Huntress CEO: Microsoft Calling Out Russia’s SVR In Latest Attack Will Hopefully Drive Resellers To Act Now
‘If you think about the budget required to stop a nation state … Fortune 500 businesses, the largest in the world, fail to stop nation-state actors, let alone midmarket resellers or midmarket technology service providers. ... The vast majority aren’t prepared to deal with cybercriminals, let alone nation-state actors,’ Huntress CEO Kyle Hanslovan tells CRN.
Kyle Hanslovan, CEO of threat research firm Huntress, believes Microsoft blaming the Russian foreign intelligence service (SVR) for the latest threat will bring renewed awareness to resellers to better prepare for attacks.
The threat is from the same hackers responsible for the December 2020 SolarWinds attack. Microsoft said more than 140 IT resellers and service providers were targeted and as many as 14 have been compromised since May, according to a blog post.
“This is like post-No.-10-plus since December,” Hanslovan told CRN. “What’s really wild is this is only the second time that Microsoft has been willing to call out Russia and say it was a nation-state actor behind it.”
Hanslovan said he believes Microsoft called out Russia because it wants to drive industry awareness.
“I think it’s actually more than that, I think they’re struggling to drive industry awareness,” he said.
Research company Forrester estimates that there are more than 1 million channel service providers worldwide, according to Hanslovan, and he believes only 5 percent of those are prepared to handle an attack from a nation state.
“If you think about the budget required to stop a nation state … Fortune 500 businesses, the largest in the world, fail to stop nation-state actors, let alone midmarket resellers or midmarket technology service providers. ... The vast majority aren’t prepared to deal with cybercriminals, let alone nation-state actors. They’re just not prepared.”
The resellers that just resell products and do not have managed services “are where we see a disproportionate amount of lack of preparation,” he said.
“It’s not negligence,” Hanslovan added. “They’re just not designed to be an MSSP.”
It’s a chain, he said, where the actors go from one service provider to another to another to get to the bigger partner.
“They’ll compromise these tiny little ones and swim upstream,” he said. “Why waste time going through the well-fortified front door when you could swim upstream going through these smaller ones?”
Not only are the threat actors getting in and looking at the delegated access, they’re getting very familiar with how to pivot, he added.
“They’re not having to use sexy zero days to get in,” he said. “They get in with some basic mechanisms and use and abuse the delegated privileges to eventually swim upstream to that high-value target.”
The threat oftentimes lies in misconfigurations and people giving out way too many privileges, he said.
“They’re allowing a reseller to have administrative access, and the reseller isn’t prepared … to take on a nation-state adversary.”
Hanslovan believes Microsoft has been stressing to its partners the dangers of SVR, but the idea to call out the bad actors this time was to wake up the resellers.
“I think part of their decision to be much more verbose that this is Russia’s SVR is to hopefully gain some awareness like, ‘Will you please open your eyes? Will you please audit your stuff because you’re not,’” he said. “They’re just not following the guidance.”