The LockBit ransomware group has emerged as a formidable threat by leveraging remote monitoring and management (RMM) software to infiltrate targeted networks. This article explores the group’s tactics, highlighting case studies where manufacturers and a managed service provider (MSP) became victims of LockBit’s attacks, leading to further compromises for downstream customers.
Case studies: Manufacturers and MSPs
LockBit’s exploitation of RMM software has been particularly prevalent in the manufacturing sector. In one instance, a home decor manufacturer fell victim to a LockBit attack in February 2022. Researchers from eSentire discovered an affiliate of LockBit with administrative access to an unprotected machine. The attacker attempted to establish persistence and spread throughout the network using the RMM software, specifically the popular tool AnyDesk.
Another company targeted by LockBit was a storage materials manufacturer that relied on the RMM software, ConnectWise. In a June attack, LockBit capitalized on the company’s use of ConnectWise by installing its own instance within the network. This allowed the ransomware group to evade detection and extend its reach, compromising sensitive data and demanding ransom payments.
The trend towards “Living off the Land”
Cybercriminals like LockBit are increasingly adopting the strategy of “living off the land,” which involves avoiding traditional malware for initial access into target networks. This technique allows them to bypass security measures focused on detecting malware and increases their chances of remaining undetected during the infiltration stage. Instead, attackers exploit vulnerable entry points such as unprotected machines or weakly secured RMM software.
Specific Attack Example: Home Decor Manufacturer
During the attack on the home decor manufacturer, LockBit’s affiliate gained admin access to an unprotected machine. By exploiting this entry point, the attacker attempted to establish persistence and spread to other computers using the widely used RMM software, AnyDesk. This highlights the need for organizations to secure their RMM software and implement effective access controls to prevent unauthorized access.
Specific Attack Example: Storage Materials Manufacturer
In the case of the storage materials manufacturer, LockBit targeted the company’s usage of the RMM software ConnectWise. Instead of directly attacking the ConnectWise infrastructure, LockBit took advantage of the network’s reliance on the software. By installing its own instance of ConnectWise within the network, LockBit bypassed existing security measures, enabling the group to freely move laterally and encrypt critical data.
Implications for organizations
The incidents involving LockBit underscore the risks that organizations face when utilizing RMM software without implementing proper security controls. The breach of the MSP in February serves as a stark reminder of the potential impact not only on the organization itself but also on its partners and customers. The MSP’s failure to secure its ConnectWise login panel exposed them to a swift and devastating attack from LockBit.
Lack of Security Controls: Exposing ConnectWise Login Panel
The MSP’s critical mistake of leaving the ConnectWise login panel exposed to the open internet resulted in dire consequences. Within minutes of LockBit’s intrusion, the ransomware group began dropping its malicious binaries on multiple endpoints, rapidly spreading its reach and encrypting valuable data. This emphasizes the urgent need for organizations to implement robust security measures for their RMM tools.
Strengthening defense against RMM abuse
Organizations can protect themselves against the abuse of RMM software by implementing preventive measures. Key recommendations include:
1. Apply multi-factor authentication to RMM tools: By requiring additional verification steps, organizations can prevent unauthorized access and reduce the risk of a successful attack.
2. Implement strict access controls: Ensure that only authorized personnel have access to RMM systems, and regularly review and update access privileges to minimize the chances of unauthorized activity.
3. Regularly update and patch RMM software: Keeping RMM tools up to date with the latest patches and security updates is crucial in preventing vulnerabilities that cybercriminals can exploit.
LockBit ransomware’s utilization of RMM software to infiltrate networks highlights the evolving tactics of cybercriminals. The case studies discussed illustrate the devastating consequences for organizations that fail to secure their RMM tools adequately. By implementing multi-factor authentication, strict access controls, and regular software updates, organizations can fortify their defenses against these attacks and protect their networks, partners, and customers from the growing threat posed by ransomware groups like LockBit.