21 June 2019

Attackers hack MSPs to distribute Sodinokibi ransomware


Cybercriminals have compromised the infrastructure of at least three managed service providers (MSPs) and distributed ransomware to their customers' computers. Details of the attack are scarce at the moment, but early information suggests that the hackers somehow managed to gain access to two remote management tools (one from Webroot and the other from Kaseya) used by the MSPs.

The first reports about the incident appeared on a Reddit thread dedicated to MSPs (companies that provide remote IT services and support to customers all over the world).

According to Huntress Labs, a security firm that provides security services to MSPs, in two instances the attackers gained initial access via RDP, then elevated their privileges on the system and manually uninstalled the Webroot and ESET antivirus solutions. They also removed the endpoint-based backup software (Veeam in both cases).

The hackers used the Webroot remote management console to execute a PowerShell-based payload that, in turn, downloaded and installed the Sodinokibi ransomware on client systems. The attackers also used the Kaseya VSA remote management console to deliver the ransomware, Huntress Labs said.

According to an email that Webroot sent to its customers following the incident and shared by Huntress Labs, the company began forcibly enabling two-factor authentication (2FA) for the remote management portal. The email noted that threat actors who might have been "thwarted with more consistent cyber hygiene" had impacted a small number of Webroot customers. Webroot also initiated an automated console logoff and implemented mandatory 2FA in the Webroot Management Console.

Sodinokibi is a relatively new ransomware family that was discovered by the Cisco Talos team at the end of April 2019. It encrypts data in the user's directories and deletes shadow copy backups to make data recovery more difficult.
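The behaviours reported above (AV and backup agent removal, PowerShell launched through an RMM console, shadow copy deletion) are all visible in process-creation telemetry. The following is an added defender-side example, not code from the article or from any of the vendors named; the sample events and the RMM parent process name are constructed placeholders, and the regexes are illustrative rather than a vetted ruleset.

```python
import re

# Constructed sample process-creation records (parent image, image, command line),
# loosely shaped like Windows 4688 / Sysmon event 1 fields. NOT real telemetry
# from the incident; the RMM parent name and base64 blob are placeholders.
SAMPLE_EVENTS = [
    ("rmm_agent_placeholder.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"),
    ("cmd.exe", "wmic.exe", "wmic product where \"name like '%Veeam%'\" call uninstall"),
    ("cmd.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
    ("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem C:\\Temp"),
]

# Parent processes treated as remote-management agents. Placeholder name:
# real RMM binaries vary by vendor, so fill this set from your own inventory.
RMM_PARENTS = {"rmm_agent_placeholder.exe"}

PROTECTIVE_SOFTWARE = re.compile(r"webroot|eset|veeam", re.I)
UNINSTALL = re.compile(r"call\s+uninstall|msiexec(\.exe)?\s+/x|uninstall\.exe", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
SUSPICIOUS_PS = re.compile(
    r"-enc(odedcommand)?\b|downloadstring|downloadfile|invoke-webrequest|-w(indowstyle)?\s+hidden",
    re.I)


def classify(parent, image, cmdline):
    """Return the behaviours matched by one process-creation event."""
    tags = []
    if SHADOW_DELETE.search(cmdline):
        tags.append("shadow_copy_deletion")
    if UNINSTALL.search(cmdline) and PROTECTIVE_SOFTWARE.search(cmdline):
        tags.append("protective_software_uninstall")
    if image.lower() == "powershell.exe" and SUSPICIOUS_PS.search(cmdline):
        # PowerShell spawned by the RMM agent is the delivery path described above.
        if parent.lower() in RMM_PARENTS:
            tags.append("rmm_spawned_suspicious_powershell")
        else:
            tags.append("suspicious_powershell")
    return tags


def scan(events):
    """Map event index -> tags for every event that matched at least one rule."""
    results = {}
    for i, ev in enumerate(events):
        tags = classify(*ev)
        if tags:
            results[i] = tags
    return results
```

Running `scan(SAMPLE_EVENTS)` flags the three hostile events and leaves the Notepad and plain Get-ChildItem events untagged; in practice the uninstall rule needs tuning against legitimate agent upgrades.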
