21 June 2019

Attackers hack MSPs to distribute Sodinokibi ransomware

Cybercriminals have compromised the infrastructure of at least three managed service providers (MSPs) and distributed ransomware to their customers' computers. Details of the attack are scarce at the moment, but early information suggests that the hackers somehow managed to gain access to two remote management tools (one from Webroot, the other from Kaseya) used by the MSPs.

The first reports of the incident appeared on a Reddit thread dedicated to MSPs (companies that provide remote IT services and support to customers all over the world).

According to Huntress Labs, a security firm that provides security services to MSPs, in two instances the attackers gained initial access via RDP, then elevated their privileges on the system and manually uninstalled the Webroot and ESET antivirus solutions. They also removed the endpoint-based backup software (Veeam in both cases).

The hackers used the Webroot remote management console to execute a PowerShell-based payload that, in turn, downloaded and installed the Sodinokibi ransomware on client systems. The attackers also used the Kaseya VSA remote management console to deliver the ransomware, Huntress Labs said.

According to an email that Webroot sent to its customers following the incident, shared by Huntress Labs, the company began forcibly enabling two-factor authentication (2FA) for its remote management portal. The email noted that a small number of Webroot customers had been impacted by threat actors who might have been "thwarted with more consistent cyber hygiene". Webroot also initiated an automated console logoff and made 2FA mandatory in the Webroot Management Console.

Sodinokibi is a relatively new malware family, discovered by the Cisco Talos team at the end of April 2019. Sodinokibi encrypts data in the user's directories and deletes shadow copy backups to make data recovery more difficult.
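The chain described above (RDP logon, removal of the antivirus and backup agents, PowerShell launched from a remote management agent, shadow copy deletion) is something an MSP or its customers can look for in Windows event telemetry. The following is an added detection example, not code from the article, Huntress Labs, Webroot or Kaseya. The Event IDs are real Windows ones (4624 logon, 4688 process creation, MsiInstaller 11724 product removal); the sample records, the remote-management agent process names in `RMM_AGENTS` and the command lines are constructed assumptions about what such activity typically looks like in logs.

```python
"""Detect the MSP-compromise chain from the article in Windows event records.

All events in SAMPLE_EVENTS are constructed samples, not real telemetry.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events in the order the article describes the intrusion.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Security 4624, logon type 10 = RemoteInteractive (RDP)
    {"event_id": "4624", "logon_type": "10", "user": "admin", "src_ip": "198.51.100.23"},
    # MsiInstaller 11724 = product removal completed
    {"event_id": "11724", "product": "Webroot SecureAnywhere"},
    {"event_id": "11724", "product": "ESET Endpoint Security"},
    {"event_id": "11724", "product": "Veeam Agent for Microsoft Windows"},
    # Security 4688: PowerShell spawned by an RMM agent (assumed agent name)
    {"event_id": "4688",
     "parent": r"C:\Program Files\Kaseya\AgentMon.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc AAAA"},
    # Security 4688: shadow copy deletion (constructed command line)
    {"event_id": "4688",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
]

# Products the article names as removed before encryption.
PROTECTED_PRODUCT_RE = re.compile(r"webroot|eset|veeam", re.IGNORECASE)
# Executable names assumed for the remote management agents mentioned in the article.
RMM_AGENTS = {"agentmon.exe", "wrsa.exe"}
# Shadow copy deletion patterns commonly seen before ransomware encryption.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
STAGES = ("rdp_logon", "security_tool_removed",
          "rmm_spawned_powershell", "shadow_copies_deleted")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one event record to a chain stage, or None if it is not of interest."""
    eid = event.get("event_id")
    if eid == "4624" and event.get("logon_type") == "10":
        return "rdp_logon"
    if eid == "11724" and PROTECTED_PRODUCT_RE.search(event.get("product", "")):
        return "security_tool_removed"
    if eid == "4688":
        if SHADOW_DELETE_RE.search(event.get("command_line", "")):
            return "shadow_copies_deleted"
        if (_basename(event.get("image", "")) == "powershell.exe"
                and _basename(event.get("parent", "")) in RMM_AGENTS):
            return "rmm_spawned_powershell"
    return None


def detect_chain(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count how many events hit each stage of the chain."""
    found: Dict[str, int] = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            found[stage] = found.get(stage, 0) + 1
    return found


def severity(found: Dict[str, int]) -> str:
    """Escalate on the number of distinct stages seen on one host.

    An RDP logon alone is normal administration and stays informational;
    tool removal, RMM-launched PowerShell or shadow deletion alone is medium;
    two stages together is high and three or more is critical.
    """
    hits = sum(1 for s in STAGES if s in found)
    if hits >= 3:
        return "critical"
    if hits == 2:
        return "high"
    if hits == 1 and "rdp_logon" not in found:
        return "medium"
    return "info"


if __name__ == "__main__":
    stages = detect_chain(SAMPLE_EVENTS)
    print(stages, severity(stages))
```

The scoring deliberately does not alert on the RDP logon by itself, since MSP staff use RDP legitimately; the combination with uninstall events for the security and backup products, or with a PowerShell process whose parent is the remote management agent, is what makes the sequence worth paging on. In a real deployment the stages should additionally be correlated per host and within a time window.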
