Miscreants are targeting managed service providers (MSPs) to break into their customers' networks and deploy ransomware, steal data, and spy on them, the Five Eyes nations' cybersecurity authorities have formally warned in a joint security alert.
"The UK, Australian, Canadian, New Zealand, and US cybersecurity authorities expect malicious cyber actors — including state-sponsored advanced persistent threat (APT) groups — to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships," the alert warned.
These types of supply-chain or "island-hopping" attacks can prove very lucrative for cybercriminals because once they break into an MSP, they gain access to all of the customers' networks and data being managed, and in turn commit computer crimes and fraud against those customers' customers.
Case in point: the SolarWinds attack in 2020, when Kremlin-backed miscreants slipped malware into SolarWinds' Orion software, which was then pushed to some 18,000 SolarWinds' customers. This allowed the criminals to infiltrate nearly 100 US government and private-sector networks.
That MSPs are a weak point in the IT supply chain isn't Earth shattering for a good number of you in the industry, though it's welcoming to see governments not only recognize the threat but also attempt to highlight it.
"Today's joint advisory is a stark warning of the clear and present danger posed by ongoing attack campaigns against MSPs. Rogue nation states love this method of cyber-colonization," Tom Kellermann, head of cybersecurity strategy at VMware, told The Register. The virtualization biz has seen a 58 percent increase in island hopping over the past year, Kellermann added.
"I am concerned that as geopolitical tension metastisizes in cyberspace, these attacks will escalate and Russian cyber-spies will use this stratagem to deploy destructive malware across entire customer bases of MSPs," he said. "Enterprises must focus on implementing zero-trust and increase active threat hunting, especially across networks and endpoints."
The Five Eyes alert also provides guidance on discussions that should happen between MSPs and their customers about securing sensitive data.
"These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance," the advisory stated. Additionally, customers should check that their contracts specify that MSPs implement certain security controls, according to the agencies, which include CISA, the FBI and the National Security Alliance.
The first step, per usual, is implementing baseline security and operational controls. This includes backing up systems and data, isolating critical systems, applying least-privilege principles across network and device access, and turning on multi-factor authentication (MFA).
However, the alert noted that Russian state-sponsored criminals can exploit default MFA protocols as they demonstrated in recent attacks that also exploited thePrintNightmare vulnerability. "Organizations should review configuration policies to protect against 'fail open' and re-enrollment scenarios," the alert warned.
How to prevent initial compromise
Because remote-access VPNs, internet-facing services, phishing emails and password spraying are usually involved in an initial compromise, the agencies also point to guidance on hardening and protecting technologies to close up common entry points for attacks.
MSPs should log their delivery infrastructure activities related to providing services to their customers as well as internal and customer network activity, according to the alert. "It can be months before incidents are detected, so UK, Australian, Canadian, New Zealand, and US cybersecurity authorities recommend all organizations store their most important logs for at least six months," it said.
Customers and MSPs should periodically check their attack surface and disable accounts and infrastructure that are no longer in use, such as use accounts after an employee leaves a company.
And, as always, update software and apply patches. "Prioritize applying security updates to software containing known exploited vulnerabilities," the alert suggested. ®Get our Tech Resources