The year 2019 saw a huge uptick in the number of cases where managed service providers (MSPs) were infiltrated by criminals. We’re aware of a half-dozen cases that were reported in some detail by various security sites, although the actual number could be 50 or more. The number of businesses ultimately affected, however, was in the hundreds or perhaps thousands. The multiplier effect happened because the perpetrators then used the MSP’s privileged credentials to plant ransomware on all of their clients’ networks.
MSPs are a great target for criminals because they have privileged and direct access to the networks of multiple organizations. The MSPs often specialize in serving an industry or type of customer — so criminals who want to target certain types of businesses can take hundreds hostage by infiltrating just one organization. Large numbers of municipalities and law enforcement agencies, dental offices and nursing homes have all been impacted by attacks through specialist MSPs.
The Criminal Intent
It’s worth a criminal’s time to make a focused, targeted effort on an individual MSP — the return on investment is far greater than attacking all of the clients individually. Even if there are backups, the sheer effort required to restore the data and systems of each and every customer might be enough for the MSP to simply pay the ransom to get the decryption key. In at least one case, the impacted MSP chose to go out of business, and took an unknown number of their customers with them.
The criminal’s aim is to gain access to the RMM (remote monitoring and management) consoles that are a mainstay of MSP operations. These systems allow MSPs to monitor hundreds of client systems and push out updates. If criminals can gain control of the RMM, they can then use the MSP’s own tools to push out and execute ransomware.
How do they get control? Determined criminals have used a variety of methods to gain access to MSP networks. Some exploit software vulnerabilities, notably known-but-unpatched flaws or zero-day exploits in the management consoles that MSPs typically use. In many cases the original means of compromise is never established, but common suspected causes include login credentials stored on a compromised machine, entry through remote desktop protocol (RDP), and phishing emails.
Questions to Ask Your MSP
If you rely on an MSP to manage your IT environment, ask the following.
- Do you have a formal patch management policy and protocol? Patches for every tool and system the MSP uses, both for its own internal operations and for managing your systems, should be checked for regularly and applied as soon as they are available.
- Do you use multi-factor authentication (MFA) for all administrator access to my systems? This one measure alone could have stopped the vast majority of ransomware attacks on MSP clients’ systems.
- Do you require use of a VPN to connect to my systems? Each VPN should require MFA to establish the connection, and have a separate login (no shared credentials among clients) so a compromise of one client doesn’t expose all of the others.
- Do you require cybersecurity training for all of your staff? Successful phishing attacks on MSP personnel have figured in some of the reported incidents.
- Do you have a password policy? Strong passwords, regular changes and prohibitions against re-use are basic security, but unfortunately some MSPs cut corners to make administering large numbers of clients easier.
- If your service includes backing up my systems, are those backups stored offline? Regular, up-to-date backups are the best fail-safe protection against ransomware, but they’re useless if the ransomware is able to reach and encrypt them, too.
- Is your network monitored for security 24x7? Even if the frontline defenses fail, proactive monitoring can spot a trespasser before the intruder can carry out the attack.
- Do you have regular penetration tests on your network? Third-party penetration tests by a cybersecurity expert can spot holes in your security before a criminal can find and take advantage of them. Your MSP should undergo this testing as regularly as you should.
On the last item, even though we offer penetration tests as a service to our clients, we contract testing of our own network out to a third party. Cybersecurity is constantly evolving, and nobody can claim to know everything or have all the answers.
At SOCBOX, we serve a number of MSPs as well as some of their end-customers. The MSPs we work with tend to be extremely security-conscious. If they know enough to know they need a SOC-as-a-service provider to protect themselves and their customers, they know their other security risks as well. If you’d like to know more about the security risks you face, contact us, email email@example.com, or call 877-284-7789.