Ransomware, Managed Security Services, Malware

eSentire Warns Service Providers of LockBit Attacks on RMM Tools

eSentire is warning service providers and public sector and private industry to batten down their remote monitoring and management tools (RMM), as the Russia-linked LockBit gang has been using the technology to spread their malware.

In a new blog post, the managed detection and response provider (MDR) is urging managed service providers (MSPs), managed security service providers (MSSPs), IT consultants and value-added resellers (VARs) to steel themselves for a possible LockBit attack.

eSentire said that in recent months LockBit has attacked an MSP and two manufacturers and have hijacked the targets’ RMM tools or brought their own to spread ransomware to the MSP’s downstream customers and across the manufacturers’ networks. Two incidents occurred between February 2023 and June 2023, and a third attack took place in February 2022.

LockBit's Tactics Examined

The companies targeted include a storage materials manufacturer, a manufacturer of home décor, and a an MSP. eSentire security researchers found that in each event, LockBit used either the victim’s RMM tools or their own to try to spread malware across the target’s IT infrastructure once they had gained entry to the network. With the MSP event, LockBit wanted to push their malware to the service provider’s supply chain. eSentire said that it blunted all three attacks.

"LockBit affiliates tend to get initial access via numerous methods, including browser-based attacks like SocGholish, exploitation of vulnerable servers exposed to the Internet, and valid credentials," said Keegan Keplinger, eSentire senior threat intelligence researcher.

He added, "The LockBit operators purport to have an open affiliate model, and they state on their leak site, ‘We are located in the Netherlands, completely apolitical and only interested in money. It does not matter what country you live in, what types of language you speak, what age you are, what religion you believe in, anyone on the planet can work with us at any time of the year'. "LockBit is one of the busiest global ransomware operations in commission, with victims across geographic and vertical domains, ranging from small mom and pop businesses to large, industrial manufacturing companies."

How to Defense Your Organization

The following are security tips for defending against LockBit and other cyberthreats as per eSentire:

  • Enforce two-factor authentication for all RMM access, VPNs and other key software systems.
  • Ensure strong and unique passwords are used for RMM accounts and other key system accounts.
  • Implement Access Control Lists (ACLs) for trusted IPs. However, if an end customer is roaming, they should connect to a VPN.
  • Alternatively, MSPs could implement the use of client SSL certificates before customers can access the RMM system.
  • Don't be too explicit about your software stack in job offerings. Because job offers are necessarily public facing, threat actors can use these to understand what software is employed in your company and craft personalized phishing lures that employees are less likely to question.
  • Any employees with access to RMM software should receive additional instruction to scrutinize communications that appear to come from a provider of RMM services.
  • Ensure your organization's IT environment, including your network, endpoints and logs (both on-premises and in the cloud) are protected by a 24/7 MDR solution.
  • Know what level of response/remediation and incident handling is provided as part of your 24/7 MDR offering.
  • Proactive threat intel operationalized – sweeps/proactive hunts to uncover malicious actors across customer organizations, after initial discovery.
  • Ensure that your organization is doing regular and timely patching and updating of its software applications, operating systems and all third-party tools.
  • Educate your clients about the importance of cybersecurity and work with them to establish security policies and guidelines for their employees.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.