Qilin Operators Mimic ScreenConnect Login Page to Deliver Ransomware & Gain Admin Access

A sophisticated ransomware attack targeted Managed Service Providers (MSPs) through well-crafted phishing emails designed to appear as authentication alerts for their ScreenConnect Remote Monitoring and Management (RMM) tool.

This attack resulted in the deployment of Qilin ransomware across multiple customer environments, showcasing the continued vulnerability of MSPs as supply chain targets.

The attack began with a highly convincing phishing email alerting administrators to an alleged unauthorized login to their ScreenConnect instance.

Phishing email received by the targeted administrator (Source – Sophos)

When victims clicked the “Login and review the security alert” link, they were directed to a malicious domain (cloud.screenconnect[.]com.ms) that perfectly mimicked the legitimate ScreenConnect login page.

Sophos researchers identified this campaign as the work of a ransomware affiliate tracked as STAC4365, which has been conducting similar operations since late 2022.

The threat actors leveraged domains specifically designed to spoof legitimate ScreenConnect URLs, with at least 25 malicious domains identified dating back to November 2022.
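Spotting domains of this kind in proxy or mail logs comes down to checking whether a hostname that contains the brand name actually sits under the legitimate apex domain. The Python below is an added example, not code from Sophos or the article; the log format and every domain except cloud.screenconnect[.]com.ms and screenconnect.com are constructed.

```python
import re
from urllib.parse import urlparse

# Brand token and legitimate apex domain, as named in the article.
BRAND_TOKEN = "screenconnect"
LEGIT_APEX = "screenconnect.com"

# Constructed sample proxy-log lines (not from the article): "<timestamp> <user> <url>"
SAMPLE_LOG = """\
2025-08-12T09:14:02Z admin https://cloud.screenconnect[.]com.ms/Login?user=admin
2025-08-12T09:15:40Z admin https://cloud.screenconnect.com/Login
2025-08-12T09:16:11Z jdoe https://screenconnect-support.example.net/reset
2025-08-12T09:17:30Z jdoe https://docs.connectwise.com/ScreenConnect_Documentation
"""

def refang(text: str) -> str:
    """Turn defanged indicators such as 'example[.]com' or 'hxxps://' back into real form."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def hostname_of(url: str) -> str:
    """Extract the lowercase hostname from a (possibly defanged) URL."""
    host = urlparse(refang(url)).hostname or ""
    return host.lower().rstrip(".")

def is_legit_host(host: str) -> bool:
    """True only for the apex domain itself or a genuine subdomain of it."""
    return host == LEGIT_APEX or host.endswith("." + LEGIT_APEX)

def is_lookalike(host: str) -> bool:
    """A host that carries the brand token but is not under the legitimate apex.
    This catches 'brand.com.<other-tld>' registrations like the one in this
    campaign, as well as brand-in-subdomain and hyphenated variants."""
    return BRAND_TOKEN in host and not is_legit_host(host)

def flag_lookalikes(log_text: str) -> list[tuple[str, str]]:
    """Return (user, host) pairs for every log line that points at a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        user, url = parts[1], parts[2]
        host = hostname_of(url)
        if is_lookalike(host):
            hits.append((user, host))
    return hits

if __name__ == "__main__":
    for user, host in flag_lookalikes(SAMPLE_LOG):
        print(f"lookalike ScreenConnect host visited by {user}: {host}")
```

The path component is deliberately ignored, so a legitimate page that merely mentions ScreenConnect in its URL path is not flagged.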

Upon gaining access to the administrator’s credentials, the attackers bypassed multi-factor authentication by intercepting the time-based one-time password (TOTP) sent to the administrator.

This adversary-in-the-middle technique allowed the attackers to establish an authenticated session within the legitimate ScreenConnect environment, granting them super administrator privileges.

Infection Mechanism and Lateral Movement

The infection chain began with the deployment of a malicious ScreenConnect instance via a file named ‘ru.msi’.

The attackers then utilized this backdoor to perform network enumeration, reset credentials, and deploy a variety of tools for lateral movement, including PsExec, NetExec, and WinRM.

A key element of the attack was the download of “veeam.exe,” designed to exploit CVE-2023-27532, a vulnerability in the Veeam Cloud Backup service that allows unauthorized access to unencrypted credentials.

The attackers also used WinRAR to compress data before exfiltrating it to easyupload.io, browsing in Google Chrome’s Incognito mode to limit the forensic traces left behind.

Prior to ransomware deployment, the attackers methodically targeted backup solutions and modified boot options to ensure systems would restart in Safe Mode with networking, effectively bypassing security controls.

The Qilin ransomware was then deployed with unique 32-character passwords for each customer environment, demonstrating the attackers’ awareness that they were targeting multiple distinct organizations through the compromised MSP.


Tushar Subhra Dutta
Tushar is a cybersecurity content editor with a passion for creating engaging and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology, and other news.