Details about the attacks are sparse, but at least three MSPs that use Remote Monitoring and Management (RMM) software from Kaseya and Webroot have been compromised, and the attacker(s) have infected customer systems with ransomware as a result. The MSPs appear not to have been protecting their RMM systems with multifactor authentication (MFA), which made the compromises much easier to pull off.
MSPs with more than a couple of customers need a way to monitor and manage their customers’ systems from a central console. Trying to administer each system individually would be an insurmountable task. That’s where RMM software comes in—it provides the MSP with a way to efficiently and effectively carry out its monitoring and management tasks in a centralized fashion.
The danger, of course, with this centralized approach is that if an attacker were to compromise the RMM system itself, he or she could obtain unmitigated access to the MSP’s customers’ networks and systems. That appears to have been what happened here. It’s still too early to say, but the attacker(s) likely targeted MSP employees with phishing messages, tricked one or more into disclosing credentials, and then used those credentials to log into the RMM.
If that’s in fact what happened, what could these MSPs have done differently to prevent it? To start, requiring MFA in order to log into their RMM systems would have made it far less likely for these attacks to succeed. MFA adds a secondary factor—often a push notification to an app on a device in the physical possession of an authorized user—to corroborate that a login attempt is in fact authorized. In other words, it’s asking, “Hey, I just saw your username trying to log into this system. Was that legit?” The login succeeds only if the authorized user answers in the affirmative.
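To make the "Was that legit?" gate concrete, here is a small Python model of an RMM console login, added as an illustration and not code from this post or from any RMM vendor: a session is issued only when the password check passes and the authorized user approves a push challenge bound to that specific attempt. The class name, the 60-second approval window, and the sample account are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed model (hypothetical, not vendor code): a login requires
# a correct password AND a user-approved, unexpired, single-use push
# challenge. Stolen credentials alone never yield a session.

CHALLENGE_TTL = 60  # seconds a pending push approval stays valid (assumed)


class RmmAuth:
    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 digest)
        self._pending = {}  # challenge_id -> attempt state

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def begin_login(self, username, password, now=None):
        """First factor. On a correct password, issue a push challenge
        bound to this attempt and return its id; otherwise return None."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(cand, stored):
            return None
        cid = secrets.token_urlsafe(16)
        issued = now if now is not None else time.time()
        self._pending[cid] = {"user": username, "issued": issued,
                              "approved": False, "used": False}
        return cid

    def respond_to_push(self, challenge_id, approved):
        """Second factor: the enrolled device's answer to 'Was that legit?'."""
        ch = self._pending.get(challenge_id)
        if ch is not None:
            ch["approved"] = bool(approved)

    def complete_login(self, challenge_id, now=None):
        """Issue a session only for an approved, unexpired, unused challenge."""
        ch = self._pending.get(challenge_id)
        now = now if now is not None else time.time()
        if ch is None or ch["used"] or not ch["approved"]:
            return None
        if now - ch["issued"] > CHALLENGE_TTL:
            return None  # stale approval: the user must be asked again
        ch["used"] = True
        return {"user": ch["user"], "session": secrets.token_hex(16)}
```

In the model, a denied or unanswered push, an expired challenge, and a replayed challenge all fall through to the same "no session" outcome, which is the behaviour a console login should have.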
Now, MFA isn’t unbeatable. No security control is. But it’s easy and cost-effective to deploy (especially when compared to the cost of not deploying it). Sure, it requires users to separately acknowledge login activity (which takes a second or two), but it doesn’t degrade the experience. And after using it for a day or two, most users won’t think twice about the extra step.
And MFA isn’t just for MSPs. It has long since turned the corner from nice-to-have to mandatory, particularly for systems that are accessible from the Internet (think remote-access VPN, Office 365, SharePoint, and many others). The bad guys are poised to strike, and all they need is one stolen username and password. Without MFA, the odds of keeping them out are nil.
But back to the subject of this post. Surely these MSPs had been touting the benefits of MFA to their customers. Curious that they weren’t using it to protect their own systems. If you’re the customer of an MSP, wouldn’t you feel safer knowing they’re protected with MFA? And wouldn’t you want to protect your own systems with MFA, too?