Lewis Huynh

Ransomware Attacks Abusing RMMs: Why We’re Enforcing 2FA

In recent weeks there have been numerous reported incidents of attackers compromising MSPs and weaponizing their internal management tools to deploy ransomware across their customer base.

These attacks are obviously alarming, and helping our MSP partners mitigate this threat has become priority #1. Our team is working around the clock to implement a variety of additional security enhancements, including the following:

Effective immediately: All critical and potentially destructive administrative actions will require re-authentication, meaning two-factor authentication (2FA) must be enabled. This includes the ability to upload or edit scripts, the ability to upload executables, and the ability to create or save policies.

In addition, we are making 2FA a core component of our platform’s authentication and authorization mechanism across all customers in the next 45-60 days.

That means in order to use NinjaRMM, customers will need to adapt their work-patterns around 2FA.

We recognize that this is going to be a major adjustment for partners who aren’t yet using 2FA, and that it does represent a small tradeoff in convenience. The feedback we’ve received from MSP partners, however, has been overwhelmingly in favor of enforcing 2FA. That feedback paired with the magnitude of the disruptive risk that these attacks pose has convinced us that this tradeoff is necessary.

Therefore, we are asking all customers to take this time to prepare for the rollout of enforced 2FA accordingly. As a reminder, customers can enable 2FA now by navigating to Configuration/Users and selecting the 2FA option of your choice, including SMS, Authenticator, and FIDO key.

In addition to 2FA…

We also recognize that, while 2FA represents a clear, immediate security enhancement that can help mitigate these attacks, 2FA is not a silver bullet. It’s simply another tool at our disposal and one additional layer of security.

Just as AWS has the “Shared Responsibility Model,” where all parties play a key role in overall and global security, the practical reality is that companies using NinjaRMM or any RMM should also have their own security controls in place to protect their clients and to meet regulatory compliance requirements.

We recognize that our MSP partners are generally above average-to-expert level systems administrators who already have security habits ingrained into their day-to-day. But this is an excellent time for all of us to review our internal security practices and procedures, identify gaps, and seek out opportunities for improvements. To help, we’ve provided an extensive checklist of practical steps MSPs can take to reduce their attack surface and improve their ability to prevent, detect, and respond to attacks.

These include steps that are best practices, but that nonetheless bear repeating:

  • Always lock systems and log out of sessions, regardless of the session type (browser, RDP, SSH, TeamViewer, etc.)
  • Use 2FA at a minimum, but bonus points for using 3FA (e.g., adding biometrics like fingerprint auth)
  • Disable/don’t use browser plugins/extensions that can potentially provide harvestable information
  • Use the built-in security features of browsers such as Incognito/Private windows where no data is saved
  • Disable browser functions such as in-memory caching, SSL caching, and on-disk caching
  • Use privacy screens on displays and monitors
  • Block malicious sources such as known malware URLs/IPs, Tor exit node IPs, and SPAM houses
  • Never open a link or attachment in an email until ensured that the content is safe
  • And the list goes on here

 

These attacks underscore the need for every company to take a hard look at what they are doing within their own infrastructure, networks, systems, and staff. We hope our partners will rest assured knowing that’s exactly what we’re doing here at NinjaRMM, and that we’re laser-focused on providing the most powerful and convenient RMM possible, while taking active measures to reduce the risk of it being misused.