MSP Remote Access Tools Abused to Deploy Ransomware on Client Networks

By Richard Anderson

Managed service providers (MSPs) are being warned about a spate of attacks that has seen hackers infiltrate MSP systems, compromise their remote management tools, and use them to deploy ransomware on client networks.

It is not hard to see the attraction of attacking MSPs. If access can be gained to the MSP network, hackers potentially have access to all of the MSP's clients through the remote management tools the MSP uses to serve them. For the same effort it takes to hack one organization and deploy ransomware, hackers can infect several different companies.

So far, at least three MSPs have reported that they have been attacked and have had Sodinokibi ransomware deployed on their clients’ networks via the Webroot SecureAnywhere console.

The hackers target MSPs that have exposed remote desktop endpoints. Once access is gained to the MSP system, privileges are escalated and AV solutions are uninstalled. The hackers look for Webroot SecureAnywhere accounts and use them to execute a PowerShell script on remote workstations, which installs the ransomware. Reports posted on Reddit suggest the Kaseya VSA remote management console has also been used to gain access to MSP client networks.
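The chain described above leaves a recognisable trace on the endpoint: the remote-management agent itself becomes the parent of PowerShell and of package-removal commands. The following detector is an added example and is not code from the article or from Webroot or Kaseya; the agent process name `rmm_agent.exe` and the product GUID are placeholders, and the sample events are constructed.

```python
import re

# Placeholder name for the MSP's remote-management agent (an assumption;
# substitute the agent binary of the RMM product actually deployed).
RMM_AGENTS = {"rmm_agent.exe"}

# PowerShell switches typically present when a script is pushed for silent execution.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?:^|\s)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?)\b", re.I)
# Package removal via the Windows Installer or WMI (the route used to uninstall AV).
UNINSTALL = re.compile(r"msiexec(?:\.exe)?\s+/x\b|wmic\s+product\b.*\buninstall\b", re.I)

# Constructed sample process-creation records: parent image, child image, command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"parent": "rmm_agent.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"parent": "rmm_agent.exe", "image": "msiexec.exe",
     "cmd": "msiexec.exe /x {PLACEHOLDER-PRODUCT-GUID} /qn"},
    {"parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]


def classify(event):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmd"]
    if parent in RMM_AGENTS and image == "powershell.exe":
        hits.append("rmm_spawned_powershell")          # any script pushed via the agent
        if SUSPICIOUS_PS_FLAGS.search(cmd):
            hits.append("rmm_hidden_or_encoded_powershell")  # silent / encoded execution
    if parent in RMM_AGENTS and UNINSTALL.search(cmd):
        hits.append("rmm_package_uninstall")           # candidate AV removal
    return hits


def scan(events):
    """Map each event index to the rules it triggered, omitting clean events."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmd"], "->", ", ".join(hits))
```

In production the same rules would be fed from Sysmon event 1 or Windows 4688 records, with a legitimate-script allowlist to keep routine RMM automation from paging anyone.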

When it became clear that hackers were abusing SecureAnywhere, Webroot started enabling two-factor authentication on SecureAnywhere accounts. Although the solution supports 2FA, it was not enabled by default. On June 20, 2019, Webroot performed an automatic logoff in the early hours and enabled 2FA in the Webroot management console to protect against attacks on MSPs.

The latest campaign is one of several to have targeted MSPs this year. Previously, a hacking group targeted MSPs that had failed to patch a vulnerability in the Kaseya plugin for ConnectWise Manager. That vulnerability was exploited and MSP tools were subsequently used to deploy GandCrab ransomware on client networks.


Richard Anderson is the Editor-in-Chief of NetSec.news