LockBit Ransomware Exploits RMM Software to Compromise Networks: The Growing Threat and How to Protect Against It

The LockBit ransomware group has emerged as a formidable threat by leveraging remote monitoring and management (RMM) software to infiltrate targeted networks. This article explores the group’s tactics, highlighting case studies where manufacturers and a managed service provider (MSP) became victims of LockBit’s attacks, leading to further compromises for downstream customers.

Case studies: Manufacturers and MSPs

LockBit’s exploitation of RMM software has been particularly prevalent in the manufacturing sector. In one instance, a home decor manufacturer fell victim to a LockBit attack in February 2022. Researchers from eSentire discovered an affiliate of LockBit with administrative access to an unprotected machine. The attacker attempted to establish persistence and spread throughout the network using the RMM software, specifically the popular tool AnyDesk.

Another company targeted by LockBit was a storage materials manufacturer that relied on the RMM software, ConnectWise. In a June attack, LockBit capitalized on the company’s use of ConnectWise by installing its own instance within the network. This allowed the ransomware group to evade detection and extend its reach, compromising sensitive data and demanding ransom payments.

The trend towards “Living off the Land”

Cybercriminals like LockBit are increasingly adopting the strategy of “living off the land,” which involves avoiding traditional malware for initial access into target networks. This technique allows them to bypass security measures focused on detecting malware and increases their chances of remaining undetected during the infiltration stage. Instead, attackers exploit vulnerable entry points such as unprotected machines or weakly secured RMM software.

Specific Attack Example: Home Decor Manufacturer

During the attack on the home decor manufacturer, LockBit’s affiliate gained admin access to an unprotected machine. By exploiting this entry point, the attacker attempted to establish persistence and spread to other computers using the widely used RMM software, AnyDesk. This highlights the need for organizations to secure their RMM software and implement effective access controls to prevent unauthorized access.

Specific Attack Example: Storage Materials Manufacturer

In the case of the storage materials manufacturer, LockBit targeted the company’s usage of the RMM software ConnectWise. Instead of directly attacking the ConnectWise infrastructure, LockBit took advantage of the network’s reliance on the software. By installing its own instance of ConnectWise within the network, LockBit bypassed existing security measures, enabling the group to freely move laterally and encrypt critical data.

Implications for organizations

The incidents involving LockBit underscore the risks that organizations face when utilizing RMM software without implementing proper security controls. The breach of the MSP in February serves as a stark reminder of the potential impact not only on the organization itself but also on its partners and customers. The MSP’s failure to secure its ConnectWise login panel exposed them to a swift and devastating attack from LockBit.

Lack of Security Controls: Exposing ConnectWise Login Panel

The MSP’s critical mistake of leaving the ConnectWise login panel exposed to the open internet resulted in dire consequences. Within minutes of LockBit’s intrusion, the ransomware group began dropping its malicious binaries on multiple endpoints, rapidly spreading its reach and encrypting valuable data. This emphasizes the urgent need for organizations to implement robust security measures for their RMM tools.

Strengthening defense against RMM abuse

Organizations can protect themselves against the abuse of RMM software by implementing preventive measures. Key recommendations include:

1. Apply multi-factor authentication to RMM tools: By requiring additional verification steps, organizations can prevent unauthorized access and reduce the risk of a successful attack.

2. Implement strict access controls: Ensure that only authorized personnel have access to RMM systems, and regularly review and update access privileges to minimize the chances of unauthorized activity.

3. Regularly update and patch RMM software: Keeping RMM tools up to date with the latest patches and security updates is crucial in preventing vulnerabilities that cybercriminals can exploit.

LockBit ransomware’s utilization of RMM software to infiltrate networks highlights the evolving tactics of cybercriminals. The case studies discussed illustrate the devastating consequences for organizations that fail to secure their RMM tools adequately. By implementing multi-factor authentication, strict access controls, and regular software updates, organizations can fortify their defenses against these attacks and protect their networks, partners, and customers from the growing threat posed by ransomware groups like LockBit.

Explore more

BSP Boosts Efficiency with AI-Powered Reconciliation System

In an era where precision and efficiency are vital in the banking sector, BSP has taken a significant stride by partnering with SmartStream Technologies to deploy an AI-powered reconciliation automation system. This strategic implementation serves as a cornerstone in BSP’s digital transformation journey, targeting optimized operational workflows, reducing human errors, and fostering overall customer satisfaction. The AI-driven system primarily automates

Is Gen Z Leading AI Adoption in Today’s Workplace?

As artificial intelligence continues to redefine modern workspaces, understanding its adoption across generations becomes increasingly crucial. A recent survey sheds light on how Generation Z employees are reshaping perceptions and practices related to AI tools in the workplace. Evidently, a significant portion of Gen Z feels that leaders undervalue AI’s transformative potential. Throughout varied work environments, there’s a belief that

Can AI Trust Pledge Shape Future of Ethical Innovation?

Is artificial intelligence advancing faster than society’s ability to regulate it? Amid rapid technological evolution, AI use around the globe has surged by over 60% within recent months alone, pushing crucial ethical boundaries. But can an AI Trustworthy Pledge foster ethical decisions that align with technology’s pace? Why This Pledge Matters Unchecked AI development presents substantial challenges, with risks to

Data Integration Technology – Review

In a rapidly progressing technological landscape where organizations handle ever-increasing data volumes, integrating this data effectively becomes crucial. Enterprises strive for a unified and efficient data ecosystem to facilitate smoother operations and informed decision-making. This review focuses on the technology driving data integration across businesses, exploring its key features, trends, applications, and future outlook. Overview of Data Integration Technology Data

Navigating SEO Changes in the Age of Large Language Models

As the digital landscape continues to evolve, the intersection of Large Language Models (LLMs) and Search Engine Optimization (SEO) is becoming increasingly significant. Businesses and SEO professionals face new challenges as LLMs begin to redefine how online content is managed and discovered. These models, which leverage vast amounts of data to generate context-rich responses, are transforming traditional search engines. They