MSSPs are vulnerable to the same type of ransomware attack as MSPs.

Edward Gately, Senior News Editor

October 1, 2019

11 Min Read
Security Roundup
Shutterstock

Cybercriminals already have attacked a number of MSPs and more are likely to be targeted in the coming months, according to a new report by WatchGuard Technologies.

During the second quarter, at least three MSPs suffered network breaches that allowed the attackers to leverage legitimate management systems to spread the Sodinokibi ransomware to the MSPs’ customers, according to WatchGuard’s Internet Security Report for Q2 2019. That followed at least four MSPs getting hijacked and exploited in February to spread the Gandcrab ransomware to many of their customers, it said.

To find out more about why MSPs are increasingly being targeted, we spoke with Corey Nachreiner, WatchGuard’s CTO and one of the co-authors of the quarterly report.

Channel Futures: What makes MSPs vulnerable to and a good target for the 2019 Sodinokibi MSP ransomware?

Corey Nachreiner: The primary factor making MSPs a juicy target for Sodinokibi is their multiplier factor. Hacking one MSP can give the attacker access to dozens of other organizations. For example, hacking one MSP might give the attacker the keys to 40 separate customer networks. The specific malware the attacker delivers doesn’t matter as much; it’s just a way to monetize the breach and ransomware is particularly effective at getting returns for criminals. The exact variant, whether it’s Sodinokibi or a different one, matters less.

Nachreiner-Corey_Watchguard.jpeg

WatchGuard’s Corey Nachreiner

Another factor is MSPs’ use of remote management tools. In order to provide IT services to customers remotely, MSPs leverage many central remote monitoring and management (RMM) tools. If an attacker gains access to these tools, they have an easy, legitimate vector to control many networks. Like any other software, the security of how these tools are implemented varies widely from company to company.

As an aside, in general MSPs should be, and often are, a harder target for attackers to crack because they often have more technical and security expertise on their staff. However, like any other organization, some MSPs are better at security than others.

CF: Are we likely to see more MSPs targeted?

CN: Yes, absolutely. Hijacking an MSP has a great deal of return on investment for cybercriminals. MSPs have an elevated level of privilege in their customers’ networks, usually admin rights. If a cybercriminal can hack one target – the MSP – they potentially gain full access to tens of networks, if not more. Now that hacking groups have realized this potential, they will certainly continue to look for new MSP victims.

CF: What sort of damage has been sustained by the targeted MSPs?

CN: The damage sustained by the affected MSPs differs greatly by target and depends on what mitigating options the MSP had in place, such as working backups. However, some MSPs have had thousands of their customers’ endpoints encrypted, as well as their own computers. At the very least, recovering all those systems from backups has a huge cost in time, resource and downtime for the customers. This doesn’t take into account the reputation loss the MSPs will likely suffer. While we don’t have specific information on the damage caused by these attacks, it’s reasonably safe to assume that …

… the target MSPs lost customers, which directly affects their bottom line.

CF: What are some of the other surprising findings in this report?

CN: While it’s obvious in hindsight, the attackers’ use of legitimate MSSP tools to carry out the attack was quite surprising. They used the industry’s own tools against them.

These attacks also illustrate why authentication is the cornerstone of security. Many of our security controls are based on trusted versus untrusted users. You can have the most sophisticated security in the world, but if an attacker can somehow digitally authenticate as a “trusted user,” the security goes out the window. MSPs, and companies in general, need to make sure their authentication process is secure. Everyone needs multifactor authentication (MFA) today.

CF: Does the report point to challenges/opportunities for MSSPs and other cybersecurity providers?

CN: Yes, MSSPs are vulnerable to the same type of attack. Like MSPs, they have remote tools for central management, and a multiplier factor since they manage security for many customer networks. Even worse, if an attacker gains an MSSP’s privileged access, they have the ability to turn on and off security for that MSSP’s customers as part of their attack.

In short, the same things that make MSPs juicy targets also apply to MSSPs. That said, MSSPs really should have top security expertise, so logic would dictate that they have better internal security than most companies.

CF: Does the report point to any progress being made?

CN: At the very least, these incidents have put a spotlight on the weaknesses in MSP networks. Many of the vendors of MSP RMM or central management products have reacted to these incidents by making MFA required in their products. That alone can greatly mitigate these types of attacks.

National Cybersecurity Awareness Month

Today marks the start of National Cybersecurity Awareness Month (NCSAM), a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.

NCSAM 2019’s theme is: Own It, Secure It, Protect It. This new call to action emphasizes the role each individual plays in maintaining online safety and stresses the importance of taking proactive steps to enhance cybersecurity practices at home, on the go and in the workplace.

Kelvin Coleman, executive director of the National Cyber Security Alliance, tells us regularly scheduled, effective employee cybersecurity training is still lacking in …

… organizations of all sizes and is a critical component of improving the organization’s cybersecurity.

Coleman-Kevin_National-Cyber-Security-Alliance.jpg

NCSA’s Kevin Coleman

“In particular, employees should be trained on email security training prior to having access to company email,” he said. “Over 90% of cyber incidents begin with an email, so the earlier the email security training, the better. Organizations should also better understand their cybersecurity insurance policy (if they have one), and what is/is not covered in case of an incident or breach. Policies vary, so it’s important to know what the organization’s coverage is. We are also still seeing some of the basics not being implemented–such as strong passphrases, MFA and limited privilege, to name a few of the most important ones.”

Cybersecurity providers are always going to face new challenges because the threat actors are working studiously to improve their craft, Coleman said. Therefore, cyber threats are going to “continue to evolve and get better as technology and our knowledge of it evolves — which forces cybersecurity providers to stay current,” he said.

“Furthermore, new technologies are released into the marketplace and deployed across business networks every day,” he said. “Many of these technologies have software vulnerabilities because they are rushed to the market, have little or no security features built into them, and are often not purchased with security in mind — therefore, posing quite a few risks to the organization and creating new challenges for cybersecurity providers. Lastly, MSPs, in particular, are facing an onslought of attacks from threat actors, so (they) must take steps to secure their own organization, while also securing their customers. Criminals know what access to systems and data MSPs have, and are using these supply chain attacks to gain access to many networks from one privileged entry point. ”

The goal of NCSAM is to help businesses and consumers understand the importance of protecting their data and knowing how to protect it, Coleman said.

“We also want people to understand that cybersecurity is a shared responsibility, because what we do online can affect others,” he said. “This year we are also really focusing on behavioral change. More people understand the importance of cybersecurity, but now we need them to do something about it.”

Data shows that small businesses are often victims of cyberattacks as they tend to lack the resources needed to completely protect themselves from threats. In 2018, Ponemon Institute conducted a study showing 72% of small businesses reported malware slipping past their intrusion detection systems.

Ed Marsh, exporting advisor for American Express, provides the following tips for businesses to keep in mind to protect themselves:

  • Don’t carry information you don’t need – consider using a travel phone and laptop with the bare minimum

  • Always use a VPN for internet access

  • Don’t connect automatically to public Wi-Fi

  • Disable your Bluetooth

  • Enable functionality to disable devices remotely or with multiple failed login attempts

  • Change passwords frequently

  • Recognize there are different standards for content (e.g. prurient, religious and or political) and ensure you don’t have documents, movies, music, etc.

Exabeam Enhances SMP

Exabeam, the security information and event management (SIEM) provider, Tuesday unveiled enhancements to its Security Management Platform (SMP), including integrated Mitre Attack framework labels and customized incidents to speed investigations, as well as …

… cross-cluster searches to improve responsiveness for global deployments.

Mitre Attack is s a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. They are arranged by attack stages, from initial system access to data theft or machine control. SMP detection methods now are mapped to the Mitre Attack framework, allowing security analysts to label adversary behavior and enabling improved collaboration.

The new mapping approach enables security analysts to view and filter Mitre techniques within Exabeam Smart Timelines, machine-created timelines that sequence events into plainly worded narratives. Smart Timelines allow security teams to investigate event details with minimal technical expertise and without querying multiple systems. Analysts can mouse over event labels for Mitre techniques for a pop-up description or click on labels to open the Mitre webpage for a detailed description.

In addition, security analysts can search for Mitre tactics and techniques using Exabeam Threat Hunter across users and devices, using drop-down menus and a point-and-click interface.

Daughney-Trevor_Exabeam.jpg

Exabeam’s Trevor Daughney

Trevor Daughney, Exabeam’s vice president of product marketing, tells us partners now can offer SMP customers new enhancements that improve the security operations center (SOC) experience.

“These updates provide a substantial competitive advantage to Exabeam and our partners,” he said. “The true and tangible difference between Exabeam and other companies is that our tools provide a lot of flexibility and features that security teams need. As an example, one of those tools is the new checklists feature. At its most basic, it is the ability to document a series of tasks. However, it can expand out, providing a way to combat the skills gap concerns currently top of mind for many SOC department leaders. Through this feature, senior analysts can create the checklist, then more junior folks can address more specific incidents. This allows for not only on-the-job training opportunities, but also, and more importantly, it adds a layer of protection by ensuring each analyst is using the same set of processes.”

Comcast Business Unleashes Small Business Protection

Comcast Business has launched its new cloud-based internet security solution, specifically aimed at helping small businesses manage the growing risk of cyberattacks.

Comcast Business SecurityEdge works to protect a business’ network and the devices connected to it against several existing and emerging internet-related threats, including malware, ransomware, phishing and botnet infections, without requiring additional hardware or software beyond the Comcast Business Internet modem.

“Cybersecurity keeps business owners up at night because they face an onslaught of challenges from various, ever-changing forms of cyberthreats that can result in the loss of sensitive information or the disruption of business operations,” said Shena Tharnish, Comcast Business’ vice president of cybersecurity products. “Comcast Business SecurityEdge – a simple yet powerful solution – can help defend companies and their data from serious harm by protecting all devices connected to the network at an affordable price.”

Comcast Business’ internet security solution, developed in partnership with Akamai, blocks access to compromised or malicious domains, which helps prevent business owners, employees or guests from accessing an infected internet site. Businesses also have the ability to filter web content – gaining more visibility into their network safety with a personalized dashboard that provides regular reporting.

The cloud-based solution updates internet domain threats every 10 minutes so companies can be protected from the latest threats with no need for manual downloads or software updates, according to Comcast Business.

Read more about:

MSPs

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like