ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah

    IT Discussion
    msp ransomware security breach
    21
    111
    12.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • LilAngL
      LilAng
      last edited by

      LOL, this did not age well. e4f95362-b0f0-494c-a7f9-b34999bf6828-image.png

      DustinB3403D scottalanmillerS 2 Replies Last reply Reply Quote 2
      • DustinB3403D
        DustinB3403 @LilAng
        last edited by

        @LilAng said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

        LOL, this did not age well. e4f95362-b0f0-494c-a7f9-b34999bf6828-image.png

        The only way it could've been worse is if they said "We're all vulnerable to emergencies (because of Protek), but if you are prepared. . . ."

        1 Reply Last reply Reply Quote 3
        • scottalanmillerS
          scottalanmiller @LilAng
          last edited by

          @LilAng said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

          LOL, this did not age well. e4f95362-b0f0-494c-a7f9-b34999bf6828-image.png

          I had seen that one... two weeks before their compromise was discovered! They might have already been infected by that point!

          1 Reply Last reply Reply Quote 1
          • scottalanmillerS
            scottalanmiller
            last edited by

            Been another month, and no response here, and their feeds are still totally silent. They just popped into my head and I thought that I'd look up to see if they had made any announcements or anything about their situation yet. Guess not. But BAU seems to have totally died that day.

            1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller
              last edited by

              Another company follow up while I'm thinking about them. Their social media has remained totally silent since Feb 4th. And their blog that was always a twice weekly thing has been silent since a few days before that. The news reports definitely continue to seem to have been real, contrary to what they stated.

              Screenshot from 2019-05-19 21-26-18.png

              Goes to their blog one week before the compromise.

              IRJI 1 Reply Last reply Reply Quote 1
              • scottalanmillerS
                scottalanmiller
                last edited by

                Another MSP had this happen.

                https://mangolassi.it/topic/20069/wide-ransomware-virus-infection-sourced-from-3rd-party-it-s-remote-agents/

                Just followed up to see that ProTek is still silent, and still hasn't responded here about the claim that they didn't have this happen.

                1 Reply Last reply Reply Quote 0
                • IRJI
                  IRJ @scottalanmiller
                  last edited by

                  @scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                  Another company follow up while I'm thinking about them. Their social media has remained totally silent since Feb 4th. And their blog that was always a twice weekly thing has been silent since a few days before that. The news reports definitely continue to seem to have been real, contrary to what they stated.

                  Screenshot from 2019-05-19 21-26-18.png

                  Goes to their blog one week before the compromise.

                  The title of the article is correct. Just remove the dash

                  CCWTechC RojoLocoR 2 Replies Last reply Reply Quote 4
                  • CCWTechC
                    CCWTech @IRJ
                    last edited by

                    @IRJ said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                    @scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                    Another company follow up while I'm thinking about them. Their social media has remained totally silent since Feb 4th. And their blog that was always a twice weekly thing has been silent since a few days before that. The news reports definitely continue to seem to have been real, contrary to what they stated.

                    Screenshot from 2019-05-19 21-26-18.png

                    Goes to their blog one week before the compromise.

                    The title of the article is correct. Just remove the dash

                    Oh now that is funny crap!

                    1 Reply Last reply Reply Quote 1
                    • RojoLocoR
                      RojoLoco @IRJ
                      last edited by

                      @IRJ remove the dash and add a colon after "mistakes"...

                      1 Reply Last reply Reply Quote 2
                      • PhlipElderP
                        PhlipElder @scottalanmiller
                        last edited by PhlipElder

                        @scottalanmiller said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                        So we heard from customers of Protek Support in Salt Lake City that the MSP has been hit with ransomware that has gone on to hit all of their clients as well. From what we understand, they are currently on four days of customers being without their files and they aren't cleaning them up yet. We would suspect that their internal systems have been hit and they are tied up dealing with that.

                        Pretty good timing considering we just posted about this MSP Risk a few days ago.

                        How do MSPs survive this kind of level of destruction? Are clients talking to each other? Are clients going on to talk to other MSPs and look for assistance when their main support is gone?

                        We rarely think about how the MSP itself would be offline indefinitely and potentially unable to function in the case of a breach like this. But in this case, it looks like the MPS has been impacted to such a degree that they aren't even able to start helping customers yet. Four days with no action is a lifetime to an impacted business. Something like a hundred customers down for a whole week with no end in sight, it sounds like.

                        Each customer is going to need every machine - desktops, servers, storage, etc. to be totally wiped, reloaded, and restored. Imagine the manpower necessary to do that.

                        WiPro outsourcing giant breach: https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/

                        PCM MSP Breach: https://krebsonsecurity.com/2019/06/breach-at-cloud-solution-provider-pcm-inc/

                        Ongoing mess: https://www.insynq.com/support/#status

                        2019-07-29 Twitter - iNSYNQ.PNG
                        ^^^ Note the word meticulous in the "we've cleaned things out" paragraph. SMH

                        CCH Walters Kluwer: https://www.accountingtoday.com/news/the-wolters-kluwer-cch-outage-what-happened

                        Maersk: Saved by a physical DC that was off in Africa after a power outage.

                        MSPs: Vulnerabilities in RMM/PSA software allowed compromise a while back.

                        Bing Search: MSP Breach

                        Privileged Access Workstation is the only way to go today. There needs to be an air-gap between systems being used to manage clients/customers and the MSP's day to day production systems.

                        There is no excuse for not segmenting operations, administration, cloud services systems, backup systems, and more. None. Nada. Zippo. Zilch.

                        Oh, and this:
                        2018-11-20 Malware-Traffic-Analysis.PNG
                        Courtesy of Malware-Traffic-Analysis. It's virtually always the human.

                        dafyreD 1 Reply Last reply Reply Quote 1
                        • dafyreD
                          dafyre @PhlipElder
                          last edited by

                          @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                          Privileged Access Workstation is the only way to go today. There needs to be an air-gap between systems being used to manage clients/customers and the MSP's day to day production systems.

                          Agreed. The MSP doesn't need to be connected to their customer 24x7.

                          1 Reply Last reply Reply Quote 1
                          • dafyreD
                            dafyre
                            last edited by dafyre

                            For the couple of sites I manage some stuff for, I have separate VMs (on my end) for each of them. Each VM has only the VPN client for the client I am connecting to.

                            Edit: Passwords are different for each VM, as well as each VPN connection as well.

                            PhlipElderP 1 Reply Last reply Reply Quote 0
                            • PhlipElderP
                              PhlipElder @dafyre
                              last edited by

                              @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                              For the couple of sites I manage some stuff for, I have separate VMs (on my end) for each of them. Each VM has only the VPN client for the client I am connecting to.

                              Edit: Passwords are different for each VM, as well as each VPN connection as well.

                              Catch is, the VMs need to be accessed from a system that has nothing to do with day-to-day operations. None.

                              dafyreD 1 Reply Last reply Reply Quote 0
                              • dafyreD
                                dafyre @PhlipElder
                                last edited by

                                @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                For the couple of sites I manage some stuff for, I have separate VMs (on my end) for each of them. Each VM has only the VPN client for the client I am connecting to.

                                Edit: Passwords are different for each VM, as well as each VPN connection as well.

                                Catch is, the VMs need to be accessed from a system that has nothing to do with day-to-day operations. None.

                                I think I get your thinking... but for clarity's sake: Why?

                                PhlipElderP 1 Reply Last reply Reply Quote 0
                                • PhlipElderP
                                  PhlipElder @dafyre
                                  last edited by PhlipElder

                                  @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                  @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                  @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                  For the couple of sites I manage some stuff for, I have separate VMs (on my end) for each of them. Each VM has only the VPN client for the client I am connecting to.

                                  Edit: Passwords are different for each VM, as well as each VPN connection as well.

                                  Catch is, the VMs need to be accessed from a system that has nothing to do with day-to-day operations. None.

                                  I think I get your thinking... but for clarity's sake: Why?

                                  The whole point of a Privileged Access Workstation setup is to keep things separate.

                                  As soon as I manage client systems from this system I'm sitting at there is no guarantee of protection.

                                  The idea is to keep an air-gap in there.

                                  I remember a story of a small MSP that not too long ago got compromised. As it turns out, the perps that got in on their system managed to get in to the balance of the MSP's clients. Why? They had saved the passwords in the RDP files for their client's servers. Duh.

                                  All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                                  dafyreD 1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender
                                    last edited by

                                    Basically you're saying that every admin at an MSP should have two machines - one for managing clients, and one for MSP related email/web surfing, etc.

                                    PhlipElderP 1 Reply Last reply Reply Quote 0
                                    • PhlipElderP
                                      PhlipElder @Dashrender
                                      last edited by

                                      @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                      Basically you're saying that every admin at an MSP should have two machines - one for managing clients, and one for MSP related email/web surfing, etc.

                                      https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/

                                      1 Reply Last reply Reply Quote 0
                                      • dafyreD
                                        dafyre @PhlipElder
                                        last edited by

                                        @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                        All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                                        There's always going to be that risk or one absentminded click.

                                        Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                                        However if your admin machine is owned, you have bigger issues to start with.

                                        DashrenderD 1 Reply Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender @dafyre
                                          last edited by

                                          @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                          @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                          All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                                          There's always going to be that risk or one absentminded click.

                                          Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                                          However if your admin machine is owned, you have bigger issues to start with.

                                          Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                                          scottalanmillerS PhlipElderP 2 Replies Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @Dashrender
                                            last edited by

                                            @Dashrender said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                            @dafyre said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                            @PhlipElder said in Protek Support MSP Ransomware Hits Customers in Salt Lake City, Utah:

                                            All it takes is one absentminded click or drive-by that's completely shielded from us as we go about the day to day stuff and it's done. Game over. Say, "Bubbye".

                                            There's always going to be that risk or one absentminded click.

                                            Granted an Air-gapped PWA is a good way to handle it.... but so is not saving passwords in RDP files (I don't do this), and if you use an app like MobaXterm that can encrypt the files for you, use a good pass phrase.

                                            However if your admin machine is owned, you have bigger issues to start with.

                                            Well, the idea is that the air-gapped machine won't ever be in a situation to become compromised, is my guess. I haven't had a chance to look at the MS link Philip sent earlier.

                                            It will be, because a human always has to use it at the end of the day. A used system is an at risk system. Less risk, certainly. There is good design and bad design. Good useage and bad useage. But any useful machine is at risk by nature of being useful.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 5 / 6
                                            • First post
                                              Last post