Posted by Geraldine Hunt on Mon, Jan 28th, 2019
Hackers are always looking for the weakest link. Just one weak link could mean the exploitation of a vulnerability that gives the attacker millions of records. Spear-phishing attacks prey on the weakest employee link, but attackers have a new target in their sights: managed service providers (MSPs). Attackers know MSPs hold a plethora of data and access, from client credentials to critical systems. This is why security experts have noticed a recent trend in attacks focusing on MSPs.
Threats Targeting MSPs and CSPs
Managed service providers (MSPs) and cloud service providers (CSPs) can potentially have dozens of clients to support. Most providers manage small businesses that can’t support their own infrastructure or don’t have the staff that can build internal systems for their applications. These SMBs hire MSPs and CSPs to create the right solutions, and then these providers stay on retainer to maintain, upgrade and service current and future infrastructure.
In October 2018, the United States Computer Emergency Readiness Team (US-CERT) published a notification specific to MSPs and CSPs warning that attackers were focusing their efforts on these IT support providers. The primary reason attackers target these providers is their administrator access and escalated privileges with no restrictions.
Spear-phishing attacks focus on specific employees such as finance staff or IT administrators. These employees have privileges that give them access to important data and system configurations. These attacks are still ongoing, but more companies have realized the importance of education and content filtering. Big businesses have the IT budget to add systems that block content and emails that could lead to a successful phishing attack.
SMBs need the same kind of cybersecurity defenses, but they rely on MSPs to put the right systems in place. These systems could be content filters or cloud email services that protect against phishing attacks. With these content and email filters in place, attackers find it more difficult to get their phishing emails through normal business defenses.
The party that puts these protections in place is the SMB’s managed provider. To create the right infrastructure, managed providers need full access to the internal systems. This includes administrator passwords, router credentials, cloud provider credentials, VPN access and any other unfettered access that the MSP needs to build the system. For some small businesses, the MSP builds infrastructure from the ground up, so the MSP has all credentials and connects using VPN. Other MSPs maintain the system onsite, but many SMBs have cloud infrastructure that the MSP can configure remotely.
Because providers hold this massive amount of permissions on small business systems, attackers target providers and then have full administrator rights to the organization. An attacker no longer needs to find ways to trick an enterprise system into allowing email to pass through cybersecurity defenses. Instead, they focus on an MSP that might not have its own cybersecurity systems in place due to its remote workflow.
What an MSP Can Do to Avoid an Attack
With so many clients to support, MSPs can be too busy to recognize a phishing attack. It only takes a few minutes for an attacker to trick an MSP into clicking a link and sending credential information. If the attacker is aware of the MSP’s clients, a link that uses the client’s information can be sent to the MSP. After the targeted user clicks the link and enters credentials, an attacker can immediately log into critical client systems.
Content filtering is the main way to stop phishing attacks. DNS-based content filtering stops attacks before the user can download content to a local network machine. It also blocks malicious websites, so when a user clicks a link that leads to a phishing website, the DNS-based content filtering application blocks access to the website.
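The following Python example, added here and not taken from the article or from any filtering product, shows the per-query decision a DNS-based filter makes: the queried name is normalized and matched label by label against a blocklist before any resolution happens. The blocklist entries, the sinkhole address and the `upstream` lookup table are constructed assumptions.

```python
# Added illustration: the decision a DNS-based content filter makes per query.
# All domain names and addresses below are constructed for this example.
BLOCKLIST = {"login-portal.example", "phish.test"}  # constructed entries
SINKHOLE_IP = "192.0.2.1"  # TEST-NET-1 address standing in for a block page


def normalize(qname: str) -> str:
    """Canonical form for matching: lower-case, no trailing dot, IDNA-encoded."""
    name = qname.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name  # malformed label: match on the raw lower-cased form


def matched_rule(qname: str, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers qname, or None.

    Matching walks whole labels from the full name up through its parent
    domains, so a subdomain of a blocked domain is caught, while a different
    domain that merely ends with the same characters is not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(qname: str, upstream: dict) -> dict:
    """Filter first, then resolve. `upstream` stands in for the real resolver."""
    rule = matched_rule(qname)
    if rule is not None:
        return {"qname": qname, "action": "block", "rule": rule, "answer": SINKHOLE_IP}
    answer = upstream.get(normalize(qname))
    return {"qname": qname, "action": "allow", "rule": None, "answer": answer}


if __name__ == "__main__":
    upstream = {"www.example.org": "203.0.113.10"}  # constructed record
    for q in ("Secure.Login-Portal.Example.", "notlogin-portal.example", "www.example.org"):
        print(resolve(q, upstream))
```

Because the verdict is reached at lookup time, the blocked name never resolves to the phishing host, which is why the user's machine downloads nothing from it.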
User education works to an extent, but busy MSPs flooded with work can sometimes miss the signs of a phishing email and click a link or reply to it with personal information. Attackers have several tricks up their sleeves, and they use each one until they find just one targeted user who falls victim to an attack. It’s these kinds of targeted emails that MSPs should recognize and immediately delete.
Combine user education with the right content filtering, and MSPs will avoid becoming victims of a targeted attack. It’s especially important for MSPs to always stay vigilant with cybersecurity because they have a lot to lose. Just one breached client can mean the loss of reputation for an MSP, so keep content filtering systems in place and always be cautious when receiving email from unknown senders.