Government Agencies Warn MSPs To Prepare For More Attacks

'The United Kingdom, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships,’ said the joint cybersecurity alert from the five countries.

International and U.S. cybersecurity authorities said Wednesday that they are aware of recent reports observing an increase in “malicious cyber activity targeting” MSPs and warned that they expect it to continue with stepped-up attacks on MSPs.

The United Kingdom, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities –including the FBI, National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) - said they “expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships,” according to a newly released alert issued jointly by cybersecurity officials from the U.S., United Kingdom, Australia, Canada and New Zealand.

“Whether the customer's network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects,” said the alert. “The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base.”

The 14-page document includes what may well be the most detailed prescriptive steps MSPs and their customers should take to stop the bad actors from what the authorities are calling threat actors who are “targeting MSPs” to access customer networks.

Among the steps government authorities are advising MSPs to take are to: identify and disable accounts that are no longer in use, enforce multifactor authentication on MSP accounts that access the customer environment, monitor for unexplained failed authentication and finally ensure MSP customer contract transparently identify ownership of security roles and responsibilities.

The alert advises all “organizations—whether through contractual arrangements with an MSP or on their own—should implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting.”

The alert comes just six days after ThreatLocker issued a security alert warning MSPs of a sharp increase in ransomware attacks using remote management tools.

That ThreatLocker alert was met with statements from threat researcher Huntress, security behemoth Sophos and MSP platform providers Kaseya and ConnectWise that they had not seen any widespread coordinated MSP ransomware attacks in recent days.

Huntress, which last week said it had not seen “a spike in critical incidents or ransomware activity” based on an analysis of 1.4 million endpoints it has supported in April representing 3,000 MSPs, said the MSP alert should not be interpreted as a “cause for alarm.”

“We are happy to see this messaging from CISA as this alert does contain great recommendations for bolstering MSP security,” said John Hammond, a senior security researcher at Huntress, in a prepared statement for CRN. “This alert should NOT (sic) be interpreted as any cause for alarm, but it is very encouraging that we are seeing CISA shine the spotlight on cyberthreats targeting managed service providers.”

Hammond said MSPs have been doing “a portion of these recommendations: for years. In fact, he said, MSPs “genuinely sell security as part of their own offering — but it’s a strong reminder that they need to take cybersecurity as seriously as their customers do.”

Huntress and the cybersecurity community as a whole, Hammond said, have been “continuously advocating for defense in depth, constant monitoring and logging, access controls and least privilege” as well as the other protections included in alert. “Seeing the same backing from CISA is a clear indicator that the industry is improving and we are creating a safer landscape together,” he said.

Chester Wisniewski, principal research scientist for Sophos, told CRN in an email response that such joint advisories “are not driven by specific intelligence,” but rather “observed scanning, probing or attacks against a set of targets” who have something in common like MSPs. He said MSPs are ripe targets as they often hold the keys to the kingdom for many organizations and “frequently have not deployed multi-factor authentication (MFA) nor employed a least privilege model” to protect their clients from internal staff credential compromise.

“Based on past advisories, I would read this to mean they are observing heightened interest and scanning activity focused on MSPs and that if there are exposed unsecured remote access (RMM) and similar tools that are not using MFA, etc. that these may be of strategic interest to our adversaries,“ said Wisniewski.

The new advisory is in line with a prediction MSP platform powerhouse ConnectWise made in its recent MSP Threat report predicting a continued rise in MSP focused ransomware attacks as well as increased cooperation among governments to combat cybercrime, said Patrick Beggs, chief information security officer for ConnectWise, who once seved as the director of operations at the National Cybersecurity and Communications Integration Center.

“While we are not currently seeing an increase in malicious cyber activity among ConnectWise partners, we are regularly engaging with them to help them better prepare for and deal with the latest threats,” said Beggs in an email response to CRN. “The fact that cyber agencies around the globe are working together to monitor threats and alert the MSP industry of heightened security risks is a good thing, and we applaud their efforts. Collaboration between the public and private sectors is one of the most effective ways to counter cybercrime.”

Kaseya said that it has so far not observed “any indication of an increase in malicious attacks” against its MSP customers. “We’re monitoring closely and always appreciate close collaboration with our Agency partners,” said a Kaseya spokesperson.

Threatlocker CEO Danny Jenkins said he sees new CISA alert as just one more reason why customers should partner with MSPs to provide significant security protections for their businesses. “Having a customer trying to secure their own organization is untenable,” said Jenkins. “The answer here is not to walk away from MSPs but to embrace those MSPs that follow good secure practices as outlined by the international cyber authorities. It should not go unnoticed that among the steps that CISA is advising MSPs to take is to embrace controls such as dual factor authentication and application allow whitelisting.”

Jason Slagle, president of CNWR, a Toledo, Ohio, MSP, said he sees the latest CISA warning as the latest in a long line of alerts of bad actors attempting to prey on MSPs. He said the alert does not contain any “specific concrete” data points to back up the claims of increased attacks on MSPs.

“They are not saying anything they weren’t saying yesterday,” he said of the CISA alert. “They are just reminding MSPs once again to have multifactor authentication in place, make sure your tools are up to date and your security hygiene is good.”

Slagle said he believes CISA and international authorities are worried about increased attacks from Russia in the wake of the Russia invasion of Ukraine.

Some threat watchers have said they have seen a downward trend on MSP attacks related to ransoms not being paid in the wake of the US Russia sanctions, said Slagle. “If you pay a ransom that goes to Russia you are violating sanctions and could be in hot water,” said Slagle.

Slagle said he will continue to stay alert and enforce stringent security policies for himself and his customers. “The reality is that as MSPs we live on the edge everyday with these security threats,” he said. “I don’t think there is anything more to worry about today than there was yesterday. As an MSP we are already doing all the things recommended in the advisory.”

Ultimately the CISA alert solidifies the position of MSPs as trusted advisors to protect businesses, said Slagle. He said when ever CISA issues an alert it helps drive sales growth for MSPs because it makes customers aware of the need for improved security.

“This kind of alert makes customers take security more seriously,” he said. “We already have the recommended practices from CISA in place for ourselves and our customers. The information is out there to protect yourself and customers but it is like drinking from a fire hose because there is so much stuff you have to do correctly to be secure.”

David Stinner, CEO of US itek, a Buffalo, N.Y.-based MSP, said the alert from what is known as The Five Eyes (FVEY), an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States, shows the critical importance of MSPs in protecting businesses. “If every MSP and MSSP disappeared tomorrow the country would fall apart,” he said. “Having the Five Eyes work together on this cybersecurity initiative is very impactful as cyber threats affect the entire world. Governments need to work together on a unified front to reduce cyber threats. You can’t provide the kind of security that is necessary without this kind of cooperation among governments.”

Stinner said he was impressed with the detailed recommendations from CISA. “Any business looking for an MSP should not hire that MSP unless they meet these well established guidelines,” he said. “If every MSP was audited today on whether they were meeting these new recommendations I would bet the majority of them would fail. On the flip side, MSPs need to use this as a template to fill security gaps like application whitelisting, dual factor authentication, better backup systems, and MSP services for things like incident response and recovery plans, supply chain analysis and data governance hygiene.”