DHS Memo: Hackers Exploiting MSPs to Attack Customers’ Networks
The U.S. Department of Homeland Security (DHS) is warning managed services providers (MSPs) and cloud services providers (CSPs) that cyber gangsters are exploiting them to creep unnoticed into their customers’ networks.
It goes without saying that in its new Alert (TA18-276B): Advanced Persistent Threat Activity Exploiting Managed Service Providers dated October 3, 2018, the DHS is cautioning managed security service providers (MSSPs) as well.
What’s happening: Hackers are attacking MSSPs, MSP and CSPs as the weak link in a supply chain to get to their customers. The DHS is strongly advising service providers to lock down their systems and data.
The updated Technical Alert provides information and guidance to assist MSP customer network and system administrators to detect malicious activity on their networks and systems and the mitigation of associated risks. It also includes an overview of tactics used by bad actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents. See details of the warning to MSPs and CSPs here.
Here’s what the DHS is worried about:
- For more than two years, the DHS’ National Cybersecurity and Communications Integration Center (NCCIC) has tracked hackers that are using advanced persistent threat (APT) tools aimed at breaking into the networks of both MSPs and CSPs and the infrastructure of their customers.
- The threat actors are exploiting trusted relationship between provider and customer, figuring that the provider commands delicate information that can get the bad actor inside the customer’s network.
- In an alert issued last April, victims had been identified in IT (including service providers), energy, healthcare, communications and critical manufacturing.
“Threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems,” the NCCIC wrote at the time. “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”
What’s in the updated Technical Alert (TA):
- Bad actor activity has increased fueled in part by more customers turning to service providers to support their networks.
- Because service providers “generally have direct and unfettered access to their customers’ networks,” the hackers figure that if they can find a flaw in the provider’s network it can cascade to its customers.
- The NCCIC is urging customers of MSPs and CSPs to implement a “defense-in-depth strategy” to protect their infrastructure assets and minimize risk.
Included in the TA is a set of best practices specific to MSPs:
- Ensure MSP accounts are not assigned to administrator groups. MSP accounts should not be assigned to the enterprise administrator (EA) or domain administrator (DA) groups.
- Restrict MSP accounts to only the systems they manage. Place systems in security groups and only grant MSP account access as required. Administrator access to these systems should be avoided when possible.
- Organizational password policies should be applied to MSP accounts. These policies include complexity, life, lockout, and logging.
- Use service accounts for MSP agents and services. If an MSP requires the installation of an agent or other local service, create service accounts for this purpose. Disable interactive logon for these accounts.
- Restrict MSP accounts by time and/or date. Set expiration dates reflecting the end of the contract on accounts used by MSPs when those accounts are created or renewed. If MSP services are only required during business hours, time restrictions should also be enabled and set accordingly. Consider keeping MSP accounts disabled until they are needed and disabling them once the work is completed.
- Use a network architecture that includes account tiering so that higher privileged accounts will never have access or be found on lower privileged layers of the network. This keeps EA and DA level accounts on the higher, more protected tiers of the network. Ensure that EA and DA accounts are removed from local administrator groups on workstations.
MSP Technology Providers Offer Guidance
Among those weighing in on the warning: Tim Brown, VP of security of SolarWinds MSP, offered this advice:
“The US Cert office’s warning today about ongoing advanced persistence threat (APT) actor activity attempting to infiltrate global MSP networks is a strong reminder that MSPs need to be vigilant about cyberhygiene. Bad guys will look for the easiest way in, so be sure to take care of the basics. Don’t forget multifactor authentication; turn on AV; patch; monitor logs and look for suspicious activity. The US Cert office lays out a number of these best practices, all of which we consistently cite and agree with.”
Datto Chief Information Security Officer Ryan Weeks also offered guidance to MSPs, stating:
“This is a serious threat. MSPs should take keen notice of this alert. There are steps that MSPs can and should take today to shore up defenses against such future attacks,” said Ryan Weeks, chief information security officer at Datto. “Scrutinizing their own credential management and authentication as well as network connectivity and remote access by all users is the first place MSPs must start.”
Weeks believes MSPs should focus on two major priorities:
- Take a hard look at credential management and authentication system controls of all accounts and services for key infrastructure or network entry points, including those of their service providers.
- Review the connectivity and topology of their networks and those of their end users.
More in-depth response activities should include additional analysis that accounts for the targeted nature of attacks in the MSP space that results in an increased likelihood of risk exposure, he added. Lastly, MSPs should revisit their layered defenses for effectiveness against motivated and capable adversaries, Weeks said.
And from Brian Downey, Senior Director of Product Management, Continuum:
“[The] alert from the Department of Homeland Security confirms that small businesses, and their managed service providers, are the new attack vector for cybercriminals, and the risks are severe. The report, which analyzed a phishing attack on MSPs, has three key details that service providers should be aware of:
- The attack capitalized on stolen credentials, making multi-factor authentication critical to securing end-clients.
- Signature-based malware detection is not enough to protect against the initial infection.
- Once the attackers were inside the service provider, they used common admin tools to move laterally to end-customer networks. This highlights the ineffectiveness of Remote Desktop Protocol (RDP) and heightens the need for more tightly-controlled remote management tools.
Continuum is strongly recommending that managed service providers evaluate how they connect to and manage their end-customer networks. Today’s report reinforces the need for advanced endpoint protection on all systems, isolating any unprotected systems into a separate network. MSPs should also ensure that they are leveraging DNS protection as a secondary line of defense, that they are using more secure tools than RDP, and that all remote access requires multi-factor authentication.
Amid the Department’s cogent warnings is a clear call for providers to bolster their ‘ability to rapidly respond to and recover from an incident… with the development of an incident response capability… prepared to handle the most common attack vectors.’ MSPs should heed this latest threat, as it is becoming increasingly likely that security will be the number one reason for an MSP to be hired or fired in the months and years to come.”
Find the Department of Homeland Security warning to MSPs and CSPs here, with deeper October 3 info specifically for MSPs here.
Teaser story by Joe Panettieri. Updated detailed blog (October 3, 9:00 p.m. ET) by DH Kass. Blog also updated through October 4 to reflect technology industry views. Story updates on this piece are now closed. We will post a separate blog if/when new developments on this story surface.