A ransomware gang has breached the infrastructure of at least three managed service providers (MSPs) and has used the remote management tools at their dispossal, namely the Webroot SecureAnywhere console, to deploy ransomware on the MSPs' customers systems.
The ransomware infections were first reported today in a Reddit section dedicated to MSPs -- companies that provide remote IT services and support to companies across the world.
Kyle Hanslovan, co-founder and CEO of Huntress Lab, was online and helped some of the impacted MSPs investigate the incidents.
Hanslovan said hackers breached MSPs via exposed RDP (Remote Desktop Endpoints), elevated privileges inside compromised systems, and manually uninstalled AV products, such as ESET and Webroot.
In the next stage of the attack, the hackers searched for accounts for Webroot SecureAnywhere, remote management software (console) used by MSPs to manage remotely-located workstations (in the network of their customers).
According to Hanslovan, the hackers used the console to execute a Powershell script on remote workstations; script that downloaded and installed the Sodinokibi ransomware.