Hackers Target MSP Platforms
Hackers are now targeting Managed IT Services Providers (MSPs). They are spreading ransomware via the remote monitoring and management (RMM) platforms and cybersecurity consoles MSPs use to ensure their clients’ IT systems function reliably and securely. This has raised fresh cybersecurity concerns across the Managed IT Services Provider ecosystem.
How Did This Happen?
The attackers appear to have gained access to the Webroot cyber-security management dashboards that MSPs use to administer their clients' endpoints, and Kaseya's RMM software was also abused in the attacks.
Representatives from both companies report that the attacks relied on compromised account credentials and did not involve a breach of either vendor's own systems or data. Even so, one MSP paid the attackers more than $150,000 in bitcoin to recover, according to UBX Cloud.
Huntress Labs is helping to research and resolve the situation and reports that up to 200 hosts were encrypted. The good news is that this is a very small number compared with the number of client systems that MSPs manage.
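The pattern described above, a console login with stolen credentials followed by a push of ransomware to many endpoints through the RMM, leaves two distinct traces in an RMM or console audit log. The following is an added example, not code from Webroot, Kaseya, Huntress or the original article: it shows detection logic for both signals over a constructed audit log. The pipe-delimited field layout, the account names, the IP addresses and the "known IP" baseline are all assumptions made for the example and do not reflect any vendor's real log format.

```python
"""Detection rules for the two signals of RMM abuse described in the text:

  1. A console login that succeeded WITHOUT MFA from an IP address the account
     has never used before (stolen-credential access).
  2. One operator account pushing a script/procedure to many distinct endpoints
     in a short window (the mass deployment that precedes mass encryption).

Everything below is constructed for this example; the log format is invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one event per line:
# timestamp | event | user | source IP | mfa used ("yes"/"no"/"-") | target endpoint
SAMPLE_LOG = """\
2019-06-20T02:11:05Z|login|tech1@msp.example|203.0.113.7|yes|-
2019-06-20T02:12:30Z|run_script|tech1@msp.example|203.0.113.7|-|client-b-srv01
2019-06-20T02:14:40Z|login|admin@msp.example|198.51.100.23|no|-
2019-06-20T02:15:02Z|run_script|admin@msp.example|198.51.100.23|-|client-a-ws01
2019-06-20T02:15:03Z|run_script|admin@msp.example|198.51.100.23|-|client-a-ws02
2019-06-20T02:15:03Z|run_script|admin@msp.example|198.51.100.23|-|client-a-ws03
2019-06-20T02:15:04Z|run_script|admin@msp.example|198.51.100.23|-|client-a-srv01
2019-06-20T02:15:05Z|run_script|admin@msp.example|198.51.100.23|-|client-c-ws01
2019-06-20T02:15:05Z|run_script|admin@msp.example|198.51.100.23|-|client-c-ws02
2019-06-20T02:15:06Z|run_script|admin@msp.example|198.51.100.23|-|client-c-ws03
2019-06-20T03:30:00Z|login|tech2@msp.example|203.0.113.9|yes|-
2019-06-20T03:31:00Z|run_script|tech2@msp.example|203.0.113.9|-|client-b-ws04
"""

# Constructed baseline: IPs each account has previously logged in from.
# In practice this would be built from the last N days of successful logins.
KNOWN_IPS = {
    "tech1@msp.example": {"203.0.113.7"},
    "tech2@msp.example": {"203.0.113.9"},
    "admin@msp.example": {"203.0.113.7"},
}


def parse_log(text):
    """Parse the constructed pipe-delimited format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip, mfa, target = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "user": user, "ip": ip, "mfa": mfa, "target": target,
        })
    return events


def suspicious_logins(events, known_ips):
    """Logins that succeeded without MFA from an IP the account never used before."""
    hits = []
    for e in events:
        if e["event"] != "login":
            continue
        new_ip = e["ip"] not in known_ips.get(e["user"], set())
        if e["mfa"] == "no" and new_ip:
            hits.append((e["user"], e["ip"], e["ts"]))
    return hits


def mass_deployments(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts that pushed a script to >= threshold distinct endpoints within `window`.

    Uses a sliding window over each account's run_script events, sorted by time,
    and reports the largest number of distinct targets seen in any one window.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "run_script":
            per_user[e["user"]].append((e["ts"], e["target"]))
    alerts = []
    for user, pushes in per_user.items():
        pushes.sort()
        best, start = 0, 0
        for end in range(len(pushes)):
            while pushes[end][0] - pushes[start][0] > window:
                start += 1
            distinct = len({t for _, t in pushes[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts.append((user, best))
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for user, ip, ts in suspicious_logins(ev, KNOWN_IPS):
        print(f"ALERT login without MFA from new IP: {user} {ip} at {ts:%H:%M:%S}")
    for user, n in mass_deployments(ev):
        print(f"ALERT mass deployment: {user} pushed scripts to {n} endpoints")
```

On the constructed log, the admin account logs in without MFA from an address it has never used and then pushes a script to seven endpoints across two clients within four seconds, which trips both rules; the two technicians' single pushes do not. The threshold and window should be tuned to how many endpoints a legitimate patch job in your environment touches at once, and the second rule is worth running even where MFA is enforced, because it does not depend on how the account was taken over.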
What Precautions Are Being Implemented?
Webroot has now made two-factor authentication mandatory to prevent further compromises, after having encouraged customers to enable the Webroot Management Console’s built-in 2FA for some time.
Both Webroot and Kaseya report that they are closely monitoring the threat environment and taking proactive measures to protect their customers. Kaseya urges its customers to follow best practices for securing credentials and to rotate passwords regularly, noting that 80% of security breaches involve compromised credentials.
The FBI & Department of Homeland Security Warned That This Could Happen
The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about these types of attacks. They warned that hackers are attacking MSSPs (Managed Security Service Providers), MSPs and CSPs (Cloud Service Providers) as the weak link in a supply chain in order to reach their clients. DHS strongly advises that service providers lock down their systems and data.
What Are MSPs Doing To Protect Their Clients?
We asked a number of MSPs around the country how they are dealing with these attacks…
Keith Marchiano, VP of ICT at Kyocera Intelligence Mid-Atlantic
“At Kyocera Intelligence Mid-Atlantic, we put in the same measures for our clients that protect us, including:
- Dual factor authentication. For us to access our systems that monitor and manage our clients’ data, we implement dual factor authentication at each login. We also work with our clients to implement this same practice when they access their critical line of business applications.
- A password change policy through active directory by changing passwords every 90 days at the end user level and server level.
- Business Continuity Planning and implementation to allow recovery of any ransomware attacks. Our solution also includes ransomware detection and alerts us immediately to any issues so we can lock things down for our clients.
- Security Training for our clients and their employees along with “friendly phishing emails” to provide a baseline and determine if the company is improving and doing the training.
- Baseline security with anti-virus, anti-malware, and anti-spyware software. Also, cloud-based protection of the network to protect clients from employees inadvertently clicking on a malicious website.”
Tom Boyles, Owner of Alltek Services
“We have a layered approach for this.
- A Firewall with all the gateway services active to catch any new zero-day threats, and block all accessible ports from the outside.
- We utilize DPI (Deep Packet Inspection) for both SSL and non-SSL traffic.
- Enforce Windows Firewall and anti-virus/malware software.
- Require SSL-VPN (Virtual Private Network) connectivity for remote access.
- Enforce GEO-IP filtering to block the foreign bad actors.
- Require 2-factor authentication with complex passwords and password policies.
- Enforce GEO-IP filtering for email spam filtering, and we whitelist blocked entities when needed and vetted.”
Scott Clarke, Owner of Menark Technologies Inc.
“We concentrate on protecting the inner circle of our clients’ networks… meaning from the firewall down to the individual PC. We install SonicWall TZ firewalls and monitor them and make sure all firmware is up to date.
We provide enterprise anti-virus and security, along with anti-spyware software, to cover the entire network. This is all included in our one price unlimited support contracts. We give our clients what they need to keep their networks protected.”
Ilan Sredni, President of Palindrome Consulting, Inc.
“The attack on an MSSP provider makes a lot of sense, in particular, because the MSP holds the keys to the kingdom for many additional targets.
It is this exact topic that I just discussed at the United Nations last week. I believe we are at the very early stages of a silent digital epidemic, and people are choosing to look the other way instead of understanding what a great situation this is.
To protect ourselves and our clients, we continue to apply the three T’s, which are training, tools & testing. We offer continuous training in a variety of different methodologies in order to ensure our audience is knowledgeable on the variety of different ways that these types of attacks can get into a network.
Without going into the specific tools that we use, in particular, because they change as the threats become more advanced; we implement a variety of different proactive and reactive tools that help identify the threat, resolve the impact and restore the network back to full functionality. Amongst the tools that we use include our endpoint protection, advanced threat protection, artificial intelligence and machine learning, as well as state-of-the-art business continuity and disaster recovery solutions.
No matter how much training you have done for your staff or how advanced the tools might be, we must be realistic that the bad actors are trying to hack into our data. They are better funded and therefore are much more advanced and aggressive. We therefore continuously test the tools and the training to make sure there are no obvious issues.
The most important items on hand are still common sense and vigilance from everyone involved.”
Anthony Buonaspina CEO of LI Tech Advisors
“Hackers targeting MSPs was just a matter of time, and we knew that. We have been very proactive on this front since it was only a matter of time before hackers came around to start attacking the mother lode of cyber breaches.
Knowing that MSPs are responsible for many thousands of sensitive computer systems and are embedded deeply into their clients’ networks and systems, we always considered ourselves as a target for hackers and have always treated our networks, client networks and security with the utmost regard in safeguarding their networks and information.
Besides using strong and unique passwords for each service and client system, we 2-factor everything that allows multi-factor authentication, and we encrypt secure data for ourselves and our clients wherever possible. At a minimum, we make all our clients aware of this issue and stress the importance of increasing security.”
Scott Ostergard, President of NTConnections
“NTConnections has always maintained two-factor authentication. A single password isn’t enough. Additionally, NTConnections maintains cyber-security insurance to help protect both our clients and ourselves.”
Jason Simmons, VP from ICS
“Security is always a concern for MSPs. We address these items in the following manners:
- We keep our MSP software up to date with all security patches to ensure we cover any known vulnerabilities.
- We utilize dual authentication to ensure hackers cannot access our software even if they get a user’s password.
- Employ checklists and multiple audits by multiple people to ensure that ex-employees do not have access to the system.
- We perform third-party security scans on our environment to scan for possible vulnerabilities.
- We use IDS (Intrusion Detection System) monitoring to detect unwanted people within our network.
- We use cloud-managed firewalls, anti-virus and DNS (domain name service) management to prevent malware and viruses from penetrating the network and to detect them when they do. These items are kept up to date with the latest software to help prevent intrusions.
- And we always deploy… Patch management, patch management, patch management!”
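Several of the controls mentioned on this page (Kaseya's advice to rotate credentials, the 90-day password policies, mandatory 2FA, and ICS's audits for ex-employee access) reduce to a periodic check of who holds a console login and in what state. The following is an added example, not code from ICS or any other MSP quoted here and not a vendor tool: it audits a constructed export of console accounts against a constructed staff roster. The record layout, the account names and the roster are assumptions made for the example.

```python
"""Account-hygiene audit for an RMM or security console.

For every console account it checks:
  - is the owner still on the HR/AD roster (ex-employee or orphaned account)?
  - is MFA enrolled?
  - has the password exceeded the 90-day maximum age?
  - is an admin-role login reachable with weak or unowned credentials?

All data below is constructed; the export format is an assumption.
"""
from datetime import date

# Constructed export of console accounts (invented layout, not a vendor format).
CONSOLE_ACCOUNTS = [
    {"user": "alice@msp.example",      "role": "admin", "mfa": True,  "pw_set": date(2019, 5, 1)},
    {"user": "bob@msp.example",        "role": "tech",  "mfa": False, "pw_set": date(2019, 6, 10)},
    {"user": "carol@msp.example",      "role": "admin", "mfa": True,  "pw_set": date(2018, 11, 2)},
    {"user": "dave@msp.example",       "role": "tech",  "mfa": True,  "pw_set": date(2019, 6, 1)},
    {"user": "svc-backup@msp.example", "role": "admin", "mfa": False, "pw_set": date(2019, 1, 15)},
]

# Constructed HR/AD roster of current staff. Any console login not listed here
# belongs to an ex-employee or to a service account nobody owns.
ACTIVE_STAFF = {"alice@msp.example", "bob@msp.example", "dave@msp.example"}

MAX_PASSWORD_AGE_DAYS = 90


def password_age_days(pw_set, today):
    """Days since the password was last set."""
    return (today - pw_set).days


def audit(accounts, active_staff, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return {user: [finding codes]} for every account that violates a control.

    Finding codes are appended in a fixed order (roster, MFA, password age,
    privilege) so the output is stable and easy to diff between audit runs.
    """
    report = {}
    for acct in accounts:
        user = acct["user"]
        codes = []
        on_roster = user in active_staff
        if not on_roster:
            codes.append("NOT_ON_ROSTER")    # disable immediately, then investigate
        if not acct["mfa"]:
            codes.append("NO_MFA")           # a stolen password alone unlocks this login
        if password_age_days(acct["pw_set"], today) > max_age:
            codes.append("PASSWORD_EXPIRED")  # outside the 90-day rotation policy
        if acct["role"] == "admin" and (not acct["mfa"] or not on_roster):
            codes.append("ADMIN_AT_RISK")    # privileged login with weak or unowned creds
        if codes:
            report[user] = codes
    return report


if __name__ == "__main__":
    today = date(2019, 6, 21)  # constructed audit date
    for user, codes in sorted(audit(CONSOLE_ACCOUNTS, ACTIVE_STAFF, today).items()):
        print(f"{user}: {', '.join(codes)}")
```

Run against the constructed data with an audit date of 2019-06-21, the script is silent about alice and dave, flags bob only for missing MFA, and flags carol and the backup service account as off-roster admins with expired passwords, which are exactly the logins an attacker with a leaked password list would try first. The roster comparison is the part most often skipped in practice; the console's own user list is not a source of truth for who should still have access.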
Aaron Fox, CEO and Owner of Globalquest Solutions
“Enhanced Security is a priority for all MSPs, two-factor authentication and regular password changes is a must to ensure all of our clients are protected. Penetration and vulnerability assessments must be completed on a regular basis to ensure all security holes are closed.”
Alex Pirkhalo, President & Co-Founder of Infiniwiz
“We make sure we lock down all outside access to only machines that are provided by the company. No admin access is ever allowed. We always encrypt endpoints and require 2FA. All traffic is monitored 24/7 by a SOC (Security Operations Center).”
Joe Young, Founder and President of GDS Connect
“All of our internal systems require 2-factor authentication, including CRM, RMM, & Document Management platforms. Our CRM and our RMM are also tied via LDAP (Lightweight Directory Access Protocol) to our Active Directory, which requires complex passwords and expiration policies.
We have a Tiered Access Plan for permissions to all internal and client firewalls. We have strict change management policy for all our and client systems. We also conduct Risk Assessments, which includes Penetration Testing. We also require Annual Security Awareness Training for our employees.
Our email system is protected by an Anti-Virus/Anti-Spam/URL Filtering/Attachment Filtering System that utilizes sandbox technology that enforces attachment defense and URL defense. Lastly, all our endpoints have up-to-date virus protection. Most of our Managed Services clients utilize the same Platform.
Additionally, all our systems are backed up to a location geographically separated from our primary location now, and we can be back online in 15 minutes to an hour. We do a Disaster Recovery test every 8 weeks on our internal Systems.”
Jorge Rojas, Partner at Tektonic Inc.
“We have been using strong passwords and 2-factor authentication, to keep our accounts safe.”
Shane Kimbrel, VP of Data Magic
“We have a combination of solutions to protect ourselves and clients from hackers. We have multi-factor authentication for any software we access. We use a SPAM filter to take out the low hanging fruit. Then we make sure there is a solid backup platform with local virtualization and offsite storage.
We create procedures for password complexity and make sure they are set to expire. The best part of our Cyber Security Solution is a SOC (Security Operations Center) to monitor endpoints and firewalls for unauthorized access to any exposed devices like firewalls or servers and close down any unnecessary ports like RDP (Remote Desktop Protocol).
We use SentinelOne AV (anti-virus) which reports back to the SOC and leverages VSS Shadow Copy, which is built into Windows. In the event of an attack it will stop the process of encryption and roll back any encrypted files. This solution will also monitor access to a Microsoft Office 365 account. So if someone tries to log in to the Office 365 account outside of our geographic area, the account will be disabled and we are notified.
Finally, we have a $1,000 Insurance policy per infected PC up to $1 Million per network. There is not a single solution to fight this so you have to use a multitude of tools to protect against unauthorized access to a network.”
Was Your IT Service Company Affected?
If they were, you probably would have been alerted by now. Many have already taken action to shore up their own networks in order to protect their clients.
If you have any concerns, reach out to them. Also make sure that you regularly update your passwords and that you have a layered cyber-security defense in place, like the ones the experts above describe.