WatchGuard CSO: ‘Bad Guys Realize The Value You Provide’

MSPs are an appealing target for adversaries since they aggregate many end customers at a single point and they tend to have broad access into their customers’ environments, says WatchGuard Chief Security Officer Corey Nachreiner.

MSPs have increasingly found themselves in the crosshairs of ransomware gangs in recent years, culminating in the colossal July 2 attack against RMM provider Kaseya.

WatchGuard Chief Security Officer Corey Nachreiner said MSPs are an appealing target for adversaries since they aggregate dozens, hundreds or even thousands of end customers at a single point and they tend to have broad access into their customers’ environments. MSPs will face significant pressure to pay the ransom if customer data is compromised, he said, or customers might pay the ransom independently.

“MSPs are now a supply chain target,” Nachreiner said during XChange+ 2021, hosted by CRN parent The Channel Company. “Bad guys realize the value you provide to your customers. … If they can get into your central system, you’re a great way to get into a number of different businesses that you protect.”

[Related: ThreatLocker CEO: Thwart Ransomware With Endpoint Controls]

The Kaseya ransomware attack captured the attention of news organizations the world over, but Nachreiner said U.S. officials actually warned MSPs all the way back in late 2018 that known threat actors were starting to probe their networks. The first blow came in February 2019, when hackers capitalized on a ConnectWise Automate vulnerability to access MSP systems and install ransomware.

“PSAs and RMMs, their value to you is making life easy by centralizing everything,” Nachreiner said. “But that makes them the most important target for your organization. Because if I can log in as a privileged user, I can use that same software to do damage on your network.”

Then in June 2019, Nachreiner said adversaries got their hands on a credential belonging to an MSP technician that had either been stolen or shared by a malicious insider. Unlike the ConnectWise or Kaseya comprises, Nachreiner said this didn’t involve a zero-day vulnerability and instead took advantage of fact that the MSP didn’t have multifactor authentication on all of its systems.

“There’s no reason for them to figure out complex attacks or really brand-new, hard-to-find zero days if they can just get one credential from one of your privileged users and walk right through the door as if they’re still that user,” Nachreiner said.

“The trend is these bad guys are going after you,” he said. “Why? You’re a great aggregation point. If I can find one target, that gets me tens if not hundreds of organizations with data.”

As for Kaseya, Nachreiner said the REvil ransomware gang took advantage of some unpatched zero day vulnerabilities the company had been notified about months earlier. REvil was likely in Kaseya’s network for a considerable amount of time before deploying the ransomware, and timed the ransomware rollout so that it would hit the thousands of computers MSPs are responsible for protecting at the same time.

“They’re very smartly staging this to happen all at once, which really puts you in a tough position because it’s not just a few computers, it’s all over,” Nachreiner said. Four different vulnerabilities … allowed the bad guys to get in without privileges, without an account, and to elevate their privileges to do whatever they want.”

Nachreiner said there are certain controls MSPs could have had on their network that would have stopped REvil from installing ransomware on their endpoints. MSPs can minimize the impact of ransomware attacks for smaller customers by helping them put together plans for backups as well as business continuity and disaster recovery, according to Nachreiner.

Smaller businesses often don’t have a business continuity or disaster recovery plan in place since it takes time to develop a plan as well as technical skill to create backup systems and virtualized environments, Nachreiner said. MSPs should also be able to deliver basic incident response services through a Security Operations Center or partnership and have legal counsel on hand for customers who experienced a security incident, he said.

“There’s a lot of opportunity here for you not just to sell a product, but also to sell a service,” Nachreiner said. “To be the CSO for your smaller customers.”

MSPs need to strengthen their customers’ posture around backup since ransomware gangs will often target and disable backups during attacks, Nachreiner said. Specifically, he said companies should retain three copies of their data residing both with a cloud provider as well as with a local backup tool.

Given that adversaries are targeting backup systems, Nachreiner said customers should keep two offline copies of their data. The offline copies will come in handy if the ransomware gang knows which backup provider the victim is using and is able to successfully turn that off, according to Nachreiner.

“If you can get your customers to this standard, they’ll be able to recover from ransomware,” Nachreiner said.

MSPs need to determine who needs access to a particular folder and ensure that ordinary users aren’t given admin-level credentials, said Daniel Ihonvbere, CEO of Round Rock, Texas-based Tech Prognosis. MSPs need to better protect their customers from ransomware attacks by limiting the amount of access they have to nonessential systems, according to Ihonvbere.

“It’s easy if you don’t give customers a choice,” Ihonvbere said.