Agencies from Australia, Canada, New Zealand, United Kingdom, and the United States warned that attacks against MSPs could be a springboard for subsequent malicious activity such as ransomware deployment or nation-state cyber espionage.
The U.K’s National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), New Zealand’s National Cyber Security Centre (NZ NCSC), and U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) jointly issued the advisory.
The joint advisory predicted that “malicious cyber actors, including state-sponsored advanced persistent threat (APT) groups” would scale the targeting of MSPs “to exploit provider-customer network trust relationships.”
In 2021, over 1,500 organizations were affected after the REvil ransomware group breached Kaseya, a remote management solution provider.
Securing MSPs from supply chain cyber attacks is a priority
The agencies warned that cyber attacks on MSPs could seriously affect organizations. They explained that many organizations, including SMBs and critical infrastructure entities, rely on MSPs to manage communication systems, store data, and support sensitive processes.
Additionally, organizations depend on MSPs to manage their infrastructure without expanding or developing their in-house staff.
“This is a serious, serious issue and has been going on for nearly a decade now,” Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 said. “MSPs need to become as strongly secured as the top security at trusted government top-secret sites.”
CISA Director Jen Easterly said that securing MSPs against cyber attacks was critical in guaranteeing the alliance’s collective cyber defenses. She added that the agencies were committed to improving cybersecurity and the resiliency of the global supply chain.
The director of New Zealand’s National Cyber Security Centre, Lisa Fong, noted that the supply chain was becoming the weakest link as organizations strengthened their internal cyber defenses.
“Managed Service Providers are always under attack,” Christopher Prewitt, Chief Technology Officer at MRK Technologies said. “They are often primarily focused on IT operations and service desk related services, and usually do not have a depth of knowledge or capability in cyber security practices.”
Mitigating cyber attacks on MSPs
The advisory issued directives for MSPs and their customers to mitigate cyber threats posed by the nation-state and other malicious cyber actors.
The agencies advised MSPs and their customers to prevent initial compromise by securing vulnerable devices through vulnerability scanning and hardening remote access tools such as VPNs.
Additionally, MSPs and their customers should prevent targeted cyber attacks by protecting internet-facing services and defending against password spraying, brute force attacks, and phishing.
Other security recommendations from the Five Eyes intelligence alliance include:
Promoting and enforcing multi-factor authentication and segregating internal networks to reduce the impact of successful cyber attacks
Applying the principle of least privilege to internal, customer, and provider accounts
The deletion of obsolete accounts and infrastructure during personnel transition and the end of contracts for MSPs no longer managing the infrastructure.
Regular application of security updates.
Frequent backup of organizations’ data to avoid losing critical information after successful cyber attacks
Implementing incident response and recovery plans
Understanding and managing supply chain risks
Managing account authentication and authorization
Additionally, MSP customers should have contractual arrangements allowing the providers to implement the mitigations in the report. The contracts should clearly specify cyber security services that MSPs would provide and those beyond the scope of the agreement.
“Every device must be locked down with strict application controls, phishing-resistant MFA, great security awareness training for employees, and the strongest security they themselves can implement,” Grimes added.
He added that the days of lax security practices by managed service providers were over.
“Most people would be surprised, but most MSPs aren’t configured in the strongest security configuration possible. That’s because for a long time it wasn’t needed. But now as they are increasingly under direct attack by nation-states and ransomware gangs they have to treat themselves like top secret government agencies with no quarter for half-measures.”
Supply chain cyber attacks have always been a concern because of the access given to MSPs, according to Dave Cundiff, CISO at Cyvatar.
“MSPs provide for a single entry point to access a bevy of targets not only stopping at the MSP’s direct customers but also their customers’ customers,” Cundiff said. “This is the true threat of a supply chain attack, many small to medium enterprises have made the business decision to outsource their IT functions.”