US Secret Service warns of spike in cyberattacks against managed service providers (MSPs)

Organizations are increasingly relying on managed service providers (MSPs) to remotely manage IT infrastructure and other resources. Outsourcing the care and feeding of its network, applications, or security allows an organization to save time and money, especially if it lacks the necessary internal staffing and capabilities.

However, as MSPs become more popular, they’ve also become more of an open target for cybercriminals. Since each MSP typically has access to vital resources for multiple clients, a single data breach can unlock the door to a treasure trove of sensitive data.

The level of risk can be even higher if the MSP is home to a server and other physical hardware for a customer. A recent alert from the US Secret Service warns of a rise in hacks of MSPs and offers advice on what providers and customers should do to beef up their security.

Noting the increase in cyberattacks against MSPs, the Secret Service’s June alert explains that since an MSP can service a large number of customers, hackers are targeting them as a way of attacking multiple companies through the same vector. Further, MSPs use various open-source and enterprise applications to remotely manage the environments of their clients. As such, cybercriminals are exploiting these applications to conduct ransomware attacks, Business Email Compromise (BEC) campaigns, and point-of-sale intrusions.

As described in a Monday story from ZDNet, threat intelligence firm Armor said in October that it identified at least 13 MSPs that were hacked in 2019, triggering the deployment of ransomware on the networks of their customers. Further, in a phone call with ZDNet, Kyle Hanslovan, CEO at Huntress Labs, said that his company provided support in at least 63 incidents of MSP hacks in 2019 that led to ransomware attacks on customer networks. However, Hanslovan believes that the total number of such incidents could have been more than 100 last year.

The alert from the Secret Service is far from the first such notice in recent years. In October 2018, the National Cybersecurity and Communications Integration Center (NCCIC) warned of ongoing attempts from state-sponsored hacking groups to breach MSPs, especially targeting cloud-based service providers.

“Attackers concentrate their malicious efforts on MSPs because they are now a low-hanging fruit,” Ilia Kolochenko, founder & CEO of web security company ImmuniWeb, told TechRepublic. “Worse, most of the successful intrusions are never detected or reported given that the attackers have strong incentives to conceal the breach that may otherwise trigger an investigation that may depreciate the value of stolen data or even bring a SWAT team to their homes.”

In its advisory, the Secret Service offered advice for both MSPs and their customers to grapple with the rise in hacks and breaches.

Best practices for MSPs

  • Have a well-defined service level agreement.
  • Ensure remote administration tools are patched and up to date.
  • Enforce least privilege for access to resources.
  • Have well-defined security controls that meet the regulatory compliance requirements of end users.
  • Perform annual data audits.
  • Take into consideration local, state, and federal data compliance standards.
  • Proactively conduct cyber training and education programs for employees.

Best practices for MSP customers

  • Audit Service Level Agreements.
  • Audit remote administration tools being utilized in your environment.
  • Enforce two-factor authentication for all remote logins.
  • Restrict administrative access during remote logins.
  • Enforce least privilege for access to resources.
  • Utilize a secure network and system infrastructure capable of meeting current security requirements.
  • Proactively conduct cyber training and education programs for employees.

Risk management is another area that MSP customers need to reevaluate, according to Kolochenko.
