LockBit Is Using RMMs to Spread Its Ransomware

Published: 23/11/2024   Category: security




The LockBit group is using native IT management software to live off the land, planting and then spreading itself before deploying its ransomware.



The LockBit ransomware group is taking advantage of remote monitoring and management (RMM) software to spread its foothold in targeted networks. Three recent attacks described in a report published Sept. 18 by Canada-based eSentire follow a similar trajectory: a LockBit affiliate either took advantage of exposed RMM instances, or brought their own RMM to the party, living off the land (LotL) in order to cement its footing in victim networks. Two of these cases affected manufacturers, and one struck a managed service provider (MSP), enabling the group to further compromise some of its downstream customers.
"There's a general trend towards living off the land, where they're just avoiding malware. Period. Even for initial access," explains Keegan Keplinger, senior threat intelligence researcher with eSentire's Threat Response Unit. "They want to get valid credentials, and use those legitimate credentials to get in."
In June, the Cybersecurity & Infrastructure Security Agency (CISA) published a cybersecurity advisory about LockBit, and for good reason. Arguably no cybercriminal outfit — in the ransomware-as-a-service game or otherwise — has been as prolific in 2023, with attacks seemingly targeting just about every possible sector, and every type of device, often yielding big money payouts. The advisory details the group's favored tactics, techniques, and procedures (TTPs), including its penchant for taking advantage of RMMs.
In a February 2022 attack against a home decor manufacturer, for example, eSentire's threat researchers discovered a LockBit affiliate with admin access in an unprotected machine, attempting to establish persistence and spread to other computers via the RMM AnyDesk.
"Especially in the last year, threat actors have been pivoting to not using malware," Keplinger explains, referring to how hackers establish persistence, and spread between and inside of networks. "Malware is often detected by antivirus, and if not, advanced endpoint technology. So anytime you can use either software that's already in the environment, or software that could be conceivably legitimate, some people may not even recognize that as malicious right away."
LockBit was counting on this in a June attack against a storage materials manufacturer, which counted itself a customer of the RMM ConnectWise. In this case, the researchers speculated that the threat actor was not able to steal the credentials necessary to log into the company's ConnectWise environment. So, instead, it installed its own, second instance of ConnectWise in the network.
"It's pretty brilliant, because they said: 'We already know ConnectWise is in this particular target organization. So, we'll bring our own and nobody will really notice there's another instance.'"
Organizations that enjoy the benefits of RMMs, without applying proper security controls to prevent their abuse, may expose not only themselves but also partners and customers, as LockBit's MSP breach this February demonstrates.
The MSP in question had left its ConnectWise login panel exposed to the open Internet. The justification, the researchers speculated, was to make it easier for its customers' IT administrators to access the service. But with brute force, or simply by purchasing them from the Dark Web, the attackers gained the necessary credentials to break through. Within five minutes of the intrusion, LockBit began dropping its ransomware binaries on multiple endpoints.
"They pretty much can go in unfettered when they get into those tools, and they get admin credentials," Keplinger laments. Indeed, before it was stopped, the group had used the RMM's remote access capabilities to reach customers in manufacturing, business services, hospitality, and transportation.
Companies can harden themselves against this kind of abuse by applying multi-factor authentication and strict access controls to these powerful tools. And, Keplinger adds, "endpoint monitoring is probably the biggest differentiator that's stopping and preventing these attacks."
"They're very successful," he warns of LockBit, for those not yet convinced. "Very pervasive, and very destructive."
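As an added illustration of the endpoint-monitoring point above (this is example code, not eSentire's, ConnectWise's or Dark Reading's, and not drawn from any real deployment): a small Python detection that runs over constructed process-creation records and flags the two patterns the article describes, an RMM agent that is not the organisation's own sanctioned instance (including a second ScreenConnect install beside the legitimate one on the same host) and an RMM agent launched from a user-writable directory. The record format, the sanctioned install path and its folder fingerprint, the host and user names are all assumptions made for the example.

```python
"""Added example: flag RMM agents that are not the organisation's sanctioned
instance in process-creation telemetry (defender-side detection)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical allowlist: the single RMM instance this organisation sanctions.
# Path and folder fingerprint are placeholders, not values from a real deployment.
SANCTIONED_RMM_PATHS = {
    r"c:\program files (x86)\screenconnect client (sanctioned0001)\screenconnect.clientservice.exe",
}

# Executable names of the RMM agents discussed in the article.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# An RMM agent started from a user-writable location points to a
# "bring your own RMM" install rather than a managed deployment.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|users\\public)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    image: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'ts|host|user|image|parent' process-creation record."""
    ts, host, user, image, parent = (field.strip() for field in line.split("|", 4))
    return {"ts": ts, "host": host, "user": user, "image": image, "parent": parent}


def detect_rogue_rmm(lines) -> list[Alert]:
    """Return one Alert per rule hit; an empty list means nothing suspicious."""
    alerts: list[Alert] = []
    screenconnect_dirs: dict[str, set[str]] = defaultdict(set)

    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        image = ev["image"]
        path = PureWindowsPath(image)
        name = path.name.lower()
        if name not in RMM_BINARIES:
            continue  # not an RMM agent; nothing to check

        # Rule 1: any RMM agent that is not the sanctioned instance.
        if image.lower() not in SANCTIONED_RMM_PATHS:
            alerts.append(Alert("rmm_outside_allowlist", ev["host"], image))

        # Rule 2: RMM agent running from a user-writable directory.
        if USER_WRITABLE.search(image):
            alerts.append(Alert("rmm_from_user_writable_path", ev["host"], image))

        # Each ScreenConnect instance installs into its own fingerprint-named
        # folder, so distinct install directories on one host mean distinct instances.
        if name.startswith("screenconnect."):
            screenconnect_dirs[ev["host"]].add(str(path.parent).lower())

    # Rule 3: a second ScreenConnect instance beside the sanctioned one.
    for host, dirs in sorted(screenconnect_dirs.items()):
        if len(dirs) > 1:
            alerts.append(Alert("multiple_screenconnect_instances", host, "; ".join(sorted(dirs))))
    return alerts


# Constructed sample telemetry (not real logs): ts|host|user|image|parent
SAMPLE_EVENTS = [
    r"2024-06-12T09:58:01Z|WS-0141|NT AUTHORITY\SYSTEM|C:\Program Files (x86)\ScreenConnect Client (SANCTIONED0001)\ScreenConnect.ClientService.exe|C:\Windows\System32\services.exe",
    r"2024-06-12T10:02:15Z|WS-0141|NT AUTHORITY\SYSTEM|C:\Program Files (x86)\ScreenConnect Client (0badc0ffee00)\ScreenConnect.ClientService.exe|C:\Windows\System32\services.exe",
    r"2024-06-12T10:03:40Z|WS-0202|CORP\jdoe|C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe|C:\Windows\explorer.exe",
    r"2024-06-12T10:04:02Z|WS-0202|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe",
    r"2024-06-12T10:05:11Z|WS-0303|NT AUTHORITY\SYSTEM|C:\Program Files (x86)\ScreenConnect Client (SANCTIONED0001)\ScreenConnect.ClientService.exe|C:\Windows\System32\services.exe",
]

if __name__ == "__main__":
    for alert in detect_rogue_rmm(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.image}")
```

Against the sample records the sanctioned instance on WS-0141 and WS-0303 stays silent, the second ScreenConnect folder on WS-0141 trips both the allowlist rule and the multiple-instance rule, and the AnyDesk binary under a user's AppData trips the allowlist and user-writable rules. In production the allowlist would be fed from the RMM deployment inventory, and the path match is deliberately exact so that a copy of the agent anywhere else is surfaced rather than trusted by name.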





