Are you using the right vendor remote access tool? Lessons from the Texas mass ransomware attack

Nearly six months after the Texas mass ransomware attacks that took down operations at 22 small Texas cities, we still talk about it pretty regularly. That’s the type of impact a mass ransomware attack can have. As a refresh, the attackers coordinated the timing of the malware launch to hit all of the victims at once, thereby swamping the available digital first responders. It was previously reported that the attack originated in a Managed Service Provider (MSP) that the victim cities all had in common: RSM Consulting out of Rockwall, Texas. Based on reporting done by CRN, the MSP was using the ConnectWise Control tool to support their clients and apparently the hackers were able to coopt the tool to exploit their clients. 

Here are my thoughts on these attacks:

• It’s not surprising that the hackers were able to take over a poorly secured tool and use it to spread their malware. Hackers know these platforms are used to support massive customer populations and go after them because they are huge providers with lots of published exploits. To be blunt, it’s simply an easy kill zone for hackers. 
• These broad-spectrum remote management systems might be fine for providing generic desktop support in an unregulated environment, but for critical infrastructure (like utility bills, real estate records and more) that’s not the case. For compliance sensitive organizations such as law enforcement or credit card merchants, they simply aren’t enough. 
• There’s probably plenty of blame to go around in this case, from ConnectWise, to the MSP, to the customers themselves. The customer did not choose to implement multi-factor authentication which would have likely stopped the attack in its tracks. However, the software vendor should have made it mandatory or fully explained the risks of not using MFA, especially in environments like law enforcement where the CJIS standard requires it for admin accounts. 
• It has yet to be explained how the hackers got the credentials for the systems, but I’m willing to bet that the MSP might have some fault in that. They implemented the tool and had the admin credentials to it, so all paths lead through them to the eventual victims. 
• I’d even go as far as to blame the cyber liability insurance companies. I would expect to see stricter underwriting standards and more outright rejection of claims when the claimant can be shown to have practice gross negligence in their security protocols. 

Key takeaways

So, due to all these factors, there’s no silver bullet that will quell this ransomware epidemic overnight. Small governments are going to have to take a good, hard look at established practices such as using MSPs and their own internal policies and procedures. MSPs are going to have to batten down the hatches and properly protect their customers’ systems and networks. And software providers can no longer get away with saying “we told you so” when their software is implicated in a massive attack like these. 

How this may have been stopped

An underlying issue with anyone, and especially government entities, using external vendors is that it opens up your network and systems to unwanted issues—like data breaches, lost data, and ransomware attacks. The best way to combat these well-known threats is to implement a program built for managing vendors’ access. Advanced technologies, such as vendor privileged access management (VPAM), will fully secure vendor accounts and their use in order to avoid making headlines for a data breach or ransomware attack. 

To learn more about how your vendor access management tools are putting your company at risk and how to be proactive in your battle against vendor-related incidents, stop by SecureLink’s booth (booth 501) at the 20 Annual Information Security Forum for Texas Government March 10-11, 2020 at the Palmer Events Center in Austin, Texas. We hope to see you there!