Free Trials Of RMMs Are Being Used By Bad Actors: Blackpoint Cyber CEO

‘What we are watching the bad guys do is they get free trials of an RMM, then they phish you, they log into your VPN with stolen creds [credentials], they put the RMM down and they use that to put the ransomware down,’ says Blackpoint Cyber founder and CEO Jon Murchison.


Blackpoint Cyber founder and CEO Jon Murchison said bad actors are now using free trial versions of RMM tools to launch attacks.

“We are seeing definitely more use of free trials of RMM platforms being leveraged by the bad guys,” said Murchison in an interview with CRN. “So instead of putting down like a malware backdoor you put down another RMM agent and then the bad guy essentially leverages that to push his ransomware down because it is not going to flag [that].”

The managed detection and response provider has seen five or so cases over the last two and a half weeks where the bad actors were using free trials to launch attacks, said Murchison.



“What we are watching the bad guys do is they get free trials of an RMM, then they phish you, they log into your VPN with stolen creds [credentials], they put the RMM down and they use that to put the ransomware down,” said Murchison.

“The RMM companies need to have a lot more checks and balances on their free trial system—not just letting people [download them with no checks],” said Murchison. “I think a lot of the big ones do that [provide checks on who is allowed to access a free trial version] but there are some smaller ones that don’t and foreign ones [that don’t]. They need to make sure there is some sort of gate with the free trial. You can’t just sign up with a Gmail or some made-up account and get it. You need to talk to people. You need to know you are dealing with a real human and not a bad guy.”

In a blog post on May 10, Blackpoint Cyber pointed to threat actors “circumventing the cost” of developing enterprise-level software—“ranging anywhere from $50,000 to $750,000”—by using free trials.

“ScreenConnect [ConnectWise Control] only requires the user to provide an email address, password and the name of their preferred ScreenConnect URL,” wrote Blackpoint Cyber in the blog post. “TSD [Total Software Deployment] and SoftPerfect Network Scanner simply allow for the download of the product without any checks. Sadly, there are no measures in place to easily identify when threat actors are using trial versions of software. Nevertheless, the capabilities employed by these actors can still be identified and remediated.”

CRN reached out to Total Software Deployment and SoftPerfect Network Scanner but had not heard back at press time.

In an email response to CRN, ConnectWise Chief Product Officer Jeff Bishop said his company has “no information from partners or vendors to identify the account(s) in order to determine if it was a trial or a paid license.”

That said, ConnectWise had added machine learning and artificial intelligence to ConnectWise Control, whether free, trial or paid, to prevent malicious activity. “In addition, there are prompts to end clients that alert them that the technician is using a trial version of our product and that they should use caution,” he said.

Murchison said bad actors have gotten more savvy and are now using legitimate enterprise IT tools to launch attacks. “The message is MSPs really need to look at their software inventory, if they use one RMM and they see another one pop up, that should be something you pay attention to,” he said. “It is about having good inventory and control of the enterprise software that you use and that you have to use. RMMs are great. It is just that you have got to protect them like the crown jewels that they are. All we are saying is threat actors have wised up and that they can use an upstart or an old legacy freemium sort of RMM because if they can get it on the system somehow they can execute commands the way they need to. That is the lesson.”
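The inventory check Murchison describes, flagging a second remote-management agent that appears beside the MSP's standard RMM, can be automated against whatever software inventory the RMM or EDR already exports. The following is an added example written for this article, not Blackpoint Cyber's or CRN's code; the approved product, the list of remote-management product names and the inventory records are all constructed assumptions for illustration.

```python
"""Flag remote-management / deployment agents that are not the MSP's approved RMM.

Added example (not from the article). The approved product, the known-product
list and the inventory snapshots are constructed assumptions, not real data.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

InventoryRecord = Tuple[str, str, str]  # (hostname, product_name, version)

# Assumed: the single RMM platform this MSP has standardised on.
APPROVED_RMM = {"connectwise control"}

# Assumed, illustrative only: lowercase name fragments of products that give
# remote control or software deployment, mapped to a product family so that
# e.g. a "ScreenConnect" client is recognised as ConnectWise Control.
KNOWN_REMOTE_MGMT = {
    "connectwise control": "connectwise control",
    "screenconnect": "connectwise control",
    "total software deployment": "total software deployment",
    "anydesk": "anydesk",
    "teamviewer": "teamviewer",
    "splashtop": "splashtop",
}


def classify(product_name: str) -> Optional[str]:
    """Return the remote-management family a product belongs to, or None."""
    name = product_name.lower()
    for fragment, family in KNOWN_REMOTE_MGMT.items():
        if fragment in name:
            return family
    return None


def find_unexpected_rmm(inventory: Iterable[InventoryRecord]) -> Dict[str, List[str]]:
    """Map hostname -> products that are remote-management tools but not approved."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for host, product, _version in inventory:
        family = classify(product)
        if family is not None and family not in APPROVED_RMM:
            findings[host].append(product)
    return dict(findings)


def newly_appeared_rmm(
    baseline: Iterable[InventoryRecord], current: Iterable[InventoryRecord]
) -> List[Tuple[str, str]]:
    """Unapproved remote-management products present now but absent from the
    baseline snapshot: the 'another one pops up' case, sorted for stable output."""
    seen_before = {(host, product) for host, product, _ in baseline}
    new_pairs = {(host, product) for host, product, _ in current} - seen_before
    return sorted(
        (host, product)
        for host, product in new_pairs
        if (fam := classify(product)) is not None and fam not in APPROVED_RMM
    )


# Constructed sample snapshots (hostname, product, version).
BASELINE_INVENTORY: List[InventoryRecord] = [
    ("ws-01", "ConnectWise Control Client", "22.3"),
    ("ws-02", "ConnectWise Control Client", "22.3"),
    ("ws-02", "Google Chrome", "101"),
]
CURRENT_INVENTORY: List[InventoryRecord] = BASELINE_INVENTORY + [
    ("ws-02", "AnyDesk", "7.0"),
    ("ws-01", "Total Software Deployment", "2.1"),
]


if __name__ == "__main__":
    for host, products in find_unexpected_rmm(CURRENT_INVENTORY).items():
        print(f"{host}: unapproved remote-management tool(s) {products}")
    for host, product in newly_appeared_rmm(BASELINE_INVENTORY, CURRENT_INVENTORY):
        print(f"{host}: {product} appeared since the last snapshot")
```

Running it prints the two unexpected agents per host and, from the snapshot diff, which of them are new since the baseline. In practice the inventory would come from the RMM's own asset export or the EDR's installed-applications feed, and a hit is a triage item rather than proof of compromise, since a technician may have installed a second tool legitimately.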

Blackpoint Cyber, for its part, has put in place stringent controls for the free trial software that it issues to customers. “If someone can just sign up and there is no human in the loop, and you don’t vet the person before you give a free trial, then there is a chance a bad guy can get a hold of it,” he said. “You can’t even get into our platform without one, an invite from a real human and two, you get on a call and talk to us. Once we know who you are, then you get invited for a free trial.”

What kind of techniques are you seeing from the bad actors?

We just released a threat intel [intelligence information] report from our advisory pursuit group—think of it as like our skunk works unit. Our head of that unit was the former global director of all threat research for Cylance. His name is David Rushmer.

We just put out a threat intel report [on May 10]. We are definitely seeing more use of free trials of RMM platforms being leveraged by the bad guys. So instead of putting down like a malware backdoor, you put down another RMM agent and then the bad guy essentially leverages that to push his ransomware down because it is not going to flag [that]. It is going to be seen as a legitimate process. We’re definitely seeing that more specifically the BlackCat ransomware group [has been doing] that.

How much at risk are RMMs?

RMM tools are a requirement to be an MSP pretty much. The problem is when they are co-opted they are the best legitimate ... backdoor you could ever have.

So the point is you need to protect them as if they are the crown jewels because they are. That is probably at the root of CISA’s warning. It is just because the RMM platforms touch all of your customers. It is an agent that can operate with extreme privileges on every computer.

What we are watching the bad guys do is they get free trials of an RMM then they phish you, they log into your VPN with stolen creds [credentials], they put the RMM down and they use that to put the ransomware down.

Do you think the biggest issue is free trials being used by the bad actors?

That is a very big issue. The other big issue is people not having MFA [multifactor authentication] on their RMM.

Specifically the MFA one because that hits all of their customers—that is the most dire for MSPs.

Second to that we [need] to be smart and realize that the bad guys are using RMMs to evade AVs [antivirus] and EDRs [endpoint detection and response] to deploy the ransomware.

What is the biggest step RMM makers can take to stop these free trial threats?

The RMM companies need to have a lot more checks and balances on their free trial system—not just letting people [download them with no background checks]. I think a lot of the big ones do that but there are some smaller ones that don’t and foreign ones. They need to make sure there is some sort of gate with the free trial. You can’t just sign up with a Gmail or some made-up account and get it. You need to talk to people. You need to know you are dealing with a real human and not a bad guy.

Were you shocked by the bad actors using free trial RMMs?

No. We have been talking about it for a year now.

How many are you seeing?

There was about five or so in the last two and a half weeks.

We see a lot of attempted ransomwares all the time. I am saying we have seen five or so in the past week and a half that were leveraging free trials [of RMMs].

A lot of times it is a smaller, less-known RMM.

What do you do when you see that? Do you tell the RMM maker?

We have told some of them. But our No. 1 priority is just to stop the breach.

Can you quantify how many free trials are being used to launch attacks?

There has been five in the last two and half weeks at least in our SOC [Security Operations Center].

What was your reaction to the international advisory from the U.S. Cybersecurity and Infrastructure Agency [CISA] that warned there are new reports of increased malicious cyber activity targeting MSPs with an expectation of stepped-up attacks?

First off, I’m glad CISA put out the alert. I would say, though, we have not seen any sort of sharp increase in attacks. This warning is honestly a steady state of what we have been seeing for two years against MSPs. It is kind of a no-brainer. Extortion ransomware groups will absolutely go after an MSP. And they specifically love getting into their RMM platform because that allows you to hit a lot of victims at once.

I think the purpose of the advisory is to highlight that the MSP can be part of a supply chain attack that can affect end customers. It is kind of a warning to all the MSPs that you have got to massively up your defenses. For end customers leveraging an MSP, it shows the MSP needs to be secure and they as the customer need to be secure because MSPs are a target of opportunity.

Are you seeing nation-state attacks against MSPs?

When we talk nation-state attacks against MSPs, we see them—not too often. And it is usually against a customer of an MSP that does something in the defense community or has some sort of intellectual property that a country like China or whoever might want to steal. That is kind of what we see.

Threat research company Huntress says MSPs should not be alarmed by the CISA alert. What do you think?

I agree. I think they are just stating what has been going on. If you are an MSP and your livelihood depends on providing IT services to other companies and you know you are a big target for ransomware groups, you should already be acting with shields up 110 percent. One, it is the ethical thing to do for your customers. Two, the viability of your business relies on it.

I think this warning is just another good highlighter of the issue that MSPs need to up their game massively. I don’t want MSPs to think that there is some new zero-day [breach] or some new massive campaign that has been kicked off [by bad actors]. We just haven’t seen it and I don’t think any of the other cybersecurity companies have seen it. We see probably one to two responses a day where we are stopping an attempted mass ransom against a customer. It’s not on MSPs. It’s usually on the end customer.

This [CISA] warning is just keeping the topic alive and front of mind.

Do you think CISA and the government overstated the threat to MSPs?

CISA is doing a good job. But, remember, they get intel from all sorts of agencies that has to be analyzed, synthesized, put into a report, the report has to go through quality control and editing and then someone blesses the report to be released. I don’t know how long that process takes.

We have stopped so many breaches that are long gone and then the FBI shows up six months later to tell the company they had an attack against them.

This is absolutely going on. Ransomware groups know MSPs are juicy targets. Look at the Kaseya attempt last summer.

Do you think there is going to be a stepped-up increase in attacks on MSPs specifically from nation states?

That has always been going on. Do I expect that nation states might get clued in that, ‘Wow there are some pretty important customers of MSPs or large IT integrators when you look at the enterprise?’ Absolutely. Can we predict there is going to be a big increase or decrease? No, I just think it is pragmatic to realize it is a very viable targeting technique.

Will you do anything different in the wake of the new CISA alert?

No, we always operate at the same level. We are a 24/7 shop. So we operate at the same level we do always. These cyberattacks are very much like a virtual ambush. The point is you always have to operate as a defender of the information asymmetry advantage where we know the customer’s network better than the adversary. So we prey on them trying to figure out where they are and when it [the attack] is going to come. You just never know when it is going to come. So it doesn’t change our operations.

With the whole Kaseya event—we were one of the first crews to pick up on that—we knew this could happen. I will say I think Kaseya did a good job in the heat of the battle.

I will say that caused us to make new technology. So we went and built a worst, worst, worst case scenario capability in our agent that will automatically stop most ransomware variants before it causes too much damage. That is there as protection in case our own SOC and our own human response miss something or fail, or in a case where there is no time for a human to get involved because it is an exploit and then boom—instant encryption on the endpoint. So we came out with new technology just to kind of bring down that kind of supply chain attack risk on tools, specifically on IT tools.

How many MSP customers do you have?

Thousands.

One top MSP said he believes the majority of MSPs have not implemented all of the CISA recommendations. What do you think about that?

I think there is a pretty big gap. You have to understand the market breakdown, which is 70 percent of the MSPs out there in the world manage 500 endpoints or less.

So you have a large percentage of the MSP population that is still a new company so their technology stack and their knowledge [is limited]. It is hard enough to do IT and make a network work, let alone do all of that and secure that network with all of the best practices. So there is a gap, but I think as you go up to the larger more sophisticated MSPs it is a lot better. But we still have RDP [remote desktop protocol] open to the internet everywhere. We just stopped an attack today. Why? It was an end customer with RDP open to the internet. We see that all the time.