Managed Service Providers are a lucrative target for hackers. If a threat actor can obtain access to an MSP’s network, they can use the same remote management tools that the MSP uses to carry out attacks on the MSP’s clients.
Many businesses are now turning to MSPs for IT support and management services. This is typically the most cost-effective solution, especially when firms lack the in-house IT expertise to manage their networks, applications, and security. An MSP will typically supply IT management services for many different firms, so a successful cyberattack on the MSP can give a threat actor access to the networks of all of the MSP’s clients, which makes the attack extremely worthwhile.
There was a marked rise in cyberattacks on managed service providers in 2019, in particular by ransomware gangs using GandCrab, Sodinokibi, BitPaymer, and Ryuk ransomware. The MSPs were attacked in a variety of ways, including phishing, brute force attacks on RDP, and exploitation of unpatched flaws.
Once access has been obtained to an MSP’s network, hackers search for remote management tools such as Webroot SecureAnywhere and ConnectWise, which the MSP uses to access its clients’ networks to supply IT services. Several 2019 ransomware attacks on MSPs used these tools to access clients’ networks and install ransomware. MSPs such as PerCSoft, TrialWorks, BillTrust, MetroList, CloudJumper, and IT by Design were all attacked in 2019, and ransomware was deployed on their own and their clients’ databases.
Kyle Hanslovan, CEO at Huntress Labs, told ZDNet in a recent telephone interview that his company had provided support to 63 MSPs that had been targeted in 2019, but he believes the total number of attacks was likely to be more than 100. The number of MSPs that have been attacked is likely to be higher still, since many cyberattacks on MSPs are probably never even detected.
The attacks have shown no sign of dropping off. Recently the U.S. Secret Service issued a TLP Green alert warning MSPs of a rise in targeted cyberattacks. Compromised MSPs have been used to carry out business email compromise (BEC) attacks to get payments sent to hacker-controlled accounts. Attacks have been carried out on point-of-sale (POS) systems and malware has been deployed that intercepts and exfiltrates credit card data, and there have been several successful ransomware attacks.
Along with cybercriminals, nation-state-sponsored hacking groups have also been carrying out cyberattacks on MSPs, notably hacking groups connected with China. The National Cybersecurity and Communications Integration Center (NCCIC) issued an alert about the threat to MSPs from state-sponsored hacking groups in October 2019.
There are many best practices that can be implemented by MSPs to improve security and prevent these attacks. MSPs may currently be incredibly busy helping their clients deal with IT issues linked to the COVID-19 pandemic, but given the increase in focused cyberattacks on MSPs, time should be spent improving their own security, not just security for their clients.
The U.S. Secret Service advises MSPs to keep up to date on patching, especially patches for any remote administration tools they implement. ConnectWise issued a security advisory last month and patched a vulnerability in the ConnectWise Automate solution. The API vulnerability could be targeted remotely by a threat actor to execute commands and/or modifications within an individual Automate instance. Vulnerabilities such as these are actively sought by hackers.
The principle of least privilege should be used for access to resources to restrict the damage inflicted in the event of a breach. It is also wise to have well-defined security controls that are fully compliant with industry standards.
Annual data audits should be completed, along with regular scans to identify malware that may have been downloaded onto systems. Logging should be turned on, and logs should be regularly checked to spot potentially malicious activity. MSPs should also ensure that their employees receive ongoing security awareness training to teach cybersecurity best practices and how to spot phishing and BEC scams.