Cyberthreats Targeting IT Service Provider Customers
A successful network intrusion can have severe effects on the affected organization, particularly if the compromise becomes public.
Since May 2016, advanced persistent threat (APT) actors have used various tactics, techniques, and procedures for cyberespionage and intellectual property theft worldwide. APT actors have targeted victims in several U.S. critical infrastructure sectors, including IT, energy, healthcare and public health, communications, and critical manufacturing.
The alert listed the effects a successful network intrusion can have on the affected organization, which are worse still if the compromise becomes public. They include:
- Temporary or permanent loss of sensitive or proprietary information.
- Disruption to regular operations.
- Financial losses to restore systems and files.
- Potential harm to the organization’s reputation.
The NCCIC (the DHS National Cybersecurity and Communications Integration Center) said potential targets include parent companies, connected partners, and contracted managed service providers (MSPs) and cloud service providers. APT actors can leverage legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations under the pretext of authorized activity. Leveraging legitimate credentials also allows APT actors to access other devices and trusted networks, enabling them to maintain persistence and evade detection tools.
Pravin Kothari, CEO of the San Jose, Calif.-based CipherCloud, said, “The new and recent DHS alerts about the Chinese APT10 RedLeaves cyberattack on cloud providers highlight the impossible problem faced by both enterprise and municipal government.” Kothari elaborated that the impossible problem is that enterprise and government cannot face off against well-funded nation-state attackers or large-scale organized crime. “It is a ridiculous proposition to believe otherwise. The U.S. government needs to step in and defend our internet infrastructure so that normal commerce and communications can continue unhindered.” In addition, the CipherCloud CEO suggested enlisting the support of allies to ensure the effort's success.
“It is critically important for cyberthreat intelligence like this to be disseminated, as companies can take extra precautions to secure the supply chain. These steps include discovering assets that hackers can target, identifying vulnerabilities and remediating any cybergaps,” Matan Or-El, CEO and co-founder of New York City-based Panorays, stated. “However, the sophistication of these attacks means that companies will have to continuously review their digital assets and those of their third-party vendors and business partners to ensure that all vulnerabilities are detected and patched.”
The NCCIC provided information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. The technical alert (TA) included an overview of tactics, techniques and procedures used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.
The alert noted APT actors use a range of “living off the land” techniques to maintain anonymity while conducting their attacks. These methods include using legitimate credentials, trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks. By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move between an MSP and its customers’ shared networks.
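The defensive corollary of the credential-reuse pattern described above is that an MSP account is only legitimate within the access the MSP was actually granted: a known source range, a known set of managed hosts, and an agreed maintenance window. The following is an added example of that review, written for this page and not taken from the alert or the article; the account names, the 203.0.113.0/24 source range, the host list, the 22:00-04:00 window and the pipe-delimited log export are all constructed for illustration, as is the sample log, which includes an MSP credential used from an internal workstation against a domain controller in the middle of the working day.

```python
"""Flag logons by MSP accounts that fall outside the access the MSP was granted.

Added example, not code from the NCCIC alert or the article. The account names,
source range, host list, maintenance window and log format below are assumptions
constructed for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy for two hypothetical MSP accounts (all values are assumptions).
MSP_ACCOUNTS = {"svc-msp-admin", "msp-tier2"}
MSP_SOURCE_NETS = [ip_network("203.0.113.0/24")]  # MSP jump hosts (documentation range)
MSP_ALLOWED_HOSTS = {"FILESRV01", "PRINTSRV01"}    # the hosts the MSP administers
MSP_WINDOW = (time(22, 0), time(4, 0))             # maintenance window, wraps midnight


@dataclass
class Logon:
    ts: datetime
    account: str
    src_ip: str
    target_host: str
    logon_type: int  # Windows logon type code: 2 interactive, 3 network, 10 RDP


def parse_line(line: str) -> Logon:
    """Parse one constructed export line: ts|account|src_ip|target_host|logon_type."""
    ts, account, src, host, ltype = line.strip().split("|")
    return Logon(datetime.fromisoformat(ts), account.lower(), src, host.upper(), int(ltype))


def in_window(t: time, window: tuple[time, time]) -> bool:
    """True if t lies inside the window; handles a window that wraps past midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def review(logon: Logon) -> list[str]:
    """Return the policy violations for one logon; empty list means consistent with policy.

    Non-MSP accounts are out of scope for this review and return no findings.
    """
    if logon.account not in MSP_ACCOUNTS:
        return []
    findings: list[str] = []
    if not any(ip_address(logon.src_ip) in net for net in MSP_SOURCE_NETS):
        findings.append(f"source {logon.src_ip} is outside the MSP jump-host range")
    if logon.target_host not in MSP_ALLOWED_HOSTS:
        findings.append(f"target {logon.target_host} is not a host the MSP administers")
    if not in_window(logon.ts.time(), MSP_WINDOW):
        findings.append(f"logon at {logon.ts:%H:%M} is outside the maintenance window")
    return findings


def review_log(lines) -> dict[str, list[str]]:
    """Map each offending log line (stripped) to its list of findings."""
    results: dict[str, list[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        findings = review(parse_line(line))
        if findings:
            results[line.strip()] = findings
    return results


# Constructed sample export. Line 3 is the pattern the alert describes: a legitimate
# MSP credential reused from an internal host, against a domain controller, in the
# middle of the working day.
SAMPLE_LOG = """\
2018-10-03T23:10:00|svc-msp-admin|203.0.113.40|FILESRV01|10
2018-10-03T23:12:00|svc-msp-admin|203.0.113.40|PRINTSRV01|3
2018-10-04T14:05:00|svc-msp-admin|10.20.30.7|DC01|3
2018-10-04T02:30:00|msp-tier2|198.51.100.9|FILESRV01|10
2018-10-04T09:00:00|jdoe|10.20.30.7|DC01|2
"""

if __name__ == "__main__":
    for line, findings in review_log(SAMPLE_LOG.splitlines()).items():
        print(line)
        for finding in findings:
            print("   -", finding)
```

The point of the three separate checks is that each one catches a different way the credential can be misused: the source check catches the account being used from inside the customer network rather than from the MSP, the host check catches it reaching systems outside the MSP's remit, and the window check catches activity outside the agreed hours even when the source and target look normal. In a real deployment the policy values come from the contract with the MSP and the log lines from a central log collector, not from literals in the script.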
The warning noted that an organization's ability to rapidly respond to and recover from an incident begins with the development of an incident response capability. MSP clients that do not conduct most of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should also understand the supply chain risk associated with their MSP organizations.