DHS Memo: Hackers Exploiting MSPs to Attack Customers’ Networks

• For more than two years, the DHS' National Cybersecurity and Communications Integration Center (NCCIC) has tracked hackers that are using advanced persistent threat (APT) tools aimed at breaking into the networks of both MSPs and CSPs and the infrastructure of their customers.
• The threat actors are exploiting trusted relationship between provider and customer, figuring that the provider commands delicate information that can get the bad actor inside the customer’s network.
• In an alert issued last April, victims had been identified in IT (including service providers), energy, healthcare, communications and critical manufacturing.

• Bad actor activity has increased fueled in part by more customers turning to service providers to support their networks.
• Because service providers “generally have direct and unfettered access to their customers’ networks,” the hackers figure that if they can find a flaw in the provider’s network it can cascade to its customers.
• The NCCIC is urging customers of MSPs and CSPs to implement a “defense-in-depth strategy” to protect their infrastructure assets and minimize risk.

• Ensure MSP accounts are not assigned to administrator groups. MSP accounts should not be assigned to the enterprise administrator (EA) or domain administrator (DA) groups.
• Restrict MSP accounts to only the systems they manage. Place systems in security groups and only grant MSP account access as required. Administrator access to these systems should be avoided when possible.
• Organizational password policies should be applied to MSP accounts. These policies include complexity, life, lockout, and logging.
• Use service accounts for MSP agents and services. If an MSP requires the installation of an agent or other local service, create service accounts for this purpose. Disable interactive logon for these accounts.
• Restrict MSP accounts by time and/or date. Set expiration dates reflecting the end of the contract on accounts used by MSPs when those accounts are created or renewed. If MSP services are only required during business hours, time restrictions should also be enabled and set accordingly. Consider keeping MSP accounts disabled until they are needed and disabling them once the work is completed.
• Use a network architecture that includes account tiering so that higher privileged accounts will never have access or be found on lower privileged layers of the network. This keeps EA and DA level accounts on the higher, more protected tiers of the network. Ensure that EA and DA accounts are removed from local administrator groups on workstations.

"The US Cert office’s warning today about ongoing advanced persistence threat (APT) actor activity attempting to infiltrate global MSP networks is a strong reminder that MSPs need to be vigilant about cyberhygiene. Bad guys will look for the easiest way in, so be sure to take care of the basics. Don’t forget multifactor authentication; turn on AV; patch; monitor logs and look for suspicious activity. The US Cert office lays out a number of these best practices, all of which we consistently cite and agree with."

“This is a serious threat. MSPs should take keen notice of this alert. There are steps that MSPs can and should take today to shore up defenses against such future attacks,” said Ryan Weeks, chief information security officer at Datto. “Scrutinizing their own credential management and authentication as well as network connectivity and remote access by all users is the first place MSPs must start.”

• Take a hard look at credential management and authentication system controls of all accounts and services for key infrastructure or network entry points, including those of their service providers.
• Review the connectivity and topology of their networks and those of their end users.

“ alert from the Department of Homeland Security confirms that small businesses, and their managed service providers, are the new attack vector for cybercriminals, and the risks are severe.  The report, which analyzed a phishing attack on MSPs, has three key details that service providers should be aware of:

• The attack capitalized on stolen credentials, making multi-factor authentication critical to securing end-clients.
• Signature-based malware detection is not enough to protect against the initial infection.
• Once the attackers were inside the service provider, they used common admin tools to move laterally to end-customer networks. This highlights the ineffectiveness of Remote Desktop Protocol (RDP) and heightens the need for more tightly-controlled remote management tools. 

Continuum is strongly recommending that managed service providers evaluate how they connect to and manage their end-customer networks. Today’s report reinforces the need for advanced endpoint protection on all systems, isolating any unprotected systems into a separate network. MSPs should also ensure that they are leveraging DNS protection as a secondary line of defense, that they are using more secure tools than RDP, and that all remote access requires multi-factor authentication.

Amid the Department’s cogent warnings is a clear call for providers to bolster their ‘ability to rapidly respond to and recover from an incident… with the development of an incident response capability… prepared to handle the most common attack vectors.’ MSPs should heed this latest threat, as it is becoming increasingly likely that security will be the number one reason for an MSP to be hired or fired in the months and years to come.”