Managed service providers: A gateway for cyber attacks

If someone decides to rob a bank in 2024 without having slept in a cryochamber for 40 years, they probably will not be searching for a revolver. Instead, they might turn to cyber crime (or reconsider their plans altogether). They could take it a step further – not just targeting one bank or going one by one, but attacking them en masse. By hacking into a managed service provider (MSP), they can gain access to the infrastructure of numerous client organizations, including banks.

The example might seem humorous, but the reality is grim. Cyber criminals are increasingly targeting MSPs, and this rising threat is being reported globally, including in the US, UK and other countries.

The role of MSPs in cyber security breaches

The abbreviation MSP refers to contractors who offer clients comprehensive management of IT products using the infrastructure-as-a-service (IaaS) model. According to IBM, the primary reason for successful attacks on MSPs is compromised credentials of both the providers’ employees and their customers. Weak and compromised passwords account for one-third of these incidents. The most commonly found user accounts on the dark net include Microsoft Outlook and WordPress.

Another significant threat is software vulnerabilities. Over the past year, the number of vulnerabilities in cloud services has tripled, increasing by almost 200%, according to IBM. Here, too, criminals exploit security flaws in Microsoft Outlook and other widely used business products. However, there are also instances where specialized applications for MSPs become problematic.

One of the most notable examples involves a vulnerability found in the ConnectWise ManagedITSync plugin. Service providers use this plugin to integrate the ConnectWise Manage automation platform with Kaseya VSA, which handles remote monitoring and asset management. The discovered defect allowed for the modification of databases, the addition of new users, granting them full permissions and assignment of any tasks. In simpler terms, criminals could remotely download malware onto the devices of MSP customers.

Although the bug was quickly fixed, other issues with Kaseya VSA surfaced later. In 2021, at least three major MSPs and their clients were impacted by a vulnerability. For example, in Sweden, the web services of the large retail chain Coop were compromised, forcing the company to temporarily close about 800 stores.

READ: The top 10 APAC data breaches

Blackmailing and spying

Attacks on the MSP sector often involve the same criminal groups, many of which are ransomware gangs or those who lease their rogue software through a subscription model to other black hat hackers. Sometimes, criminals demand a ransom from the provider itself, but more frequently, they target its customers. Hackers commonly threaten to leak data. To illustrate the scale, consider three incidents involving well-known gangs.

1. Black Hunt

In January 2024, an attack on Tigo Business, a market leader in mobile communications, cloud services and hosting in Paraguay, came to light. The provider was targeted by the Black Hunt ransomware group. As a result of the attack, 330 of the provider’s servers were encrypted, causing immediate failure. Consequently, the web services of more than 300 client companies were disrupted.

The Black Hunt hackers first emerged at the end of 2022 and are active in South America. Typically, the criminals gain access to corporate networks and user devices, from which they launch ransomware attacks. Additionally, in their communications with victims, they mention the possibility of selling the obtained data on the dark net.

The primary entry point for these attacks is unsecured remote desktop protocols (RDPs). Once they gain access, the criminals clear the Windows event logs on the victims’ computers, delete shadow copies of NTFS records, disable the system restore capability and terminate Microsoft Defender. All of these actions occur covertly without the user’s awareness.

2. REvil

Another ransomware group has exploited vulnerabilities in famous software – Kaseya VSA. The most notable incident involving the REvil group and MSP contractors occurred in 2021. The group claimed to have infected both Kaseya itself and other service providers using its products. According to the criminals, this resulted in a million operating systems worldwide being affected. Previously, the group executed a similar attack using Sodin ransomware. Hackers primarily targeted MSPs through the Webroot remote access console.

READ: Five ransomware gangs and their tactics (part two)

3. APT29

At the end of February 2024, the Cybersecurity and Infrastructure Security Agency (CISA) reported that the APT29 group started to specialize in attacks on cloud services. Previously, they focused on exploiting on-premises vulnerabilities.

APT29, also known as Midnight Blizzard and Cozy Bear, is believed by some security experts to be operated by the Russian Foreign Intelligence Service. Typically, this group targets government structures and organizations in the US and European countries. The incidents often result in leaks of confidential information.

Typically, criminals gain access to a victim’s network through brute force attacks. However, according to a CISA report, in attacks on cloud servers, APT29 hackers more frequently use tokens, which allow them to access accounts without needing a password. The group also often employs the multi-factor authentication (MFA) bypass technique. Once they have accessed an organization's cloud storage, group members add new devices to it and begin reconnaissance.

Defense strategies

The principle is straightforward: the fewer IT service providers you have, the lower the likelihood of attacks stemming from them. Another obvious piece of advice: it is better to verify a contractor’s reliability in advance. This is not just about whether attackers have previously targeted them. A company might be too new to have a significant history of such incidents, yet it can be just as reliable as its competitors. Additionally, not all market players are willing to share such information about themselves.

That is why it is advised to check if the service provider has the necessary regulatory and market compliance certificates. It is important to consider both industry-specific certifications like PCI DSS and general ones like ISO 27001.

DOWNLOAD: Threat report 2024: Cyber security in the era of AI

The important thing to remember is that having a closed case with paper security does not always ensure effective data security in practice. If you are unsure, it is best to ask the provider questions that fall within their area of responsibility. These include:

1. What type of data center houses its equipment?

Sometimes, what is labeled as a data center might just be a server room within a business center. In terms of physical security, this setup is typically less strong compared to a standalone data center with a fenced area. Also check how the access system is managed, whether there is round-the-clock security and if there is indoor and outdoor video surveillance.

2. How is network security arranged?

You should be concerned not only about mandatory network segmentation, which separates the provider and client networks. It is vital to understand how DDoS protection is organized: does the attacked company get routed to a blackhole, or is the entire cloud shielded at the L3/L4 level? The latest method allows for detecting threats earlier and avoiding an abrupt shutdown of the victim’s IP addresses.

3. What identity and access management practices are implemented?

It is preferable if provider and client administrators connect to resources using MFA and through remote desktop (VDI). Additionally, it is good if the contractor not only mandates updating access credentials every 90 days but also verifies password hashes to prevent brute-force attacks.

4. What vulnerability scanners are used?

All MSPs routinely scan their internal and cloud infrastructure. However, there are instances where, as per the agreement, some resources provided by the contractor to the client are also subjected to checks.

5. How is monitoring conducted and logs collected?

Many providers use logs from cloud software and devices to promptly detect anomalies and mitigate potential risks for themselves and their clients. This data facilitates faster incident response and investigations.

6. Are backups created and stored at a remote location?

It is important not to confuse backups with disaster recovery orchestration (and there are such misconceptions in practice). In the case of ransomware, there is a risk of replicating the same encrypted data to the backup site as on the primary one. Ensure your MSP backup strategy addresses these concerns comprehensively.

7. Do they provide training for staff?

Since people are the weakest link, staff training should focus on things like recognizing social engineering tactics. They should practice strong password habits and safe browsing. Employees also need to know how to report security incidents promptly.

All the mentioned criteria represent the basic standards that a trustworthy service provider should meet. Ideally, the provider goes beyond regulatory and client demands. For example, conducting pre-incident response (Pre-IR) tests is an optional step. If the provider takes this initiative and achieves positive results, it demonstrates a heightened commitment to safety concerns.

While there are many MSP-related threats out there, the reality is not as dire as one might think. Similar to other industries, only a small percentage of companies fall victim to hackers. In most cases, service providers employ strong measures and protections that prove effective across the board. If you happen to be that daring cyber criminal attempting to breach a reliable service provider, I pity your dark endeavors, but chances are, achieving your goal will be a tough nut to crack.