The US Secret Service (USSS) has been sending security alerts to organisations across the pond regarding an upswing in the number of cyberattacks related to compromised managed service providers.
The warning comes as a result of threat intelligence out of the Global Investigative Operations Center (GIOC), which supports USSS in combatting organised crime groups. The alert document, obtained by ZDNet, says that cybercriminals are "leveraging compromised MSPs to conduct a variety of attacks including point-of-sale intrusions, business email compromise and, specifically, ransomware attacks."
While some reports have painted this as a relatively new trend, that would not appear to be the case. "MSPs have been in the cross hairs of APT 10 since 2014," threat intelligence expert and CISO at Cyjax, Ian Thornton-Trump, told SC Media UK. APT 10, also known as Stone Panda, is a Chinese state-sponsored actor and the MSPs in question back then were based in Japan.
"If something is big in Japan," Thornton-Trump reminds us, "it has every chance of going global - and it did." He points towards the Cloud Hopper report in 2017 that concluded attacks on large global MSPs were peaking in 2016. Thornton-Trump says that this alert should not come as news to anyone, least of all MSPs. "If an MSP has not tightened up defences post 2017, and has ignored a constantly increasing cyber-threat, is repeating the same warning over and over really going to make any difference?"
Reports that MSPs are increasingly being targeted by ransomware actors in particular "proves that security is not understood to the extent that it should be," Dan Panesar, director, Securonix UK and Ireland, said. It's the old low-hanging fruit problem, in other words. "We will likely see a steady proliferation of well thought out attacks against MSPs and targeting their clients' data," Ilia Kolochenko, CEO at ImmuniWeb, said. "Attackers concentrate their malicious efforts on MSPs because they are now such a low-hanging fruit."
Justin Gilbert, senior director of channels at ZIX, agrees that MSPs are at the forefront in a battle between attackers and their customers. "Up-to-date patches and security measures are critical but diligence in password management is a low effort, high impact activity," he said.
The USSS alert offered advice for MSPs as far as best practice is concerned. The first item would appear to be aimed more at protecting the MSP itself from customer litigation than from threat actors: have a well-defined service level agreement. Beyond that, however, the advice improves: ensure remote administration tools are patched, foster a least-privilege culture when it comes to resource access, and put in place well-defined security controls, cyber awareness and training programmes and annual audits.
Of course, the MSP threat doesn't stop at the service provider; it's the customers the attackers are really after. "It is important to remember that even though you rely on an MSP or managed security service provider, you are still culpable for the information that you own," Panesar reminds us. That means putting all that same USSS security advice for MSPs into practice within the client business. "Even though it may seem expensive," Panesar concludes, "it will be significantly cheaper than a data breach."