MSPs Warned of Major Ransomware Threat to RMM Platforms
Asigra on Wednesday issued a warning to its global network of MSPs about a ransomware threat to remote monitoring and management (RMM) platforms that puts solution provider and end-customer applications and data at high risk.
When MSPs are utilizing their RMM platform with tightly integrated backup solutions, there is a single access point to dozens, hundreds or even thousands of organizations. Since the RMM platform is based on agents that are pushed out, the ransomware can potentially push out its malicious code to each of the MSP clients while neutering the backups. This makes MSPs a very lucrative target, according to Asigra.
Eran Farajun, Asigra’s executive vice president, tells us this attack method is different from others targeting MSPs because it uses the MSP’s platform, with its multiple pre-integrated tools, to gain entry, and then uses the MSP as a proxy to access many clients.
“It is different than attacking each application independently,” he said. “It is much more efficient. The tradeoff of ‘pre-integrated’ to save time and less vendor management has a cost of a higher risk.”
The hacker may send an urgent email or text that appears to come from someone’s direct manager or a company executive. The email or text likely contains a link that downloads the ransomware or malware, or an attachment that’s infected with it. The email may also mimic a routine alert from the RMM program itself or from another tool, the kind of message that arrives all the time. Once the RMM platform is compromised, so is the integrated backup, and now the entire MSP client base is under dire threat, according to Asigra.
“Integrated solutions are the common type of platforms used by MSPs,” Farajun said. “Think Connectwise/Momentum, Autotask/Datto, Solarwinds, TigerPaw, Kaseya and Atera. They are very widely used; hence, the popularity of the attack vector and the risk to MSPs and their downstream customers, [and] perhaps the downside of working with another vendor. But MSP surveys show they prefer best-of-breed solutions for their customers.”
Protecting the MSP’s RMM platform against this threat is a simple, three-step process, according to Asigra.
- First, train all employees to be aware of targeted phishing attacks, as this is the No. 1 channel by which ransomware enters the network.
- Next, separate the data protection infrastructure/solutions from the RMM platform and avoid integrated solutions, which will make it more difficult to compromise.
- And finally, use a backup solution that prevents ransomware or any malware from ever deleting the backup. Also make sure the backup software prevents a ransomware or malware infection by scanning both the backup and recovery streams.
“The density of high-value data in many RMM environments is too alluring for criminal hackers to avoid, making it incumbent upon the MSP to architect a bulletproof data recovery model,” Farajun said. “For the strongest protection, services professionals are advised to disentangle RMM and backup to ensure system recoverability.”
In addition, new research by BlackBerry Cylance finds cybercriminals increasingly focused on MSSPs as high-value targets in 2019.
In mid-2019, a new ransomware called Sodinokibi appeared in the wild, targeting businesses and causing mass disruption in some U.S. government agencies. Its deployment methods are noteworthy, as the compromise occurred via targeted phishing attacks aimed at the MSPs and MSSPs managing security within the target organization.
Eric Milam, vice president of research operations at BlackBerry Cylance, tells us it’s much more efficient for a threat actor to attack the MSSP than individual customer targets, since once the MSSP is breached, the hacker has access to the whole infrastructure, including the MSSP’s customers’ proprietary data.
“The question is not what they are not doing; they can’t protect against zero-day vulnerabilities or disgruntled employees, but they can do better by employees’ awareness and training around phishing, email links and attachments, regular credentials audit, OS and application patching, better logging and monitoring,” he said. “This is a clear indication that threat actors are becoming more sophisticated since the expertise the MSSPs are providing to customers is computer security, so in theory it should be very hard to hack them.”