Cyberattacks on managed service providers increasing, US and allies warn

Cybersecurity agencies from the Five Eyes intelligence alliance warned of increased cyberattacks targeting managed service providers (MSPs) on Wednesday morning. 

The agencies from the U.S., U.K., Australia, Canada and New Zealand said to “expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks.” 

MSPs are companies paid to manage IT infrastructure and provide support. The companies typically provide remote IT services to smaller businesses lacking an IT department.

In July 2021, dozens of MSPs were attacked by the REvil ransomware group through Kaseya, a provider of remote management solutions. More than 1,500 organizations around the world were affected by the ransomware attack, largely through their MSPs’ connections to Kaseya.  

The government agencies said on Wednesday that they are “aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.” The alert does not refer to any specific incidents.

The allies recommend measures MSPs should take to protect themselves to “reduce their risk of falling victim to a cyber intrusion," such as hardening defenses against password spraying and phishing by potential attackers.

“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly. 

The alert was co-signed by the FBI, NSA and the cybersecurity centers in the UK, Canada, Australia and New Zealand.

Abigail Bradshaw, head of the Australian Cyber Security Centre, noted that MSPs are “vital” to hundreds of businesses around the world, making them an ideal target for cybercriminals and state-sponsored hackers. 

“These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods,” Bradshaw said.  

Managed service providers make attractive targets for malicious actors to scale their attacks. MSPs and their customers should use these recommendations for handling the shared responsibilities of securing sensitive data. https://t.co/pZPluNVLQr

— Rob Joyce (@NSA_CSDirector) May 11, 2022

They all urged MSP customers to make sure their contractual arrangements specify that their MSP implements the measures and controls in the advisory, which included implementing mitigation resources to protect initial compromise attack methods from vulnerable devices, internet-facing services, brute force and password spraying, and phishing.

It also urges MSPs to take a range of other actions like enabling monitoring and logging, securing remote access applications, enforcing multifactor authentication, developing incident response and recovery plans and proactively managing supply chain risk across environments.

Canadian Centre for Cyber Security Sami Khoury tacitly referenced the controversy around Kaseya, noting that they have “seen the damage and impact cyber compromises can have on supply chains, managed service providers, and their customers.”

Khoury added that compromises involving MSPs can result in costly mitigation activities and lengthy downtime for clients.

“Supply chain vulnerabilities are amongst the most significant cyber threats facing organizations today,” said Director of New Zealand’s National Cyber Security Centre Lisa Fong. 

“As organizations strengthen their own cyber security, their exposure to cyber threats in their supply chain increasingly becomes their weakest point. They also need to be prepared to effectively respond to when issues arise.” 

Former Obama administration cybersecurity commissioner Tom Kellermann, who now serves as head of cybersecurity strategy at VMware, told The Record that cybercrime cartels have studied the interdependences of financial institutions and now understand which MSPs are used.

"In turn, these organizations are targeted and hacked to island hop into banks. Rogue nation states love this method of cyber-colonization," Kellermann explained.

“We have seen a 58% increase in island hopping over the past year, proving that this method of attack is preferred by cybercriminals in order to hijack an organization's digital transformation. I am concerned that as geopolitical tension metastasizes in cyberspace, these attacks will escalate and Russian cyber-spies will use this stratagem to deploy destructive malware across entire customer bases of MSPs.”