Five Eyes agencies warn of rising attacks against MSPs

Attackers are increasingly using MSPs' own tools against them


Intelligence services have issued a warning of rising attacks against managed service providers by nation-state actors and other threat groups.

A new advisory from US government agencies and Five Eyes intelligence partners indicates an increase in hostile cyber activities targeting MSPs - a trend they expect to continue.

MSPs are entities that companies contract to deliver, run or manage ICT services and functions for their clients. An attacker who successfully breaches an MSP gains a ready vector to target the MSP's customers for follow-on activity, such as cyber espionage and ransomware.

'The UK, Australian, Canadian, New Zealand, and US cybersecurity authorities expect malicious cyber actors - including state-sponsored advanced persistent threat (APT) groups - to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships,' the notice reads.

'Whether the customer's network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects.'

Successful supply-side cyberattacks can have disastrous consequences, because these companies often have privileged access to customers' networks. This was demonstrated in last summer's big supply-chain attack against Kaseya, which offers remote IT monitoring software.

Although only around 60 of Kaseya's MSP customers were compromised, their position high in the supply chain meant the attack affected 1,500 further businesses downstream.

The cybersecurity agencies are urging MSPs to focus on cyber hygiene. The note also details steps MSPs and clients can take to lower their chances of being hacked.

These include: identifying and disabling accounts that are no longer in use; implementing multi-factor authentication on MSP accounts that access the customer environment; and keeping an eye on authentication that fails for no apparent reason.

MSP customers were also urged to ensure their contractual agreements stipulate that their MSP implements the measures and controls outlined in the advisory, for example deploying mitigation resources to protect vulnerable devices and services from attack methods like password spraying, brute force and phishing.
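As an added illustration (not taken from the advisory or from any vendor tooling), the Python sketch below shows how the account-hygiene and failed-authentication checks described above could be run over an authentication log to surface stale accounts, password spraying and brute force. The log format, account inventory, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: "timestamp account source_ip result" per line.
SAMPLE_LOG = """\
2022-05-11T09:00:01 alice 203.0.113.7 FAIL
2022-05-11T09:00:03 bob 203.0.113.7 FAIL
2022-05-11T09:00:05 carol 203.0.113.7 FAIL
2022-05-11T09:00:07 svc-backup 203.0.113.7 FAIL
2022-05-11T09:02:10 alice 198.51.100.4 OK
2022-05-11T09:05:00 dave 198.51.100.9 FAIL
2022-05-11T09:05:02 dave 198.51.100.9 FAIL
2022-05-11T09:05:04 dave 198.51.100.9 FAIL
2022-05-11T09:05:06 dave 198.51.100.9 FAIL
2022-05-11T09:05:08 dave 198.51.100.9 FAIL
"""
# Constructed account inventory: account -> date of last successful login.
LAST_LOGIN = {"alice": date(2022, 5, 10), "bob": date(2022, 5, 9),
              "carol": date(2022, 5, 1), "dave": date(2022, 4, 30),
              "svc-backup": date(2021, 11, 2)}

def review(log, last_login, today, stale_days=90, spray_accounts=4, brute_fails=5):
    """Flag stale accounts, spraying sources and brute-forced accounts.

    The whole log is treated as one time window; thresholds are assumptions.
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> account -> failures
    for line in log.strip().splitlines():
        _ts, account, ip, result = line.split()
        if result == "FAIL":
            fails[ip][account] += 1
    cutoff = today - timedelta(days=stale_days)
    # Accounts with no successful login since the cutoff: candidates to disable.
    stale = {a for a, seen in last_login.items() if seen < cutoff}
    # Spraying: one source failing against many distinct accounts.
    spray = {ip for ip, per in fails.items() if len(per) >= spray_accounts}
    # Brute force: one source failing repeatedly against a single account.
    brute = {(ip, a) for ip, per in fails.items()
             for a, n in per.items() if n >= brute_fails}
    # Failures against dormant accounts are hard to explain legitimately.
    targeted = {a for per in fails.values() for a in per}
    return {"stale": stale, "spray": spray, "brute": brute,
            "dormant_hits": stale & targeted}

if __name__ == "__main__":
    for name, hits in review(SAMPLE_LOG, LAST_LOGIN, date(2022, 5, 11)).items():
        print(name, sorted(hits))
```

In practice the counts would be computed per sliding time window rather than over the whole log, and the thresholds tuned to the environment's normal failure rate.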

The advisory was co-signed by the NSA, the FBI, and cybersecurity centres in the UK, Australia, Canada and New Zealand.

It comes just six days after ThreatLocker published a security alert warning MSPs of a spike in ransomware attacks involving remote management tools.

The Acronis Cyberthreats Report, released last year, found that MSPs are particularly vulnerable to ransomware and supply chain attacks because cyber actors are now attempting to use MSPs' own management tools, such as RMM or PSA, against them.