On June 20, it was reported that compromised credentials were used to access improperly secured accounts on a widely used Anti-Virus management platform from Webroot and a popular Remote Management platform for Managed Service Providers. Based on initial reporting from our partners at Huntress Labs, the administrative credentials belonging to some Managed Service Providers were compromised, and the platforms were used to distribute ransomware.
Both Webroot and the Remote Management tool allow system administrators to run any command with full access to your managed systems. While these are critical tools we use to do our job, it’s extremely important that we take strong measures to protect them.
Your IT Service Provider has administrative access to your environment. Of course, they need access to do their job. Your ITSP should be taking key steps to protect themselves from these types of attacks, including using two-factor authentication and ensuring that their passwords are changed frequently.
It never hurts to have a conversation with your provider and ask them how they protect not only you but also themselves from cyberattacks. IT Service Providers are massive targets for cyberattacks because we have so much control over multiple companies’ IT assets.
Steps We’ve Taken
As a Webroot partner ourselves (many of our customers are secured by Webroot), we’ve been paying very close attention to this news as it unfolds. Out of an abundance of caution, we have made sure all of our accounts got a fresh password. We also require two-factor authentication or Single Sign-On in order to access our systems. These steps, combined with threat detection and regular review of our audit logs, help us ensure our access is secure.
Further, we audit every action taken on our systems by any account on those systems. This means we can always go back and see which account took which action and when. This makes identifying the “why” much easier. Any time there is any sort of staff turnover, we have the ability to audit any customer information they’ve recently accessed, and we change security information as necessary.
By leveraging Kirbside 365 internally, as well as the same Stellar Security Stack we offer our customers, we have implemented tight controls over access to our protected data without causing undue friction for the people that Make IT Easy on our behalf.