Nations Warn of Cyber Threats to Managed Service Providers

Five nations came together to warn critical infrastructure entities of increased cyber threats to managed service providers (MSPs), and the AHA echoed the warning for healthcare.

By Jill McKeon

Cybersecurity authorities from the United States, United Kingdom, New Zealand, Canada, and Australia issued a joint alert warning critical infrastructure entities of increased cyber threats to managed service providers (MSPs) and their customers.

The alert defined MSPs as “entities that deliver, operate, or manage [information and communications technology (ICT)] services and functions for their customers via a contractual arrangement, such as a service level agreement.”

The five nations have observed an increase in malicious cyber activity against MSPs and expect the trend to continue.

“MSPs provide services that usually require both trusted network connectivity and privileged access to and from customer systems. Many organizations—ranging from large critical infrastructure organizations to small- and mid-sized businesses—use MSPs to manage ICT systems, store data, or support sensitive processes,” the alert continued.

“Many organizations make use of MSPs to scale and support network environments and processes without expanding their internal staff or having to develop the capabilities internally.”

Because MSPs are so widely used, cyberattacks against them could be especially damaging. The alert noted that threat actors may use a vulnerable MSP as an initial access vector to multiple victim networks, whether the customer’s network is on-premises or externally hosted.

“The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships,” the alert stated.

“For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP's customer base.”

The authorities recommended that MSPs and their customers improve the security of known vulnerable devices, protect internet-facing services, and defend against phishing, password spraying, and brute force activity.

“Sophisticated cyber actors continue to target strategic nodes within health care and other sectors to gain broad access to individual organizations. Think of this as the ‘hub and spoke’ targeting strategy. If they gain access to the ‘hub’ (MSP) they gain access to all the ‘spokes’ (customers),” John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, explained in a separate statement.

“This is a highly effective strategy, which has been used in the past by state-sponsored actors related to the governments of China and Russia.”

The alert noted that threat actors who gain access to an MSP and its customers could cause damage with “globally cascading effects.”

“The Chinese government has been historically focused on using this methodology for cyber espionage campaigns. The Russian government and their military intelligence services have used this methodology in the past to gain access to networks for espionage and to pre-position for potential future disruptive or destructive malware attacks,” Riggi explained.

“This threat also highlights the need for robust third-party risk management programs, which fully identify and evaluate the increased cyber risk organizations may incur by outsourcing of services and technology.”

The five nations urged MSPs and their customers to keep reliable data backups, develop and exercise incident response and recovery plans, and apply the principle of least privilege throughout their network environments.

The alert also emphasized the importance of promoting transparency between MSPs and customers. MSPs should provide clear incident response and recovery explanations in contracts, and customers should ensure that they have a full understanding of any security requirements that fall within or outside of the MSP’s services.