If you are an MSP, as in managed service provider, or your organization uses the services of an MSP, then you need to be aware of increased malicious hacking activity directed at MSPs and their clients around the world. This article offers some advice on how to respond to this trend. If you are not sure what an MSP is, you might want to scroll down to the section headed “MSPs: who, what, why?”
Attacks on MSPs
The managed service industry finds itself in the cybercrime spotlight thanks to two news items that appeared in recent months. The first, which may have been under-reported due to the timing, came out just before Christmas, 2018. That’s when the US Department of Justice announced that two Chinese nationals had “conducted global campaigns of computer intrusions targeting, among other data, intellectual property and confidential business and technological information at managed service providers (MSPs), which are companies that remotely manage the information technology infrastructure of businesses and governments around the world”.
While MSPs were not mentioned in the headline of the DoJ press release announcing the indictment of these two people, the sub-head stated: “Defendants Were Members of the APT 10 Hacking Group Who Acted in Association with the Tianjin State Security Bureau and Engaged in Global Computer Intrusions for More Than a Decade, Continuing into 2018, Including Thefts from Managed Service Providers”. According to the indictment, the APT10 Group targeted MSPs “in order to leverage the MSPs’ networks to gain unauthorized access to the computers and computer networks of the MSPs’ clients.”
Unfortunately, I think some MSPs did not see this news, or perhaps they discounted it due to the Chinese state security connection – some people assume that means military and political targets. However, these attacks by APT10 were far more diverse than that, as the detailed DoJ announcement makes clear, for example:
“the APT10 Group obtained unauthorized access to the computers of an MSP that had offices in the Southern District of New York and compromised the data of that MSP and certain of its clients involved in banking and finance, telecommunications and consumer electronics, medical equipment, packaging, manufacturing, consulting, healthcare, biotechnology, automotive, oil and gas exploration, and mining.”
If that is not worrying enough, consider the second news item: “Ransomware Attack Via MSP Locks Customers Out of Systems.” That was the headline in Dark Reading which reported that: “The attack resulted in some 1,500 to 2,000 systems belonging to the MSP's clients getting cryptolocked and the MSP itself facing a $2.6 million ransom demand.”
An attack of that scale is hard to ignore and it is now abundantly clear that there are some serious criminals who see MSPs as a prime target because they typically have access to the systems of multiple clients, offering the enticing possibility of victimizing multiple companies with just one hack. However, as news reports noted, this ransomware attack was linked to a vulnerable plugin for a remote management tool from Kaseya. Naturally, that led some MSPs to discount it because either they don’t use Kaseya, or if they do, they don’t use that plugin.
Threat Response
In the light of these two developments I think any MSP that has not recently undertaken a comprehensive security audit/review should do so now. There are several good reasons for this. First, the risk assessment that shaped your current security posture might not have included serious and well-funded threat actors targeting MSPs and MSP clients via the MSP.
Second, recent public reports of these attacks against MSPs has – I would argue – raised the standard of due care. If you suffer a data breach – either as an MSP or the client of an MSP – you cannot reasonably defend legal challenges to your security posture on the grounds that you were unaware serious criminals were active in this space.
To put the scale of risk in perspective, the implications of the US DoJ announcement were serious enough to prompt the Australian government to issue a warning and advisory in January: “Implementing the Essential Eight for MSPs.” This essential eight is a set of security measures that the Australian Cyber Security Centre has put together. (In brief, the eight measures are: application whitelisting, application patching, application hardening, restricting administrative privileges, multi-factor authentication, OS patching, daily backups, and adjusting Microsoft Office macro settings.)
To that list I would add making sure that all of your endpoints are protected with a strong and well-managed security suite, remembering that “endpoint” includes file servers, mail servers, and servers in the cloud. Furthermore, if you are not yet running endpoint detection and response software I suggest you give that serious consideration (I made the case for EDR here).
Some reports of ransomware incidents impacting MSPs indicate that RDP is also being used as an attack vector. At the very least you need to make sure all RDP access is protected with strong passwords and rate-limited lockout of failed login attempts (remember, the attackers who hit the Colorado Department of Transport with ransomware in 2018 got in because they were allowed to try 40,000 different passwords). You really should be using two-factor authentication for all your remote access (preferably a 2FA system that does not use SMS). For more on ransomware attacks via RDP see my ESET white paper: Ransomware: An enterprise perspective.
Another critical security measure, which should perhaps be first on the list, is to make sure that you know about, and have secured, all of the things that are on the networks you manage. Just yesterday an MSP told me of a client that had installed 400 smart thermostats on the corporate network, without telling IT. If you don’t think that criminals are looking for ways to exploit such devices as a conduit to corporate network compromise, then you don’t know criminals.
If you do get attacked, you will benefit greatly from having a comprehensive and well-rehearsed incident response plan in place. There are some good incident response plan templates on peerlyst (you will need to sign up to access them, but peerlyst is well worth joining). In terms of security incident response strategies, there is a good article and discussion on peerlyst that is worth checking out: How to Handle Information Security Incidents. This article on CSO has some good response tips specific to MSPs.
MSPs: Who, what, why?
This section provides background on the managed service provider model. If you are reading this article on a computer or other device that your employer provided to you, the odds are about one-in-three that it was actually provided by a managed service provider. An MSP can be defined as “a company that remotely manages a customer's IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model” (TechTarget). Those odds vary from country to country, but the MSP model for providing organizations with the information technology that they need is proving to be very popular in many parts of the world.
Globally, the managed services market is expected to grow from USD 180.5 billion in 2018 to USD 282.0 billion by 2023; that represents a 9.3% compound annual growth rate (CAGR). That statistic is from a 2018 report by MarketsandMarkets which described the major factors driving the managed services market as “the increasing dependence of organizations on IT assets to boost their business productivity and the need for specialized managed service providers who can offer cloud-based managed services.”
So let’s look at MSPs from the bad actor perspective. In North America, the number of companies that could be described as MSPs varies according to whom you ask, but if you exclude one and two person operations, I think 20,000 might be a reasonable count for the number of MSPs that serve multiple clients. A survey by Datto indicates that 20% are serving 101-200 clients, with 60% serving up to 100.
These numbers imply that many MSPs have privileged access to data and systems within a large number of client networks, access that those clients authorize so that the MSPs can provision and manage their IT needs. This fact has not escaped the attention of people who take an unhealthy interest in other people’s data, people like criminals and state intelligence services. In other words, if you want to gain access to the digital assets of a bunch of companies or government agencies at once, breaking into an MSP could be worth the effort.
For criminals, the appeal of targeting MSPs is not just the sheer number of potential victims. The very nature of the MSP business model serendipitously enables sector-specific targeting. For example, it is not unusual for an MSP to build its business by understanding and meeting the IT needs of a particular profession, such as doctors, accountants, dentists, architects, engineers and so on. Other MSPs specialize in serving government agencies. So, whether the crime model is ransoming mission critical data, or stealing high value intellectual property, knowing that you can hit multiple targets that meet the appropriate victim profile via penetration of a specialized MSP makes that an appealing proposition.
Knowing that bad actors are investing time and effort into compromising MSPs means that now is time for MSPs to check their defenses and be vigilant for suspicious activity. They should also be prepared respond to clients made anxious by these developments. Those MSPs that have confidence in their security strategy may want to consider proactive reassurance.