How to Fight Cyberattackers Who Target MSPs
2019 already has been a bit of a rough year security-wise, to no one’s surprise. There are of course the usual suspects, but there is one growing trend in particular that hits a bit too close to home. Turns out, managed service providers (MSPs) make pretty attractive targets for cybercriminals.
According to MSP-focused computer software company NinjaRMM, there are three primary active threats wreaking havoc on MSPs and their customers. Here’s a look at them, and what providers can do to better protect themselves.
1. China-Based Hacking Group APT10
Back in October, the United States Computer Emergency Readiness Team (US-CERT) sounded an official alarm on a wide-ranging and sustained effort by advanced persistent threat (APT) actors to infiltrate MSPs and their customers. Experts say that the campaign, or Operation Cloud Hopper as it’s known, has been active since 2016. The damage? Hackers are said to have gained unprecedented access to MSP customer networks.
To give an idea how deep the rabbit hole went, among those affected were tech giants Hewlett Packard Enterprise (HPE) and IBM. Alastair MacGibbon, head of Australia’s Cyber Security Centre, shed light on the full estimated extent of the damage, saying that likely tens of thousands of companies may have been put at risk via their MSPs. He described the operation as “the biggest and most audacious campaign I’ve ever seen … massive in its scope and its scale.”
Here are some key facts of the attack:
- Attackers gain initial access to MSPs via good old-fashioned spear phishing emails.
- They then spread to MSP customer networks by means of legitimate, stolen MSP credentials and remote access tools like RDP.
- They fly under the radar, avoiding detection by using legitimate, built-in administration tools like PowerShell, Robocopy and PuTTY to mine data and conduct other mischief and unscrupulous shenanigans.
- Attackers gain persistence on compromised machines by using scheduled tasks or Windows services.
- The primary goal of the campaign reveals itself to be espionage and intellectual property theft.
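The tradecraft listed above maps onto Windows events a defender already collects: RDP logons (Security event 4624 with logon type 10), scheduled-task creation (Security event 4698) and service installation (System event 7045). The script below is an added example, not code from the article or from NinjaRMM; it runs a handful of triage rules over constructed sample events. The account name, jump-host address, hostnames and task/service values are placeholders invented for the example, and the "user-writable directory" and built-in-tool lists are assumptions a real deployment would tune to its own environment.

```python
"""Triage constructed Windows event records for the MSP-abuse patterns
described above: RDP logons by MSP accounts from unexpected sources, and
scheduled tasks or services that launch built-in admin tools (PowerShell,
Robocopy, PuTTY) or binaries placed in user-writable directories."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed environment knowledge (placeholders): the MSP's shared admin
# account and the jump host its RDP sessions are expected to come from.
MSP_ACCOUNTS = {"msp-admin"}
MSP_JUMP_HOSTS = {"10.0.0.5"}

# Built-in tools the campaign is reported to live off, and directories a
# non-admin can write to (assumed list, lower-case substrings of the path).
LOLBINS = ("powershell", "robocopy", "putty")
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed sample events, not real telemetry. Field names mirror the
# Windows Security/System log fields they stand in for.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # RDP logon (LogonType 10) by the MSP account from an unknown address
    {"EventID": "4624", "LogonType": "10", "TargetUserName": "msp-admin",
     "IpAddress": "198.51.100.23", "Computer": "FILESRV01"},
    # RDP logon by the same account from the known jump host: expected
    {"EventID": "4624", "LogonType": "10", "TargetUserName": "msp-admin",
     "IpAddress": "10.0.0.5", "Computer": "FILESRV01"},
    # Console logon (LogonType 2), not RDP at all
    {"EventID": "4624", "LogonType": "2", "TargetUserName": "jdoe",
     "IpAddress": "-", "Computer": "WS17"},
    # Scheduled task whose action runs PowerShell with a script in a public dir
    {"EventID": "4698", "SubjectUserName": "msp-admin",
     "TaskName": "\\Microsoft\\Windows\\Update\\Sync",
     "TaskContent": "<Exec><Command>powershell.exe</Command>"
                    "<Arguments>-w hidden -f C:\\Users\\Public\\s.ps1</Arguments></Exec>",
     "Computer": "FILESRV01"},
    # New service whose image is a copy of robocopy in a user-writable path
    {"EventID": "7045", "ServiceName": "WinSync",
     "ImagePath": "C:\\Users\\Public\\robocopy.exe", "Computer": "FILESRV01"},
    # Benign service install from Program Files
    {"EventID": "7045", "ServiceName": "VendorAgent",
     "ImagePath": "C:\\Program Files\\Vendor\\agent.exe", "Computer": "WS17"},
]


@dataclass
class Finding:
    rule: str
    computer: str
    detail: str


def _suspicious_launch(text: str) -> bool:
    """True if a task action or service image references a built-in admin
    tool or a binary/script located in a user-writable directory."""
    t = text.lower()
    return any(b in t for b in LOLBINS) or any(d in t for d in USER_WRITABLE_DIRS)


def triage(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply the three rules to a list of event records, in input order."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == "4624" and ev.get("LogonType") == "10":
            # Rule 1: MSP account arriving over RDP from somewhere other than
            # the MSP's own jump host (stolen-credential lateral movement).
            user, src = ev.get("TargetUserName", ""), ev.get("IpAddress", "")
            if user in MSP_ACCOUNTS and src not in MSP_JUMP_HOSTS:
                findings.append(Finding("rdp-msp-account-unexpected-source",
                                        host, f"{user} via RDP from {src}"))
        elif eid == "4698" and _suspicious_launch(ev.get("TaskContent", "")):
            # Rule 2: scheduled-task persistence launching a LOLBin or a
            # payload from a user-writable directory.
            findings.append(Finding("scheduled-task-lolbin", host,
                                    f"task {ev.get('TaskName')} by {ev.get('SubjectUserName')}"))
        elif eid == "7045" and _suspicious_launch(ev.get("ImagePath", "")):
            # Rule 3: service persistence with the same characteristics.
            findings.append(Finding("service-install-lolbin", host,
                                    f"service {ev.get('ServiceName')} -> {ev.get('ImagePath')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.computer}: {f.detail}")
```

Run against the constructed events, the two expected logons and the Program Files service pass silently, while the unexpected-source RDP logon, the PowerShell scheduled task and the user-directory service each produce a finding. The value of the rules is the allow-lists: because the campaign uses the MSP's own credentials and tools, the distinguishing signal is where those credentials and tools are used from, not what they are.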
2. Ryuk Ransomware
This is a unique type of ransomware. This one reeeally gets in there, requiring careful, meticulous planning and the laying of some really specific groundwork.
Ryuk attacks are different from other similar types of ransomware in a few key ways. First come trojans that establish footholds across victim networks, allowing attackers to scope things out and identify and encrypt their target’s most valuable assets. Then it’s a waiting game. Attackers will lie in wait, biding their time, analyzing the network, messing with security and backups, and then, boom — the bomb will drop. On a weekend or holiday or whenever there’s the potential for the most damage due to sluggish response, the ransomware will be released.
A case like this happened to Data Resolution, a California-based MSP and cloud hosting provider. This past Christmas Eve, instead of visions of sugar plums dancing in their heads, the company found itself in the grips of a Ryuk ransomware infection. The ransomware locked the company out of its systems, forcing them to shut down the network and scramble to hire security consultants, which would have been a bear on Christmas Day.
To add insult to injury, Data Resolution had to come clean to their 30,000 customers, explaining why many may have …