MSPs ‘high value’ targets for ransomware attackers
Managed service providers have become hot property for cyber criminals seeking a larger net of companies to attack.
According to a new report, MSPs and managed security service providers are seen as high-value targets for threat actors, which use partners as a foothold to “easily” gain access to their customers.
The report by security vendor Cylance, argued the practise was likely to draw more attention as hackers distribute attacks against up to “hundreds” of organisations.
Worryingly, the attackers are choosing ransomware as their attack method of choice, which has come back “with a vengeance” following a brief decline in 2018. Of particular concern is a ransomware called Sodinokibi, which caused mass disruption to US government agencies by infiltrating hosted environments last year.
According to Cylance, the initial compromise usually comes via targeted phishing attacks aimed at an MSP managing IT and security for other organisations.
“The threat actors would leverage a foothold in the target organisation by using remote management tools like Go2Assist or NinjaRMM,” the report explained.
Once inside at environment, the next step used is deploying tools like Passcape’s password recovery tool to steal credentials, alongside breaching and disabling security servers. When they are connected to domain controllers, the attackers use existing software deployment tools to push ransomware to every machine in the environment
One such attacker to use this tactic last year was the group commonly known as Fin9, which targeted MSSPs in the United States and abroad in an attempt to commit gift card fraud after obtaining access to networks.
“Making sure MSPs and MSSPs use effective cyber security tools will be critical for organisations in 2020,” the report added.
Meanwhile, Cylance claimed that misconfigured cloud networks will become a critical concern this year as cloud investments are expected to reach $49.1 billion, according to Gartner. This issue led to seven billion records being publicly exposed in 2019, a number than is expected to increase in 2020.
“This number comes as no surprise as organisations continue to struggle with balancing their needs for continuous integration with safe deployment practices,” the report said. “Security measures are often implemented as an afterthought and may be driven by the pressures of regulatory compliance.”
At the same time, security operations centres (SOCs) are becoming “fatigued” by non-contextualised high-volume alerts, leading to the possibility of potentially malicious activity slipping off the radar.
IDG News Service