
Ransomware has MSPs in its sights

Peter Geytenbeek, senior manager of channels EMEA at Thycotic, shares a warning about the need for managed service providers to take their own security seriously

Cyber criminals will look for any vulnerability to infiltrate a corporate IT network. If they can’t attack an organisation directly, they will try getting in through the back door via the supply chain. Among the possible partner targets, the most valuable to any attacker is the managed services provider (MSP).

MSPs hold the keys to their clients’ kingdoms, particularly credentials. If an attacker gets hold of an MSP’s client credential database, they may gain instant access to thousands of businesses’ systems in one fell swoop. It goes without saying that an MSP suffers huge reputational damage when this happens, damage from which it may never fully recover.

MSPs in the crosshairs

Ransomware is a top attack method. Cyber criminals use it to encrypt systems and, increasingly, to exfiltrate data first so that they can threaten to leak it. In the case of an MSP, the intrusion starts on the MSP’s own network and, if successful there, may then spread to client systems.

MSPs are a prize target because they are a gateway to many – sometimes hundreds – of business networks. Threat actors also know the pandemic has placed them under pressure to continue delivering services 24/7, even though many employees are now having to work from home.

Their hope is that MSPs simply did not have the time to check security precautions as thoroughly as they would wish in the rush to avoid disruption to services.

At the end of May 2020, IT services giant Conduent suffered a ransomware attack against its European operations. While the MSP claimed that disruption was minimal, having restored most systems within eight hours, this highlights a growing trend of threat actors hitting MSPs with ransomware.

Further, while services were back up and running, it also appears that the attackers – believed to be the Maze ransomware group – managed to exfiltrate data, posting stolen customer audits on their dark web leak site.

The Maze group was also responsible for a ransomware attack against Cognizant in April, with the MSP estimating that it has lost up to $70m in various costs clearing up the incident. While the attack did not affect any customers, many were reported to have suspended their Cognizant services as a result.

Threat actors know that infiltrating an MSP and then encrypting all of its customers’ data can be very profitable. To stay in business, an MSP would have to resolve a wide-ranging ransomware attack rapidly or risk losing all of its customers.

For all their IT expertise, MSPs are as vulnerable to attack as any other business. Threat actors will probe for weaknesses to exploit: unpatched software, remote desktop protocol (RDP) services left exposed to the internet, unsecured Amazon Web Services (AWS) S3 buckets, or plain old-fashioned phishing.

Once inside the network, an intruder can go undetected for weeks, which is plenty of time to harvest credentials and deploy ransomware or other malware. One effective way to stop an attacker moving from the MSP’s own network into those of its clients is to deploy privileged access management (PAM).

Use secure cloud vaulting to protect remote workers

Like most of the working population, MSP technical staff have found themselves having to work from home.

To effectively service their client accounts, IT professionals need access to client credentials and privileged accounts. These are usually stored in a vault deep within the MSP network in a bid to stop unauthorised access from outside.

Yet this hampers technical staff working remotely, who must stay connected to the MSP’s internal network over a virtual private network (VPN) and contend with the routing and security overhead that entails.

To save time and effort, administrators might keep credentials on their own systems locally, or reuse passwords to avoid having to remember several. These are clearly huge security risks. 

To combat devastating attacks such as ransomware, PAM helps MSPs to further secure, manage and monitor access to their privileged accounts and those of their clients.

According to Gartner, PAM is top of mind for every chief information security officer (CISO) wanting to harden the security posture of their organisation. Implementing PAM removes the need for client technicians to store passwords locally, because all credentials are kept in a secure cloud vault and encrypted at rest (typically with AES-256).

In fact, IT admins do not even need to see the credentials. Software-as-a-service (SaaS) offerings can fetch them from the vault and inject them directly into a Secure Shell (SSH) or RDP session. The vault can also be connected to identity management tools or Active Directory to enforce role-based access control, so that each level of user gets only the functionality it needs.

PAM does more than secure passwords in a vault: it also helps MSPs provide the documentation their customers need, which is often mandatory under local regulations or for compliance reasons. With PAM, an MSP can show each customer exactly who had access to what, and when.
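As an added example, not code from the article or from Thycotic’s product, the following Python sketch models the brokered access the last two paragraphs describe: a vault that holds per-client credentials, role-based access derived from an identity source, a session broker that hands the credential to an SSH connector without ever returning it to the technician, and an audit trail and access report that answer “who has access to what, and when”. The in-memory store, the role names, the hosts, the sample passwords and the simulated SSH connector are all constructed for the example; a real deployment would keep the secrets encrypted at rest and the audit log append-only.

```python
"""Toy PAM vault: brokered credential checkout, role-based access, audit trail.

Added illustration only. The store, roles, hosts, passwords and the
fake SSH connector are all assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


class PermissionDenied(Exception):
    """Raised when a user asks for a client account their roles do not cover."""


@dataclass(frozen=True)
class AuditEvent:
    when: str      # ISO-8601 UTC timestamp
    user: str
    client: str
    account: str
    granted: bool  # False for a refused request, which is still recorded


# A connector receives (host, account, password) and returns an opaque session id.
Connector = Callable[[str, str, str], str]


class PamVault:
    def __init__(self) -> None:
        self._secrets: dict[tuple[str, str], tuple[str, str]] = {}  # (client, account) -> (host, password)
        self._roles: dict[str, set[str]] = {}                      # user -> roles (from AD/IdP)
        self._grants: dict[str, set[tuple[str, str]]] = {}         # role -> {(client, account)}
        self.audit: list[AuditEvent] = []

    # --- administration ---------------------------------------------------
    def store(self, client: str, account: str, host: str, password: str) -> None:
        self._secrets[(client, account)] = (host, password)

    def assign_role(self, user: str, role: str) -> None:
        self._roles.setdefault(user, set()).add(role)

    def grant(self, role: str, client: str, account: str) -> None:
        self._grants.setdefault(role, set()).add((client, account))

    # --- authorisation ----------------------------------------------------
    def permitted(self, user: str, client: str, account: str) -> bool:
        return any((client, account) in self._grants.get(role, set())
                   for role in self._roles.get(user, set()))

    # --- brokered session -------------------------------------------------
    def open_session(self, user: str, client: str, account: str, connect: Connector) -> str:
        """Pass the credential to the connector; the caller only gets a session handle."""
        granted = self.permitted(user, client, account) and (client, account) in self._secrets
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     user, client, account, granted))
        if not granted:
            raise PermissionDenied(f"{user} may not use {account}@{client}")
        host, password = self._secrets[(client, account)]
        return connect(host, account, password)

    # --- evidence for customers -------------------------------------------
    def access_report(self, client: str) -> dict[str, set[str]]:
        """Which users can reach which accounts of this client, derived from roles."""
        report: dict[str, set[str]] = {}
        for user, roles in self._roles.items():
            for role in roles:
                for c, a in self._grants.get(role, set()):
                    if c == client:
                        report.setdefault(user, set()).add(a)
        return report

    def audit_for(self, client: str) -> list[AuditEvent]:
        return [e for e in self.audit if e.client == client]


def fake_ssh(host: str, account: str, password: str) -> str:
    """Stand-in for a real SSH launcher: consumes the password, returns only a handle."""
    assert password  # a real connector would authenticate to the host here
    return f"ssh-session:{account}@{host}"


def build_demo_vault() -> PamVault:
    """Constructed sample data: two clients, two technicians, one role each."""
    v = PamVault()
    v.store("acme", "root", "10.0.1.5", "correct horse battery staple")
    v.store("globex", "administrator", "10.0.2.7", "hunter2-but-longer")
    v.grant("acme-tech", "acme", "root")
    v.grant("globex-tech", "globex", "administrator")
    v.assign_role("alice", "acme-tech")
    v.assign_role("bob", "globex-tech")
    return v


if __name__ == "__main__":
    vault = build_demo_vault()
    print(vault.open_session("alice", "acme", "root", fake_ssh))
    try:
        vault.open_session("alice", "globex", "administrator", fake_ssh)
    except PermissionDenied as err:
        print("denied:", err)
    print(vault.access_report("globex"))
    for event in vault.audit_for("acme"):
        print(event)
```

The design point is that `open_session` never returns the password: the technician receives a session handle, so there is nothing to copy to a local file or reuse elsewhere, and every request, refused or not, lands in the audit log that `audit_for` and `access_report` turn into the per-customer evidence the article describes.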

Collaboration is key

As more businesses face the new reality of having their workforce operating remotely, they will be turning to MSPs to keep operations running normally. MSPs, in turn, have much to gain from partnering with specialist security tool vendors and deploying them in their own networks.

It’s a win-win scenario. Customers will be confident their MSP is protecting them against direct attacks while their network is secured from supply-chain related threats.
