Attackers have hacked three Managed Service Providers (MSPs) and abused their remote management tools to deploy Sodinokibi ransomware on their customers' systems.
The incident came to light after some of the impacted MSPs reported it in a Reddit subreddit dedicated to MSPs.
The big picture
Kyle Hanslovan, co-founder and CEO of Huntress Labs, analyzed the incidents and revealed the following:
“Two companies mentioned only the hosts running Webroot were infected. Considering Webroot's management console allows administrators to remotely download and execute files to endpoints, this seems like a plausible attack vector,” Hanslovan said.
Webroot makes 2FA mandatory
After the incident, Webroot made two-factor authentication (2FA) mandatory for all console accounts, so that an attacker holding any other hijacked credentials could no longer use the console to deploy ransomware.
“Recently, Webroot's Advanced Malware Removal team discovered that a small number of customers were impacted by a threat actor exploiting a combination of customers' weak cyber hygiene practices around authentication and RDP,” Chad Bacher, SVP of Products at Webroot, told ZDNet via email.
“To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory. We did this by conducting a console logout and software update the morning of June 20,” Bacher added.