MSPs in cybercriminals’ crosshairs

Managed Service Providers (MSPs) are often charged with safeguarding their customers' IT systems from cyberattacks. But what if the MSP has now become the target?

The past several months have seen a number of incidents in which IT providers have fallen victim to cyberattacks. One of the most high-profile was the Cloudhopper attacks, which targeted a handful of large MSPs at the end of 2018, with Chinese hackers looking to gain access to their clients' networks and steal sensitive information.

Just recently, the channel has also been subject to a phishing campaign where attackers attempted to take control of users' PCs before sending the same phishing email to the victim's client list.

Elsewhere, MSP software provider Datto's 2019 ransomware report says that 80% of MSPs are being increasingly targeted by ransomware attacks.

Rather than having to breach several individual companies, attacking the supply chain in this way allows access to many potential victims in one fell swoop, says Dan Garcia, senior security engineer at Datto.

But with criminals now using MSPs as an entry point into their customers, can the channel still ensure its customers' networks and sensitive data remain secure?

"MSPs need to manage their cyber risk based on the makeup of their customer base. While it's important that the services provided by an MSP align to the security needs of each customer, MSPs in turn also need a security programme that understands the cyber risks imposed by their customers. Customers should have an open dialogue with their MSP to better understand the security programme that's in place for both parties," Garcia tells Channel Pro.

Security software vendor Barracuda conducted research in June that shows the channel is increasingly falling victim to brand impersonation attacks. A third (35%) said criminals have impersonated them to target their customers, and almost half of the customers fell for it. Conversely, 57% have had criminals impersonating their customers, although only 9% of those were taken in by the ruse.

"MSPs are a natural target for cyber attackers, due to the large amount of organisation networks they have access to. If an organisation gets breached because of their MSP, who is actually meant to be protecting their network from such attacks, that constitutes a huge breakdown in trust which may result in the MSP losing that customer," Jason Howells, director international MSP business at Barracuda, tells Channel Pro.

Howells says MSPs need to think proactively about their security in light of the recent targeted attacks, and uses the example of Wipro, one of India's largest and most successful MSPs, which this year saw hackers gain entry to its network via a phishing campaign and launch cyberattacks against its customers.

"MSPs can avoid the same fate by providing correct security training to all staff, controlling and closely monitoring network access as well as making sure they have proper backups in place. This ensures the trust between client and MSP remains intact and secure," he says.

Brian Downey, VP of product management, security at Continuum, which provides a security platform to MSPs, says it's "completely fair and should be expected" that clients question their MSP's ability to guard and protect their data.

"This classic 'hitting multiple birds with a single stone' situation is why MSPs need to implement appropriate security measures in their environment and have the ability to clearly articulate to their clients how they protect their valuable data," he says.

The increase in attacks on MSPs calls for a change of mindset, says Tim Lasonde, SVP of managed services at MSP Focus Technology Solutions.

"MSPs have historically been laser focused on protecting their customers' assets and overlooking their own, but recent events like the Cloudhopper attacks are a reminder that MSPs need to prioritise protecting their own personal information as well," he tells Channel Pro.

"Change is occurring as more MSPs are putting in place the same security measures for customers into their own organisations. It's important to not only have a team of engineers dedicated to internal IT, but also implement security measures internally first to work out any bugs before rolling out to customers."

Here are some practical measures suggested by Datto to help prevent attacks:

  • Enabling multi-factor authentication on all public-facing services reduces the likelihood that compromised credentials will be used to breach internal systems.
  • If RDP is directly exposed to the internet, remove it and find alternative ways of connecting to the environment.
  • If Microsoft Office Suite is used, disable macros by default and make them requestable by individual users.
  • If PowerShell is not used to support the environment, disable it.
  • Segmenting internal MSP networks, as well as customer networks, will limit the lateral movement of attackers. If supported, client isolation provides great protection.
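
One way to check the RDP measure above against an exported firewall or security-group rule set, as an added example that is not from Datto or the original article. The rule tuple format and the sample rules are constructed assumptions; the check flags any allow rule that lets a non-private source reach port 3389, including port ranges and "any" rules that cover it.

```python
import ipaddress

RDP_PORT = 3389
# RFC 1918 and IPv6 unique-local ranges; any other source counts as internet-facing.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample rules: (name, action, protocol, ports, source). Assumed format.
SAMPLE_RULES = [
    ("web-https",   "allow", "tcp", "443",       "0.0.0.0/0"),
    ("rdp-any",     "allow", "tcp", "3389",      "0.0.0.0/0"),
    ("rdp-vpn",     "allow", "tcp", "3389",      "10.8.0.0/24"),
    ("wide-range",  "allow", "any", "3000-4000", "::/0"),
    ("rdp-partner", "allow", "tcp", "22,3389",   "203.0.113.0/24"),
    ("rdp-deny",    "deny",  "tcp", "3389",      "0.0.0.0/0"),
    ("rdp-udp-lan", "allow", "udp", "3389",      "192.168.0.0/16"),
]


def covers_port(ports, port):
    """True if a spec such as '22,3389', '3000-4000' or 'any' includes port."""
    for part in ports.replace(" ", "").split(","):
        if part in ("any", "*"):
            return True
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def source_is_internal(cidr):
    """True only when the whole source range sits inside private address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)


def exposed_rdp_rules(rules):
    """Names of allow rules that let a non-private source reach RDP (TCP/UDP 3389)."""
    findings = []
    for name, action, proto, ports, source in rules:
        if action != "allow" or proto not in ("tcp", "udp", "any"):
            continue
        if covers_port(ports, RDP_PORT) and not source_is_internal(source):
            findings.append(name)
    return findings
```

Rules such as `rdp-partner` show why the source range matters as much as the port: an allow-list of a public partner range still leaves RDP reachable from outside the private network.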

MSPs looking to improve their technology stack should investigate:

  • Educating users as a preventative measure. Security awareness training should include phishing simulations.
  • Basic email filtering solutions included in Office 365 or G Suite are not adequate. Implementing an advanced email protection solution will further reduce the number of phishing emails and the likelihood of a successful attack.
  • Mainstream antivirus solutions fall short of protecting against advanced threats. Find an endpoint solution that can detect and respond more adequately to advanced attacks.

Christine Horton

Christine has been a tech journalist for over 20 years, 10 of which she spent exclusively covering the IT Channel. From 2006-2009 she worked as the editor of Channel Business, before moving on to ChannelPro where she was editor and, latterly, senior editor.

Since 2016, she has been a freelance writer, editor, and copywriter and continues to cover the channel in addition to broader IT themes. Additionally, she provides media training explaining what the channel is and why it’s important to businesses.