One of the largest sustained global cyber espionage campaigns, known as Operation Cloud Hopper, is targeting managed IT service providers (MSPs) in order to gain access to their customers' networks, according to a report by PricewaterhouseCoopers (PwC) and BAE Systems.
The threat actor group is known as APT10, said to be based in China. In operation since 2009, they’ve been known to steal a high volume of intellectual property and other sensitive data from MSP networks. More recently, the group has significantly increased the scale and scope of their campaigns to target many different industries, which can be attributed to the compromise of MSP networks and their large cache of diverse customers.
Leveraging Unfettered Cloud & Hosting Provider Access
Since MSPs are often responsible for remotely managing their customers' IT and user systems, they typically have direct, privileged access to their clients' networks. If they're cloud or hosting providers, they may also house a large amount of customer data - sometimes sensitive or confidential - on their own internal infrastructure, according to the PwC report. Compromising just one MSP can therefore give an attacker access to a large number of different organizations.
According to the report, several MSPs have been breached, including those that provide enterprise services or cloud hosting. The industries targeted include retail, technology, energy, industrial manufacturing, engineering and construction, business and professional services, pharmaceuticals and the public sector.
There has also been a separate custom malware campaign targeting Japan-based organizations. APT10 has posed as different public sector entities like the Ministry of Foreign Affairs, the Liberal Democratic Party of Japan and others to gain access to commercial companies and government agencies.
Same Old Story: Phishing, Exploits and Stolen Credentials
Their main attack method is via phishing emails sent with an executable attachment. To trick users, the hacking group has registered a number of spoofed domains to send emails from, including religious and academic organizations, like salvationarmy.org. After a user has clicked on a link to download the attachment that contains an exploit payload, the threat actor can leverage known vulnerabilities to gain access to the target’s network.
According to the report, the hacking group used stolen MSP credentials to harvest still more credentials with the help of credential theft tools like mimikatz, which targets Windows computers to steal password hashes and dump plaintext passwords, and can effectively evade antivirus software. Most of the stolen MSP credentials gave the attackers administrator or domain administrator privileges. Additionally, the attackers rely on systems with shared access and shared credentials to hop easily between MSP networks and those of their clients.
Security Tips for MSPs
To protect their networks and their clients’ networks and data, MSPs should:
- Never share credentials between different users. Create unique user accounts and credentials, and restrict access to the least amount required to do the job in order to reduce the scope of what an attacker can access if they manage to steal or compromise one account.
- Use two-factor authentication to protect every account against remote unauthorized access, including both administrative accounts and accounts to systems that seem noncritical (attackers have been observed targeting low-profile systems to avoid detection).
- Don’t rely on antivirus software alone to detect a breach. Consider taking more proactive security measures, like conducting internal phishing simulations in order to assess risk and educate users.
- Invest in endpoint security. Get insight into your users’ devices and see who is authenticating into your network.
- Protect against exploit kits leveraging known vulnerabilities. A good endpoint security solution gives you the ability to create policies that block access from risky devices attempting to authenticate into your network and systems.
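The two patterns the report calls out - one credential used from many places, and a single account hopping between several customers' systems without a second factor - are both visible in remote-access authentication logs. The script below is an added example written for this post, not code from the PwC/BAE report or from any MSP tooling. It assumes a hypothetical key=value log format from a remote-management gateway, a constructed sample log, and the convention that the customer name is the prefix of the destination hostname before the first hyphen.

```python
"""Flag shared-credential and customer-hopping indicators in MSP remote-access auth logs."""
import re
from collections import defaultdict

# Constructed sample events (not from the report). The key=value layout is a
# hypothetical format a remote-management gateway might emit.
SAMPLE_LOG = """\
2017-04-05T09:12:03Z user=msp-admin src=10.10.1.5 dst=clientA-dc01 mfa=no result=success
2017-04-05T09:14:47Z user=msp-admin src=10.10.1.5 dst=clientB-fs01 mfa=no result=success
2017-04-05T11:02:19Z user=msp-admin src=172.16.8.22 dst=clientC-web01 mfa=no result=success
2017-04-05T11:05:31Z user=j.doe src=10.10.1.9 dst=clientA-dc01 mfa=yes result=success
2017-04-05T11:40:00Z user=svc-backup src=10.10.1.30 dst=clientA-fs01 mfa=no result=failure
"""

# Timestamp, then whitespace-separated key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_auth_log(text):
    """Parse key=value auth lines into dicts; blank or malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        match = LINE_RE.match(raw)
        if not match:
            continue
        event = {"ts": match.group("ts")}
        for token in match.group("fields").split():
            if "=" in token:
                key, value = token.split("=", 1)
                event[key] = value
        if "user" in event and "src" in event and "dst" in event:
            events.append(event)
    return events


def shared_credential_candidates(events, min_sources=2):
    """Accounts that authenticated successfully from >= min_sources distinct source hosts.

    A single credential in use from several workstations is the shared-account
    pattern the first tip above warns against.
    """
    sources = defaultdict(set)
    for event in events:
        if event.get("result") == "success":
            sources[event["user"]].add(event["src"])
    return {user: sorted(hosts) for user, hosts in sources.items() if len(hosts) >= min_sources}


def customer_for(hostname):
    """Assumed naming convention: '<customer>-<role>' -> customer prefix."""
    return hostname.split("-", 1)[0]


def customer_hopping(events, min_customers=2):
    """Accounts that reached systems of >= min_customers different customers."""
    customers = defaultdict(set)
    for event in events:
        if event.get("result") == "success":
            customers[event["user"]].add(customer_for(event["dst"]))
    return {user: sorted(c) for user, c in customers.items() if len(c) >= min_customers}


def logins_without_mfa(events):
    """Successful logins that carried no second factor, as (user, destination) pairs."""
    return [
        (event["user"], event["dst"])
        for event in events
        if event.get("result") == "success" and event.get("mfa") != "yes"
    ]


def report(text):
    """Run all three checks over a raw log and return the findings in one dict."""
    events = parse_auth_log(text)
    return {
        "shared_credentials": shared_credential_candidates(events),
        "customer_hopping": customer_hopping(events),
        "no_mfa": logins_without_mfa(events),
    }


if __name__ == "__main__":
    for name, finding in report(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Running it against the constructed log flags `msp-admin` on all three checks (two source hosts, three customers, no MFA on any session), while `j.doe` passes and the failed `svc-backup` attempt is ignored. The thresholds are deliberately low for the sample; in a real MSP environment they would be tuned per account class, and the same logic would be pointed at the gateway's actual log export.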
Download The Essential Guide to Securing Remote Access to learn more about security concerns with third-party providers and cloud access.