Top US law enforcement agencies have cautioned MSPs against targeted cyberattacks from malicious hackers. Along with other agencies from the Five Eye intelligence alliance, the FBI, CISA, and NSA released a joint advisory highlighting the threat of supply chain attacks. Such attacks target MSPs with the intent of compromising their customers, and other businesses down the supply chain.
Why protecting yourself from supply chain attacks is so important
The advisory highlights an increase in malicious cyber activity against MSPs in recent months, and warns that this trend is expected to continue.
All MSPs and MSP customers should take a note of this advisory. Especially the guidance it provides on securing their systems. This is important. Vulnerable and compromised MSPs pose significant risk to the businesses and organizations that they support. This is because MSP providers generally have trusted network connectivity and privileged access to and from customers. In addition, MSP services are used to support and manage computers, networks, ICT systems, and store sensitive data as well.
Threat actors can use this privileged access, and hack into customer networks. This in turn can be used to steal credentials, exfiltrate business data, install malware, and carry out ransomware attacks. The attack can continue down the supply chain as well.
Kaseya Cyberattack
One of the worst examples of such an attack was the Kaseya attack of 4th of July, 2021. During the 4th July weekend, the REvil ransomware gang, first, compromised Kaseya’s VSA software that is in use by MSPs across the globe. Then, they used the software to hack into MSP accounts. The attack filtered down to the MSPs’ customers as well. The privileged access was then used to install ransomware.
More than 1000 businesses globally were impacted by the Kaseya supply chain attack. Each of whom was demanded a ransom payment to unlock their systems by the ransomware gang.
Tactical Guidance against supply chain attacks
In lieu of this, you should look at the advisory, and the security guidance it provides. The guidance covers actions that you can take to protect yourself and your customers from cyberattacks. For instance, consider the suggested tactical actions that you can implement immediately. This includes
- Identify accounts that are no longer active, and disable them
- Put in place Multi factor authentication (MFA) for all MSP accounts that can access customers’ systems.
- Ensure your MSP contracts clearly identity the ownership of security roles and responsibilities
The document lists several security measures and operational controls that MSPs and businesses using MSPs should implement. Businesses should also ensure that they have contractual agreements with their MSPs forcing the service provider to put in place the necessary security.
Recommended measures and controls
Listed below, is the list of measures and controls recommended by the Five Eye advisory. You can find detailed information on these recommendations over CISA’s websites.
- Put in place systems and tools to prevent initial compromise
- Enable and improve the monitoring and logging processes
- Enforce MFA (multi factor authentication)
- Understand your inherent architectural risks and segregate internal networks as required
- Put in place systems based upon least privilege
- Disable accounts and MSP infrastructures that are no longer in use
- Keep your systems updated
- Regularly take back ups and test them regularly as well
- Be ready with your incident response and recovery plans
- Understand your supply chain risks and be prepared to mitigate them
- Put in place account authorization and authorization processes and policies, and adhere to them strictly
Once you go through the advisory, you’ll find action items for both your MSP and you as a customer, or vice versa, if you’re an MSP. Along with the advisory, CISA recommends few other documents that go in conjunction with it. This includes:
- NCSC-UK guidance on actions to take when the cyber threat is heightened
- CCCS guidance for Consumers of Managed Services
- CISA’s Shields Up webpage
- CISA’s Shields Up Technical Guidance webpage
In conclusion
In essence, the guidance provided in the advisory can help you, your customers and your MSPs to reduce the risk of falling prey to a cyber instruction. And this is important. Since December 2020, when the first reports of SolarWinds cyberattack filtered in, we have experienced a spike in supply chain attacks. The May 4 ransomware attack on Omnicell, a healthcare technology business might be one of the latest example of such attacks that target a technology service provider in order to compromise their customers.
Note: Along with the US CISA, NSA, and the FBI the Five eye intelligence alliance includes the UK NCSC, Australian ACSC, Canadian CCCS, and New Zealand’s NCSC as well. The May 11 advisory was joint advisory by these agencies.