Alert - Malicious Cyber Activity Targeting Managed Service Providers

Number: AL17-004
Date: 04 April 2017

Purpose

The purpose of this alert is to bring attention to ongoing malicious cyber activity targeting managed service providers (MSP).

Assessment

CCIRC is aware of ongoing malicious cyber activity targeting managed service providers (MSPs) internationally. The level of sophistication associated with this activity requires a heightened level of awareness from organizations in order to detect possible compromises. A variety of organizations rely on MSPs for a wide range of infrastructure support, such as security and specialized consulting, software, hardware and cloud hosting solutions.

Mitigating the risks associated with using service providers is a responsibility shared between the organization (referred to as the “tenant”) and the MSP or CSP. However, organizations are ultimately responsible for protecting their systems and ensuring the confidentiality, integrity and availability of their data. Organizations that outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model they use to manage clients’ services.

The actors behind this activity are leveraging MSPs as conduits in attempts to acquire sensitive client information. This is facilitated by the necessarily close relationship between MSPs’ networks and those of their clients. This makes MSPs an attractive target for malicious actors, as the compromise of one MSP network could offer access to multiple client networks. Ultimately, the client, which could be in the public or private sector, is the likely target of the compromise attempts.

Given the apparent sophistication of the cyber activity and the potential extent of the compromise, it is possible that this activity has given the malicious actor access to companies around the world in a variety of critical infrastructure sectors. No evidence suggests the general public or small to medium enterprises are being targeted. CCIRC is currently working with international partners and the private sector to establish the scale and determine any impact on Canadian organizations. Reporting of any suspected activity to CCIRC will greatly help in understanding the nature and scope of this activity.

Suggested Action

CCIRC recommends that organizations review the following mitigation information and consider its implementation in the context of their network environment.

  • Consider implementing a strong password policy.
  • Keep your operating system and software up-to-date with the latest patches.
  • Consider limiting administrative and other privileges to those accounts which require them for business purposes.
  • Monitor antivirus scan results and other network logs for suspicious activity on a regular basis.
  • Employ a data backup and recovery plan for all critical information.
  • When engaging an MSP, consider factors such as ownership of the data, where the data is stored, how it is backed up and what security measures are in place. An MSP solution should satisfy organizational security, privacy and legislative requirements.
  • Organizations using managed service providers are encouraged to contact their service provider to discuss risks.
  • For additional mitigation information and best practices on managing relationships with MSPs, please see CCIRC’s Information Note IN17-003 – Cyber Security Best Practices: Contracting with Managed Service Providers.

References:

CCIRC – Information Note IN17-003 – Cyber Security Best Practices: Contracting with Managed Service Providers
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/in/in17-003-en.aspx

International Partners
https://acsc.gov.au/global-targeting-enterprises-managed-service-providers.html

https://www.ncsc.gov.uk/news/advice-managing-enterprise-security-published-after-major-cyber-campaign-detected

Get CyberSafe Guide for Small and Medium Businesses:
https://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-en.aspx%20-%20s6-2

Using Passwords:
https://www.getcybersafe.gc.ca/cnt/prtct-yrslf/prtctn-dntty/usng-psswrds-en.aspx
