Looking behind the ConnectWise ransomware attacks

Posted Nov 9, 2019 by Tim Sandle
ConnectWise has announced that attackers have been targeting customers' on-premises Automate servers: once they take over the management server, they use it to deploy ransomware across a company's entire computer fleet. James Carder of LogRhythm Labs explains more.
ConnectWise is a Florida-based company that provides remote IT management software. According to ZDNet, attackers have been compromising on-premises installations of its Automate product and using them to push ransomware to the systems those servers manage. Following the attacks, the more than 100,000 IT professionals who use the product have been advised to block access to their ConnectWise Automate servers.
As SearchSecurity reports, it remains unclear "when the attacks occurred, what type of ransomware was used, how many ConnectWise customers were targeted and if any of the ransomware attacks were successful."
To understand a little more about this type of attack, Digital Journal checked in with James Carder, CISO and VP of LogRhythm Labs.
Carder explains why cyber-criminals are turning to ransomware: "Threat actors and criminals always look for the easiest way to break into an organization, while also being the most covert."
With ransomware specifically, cyber-criminals have a key goal in mind, according to Carder: "In cases like ransomware, the goal is to use the initial access into the environment to move to and compromise as many systems as possible. This allows the attacker to rapidly inflict as much pain as possible, bringing the company to its knees and maximizing the attacker’s reward."
For ransomware to spread at that speed, the attacker needs a single weak point that reaches every machine. According to Carder: "The most obvious entry point that satisfies this scenario is an approved, privileged, understood, knowledgeable, and centralized system used to manage a company's computer systems. If an attacker compromises that system, he gets unfettered access to the entire environment. Moreover, he can thwart many security operations teams."
All too often this ends up being remarkably easy, as Carder notes: "Installing software (since ransomware is nothing more than software) is likely standard operating procedure for that system, so it still appears to be acting normally. This tactic is nothing new to security incidents and breaches; nation state threat actors and others have used it for decades."
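The point Carder makes is that a management server pushing software to endpoints is normal, so a signature for "ransomware being installed" is not what catches this tactic; what stands out is the shape of the activity: one account deploying one package to far more hosts, far faster, than any routine job. The following detector is an added example written for this article, not code from ConnectWise, LogRhythm or the author. The log line format, field names, account names, hostnames and the package name "update.exe" are all constructed for illustration and do not reflect ConnectWise Automate's real audit log; the ten-minute window and 25-host threshold are assumed values that would need tuning to an environment's normal patch cadence.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed line format (an assumption, not Automate's real audit log):
# <ISO timestamp> user=<account> action=<verb> target=<host> package=<file>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) package=(?P<package>\S+)$"
)


def parse_event(line):
    """Parse one deployment audit line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_mass_deployments(lines, window=timedelta(minutes=10), min_targets=25):
    """Flag (user, package) pairs that reached min_targets distinct endpoints
    within any rolling window of the given length. Returns one alert per pair,
    reporting the peak number of distinct hosts seen in a single window."""
    events = [e for e in (parse_event(l) for l in lines) if e and e["action"] == "deploy"]
    events.sort(key=lambda e: e["ts"])

    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["package"])].append(e)

    alerts = []
    for (user, package), evs in by_key.items():
        in_window = Counter()  # distinct targets currently inside the sliding window
        start, peak, span = 0, 0, None
        for end_ev in evs:
            in_window[end_ev["target"]] += 1
            # Slide the window forward until it spans no more than `window`.
            while end_ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["target"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > peak:
                peak, span = len(in_window), (evs[start]["ts"], end_ev["ts"])
        if peak >= min_targets:
            alerts.append({"user": user, "package": package, "targets": peak,
                           "first": span[0], "last": span[1]})
    return alerts


def constructed_sample():
    """Constructed sample data: a routine rollout plus a burst resembling the tactic above."""
    lines = []
    # Benign: a technician pushes a PDF reader update to 12 workstations over three hours.
    base = datetime(2019, 11, 8, 9, 0, 0)
    for i in range(12):
        ts = base + timedelta(minutes=15 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user=helpdesk1 action=deploy "
                     f"target=WS-{i:03d} package=AcrobatReader-19.021.msi")
    # Non-deploy activity and a malformed line, both of which the detector must ignore.
    lines.append("2019-11-08T12:00:00Z user=helpdesk1 action=login target=CONSOLE package=-")
    lines.append("corrupted audit record")
    # Suspicious: at 02:13 one account pushes an unfamiliar binary to 40 servers in 78 seconds.
    burst = datetime(2019, 11, 9, 2, 13, 0)
    for i in range(40):
        ts = burst + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user=svc_automate action=deploy "
                     f"target=SRV-{i:03d} package=update.exe")
    return lines


if __name__ == "__main__":
    for a in find_mass_deployments(constructed_sample()):
        print(f"ALERT {a['user']} pushed {a['package']} to {a['targets']} hosts "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The benign rollout never has more than one host inside any ten-minute window, so it stays quiet; the burst reaches 40 distinct hosts in 78 seconds and fires. In practice a monthly patch push can legitimately hit hundreds of hosts, so the threshold should be baselined per account and per package rather than fixed, and a second signal worth adding is a package or account that has never deployed before. None of this stops the deployment; it gives the security operations team the chance Carder says the attacker is trying to deny them.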
This means companies need to get the basics right: identify the entry points an attacker would most want, above all the privileged, centralized systems that manage the rest of the fleet, restrict who can reach them, and put controls in place that would notice those systems being misused.