2022 MSP Threat Report: Review the Cybersecurity Landscape and Action Items for MSPs


In 2019, hacking activity shifted to focus on managed service providers (MSPs). It became clear that MSPs needed more business-specific information to protect their business and customers proactively, so ConnectWise created the annual MSP Threat Report. We are pleased to announce that the 2022 MSP Threat Report is now available.

Bryson Medlock, threat intelligence evangelist, ConnectWise Cyber Research Unit, ConnectWise

In 2021, ConnectWise created the Cyber Research Unit (CRU), a dedicated team of threat hunters that identifies new vulnerabilities, researches them, and shares its findings openly with the community. The CRU monitors ransomware leak sites and malicious botnets for new threats, draws on OSINT resources, and uses data from the ConnectWise SIEM powered by Perch to create content and complete its research. Throughout 2021, the CRU collected data on 500 cybersecurity incidents from our MSP partners and their clients. The 2022 MSP Threat Report is the output of this research.

Two significant events that changed the threat landscape

The 2022 MSP Threat Report includes a timeline of significant cybersecurity events in 2021. The threat landscape changed drastically in 2021 due to a few significant events. The most impactful events for our MSP partners were the Colonial Pipeline ransomware attack in May by DarkSide and the "buffalo jump" attack during the July 4 weekend, which used a vulnerability in Kaseya VSA to hit over 40 MSPs and 1500 of their clients in a single day.

1. Impact of the Colonial Pipeline attack

The Colonial Pipeline attack caused a shutdown of a major oil pipeline that carries gasoline, diesel, and jet fuel from Texas to the East Coast. It resulted in fuel shortages and panic buying throughout the region. The attack prompted several official responses by the US government, and the attention disrupted the cybercrime community. 

After the attack, popular cybercrime forums, XSS and Exploit, which have been used for years by ransomware-as-a-service (RaaS) gangs to recruit new affiliates, banned the advertisement of RaaS programs. DarkSide, the RaaS gang believed to be responsible for the Colonial Pipeline attack, released a public statement that said attacks by their affiliates against critical infrastructure were banned. In fact, after the attack and US response, many ransomware groups have become more selective, avoiding critical infrastructure or victims that could create a political impact.

2. Impact of the July 2 MSP attack

After the July 2 attack hit more than 40 MSPs in a single day, ransomware operators increased their focus on attacking MSPs directly. It should come as no surprise that CRU observations match those of others: the ransomware problem continues to get worse. For example, a report by SonicWall indicates a 148% surge in global ransomware attacks in 2021. Similarly, the CRU observed a 10-15% quarter-over-quarter increase in ransomware incidents in 2021, with 56% of all incidents occurring in the second half of 2021. When the collected data is filtered to include only MSPs and not their clients, it shows that 72% of ransomware attacks directly targeting MSPs occurred in the second half of 2021. This suggests that, at least for ConnectWise partners, ransomware threat actors were more focused on targeting MSPs directly rather than their clients.

Common cyberattack tactics

MITRE ATT&CK® is a knowledge base of tactics and techniques used by threat actors. It is based on real-world observations, some of which come from the CRU. Threat researchers use this framework to describe the tactics, techniques, and procedures (TTPs) of threat actors in a common language, which helps us understand which TTPs and related controls defenders should prioritize. In the “2022 MSP Threat Report,” the CRU mapped out the TTPs for the five ransomware threat actors most actively targeting MSPs and their clients.

When comparing these TTPs, the report shows that phishing and stolen account credentials are the most common methods used by threat actors for initial access, and all top five threat actors use phishing. MSPs can significantly reduce their attack surface by focusing on controls to mitigate these two techniques. This includes email filters and user training to combat phishing attacks, good password hygiene, and multi-factor authentication (MFA) everywhere to prevent the re-use of stolen credentials.
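The comparison described above, as an added example that is not the report's or ConnectWise's own code: it ranks Initial Access techniques by how many actors use them and scores mitigations by how many actor-technique pairs each control addresses. The actor names and their technique sets are constructed placeholders; the technique IDs and the subset of mitigations shown for T1566 (Phishing) and T1078 (Valid Accounts) are real ATT&CK identifiers.

```python
from collections import Counter

# Constructed sample data: ATT&CK technique IDs attributed to five placeholder
# ransomware actors. These are NOT the report's actual actor profiles.
ACTOR_TTPS = {
    "actor_A": {"T1566", "T1078", "T1190", "T1486", "T1059"},
    "actor_B": {"T1566", "T1078", "T1133", "T1486", "T1021"},
    "actor_C": {"T1566", "T1078", "T1486", "T1059", "T1021"},
    "actor_D": {"T1566", "T1190", "T1486", "T1133"},
    "actor_E": {"T1566", "T1078", "T1486", "T1059"},
}

# Initial Access techniques from the ATT&CK Enterprise matrix (real IDs).
INITIAL_ACCESS = {"T1566", "T1078", "T1190", "T1133"}

# A subset of the real ATT&CK mitigations listed for the two techniques the
# report singles out: technique ID -> {mitigation ID: mitigation name}.
TECHNIQUE_MITIGATIONS = {
    "T1566": {"M1017": "User Training", "M1049": "Antivirus/Antimalware",
              "M1021": "Restrict Web-Based Content"},
    "T1078": {"M1032": "Multi-factor Authentication",
              "M1027": "Password Policies", "M1017": "User Training"},
}

def technique_frequency(actor_ttps, tactic_filter=None):
    """Count how many actors use each technique, optionally limited to one tactic."""
    counts = Counter()
    for ttps in actor_ttps.values():
        for tid in ttps:
            if tactic_filter is None or tid in tactic_filter:
                counts[tid] += 1
    return counts

def rank_techniques(actor_ttps, tactic_filter=None):
    """Techniques ordered by actor count (descending), then by ID for stable ties."""
    counts = technique_frequency(actor_ttps, tactic_filter)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def prioritize_mitigations(actor_ttps, mapping=TECHNIQUE_MITIGATIONS):
    """Score each mitigation by the (actor, technique) pairs it addresses, so a
    control that blunts several widely used techniques ranks first."""
    counts = technique_frequency(actor_ttps)
    scores, names = Counter(), {}
    for tid, mitigations in mapping.items():
        for mid, name in mitigations.items():
            scores[mid] += counts.get(tid, 0)
            names[mid] = name
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(mid, names[mid], score) for mid, score in ranked]
```

With the constructed data, phishing is used by all five actors and stolen credentials by four, and User Training (M1017) scores highest because it appears in the mitigation list for both techniques.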

Detailed profiles on the top five threat actors and suggested mitigation tactics for each can be found on the ConnectWise CRU page.

2022 Predictions

The “2022 MSP Threat Report” concludes with four predictions for 2022. (We covered these predictions in a webinar at the end of 2021, available here.) These four predictions include:

  1. How the anatomy of an MSP will change
  2. Federal regulators and legislators will create rules on ransomware payments in 2022
  3. The SMB market will spend more in 2022
  4. Threat actors will change tactics to stay under the radar

For more details about each prediction, check out the full “2022 MSP Threat Report” or watch the 2022 MSP Threat Report Findings webinar on demand.

Guest blog courtesy of ConnectWise. Read more ConnectWise guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.