Sophisticated threat groups are increasingly targeting managed service providers (MSPs) and using the compromise as a foothold to launch supply-chain attacks against their small and medium-sized downstream customers.
Analysis of data from more than 200,000 small and medium-sized businesses (including regional MSPs), collected from the first quarter of 2022 through the first quarter of 2023, showed growing interest from APTs in this segment as a way to initiate attacks on a large number of companies in a single geography.
MSPs, along with solution providers and resellers, help end users deploy, customize and manage cloud services and other technologies. Regional MSPs in particular serve customers in concentrated geographic areas. For attackers, compromising these organizations could allow them to exploit the "trusted relationships" between an MSP and its customers.
“Regional MSPs often protect hundreds of SMBs that are local to their geography and a number of these maintain limited and often non-enterprise grade cyber security defenses,” according to Proofpoint in a Wednesday analysis. “APT actors appear to have noticed this disparity between the levels of defense provided and the potential opportunities to gain access to desirable end user environments.”
In an attack in mid-January, for instance, the Iran-linked MuddyWater APT (also known as TA450) sent phishing emails to two Israeli regional managed service providers and IT support firms. The phishing emails included a URL that, if clicked, delivered a ZIP archive that deployed the legitimate Syncro remote administration tool. Researchers said the threat actors then used the tool as a remote access trojan to conduct follow-on activity.
"The targeting of regional MSPs within Israel aligns with TA450's historic geographic target set," according to Proofpoint researchers. "Further, this recent campaign indicates TA450 maintains an interest in targeting regional technology providers to gain access to downstream SMB users via supply chain attacks originating against vulnerable regional MSPs."
This isn't a new problem, but it's one that is gaining traction. In 2021, Microsoft warned that UNC2452 (also known as Nobelium or APT29) was compromising technology providers in order to abuse their delegated administrative privileges, a capability that lets customers delegate administrative responsibilities - such as adding users or domains, or resetting passwords - to partners.
Overall, according to Proofpoint data, threat actors aligned with Russian, Iranian and North Korean state interests have increasingly targeted small and medium-sized businesses, which often don’t have the resources or budget to implement security measures. Threat actors then use their compromised infrastructure for phishing campaigns, financial theft and supply-chain attacks.
For instance, researchers found that the APT actor TA473 (also known as Winter Vivern) had compromised SMB infrastructure and was using it in targeted attacks against U.S. and European government agencies from November 2022 through February 2023. On top of using compromised SMB infrastructure to send emails, the group also used domains of compromised SMBs (including a Nepal-based artisanal clothing manufacturer and a U.S.-based orthopedist) to deliver malware payloads.
“Advanced persistent threat actors have realized that there is value in targeting non-enterprise scale organizations for both the valuable intelligence they may offer and the softer links in the supply chain that they may represent,” Michael Raggi, threat researcher at Proofpoint, said. “Proofpoint anticipates seeing a continued rise of SMB targeting throughout 2023 originating from the entire geographic gamut of APT actors that we track.”