Cybersecurity Agencies Issue Warning Following Increase in Cyberattacks on MSPs

Cyberattacks on managed service providers are on the rise. If hackers are able to compromise the systems of MSPs, they can gain access to the systems of MSP clients. One successful attack on an MSP can give hackers access to the systems of dozens of companies. That is far easier than conducting attacks on each of those businesses individually.

These attacks can have a globally cascading effect. For instance, on July 2, 2021, over the Independence Day weekend, the REvil (Sodinokibi) ransomware gang conducted an attack on Kaseya. Kaseya is the leading provider of unified IT management and security software for managed service providers (MSPs). That attack allowed the ransomware gang to gain access to the systems of around 60 MSP clients and conduct attacks on around 1,500 downstream businesses.

Recently, the Five Eyes alliance of cybersecurity agencies from the United States, United Kingdom, Canada, Australia, and New Zealand issued a joint security advisory to MSPs and their customers about the increased risk of attacks and made recommendations on measures that can be implemented to secure sensitive data, protect systems, and improve their resilience to cyberattacks.

Attacks on MSPs exploit the trust relationships between MSPs and their customers. To provide IT services, MSPs need privileged access to their customers’ systems; however, many managed service providers lack the appropriate safeguards to block attacks, which means they can be an easy target for cyber threat actors.

The Five Eyes agencies recommend MSPs and their customers ensure measures are implemented to prevent the initial compromise, such as improving the security of vulnerable devices, protecting Internet-facing services, defending against brute force and password spraying attacks, and having sufficient defenses against phishing attacks in place.

The Five Eyes agencies recommend that all businesses that use managed service providers review their contractual arrangements with their MSPs and ensure their contracts state the responsibilities of the MSP with respect to cybersecurity. The contracts should state that MSPs must enforce multi-factor authentication (MFA) on all accounts used to access their environments and have MFA enabled on all products and services provided. Contracts should also require MSPs to apply the principle of least privilege for provider and customer network environments and to ensure there is effective monitoring and logging of their network environments.

Customers of MSPs should ensure they understand their MSP's policy on patching and software updates. They should request that updates be delivered as an ongoing service and that their contracts include backup services that meet their resilience and disaster recovery requirements. Customers should also understand the supply chain risk associated with using an MSP and should set clear network security expectations.

An extensive list of recommendations for MSPs and their customers for improving cybersecurity is detailed in the alert, a copy of which is available from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).