Threat Watch

MSPs Being Targeted, Warns US Secret Service

On June 12th, 2020, the US Secret Service sent out an alert warning US private-sector and government organizations that Managed Service Providers (MSPs) are being hacked at an increased rate. Many of these attacks abuse the MSP's server component to gain full control of the software clients it manages. The majority of MSP compromises were used to carry out Business Email Compromise (BEC) scams, ransomware attacks, and attacks against Point-of-Sale (POS) systems. MSPs have become a popular target in recent attacks carried out by the notorious ransomware operators GandCrab and REvil, who then used the MSP's access to go after its clients. While no numbers can be confirmed, Kyle Hanslovan believes the number of MSP hacks in 2019 could be "well over 100." This is the second alert warning of attacks against MSPs issued in the past two years: the National Cybersecurity and Communications Integration Center (NCCIC) sent an alert in 2018 warning of state-sponsored actors attacking MSPs, especially those that offer cloud-based services.


ZDNet was able to acquire a copy of the alert sent out by the Secret Service which included best practices for MSPs, those include:

• Have a well-defined service level agreement
• Ensure remote administration tools are patched and up to date
• Enforce least privilege for access to resources
• Have well-defined security controls that comply with end-user regulatory compliance
• Perform annual data audits
• Consider local, state, and federal data compliance standards
• Proactively conduct cyber training and education programs for employees

The best practices for MSP customers are as follows:

• Audit Service Level Agreements
• Audit remote administration tools being utilized in your environment
• Enforce two-factor authentication for all remote logins
• Restrict administrative access during remote logins
• Enforce least privilege for access to resources
• Utilize a secure network and system infrastructure, capable of meeting current security requirements
• Proactively conduct cyber training and education programs for employees

Proactive monitoring of workstations and servers on both the MSP's and the clients' systems is the best way to detect these attacks and prevent serious damage. A Security Operations Center (SOC) operating 24 hours a day can respond quickly to mitigate threats, as long as its security analysts have visibility into events on the network and endpoints.