If you are an MSP or use the services of one, you should be aware that the level of cyberthreat for MSPs has increased dramatically over the last year.
As we’ve previously pointed out, the range of threat vectors faced by the average MSP is now huge, from social engineering attacks to cryptojacking, alongside the ever-present threat of phishing.
Recent hacks against MSPs have illustrated that MSPs not only face an increased threat level, but that the sophistication of these attacks has been slowly increasing. In this article, we'll review a few recent hacks against MSPs, look at why MSPs are becoming a major target for hackers, and then cover what you can do to protect yourself.
Recent Hacks Against MSPs
The most recent review of the scale of hacking that MSPs face has come not from cybersecurity analysts or industry groups, but from the US government. Back at the beginning of last year, the US Department of Justice released a detailed report that highlighted the threats that MSPs face from state-sponsored hackers.
The report claimed that two Chinese nationals had “conducted global campaigns of computer intrusions targeting, among other data, intellectual property and confidential business and technological information at managed service providers (MSPs).”
Unfortunately, many in the industry didn’t pay the report the attention it was due. That might have been because the DoJ made something of a mistake in the way they titled the report. Given the link between the hacks and the Chinese government, many MSPs assumed that the attackers were primarily targeting governmental and military systems.
That is not the case.
In fact, the last year has seen a huge increase in the number of attacks on MSPs of all sizes and in all sectors. Many popular WordPress-based websites, including those of several high-profile MSPs, have been hit by DDoS attacks, and other MSPs have reported sophisticated spear-phishing attempts.
The most high-profile of these was reported in Dark Reading earlier this year, and concerned an MSP that was breached and then held to ransom. “The attack resulted in some 1,500 to 2,000 systems belonging to the MSP’s clients getting cryptolocked,” the report stated, “and the MSP itself facing a $2.6 million ransom demand.”
Though cyberattacks against companies of all types are growing, the threats that MSPs face are growing far faster than the average.
The reason hackers are now targeting MSPs is precisely the reason that many companies turn to MSPs to manage their IT systems. The typical MSP holds sensitive (and potentially lucrative) data across many clients.
The benefits of this for companies are clear enough: contracting an MSP to handle high-value systems can dramatically decrease overheads, while increasing security. This is the reason why the MSP market has grown so rapidly over the past few years, and is expected to grow from $180.5 billion in 2018 to $282.0 billion by 2023.
Unfortunately, MSPs have become a victim of their own success.
For hackers, a major advantage of going after MSPs is not just the sheer number of MSPs around. More than that, some basic features of the MSP business model mean that the data held by these companies is extremely valuable.
For example, MSPs often have agreements with payment processors to offer merchant services to their clients, acting as a payment gateway that processes transactions on their behalf. Because such processors are built to handle virtually every payment situation (including point-of-sale systems and payments submitted through mobile apps), they collect a massive amount of financial data.
This data is a huge temptation for criminals, whether their crime model is ransoming mission-critical data or stealing high-value intellectual property. One hack can be used to obtain valuable data on multiple targets, all of whom meet the appropriate victim profile.
Further reading: Why Are Cybercriminals Targeting MSPs?
The increased threat level that MSPs face requires a response on several fronts.
The first and most critical response that MSPs must make is to conduct a comprehensive security audit. Even if you complete security audits on a regular basis, now is the time to complete a one-off assessment.
The threats that are covered in the DoJ report were likely not included in your last such audit, and they need to be. The warnings that have come over the last year also mean that it is now impossible for MSPs to claim that they were unaware of an increased threat level, and cyber insurance should be looked at accordingly.
Secondly, look at the technical tools you have in place to defend against hackers. In this regard, it’s useful to look at the Australian government’s document on “Implementing the Essential Eight for MSPs,” which was released in direct response to the DoJ warning. The “essential eight” of the title are a set of security measures that the Australian Cyber Security Centre has put together.
In summary, the eight measures are application control (originally called application whitelisting), patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.
To this, we would add that all of your endpoints – whether enterprise- or consumer-facing – need to be covered by a quality cybersecurity suite. Basic steps include serving every web property over HTTPS with valid certificates and requiring multi-factor authentication on every public-facing system. Less obvious attack surfaces deserve attention too: audit the Bluetooth and IoT devices on your networks, since vulnerabilities in them can give an attacker a foothold that your web-facing controls never see.
Expect the Unexpected
For many in the MSP sector, news of increased threats will not come as a surprise. In fact, some have been expecting such a rise, as hackers recognize the value of the data held by MSPs. In this context, MSPs should see the recent uptick in attacks as an opportunity to improve their security measures, rather than as an opportunity to panic.
In truth, the recent increase in attacks is just the latest round in the long arms race between hackers and their victims. Many of the techniques used in the recent attacks against MSPs have long been familiar to the cybersecurity industry and, apart from their increased frequency, will offer little that is new to experienced cybersecurity pros.
For now, MSPs are keeping pace. It remains to be seen when – if ever – new types of attack, such as those using sophisticated deepfakes, will be seen in the wild. But it is as important as ever that companies in all sectors, and especially MSPs, prepare for the worst.