ThreatLocker: Cybercriminals Targeting MSPs' Remote Management Tools

ThreatLocker: Cybercriminals Targeting MSPs’ Remote Management Tools

Written by Edward Gately
May 6, 2022

Dual-factor authentication didn't stop attackers from launching attacks.

Cybercriminals have targeted at least 30 MSPs using their remote management tools over the last few days, according to ThreatLocker.

The company has seen a large increase in these attacks on companies and MSPs. In most of these cases, the remote management tools had dual-factor authentication. However, attackers were still able to access them and use them to launch cyberattacks.

Using these tools, the attacker may issue commands to reboot the machine in Safe Mode with Networking. That’s a feature available in many RMM tools. Rebooting a machine can get into Safe Mode and remove security software.

Total Impact Remains Unknown

Sami Jenkins is ThreatLocker’s COO and co-founder.

“We do not know the total number impacted,” she said. “We saw about 30 MSPs have the attack attempted, which is about 25% of the largest MSP breaches.”

The largest breaches tend to affect more than 120 MSPs.

It’s unlikely the attackers were able to get around dual-factor authentication, Jenkins said.

“It is not uncommon to see ransomware from remote management tools,” she said. “The dual-factor configuration was confirmed by MSPs, not by ThreatLocker independently. But also, it is not uncommon for attackers to get in other ways, such as API keys. I do not believe this is a vulnerable RMM or management tools. [These] more likely are isolated attacks based on weak keys, or in some cases no dual-factor. The pace of the attacks seemed to increase over normal attack attempts. It is also worth noting that it is heavily swayed towards remote access (remote control) tools versus RMMs.”

ThreatLocker’s Recommendations

ThreatLocker recommends all users consider ringfencing their remote management tools. Ringfencing allows granular control over how applications can interact with other applications and data, and how and whether they can connect to the internet.

In addition to this, ThreatLocker has also added a new suggested policy: Deny bcdedit.exe. It recommends adding it at the global level, should BCDedit not be needed. This will block the execution of BCDEdit across all environments.

“BCDedit is just a program that is part of Windows,” Jenkins said. “It is used to reboot in safe mode. If you do not need it, it is better to block it from running completely, only to enable it when it is needed. In some cases, you cannot block it because you have applications that need it. If that is the case, you can ringfence your RMM and block it from calling BCDEdit.”

ThreatLocker blocks the execution of all unapproved programs whether pushed out by a remote management tool or run by users.

“Attacks seem to go up and down, but the average attack amounts have increased year over year,” Jenkins said. “I do not expect any reduction, especially with what is happening in Russia. The tools attackers use will always change. [That’s] why it is important to block as much software as possible and ringfence permitted software to limit its permissions.”

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.