Five Eyes turn spotlight on MSPs: Potential weak links in IT supply-chain security

We can think of one thing the S stands for in some unfortunate cases

Miscreants are targeting managed service providers (MSPs) to break into their customers' networks and deploy ransomware, steal data, and spy on them, the Five Eyes nations' cybersecurity authorities have formally warned in a joint security alert.

"The UK, Australian, Canadian, New Zealand, and US cybersecurity authorities expect malicious cyber actors — including state-sponsored advanced persistent threat (APT) groups — to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships," the alert warned.

These types of supply-chain or "island-hopping" attacks can prove very lucrative for cybercriminals because once they break into an MSP, they gain access to all of the customers' networks and data being managed, and in turn commit computer crimes and fraud against those customers' customers.

Case in point: the SolarWinds attack in 2020, when Kremlin-backed miscreants slipped malware into SolarWinds' Orion software, which was then pushed to some 18,000 SolarWinds' customers. This allowed the criminals to infiltrate nearly 100 US government and private-sector networks.

That MSPs are a weak point in the IT supply chain isn't earth-shattering news for a good number of you in the industry, though it's welcome to see governments not only recognize the threat but also attempt to highlight it.

"Today's joint advisory is a stark warning of the clear and present danger posed by ongoing attack campaigns against MSPs. Rogue nation states love this method of cyber-colonization," Tom Kellermann, head of cybersecurity strategy at VMware, told The Register. The virtualization biz has seen a 58 percent increase in island hopping over the past year, Kellermann added.

"I am concerned that as geopolitical tension metastasizes in cyberspace, these attacks will escalate and Russian cyber-spies will use this stratagem to deploy destructive malware across entire customer bases of MSPs," he said. "Enterprises must focus on implementing zero-trust and increase active threat hunting, especially across networks and endpoints."

The Five Eyes alert also provides guidance on discussions that should happen between MSPs and their customers about securing sensitive data. 

"These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance," the advisory stated. Additionally, customers should check that their contracts specify that MSPs implement certain security controls, according to the agencies, which include CISA, the FBI and the National Security Alliance.

The first step, per usual, is implementing baseline security and operational controls. This includes backing up systems and data, isolating critical systems, applying least-privilege principles across network and device access, and turning on multi-factor authentication (MFA). 

However, the alert noted that Russian state-sponsored criminals can exploit default MFA protocols, as they demonstrated in recent attacks that also exploited the PrintNightmare vulnerability. "Organizations should review configuration policies to protect against 'fail open' and re-enrollment scenarios," the alert warned.

How to prevent initial compromise

Because remote-access VPNs, internet-facing services, phishing emails and password spraying are usually involved in an initial compromise, the agencies also point to guidance on hardening and protecting technologies to close up common entry points for attacks.

MSPs should log their delivery infrastructure activities related to providing services to their customers as well as internal and customer network activity, according to the alert. "It can be months before incidents are detected, so UK, Australian, Canadian, New Zealand, and US cybersecurity authorities recommend all organizations store their most important logs for at least six months," it said.

Customers and MSPs should periodically check their attack surface and disable accounts and infrastructure that are no longer in use, such as user accounts left behind after an employee leaves a company.

And, as always, update software and apply patches. "Prioritize applying security updates to software containing known exploited vulnerabilities," the alert suggested. ®


Biting the hand that feeds IT © 1998–2022