Cybercriminals have evolved from schoolyard bullies to organized gangs that have created sophisticated businesses with sales departments, support organizations and sales quotas that turn popular software products into weapons of mass destruction, said ThreatLocker co-founder and CEO Danny Jenkins.
“Today we don’t fight back against schoolyard bullies,” Jenkins said during a keynote session at CRN parent The Channel Company’s Best of Breed virtual conference on Tuesday. “We don’t defend ourselves against enthusiasts who just want to write malware for fun. We try to defend ourselves against organized gangs… We fight sophisticated companies.”
The new class of highly structured cybercriminal organizations is made up of well-coordinated businesses with sales departments, sales quotas and help desks that measure everything from the number of emails they have to send to launch a successful attack to the optimal link for attracting an unsuspecting user, Jenkins said. “They are attacking your business in sophisticated ways,” he warned attendees of the virtual BoB conference.
“These guys are out to destroy your business, to encrypt your data, to steal your data,” Jenkins said, rallying his partners to adopt a deny-by-default security strategy. “You even fight nation states (now). Over the past few months we have seen attacks increase and increase from Russia with more and more ransomware and more and more organized attacks.”
The ransomware organizations that are wreaking havoc focus not only on large enterprises, but also on small businesses and MSPs, Jenkins said.
The attack landscape has evolved from enthusiasts launching malware attacks like the infamous “Lovebug” virus in May 2000 to sophisticated cybercriminal organizations using well-established software products like the SolarWinds Orion network monitoring platform and Microsoft Exchange Server to launch attacks, Jenkins said. “Now the attackers are actually using our software against us,” he added.
The SolarWinds breach, for example, which was discovered in December 2020 by cybersecurity firm FireEye, was an “incredibly sophisticated” attack in which bad actors inserted malicious code directly into the SolarWinds Orion network monitoring product, said Jenkins. “The attackers had actually managed to break into the source code of SolarWinds and they had changed the code” to launch an unprecedented attack on US government agencies, Jenkins said.
“It was a very bad attack,” he said. “It was so sophisticated that federal government agencies were installing Orion for attackers and they were basically putting this Trojan into their system.”
The Microsoft Exchange server hack – which was discovered in March 2021 and was used to steal emails and compromise networks – was “much more terrifying” than many realized at the time, Jenkins said.
ThreatLocker analyzed the Exchange Server hack with one of its customers, who was keen to get more details about the attempted attack, and found that the highly regarded VirusTotal database failed to isolate the malicious code, Jenkins said.
The disturbing thing about the Exchange server hack is that the malicious batch file was actually created by Microsoft’s own IIS web server, Jenkins said. “This is where it gets really worrying because you wonder why a batch file would be created by IIS on an Exchange server?” Jenkins asked.
Working with the customer, ThreatLocker found that the Microsoft Exchange configuration had changed. So when the user downloaded the Offline Address Book, Exchange downloaded the malicious batch file to the system, Jenkins said. “We actually took this to our lab after this event to find out what was going on,” he said.
That’s when ThreatLocker discovered that the malicious code had downloaded Microsoft’s PsExec tool, which lets you run processes on other systems, Jenkins said. PsExec then created a Microsoft Group Policy Object (GPO) in Active Directory that applied to all computers in the organization. When ThreatLocker ran the malicious code in its lab, the GPO crypto-locked every machine in the test environment.
“We saw all the machines encrypted because of a vulnerability on an Exchange server,” he said. “Every time we run software on our computer, every time we open an application, be it Microsoft Office or Google Chrome, that software has access to whatever we have access to. Ransomware is just software. Malware is just software. It’s written in the same languages, the same code. You can even find the same Stack Overflow samples in the ransomware if you decompile it.”
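The chain described above (an IIS worker process launching a dropped batch file, which in turn runs PsExec) and the deny-by-default and ringfencing approach Jenkins advocates can be made concrete with a small policy evaluator. The following is an added example written for this page, not code from the article or from ThreatLocker; the allowlist, the ringfence rule, the hashes (derived from labels rather than real binaries) and the process events are all constructed, and the batch path is a placeholder.

```python
"""Deny-by-default application control over constructed process-creation events.

Two independent controls are shown:
  1. An allowlist keyed by binary hash: anything not listed is denied, even a
     legitimate, signed tool such as PsExec that the organisation never approved.
  2. A ringfence rule: an allowed interpreter (cmd.exe) may only be started by a
     short list of expected parents, so an IIS worker process launching it is denied.
A separate detection flag marks the server-process-to-interpreter pattern for triage.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # image name of the parent process
    image: str          # image name of the process being created
    command_line: str
    sha256: str         # hash of the image on disk (constructed here)


def fake_hash(label: str) -> str:
    """Stand-in for a binary's SHA-256; a real agent hashes the file on disk."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed allowlist: only these hashes may execute. PsExec is deliberately absent.
ALLOWLIST = {
    fake_hash("w3wp.exe"): "w3wp.exe",
    fake_hash("cmd.exe"): "cmd.exe",
    fake_hash("winword.exe"): "winword.exe",
}

# Constructed ringfence: cmd.exe is allowed, but only under these parents.
RINGFENCE = {"cmd.exe": {"explorer.exe", "services.exe", "winlogon.exe"}}

# Detection pattern: a web server worker process should not spawn a script host.
SERVER_PROCESSES = {"w3wp.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def policy_decision(event: ProcessEvent) -> str:
    """Return 'allow' or a 'deny: <reason>' string for one process-creation event."""
    if event.sha256 not in ALLOWLIST:
        return "deny: not on allowlist"
    allowed_parents = RINGFENCE.get(event.image.lower())
    if allowed_parents is not None and event.parent_image.lower() not in allowed_parents:
        return "deny: ringfence"
    return "allow"


def suspicious_parent_chain(event: ProcessEvent) -> bool:
    """True when a server process launches a command interpreter."""
    return (event.parent_image.lower() in SERVER_PROCESSES
            and event.image.lower() in INTERPRETERS)


def triage(events):
    """Evaluate every event against the policy and the detection pattern."""
    return [
        {"image": e.image,
         "decision": policy_decision(e),
         "alert": suspicious_parent_chain(e)}
        for e in events
    ]


# Constructed events mirroring the chain the article describes.
SAMPLE_EVENTS = [
    ProcessEvent("services.exe", "w3wp.exe",
                 "w3wp.exe -ap MSExchangeOABAppPool", fake_hash("w3wp.exe")),
    ProcessEvent("w3wp.exe", "cmd.exe",
                 r'cmd.exe /c "C:\placeholder\dropped.bat"', fake_hash("cmd.exe")),
    ProcessEvent("cmd.exe", "psexec.exe",
                 "psexec.exe (arguments omitted)", fake_hash("psexec.exe")),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The second event is the instructive one: cmd.exe is on the allowlist, so a hash-only policy would let it run, and only the ringfence rule (or the alert) catches the fact that IIS started it. The third event shows why deny by default matters for legitimate tools: PsExec is blocked simply because nobody approved it, with no need to recognise it as malicious.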
The most infamous ransomware attack on MSPs took place over the July 4 weekend of last year, when an attack on Kaseya’s on-premises VSA monitoring platform left over 36,000 MSPs without access to Kaseya’s flagship VSA product for at least four days.
“The 4th of July weekend was probably one of the worst weekends ever for MSPs,” Jenkins said. “We have seen thousands of MSPs affected by ransomware within our own customer base. Fortunately, the ransomware was blocked because our clients were operating on a deny-by-default basis. We saw 46 customers attempt to deliver ransomware to all of their endpoints. Just think of the damage (which could have resulted without deny by default).”
All MSP customers had two-factor authentication enabled, Jenkins said. “It was a vulnerability in the Kaseya portal that allowed an attacker to essentially insert a command to send ransomware to all of your customers,” he said.
There were a record 21,000 common vulnerabilities and exposures (CVEs) in 2022 that were documented by the MITRE Corporation with funding from the United States Cybersecurity and Infrastructure Security Agency (CISA), Jenkins said.
“Just think about it – 21,000 software vulnerabilities for legitimate software that were logged in the CVE database last year,” he said. “This is the highest ever recorded in history. Attackers use these vulnerabilities.”
One of the critical steps MSPs must take to make businesses more secure is to provide secure network access control, Jenkins said. “One of the biggest challenges we face today with network security (with the advent of the Internet) is that there is no network, the network is gone, the perimeter is gone,” he said. “When we are at Starbucks or working from home, we have to control access to these devices. The problem is that there is a network and it is called the Internet. We share it with Russia, China, North Korea.”
ThreatLocker’s new network access control product provides a portal that MSPs can configure to protect themselves and their customers and see all incoming denials, Jenkins said. This network access control product allows partners to open their network only to trusted devices, Jenkins said. “It only allows access from where you are – not from anywhere in the world, from Russia to Canada to Detroit,” he said.
Neal Juern, founder and CEO of Juern Technology, a San Antonio-based MSSP, credits ThreatLocker’s deny-by-default software with providing him with the security muscle needed to triple his company’s sales and transform into a fully fledged MSSP with a 24-hour, seven-day-a-week security operations center.
“I tell other MSPs that in the past three years, ThreatLocker is the single most important security tool or solution we’ve added to our portfolio,” he said. “That says a lot because we’ve become an MSSP and added so many layers of security.”
ThreatLocker’s ringfencing and allowlisting software provided a modern and innovative approach to stopping bad actors, Juern said.
“The old way doesn’t work,” he said. “It has no future. Thanks to Danny for coming up with a real security solution for MSPs. This is not the old days of malware. Now hackers themselves use our operating system files to attack and exploit us. It is fileless malware. There are no viruses to look for. Hackers have figured out that the tools already installed on our systems are all they need. This is why ringfencing is so powerful and why deny by default has become the new normal, the new way forward. You can no longer rely on finding known bad things. You have to stop the bad behavior – the unknowable bad things. Bad behavior gives hackers access to tools with which they can do damage.”
Ultimately, MSPs that don’t use deny by default are playing Russian roulette, Juern said. “It’s only a matter of time before you get hit,” he said. “It’s the truth. We need to seek to stop things that could potentially be misused. That’s deny by default.”