Managed service providers (MSPs) and cloud service providers (CSPs) are under attack by advanced persistent threat (APT) groups, the U.S. Department of Homeland Security warns.
“MSPs provide remote management of customer IT and end-user systems. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk,” the department’s National Cybersecurity and Communications Integration Center (NCCIC) noted.
“By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.”
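The alert's core warning is that the credentials being abused are the MSP's own legitimate ones, so a customer sees what looks like routine remote administration. One defensive check that follows from that description, written here as an added example (it is not code from the DHS/NCCIC alert or from any MSP product), is to treat MSP accounts as a distinct class and alert when they authenticate from outside the MSP's known jump hosts or fan out across several customer environments in a short window. The account names, jump-host addresses, thresholds and the log format are all constructed assumptions for the example.

```python
"""
Added example, not from the DHS/NCCIC alert: flag MSP credential use that
departs from the expected remote-management pattern.

Constructed assumptions:
  - MSP_ACCOUNTS are the accounts the provider uses for remote management.
  - Those accounts should only authenticate from MSP_JUMP_HOSTS.
  - One MSP account reaching PIVOT_CUSTOMER_THRESHOLD or more customers
    inside PIVOT_WINDOW is worth a look (the "bidirectional movement"
    the alert describes).
  - The log line format is a simplified, constructed one.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MSP_ACCOUNTS = {"msp-svc-remote", "msp-admin"}          # constructed
MSP_JUMP_HOSTS = {"10.50.0.10", "10.50.0.11"}            # constructed
PIVOT_WINDOW = timedelta(minutes=30)
PIVOT_CUSTOMER_THRESHOLD = 3


@dataclass
class Logon:
    ts: datetime
    user: str
    src_ip: str
    customer: str
    outcome: str


def parse_logon(line: str) -> Logon:
    """Parse one constructed log line of the form
    '<iso-timestamp> user=<u> src=<ip> customer=<c> outcome=<success|failure>'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Logon(datetime.fromisoformat(ts_str), fields["user"],
                 fields["src"], fields["customer"], fields["outcome"])


def find_suspicious(lines):
    """Return a list of findings; each is a tuple whose first item is the rule name."""
    findings = []
    by_user = defaultdict(list)
    for line in lines:
        logon = parse_logon(line)
        # Only successful use of MSP-designated accounts is in scope here.
        if logon.user not in MSP_ACCOUNTS or logon.outcome != "success":
            continue
        if logon.src_ip not in MSP_JUMP_HOSTS:
            findings.append(("msp_cred_from_unexpected_source",
                             logon.user, logon.src_ip, logon.customer))
        by_user[logon.user].append(logon)

    # Fan-out: one MSP account touching many customers within the window.
    for user, logons in by_user.items():
        logons.sort(key=lambda l: l.ts)
        for i, first in enumerate(logons):
            customers = {first.customer}
            for later in logons[i + 1:]:
                if later.ts - first.ts > PIVOT_WINDOW:
                    break
                customers.add(later.customer)
            if len(customers) >= PIVOT_CUSTOMER_THRESHOLD:
                findings.append(("msp_cred_fanout", user,
                                 first.ts.isoformat(), tuple(sorted(customers))))
                break  # one fan-out finding per account is enough
    return findings


# Constructed sample log: normal MSP activity, then the same MSP account
# used from a non-jump-host address against three customers in 10 minutes.
SAMPLE_LOG = [
    "2019-10-03T14:00:00 user=msp-svc-remote src=10.50.0.10 customer=acme outcome=success",
    "2019-10-03T14:05:00 user=msp-svc-remote src=10.50.0.10 customer=acme outcome=success",
    "2019-10-03T14:10:00 user=msp-svc-remote src=192.0.2.77 customer=acme outcome=success",
    "2019-10-03T14:12:00 user=msp-svc-remote src=192.0.2.77 customer=globex outcome=success",
    "2019-10-03T14:20:00 user=msp-svc-remote src=192.0.2.77 customer=initech outcome=success",
    "2019-10-03T15:30:00 user=jdoe src=10.20.0.5 customer=acme outcome=success",
    "2019-10-03T15:40:00 user=msp-admin src=198.51.100.9 customer=globex outcome=failure",
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Both rules depend on the customer knowing, in advance, which accounts and source addresses belong to its provider; that inventory is exactly the "open dialogue with their provider" the Canadian guidance quoted below asks for, and without it neither rule can be tuned.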
The providers’ customers are the real targets
The ultimate targets are the providers’ customers which, according to the DHS, include enterprises in several U.S. critical infrastructure sectors, including IT, energy, healthcare, communications, and critical manufacturing.
They did not explicitly say which APTs they suspect of mounting the attacks, but have included a link to a threat alert published in April 2017 that details attacks with two remote administration Trojans/tools called REDLEAVES and PLUGX (aka Sogu). These tools have been tied to APT10 (aka Red Apollo, aka Stone Panda), a group whose actions – mostly espionage and information collection – closely align with strategic Chinese interests.
As the Canadian Centre for Cyber Security helpfully explained, “mitigating the risks associated with using service providers is a responsibility shared between the organization and the MSP or CSP. However, organizations are ultimately responsible for protecting their systems and ensuring the confidentiality, integrity and availability of their data. Organizations that outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model they use to manage clients’ services.”
This latest alert contains advice on how to detect incidents and how to prepare an organized response to them, as well as mitigation advice to help organizations manage supply chain risk.
It could also be a reminder to perform an assessment of whether the organization’s service providers are managing their security in an adequate way. The U.K. National Cyber Security Centre also offered advice on what to do.
The DHS has also published on Wednesday an alert detailing best practices for mitigating trusted network exploitation by using rigorous credential and privileged access control.
Additional resources, including links to a search tool for Sogu-related filenames and other helpful tools for detecting and investigating malicious activity, can be found here.