
LockBit Exploits RMMs for Ransomware Distribution


The LockBit ransomware group has found a new way to infiltrate targeted networks, using remote monitoring and management (RMM) software to expand its reach. Three recent attacks, detailed in a report by Canada-based eSentire, followed a similar pattern. In each case, a LockBit affiliate either took advantage of exposed RMM instances or brought their own RMM into the targeted network, using the technique known as "living off the land" (LotL) to establish a foothold. Across the three incidents, the affiliates compromised downstream customers of a managed service provider (MSP) and hit two manufacturers.

According to Keegan Keplinger, a senior threat intelligence researcher with eSentire’s Threat Response Unit, the trend among cybercriminals is to avoid using malware and instead focus on obtaining valid credentials to gain entry into networks. This approach allows them to bypass antivirus and endpoint protection systems. “They want to get valid credentials and use those legitimate credentials to get in,” Keplinger explained.

LockBit’s use of RMMs as an attack vector is not surprising. In June, the Cybersecurity & Infrastructure Security Agency (CISA) issued a cybersecurity advisory about LockBit, highlighting the group’s propensity for exploiting RMMs. The advisory described LockBit as one of the most prolific cybercriminal outfits in the ransomware-as-a-service game in recent years, targeting various sectors and devices and resulting in substantial monetary gains.

One attack example cited by eSentire’s researchers involved a LockBit affiliate gaining admin access to an unprotected machine in a home decor manufacturing company. The affiliate then attempted to establish persistence and spread to other computers using the RMM AnyDesk. Keplinger noted that threat actors have increasingly shifted away from using malware because it can be easily detected, opting instead for software already present in the environment or software that may appear legitimate.

In another attack, against a storage materials manufacturer, LockBit installed its own instance of the RMM ConnectWise inside the network. Because the organization already used ConnectWise, the extra instance blended in and the attackers could operate undetected. Keplinger described this tactic as "pretty brilliant" since nothing flagged the presence of a second ConnectWise instance.

The extent of the LockBit threat extends beyond individual organizations. When RMMs are used without proper security controls, both the organizations themselves and their partners and customers can be exposed to risk. In a breach of an MSP earlier this year, the MSP had left its ConnectWise login panel exposed to the open Internet, making it easy for the attackers to gain access with brute force or by purchasing credentials from the Dark Web. Within minutes, LockBit had deployed its ransomware on multiple endpoints.

To defend against these types of attacks, organizations should implement multi-factor authentication and strict access controls for RMM tools. Endpoint monitoring is also crucial in detecting and preventing these attacks. Keplinger emphasized the success and destructive nature of LockBit’s operations, making it imperative for organizations to take proactive measures to protect their networks.
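The two patterns above (an RMM the organization never sanctioned, and a second instance of a sanctioned RMM pointed at a different control server) can be caught by auditing endpoint inventory against a baseline. The following is an added example, not code from eSentire or the article; the product names in the baseline come from the article, while the inventory rows, hostnames and field names are constructed for illustration.

```python
# Audit RMM agents found on endpoints against a sanctioned baseline.
# Added example; all inventory rows and hostnames below are constructed.
from collections import defaultdict

# Constructed baseline: sanctioned RMM product -> control servers its
# agents are expected to connect to. Anything else is a finding.
SANCTIONED_RMM = {
    "connectwise": {"rmm.corp.example"},
}

# Constructed endpoint inventory, e.g. exported from an EDR or asset tool.
INVENTORY = [
    {"host": "ws01", "product": "ConnectWise", "server": "rmm.corp.example"},
    {"host": "ws02", "product": "ConnectWise", "server": "rmm.corp.example"},
    # Second ConnectWise agent on ws02 talking to an unknown relay:
    {"host": "ws02", "product": "ConnectWise", "server": "relay.unknown-rmm.example"},
    # An RMM the organization never deployed (brought in by the intruder):
    {"host": "ws03", "product": "AnyDesk", "server": "anydesk-cloud.example"},
]


def audit_rmm(inventory, sanctioned):
    """Return (host, finding_type, detail) tuples for deviations from baseline."""
    findings = []
    servers_per_host_product = defaultdict(set)
    for row in inventory:
        product = row["product"].lower()
        servers_per_host_product[(row["host"], product)].add(row["server"])
        if product not in sanctioned:
            # Rule 1: RMM product that is not in the baseline at all.
            findings.append((row["host"], "unsanctioned_rmm_product", product))
        elif row["server"] not in sanctioned[product]:
            # Rule 2: sanctioned product, but pointed at a foreign control server.
            findings.append((row["host"], "unexpected_control_server", row["server"]))
    # Rule 3: one host running the same RMM product against several servers,
    # which is how a rogue duplicate instance hides next to the legitimate one.
    for (host, product), servers in servers_per_host_product.items():
        if len(servers) > 1:
            findings.append((host, "duplicate_rmm_instances", product))
    return findings


if __name__ == "__main__":
    for host, kind, detail in audit_rmm(INVENTORY, SANCTIONED_RMM):
        print(f"{host}: {kind} ({detail})")
```

Feeding the same rules with a real inventory export turns the "second ConnectWise instance" case into a routine alert rather than something that goes unnoticed.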

LockBit’s utilization of RMMs underscores the evolving tactics of ransomware groups. As cybercriminals become more sophisticated, organizations must remain vigilant in implementing robust security measures to mitigate the risk of attacks.
