A ransomware gang has breached the infrastructure of at least three managed service providers (MSPs) and has used the remote management tools at their disposal, namely the Webroot SecureAnywhere console, to deploy ransomware on the MSPs’ customers’ systems.
- Hackers breached MSPs via exposed RDP (Remote Desktop Protocol) endpoints, elevated privileges inside compromised systems, and manually uninstalled AV products, such as ESET and Webroot.
- Hackers searched for accounts for Webroot SecureAnywhere, the remote management software (console) that MSPs use to manage remotely located workstations in their customers’ networks.
Javvad Malik, Security Awareness Advocate at KnowBe4:
“Going after MSSPs allows attackers to attack many companies, or allows another route into an otherwise secure company.
When we look at a number of these attacks, most are successful not because of any advanced techniques, but rather through tried and tested methods and by exploiting well-known vulnerabilities. While it is impractical for companies to keep up-to-date with every single exploit and patch available, it is worth assessing those vulnerabilities that have the biggest impact and deploying controls that have the best return on investment. Be that to close RDP, maintain an accurate asset inventory, or provide user awareness.”