Managed Service Providers (MSPs), organizations that allow companies to outsource a variety of IT and security functions, are a growing market. Because a single MSP is a potential gateway into many company networks at once, MSPs make a very attractive target for cybercriminals.
In a recent threat advisory, Huntress noted that an increasing number of Initial Access Brokers (IABs) are focusing on MSPs. In a recent example, a US-based MSP called NetStandard suffered a cyberattack that caused the company to shut down its MyAppsAnywhere cloud services.
NetStandard
On July 27, 2022, NetStandard reported a cyberattack on some of its hosted services to its customers. However, details are sparse, and the MSP is staying silent on the issue. The firm's website was down at first, but was moved to the cloud relatively quickly. I could find no mention of the attack there.
The information it shared with its customers said:
“As of approximately 11:30 AM CDT July 26, NetStandard identified signs of a cybersecurity attack within the MyAppsAnywhere environment. Our team of engineers has been engaged on an active incident bridge ever since working to isolate the threat and minimize impact.”
MyAppsAnywhere is an integrated suite of cloud-based hosted services including Dynamics GP, CRM, Exchange, and SharePoint.
Other targets
Huntress also reports that it noticed a cybercriminal using the handle "Beeper" looking for help to process an MSP. It concluded that the cybercriminal had probably gained initial access to an MSP and found that it was more than they could handle on their own. Their forum post, in translation, says:
“I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1000+ servers.
All companies are American and approximately in the same time zone. I want to work qualitatively, but I do not have enough people.”
Around the same time, another threat actor going by "vesiyr" posted that they had RDP access to UK companies with an expected revenue of $5 million plus, and that they were willing to sell that access. Holding RDP access to multiple companies at once could mean that vesiyr had also gained initial access to an MSP.
Why MSPs are targets
While these incidents are very likely unrelated, they show the interest that IABs have in breaching MSPs. That is hardly surprising, since an MSP breach gives them an opportunity for supply chain attacks, or for orchestrated attacks on a multitude of victims at once.
MSPs are an attractive target because a successful breach can give the attacker enormous leverage, as well as access to some or all of the computer systems of the MSP's customers. Those customers often rely on the same MSP for security as well, so there is one less hurdle to clear when the threat actor turns to the MSP's clients.
Attacks on MSPs are nothing new. In 2018 the Cybersecurity & Infrastructure Security Agency (CISA) released an alert saying it was aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).
The holy grail of MSP attacks is an unpatched vulnerability in the software MSPs use to perform security or administration tasks on customers' computers. The 2021 attack on Kaseya VSA, which leveraged a vulnerability in exactly such a tool to launch ransomware on hundreds of MSP customers' networks simultaneously, is widely regarded as one of the worst ransomware attacks of all time.
In another ransomware attack, in 2019, threat actors gained access to an MSP's ConnectWise Control remote management tool and used it to take down operations in 22 small Texas cities in a coordinated attack.
Mitigation
MSPs should be aware of both the trust invested in them by their clients and the heightened attention they are likely to receive from IABs.
MSP clients, especially those that do not conduct the majority of their own network defense, should work with their MSP to determine what they can expect in terms of security, and should understand the supply chain risk that their MSP represents.