The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued a warning to IT service providers and their clients amid concern over increasing malicious cyber activity by Chinese threat actors. Those attacks are targeting Cloud Service Providers (CSPs), Managed Security Service Providers (MSSPs) and Managed Service Providers (MSPs). Attacks on IT service providers such as MSPs, CSPs, and MSSPs can allow threat actors to gain access to healthcare networks by abusing the trusted relationships those providers hold with their clients.
The DHS Cybersecurity and Infrastructure Security Agency (CISA) has made a technical resource available that details some of the methods being used by Chinese threat actors to gain access to IT service providers’ networks.
The guidance can be used by network defenders to limit exposure to cyberattacks. Several mitigation measures have been suggested. Unfortunately, there is no single solution that will provide protection from attack; CISA notes that mitigating these targeted attacks can be a complex process.
Advice for IT Service Providers’ Clients
Healthcare providers that use IT service providers should:
- Ask their providers to conduct a risk analysis to identify security concerns and determine whether their systems have already been compromised.
- Ask IT service providers to use security tools that can detect cyberattacks.
- Examine network links between healthcare providers and IT service providers.
- Check all IT service provider accounts to ensure they are all valid and are still required.
- Disable IT service provider accounts that are not active.
- Have business associate agreements that require IT service providers to have appropriate security controls in place; log and monitor network activity; and send alerts promptly in case any suspicious activity is detected.
- Integrate system log files and network monitoring data into intrusion detection and monitoring systems.
- Be certain service providers have reviewed the US-CERT pages on APT groups targeting IT service providers, specifically TA-18-276A and TA-18-276B.
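The account-review items above (confirm every IT service provider account is valid and still required, then disable the ones that are not) can be turned into a repeatable check. The following is an added example, not code from the article or from US-CERT; it runs over a constructed account inventory whose field names (user, provider, enabled, last_login, approved_until) are assumptions for this illustration, and it flags enabled provider accounts with no owning provider, no or expired approval, or no recent login.

```python
from datetime import date

# Constructed sample inventory of accounts that IT service providers hold on a
# client network. Field names are assumptions for this example, not from the page.
PROVIDER_ACCOUNTS = [
    {"user": "svc-msp-backup", "provider": "MSP-A", "enabled": True,
     "last_login": "2018-10-01", "approved_until": "2019-06-30"},
    {"user": "msp-a-admin2", "provider": "MSP-A", "enabled": True,
     "last_login": "2018-06-12", "approved_until": "2019-06-30"},
    {"user": "csp-migration", "provider": "CSP-B", "enabled": True,
     "last_login": "2018-09-20", "approved_until": "2018-09-30"},
    {"user": "vendor-old", "provider": "", "enabled": True,
     "last_login": None, "approved_until": None},
    {"user": "mssp-soc-ro", "provider": "MSSP-C", "enabled": False,
     "last_login": "2018-10-02", "approved_until": "2019-12-31"},
]


def _parse_date(value):
    """Parse an ISO date string, tolerating a missing value."""
    return date.fromisoformat(value) if value else None


def review_provider_accounts(accounts, today_iso, max_idle_days=45):
    """Return {user: [reasons]} for every enabled provider account that should
    be questioned with the provider or disabled outright.

    The checks mirror the article's advice: is the account still owned by a
    provider, is there a current business reason (approval window) for it,
    and is it actually being used?
    """
    today = date.fromisoformat(today_iso)
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing further to do
        reasons = []
        if not acct["provider"]:
            reasons.append("no owning provider on record")
        until = _parse_date(acct["approved_until"])
        if until is None:
            reasons.append("no approval end date")
        elif until < today:
            reasons.append(f"approval expired {until.isoformat()}")
        last = _parse_date(acct["last_login"])
        if last is None:
            reasons.append("never logged in")
        elif (today - last).days > max_idle_days:
            reasons.append(f"idle {(today - last).days} days")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


def accounts_to_disable(accounts, today_iso, max_idle_days=45):
    """Sorted list of provider accounts the review recommends disabling."""
    return sorted(review_provider_accounts(accounts, today_iso, max_idle_days))


if __name__ == "__main__":
    for user, reasons in review_provider_accounts(PROVIDER_ACCOUNTS, "2018-10-05").items():
        print(f"{user}: " + "; ".join(reasons))
```

Run against the sample inventory with a review date of 2018-10-05, the check leaves the actively used, in-contract account alone, flags the account that has been idle for months, the one whose approval window has lapsed, and the orphaned one with no provider on record, and skips the account that is already disabled. Feeding the output to the provider as a list of accounts to justify or remove is the conversation the article recommends having.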
Advice for IT Service Providers
It is advisable for IT service providers to take the following steps to minimize risk:
- Make sure that all mitigations described in US-CERT notifications are implemented.
- Employ the principle of least privilege; logically separate clients’ information; do not share access to clients’ systems.
- Use advanced network- and host-based monitoring tools that can detect anomalous behavior and identify potentially malicious activity.
- Aggregate and correlate log information to maximize the probability of detecting malicious activity and account misuse.
- Work closely with clients and diligently monitor and maintain all hosted infrastructure.
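The advice to aggregate and correlate log information (and, on the client side, to integrate log files and network monitoring into detection systems) is most useful when the client's view of a provider login is joined with the provider's own record of why that login should exist. The following is an added example, not code from the article or from US-CERT: it parses constructed client-side login lines (the log format is an assumption), joins them against a constructed list of provider change tickets and the provider's declared management source ranges, and raises an alert for any successful provider-account login that has no covering ticket or comes from an undeclared source.

```python
import ipaddress
import re
from datetime import datetime

# Constructed client-side login records from a VPN concentrator and a jump host.
# The line format is an assumption made for this example.
CLIENT_LOGINS = """\
2018-10-04T02:13:05Z vpn01 login user=svc-msp-backup src=198.51.100.7 result=success
2018-10-04T03:40:51Z vpn01 login user=msp-a-admin2 src=203.0.113.9 result=success
2018-10-04T11:02:17Z jump02 login user=svc-msp-backup src=198.51.100.7 result=success
2018-10-04T11:30:00Z jump02 login user=jdoe src=10.20.1.15 result=success
"""

# Constructed provider-side change tickets: the approved work windows during
# which a provider account is expected to touch the client network.
PROVIDER_TICKETS = [
    {"ticket": "CHG-1001", "user": "svc-msp-backup",
     "start": "2018-10-04T01:30:00Z", "end": "2018-10-04T03:00:00Z"},
    {"ticket": "CHG-1002", "user": "svc-msp-backup",
     "start": "2018-10-04T10:30:00Z", "end": "2018-10-04T12:00:00Z"},
]

# Source ranges the provider has declared for its management traffic (constructed).
PROVIDER_SOURCE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Accounts on the client network that belong to the provider (constructed).
PROVIDER_USERS = {"svc-msp-backup", "msp-a-admin2"}

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) src=(\S+) result=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_login(line):
    """Parse one client login line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, src, result = m.groups()
    return {"ts": datetime.strptime(ts, TS_FMT), "host": host, "user": user,
            "src": ipaddress.ip_address(src), "result": result}


def ticket_covering(tickets, user, ts):
    """Return the ticket whose window contains ts for this user, else None."""
    for t in tickets:
        if t["user"] != user:
            continue
        start = datetime.strptime(t["start"], TS_FMT)
        end = datetime.strptime(t["end"], TS_FMT)
        if start <= ts <= end:
            return t["ticket"]
    return None


def correlate(client_log, tickets, source_ranges, provider_users):
    """Join client-side provider logins with provider-side context.

    A successful login by a provider account is alerted on when it falls
    outside every approved ticket window or originates from an address the
    provider has not declared. Both are signs of account misuse that neither
    side's logs reveal on their own.
    """
    alerts = []
    for line in client_log.splitlines():
        ev = parse_login(line)
        if not ev or ev["user"] not in provider_users or ev["result"] != "success":
            continue
        reasons = []
        if not any(ev["src"] in net for net in source_ranges):
            reasons.append(f"source {ev['src']} outside declared provider ranges")
        if ticket_covering(tickets, ev["user"], ev["ts"]) is None:
            reasons.append("no provider ticket covers this login")
        if reasons:
            alerts.append({"ts": ev["ts"].strftime(TS_FMT), "host": ev["host"],
                           "user": ev["user"], "src": str(ev["src"]), "reasons": reasons})
    return alerts


def run_sample():
    """Correlate the constructed sample data; returns the list of alerts."""
    return correlate(CLIENT_LOGINS, PROVIDER_TICKETS, PROVIDER_SOURCE_RANGES, PROVIDER_USERS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} {a['host']} {a['user']} from {a['src']}: " + "; ".join(a["reasons"]))
```

On the sample data the two backup-account logins each fall inside a change ticket and come from the declared range, so they are silent; the non-provider user is ignored; and the second provider account, logging in at 03:40 from an undeclared address with no ticket, produces a single alert carrying both reasons. In practice the ticket list and source ranges would come from the provider under the business associate agreement the article describes, which is what makes the correlation possible.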