Chinese Attacks Against MSPs and IT Support Companies Puts Clients At Risk

US-CERT recently released the following warning to businesses, governmental units, and other organizations that contract their computer support to companies known as Managed Service Providers, or MSPs.  An MSP provides support principally by using remote monitoring, remote access, and remote control software products.  They install a monitoring tool called an "agent," along with a command and control device on the client's LAN that polls the connected computers and reports the status of these devices to the support group, or the NOC (Network Operations Center) at the MSP.  This allows the MSP's help desk personnel to proactively monitor and manage their clients' computers, servers, and other network devices. All in all, this is a good way to manage your IT assets.

But if the terms "remote access," "remote control," "remote monitoring," and "command and control" sound like the malicious exploits we have discussed in previous articles, this is not your imagination.  The tools MSPs use to provide higher levels of service to their clients are very similar to the tools cyber-attackers use to compromise and control networks.

The US-CERT warning is reporting evidence that Chinese cyber-attackers are targeting MSPs in order to use their remote monitoring and management (RMM) tools to access the networks of their client companies.  The alert follows.

Chinese Malicious Cyber Activity

12/20/2018 11:21 AM EST  Original release date: December 20, 2018

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released information on Chinese government malicious cyber activity targeting global information technology (IT) service providers—such as managed service providers and cloud service providers—and their customers. These threat actors are actively exploiting trust relationships between IT service providers and their customers.

NCCIC, part of CISA, encourages users and administrators to review the page on Chinese Malicious Cyber Activity for more information.

If you use an MSP, click through the link for Guidance for IT Service Provider Customers from US-CERT and the NCCIC. You should have a discussion with your MSP about this alert, and ask them whether they have undertaken an audit or vulnerability assessment to determine that they are clear of this threat.  If they downplay this threat or blow you off, you may want to find a new support company.

If you are an MSP, US-CERT and the NCCIC have detection and remediation information in their reports Guidance for IT Service Providers and APTs Targeting IT Service Provider Customers.  You need to be looking for this attack.  It may be better to hire an outside firm to perform the security audit, since using your own IT or security staff will tend to produce results that favor the group being audited.  Seriously, if they missed the attack in the first place, what is the likelihood they will find it now?  Another great solution is to add a SOC (Security Operations Center) to your NOC (Network Operations Center) by adding a UTM (Unified Threat Management) tool to your support operations.  I happen to like and have used AlienVault.  A UTM would allow the MSP to monitor both THEIR OWN and their clients' networks for incidents of attack.  I have seen this in action, and once it is configured for your network, it works great.

Whether you are an MSP or a customer, you owe it to your business to get in front of this new attack.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.