October 04, 2018
ALERT: Advanced Persistent Threat Activity Exploiting MSPs
In Technical Alert TA18-276B, the cyber security alert issued yesterday by the National Cybersecurity and Communications Integration Center (NCCIC), we learned that managed service providers (MSPs) are a key target of advanced attackers, also referred to as Advanced Persistent Threat (APT) groups.
The alert states specifically:
“By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.”
MSPs need to account for this threat and update their understanding of the cyber risk landscape they operate in, and of how it may affect their end users. Specifically, there are immediate actions as well as near-term action items that MSPs should take.
Immediate response activities should follow two tracks:
- Take a hard look at credential management and authentication system controls of all accounts and services for key infrastructure or network entry points, including those of your service providers.
- Enable two-factor authentication everywhere you can. Prefer hardware tokens or TOTP mobile applications over SMS.
- Disable unnecessary or defunct accounts.
- Consider rotating passwords for all privileged accounts that remain active.
- Avoid storing passwords in known weak locations such as the built-in browser password manager, text files, documents, outdated or unpatched offline password managers, and the like.
- Review account privileges on all IT equipment and critical SaaS services and drop privileges on accounts that don’t need them.
- Review authentication system logs, ideally in an automated way, and alert on suspicious activity such as logins from anonymising infrastructure (for example, Tor).
- Subscribe to dark web monitoring services so that you become aware when credentials associated with your MSP or your end users have been compromised.
- Verify that remote-access virtual private network (VPN) connections into MSP or end-user networks that rely on a single factor use strong passwords that are difficult to guess or crack.
- Consider rotating the passwords for all accounts used on single-factor remote-access VPN endpoints and setting them to values that are hard to guess or crack.
- Disable any network address translation (NAT) port forwards through the firewall for remote connections such as Remote Desktop Protocol (RDP) or Secure Shell (SSH), as they may be subject to brute-force or low-and-slow attacks.
- Review the egress (public) IP address for ports and services that are exposed to the internet.
- If your firewall supports intrusion detection (IDS) or intrusion prevention (IPS), enable critical alerts so that you are informed of malicious activity and can take action.
- Ensure your network appliances have the latest firmware.
- Disable any services on the appliances that are not actively in use, to reduce future exposure.
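Two of the items above, automated review of authentication logs for logins from anonymising infrastructure and the low-and-slow guessing that single-factor remote-access endpoints attract, can be covered by one small log review. The following is an added example, not code from the alert or from this post's author; the log format, the IP addresses and networks (IETF documentation ranges standing in for a Tor exit list), the account names and the thresholds are all constructed assumptions.

```python
"""Added example (not the alert's or the author's code): an automated review
of authentication logs for two of the checklist patterns: successful logins
from anonymising infrastructure such as Tor, and low-and-slow password
guessing against single-factor remote-access endpoints (VPN, RDP, SSH).
Log lines, addresses, accounts and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for an anonymising-infrastructure list (e.g. a Tor
# exit-node list refreshed daily); documentation ranges, not real exits.
ANONYMISING_NETWORKS = [ipaddress.ip_network(n)
                        for n in ("198.51.100.0/24", "203.0.113.7/32")]

# Constructed log lines: "<ISO timestamp> <service> <user> <source IP> <result>".
SAMPLE_LOG = """\
2018-10-03T08:01:10Z vpn jdoe 192.0.2.10 success
2018-10-03T08:15:00Z rdp backup-admin 203.0.113.7 success
2018-10-03T02:00:00Z ssh root 198.51.100.23 failure
2018-10-03T05:10:00Z ssh root 198.51.100.23 failure
2018-10-03T09:25:00Z ssh root 198.51.100.23 failure
2018-10-03T14:40:00Z ssh root 198.51.100.23 failure
2018-10-03T19:55:00Z ssh root 198.51.100.23 failure
2018-10-03T11:00:00Z vpn asmith 192.0.2.55 failure
2018-10-03T11:00:30Z vpn asmith 192.0.2.55 success
"""


def parse_log(text):
    """Parse the constructed format into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, user, src, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "service": service, "user": user, "src": src, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def is_anonymising(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMISING_NETWORKS)


def flag_anonymising_logins(events):
    """Successful logins from anonymising infrastructure: a credential in use
    from a place a legitimate admin or end user has no reason to be."""
    return [e for e in events
            if e["result"] == "success" and is_anonymising(e["src"])]


def find_slow_bruteforce(events, window=timedelta(hours=24), threshold=5):
    """Count failures per (source, account) inside a sliding window.  A long
    window with a low threshold is what catches 'low and slow' guessing that
    stays under a per-minute lockout policy.  Returns {(src, user): max_count}."""
    failures = defaultdict(list)
    for e in events:                      # events are already time-sorted
        if e["result"] == "failure":
            failures[(e["src"], e["user"])].append(e["ts"])
    hits = {}
    for key, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def review(log_text):
    """Run both checks and return the findings as plain data for alerting."""
    events = parse_log(log_text)
    return {
        "anonymising_logins": [(e["user"], e["src"], e["service"])
                               for e in flag_anonymising_logins(events)],
        "slow_bruteforce": find_slow_bruteforce(events),
    }


if __name__ == "__main__":
    for kind, findings in review(SAMPLE_LOG).items():
        print(kind, findings)
```

On the sample data the review reports the RDP login by `backup-admin` from the anonymising range and five SSH failures against `root` from one source spread over eighteen hours, a pattern a per-minute lockout threshold never sees. In production the network list would be refreshed from a real Tor exit feed and the events would come from the VPN, RDP gateway and SSH logs, but the two checks stay the same.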
More in-depth response activities should include additional analysis that accounts for the targeted nature of attacks in the MSP space, which increases the likelihood of risk exposure.
Lastly, MSPs should revisit their layered defenses for effectiveness against motivated and capable adversaries:
- Analyse controls using a framework such as the Lockheed Martin Cyber Kill Chain or the MITRE ATT&CK framework.
- Whiteboard the attacks you may face, drawing on information from those frameworks: for example, a motivated attacker who has obtained a compromised credential and has local-area network (LAN) access, and conversely an attacker without LAN access.
- Ensure that endpoint controls are capable of detecting attacks that use native tools of the OS, including PowerShell and VBScript.
- Establish monitoring activities to ensure that key controls continue to operate effectively and that you are notified of any strange or unexpected changes.
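The endpoint-control item above can be checked concretely by running process-creation telemetry through a few rules and tagging each finding with the ATT&CK technique it maps to, which also ties the result back to the framework analysis in the first bullet. The following is an added example, not code from the alert or from this post's author; the event layout, file paths, command lines (including the placeholder base64 string) and the specific indicators chosen are constructed assumptions, while the technique identifiers are real MITRE ATT&CK IDs.

```python
"""Added example (not the alert's or the author's code): a detection pass
over process-creation events, in the shape of Sysmon Event ID 1 or Windows
4688, for the native-tool patterns the checklist names (PowerShell and
VBScript), with each finding tagged with the MITRE ATT&CK sub-technique it
maps to.  Events, paths and command lines are constructed."""
import re

# Real MITRE ATT&CK identifiers (Command and Scripting Interpreter sub-techniques).
T_POWERSHELL = "T1059.001"
T_VISUAL_BASIC = "T1059.005"
T_SCRIPTING = "T1059"          # parent technique, used when the script type is unknown

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\")

# powershell.exe accepts unambiguous prefixes of -EncodedCommand and -WindowStyle,
# so match the common short forms as well as the full switch names.
ENCODED = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\b", re.I)
HIDDEN = re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden\b", re.I)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(event):
    """Return (technique_id, reasons) for one event, or None if nothing fired."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmd"]
    reasons = []
    if image in {"powershell.exe", "pwsh.exe"}:
        technique = T_POWERSHELL
        if ENCODED.search(cmd):
            reasons.append("encoded command")
        if HIDDEN.search(cmd):
            reasons.append("hidden window")
    elif image in SCRIPT_HOSTS:
        technique = T_VISUAL_BASIC if ".vbs" in cmd.lower() else T_SCRIPTING
        if any(p in cmd.lower() for p in USER_WRITABLE):
            reasons.append("script in user-writable directory")
    else:
        return None
    if parent in OFFICE_APPS:
        reasons.append("spawned by Office application")
    return (technique, reasons) if reasons else None


def detect_all(events):
    """Apply analyse() to a batch and return findings with their event index."""
    findings = []
    for i, ev in enumerate(events):
        hit = analyse(ev)
        if hit:
            findings.append({"index": i, "technique": hit[0], "reasons": hit[1]})
    return findings


# Constructed events: a benign admin script, an Office-spawned encoded and
# hidden PowerShell, a script host running a .vbs from a temp directory, and
# a built-in Windows script (slmgr.vbs) run from System32.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -enc QQBBAEEA"},   # placeholder base64, constructed
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\invoice.vbs"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
]

if __name__ == "__main__":
    for finding in detect_all(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, only the second and third events fire: the signed admin script and the Windows-supplied `slmgr.vbs` pass, which is the point of keying on parent process, encoding and script location rather than on the interpreter alone. Feeding a batch of real telemetry through the same pass, and counting how many of the whiteboarded scenarios produce at least one finding, is one way to verify that endpoint controls are actually seeing native-tool use rather than assuming they do.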
In sum, MSPs should take keen notice of this alert and begin today to take steps to shore up their defenses against such attacks.