Threat actors recently obtained unauthorized access to the networks of three managed service providers (MSPs) and subsequently targeted customers of the compromised firms with ransomware using SecureAnywhere, an MSP tool by Webroot designed for the remote monitoring and management of client machines. The ransomware used in the attack is dubbed Sodinokibi.
The attackers gained an initial foothold on the MSP networks by targeting Internet-facing Remote Desktop Protocol (RDP) services. In response to the attack, Webroot has started to enforce two-factor authentication (2FA) for SecureAnywhere accounts in order to make it harder for attackers to take advantage of the tool.
Ransomware groups are increasingly going after MSPs in order to target many customers at once. Earlier this year, 1,500 to 2,000 devices were infected with ransomware after attackers breached the systems of a single MSP.
Read more: Ransomware gang hacks MSPs to deploy ransomware on customer systems