US-CERT recently released the following warning to businesses, governmental units, and other organizations that contract their computer support to companies known as Managed Service Providers, or MSPs. An MSP provides support principally through remote monitoring, remote access, and remote control software. It installs a monitoring tool called an “agent,” along with a command-and-control device on the client’s LAN that polls the connected computers and reports their status to the support group, or NOC (Network Operations Center), at the MSP. This allows the MSP’s help desk personnel to proactively monitor and manage their clients’ computers, servers, and other network devices. All in all, this is a good way to manage your IT assets.
But if the terms “remote access,” “remote control,” “remote monitoring,” and “command and control” sound like the malicious exploits we have discussed in previous articles, this is not your imagination. The tools MSPs use to deliver higher levels of service to their clients are very similar to the tools cyber-attackers use to exploit them.
The US-CERT warning is reporting evidence that Chinese cyber-attackers are targeting MSPs in order to use their remote monitoring and management (RMM) tools to access the networks of their client companies. The alert follows.
12/20/2018 11:21 AM EST Original release date: December 20, 2018
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released information on Chinese government malicious cyber activity targeting global information technology (IT) service providers—such as managed service providers and cloud service providers—and their customers. These threat actors are actively exploiting trust relationships between IT service providers and their customers.
NCCIC, part of CISA, encourages users and administrators to review the page on Chinese Malicious Cyber Activity for more information.
If you use an MSP, click through the link for Guidance for IT Service Provider Customers from US-CERT and the NCCIC. You should have a discussion with your MSP about this alert, and ask them whether they have undertaken an audit or vulnerability assessment to determine if they are clear of this threat. If they downplay this threat or blow you off, you may want to find a new support company.
If you are an MSP, US-CERT and the NCCIC have detection and remediation information in their reports Guidance for IT Service Providers and APTs Targeting IT Service Provider Customers. You need to be looking for this attack. It may be better to hire an outside firm to perform the security audit, since using your own IT or security staff will tend to produce results that are favorable to the group. Seriously, if they missed the attack in the first place, what is the likelihood they will find it now? Another great solution is to add a SOC (Security Operations Center) to your NOC (Network Operations Center) by adding a UTM (Unified Threat Management) tool to your support operations. I happen to like and have used AlienVault. A UTM would allow the MSP to monitor both THEIR OWN and their clients’ networks for incidents of attack. I have seen this in action, and once it is configured for your network, it works great.
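As an added example (not part of the original post or of any RMM vendor's tooling), here is the kind of check a SOC could run over an RMM platform's session log to spot the pattern the alert describes: remote-control sessions from outside the MSP's NOC address range, sessions driven by accounts that are not technicians, sessions at odd hours, or one account fanning out across many client sites. The log lines, the NOC range 203.0.113.0/24, the technician account names and the business-hours window are constructed assumptions.

```python
import ipaddress
from datetime import datetime
# Constructed sample of an RMM platform's session log (not real data):
# timestamp, technician account, source IP, client site, target host, action
SESSION_LOG = """\
2018-12-19T09:12:04 tech.alice 203.0.113.10 client-a FS01 remote_control
2018-12-19T23:47:51 tech.alice 198.51.100.77 client-b DC01 remote_control
2018-12-19T23:52:10 tech.alice 198.51.100.77 client-c DC01 remote_control
2018-12-20T02:15:30 svc_backup 203.0.113.12 client-d WS-22 remote_control
2018-12-20T10:05:00 tech.bob 203.0.113.11 client-a WS-07 script_push
"""

NOC_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed NOC egress range
TECHNICIANS = {"tech.alice", "tech.bob"}             # accounts allowed to drive sessions
BUSINESS_HOURS = range(7, 20)                        # 07:00-19:59; anything else is reviewed

def parse_sessions(text):
    sessions = []
    for line in text.splitlines():
        ts, user, src, site, host, action = line.split()
        sessions.append({"ts": datetime.fromisoformat(ts), "user": user, "site": site,
                         "src": ipaddress.ip_address(src), "host": host, "action": action})
    return sessions

def suspicious_reasons(s):
    """Per-session checks: does this look like the MSP's own NOC connecting?"""
    reasons = []
    if not any(s["src"] in net for net in NOC_NETS):
        reasons.append("source outside NOC range")
    if s["user"] not in TECHNICIANS:
        reasons.append("non-technician account driving session")
    if s["ts"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons

def triage(text):
    """Map 'timestamp user@site/host' -> reasons, for sessions needing analyst review."""
    findings = {}
    for s in parse_sessions(text):
        reasons = suspicious_reasons(s)
        if reasons:
            findings[f"{s['ts'].isoformat()} {s['user']}@{s['site']}/{s['host']}"] = reasons
    return findings

def fan_out(sessions, threshold=3):
    """Accounts reaching >= threshold distinct client sites: one stolen credential pivoting across customers."""
    sites = {}
    for s in sessions:
        sites.setdefault(s["user"], set()).add(s["site"])
    return {u: sorted(v) for u, v in sites.items() if len(v) >= threshold}
```

Tune the NOC ranges, technician list and hours to your own operation; the fan-out check is the one most specific to this alert, since a legitimate technician rarely needs to touch many customers in a single night.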
Whether you are an MSP or a customer, you owe it to your business to get in front of this new attack.