Huntress, Sophos, Kaseya See No Sign Of Widespread Coordinated MSP Attack Following ThreatLocker Bulletin

“There is nothing to make us believe there is a coordinated attack on MSPs that is leveraging a specific RMM tool and bypassing two-factor authentication,” said Huntress Vice President of Sales Andrew Kaiser.


Threat researcher Huntress, security behemoth Sophos and MSP platform provider Kaseya are not seeing any widespread coordinated MSP ransomware attacks in the wake of a ThreatLocker MSP security bulletin Thursday that pointed to an increase in attack attempts on remote monitoring and management tools.

Huntress said it looked at all critical incidents and all ransomware incidents across the 1.4 million endpoints it supports since April 1 representing 3,000 MSPs and 65,000 SMBs and did not see “a spike in critical incidents or ransomware activity we would expect to see during a coordinated attack” against MSPs.



Sophos, for its part, sent out a communication from its managed threat response team alerting MSPs that it had not seen “an increase in malicious activity leveraging” the security bypass software tactic singled out by ThreatLocker.


“We are watching this very closely, and we have prevention and detections in place that cover similar behaviors that were reported,” said Sophos Vice President of Managed Threat Response Mat Gangwer in a statement to CRN. “At this time, we don’t have any evidence showing an increase in activity across our protected MTR estates.”

Kaseya also confirmed to CRN that it had not seen an increase in MSP attacks.

After this story was originally published, ConnectWise confirmed that it also has not seen increased attacks.

In a security bulletin issued Thursday to its MSP partners titled “Attackers Using RMMs With [Windows] BCDedit To Bypass Security Software,” MSP security vendor ThreatLocker wrote: “We have observed a large increase in attackers using remote management tools over the last few days. We are unsure how these remote management tools and their cloud control panels are being accessed, as the tools in question were protected by dual-factor authentication.”

ThreatLocker Friday updated its security bulletin to allay the fears of MSPs. “ThreatLocker does not believe there is a zero day vulnerability in any tool that has led to this increase in attacks,” said the company in an update on its website. “We are simply sharing that we’ve observed a sharp increase in attacks using this method. There is no single management or remote access tool that is responsible for the increase. ThreatLocker believes that this increase pertains to a general overall increase in cyber attacks.”

Furthermore, ThreatLocker said its May 5 security bulletin was not intended to indicate there was a specific vulnerable RMM tool. “It was purely intended to advise our customers and partners to add the new suggested policies,” said the company.

ThreatLocker also was conducting a webinar late Friday to answer questions from MSPs.

The latest statement from ThreatLocker shows the company “didn’t intend to create any panic” with the original security bulletin, said Kaiser. “They did the right thing by trying to add clarity to their original message,” he said. “With all of the attacks targeting MSPs over the last 18 months, I understand why our industry is on edge, and my takeaway here is that as a security vendor we need to be very clear with our messaging when talking about attacks we’re seeing in the wild.”

When the ThreatLocker bulletin was released there was concern that another Kaseya-like attack could be imminent, said Kaiser. “We had several dozen of our partners reach out, other vendors had similar reactions from their partners, vendors responded pretty quickly,” he said. In fact, Kaiser said, Sophos, ConnectWise, Datto, and Blackpoint Cyber were not able to validate any massive uptick in attacks on MSPs.

CRN reached out to all those vendors but had not heard back from ConnectWise, Datto and Blackpoint Cyber at press time.

The swift response from vendors and MSPs about a potential attack came after ThreatLocker issued a security bulletin warning MSPs of a sharp increase in ransomware attacks using remote management tools, noting that it had seen 30 attempted ransomware attacks on MSPs on May 4, the highest level since the Kaseya ransomware attack rocked the MSP market last July 4.

Jason Slagle, president of CNWR, a Toledo, Ohio, MSP, said he was one of the MSPs that panicked in the wake of the ThreatLocker alert, scrambled to contact security experts, and found no evidence of a coordinated attack. “I don’t think there is an immediate cause for concern,” he said.

Slagle said he was “relieved” to find out there was not a widespread coordinated attack taking place after reaching out to the top security researchers at the major MSP vendors, including Sophos, ConnectWise, Kaseya, Datto, and Blackpoint Cyber, with whom he has long-standing relationships.

“You shouldn’t be more worried today than you were yesterday [about a potential MSP attack],” said Slagle. “Continue to stay vigilant, but there doesn’t seem to be any coordinated increase in the number of attacks.”

Slagle said he is confident that there has been no widespread increase in the use of [Microsoft Windows] BCDEdit to launch attacks against MSPs. “Looking at the data that Huntress and other vendors have released, it is clear there is no marked increase in BCDEdit malicious activity,” he said.

ThreatLocker CEO Danny Jenkins said the company stands by its original security bulletin. “We’re not a threat hunter,” he said. “The type of attacks we see are always going to be different than what a threat hunter sees. We look at software that is running as opposed to bad software that is running.”

Jenkins said Microsoft’s BCDEdit tool may not trigger the “same alarms” for an EDR or MDR vendor as it does for ThreatLocker.

ThreatLocker remains on alert to protect its MSP customers. “We will continue to report on what we see and what our recommendations are,” he said. “We are not going to chase ambulances and respond to the latest press headline. We will report on the data we see and what we recommend you do to protect yourself.” In fact, ThreatLocker is planning to publish a report on the daily usage count of BCDEdit.
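The daily BCDEdit usage count that ThreatLocker describes is something any MSP can produce from its own process-creation telemetry. The script below is an added example, not code from CRN, ThreatLocker, Huntress or any vendor quoted in this article. It assumes a constructed, pipe-delimited process-creation record (the same fields that Windows event 4688 and Sysmon event ID 1 carry under other names), tallies bcdedit.exe executions per host per day, and separately flags invocations whose arguments alter safe-boot or recovery settings, the boot-configuration changes that defenders commonly associate with security-software bypass and with pre-ransomware staging. The host names, user names, the `ExampleRMM` agent path and the log lines are all constructed for the example.

```python
"""Daily BCDEdit usage tally over process-creation logs (added example, not vendor code).

Constructed record format, one event per line:
    <ISO timestamp>|<host>|<user>|<parent image>|<image>|<command line>
"""
from collections import Counter
from dataclasses import dataclass
import re

# Argument patterns that change boot or recovery behaviour. These are standard
# defensive detection keywords; benign queries such as "bcdedit /enum" do not match.
RISKY_ARGS = (
    re.compile(r"\bsafeboot\b", re.I),
    re.compile(r"\brecoveryenabled\s+(no|off|false|0)\b", re.I),
    re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
)

# Parents an interactive administrator would normally launch bcdedit from.
# Anything else (an RMM agent service, for instance) is worth a second look.
EXPECTED_PARENTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe")


@dataclass(frozen=True)
class BcdEvent:
    day: str
    host: str
    user: str
    parent: str
    cmdline: str
    risky_args: bool
    unusual_parent: bool


def parse_line(line):
    """Return a BcdEvent for a bcdedit.exe execution, or None for any other record."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None  # malformed record: skip rather than crash the tally
    ts, host, user, parent, image, cmdline = parts
    if not image.lower().endswith("bcdedit.exe"):
        return None
    parent_name = parent.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return BcdEvent(
        day=ts[:10],
        host=host,
        user=user,
        parent=parent,
        cmdline=cmdline,
        risky_args=any(p.search(cmdline) for p in RISKY_ARGS),
        unusual_parent=parent_name not in EXPECTED_PARENTS,
    )


def summarize(lines):
    """Return (per-host-per-day counts, flagged events) for an iterable of log lines."""
    events = [e for e in map(parse_line, lines) if e is not None]
    per_host_day = Counter((e.day, e.host) for e in events)
    flagged = [e for e in events if e.risky_args or e.unusual_parent]
    return per_host_day, flagged


def daily_totals(per_host_day):
    """Collapse the per-host counter into the daily usage count a vendor would report."""
    totals = Counter()
    for (day, _host), n in per_host_day.items():
        totals[day] += n
    return totals


# Constructed sample telemetry: two benign enumerations from an admin shell and two
# boot-configuration changes spawned by a hypothetical RMM agent running as SYSTEM.
SAMPLE_LOG = [
    "2022-05-04T09:12:01Z|WS-017|CORP\\helpdesk|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /enum",
    "2022-05-04T09:12:05Z|WS-017|CORP\\helpdesk|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
    "2022-05-04T22:41:17Z|WS-042|NT AUTHORITY\\SYSTEM|C:\\Program Files\\ExampleRMM\\agent.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} safeboot minimal",
    "2022-05-04T22:41:19Z|WS-042|NT AUTHORITY\\SYSTEM|C:\\Program Files\\ExampleRMM\\agent.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "2022-05-05T03:02:44Z|SRV-02|CORP\\admin|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /enum all",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for day, n in sorted(daily_totals(counts).items()):
        print(f"{day}: {n} bcdedit execution(s)")
    for e in flagged:
        print(f"FLAG {e.day} {e.host} {e.user} parent={e.parent} :: {e.cmdline}")
```

The two counters serve different purposes: the daily total is the trend line that tells you whether usage is rising across the estate, while the flagged list is what an analyst triages, and pairing the parent image with the command line is what distinguishes an administrator running bcdedit from a remote-management agent doing so unattended.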

Kaiser said he “100 percent” believes ThreatLocker saw the malicious activity related to RMMs and BCDEdit. He believes it may have been the result of bad actors using RMM free trials to attack small businesses. “That is very different from an MSP having their RMM tool compromised and then potentially spreading ransomware to all of their customers,” he said. “That is the distinction here. The takeaway a lot of MSPs had from this was there are MSPs having their RMMs compromised with two-factor authentication bypass, which could lead to a catastrophic business event--very similar to what happened to some Kaseya partners on the July 4 weekend in 2021. That is the level of severity that people thought when they saw that bulletin.”

Kaiser said he was heartened by how MSP vendors and security vendors responded within hours to determine that there was not a widespread coordinated attack taking place. “Security companies that were competitors all got together and shared input to help keep MSPs safe,” he said.