customer had 67 computers targeted by malicious PowerShell delivered by Webroot," Hanslovan says. "We're not sure how many computers were successfully encrypted by the ransomware."

What's also not clear is how the attackers are managing to gain access to the Webroot console so efficiently he says.  "We’ve yet to see anything that would suggest the issue is a global Webroot vulnerabilty." However, three MSP incidents in less than 48hrs involved compromised Webroot management console credentials, he notes.

One Reditt poster using the handle "Jimmybgood22" claimed Thursday afternoon that almost all of its systems were down. "One of our clients getting hit with ransomware is a nightmare, but all of our clients getting hit at the same time is on another level completely," Jimmybgood22 wrote.

Huntress Labs posted a copy of an email that Webroot purportedly sent out to customers following the incident, informing them about two-factor authentication (2FA) now being enforced on the remote management portal. The email noted that threat actors who might have been "thwarted with more consistent cyber hygiene" had impacted a small number of Webroot customers. The company immediately began working with the customers to remediate any impact.

Effective early morning June 20, Webroot also initiated an automated console logoff and implemented mandatory 2FA in the Webroot Management Console, the security vendor said.  Chad Bacher, sebior vice president of products at Webroot says the comapny's product has not been compronised. "We all know that two-factor authentication (2FA) is a cyber hygiene best practice, and we’ve encouraged customers to use the Webroot Management Console’s built-in 2FA for some time," Bacher says.

Meanwhile, another researcher with UBX Cloud, a firm that provides triage and consulting services to MSPs, claimed on Reditt to have knowledge that the attacker had leveraged a remote monitoring and management tool from Kaseya to deliver the ransomware.

"Kaseya was the only common touch point between the MSPs clients and it is obvious that the delivery method leveraged Kaseya's automation by dropping a batch file on the target machine and executing via agent procedure or PowerShell," the researcher claimed. As with the Webroot console, the MSP did not appear to have implemented 2FA for accessing the Kaseya console.

In emailed comments, John Durant, CTO at Kaseya, confirmed the incident."We are aware of limited instances where customers were targeted by threat actors who leveraged compromised credentials to gain unauthorized access to privileged resources," Durant says. "All available evidence at our disposal points to the use of compromised credentials."

In February, attackers pulled off an almost identical attack against another US-based MSP. In that incident, between 1,500 and 2,000 computers belonging to the MSP's customers were simultaneously encrypted with GandCrab ransomware. Then, as now, the attackers are believed to have used Kaseya's remote monitoring and management tool to distribute the malware.

MSPs and IT administrators continue to be targets for attackers looking to gain credentials for unauthorized access, Durant says. "We continue to urge customers to employ best practices around securing their credentials, regularly rotating passwords, and strengthening their security hygiene," he says.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DrBernsteinNYC
50%
50%
DrBernsteinNYC,
User Rank: Apprentice
1/2/2020 | 10:05:24 AM
I was worried about my MSP and made changes before it became a problem
I had my offices servers and applications at an MSP that had its own  data center, but the service and performance was terrible, and we had a feeling that security was simply not up to par with what we needed for HIPAA compliance and disaster recovery.  Our medical offices throughout New Jersey could not afford any downtime.   I met with several other vendors and finally found one that provided honest advice and recommendations.  Baroan Technologies really stood apart from the rest and migrated us to Microsoft Azure. This way we know that it is not up to a basic MSP like Synoptek anymore, but the servers are really in Azure.  I also like that I'm not in a vendor lock with any MSP.  I can transfer the Azure servers to the management of any company that I want.  Baroan handles everything for a fixed fee.  We have two factor  MFA with DUO and Microsoft for our email, our terminal server,  just about everything.   I got peace of mind, so I never have to think about a disaster like what happened with Synoptek and their customers.   I recommend that any business that has their servers at the private data center of any MSP should question why it is so.  Find an IT vendor like Baroan Technologies  that cares more about your business then just their own interests and take steps before there is a disaster.
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
CVE-2020-3115
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
CVE-2020-3121
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
CVE-2020-3129
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
CVE-2020-3131
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...