Conti Ransomware Gang Playbook Mentions MSP Software
A leaked Conti Ransomware Gang Playbook and resulting cyber industry chatter mentions a specific RMM (remote monitoring and management) software vendor that supports MSPs, but the RMM provider says its cloud-based software has not been compromised and remains secure.
Based on the leaked playbook, ethical hacker Vitali Kremez tweeted a warning for network administrators looking for Conti activity to “scan for unauthorized Atera Agent installations and Any Desk persistence,” ThreatPost reports.
Atera develops a cloud-based platform that spans RMM, PSA (professional services automation) and other software capabilities for MSPs and corporate IT professionals. Atera raised $77 million in Series B funding in July 2021, and serves roughly 7,000 customers across 90 countries.
Separately, AnyDesk Software of Germany provides remote desktop software.
Atera Perspectives on Conti Ransomware Gang Playbook
In a comment to ChannelE2E about the alleged ransomware playbook, Atera VP of Customer Success Sharon Peer said:
The “playbook” released that you are referencing speaks to the fact that bad actors have attempted to use remote solutions to maintain persistence to unsecured networks for illegal or illegitimate purposes. That said, Atera has not been compromised in any way and the platform remains secure.
We are aware of the security threats in the industry and we continuously monitor to ensure our platform and our customers are secure. We encourage MSPs to follow proper security measurements, which we are continuously sharing with our community.”
What MSP-Focused Threat Intelligence Says
A third-party security expert in the MSP market reinforced Atera’s perspective. In a comment to ChannelE2E, Wes Spencer, CISO of co-managed threat detection and response provider Perch Security, said:
“There is no evidence, threat intelligence, or indication of Atera being directly compromised. Conti, in some cases, prefer to leverage Atera in their attack process to streamline their attack process. But other tools are also known to be used. Threat actors have long used legitimate tools as part of their attacks. We commonly refer to these TTPs as “living off the land.”
Threat actors prefer legitimate tools that are either built in, company approved, or installed by the threat actor. Given that they are not malicious in and of themselves, this tactic allows the threat actor greater ability to operate without detection.
In fact, this is why RMMs have become a tool of choice for a threat actor for Buffalo Jumps.”
Buffalo Jumping, a term frequently used by Perch Security, describes how hackers compromise a specific target in order to target and ultimately access multiple customers and partners.
Perch Security is owned by ConnectWise (an Atera rival) but provides SIEM (security information and event management) integrations to multiple third-party tools to support the overall MSP market.
Hackers vs. IT Service Providers, IT Consulting Companies
The REvil ransomware attack against Kaseya VSA, 50 MSPs and 1,500 downstream customers put a mainstream media spotlight on MSP software security in July 2021.
But in reality, hacker attacks against the MSP software industry have been swirling and escalating for several years — prompting ChannelE2E to warn of a looming MSP Judgment Day in 2019.
MSPs and IT consulting firms of all sizes have suffered attacks. Some of the biggest ransomware-related financial setbacks have involved CompuCom spending $10 million on cyberattack recovery costs in the first half of 2021, and Cognizant suffering $50 million to $70 million in lost revenue following a 2020 attack.
MSP Software Companies, Federal Agencies Up Their Cybersecurity Games
Still, MSP software companies appear to be making some progress against the attacks — thanks to stricter software development processes and default 2FA (two-factor authentication) requirements for many tools, among other moves.
Also, multiple federal agencies — including the FBI and CISA (Cybersecurity and Infrastructure Security Agency) have issued alerts and guidance to assist MSPs and cloud service providers (CSPs) with their cyber strategies.
For instance, the CISA partnered with Amazon, Microsoft and Google to launch the Joint Cyber Defense Collaborative (JCDC) in August 2021. The JCDC’s key priorities include such goals as:
- Design and implement comprehensive, whole-of-nation cyber defense plans to address risks and facilitate coordinated action;
- Share insight to shape joint understanding of challenges and opportunities for cyber defense;
- Implement coordinated defensive cyber operations to prevent and reduce impacts of cyber intrusions; and
- Support joint exercises to improve cyber defense operations.
In the executive branch, President Biden issued a cybersecurity executive order in May 2021. The order, which describes how federal agencies and their contractors must strengthen security, mentions IT service providers 15 times.