It wasn’t long ago that one of the world’s largest cyber espionage organizations, ‘Advanced Persistent Threat Group 10’ (APT10), launched a campaign called ‘Operation Cloud Hopper’ that specifically targeted managed IT service providers (MSPs) in order to gain access to their clients’ networks.
Why we shouldn't forget about APT10
In April 2017, PricewaterhouseCoopers UK (PwC UK) and BAE Systems exposed APT10 in an initial research report after observing the group for several years. ‘Operation Cloud Hopper’ successfully deployed sophisticated cyber attacks against MSPs and their clients, giving the attackers unprecedented access to intellectual property and sensitive data. See the full PwC report referenced in this article.
Known under multiple aliases, including Red Apollo, CVNX, StonePanda, and MenuPass Team, APT10 refocused its targeting on MSPs after discovering that compromising MSPs’ networks was an efficient method of information collection. The data of interest was exfiltrated back through the compromised MSP networks, leaving a trail that is hard to follow or trace.
Several countries were targeted worldwide
APT10 directly targeted government organizations and universities in Japan while simultaneously targeting MSP businesses in Canada, the US, Australia, Europe, South America, and Asia. Given the scale of the campaigns, the activity identified is likely to reflect only a small portion of the threat actor’s total operations. Intrusion activity followed a working pattern aligned with China Standard Time (UTC+8), leading to the assessment that APT10 is likely a China-based threat actor.
Multiple MSP businesses were targeted from 2016 onwards, and it is likely that APT10 had already begun doing so as early as 2014. APT10 and its predecessors have been observed by the threat intelligence organization FireEye since 2009. FireEye identified APT10’s primary targets as the US Defense Industrial Base (DIB) and businesses in the construction, engineering, technology, and telecom sectors. Only recently have MSPs become a focus for such threat groups.
Why MSPs are a high-payoff target for espionage
It is hard to overlook the attractiveness of an MSP, its network, and the vast array of services it may provide. Because MSPs operate with a high level of control over their clients’ environments, once the MSP is compromised the actor’s path is straightforward: the open gateway lets them move on to other networks and their endpoints, leaving MSPs and their clients vulnerable to the theft of far greater amounts of intellectual property and sensitive data.
Attractive features for hackers: does your MSP offer the following?
- Remote management of customer IT and end-user systems
- Unfettered and direct access to their clients’ networks
- Stores significant quantities of client data on the MSP’s internal infrastructure
- Provides enterprise services or cloud hosting
- Direct supply-chain access
Two main exploits hackers use against MSPs
1) Phishing
This may sound like old news to you, but the fact of the matter is that hackers use phishing because it succeeds. Two variations of phishing exist: phishing and spear phishing.
- Phishing is a generalized exploit delivered by email, in which the threat actor masquerades as a trustworthy organization to broadly target a mass group of victims.
- Spear phishing, the exploit APT10 utilized, is specifically targeted and personalized to the victim. In spear phishing scenarios, it is common for the threat actor to research the victim to find areas that can be successfully exploited.
Approximately 91% of attacks involve phishing that embeds or attaches malicious versions of common file types: Adobe PDF, Microsoft Word, or Excel. Once the victim clicks the attachment or link, a zip file containing the payload (the malware) is automatically downloaded from the hacker’s servers.
2) Stolen Credentials
Another common weakness that many MSPs may overlook is how credentials are created, rotated, and stored. Once a threat actor cracks the credentials to an MSP’s network, you might as well call it game over. Hackers such as APT10 search for systems that share credentials across the client and MSP networks. They use these shared credentials to gain access to new areas of the network, and many stolen MSP credentials provide administrator or domain administrator privileges. This allows for network hopping.
How hackers steal your intellectual property:
- Use legitimate MSP credentials on MSP management systems to bridge the MSP and its clients
- Use Remote Desktop Protocol (RDP) to remotely access systems in both the MSP and its clients
- Use open-source command-line tools, including a ‘t.vbs’ script, to compress and “push” files
- Use PSCP or Robocopy to “pull” back or transfer data across compromised systems
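As an added defender-side example (not code from the original post or the PwC report), the script below runs over constructed Windows logon events and flags accounts whose RDP logons span the MSP’s own domain and more than one client domain, the credential-sharing and network-hopping pattern the list above describes. The key=value log format, host names and account names are assumptions.

```python
"""Flag accounts whose RDP logons span more than one domain (MSP and clients).

Added example, not code from the original post. The log format below is
constructed for illustration; map the field names onto your own SIEM export.
"""
from collections import defaultdict

# Constructed sample of Windows logon events (4624) as key=value lines.
# logon_type 10 = RemoteInteractive (RDP), 3 = network, 2 = local console.
SAMPLE_LOG = """\
ts=2017-03-12T01:05:11Z host=mspmgmt01 domain=MSPCORP user=svc_backup logon_type=10 src=10.9.0.15
ts=2017-03-12T01:22:40Z host=cla-fs01 domain=CLIENTA user=svc_backup logon_type=10 src=10.9.0.15
ts=2017-03-12T02:03:07Z host=clb-dc01 domain=CLIENTB user=svc_backup logon_type=10 src=10.9.0.15
ts=2017-03-12T09:14:55Z host=cla-ws22 domain=CLIENTA user=jsmith logon_type=2 src=-
ts=2017-03-12T09:20:03Z host=clb-fs02 domain=CLIENTB user=jsmith logon_type=3 src=10.8.1.4
ts=2017-03-12T10:41:19Z host=mspmgmt01 domain=MSPCORP user=helpdesk logon_type=10 src=10.9.0.40
"""

RDP_LOGON_TYPE = "10"

def parse_events(text):
    """Turn key=value lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if {"user", "domain", "logon_type"}.issubset(fields):
            events.append(fields)
    return events

def find_hopping_accounts(events, min_domains=2, rdp_only=True):
    """Return {user: sorted domains} for users seen in >= min_domains domains.
    With rdp_only=True only RemoteInteractive (type 10) logons count; network
    logons (type 3) from file shares are mostly noise for this detection."""
    seen = defaultdict(set)
    for ev in events:
        if rdp_only and ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        seen[ev["user"].lower()].add(ev["domain"].upper())
    return {u: sorted(d) for u, d in seen.items() if len(d) >= min_domains}

if __name__ == "__main__":
    for user, domains in find_hopping_accounts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {user} reached {len(domains)} domains over RDP: {domains}")
```

In the sample, the shared service account hits the MSP domain and both client domains over RDP and is reported, while the client user who only touches file shares is not.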
Top 3 security recommendations for MSPs
After investigating how hackers such as APT10 successfully exfiltrated sensitive data from a multitude of MSPs and their clients worldwide, three key lessons emerged that MSPs can act on today.
1) Credential Management
Avoid sharing credentials among users or networks. Create and rotate unique passwords that follow a SOC 2 compliance approach: a complex 16-character password using upper- and lower-case letters, symbols, and numbers.
2) Multi-Factor Authentication
Layer your approach to security by using multi-factor authentication (MFA), a must-have for MSPs today. MFA adds a step to the computer login: the user is granted access only after presenting two or more factors. Typically, MFA combines the computer password with a code generated by a smartphone app or the like.
3) Test for Exploit Vulnerabilities
Show your SMBs they don’t have to worry. Conduct internal phishing simulations, run dark web scans, and train them on essential security measures.
Karla Poznikoff, Digital Marketing Manager