For several years now, MSP security has been a common concern and a total of eleven have been compromised since July 2018. One of the main motives in targeting a service provider is to gain access to their customers.

This strategy is nothing new for cybercriminals, in fact, attackers have been known to target some organizations with the sole initiative of reaching their business partners. Perhaps ironically, cybercriminals have gone so far as to target security vendors, who like IT service providers, are often hired to protect clients from cyber attackers. With this logic in mind, we must be reminded that no organization in the invulnerable attack; knowing that hackers will seek the proverbial low-hanging-fruit, it is crucial to explore the logic and merit behind third party targeting strategies.

Some of the more common motives identified include credential theft, network access to target clients, concealing their true motive or target and malicious software updates.

MSP Security Background

To provide context, it is helpful to review an attack group that gained significant attention in mid-2018. According to researchers at Symantec in the Fall of 2019, a previously undocumented attack group, known as Tortoiseshell, has been active since at least July 2018. According to researchers, Tortoiseshell’s planning and execution demonstrate a level of skill and coordination that goes well beyond the use of off-the-shelf hacking tools indicating the group is highly skilled. 

Adding to their notoriety, the group effectively targeted and compromised 11 IT service providers, purportedly with the motive of gaining access to their customers’ networks. Of these 11 IT service providers, the group managed to obtain admin level access, giving them complete control over all connected machines.

The most advanced part of this campaign is the planning and the implementation of the attacks themselves. The attacker had to have multiple objectives achieved in an operational fashion in order to compromise the true targets which would have relationships with the IT provider.”  

Symantec Research Team

Network Access to Target Client

The targeting of IT service providers presents the strong likelihood that these attacks are what is referred to as supply chain attack, with the objective of gaining access to the networks of form of the IT service providers’ customers. According to Symantec, supply chain attacks have been on the uptick since 2018, with a whopping 78% increase. IT service providers are the ideal target for attackers considering their privileged access to their clients’ computers.

Privileged Access & Malicious Software Updates

The level of privileged access an attacker can gain by targeting IT service providers makes them an attacker’s ideal target. This access also holds the potential to allow the attacker to send malicious software updates to target machines and further, it may even provide them with remote access to customer workstations. This level of access allows the attacker to peruse the targets networks, without having to compromise the network itself as in a typical breach situation.

Concealing True Targets and Objectives

In addition to concealing the attackers breach, by targeting the IT service provider, the attacker significantly reduces the risk of begin discovered. Further, by targeting an IT service provider, the attacker makes it significantly more difficult for anyone to identify the attacker’s true targets and objectives. This makes it much harder to predict and track the attackers next move.

Summary and Conclusion

As for how Tortoiseshell infected each of these 11 networks, Symantec notes they have yet to figure it out. The only indication is evidence of a web shell that was uploaded to one of the targets, purportedly as a means to provide the attackers with remote administration access to the machine in question.

In the end, attackers are always on the lookout for their next victim. Using IT service providers as a conduit to breach their next target allows them the benefits of lessened risk of discovery, reduced exposure of their objectives and presence. As a result of such targeting, it is critical that IT service providers take every precaution to ensure the security of not only their own assets, but their customers as well.

For an IT service provider, a breach can prove especially damaging because their customers rely on them to have their security measures in place. From a business perspective, the risk of a service provider losing clients becomes a very real possibility with the logic that, if they cannot protect themselves, how can they hope to protect their clients?

MSP Security: We’re here to help!

If you have questions pertaining to anything you read here or would like to learn more about Packetlabs service offerings, and how we can help secure your organization, please contact us for more details.