New Era Of ‘Organized Gangs’ Are Infiltrating Software To Take Down MSPs: ThreatLocker CEO Danny Jenkins
‘Today, we are not defending against schoolyard bullies,’ says ThreatLocker co-founder and CEO Danny Jenkins. ‘We are not defending against enthusiasts that just want to write malware for fun. We are trying to defend ourselves against organized gangs…We are fighting sophisticated businesses.’
Cybercriminals have morphed from schoolyard bullies into organized gangs that have set up sophisticated businesses with sales departments, support organizations and sales quotas that are turning highly regarded software products into weapons of mass destruction, said ThreatLocker co-founder and CEO Danny Jenkins.
“Today, we are not defending against schoolyard bullies,” said Jenkins in a keynote session at CRN parent The Channel Company’s Best of Breed virtual conference on Tuesday. “We are not defending against enthusiasts that just want to write malware for fun. We are trying to defend ourselves against organized gangs…We are fighting sophisticated businesses.”
The new class of highly structured cybercriminal organizations consists of well-coordinated businesses with sales departments, sales quotas and support departments that measure everything from how many emails they have to send to launch a successful attack to which link is the optimal lure for an unsuspecting user, said Jenkins. “They are going after your business in a sophisticated manner,” he warned BoB virtual conference attendees.
“These guys are there to destroy your business, to encrypt your data, to steal your data,” said Jenkins, rallying partners to adopt a deny-by-default security strategy. “You are even fighting nation-states (now). Over the last few months we have seen attacks increase and increase from Russia with more and more ransomware and more and more organized attacks.”
The ransomware organizations that are wreaking havoc are focused on not just big businesses, but small businesses and MSPs, said Jenkins.
The attack landscape has evolved from enthusiasts launching malware attacks like the infamous “Lovebug” virus in May 2000 to sophisticated cybercriminal organizations using well-established software products like the SolarWinds Orion network monitoring platform and Microsoft Exchange server to launch attacks, said Jenkins. “Now the attackers are actually using our software against us,” said Jenkins.
The SolarWinds breach, for example, which was discovered in December 2020 by cybersecurity firm FireEye, was an “incredibly sophisticated” attack in which the bad actors inserted malicious code directly into the SolarWinds Orion network monitoring product, said Jenkins. “Attackers had actually managed to get into SolarWinds source code and they had changed the code” to launch an unprecedented attack on US government agencies, said Jenkins.
“This was a really bad attack,” he said. “It was so sophisticated that federal government agencies were installing Orion for the attackers and they were essentially putting that Trojan horse in their system.”
The Microsoft Exchange server hack – which was discovered in March 2021 and was used to steal email and compromise networks – was “far more terrifying” than many thought at the time, said Jenkins.
ThreatLocker analyzed the Exchange Server hack with one of its customers, who was anxious to get more details on the attempted attack, and found that the highly regarded VirusTotal database did not single out the malicious code, said Jenkins.
The troubling thing about the Exchange server hack is the malicious batch file was actually created by Microsoft’s own IIS web server, said Jenkins. “This is where it gets really concerning because you are thinking why would a batch file be created by IIS on an Exchange server?” asked Jenkins.
Working with the customer, ThreatLocker saw that the configuration in Microsoft Exchange had been changed so that, when the user downloaded the offline address book, Exchange downloaded the malicious batch file onto the system, said Jenkins. “We actually took this into our lab after this event to find out what was going on,” he said.
That’s when ThreatLocker discovered that the malicious code had downloaded Microsoft’s PsExec tool, which lets you execute processes on other systems, said Jenkins. PsExec was then used to create a Microsoft Group Policy Object (GPO) in Active Directory and push it to all computers in the organization. When ThreatLocker ran the malicious code in its lab, the GPO had crypto-locked every machine in the test scenario.
“We saw all of the machines encrypted because of a vulnerability on an Exchange server,” he said. “Every time we run software on our computer, every time we open an application, whether it is Microsoft Office or Google Chrome, that software has access to everything that we have access to. Ransomware is just software. Malware is just software. It is written in the same languages, the same code. You can even find the same samples from Stack Overflow inside the ransomware if you decompile it.”
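The chain Jenkins describes (IIS writing a batch file, a shell or PsExec launched from the IIS worker process, a new GPO appearing in Active Directory) gives defenders three concrete signals to watch for. The following Python is an added example, not code from the article or from ThreatLocker; it runs simple detection logic over constructed Sysmon-style process-create (event 1), file-create (event 11) and Directory Service object-creation (event 5137) records, whose field layout and sample values are assumptions made for the example.

```python
"""Flag the IIS -> batch file -> PsExec -> GPO chain over constructed log events."""
import ntpath

SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
REMOTE_EXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a list of finding strings for one event (empty when nothing is suspicious)."""
    findings = []
    eid = event.get("EventID")
    if eid == 11:  # Sysmon FileCreate: the web server should not be writing scripts
        if _base(event["Image"]) == "w3wp.exe" and event["TargetFilename"].lower().endswith(SCRIPT_EXTS):
            findings.append("IIS worker process wrote a script file: " + event["TargetFilename"])
    elif eid == 1:  # Sysmon ProcessCreate
        parent = _base(event.get("ParentImage", ""))
        image = _base(event["Image"])
        if parent == "w3wp.exe" and image in SHELLS | REMOTE_EXEC:
            findings.append("IIS worker process spawned " + image)
        if image in REMOTE_EXEC:
            findings.append("remote execution tool launched: " + image)
    elif eid == 5137 and event.get("ObjectClass", "").lower() == "grouppolicycontainer":
        # Directory Service Changes: a new GPO object was created
        findings.append("new Group Policy Object created: " + event.get("ObjectDN", "?"))
    return findings


def scan(events):
    """Run classify() over a sequence of events; returns (timestamp, finding) pairs."""
    return [(e["UtcTime"], f) for e in events for f in classify(e)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"UtcTime": "2021-03-05 10:01:02", "EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Windows\Temp\update.bat"},
    {"UtcTime": "2021-03-05 10:01:05", "EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2021-03-05 10:01:09", "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\PsExec.exe"},
    {"UtcTime": "2021-03-05 10:02:30", "EventID": 5137, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"UtcTime": "2021-03-05 10:05:00", "EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex210305.log"},  # benign IIS log write
]

if __name__ == "__main__":
    for ts, finding in scan(SAMPLE_EVENTS):
        print(ts, finding)
```

The last sample event shows the rule ignoring IIS's own log writes, so the alert is on the file type the worker process produces, not on every write it makes.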
The most infamous ransomware attack on MSPs came on the July 4 weekend last year, when Kaseya’s on-premises VSA monitoring platform was hit, leaving more than 36,000 MSPs without access to Kaseya’s flagship VSA product for at least four days.
“The Fourth of July weekend was probably one of the worst weekends in history for MSPs,” said Jenkins. “We saw thousands of MSPs get hit by ransomware just across our own customer base. Thankfully the ransomware was blocked because our clients were operating on a default deny basis. We saw 46 clients attempt to have ransomware pushed out to all of their endpoints. Just think about the damage (that could have resulted without deny by default).”
All of the MSP customers had dual-factor authentication enabled, said Jenkins. “This was a vulnerability in the Kaseya portal that allowed an attacker to essentially insert a command to send off ransomware to all your clients,” he said.
A record 21,000 Common Vulnerabilities and Exposures (CVEs) were documented in 2022 by the MITRE Corporation, with funding from the United States Cybersecurity and Infrastructure Security Agency (CISA), said Jenkins.
“Just think about that – 21,000 software vulnerabilities for legitimate software that was recorded in the CVE database last year,” he said. “That’s the highest ever recorded in history. Attackers are using these vulnerabilities.”
One of the critical steps MSPs need to take to make businesses more secure is to provide secure network access control, said Jenkins. “One of the biggest challenges we have today with network security (with the advent of the internet) is there isn’t any network, the network is gone, the perimeter is gone,” he said. “When we are in Starbucks or working from home we have to control access to those devices. The problem is there is a network and it is called the internet. We share it with Russia, China, North Korea.”
ThreatLocker’s new network access control product provides a portal that MSPs can configure to protect themselves and their customers and see all inbound denials, said Jenkins. That network access control product allows partners to open up their network only to trusted devices, said Jenkins. “This allows access only from the places you are - not from all over the whole world, from Russia to Canada to Detroit,” he said.
Neal Juern, founder and CEO of Juern Technology, a San Antonio-based MSSP, credits ThreatLocker’s deny-by-default software with providing him the security muscle necessary to triple his company’s sales and transform into a full-fledged MSSP with a 24-hour-a-day, seven-day-a-week security operations center.
“I tell other MSPs that over the last three years ThreatLocker is the single most important security tool or solution we have added to our portfolio,” he said. “That’s saying a lot because we have transformed into an MSSP and added many, many layers of security.”
ThreatLocker’s Ringfencing and whitelisting software has provided an innovative modern approach to stopping the bad actors, said Juern.
“The old way doesn’t work,” he said. “It has no future. I give Danny credit for coming up with a real security solution for MSPs. This is not the old days of malware. Now hackers are using our operating system files themselves to attack us and exploit. That is fileless malware. There is no virus to go looking for. Hackers have figured out the tools that are already installed on our systems are all they need. That is why Ringfencing is so powerful and why deny by default has become the new standard, the new way forward. You can’t rely on looking for known bad things anymore. You must stop the bad behavior, not known bad things. The bad behavior is allowing hackers access to tools they can do damage with.”
Ultimately, MSPs not employing deny by default are playing Russian Roulette, said Juern. “It’s just a matter of time before you will be breached,” he said. “That is the truth. We have to look at stopping things that could just potentially be used in a bad way. That is deny by default.”