EXECUTIVE SUMMARY
Organisations across various sectors, including managed service providers, have recently fallen victim to a wave of attacks exploiting a critical vulnerability in Bomgar remote monitoring and management (RMM) instances. The attackers, who are believed to be targeting downstream customer bases, gain initial access via compromised Bomgar RMMs, typically instances running outdated versions that remain vulnerable to the disclosed flaw. Once inside, they deploy LockBit ransomware, conduct domain reconnaissance, and add administrator users for persistence. The attackers' ultimate goal appears to be data theft and disruption; in several incidents the deployed ransomware successfully encrypted endpoints and impacted downstream organisations.
The malware infection begins with the exploitation of the vulnerability in Bomgar RMM, allowing the attackers to remotely execute code. The attackers then use the compromised instance to deploy additional RMMs, such as AnyDesk and Atera, for further persistence and to gain access to downstream environments. They also use the compromised instance to conduct domain reconnaissance, perform network enumeration, and add administrator users. The attackers maintain control by regularly checking for and executing malicious processes, including the deployment of LockBit ransomware. The attack chain from infection to impact is characterised by a series of malicious actions, including encryption, persistence, lateral movement, and data exfiltration.
This threat is significant for organisations, as it can result in substantial data loss and disruption. The attacks are also difficult to detect and recover from, particularly for organisations with outdated RMM instances. To mitigate this risk, organisations should ensure that their RMM instances are patched and up-to-date, monitor their environments for suspicious activity, and audit their RMM usage. Additionally, organisations should implement robust endpoint protection, maintain regular backups, and conduct regular security checks to identify and address potential vulnerabilities. By taking these defensive actions, organisations can reduce their risk of falling victim to these attacks and protect their data and systems.
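An added example, not part of this advisory: detection logic in Python that flags two of the behaviours described above, a newly created account being added to the local Administrators group and the launch of remote-access tooling other than the organisation's sanctioned RMM, run over constructed Windows Security events. The process image names and the approved-tool list are assumptions, not values from the advisory.

```python
from dataclasses import dataclass

# Constructed: the only remote-access tool the organisation has sanctioned.
APPROVED_RMM = {"bomgar-scc.exe"}

# Assumed process names for the RMMs named in the advisory (AnyDesk, Atera)
# plus the sanctioned Bomgar client; used to recognise remote-access tooling.
KNOWN_RMM = {"anydesk.exe", "ateraagent.exe", "bomgar-scc.exe"}


@dataclass(frozen=True)
class Event:
    """One constructed Windows Security event: 4720 (account created),
    4732 (member added to local group) or 4688 (process created)."""
    event_id: int
    host: str
    subject: str   # account performing the action
    target: str    # account created/added, or process image name
    group: str = ""  # local group for 4732 events

def detect_admin_persistence(events):
    """Return (host, account) pairs where an account was created (4720) and
    then added to the local Administrators group (4732) on the same host."""
    created = {(e.host, e.target) for e in events if e.event_id == 4720}
    return sorted(
        (e.host, e.target) for e in events
        if e.event_id == 4732 and e.group == "Administrators"
        and (e.host, e.target) in created
    )

def detect_unapproved_rmm(events):
    """Return (host, image) pairs for process creations (4688) of known
    remote-access tools that are not on the approved list."""
    return sorted(
        (e.host, e.target.lower()) for e in events
        if e.event_id == 4688 and e.target.lower() in KNOWN_RMM
        and e.target.lower() not in APPROVED_RMM
    )

# Constructed sample telemetry from two hosts.
SAMPLE_EVENTS = [
    Event(4720, "FS01", "svc_rmm", "backup_adm"),
    Event(4732, "FS01", "svc_rmm", "backup_adm", group="Administrators"),
    Event(4720, "WS07", "it_helpdesk", "j.doe"),  # plain user, never made admin
    Event(4688, "FS01", "svc_rmm", "AnyDesk.exe"),
    Event(4688, "WS07", "j.doe", "bomgar-scc.exe"),  # sanctioned RMM, ignored
    Event(4688, "FS01", "svc_rmm", "AteraAgent.exe"),
]
```

On the sample data, detect_admin_persistence(SAMPLE_EVENTS) returns only the FS01/backup_adm pair, and detect_unapproved_rmm flags the AnyDesk and Atera launches on FS01 while ignoring the sanctioned client on WS07.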
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1136.001 | Create Account | Local Account |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1018 | Remote System Discovery | — |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Lateral Movement | T1570 | Lateral Tool Transfer | — |
| Command and Control | T1219 | Remote Access Software | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Impact | T1486 | Data Encrypted for Impact | — |