NinjaRMM Partner Used To Seed Ransomware

The breach happened Wednesday morning and was isolated to one MSP. The company sent an email to partners warning them to enable two-factor authentication.

NinjaRMM said its tool was used to spread ransomware across “multiple endpoints” within the last 36 hours, and it is encouraging partners to enable two-factor authentication, which it said could have stopped the attack, according to an email it sent to partners today.

“A malicious entity — or entities — was able to access the customer’s NinjaRMM account, most likely through a cached browser session, and was then able to use NinjaRMM to distribute ransomware across multiple endpoints,” the company’s chief security officer Lewis Huynh wrote. “(Two)-factor authentication was not enabled in this environment. If 2FA had been enabled, it is likely this malicious activity could have been prevented.”

Huynh said the breach appears to be confined to “one NinjaRMM customer,” but the same technique was previously used against MSPs using a rival-brand RMM tool, so it is “imperative” that two-factor authentication is turned on. San Francisco-based NinjaRMM supports multiple 2FA methods, including SMS, Authenticator, and FIDO key.

“In addition, we strongly encourage employing other security best practices, including using a secure password manager, rather than reusing credentials and/or storing them within browsers,” Huynh wrote.

NinjaRMM marketing executive Rachel Spatz told CRN that the company itself was not breached, but a customer was hit this morning and alerted the company.

“This is an isolated incident, and because NinjaRMM itself was not breached, none of our partners are at risk of infection from this ransomware attack,” Spatz said. “But we have seen this attack tactic used before and wanted to warn partners that this same thing could happen to them, and send a strong reminder that enabling 2FA can help to prevent these types of attacks.”

One MSP who is using NinjaRMM for some of his network said he likes the company because it is independent, but he is concerned about the company’s maturity. He said in this particular case, there is plenty of blame to go around.

“Shame on so-called MSPs for not taking advantage of the available 2FA,” he said. “Shame on Ninja for not making the security of their platform one of their highest priorities. We require 2FA on any system that has access to non-public information.”

In the email, Huynh said the company would roll out additional security measures “over the next few releases,” which will include giving system administrators the ability to enforce two-factor authentication on all or some or none of their users.

“We recognize that there is an inverse correlation between enhanced security policies and convenience,” Huynh wrote. “We want to be mindful of providing you with the most powerful and convenient RMM tool, while also providing security mechanisms that you can employ to help ensure that we all stay on top of the ever-changing world of security.”

This is the latest example of cyber criminals targeting MSPs through the tools they use. In February, cyber criminals exploited ConnectWise partners who had not patched an integration tool with a rival MSP platform to install ransomware on end users' machines. Then in March, 100 Wipro endpoints were seeded with ransomware through ConnectWise Control (formerly ScreenConnect), a remote support and remote access tool.