LockBit Ransomware Exploits Remote Monitoring and Management (RMM) Software
Increasing Use of Living off the Land (LotL) Approach
The LockBit ransomware group has been leveraging remote monitoring and management (RMM) software to infiltrate targeted networks, according to a recent report published by eSentire. In three recent attacks, LockBit affiliates either took advantage of exposed RMM instances or brought their own RMM to gain control over victim networks. This approach, known as “living off the land” (LotL), allows hackers to avoid traditional malware and instead focus on obtaining valid credentials to gain legitimate access to compromised networks.
The Role of RMMs in LockBit Attacks
The Cybersecurity & Infrastructure Security Agency (CISA) has previously highlighted LockBit’s affinity for exploiting RMMs. LockBit has been highly active in 2023, targeting various sectors and devices, resulting in substantial financial gains. LockBit’s favored tactics, techniques, and procedures (TTPs) involve finding vulnerabilities in RMMs and using them as entry points into targeted networks. By doing so, LockBit can establish persistence and spread its ransomware throughout the network.
In one attack against a home decor manufacturer in February 2022, LockBit used the RMM software AnyDesk to gain admin access to an unprotected machine. The attacker then attempted to spread to other computers using the compromised RMM. Because no traditional malware is involved, this approach lets attackers slip past antivirus software and advanced endpoint technology.
In another attack on a storage materials manufacturer in June, LockBit took advantage of the RMM software ConnectWise. Rather than stealing the credentials needed to log into the company’s ConnectWise environment, the threat actors installed their own instance of ConnectWise in the network. By operating through the same RMM product the organization already ran, LockBit blended in with legitimate administrative activity and evaded immediate detection.
The Wider Impact of LockBit’s Exploitation of RMMs
Organizations that utilize RMMs without implementing proper security controls expose not just themselves but also their partners and customers to risk. LockBit’s breach of a managed service provider (MSP) in February demonstrated this. The MSP had left its ConnectWise login panel accessible on the open internet, presumably to facilitate access for its customers’ IT administrators. LockBit gained the necessary credentials through brute force or by purchasing them from the Dark Web. Once inside, the ransomware group swiftly deployed its malware on multiple endpoints, affecting customers in various industries, including manufacturing, business services, hospitality, and transportation.
To safeguard against these types of abuses, organizations should employ multi-factor authentication and enforce strict access controls for RMM software. Additionally, implementing robust endpoint monitoring is crucial in detecting and preventing such attacks.
Editorial: The Growing Threat Posed by LockBit
An Unrelenting Menace
LockBit has proven itself to be one of the most formidable ransomware groups in recent memory. Its extensive use of RMMs to infiltrate targeted networks demonstrates its adaptability and relentless pursuit of profit. LockBit’s attacks target various sectors and devices, leaving no industry or organization safe from its reach. The scale and frequency of LockBit’s operations have made it a primary concern for cybersecurity professionals and government agencies alike.
A Shift in Attack Strategy
LockBit’s preference for the LotL approach, eschewing traditional malware in favor of legitimate credentials, marks a significant shift in attack strategy. By leveraging software and access already present in compromised networks, LockBit can operate undetected for longer periods, allowing it to spread its ransomware further and inflict greater damage. This approach presents challenges for cybersecurity defenses reliant on the detection of malicious code or behavior.
Collaboration and Defense Strategies
The rise of sophisticated ransomware groups such as LockBit demands coordinated action from organizations, government agencies, and cybersecurity professionals. Given LockBit’s proficiency in exploiting RMMs, companies must prioritize securing these tools. Implementing multi-factor authentication, strict access controls, and robust endpoint monitoring can significantly reduce vulnerabilities and mitigate the risk of a LockBit attack.
Furthermore, organizations must continually update their cybersecurity measures to stay ahead of evolving threats. Collaboration and information sharing are crucial in this fight, as knowledge of attackers’ tactics is essential to the development of effective defensive strategies.
Advice: Safeguarding Against LockBit and Ransomware Threats
Protecting RMM Software
To defend against LockBit and similar ransomware groups, organizations should implement the following measures to protect their RMM software:
1. Multi-Factor Authentication (MFA)
Enabling MFA for RMM software adds an extra layer of security by requiring users to provide multiple forms of verification. This protects against stolen or compromised passwords, reducing the risk of unauthorized access.
2. Strict Access Controls
Limiting access to RMM software to only authorized individuals who require it for their job responsibilities minimizes the potential attack surface for hackers. Regularly reviewing and updating access privileges ensures that only those who need access can utilize the software.
3. Robust Endpoint Monitoring
Employing robust endpoint monitoring tools helps detect any suspicious activity or signs of compromise. This enables organizations to identify early indicators of an attack and respond swiftly to prevent further spread of ransomware within the network.
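As an added illustration of the endpoint-monitoring point above (this is example code, not part of the article or the eSentire report), the Python sketch below flags RMM process executions that fall outside a hypothetical approved inventory, which covers both the "exposed RMM" and the "bring your own RMM" patterns described earlier. The binary names, host names, user names and events are all constructed.

```python
"""Flag RMM executions outside an approved inventory (constructed example)."""
import re
from collections import defaultdict

# Known RMM binaries (lower-case image name) -> product family.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ConnectWise",
    "screenconnect.windowsclient.exe": "ConnectWise",
}

# Hypothetical inventory: which RMM family is sanctioned on which hosts.
APPROVED = {"ConnectWise": {"HQ-IT-01", "FILESRV-02"}}

# RMM binaries launched from user-writable locations are a "brought along" signal.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|windows\\temp)\\", re.I)

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "HQ-IT-01", "user": "CORP\\itadmin",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe"},
    {"host": "WS-DESIGN-07", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "HQ-IT-01", "user": "CORP\\itadmin",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"host": "WS-DESIGN-07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\svchost.exe"},
]

def flag_rmm_events(events, approved=APPROVED):
    """Return (host, family, user, reasons) for each suspicious RMM execution.
    UNAPPROVED_RMM: family not sanctioned on that host.
    USER_PATH_RMM:  RMM binary running from a user-writable path.
    SECOND_RMM:     another RMM family was already seen on that host."""
    findings = []
    families_seen = defaultdict(set)
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        family = RMM_IMAGES.get(image)
        if family is None:
            continue  # not an RMM binary we track
        host, reasons = ev["host"], []
        if host not in approved.get(family, set()):
            reasons.append("UNAPPROVED_RMM")
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("USER_PATH_RMM")
        if families_seen[host] - {family}:
            reasons.append("SECOND_RMM")
        families_seen[host].add(family)
        if reasons:
            findings.append((host, family, ev["user"], reasons))
    return findings
```

Feeding real process-creation telemetry (for example, Sysmon event 1 or EDR process events) into `flag_rmm_events` in place of `SAMPLE_EVENTS` turns this into a simple inventory-drift check for RMM tools.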
Continuous Education and Awareness
Organizations should prioritize educating employees about the risks of phishing emails, malicious attachments, and social engineering techniques. Regularly conducting cybersecurity awareness training can help employees identify and report potential threats, reducing the chances of falling victim to a LockBit attack.
Collaboration and Information Sharing
To effectively combat the growing threat of ransomware, organizations should actively collaborate with industry peers, government agencies, and cybersecurity experts. Sharing information about emerging threats, attack techniques, and successful defense strategies empowers the collective defense against ransomware groups like LockBit.
In conclusion, LockBit’s exploitation of RMM software highlights the escalating danger posed by ransomware groups. Implementing stringent security measures for RMM software and fostering a collaborative approach to defense are essential steps in mitigating the threat. However, organizations must remain vigilant and adapt to the evolving tactics of these adversaries to safeguard their networks and protect their customers and partners from the devastating impacts of a ransomware attack.