If someone who has not just woken from 40 years in a cryochamber decides to rob a bank in 2024, they probably won't be reaching for a revolver. Instead, they may turn to cybercrime (or rethink their plans altogether). They can take it a step further: rather than targeting one bank, or attacking banks one by one, they can attack them en masse. By hacking a managed service provider (MSP), they can gain access to the infrastructure of many customer organizations, including banks.
The example may seem ridiculous, but the reality is serious. Cybercriminals are increasingly targeting MSPs, and this growing threat is being reported globally, including in the US, the UK and other countries.
The role of MSPs in cybersecurity breaches
The acronym MSP refers to contractors who offer customers comprehensive management of IT products using an Infrastructure-as-a-Service (IaaS) model. According to IBM, the primary reason for successful attacks on MSPs is the compromise of credentials belonging to both the providers' employees and their customers. Weak and compromised passwords are responsible for one-third of these incidents. The account types most often found for sale on the dark net are Microsoft Outlook and WordPress credentials.
Another significant threat is software vulnerabilities. According to IBM, the number of vulnerabilities in cloud services has tripled in the past year, increasing by nearly 200%. Here too, criminals exploit security flaws in Microsoft Outlook and other widely used business products. However, there are also cases where software built specifically for MSPs is the weak point.
One of the most notable examples involves a vulnerability found in the ConnectWise ManagedITSync plugin. Service providers use this plugin to integrate the ConnectWise Manage automation platform with Kaseya VSA, which handles remote monitoring and asset management. The flaw allowed an attacker to modify the database, add new users, grant them full permissions and assign them arbitrary tasks. In simple terms, criminals could remotely push malware onto MSP customers' devices.
Although the bug was fixed immediately, other issues with Kaseya VSA emerged later. In 2021, at least three major MSPs and their customers were affected by a Kaseya VSA vulnerability. In Sweden, for example, the web services of the large retail chain Coop were compromised, forcing the company to temporarily close about 800 stores.
Extortion and espionage
Attacks on the MSP sector often involve the same criminal groups, many of which are ransomware gangs; some of them lease their malware to other criminals under subscription models. Sometimes the criminals demand a ransom from the provider itself, but more often they target its customers, usually threatening to leak data. To illustrate the scale, consider three incidents involving well-known groups.
1. Black Hunt
In January 2024, an attack on Tigo Business, the market leader in mobile communications, cloud services and hosting in Paraguay, was revealed. The provider was targeted by the Black Hunt ransomware group. As a result of the attack, 330 of the provider's servers were encrypted, causing an immediate outage; the web services of more than 300 customer companies were disrupted.
Black Hunt first emerged in late 2022 and is active in South America. Typically, the criminals gain access to corporate networks and user devices, from which they launch ransomware attacks. In their communications with victims, they also mention the possibility of selling the stolen data on the dark net.
The primary entry point for these attacks is insecurely exposed Remote Desktop Protocol (RDP). Once inside, the criminals clear the Windows event logs on victims' computers, delete volume shadow copies, disable System Restore and terminate Microsoft Defender. All of this happens quietly, without the user's awareness.
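The sequence above (log clearing, shadow-copy deletion, recovery disabled, Defender stopped) is what a defender should be alerting on before the encryption starts. The following is an added example written for this article, not code from the original text or from any vendor: it scores a constructed set of Windows event records (made-up JSON lines mimicking Security/System channel exports) and raises a per-host alert only when several of these techniques appear within a short window, which separates a routine log rotation from the pre-encryption pattern. The rule regexes, field names and the RDP logon-type check are assumptions about the export format.

```python
"""Flag the Black Hunt-style anti-forensics sequence in Windows event records.

Constructed example: the events below are JSON lines made up to mimic an export
of the Windows Security and System channels; they are not real telemetry. Rules
key on well-known event IDs (1102/104 log cleared, 4688 process creation with a
command line, 7036 service state change) and known command-line patterns.
"""
import json
import re
from datetime import datetime, timedelta

SAMPLE_EVENTS = """
{"Time": "2024-01-07T02:10:00Z", "Host": "srv-12", "Channel": "Security", "EventID": 4624, "User": "svc-backup", "LogonType": 10}
{"Time": "2024-01-07T02:15:10Z", "Host": "srv-12", "Channel": "Security", "EventID": 4688, "User": "svc-backup", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"Time": "2024-01-07T02:15:12Z", "Host": "srv-12", "Channel": "Security", "EventID": 4688, "User": "svc-backup", "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"}
{"Time": "2024-01-07T02:15:20Z", "Host": "srv-12", "Channel": "Security", "EventID": 1102, "User": "svc-backup"}
{"Time": "2024-01-07T02:15:25Z", "Host": "srv-12", "Channel": "System", "EventID": 7036, "Service": "WinDefend", "State": "stopped"}
{"Time": "2024-01-07T09:00:00Z", "Host": "ws-04", "Channel": "Security", "EventID": 4688, "User": "alice", "CommandLine": "notepad.exe report.txt"}
{"Time": "2024-01-07T09:30:00Z", "Host": "ws-04", "Channel": "Security", "EventID": 1102, "User": "it-admin"}
"""


def _cmd(ev):
    return ev.get("CommandLine", "")


# technique tag -> predicate over one parsed event
RULES = {
    "log_cleared": lambda ev: ev["EventID"] in (1102, 104),
    "shadow_copies_deleted": lambda ev: ev["EventID"] == 4688
        and re.search(r"vssadmin\S*\s+delete\s+shadows|shadowcopy\s+delete", _cmd(ev), re.I) is not None,
    "recovery_disabled": lambda ev: ev["EventID"] == 4688
        and re.search(r"bcdedit\S*.*recoveryenabled\s+no", _cmd(ev), re.I) is not None,
    "defender_stopped": lambda ev: (ev["EventID"] == 7036 and ev.get("Service") == "WinDefend"
                                    and ev.get("State") == "stopped")
        or (ev["EventID"] == 4688 and re.search(r"Set-MpPreference\s+-Disable", _cmd(ev), re.I) is not None),
}


def parse_events(text):
    """Parse JSON lines into dicts, adding a timezone-aware datetime under '_ts'."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["_ts"] = datetime.fromisoformat(ev["Time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def classify(ev):
    """Return the set of technique tags an event matches (empty for benign events)."""
    return {tag for tag, pred in RULES.items() if pred(ev)}


def detect(events, window_minutes=30, min_techniques=2):
    """Alert per host when >= min_techniques distinct techniques occur inside one window.

    One cleared log on its own can be routine maintenance; several of these
    actions in quick succession are the pre-encryption pattern described above.
    """
    window = timedelta(minutes=window_minutes)
    hits_by_host = {}
    for ev in sorted(events, key=lambda e: e["_ts"]):
        tags = classify(ev)
        if tags:
            hits_by_host.setdefault(ev["Host"], []).append((ev["_ts"], tags, ev.get("User")))

    alerts = {}
    for host, hits in hits_by_host.items():
        for t0, _, _ in hits:
            cluster = [h for h in hits if t0 <= h[0] <= t0 + window]
            techniques = set().union(*(h[1] for h in cluster))
            if len(techniques) < min_techniques:
                continue
            # Context the article highlights: an RDP logon (type 10) shortly before.
            rdp_before = any(
                e["Host"] == host and e["EventID"] == 4624 and e.get("LogonType") == 10
                and t0 - window <= e["_ts"] <= t0
                for e in events
            )
            alerts[host] = {
                "first_seen": cluster[0][0].isoformat(),
                "techniques": sorted(techniques),
                "users": sorted({h[2] for h in cluster if h[2]}),
                "preceded_by_rdp_logon": rdp_before,
            }
            break
    return alerts


if __name__ == "__main__":
    for host, alert in detect(parse_events(SAMPLE_EVENTS)).items():
        print(host, alert)
```

On the sample data only srv-12 fires: four distinct techniques inside fifteen seconds, preceded by an RDP logon. The single log-clear on ws-04 stays below the threshold, which is the intended trade-off; tune `min_techniques` and the window to your environment's baseline rather than alerting on every 1102.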
2. REvil
Another ransomware group exploited vulnerabilities in the same well-known software, Kaseya VSA. The most notable incident involving the REvil group and MSP contractors occurred in 2021. The group claimed to have infected both Kaseya and other service providers that used its products. According to the criminals, one million systems were affected worldwide. Earlier, the group had carried out a similar attack using its Sodin ransomware, mainly targeting MSPs through Webroot remote access consoles.
3. APT29
In late February 2024, the Cybersecurity and Infrastructure Security Agency (CISA) reported that the APT29 group had begun specializing in attacks on cloud services. Previously, they focused on exploiting on-premises vulnerabilities.
APT29, also known as Midnight Blizzard and Cozy Bear, is believed by some security experts to be operated by the Russian foreign intelligence service. The group typically targets government bodies and organizations in the US and European countries, and such incidents often result in confidential information being leaked.
Typically, criminals gain access to a victim's network through brute-force attacks. However, according to the CISA report, in attacks on cloud services APT29 often uses access tokens, which let them sign in to accounts without a password. The group also frequently uses multi-factor authentication (MFA) bypass techniques. Once they gain access to an organization's cloud storage, group members enroll new devices in it and begin reconnaissance.
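Two of the behaviours just described leave traces in cloud sign-in and audit logs: a token being used from a device on which the account never completed an interactive MFA sign-in, and a freshly registered device immediately enumerating the directory. The following is an added example written for this article, not code from the original text or from CISA: it runs both checks over constructed records with a generic schema (`User`, `AuthMethod`, `DeviceId`, `IP` for sign-ins; `User`, `Action`, `DeviceId` for audit events), so the field names, the `password+mfa` method label and the list of reconnaissance actions are assumptions to be mapped onto your provider's real log format.

```python
"""Spot the cloud-account pattern described above: token sign-ins from devices
that never completed an interactive MFA sign-in, followed by a device
registration and directory enumeration.

Constructed example: the records are made-up JSON lines with a generic schema;
map your provider's real sign-in and audit log fields onto these names first.
"""
import json
from datetime import datetime, timedelta

SAMPLE_SIGNINS = """
{"Time": "2024-03-01T08:00:00Z", "User": "bob", "AuthMethod": "password+mfa", "DeviceId": "dev-bob-laptop", "IP": "203.0.113.10"}
{"Time": "2024-03-01T12:30:00Z", "User": "bob", "AuthMethod": "refresh_token", "DeviceId": "dev-bob-laptop", "IP": "203.0.113.10"}
{"Time": "2024-03-02T03:05:00Z", "User": "bob", "AuthMethod": "refresh_token", "DeviceId": "dev-unknown-7", "IP": "198.51.100.44"}
{"Time": "2024-03-02T09:00:00Z", "User": "alice", "AuthMethod": "password+mfa", "DeviceId": "dev-alice-pc", "IP": "203.0.113.22"}
"""

SAMPLE_AUDIT = """
{"Time": "2024-03-02T03:06:00Z", "User": "bob", "Action": "DeviceRegistered", "DeviceId": "dev-unknown-7"}
{"Time": "2024-03-02T03:07:00Z", "User": "bob", "Action": "ListUsers"}
{"Time": "2024-03-02T03:07:30Z", "User": "bob", "Action": "ListGroups"}
{"Time": "2024-03-02T03:08:00Z", "User": "bob", "Action": "ListRoleAssignments"}
{"Time": "2024-03-02T09:10:00Z", "User": "alice", "Action": "ListGroups"}
"""

# Actions that, in bulk, look like directory reconnaissance (constructed list).
RECON_ACTIONS = {"ListUsers", "ListGroups", "ListRoleAssignments", "ListApplications"}
INTERACTIVE_MFA = "password+mfa"   # assumed label for a full password + MFA sign-in


def load_records(text):
    """Parse JSON lines, attach a datetime under '_ts' and sort chronologically."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["Time"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["_ts"])


def find_token_signins_from_unenrolled_devices(signins):
    """Streaming baseline: a device becomes trusted for a user only after that
    user completes an interactive MFA sign-in on it. A token-only sign-in from
    any other device means the token is being used where MFA never ran."""
    trusted = {}
    findings = []
    for s in signins:
        user_devices = trusted.setdefault(s["User"], set())
        if s["AuthMethod"] == INTERACTIVE_MFA:
            user_devices.add(s["DeviceId"])
        elif s["AuthMethod"].endswith("token") and s["DeviceId"] not in user_devices:
            findings.append({
                "type": "token_signin_from_unenrolled_device",
                "user": s["User"], "device": s["DeviceId"], "ip": s["IP"], "time": s["Time"],
            })
    return findings


def find_post_registration_recon(audit, window_minutes=15, min_actions=3):
    """Flag a device registration followed by >= min_actions enumeration calls
    by the same user within window_minutes."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for reg in (a for a in audit if a["Action"] == "DeviceRegistered"):
        actions = [
            a["Action"] for a in audit
            if a["User"] == reg["User"] and a["Action"] in RECON_ACTIONS
            and reg["_ts"] <= a["_ts"] <= reg["_ts"] + window
        ]
        if len(actions) >= min_actions:
            findings.append({
                "type": "post_registration_reconnaissance",
                "user": reg["User"], "device": reg["DeviceId"], "time": reg["Time"],
                "actions": actions,
            })
    return findings


def analyze(signin_text, audit_text):
    """Run both checks and return the combined list of findings."""
    return (find_token_signins_from_unenrolled_devices(load_records(signin_text))
            + find_post_registration_recon(load_records(audit_text)))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_SIGNINS, SAMPLE_AUDIT):
        print(finding)
```

Bob's routine token refresh from his enrolled laptop is not reported; the same token used from `dev-unknown-7`, and that device's registration followed by three enumeration calls within two minutes, both are. The baseline is built in time order on purpose: a device must earn trust through an interactive MFA sign-in before it can be tolerated for token use, which is exactly the step the attacker skipped.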
Defense strategies
The principle is simple: the fewer IT service providers you have, the smaller the chance of being attacked through one of them. Another obvious piece of advice: verify a contractor's track record in advance. It is not only a question of whether attackers have targeted them before. A company may be too new to have a significant history of such incidents, yet still be as reliable as its competitors. Additionally, not all market players are willing to share such information about themselves.
That is why it is advisable to check whether the service provider holds the relevant regulatory and industry certifications, both industry-specific ones such as PCI DSS and general ones such as ISO 27001.
It is important to remember that compliance on paper does not always ensure effective data protection in practice. If in doubt, ask the provider questions about matters within its area of responsibility, such as:
1. What type of data center houses its equipment?
Sometimes what is labeled a data center is just a server room inside a business center. In terms of physical security, that setup is usually less robust than a standalone data center on a fenced site. Also check how physical access control is managed, whether there is round-the-clock security and whether there is indoor and outdoor video surveillance.
2. How is network security arranged?
Mandatory network segmentation, which separates the provider's and customers' networks, is not the only concern. It is important to understand how DDoS protection is organized: is the attacked customer's traffic routed into a blackhole, or is the entire cloud protected at the L3/L4 level? The latter approach detects threats earlier and avoids the victim's IP address suddenly being blocked.
3. What identity and access management practices are implemented?
It is better if provider and customer administrators connect to resources with MFA and through a remote desktop (VDI). It is also good if the contractor not only requires access credentials to be rotated every 90 days but also verifies password hashes to guard against brute-force attacks.
4. Which vulnerability scanners are used?
All MSPs regularly scan their internal and cloud infrastructure. In some cases, depending on the agreement, the resources the contractor makes available to the client are scanned as well.
5. How is monitoring done and how are logs collected?
Many providers use logs from cloud software and devices to detect anomalies quickly and reduce potential risks to themselves and their customers. This data enables rapid incident response and investigation.
6. Are backups created and stored at a remote location?
It is important not to confuse backups with disaster recovery orchestration (such confusion does occur in practice). In a ransomware incident there is a risk that already-encrypted data is copied to the backup site just as it is on the primary site. Make sure your MSP's backup strategy addresses these concerns comprehensively.
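One concrete way to avoid faithfully replicating encrypted data to the backup site is a pre-replication check that refuses to overwrite the remote copy when the new snapshot looks like ransomware output. The following is an added example written for this article, not code from the original text or from any backup product: it compares two constructed in-memory snapshots (dicts of path to bytes) and holds replication on high byte entropy outside known compressed formats, on a suspicious extension or ransom-note file name, or on a mass change of files. The extension and note-name lists are placeholders, not a real indicator feed, and the thresholds are assumptions to tune.

```python
"""Pre-replication check for a backup snapshot: hold replication when the new
snapshot looks encrypted by ransomware instead of overwriting the remote copy.

Constructed example: the snapshots are in-memory dicts (path -> bytes) built for
this illustration; the suspicious-extension and ransom-note name lists are
placeholders, not a real indicator feed.
"""
import math
import os
import random
from collections import Counter

HIGH_ENTROPY_BITS = 7.5   # text and office documents sit well below this
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4"}  # legitimately high entropy
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}             # placeholder list
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore.txt"}        # placeholder list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text is roughly 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: str, data: bytes) -> list:
    """Reasons a file looks like ransomware output (empty list means clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    name = os.path.basename(path).lower()
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append("ransomware_extension")
    if name in RANSOM_NOTE_NAMES:
        reasons.append("ransom_note_name")
    # Compressed and media formats are high-entropy by nature, so the entropy
    # test is applied only to everything else to avoid false positives.
    if ext not in COMPRESSED_EXTENSIONS and shannon_entropy(data) > HIGH_ENTROPY_BITS:
        reasons.append("high_entropy")
    return reasons


def assess_snapshot(previous: dict, current: dict, change_ratio_limit: float = 0.5) -> dict:
    """Decide whether `current` may replace the remote copy of `previous`."""
    suspicious = {}
    changed = 0
    for path, data in current.items():
        if previous.get(path) != data:
            changed += 1
        reasons = assess_file(path, data)
        if reasons:
            suspicious[path] = reasons
    change_ratio = changed / max(len(current), 1)
    mass_change = change_ratio >= change_ratio_limit
    hold = bool(suspicious) or mass_change
    return {
        "replicate": not hold,
        "suspicious": suspicious,
        "change_ratio": round(change_ratio, 2),
        "mass_change": mass_change,
    }


def build_samples():
    """Constructed 'before' and 'after ransomware' snapshots for the demo."""
    rng = random.Random(0)

    def random_blob(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    report = ("Quarterly report: revenue up 4%, churn stable, see appendix.\n" * 40).encode()
    clean = {
        "docs/q1.txt": report,
        "docs/notes.txt": b"meeting notes: migrate mail to the new tenant\n" * 50,
        "archive/backup.zip": random_blob(4096),   # compressed, legitimately high entropy
    }
    encrypted = {
        "docs/q1.txt.locked": random_blob(4096),
        "docs/notes.txt.locked": random_blob(4096),
        "docs/readme_decrypt.txt": b"files encrypted; contact <placeholder> to restore\n",
        "archive/backup.zip": clean["archive/backup.zip"],
    }
    return clean, encrypted


if __name__ == "__main__":
    clean, encrypted = build_samples()
    print("clean -> clean:", assess_snapshot(clean, clean)["replicate"])
    print("clean -> encrypted:", assess_snapshot(clean, encrypted))
```

The unchanged zip archive is never reported even though its bytes are as random as the encrypted documents, which is the false positive this check has to tolerate. A held snapshot should stay in quarantine beside the previous good copy, not replace it; keeping prior versions immutable is what turns this check into actual recoverability.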
7. Do they train their employees?
Since people are the weakest link, staff training should focus on things like recognizing social engineering tactics, practicing strong password habits and browsing securely. Employees also need to know how to report security incidents promptly.
All the criteria mentioned are the basic standards a trustworthy service provider should meet. Ideally, the provider goes beyond regulatory and customer demands. For example, pre-incident response (pre-IR) testing is an optional step; if the provider takes this initiative and achieves good results, it reflects a stronger commitment to security.
Although there are many dangers related to MSPs, the reality is not as grim as one might think. As in other industries, only a small percentage of companies fall victim to hackers. In most cases, service providers implement robust security measures that are proven effective in every area. If you are a daring cybercriminal attempting to break into a trusted service provider, I pity your dark endeavors, but chances are, achieving your goal will be a difficult task.