Malicious Hackers Exploiting MSPs, DHS Warns

Written by Allison Francis
December 27, 2018

Cybercriminals are targeting MSPs as a way to get inside their customers’ networks.

Back in October, the U.S. Department of Homeland Security (DHS) issued a warning aimed at managed services providers (MSPs), managed security service providers (MSSPs) and cloud services providers (CSPs) that cyber gangsters are exploiting them to hack into their customers’ networks. And that they are doing so undetected.

The alert, called the Advanced Persistent Threat Activity Exploiting Managed Service Providers, cautions all providers, and highlights the exact nature of the attacks.

So what exactly is happening?

Clever and cunning as ever, malicious hackers are aiming at the “weak links” – i.e. MSSPs, MSP and CSPs – to get to their customers. DHS’ National Cybersecurity and Communications Integration Center (NCCIC) has been tracking this for more than two years, focusing on bad actors who are using advanced persistent threat (APT) tools designed specifically to break into the networks of both MSPs and CSPs and thereby the infrastructure of their customers.

The worst part about this is that the threat actors are exploiting the trusted relationship between provider and customer. They know that providers share sensitive information back and forth with their clients, and they are using these opportunities to slip into the customer’s network unnoticed.

“Threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems,” stated the NCCIC in the alert. “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”

Victims of these attacks have been identified in the areas of IT (service providers included), energy, health care, communications and critical manufacturing. The DHS is strongly advising service providers to lock down their systems and data and develop a “defense-in-depth strategy” to protect their assets and prevent against further risk and attacks.

In addition, included in the report is a set of best practices for MSPs for this specific scenario.

“[The] alert from the Department of Homeland Security confirms that small businesses, and their managed service providers, are the new attack vector for cybercriminals, and the risks are severe,” says Brian Downey, senior director of product management at Continuum. “The report, which analyzed a phishing attack on MSPs, has three key details that service providers should be aware of:

The attack capitalized on stolen credentials, making multi-factor authentication critical to securing end-clients.
Signature-based malware detection is not enough to protect against the initial infection.
Once the attackers were inside the service provider, they used common admin tools to move laterally to end-customer networks. This highlights the ineffectiveness of Remote Desktop Protocol (RDP) and heightens the need for more tightly-controlled remote management tools.”

Downey goes on to say that the report reinforces the need for advanced endpoint protection on all systems, isolating any unprotected systems into a separate network.

“MSPs should also ensure that they are leveraging DNS protection as a secondary line of defense, that they are using more secure tools than RDP, and that all remote access requires multifactor authentication,” urges Downey.

Tim Brown, VP of security of SolarWinds MSP, says that the ongoing advanced-persistence-threat (APT) actor activity attempting to infiltrate global MSP networks is a healthy, strong reminder that MSPs need to be vigilant about cyberhygiene.

“Bad guys will look for the easiest way in, so be sure to take care of the basics,” says Brown. “Don’t forget multifactor authentication; turn on AV; patch; monitor logs and look for suspicious activity. The U.S. Cert office lays out a number of these best practices, all of which we consistently cite and agree with.”

Obviously this is a developing story, but it’s a good kick in the pants in terms of buckling down on basic “cyberhygiene,” as Tim Brown calls it. Don’t be the “weak link” cybercriminals are looking to target.

Find the Department of Homeland Security warning to MSPs and CSPs here, with more in-depth info specifically for MSPs here.