UPDATED 13:53 EDT / SEPTEMBER 01 2023

Multiple LogicMonitor users reportedly hacked because of weak default passwords

Multiple companies that use LogicMonitor Inc.’s observability platform have been hit with ransomware because of weak default passwords in the software, according to two new reports.

BleepingComputer and TechCrunch reported the hacking campaign on Thursday, citing sources familiar with the matter. TechCrunch’s source is described as a person affiliated with a “company that was impacted by the incident.” LogicMonitor confirmed the hacking campaign in response to the reports. 

“We are currently addressing a security incident that has affected a small number of our customers,” the company said in a statement. “We are in direct communication and working closely with those customers to take appropriate measures to mitigate impact.”

Santa Barbara, California-based LogicMonitor launched in 2007 and went on to raise more than $140 million from investors over the next decade. In 2018, the company sold a majority stake to the private equity firm Vista Equity Partners. LogicMonitor says it helps more than 2,000 organizations monitor more than 3 million devices.

LogicMonitor’s observability platform allows companies to monitor cloud and on-premises infrastructure for technical issues. It can spot sudden drops in application performance, excessive hardware usage and other issues.

Until recently, the company reportedly provisioned the accounts it created for customers with weak default passwords. They consisted of the text snippet “Welcome@” plus a series of numbers. According to TechCrunch’s source, an organization that signed up for LogicMonitor could expect all its user accounts to be created with an identical default password.

Hackers reportedly exploited the flaw to gain access to some customers’ LogicMonitor deployments. According to BleepingComputer, the hackers installed ransomware on the affected companies’ infrastructure using a component of the observability platform called LogicMonitor Collector. It’s a program used to collect technical data from on-premises systems for monitoring purposes.

Besides collecting data, the program also provides a tool that allows companies to extend its features with custom code. The hackers reportedly used that tool to install their ransomware on the affected organizations’ systems. At one of the organizations, more than 400 systems are believed to have been compromised. 

The hackers carried out the ransomware attacks last week. This past Tuesday, LogicMonitor reported a technical issue that temporarily prevented some customers from accessing certain features of its platform. The company said it had identified the cause of the issue within a few hours and rolled out a fix. 

After learning of the hacking campaign, LogicMonitor reportedly notified customers that their infrastructure could be at risk. The company also changed its platform’s default password settings. According to TechCrunch, default passwords in the platform now expire after 30 days and must be changed the first time users log into their accounts. 
