
Hackers Disable MSP Backups, Launch Ransomware Attacks

The other shoe has dropped in the MSP security market. Indeed, hackers are now breaking into MSP networks, secretly disabling backup and disaster recovery (BDR) systems, and then launching ransomware attacks, ChannelE2E has confirmed with multiple sources.

In a typical scenario, the ransomware attacks spread from MSP systems to end-customer networks. When the MSP attempts a data restore, the service provider discovers BDR systems were disabled days, weeks or even months before the ransomware attack occurred, sources say. The net result, in some cases: Encrypted MSP and customer systems, and outdated or deleted backups.

These dramatic attacks are spreading internationally. ChannelE2E is aware of MSPs in North America, Europe and Australia that have been hit by such attacks. Recoveries, if possible at all, can take multiple weeks, putting the affected MSPs at risk of customer lawsuits and/or complete company shutdowns.

In some cases, the backup provider has archived systems (a backup of the backup) to assist the MSP with longer-term recoveries. But even in that scenario, the archived backup may be a bit dated.

Safeguarding Against Attacks

To safeguard against such attacks, ChannelE2E recommends the following MSP steps:

1. Embrace Multi-Factor Authentication: Activate two-factor/multi-factor authentication (2FA/MFA) on all systems, including MSP software platforms, administrator systems and end-user systems wherever possible. Longer-term: Check in with all of your vendors to understand the current state of their 2FA/MFA strategies, upcoming enhancements and multi-vendor relationships.

2. Configure BDR and Security System Alerts: Check in with security and business continuity platform suppliers. Learn how to properly configure BDR and security systems so that administrators receive alerts whenever system settings are changed or adjusted, including suspended or deleted jobs, retention changes and deleted restore points. Longer-term: Explore third-party 2FA/MFA platforms that can assist this effort. Strive to ensure that BDR and security setting updates/changes require an approved MSP administrator who has 2FA/MFA access, so that a change made by any other account is itself an alert.

3. Embrace an MSP Documentation Platform to document your data protection and cybersecurity processes, disaster recovery plans, etc.

4. Stay Informed: Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.

5. Build Your Long-term Plan: Study the NIST Cybersecurity Framework to understand how to mitigate risk within your own business before moving on to mitigate risk across your customer base.

6. Boost MSP Employee and End-user Awareness: Explore cybersecurity awareness training for your business and your end-customers to drive down cyberattack hit rates.

7. Integrate Wisely: Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.

8. Partner With MSSPs: All MSPs need to get more serious about managed security services. But it’s unwise to suggest that all MSPs will transform into full-blown MSSPs. As an MSP, decide which pieces of the risk mitigation puzzle you can truly manage, then partner up with a true MSSP to fill your gaps. (Related: Top 100 MSSPs, from MSSP Alert.)

9. Refocus Your Travels: Continue to attend channel-related conferences, but extend to attend major cybersecurity events, particularly RSA Conference, Black Hat and Amazon AWS re:Inforce.

10. Additional Suggestions: If you are aware of such attacks and have best practices for risk mitigation and recovery, email me: Joe@AfterNines.com.
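The scenario described above (a BDR system quietly disabled weeks before the ransomware lands) and the alerting in step 2 come down to two checks: page someone on every backup setting change, and page someone when a job stops producing successful completions. The script below is an added example written for this article, not code from ChannelE2E or any BDR vendor. The pipe-separated log format, the event names (job_suspended, retention_changed and so on), the client names and the actor accounts are all constructed for illustration; a real platform exposes its job history and audit trail through its own API or syslog export, with different field names.

```python
"""Detect BDR tampering and stale backups from a job/audit log.

Added example for this article; not code from ChannelE2E or any BDR
vendor. The log format, event names, clients and actors below are
constructed for illustration only.
"""
from datetime import datetime, timedelta

# Constructed sample log: timestamp|client|job|event|actor
SAMPLE_LOG = """\
2019-07-01T02:00:00|acme|nightly-vm|job_completed|scheduler
2019-07-01T02:05:00|globex|nightly-files|job_completed|scheduler
2019-07-02T02:00:00|acme|nightly-vm|job_completed|scheduler
2019-07-02T02:05:00|globex|nightly-files|job_completed|scheduler
2019-07-02T14:31:10|acme|nightly-vm|job_suspended|svc-backup
2019-07-02T14:31:42|acme|nightly-vm|retention_changed|svc-backup
2019-07-03T02:05:00|globex|nightly-files|job_completed|scheduler
2019-07-03T09:12:00|initech|nightly-db|retention_changed|msp-admin
2019-07-04T02:05:00|globex|nightly-files|job_failed|scheduler
2019-07-04T02:10:00|initech|nightly-db|job_completed|scheduler
2019-07-05T02:05:00|globex|nightly-files|job_failed|scheduler
2019-07-05T02:10:00|initech|nightly-db|job_completed|scheduler
"""

# Events that change what a backup will protect or retain. Every one of
# them should page an administrator; one made by an account outside the
# approved-admin list is the pattern the article describes.
SETTING_CHANGE_EVENTS = {
    "job_suspended", "job_deleted", "schedule_changed",
    "retention_changed", "restore_point_deleted",
}


def parse_log(text):
    """Parse pipe-separated lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, job, event, actor = line.strip().split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client, "job": job, "event": event, "actor": actor,
        })
    return events


def find_setting_changes(events, approved_actors):
    """Return every setting change, flagged when the actor is not on the
    (hypothetical, caller-supplied) list of MFA-protected admin accounts."""
    return [
        {**e, "unapproved_actor": e["actor"] not in approved_actors}
        for e in events if e["event"] in SETTING_CHANGE_EVENTS
    ]


def find_stale_jobs(events, now, max_age):
    """Return jobs with no successful completion within max_age of now.

    A job that was quietly suspended simply stops emitting job_completed,
    so it surfaces here even if the change alert was never seen.
    """
    last_ok = {}
    for e in events:
        key = (e["client"], e["job"])
        last_ok.setdefault(key, None)
        if e["event"] == "job_completed":
            last_ok[key] = e["ts"]
    return [
        {"client": c, "job": j, "last_success": ts}
        for (c, j), ts in sorted(last_ok.items())
        if ts is None or now - ts > max_age
    ]


def report(log_text=SAMPLE_LOG, now_iso="2019-07-05T08:00:00",
           max_age_hours=48, approved_actors=("msp-admin",)):
    """Run both checks and return a summary a NOC dashboard could consume."""
    events = parse_log(log_text)
    changes = find_setting_changes(events, set(approved_actors))
    stale = find_stale_jobs(events, datetime.fromisoformat(now_iso),
                            timedelta(hours=max_age_hours))
    return {
        "setting_changes": changes,
        "unapproved_changes": [c for c in changes if c["unapproved_actor"]],
        "stale_jobs": stale,
    }


if __name__ == "__main__":
    r = report()
    for c in r["setting_changes"]:
        tag = "ALERT" if c["unapproved_actor"] else "info"
        print(f"{tag}: {c['ts']} {c['client']}/{c['job']} "
              f"{c['event']} by {c['actor']}")
    for s in r["stale_jobs"]:
        print(f"ALERT: {s['client']}/{s['job']} "
              f"no successful backup since {s['last_success']}")
```

Run against the constructed log, the tampering on the acme job is caught twice: once as two unapproved setting changes by the svc-backup account, and again three days later as a job with no successful run inside the 48-hour window. The globex job shows up as stale for a different reason (two consecutive failures), which is why the staleness check belongs in the daily review even when change alerting is in place. Neither check replaces an archived copy of the backups (the "backup of the backup" mentioned above): detection tells you the BDR was tampered with, but only an offline copy gives you something to restore from.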

Memo to MSP Industry: Unite and Take Action

The FBI and U.S. Department of Homeland Security have issued multiple warnings about MSP-centric hacker and ransomware attacks.

Generally speaking, ransomware attacks against MSPs and their technology providers are not vendor-specific. Admittedly, hackers in some cases have exploited software vulnerabilities. But in most cases, the attacks have involved compromised MSP or end-customer credentials — i.e., stolen user names and passwords.

Amid that reality, the MSP industry needs to accelerate various best-practices efforts — such as the universal use of 2FA / MFA. Without a united stand, the MSP industry could soon face a “crisis of credibility,” ChannelE2E believes.

What’s Next

Several MSPs and their backup providers may offer detailed case studies about the break-ins in the days and weeks ahead. Again, the break-ins typically involved compromised credentials rather than technology product vulnerabilities. Check in with your technology vendor for the latest information about documented attacks. And tune into both ChannelE2E and MSSP Alert for the latest updates.

Comments

    John Watkins:

    “When the MSP attempts a data restore, the service provider discovers BDR systems were disabled days, weeks or even months before the ransomware attack occurred, sources say.”

    There is absolutely NO excuse for this, it is complete incompetence by the MSPs.

    If one of our scheduled jobs doesn't run, we get an alert. If a job is modified or suspended, we get an alert.

    In addition to the automated alerting, backup and replication jobs are checked daily for issues across all clients, automated test restores are done weekly and backups are tested by our NOC running full VM restores monthly.

    I’m really tired of shady/lazy IT consultants half-assing the basics and giving MSPs as a whole a bad name.

    Raffi Jamgotchian:

    We need to get away from victim blaming. It’s not useful. We can all do more to protect ourselves and our clients.

    Regardless, if someone had back door access to your BDR platform and wiped all your clients’ data, it wouldn’t matter if you had just tested all of your restores 10 minutes before the breach.
