
LogicMonitor Security Breach – Ransomware Attacks Targeting Customers

LogicMonitor, a network monitoring company, has confirmed that ransomware attacks have targeted specific customers of its SaaS product. According to the company, the attack affected a small number of users, and it is actively working with those who were affected to mitigate the impact.

Jesica Church, LogicMonitor’s representative, mentioned in a statement:

We are currently addressing a security incident that has affected a small number of our customers. We are in direct communication and working closely with those customers to take appropriate measures to mitigate impact.

LogicMonitor, located in Santa Barbara, California, was started in 2007 and has already raised approximately $140 million in funding over the last 10 years. In 2018, the company sold a major chunk of its stock to the private equity firm Vista Equity Partners. LogicMonitor claims to have assisted over 2,000 organisations in monitoring over 3 million devices.

The observability solution from LogicMonitor enables businesses to carefully track down and identify technical issues in both on-premises and cloud infrastructure.

Although its clients have been the target of ransomware attacks, LogicMonitor has not publicly confirmed this. However, BleepingComputer received information about these incidents from anonymous sources, who disclosed that the threat actors gained access to customer accounts, enabling them to create local accounts and deploy ransomware.

The same sources claimed that the platform’s on-site LogicMonitor Collector sensors were used to launch the malware. Beyond monitoring customer infrastructure, these sensors can run scripts. The threat actors allegedly deployed scripts from the web-based platform, which were then pushed down to the local Collectors and executed there.

Account Access Issues & Weak Passwords

The breach was made possible by LogicMonitor’s practice, used until recently, of issuing clients weak default passwords. These defaults typically took the form “Welcome@” followed by a simple number pattern. The information came from a person at a company affected by the incident who was not authorised to speak to the press.

A LogicMonitor official said that the business is unable to provide any further information about the incident at this time. The source said they were aware of one compromised business: a ransomware attack that exploited that company’s weak default password affected over 400 computers.

According to CISA, the US Cybersecurity and Infrastructure Security Agency, valid accounts are the most commonly used initial access technique in cyberattacks, accounting for 54% of successful breaches. These accounts may include standard administrator credentials as well as accounts belonging to former employees that remain active. Failure to change default passwords allows malicious actors to install and run programmes at their convenience.

CISA issued a warning highlighting that gaining access to an organisation’s network is only the first stage of a successful attack. Once inside, malicious actors can use other techniques, such as privilege escalation, to steal data. The main focus of network asset and data protection policies should therefore be on preventing that initial access.

The business updated its status page two days ago, stating that the issue had been resolved.

Access issues for LogicMonitor accounts have been fixed (LogicMonitor)

A LogicMonitor representative declined to provide more information when asked. Customers have told the media that LogicMonitor contacted them to advise them of the situation and the possibility of a ransomware attack. No other facts are currently available, leaving the identity and motives of the threat actor behind the attack unknown.

The company has also changed the default password settings on its platform. Users must now change their default password when they first log in to their accounts, and default passwords will expire after 30 days.
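As an added illustration of the two controls described above (rejecting a “Welcome@”-style default and expiring an unchanged default after 30 days), the following Python audit is example code written for this page, not LogicMonitor’s own; the Account fields and the sample directory are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed pattern for the vendor-style default described above:
# the literal "Welcome@" followed by a short run of digits, e.g. "Welcome@1234".
DEFAULT_PATTERN = re.compile(r"^welcome@\d{1,8}$", re.IGNORECASE)
DEFAULT_MAX_AGE = timedelta(days=30)   # policy: a default must not outlive 30 days


def is_default_style(candidate: str) -> bool:
    """True when a proposed password still looks like the onboarding default."""
    return DEFAULT_PATTERN.fullmatch(candidate) is not None


@dataclass(frozen=True)
class Account:
    # Hypothetical fields, as an identity directory might expose them (assumption).
    username: str
    initial_password_set_at: datetime   # when the onboarding password was issued
    initial_password_changed: bool      # did the user replace it at first login?


def classify(acct: Account, now: datetime) -> str:
    """Return 'ok', 'pending-change' (inside the grace period) or 'expired-default'."""
    if acct.initial_password_changed:
        return "ok"
    if now - acct.initial_password_set_at > DEFAULT_MAX_AGE:
        return "expired-default"
    return "pending-change"


def audit(accounts, now: datetime) -> dict:
    """Map each non-compliant username to its state; compliant accounts are omitted."""
    return {a.username: s for a in accounts if (s := classify(a, now)) != "ok"}


# Constructed sample directory for the demonstration.
NOW = datetime(2023, 9, 1, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", NOW - timedelta(days=2), True),    # changed at first login
    Account("bob", NOW - timedelta(days=10), False),    # still on default, within 30 days
    Account("carol", NOW - timedelta(days=45), False),  # default left unchanged too long
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE, NOW).items():
        print(f"{name}: {state}")
```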

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. 
