MSP Cybersecurity: Best practices for mitigating targeted ransomware attacks

[harlan4096]

MSPs, often tasked with providing customers with IT security services, have found themselves in the crosshairs as ransomware groups increasingly focus their attacks on the MSP market, where a single incident can enable threat actors to deploy ransomware to dozens of businesses.

For MSPs, this poses a significant security challenge – but it also presents an opportunity. Prioritizing internal security protocols allows service providers to better protect themselves and, by extension, their customers. It also enables security-conscious MSPs to differentiate from competitors who may be more vulnerable to compromise.

In this article, we’ll explore why ransomware groups are targeting MSPs and discuss best practices for mitigating ransomware attacks.

Why do attackers target MSPs?

MSPs are a logical target for ransomware groups. In 2018, the Department of Homeland Security issued an alert stating that threat actors had been targeting MSPs since May 2016.

Since that warning was issued, dozens of MSPs have fallen to ransomware, leading to tens of thousands of endpoints being encrypted and ransomware groups generating millions of dollars.

Sadly, the trend doesn’t seem to be stopping any time soon. But why exactly are MSPs such popular targets?

Easy access to targets

MSP infrastructure enables attackers to gain direct access to clients. By using the legitimate credentials of a compromised MSP, attackers can move freely between an MSP and its customers’ shared networks, where ransomware can be deployed with little effort.

As the Department of Homeland Security noted: “MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”

Leverage

Most ransomware attacks are financially motivated. While companies are typically discouraged from paying the ransom, MSPs are often more inclined to pay because failure to do so will result in significant downtime for their entire client base and may cause irreparable damage to the MSP’s reputation.

Given that the average North American MSP has 52 active customers, according to a report by SolarWinds and The 2112 Group, the collective financial impact of a ransomware attack on an MSP can be enormous.

Lack of resources

MSPs are often much smaller than the companies they serve – in fact, 65 percent of MSPs have less than 10 full-time employees, according to the above report.

Smaller MSPs are typically operating with limited resources, may lack dedicated security personnel and are often so busy that they simply don’t have the time to maintain strict cybersecurity practices.

Consequently, MSPs can be easier targets than larger corporations, while still giving attackers access to potentially hundreds or thousands of endpoints.Biggest ransomware threats for MSPsRyukFirst discovered in August 2018, Ryuk was infamous for targeting large enterprises and making ransom demands that were, at the time, more than 10 times the average. Ryuk is typically dropped onto systems that have been compromised by Emotet and/or Trickbot, two trojans that are usually distributed via phishing emails. A number of MSPs have been affected by Ryuk, including Data Resolution, CorVel and CloudJumper.

SodinokibiSodinokibi, sometimes referred to as REvil, was first spotted in April 2019. Threat actors typically use Sodinokibi to target MSPs by exploiting RDP vulnerabilities, stealing privileged credentials and leveraging commonly used remote monitoring and management (RMM) software to deploy ransomware to an MSP’s customers’ endpoints. Many MSPs have been affected by Sodinokibi, including Complete Technology Solutions, PerCSoft and Synoptek.

Best practices for mitigating ransomwareAdhering to proven cybersecurity fundamentals can go a long way toward securing both internal and client endpoints.

The following recommendations should not be considered comprehensive but rather a collection of best practices for mitigating ransomware.

1. Secure remote access tools

One of the most effective things an MSP can do to mitigate ransomware is to ensure remote access tools are as secure as possible. This might involve:

• Enforcing MFA: Multifactor authentication (MFA) is a simple and very effective way to prevent attackers using compromised credentials to log in to remote access tools. Enable and enforce MFA wherever possible, with no exceptions.
  
• Implementing IP restrictions: Consider using IP restrictions to only allow users connected to the MSP’s local network to access remote administration tools.
  
• Update RMM software: Vendors regularly release software updates to fix known vulnerabilities in their software. While patching may be inconvenient at times, it should always be considered a priority.
  
• Secure RDP: Remote Desktop Protocol (RDP) is Windows’ native remote administration tool, which has been repeatedly exploited in ransomware attacks. This guide from UC Berkeley is a good starting point for MSPs that wish to learn more about securing RDP, while this blog post offers some advice for preventing RDP brute force attacks.
  

2. Restrict network access

Ransomware attacks on MSPs frequently involve the use of stolen credentials. MSPs should operate on the assumption that their accounts will be compromised at some point and take steps to restrict network access accordingly.

• Adopt the principle of least privilege: Employees should only have access to the minimum resources necessary to do their jobs. Limit access rights and regularly audit permissions to ensure privileges are in line with current requirements. Staff should not have local administrator rights unless it’s specifically needed for them to do their work.
  
• Practice good authentication hygiene: Staff should understand the fundamentals of creating strong passwords and avoid sharing or recycling login credentials. Consider using a password manager and enable MFA where possible.
  
• Prevent lateral movement: When an attacker gains access to one asset within a network, they’ll typically try to obtain a stronger foothold by spreading laterally across the network. Application whitelisting, MFA, network segmentation and good password management may be useful tools for preventing lateral movement. See this guide from the U.K.’s National Cyber Security Centre for more information.
  

3. Disable PowerShell if it’s not used

PowerShell is Microsoft’s built-in framework for task automation and configuration management. While it has many legitimate uses, PowerShell is often used by threat actors to deploy ransomware as it can execute macros, provide full access to many Windows system functions and execute payloads from memory.

MSPs should disable PowerShell if it is not critical to operations. MSPs that must use PowerShell should closely monitor all PowerShell activity so that suspicious behavior can be identified and stopped as quickly as possible.
...

Continue Reading