Federal agencies are alerting the public to an active campaign of cyber attacks against managed service providers (MSPs) in the IT sector.
A technical alert published last week by the U.S. Computer Emergency Readiness Team (US-CERT) says advanced persistent threats (APTs) have exploited MSPs and other IT companies since at least May 2016.
The term “APT” has several meanings but most commonly refers to elite hacker groups associated with nation states.
APTs typically have geopolitical aims – such as performing espionage, intellectual property theft, or large-scale cyber crime – and they often breach and “persist” inside targets.
Famous examples include APT29, a Russian group blamed for hacking the Democratic National Committee in 2015, and APT19, a Chinese group that compromised Forbes.com in 2014 to perform a watering hole attack against multiple targets.
Who is behind the MSP attacks?
The CERT alert (TA18-276B) does not blame a specific group or government, only “APT actors”.
However, a thread running through several sources suggests the attacks may originate from a group associated with the Chinese government. Here’s the thread…
Last week’s alert says the attacks are related to activity described in another CERT alert (TA17-117A) from April 2017. This earlier alert has more technical analysis and indicators of compromise (highly recommended reading).
This one does not point fingers, either, but notes, “The most unique implant observed in this campaign is the REDLEAVES malware.” REDLEAVES is a remote administration trojan.
Multiple sources attribute REDLEAVES to APT10, a hacker group backed by the Chinese government.
The thread tying this back to last week’s CERT alert is hardly iron-clad, but the connection appears legitimate.
Why target MSPs?
MSPs have almost unparalleled access to their clients’ networks. Especially in the small business space, clients are often completely reliant on the MSP to manage and troubleshoot systems.
Compromising an MSP (especially one without proper controls in place) can give an advanced hacker group deep access into dozens, hundreds, or even thousands of businesses.
Many MSPs also offer data storage and backup services, meaning attackers who compromise an unprepared provider can potentially gain direct access to client data.
Protect Your Business and Clients
In this campaign, the number-one way attackers penetrate networks is with stolen credentials, according to the alert.
Once inside, they often use “living-off-the-land” techniques that leverage common off-the-shelf applications and trusted credentials. This makes their efforts difficult to detect.
The best protection against such adversaries is a multi-layered approach to security. No single solution will stop them.
The alert lists several pages of mitigation techniques – which we highly recommend reading.
Last year’s related alert includes even more helpful information, such as detection and mitigation techniques and indicators of compromise.
Highlights from the latest alert are below.
MSP accounts should not be assigned to the Enterprise Administrator or Domain Administrator groups in Active Directory. They should have access to only the systems they manage, and they should be limited by time and date.
Enable logging on all network systems and devices. Send logs to a central service that is separate from other servers and workstations. Local logs should store at least seven days of data, and centralized logs should store at least one year of data. Install and properly configure a security information and event management (SIEM) system, and implement a log review process.
Network device configurations and Group Policy Objects (GPOs) should be checked every six months. Privileged account groups should be reviewed weekly and inactive accounts should be removed or deactivated. Create a baseline for system and network behavior to make it easier to detect anomalies. And of course, ensure your systems are updated and patched.
Virtual Private Network
Remote MSP connections should be made via VPN, and the connection should terminate within a demilitarized zone (DMZ). VPN access should be restricted to only the networks and protocols necessary. Authentication certificates should be updated annually, and VPN connections should be centrally managed, logged, and reviewed.
Internet-facing systems should reside on a network separate from the primary business network. Internal networks should also be separated by function, location, and risk profile to apply security controls accordingly. Private VLANs and host-based firewalls (in addition to physical firewalls) should also be used.
Develop an incident response plan – establish written guidelines that prioritize incidents based on impact and periodically update the plan.
Outbound connections should be permitted only for authorized network services and ports – such as TCP 80 and TCP 443. Outbound connections should also be monitored to ensure unencrypted traffic is not sent via ports associated with encrypted traffic. DNS queries should be performed by dedicated servers. Access to unauthorized file shares – such as Dropbox, Google Drive, and OneDrive – should not be allowed.
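The outbound-traffic rules above can be turned into a simple detection pass over connection records. The following is an added example, not code from the alert or from the original post; the record format, the authorized port list, the dedicated DNS resolver address and the sample flows are all constructed assumptions.

```python
# Added example: apply the alert's outbound-traffic rules to connection records.
# Flow records, addresses and the resolver address are constructed for illustration.
from dataclasses import dataclass

AUTHORIZED_PORTS = {80, 443}      # outbound ports permitted by policy (assumed)
DEDICATED_DNS = {"10.0.0.53"}     # only these hosts may issue DNS queries (assumed)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    head: bytes   # first bytes of the client payload, as captured by a sensor

def looks_like_tls(head: bytes) -> bool:
    # A TLS ClientHello starts with a Handshake record (0x16) and major version 0x03.
    return len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03

def check_flow(f: Flow) -> list:
    """Return the policy findings for one outbound flow (empty list if clean)."""
    findings = []
    if f.dport == 53:
        if f.src not in DEDICATED_DNS:
            findings.append("dns-from-unauthorized-host")
        return findings
    if f.dport not in AUTHORIZED_PORTS:
        findings.append("unauthorized-outbound-port")
    if f.dport == 443 and not looks_like_tls(f.head):
        findings.append("cleartext-on-443")   # encrypted port, non-TLS payload
    if f.dport == 80 and not f.head.startswith(HTTP_METHODS):
        findings.append("non-http-on-80")     # web port used for something else
    return findings

SAMPLE_FLOWS = [  # constructed sample records
    Flow("10.0.1.10", "203.0.113.5", 443, b"\x16\x03\x01\x00\xc8\x01"),
    Flow("10.0.1.11", "203.0.113.9", 443, b"GET /beacon HTTP/1.1\r\n"),
    Flow("10.0.1.12", "198.51.100.7", 4444, b"\x00\x01"),
    Flow("10.0.1.13", "198.51.100.53", 53, b"\x12\x34\x01\x00"),
    Flow("10.0.0.53", "198.51.100.53", 53, b"\x12\x35\x01\x00"),
    Flow("10.0.1.14", "203.0.113.9", 80, b"\x16\x03\x01"),
]

def audit(flows) -> dict:
    """Map 'src->dst:port' to its findings, keeping only flows that violate policy."""
    report = {}
    for f in flows:
        findings = check_flow(f)
        if findings:
            report[f"{f.src}->{f.dst}:{f.dport}"] = findings
    return report

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_FLOWS).items():
        print(key, findings)
```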
Prepare for Client Questions
In case this alert reaches your clients, you should prepare to answer the questions it raises.
For example, from the alert:
“Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors.”
“MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP.”
So, how does your company mitigate this additional exposure? What policies do you follow to prevent stolen credentials from becoming a free pass to all client networks?
The alert also urges MSP clients to review cloud computing security controls published by the U.S. National Institute of Standards and Technology (NIST).
Even if your clients never ask questions about this alert, security questions are inevitable, especially as the demands of data privacy laws and regulations escalate. Better to prepare now than to be caught off guard.