Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A Managed Service Provider administrator fell victim to a sophisticated phishing attack targeting their ScreenConnect Remote Monitoring and Management tool. The attack, attributed to Qilin ransomware actors, used a fake ScreenConnect domain to intercept credentials and bypass multi-factor authentication. This incident matches a pattern of similar attacks tracked by Sophos MDR as STAC4365, dating back to 2022. The attackers gained access to the MSP's environment, deployed their own ScreenConnect instance across multiple customer networks, and conducted extensive reconnaissance and data exfiltration. They ultimately deployed Qilin ransomware across multiple customer environments, targeting backups to prevent service restoration. The attack demonstrates the growing threat to MSPs and their customers through supply chain compromises.
OPENCTI LABELS:
phishing, ransomware, screenconnect, mfa bypass, supply chain, qilin, cve-2023-27532, evilginx, stac4365, msp