The United States Secret Service issued an advisory warning of an increase in cyberattacks against managed service providers (MSPs) in an effort to compromise companies using their services.
MSPs are companies that offer security services to other organizations, usually managing the IT infrastructure remotely. They also have a portfolio with numerous clients, prompting attackers to target MSPs as they seek to compromise multiple organizations at once.
MSPs are usually compromised through their own tools, which range from open-source software to enterprise applications. Bad actors will target these applications and their vulnerabilities, allowing them to move up the chain inside the managed organizations' IT infrastructure.
Some attacks that use this vector include point-of-sale intrusions, business email compromise (BEC) and various ransomware attacks. One of the latest victims is the US-based Xchanging MSP, and their attackers are still unknown.
The United States Secret Service has also issued some advice for both MSPs and their clients. MSPs should have a well-defined service-level agreement, make sure all their remote administration tools are patched and up to date, enforce least privilege for access to resources, and use well-defined security controls that take into account end users' regulatory compliance.
MSPs should also undergo annual audits, follow local, state, and federal data compliance standards, and conduct cyber training and education programs for employees.
Not surprisingly, MSP customers have their share to do. At the very least, organizations managed by MSPs should audit service-level agreements, audit remote administration tools used in their environment (ensuring that the latest versions are used at all times), and enforce two-factor authentication for all remote logins. It's also a good idea to restrict administrative access during remote logins, deploy a secure network and system infrastructure, and train employees to be wary of possible cyberattacks.