In an unexpected development, cybersecurity authorities in the “Five Eyes” countries have issued a warning of an increase in malicious cyber activity targeting managed service providers (MSPs), with the agencies saying they expect this trend to continue. The alert is the result of a collaborative effort between the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ) and the United States (CISA, NSA, FBI).
The agencies said they were “aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue” and pointed to a report from a leading MSP IT solutions provider, N-able. This report notes that “nearly all MSPs have experienced a successful cyberattack in the past 18 months, and 90% have seen an increase in attacks since the start of the pandemic.”
“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support, which is why it’s critical that MSPs and their customers are taking steps to protect their networks,” CISA Director Jen Easterly said in the alert. “Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to strengthening their security and improving the resilience of our global supply chain.”
Joint advisory recommends standard cybersecurity practices
The agencies’ joint advisory outlines a detailed list of steps MSPs and their customers can take to reduce their risk of becoming a victim of a cyber breach. The notice defines MSPs as entities that “provide, operate or manage ICT [information and communications technology] services and functions for their customers through a contractual agreement, such as a service level agreement.” It notes that MSP services typically require reliable network connectivity and privileged access to and from client systems.
Organizations are encouraged to read the advisory in conjunction with advice from NCSC-UK on what to do when the cyber threat is heightened, advice from CCCS on cybersecurity considerations for consumers of managed services, and advice from CISA provided on its Shields Up and Shields Up technical guidance webpages.
The advisory outlines a host of standard cybersecurity practices that large organizations with robust cybersecurity operations have long adopted. These recommendations cover many security practices that fall into categories defined by CISA, including:
- Prevent initial compromise
- Enable and improve monitoring and logging processes
- Apply multi-factor authentication
- Manage internal architecture risks and segregate internal networks
- Apply the principle of least privilege
- Deprecate outdated accounts and infrastructure
- Apply updates
- Back up systems and data
- Develop and implement incident response and recovery plans
- Understand and proactively manage supply chain risks
- Promote transparency
- Manage account authorization and authentication
No single identifiable cause for the alert
It is unclear what motivated the intelligence agencies to publish such a detailed list of recommendations for MSPs now. Kyle Hanslovan, CEO and co-founder of Huntress, told CSO that his company was not aware of any single event that could have triggered the joint notice. “We are not aware of any specific incidents. But, unfortunately, we are aware of dozens of smaller incidents where everyone is noticing MSPs.”
Last week, cybersecurity firm ThreatLocker, which specializes in MSPs, issued a security alert warning customers of a “sharp” increase in ransomware attacks using remote management tools. ThreatLocker has created a script to block attackers using a new security patch.
But Huntress, Sophos and Kaseya all say they haven’t seen the coordinated and widespread MSP ransomware attacks described by ThreatLocker in its alert. “We were one of the companies that said, ‘We have data on over 3,000 managed service providers. We’re not seeing an uptick that justifies the catastrophe,’” Hanslovan said.
Hackers can reach hundreds of businesses at once
Hanslovan thinks it was not a single risk that prompted the intelligence agencies to issue the alert. “It’s not a single risk. It’s just a complete change in the environment that pirates have taken note of and are actually doing complete manuals to say, ‘You know what? Back when I could go fishing with dynamite and prosecute hundreds of companies at once.’”
He also thinks intelligence agencies could be withholding information that sheds light on why MSPs might need more important advice. “I have no doubt they probably have an analysis,” he says.
It’s also possible that cybersecurity authorities are simply trying to get ahead of issues that might explode later. “I think they are the ones doing a very good job of early warning and transparently identifying these risks,” says Hanslovan.
MSPs should tell their customers about their suppliers
Mary J. Hildebrand, partner, founder and president of the Privacy and Cybersecurity practice at Lowenstein Sandler, says the joint alert is missing one thing: a guideline for MSPs to better understand their clients’ security posture. “When I represent an MSP, one of the things I suggest is that depending on what role they’re going to take on when they’re hired, they should have a conversation and maybe follow up with the company about what type of due diligence it has done on its vendors,” Hildebrand told CSO. “The reason I suggest digging into this for MSPs is that vendor error, vendor issues, and vendor breach are a huge problem for businesses. Many security incidents and data breaches stem from either an employee error or, in this case, an MSP employee error or problems with the supplier.”
Hildebrand isn’t sure why the joint alert has been issued now, but suggests it’s possible intelligence agencies have identified the mostly small MSPs as highly vulnerable links in the tech chain. “The attackers here are very adept at spotting the weak link,” she says.
Hanslovan echoes this sentiment. “Remember that a managed service provider is not like Hewlett-Packard,” he says. “A managed service provider is a small company. Sometimes they only have a dozen technicians. The CEO may be the only salesperson. That’s how small and immature some managed service providers are.”
Copyright © 2022 IDG Communications, Inc.