Ransomware, Breach, Content

Hackers Hit MSP Software to Launch Ransomware Attacks

Hackers have apparently leveraged MSP (managed IT services provider) software again to spread ransomware across end-customer systems.

The attackers may have gained access into an MSP-centric cybersecurity console from Webroot, while also exploiting RMM (remote monitoring and management) software from Kaseya. Both vendors say the issues involve compromised credentials rather than breaches or software vulnerabilities in their products. Webroot has activated two-factor authentication as a mandatory service as an extra precaution. Statements from both firms are further below.

Three MSPs apparently were impacted by similar attacks over the past 72 hours or so, according  to preliminary information from Huntress Labs, a cybersecurity company working with various sources to probe the situation.  Up to 200 hosts were encrypted -- which is a very small number compared to the number of hosts managed by the three MSPs, the firm adds.

Related Update, June 25, 2019: One of the MSPs paid hackers more than $150,000 in bitcoin to recover from the attacks, according to UBX Cloud.

Webroot Statement About Ransomware Attacks: No Breach, No Product Compromise

In a statement to MSSP Alert, Webroot was quick to assure MSPs that the company "was not breached and our products were not compromised."

Webroot SVP Chad Bacher
Webroot SVP Chad Bacher

Chad Bacher, SVP of products, Webroot, a Carbonite company, said:

"We all know that two-factor authentication (2FA) is a cyber hygiene best practice, and we’ve encouraged customers to use the Webroot Management Console’s built-in 2FA for some time.

Recently, Webroot’s Advanced Malware Removal team discovered that a small number of customers were impacted by a threat actor exploiting a combination of customers’ weak cyber hygiene practices around authentication and RDP.

To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory. We did this by conducting a console logout and software update the morning of June 20.

We are always closely monitoring the threat environment, and will continue to take proactive measures like this to provide the best protection possible for customers."

Kaseya Statement About Ransomware Attacks: Compromised Credentials to Blame

Kaseya CTO John Durant

In a comment from Kaseya CTO John Durant to MSSP Alert, Durant said:

"We are aware of limited instances where customers were targeted by threat actors who leveraged compromised credentials to gain unauthorized access to privileged resources. All available evidence at our disposal points to the use of compromised credentials. We continue to monitor the situation very closely.

The industry continues to see MSPs and IT administrators as targets in order to gain credentials for unauthorized access. And, the research is clear: no matter what the system or software worldwide, 80% of security breaches involve compromised credentials. As we’ve investigated recent instances experienced by customers, all available evidence to us points to the use of compromised credentials to gain unauthorized access. We work diligently to prevent the misuse of our products and continue to urge customers to employ best practices around securing their credentials, regularly rotating passwords, and strengthening their security hygiene. In short, leaders in the industry like Kaseya are constantly raising the bar of security practices and processes as the Internet threat landscape ceaselessly evolves. And, we’ll continue to help our customers through training, educational materials, and other assistance to employ these practices."

MSSP Alert has reached out to additional sources for comment, and will update this coverage if additional details about the alleged attacks surface.

Huntress Labs Investigates MSP Software Attacks

Huntress Labs, which offers MSP-focused threat detection for small and midmarket organizations, has been investigating the attacks. According to a statement from the company to MSSP Alert:

"We are not sure exactly how many MSPs are compromised. We are aware of three independently compromised MSPs in the past 72hrs, but we cannot guarantee they are directly related (although they share many similarities).

We’ve been told up to 200 hosts were successfully encrypted which is a very small number compared to the number of hosts managed by these three MSPs.

We’re not certain how the attackers gained access to Webroot or Kaseya VSA in these incidents. Considering how many MSPs use Webroot/Kaseya, we'd expect there to be way more chatter from affected MSPs if there was a new vulnerability affecting all Webroot/Kaseya customers. We suspect the incidents were the result of compromised MSP user credentials, but we're not ruling our other possibilities. We’ll definitely share more if we learn otherwise."

Amid third-party statements, Webroot has reiterated that there was no breach and there is no product compromise, per Bacher's statement above.

FBI, Department of Homeland Security: MSP Ransomware Warnings

This is the latest in a growing list of attacks that apparently target managed IT service provider (MSP) software platforms and the end customer computers linked to such systems. The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about such attacks.

Story originally published June 20, 2019. Updated June 21 with more detailed statements from Kaseya and Huntress Labs.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.