[BreachExchange] Massive Hack Hits Continuum MSPs, End Clients

Inga Goddijn inga at riskbasedsecurity.com
Wed Oct 5 19:35:01 EDT 2016


http://mspmentor.net/msp-mentor/massive-hack-hits-continuum-msps-end-clients

Continuum <https://www.continuum.net/> is tightening security and warning
managed services providers (MSPs) to be on the lookout for malicious
activity after a massive cyberattack penetrated the software vendor’s IT
management systems and compromised an unknown number of end-user client
servers, the company confirmed today.

MSPs were notified in early August that a breach originating with a legacy
IP scanner tool had spread, resulting in unauthorized administrator
accounts being created inside customer networks.

More than two months after the hacking attack was initially discovered, the
full extent of the damage remained unknown.

“We identified several clients who had administrative superuser accounts
created within their Windows active directory without our knowledge,” said
a Continuum partner who asked not to be identified. “These accounts were
created and active for several days prior to us being notified of the
breach, so unidentified intruders had full access to our clients’ systems
and data long before we found out about it.”

“We have identified login events within server logs which confirm
unauthorized access to our clients’ servers from dozens of IP addresses
around the world,” the partner continued. “We still have no way to know
what sort of malicious software or gateways may have been left behind nor
what data has been stolen, which absolutely could lead to additional
problems and liability concerns for us in the future.”

Continuum officials said they have responded aggressively to the
cyberattack.

“When we learned that our partners might have been compromised, we
responded quickly and forcefully,” the vendor said in a statement
<http://mspmentor.net/msp-mentor/oct-4-statement-continuum-regarding-security-breach>.
“Among other things, we immediately engaged a top forensic firm and the
FBI.”

“Our engineering team worked around the clock to write new software to flag
suspicious activity, disable suspicious accounts and build tools to respond
to the potential threat,” the statement went on. “We also communicated
regularly with our partners and published a set of guidelines to help all
partners strengthen the security at their end clients.”

In an Aug. 4 email
<http://mspmentor.net/msp-mentor/email-continuum-ceo-michael-george-partners-advising-security-breach>,
Continuum Managed Services CEO Michael George advised affected partners to
close any non-essential ports and continue checking for fraudulent
administrative accounts, system accounts or accounts with elevated
privileges at client sites.

“We have a list of known suspicious accounts posted and we are running a
script to disable known suspicious accounts,” the communication said.

“We have also created a script to display all users across all of your
sites so you can review and validate each more easily,” the email
continued. “In some cases, we have observed open RDP (Remote Desktop
Protocol) access and other security settings that should be tightened
immediately.”

Such attacks are “increasingly part of the digital world we live in,”
George’s email said.
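The checks George's email describes, hunting for fraudulent administrative or elevated accounts and for open RDP, are the kind of thing an MSP would run per client site. The script below is an added example, written here for illustration; it is not Continuum's own script (which the article does not reproduce) and it assumes a domain controller or RSAT host with the ActiveDirectory module, read access to the Security event log, and a 14-day lookback window and privileged-group list that are assumptions to adjust per site.

```powershell
# Added example, not Continuum's script. Hunts for the indicators the article
# describes: recently created accounts, new members of privileged AD groups,
# RDP logons from remote IPs, and RDP exposure on the host. Run on a domain
# controller (or RSAT host) as an account that can read the Security log.
# The lookback window and the group list below are assumptions.
param(
    [int]$LookbackDays = 14,
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                    'Schema Admins', 'Administrators')
)
Import-Module ActiveDirectory -ErrorAction Stop
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Every AD user created inside the window, privileged yet or not.
Write-Host "== Users created since $since =="
Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, LastLogonDate |
    Select-Object SamAccountName, Enabled, whenCreated, LastLogonDate |
    Sort-Object whenCreated -Descending | Format-Table -AutoSize

# 2. Current (recursive) membership of privileged groups, flagging accounts
#    whose creation date falls inside the window ("superuser created without
#    our knowledge" pattern).
Write-Host "== Privileged group members =="
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties whenCreated
            [pscustomobject]@{
                Group       = $g
                Account     = $u.SamAccountName
                Enabled     = $u.Enabled
                Created     = $u.whenCreated
                NewInWindow = $u.whenCreated -ge $since
            }
        }
}
$members | Sort-Object NewInWindow, Created -Descending | Format-Table -AutoSize

# 3. Security log: account creation (4720) and additions to security groups
#    (4728 global, 4732 domain-local, 4756 universal) inside the window.
Write-Host "== Account creation / group membership events =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 4. Interactive RDP logons (4624 with LogonType 10) grouped by source IP; the
#    "dozens of IP addresses around the world" pattern shows up as many
#    distinct sources hitting the same accounts.
Write-Host "== RDP logons by source IP =="
$ms = [int64]$LookbackDays * 86400000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='LogonType']='10']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{ Time = $_.TimeCreated; User = $data['TargetUserName']; SourceIP = $data['IpAddress'] }
} | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count,
                  @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 5. Is RDP exposed on this host? Enabled flag, NLA requirement, listening
#    socket, and any enabled inbound Remote Desktop rule open to any address.
Write-Host "== RDP exposure on $env:COMPUTERNAME =="
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
[pscustomobject]@{
    RdpEnabled    = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    NlaRequired   = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
    Listening3389 = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    OpenToAnyIP   = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
                        Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -eq 'Any' })
} | Format-List
```

Section 4 is the one that answers the partner's "login events from dozens of IP addresses" concern: a short list of expected management addresses is normal, a long tail of unrelated sources against a freshly created account is not. Section 5 only reports on the host it runs on; run it through the RMM against each client server rather than once on the DC, and treat `RdpEnabled`, `Listening3389` and `OpenToAnyIP` all true with `NlaRequired` false as the "should be tightened immediately" case from the email.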

The Continuum partner who spoke on condition of anonymity said the MSP is
investing a great deal of effort to prevent and detect further unauthorized
access.

“We have suffered strained client relations as a result of notifying our
clients about this breach,” the owner explained. “The scariest part of all
of this is what we still don’t know, and what could happen in the future.”