Managed Service Providers Under Attack

In the past month, a Managed Service Provider (MSP), or what many registered investment advisers would call their outsourced IT provider, was breached, exposing up to 2000 user endpoints to disruption and perhaps worse. The IT vendor was subsequently urged to pay a ransom of $2.6 million to have its systems unlocked.

The breach took place through a complicated but well-understood vulnerability in the Managed Service Provider's Remote Monitoring and Management (RMM) tool. RMMs are used by many MSPs for remote management of, and access to, clients' systems.

In October 2018, the United States Computer Emergency Readiness Team issued an Alert warning of Advanced Persistent Threats targeting IT providers. The Alert includes some fundamental configuration and management recommendations that could be challenging for some Managed Service Providers to meet.

For example, and directly from the Alert:

Account Configuration Recommendations

  • Ensure MSP accounts are not assigned to administrator groups. MSP accounts should not be assigned to the Enterprise Administrator (EA) or Domain Administrator (DA) groups.
  • Restrict MSP accounts to only the systems they manage. Place systems in security groups and only grant MSP account access as required. Administrator access to these systems should be avoided when possible.
  • Ensure MSP account passwords adhere to organizational policies. Organizational password policies should be applied to MSP accounts. These policies include complexity, life, lockout, and logging.
  • Use service accounts for MSP agents and services. If an MSP requires the installation of an agent or other local service, create service accounts for this purpose. Disable interactive logon for these accounts.
  • Restrict MSP accounts by time and/or date. Set expiration dates reflecting the end of the contract on accounts used by MSPs when those accounts are created or renewed. Additionally, if MSP services are only required during business hours, time restrictions should also be enabled and set accordingly. Consider keeping MSP accounts disabled until they are needed and disabling them once the work is completed.
  • Use a network architecture that includes account tiering. By using an account tiering structure, higher privileged accounts will never have access or be found on lower privileged layers of the network. This keeps EA and DA level accounts on the higher, more protected tiers of the network. Ensure that EA and DA accounts are removed from local administrator groups on workstations.
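The recommendations above can be checked rather than taken on trust. The following PowerShell audit is an added example (not code from the US-CERT Alert or from any MSP's tooling); it assumes the MSP-provided accounts are collected in an Active Directory group named `MSP-Accounts` (a placeholder name) and reports, per account, which of the Alert's account recommendations are not met.

```powershell
# Added audit example; assumes MSP accounts are members of the placeholder group 'MSP-Accounts'.
Import-Module ActiveDirectory

$MspGroup         = 'MSP-Accounts'
$PrivilegedGroups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators')

function Test-MspAccount {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)
    $issues = New-Object System.Collections.Generic.List[string]

    # 1. Not assigned to EA/DA groups. The LDAP_MATCHING_RULE_IN_CHAIN filter resolves
    #    nested membership, so an account that reaches Domain Admins through an
    #    intermediate group is still reported.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($User.DistinguishedName))" |
              Select-Object -ExpandProperty Name
    foreach ($g in ($groups | Where-Object { $PrivilegedGroups -contains $_ })) {
        $issues.Add("member of privileged group '$g'")
    }

    # 2. Organizational password policy: 'life' means the password must expire.
    if ($User.PasswordNeverExpires) { $issues.Add('PasswordNeverExpires is set') }

    # 3. Expiration date reflecting the end of the contract.
    if (-not $User.AccountExpirationDate) { $issues.Add('no account expiration date') }

    # 4. Time-of-day restriction. logonHours is a 21-byte bitmap covering 168 hours;
    #    absent or all 0xFF means the account may log on at any hour.
    $hours = $User.logonHours
    if (-not $hours -or @($hours | Where-Object { $_ -ne 255 }).Count -eq 0) {
        $issues.Add('no logon-hours restriction')
    }

    # 5. Keep the account disabled until needed: list enabled accounts for review.
    if ($User.Enabled) { $issues.Add('currently enabled (confirm work is in progress)') }

    [pscustomobject]@{ Account = $User.SamAccountName; Issues = ($issues -join '; ') }
}

# 'Disable interactive logon' for agent service accounts is a Group Policy user-rights
# setting (Deny log on locally / through Remote Desktop Services), not a user attribute,
# so it is verified in GPO rather than here.
Get-ADGroupMember -Identity $MspGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties PasswordNeverExpires, AccountExpirationDate, logonHours, Enabled
    } |
    ForEach-Object { Test-MspAccount -User $_ } |
    Format-Table -AutoSize -Wrap
```

Run it from a workstation with the RSAT Active Directory module as a user permitted to read the directory; an empty Issues column for an account means that account meets the checks above.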

We have been discussing the US-CERT Alert recommendations with both clients and their MSPs. We often find that clients, their Managed Service Providers, and the "persons responsible for IT Security" at the business are not receiving information on current threats and vulnerabilities. They may or may not be aware of high-profile issues such as the WannaCry ransomware attacks of 2017, the ongoing Intel AMT critical firmware vulnerabilities, or basic matters such as the end-of-life of specific devices or applications, much less what some might consider an arcane technical Alert concerning MSPs.

Some of the issues mentioned are discoverable through vulnerability scanning and penetration testing. In our experience, and despite the SEC's discussion of these activities for about three to four years, many firms are only now initiating scanning and testing, which often leads to a healthy discussion of network and system-level vulnerabilities at the Information Security Committee.

Meanwhile, many IT professionals dismiss looking outward for vulnerability information, or "Threat Intelligence", as nonsense because of the random and overwhelming volume of information. The eye-rolling comes from the sheer amount of information out there and a persistent cynicism: "even if I follow all this information, how much of it is relevant to my environment, and what difference does it make if one of my users is phished or we are hit with a zero-day exploit?" The real challenge is distilling Threat Intelligence to what is relevant to your environment.

We are suggesting a few ways of keeping an eye on current Threats and Vulnerabilities rather than waiting for the nightly news.

  1. The United States Computer Emergency Readiness Team (the US-CERT) remains an important avenue for informing the Critical Infrastructure community, including financial services firms. The US-CERT handles the parsing of information from industry sources plus provides information they believe to be important.  We have mentioned the US-CERT in several posts, and we believe in the past year they have issued seminal alerts of which clients should be aware.  We are listing a few here which can be considered at the Information Security Committee.
  • Securing Network Infrastructure Devices: June 21, 2018: https://www.us-cert.gov/ncas/tips/ST18-001 – More Supervised Persons and key personnel are working remotely, in branch offices and in home offices. We often find that the home office is secured by consumer-grade devices from the Internet Service Provider, with the network perhaps enhanced by a multi-function wireless router you can buy at Staples. This important Security Tip pointed to some of the vulnerabilities in common devices and pitfalls such as failing to upgrade such devices and/or failing to change default passwords.
  • Advanced Persistent Threat Activity Exploiting Managed Service Providers: October 3, 2018: https://www.us-cert.gov/ncas/alerts/TA18-276B – It makes perfect sense that MSPs, who hold the keys to the kingdom for many companies, would be targeted by high-level attackers. This is a daunting document setting out security controls for MSPs, who must hold themselves to a high standard of security that can be validated by Investment Advisers and other financial services firms. MSPs also may use an assortment of applications and third-party providers in their offerings, which must be considered in the due diligence or Vendor Management program of advisers.
  • Subscribe to the US-CERT Security alerts, tips, and other updates at the home page listed below.
  2. Lean on your key device and application providers for vulnerability and threat intelligence information. If you use Cisco/Meraki firewalls, you may wish to subscribe to their Customer Advisories at https://meraki.cisco.com/blog/cisco-meraki-customer-advisories/ . If your firm uses Salesforce for CRM or other services, you may wish to subscribe to their Security Advisories at https://trust.salesforce.com/en/security/security-advisories/ . You understand the concept: use the security information available from your key vendors.
  3. Finally, if you have not already, begin the process of Vulnerability Scanning and Penetration Testing. This process either reveals patching and configuration changes you need to work on with your internal IT personnel or MSP, or provides you with validation of your network and system-level security.

SEC Cybersecurity: Ransomware Alert, May 17, 2017
https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf

United States Computer Emergency Readiness Team website https://www.us-cert.gov/