How to Fight Cyberattackers Who Target MSPs

This takes a look at three primary active threats, and what MSPs can do to fight back.

Allison Francis

March 28, 2019


2019 already has been a bit of a rough year security-wise, to no one’s surprise. There are of course the usual suspects, but there is one growing trend in particular that hits a bit too close to home. Turns out, managed service providers (MSPs) make pretty attractive targets for cybercriminals.

According to MSP-focused computer software company NinjaRMM, there are three primary active threats wreaking havoc on MSPs and their customers. Here’s a look at them, and what providers can do to better protect themselves.

1. China-Based Hacking Group APT10

Back in October, the United States Computer Emergency Readiness Team (US-CERT) sounded an official alarm on a wide-ranging and sustained effort by advanced persistent threat (APT) actors to infiltrate MSPs and their customers. Experts say that the campaign, or Operation Cloud Hopper as it’s known, has been active since 2016. The damage? Hackers are said to have gained unprecedented access to MSP customer networks.

To give an idea how deep the rabbit hole went, among those affected were tech giants Hewlett Packard Enterprise (HPE) and IBM. Alastair MacGibbon, head of Australia’s Cyber Security Centre, shed light on the full estimated extent of the damage, saying that likely tens of thousands of companies may have been put at risk via their MSPs. He described the operation as “the biggest and most audacious campaign I’ve ever seen … massive in its scope and its scale.”

Here are some key facts of the attack:

  • Attackers gain initial access to MSPs via good old-fashioned spear phishing emails

  • They then spread to MSP customer networks by means of legitimate, stolen MSP credentials and remote access tools like RDP.

  • They fly under the radar, avoiding detection by using legitimate, built-in administration tools like PowerShell, Robocopy and PuTTY to mine data and conduct other mischief and unscrupulous shenanigans.

  • Attackers gain persistence on compromised machines by using scheduled tasks or Windows services.

  • The primary goal of the campaign reveals itself to be espionage and intellectual property theft.
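The persistence technique listed above (scheduled tasks and services that launch built-in tools such as PowerShell) leaves creation events behind that an MSP can triage. The following script is an added defender-side illustration, not code from the article or from NinjaRMM: it scans constructed sample records modelled on Windows event IDs 4698 (scheduled task created) and 7045 (service installed) and flags hidden or encoded PowerShell launches and binaries outside trusted program directories. The `|`-separated line format and the host, user and task names are assumptions made for the example, not real log output.

```python
"""Flag scheduled-task and service creation events that look like living-off-the-land persistence."""
import re

# Constructed sample events (not real logs), one per line, fields separated by '|'.
# 4698 = scheduled task created (Security log); 7045 = new service installed (System log).
SAMPLE_EVENTS = """\
EventID=4698|Host=MSP-ADMIN01|User=svc_rmm|Name=\\Microsoft\\Windows\\Update|Command=powershell.exe -nop -w hidden -enc QQBCAEMA
EventID=4698|Host=MSP-ADMIN01|User=jsmith|Name=\\Backup\\Nightly|Command=C:\\Program Files\\Backup\\backup.exe /full
EventID=7045|Host=CLIENT-FS01|User=svc_rmm|Name=WinHelper|Command=C:\\Users\\Public\\sync.bat
EventID=7045|Host=CLIENT-FS01|User=SYSTEM|Name=Spooler|Command=C:\\Windows\\System32\\spoolsv.exe
"""

PERSISTENCE_EVENTS = {"4698": "scheduled task created", "7045": "service installed"}
# Signs worth a second look: hidden/encoded PowerShell, or a command not rooted in a trusted directory.
SUSPICIOUS_PS = re.compile(r"powershell(\.exe)?\b.*?(-enc\w*|-w(indowstyle)?\s+hidden|-nop)", re.I)
TRUSTED_DIRS = re.compile(r"^\"?[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)

def parse_event(line):
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def reasons_for(event):
    """Return the reasons an event is suspicious (empty list if it looks benign or is irrelevant)."""
    reasons = []
    if event.get("EventID") not in PERSISTENCE_EVENTS:
        return reasons
    cmd = event.get("Command", "")
    if SUSPICIOUS_PS.search(cmd):
        reasons.append("hidden or encoded PowerShell")
    if not TRUSTED_DIRS.match(cmd):
        reasons.append("command not rooted in Windows or Program Files")
    return reasons

def find_persistence(events_text):
    """Scan event lines; return (host, kind, name, user, reasons) for each suspicious one."""
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        reasons = reasons_for(ev)
        if reasons:
            findings.append((ev["Host"], PERSISTENCE_EVENTS[ev["EventID"]], ev["Name"], ev["User"], reasons))
    return findings

if __name__ == "__main__":
    for host, kind, name, user, why in find_persistence(SAMPLE_EVENTS):
        print(f"{host}: {kind} '{name}' by {user}: {', '.join(why)}")
```

In production the same rules would run over events forwarded from every managed endpoint, with the trusted-directory allowlist tuned to the MSP's own tooling.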

2. Ryuk Ransomware

This is a unique type of ransomware. This one reeeally gets in there, requiring careful, meticulous planning and the laying of some really specific groundwork.

Ryuk attacks are different from other similar types of ransomware in a few key ways. First come trojans that establish footholds across victim networks, allowing attackers to scope things out and identify and encrypt their target’s most valuable assets. Then it’s a waiting game. Attackers will lie in wait, biding their time, analyzing the network, messing with security and backups, and then, boom — the bomb will drop. On a weekend or holiday or whenever there’s the potential for the most damage due to sluggish response, the ransomware will be released.

A case like this happened to Data Resolution, a California-based MSP and cloud hosting provider. This past Christmas Eve, instead of visions of sugar plums dancing in their heads, the company found itself in the grips of a Ryuk ransomware infection. The ransomware locked the company out of its systems, forcing them to shut down the network and scramble to hire security consultants, which would have been a bear on Christmas Day.

To add insult to injury, Data Resolution had to come clean to their 30,000 customers, explaining why many may have lost access to their email and databases. Even further, as you can imagine, the ransom was not cheap. Bye bye, Christmas bonus …

3. GandCrab Ransomware

And the award goes to … GandCrab as the most prolific ransomware variant in terms of sheer volume of infections! This thing is an MSP nightmare. And unfortunately, that nightmare came to life recently.

In early February, a midsize MSP’s 80 clients became infected with ransomware. An estimated 1,500-2,000 client systems were encrypted, with a ransom demand of $2.6 million. $2.6 million! Yikes.

Again, adding insult to injury (hackers are so good at that, aren’t they … ), attackers had utilized the MSP’s own RMM tool to deploy the ransomware, making them the ones at fault.

The culprit? An outdated ConnectWise ManagedITSync integration plug-in for Kaseya VSA. Apparently the issue had been raised, but updates resolving the issue had not been applied correctly, if at all.

As a result, attackers were able to sneak in and gain administrative access to the MSP’s Kaseya RMM tool and use it to deploy GandCrab to every … single … endpoint under the MSP’s management.

The targeted nature of the attack and the high ransom amount is new territory for GandCrab actors. Until this instance, they had mostly deployed the ransomware using exploit kits and haphazard/random spam campaigns. It’s yet another arrow pointing to the fact that there has been a significant shift and a growing trend of coordinated, targeted attacks.

OK, So Now What?

Attackers are going after the MSP-client relationship. If the recent wave of GandCrab attacks is any evidence, the very tools that MSPs use to serve their customers can be used against them. Not so great for the MSP-client relationship.

Brian Downey, senior director of product management, security, at Continuum, weighs in on the implications for MSPs.


“The channel is now the target for cybercriminals,” says Downey. “Gaining access into an MSP’s service network can provide access to the individual customers they serve.

“The implications for MSPs are significant. End-clients will be asking their providers if their businesses are safe, if they’re at risk, and what steps the MSP is taking to prevent a similar attack,” he added. “If an MSP can’t confidently answer these questions in detail, they risk losing their clients to a provider who can. The liabilities to the MSP are becoming existential.”

Pretty dismal-sounding, but there are things MSPs can do to make it much harder for attackers to parachute in and wreak havoc on your network and precious data. Here are five key things to remember:

  • Restrict access across your network (duh).

  • For the love of God, secure your RMM and other remote access tools.

  • Protect your users and lock down their endpoints.

  • Actively monitor your own network for signs of compromise.

  • Have an incident response plan ready (again, duh).

About the Author(s)

Allison Francis

Allison Francis is a writer, public relations and marketing communications professional with experience working with clients in industries such as business technology, telecommunications, health care, education, the trade show and meetings industry, travel/tourism, hospitality, consumer packaged goods and food/beverage. She specializes in working with B2B technology companies involved in hyperconverged infrastructure, managed IT services, business process outsourcing, cloud management and customer experience technologies. Allison holds a bachelor’s degree in public relations and marketing from Drake University. An Iowa native, she resides in Denver, Colorado.
