Managed service providers – the latest targets

28/Jun/2019

If you have outsourced elements of your IT to a managed service provider (MSP), you may be in for a shock. While MSPs offer a wide range of benefits – not least of which is cost – reports are coming in that cyber criminals are exploiting weaknesses in account credentials in the systems installed by MSPs.

The MSP phenomenon has been one of the success stories in the IT world over the last decade. In 2005, estimates valued the MSP sector at $44bn. By next year it could be worth half a trillion dollars. Inevitably, the emergence of such a valuable trend has attracted hackers, who are exploiting weak account credentials to gain access to systems installed by MSPs and launch ransomware attacks.

According to reports via Reddit, hackers have targeted customers via the remote monitoring and management tools provided by at least two companies – Webroot and Kaseya – in order to deploy the Sodinokibi malware.

Security company Huntress Labs found that attackers were targeting MSPs with the ransomware, exploiting remote desktop protocol (RDP) for initial access. In two incidents, after gaining admin privileges, the attackers then uninstalled Webroot and ESET software, as well as the endpoint-based backup software Veeam.

Another report found that Webroot’s management console was used to execute a PowerShell-based payload to download additional malware. Kaseya’s VSA was also used to deliver Sodinokibi in a separate incident.

The scale of the incident is not fully known, but Huntress Labs suggests it could affect thousands of clients. The affected MSP, which has not been named publicly, is being offered technical assistance from Huntress Labs’ CEO.

UBX Cloud, the company which originally created a thread about these reports, described the situation as “insanity” and suggested that several Kaseya customers were affected. Both Webroot and Kaseya have confirmed a portion of their customers have been infiltrated by threat actors, and have pointed the finger at inconsistent and lax password management. The integrity of their own products has apparently not been affected.

The rise of such supply chain cyber attacks was previously flagged by a National Cyber Security Centre (NCSC) report released last year. A large number of MSPs were subject to attacks in 2017, with the report suggesting that, when done well, these compromises are difficult and sometimes impossible to detect.

Find out more via the link.
