According to a recent post on reddit, a hacker attacked an MSP and spread GlobeImposter 2.0 ransomware across customer networks and servers. One MSP and five of its customers appear to have been affected.
The hacker accessed and disabled the backup and disaster recovery appliances that were in place, so customers were left with everything encrypted and no way to limit the damage. It will be weeks before the affected companies recover. Unfortunately, this attack isn’t new or unique: quite a few MSPs in North America, Europe, and Australia have suffered attacks that first disable backup systems and then spread ransomware to their customers. You can read more about them in ChannelE2E’s report.
Now, you may be asking, why is this such a big deal?
Cloud service providers (CSPs) that work closely with MSPs, providing network services, cloud infrastructure, business applications, and backups, are an increasingly common target of ransomware attacks. This poses a risk because MSPs and CSPs provide services to cities, counties, and the vast majority of businesses in operation today. The DHS has issued a memo outlining steps to prevent these attacks and warning how prominent they are becoming, but it has largely fallen on deaf ears. If MSPs and CSPs don’t start making changes, their industry could face a serious crisis of credibility.
These are the best MSP-specific practices included in the memo:
- Ensure MSP accounts are not assigned to administrator groups. They should not be assigned to domain administrator (DA) or enterprise administrator (EA) groups.
- Restrict MSP accounts to only the systems they manage. Only grant MSP account access as required.
- Organizational password policies should be applied to MSP accounts. These include complexity, password life, lockout, and logging.
- Use service accounts for MSP agents and services. If an MSP requires the installation of an agent or other local service, create service accounts for this purpose. Disable interactive logon for these accounts.
- Restrict MSP accounts by time and/or date. If MSP services are only required during business hours, time restrictions should be enabled and set accordingly. Consider keeping MSP accounts disabled until they are needed and disabling them once the work is completed.
- Use a network architecture that includes account tiering so higher privileged accounts will never have access or be found on lower privileged layers of the network.
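The first five practices above are account settings that can be audited and enforced in Active Directory. The PowerShell below is an added example, not code from the original post or from the DHS memo: it reports one row per MSP account showing which practices hold, and provides helpers that apply the settings. It assumes the RSAT ActiveDirectory module is installed, that the account names are constructed samples, and that a domain group named `Deny-Interactive-Logon` (a hypothetical name) has been given the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights through Group Policy. Account tiering (practice six) is a network design decision and is not covered by the script.

```powershell
# Added example: audit and enforce the MSP-account practices in Active Directory.
# Not from the original post or the DHS memo. Assumptions: RSAT ActiveDirectory
# module present; sample account names are constructed; "Deny-Interactive-Logon"
# is a hypothetical group mapped via GPO to the deny-logon user rights.
Import-Module ActiveDirectory

$MspAccounts  = @('msp-tech1', 'msp-tech2', 'svc-msp-agent')   # constructed sample names
$DenyLogonGrp = 'Deny-Interactive-Logon'                      # hypothetical group name
$PrivGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Test-MspAccountHardening {
    # Returns one object per account with a True/False column per practice.
    param([string[]]$SamAccountNames)

    # Resolve privileged membership recursively so nested-group membership is caught.
    $privMembers = foreach ($g in $PrivGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty SamAccountName
    }
    $denyMembers = Get-ADGroupMember -Identity $DenyLogonGrp -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName

    foreach ($sam in $SamAccountNames) {
        $u = Get-ADUser -Identity $sam -Properties LogonWorkstations, logonHours, PasswordNeverExpires
        # Fine-grained password policy if one applies to the user, otherwise the domain default.
        $policy = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
        if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
        # logonHours absent or all 0xFF means "any time"; any other byte means hours are limited.
        $hoursLimited = ($null -ne $u.logonHours) -and (@($u.logonHours | Where-Object { $_ -ne 255 }).Count -gt 0)

        [pscustomobject]@{
            Account           = $sam
            Enabled           = $u.Enabled
            NotPrivileged     = -not ($privMembers -contains $sam)                 # practice 1
            HostRestricted    = -not [string]::IsNullOrEmpty($u.LogonWorkstations) # practice 2
            PasswordExpires   = -not $u.PasswordNeverExpires                       # practice 3
            LockoutEnforced   = ($policy.LockoutThreshold -gt 0)                   # practice 3
            InteractiveDenied = ($denyMembers -contains $sam)                      # practice 4
            HoursRestricted   = $hoursLimited                                      # practice 5
        }
    }
}

function New-LogonHoursMask {
    # Builds the 21-byte logonHours value: 168 bits, one per hour of the week,
    # Sunday 00:00 first, least-significant bit of each byte = earliest hour.
    # Assumption: AD evaluates these hours in UTC, so adjust for the site's time zone.
    param([int[]]$Days = (1..5), [int]$StartHour = 8, [int]$EndHour = 18)   # Mon-Fri 08:00-17:59
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $idx = [int][math]::Floor($bit / 8)
            $bytes[$idx] = $bytes[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$bytes   # leading comma keeps the byte[] intact through the pipeline
}

function Set-MspAccountHardening {
    param([string]$SamAccountName, [string[]]$ManagedHosts, [switch]$ServiceAccount)

    # Practice 1: pull the account out of every privileged group it may have landed in.
    foreach ($g in $PrivGroups) {
        Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false -ErrorAction SilentlyContinue
    }
    # Practice 2: only the hosts the MSP manages (comma-separated NetBIOS names).
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($ManagedHosts -join ',')
    # Practice 3: let the organizational password policy apply.
    Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false
    # Practice 4: service accounts for agents join the GPO-denied interactive logon group.
    if ($ServiceAccount) { Add-ADGroupMember -Identity $DenyLogonGrp -Members $SamAccountName }
    # Practice 5: business hours only, and disabled until a piece of work needs it.
    Set-ADUser -Identity $SamAccountName -Replace @{ logonHours = [byte[]](New-LogonHoursMask) }
    Disable-ADAccount -Identity $SamAccountName
}

function Enable-MspAccountForWindow {
    # Practice 5, continued: enable for a fixed window; the expiration date closes
    # the window even if nobody remembers to disable the account afterwards.
    param([string]$SamAccountName, [int]$Hours = 4)
    Enable-ADAccount -Identity $SamAccountName
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime (Get-Date).AddHours($Hours)
}

# Usage: audit first, then harden the accounts that fail.
Test-MspAccountHardening -SamAccountNames $MspAccounts | Format-Table -AutoSize
# Set-MspAccountHardening -SamAccountName 'svc-msp-agent' -ManagedHosts @('FS01','APP01') -ServiceAccount
# Enable-MspAccountForWindow -SamAccountName 'msp-tech1' -Hours 4
```

Run the audit from a workstation with RSAT as an account that can read group membership; the audit itself changes nothing. The enforcement helpers are deliberately separate so that the report can be reviewed with the MSP before any account is restricted, and the logon-hours helper is the piece most worth checking in a test OU first because of the UTC offset.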
These practices harden the accounts an MSP uses and make attacks like this one harder to carry out. Something not included on this list that could easily be added is the use of two-factor authentication (2FA). 2FA has been gaining traction and is likely easy and familiar to most. It adds an additional layer to the authentication process, so a stolen or guessed password alone is no longer enough for an attacker to gain access.
EVAN is more than just a great source of technology information. We have Master Certified Professionals waiting to meet your IT needs right now.