21 June 2019

Attackers hack MSPs to distribute Sodinokibi ransomware

Cybercriminals have compromised the infrastructure of at least three managed service providers (MSPs) and distributed ransomware to their customers’ computers. Details of the attack are scarce at the moment, but early information suggests that the hackers somehow managed to gain access to two remote management tools (one from Webroot, the other from Kaseya) used by the MSPs.

The first reports about the incident appeared on a Reddit thread dedicated to MSPs (companies that provide remote IT services and support to customers all over the world).

According to Huntress Labs, a security firm that provides security services to MSPs, in two instances the attackers gained initial access via RDP, then elevated their privileges on the system and manually uninstalled the Webroot and ESET antivirus solutions. They also removed the endpoint-based backup software (Veeam in both cases).

The hackers used a remote management console from Webroot to execute a PowerShell-based payload that, in turn, downloaded and installed the Sodinokibi ransomware on client systems. The attackers also used the Kaseya VSA remote management console to deliver the ransomware, Huntress Labs said.

According to an email that Webroot sent to its customers following the incident, shared by Huntress Labs, the company began forcibly enabling two-factor authentication (2FA) for its remote management portal. The email noted that threat actors who might have been "thwarted with more consistent cyber hygiene" had impacted a small number of Webroot customers. Webroot also initiated an automated console logoff and implemented mandatory 2FA in the Webroot Management Console.

Sodinokibi is relatively new malware, first discovered by the Cisco Talos team at the end of April 2019. Sodinokibi encrypts data in a user's directory and deletes shadow copy backups to make data recovery more difficult.
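As an added defensive example (not code from the original article or from any of the vendors named), the following Python detector runs the stages described above, PowerShell spawned by an RMM agent, removal of antivirus or backup software, and shadow-copy deletion, over a constructed set of process-creation events and flags hosts where several stages line up. The agent binary names, the uninstall command lines and the use of vssadmin/wmic for shadow-copy deletion are assumptions about how these steps typically appear in endpoint telemetry, not details reported by the article.

```python
import re

# Constructed sample of process-creation events (no real telemetry), shaped like a
# Sysmon Event ID 1 export: host, parent image, child image, command line.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "cmd.exe", "image": "WRSA.exe",
     "cmdline": "WRSA.exe -uninstall"},
    {"host": "ws-01", "parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": 'msiexec.exe /x "Veeam Agent for Microsoft Windows" /qn'},
    {"host": "ws-01", "parent": "AgentMon.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Temp\\run.ps1"},
    {"host": "ws-01", "parent": "powershell.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

# Assumed RMM agent binaries (Webroot, Kaseya VSA); adjust to what runs in your fleet.
RMM_AGENTS = {"wrsa.exe", "agentmon.exe"}
# Products whose removal the article ties to the attack chain.
PROTECTED_PRODUCTS = re.compile(r"webroot|eset|veeam|wrsa", re.I)

RULES = {
    "rmm_spawned_powershell": lambda e: e["parent"].lower() in RMM_AGENTS
        and e["image"].lower() == "powershell.exe",
    "hidden_powershell": lambda e: e["image"].lower() == "powershell.exe"
        and re.search(r"-w(indowstyle)?\s+hidden", e["cmdline"], re.I) is not None,
    "security_or_backup_uninstall": lambda e: re.search(r"uninstall|/x\b", e["cmdline"], re.I)
        and PROTECTED_PRODUCTS.search(e["cmdline"]) is not None,
    "shadow_copy_deletion": lambda e: re.search(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
        e["cmdline"], re.I) is not None,
}

def match_events(events):
    """Return (host, rule_name) for every event that trips a rule."""
    return [(e["host"], name) for e in events for name, pred in RULES.items() if pred(e)]

def suspicious_hosts(events, min_rules=2):
    """Hosts on which at least `min_rules` distinct stages of the chain were seen."""
    per_host = {}
    for host, rule in match_events(events):
        per_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}

if __name__ == "__main__":
    for host, rules in suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, rules)
```

Requiring two or more stages on the same host keeps a lone administrative PowerShell run (ws-02 in the sample) from raising an alert, while the ws-01 sequence trips every rule.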
