Webroot: The Three Biggest Cybersecurity Threats MSPs Face

‘If you’re only protecting a single layer, they’re going to come through the back door, they’re going to come through the side door,’ says Webroot’s Greg Luebke.


The cybersecurity threat landscape has evolved over the last few years, and MSPs must go beyond defending a single point of entry, said Webroot’s Greg Luebke.

“If you’re only protecting a single layer, they’re going to come through the back door, they’re going to come through the side door,” said Luebke, Webroot’s MSP account manager.

Broomfield, Colo.-based Webroot started in 1997 as a traditional anti-virus vendor focused on addressing threats using signatures and definitions, Luebke said Thursday during NexGen 2019, hosted by CRN parent The Channel Company.


But the company realized about 10 years ago that it wouldn’t be able to keep up with the accelerating pace of threats through writing signatures alone, according to Luebke. By the time Webroot pushed a signature or definition down to an on-premises server, Luebke said it would already be out of date.

So Luebke said Webroot responded by moving everything to the cloud, meaning that users are now protected by a 3-megabyte agent on the machine that takes advantage of the largest threat intelligence database in the world.

As a result of that transformation, Luebke said Webroot has been able to bring on 13,000 MSP partners and is today the top SMB endpoint security solution in the world, protecting just shy of 50 percent of MSPs in the entire industry segment.

Webroot’s threat intelligence database benefits from all the third-party feeds, making it possible for solution providers to transfer more actionable information to their customers, according to Rodrigo Munoz, senior consultant at Paladin Consulting Group.

Here’s a look at three of the biggest cybersecurity threats Luebke said Webroot has seen.

#1. Cryptojacking

Cryptojacking is a low-risk, low-reward activity for malicious actors, Luebke said, and only involves putting a few lines of code into JavaScript and allowing it to run. Consequently, Luebke said a lot of MSPs don’t think of cryptojacking as a risk, and it may not have much of an impact on a company’s bottom line if it’s occurring on just a single endpoint.

But for customers that have cryptojacking taking place on hundreds of endpoints, Luebke said the scale would have a significant impact on the organization’s energy usage as well as the longevity of its equipment.

Although cryptojacking itself isn’t necessarily new, Luebke said adversaries have increased their return on investment by building scaling into the process. Historically, Luebke said cryptojacking software would occupy 20 percent of the user’s CPU allotment all day every day regardless of the user’s behavior, which in turn would allow the adversary to mine roughly three cents of Bitcoin each day.

But with scaling, Luebke said the adversary takes up 100 percent of the user’s CPU if their keyboard and mouse haven’t been active. As a result of this high-volume cryptojacking, Luebke said the typical five-year equipment lifespan is now shortened to a two-year or three-year lifespan, and the company’s energy bills spike well above their previous usage rates.
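The idle-triggered scaling Luebke describes is also a detection opportunity: a process whose CPU share jumps only once the keyboard and mouse go quiet behaves unlike most user workloads, and the older flat 20 percent pattern is just as distinctive. The following is an added example, not Webroot's or Paladin's code; it assumes an endpoint agent can report per-process CPU share alongside seconds since last input, and the `Sample` records, thresholds and telemetry are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Sample:
    """One telemetry interval for a suspect process (constructed schema)."""
    idle_seconds: float   # seconds since last keyboard/mouse input, assumed agent field
    cpu_percent: float    # CPU share of the process during the interval


IDLE_AFTER_S = 300        # assumption: user counts as idle after 5 minutes of no input


def classify(samples, idle_after=IDLE_AFTER_S):
    """Label a process's CPU profile as idle-scaled-miner, constant-miner or benign."""
    idle = [s.cpu_percent for s in samples if s.idle_seconds >= idle_after]
    active = [s.cpu_percent for s in samples if s.idle_seconds < idle_after]
    if not idle or not active:
        return "insufficient-data"
    idle_mean, active_mean = mean(idle), mean(active)
    # Scaled miner: near-full CPU while the user is away, throttled while present.
    if idle_mean >= 80 and idle_mean >= 3 * active_mean:
        return "idle-scaled-miner"
    # Legacy miner: steady moderate load that ignores user activity entirely.
    all_cpu = idle + active
    if 10 <= mean(all_cpu) <= 40 and pstdev(all_cpu) < 5:
        return "constant-miner"
    return "benign"


# Constructed telemetry: (idle_seconds, cpu_percent) for three processes.
SCALED_MINER = [Sample(0, 4), Sample(30, 5), Sample(600, 97), Sample(1200, 99), Sample(1800, 98)]
FLAT_MINER = [Sample(0, 20), Sample(30, 21), Sample(600, 19), Sample(1200, 20), Sample(1800, 20)]
USER_APP = [Sample(0, 45), Sample(30, 60), Sample(600, 2), Sample(1200, 1), Sample(1800, 3)]


def triage():
    """Return the verdict for each constructed process."""
    return {name: classify(s) for name, s in
            [("scaled", SCALED_MINER), ("flat", FLAT_MINER), ("user_app", USER_APP)]}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

Legitimate idle-scheduled work such as search indexers and backup jobs will trip the same heuristic, so treat a hit as a triage signal to be confirmed against the process image and its network destinations rather than as a verdict.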

Despite the performance hit associated with cryptojacking, Munoz said customers of Paladin Consulting Group tend not to see it as a major issue. But if cryptojacking threatens to shorten the useful life of a $20,000 engineering computer, Munoz said customers will likely take it more seriously.

Munoz hasn’t seen any of Paladin’s customers affected by cryptojacking to date.

#2. Ransomware

Ransomware has evolved greatly over the last few years from the traditional scenario where everything is encrypted as soon as the user clicks on a malicious link, Luebke said. But today, Luebke said extensive reconnaissance work occurs before the adversary decides whether it’s worth encrypting the user’s files and data.

The threat actor will survey the user’s environment to determine what operating system they’re running, if it’s been patched, and what sort of information is on the computer, Luebke said. A salesperson with a bunch of Word documents on their machine likely isn’t worth encrypting since the victim organization is very unlikely to pay the ransom, according to Luebke.

But if the user has sensitive banking or healthcare information on their device and is unable to prevent their backup from being encrypted as well, Luebke said a ransomware attack would be much more appealing. Once adversaries have a good feel for what the user’s environment looks like, Luebke said they’ll decide whether or not to select something from the menu of ransomware payload options.

If the targeted user doesn’t have anything worth ransoming or has access to a clean backup of all their information, Luebke said the adversary will likely move on to cryptojacking to ensure they’re still making money on the back end.

Munoz said virtually all of Paladin’s customers are terrified of ransomware since there’s no guarantee the problem is solved even if they pay the ransom. Specifically, Munoz said that ransomware can be embedded into an organization’s backups, and that any devices impacted by ransomware need to be either replaced or reimaged without relying on infected backups before it’s safe to use them again.

#3. Remote Desktop Protocol

Remote Desktop Protocol, or RDP, is one of the only hacks with no real solution to protect against it beyond paying for encrypted software, Luebke said. The primary thing MSPs can do to protect their customers is educate them about the risks associated with free versions of RDP, since that provides intruders with an easy way to find open ports, drill down into them, and infect the user’s system.

Many MSPs think they’re secure using free versions of RDP so long as they change the port, but Luebke said there’s a lot of software out there like Shodan that can sniff out open ports. And once the adversary finds the open port, Luebke said they’ll likely be able to brute force their way in.

After the threat actor enters the open port, Luebke said they’ll use the stash of available usernames and passwords to elevate their privilege. At that point, Luebke said the hacker would have access to the targeted organization’s devices as well as their entire network, meaning that they can pretty much do anything they want on the victim’s machines.
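One defensive counterpart to the brute forcing Luebke describes is alerting on bursts of failed RDP logons per source address, regardless of which port the service listens on. This is an added example, not code from Webroot or the article; the log line format, addresses and usernames are constructed, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not any product's real format):
# <ISO timestamp> rdp auth-failure src=<ip> user=<name> port=<n>
FAIL_RE = re.compile(r"^(?P<ts>\S+) rdp auth-failure src=(?P<src>[\d.]+) user=(?P<user>\S+)")


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each source that reaches `threshold` failures inside any `window`
    to (peak failures in a window, sorted usernames it tried)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> usernames guessed
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:                 # successes and unrelated lines are ignored
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src = m["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        users[src].add(m["user"])
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return {src: (peak, sorted(users[src])) for src, peak in flagged.items()}


# Constructed sample: one guessing source cycling common account names within
# seconds, one user who mistyped a password twice, and one success (ignored).
SAMPLE_LOG = """\
2019-10-03T14:02:11Z rdp auth-failure src=203.0.113.7 user=administrator port=3389
2019-10-03T14:02:12Z rdp auth-failure src=203.0.113.7 user=admin port=3389
2019-10-03T14:02:13Z rdp auth-failure src=203.0.113.7 user=root port=3389
2019-10-03T14:02:14Z rdp auth-failure src=203.0.113.7 user=administrator port=3389
2019-10-03T14:02:15Z rdp auth-failure src=198.51.100.5 user=jsmith port=3389
2019-10-03T14:02:16Z rdp auth-failure src=203.0.113.7 user=admin port=3389
2019-10-03T14:02:17Z rdp auth-failure src=203.0.113.7 user=administrator port=3389
2019-10-03T14:02:40Z rdp auth-failure src=198.51.100.5 user=jsmith port=3389
2019-10-03T14:02:41Z rdp auth-success src=198.51.100.5 user=jsmith port=3389
"""

if __name__ == "__main__":
    for src, (peak, names) in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {peak} failures in a minute, tried {', '.join(names)}")
```

The detector keys on authentication failures rather than the listening port, so moving RDP off 3389 neither hides the service from scanners, as Luebke notes, nor blinds this check.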