Sophos warns MSPs over DragonForce threat

Sophos has warned managed service providers (MSPs) that they are exposed to ransomware attacks which abuse the very systems they use to monitor and service customer networks. The security vendor has been tracking DragonForce attacks that target weaknesses in remote monitoring and management (RMM) tools.

In a recent blog post, Sophos detailed a ransomware incident in which attackers gained access to an MSP's SimpleHelp RMM instance and used it as a launchpad to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, a double-extortion tactic used to pressure victims into paying.

“In this incident, a threat actor gained access to the MSP’s remote monitoring and management tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints,” Sophos explained. Sophos MDR raised an alert after detecting a suspicious installation of a SimpleHelp installer file; the installer had been pushed through a legitimate SimpleHelp RMM instance that the MSP operated for its clients. The attacker also used this access to gather information on the customer estates the MSP managed, including device names, configurations, users, and network connections.
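The detection step described above, as an added example rather than code from Sophos, SimpleHelp or the article: a small Python detector run over constructed process-creation events. Because an RMM agent pushing software to endpoints is routine, a single "agent spawned an installer" event is weak evidence on its own; the example therefore flags those events and then checks whether the same installer hash fanned out to several hosts within a short window, the "multiple endpoints" pattern in the write-up. The agent image name and path, installer names, hashes, host names and timestamps are all assumptions.

```python
"""Detecting an installer pushed through an RMM agent and fanned out to
several endpoints.  Constructed example for this article; not Sophos,
SimpleHelp or DragonForce code.  Image names, paths, hashes and hosts are
assumptions, not indicators from the incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: process image of the RMM agent permitted on managed endpoints.
# "remote access.exe" is a placeholder; populate from your software inventory.
RMM_AGENT_IMAGES = {"remote access.exe"}
# Installer-like children.  RMM tools deploy software routinely, so this rule
# alone is noisy; the fan-out check below is what makes it actionable.
INSTALLER_IMAGES = {"msiexec.exe"}
INSTALLER_HINTS = ("setup", "install")


def _basename(image: str) -> str:
    """Lower-case file name of a Windows path such as C:\\Foo\\bar.exe."""
    return image.lower().rsplit("\\", 1)[-1]


def is_installer(image: str) -> bool:
    name = _basename(image)
    return (name in INSTALLER_IMAGES or name.endswith(".msi")
            or any(h in name for h in INSTALLER_HINTS))


def is_rmm_agent(image: str) -> bool:
    return _basename(image) in RMM_AGENT_IMAGES


def flag_rmm_installer_pushes(events):
    """One alert per process-creation event whose parent is the RMM agent and
    whose child looks like an installer (the 'installer pushed through the
    RMM' step in the write-up)."""
    return [
        {"host": e["host"], "time": e["time"], "image": e["image"], "sha256": e["sha256"]}
        for e in events
        if is_rmm_agent(e["parent_image"]) and is_installer(e["image"])
    ]


def find_fanout(alerts, min_hosts=3, window=timedelta(minutes=30)):
    """Group installer alerts by file hash and report hashes that reached at
    least `min_hosts` distinct hosts inside `window`.  One record per hash,
    anchored at the first event of the first qualifying window."""
    by_hash = defaultdict(list)
    for a in alerts:
        by_hash[a["sha256"]].append(a)
    campaigns = []
    for sha, group in by_hash.items():
        group.sort(key=lambda a: a["time"])
        for i, first in enumerate(group):
            hosts = {first["host"]}
            for later in group[i + 1:]:
                if later["time"] - first["time"] > window:
                    break
                hosts.add(later["host"])
            if len(hosts) >= min_hosts:
                campaigns.append({"sha256": sha, "hosts": sorted(hosts),
                                  "first_seen": first["time"]})
                break
    return campaigns


# Constructed telemetry (Sysmon/EDR-style process creation events), not from
# the incident.  The agent path and installer name are placeholders.
AGENT = r"C:\Program Files\RMM Agent\Remote Access.exe"
SAMPLE_EVENTS = [
    # benign: a user runs an MSI from Explorer
    {"time": datetime(2025, 5, 20, 9, 0), "host": "WS-01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "sha256": "msiexec-hash"},
    # benign: the agent runs a script shell, not an installer
    {"time": datetime(2025, 5, 20, 10, 0), "host": "WS-02", "parent_image": AGENT,
     "image": r"C:\Windows\System32\cmd.exe", "sha256": "cmd-hash"},
    # suspicious: the agent drops the same setup binary on three hosts in minutes
    {"time": datetime(2025, 5, 20, 11, 2), "host": "WS-03", "parent_image": AGENT,
     "image": r"C:\Users\Public\rmm-setup.exe", "sha256": "setup-hash"},
    {"time": datetime(2025, 5, 20, 11, 3), "host": "WS-04", "parent_image": AGENT,
     "image": r"C:\Users\Public\rmm-setup.exe", "sha256": "setup-hash"},
    {"time": datetime(2025, 5, 20, 11, 5), "host": "WS-05", "parent_image": AGENT,
     "image": r"C:\Users\Public\rmm-setup.exe", "sha256": "setup-hash"},
    # same binary hours later on one host: alerted, but outside the fan-out window
    {"time": datetime(2025, 5, 20, 14, 0), "host": "WS-06", "parent_image": AGENT,
     "image": r"C:\Users\Public\rmm-setup.exe", "sha256": "setup-hash"},
]


def run_detection(events=SAMPLE_EVENTS):
    alerts = flag_rmm_installer_pushes(events)
    return {"alerts": alerts, "campaigns": find_fanout(alerts)}


if __name__ == "__main__":
    result = run_detection()
    for a in result["alerts"]:
        print(f"ALERT  {a['time']:%H:%M} {a['host']} {a['image']}")
    for c in result["campaigns"]:
        print(f"FANOUT {c['sha256']} -> {', '.join(c['hosts'])} from {c['first_seen']:%H:%M}")
```

On the constructed sample, four events are alerted (the agent spawning `rmm-setup.exe` on WS-03 through WS-06) and one fan-out campaign is reported covering WS-03, WS-04 and WS-05; the WS-06 event falls outside the 30-minute window and stays a single alert. In practice the hash grouping should be backed by a software-inventory check so that a second RMM product appearing on a host already running the MSP's agent is escalated regardless of fan-out.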

Lack of security investment

Customers using Sophos MDR and its extended detection and response endpoint protection blocked the attacker’s access to their networks. Those that had not made such security investments were left exposed. “The MSP and clients that were not using Sophos MDR were impacted by both the ransomware and data exfiltration,” the blog post noted. Following the incident, the MSP engaged Sophos Rapid Response for digital forensics and incident response.

As MSPs face increasing scrutiny and regulatory pressure, calls for stronger security within the channel have grown louder. Mark Appleton, chief customer officer for Also Cloud UK, emphasized the need for MSPs to invest in advanced exposure management tools to mitigate cyber threats. “Providing outsourced IT services, such as infrastructure management, security monitoring, and applications support, will now be regulated,” he stated. “Therefore, ensuring that your cybersecurity standards and technical controls, as well as incident reporting and supply chain risk management tools, are comprehensive is essential for preparing for increased regulation.”

Appleton further pointed out that endpoints are prime targets, accounting for 70% of successful breaches, especially as organizations introduce more entry points. “Cloud misconfigurations account for 15% of initial attack vectors, ensuring threats spiral further across compromised cloud environments,” he added. “Managing exposure to threats across endpoints, networks, cloud-based applications, and data—along with other digital assets—is crucial for controlling costs, but it must be a continuous effort to prevent MSPs from exposing themselves or their clients to attacks.”

He concluded that continuous threat exposure management has become an indispensable component of an MSP’s strategy in response to escalating threats.

Tech Optimizer