CyberWire Daily - CISA Alert AA22-131A – Protecting against cyber threats to managed service providers and their customers. [CISA Cybersecurity Alerts]
Episode Date: May 12, 2022
The cybersecurity authorities of the UK, Australia, Canada, New Zealand, and the US have observed a recent increase in malicious cyber activity against managed service providers (MSPs). Allied cybersecurity authorities expect state-sponsored cyber actors to increase their targeting of MSPs in an attempt to exploit provider-customer trust relationships. This advisory includes security guidance tailored for both MSPs and their customers.
AA22-131A Alert, Technical Details, and Mitigations
Technical Approaches to Uncovering and Remediating Malicious Activity
Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses
APTs Targeting IT Service Provider Customers
ACSC's Managed Service Providers: How to manage risk to customer networks
Global Targeting of Enterprise Managed Service Providers
Cyber Security Considerations for Consumers of Managed Services
How to Manage Your Security When Engaging a Managed Service Provider
Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers
Baseline Cyber Security Controls for Small and Medium Organizations
Actions to take when the cyber threat is heightened
Top 10 IT Security Action Items to Protect Internet Connected Networks and Information
CCCS's Alert: Malicious Cyber Activity Targeting Managed Service Providers
CISA Cybersecurity Alert: APT Activity Exploiting MSPs (2018)
CISA Cyber Essentials and CISA Cyber Resource Hub
Improving Cybersecurity of Managed Service Providers
Shields Up Technical Guidance
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Transcript
You're listening to the Cyber Wire Network, powered 11th, 2022.
The cybersecurity authorities of the UK, Australia, Canada, New Zealand and the US have observed a recent increase in malicious cyber activity against managed service providers, also called MSPs.
Allied cybersecurity authorities expect state-sponsored cyber actors to increase their targeting of MSPs in an attempt to exploit provider-customer trust relationships. This advisory includes security guidance tailored for both MSPs and their customers. MSPs and their customers should implement the baseline security measures and operational controls listed in this alert. MSP customers should immediately review their contractual agreements and specify that their MSP takes the necessary mitigation actions. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance.
In their effort to compromise MSPs, malicious cyber actors exploit vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques. MSPs and their customers should ensure they are mitigating these attack methods. Useful mitigation resources on initial compromise attack methods are listed in the alert documentation and the show notes.
It can be months before incidents are detected. All organizations should store their most important logs for at least six months. Whether through a security information and event management solution or discrete logging tools, organizations should maintain a segregated logging regime to detect threats to networks.
Organizations should secure remote access applications and enforce MFA where possible. Russian state-sponsored cyber actors have recently demonstrated the ability to exploit default MFA protocols and organizations should review configuration policies to protect against the vulnerable fail-open and re-enrollment scenarios.
Organizations should apply the principle of least privilege throughout their network environment and immediately update privileges upon changes in administrative roles. Use a tiering model for administrative accounts so that these accounts do not have unnecessary access or privileges.
The alert documentation listed in the show notes includes other immediate mitigation actions for MSPs and their customers.
Additional resources and documentation to support these efforts are also listed in the show notes.
All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or 888-282-0870, and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at 855-292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service.
Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations.
A link to this report can be found in the show notes. This has been a CISA Cybersecurity Alert.