Cyberattacks involving compromised Managed Service Providers (MSPs) are on the rise according to a recent warning sent to private sector and government organizations by the US Secret Service.
MSPs are a particularly attractive target since a single MSP can service a large number of customers and cybercriminals use this to their advantage to launch attacks against multiple companies through the same vector.
In a security alert sent out last month, Secret Service officials said that their Global Investigations Operations Center (GIOC) had observed cybercriminals using compromised MSPs to launch attacks against PoS systems, to carry out business email compromise (BEC) attacks and to deploy ransomware.
Attacks against MSPs surged in 2019 when ransomware gangs including GandCrab and REvil began targeting them as a way to infect their customers.
According to a report from the threat intelligence firm Armor, the company revealed that it had identified at least 13 different MSPs which were hacked in 2019 in order to deploy ransomware on the their customers’ networks.
The Secret Service also provided best practices for MSPs and MSP customers to follow to avoid falling victim to an attack in its security alert.
The US federal agency recommends that MSPs have a well defined SLA, ensure remote administration tools are patched and up to date, enforce least privilege for access to resources, have well defined security controls, perform data audits and proactively conduct cyber training and education programs for their employees. At the same time, the Secret Service recommends that MSP customers audit SLAs and their remote administration tools, enable two-factor authentication for all remote logins, restrict administrative access during remote logins and utilize a secure network and system infrastructure.