MSPs Beware: US Department of Homeland Security Warns Cybercriminals Are Attacking IT Providers

Hackers go where the money, the control and the ability to inflict damage lie. An individual enterprise or SMB is a pretty good score. But a service provider that controls the IT of multiple clients is far more enticing.

That’s why service providers such as MSPs must take special care. If your systems are cracked, criminals can gain control of all your clients. Your reputation and business could be gone in an instant. And your clients could fare just as badly.

In a recent report, “Intrusions Affecting Multiple Victims Across Multiple Sectors,” the National Cybersecurity and Communications Integration Center (NCCIC), which operates under Homeland Security, said it has

“become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems.”

The targets are troubling. “Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”

That is the scary part. It is a multiplier effect where an incursion into one service provider turns into compromises of perhaps hundreds of client companies – or more.

NCCIC understands this issue and is hoping service providers take additional security measures. “To achieve operational efficiencies and effectiveness, many IT service providers often leverage common core infrastructure that should be logically isolated to support multiple clients. Intrusions into these providers create opportunities for the adversary to leverage stolen credentials to access customer environments within the provider network,” NCCIC argued.

Credential Cracking

A key to these attacks is the use of compromised credentials. “The actors use malware implants to acquire legitimate credentials then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators’ credentials to access trusted domains as well as the malicious use of certificates,” the report said.

Cracking an end user’s password is one thing. But when you can get an administrator’s credentials, you really have the keys to the IT kingdom.

Once these admin rights are in hand, the hackers can impersonate service provider technical professionals. But there is another technique these cybercriminals use. After breaching service provider infrastructures, the hackers leave behind malware implants that maintain and extend their access to these systems.

“A secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines. In some instances, the malware has only been found within memory with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures,” the report said. “Although the observed malware is based on existing malware code, the actors have modified it to improve effectiveness and avoid detection by existing signatures.”

Protect Your Network Against Credential Cracking

The report offers a wealth of advice, first and foremost being to adopt two-factor authentication (2FA) or multi-factor authentication (MFA). It also suggests, as should be customary practice, that users be given only the level of privilege they actually need, the so-called least-privilege doctrine.

As is also a best practice, you should require complex passwords, such as those with at least 15 characters.

And, of course, use 2FA for anyone who touches the service provider network.

More on Two-Factor Protection

2FA is a verification process that adds one more layer of credential confirmation to a login process. A form of MFA, 2FA requires the input of the standard username/password combination, as well as a second piece of information that can be provided only by the authorized individual. With 2FA in place, cyberhackers find it far more challenging to access the account to steal an identity or obtain crucial confidential information.
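As an added illustration (not code from the article or the NCCIC report), the check below shows what the second factor buys: a login that succeeds only when both the password and a time-based one-time code (RFC 6238 TOTP, implemented here with the standard library) verify, so a stolen password alone is not enough. The account's secret, salt and password are constructed demo values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo account. In a real deployment the per-user TOTP secret and
# the salted password hash come from the provider's user store (hypothetical).
TOTP_SECRET = b"constructed-shared-secret-20-bytes!!"
PBKDF2_ITERATIONS = 600_000
_SALT = b"constructed-static-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", _SALT, PBKDF2_ITERATIONS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_password(candidate: str) -> bool:
    """First factor: PBKDF2 hash of the candidate compared in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Second factor: accept the current step plus/minus one to tolerate clock drift."""
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * 30), code):
            return True
    return False


def login(password: str, second_factor: str, unix_time: Optional[int] = None) -> bool:
    """Both factors are always evaluated, then combined, so a failure does not
    reveal which factor was wrong and a stolen password alone cannot log in."""
    now = int(time.time()) if unix_time is None else unix_time
    password_ok = verify_password(password)
    factor_ok = verify_totp(TOTP_SECRET, second_factor, now)
    return password_ok and factor_ok
```

The TOTP routine reproduces the RFC 6238 reference vector (secret `12345678901234567890`, time 59, 8 digits gives `94287082`), so it can be checked against any standard authenticator app.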

In the cyberworld, 2FA is now used on a variety of large websites including Yahoo!, MSN, Google, and Twitter along with a plethora of financial services firms and other highly regulated institutions. By incorporating 2FA into the login process, organizations can dramatically lower the rate of credential cracking.

Check out our 2FA Buyers Guide to learn more about how you can protect your business and your customers.

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.
