Cybersecurity authorities in the U.S., U.K., Australia, Canada and New Zealand released a joint advisory Wednesday warning that they “expect malicious cyber actors — including state-sponsored advanced persistent threat (APT) groups — to step up their targeting” of managed service providers, and urged a renewed focus on cyber hygiene.
Managed service providers, typically referred to as “MSPs,” manage and sometimes provide IT services for other entities, such as hosting or platform services, creating a situation where businesses and many governments have to trust that the MSP is secure.
“Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects,” the notice read. The nations said they “are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.”
An attacker gaining access to an MSP can provide a ready vector to target that MSP’s customers for “follow-on activity — such as ransomware and cyber espionage,” the authorities warned.
REvil, the Russia-based ransomware group, was able to compromise as many as 50 MSPs in its July 2021 attack on IT tech management firm Kaseya, which enabled attacks on as many as 1,500 MSP clients.
The authorities pointed out that they’ve offered guidance on security matters to MSPs and their customers multiple times in the past. But Wednesday’s notice, which included detailed guidance for best practices, was an effort to enable discussions between the MSPs and their customers.
“These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance,” the notice read.
The nations offered detailed recommendations as to how MSPs and their customers should work to deter attacks, including general cyber hygiene, enforcing multi-factor authentication and applying software updates to address known vulnerabilities.
MSPs are particularly attractive targets because they have access to customer networks. Rob Joyce, a senior NSA cybersecurity official, tweeted Wednesday that attacks on MSPs allow attackers “to scale their attacks.”
In July 2020 StateScoop reported that Louisiana Secretary of State Kyle Adroin assailed the MSP industry for having “not been upfront” with clients about cybersecurity matters, pointing to a July 2019 cyber attack on an MSP causing several Louisiana school districts having their systems locked up and the governor having to declare a state of emergency.
The “Cloud Hopper” hacking campaign — a Chinese operation first uncovered in 2016 — is another infamous example of this kind of problem.