Multiple attacks targeting MSPs’ Atera RMM instances were observed, where threat actors deployed Cloudflare tunnels and successfully launched Akira ransomware on customer endpoints. Huntress SOC’s rapid response and log analysis were crucial in detecting and limiting these coordinated ransomware campaigns.
Key points
- Threat actors compromised MSPs’ Atera RMM instances to remotely access and attack multiple downstream customer endpoints.
- Cloudflare tunnels were installed to maintain covert remote access before deploying Akira ransomware on targeted systems.
- Windows Defender initially detected and quarantined ransomware attempts but was subsequently disabled by the attackers.
- Huntress agents were deployed mid-compromise, enabling endpoint isolation and detailed log analysis despite lack of EDR telemetry.
- Consistent toolmarks such as specific Cloudflare tunnel tokens, user account names, and workstation names linked multiple attacks.
- The rapid Huntress SOC response prevented the ransomware from spreading further across MSP customer networks.
- Ongoing MSP RMM abuse highlights the need for improved application control, log auditing, and remote access monitoring for MSP environments.
MITRE Techniques
- [T1071] Application Layer Protocol – Use of Cloudflare tunnels to maintain covert remote connections (“Cloudflare tunnel being created and run…”).
- [T1136] Create Account – Creation of accounts such as ‘bck’ and ‘adm1’ for persistence and access (“An account named bck was created…”).
- [T1021] Remote Services – Use of Remote Desktop Protocol and RMM tools for initial access to endpoints (“bck account accessed the endpoint… via Remote Desktop Protocol”).
- [T1083] File and Directory Discovery – Execution of network scanning tools like advanced_port_scanner.exe to map networks (“bck account started running advanced_port_scanner.exe”).
- [T1059] Command and Scripting Interpreter – PowerShell execution to remove shadow copies and facilitate ransomware deployment (“powershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”).
- [T1562] Impair Defenses – Disabling Windows Defender Real-Time Protection to avoid detection (“Windows Defender RTP had been disabled”).
- [T1486] Data Encrypted for Impact – Deployment of Akira ransomware encrypting endpoint data (“successful launch of the Akira ransomware executable”).
Indicators of Compromise
- [Account Names] Suspicious accounts created and used – bck, adm1 accounts used to access endpoints and execute malware.
- [File Names] Ransomware executables detected – C:\ProgramData\akira.ex_ and advanced_port_scanner.exe used for network scanning.
- [Processes] cloudflared.exe – Use of the Cloudflare tunnel executable to create covert channels (“cloudflared.exe tunnel run --token [REDACTED]”).
- [Event Logs] Windows Event Log entries indicating RDP access and PowerShell command execution related to the attacks.
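The toolmarks above translate directly into endpoint detections. The following is an added example, not code from the Huntress post: it runs a small rule set over a simplified, constructed event stream (the five-field line format and the sample lines are assumptions, not real telemetry) and then correlates per host, treating the combination of a Cloudflare tunnel, Defender real-time protection being disabled and shadow copy removal as the pre-encryption chain described in the summary.

```python
"""Detection sketch for the Atera / Cloudflare tunnel / Akira toolmarks.

Added example; the event format and SAMPLE_EVENTS are constructed for
illustration and are not Huntress data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed telemetry: "<timestamp> <host> <user> <EVENT_TYPE> <detail>".
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01 WS-01 admin PROCESS C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2024-01-01T10:02:13 WS-01 SYSTEM ACCOUNT_CREATED bck",
    "2024-01-01T10:05:44 WS-01 bck LOGON_RDP 10.0.0.5",
    "2024-01-01T10:07:02 WS-01 bck PROCESS C:\\ProgramData\\cloudflared.exe tunnel run --token eyJREDACTED",
    "2024-01-01T10:09:30 WS-01 bck PROCESS C:\\Users\\bck\\Downloads\\advanced_port_scanner.exe",
    "2024-01-01T10:15:00 WS-01 bck PROCESS powershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject",
    "2024-01-01T10:16:10 WS-01 bck DEFENDER_RTP disabled",
    "2024-01-01T10:20:00 WS-01 bck PROCESS C:\\ProgramData\\akira.ex_",
    "2024-01-01T10:21:00 WS-02 jdoe PROCESS C:\\Program Files\\Atera\\AteraAgent.exe",
]


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    etype: str
    detail: str


def parse_event(line: str) -> Event:
    """Split one constructed log line into its five fields (detail may be empty)."""
    parts = line.split(" ", 4)
    if len(parts) < 4:
        raise ValueError(f"malformed event line: {line!r}")
    if len(parts) == 4:
        parts.append("")
    return Event(*parts)


# Account names reported as toolmarks in the summary above.
SUSPICIOUS_ACCOUNTS = {"bck", "adm1"}
RE_TUNNEL = re.compile(r"cloudflared(\.exe)?\s+tunnel\s+run\b", re.I)
RE_SCANNER = re.compile(r"advanced_port_scanner\.exe", re.I)
RE_SHADOW = re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)
RE_AKIRA = re.compile(r"\\akira\.ex_?$", re.I)

# (rule name, predicate over a parsed Event); one rule per listed toolmark.
RULES = [
    ("cloudflared_tunnel", lambda e: e.etype == "PROCESS" and bool(RE_TUNNEL.search(e.detail))),
    ("suspicious_account_created", lambda e: e.etype == "ACCOUNT_CREATED" and e.detail.lower() in SUSPICIOUS_ACCOUNTS),
    ("rdp_logon_suspicious_account", lambda e: e.etype == "LOGON_RDP" and e.user.lower() in SUSPICIOUS_ACCOUNTS),
    ("port_scanner", lambda e: e.etype == "PROCESS" and bool(RE_SCANNER.search(e.detail))),
    ("shadow_copy_removal", lambda e: e.etype == "PROCESS" and "powershell" in e.detail.lower()
                                      and bool(RE_SHADOW.search(e.detail))),
    ("defender_rtp_disabled", lambda e: e.etype == "DEFENDER_RTP" and e.detail.lower() == "disabled"),
    ("akira_binary", lambda e: e.etype == "PROCESS" and bool(RE_AKIRA.search(e.detail))),
]


@dataclass(frozen=True)
class Finding:
    host: str
    ts: str
    user: str
    rule: str


def detect(lines):
    """Apply every rule to every event; return findings in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, pred in RULES:
            if pred(ev):
                findings.append(Finding(ev.host, ev.ts, ev.user, name))
    return findings


# Covert tunnel + defences impaired + recovery data destroyed: the chain the
# summary describes immediately before the ransomware launch.
PRECURSOR_CHAIN = {"cloudflared_tunnel", "defender_rtp_disabled", "shadow_copy_removal"}


def hosts_at_risk(findings):
    """Return {host: sorted rule names} for hosts where the full precursor chain fired."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in per_host.items() if PRECURSOR_CHAIN <= r}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user}: {f.rule}")
    print("hosts matching precursor chain:", hosts_at_risk(hits))
```

Individual rules such as `rdp_logon_suspicious_account` are noisy on their own; the value is in `hosts_at_risk`, which only escalates when the tunnel, the Defender change and the shadow copy deletion all land on the same host, the point at which isolation is still worth more than analysis. The account-name and filename matches are exact toolmarks from this campaign and should be expected to change; the tunnel and shadow copy patterns are behavioural and carry over.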
Read more: https://www.huntress.com/blog/rmm-gateway-for-bulk-attacks-on-msp-customers-part-2