Huntress: New Evidence MSPs Heavily Targeted by Hackers
The hacker boasted a high profit share, with only little left to do before exploiting the data.
Here’s the malicious hacker-recruitment ad that Huntress found translated to English:
Looking for a Partner for MSP processing.
I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1000+ servers.
All companies are American and approximately in the same time zone. I want to work qualitatively, but I do not have enough people.
In terms of preparation, only little things are left, so my profit share will be high.
Please send me a message for more details and suggestions.
This reiterates the message that MSPs are particularly vulnerable, said Huntress’ Harlan Carvey.
“They’re particularly an attractive target for threat actors, because as we saw in this particular case, accessing one organization gave them access to at least what they said were 50 or more additional customers,” he said. “So by compromising one organization and getting access, you could potentially have access to multiple potential victims, as well across a wide range of verticals. So it presents something of a target rich environment, if you will.”
In previous years, an actor or group of actors would perform the entire life cycle of an attack, Carvey said.
“What we’re seeing now, and I think this is what the ad really demonstrates, is a separation and specialization of skill sets and almost compartmentalization of skill sets,” he said. “We think that what we saw in that ad was what’s referred to as an initial access broker. So by breaking up the specialization, they’re able to monetize that access.”
The other aspect of this is it reduces the required skill sets to be able to get in and deploy ransomware or to steal data, Carvey said.
“Now the threat actor no longer has to say, ‘Well, I first of all have to do reconnaissance, and then I have to have’ what we generally refer to as penetration testing capabilities,” he said. “They don’t have to have that skill set. All they have to do is find a broker that has a menu of organizations. And all they have to do is pay the initial access broker and they have access.”
MSPs can protect themselves and their customers by practicing basic cyber hygiene: sound password practices, patching systems and defining roles with least privilege, Carvey said. Applying multifactor authentication (MFA) also helps.
“I think a big step is understanding your asset inventory and not just from a physical perspective, like how many systems do we have out there,” he said. “It’s very, very important to understand what’s running on each of those systems.”
As part of a business continuity plan, it’s important to have verified backups and to make sure they’re offline, Carvey said.
“I can point to multiple organizations that I’ve been engaged with where they would say, ‘We’ve got six months of backups’ and you go get a tape, you take a look at it and it’s completely blank,” he said. “So you want to make sure you verify your backups, keep them offline and keep them accessible.”
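One way to make that verification routine rather than a manual tape check, as an added illustration that is not part of Huntress' advice or the original article: record a SHA-256 manifest when the backup is written, store it apart from the media, and on every check confirm that the archive exists, is not zero bytes, matches the manifest, and can actually be read member by member. The archive, file names and manifest below are constructed sample data in a temporary directory.

```python
"""Added example (not Huntress' or the article author's code): verify that a
backup archive exists, is non-empty, matches a recorded SHA-256 manifest and
can be read end to end. All paths and contents are constructed sample data."""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(archive_path, manifest_path):
    """Record the archive digest at backup time (keep the manifest off the backup media)."""
    with open(manifest_path, "w") as m:
        m.write(f"{sha256_file(archive_path)}  {os.path.basename(archive_path)}\n")


def verify_backup(archive_path, manifest_path, min_members=1):
    """Return (ok, reason). Catches the 'blank tape', tampering and corrupt archives."""
    if not os.path.exists(archive_path):
        return False, "archive missing"
    if os.path.getsize(archive_path) == 0:
        return False, "archive is empty (blank media)"
    expected = None
    with open(manifest_path) as m:
        for line in m:
            digest, _, name = line.strip().partition("  ")
            if name == os.path.basename(archive_path):
                expected = digest
    if expected is None:
        return False, "no manifest entry for archive"
    if sha256_file(archive_path) != expected:
        return False, "checksum mismatch (modified or corrupt)"
    try:
        with tarfile.open(archive_path, "r:gz") as t:
            members = t.getmembers()
            # Read every file body, not just the headers, so a truncated payload fails here.
            for member in members:
                if member.isfile():
                    t.extractfile(member).read()
    except (tarfile.TarError, EOFError, OSError) as e:
        return False, f"unreadable archive: {e}"
    if len(members) < min_members:
        return False, "archive contains no files"
    return True, f"ok: {len(members)} members"


def make_sample_backup(directory):
    """Constructed sample: a small tar.gz with two files, plus its manifest."""
    archive = os.path.join(directory, "customer-a-2022-07-18.tar.gz")  # hypothetical name
    with tarfile.open(archive, "w:gz") as t:
        for name, data in (("etc/hosts", b"127.0.0.1 localhost\n"),
                           ("srv/db.sql", b"CREATE TABLE t(x);\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    manifest = os.path.join(directory, "MANIFEST.sha256")
    write_manifest(archive, manifest)
    return archive, manifest


def demo():
    """Run the check against a good archive, a tampered one and a blank one."""
    with tempfile.TemporaryDirectory() as d:
        archive, manifest = make_sample_backup(d)
        good = verify_backup(archive, manifest)
        with open(archive, "ab") as f:          # simulate silent modification
            f.write(b"\x00")
        tampered = verify_backup(archive, manifest)
        open(archive, "wb").close()              # simulate the "completely blank" tape
        blank = verify_backup(archive, manifest)
        return good, tampered, blank


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Run it on a schedule against the restored copy of each backup set, and treat any non-ok result as an incident rather than a warning; a manifest that lives on the same media as the archive verifies nothing if that media is wiped.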
The alert from all Five Eyes countries said threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. They expected malicious cyber actors — including state-sponsored APT groups — to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity, such as ransomware and cyber espionage, against the MSP, as well as across the MSP’s customer base.
Huntress has discovered fresh evidence that MSPs remain an attractive supply chain target for hackers.
Huntress researchers discovered an ad posted on July 18 on the exploit[.]in forum by a user with the name “Beeper” looking for a partner to help process stolen data from more than 50 MSP customers, more than 100 VMware ESXi hosts and more than 1,000 servers. The hacker boasted a “high profit share,” saying little remained to be done before the data could be exploited.
Huntress’ discovery comes shortly after a May 11 joint warning from all Five Eyes countries (Australia, Canada, New Zealand, the United Kingdom and the United States) urging MSPs to prepare for malicious hackers and advanced persistent threat (APT) groups to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships.
Harlan Carvey is Huntress’ senior incident responder for research and development.
“The ad appeared in Russian,” he said. “When the Russian was translated into English, it was pretty clear that somebody had gained access to what they described as an MSP. And it appears that they had access to the customer management portal or something similar, and were able to identify up to 50 customers. Apparently there was extensive use of virtualized systems as well. And it appeared on the surface that this threat actor was looking for assistance. Specifically, what kind of assistance wasn’t clear. If they were looking to take advantage of it or to do some additional work. But it seemed that they were looking for some help and then directed folks to reach out through direct messaging.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.