US, allies warn of nation-state attacks against MSPs
The joint advisory did not name any specific nation-states, though co-sponsor agencies expect threat actors to 'step up their targeting' of managed service providers (MSPs).
A new joint advisory from U.S. government agencies and Five Eyes intelligence partners warned of increasing cyber attacks by nation-state threat actors and others against managed service providers.
The Wednesday advisory focused entirely on managed service providers (MSPs), which are companies that remotely manage the IT infrastructure of other organizations. In addition to U.S. agencies like the Cybersecurity & Infrastructure Security Agency (CISA), the FBI and the NSA, the advisory is co-sponsored by Five Eyes Alliance members including the United Kingdom's National Cyber Security Centre, Australian Cyber Security Centre, Canadian Centre for Cyber Security and New Zealand National Cyber Security Centre.
The advisory included information to "enable transparent discussions between managed service providers (MSPs) and their customers on securing sensitive data." Though it does not mention any specific threats, the joint advisory noted reports of increased malicious activity against MSPs and warned of potential attacks by nation-state actors and others.
"The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors -- including state-sponsored advanced persistent threat (APT) groups -- to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships," it read. "For example, threat actors successfully compromising an MSP could enable follow-on activity -- such as ransomware and cyber espionage -- against the MSP as well as across the MSP's customer base."
No specific nation-state APTs were named, and CISA did not respond to SearchSecurity's request for additional information.
In an email, Sophos principal research scientist Chester Wisniewski said that joint advisories like this one are "often not driven by specific intelligence, but rather observed scanning, probing or attacks against a set of targets who have something in common" like MSPs.
"MSPs are ripe targets as they often hold the keys to the kingdom for many organizations and frequently have not deployed multifactor authentication (MFA) nor employed a least privilege model to protect their clients from internal staff credential compromise," he said. "Based on past advisories, I would read this to mean they are observing heightened interest and scanning activity focused on MSPs and that if there are exposed unsecured remote access (RMM) and similar tools that are not using MFA, etc. that these may be of strategic interest to our adversaries."
Because MSPs have privileged access to its customer networks at any given time, successful cyber attacks against these companies can have devastating consequences.
This was illustrated in the massive supply-chain attack against Kaseya last summer. When Kaseya, which makes remote IT management software, was compromised by REvil ransomware actors, around 60 of its MSP customers were compromised in the process. But due to the nature of these providers, 1,500 of those MSPs' clients were also affected by the attack.
The advisory made a large number of recommendations to both MSPs and MSP customers. Overall, much of the advice is applicable to organizations both inside and outside the MSP ecosystem. For example, the agencies recommended applying multifactor authentication and strict authentication principles to networks, as well as managing internal architecture risks and deprecating obsolete accounts.
For MSP customers specifically, the joint advisory stressed understanding supply chain risks that stem from granting access to third-party vendors and subcontractors.
"Customers should also set clear network security expectations with their MSPs and understand the access their MSP has to their network and the data it houses," the advisory said. "Each customer should ensure their contractual arrangements meet their specific security requirements and that their contract specifies whether the MSP or the customer owns specific responsibilities, such as hardening, detection, and incident response."
Alexander Culafi is a writer, journalist and podcaster based in Boston.