Cybersecurity: Amplified And Intensified

Allstate to block Datto, Ninja RMM and Kaseya - Escalate, Exfiltrate & Encrypt - Round 9

September 23, 2021 Shiva Maharaj/Eric Taylor/Ryan Weeks
Shiva Maharaj:

Kind of sucks. Ladies and gentlemen, good morning. Welcome to another episode of Cybersecurity Amplified and Intensified with your Friday dose of piss and vinegar. And today, boy, do we have some piss and vinegar brought to us by Reddit. It's gone.

Eric Taylor:

Oh man, it's gonna be a very long couple more days, I'm sure, maybe even a week. So for those who don't know, we'll put it down in the show notes, but more than likely anybody who listens to this by now will know about this whole Reddit post where Allstate is pretty much slamming Datto RMM, Ninja, and Kaseya products to be removed from any Allstate infrastructure, with it effectively going into effect September 27, which is

Shiva Maharaj:

Monday? Yeah, Monday. That's not bad: three business days and two weekend days to give notice to exfiltrate. Okay, it's almost like it's a zero day that, you know, that's the BS hatch slash on insult.

Eric Taylor:

Yeah, like the shit that CISA kinda does. Um, so yeah, this is really weird because, you know, we've been having a lot of internal discussions like, okay, what is the driving force behind this shit?

Shiva Maharaj:

I think it's money. I think Allstate internal IT wants to sell services to their franchisees, because let's not forget Allstate the insurer and the Allstate office around the corner from you is a franchisor or franchisee type of model.

Eric Taylor:

Yep. And I mean, Allstate's not the only one; State Farm's the same. That's the same shit. Yeah, I don't think there's really any of them that are different than that. But if you know, leave a comment below, let us know. Just over educated. But anyway, um, yeah. So it's just the simple fact that they did not name SolarWinds in this shit, and they didn't name ConnectWise in this shit, makes me think it's some sort of internal grab, some sort of, you know, policy, or there's some sort of inside deal going on here. Because Datto RMM and Ninja have not had public disclosures of CVEs, major exploits, like Kaseya has had, like damn sure SolarWinds has had. So why they're going after these versus the ones that have actually been in the spotlight, I don't freaking know. But this I think the first

Shiva Maharaj:

question to ask is, what is Allstate internal IT using? Some seem to think it's some homegrown, lacking-DevSecOps product. Or could it be ConnectWise? Could it be SolarWinds? Could be one of the other RMMs that have not been named. But I want to hone in on the three bullet points here. "Allowing support vendors to view an agency computer without the agency user's knowledge, which could expose PII and PHI." I go, HIPAA, someone's using you as an excuse to get rid of someone. Good for you. But here's the thing with the Datto RMM policy: you can literally check a box and a technician will not be able to hop into your computer unless you explicitly grant it each and every time. Furthermore, once that box has been checked, there is no way to undo it remotely; it has to be undone by the user on the device. So I'm going to chalk that one up as a hot steaming pile of shit.

Eric Taylor:

And the only reason we know that is because we use Datto. So this is why we're a little bit of pizzazz. And we know what we

Shiva Maharaj:

do sometimes.

Eric Taylor:

That, you know what, that actually brings up a good point, because you and I both had ConnectWise even back when it was LabTech. Oh, yes. And I remember there being a screenshot option on there. Maybe there was, but I don't remember.

Shiva Maharaj:

There was, not in ScreenConnect. You could configure it, and it was a few layers deep, and needing approval to join a session. It was not as easy as with Datto. And secondly, with ConnectWise, you had full control, so you could enable or disable that feature at your whim, provided you had administrator privileges. Whereas again with Datto, once enabled, it has to be disabled from the endpoint.

Eric Taylor:

Yeah, very true. And I do remember, when I tried, because Kaseya, in my early infancy of an MSP, I do remember that the screenshots would constantly update on the application. So it was an ongoing screenshot, screen grab, whatever term you want to use. So yeah, unless that's been changed in the past 10 years, that's probably still the same. But, um, being used in a supply chain ransomware attack,

Shiva Maharaj:

that's Kaseya. Kaseya can wear that veil of shame all day every day for all I care. SolarWinds had their incident, but that was an elegant nation-state attack that no one could defend against. Okay, so that's fine. We can go to ConnectWise because, not ConnectWise, sorry, Kaseya, because they got popped by the remote group three times over in four years.

Eric Taylor:

Was it three years, three or four years?

Shiva Maharaj:

I think every name change they got popped. So when they come back to something else, we can expect Kaseya to maybe get

Eric Taylor:

popped again, whether the new name is Groundhog Day just to be? Well, firstly, say it will be Groundhog Day.

Shiva Maharaj:

And Ninja RMM, as far as I can tell, or as far as I've researched, they have not had a major security incident that can be classified in any way, shape or form as a supply chain breach. Yeah, I

Eric Taylor:

mean, Ninja RMM hasn't had really any CVEs that have been pushed out either. So that's all saying, no, in the intro, I don't understand why some of these companies are getting named the way that they are. So we'll get to your point about some of the internal stuff here in just a moment. But, you know, "causing errors when your staff attempts to access Allstate applications from the computers that have their software installed." Yo, so the thing that we had with ConnectWise, you know, that had problems all over the place with third-party applications, a lot of business apps, they even had the

Shiva Maharaj:

whitelisted in your AV. So let's go ahead and whitelist command and control in your anti-malware engine, because that's the dumbest fucking thing ever.

Eric Taylor:

The only application that I know of that Datto RMM interferes with is the Mitel receptionist console, where they have the little management, where they switchboard screen all their, negative, route their calls and stuff like that. For some reason, Datto RMM conflicts with that friggin' thing. I don't know what it is; it has been a big

Shiva Maharaj:

Well, I can tell you that Allstate has an integration with the NetSapiens platform. And it's an open integration between them and, like, say, SkySwitch, which is a popular white-label VoIP reseller in the MSP space. So are they going to go after that as well? So I will, Joe. And so that's it for the three bullet points here. But I think this third bullet point is the most telling, because it is going on selling based on FUD and saying, hey, it interferes with our applications, so why don't you come and get our professional services team to look at your stuff and give you a better option. I mean, they didn't say that closely, but I think that's where this was going. I think this is a targeted attack at the MSP vertical and selling off of the fear that Kaseya has brought to us most recently, back in July, when their, what I would call, negligence in not informing their on-prem partners to restrict access or shut down on-prem servers led to the REvil hack. Not incident. It was a hack.

Eric Taylor:

But the simple fact that they're listing these RMM vendors and not just calling out IT MSPs in general, why are they not doing that? Because that's what really makes me think that, one, their internal is probably using Atera or some other jackwagon program. So they can't listen here because, you know, pot and kettle calling each other black type crap.

Shiva Maharaj:

But yeah, but we live in a do-as-we-say, not-as-we-do world. Now. That's

Eric Taylor:

not just in Congress. Sorry. No, that's everywhere, man. Um, no, "definitely consider using our agency vendor consulting process." What the fuck is that crap? I mean, that's internal

Shiva Maharaj:

IT that is using soft money. They want the franchisee to use their services, and they will get a redemption, whether it's on premiums, advertising and marketing, something or the other. That is Allstate, I think, looking to grow top-line revenue when you really get down to this. The only thing in here that I really agree with is where they're also saying that Allstate franchisee staff is using these command and control systems to gain remote access to their computers when they are working from home. I am a firm believer that should be a separate system that does not tie to any real command and control ability, because that is just a can of worms, or that's Pandora's box, that no one wants to open.

Eric Taylor:

Exactly. So this definitely... So this is actually, we had to pivot on this a little bit. We'll talk about some personal stuff here a little bit that's affecting us, right. So this is actually opening up a can of worms, right. So we have partners that I will not name publicly that we get a lot of referrals from, and they have already contacted me, like, you use Datto RMM, right? I'm like, yeah, what the hell's going on here?

Shiva Maharaj:

I know the answer to that. Hold on. I don't know

Eric Taylor:

exactly. I don't know, but I am looking into it. And they are starting to push back, like, you have to the end of the day Friday to figure this out, and we are pulling referrals from any. So they are giving me, at least as of right now, I'm trying to get, you know, more communication going on. But this is going to affect partners where it's, you have to remove your RMM by a certain date or lose your agreement. And that's kind of where some of my stuff is, like any active agreement, or the verse has been told to me, any active agreement or any, sorry, any active engagement that we are on for incident response must have Datto RMM removed by the end of the day Friday, or you will be pulled from that incident response, and you will no longer get new cases as referrals until you are no longer with that platform.

Shiva Maharaj:

I don't blame them for saying that, quite honestly. I don't like it. But you have a multinational company in Allstate, because God alone knows who actually owns these people, sending out letters, email, sorry, faxes, and information behind an authorization page, saying that you can't use these RMM platforms anymore. And these are very loose reasons why. Datto RMM is one of the few RMMs out there that hasn't had any security incidents. I would consider Datto to have a security team that is leaps and bounds above most of their peers in the managed services vertical. Hell, I think Ryan actually has an AI RP for various situations. I can't say the same for ConnectWise. Oh, absolutely. Yeah. And I just say that because I had experience with ConnectWise, but this is starting to affect business for everyone. And I think this is just another way for insurance companies to exfiltrate themselves from the managed services industry and get away from a group of people, the majority of which have no business touching a computer, much less maintaining one. Yeah, and I blame MSP vendors for this, because they don't care who they sell to, as long as they have revenue

Eric Taylor:

coming in. Gotcha. Yeah, it's gonna be interesting to see how all this thing shakes out. And unfortunately, you know, Datto is starting to see, even in the Reddit post, that, you know, potential incoming partners who were going to come over to Datto from whatever platform they're on, they're seeing this and now pumping their brakes. So, you know, this is going to be a potential... I mean, I'm not sure, you know, again, I'm not a lawyer, but I don't see any defamation cases on this one, or anything slanderous, but I mean, I could imagine this has got to be some sort of legal action that Datto, and maybe we, could potentially take against them.

Shiva Maharaj:

I wouldn't say it's a defamation case. I would hope, for Allstate's side of this argument, that they have real reasons to send out that email naming Datto. Naming Kaseya, because it's pretty much a public dumpster fire, so fuck them. But naming Ninja and naming Datto is something that they really need to have data behind. Because that, you know, loss of revenue is a big deal. And unfortunately, this doesn't just touch Datto. This trickles down to us, our clients, or our clients that service other people using tools we provide. And it's highly irresponsible, I think. Yeah, I mean,

Eric Taylor:

even though we're recording this video on Thursday, but even Datto's stock prices are going through the floor. Now

Shiva Maharaj:

it rebounded. It's back up. Low, is it? Yeah, I mean, this is just a blip. I think the world, the economy, everyone's immune to ransomware at this point. I just think that it's gonna happen, and you're really going to be judged on how well you react. You know, and that's one of the reasons I stayed with a specific Datto platform is because I believe in their CISO and his ability to recover, more so than another platform. Yeah. So. But one thing I find really interesting about this: this notice was sent out on September 22 with a hard stop date of September 27. Five days, which includes Saturday and Sunday. That seems like a very knee-jerk reaction to something.

Eric Taylor:

I don't know. Definitely speculative. A lot of speculation in there. But I don't know, what do you think, and

Shiva Maharaj:

I think someone has a hard-on for these three vendors, because they're dealing with another vendor who's giving them a sweetheart price to commit to using that platform very quickly.

Eric Taylor:

So it goes back to what my original thought was: some sort of inside deal.

Shiva Maharaj:

I think so. I mean, everything points to that. I can't imagine Datto and Ninja are going to stay quiet on this. Datto is a publicly traded company, you know, the shareholders here are at risk with something like this. So now the SEC would probably have to give a shit. But who knows? You know, it's interesting, because there's no indication that Allstate has ever engaged with Datto in any way, shape, or form to have Datto end up on those lists, or Ninja for that matter. So,

Eric Taylor:

again, let's just be clear, let's just say Ryan Weeks from Datto and whoever the CISO is over at Ninja gets Allstate to retract from their standing on their two RMMs. For a vendor that, you know, their, quote unquote, partner of these platforms, this damage is going to be long, long coming. So like, even if they retract it, they're going to remember this, and it's going to be searchable, and people are going to be able to see this, and it's going to cause problems for anybody that's in our industry, you know, MSP, MSSP, IR, whatever. Because I mean, no matter what, we're in a, no, I'm not going to use "panda". We are definitely in a mobile workforce,

Shiva Maharaj:

we're gonna work from anywhere world. And people aren't going back to the offices en masse. I go by office parks all the time, and you can count the number of cars on two hands when there used to be hundreds or even thousands of cars in those parking lots. So something like an RMM, a command and control system, is needed for maintenance. Now our buddies over at Pax8 love selling Microsoft Endpoint Manager as a replacement RMM. And that's

Eric Taylor:

fine with Microsoft partners. But I have a number of clients that are not under the whole Microsoft ecosystem; they are under the G Suite ecosystem. So while they may work for some partners and some technologists, it doesn't work for everybody. You know, that's why these RMM vendors exist.

Shiva Maharaj:

Yeah. But you know, I keep going back to security with Datto, because they do have a better stance than most of the other vendors. I've been around the vast majority of vendors, not just RMM vendors, in the MSP space, have horrible DevSecOps, or none whatsoever. And they love to jump to the word, to the phrase NDA every time you ask them about it. If you have security, I'm not telling you to give me your playbooks; make me feel comfortable.

Eric Taylor:

Yeah, yeah, we went over to Datto. They didn't disclose by any means what issues they've had or whatever. But, you know, we were just asking the high-level questions, you know, how does this process work? What is your response? And, you know, do you do SOC 2s, and, you know, just that whole framework of what they do. So we felt more comfortable knowing that they had a policy, they have procedures, you know, they are actually working it, not just saying it, like, you know, say you're self-attested to a NIST framework. You know, there's a difference in seeing somebody talk about it and seeing somebody who actually knows and lives that every day, right, so

Shiva Maharaj:

you know what, I'm gonna put it out there. If you are an Allstate franchisee or owner of a local Allstate office, and you are able to and allowed to send us a copy of this email, please send it to info at amplified and intensified.com. Only if you are allowed to. I do not want, nor encourage, you to send me anything if you are not allowed to.

Eric Taylor:

Oh, but come on. I really would love to see some of these Q&As and everything that they've got behind this walled garden. Hopefully somebody will give it to us, or we're able to get it from a third-party source, because

Shiva Maharaj:

it'll end up on Reddit at some point. Man, I just hated the fact that, you know, I woke up at 5:30 this morning to an email from a prospect sending me this thing. Hey, dude, what the... Yes,

Eric Taylor:

Yep. Yeah. So we actually have to, like, in our situation, we're having to slow down some of our incident response cases to pivot to maybe a different solution. So it's just affecting things, and it's

Shiva Maharaj:

what you shouldn't have to, right? Because this is, I don't want to say it's unfounded, but this is a situation where you have a decree from an insurance company that affects thousands upon thousands of businesses, and there's no solid reasoning why. You know, if you told me you can't use ConnectWise, you can't use Kaseya, you can't use SolarWinds because their products are mapped to CVEs that have been exploited widely, I'd say, okay, that makes perfect sense. But where's Datto on that CVE list? I don't believe they are there in terms of something that's been exploited in US

Eric Taylor:

News. Ninja, neither, man. They haven't been. We haven't brought it up, but Syncro MSP has been on here

Shiva Maharaj:

a terror attack other than Conti TTPs. Yeah, that's a push. That is,

Eric Taylor:

You know, yeah. 'Cause Atera is able to be deployed by a PowerShell, and can fully configure where the remote code... so anything like that, this... Yeah, that's a bar. Oh, yeah. So anyway. Oh, good. This is gonna be a long couple of days, man. I'm not looking forward

Shiva Maharaj:

to this at all. TGI Thursday, and tomorrow's Friday. Yeah,

Eric Taylor:

maybe we should start drinking now. That could be arranged. Alright, well, ladies and gentlemen, thank you so much for tuning in to yet another piss and vinegar show of Amplified and Intensified. If you enjoyed this content, please share it with somebody; please give us a rating on iTunes. Let us know how we're doing. If you're watching the video, please comment, like and subscribe there as well. And until next time, thank you so much.