- The remote management tools which were targeted include Webroot SecureAnywhere and Kaseya VSA.
- The tools have been abused to execute a Powershell script that downloads and installs the Sodinokibi ransomware.
Attackers have hacked three Managed Service Providers (MSPs) and abused their remote management tools to deploy Sodinokibi ransomware on their customers' systems.
The incident came to light after some of the impacted MSPs reported in a subreddit on Reddit dedicated to MSPs.
The big picture
Kyle Hanslovan, co-founder and CEO of Huntress Lab, analyzed the incidents and revealed the following,
- Attackers compromised the MSPs via exposed RDP endpoints.
- Upon compromise, attackers gained escalated privileges and uninstalled antivirus products such as ESET and Webroot.
- The attackers then searched for remote management tools used by MSPs to manage remotely-located workstations of their customers.
- They then abused the remote management tools to execute a Powershell script on customers’ systems.
- The malicious script downloaded and installed the Sodinokibi ransomware on customer endpoints.
- The abused remote management tools include Webroot SecureAnywhere and Kaseya VSA.
“Two companies mentioned only the hosts running Webroot were infected. Considering Webroot's management console allows administrators to remotely download and execute files to endpoints, this seems like a plausible attack vector,” Hanslovan said.
Webroot makes 2FA mandatory
After the incident, Webroot mandated enabling two-factor authentication (2FA) for accounts in order to prevent hackers from using any other potentially hijacked accounts to deploy ransomware.
“Recently, Webroot's Advanced Malware Removal team discovered that a small number of customers were impacted by a threat actor exploiting a combination of customers' weak cyber hygiene practices around authentication and RDP,” Chad Bacher, SVP of Products at WEBROOT told ZDNet via email.
“To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory. We did this by conducting a console logout and software update the morning of June 20,” Bacher added.