Operation Cloud Hopper-A wake-up call for MSPs and IT service providers

Operation “Cloud Hopper” or Advanced Persistent Threat (APT) group 10 is focusing on compromising managed service providers (MSPs) to gain access to their customers’ systems. This is a stark reminder of how dangerous the internet landscape is for both end-users and IT providers.

It should come as no surprise that MSPs and IT providers make for excellent targets for cybercriminals—the compromise of a single MSP can give access to multiple networks. This is something we have been publicly talking about for upwards of two years.

You can read the full PwC/BAE Systems report here (PDF warning)

The Executive Summary states:

“Operation Cloud Hopper, has targeted managed IT service providers (MSPs), allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally.

“APT10 has recently unleashed a sustained campaign against MSPs. The compromise of MSP networks has provided broad and unprecedented access to MSP customer networks.

• Multiple MSPs were almost certainly being targeted from 2016 onwards, and it is likely that APT10 had already begun to do so from as early as 2014.
• MSP infrastructure has been used as part of a complex web of exfiltration routes spanning multiple victim networks.”

In some sense, it’s almost flattering the MSP community has its own cyber protagonist; and for those MSPs and IT Providers obsessing about ransomware infections, the revelation of a justifiable some-what-scary APT group makes everyone concerned. However, here are some key items to take away from this and help ensure you’re on your guard:

1. First Things FirstFor all its sophistication, APT10 starts its attacks with a Phishing email, just like almost every common ransomware attack. If you are filtering email for your customers and for your own MSP organization, this is a great first-line of defense.
2. Lock down your MSP systems This means controlling administrative privileges (for your customers too), using application and IP whitelisting, implementing Two-Factor Authentication (2FA), GPOs, and other security measures to control where and how applications can be installed.
3. Scan your MSP administrative end-points for malware and use web protection (for your customers too)APT10 will try and compromise an MSP end-point with a Trojan to get credentials to use against your customers, don’t make it easy for them.
4. Assess each of your customer’s risks and respond with user security training, SIEM technology, and/or additional security layersAPT10 is primarily interested in conducting espionage activities and exfiltration of data.
5. As an additional precaution, if you are a SolarWinds RMM customer, please pay attention to the RMM LOGICcardsThis is especially key for those relating to indications of compromise, typo squatting, and account tampering. Our data science team has invested a great deal of time and effort in warning against session hijack, password re-use, and account brute-force attacks to let you know if there may be a problem. So, if you receive a warning that something strange has been detected, it’s time to investigate.

I urge everyone to read the APT10 report. It is an excellent way for MSPs to examine their own security and open a discussion with customers on increasing the security for organizations at risk.

Ian Thornton-Trump, CSA+, CD, CEH, CNDA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.

You can follow Ian on Twitter® at @phat_hobbit.