Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
John Hammond
John Hammond
Connect Directly
E-Mail vvv

Why MSPs Are Hacker Targets, and What To Do About It

Managed service providers are increasingly becoming the launching pad of choice for ransomware and other online malfeasance.

It's commonly understood that smaller businesses have smaller IT budgets, which often does not leave much room for IT security. Even in 2020, many of these companies have never heard of NIST, ISO 27001, or other security frameworks, let alone implemented them. And with more than 30 million businesses falling in the category of fewer than 1,000 employees, small businesses represent a significant part of the American economy. For an attacker, this is a gold mine of potential opportunity, but the key to that financial reward means operational scalability, putting the target squarely on managed service providers (MSPs). 

Why MSPs?
Many small to midsize businesses (SMBs) rely on MSPs to assist them with cost-effective management of IT infrastructure, monitoring, and general support. Companies regularly put their trust in MSPs to protect their data, but we have to remember that MSPs are often small businesses themselves. And as attack vectors increase by the minute, there seems to be no end in sight to the growing pressures on MSPs

Related Content:

Eight Flaws in MSP Software Highlight Potential Ransomware Vector

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: CFAA 101: A Computer Fraud & Abuse Act Primer for InfoSec Pros

So, why are MSPs a major target for cyberattacks? The obvious answer is that an MSP may service a myriad of SMBs; having access to one MSP is an easy gateway to all of their supported SMB networks. Not to mention that nearly two-thirds of organizations use MSPs for at least one IT function.  

Unfortunately, MSPs are now being used more and more as a pawn for hackers' malicious plans. Recently, Ragnar Locker ransomware hit Portuguese energy giant EDP, demanding a $10.9 million ransom. The operators behind the ransomware strain are known to furtively target software used by MSPs to avoid being detected. My company reported earlier this year that it detected Ragnar Locker being deployed via common MSP remote management and monitoring tools. As attacks like these proliferate, MSPs must remain vigilant with their security practices.

The MSP Security Challenge
Cyber defense doesn't come for free, and this is a significant challenge for MSPs. There are really only two places where an MSP can look to increase security standards for their end customers: The first is convincing the SMB to spend more on security, which is often a difficult upsell given already tight IT budgets. The second is to eat into their thin margins while still maintaining the ability to update defenses as needed by the threat landscape. 

The vast majority of cybersecurity defense solutions are purpose-built for the enterprise, bringing in a plethora of technology bells and whistles often too overwhelming or unnecessary for the SMB. All too often, there's chatter around cybersecurity proselytizing the merits of artificial intelligence, machine learning, and behavioral analytics — all of which come with high costs. The truth is, MSPs need solutions that cater to their specific needs, not just from a technical point of view but also financial and operational perspectives in order to get to the coveted 80/20

Small businesses have gained operational agility with the rise of the cloud and software-as-a-service, and with that, attackers have evolved to go after the lowest-hanging fruit. In order to quickly combat these constantly changing threats, small businesses — which make up 99% of corporations — need cybersecurity solutions specifically streamlined to easily fit within their financial business models. 

Some Advice for MSPs
With the current landscape and a predominantly remote workforce, malicious actors are even more prone to taking advantage of MSPs. So, what can MSPs do now to ensure the businesses they serve are receiving the same, if not better, service during this time? 

  • Get to know your customers and understand what matters to them. If you support accounting firms, understand the vulnerabilities and heightened exposure around tax season and show how you are focusing security efforts around key assets and priorities. 
  • Find ways to push customers into adopting key high-impact security services such as multifactor authentication (MFA) and suppress the latest and greatest cybersecurity buzzwords. 
  • Invest time in the tools you already have. Evaluating and deploying a new tool takes a lot of time and effort, which often comes with license fees and vendor management headaches. There are tons of tools right at your fingertips to help secure your customers built into your remote management tools — tools such built-in inventory, audit reports, or even Windows Security Baselines.
  • Know your response plan. Whether it's your customer that suffers a breach or even the chance that your own MSP business is targeted, it's important to have a plan in place in order to react quickly. Designate people who will be responsible for handling communications, assign the right technical team to handle incident investigation, and pull together your triage process. Doing this upfront will save you precious minutes in the event an incident occurs.

Above all, constant communication, monitoring, and staying on top of the latest threats will prove valuable and establish new protocols to be referenced in the future. The 99% of small businesses may have 99 problems, but hopefully with the right solutions and a base level of due diligence, their MSP won't be one.

John Hammond is a Security Researcher at Huntress as well as a cybersecurity instructor, developer, red teamer, and CTF enthusiast. John is a former Department of Defense Cyber Training Academy curriculum developer and teacher for the Cyber Threat Emulation course, educating ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).