A ransomware attack targeted MSPs via phishing emails, deploying Qilin ransomware across customer environments.
Ransomware Attack Targets MSPs via Phishing Campaign
Victims of a recent ransomware attack were tricked into clicking a link titled “Login and review the security alert,” which directed them to a malicious domain (cloud.screenconnect[.]com.ms) mimicking the legitimate ScreenConnect login page.
Sophos researchers linked the attack to a ransomware affiliate group, STAC4365, active since late 2022. The attackers used spoofed domains to mimic ScreenConnect URLs, with at least 25 malicious domains identified since November 2022.
Once they gained access to administrator credentials, the attackers bypassed multi-factor authentication by intercepting the time-based one-time password (TOTP). This allowed them to establish an authenticated session and gain super administrator privileges in the legitimate ScreenConnect environment.
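The spoofed domain described above works because "screenconnect.com" appears inside a hostname that is actually registered under a different suffix (.com.ms). The following Python script is an added example, not code from Sophos or from the report, that flags such lookalike hosts in proxy logs. It assumes a constructed log format of `<timestamp> <user> <url>` and assumes that the organisation's legitimate ScreenConnect instances live only under screenconnect.com; both are assumptions, not facts from the page.

```python
from urllib.parse import urlsplit

# Hosting suffixes treated as legitimate ScreenConnect infrastructure.
# Assumption for this example: the organisation's own instance lives under screenconnect.com.
LEGIT_SUFFIXES = ("screenconnect.com",)
BRAND = "screenconnect"


def refang(url):
    """Undo the [.] defanging used in reports so the URL can be parsed."""
    return url.replace("[.]", ".")


def hostname_of(url):
    """Lower-cased hostname of a URL, or None when there is no parseable host."""
    host = urlsplit(refang(url)).hostname
    return host.rstrip(".") if host else None


def is_legit_host(host):
    """True when host is exactly a legitimate suffix or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def is_lookalike(host):
    """Flag hosts that carry the brand name but are not under a legitimate suffix.

    This catches cloud.screenconnect.com.ms, where 'screenconnect.com' is merely
    a pair of labels inside a domain registered under .com.ms.
    """
    return BRAND in host and not is_legit_host(host)


def flag_lookalikes(log_lines):
    """Return (user, host) pairs for log lines whose URL points at a lookalike host.

    Each line is expected as '<timestamp> <user> <url>' (a constructed format).
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        host = hostname_of(fields[2])
        if host and is_lookalike(host):
            hits.append((fields[1], host))
    return hits


# Constructed sample proxy log. The first URL uses the domain named in the report;
# the other hosts are invented for the example.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z alice https://cloud.screenconnect[.]com.ms/Login",
    "2024-05-01T10:02:00Z bob https://example.screenconnect.com/Host",
    "2024-05-01T10:05:00Z carol https://screenconnect.com.evil.example/Login",
    "2024-05-01T10:07:00Z dave https://mail.example.com/inbox",
]

if __name__ == "__main__":
    for user, host in flag_lookalikes(SAMPLE_LOG):
        print(f"lookalike ScreenConnect host visited by {user}: {host}")
```

The check is deliberately suffix-based rather than substring-based: a genuine subdomain such as example.screenconnect.com passes, while any host that merely contains the brand string elsewhere is reported for review.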
Infection Mechanism and Lateral Movement
The attack began with deploying a malicious ScreenConnect instance via ‘ru.msi’. The attackers then used tools like PsExec and WinRM for lateral movement and exploited CVE-2023-27532 to access unencrypted Veeam Cloud Backup credentials.
They also used WinRAR to compress data before exfiltrating it via easyupload.io, browsing in Incognito mode so that the uploads left fewer local browser artifacts.
Before deploying Qilin ransomware, the attackers targeted backup solutions and altered boot options so that systems restarted in Safe Mode with Networking, a configuration in which many endpoint security agents do not load, thereby bypassing security controls. The ransomware was deployed with a unique 32-character password for each affected customer.
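Forcing a reboot into Safe Mode with Networking is normally done by editing the boot configuration, which leaves a process-creation record. The Python script below is an added example, not code from Sophos or the report, that parses constructed process-creation records of the shape `<host>|<user>|<command line>` (an assumed format) and reports bcdedit invocations that set or remove the safeboot element. The sample records are constructed for the example.

```python
import re

# Matches a bare or fully qualified bcdedit / bcdedit.exe invocation and captures its arguments.
BCDEDIT_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?bcdedit(?:\.exe)?"?\s+(?P<args>.*)$', re.IGNORECASE
)


def parse_bcdedit(cmdline):
    """Describe a bcdedit change to the safeboot element, or return None.

    Handles '/set [{id}] safeboot <mode>' and '/deletevalue [{id}] safeboot';
    when no boot-entry identifier is given, bcdedit targets {current}.
    """
    m = BCDEDIT_RE.match(cmdline)
    if not m:
        return None
    toks = m.group("args").split()
    if not toks:
        return None
    verb = toks[0].lower()
    rest = toks[1:]
    ident = "{current}"
    if rest and rest[0].startswith("{"):
        ident = rest.pop(0).lower()
    if not rest or rest[0].lower() != "safeboot":
        return None
    if verb == "/set" and len(rest) >= 2:
        return {"action": "set", "entry": ident, "mode": rest[1].lower()}
    if verb == "/deletevalue":
        return {"action": "delete", "entry": ident, "mode": None}
    return None


def detect_safeboot_tampering(events):
    """Return (host, user, action, mode) for every record that changes safeboot."""
    alerts = []
    for rec in events:
        parts = rec.split("|", 2)
        if len(parts) != 3:
            continue
        host, user, cmd = parts
        change = parse_bcdedit(cmd)
        if change:
            alerts.append((host, user, change["action"], change["mode"]))
    return alerts


# Constructed process-creation records: '<host>|<user>|<command line>'.
SAMPLE_EVENTS = [
    r"srv01|CORP\admin|bcdedit /set {default} safeboot network",
    r"ws07|CORP\jdoe|bcdedit /enum",
    r"srv02|CORP\admin|C:\Windows\System32\bcdedit.exe /set safeboot minimal",
    r"srv03|SYSTEM|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"srv01|CORP\admin|bcdedit /deletevalue {default} safeboot",
    r"ws03|CORP\jdoe|notepad.exe report.txt",
]

if __name__ == "__main__":
    for host, user, action, mode in detect_safeboot_tampering(SAMPLE_EVENTS):
        print(f"{host}: {user} {action} safeboot" + (f" -> {mode}" if mode else ""))
```

Both the set and the delete are worth alerting on: the set precedes the reboot into Safe Mode, and the delete is the cleanup that returns the machine to a normal boot after the payload has run. Other bcdedit changes, such as bootstatuspolicy, are intentionally left to separate rules.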