Arpad Nagy-Bagoly - stock.adobe.

MSP ransomware attack exploits privileged users' credentials

WatchGuard Technologies said recent MSP ransomware attacks revealed that hackers have detailed knowledge of managed service providers' internal operations and technologies.

A threat report has shed light on recent MSP security incidents and highlighted the role that privileged users' credentials play in hackers' methods.

The report, published by Seattle-based security vendor WatchGuard Technologies, examines three MSP ransomware attacks that surfaced on June 20. In all three cases, the attackers hijacked the MSP's internal management tools to distribute Sodinokibi ransomware to their end customers. WatchGuard said it gleaned information for its study from online forums and Huntress Labs research and by analyzing malware samples shared with the company by an affected MSP. While WatchGuard's threat team couldn't identify the root cause of the breaches, the company said it determined the attackers used MSP employees' lost or stolen privileged credentials.

"This was simply a problem with people not securing user credentials and authenticating enough," said Corey Nachreiner, CTO at WatchGuard.

WatchGuard did not identify the MSPs involved in the security breaches.

The MSP ransomware attack in June contrasts with previous incidents where hackers exploited vulnerabilities in MSPs' internal IT management tools. Nachreiner cited the February GandCrab attacks exploiting an unpatched ConnectWise plugin for Kaseya's VSA remote monitoring and management (RMM) platform. "It was a 2-year-old vulnerability even at the time this attack happened, and [the MSP affected] hadn't updated the plugin," he said of the ConnectWise plugin flaw.

Corey Nachreiner, CTO at WatchGuardCorey Nachreiner

Nachreiner noted several possibilities for how the hackers in the June 20 incidents obtained the MSPs' privileged credentials: phishing, brute force attacks, weak password policies, or by uncovering software vulnerabilities. "There are a lot of ways it could happen. ... What we do know is that the attackers somehow gained at least one MSP privileged credential" to access internally used tools, Nachreiner said.

WatchGuard, however, reported it found no evidence of an exploited software vulnerability in the incidents examined.

The incident studied

In the MSP ransomware attack sample that WatchGuard studied, the bad actor (or actors) showed a sophisticated understanding of MSPs' internal operations.

"They had to do some reconnaissance on MSPs to understand how MSPs work, to understand these types of tools that those service providers use," Nachreiner said.

Once inside the MSP's network, the attacker used an employee's credentials to access the MSP's central management consoles. The hacker logged into the MSP's security management platform, Webroot SecureAnywhere, which connects to customer desktops managed by the MSP, he said.

[Editor's Note: WatchGuard competes with Webroot in the security market. Nachreiner emphasized that the incident described didn't exploit a software flaw within Webroot SecureAnywhere. Lost or stolen MSP employee credentials enabled the attacks. "There was no vulnerability in [Webroot's] product, but rather somehow that attack got the privileged Webroot credential," he said.]

With the hijacked management software, the attacker then disabled security controls and applied PowerShell, a Microsoft scripting language for IT management, to run commands on the MSP's managed endpoints and load the Sodinokibi malware. "If you have a privileged credential with PowerShell, there is almost nothing you can't do to remote Windows computers," Nachreiner noted.

If you have a privileged credential with PowerShell, there is almost nothing you can't do to remote Windows computers.
Corey NachreinerCTO, WatchGuard

WatchGuard noted the ransomware attack featured PowerSploit, a PowerShell tool used in ethical penetrating testing. "There a lot of tools that good guys make for penetration testing but they also get reused by criminals for real attacks," Nachreiner said.

Cybersecurity imperatives for MSPs
The growing number of MSP security incidents should put service providers on high alert, Nachreiner said. He said his gut feeling is that hackers are "targeting MSPs as a group and they are looking for low-hanging fruit." WatchGuard had no evidence the June 2019 ransomware attacks were specifically targeted at the MSPs affected.

He also noted the MSP-as-target attacks have largely been a U.S.-based phenomenon, but new reports show the trend spreading globally. On Sept. 18, researchers at Symantec reported that an undocumented attack group was targeting IT service providers in Saudi Arabia.

Nachreiner listed several security measures MSPs should take to safeguard operations and their customers.

Use multifactor authentication (MFA). Nachreiner said he firmly believes that authentication is the cornerstone of security. He advised MSPs to use MFA across their systems.

Although the security industry is turning toward biometrics and tokens, he asserted that neither of these methods is perfect. Biometrics and digital or hardware tokens "can be lost, stolen or tricked with enough effort," he said. Multifactor authentication, however, raises the bar a hacker has to leap.

Aggressively patch publicly facing software. While the June spate of MSP ransomware attacks didn't appear to exploit software vulnerabilities, the Kaseya-ConnectWise hacks in 2018 show that hackers are looking for holes in MSP systems.

"Any MSP, by definition, needs to expose things remotely. In order to remotely manage some of the customers, they have to have some sort of management interface exposed. Anything that is exposed, even if you are limited it ... you should make sure any software behind it is [completely] patched," Nachreiner said.

Put stronger access control lists on RMMs and use VPN. He said MSPs should follow the principle of least privilege, a security practice for restricting employees' access rights to only the files and resources they need to do their work.

Adopt advanced antimalware services. Signature-based antivirus "is no longer enough," he said. He recommended MSPs implement security tools that have advanced technologies such as behavioral analysis and threat detection and response.

Back up. Though an obvious tip, Nachreiner said it bears emphasizing. He said MSPs need to ensure they have backup and disaster recovery technology in place, back up their clients and regularly test those backups.

Next Steps

Security awareness training best practices for MSPs

Kaseya ransomware attack underlines vendor accountability

Dig Deeper on MSP business strategy