Huntress and SOC Managed Detection and Response Service Update
The following information is crucial and comes directly from Huntress and our SOC regarding the endpoint managed detection and response (MDR) service we provide. If you subscribe to our MDR, be on the lookout for these articles in your monthly Huntress Threat Report.
LockBit Ransomware Decryption Keys Now Available
The LockBit ransomware group, one of the most notorious cybercrime operations worldwide, has had its multi-million dollar operation decisively disrupted by US and UK law enforcement. This group has targeted over 2,000 victims, demanding hundreds of millions in ransom payments, and has successfully collected $120 million. In Q1 2024, a joint task force effectively dismantled critical LockBit infrastructure, including servers and public-facing websites, severely crippling their operations. This task force has obtained multiple sets of LockBit decryption keys and developed their own capabilities to assist victims in recovering their data.
Action Required:
If you have been affected by LockBit ransomware, it is imperative that you contact the FBI through the following link to determine if your systems can be decrypted: https://lockbitvictims.ic3.gov. Additionally, ensure you subscribe to our managed detection and response service for enhanced protection.
RMM Vulnerability:
Remote Management and Monitoring (RMM) tools are vital in Managed Service Provider (MSP) environments for remote access to endpoints. However, improper configuration and maintenance significantly increase your organization’s attack surface, posing serious security risks. On February 20th, 2024, Huntress researchers identified a critical vulnerability in ConnectWise CW-288 and strongly advise immediate patching of all ScreenConnect RMM installations.

Legacy RMM tools can easily be overlooked during organizational changes and may expose vulnerabilities or credentials that can be exploited by threat actors. These tools also serve as persistence mechanisms for attackers, allowing them to install AnyDesk or RustDesk post-exploit to maintain hidden access within your network.

Additionally, MSSQL installations, commonly found in applications, may expose endpoints to brute force attacks if failed login attempts are not monitored, enabling threat actors to execute commands with SYSTEM privileges and bypass multi-factor authentication for RMM access.
Action Required:
- Conduct a thorough review of all applications on your endpoints and eliminate any RMM tools that are no longer in use. (This does not apply to the remote monitoring tools used by our technicians.)
- Implement monthly audits of failed login attempts across all servers and endpoints and take immediate action on any findings.
- Subscribe to our recurring Network and Security Assessments to ensure comprehensive protection.
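The first two action items above (inventory the remote-access tools present on an endpoint and review failed login attempts, including MSSQL) can both be started from one script. The following PowerShell is an added example written for this update; it is not Huntress, ConnectWise or Microsoft code. It assumes an elevated session on the endpoint (the Security log needs administrator rights), a constructed starting list of remote-access product names to tune for your environment, an `$AllowList` parameter for the tools your own technicians use (which the first action item says to keep), and a 30-day window with a threshold of 20 failures per account and source before a row is flagged. Event ID 4625 (Windows failed logon) and 18456 (SQL Server failed login) are the real event IDs; the property indexes used for 4625 are the fixed ones Windows documents for that event.

```powershell
# Added example (not Huntress/ConnectWise code): inventory remote-access/RMM tools
# on a Windows endpoint and summarise failed logons, including SQL Server.
# Run elevated. Tune $RemoteToolPatterns, $AllowList, $Days and $Threshold.
param(
    [string[]] $AllowList = @(),   # your own sanctioned RMM agents, e.g. 'Datto'
    [int]      $Days      = 30,    # audit window (the update asks for monthly review)
    [int]      $Threshold = 20     # failures per account+source that need action
)

# Constructed starting list of remote-access product names; extend as needed.
$RemoteToolPatterns = @(
    'AnyDesk', 'RustDesk', 'ScreenConnect', 'ConnectWise', 'TeamViewer', 'Splashtop',
    'Atera', 'NinjaOne', 'Kaseya', 'LogMeIn', 'GoTo', 'Datto', 'Remote Utilities',
    'SimpleHelp', 'Syncro', 'N-able', 'Action1'
)

function Get-RemoteAccessToolInventory {
    # Installed products from the 64-bit, 32-bit and per-user uninstall hives.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Registry'; Name = $_.DisplayName
                               Detail = "v$($_.DisplayVersion) installed $($_.InstallDate)" }
        }
    # Services too: some agents persist as a service with no visible uninstall entry.
    $services = Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Detail = $_.PathName }
    }
    $pattern = ($RemoteToolPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    @($installed) + @($services) |
        Where-Object { $_.Name -match $pattern -or $_.Detail -match $pattern } |
        ForEach-Object {
            $item = $_
            # Sanctioned = matches a name on the MSP's own allow-list; everything else is a review candidate.
            $allowed = [bool]($AllowList | Where-Object { $item.Name -like "*$_*" })
            $item | Add-Member -NotePropertyName Sanctioned -NotePropertyValue $allowed -PassThru
        }
}

function Get-FailedLogonSummary {
    $since = (Get-Date).AddDays(-$Days)
    # Windows failed logons: Security 4625. Fixed property indexes for this event:
    # 5 = TargetUserName, 10 = LogonType (3 = network, 10 = RDP), 19 = IpAddress.
    $windows = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                            -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Windows'; Account = $_.Properties[5].Value
                               SourceHost = $_.Properties[19].Value; LogonType = $_.Properties[10].Value }
        }
    # SQL Server failed logins: Application 18456 from an MSSQL provider. Message looks like
    #   Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]   (constructed sample)
    $sql = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 18456; StartTime = $since } `
                        -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.ProviderName -like 'MSSQL*' -and
                $_.Message -match "Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]") {
                [pscustomobject]@{ Kind = 'MSSQL'; Account = $Matches[1]; SourceHost = $Matches[2]; LogonType = 'SQL' }
            }
        }
    # Aggregate per (kind, account, source) so a brute-force source stands out.
    @($windows) + @($sql) |
        Group-Object Kind, Account, SourceHost |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{ Kind = $first.Kind; Account = $first.Account; SourceHost = $first.SourceHost
                               Failures = $_.Count; ActionNeeded = ($_.Count -ge $Threshold) }
        } |
        Sort-Object Failures -Descending
}

$inventory = Get-RemoteAccessToolInventory
Write-Host "Remote-access tools found on $env:COMPUTERNAME (Sanctioned = on your allow-list):"
$inventory | Format-Table Source, Name, Sanctioned, Detail -AutoSize

Write-Host "Failed logons in the last $Days days (ActionNeeded = at or above $Threshold failures):"
Get-FailedLogonSummary | Format-Table -AutoSize
```

Rows with `Sanctioned = False` are the candidates for removal under the first action item, and any `ActionNeeded = True` row is what the second action item means by "take immediate action": an MSSQL account or a network/RDP logon source with a high failure count is the brute-force pattern the update warns about. For a fleet, run this through your RMM's scripting feature and collect the output centrally rather than per endpoint.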