Global cybersecurity agencies issue guidance to secure MSPs, their customers from cyber threats

Transnational cybersecurity agencies have warned organizations that recent reports show an increase in malicious cyber activity targeting managed service providers (MSPs), and that they expect this trend to continue. MSPs provide services that usually require both trusted network connectivity and privileged access to and from customer systems. Several organizations, ranging from large critical infrastructure organizations to small- and mid-sized businesses, use MSPs to manage ICT systems, store data or support sensitive processes.

“Whether the customer’s network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects,” according to a joint cybersecurity advisory released by the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI).

The advisory comes as part of wider efforts to protect organizations in the wake of Russia’s invasion of Ukraine, following high-profile supply chain attacks, including the SolarWinds compromise.  

The U.K., Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious hackers, including state-sponsored advanced persistent threat (APT) groups, to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships, the advisory said. “For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base,” it added.

The cybersecurity authorities have previously issued general guidance for MSPs and their customers. “This advisory provides specific guidance to enable transparent, well-informed discussions between MSPs and their customers that center on securing sensitive information and data. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community,” it added.

MSPs are entities that deliver, operate, or manage information and communications technology services and functions for their customers. They also make attractive targets for malicious actors, including nation-state actors, because compromising an MSP network allows for access to and compromise of the provider-customer trust relationships.

Apart from offering their own services, an MSP may offer services in conjunction with those of other providers. Offerings may include platform, software, and IT infrastructure services; business process and support functions; and cybersecurity services. MSPs typically manage these services and functions in their customer’s network environment, either on the customer’s premises or hosted in the MSP’s data center.

“This joint guidance will help MSPs and customers engage in meaningful discussions on the responsibilities of securing networks and data,” Rob Joyce, NSA cybersecurity director, said in a media statement. “Our recommendations cover actions such as preventing initial compromises and managing account authentication and authorization.”

“We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that,” Lindy Cameron, NCSC CEO, said in a statement. “Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk,” she added.

“I strongly encourage both managed service providers and their customers to follow this and our wider guidance – ultimately this will help protect not only them but organisations globally,” said Jen Easterly, CISA director. “As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it’s critical that MSPs and their customers take recommended actions to protect their networks.”

“We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organisations they support,” according to Easterly. “Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain,” she added.

“Managed Service Providers are vital to many businesses and as a result, a major target for malicious cyber actors,” according to Abigail Bradshaw CSC, head of the ACSC. “These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods. Effective steps can be taken to harden their own networks and to protect their client information,” she added. 

“We’ve seen the damage and impact cyber compromises can have on supply chains, managed service providers, and their customers,” Sami Khoury, head of the CCCS, said. “These compromises can result in costly mitigation activities and lengthy downtime for clients. We strongly encourage organizations to read this advisory and implement these guidelines as appropriate.”

“MSPs are typically given a lot of privileges on their customer networks. They can be a portal for attackers to get into victim networks such as what happened in the Kaseya attack,” Saumitra Das, CTO and co-founder, Blue Hexagon, wrote in an emailed statement. “Organizations that use MSPs should be vigilant about their MSPs’ security posture and assess the risk of what happens if the MSP software is compromised. Convenience often means the MSPs get a lot of privileges for remote maintenance and this convenience can increase the chance of a supply chain attack escalating into a victim network,” he added.

“Attackers are more and more targeting organizations that have a cascading effect, and one compromise allows them to gain access to a large number of organizations. Sunburst supply chain attack and now the MSP targeted attacks are some of the examples,” Aimei Wei, CTO and founder at Stellar Cyber, wrote in an emailed statement. “Implementing the measures recommended by CISA and following their guidance to harden the MSP environment and increase the security posture will greatly reduce the chances of getting compromised. It is especially critical for MSPs to be able to detect the attack early and stop it before it spreads and causes more damage,” Wei added.

In April, global cybersecurity authorities assessed that in 2021 malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets. Critical infrastructure owners and operators have been urged to remediate the top routinely exploited vulnerabilities identified in 2021, and to take appropriate action to mitigate risks.
