The warning likely comes in response to an increase in attacks on managed service providers, through which threat actors can access their clients.

In an unexpected development, the cybersecurity authorities of the “Five Eyes” countries issued an alert warning of an increase in malicious cyber activity targeting managed service providers (MSPs), with these agencies saying they expect this trend to continue. The alert is the result of a collaborative effort among the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA, NSA, FBI).

The agencies said they are “aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue” and point to a report by a significant MSP IT solutions provider, N-Able. That report notes that “almost all MSPs have suffered a successful cyberattack in the past 18 months, and 90% have seen an increase in attacks since the pandemic started.”

“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” CISA Director Jen Easterly said in the alert. “Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

The joint advisory recommends standard cybersecurity practices

The agencies’ joint advisory outlines a detailed list of actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion.
The advisory defines MSPs as entities that “deliver, operate, or manage ICT [information and communications technology] services and functions for their customers via a contractual arrangement, such as a service level agreement.” It notes that MSP services typically require trusted network connectivity and privileged access to and from customer systems. Organizations are encouraged to read the advisory in conjunction with NCSC-UK guidance on actions to take when the cyber threat is heightened, CCCS guidance on Cyber Security Considerations for Consumers of Managed Services, and CISA guidance provided on the Shields Up and Shields Up Technical Guidance webpages.

The advisory lays out a wealth of standard cybersecurity practices that large organizations with robust cybersecurity operations have long embraced. These recommendations offer numerous security practices that fall under the following categories outlined by CISA, including:

- Preventing initial compromise
- Enabling and improving monitoring and logging processes
- Enforcing multi-factor authentication
- Managing internal architecture risks and segregating internal networks
- Applying the principle of least privilege
- Deprecating obsolete accounts and infrastructure
- Applying updates
- Backing up systems and data
- Developing and exercising incident response and recovery plans
- Understanding and proactively managing supply chain risk
- Promoting transparency
- Managing account authorization and authentication

No single identifiable cause for the alert

It’s not clear why the intel agencies were now motivated to issue such a detailed list of recommendations for MSPs. Kyle Hanslovan, CEO and co-founder of Huntress, tells CSO that his firm is unaware of any single event that might have prompted the joint advisory. “We are not aware of any one specific incident. But, unfortunately, we’re aware of dozens of smaller incidents where everyone is taking notice of MSPs.”

Last week MSP-focused cybersecurity firm ThreatLocker issued a security alert warning its clients of a “sharp” increase in ransomware attacks using remote management tools. ThreatLocker created a script to block the attackers using a new security patch.

But Huntress, Sophos and Kaseya all say they haven’t seen the widespread coordinated MSP ransomware attacks described by ThreatLocker in its alert. “We were one of the companies that came out and said, ‘We have data on 3,000-plus managed service providers. We are not seeing an uptick that warrants doom and gloom,’” Hanslovan says.

Hackers can reach hundreds of companies at a time

Hanslovan believes it’s not a single risk that motivated the intel agencies to issue the alert. “It isn’t one single risk. It is just a whole change in the environment that hackers have taken notice of and are actually making full playbooks to say, ‘You know what? Why play whack-a-mole with one company at a time when I could go fishing with dynamite and go after hundreds of companies at a time.’”

He also thinks the intel agencies could be withholding information that would shed light on why the MSPs might need more significant guidance. “I have no doubt they probably have analysis,” he says.

It’s also possible that the cybersecurity authorities are generally trying to get ahead of the curve when it comes to problems that might blow up down the road. “I think this is them doing a very good job of early warning and transparently identifying these are risks,” says Hanslovan.

MSPs should talk to their clients about their vendors

Mary J. Hildebrand, partner, founder and chair of the Privacy and Cybersecurity practice at Lowenstein Sandler, says that one thing missing from the joint alert is a directive for MSPs to understand their clients’ security posture better.
“When I represent an MSP, one of the things I suggest is that depending on the role they’re going to undertake when they’re engaged, they should have a conversation and maybe some follow up with the company on what kind of diligence it has done on its vendors,” Hildebrand tells CSO. “The reason I suggest a deeper dive into that for MSPs is that vendor error, vendor problems, and vendor breach is a huge issue for companies. Many security incidents and data breaches derive from either employee error or, in this case, an MSP employee error, or problems with the vendor.”

Hildebrand doesn’t know why the joint alert has been issued now but suggests it’s possible that intel agencies have identified the predominately small-sized MSPs as highly vulnerable links in the technology chain. “The perpetrators here are very skilled at picking out the weak link,” she says.

Hanslovan echoes this sentiment. “Remember, a managed service provider isn’t like Hewlett-Packard,” he says. “A managed service provider is a small business. Sometimes they only have a dozen technicians. The CEO might be the only salesperson. That’s how small and immature some managed service providers are.”