Managed services providers and managed security services providers (MSSPs) are attracting attention from attackers, who see them as a gateway to their clients' networks. Follow this advice to minimize the risk.

A growing number of managed services providers (MSPs) from around the world are being targeted and compromised by hackers. Such breaches can have a serious impact on their customers’ business, as compromised MSPs can serve as launchpads into their clients’ corporate networks. MSP compromises highlight why it’s important for organizations to consider the risk they pose and be ready to block threats coming through trusted business partners.

Two weeks ago, a ransomware attack hit IT services firm Everis, a subsidiary of NTT and one of the largest MSPs in Spain. Based on internal communications leaked on Twitter, the company directed employees to shut down their computers and decided to cut the network links between its offices and its clients.

The attack directly impacted Everis’s customers who relied on the company to manage various aspects of their IT infrastructure, and some of them started internal investigations into whether they were infected with ransomware themselves.

The ransomware that hit Everis encrypted files and marked them with the .3v3r1s extension, and the ransom note warned the company against making the incident public. This suggests the MSP was not just a random victim in an indiscriminate attack, but that the hackers chose it on purpose and customized the ransomware for the attack.
Not the first MSP attack

Attacks against MSPs and managed security service providers (MSSPs) have been ramping up this year, with a first wave of attacks in February by GandCrab ransomware pushers who exploited a known vulnerability in a plug-in that integrated ConnectWise with Kaseya, two platforms used by MSPs to manage systems.

In June, another string of attacks hit MSPs and deployed Sodinokibi ransomware through the Webroot Management Console, another tool popular with managed services providers. The incident prompted Webroot, a cybersecurity company, to send a letter to customers and force the use of two-factor authentication.

Last month, security firm Armor published a report listing 13 MSPs and cloud-based service providers that were hit by ransomware this year. In many cases, the incidents resulted in ransomware infections on their customers’ networks, affecting educational institutions, law firms, healthcare organizations, real-estate brokers and more.

More than ransomware

While most of the MSP compromises so far have been leveraged to deploy ransomware, this is not the only type of threat that MSP customers are exposed to. State-sponsored cyberespionage groups could also use this technique to reach their targets, and so could sophisticated cybercriminal groups like Carbanak or FIN7, whose modus operandi involves compromising networks, moving laterally to critical systems, learning internal workflows over an extended period of time and then stealing money or credit card data from organizations.

The 2013 network breach at Target, which resulted in over 40 million payment card details being compromised, started with hackers using credentials stolen from a heating, ventilation and air conditioning (HVAC) supplier who had access to the company’s system through a portal.
While that was not the first breach that resulted from a supply-chain compromise, it was the one that put this threat vector on the map. In the years that followed there were many incidents where hackers compromised organizations after breaching their partners or software suppliers. The NotPetya ransomware outbreak in 2017 started in Ukraine through a poisoned update for a popular tax accounting program called MeDoc.

Even when MSP attacks don’t result in compromised systems or networks downstream, they can still cause downtime and impact customer business if the MSP is forced to temporarily shut down its normal operations.

How to limit damage from compromised MSPs

According to Verizon’s 2019 Data Breach Investigations Report, over a third of breaches last year were caused by insiders. Attacks through trusted partners who have legitimate access into your infrastructure qualify as insider threats.

“Mitigating this threat is, of course, difficult as most supply chain threats are,” says Ioan Constantin, cybersecurity expert at telecommunications provider Orange Romania, which also offers managed security operations center solutions for businesses. “Enterprises trust MSSPs and MSPs with their data and, at the same time, avoid operational overhead by sourcing most of the traditional mitigation techniques through this supply chain — think things like pentesting, monitoring and training.”

“Learning from the [tactics, techniques and procedures] of some of the attacks against MSPs and MSSPs, there are some takeaways for enterprises to better protect against upstream compromises in their security supply chain,” Constantin says.
Those takeaways include:

- Secure remote access
- Enforce least privilege policies for access to resources
- Review and update service-level agreements (SLAs) with service providers
- Audit and improve policies regarding external access to your resources from consultants, vendors or service providers
- Regularly scan for and address vulnerabilities
- Communicate with and train your employees and other users

Constantin says the last item is probably the most important aspect of cyber threat mitigation. “Awareness is key, as always, to better security irrespective of the supply chain.”

According to well-known hacker, author and penetration tester Jayson Street, the first thing organizations should do to prevent attackers from abusing legitimate connections into their network is to isolate them. “I firmly believe that segmentation is the number one thing all companies should be doing when it comes to having anyone connecting into their internal network via the internet,” Street, who currently serves as vice president of InfoSec at SphereNY, tells CSO. “Each vendor, MSP, MSSP, etc. should be isolated once they’re in the company network and any communication to internal sources should be strictly controlled and monitored.”

Many of the typical recommendations for mitigating insider threats from employees or preventing lateral movement from threat actors apply to partners and MSPs as well. This includes making sure they are using unique credentials that are sufficiently strong and rotated frequently, enabling two-factor authentication, restricting access to the assets they need to manage or the information they need to do their job, monitoring their connections and movement inside the network, and having systems in place that are capable of flagging unusual behavior and policy violations.
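One way to put the last two recommendations (scope each partner's access and flag policy violations) into practice, as an added example that is not from the article or from any vendor's product: a small Python check that runs a per-partner access policy over constructed connection-log lines and reports partner accounts that reach hosts outside their allowed scope, connect without two-factor authentication, or do not match any known partner account. The policy, the key=value log format and all account names and addresses are assumptions made up for this example.

```python
import ipaddress

# Hypothetical per-partner access policy: the subnets each MSP/MSSP account may
# reach and whether MFA is mandatory for it. All values are constructed.
POLICY = {
    "msp-backup": {"allowed": ["10.20.0.0/24"], "mfa_required": True},
    "mssp-soc":   {"allowed": ["10.30.5.0/24", "10.30.6.10/32"], "mfa_required": True},
}

# Constructed connection log in a simple key=value format (not a real product's format).
SAMPLE_LOG = """\
ts=2019-11-20T01:12:03Z user=msp-backup src=203.0.113.7 dst=10.20.0.15 port=445 mfa=yes
ts=2019-11-20T01:14:41Z user=msp-backup src=203.0.113.7 dst=10.50.1.4 port=3389 mfa=yes
ts=2019-11-20T02:02:10Z user=mssp-soc src=198.51.100.9 dst=10.30.5.20 port=22 mfa=no
ts=2019-11-20T02:05:55Z user=contractor7 src=198.51.100.9 dst=10.30.5.20 port=22 mfa=yes
ts=2019-11-20T02:07:19Z user=mssp-soc src=198.51.100.9 dst=10.30.6.10 port=443 mfa=yes
"""

def parse_line(line):
    """Turn one 'k=v k=v ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def check_event(event, policy=POLICY):
    """Return the list of policy-violation tags for one event (empty if clean)."""
    rules = policy.get(event["user"])
    if rules is None:
        return ["unknown-partner-account"]   # no policy means it should not be connecting
    tags = []
    dst = ipaddress.ip_address(event["dst"])
    if not any(dst in ipaddress.ip_network(net) for net in rules["allowed"]):
        tags.append("outside-allowed-scope")  # segmentation breach / lateral movement
    if rules["mfa_required"] and event["mfa"] != "yes":
        tags.append("mfa-missing")            # second factor not presented
    return tags

def find_violations(log_text, policy=POLICY):
    """Scan a whole log and return (user, dst, tags) for every offending event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        tags = check_event(event, policy)
        if tags:
            findings.append((event["user"], event["dst"], tags))
    return findings

if __name__ == "__main__":
    for user, dst, tags in find_violations(SAMPLE_LOG):
        print(f"{user} -> {dst}: {', '.join(tags)}")
```

In a real deployment the policy would be generated from the access each partner was actually granted, and the findings fed to the SIEM rather than printed.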