Continuum MSP Partner Hit, Credentials Stolen To Deploy Ransomware To Several End Customers

Continuum says it is for now removing access to any scripts or tasks that are capable of uninstalling antivirus or endpoint protection and eliminating the ability for all users to create new custom scripts or tasks.

Continuum said one of its MSP partners was hit likely by a phishing campaign that managed to steal its credentials, which were then used to disable antivirus and “run scripts to deploy ransomware at several end clients,” the company said in an email.

Continuum said none of its systems were compromised in the breach, which appears to have impacted just the one partner.

“We have identified a situation where credentials were stolen from a single partner, likely through phishing, and were used to disable antivirus and run scripts to deploy ransomware at several end clients,” Continuum wrote in an email signed “Team Continuum.”

In response, Continuum said it is for now removing access to any scripts or tasks that are capable of uninstalling antivirus or endpoint protection and eliminating the ability for all users to create new custom scripts or tasks.

“We understand this may cause some inconvenience and will update you when these changes are reversed,” the company wrote in the email. “Cybercriminals often use credentials retrieved from other sources to gain unauthorized access to systems. While vigilance by your employees goes a long way in preventing credential compromise, we strongly urge you to enable multifactor authentication across all your systems immediately.”

Continuum did not respond by press time to calls and emails seeking comment.

[Related: NinjaRMM Partner Used To Seed Ransomware]

David Laureys, senior system engineer and MSP technical lead at integraOne, said the MSP has been a Continuum partner for at least eight years. After reading the email from Continuum Friday morning, he said the breach doesn’t change his confidence in the company.

“It doesn’t shake our confidence at all,” he said. “As long as you protect your credentials, you shouldn’t have a problem. I’m confident their security is up to snuff.”

He said his company mandated multifactor authentication a year ago when Continuum first offered it. While it may seem an obvious next step in security, he is not surprised some MSPs don’t do it.

“We hear our technicians say they don’t like it, but if someone gets in there they have the keys to the kingdom,” he said. “It’s not worth the risk.”

Earlier this week, Continuum sent an email to partners mandating an Aug. 30 deadline for having multi-factor authentication enabled on all of their systems. The company said it was doing so to block the rise in sophistication in phishing attacks carried out by cybercriminals against MSPs and their customers.

“The old standards of a username and strong password simply cannot provide adequate levels of protection today,” Continuum wrote in the email to partners. “Multifactor authentication (MFA) has quickly become an accepted industry norm and is essential in modern IT environments. Continuum will be requiring partners to enable MFA in order to access the tools and information available in the ITSupport Portal. You must take action now to configure MFA for all of your employee accounts.”

Last month Continuum CEO Michael George told CRN that “we’re as much of a target as any of the other guys who have gotten hit.” While Continuum said its systems were not compromised in this latest attack, its tools were accessed via a partner’s account.

“Nobody is immune to the issue. I think you have to expect that everyone is going to get hit,” George told CRN. “Everybody is a target, and everybody is going to get hit. This is not about thinking you can get away with 100 percent protection and that you’re going to make yourself not vulnerable to an attack. What this is about is understanding that you will be vulnerable. You ought to do everything that you can at a practical economic level to protect and secure your environment. … Thinking ‘I’ve completely battened down my hatches and I’m watertight and no one can get in’—those days are over. That’s not how the world works anymore.”