This is what to expect when a managed service provider gets popped

MSP should just stand for My Server's Pwned!


A Russian-language miscreant claims to have hacked their way into a managed service provider, and has asked for help monetizing what's said to be access to the networks and computers of that MSP's 50-plus US customers.

These kinds of service providers typically remotely manage their many clients' IT infrastructure and software, and so infiltrating one MSP can unlock a route into a great number of organizations.

Kyle Hanslovan, CEO of infosec outfit Huntress, this week said he spotted an exploit[.]in forum post in which someone bragged they had access to 50-plus American companies via an MSP's control panel.

Furthermore, the miscreant said they were looking for a partner in crime to help them turn a profit from this unauthorized access – presumably by extorting the MSP's customers after stealing and encrypted their data – and that the poster's share of the ill-gotten gains will be significant seeing as they did all the initial work.

It's claimed that more than 100 ESXi hypervisor deployments, and at least a thousand servers, can be hijacked via the compromised MSP. If correct, this illustrates how service providers can be the weak links in businesses' security chains.

The message, submitted by a user with the handle "Beeper," was written in Russian, and translates into the following:

Looking for a partner for MSP processing.

I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1000+ servers.

All companies are American and approximately in the same time zone. I want to work qualitatively, but I do not have enough people.

In terms of preparation, only little things are left, so my profit share will be high.

Please send me a message for more details and suggestions.

It's been pointed out that the poster's forum reputation score was zero at the time, so take it perhaps with a pinch of salt. Also the fact that they need help extorting an MSP's clients suggests someone new to this game.

Around the same time Hanslovan noticed Beeper's pitch, Kela security researchers tweeted a screenshot of another forum post, also in Russian, of someone peddling what was said to be initial access into one or more UK companies.

This ad claimed to sell RDP admin-level credentials for one or more businesses generating more than $5 million in revenue – meaning they can cough up a fairly fat demand — and have ransomware insurance, also meaning more chance the money will be paid.

Both of these ads illustrate a couple key points, Huntress's senior incident responder Harlan Carvey wrote in a followup advisory. First, the posts highlight the separate roles within the ransomware economy: in this case, the initial access broker who sells or provides a route into an organization for a fee or cut of the profits. This access is then used by extortionists to siphon sensitive data, encrypt files using ransomware, and demand payment to keep quiet about the intrusion and clean up the mess.

"Both ads illustrate that someone (a hacker) has gained access to an organization, unbeknownst to that organization, for the express purpose of offering that access for sale to other parties," Carvey explained.

This means it's a little easier for criminals, particularly those without vulnerability exploitation skills, to deploy ransomware, copy out data, and so on: they can buy their way into a network and go from there.

Second, the underground forum ads suggest that "MSPs remain an attractive supply chain target for attackers, particularly initial access brokers," Carvey wrote, pointing to a May security alert from Five Eyes' cybersecurity authorities. 

That alert warned that criminals are targeting managed service providers to break into their customers' networks and deploy ransomware, harvest information, and spy on them.

It's also worth noting that a Kansas City-based MSP reportedly was the target of a cyberattack this week.

According to a Reddit post, NetStandard disclosed the attack to its customers after engineers "identified signs of a cybersecurity attack within the MyAppsAnywhere environment" on July 26. The attack took some of the MSP's hosted services offline, and NetStandard noted it couldn't yet provide time to resolution.

"We are engaged with our cybersecurity insurance vendor to identify the source of the attack and determine when the environment can be safely brought back online," the provider said, according to the post.

NetStandard didn't respond to The Register's inquiries. 

When asked about the reported attack against the MSP in light of the Russian-language ads, Carvey said it's too early to know if the two are connected.

"There is nothing in the ad or the article that ties one to the other, and Huntress refrains from speculation," Carvey told The Register. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022