Thousands of computers belonging to customers of managed service providers (MSPs) have suffered ransomware attacks over the last year. Often this begins with a phishing email that leads to a malware installation, or the attackers find an exposed server or system controlled by the MSP to exploit.
Small businesses often lack the internal skill set to manage their own I.T. or cybersecurity services, so they outsource this role to MSPs. However, far too often, poorly secured MSPs become the weak link in the supply chain, leaving their customers exposed.
Analysis of these attacks suggests that attackers abuse the remote monitoring and management (RMM) tools or cybersecurity products used by the MSPs.
Management portals from Webroot, as well as RMMs from both Kaseya and ConnectWise, were instrumental in carrying out the attacks. In these particular cases, it has been confirmed by the affected vendors that the attackers used stolen credentials from MSPs to access their tools.
During a major wave of attacks this year, hackers used a common remote management console from Webroot to execute a PowerShell-based payload that downloaded ransomware onto client systems. Webroot announced that the tool the hackers accessed to carry out the attacks is used by MSPs to view and manage devices protected by Webroot's AV software.
The payload was often 'Sodinokibi', a ransomware family known to encrypt data on infected systems.
The evolving cyber threat landscape is creating vast opportunities for MSPs and MSSPs alike. It is wise for small businesses to use an MSP that has comprehensive knowledge and suitable toolsets to protect them. However, MSPs need to understand they are now being targeted and should protect their systems using the same solutions as a large enterprise. Hackers will always use the fastest and most effective method to steal as much data or encrypt as many systems as possible. MSP toolkits are an effective way to attack hundreds of businesses and thousands of endpoints in a single attempt.
Further analysis of the actual MSPs that have been targeted or compromised with ransomware is much more telling. According to Armor, a cloud security company, more than thirteen MSPs have spoken about being exploited or have been publicly notified of their involvement in these exploitation operations:
- Billtrust (Lawrence Township, New Jersey)
- TrialWorks (Coral Gables, Florida)
- PM Consultants (Portland, Oregon)
- iNSYNQ (Gig Harbor, Washington)
- CloudJumper (Garner, North Carolina)
- PercSoft (West Allis, Wisconsin)
- TSM Consulting Services Inc. (Rockwall, Texas)
- IT By Design (Jersey City, New Jersey)
- Unnamed IT Services Provider
- MetroList (Sacramento, California)
- SchoolinSites (Saraland, Alabama)
- CorVel (Irvine, California)
- Apex Human Capital Management (Roswell, Georgia)
In October of last year, the U.S. Department of Homeland Security issued Alert TA18-276B, titled "Advanced Persistent Threat Activity Exploiting Managed Service Providers". This notification detailed the ways in which malicious actors are now targeting MSPs to gain access to their clients' networks. While there is no specific evidence that the ransomware attacks above are related to the DHS alert, the incidents do show that criminal hackers and nation-states are targeting MSPs as a launching point. Compromising an MSP gives attackers access to a variety of other networks and infrastructures without the overhead of targeting each client individually.
According to the FBI and DHS, "Threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems." Because MSPs typically have direct and unfettered access to their customers' networks, attackers reason that a flaw in the provider's infrastructure can cascade to its customers. The federal advisory recommends the following to prevent these types of attacks:
- Ensure MSP accounts are not assigned to administrator groups.
- Place systems in security groups and only grant MSP account access as required.
- Organizational password policies should be applied to MSP accounts. These policies include complexity, life, lockout, and logging.
- Use service accounts for MSP agents and services where possible.
- Disable interactive logon for these accounts.
- Restrict MSP accounts by time and date. Set expiration dates reflecting the end of the contract on accounts used by MSPs when those accounts are created or renewed.
- Use a network architecture that includes account tiering so that higher privileged accounts will never have access or be found on lower privileged layers of the network.
- Disable unused applications on endpoints that are potentially accessed by MSPs.
- Cordon off or micro-segment data repositories from MSP accesses that are not explicitly authorized.
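The account controls in the advisory above can be audited automatically. The following PowerShell script is an added example, not part of the advisory or the original article; it checks one MSP service account in Active Directory against the group-membership, password-policy, interactive-logon and expiration recommendations. The account name, the privileged group list, the contract end date and the GPO-backed "Deny-Interactive-Logon" group are placeholders for your own environment, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: audit an MSP service account against the DHS/FBI MSP account controls.
# All names and dates below are placeholders; adjust them to your domain.
Import-Module ActiveDirectory

$MspAccount     = 'svc-msp-rmm'                                          # placeholder account
$AdminGroups    = 'Domain Admins','Enterprise Admins','Administrators','Schema Admins'
$DenyLogonGroup = 'Deny-Interactive-Logon'   # assumed group that a GPO maps to SeDenyInteractiveLogonRight
$ContractEnd    = Get-Date '2020-12-31'                                  # placeholder contract end

$user = Get-ADUser -Identity $MspAccount -Properties AccountExpirationDate, PasswordNeverExpires, MemberOf
$findings = @()

# 1. MSP accounts must not be assigned to administrator groups (checked recursively).
foreach ($g in $AdminGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    if ($members.SamAccountName -contains $user.SamAccountName) {
        $findings += "Member of privileged group '$g'"
    }
}

# 2. Organizational password policy applies: the account must not be exempt from password expiry.
if ($user.PasswordNeverExpires) { $findings += 'PasswordNeverExpires is set' }

# 3. Interactive logon should be denied; here that is enforced by membership in a GPO-backed deny group.
$denyMembers = Get-ADGroupMember -Identity $DenyLogonGroup -ErrorAction SilentlyContinue
if ($denyMembers.SamAccountName -notcontains $user.SamAccountName) {
    $findings += "Not a member of '$DenyLogonGroup'; interactive logon is not denied"
}

# 4. The account must expire no later than the end of the MSP contract.
if (-not $user.AccountExpirationDate -or $user.AccountExpirationDate -gt $ContractEnd) {
    $findings += 'No expiration date, or expiration later than the contract end'
    # Remove -WhatIf to actually set the expiration date on the account.
    Set-ADAccountExpiration -Identity $user -DateTime $ContractEnd -WhatIf
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning "$($user.SamAccountName): $_" }
} else {
    Write-Host "$($user.SamAccountName): compliant with the MSP account controls"
}
```

Run it against every MSP-owned account on a schedule; a non-empty findings list is the signal that a control has drifted since the account was created or renewed.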
MSPs are highly beneficial to organizations that need to add capability where in-house staff are limited, but the access and control granted to MSPs can be problematic. Possessing the "keys to the kingdom" and presenting a variety of avenues for exploitation opens MSPs up to the possibility of becoming the very threat distribution engine they were hired to defend against in the first place. Hackers and nation-states are aware of this and are using these weaknesses to expand their reach. Managed service providers that take security seriously are an asset to SMBs around the world.