In an unexpected development, the cybersecurity authorities of the “Five Eyes” countries issued an alert warning of an increase in malicious cyber activity targeting managed service providers (MSPs), with these agencies saying they expect this trend to continue. The alert is the result of a collaborative effort among the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA, NSA, FBI).
The agencies said they are “aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue,” and point to a report by N-Able, a major provider of IT management software for MSPs. That report states that “almost all MSPs have suffered a successful cyberattack in the past 18 months, and 90% have seen an increase in attacks since the pandemic started.”
“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” CISA Director Jen Easterly said in the alert. “Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”
The joint advisory recommends standard cybersecurity practices
The agencies’ joint advisory outlines a detailed list of actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. The advisory defines MSPs as entities that “deliver, operate, or manage ICT [information and communications technology] services and functions for their customers via a contractual arrangement, such as a service level agreement.” It notes that MSP services typically require trusted network connectivity and privileged access to and from customer systems.
Organizations are encouraged to read the advisory in conjunction with NCSC-UK guidance on actions to take when the cyber threat is heightened, CCCS guidance on Cyber Security Considerations for Consumers of Managed Services, and CISA guidance provided on the Shields Up and Shields Up Technical Guidance webpages.
The advisory lays out a wealth of standard cybersecurity practices that large organizations with mature security operations have long embraced. Its recommendations fall under the following categories outlined by CISA:
- Preventing initial compromise
- Enabling and improving monitoring and logging processes
- Enforcing multi-factor authentication
- Managing internal architecture risks and segregating internal networks
- Applying the principle of least privilege
- Deprecating obsolete accounts and infrastructure
- Applying updates
- Backing up systems and data
- Developing and exercising incident response and recovery plans
- Understanding and proactively managing supply chain risk
- Promoting transparency
- Managing account authorization and authentication
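Several of these categories (least privilege, MFA, deprecating obsolete accounts, managing supply chain risk) come down to knowing which accounts exist, who they belong to, and whether they still need the access they have. The following is an added example, not code from the advisory or from any of the agencies or vendors named in this article, of the kind of periodic audit an MSP customer could run over an exported account inventory. The inventory rows, field names, the 90-day staleness threshold and the audit date are all constructed for the example; a real export from Active Directory, Entra ID or a PSA tool would need a small adapter to the same fields.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data). Each row is one account as a
# directory export might describe it: who owns it (the MSP or the customer),
# whether it sits in a privileged group, whether MFA is enforced, the last
# successful sign-in, and, for vendor accounts, when the contract ends.
SAMPLE_ACCOUNTS = [
    {"name": "msp-admin-01", "owner": "MSP", "privileged": True,
     "mfa": True, "last_login": "2022-05-10", "contract_end": "2022-12-31"},
    {"name": "msp-legacy", "owner": "MSP", "privileged": True,
     "mfa": False, "last_login": "2021-11-02", "contract_end": "2021-12-31"},
    {"name": "jdoe", "owner": "customer", "privileged": False,
     "mfa": False, "last_login": "2022-05-09", "contract_end": None},
    {"name": "svc-backup", "owner": "customer", "privileged": True,
     "mfa": False, "last_login": "2022-05-01", "contract_end": None},
]

# Assumed audit date, chosen to make the sample data produce findings.
AUDIT_DATE = date(2022, 5, 12)


def audit_accounts(accounts, today, stale_days=90):
    """Return (account name, finding) pairs for accounts that violate one of
    three checks drawn from the advisory's categories:

    - "stale": no sign-in within stale_days (candidate for deprecation)
    - "privileged-no-mfa": privileged access without enforced MFA
    - "contract-expired": a vendor/MSP account outliving its contract
    """
    findings = []
    for acct in accounts:
        last_login = date.fromisoformat(acct["last_login"])
        if today - last_login > timedelta(days=stale_days):
            findings.append((acct["name"], "stale"))
        if acct["privileged"] and not acct["mfa"]:
            findings.append((acct["name"], "privileged-no-mfa"))
        contract_end = acct.get("contract_end")
        if contract_end and today > date.fromisoformat(contract_end):
            findings.append((acct["name"], "contract-expired"))
    return findings


def msp_accounts_with_findings(accounts, today, stale_days=90):
    """Names of MSP-owned accounts that triggered at least one finding.
    These are the ones to raise with the provider first, since they carry
    the trusted, privileged access the advisory is concerned with."""
    owners = {a["name"]: a["owner"] for a in accounts}
    flagged = {name for name, _ in audit_accounts(accounts, today, stale_days)}
    return sorted(n for n in flagged if owners[n] == "MSP")


if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{name}: {finding}")
    print("MSP accounts to review:",
          ", ".join(msp_accounts_with_findings(SAMPLE_ACCOUNTS, AUDIT_DATE)))
```

On the sample data the audit flags msp-legacy three times (stale, no MFA on a privileged account, and a contract that ended months earlier) and svc-backup once for a privileged service account without MFA. The point of splitting the result by owner is the one the advisory makes: an MSP's accounts in a customer environment need the same review cadence as the customer's own, and the customer, not only the provider, should be running it.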
No single identifiable cause for the alert
It’s not clear what prompted the agencies to issue such a detailed list of recommendations for MSPs now. Kyle Hanslovan, CEO and co-founder of Huntress, tells CSO that his firm is unaware of any single event that might have triggered the joint advisory. “We are not aware of any one specific incident. But, unfortunately, we’re aware of dozens of smaller incidents where everyone is taking notice of MSPs.”
Last week MSP-focused cybersecurity firm ThreatLocker issued a security alert warning its clients of a “sharp” increase in ransomware attacks using remote management tools. ThreatLocker created a script to block the attackers using a new security patch.
But Huntress, Sophos and Kaseya all say they haven’t seen the widespread coordinated MSP ransomware attacks described by ThreatLocker in its alert. “We were one of the companies that came out and said, ‘We have data on 3,000-plus managed service providers. We are not seeing an uptick that warrants doom and gloom,'” Hanslovan says.
Hackers can reach hundreds of companies at a time
Hanslovan believes it was not a single risk that motivated the agencies to issue the alert. “It isn’t one single risk. It is just a whole change in the environment that hackers have taken notice of and are actually making full playbooks to say, ‘You know what? Why play whack-a-mole with one company at a time when I could go fishing with dynamite and go after hundreds of companies at a time.’”
He also thinks the agencies could be withholding information that would shed light on why MSPs might need more substantial guidance. “I have no doubt they probably have analysis,” he says.
It’s also possible that the cybersecurity authorities are generally trying to get ahead of the curve when it comes to problems that might blow up down the road. “I think this is them doing a very good job of early warning and transparently identifying these are risks,” says Hanslovan.
MSPs should talk to their clients about their vendors
Mary J. Hildebrand, partner, founder and chair of the Privacy and Cybersecurity practice at Lowenstein Sandler, says that one thing missing from the joint alert is a directive for MSPs to understand their clients’ security posture better. “When I represent an MSP, one of the things I suggest is that depending on the role they’re going to undertake when they’re engaged, they should have a conversation and maybe some follow up with the company on what kind of diligence it has done on its vendors,” Hildebrand tells CSO. “The reason I suggest a deeper dive into that for MSPs is that vendor error, vendor problems, and vendor breach is a huge issue for companies. Many security incidents and data breaches derive from either employee error or, in this case, an MSP employee error, or problems with the vendor.”
Hildebrand doesn’t know why the joint alert has been issued now but suggests it’s possible the agencies have identified the predominantly small MSPs as highly vulnerable links in the technology chain. “The perpetrators here are very skilled at picking out the weak link,” she says.
Hanslovan echoes this sentiment. “Remember, a managed service provider isn’t like Hewlett-Packard,” he says. “A managed service provider is a small business. Sometimes they only have a dozen technicians. The CEO might be the only salesperson. That’s how small and immature some managed service providers are.”