APT Actors Exploiting Global MSPs: DHS Security Alert

APT actors are spying on and attempting cyber espionage plus intellectual property theft by infiltrating networks of global MSPs (Managed Service Providers), according to a security alert issued by the U.S. Department of Homeland Security (DHS). The APT actors, as per the U.S government, have been targeting different sectors- the healthcare industry, the IT sector, the Energy sector, the communications sector etc.

The security alert issued on October 3, 2018, by the U.S. Department of Homeland Security (DHS) Computer Emergency Readiness Team (CERT) reads, “The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.”

The presence of an MSP makes things easier for the threat actors by providing a larger attack surface. Once access to MSP networks is worked out, it becomes possible for them to move between MSPs and the shared networks of their customers, avoiding all kinds of detection.

The U.S government security alert explains, “The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”

It further says, “Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.”

APT actors gain access to MSP networks by using stolen credentials and pre-installed system tools, like command line scripts. Since these scripts are legitimate tools, they cannot be blocked and the APT actors using the scripts can remain undetected on the victims’ networks. Once they gain access to the networks, they do all kinds of malicious activities including stealing data, spying on your computer, organizations, disrupting business operations etc. They could also end up causing potential damage to the reputation of a business organization.

The data infiltration that these APT actors cause also goes undetected. The DHS security alert states, “When APT actors use system tools and common cloud services, it can also be difficult for network defenders to detect data exfiltration. APT actors have been observed using Robocopy—a Microsoft command line tool—to transfer exfiltrated and archived data from MSP client networks back through MSP network environments. Additionally, APT actors have been observed using legitimate PuTTY Secure Copy Client functions, allowing them to transfer stolen data securely and directly to third-party systems.”

The DHS alert explains how organizations can detect such intrusions by configuring system logs to detect incidents and to identify malicious activities. The DHS also recommends mitigation measures that organizations need to adopt in the wake of such threats and attacks happening rampantly.