
Managed Service Providers MSP Compromised by Known Threat Actor


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A cyber actor using previously documented intrusion tools has targeted major international Managed Service Providers (MSPs) within Enterprise Services and Cloud Hosting businesses since at least May 2016.

Threat details

This activity has been linked strongly to a known threat actor whose operations have previously targeted end-victims directly, predominantly through tailored spear-phishing emails as the primary attack vector, re-crafting relevant open source content and embedding implants within attachments.

The threat actor has shown the ability to remain undetected for months, utilising a combination of tailored malware and internal system administrator toolsets, facilitated by privilege escalation enabling lateral movement across the network. They have also demonstrated persistence in re-infecting networks post-remediation.

Managed Service Providers are particularly attractive to attackers because they often have highly privileged access to systems and data. As part of your procurement, you should have ensured that your service providers all manage their security to a level broadly equivalent to that which you would expect from your internal functions.


Remediation steps

  • As well as the technical architecture used, you should understand their personnel security policies, restrictions placed on the people who perform day-to-day activities in your MSP, how they store and manage access to your key credentials and how they monitor and manage audit for their customer system accesses.
  • You should also understand how your MSP ensures separation between their customers, ensuring that compromise of one does not allow compromise of all. As part of that assessment, you should consider how the MSP’s own corporate network may bring risk to your systems and data and how they manage that on your behalf.
  • You should ensure that you have monitoring and audit that is independent of your MSP. This is critical for security monitoring and management, but also for contractual enforcement and investigations of both cyber (e.g. this campaign) and non-cyber (e.g. insider-led data theft) incidents. An organisation that has engaged an MSP (or outsourced a service function in another way) without maintaining independent monitoring is unlikely to be able to manage their risk effectively.
  • Ensure your MSP operates at an acceptable baseline level of security via contractual agreement and/or audited compliance against security standards such as ISO 27001, Cyber Essentials or the 10 Steps to cyber security.
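The independent monitoring step above, and the lateral-movement behaviour described under Threat details, can be turned into a simple customer-side audit of the accounts an MSP holds on your estate. The following is an added example, not code from NHS Digital or from this alert: it reads constructed logon records and flags MSP-account logons outside an agreed change window, logons from outside the MSP's declared source range, and one account fanning out across many hosts within a short period. The account names, IP ranges, window times and thresholds are all assumptions standing in for values that would come from your contract with the MSP.

```python
"""
Customer-side audit of MSP-held privileged accounts (added example).

Findings raised over constructed logon records:
  outside_window    - MSP account used outside the agreed change window
  unexpected_source - MSP account used from outside the MSP's declared ranges
  fanout            - one MSP account reaching many hosts in a short period
                      (a lateral-movement indicator)
All account names, ranges, windows and thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Assumed contractual baseline agreed with the MSP (illustrative values).
MSP_ACCOUNTS = {"svc-msp-admin", "msp-ops1"}
MSP_SOURCE_RANGES = [ip_network("203.0.113.0/24")]  # documentation range, constructed
WINDOW_START, WINDOW_END = time(22, 0), time(6, 0)  # agreed window 22:00-06:00
FANOUT_HOSTS = 5                 # distinct hosts per account within FANOUT_PERIOD
FANOUT_PERIOD = timedelta(minutes=10)


@dataclass
class Logon:
    ts: datetime
    account: str
    src: str
    host: str


def parse_line(line: str) -> Logon:
    # Constructed record format: "<ISO timestamp> <account> <source-ip> <host>"
    ts, account, src, host = line.split()
    return Logon(datetime.fromisoformat(ts), account, src, host)


def in_window(ts: datetime) -> bool:
    # The agreed window crosses midnight, so it is a union of two ranges.
    t = ts.time()
    return t >= WINDOW_START or t < WINDOW_END


def in_msp_range(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in MSP_SOURCE_RANGES)


def audit(lines):
    """Return a list of (finding, account, detail, timestamp) tuples."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings = []
    recent = defaultdict(list)  # account -> [(ts, host)] within FANOUT_PERIOD
    for e in events:
        if e.account not in MSP_ACCOUNTS:
            continue  # only accounts the MSP holds are in scope here
        if not in_window(e.ts):
            findings.append(("outside_window", e.account, e.host, e.ts.isoformat()))
        if not in_msp_range(e.src):
            findings.append(("unexpected_source", e.account, e.src, e.ts.isoformat()))
        hist = recent[e.account]
        hist.append((e.ts, e.host))
        hist[:] = [(t, h) for t, h in hist if e.ts - t <= FANOUT_PERIOD]
        hosts = {h for _, h in hist}
        if len(hosts) >= FANOUT_HOSTS:
            findings.append(("fanout", e.account, len(hosts), e.ts.isoformat()))
            hist.clear()  # report a burst once, then start counting again
    return findings


# Constructed sample log: two in-window logons, one daytime logon, one logon
# from outside the MSP range, a five-host burst, and one non-MSP user.
SAMPLE_LOG = """
2020-02-17T23:05:00 svc-msp-admin 203.0.113.10 fs01
2020-02-17T23:06:00 svc-msp-admin 203.0.113.10 fs02
2020-02-17T14:20:00 msp-ops1 203.0.113.22 db01
2020-02-17T23:30:00 svc-msp-admin 198.51.100.7 dc01
2020-02-18T02:00:00 msp-ops1 203.0.113.22 app01
2020-02-18T02:01:00 msp-ops1 203.0.113.22 app02
2020-02-18T02:02:00 msp-ops1 203.0.113.22 app03
2020-02-18T02:03:00 msp-ops1 203.0.113.22 app04
2020-02-18T02:04:00 msp-ops1 203.0.113.22 app05
2020-02-17T10:00:00 jsmith 192.0.2.5 ws01
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(finding)
```

Because the audit runs on logs the customer collects itself (for example from domain controllers or a SIEM the MSP cannot administer), it continues to work even if the MSP's own tooling is compromised, which is the point of keeping monitoring independent of the provider.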

Last edited: 17 February 2020 11:34 am