CyberSecurity news
gallagherseanm@Sophos News
A recent cyberattack has exploited vulnerabilities in Managed Service Providers (MSPs) through a sophisticated phishing campaign, leading to the deployment of Qilin ransomware across multiple customer environments. The attackers, identified as affiliates of the STAC4365 threat cluster, targeted MSPs by mimicking the login page of ScreenConnect, a widely used Remote Monitoring and Management (RMM) tool. The attackers used spear-phishing emails directed at MSP administrators, disguising them as authentication alerts from ScreenConnect.
These emails directed recipients to counterfeit domains closely resembling the legitimate ScreenConnect login page, for example cloud.screenconnect[.]com.ms. Using an adversary-in-the-middle (AITM) attack framework, the attackers intercepted the credentials and time-based one-time passwords (TOTP) required for multi-factor authentication (MFA). With these credentials, they gained super administrator access to the legitimate ScreenConnect portal, enabling them to deploy malicious ScreenConnect instances across customer environments and ultimately launch Qilin ransomware. The attack highlights the risks for MSPs and their customer bases.
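The lookalike domain named above keeps the full string "screenconnect.com" and only appends a suffix, so a substring check on links in mail or proxy logs accepts it. The following is an added example, not code from Sophos or ScreenConnect, contrasting that weak check with a label-boundary match; the allowlist, function names and sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: screenconnect.com is the only sanctioned domain for the hosted portal.
ALLOWED_DOMAINS = ("screenconnect.com",)
BRAND = "screenconnect"

def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, accepting defanged input."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    if "://" not in url:
        url = "//" + url  # make urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").rstrip(".")

def naive_check(host: str) -> bool:
    """Weak check: substring match, which the lookalike domain satisfies."""
    return "screenconnect.com" in host

def is_allowed(host: str) -> bool:
    """Strict check: host is an allowed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def classify(url: str) -> str:
    host = hostname_of(url)
    if not host:
        return "unparseable"
    if is_allowed(host):
        return "legitimate"
    # Brand name present (hyphens ignored) but the host is outside the allowed domains.
    if BRAND in host.replace("-", ""):
        return "lookalike"
    return "unrelated"

# Constructed sample links, as they might appear in mail-gateway or proxy logs.
SAMPLES = [
    "https://cloud.screenconnect.com/Login",
    "hxxps://cloud.screenconnect[.]com.ms/Login",  # domain from the article, path constructed
    "https://example.org/status",
]

if __name__ == "__main__":
    for link in SAMPLES:
        host = hostname_of(link)
        print(f"{classify(link):<11} naive={naive_check(host)!s:<5} {host}")
```
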
References:
- Sophos News: Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
- securityonline.info: Qilin Ransomware Attack Exploits MSP Vulnerability to Target Downstream Customers
- Cyber Security News: Qilin Operators Use Mimic ScreenConnect Login Page to Deliver Ransomware and Gain Admin Access
- Cyber Security News: Qilin Operators Mimic ScreenConnect Login Page to Deliver Ransomware & Gain Admin Access
- gbhackers.com: Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access
Classification:
- HashTags: #Ransomware #MSP #ScreenConnect
- Company: MSP
- Target: MSP customers
- Attacker: Qilin affiliates
- Product: ScreenConnect
- Feature: ScreenConnect
- Malware: Qilin
- Type: Ransomware
- Severity: Major