The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning for Managed Security Providers (MSPs) and Cloud Security Providers (CSPs) that they were at high risk of cyber attacks.  Why the focus on MSPs and CSPs?  Gaining access to these types of companies often can allow hackers access into their customer’s networks as well.

What has happened since the alert?

A ransomware attack on a Colorado MSP spread to more than 100 of their customers through remote access software that did not have multi-factor authentication activated. Do you have MFA in place?

A Wisconsin CSP of online backup services suffered a ransomware attack that encrypted the cloud backups of over 400 customers. Although it has not been confirmed publicly, statements by the company indicated that they paid a ransom for the decryption key to restore their customer’s files. Would you be able to come up with a ransom to get client data restored, and would your commercial insurer cover this cost?

A hosting provider and MSP in New York exposed the Albany County Airport’s network when they experienced a ransomware attack, and also reportedly had to pay a ransom to provide a decryption key before they were fired by the airport.  Could you be at risk of losing a major client from this type of incident?

The most recent MSP with a public attack hit by malware first began disconnecting their access to customer’s networks to try and stop the malware from spreading.  According to the company’s ‘Customer FAQ Regarding Malware Incident’ the MSP was breached by threat actors who installed Cobalt Strike beacons on several systems in their environment.

These beacons allow remote threat actors access to the network to steal data, spread to other machines, and ultimately deploy the ransomware, which the threat actors deployed on February 28th. The MSP is reportedly expecting over $20 million in losses following the attack. Would you be able to survive this kind of hit?

What should MSPs and CSPs do TODAY, to protect themselves?

  1. Review access to customer’s networks and control of key entry points.  Make sure multi-factor authentication is in use!
  2. Review detection capabilities to monitor your network 24/7 with threat intelligence that can detect suspicious activity or patterns.  Signature-based malware detection does not alert on these attacks until it is too late.
  3. Review your cyber insurance coverage with your commercial carrier to make sure your coverage is aligned to your risks.  Know what the carrier will provide for incident response if you need it, and get a resource in place if your carrier does not provide help with cyber incidents.