MSPs A Tantalizing Target As Major APT Group Ups Number Of Attacks

Managed service providers are being targeted by a major APT group, a recent report said, as they serve as a third-party vector of attack into end-target customer accounts.

The report, by the National Cyber Security Centre, BAE Systems and PricewaterhouseCoopers UK, found that China-based hacking group APT10 has been targeting managed service providers and others with "common as well as custom malware."

A blog post by BAE Systems said MSPs offer a tantalizing target for attacks because while they offer a way for companies to enable their businesses around technology, the "network connectivity which exists between MSPs and their customers also provides a vector for attackers to jump through."



"Successful global MSPs are even more attractive as they become a hub from which an intruder may access multiple end-victim networks," the blog post said. The post said the firms have been tracking attacks at "several major MSPs" since late 2016, attributing them to the APT10 group. It said activity by this group increased in the middle of last year.

FireEye also issued a blog post following the PwC and BAE Systems report, saying its own iSight threat intelligence had seen a "resurgence" in APT10 activity in June 2016, targeting universities, construction, engineering, aerospace and telecom firms. It said it had also seen APT10 activity at "multiple IT service providers worldwide."

FireEye said APT10 seems to be using spearphishing attacks and "accessing victims through global service providers," which it said have access to customer networks, so that traffic and data exfiltration passing through them is likely deemed benign. The PwC and BAE Systems report said it is also seeing malware and spearphishing as the main attack tactics used to target MSPs.

"We believe these companies are a mix of final targets and organizations that could provide a foothold in a final target," FireEye said in its blog post. "APT10 is a threat to organizations worldwide. Their abuse of access to service provider networks demonstrates that peripheral organizations continue to be of interest to a malicious actor – especially those seeking alternative angles of attack," it said.

Stephen Boyer, CTO of Cambridge, Mass.-based BitSight, which offers a way for companies to evaluate their third-party risk, said he is seeing third-party attacks "continuing to go up," especially as companies look to outsource more of their data and operations. He said MSPs and VARs are one such third-party attack vector, one he said is particularly appealing to attackers because of their extensive supply chain and list of clients, services and access to systems.

"I only need to get one [attack to work to get access to all of these clients]. … That’s why it's so juicy," Boyer said.

It's a concern solution providers themselves also have.

"We think a lot about it. Even today we saw some unique stuff coming at us that we acted on," said Justin Kallhoff, CEO of Infogressive, a Lincoln, Neb.-based managed security services provider.

Kallhoff said his business works to protect itself from being a third-party vector of attack to its clients. He said MSPs are "just as susceptible as everyone else" to attack but pose a "target-rich environment" for attackers, with admin-level access to dozens or hundreds of clients. On top of that, he said MSPs are often small businesses and aren't as focused on security, focusing instead on tickets and operational efficiency.

"I think that’s a really smart move by attacker groups and it should be really scary to the world, especially to MSPs," Kallhoff said. "A lot of MSPs are small businesses. They're not huge, so they lack the enterprise resources. It’s a crime of opportunity," he said. Kallhoff said he sees more MSPs turning to partner with MSSPs, as a result, to keep pace with client security demands, which he said have been driven up drastically by the recent wave of ransomware attacks.