In parallel to the massive digital transformation that changed the way we work, consume and interact through the digital medium, threat actors also revamped their capabilities. In recent years, supply chain attacks have gone from rare to increasingly common, and the payoff for threat actors of all stripes that successfully compromise a Managed Service Provider (MSP) far outweighs either the investment or risk.
In this post, we will describe how MSPs have become the most lucrative targets for cybercrime and nation-state attacks. We’ll cover the recent history of attacks and what MSPs should do to keep themselves – and their clients – safe.
Kaseya VSA – In July 2021, attackers targeted Kaseya VSA servers used by MSPs to deliver REvil ransomware to thousands of corporate endpoints in what appears to be the largest mass-scale ransomware incident to date. The attackers exploited a zero-day vulnerability in a VSA component and leveraged that in an exploit chain that bypassed Windows Defender and other native OS security measures. The attackers claimed to have infected “more than a million systems”.
SolarWinds Orion – In December 2020, news broke of a supply chain attack affecting some 18,000 or more public and private organizations. The victims were compromised through a trojanized SolarWinds Orion software update which delivered the SUNBURST backdoor. While SUNBURST is widely believed to have been the work of Russian Intelligence threat actors, a separate attack attributed to a different threat actor and dubbed SUPERNOVA was also discovered within a week of SUNBURST. The SUPERNOVA malware takes the form of a webshell implant that can distribute and execute additional malicious code on victims’ devices.
Wipro, Infosys, Cognizant – In April 2019, a mass phishing campaign was identified that had successfully infiltrated Wipro, a major trusted vendor of IT outsourcing for U.S. companies. It is believed the actor had also targeted Cognizant and Infosys. Once breached, the MSPs’ trusted networks were used to launch cyber attacks against the MSPs’ clients.
CloudHopper (APT10) – In 2017, an investigation into China-backed threat actor APT10 revealed a mass espionage campaign targeting MSPs and their clients dubbed ‘Operation Cloud Hopper’. Researchers found that the threat actor, previously associated with attacks on government and defence organizations, had turned to targeting enterprise service providers and cloud hosting companies as part of a sustained and wide-scale series of supply chain attacks. In early 2018, Norwegian MSP Visma was believed to have been targeted by the same threat actor, indicating China’s strategic targeting of MSPs around the globe.
With the increasing demand to support business needs, more organizations outsource IT and security to MSPs. According to MarketsAndMarkets research, the global managed IT services market will reach $354.8 billion by 2026, up from $242.9 billion in 2021.
Many small to midsize businesses (SMBs) rely on MSPs to assist them with cost-effective IT infrastructure management, monitoring, and general support. In addition, companies regularly trust MSPs to protect their data, but we have to remember that MSPs are often small businesses themselves. And as attack vectors increase by the minute, there seems to be no end in sight to the growing pressures on MSPs.
Like any other organization, MSPs need to cease considering security as a liability and understand cybersecurity is now part of the cost of doing business. This should translate into employee awareness, budget and mindset. Here are a few steps to start with.
Looking at historical attack data, you can see that attackers are looking for the easy way in. Sometimes it’s a phishing email; in other cases, it’s just an unprotected endpoint facing the internet. Once a foothold is achieved, the rest of the attack becomes much more straightforward. Additionally, we’ve seen attacks exploiting vulnerabilities and abusing Active Directory to reach further into the network.
To stay on top of these, MSPs should ensure no endpoint is unprotected. Remember that any internet-connected computer, no matter how insignificant in your workflows, provides an entry point to the rest of your network, and therefore should be protected by an endpoint security solution. In addition, be sure to implement tools against phishing, and educate your users on how to identify, avoid and report phishing attempts.
We all know that MSPs are working on relatively small margins and need to be efficient. Unfortunately, most MSPs cannot afford to hire a big enough security team to manage and respond to threats as they come. That means you need technology that is autonomous – using the power of the computer itself to make security decisions – and which can be automated and integrated within the rest of your technology stack.
Tools that are simple to use, that don’t require certified professionals to operate, and that can be programmed with automated tasks through simple point-and-click interfaces are the means to better security at lower cost. Can your security solution be automated to identify and deploy itself to unprotected endpoints? Can an endpoint be configured to harden its own security policy if a breach is detected? These and other tasks are simple configurations that can be set up once by a human operator and left to take care of themselves going forward.
On our corporate networks today, we have our employees’ desktops and laptops, their mobile devices, and a long list of IoT devices, from a coffee machine to network routers and other equipment. Each of these increases the attack surface of your network, because they can have vulnerabilities, weak (or no) passwords, and introduce other entry points for attackers.
How can you keep track of the growing number of devices? It all starts with visibility and understanding what you have. To make it bulletproof, you should also be able to disconnect devices which introduce risk. When you reach the maturity level of knowing what is connected to your network, you’ve gone a long way toward protecting it.
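The two checks asked for above, finding endpoints that have no security agent so one can be deployed, and finding devices on the network that nobody in the inventory knows about so they can be isolated, both come down to reconciling what is observed on the wire against the managed-asset list. The following is an added example, not code from the original post or from any vendor: the constructed sample data stands in for what an MSP would pull from DHCP/ARP records and from its endpoint-agent console, and the record fields, hostnames and MAC addresses are assumptions.

```python
"""Reconcile network-discovered devices against the managed-asset inventory.

Added example; all sample devices below are constructed, not real hosts.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Discovered:
    """A device seen on the network (e.g. from DHCP leases or ARP tables)."""
    mac: str
    ip: str
    hostname: str  # often empty for IoT gear


@dataclass(frozen=True)
class Managed:
    """A device the MSP knows about, with its agent and exposure status."""
    mac: str
    hostname: str
    agent_installed: bool
    internet_facing: bool


@dataclass
class Findings:
    unknown: list = field(default_factory=list)      # seen, but not in inventory
    unprotected: list = field(default_factory=list)  # in inventory, no agent
    quarantine: list = field(default_factory=list)   # risky enough to isolate now


def reconcile(discovered, managed, isolate_unknown=True):
    """Compare observed devices with the inventory and return Findings.

    MACs are compared case-insensitively because different sources
    (switches, DHCP servers, agent consoles) format them differently.
    """
    by_mac = {m.mac.lower(): m for m in managed}
    f = Findings()

    for d in discovered:
        if d.mac.lower() not in by_mac:
            f.unknown.append(d)
            if isolate_unknown:
                f.quarantine.append(d)

    # Agent gaps are checked over the whole inventory, not only devices
    # seen right now: an offline laptop still needs an agent when it returns.
    for m in managed:
        if not m.agent_installed:
            f.unprotected.append(m)
            if m.internet_facing:
                f.quarantine.append(m)
    return f


def summary(f):
    """Human-readable lines for a ticket or daily report."""
    lines = [f"unknown devices: {len(f.unknown)}",
             f"endpoints without agent: {len(f.unprotected)}",
             f"devices to isolate: {len(f.quarantine)}"]
    for d in f.unknown:
        lines.append(f"  UNKNOWN  {d.mac} {d.ip} {d.hostname or '<no name>'}")
    for m in f.unprotected:
        lines.append(f"  NO-AGENT {m.mac} {m.hostname}")
    return lines


# Constructed sample data (assumed values).
DISCOVERED = [
    Discovered("aa:bb:cc:00:00:01", "10.0.0.10", "WS-FINANCE-01"),
    Discovered("AA:BB:CC:00:00:02", "10.0.0.11", "WS-SALES-02"),  # uppercase MAC
    Discovered("aa:bb:cc:00:00:03", "10.0.0.12", "SRV-WEB-01"),
    Discovered("aa:bb:cc:00:00:99", "10.0.0.77", ""),             # coffee machine?
]
MANAGED = [
    Managed("aa:bb:cc:00:00:01", "WS-FINANCE-01", agent_installed=True,  internet_facing=False),
    Managed("aa:bb:cc:00:00:02", "WS-SALES-02",   agent_installed=False, internet_facing=False),
    Managed("aa:bb:cc:00:00:03", "SRV-WEB-01",    agent_installed=False, internet_facing=True),
    Managed("aa:bb:cc:00:00:04", "LT-REMOTE-04",  agent_installed=True,  internet_facing=False),
]


def run_sample():
    return reconcile(DISCOVERED, MANAGED)


if __name__ == "__main__":
    print("\n".join(summary(run_sample())))
```

On the sample data the unknown list holds only the unnamed device, the no-agent list holds WS-SALES-02 and SRV-WEB-01, and the isolate list holds the unknown device plus the internet-facing SRV-WEB-01; WS-SALES-02 is flagged for agent deployment but not isolated because it is internal. The `isolate_unknown` flag is the policy knob: some environments prefer to alert on unknown devices first and isolate only after a human confirms.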
MSPs not only suffer from big and devastating attacks that hit the headlines; they are also targeted by common malware and ransomware attacks like every other organization today.
To effectively defend against ransomware, the first step is to ensure your critical files and data are backed up on a regular basis, including remote backups. The next critical factor is to deploy best-of-breed endpoint protection. That includes both endpoint protection (EPP) and endpoint detection and response (EDR).
The right EDR to detect and prevent ransomware and other malware attacks, which occur at machine speed, is one with automated responses that can react just as fast. Once an attack occurs, you cannot base the heart of your defense on human resources that only react minutes, hours or days after the fact. Ransomware operators pride themselves on delivering products to their customers that encrypt faster than their crimeware rivals. Your EDR needs to be just as fast, reacting in real time to keep you safe from such attacks.
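The backup advice above is only useful if someone checks that the backups are actually recent, have an off-site copy, and have passed an integrity or restore check; a stale or never-verified backup is discovered at the worst possible moment, after the ransomware note appears. The following is an added example, not code from the original post or from any backup product: it evaluates a backup catalogue against a simple policy. The catalogue entries, dataset names, timestamps and policy values are constructed assumptions.

```python
"""Check critical datasets for recent, verified, off-site backups.

Added example; the catalogue records below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone


def _latest(records, dataset, location):
    """Most recent backup record for one dataset at one location, or None."""
    matches = [r for r in records
               if r["dataset"] == dataset and r["location"] == location]
    return max(matches, key=lambda r: r["finished"], default=None)


def _hours(td):
    return f"{td.total_seconds() / 3600:.0f}h"


def _check_copy(rec, label, policy, now):
    """Issues for one copy (local or remote) of one dataset."""
    if rec is None:
        return [f"no {label} backup"]
    issues = []
    age = now - rec["finished"]
    if age > policy["max_age"]:
        issues.append(f"{label} backup is {_hours(age)} old "
                      f"(limit {_hours(policy['max_age'])})")
    if policy["require_verified"] and not rec["verified"]:
        issues.append(f"{label} backup has not passed a restore/integrity check")
    return issues


def check_backups(records, critical_datasets, policy, now):
    """Return {dataset: [issue, ...]}; an empty list means compliant.

    Datasets are driven by the critical list, not by the catalogue, so a
    dataset that was never backed up at all still shows up as a failure.
    """
    report = {}
    for ds in critical_datasets:
        issues = _check_copy(_latest(records, ds, "local"), "local", policy, now)
        if policy["require_remote"]:
            issues += _check_copy(_latest(records, ds, "remote"), "remote", policy, now)
        report[ds] = issues
    return report


def noncompliant(report):
    """Sorted names of datasets with at least one issue."""
    return sorted(ds for ds, issues in report.items() if issues)


# Constructed sample catalogue; NOW is fixed so results are reproducible.
NOW = datetime(2021, 7, 12, 9, 0, tzinfo=timezone.utc)


def _rec(dataset, location, hours_ago, verified=True):
    return {"dataset": dataset, "location": location,
            "finished": NOW - timedelta(hours=hours_ago), "verified": verified}


RECORDS = [
    _rec("fileserver", "local", 2),
    _rec("fileserver", "remote", 20),
    _rec("finance-db", "local", 26),            # stale, and no remote copy
    _rec("mail", "local", 1, verified=False),   # never restore-tested
    _rec("mail", "remote", 3),
    # "payroll" is critical but has no records at all
]
CRITICAL = ["fileserver", "finance-db", "mail", "payroll"]
POLICY = {"max_age": timedelta(hours=24),
          "require_remote": True,
          "require_verified": True}


def run_sample():
    return check_backups(RECORDS, CRITICAL, POLICY, NOW)


if __name__ == "__main__":
    for ds, issues in run_sample().items():
        print(f"{ds}: {'OK' if not issues else '; '.join(issues)}")
```

Running the sample reports fileserver as compliant, finance-db as stale and missing its off-site copy, mail as unverified, and payroll as having no backups at all. Passing `now` in explicitly rather than reading the clock keeps the check testable and lets it be replayed against historical catalogue exports.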
In this post, we covered why MSPs, perhaps more than other organizations today, need to be safe and consider security as part of their business strategy. MSPs are expected to assist and ease the lives of their customers, and if they become an entry point for malicious activities, the consequences can be catastrophic for both the MSP itself and the many clients who rely on them.