CISA Alert AA22-131A – Protecting against cyber threats to managed service providers and their customers.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Three One Alpha.

​​Original release date: May Eleventh, twenty twenty two.

The cybersecurity authorities of the UK, Australia, Canada, New Zealand, and the US have observed a recent increase in malicious cyber activity against managed service providers, also called MSPs. Allied cybersecurity authorities expect state-sponsored cyber actors to increase their targeting of MSPs in an attempt to exploit provider-customer trust relationships. This advisory includes security guidance tailored for both MSPs and their customers. 

MSPs and their customers should implement the baseline security measures and operational controls listed in this alert. MSP customers should immediately review their contractual agreements and specify that their MSP takes the necessary mitigation actions. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance.

In their effort to compromise MSPs, malicious cyber actors exploit vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques. MSPs and their customers should ensure they are mitigating these attack methods. Useful mitigation resources on initial compromise attack methods are listed in the alert documentation and the show notes.

It can be months before incidents are detected. All organizations should store their most important logs for at least six months. Whether through a security information and event management solution or discrete logging tools, organizations should maintain a segregated logging regime to detect threats to networks.

Organizations should secure remote access applications and enforce MFA where possible. Russian state-sponsored cyber actors have recently demonstrated the ability to exploit default MFA protocols and organizations should review configuration policies to protect against the vulnerable “fail open” and re-enrollment scenarios.

Organizations should apply the principle of least privilege throughout their network environment and immediately update privileges upon changes in administrative roles. Use a tiering model for administrative accounts so that these accounts do not have unnecessary access or privileges.

The alert documentation listed in the show notes includes other immediate mitigation actions for MSPs and their customers. Additional resources and documentation to support these efforts are also listed in the show notes.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.