Published on March 7th, 2020
MSPs Warned of Major Ransomware Threat to RMM Platforms
Integrated solutions are the common type of platforms used by MSPs.
Asigra on Wednesday issued a warning to its global network of MSPs about a ransomware threat to remote monitoring and management (RMM) platforms that puts solution provider and end-customer applications and data at high risk.
When MSPs are utilizing their RMM platform with tightly integrated backup solutions, there is a single access point to dozens, hundreds or even thousands of organizations. Since the RMM platform is based on agents that are pushed out, the ransomware can potentially push out its malicious code to each of the MSP clients while neutering the backups. This makes MSPs a very lucrative target, according to Asigra.
Eran Farajun, Asigra’s executive vice president, tells us this attack method is different from others targeting MSPs because it uses the MSP’s platforms with its multiple tools that are all pre-integrated to gain entry, and then uses the MSP as proxy to access many clients.
“It is different than attacking each application independently,” he said. “It is much more efficient. The tradeoff of ‘pre-integrated’ to save time and less vendor management has a cost of a higher risk.”
The hacker may send an urgent email or text that appears to come from someone’s direct manager or company executive. The email or text likely contains a link that downloads the ransomware or malware, or an attachment that’s infected with it. The email may emulate an alert email from the same RMM program or another that occurs all the time. Once the RMM platform is compromised, so is the integrated backup, and now the entire MSP client base is under dire threat, according to Asigra.
“Integrated solutions are the common type of platforms used by MSPs,” Farajun said. “Think Connectwise/Momentum, Autotask/Datto, Solarwinds, TigerPaw, Kaseya and Atera. They are very widely used; hence, the popularity of the attack vector and the risk to MSPs and their downstream customers, [and] perhaps the downside of working with another vendor. But MSP surveys show they prefer best-of-breed solutions for their customers.”
Protecting the MSP’s RMM platform against data is a simple, three-step process, according to Asigra.
- First, train all employees to be aware of targeted phishing attacks, as this is the No. 1 channel by which ransomware enters the network.
- Next, separate the data protection infrastructure/solutions from the RMM platform and avoid integrated solutions, which will make it more difficult to compromise.
- And finally, use a backup solution that prevents ransomware or any malware from ever deleting the backup. Also make sure the backup software prevents a ransomware or malware infection by scanning both the backup and recovery streams.
“The density of high-value data in many RMM environments is too alluring for criminal hackers to avoid, making it incumbent upon the MSP to architect a bulletproof data recovery model,” Farajun said. “For the strongest protection, services professionals are advised to disentangle RMM and backup to ensure system recoverability.”
In addition, new research by BlackBerry Cylance finds cybercriminals increasingly focused on MSSPs as high-value targets in 2019.
In mid-2019, a new ransomware called Sodinokibi appeared in the wild, targeting businesses and causing mass disruption in some U.S. government agencies. Its deployment methods are noteworthy as the compromise occurred via targeted phishing attacks aimed at MSPs and MSSPs managing security within the target organization.
Eric Milam, vice president of research operations at BlackBerry Cylance, tells us it’s much more efficient for a threat actor to attack the MSSP than individual customer targets, since once the MSSP is breached, the hacker has access to the whole infrastructure, including the MSSP’s customers’ proprietary data.
“The question is not what they are not doing; they can’t protect against zero-day vulnerabilities or disgruntled employees, but they can do better by employees’ awareness and training around phishing, email links and attachments, regular credentials audit, OS and application patching, better logging and monitoring,” he said. “This is a clear indication that threat actors are becoming more sophisticated since the expertise the MSSPs are providing to customers is computer security, so in theory it should be very hard to hack them.”