Continuum is tightening security and warning managed services providers (MSPs) to be on the lookout for malicious activity after a massive cyberattack penetrated the software vendor’s IT management systems and compromised an unknown number of end-user client servers, the company confirmed today.
MSPs were notified in early August that a breach originating with a legacy IP scanner tool had spread, resulting in unauthorized administrator accounts being created inside customer networks.
More than two months after the hacking attack was initially discovered, the full extent of the damage remained unknown.
“We identified several clients who had administrative superuser accounts created within their Windows active directory without our knowledge,” said a Continuum partner who asked not to be identified. “These accounts were created and active for several days prior to us being notified of the breach, so unidentified intruders had full access to our clients’ systems and data long before we found out about it.”
“We have identified login events within server logs which confirm unauthorized access to our clients’ servers from dozens of IP addresses around the world,” the partner continued. “We still have no way to know what sort of malicious software or gateways may have been left behind nor what data has been stolen, which absolutely could lead to additional problems and liability concerns for us in the future.”
Continuum officials said they have responded aggressively to the cyberattack.
“When we learned that our partners might have been compromised, we responded quickly and forcefully,” the vendor said in a statement. “Among other things, we immediately engaged a top forensic firm and the FBI.”
“Our engineering team worked around the clock to write new software to flag suspicious activity, disable suspicious accounts and build tools to respond to the potential threat,” the statement went on. “We also communicated regularly with our partners and published a set of guidelines to help all partners strengthen the security at their end clients.”
In an Aug. 4 email, Continuum Managed Services CEO Michael George advised affected partners to close any non-essential ports and continue checking for fraudulent administrative accounts, system accounts or accounts with elevated privileges at client sites.
“We have a list of known suspicious accounts posted and we are running a script to disable known suspicious accounts,” the communication said.
“We have also created a script to display all users across all of your sites so you can review and validate each more easily,” the email continued. “In some cases, we have observed open RDP (remote desk protocols) access and other security settings that should be tightened immediately.”
Such attacks are “increasingly part of the digital world we live in,” George’s email said.
The Continuum partner who spoke on condition of anonymity said that MSP is investing a great deal of effort to prevent and detect further unauthorized access.
“We have suffered strained client relations as a result of notifying our clients about this breach,” the owner explained. “The scariest part of all of this is what we still don’t know, and what could happen in the future.”