MSP Cybersecurity: Why MSPs Are Big Targets for Cyberattacks

What is MDR managed detection and response

5 Bite-Sized Ways to Improve Your Business Every Week

NinjaOne Newsletter

Join fellow growth-minded MSPs and feed your business with new tips and tutorials delivered straight to your inbox.

Don't miss any promotions, free tools, events & webinars and product updates. Subscribe to receive the NinjaOne Newsletter.

Grow faster. Stress less.

Visit our Resources Center for more MSP content.
Jonathan Crowe      

Without a doubt, these past few years have been rough on the IT security front. Particularly concerning is the growing number of attacks explicitly targeting MSPs and their customers. Cybersecurity experts and authorities from multiple governments, including the U.S., UK, New Zealand, and Australia, all declare that cyberattacks targeting MSPs are increasing and will continue to rise.

In case you haven't been keeping score at home let's review some of the biggest active threats and dive into what you can be doing to better protect yourself. If you're more interested in going straight to the tips, take a look at our MSP cybersecurity checklist.

3 MSP cyberattacks & threats to be aware of

1) REvil cyberattack

Especially after 2020, cyberattacks targeting MSPs began to rise. One of the more serious attacks occurred in July of 2021, when a ransomware gang known as REvil orchestrated a malicious cyberattack that was attached to a Kaseya update.

The incident came to light via MSPs’ posts on Reddit. Unfortunately, this attack had severe consequences for MSPs and their clients. Over 1,500 organizations and 40 MSPs worldwide suffered severe consequences, and most of these organizations were affected because of their connections to their MSPs.

 

REvil cyberattack key facts & tips

  • Attackers gained access to Kaseya’s infrastructure and used them to attack
  • REvil, posing as Kaseya, used a malicious update to install ransomware on enterprise networks
  • 40 MSPs were severely affected by this attack, and over 1,500 organizations worldwide were affected as a result
  • Pro tip: If tools & solutions require an update, always check with the provider before installing blindly; most businesses that offer IT solutions and tools will publicly post what their next updates will be and when they will occur

 

2) Solarwinds cyberattack

Solarwinds’ network monitoring platform Orion was infiltrated in December of 2020 by Russian hackers who installed malware within many organizations and MSPs to gain access to critical data and information. The hackers are a part of a group now known as Nobelium, or APT29. It was a severe cyberattack that negatively affected the supply chain and multiple industries, including the IT, consulting, government, and telecom industries.

According to Kaspersky’s MSP cyberattack statistics, “As a result of the SolarWinds incident, among those MSPs who were affected (28%), almost all (98%) took at least some action to respond to the incident and prevent more attacks in the future. The most common steps were switching to other IT security software providers (44%), updating contract terms and liability with suppliers (42%), and hiring additional security experts (39%). In addition to this, 35% now see the need to hire an expert in risk management.”

 

Solarwinds cyberattack key facts & tips

  • Russian hackers, posing as Solarwind’s network monitoring platform Orion, installed malware within many organizations and gained access to important data and information
  • This attack affected multiple industries, such as IT, consulting, government, and telecom organizations
  • Of all the organizations that were affected, 28% were MSPs
  • Pro tip: After the incident, the MSPs tightened security by switching to other providers, updating contract terms with providers, and/or hiring security and risk management experts

 

3) NetStandard cyberattack

At the end of July in 2022, the MSP known as NetStandard was targeted by a cyberattack that affected its MyAppsAnywhere cloud service, forcing them to shut down their service. Additionally, the company’s main website was shut down for a short period of time as well.

The amount and type of damage that was done is uncertain since NetStandard continues to stay silent on the issue, but it is known for certain that its MyAppsAnywhere services, such as CRM services, Dynamics GP, Exchange, and SharePoint, were affected and shut down.

 

NetStandard cyberattack key facts & tips

  • NetStandard was forced to shut down its MyAppsAnywhere services for clients
  • NetStandard’s main website was shut down as well due to the cyberattack
  • NetStandard alerted clients immediately and communicated with them via Zoom bridge
  • Pro tip: A cyberattack such as this can reflect poorly on an MSP, causing clients to lose trust and the MSP to lose business, which is why it’s important to make security a priority. However, if a cyberattack does occur, MSPs should notify their clients immediately and explain how they will fix the issue to keep their trust and respect

Why are MSPs being targeted by cyber criminals?

Client access

In a word: access. MSPs serve numerous clients who entrust them with the keys to their kingdoms. MSP infrastructures are designed to provide technicians with easy direct access to those clients so they can hop on and off to troubleshoot, perform maintenance, deploy software, etc. It's easy to understand why cyber criminals find those capabilities incredibly appealing. Compromise just one MSP and they can find themselves with access to a score of potential victims.

Extortion money

In addition, because the core offering MSPs provide is keeping their client networks secure and running smoothly, the threat of client-facing disruption and damage makes MSPs prime extortion targets. If you woke up one morning to find all of your clients had been infected with ransomware how much would you be willing to pay to make the problem go away? Paying ransoms is never advisable (nor a simple or a sure thing), but you can see why attackers may believe infecting MSPs and their customers gives them even more leverage than usual.

Limited security

Finally, like many of the businesses they serve, MSPs are often small operations with limited staff and resources. While they have more knowledge and tools at their disposal, they still often lack dedicated security personnel (not to mention hours in the day to make absolutely sure they're covering all their bases). As a result, they make softer targets than major corporations many times their size, but can still offer attackers potential access to just as many endpoints via their clients.

What happens when MSPs are compromised?

The stakes are high. Attackers are increasingly leveraging initial access to MSPs to gain access to their customers. As the recent wave of cyberattacks show, the very tools and capabilities that make it possible for MSPs to serve their customers can easily be shut down and compromised. When that happens it can irreparably erode the trust at the heart of any MSP-client relationship.

No trust = No business.

5 keys to protecting your MSP business against this surge in targeted attacks

Securing your business isn't a one-time activity, but there are concrete things you can do now to make it much more difficult for attackers to land and expand in your network. We'll cover some of the more pressing items below, but you should also see our MSP cybersecurity checklist.

1) Restrict access across your network

Each of the attacks described above made use of legitimate privileges that can often be better locked down. The best way to do that is by establishing barriers between your users and assets. Start by taking a tiered approach to privileged access and adhering to a zero trust security model— always limit privileges to the bare minimum required to get the job done.

Avoid sharing or reusing login credentials, and use a password manager to create strong, unique passwords. Enable multi-factor authentication whenever possible.

But don't stop there. Make sure you're using unique local admin passwords (Microsoft's LAPS can help), and that you've removed end users from the local admin group. Don't admin accounts unless it's specifically necessary. It’s also important to lock down your systems to block lateral movement across workstations.

2) Secure your RMM and other remote access tools

Each of these RMM tools should come with a reminder that says, "With great power comes great responsibility." At a minimum, you should make sure you have MFA enabled and that you're keeping your RMM software and MSP software up to date. Yes, patching can be difficult, but these need to be a priority.

In addition, limit users who have access to these tools — and what they have access to within them — to the bare minimum necessary for them to do their jobs. In an ideal scenario, you should have logging enabled and be able to see who has accessed what, when.

And for the love of all that is holy, secure RDP.

3) Protect your users and lock down their endpoints

For as much as the threat landscape is changing, the vast majority of cyber attacks still start off the same way — with a user getting fooled by a malicious email. Hackers often target team members to gain access to systems since the majority of cyberattacks are caused by human error. Protect your employees with email and web filtering tools that can help prevent them from making mistakes. If you haven't already, it's a good idea to set up DMARC, SPF, and DKIM, too.

In addition, take time to disable or restrict built-in Windows tools and functionality that attackers love to abuse. Restricting PowerShell should be at the top of the list, but you should also adjust endpoint settings to restrict the launch of script files, disable/restrict macros and OLE in Microsoft Office, and block a variety of programs like certutil, mshta, and regsvr32 from making outbound requests.

4) Actively monitor your own network for signs of compromise

RMM tools make monitoring your clients' networks easy, but you should be keeping a close eye on your own network, as well. In the attack situations described above, alerts notifying the MSP of key events like new service installation, scheduled task creation, and registry changes may have been able to provide victims with critical early warning signs.

We've worked to make establishing these types of alerts easy thanks to the out-of-the-box alert templates in NinjaOne.

5) Have an incident response plan ready

When a security incident does occur (it's unfortunately a matter of when, not if) you need to be able to act quickly under pressure. That takes clear guidelines and effective planning. Take time to sit down with your team and work those things out. Establish roles and responsibilities. Have a plan for communicating — internally, with customers, authorities, and the public (if necessary). Research firms that specialize in incident response and have one on call should you ever need to escalate things quickly.

Finally, don't just have a plan, test it. Run fire drills so you can uncover blindspots and things you should do differently. There will definitely be something.

Next steps

Taking all these suggestions in at once can make things seem too difficult. Who has time for any of this stuff, anyway? The key thing to remember is that you don't need to do everything at once. You just need to do something. Progress can be gradual. Focus on one thing at a time. Keep in mind any improvements you can make now will be worthwhile and far less time-consuming/expensive than dealing with an active attack.

The alternative — doing nothing — is easy now, but disastrous in the long run. You can only dodge the bullet for so long. As these attacks show, the risk is only mounting. To help you get started, download our MSP checklist packed with practical tips and links to free resources.

 

5 Bite-Sized Ways to Improve Your Business Every Week

NinjaOne Newsletter

Join fellow growth-minded MSPs and feed your business with new tips and tutorials delivered straight to your inbox.

Don't miss any promotions, free tools, events & webinars and product updates. Subscribe to receive the NinjaOne Newsletter.