Identity Theft Attacks to MSPs in 2019…


Looking back, 2019 was a tough year for MSPs in terms of security breaches. Just to highlight a few:

  • February: A ConnectWise plugin vulnerability was exploited by attackers and used to distribute GandCrab ransomware into MSPs and their customers
  • June: At least three large MSPs using Webroot software had credentials stolen, which allowed attackers to spread the Sodinokibi ransomware to their customers
  • August: Several Texas government entities had ransomware distributed through their MSP connections

The list goes on and on, and you can learn more about the attacks by listening to this 443 – Security Simplified podcast episode. But most of these incidents have something in common: they start with credential theft and then move on to spreading ransomware wherever possible, including to the MSPs' customers. Wondering why cyber crimes targeting MSPs are increasing? First, the number of MSP organizations is growing quickly due to ongoing market demand. Small and midsize businesses don’t have the capacity (staff and resources) to handle all their IT and security management, so more and more are relying on service providers to handle IT needs in order to stay focused on their core business.

Resellers in the field are noticing the high demand for service providers and are transforming their business model to become MSPs. This brings us to the second and main reason for these targeted cyber attacks.

Remember when hackers used to randomly attack an entity or user just for the sake of showing off their skills? Those days are over. Cyber attackers are now focused on profitability, which comes from maximizing the number of machines infected with malware. This is where an MSP becomes an ideal target. While attacking individual companies with phishing scams can work, hackers have realized that by targeting companies that manage IT for other organizations, they automatically gain access to many more victims: those companies' customers.

This is a growing trend that puts the MSP community at the center of cyber threats. So, what are the fundamental actions to improve your security and keep your customers secure? A good rule of thumb is to protect admin credentials for all of your technical staff to avoid compromising access to their management tools, including remote access to computers and servers, as well as software distribution tools.

It takes only one vulnerable credential to compromise remote access to dozens of customers, so the best way to protect them is certainly with multi-factor authentication. For MSPs, push-based authentication can be particularly valuable. While time-based one-time passwords (OTPs) are quite effective, an attacker could still use social engineering or a phishing attack to obtain a valid OTP and use it within its short validity window. A well-implemented push-based authentication, by contrast, not only provides context information about who is trying to authenticate, but also triggers an alert when your credentials have been stolen and someone is trying to use them.
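To make the difference concrete, here is an added example in Python (not code from the original post or from WatchGuard): an RFC 6238 TOTP check with the clock-drift tolerance most servers apply, which is exactly the window in which a phished code still works, beside a minimal model of push-based verification that shows the user the login context and records a denial as an alert a defender can act on. The secret, timestamps, user name and IP address are constructed sample values.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_accepts(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Typical server-side check: accept the current step plus/minus `skew` steps of drift.

    With step=30 and skew=1 a code stays usable for up to ~90 seconds, which is the
    replay window a phished OTP gives an attacker."""
    return any(
        hmac.compare_digest(totp(secret, now + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


class PushVerifier:
    """Minimal model of push-based MFA: every login attempt becomes a challenge that
    carries its context to the user's device, and a denial is logged as an alert."""

    def __init__(self) -> None:
        self.pending: dict[str, tuple[str, dict]] = {}
        self.alerts: list[dict] = []

    def request(self, challenge_id: str, user: str, ctx: dict) -> dict:
        """Register a login attempt; `ctx` is what the user sees before approving."""
        self.pending[challenge_id] = (user, ctx)
        return ctx

    def respond(self, challenge_id: str, approved: bool) -> bool:
        """User's answer from the device; a denial means someone else used the password."""
        user, ctx = self.pending.pop(challenge_id)
        if not approved:
            self.alerts.append({"event": "push_denied", "user": user, **ctx})
        return approved
```

The TOTP branch shows that a code captured at the start of a step is still accepted tens of seconds later, while the push branch shows that a denied prompt leaves an alert record instead of a silent failure.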

After their identity-theft incident, Webroot’s SVP, Chad Bacher, shared that “to ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory.” Some users still see 2FA as optional, but failure to implement strong security measures in businesses like MSPs compromises both staff and client populations.

Multi-factor authentication is a key requirement for remote access. I’ve been encouraging this practice in my 20+ years working on authentication technology. Multiplying remote access by the number of managed customers makes it even more critical. So, to all MSPs out there: think about MFA as a strong tool that can protect your staff while also opening the door to new business and profit opportunities.

Author Alexandre (Alex) Cagnoni is director of authentication for WatchGuard.