Initial access brokers selling online access to unsuspecting MSPs
- Initial access brokers are selling access to managed service providers as a means of providing an online gateway to dozens of unsuspecting organizations, according to research from Huntress.
- Researchers disclosed solicitations in online criminal hacker forums where access to MSPs were advertised. Specific metrics regarding the targeted organization provide a virtual roadmap for a potential ransomware attack, including information on access methods, the level of administrative privileges and whether the victim has ransomware insurance.
- The solicitations for access come months after the FBI, the Cybersecurity and Infrastructure Security Agency and the Five Eyes intelligence services warned of MSPs being targeted by advanced persistent threat actors looking to gain entry to vulnerable organizations.
MSPs have become a lucrative target for threat actors. They can provide access to additional downstream customers who may not have the bandwidth, in the form of financial resources, personnel or internal expertise to operate a 24/7 security operations team on their own.
“The focus may be on MSPs because they can provide access to multiple targets,” Harlan Carvey, senior incident responder at Huntress, said via email.
Gaining access to a single MSP may provide a threat actor with access to systems and data belonging to dozens of organizations at the same time.
Researchers suggested a number of steps to protect against being compromised:
- Organizations should limit their online visibility and take inventory of specific systems
- Take basic hygiene measures, including the implementation of multi-factor authentication, least privileged access, security updates and patches
- Maintain an accurate inventory of physical systems, running services and user accounts
- Monitor networks for suspicious activity
- Maintain offline backups