MSP cybersecurity stalwart ThreatLocker has issued a security alert warning MSPs of a sharp increase in ransomware attacks using remote management tools.
“We have observed a large increase in attackers using remote management tools over the last few days,” said ThreatLocker in a security alert titled “Attackers Using RMMs With [Windows] BCDedit To Bypass Security Software.” “We are unsure how these remote management tools and their cloud control panels are being accessed, as the tools in question were protected by dual-factor authentication.”
ThreatLocker has already created a script that blocks attackers from using the Windows BCDedit tool, delivered as a new security patch for ThreatLocker MSPs using its Ringfencing technology.
“I went from extreme concern to peace of mind by implementing a new ThreatLocker script that is available with its Ringfencing technology,” said David Stinner, CEO of US itek, a Buffalo, N.Y.-based MSP and ThreatLocker partner. “This goes to show that the bad actors are extremely smart and well-funded business operations that are constantly trying to outsmart the protections put in place to deliver ransomware. Fortunately, the Cyber Heroes at ThreatLocker identified this threat, created a policy and worked with our security team to roll out protection against this exploit in under 30 minutes.”
CRN reached out to vendors of widely used RMM platforms, including ConnectWise, Kaseya, N-Able, NinjaOne and Datto, all of which said they are looking into the issue. CRN also reached out to Microsoft but had not heard back at press time.
Neal Juern, founder and CEO of Juern Technology, a San Antonio-based MSSP and ThreatLocker partner, has also implemented the new ThreatLocker script to protect his customers. “I can’t believe how fast ThreatLocker responded to this threat to protect us and our customers,” he said. “This is why we consider ThreatLocker the backbone of our security practice.”
For those not using ThreatLocker, the increasing attempts to exploit RMM platforms represent a “huge issue,” said Juern. “The fact that it is unclear how the RMMs are being accessed is especially alarming. What that means is the attackers have found a vulnerability no one else is aware of, and they are actively exploiting it. This could bring MSPs to their knees. What the attackers are doing is going after [MSP] tools and then using those tools to deploy ransomware.”
As a result of the new security threat, Juern said he is going to accelerate his adoption of ThreatLocker’s new zero trust network access control product. “We are beta testing that product now,” he said. “That will give us another layer of security. We are committed to the ThreatLocker zero trust portfolio.”
RMM tools remain the biggest threat vector for MSPs, said Juern. “Once attackers have access to the RMM they have access to the keys to the kingdom, and they can implement ransomware at will on any customer,” he said. “The problem is RMMs were always meant to give us complete and full control of systems. It provides top-level access for us to monitor and fix things.”
ThreatLocker CEO Danny Jenkins said the number of attempted ransomware attacks on MSPs hit 30 on May 4, the highest level since the Kaseya ransomware attack rocked the MSP market last July 4.
“This is the second-largest number of attacks we have seen in the seven-year history of ThreatLocker,” said Jenkins. “MSPs need to make sure that their RMMs are locked down and that calls like [Microsoft Windows] BCDedit can’t run on their machines and that the RMMs are limited in what they can do.”
Jenkins suspects that the increased ransomware threat may be related to the recent return of the Russia-based REvil ransomware operation, which just resurfaced in the wake of Russia’s attack on Ukraine. “I don’t think it is a coincidence that REvil has come back to life and now we see these increased attacks,” he said. “We haven’t confirmed it, but that is our belief.”
Using RMM tools, attackers may issue “commands to reboot the machine in Safe Mode with Networking, a feature available in many remote management tools,” said ThreatLocker in the alert.
Once the machine is rebooted in safe mode, it does not load security software, said ThreatLocker. “BCDedit allows you to reboot Windows in safe mode, ripping out all security software protection,” said Jenkins.
BCDedit is a built-in Windows tool that can be used to change the way a computer boots, or what files it uses to boot up. In this case, the bad actors are using it to change the operating system to bypass two-factor authentication, ThreatLocker said.
In the security bulletin, ThreatLocker recommended that all MSPs consider Ringfencing their remote management tools. “Application Interaction can and should be blocked between these tools and BCDedit.exe,” said ThreatLocker.
Mark Clift, vice president of information systems for US itek, said he was not surprised that the bad actors are successfully bypassing multifactor authentication.
“We have been saying from the beginning that multifactor authentication is necessary, but it is not a panacea,” he said. “It does not stop everything. MFA bypass has been around for as long as MFA has been around. You need to implement depth security. You need multifactor authentication. You need security software. You need a SOC (Security Operations Center) that is monitoring all of this 24/7.”
The increased attacks are another sign that Ringfencing and whitelisting security technology is key to stopping attacks, said Jenkins. “People told us two years ago that Ringfencing and whitelisting was the dumbest idea in the world,” he said. “Fortunately MSPs are embracing this new way of thinking. The world is changing, but not fast enough.”
ThreatLocker provides assistance at no charge for any MSP that has been hit by a ransomware attack. “If you need help figuring out what files have been hit and where they are, we won’t charge you for that,” he said. “We will put our agent on the MSP systems and monitor what is going on. We do that free of charge for customers.”
ThreatLocker is bracing for an increase in attacks during the Memorial Day weekend, said Jenkins. “We expect attacks at any point in time, but during holiday weekends we increase our staff to make sure that if anything happens, we are there to help customers,” he said.
Juern Technology, which has a 24-hour-a-day, seven-day-a-week SOC, is doubling down to protect its customers over the Memorial Day break. “We will be on higher alert for that weekend,” Neal Juern said. “We monitor our security information and event management systems very closely during holidays.”
Juern said he sees the attacks on MSPs as an existential threat to the MSP model. “We all have to really go to war against these bad actors,” he said. “As soon as the world starts to see MSPs as a problem, it hurts the whole industry.”
Jenkins, for his part, said MSPs need to have a greater “sense of urgency” around improving security for themselves and their customers. He said the future of the MSP model is at stake given the level of attacks on MSPs.
“Ransomware is the biggest threat to any individual MSP, but it is also the biggest threat to the industry as a whole because when one of your peers gets hit by ransomware and it makes the headlines, it makes it harder for MSPs to sell their services to businesses,” he said. “Once MSPs start treating security with a sense of urgency, the world will be a better place.”
Additional reporting by C.J. Fairfield