What is the threat?
A group of threat actors has targeted customers of Managed Service Providers (MSPs) using Remote Desktop Protocol (RDP) to provide remote assistance and technical support. In this case, the threat actors specifically targeted the SecureAnyware technology platform from Webroot, but the attack can be launched against any unpatched RDP platform – leveraging a recently discovered vulnerability in this Microsoft tool-set. Once exploited, the vulnerability allows the attacker to execute remote code on all systems where the vulnerability is present; which they then use to disable anti-malware defenses and launch PowerShell commands to install and run the Sodinokibi ransomware malware package.
Why is this noteworthy?
As many MSPs provide remote assistance services to their customers, all MSPs could fall victim to this form of attack regardless of which remote assistance software they use to gain access to their customers’ devices. While one vendor was specifically targeted in this particular attack, many remote assistant solutions utilize RDP for gaining access to Windows desktops, laptops, and servers; and are therefore vulnerable. Note also that no third-party software is specifically required, as RDP is a native component of Windows desktop and server Operating Systems – and is typically enabled by default on older versions of Windows Servers. This provides for an immense attack surface if MSPs utilize RDP to offer remote services, which would enable the RDP tool-set on all desktops, laptops, and managed servers.
What is the exposure or risk?
All Windows-based Operating Systems contain a form of Remote Desktop Protocol, and therefore are susceptible to this form of attack. Windows Servers before Server 2016 typically had RDP enabled by default, while desktops and laptops typically do not have it enabled by default. Cloud instances of any Windows Operating System will nearly always have RDP enabled to permit administrative access to the system from another location. Any Windows system that has RDP enabled – for administrative and/or remote assistance purposes – can be compromised if it is left unpatched. Additionally, many remote access/assistance tools used by MSPs leverage RDP – and it may not be visible that these tools are using the RDP system to create assistance connections, creating a situation where the exposure isn’t specifically visible to the MSP.
What can you do?
A patch for this critical RDP vulnerability is available from Microsoft for both currently-supported Windows desktop and server versions and for versions beyond their support lifecycle such as Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008R2.
MSPs should immediately identify any tools which leverage Remote Desktop Protocol to offer remote assistance and ensure the appropriate Microsoft patches are applied to all desktops, laptops, workstations, servers, and other Windows devices at all customer sites. MSPs should also strongly encourage customers to upgrade to patched and supported versions of Windows, as patches for future critical vulnerabilities for unsupported versions are not a guarantee.
All MSP tools should be secured by two-factor or multi-factor authentication. While this RDP vulnerability is executed pre-authentication, threat actors have specifically been targeting brute-force and weak-password attacks against MSP platforms that allow customer device access. Most remote-access tool vendors (including Webroot) allow and often require 2FA/MFA for administrative accounts.
SKOUT recommends ensuring that critical data is regularly backed up in a secure location in order to prevent it from being rendered inaccessible during a ransomware attack. Preferably, using a backup provider that maintains previous versions of files (file rewind, file versioning, previous version protection, etc.) is best, as some backup jobs may run before the ransomware is discovered. Having an incident response plan in place is recommended to quickly contain a ransomware attack from propagating. Endpoint protection such as Cylance is also recommended to block malware from running on a victim machine.
Strong Password Guidelines:
For more information on this topic, please refer to the following links:
If you have any questions, please contact our Security Operations Center.