Sophisticated threat groups are increasingly targeting managed service providers (MSPs) and using the compromise as a foothold to launch supply-chain attacks against their small and medium-sized downstream customers.
Analysis of data from over 200,000 small and medium-sized businesses (including regional MSPs) between the first quarter of 2022 through the first quarter of 2023 showed the increased interest from APTs in this segment as a way to initiate attacks on a large number of companies in one geography.
MSPs, along with solution providers and resellers, assist end users in deploying, customizing and managing cloud services and other technologies. Regional MSPs in particular service customers in concentrated geographic areas. For attackers, compromising these organizations could allow them to target the “trusted relationships” between the MSP and their customers.
“Regional MSPs often protect hundreds of SMBs that are local to their geography and a number of these maintain limited and often non-enterprise grade cyber security defenses,” according to Proofpoint in a
Wednesday analysis. “APT actors appear to have noticed this disparity between the levels of defense provided and the potential opportunities to gain access to desirable end user environments.”
In an attack in mid-January, for instance, the Iran-linked MuddyWater APT (also known as TA450) sent phishing emails to two Israeli regional managed service providers and IT support firms. The phishing emails included a URL that, if clicked, delivered a Zip archive that deployed the legitimate Synchro remote administration tool. Researchers said that threat actors used the tool like a remote access trojan to conduct additional threat activities.
“The targeting of regional MSPs within Israel aligns with TA450’s historic geographic target set,” according to Proofpoint researchers. “Further this recent campaign indicates TA450 maintains an interest in targeting regional technology providers to gain access to downstream SMB users via supply chain attacks originating against vulnerable regional MSPs.”
This isn’t a new problem, but it’s one that is gaining traction. In 2021,
Microsoft warned that UNC2452 (also known as Nobelium or APT29) was compromising technology providers in order to target their delegated administrative privileges, which allows admins to delegate administrative responsibilities - such as adding users or domains, or resetting passwords - to partners.
Overall, according to Proofpoint data, threat actors aligned with Russian, Iranian and North Korean state interests have increasingly targeted small and medium-sized businesses, which often don’t have the
resources or budget to implement security measures. Threat actors then use their compromised infrastructure for phishing campaigns, financial theft and supply-chain attacks.
duo.com
