
Sophos warns MSPs over DragonForce threat

A recent ransomware attack is a sobering example that underlines how criminals are trying to exploit channel vulnerabilities

Sophos has warned managed service providers (MSPs) they are the targets of a ransomware attack that is hoping to exploit the systems the channel uses to monitor and service customers.

The security vendor has shared its experiences tracking DragonForce attacks, which look to exploit vulnerabilities in remote monitoring and management (RMM) tools.

It shared an example of a ransomware attack that gained access to the SimpleHelp RMM and used it as a springboard to reach multiple endpoints.

Sophos is warning MSPs to be vigilant in the face of DragonForce and to tighten up managed detection and response (MDR) tools to keep the threat at bay.

DragonForce ransomware has been described by Sophos as “an advanced and competitive ransomware-as-a-service brand”, which has been around for the past two years.

“In this incident, a threat actor gained access to the MSP’s remote monitoring and management tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints,” Sophos stated in a blog post. “The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom.

“Sophos MDR was alerted to the incident by detection of a suspicious installation of a SimpleHelp installer file,” it continued. “The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients. The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users and network connections.”
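The detection Sophos describes above, an installer pushed through a legitimate RMM instance and landing on many endpoints in a short time, can be approximated as a fan-out rule over process-creation telemetry. The following is an added example, not Sophos' or SimpleHelp's code: the log events are constructed, and the process and path names (rmm-agent.exe, rmm-installer.exe) are placeholders rather than SimpleHelp's real binary names. It flags an installer only when the RMM agent spawns the same installer on at least min_hosts distinct hosts within a sliding window, so a single scheduled push on one host does not alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, parent image, child image).
# Process and path names are placeholders, not real SimpleHelp artefacts.
SAMPLE_EVENTS = [
    ("2025-05-01T02:10:05", "ws-01", r"C:\Program Files\RMMAgent\rmm-agent.exe", r"C:\Windows\Temp\rmm-installer.exe"),
    ("2025-05-01T02:10:09", "ws-02", r"C:\Program Files\RMMAgent\rmm-agent.exe", r"C:\Windows\Temp\rmm-installer.exe"),
    ("2025-05-01T02:10:14", "ws-03", r"C:\Program Files\RMMAgent\rmm-agent.exe", r"C:\Windows\Temp\rmm-installer.exe"),
    ("2025-05-01T02:10:20", "srv-db1", r"C:\Program Files\RMMAgent\rmm-agent.exe", r"C:\Windows\Temp\rmm-installer.exe"),
    # Benign: a user running a setup file from their own Downloads folder.
    ("2025-05-01T09:30:00", "ws-07", r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\notepad-setup.exe"),
    # Benign: a single RMM-pushed installer on one host a day later (routine maintenance).
    ("2025-05-02T14:00:00", "ws-09", r"C:\Program Files\RMMAgent\rmm-agent.exe", r"C:\Windows\Temp\rmm-installer.exe"),
]

# Hypothetical patterns: what counts as an installer and what counts as the RMM agent.
INSTALLER_RE = re.compile(r"(installer|setup)\.exe$", re.IGNORECASE)
RMM_PARENT_RE = re.compile(r"rmm-agent\.exe$", re.IGNORECASE)


def rmm_installer_events(events):
    """Keep only events where the RMM agent process spawned an installer."""
    return [e for e in events if RMM_PARENT_RE.search(e[2]) and INSTALLER_RE.search(e[3])]


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when the same RMM-pushed installer runs on min_hosts or more
    distinct hosts inside any sliding window of the given length."""
    by_installer = defaultdict(list)
    for ts, host, _parent, child in rmm_installer_events(events):
        by_installer[child.lower()].append((datetime.fromisoformat(ts), host))

    alerts = []
    for installer, launches in by_installer.items():
        launches.sort()  # chronological order so the window can slide forward
        for i, (start, _) in enumerate(launches):
            hosts = {h for t, h in launches[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "installer": installer,
                    "first_seen": start.isoformat(),
                    "hosts": sorted(hosts),
                })
                break  # one alert per installer is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        print(f"ALERT: {alert['installer']} pushed to {len(alert['hosts'])} hosts "
              f"from {alert['first_seen']}: {', '.join(alert['hosts'])}")
```

The window and host threshold are tuning knobs: an MSP that legitimately pushes agent updates to whole customer estates will want to baseline those pushes (by installer hash, approved change window or ticket) and alert on the ones that fall outside the baseline.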

Lack of security investment

Those that were using the vendor’s MDR and extended detection and response endpoint protection were able to shut off the hacker’s access to their networks, but those that had not invested in security were left exposed.

“The MSP and clients that were not using Sophos MDR were impacted by both the ransomware and data exfiltration,” the blog post said. “The MSP engaged Sophos Rapid Response to provide digital forensics and incident response on their environment.”

With MSPs increasingly coming under the spotlight as a potential security risk, and facing increased regulation, there have been calls across the industry for the channel to improve its own security.

As an example, Mark Appleton, chief customer officer for Also Cloud UK, has urged MSPs to invest in advanced exposure management tools to fend off cyber attacks.

“Providing outsourced IT services, such as infrastructure management, security monitoring and applications support, will now be regulated,” he said. “Therefore, ensuring that your cyber security standards and technical controls, as well as incident reporting and supply chain risk management tools, are all-encompassing is an essential stage of preparing for increased regulation.

“Endpoints are priority targets, accounting for 70% of successful breaches, as organisations onboard even more new entry points,” said Appleton. “Cloud misconfigurations account for 15% of initial attack vectors, ensuring threats spiral further across compromised cloud environments. Managing exposure to threats across endpoints, networks, cloud-based applications and data – and other digital assets – is essential to keep costs down, but needs to be done continuously lest MSPs open themselves or clients to attack.”

He added that continuous threat exposure management was now an essential part of an MSP’s response to increasing threats.
