ThreatLocker: Cybercriminals Targeting MSPs’ Remote Management Tools

  • Written by Edward Gately
  • May 6, 2022
Dual-factor authentication didn't stop attackers from launching attacks.

Cybercriminals have targeted at least 30 MSPs using their remote management tools over the last few days, according to ThreatLocker.

The company has seen a large increase in these attacks on companies and MSPs. In most of these cases, the remote management tools had dual-factor authentication. However, attackers were still able to access them and use them to launch cyberattacks.

Using these tools, the attacker may issue commands to reboot the machine in Safe Mode with Networking, a feature available in many RMM tools. Once a machine has rebooted into Safe Mode, the attacker can remove its security software.

Total Impact Remains Unknown

Sami Jenkins is ThreatLocker’s COO and co-founder.

“We do not know the total number impacted,” she said. “We saw about 30 MSPs have the attack attempted, which is about 25% of the largest MSP breaches.”

The largest breaches tend to affect more than 120 MSPs.

It’s unlikely the attackers were able to get around dual-factor authentication, Jenkins said.

“It is not uncommon to see ransomware from remote management tools,” she said. “The dual-factor configuration was confirmed by MSPs, not by ThreatLocker independently. But also, it is not uncommon for attackers to get in other ways, such as API keys. I do not believe this is a vulnerable RMM or management tools. [These] more likely are isolated attacks based on weak keys, or in some cases no dual-factor. The pace of the attacks seemed to increase over normal attack attempts. It is also worth noting that it is heavily swayed towards remote access (remote control) tools versus RMMs.”

ThreatLocker’s Recommendations

ThreatLocker recommends all users consider ringfencing their remote management tools. Ringfencing allows granular control over how applications can interact with other applications and data, and how and whether they can connect to the internet.

ThreatLocker has also added a new suggested policy: Deny bcdedit.exe. It recommends adding the policy at the global level if BCDEdit is not needed, which blocks the execution of BCDEdit across all environments.

“BCDEdit is just a program that is part of Windows,” Jenkins said. “It is used to reboot in safe mode. If you do not need it, it is better to block it from running completely, only to enable it when it is needed. In some cases, you cannot block it because you have applications that need it. If that is the case, you can ringfence your RMM and block it from calling BCDEdit.”

ThreatLocker blocks the execution of all unapproved programs whether pushed out by a remote management tool or run by users.
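Where a deny policy cannot be enforced everywhere, the same two conditions can be monitored in process-creation telemetry. The following is an added example, not ThreatLocker's code or policy format: it triages events whose fields are modelled on Sysmon Event ID 1 (Image, OriginalFileName, ParentImage, CommandLine). The agent names, host names and sample events are constructed placeholders.

```python
import ntpath

# Assumption: placeholder names; replace with your remote tools' agent binaries.
REMOTE_TOOL_PARENTS = {"example-rmm-agent.exe", "example-remote-control.exe"}

def is_bcdedit(event):
    """True if the process is bcdedit.exe, even if the file on disk was renamed."""
    names = {ntpath.basename(event["image"]).lower(),
             event.get("original_file_name", "").lower()}
    return "bcdedit.exe" in names

def classify(event):
    """Map one process-creation event to a triage label."""
    if not is_bcdedit(event):
        return "ignore"
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent in REMOTE_TOOL_PARENTS:
        return "ringfence-violation"   # remote tool called BCDEdit
    if "safeboot" in event["command_line"].lower():
        return "safeboot-change"       # boot configuration set to Safe Mode
    return "review"                    # any other use where BCDEdit is not needed

def triage(events):
    """Return (host, label) for every event that is not ignored."""
    labelled = [(e["host"], classify(e)) for e in events]
    return [(host, label) for host, label in labelled if label != "ignore"]

# Constructed sample events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\bcdedit.exe",
     "parent_image": r"C:\Program Files\ExampleRMM\example-rmm-agent.exe",
     "command_line": "bcdedit.exe /set {current} safeboot network"},
    {"host": "WS-02", "image": r"C:\Users\Public\b.exe",
     "original_file_name": "bcdedit.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "b.exe /set {current} safeboot network"},
    {"host": "WS-03", "image": r"C:\Windows\System32\bcdedit.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "bcdedit.exe /enum"},
    {"host": "WS-04", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```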

“Attacks seem to go up and down, but the average attack amounts have increased year over year,” Jenkins said. “I do not expect any reduction, especially with what is happening in Russia. The tools attackers use will always change. [That’s] why it is important to block as much software as possible and ringfence permitted software to limit its permissions.”
