Cybercriminals have compromised the infrastructure of at least three managed service providers (MSPs) and distributed ransomware to their customers' computers. Details of the attack are scarce at the moment, but early information suggests that the hackers somehow managed to gain access to two remote management tools (one from Webroot and the other from Kaseya) used by the MSPs.
The first reports about the incident appeared on a Reddit thread dedicated to MSPs (companies that provide remote IT services and support to customers all over the world).
According to Huntress Labs, a security firm that provides security services to MSPs, in two instances the attackers gained initial access via RDP, then elevated their privileges on the system and manually uninstalled the Webroot and ESET antivirus products. They also removed the endpoint-based backup software (Veeam in both cases).
The hackers used Webroot's remote management console to execute a PowerShell-based payload that, in turn, downloaded and installed the Sodinokibi ransomware on client systems. The attackers also used the Kaseya VSA remote management console to deliver the ransomware, Huntress Labs said.
According to an email that Webroot sent to its customers following the incident, which Huntress Labs shared, the company began forcibly enabling two-factor authentication (2FA) for its remote management portal. The email noted that a small number of Webroot customers had been impacted by threat actors who might have been "thwarted with more consistent cyber hygiene". Webroot also initiated an automated console logoff and made 2FA mandatory in the Webroot Management Console.
Sodinokibi is relatively new malware, first discovered by the Cisco Talos team at the end of April 2019. It encrypts data in the user's directories and deletes shadow copy backups to make data recovery more difficult.
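The chain described above (RDP access, antivirus uninstall, backup removal, RMM-pushed PowerShell, shadow copy deletion) is easier to catch as a sequence than as single events. The following is an added detection example, not code from the article or from Huntress Labs; the event format, the regex patterns and the sample events are all constructed assumptions for illustration.

```python
# Added example: correlate the attack-chain stages described in the article.
# Event format, patterns and sample data are constructed, not real telemetry.
import re
from datetime import datetime, timedelta

# Stage name -> pattern over an event's detail text (assumed log wording).
STAGES = {
    "rdp_logon":      re.compile(r"LogonType=10"),  # remote interactive logon
    "av_uninstall":   re.compile(r"(?i)(webroot|eset).*uninstall|msiexec.*/x"),
    "backup_removal": re.compile(r"(?i)veeam.*(uninstall|remove)"),
    "shadow_delete":  re.compile(r"(?i)vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete"),
    "rmm_powershell": re.compile(r"(?i)powershell.*(-enc|-e\s|downloadstring)"),
}

def classify(detail):
    """Return the first stage whose pattern matches the event detail, else None."""
    for name, rx in STAGES.items():
        if rx.search(detail):
            return name
    return None

def correlate(events, window=timedelta(hours=6), min_stages=3):
    """events: iterable of (host, iso_timestamp, detail).
    Flag a host when at least `min_stages` distinct stages occur within
    `window` after a remote logon on that host. Returns {host: [stages]}."""
    by_host = {}
    for host, ts, detail in events:
        stage = classify(detail)
        if stage:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        for t0, s0 in items:
            if s0 != "rdp_logon":
                continue  # only anchor the window on a remote logon
            seen = {s for t, s in items if t0 <= t <= t0 + window}
            if len(seen) >= min_stages:
                flagged[host] = sorted(seen)
                break
    return flagged

# Constructed sample events (not real log data); srv02 is benign admin activity.
SAMPLE_EVENTS = [
    ("srv01", "2019-06-20T01:02:00", "Logon success user=admin LogonType=10"),
    ("srv01", "2019-06-20T01:15:00", "cmd: msiexec.exe /x {PRODUCT-GUID} /qn (Webroot uninstall)"),
    ("srv01", "2019-06-20T01:20:00", "cmd: Veeam.Backup.Service uninstall"),
    ("srv01", "2019-06-20T02:00:00", "cmd: powershell.exe -EncodedCommand <placeholder>"),
    ("srv01", "2019-06-20T02:05:00", "cmd: vssadmin.exe delete shadows /all /quiet"),
    ("srv02", "2019-06-20T09:00:00", "Logon success user=bob LogonType=10"),
    ("srv02", "2019-06-20T09:30:00", "cmd: powershell.exe -File Get-Inventory.ps1"),
]
```

Running `correlate(SAMPLE_EVENTS)` flags only srv01; the single remote logon on srv02 is not enough on its own, which keeps routine administration out of the alert.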