Managed service providers (MSPs) have been a boon to midsize enterprise. They allow for offloading technical debt to an agent with the skills and resources to manage it, thereby giving an organization room to focus on growing a business, rather than the particulars of infrastructure.
For a long while, third-party service providers were not targeted directly for their security failures, as lucrative targets were more directly available. But with security best practices gaining slow adoption across enterprise organizations, MSPs have gradually become subject to threats—with their clients as the ultimate objective—as they are seen as an easier win than attacking clients through the front door.
Today, an MSP can expect to be targeted not just in their own right, but as a soft pivot point to obtain client data that might otherwise be better defended against direct attack.
But how bad is the threat landscape for managed service providers, really? MSPs typically operate in a resource-constrained environment, and surely secondary attacks wouldn't be nearly as common as direct attacks, right?
Let's take a look at what third-party service providers are facing today in attempts to keep those clients safe and happy.
Managed service providers would not be pleased to see this ransom note.
Ransomware can be used in a secondary attack leveraged against specific client data. It can also be deployed in an opportunistic attack, just as with individual end users. Or it can serve as a targeted attack against a market segment hurt severely by downtime, as it has been for US cities and schools.
In June 2019, attacks against MSP customers were observed using PowerShell to push Sodinokibi ransomware to managed endpoints. These tactics were previously employed by GandCrab ransomware actors, who used a vulnerability in remote administration software in an attempt to infect all of the MSP's clients at once.
While ransomware is a constant in the threat landscape for both end users and enterprises of all sizes, multi-vector targeted attacks using ancillary software as a pivot point were previously only seen with APT groups. Given the potential for threat actors to monetize an MSP's large client base all at once, defenders should expect complex attacks like these to increase in the future.
APT attacks are the focus of much hand-wringing in enterprise security conversations, despite the fact they're rather rare. Ninety percent of organizations would be better served by focusing on the OWASP top 10, asset management, and default configuration errors over even beginning to address APT attacks.
That said, MSPs with high-value targets as customers can fall into the 10 percent of businesses subject to secondary, targeted attacks. Previously seen most commonly with law firms servicing sensitive clients, some APT movement has expanded to address all service providers that hold data on their primary targets.
Between 2017 and 2018, the MenuPass group used stolen credentials to gain access to a Norwegian MSP with roughly 850,000 total customers. They subsequently enumerated network data and exfiltrated proprietary information, with the likely intent of obtaining intelligence on specific MSP clients.
Notable in this campaign was the surreptitious use of legitimate credentials to gain a foothold on the victim networks. These tactics were observed in the wild to the extent that USCERT released an advisory to IT service providers to implement a defense-in-depth strategy to mitigate future APT attacks.
Defenders should note here the use of legitimate credentials. APT groups are most commonly known for using zero-day vulnerabilities or other attacks requiring high resources and institutional support. But like other less sophisticated threat groups, they are under no obligation to continue doing so—poor credential management in conjunction with unpatched third-party software are sufficient to allow APT actors a clear path to a client's proprietary data via MSP network.
So how do you know if your client list includes "sensitive targets" subject to this sort of attack? Threat modeling is a topic in itself that can go a long way toward identifying at risk clients. (See our take on threat modeling here.) But prior attacks indicate that clients involved in law, defense contracting, manufacturing, or organizing political dissent are potentially subject to APT attacks, whether directly or via your networks.
Having reviewed some intriguing operations specifically focused on MSP data and customers, we would be remiss if we failed to mention the attacks that, by weight, make up the bulk of threats that all organizations face.
Though used by APT 10 to breach an Australian MSP, mishandling of administrator credentials is not an advanced attack. Failure to vet and appropriately patch third-party software introduces significant risk that doesn't require a sophisticated actor to exploit. (More on third party application security here.)
For a recent example, cloud management platform OnApp has been found to have a vulnerability allowing access to all managed servers with a cloud provider—provided they start with access to one.
Lastly, poor asset management and lack of appropriate log analysis tools (or in some cases, failure to use them) has been responsible for escalating a relatively minor security incident to a significant breach in many instances, whether the attack was targeted or not. Although IT service providers face unique challenges as enumerated above, ignoring the basics can result in opportunistic attacks as damaging as a potential APTs.
An MSP looking to provide top tier service to a valuable client can no longer focus exclusively on uptime as the only measure of quality. A shifting threat landscape has made high-value data a prominent target, regardless of whose network it sits on. Increased security awareness across enterprise organizations will only continue to increase the payoff of attacking ancillary targets like service providers in furtherance of threat actor objectives.
Third-party IT service providers generally aren't overtly negligent, but can find themselves behind the curve on security due to a lack in up-to-date subject matter expertise, a failure to cover the basics, and most prominently, the idea that security is a cost center to be minimized as aggressively as possible.
Enterprise security is in fact an investment in public trust that is required for sustained capital growth. The successful MSP over the long term with be the one best able to maintain and capitalize on customer trust. Ignore that trust at your peril.