Cyber Hacking MSPs!

It has been reported that Hackers working within China’s Ministry of State Security have hacked into networks of eight well known Managed Service Providers as part of an agenda to steal commercial secrets from the MSPs’ customers, as you can see in this Reuters report.


Known as the Island Hopper attacks, they were able to attack:

The service providers downplayed the attacks or decided to withhold all comments about the alleged attacks to Reuters.

Managed Service Providers: A window of opportunity to hackers-a risk to MSPs & Client Systems

The hackers used Managed Service Provider networks as a means to an end into customer’s operating systems, Reuters reported. The victim systems include Ericsson, U.S. Navy shipbuilder Huntington Ingalls Industries, and travel reservation system Sabre, Reuters said.

Reports of these attacks first began in December 2018. At that time, only HPE and IBM were mentioned in news coverage about the cyber criminal attacks. Now it has come out that Reuters has now identified all eight service providers by name.

Small MSPs under Attack

Hackers have been hitting MSPs of all sizes and not just locally, but globally. The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about these dreaded cyber attacks.

It is about time that MSPs are pursuing more effective: risk mitigation, cybersecurity, and data protection strategies for themselves and their clientele.

In one shocking story about a recent attack, an MSP had no choice but to appease hacker demands and paid $150,000+ in ransom to recover their data. In other situations, it has recently been revealed that some IT consulting and cyber security companies that claim to clean up ransomware are actually secretly paying attackers as part of their ransomware recovery services.

Recently, a ransomware operation known as GandCrab Ransomware was shut down. Partners are looking to fill the hole left behind with other ransomware. For example: Sodinokibi Ransomware, whose partners are using a wide range of sneaky tactics to distribute ransomware and earn a commission.

This is displayed as a domino effect of attacks involving the hacking of well known websites; they do this by replacing a download with GandCrab, then are able to hack into managed service providers (MSPs) to push Sodinokibi to managed operating systems, and by deploying spam email campaigns to entangle their victims in their web.

All of these hacking campaigns end with the same result; a victim who has their files encrypted and a nasty ransom note explaining how to pay a ransom to get them back.

Sodinokibi Ransom Note

Below we outline three recent campaigns that Sodinokibi affiliates have been using over the past couple of days to gain wider distribution of the ransomware and thus more payments.

Managed Service Provider (MSP) Hacks

Similar to a previous MSP hacks by GandCrab affiliates, news started circulating yesterday on the /r/msp Reddit about MSPs being hacked to push Sodinokibi Ransomware to clients.

Sodinokibi conducted these attacks by accessing the networks via Remote Desktop Services and then utilizing the MSP’s management console to push ransomware installers to all of the end points that they manage.

Kyle Hanslovan, the CEO of MSP security provider Huntress Labs, reports that one of the attacks against a large MSP was compromised through their Webroot antivirus.

A picture of a MSPs Webroot Management Console that was posted to the Reddit thread shows a PowerShell command being pushed to all of the end points.

Webroot Management Console Logs

According to ZDNet, in order to disrupt ongoing attacks, Webroot emailed customers to tell them that they have logged everyone out of their Webroot Management Consoles and enabled mandatory 2 Factor Authentication.

Email from Webroot

Allegedly, a second attack appeared to have used the MSP’s Kaseya VSA console to push a file called 1488.bat to operating systems and execute it. Once executed, it’d install the ransomware.

BleepingComputer was able to gain access to the 1488.bat batch file and it contained an base64 encoded PowerShell command that decodes to the following script. When executed the script will download and execute a script from Pastebin, which includes a base64 encoded Sodinokibi installer.

1488.bat PowerShell Command

A third MSP was hacked where the attackers pushed the ransomware through a system called ConnectWise Control.

In this instance, Webroot was disabled from the management console. However, ConnectWise Control (ScreenConnect) was used to install the ransomware.

In total, 200 hosts were successfully encrypted by the shifty Sodinokibi Ransomware. Spam

Hackers have used spam campaigns in the past to distribute and install the Sodinokibi Ransomware; this is a continuous

A new spam campaign was discovered recently that pretends to be a “New Booking” on the site Spam

Attached to this email is a malicious Word document with names like “ 1571165841.doc” that asks you to “Enable Content” in order to access the booking information.

Shifty Word Document

Once you click enable the content, embedded bugs will download Sodinokibi from a remote site.


WinRar Hack

Sodinokibi hackers are also targeting sites that host downloads in order to replace certain software with ransomware. Last but not least, a distributor for WinRar located in Italy, was hacked to distribute the vicious ransomware installer.

It was reported that the file downloaded was Sodinokibi  instead of the correct setup of WinRar.

You can see a process graph below for the Any.Run  session that shows how the winrar-x64-571it (1).exe file was actually the installer for the ransomware. This means that they didn’t just send the usual hack but deployed a malicious “agent” program that can install the hacked files and spread like wildfire.

 Process from Any.Run Session


This is what their site looks like currently; it’s been taken down while they resolve these horrid issues.