by tonyb
1809 days ago
This wasn't a typical "someone clicked a link they shouldn't have" attack. There was a vulnerability in the RMM server software that allowed remote code execution. The attackers used the RCE to push the ransomware out to all of the endpoints connected to the RMM server. The attack is still being researched, but it looks like there were two vulnerabilities. The first was an authentication bypass that allowed the attacker to authenticate as if it were an authorised client. That was used to upload the payload. There was also an RCE vulnerability that allowed the attacker to execute the uploaded file. The payload itself modified the SQL database of the RMM software to create a task on the remote endpoints that executed the ransomware.