Cybersecurity Roundup: MSP Attacks, NCSAM, Exabeam, Comcast Business
During the second quarter, at least three MSPs suffered network breaches that allowed the attackers to leverage legitimate management systems to spread the Sodinokibi ransomware to the MSPs’ customers, according to WatchGuard’s Internet Security Report for Q2 2019. That followed at least four MSPs getting hijacked and exploited in February to spread the Gandcrab ransomware to many of their customers, it said.
To find out more about why MSPs are increasingly being targeted, we spoke with Corey Nachreiner, WatchGuard’s CTO and one of the co-authors of the quarterly report.
Channel Futures: What makes MSPs vulnerable to and a good target for the 2019 Sodinokibi MSP ransomware?
Corey Nachreiner: The primary factor making MSPs a juicy target for Sodinokibi is their multiplier factor. Hacking one MSP can give the attacker access to dozens of other organizations. For example, hacking one MSP might give the attacker the keys to 40 separate customer networks. The specific malware the attacker delivers doesn’t matter as much; it’s just a way to monetize the breach and ransomware is particularly effective at getting returns for criminals. The exact variant, whether it’s Sodinokibi or a different one, matters less.
Another factor is MSPs’ use of remote management tools. In order to provide IT services to customers remotely, MSPs leverage many central remote monitoring and management (RMM) tools. If an attacker gains access to these tools, they have an easy, legitimate vector to control many networks. Like any other software, the security of how these tools are implemented varies widely from company to company.
As an aside, in general MSPs should be, and often are, a harder target for attackers to crack because they often have more technical and security expertise on their staff. However, like any other organization, some MSPs are better at security than others.
CF: Are we likely to see more MSPs targeted?
CN: Yes, absolutely. Hijacking an MSP has a great deal of return on investment for cybercriminals. MSPs have an elevated level of privilege in their customers’ networks, usually admin rights. If a cybercriminal can hack one target – the MSP – they potentially gain full access to tens of networks, if not more. Now that hacking groups have realized this potential, they will certainly continue to look for new MSP victims.
CF: What sort of damage has been sustained by the targeted MSPs?
CN: The damage sustained by the affected MSPs differs greatly by target and depends on what mitigating options the MSP had in place, such as working backups. However, some MSPs have had thousands of their customers’ endpoints encrypted, as well as their own computers. At the very least, recovering all those systems from backups has a huge cost in time, resource and downtime for the customers. This doesn’t take into account the reputation loss the MSPs will likely suffer. While we don’t have specific information on the damage caused by these attacks, it’s reasonably safe to assume that …