MSPs are once again under increasing risk of cyberattacks and this heightened risk shouldn’t end anytime soon. That’s according to a new multinational security alert.

The cybersecurity authorities of the United States, United Kingdom, Canada and New Zealand issued the security alert. The US. authorities include the FBI, National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA).

Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The authorities expect malicious cyber actors, including state-sponsored advanced persistent threat (APT) groups, to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships.

Destructive Follow-On Activity

Threat actors successfully compromising an MSP could enable follow-on activity, such as ransomware and cyber espionage, against the MSP as well as across the MSP’s customer base, according to the security alert.

“MSPs provide services that usually require both trusted network connectivity, and privileged access to and from customer systems,” the authorities said. “Many organizations, ranging from large critical infrastructure organizations to SMBs, use MSPs to manage information communications technology (ICT) systems, store data, or support sensitive processes. Many organizations make use of MSPs to scale and support network environments and processes without expanding their internal staff or having to develop the capabilities internally.”

The security alert recommends MSPs prevent initial compromise by improving security of vulnerable devices, protecting internet-facing users, defending against brute force and password spraying, and defending against phishing.

It also recommends enabling/improving monitoring and logging practices, enforcing multifactor authentication (MFA), managing internal architecture risks and segregating internal networks, and more.

The authorities have previously issued general guidance for MSPs and their customers. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community.

‘Serious, Serious’ Issue

Roger Grimes is KnowBe4‘s data-driven defense evangelist. He said this is a “serious, serious issue” and has been going on for nearly a decade now.

KnowBe4’s Roger Grimes

“MSPs need to become as strongly secured as the top security at trusted government top-secret sites,” he said. “Every device must be locked down with strict application controls, phishing-resistant MFA, great security awareness training for employees, and the strongest security they themselves can implement. Most people would be surprised, but most MSPs aren’t configured in the strongest security configuration possible. That’s because for a long time it wasn’t needed. But now as they are increasingly under direct attack by nation-states and ransomware gangs, they have to treat themselves like top-secret government agencies with no quarter for half-measures.”

Chris Clements is vice president of solutions architecture at Cerberus Sentinel, an MSSP.

“MSPs often necessarily have complete control over their customer’s environments in order to do their job,” he said. “Unfortunately, many do not have robust internal security programs themselves and can be soft targets for cybercriminals who in turn can leverage the MSP’s elevated access to compromise dozens or hundreds of downstream organizations. This makes MSP’s compelling targets for cybercriminals. After all, why work to compromise dozens of organizations one at a time when you can instead focus efforts on a single MSP that can give the same results in a single attack?”

Immediate Action Needed

MSPs need to understand the outsized level of cybersecurity risk and take immediate action to ensure they have addressed today’s most popular attack vectors, Clements said.

“To keep themselves and their customers safe in the long run, however, they must adopt a culture of security that ingrains awareness, controls and monitoring into every business operation,” he said. “Cybercriminals are continuously adapting their techniques to bypass controls and evade detection. Defending against these evolving threats takes a holistic organization-wide approach.”

At the same time, MSPs’ customers need to ask hard questions about their security posture as well as their provider’s own internal cybersecurity maturity level, Clements said.