The US Secret Service issued a mysterious alert, warning that managed service providers are being targeted by criminals. It doesn’t name names, but we think it’s connected with a vulnerability in software used by many MSPs.
ConnectWise last month patched a serious vuln in its remote-management API. If you think that sounds like a nasty place for a security bug, you’re probably right: software used by many MSPs, which in turn are used by very many IT and DevOps teams.
Talk about putting all your eggs in one basket. In this week’s Security Blogwatch, we cook up a delicious omelette de la mère Poulard.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: AI rights now.
Mismanaged managed service provider service provider?
What’s the craic? Catalin Cimpanu reports—US Secret Service reports an increase in hacked managed service providers (MSPs):
Secret Service officials said [it had] been seeing an increase in incidents where hackers breach MSP solutions and use them as a springboard into the internal networks of the MSP's customers. … They've been seeing threat actors use hacked MSPs to carry out attacks against point-of-sale systems, to perform business email compromise (BEC) scams, and to deploy ransomware.
…
Most MSP services are built around a server-client software architecture. The server part can be remotely hosted with the MSP inside a cloud infrastructure, or installed on-premise with the client. Usually, getting access to the server component of an MSP grants an attacker full control of all software clients.
…
Attacks against MSPs have only recently made the headlines, with a surge in attacks in 2019, when ransomware gangs such as GandCrab or REvil (Sodinokibi) began targeting MSPs.
…
One of the largest MSP vendors on the market, ConnectWise, has had its products and services often targeted by hackers. … In June 2020, ConnectWise patched an Automate API vulnerability that hackers had also used to breach companies and deploy ransomware. … This vulnerability and the subsequent exploitation is what prompted the Secret Service to send out its alert.
Says who? Simon Sharwood says—ConnectWise issues a slightly scary but unusually significant security advisory:
ConnectWise specialises in software that IT services providers use to manage your IT. The 38-year-old company is the dominant force in that market, meaning that if you work with a system integrator, managed services provider or other outsourcer there’s a decent chance that ConnectWise touches some of the tech your business relies on.
…
Earlier this week ConnectWise revealed it’s found an API vulnerability in its “Automate” product, a remote monitoring and management suite. … Which is rather scary … because it’s well understood that many attacks exploit the weakest link in a security chain. And right now ConnectWise is a weak link.
What did the feds say? Information Only Alert – GIOC Reference #20-032-I:
The United States Secret Service is continuing to see an increase in cyber related attacks involving compromised Managed Service Providers. … Due to the fact a single MSP can service a large number of customers, cyber criminals are specifically targeting these MSPs to conduct their attacks at scale to infect multiple companies.
…
Cyber criminals are leveraging compromised MSPs to conduct a variety of attacks including point-of-sale intrusions, business email compromise (BEC), and specifically ransomware attacks. … Best practices for MSP Customers:
- Audit Service Level Agreements
- Audit remote administration tools being utilized in your environment
- Enforce two-factor authentication for all remote logins
- Restrict administrative access during remote logins
- Enforce least privilege for access to resources
- Utilize a secure network and system infrastructure, capable of meeting current security requirements
- Proactively conduct cyber training and education programs for employees
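Bullets 2 through 5 of the alert can be turned into a repeatable check. The script below is an added example, not from the alert or the blog: it walks a constructed host inventory (the hosts, the mfa= flag and the rmm-agent/anyrmm binary names are made up; TeamViewer is the tool mentioned later in the post) and reports remote administration tools that no SLA covers or that accept remote logins without two-factor auth, rating the finding high when the agent runs with administrative rights.

```python
from dataclasses import dataclass

# Constructed host inventory (not real hosts): host, service binary, run-as account,
# and whether that tool's remote login path enforces two-factor authentication.
INVENTORY = """\
ws-01   TeamViewer_Service.exe  SYSTEM  mfa=yes
ws-02   TeamViewer_Service.exe  SYSTEM  mfa=no
srv-01  rmm-agent.exe           SYSTEM  mfa=yes
srv-02  anyrmm.exe              jdoe    mfa=no
srv-03  sshd                    root    mfa=no
srv-04  print-spooler.exe       SYSTEM  mfa=no
"""

# Binary-name substring -> tool label. TeamViewer is the tool named in the post;
# rmm-agent and anyrmm are constructed placeholders, not real products.
SIGNATURES = {"teamviewer": "TeamViewer", "rmm-agent": "ContractedRMM",
              "anyrmm": "AnyRMM", "sshd": "OpenSSH"}
APPROVED = {"TeamViewer", "ContractedRMM"}   # tools an audited SLA actually covers
PRIVILEGED = {"system", "root", "administrator"}

@dataclass(frozen=True)
class Finding:
    host: str
    code: str       # UNAPPROVED_TOOL or NO_2FA
    severity: str   # "high" when the agent runs with administrative rights
    detail: str

def parse_line(line: str):
    host, binary, account, mfa = line.split()
    return host, binary, account, mfa.split("=", 1)[1].lower() == "yes"

def identify_tool(binary: str):
    name = binary.lower()
    return next((label for sig, label in SIGNATURES.items() if sig in name), None)

def audit(inventory: str = INVENTORY) -> list[Finding]:
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, binary, account, mfa = parse_line(line)
        tool = identify_tool(binary)
        if tool is None:
            continue  # not a remote administration tool; nothing to audit
        severity = "high" if account.lower() in PRIVILEGED else "medium"
        if tool not in APPROVED:
            findings.append(Finding(host, "UNAPPROVED_TOOL", severity,
                                    f"{tool} ({binary}) is not covered by any SLA"))
        if not mfa:
            findings.append(Finding(host, "NO_2FA", severity,
                                    f"{tool} accepts remote logins without two-factor auth"))
    return findings

if __name__ == "__main__":
    for f in audit():
        print(f"{f.host:7} {f.severity:6} {f.code:16} {f.detail}")
```

Feeding it a real inventory means exporting service names and run-as accounts from your endpoint management tool in the same four-column shape, and keeping SIGNATURES and APPROVED current with what the SLA audit actually turned up.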
To which, aaarrrgggh screams in frustration:
The Secret Service “best practices” are pretty worthless. … Any good ideas on how to manage the threats for remote management tools?
Our IT consultant uses TeamViewer for desktop support and server management. I can firewall it off with DPI, but that most likely will end up closing the barn door after the horses escaped.
Although ioncloud9 at least agrees with bullet No. 3:
MSPs, even smaller ones should utilize 2FA.
Okay, but which MSPs are we talking about? Alex Scroxton mentions one possible victim—Xchanging attacked in ransomware incident:
Xchanging, a managed services provider (MSP) specialising in the insurance and financial services industry, is recovering its systems after a ransomware attack by an as-yet unknown actor. The firm, owned by US-based services provider DXC, alerted authorities to the incident on the evening of Sunday 5 July 2020.
…
“The company is confident that this incident is isolated to the Xchanging environment,” DXC said in a statement. “DXC does not have any indication … that data has been compromised or lost. … DXC is actively working with affected customers to restore access to their operating environment.”
…
Service providers and supply chain partners of all stripes – not just tech businesses – are particularly at risk from cyber criminal activity because they frequently have some degree of privileged access to their customers’ IT systems, which means threat actors can easily move laterally and compromise an array of targets. … At the time of writing, no ransomware operator had yet claimed responsibility for the attack.
So let’s all point the finger of blame at MSPs? Dan Panesar thinks not:
It is important to remember that even though you rely on an MSP or MSSP, you are still culpable for the information that you own.
…
Reports that managed service providers are increasingly targeted by ransomware attacks and other exploits prove that security is not understood to the extent that it should be. Organisations that process sensitive information should prioritize security.
This means increasing the budget for cybersecurity and conducting courses to educate employees about how to best protect delicate information. Even though it may seem expensive, it will be significantly cheaper than a data breach.
Time for a farming analogy? Ilia Kolochenko is happy to oblige:
Attackers concentrate their malicious efforts on MSPs because they are now a low-hanging fruit. Worse, most of the successful intrusions are never detected or reported, given that the attackers have strong incentives to conceal the breach that may otherwise trigger an investigation that may depreciate the value of stolen data or even bring a SWAT team to their homes.
…
[MSPs’] third-party risk management [is] mostly based on obsolete one-size-fits-all questionnaires. … This bureaucratic approach can be unreasonably burdensome and complex for some small vendors; for others, they are inadequate and otherwise flawed.
Organizations should rethink their third-party risk management strategies, making them adjustable and proportional to the risk on a case-per-case basis.
But Pascal Monett has his own interpretation:
So, ConnectWise is basically connected to all big companies' IT systems? It did not discover a "vulnerability", it discovered an undocumented NSA backdoor, and now there's an NSA agent that is seriously pissed off.
Meanwhile, to illustrate that the naysayers are still out there, here’s omnichad, saying “nay”:
The cloud is just someone else's computer.
The moral of the story?
Using an MSP is no substitute for defense in depth, red teaming, attack surface minimization, etc.
And finally
AI slavery: A “thought exploration”
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
This week’s zomgsauce: Matt Popovich (cc:0)