Acronis warns MSPs to check tools sitting on their networks

Security player has seen a trend for cyber criminals to install their own clean software monitoring tools to deepen their visibility of a victim’s infrastructure

Cyber criminals are targeting managed service providers (MSPs) to gain access to a wider number of victims in the supply chain.

Recent research from Acronis has highlighted the trend of MSPs being in the sights of criminals and urged more visibility of systems to prevent some malicious actions going unnoticed.

One of the methods used by criminals is to install their own help desk tools, which appear legitimate on the network, to monitor activity across the MSP network.

Candid Wuest, vice-president of product management at Acronis, said that going after MSPs was one of the major trends across the security landscape.

“We see that attackers specifically go after service providers or managed service providers, trying to hijack their infrastructure, because many of those might have 10 to 100 small and midsize businesses that they manage. So, if the attackers get in, there’s a lot of attacking possibilities,’ he said.

Wuest added that there are dangers in assuming that all applications on a network have been put there legitimately.

“[Cyber criminals] can even misuse any of the installed applications – remote monitoring tools, professional service automation tools, PSA tools – to then deploy their own ransomware or other malware,” he said.

“We see that even if they don’t have anything like this installed, they will install their own legitimate application, like [a desktop monitoring tool] or any other remote monitoring tool is often installed. They’re legitimate, they’re clean, but of course they can be abused by the attackers,” he added.

Wuest advised MSPs to take a close look at what applications were sitting on the network and to be prepared to ask questions about their legitimacy.

“Do you actually, as a company, monitor for security or administrative tools, which are clean and legitimate, but shouldn’t be in your environment? For that, of course, you need to have the visibility you need to have the kind of overview and the software inventory to know what’s happening inside your organisation,” he said.

The firm tracks threats and has seen the volume of malware hit 300,000 new samples on any given day, with many of those threats only hanging around for a 48 hours to make it difficult for traditional tools to log the threats and block them.

“Each of these [malware] samples on its own usually lives less than two days. So, that’s from the first time that we see a specific variant with a specific given hash value, till the last time we see it in our telemetry, meaning they’re usually quite short lived. If you just go by the traditional signature-based detections, you might be too slow in catching up,” said Wuest.

The vendor also cautioned that phasing emails were taking advantage of AI tools and large language models to translate their messages to convince users to interact with more customised attacks.

“We can generate hundreds of different text messages in different languages. We, for example, have even seen phishing emails in Swiss German, the local dialect here in Switzerland, where I’m based, which normally no bank would send you an email in Swiss German, but it’s easy to automate this. We also see that information is used to kind of personalise those attacks,” said Wuest.

Last month, the vendor improved the protection it could offer users with the launch of  Cyber Protect 16, which integrates backup, disaster recovery, cyber security, and remote endpoint management.

Read more on Managed IT Services