APM IT Alert: Some Service Provider networks have been compromised and that can spell serious problems for your business.
If your Service Providers has been compromised, your data may be in the control of cybercriminals, not your provider. This is an active and ongoing concern.
In the past two weeks, there has been a noticeable spike in crypto ransomware distribution exploiting a common Remote Monitoring and Management tool widely used by Managed Service Providers and IT Departments. The result is likely thousands of malware-encrypted servers and PCs, shutting down businesses, while their data is being held for ransom. Effectively once a hacker gains access to the MSP infrastructure they have the keys to the kingdom and can run the system as their own command and control infrastructure to deliver malware, steal and exfiltrate data, hold systems or ransom and destroy or delete data.
Hackers have targeted Managed IT Service providers in the past two years at a very high rate. They have realized, by attacking a Managed IT Provider and gaining control over their respective infrastructure and management tools, they can effectively gain control of dozens, hundreds or thousands of company’s data all from on convenient command system. Hackers at that point become super admins in previously legitimate management systems. From this point they can proceed to perform data exfiltration, data destruction and pretty much do absolutely anything they want to those business digital assets. At any point of [the hackers] choosing, with a couple of clicks, they can then deploy crypto-ransomware to hundreds or thousands of devices and clients and bring businesses to their knees. There are dozens of documented, but potentially obscured, cases involving this type of attack and exploit by cybercriminals. Recently, there has been a spike in the distribution of crypto-ransomware which is shutting down the operation of businesses, while the business data is held encrypted for massive ransom fees. An exploited MSP with encrypted client systems even came to my attention this week, within only a few miles from my Philadelphia area office.
In large part, there is one specific vulnerability that is currently the subject of mass exploit. The vulnerability was discovered in the summer of 2017 and providers were quickly notified by the software manufacturers to address and patch the issue with patches released by the respective companies. Many MSPs did not address the issue and in turn their systems may have been compromised. MSPs are known to have been targeted by cyber espionage groups, since at least 2017, and it is very likely that low hanging fruit such as blatant and easy to use vulnerabilities, have been quickly and easily exploited.
This brings up a long list of questions and concerns clients should have about the MSP they pay to secure their networks. Is the MSP following all the best practices they may or may not be evangelizing to their clients? If the MSP is not evangelizing security best practices, are you to believe they are following practices they never mention in a consulting conversation? How secure is your MSPs infrastructure? Does the MSP vigilantly maintain their infrastructure with the latest application and security software? Does the MSP maintain their license agreements with vendors to ensure they are always running the latest and most secure release of software? Is the MSPs own management infrastructure old and outdated? These are critical questions. Is it possible that a large provider loses a handle on their security framework? Is it possible that a small provider is cutting corners to save money to offer clients better pricing? At what cost does better pricing come? Is it at the cost of all your organization’s data being lost? Is it at the cost of your data being encrypted and at the cost of your business going out of business?
Is your business being put at risk by the very folks you trust with your most critical assets? These are tough questions to face, but it is undoubtedly the present reality in the Managed IT Services realm. Does your provider practice what they preach? Do they even preach it?
In addition to the questions I just presented, here are a few more unasked questions that I might bet have not come up during conversations with your MSP or “vCIO”. Give them a whirl and see what you find:
1. Does your MSP use a Privileged access management system? How does your MSP store and access your passwords and in turn your IT infrastructure systems?
(Hint most managed service providers don’t have a privileged access management system in place folks. Such a system is not cheap, nor easy to implement. And using one requires rigor, discipline, standards and procedures to implement and use correctly.)
2. Are our passwords stored in an encrypted, protected and audited system?
3. How does your MSP access the infrastructure that they use to manages your cloud services, applications, devices, servers and other infrastructure including providing helpdesk services? How do they maintain and secure this powerful infrastructure?
4. Does your MSP use MFA to access any and all of your internet accessible applications?
(Hint – many providers I have spoken with don’t, last I checked, including one that has been bought and sold for $150-200 million dollars. I am serious, I have spoken with some of employees and principals, but off the record of course. I find it shocking. MFA is not by any stretch an end all be all solution; it can be hacked and that is well documented. However, it is a relatively easy security control. If an IT organization does not use MFA, they simply do not take security seriously and probably will be easily hacked without it.
5. What other measures, firewalls, security practices, standards and procedures does your MSP follow to ensure the continuity, integrity and availability of your data and technology services?
(Hint: Managing operating system patches, maintaining endpoint antivirus and providing helpdesk support is not the answer. That is level 1 support. While those services are important, the responsibility of an MSP is much greater than that.)
And there are many, many other questions. Those are just a handful your MSP probably never brought up. Reason being is they have not addressed those concerns in large part and have their head in the sand while they claim to be securing your technology assets in some marketing material. Again, I have first-hand knowledge of this fact, and have been especially shocked by what I have found speaking employees and principles of very well-known and large service providers locally and nationally that have not even addressed these most basic and vulnerable concerns.
In conclusion, I do want to add that, no system is 100% secure and if a hacking organization puts enough resources towards a target, they will usually find a way to get into their target. My organization has flaws in its security practices as does every single organization from your local bank to the NSA. However, in reality, hacking and cybercrime groups are looking to get data and make money in the easiest, most scalable and profitable way possible. When system access and exploits are left exposed, those will be targeted and compromised first and foremost. Also, any Managed Service provider system left open for easy access by cybercriminals will be or, more likely, already has been compromised. Many MSPs simply do not practice what they preach. And often even what they preach is not even close to baseline security requirements of today’s digital age. And when it comes to small companies that rely on MSPs, they especially push back on strong security standards; I know this, I experience it every single day. MSPs and their customers need to take technology security much, much more seriously and understand what exposures they have and ensure they are truly putting the proper effort and investment into securing their systems from cybercriminals and hacking organizations.
References:
This “op-ed” was fueled by and references the following information:
1. The ongoing exploits by cybercriminals of CVE-2017-18362 - https://nvd.nist.gov/vuln/detail/CVE-2017-18362
2. Local MSP hacked and all clients Cryptolocked
https://www.reddit.com/r/msp/comments/ani14t/local_msp_got_hacked_and_all_clients_cryptolocked/
3. Nine Global MSPs hit in APT10 attack
https://www.zdnet.com/article/at-least-nine-global-msps-hit-in-apt10-attacks-acsc/
4. Chinese Hackers targeted firms through IT MSPs
https://www.computerweekly.com/news/450416203/Chinese-hacking-group-targeted-firms-though-IT-MSPs
5. What if your MSP gets hacked?
https://smartermsp.com/ask-msp-expert-msp-gets-hacked/
6. Chinese hacked HPE, IBM and then clients
https://www.cnbc.com/2018/12/20/china-hacked-hpe-ibm-and-then-attacked-clients--sources.html
7. And then there is this for comic relief if you read this far. Google internet security chief says not to worry, lol. https://www.cnbc.com/2019/02/09/google-infosec-head-heather-adkins-ignore-scare-stores.html
8. Contradicting Google Security Chief, Google pays millions for hackers to discover security flaws
The way most companies, including MSPs are hacked, is through disregard of good security practices. The way this exploit has exploded on the scene is by a combination of attackers targeting MSPs and some MSPs grossly lacking in good IT security practices. Is it possible that the very company you pay to secure your own network has not secured the network that manages your network? Crazy right?
Written by Aleks P. Mednis
APM Systems