In the latest Cybersecurity Threat Advisory, we discuss The Play Ransomware Group, also known as PlayCrypt, who are currently waging a global cyberattack campaign against multiple managed service providers (MSPs). Their primary targets are midsize businesses in sectors like finance, legal, software, shipping, law enforcement, and logistics in countries including the US, the UK, Australia, Italy, and others. Barracuda MSP recommends MSPs exercise security vigilance.
What is the threat?
Information in the wild shows that members of the Play group are infiltrating MSP systems and exploiting remote monitoring and management (RMM) tools to gain unrestricted access to the networks, as well as their customers’ systems. They gain access to privileged management systems and RMM tools via phishing aimed at MSP employees, resulting in system compromise and access through direct exploitation or credential harvesting and reuse. Once they gain access, Play actors deploy additional exploits to expand their foothold. In some cases, they have taken advantage of vulnerabilities in Microsoft Exchange Server, such as CVE-2022-41040, a privilege escalation bug, and CVE-2022-41082, a remote code execution bug. Play has also been observed exploiting older Fortinet appliances, such as CVE-2018-13379, a five-year-old path traversal flaw, and CVE-2020-12812, a security bypass flaw.
Why is it noteworthy?
The Play ransomware tool is notably sophisticated. In particular, it uses a new technique known as intermittent encryption to render data inaccessible on victim systems, providing it with quicker encryption rates and enabling threat actors to complete their tasks faster. Intermittent encryption encrypts only parts of each file in fixed blocks or at the beginning of the file.
What is the exposure or risk?
RMM provides MSPs with key administrative access to their customers’ environments. By exploiting this pivotal tool, threat actors are able to gain access to not one but to tens or hundreds of businesses the MSP manages, bypassing many security defenses along the way.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of a ransomware attack:
- Use Multi-Factor Authentication – This can prevent bad actors from gaining access to your or your customers’ networks. This should be a requirement for the most critical applications.
- Security updates – Ensure software security patched and updated are applied and are up-to-date. From RMM tools to remote client desktops and mobile devices.
- Practice 3-2-1 backup best practice – Ensure your customers’ data are available by following the 3-2-1 rule:
- Have at least 3 copies of your data,
- At least 2 different types of media to store the backup,
- With at least 1 backup offsite.
- If the attacker uses intermittent encryption, it may be possible to recover your data with files constructed a certain way using a free tool to help unlock some data without at decryption key.
References
For more in-depth information about the recommendations, please visit the following links:
- MSPs are the Latest Ransomware Target: Are You Safe? | 2020-04-29 | Security Magazine
- Free Tool Unlocks Some Encrypted Data in Ransomware Attacks (darkreading.com)
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.