Alert - Malicious Cyber Activity Targeting Managed Service Providers

Number: AL17-004
Date: 04 April 2017

Purpose

The purpose of this alert is to bring attention to ongoing malicious cyber activity targeting managed service providers (MSPs).

Assessment

CCIRC is aware of ongoing malicious cyber activity targeting managed service providers (MSPs) internationally. The level of sophistication associated with this activity requires a heightened level of awareness from organizations in order to detect possible compromises. A variety of organizations rely on MSPs for a wide range of infrastructure support, such as security and specialized consulting, software, hardware and cloud hosting solutions.

Mitigating the risks associated with using service providers is a responsibility shared between the organization (referred to as the “tenant”) and the MSP or cloud service provider (CSP). However, organizations are ultimately responsible for protecting their systems and ensuring the confidentiality, integrity and availability of their data. Organizations that outsource IT infrastructure are advised to maintain an open dialogue with their provider and to understand what model it uses to manage clients’ services.

The actors behind this activity are leveraging MSPs as conduits in attempts to acquire sensitive client information. This is facilitated by the necessarily close relationship between MSPs’ networks and those of their clients. This makes MSPs an attractive target for malicious actors, as the compromise of one MSP network could offer access to multiple client networks. Ultimately, the client, which could be in the public or private sector, is the likely target of the compromise attempts.

Given the apparent sophistication of the cyber activity and the potential extent of the compromise, it is possible that this activity has given the malicious actor access to companies around the world in a variety of critical infrastructure sectors. No evidence suggests the general public or small to medium enterprises are being targeted. CCIRC is currently working with international partners and the private sector to establish the scale and determine any impact on Canadian organizations. Reporting of any suspected activity to CCIRC will greatly help in understanding the nature and scope of this activity.

Suggested Action

CCIRC recommends that organizations review the following mitigation information and consider its implementation in the context of their network environment.

  • Consider implementing a strong password policy.
  • Keep your operating system and software up-to-date with the latest patches.
  • Consider limiting administrative and other privileges to those accounts which require them for business purposes.
  • Monitor antivirus scan results and other network logs for suspicious activity on a regular basis.
  • Employ a data backup and recovery plan for all critical information.
  • When engaging an MSP, consider factors such as ownership of the data, where the data is stored, how it is backed up and what security measures are in place. An MSP solution should satisfy organizational security, privacy and legislative requirements.
  • Organizations using managed service providers are encouraged to contact their service provider to discuss risks.
  • For additional mitigation information and best practices on managing relationships with MSPs, please see CCIRC’s Information Note IN17-003 – Cyber Security Best Practices: Contracting with Managed Service Providers.

References:

CCIRC – Information Note IN17-003 – Cyber Security Best Practices: Contracting with Managed Service Providers
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/in/in17-003-en.aspx

International Partners
https://acsc.gov.au/global-targeting-enterprises-managed-service-providers.html

https://www.ncsc.gov.uk/news/advice-managing-enterprise-security-published-after-major-cyber-campaign-detected

Get CyberSafe Guide for Small and Medium Businesses:
https://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-en.aspx%20-%20s6-2

Using Passwords:
https://www.getcybersafe.gc.ca/cnt/prtct-yrslf/prtctn-dntty/usng-psswrds-en.aspx
