LockBit Affiliates Use RMM Software in Ransomware Attacks – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

Affiliates of the Russia-linked LockBit ransomware group are using remote monitoring and management (RMM) software to distribute its malicious payload to organizations and their downstream customers and partners.

Researchers with cybersecurity firm eSentire discovered three separate attacks in which affiliates of LockBit – which runs a ransomware-as-a-service (RaaS) operation, enabling other cybercriminals to pay to use its ransomware in a campaign – used RMM software to establish a presence in the victims’ networks and in one instance to extend its reach to customers of a managed service provider (MSP).

The company’s Threat Response Unit (TRU) “found that in each attack, once the LockBit hackers gained initial access to the targets, they either used the companies’ remote monitoring and management (RMM) tools or brought in their own RMM tools to try and spread ransomware across the targets’ IT environment, or in the case of the MSP, push their malware to the MSP’s downstream customers,” researchers wrote in a report this week.

RMM tools are used by service providers, channel companies, and other organizations to remotely manage their own or their customers’ IT systems. While the software gives them quick access to those systems, an attacker who gains control of the product gets the same access and can quickly expand the reach of its malware.

Remote management software is often targeted in software supply-chain attacks. It not only gives attackers access to a greater range of potential victims but, as a living-off-the-land (LotL) method, can also make it harder for organizations to detect them.

Migrating to Living-Off-the-Land Methods

According to Keegan Keplinger, senior threat intelligence researcher with eSentire’s TRU, LockBit affiliates typically gain initial access into targeted systems through browser-based attacks like SocGholish, exploiting vulnerable internet-facing servers, and using valid credentials. However, some are migrating to LotL models to launch their ransomware. That includes using such products as Advanced IP Scanner, AnyDesk, Atera, and ConnectWise RMM, Keplinger said in the report.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a report in June noted LockBit affiliates were beginning to use RMM software, helped in part by organizations using access control management best practices, eSentire wrote.

Other ransomware groups are also turning to RMM software to spread their malicious code.

LockBit and its affiliates have been prolific in recent years. Earlier this year, LockBit was knocked off its perch as the top ransomware threat by the threat group Cl0p, which was behind the wide-ranging attacks that abused a zero-day vulnerability in the MOVEit managed file transfer application.

LockBit was a close second. According to the FBI, over the past three-plus years, LockBit actors have launched more than 1,4000 attacks against targets in the United States and elsewhere – including the high-profile attack on the city of Oakland, California, in February – and collected some $91 million in cryptocurrencies like Bitcoin. The operators have also continued their assaults even as the FBI and other global law enforcement agencies have arrested LockBit members.

RMM and the Attacks

According to eSentire, the first of the three attacks that involved RMM software occurred in February 2022, with the other two coming between February and June this year.

The first one involved a home décor manufacturer, with the LockBit affiliate using the PsExec service – typically used to execute processes on another system – to delete files the affiliate had brought into the victim’s environment, in order to hinder security teams’ ability to retrace the attacker’s movements and collect forensics.

The use of PsExec was traced back to an unmanaged and unprotected system. The affiliate was trying to use AnyDesk to establish persistence in the environment, but eSentire disabled the source machine and the threat actors were blocked.

Earlier this year, eSentire detected ransomware being used on several customer computers; the attacks were blocked and the systems wiped clean. However, the researchers learned that all the victims were customers of the same MSP and found that the LockBit attackers got onto the systems through the service provider’s ConnectWise RMM software, which was exposed to the internet.

“Many providers of remote monitoring and management services will leave their RMM service open to the Internet, to make it easier for their customers’ IT administrators to access the service for deployment, device enrollments, file sharing and brand building,” the researchers wrote. “However, if an IT system, like a RMM service, is open to the Internet, threat actors can use any number of search services, like Shodan, to find Internet-connected systems and devices and then target those systems for ransomware attacks or other types of attacks.”

Months later, eSentire found a corporate desktop at a storage materials manufacturer being attacked by a hacker who uploaded a Microsoft Installer (MSI) file and then ConnectWise RMM, then pushed the LockBit ransomware to a different corporate computer. The manufacturer also had the ConnectWise tool in its IT environment.

The researchers believe the LockBit affiliate installed its own ConnectWise RMM because it didn’t have the credentials for the manufacturer’s.

“Because the manufacturer already had the RMM tool running in their network, the presence of additional copies of the tool would not immediately raise a red flag with system administrators and security defenders,” the researchers wrote.
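As an added illustration of the “additional copies” problem the researchers describe (example code written for this page, not eSentire’s or ConnectWise’s), the following Python triages constructed Windows service-install records against a hypothetical inventory: it flags a ConnectWise instance id that differs from the one the organization deployed, RMM agents absent from the inventory, agents running from user-writable paths, and PsExec service installs on managed or unmanaged hosts. The host names, instance ids, paths and service-name patterns are assumptions made for the example.

```python
import re

# Constructed sample of Windows "service installed" records (System log event 7045), one dict per event.
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-07", "service": "ScreenConnect Client (a1b2c3d4e5f6)",
     "path": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe"},
    {"host": "WS-ACCT-07", "service": "ScreenConnect Client (f0e1d2c3b4a5)",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\sc\ScreenConnect.ClientService.exe"},
    {"host": "WS-ENG-03", "service": "PSEXESVC", "path": r"C:\Windows\PSEXESVC.exe"},
    {"host": "KIOSK-09", "service": "AnyDesk Service", "path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "WS-HR-01", "service": "Spooler", "path": r"C:\Windows\System32\spoolsv.exe"},
]

# Hypothetical inventory: the one ConnectWise (ScreenConnect) instance the org deployed,
# and the hosts that are under the security team's management.
SANCTIONED_CW_INSTANCE = "a1b2c3d4e5f6"
MANAGED_HOSTS = {"WS-ACCT-07", "WS-ENG-03", "WS-HR-01"}

# Service-name / binary-path patterns for the RMM tools named in the article (assumed for this example).
RMM_PATTERNS = {
    "connectwise": re.compile(r"ScreenConnect Client \(([0-9a-f]+)\)", re.I),
    "anydesk": re.compile(r"AnyDesk", re.I),
    "atera": re.compile(r"AteraAgent", re.I),
}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)


def triage(events, sanctioned_cw=SANCTIONED_CW_INSTANCE, managed=MANAGED_HOSTS):
    """Return (host, reason) findings an analyst should look at."""
    findings = []
    for ev in events:
        host, svc, path = ev["host"], ev["service"], ev["path"]
        where = "managed host" if host in managed else "unmanaged host"
        if svc.upper() == "PSEXESVC":
            # PsExec installs its service on the remote side; record it wherever it lands.
            findings.append((host, f"PsExec service install on {where}"))
            continue
        for name, pat in RMM_PATTERNS.items():
            m = pat.search(svc) or pat.search(path)
            if not m:
                continue
            if name == "connectwise" and m.group(1).lower() == sanctioned_cw:
                pass  # the sanctioned instance; an extra copy carries a different id
            elif name == "connectwise":
                findings.append((host, f"second ConnectWise instance {m.group(1)} on {where}"))
            else:
                findings.append((host, f"{name} agent not in RMM inventory on {where}"))
            if USER_WRITABLE.search(path):
                findings.append((host, f"{name} agent running from user-writable path"))
    return findings
```

On the sample, the sanctioned ConnectWise install produces nothing, while the second instance id, its Temp-directory binary, the PsExec service and the unlisted AnyDesk agent each produce a finding.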

Defending Against LockBit

CISA last month outlined a plan for organizations to thwart hacker abuse of RMM software.

For its part, eSentire noted several steps organizations can take to defend against hackers using legitimate tools like RMM software, including enforcing two-factor authentication for software systems, implementing access control lists or – for MSPs – using client SSL certificates, educating employees about phishing attacks, and keeping software patched and updated.

The researchers also suggested companies not be too specific about what’s in their software stacks in job postings.

Original Post URL: https://securityboulevard.com/2023/09/lockbit-affiliates-use-rmm-software-in-ransomware-attacks/
