In an incident that unfolded across the closing months of 2019, an attacker posted an offer on the dark web to sell access to a control panel used by the MSP to manage servers for approximately 20 clients, including law firms, accounting practices, and a pharmaceutical company.
The successful effort to identify the targeted MSP, warn them of the theft, and help them mitigate the impact involved critical assistance from ConnectWise. Huntress CEO Kyle Hanslovan discussed those efforts with ChannelPro during ConnectWise’s IT Nation Connect event last October in Orlando, but requested confidentiality to protect the MSP and their end users until remediation was complete.
“Security is one of those things that if you get it wrong and tip the hacker off, we can make it way worse for an MSP, and there’s no reason to do that,” Hanslovan said last year.
Actions to protect the MSP and investigate the hacker were coordinated through an MSP information sharing and analysis center (MSP-ISAC) quietly formed by Datto, Huntress, ConnectWise, and Kaseya last summer, and since joined by numerous other vendors who exchange threat information through a Slack channel.
“Threat-sharing is super critical,” Hanslovan told ChannelPro last year. “If MSPs don’t get behind their own, we’re not going to progress.”
The story publicly disclosed today began last October, when Datto employees performing a routine dark web scan spotted a post by someone claiming to have successfully gained administrative access to a control panel used by an unidentified MSP to manage virtual private servers for its clients. Passwords for each of those clients, the post said, could be acquired through the management console as well. The hacker, identified as “w0zniak”, offered to sell the stolen credentials for $600 in Bitcoins.
Datto brought the discovery to the MSP-ISAC, and Huntress soon began efforts to determine who the compromised MSP was and acquire intelligence about the attacker. Using an assumed identity, the vendor offered to pay $500 in Bitcoin for information on how w0zniak got access to the MSP’s control panel.
“I’d want proof of access (screenshots), learn how you got in, (phishing, RCE, RDP), customer list, proof of number of computers, list of compromised user accounts,” the Huntress message said.
“I was able to get in via phishing the credentials,” the hacker replied. “User accounts, customer list, and compromised accounts I can show via screenshots…MSP is a great target because of the plethora of clients.”
The attacker did subsequently provide screenshots of the stolen panel. Clues in those images helped Huntress identify the victimized MSP. Additional hints suggested that they were a ConnectWise partner. Concerned that the MSP would be unlikely to believe a security warning from a vendor they hadn’t worked with before, the Huntress team approached then-ConnectWise Chief Information Security Officer and MSP-ISAC member John Ford, who notified the MSP about the theft.