Dear Securitarians,
You are all special. And I do mean special. Each and every one of you is a valued member of a small and very important community, a community of talented and trusted people with access to a lot of valuable client resources. As employees of a Managed Service Provider, you have a level of access and trust that is difficult to come by. It takes years of building strong relationships, by performing services above and beyond the call of duty, and maintaining open and honest communications with our clients. Because of this high degree of trust, our clients give us great access to all of their data, and it is that privilege, the ability to access everything in a lot of places, that makes us a hot target.
Starting back in 2006, China decided that breaking into firms, one at a time, to steal intellectual secrets and other valuable data, took too much time. Each system had to be probed, tested, researched and then tried again before some vulnerability could be found and the goods could be extracted. They decided to save time by focusing on Managed Service Providers (MSPs), since MSPs have access to *lots* of valuable systems and have administrative rights to boot. Breaking into an MSP and stealing the credentials to all of the MSP clients saves a bucket load of time.
The Chinese hacking group named APT10 developed a campaign that used a sophisticated set of tricks against MSPs in dozens of countries. Malware downloaded by APT10 victims posed as legitimate software to fool AV systems. They also leveraged Dynamic DNS in conjunction with hundreds of IP addresses and over 1,300 unique domain names to avoid Command and Control (C&C) addresses being blacklisted. This campaign has gone on for years, and continues to this day, as seen in the recent Cloud/Island Hopper attacks. And other groups beyond APT10 have dogpiled on.
Back in February, a very good security friend of ours (Tim!) sent me a link to a very bad story where an MSP was hacked due to a vulnerability in their RMM tool (Kaseya). More recent attacks by unknown assailants have been via drive-by downloads, and via a Webroot Management Console. Other attackers have shifted just slightly to attacking and compromising software providers, as seen last week when hundreds of dentist offices in the US were hit by ransomware.
With the increasing complexity of firewalls and intrusion defense tools, Social Engineering attacks have become the more common and easier way to gain entry into a target, even against MSPs. Because of this, Social Engineering attacks continue to rise. A Q1 2019 Proofpoint survey of 7,000 IT professionals details the extent of social engineering attacks:
- 83% of survey respondents said they experienced e-mail phishing attacks in 2018
- 64% of InfoSec professionals experienced e-mail spear phishing in 2018
- 49% of respondents who said they experienced vishing (phone calls) and smishing (SMS text messages) attacks
The numbers for e-mail phishing and spear phishing attacks are not terribly surprising, and while the number of attacks is high, they have been going up for a long time. However, as the adoption of mobile devices for work duty has also continued to rise, the shifting of Social Engineering attacks towards mobile devices via vishing and smishing becomes much more important and to which we should pay attention. Mobile devices do not always display all of the visual cues, such as hover display, that you get on a desktop or laptop system, so busy workers often trust the content on their phones far more than they should.
Since we are doing more and more work on our mobile devices and since more attacks are coming at us through them, we must be ever vigilant to protect our clients when we are out and about. Verify sensitive and unexpected requests with a follow-up phone call before launching into the work. This is not a bother for the client. Calling a client to verify that the request is real, and to codify details, tells the client that you take the security of their data seriously.
Comments? Questions? Grave concerns? Please holler.
Hal