LockBit Ransomware Exploits RMM Software to Compromise Networks: The Growing Threat and How to Protect Against It

The LockBit ransomware group has emerged as a formidable threat by leveraging remote monitoring and management (RMM) software to infiltrate targeted networks. This article explores the group’s tactics, highlighting case studies where manufacturers and a managed service provider (MSP) became victims of LockBit’s attacks, leading to further compromises for downstream customers.

Case studies: Manufacturers and MSPs

LockBit’s exploitation of RMM software has been particularly prevalent in the manufacturing sector. In one instance, a home decor manufacturer fell victim to a LockBit attack in February 2022. Researchers from eSentire discovered an affiliate of LockBit with administrative access to an unprotected machine. The attacker attempted to establish persistence and spread throughout the network using the RMM software, specifically the popular tool AnyDesk.

Another company targeted by LockBit was a storage materials manufacturer that relied on the RMM software, ConnectWise. In a June attack, LockBit capitalized on the company’s use of ConnectWise by installing its own instance within the network. This allowed the ransomware group to evade detection and extend its reach, compromising sensitive data and demanding ransom payments.

The trend towards “Living off the Land”

Cybercriminals like LockBit are increasingly adopting the strategy of “living off the land,” which involves avoiding traditional malware for initial access into target networks. This technique allows them to bypass security measures focused on detecting malware and increases their chances of remaining undetected during the infiltration stage. Instead, attackers exploit vulnerable entry points such as unprotected machines or weakly secured RMM software.

Specific Attack Example: Home Decor Manufacturer

During the attack on the home decor manufacturer, LockBit’s affiliate gained admin access to an unprotected machine. By exploiting this entry point, the attacker attempted to establish persistence and spread to other computers using the widely used RMM software, AnyDesk. This highlights the need for organizations to secure their RMM software and implement effective access controls to prevent unauthorized access.

Specific Attack Example: Storage Materials Manufacturer

In the case of the storage materials manufacturer, LockBit targeted the company’s usage of the RMM software ConnectWise. Instead of directly attacking the ConnectWise infrastructure, LockBit took advantage of the network’s reliance on the software. By installing its own instance of ConnectWise within the network, LockBit bypassed existing security measures, enabling the group to freely move laterally and encrypt critical data.

Implications for organizations

The incidents involving LockBit underscore the risks that organizations face when utilizing RMM software without implementing proper security controls. The breach of the MSP in February serves as a stark reminder of the potential impact not only on the organization itself but also on its partners and customers. The MSP’s failure to secure its ConnectWise login panel exposed them to a swift and devastating attack from LockBit.

Lack of Security Controls: Exposing ConnectWise Login Panel

The MSP’s critical mistake of leaving the ConnectWise login panel exposed to the open internet resulted in dire consequences. Within minutes of LockBit’s intrusion, the ransomware group began dropping its malicious binaries on multiple endpoints, rapidly spreading its reach and encrypting valuable data. This emphasizes the urgent need for organizations to implement robust security measures for their RMM tools.

Strengthening defense against RMM abuse

Organizations can protect themselves against the abuse of RMM software by implementing preventive measures. Key recommendations include:

1. Apply multi-factor authentication to RMM tools: By requiring additional verification steps, organizations can prevent unauthorized access and reduce the risk of a successful attack.

2. Implement strict access controls: Ensure that only authorized personnel have access to RMM systems, and regularly review and update access privileges to minimize the chances of unauthorized activity.

3. Regularly update and patch RMM software: Keeping RMM tools up to date with the latest patches and security updates is crucial in preventing vulnerabilities that cybercriminals can exploit.

LockBit ransomware’s utilization of RMM software to infiltrate networks highlights the evolving tactics of cybercriminals. The case studies discussed illustrate the devastating consequences for organizations that fail to secure their RMM tools adequately. By implementing multi-factor authentication, strict access controls, and regular software updates, organizations can fortify their defenses against these attacks and protect their networks, partners, and customers from the growing threat posed by ransomware groups like LockBit.

Explore more

Can Federal Lands Power the Future of AI Infrastructure?

I’m thrilled to sit down with Dominic Jainy, an esteemed IT professional whose deep knowledge of artificial intelligence, machine learning, and blockchain offers a unique perspective on the intersection of technology and federal policy. Today, we’re diving into the US Department of Energy’s ambitious plan to develop a data center at the Savannah River Site in South Carolina. Our conversation

Can Your Mouse Secretly Eavesdrop on Conversations?

In an age where technology permeates every aspect of daily life, the notion that a seemingly harmless device like a computer mouse could pose a privacy threat is startling, raising urgent questions about the security of modern hardware. Picture a high-end optical mouse, designed for precision in gaming or design work, sitting quietly on a desk. What if this device,

Building the Case for EDI in Dynamics 365 Efficiency

In today’s fast-paced business environment, organizations leveraging Microsoft Dynamics 365 Finance & Supply Chain Management (F&SCM) are increasingly faced with the challenge of optimizing their operations to stay competitive, especially when manual processes slow down critical workflows like order processing and invoicing, which can severely impact efficiency. The inefficiencies stemming from outdated methods not only drain resources but also risk

Structured Data Boosts AI Snippets and Search Visibility

In the fast-paced digital arena where search engines are increasingly powered by artificial intelligence, standing out amidst the vast online content is a formidable challenge for any website. AI-driven systems like ChatGPT, Perplexity, and Google AI Mode are redefining how information is retrieved and presented to users, moving beyond traditional keyword searches to dynamic, conversational summaries. At the heart of

How Is Oracle Boosting Cloud Power with AMD and Nvidia?

In an era where artificial intelligence is reshaping industries at an unprecedented pace, the demand for robust cloud infrastructure has never been more critical, and Oracle is stepping up to meet this challenge head-on with strategic alliances that promise to redefine its position in the market. As enterprises increasingly rely on AI-driven solutions for everything from data analytics to generative