The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning MSPs about state-sponsored attacks on their networks attributed to the Chinese government. And China is not the only actor that sees opportunity in MSPs: a single foothold that reaches tens, hundreds, or thousands of customer networks is highly desirable to cybercriminals of every kind.
In May of this year, the cloud service provider CloudJumper was hit with Ryuk ransomware in an attempt to infect its MSP customers (and, in turn, those MSPs' end customers). Service providers are of growing interest to cybercriminals, and the economics are simple: would it be better to attack 100 companies with varying degrees of success, or one MSP whose tooling already has access to all 100? If you were a cybercriminal, which route would you choose?
There are three specific ways cybercriminals leverage an attack on an MSP, each giving the attacker the ability to carry out a particular type of follow-on attack:
- Island Hopping – Using one company as a jumping-off point to reach another. “Island hopping” fits the MSP-customer relationship perfectly: as an MSP, you hold elevated access into multiple customer networks, and an attacker who compromises that access inherits it. From there the attacker can reach valuable data to encrypt for ransom or exfiltrate.
- Lateral Phishing Attacks – Phishing sent from a compromised mailbox, which is why it is also described as an email account takeover. The attacker compromises an email account inside the MSP and then emails that MSP's customers from it; because the message comes from a genuine, trusted address, recipients are far more likely to open the attachment or follow the link that infects their endpoints as part of a larger attack effort.
- Fraud – Some cybercriminals peruse a compromised network to locate the billing and accounts receivable systems. Knowing which customer pays you, how much, and when, it is merely a matter of sending that customer an email that appears to come from a member of your billing team, informing them that they should change the bank details they normally use to send payment.
Which method is used depends on the attacker. Just as in any other business, people become good at providing a particular good or service, and cyberattacks are no exception. In each of these three methods, the attacker goes after the weakest security segment to gain access to credentials, email, applications, and data that can be used to further the attack.
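The phishing and fraud cases above both rely on a message that looks as if it came from your staff: either a display name that matches an employee on a sender address that is not yours, or a genuine (taken-over) mailbox with a Reply-To pointing somewhere else, carrying a request to change payment details. The following is an added example, not code from the original post, showing the header and content checks a customer-facing mail gateway or a quick triage script could apply. The domain, staff names, key phrases and the three messages are all constructed for the example.

```python
"""Screen inbound mail for the impersonation patterns behind lateral phishing and
payment-redirection fraud: display-name spoofing, Reply-To redirection and
payment-change language. Added example with constructed data, not the page's code."""
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example-msp.com"  # assumed MSP mail domain
# Assumed display names of staff who legitimately discuss invoices with customers.
STAFF_DISPLAY_NAMES = {"alice accounts", "bob finance"}
# Assumed phrases that typically accompany a request to redirect payments.
PAYMENT_PHRASES = (
    "bank details", "banking details", "new account number",
    "update our account", "remittance details", "wire instructions",
)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def screen_message(raw: bytes) -> list[str]:
    """Return a list of findings for one RFC 5322 message (empty means clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    # 1. Display-name impersonation: our staff's name on a foreign sender address.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    if name.strip().lower() in STAFF_DISPLAY_NAMES and from_domain != OUR_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from {from_domain}")

    # 2. Reply-To redirection: replies would leave the (possibly genuine) From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"reply-to mismatch: From {from_domain}, Reply-To {_domain(reply_addr)}")

    # 3. Payment-change language in subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    subject = str(msg.get("Subject") or "").lower()
    if any(p in text or p in subject for p in PAYMENT_PHRASES):
        findings.append("requests a change of payment details")

    return findings


# Constructed sample messages.
SPOOFED_DISPLAY_NAME = b"""\
From: Alice Accounts <alice.accounts@webmail.example>
To: ap@customer.example
Subject: Updated banking details for invoice 1042
Content-Type: text/plain; charset="utf-8"

Hi, please update the banking details you use for our invoices. New details below.
"""

TAKEOVER_WITH_REPLY_TO = b"""\
From: Alice Accounts <alice.accounts@example-msp.com>
Reply-To: <billing-update@attacker.example>
To: ap@customer.example
Subject: Change of remittance details
Content-Type: text/plain; charset="utf-8"

Our bank has changed. Please send payment to our new account number below.
"""

LEGITIMATE = b"""\
From: Alice Accounts <alice.accounts@example-msp.com>
To: ap@customer.example
Subject: Invoice 1042
Content-Type: text/plain; charset="utf-8"

Hi, attached is invoice 1042. Thanks!
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_DISPLAY_NAME),
                       ("takeover", TAKEOVER_WITH_REPLY_TO),
                       ("legitimate", LEGITIMATE)):
        print(label, screen_message(raw) or "clean")
```

The takeover sample is the important one: when the attacker really controls a mailbox at your domain, the From address is genuine and check 1 cannot fire, so the only remaining signals are the Reply-To redirection and the content. That is why a mail check alone is not enough and the payment-change request itself should be verified out of band, by calling the customer back on a known number.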
MSPs must take their own security seriously, implementing the same layered defenses they provide for their customers. Defenses should include protection at the following layers:
- (Logical) Perimeter – Today the perimeter largely consists of email coming in and users going out to browse the web. Putting DNS, web, and email filtering in place minimises the number of threats that reach your network in the first place.
- Endpoint – Antivirus on every endpoint is necessary for stopping known malware, but it is one layer rather than the whole defense: it is driven by what is already known, so the other layers still have to catch what it misses.
- User – Your employees are either part of your security stack or enablers of attacks. Enrolling them in continuous security awareness training raises their readiness for the phishing attempts, suspicious web and email content, and other common tactics they will encounter, so that an employee does not become the reason an attack succeeds.
- Privileged Access – Attackers need elevated access to move around your network and your customers'. Keeping every credential that grants such access in a privileged access password vault, using distinct credentials per customer and requiring multi-factor authentication on the tools that use them, reduces the risk that one compromised account turns into island hopping across your customer base.
You’ve taken the time to establish a relationship with your customers, one built on trust that you will take care of their needs. That trust has to include securing your own environment so that it cannot be turned against them. With MSPs now a focus for cybercriminals and state-sponsored attackers alike, it’s imperative that you take the security of your own network seriously and put the necessary precautions in place to keep your environment from becoming the launching pad for attacks on your customers.