The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with cybersecurity authorities from the UK, Australia, Canada and New Zealand, are warning that cybercriminals are increasingly targeting managed service providers (MSPs) in an attempt to compromise their downstream customers.
MSPs deliver and manage platform, software, IT infrastructure and security services, as well as providing business process and support functions for customers. They are part of a partner ecosystem made up of resellers and technology service providers that has been targeted in recent years by threat actors in cyberespionage or ransomware attacks. Because these companies store customer data and support sensitive processes, they are in a unique position where they have trusted network connectivity and privileged access to customer systems.
“Whether the customer's network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects," according to the joint advisory on Wednesday. "The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships."
While no specific incidents were mentioned as part of the Wednesday advisory, previously actors have successfully exploited the “trusted relationships” in MSP networks in order to gain access to a large number of customers. Luke McNamara, principal analyst with Mandiant, said in recent years researchers have observed a growing focus from some cyber espionage groups - especially Chinese threat actors - on targeting the “information supply chain.”
“A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community.”
"Managed service providers can be one vector into that and presents an avenue for these actors to compromise trusted partners for the purpose of conducting intrusions into multiple end targets," said McNamara. "As various espionage groups mature their capabilities, we should expect to continue to see some of these actors prioritize targets that enable them to collect at scale.”
In the well-known July Kaseya attack, attackers leveraged a vulnerability in the software of Kaseya VSA on-premises products in order to execute ransomware attacks against MSPs and their customers. In October, Microsoft warned that Nobelium (the actor behind the SolarWinds intrusion) was compromising resellers and technology service providers in order to target their delegated administrative privileges, which allows admins to delegate administrative responsibilities to partners, including the ability to add users or domains, or reset passwords. Delegated administrative privileges are infrequently audited for approved use, and oftentimes they are not disabled by a service provider or downstream customer once use has ended, making them a lucrative target for cybercriminals.
However, this is just one of many avenues attackers can leverage when targeting a service provider's environment. Due to the sheer amount data being managed, MSPs and their customers should have "transparent discussions" around how sensitive data is secured and whether MSP-customer contracts identify ownership of security roles and responsibilities, said CISA. Part of these discussions should also include a hard look at supply-chain risk across security, legal and procurement groups.
When it comes to security controls, MSPs should disable accounts that are no longer in use and enforce multi-factor authentication (MFA) on MSP accounts with access to customer environments. MSPs should also ensure that monitoring and logging controls, as well as response and recovery plans, are in place.
“These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance,” according to the advisory. “A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community.”