MSPs Beware: Hackers Targeting Critical Software to Infiltrate Your Customers
June 3, 2024


In the world of cybersecurity, the threat landscape is evolving with alarming speed and complexity. Hackers are continually developing new strategies to bypass traditional security defenses, often remaining undetected for prolonged periods. This has resulted in significant breaches at companies that provide essential software and services to Managed Service Providers (MSPs), with profound consequences for the MSP community and their clients. This article explores these breaches, their impacts, and how businesses can respond effectively.

Understanding the Breach Dynamics

Hackers have adeptly exploited vulnerabilities in network and cloud environments, targeting companies and software integral to the MSP ecosystem. Firms like Ivanti, Connectwise, Ipswitch (MOVEit), Kaseya, Microsoft and SolarWinds have all fallen prey to sophisticated cyber-attacks. This poses a significant threat to MSPs and their customers. These breaches are not just incidental; they are part of a calculated assault on the very tools MSPs use to manage and protect customer IT environments. The fallout from some of these attacks:

        • Ivanti: Ivanti Connect Secure (CS) and Ivanti Policy Secure (PS) – CVE-2023-46805 and CVE-2024-21887. Notable breaches
          • U.S. cybersecurity agency CISA
          • The Norwegian Security and Service Organization (DSS)
        • Connectwise: CVSS score of 10, CVE-2024-1709CVE-2024-1708 
          • UnitedHealth’s Change Healthcare massive breach – $1.6 billion
          • Multiple U.S. Federal Agencies
        • MOVEit
          • 2,611 organizations affected
          • 85 million individual victims
        • Kaseya
          • 50 MSPs
          • Between 800 and 1,500 businesses
          • 37,000 Kaseya customers 
        • Microsoft
          • 60,000 emails from the U.S. State Department
          • Unauthorized access to Microsoft’s source code repositories and internal systems
        • SolarWinds 
          • SolarWinds Orion network-management software compromised
          • Hackers used Orion to push out malicious updates to attack hundreds of businesses and government agencies

Hackers have adeptly exploited vulnerabilities in network and cloud environments, targeting companies and software integral to the MSP ecosystem

The ramifications of these and similar breaches are severe. Hackers exploit the Remote Monitoring and Management (RMM) and other critical functionalities of these programs to gain access to the networks and cloud environments of MSPs’ customers. This places the MSPs’ end-customers in a precarious position, as trusted partners like MSPs generally have significant administrative control over their customers’ IT infrastructures.

Why the attacks on software and services companies are so successful

In today’s environment, it is just not possible to fully prevent cybercriminals from infiltrating an organization’s computing environment, because of techniques and tactics available to hackers such as Zero-day exploits, social engineering tactics, supply-chain attacks and VPN takeover strategies:

        • Zero-day exploits: Vulnerabilities in software or hardware that are unknown to the vendor or developers.
          • Cyber attackers leverage these vulnerabilities to launch attacks before a fix or patch is developed and released, and exploit them to gain unauthorized access to systems, steal sensitive data, or execute malicious code.
          • Even after these vulnerabilities are discovered, they often continue to be significant problems for IT staff for months and even years afterward, because of difficulties in deploying complex patching routines and work overloads on IT departments.
        • Social engineering: Tactics that involve manipulating individuals to divulge confidential information, perform certain actions, or grant access to systems or data. Attackers exploit human psychology rather than technical vulnerabilities to achieve their objectives.
          • Common social engineering techniques include phishing emails, pretexting (creating a false scenario to obtain information), baiting (enticing victims with promises of rewards), and impersonation.
          • By exploiting trust, curiosity, fear, or urgency, attackers deceive individuals into compromising security measures, leading to unauthorized access.
        • Supply-chain attacks: These target the software or hardware supply chain to compromise the security of a broader ecosystem of users. Attackers infiltrate trusted suppliers, vendors, or manufacturers to inject malicious code or tamper with products during the development or distribution process.
          • When these compromised products are deployed or used by organizations or individuals, they serve as vehicles for cyber-attacks that can have far-reaching consequences.
          • They frequently affect multiple organizations and individuals who rely on the compromised products or services.
        • Neutralization and takeover of VPN traffic: A recently identified attack method, dubbed “TunnelVision,”  works on any VPN, regardless of the VPN provider, the VPN technology or how the VPN is implemented. It capitalizes on a DHCP vulnerability to enable attackers to redirect traffic intended for a VPN to an untrusted network, allowing hackers to read the traffic unencrypted, and drop or modify it. This presents a significant threat to anyone using VPNs for security.

    In today’s environment, it is just not possible to fully prevent cybercriminals from infiltrating an organization’s computing environment, because of techniques and tactics available to hackers

    This evolving world of cybercrime means that some level of hacker infiltration is becoming increasingly likely. Zero-day exploits, social engineering, and supply chain attacks bypass authentication and Endpoint Detection and Response defenses. Identity & Access Controls (IAC) and firewalls are generally blind to these advanced tactics. Zero Trust architecture often will not detect these cutting-edge cyberattacks. These criminal tactics allow hackers to establish a foothold within your network or cloud environment, plant malware remotely, and establish persistent access. Once inside, they can move laterally, escalate privileges, and deploy ransomware or other malicious payloads. After the initial breach, the hackers can gain control of critical systems and obfuscate their identity while conducting malicious campaigns. The compromised systems become the hackers’ base of operations, and their tactics and techniques make it difficult to detect their presence.

    The Consequences for MSPs

    The fallout from such breaches is severe. The MSPs’ end customers suffer as their sensitive data is exposed or their operations are disrupted. This also damages the trust placed in MSPs, who are often viewed as guardians of IT security. Furthermore, MSPs often face blame—whether for being the breach conduit or for not advocating stronger defensive measures.

    The Root of the Problem

    Despite the best efforts of MSPs, the sophisticated techniques used by hackers, such as zero-day exploits, social engineering, supply-chain attacks and VPN exploits, make it nearly impossible to guarantee full security. These methods allow attackers to sidestep conventional security measures like identity and access controls, multi-factor authentication, anti-virus and anti-malware solutions, firewalls and VPNs, which are designed to guard against more predictable threats.

    What approach should an MSP take to secure its clients’ IT infrastructures? 

    Let’s explore a standout example of cybersecurity in action: major financial institutions. These institutions have mastered the art of blocking cyber threats. Their approach involves continuous surveillance and the sophisticated handling of massive data volumes from in-house networks and the cloud, processing billions of logs each day. This process demands advanced data gathering techniques and powerful analytical tools. They further bolster their defenses by integrating this data with threat intelligence platforms that enable ongoing vulnerability checks and immediate action when threats are detected. All of this is supported by round-the-clock security operations centers (SOCs), manned by expert analysts and engineers. Such robust cybersecurity practices have proven highly effective for these financial giants.

    The sophisticated cybersecurity infrastructure of these large institutions often comes with a high cost, however, making it inaccessible for small to medium-sized businesses (SMBs) and mid-market enterprises. This poses a significant dilemma as these entities strive to find a balance between affordable cybersecurity solutions and the need to safeguard their assets and client information effectively.

    Our innovative approach to solving this problem

    At SECNAP, we understand the need for a comprehensive cybersecurity solution that emulates the holistic approach being applied successfully at major financial institutions, but affordable for everyone. That’s why we created CloudJacket , a complete security platform that matches the robust defenses used by large enterprises. 

    The use of security tools such as authentication, identity & access controls, firewalls, Zero Trust architecture, EDR systems and VPNs can be powerful, but they are not foolproof. Even with strong access controls, sophisticated threat actors can find ways past these defenses. This is where CloudJacket steps in, acting as a powerful complement to your existing security infrastructure. It provides continuous, real-time visibility across your and your client’s entire network and cloud environment, analyzing and understanding the organization’s dynamic digital environment, identifying both normal and unusual patterns across networks, cloud services, platforms, and remote endpoints, thus solidifying your security strategy and informing future security decisions:

          • Unparalleled Visibility: CloudJacket goes beyond traditional solutions, giving you a complete picture of your entire network. This grants organizations a unified view of activity across all endpoints, networks, cloud environments, and user behavior. This comprehensive visibility allows for early detection of suspicious activity and potential breaches.
          • Data collection techniques: Using both software agents (lightweight and multi-purpose, installed on endpoints such as laptops, desktops, servers, cloud instances, and virtual machines) and agentless monitoring (for firewalls, switches, routers, etc.), CloudJacket collects data from all key sources in network and cloud environments.
          • Advanced Threat Detection: CloudJacket leverages its cutting-edge threat intelligence engine and machine learning to identify and neutralize even the most sophisticated cyberattacks. CloudJacket’s extended intelligence engine analyzes all system logs as well as cloud APIs to detect anomalies and identify potential threats before they can compromise data or disrupt critical systems. It uses our proprietary software to analyze and correlate the data to accurately parse through the 100’s of millions of potential threats and behavioral anomalies that occur daily in a network or cloud, identifying those that are potential threats, and presenting these threats to our U.S.-based SOC analysts for final analysis via our proprietary security operations centers’ dashboard.
          • Proactive Threat Hunting: CloudJacket goes beyond passive detection. Our team of cybersecurity experts actively hunts for threats within your network, proactively identifying vulnerabilities and potential attack vectors before they can be exploited. This proactive approach significantly reduces the risk of successful cyberattacks.
          • Compliance Reporting: Many industries are subject to a myriad of complex compliance regulations, including Payment Card Industry (PCI DSS), National Institute of Standards and Technology 800-53 (NIST 800-53), Trust Services Criteria (TSC), General Data Protection Regulation (GDPR), and Health Insurance Portability and Accountability (HIPAA). CloudJacket provides robust compliance reporting capabilities that help organizations adhere to regulatory standards such as PCI DSS, NIST 800-53, TSC, GDPR, HIPAA, and more.
          • Eliminate Alert Fatigue — 24/7/365 Security Operations Center (SOC): Our dedicated team of highly-trained security professionals based in the USA monitors your network around the clock, providing real-time threat detection, investigation, and response. This eliminates the hundreds (or even thousands) of daily alerts your IT staff would otherwise need to handle from traditional cybersecurity solutions, and ensures your organization has access to the expertise needed to effectively respond to any security incident.

    We understand the need for a comprehensive cybersecurity solution that emulates the holistic approach being applied successfully at major financial institutions, but affordable for everyone.

    Don’t Wait Until It’s Too Late

    Cyberattacks are a constant threat for businesses and governmental entities of all sizes. Don’t wait for a breach to expose the vulnerabilities in your IT environment. Discover how CloudJacket can transform your cybersecurity posture. Contact us to learn more and take the first step towards ensuring your organization has the comprehensive security solution needed to protect your employees, your customers, your data. Complete the contact form or call 954-350-0712.

    SECNAP CloudJacket

    Ensure your organization has robust cybersecurity protection that quickly identifies and contains potential breaches.

    I want to learn more about SECNAP's solutions.

    Stay up-to-date with the latest news and trends in cyber security. Follow SECNAP Network Security’s social media channels and get valuable insights, tips, and information to help protect your organization from online threats:

    More Related Posts