Hackers have leveraged Managed IT Services Provider (MSP) software to spread ransomware to their customers’ systems.
The attackers have hacked and gained access into an MSP-centric cybersecurity console from Webroot, while also exploiting Remote Monitoring and Management (RMM) software from Kaseya. Both software makershave saidthat the issues involve compromised credentials and not any software vulnerabilities in their products. Webroot has made the two-factor authentication mandatory as an extra precaution.
About 200 hosts were encrypted and this is very small fraction of the MSPs using this widely used software.
In a statement Webroot assured MSPs, “was not breached and our products were not compromised. To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory. We did this by conducting a console logout and software update the morning of June 20.”
In a comment from Kaseya said, “We are aware of limited instances where customers were targeted by threat actors who leveraged compromised credentials to gain unauthorized access to privileged resources.The industry continues to see MSPs and IT administrators as targets in order to gain credentials for unauthorized access. No matter what the system or software worldwide, 80% of security breaches involve compromised credentials. As we’ve investigated recent instances experienced by customers, all available evidence to us points to the use of compromised credentials to gain unauthorized access.”
We have studied and identified this as a major issue earlier this year on how the trusted relationship between the customers and their IT Service Providers is being exploited by these threat actors and the trend seems to be continuing.
FBI, Department of Homeland Security: MSP Ransomware Warnings
This is the latest in a growing list of attacks targeting managed IT service provider (MSP) software platforms and the end customer computers linked to such systems.
What’s happening: Hackers are attacking IT & Cloud Service Providers as the weak link in a supply chain to get to their customers. The DHS is strongly advising service providers to lock down their systems and data.
The Technical Alert provides information and guidance to assist MSP customer network and system administrators to detect malicious activity on their networks and systems and the mitigation of associated risks. It includes an overview of tactics used by bad actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.
Here’s what the DHS is worried about:
- For more than two years, the DHS’ National Cybersecurity and Communications Integration Center (NCCIC) has tracked hackers that are using advanced persistent threat (APT) tools aimed at breaking into the networks of both MSPs and CSPs and the infrastructure of their customers.
- The threat actors are exploiting trusted relationship between provider and customer, figuring that the provider commands delicate information that can get the bad actor inside the customer’s network.
- In an alert issued earlier, victims had been identified in IT (including service providers), energy, healthcare, communications and critical manufacturing.
“Threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems,” the NCCIC noted. “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”
- Bad actor activity has increased fueled in part by more customers turning to service providers to support their networks.
- Because service providers “generally have direct and unfettered access to their customers’ networks,” the hackers figure that if they can find a flaw in the provider’s network it can cascade to its customers.
- The NCCIC is urging customers of MSPs and CSPs to implement a “defense-in-depth strategy” to protect their infrastructure assets and minimize risk.
A set of best practices specific to MSPs, included in the Technical Article.
- Ensure MSP accounts are not assigned to administrator groups. MSP accounts should not be assigned to the enterprise administrator (EA) or domain administrator (DA) groups.
- Restrict MSP accounts to only the systems they manage. Place systems in security groups and only grant MSP account access as required. Administrator access to these systems should be avoided when possible.
- Organizational password policies should be applied to MSP accounts. These policies include complexity, life, lockout, and logging.
- Use service accounts for MSP agents and services. If an MSP requires the installation of an agent or other local service, create service accounts for this purpose. Disable interactive logon for these accounts.
- Restrict MSP accounts by time and/or date. Set expiration dates reflecting the end of the contract on accounts used by MSPs when those accounts are created or renewed. If MSP services are only required during business hours, time restrictions should also be enabled and set accordingly. Consider keeping MSP accounts disabled until they are needed and disabling them once the work is completed.
- Use a network architecture that includes account tiering so that higher privileged accounts will never have access or be found on lower privileged layers of the network. This keeps EA and DA level accounts on the higher, more protected tiers of the network. Ensure that EA and DA accounts are removed from local administrator groups on workstations.
Our recommendation to IT is:
- Take a hard look at credential management and authentication system controls of all accounts and services for key infrastructure or network entry points, including those of the service providers.
- Review the connectivity and topology of their networks and those of their end users.
- Include additional analysis that accounts for the targeted nature of attacks in the MSP space that result in an increased risk exposure.
- MSPs should revisit their layered defenses for effectiveness against motivated and capable adversaries.