Guest Column | February 14, 2020

MSP ‘Gatekeepers’ Face New Wave Of Malicious Threats To Their Credibility

By Vince Crisler, Dark Cubed

This is the first of a two-part series examining the current state of MSP security.

Cybersecurity threats and breaches have been making headlines for years – actually decades in one way or another. New types of attacks emerge with such frequency that they rival other certainties, like death and taxes.

What’s far more pronounced today, beyond the usual headlines, is how vulnerable managed service providers have become. To better understand this, we conducted a comprehensive study of network traffic from a globally distributed group of managed service providers, monitoring their “normal” operations with our threat identification and protection platform. The study, titled “Attacking the Gatekeepers: MSP Report,” also examined a relatively new development: the rise of nation-state hacking against cloud and managed service provider infrastructures.

Most other reports and news coverage to date center on end customers and the challenges they face. For MSPs, however, the problem is escalating in scale and becoming increasingly alarming. To better understand the intensifying pressures and shortcomings these companies are striving to address – often inadequately – we combined quantitative and qualitative data with the input and observations of these front-line arbiters of the growing crisis.

Inside The Conflict
As we gathered this deep insight into what’s occurring on the MSP front, we found the level of organization and sophistication of attacks has reached an unprecedented order of magnitude. Malicious actors are directly targeting MSPs to inflict more damage, gain greater illicit access and basically wreak havoc in ways not previously seen or realized.

One MSP CEO who participated in the study said they feel like they are “fighting a losing battle” that’s “unlike anything I have ever seen before… and is getting worse.”

In another instance, an MSP network suffered a botnet attack composed of 20,000 unique IP addresses representing 149 individual countries and 3,607 different organizations.

MSPs represent the first and most important line of defense when it comes to their clients’ security. Attackers that exploit a single MSP have the potential to access the data of every customer the MSP engages. It goes almost without saying that the results can be utterly catastrophic.

Hidden Realities And Consequences
And that’s another offshoot of the study’s findings worth underscoring – how no MSP wants it broadcast or known that they failed to protect a client’s network or data. In other words, although you can’t sweep it under the rug, legions of MSPs have no vested interest in going public with such news. The blow to their reputations could be even more devastating to their businesses than the proliferating malware, viruses, Trojan horses, spyware, worms, phishing scams and rootkits they are expected to continuously address.

In the U.S. alone, MSPs serve more than 64 percent of the small- and midsize-business market. Criminal actors are aware of this vital connection and see it as an exponential opportunity for a bigger return on their nefarious investments.

The barrage of attacks MSP networks now face can be particularly cataclysmic if the epidemic remains relatively unchecked from a big-picture standpoint. Looking at the problem collectively, which was the purpose of our study, we as an industry must adopt more concrete measures to combat and thwart the mounting range of intrusions, which can be especially stealthy today. For example, “Attacking the Gatekeepers” revealed that more than 81 percent of so-called “benign” IP addresses scanning MSP networks actually show up on one or more threat lists!

In IT Together
We are now essentially in a new era of cyber risk that cannot be ignored. The “cure” begins with a heavy dose of MSP self-reflection and realization as well as a new level of end-to-end internal assessment. Security vendors aren’t centered on the unique vulnerabilities and challenges MSPs encounter. More information sharing, more analysis, and more sophisticated solutions are warranted and available.

“Attacking the Gatekeepers” showed that 100 percent of MSPs reviewed suffered either automated attacks, directed attacks, or both. Without question, the risks are rising on these fronts, but answers are few and far between. MSP gatekeepers are under siege, and once they fall, their clients are easy prey.

Geofencing and cloud hosting are not effective countermeasures, as adversaries can either find workarounds or secure hosting space in “friendly” countries. Attacks primarily focus on exploiting Windows Remote Desktop, followed by insecure remote access, file transfer, and hosting services.
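Two of the findings above lend themselves to a routine check an MSP can run against its own perimeter logs: the share of “benign”-looking scanners that are actually on a threat list, and which services (Remote Desktop first, then other remote access, file transfer and hosting) the scanning concentrates on. The script below is an added example, not code from the column or from Dark Cubed; the firewall log lines, the internal address range and the two threat lists are all constructed placeholders, and the port-to-service mapping is an assumption chosen to match the categories the column names.

```python
"""Cross-check perimeter scanners against threat lists and tally targeted services.

Every input here is constructed for illustration: the log lines, the
internal range 192.0.2.0/24 and the two threat lists stand in for an MSP's
real firewall export and subscribed feeds.
"""
import ipaddress
import re
from collections import Counter

# Constructed firewall connection log ("<timestamp> src=<ip> dst=<ip> dport=<port> action=<verb>").
FIREWALL_LOG = """\
2020-02-10T01:12:03Z src=203.0.113.10 dst=192.0.2.5 dport=3389 action=deny
2020-02-10T01:12:04Z src=203.0.113.10 dst=192.0.2.5 dport=3389 action=deny
2020-02-10T01:13:40Z src=198.51.100.7 dst=192.0.2.5 dport=22 action=deny
2020-02-10T01:15:11Z src=198.51.100.23 dst=192.0.2.9 dport=21 action=deny
2020-02-10T01:16:02Z src=203.0.113.77 dst=192.0.2.9 dport=443 action=allow
2020-02-10T01:17:45Z src=198.51.100.7 dst=192.0.2.5 dport=3389 action=deny
2020-02-10T01:18:30Z src=192.0.2.200 dst=192.0.2.5 dport=3389 action=allow
"""

# Constructed threat lists (placeholders for real feeds; names are hypothetical).
THREAT_LISTS = {
    "list-a": {"203.0.113.10", "198.51.100.7"},
    "list-b": {"198.51.100.7", "198.51.100.23"},
}

# Constructed "our" address range; sources inside it are not scanners.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

# Assumed mapping from well-known ports to the service categories the column names.
SERVICE_BY_PORT = {
    3389: "rdp",
    22: "remote-access", 5900: "remote-access",
    21: "file-transfer", 445: "file-transfer",
    80: "hosting", 443: "hosting",
}

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) action=(?P<action>\w+)")


def parse_log(text):
    """Return (src_ip, dst_port, action) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        events.append((m["src"], int(m["dport"]), m["action"]))
    return events


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def scanning_sources(events):
    """External source addresses seen hitting the perimeter (allowed or denied)."""
    return {src for src, _, _ in events if not is_internal(src)}


def threat_list_overlap(sources, threat_lists):
    """Map each source IP that appears on at least one list to the sorted list names."""
    flagged = {}
    for ip in sources:
        hits = sorted(name for name, ips in threat_lists.items() if ip in ips)
        if hits:
            flagged[ip] = hits
    return flagged


def flagged_fraction(sources, threat_lists):
    """Share of scanning sources that are on one or more threat lists (0.0 when none seen)."""
    if not sources:
        return 0.0
    return len(threat_list_overlap(sources, threat_lists)) / len(sources)


def targeted_services(events):
    """Count external connection attempts per service category, most-targeted first."""
    counts = Counter()
    for src, dport, _ in events:
        if not is_internal(src):
            counts[SERVICE_BY_PORT.get(dport, "other")] += 1
    return counts


if __name__ == "__main__":
    evts = parse_log(FIREWALL_LOG)
    srcs = scanning_sources(evts)
    print(f"{len(srcs)} external scanners, "
          f"{flagged_fraction(srcs, THREAT_LISTS):.0%} on a threat list")
    for ip, lists in sorted(threat_list_overlap(srcs, THREAT_LISTS).items()):
        print(f"  {ip}: {', '.join(lists)}")
    for service, n in targeted_services(evts).most_common():
        print(f"  {service}: {n} attempts")
```

On the constructed log the check reports three of four external scanners on a list and Remote Desktop as the most-targeted service; the point of running it on real exports is that the addresses a firewall quietly denies, and would otherwise be written off as background noise, are the ones worth correlating with the feeds an MSP already pays for.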

Obviously, finding solutions to the confluence of threats is easier said than done. First, MSPs must accept greater accountability and responsibility. Instead of chasing every known issue, however, they need to know where they are most and least vulnerable. Our whitepaper verified nearly 700,000 malicious hosts actively targeting MSP networks.

So where do we as an industry begin? In the second half of this two-part series, I’ll share details of the remediations and recommendations MSPs should adopt to get started.

About The Author

Vince Crisler, CEO and president of Dark Cubed, has more than 20 years of IT and cybersecurity leadership within the Department of Defense, federal civilian government, and the private sector. A former Chief Information Security Officer of the White House, Crisler is a proven cybersecurity and IT strategy leader.