A string of cyber attacks are targeting IT providers, likely in attempt to compromise their clients, according to research from Symantec.
The attacks are described as probable “supply chain” attacks – meaning the ultimate targets are the IT Providers’ customers.
Many organizations hardened their networks in recent years and are more vigilant in patching and maintaining systems.
However, to facilitate system integration, maintenance, and other day-to-day tasks, trusted services are often given greater access to network resources.
IT providers are typically in this group. They use broad, easy access to clients’ systems – including remote access – to ensure they can troubleshoot and solve problems quickly.
By compromising the clients’ supply chain – in this case, the technology service supply chain – attackers gain the same broad, easy access afforded to the service provider.
Also, rather than targeting many organizations individually, attackers get greater returns by choosing one target that provides access to many victims.
It’s not clearly known how attackers initially breached their targets in the attacks described by Symantec.
The first hint of malware was discovered in a web shell, in one case. This points to a web server as a potential initial point of compromise.
As expected, the attackers deploy tools to gather information once inside the target. In a few cases, they were able to configure tools to automatically execute when new clients logged into the domain.
“This activity indicates the attackers had achieved domain admin level access on these networks, meaning they had access to all machines on the network,” according to Symantec.
As attackers reached further into the network, hundreds of machines were infected with malware in some cases.
So far, the attack described by Symantec has targeted IT providers in Saudi Arabia – but other attacks targeting the IT industry have surfaced in recent months.
For example, reports surfaced earlier this year of attacks targeting remote monitoring and management (RMM) tools used by MSPs.
By using stolen credentials to access RMM and cybersecurity tools, attackers were able to infect the MSPs’ customers’ systems. In one case, the attack cost the MSP more than $150,000 in bitcoin to decrypt the clients’ systems.
Last year, US-CERT also warned of a growing number of sophisticated attacks targeting Managed Service Providers (MSPs) and other IT providers.