Back in October, Datto identified the threat actor through its routine dark web monitoring practices.

Edward Gately, Senior News Editor

February 12, 2020

5 Min Read
FBI agent at desk
Shutterstock

A collaboration between Datto and Huntress Labs targeted a cybercriminal attempting to sell information that could have led to cyberattacks on an MSP and its clients.

The FBI last month arrested that hacker, Marquavious D. Britt, an Augusta, Georgia, resident, for allegedly trying to sell information that would allow hackers to take over an MSP. Britt worked for the MSP until he was terminated for failure to complete tasks assigned to him.

The FBI isn’t commenting. According to the indictment filed in the U.S. District Court for the Northern District of Georgia, Atlanta Division, Britt was charged with one count of computer fraud and abuse and one count of access device fraud.

The MSP is based in Atlanta and provides IT support, mobile application development and software support to its clients.

According to the criminal complaint, Britt “intentionally access[ed] a computer, without authorization and exceeding authorization, and thereby obtained information and attempted to obtain information from a protected computer for the purposes of commercial advantage and private financial gain, with the value of the information obtained exceeding $5,000.”

Back in October, Datto identified a threat actor through its routine dark web monitoring practices. This cybercriminal, known by his Torum handle as “w0zniak,” was seen selling access to an MSP’s VPS control panel on the dark web for $600 in bitcoin.

Kyle Hanslovan, Huntress Labs CEO and co-founder, tells us Datto and Huntress began collaborating last summer during a “bit of an epidemic” with MSPs having all of their clients ransomed at the same time.

Hansolven-Kyle_Huntress-Labs.jpg

Huntress Labs’ Kyle Hanslovan

“Where we collaborated ended up coming into fruition where it’s a bit of an informal group of vendors, several vendors within the channel as well as other security experts from MSPs themselves collaborating and sharing threat intelligence,” he said. “And the whole goal of it was we as a community are not going to let hackers steamroll us, we’re going to combat this as a team, and that was a very informal idea, and really this was the first time it crystallized in such a remarkable result.”

During its research, Datto discovered all kinds of places on the dark web where people are selling access to exploits and one of those things was “w0zniak” saying “I got into an MSP, they manage roughly 20 different small businesses and I’ll sell you credentials into their cloud management platform for $600,” Hanslovan said.

“That was a big departure from this kind of anonymous hacker,” he said. “You would think of the typical male in a hoodie hacking your network, but this was the first time we see a real-life person behind it, you get somebody communicating about this.”

The Datto team decided that they were going to share that with this threat intelligence sharing group called MSSP Information Security and Awareness (ISAC), Hanslovan said.

“When the Datto team notified the Huntress team that they found this, we decided as a group we were going to take it to the next level and that next level was Huntress actually social engineering that hacker, pretending to be another hacker saying, before we send you any money, they’ve got to give us screenshots showing details about the victim,” he said. “And from those details, we were able to pivot that IP address and the computer names, and we found out who several of the customers were and ultimately figured out who the MSP was without ever having to talk to the hacker again. That was pretty exciting for us, the idea of …

… sharing threats and trade craft, and all the different ways MSPs will be hacked. That was fulfilling, but nothing like when all of a sudden somebody has access they’re selling and here we are able to actually collaborate as a community and notify that MSP that somebody’s in your network and you better defend quickly.”

Hanslovan said when he first learned of the MSP for sale on the dark web, he informed the FBI bureau in Baltimore, Maryland, and when he contacted the breached MSP they hadn’t yet been contacted by the FBI. It’s not clear how the Atlanta FBI bureau found the alleged cybercriminal.

Ryan Weeks, Datto’s CISO, tells us if Huntress had engaged “w0zniak” and the attacker didn’t provide any information that allowed Huntress to identify the MSP without making a payment, “then it very likely would have resulted in an event like what we’ve seen for numerous MSPs.”

Ryan-Weeks-Datto-2018.jpg

Datto’s Ryan Weeks

“It is very likely it would have ended in a ransomware event that affected likely most or all of their customers,” he said.

Convincing the MSP that it was being targeted was a challenge, but further research showed the MSP was a customer of ConnectWise, and ConnectWise then was able to contact this MSP, passing along all the details of what was found so it could expel the hacker, protect their clients and harden their internal network, Hanslovan said.

“The amount of threat-actor activity and communication has dramatically increased just from what we’re able to see both through our collaborative relationships with the ISAC community, as well as just from our own kind of position, helping MSPs recover from these attacks,” Weeks said. “This is a drop in the ocean in terms … of what we need to do, but it’s definitely declaring a strong statement that, ‘Hey look, this works.’ We do eventually need to involve MSPs, but I think it starts with the vendors getting on the same page, and the vendors kind of building the path and paving that path and finding eventual MSP collaboration points, whether it’s working with peer groups or inviting MSPs to be part of that community of where we go from here and the potential for the protective capability of this community.”

If any vendors are interested in joining the collaboration, they can contact Hanslovan at [email protected] and Weeks at [email protected].

Read more about:

MSPs

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like