The National Cybersecurity and Communications Integration Center (NCCIC) has identified ongoing advanced persistent threat (APT) activity attempting to infiltrate the networks of managed service providers (MSPs). The APT actors are using legitimate credentials to exploit trusted network relationships, which allows them to move into other trusted networks.
MSPs provide remote management of their customers' IT systems and have direct access to their customers' networks, so a compromise in one part of an MSP's network can spread to all of its customers. Compromised MSP credentials can give an attacker bidirectional movement between the MSP's network and the shared networks of its customers.
A successful network intrusion can have severe impacts on the affected organization, including loss of sensitive or proprietary information, financial losses from the breach, and potential harm to the organization's reputation.
In line with NCCIC and U.S. Government guidance, SKOUT recommends that you review your credential and privileged access management as well as your remote access controls. We also recommend auditing logs of legitimate remote access to verify that the activity is authorized. If you use an MSP to provide a service, restricting its access to networks and systems deemed critical will contain an APT actor's movement. Restrict MSP accounts by time or date, and ensure that MSP accounts are not assigned to administrator groups.
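The two checks in the recommendations above, auditing remote access logs against an approved time window and confirming that MSP accounts are not in administrator groups, can be scripted. The following is an added example written for this page, not code from SKOUT, NCCIC or US-CERT; the account name, group names, log format and log lines are all constructed for illustration, and a real deployment would feed it directory data and VPN/RDP logs from its own environment.

```python
"""Audit MSP service-account activity against two controls:
  1. MSP accounts may only log on inside an approved time window.
  2. MSP accounts must not be members of administrator groups.
All names, policies and log lines below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical policy: the MSP account may log on Mon-Fri, 08:00-18:00 only.
MSP_POLICY = {
    "svc-msp-remote": {"window": (time(8, 0), time(18, 0)), "days": {0, 1, 2, 3, 4}},
}

# Groups that an MSP account must never belong to.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed directory snapshot: account -> group memberships.
DIRECTORY = {
    "svc-msp-remote": {"Remote Desktop Users", "Domain Admins"},
    "jdoe": {"Domain Users"},
}

# Constructed remote-access log (key=value fields; 2018-10-03 is a Wednesday,
# 2018-10-06 a Saturday). Source addresses are documentation ranges.
SAMPLE_LOG = """\
2018-10-03T09:15:02Z user=svc-msp-remote src=203.0.113.10 result=success
2018-10-03T23:41:17Z user=svc-msp-remote src=198.51.100.7 result=success
2018-10-06T10:05:00Z user=svc-msp-remote src=203.0.113.10 result=success
2018-10-03T11:00:00Z user=jdoe src=192.0.2.5 result=success
"""


@dataclass
class Finding:
    kind: str
    user: str
    detail: str


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def audit_logons(log_text, policy=MSP_POLICY):
    """Flag successful logons by MSP accounts outside their approved window."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user")
        if user not in policy or ev.get("result") != "success":
            continue
        rule = policy[user]
        ts = ev["ts"]
        start, end = rule["window"]
        in_window = ts.weekday() in rule["days"] and start <= ts.time() <= end
        if not in_window:
            findings.append(
                Finding("logon-outside-window", user, f"{ts.isoformat()} from {ev.get('src')}")
            )
    return findings


def audit_group_membership(directory, policy=MSP_POLICY, admin_groups=ADMIN_GROUPS):
    """Flag MSP accounts that hold membership in any administrator group."""
    findings = []
    for user in policy:
        hits = directory.get(user, set()) & admin_groups
        if hits:
            findings.append(Finding("msp-account-in-admin-group", user, ", ".join(sorted(hits))))
    return findings


if __name__ == "__main__":
    for f in audit_logons(SAMPLE_LOG) + audit_group_membership(DIRECTORY):
        print(f"[{f.kind}] {f.user}: {f.detail}")
```

Run against the sample data, the logon audit reports the late-night Wednesday session and the Saturday session, and the membership audit reports the Domain Admins membership; the normal Wednesday-morning logon and the non-MSP user produce nothing. Findings of the first kind are what the "verify the activity is authorized" step above acts on, and findings of the second kind are the condition the last sentence says should never exist.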
For more in-depth information about the recommendations, please visit the following link at US-CERT: