Researchers urge firms to ‘lock down’ RMM software after Russia-linked LockBit attacks
Researchers have warned businesses to lock down their Remote Monitoring and Management (RMM) software after LockBit, a prolific Russia-linked ransomware gang, used it to deploy three separate attacks.
The first incident occurred in February 2022; the other two followed roughly a year later, between February and June 2023. The targets were a storage materials manufacturer, a home decor manufacturer and a Managed Service Provider (MSP).
According to a report by eSentire, the security provider that intercepted the attacks, in each case the attackers either abused the victim’s existing RMM software (a class of software used to administer computer systems across multiple locations) or installed their own RMM tool, and then used it to spread ransomware across the victim’s systems. In the MSP’s case, they used the RMM platform to push malware down to the MSP’s own customers.
After becoming aware of the attack, eSentire blocked a handful of customers’ computers and immediately called in its Threat Response Unit (TRU) to investigate.
TRU found that the MSP’s RMM software login panel had been exposed to the Internet. To prevent this, the researchers recommend that all providers of remote monitoring and management services apply three controls:
– Enforce two-factor authentication for all RMM access, and require strong, unique passwords for every RMM account.
– Restrict the RMM login panel with Access Control Lists (ACLs) limited to trusted IP addresses. A roaming end-customer should connect through a VPN so that their traffic reaches the panel from a trusted address.
– Alternatively, require client SSL/TLS certificates before customers can access the RMM system.
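The three controls above compose into a single admission policy for the RMM login panel. The following Python is an added example written for this article, not eSentire’s code or any RMM vendor’s; the trusted networks, the VPN address pool, the certificate fingerprints and the user names are constructed assumptions. It shows the ordering a practitioner wants: the network ACL or client certificate is checked before a password is ever examined, so an Internet-exposed panel never gives an attacker a credential-guessing oracle, and a certificate is only accepted for the technician it was issued to.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed policy data (assumptions for this example, not from the article).
# The office egress range and the VPN's client address pool are the only
# networks allowed to reach the login panel; roaming users must VPN in.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "10.8.0.0/16")
]

# Alternative to the IP ACL: client TLS certificates. Maps a certificate's
# SHA-256 fingerprint (hypothetical, shortened values) to the technician
# it was issued to, so a stolen certificate cannot be used with another login.
TRUSTED_CLIENT_CERTS = {
    "5d41402abc4b2a76b9719d911017c592": "alice",
}


@dataclass
class LoginAttempt:
    username: str
    source_ip: str
    password_ok: bool                 # result of the RMM's own password check
    mfa_ok: bool                      # second factor verified by the RMM or IdP
    client_cert_sha256: Optional[str] = None  # None when no client cert was presented


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(attempt: LoginAttempt) -> Decision:
    """Admit an RMM login only if every one of the three controls holds."""
    # Gate 1, evaluated before any credential is looked at: the panel is
    # unreachable unless the source is in the ACL or presents a trusted
    # client certificate bound to the claimed user.
    ip = ipaddress.ip_address(attempt.source_ip)
    in_acl = any(ip in net for net in TRUSTED_NETWORKS)
    cert_owner = TRUSTED_CLIENT_CERTS.get(attempt.client_cert_sha256 or "")
    if not in_acl and cert_owner is None:
        return Decision(False, "source not in ACL and no trusted client certificate (connect via VPN)")
    if cert_owner is not None and cert_owner != attempt.username:
        return Decision(False, "client certificate belongs to a different user")

    # Gate 2: the account's password.
    if not attempt.password_ok:
        return Decision(False, "bad credentials")

    # Gate 3: a second factor is mandatory for every RMM account, with no
    # exception for trusted networks.
    if not attempt.mfa_ok:
        return Decision(False, "second factor missing or failed")

    via = "ACL" if in_acl else f"client certificate of {cert_owner}"
    return Decision(True, f"password and second factor verified, reached via {via}")


if __name__ == "__main__":
    # A roaming technician without VPN or certificate is refused before
    # the password is even considered.
    print(evaluate(LoginAttempt("alice", "198.51.100.9", True, True)))
    print(evaluate(LoginAttempt("alice", "10.8.3.4", True, True)))
```

The refusal reason for an out-of-ACL source deliberately says nothing about whether the user name or password was correct; the panel should behave identically for valid and invalid accounts when the connection is not trusted.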
LockBit used what the researchers describe as a popular tactic known as living off the land, in which attackers avoid deploying their own recognisable malware and instead abuse legitimate software already present in the company’s IT environment.
This lets threat actors evade detection in many cases and makes attribution more difficult. It is particularly hard to spot when the IT management software can be accessed remotely or from the cloud, because the attacker’s activity looks like ordinary administration.
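Because the attacker is using the same administrative tooling as the defenders, a signature for the RMM binary is useless; what can be detected is the tooling appearing where it should not, or doing what an administrator’s agent normally does not. The following Python is an added example written for this article, not eSentire’s detection logic. It runs three such checks over a handful of constructed process-creation records: an RMM agent that is not the one the organisation sanctioned (the “bring your own RMM” case), an RMM agent launched from a user-writable directory rather than its install location, and any RMM agent, approved or not, spawning a script interpreter. The list of agent executable names and the approved agent are illustrative assumptions to be replaced with an organisation’s own inventory.

```python
import csv
import io
import ntpath
from dataclasses import dataclass
from typing import List

# Illustrative executable names of remote-management agents (assumption for
# this example; extend it with whatever your environment actually runs).
RMM_IMAGES = {
    "screenconnect.clientservice.exe", "anydesk.exe", "teamviewer.exe",
    "atera.agent.exe", "splashtop-streamer.exe",
}
# The single agent this hypothetical organisation has sanctioned.
APPROVED_RMM = {"screenconnect.clientservice.exe"}
# Script hosts and LOLBins that a legitimate agent rarely launches.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}
# Lower-cased path fragments that indicate a user-writable location.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    rule: str
    image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'anydesk.exe'."""
    return ntpath.basename(path).lower()


def scan(log_text: str) -> List[Alert]:
    """Run the three checks over tab-separated records: ts, host, user, image, parent."""
    alerts: List[Alert] = []
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if not row:
            continue
        ts, host, _user, image, parent = row
        img, par = basename(image), basename(parent)
        if img in RMM_IMAGES:
            if img not in APPROVED_RMM:
                alerts.append(Alert(ts, host, "unapproved-rmm-tool", image))
            if any(marker in image.lower() for marker in USER_WRITABLE):
                alerts.append(Alert(ts, host, "rmm-from-user-writable-path", image))
        if par in RMM_IMAGES and img in INTERPRETERS:
            # Fires for the approved agent too: abuse of sanctioned tooling is
            # the living-off-the-land case the article describes.
            alerts.append(Alert(ts, host, "rmm-spawned-interpreter", image))
    return alerts


# Constructed sample records (not real telemetry): one benign agent start,
# then a second agent dropped into a temp folder and used to run PowerShell,
# then the approved agent itself being used to launch cmd.exe on a server.
SAMPLE_LOG = "\n".join([
    "\t".join(["2023-03-14T02:17:05Z", "WS-ACCT-07", "SYSTEM",
               r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
               r"C:\Windows\System32\services.exe"]),
    "\t".join(["2023-03-14T02:41:19Z", "WS-ACCT-07", r"CORP\jdoe",
               r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
               r"C:\Windows\explorer.exe"]),
    "\t".join(["2023-03-14T02:43:02Z", "WS-ACCT-07", "SYSTEM",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"]),
    "\t".join(["2023-03-14T03:05:44Z", "SRV-FILE-01", "SYSTEM",
               r"C:\Windows\System32\cmd.exe",
               r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"]),
])


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.host} {alert.rule}: {alert.image}")
```

The last sample record is the one that matters most for an MSP: the approved agent launching a shell on a file server produces no signature hit and no “new software” event, so only a behavioural rule on the parent/child relationship surfaces it.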
According to Keegan Keplinger, senior threat intelligence researcher at eSentire’s Threat Response Unit (TRU), LockBit typically gains initial access to targets through browser-based attacks such as SocGholish, exploitation of vulnerable Internet-exposed servers, and valid credentials. However, some affiliates have moved towards the living-off-the-land model.
“The LockBit operators purport to have an open affiliate model, and they state on their leak site, ‘We are located in the Netherlands, completely apolitical and only interested in money. It does not matter what country you live in, what types of language you speak, what age you are, what religion you believe in, anyone on the planet can work with us at any time of the year,'” said Keplinger.
LockBit typically operates on a Ransomware-as-a-Service (RaaS) model, in which other cybercriminals (affiliates) are recruited to conduct ransomware attacks using LockBit’s tools and infrastructure. LockBit is one of the most pervasive, lucrative and destructive ransomware groups currently operating worldwide.
The Russia-linked gang’s most recent known action came at the beginning of this month, when it leaked data relating to the UK Ministry of Defence (MoD) on the dark web.