SolarWinds Hackers’ New Attack Is ‘Another Wake-Up Call’ For Microsoft Partners
“I wouldn’t want to be an MSP who is just starting to think about cybersecurity now as they might not exist in another year,” says US itek President David Stinner. “This is yet another wake-up call for MSPs that you need to get out of the chair in your office and convince your customers to buy the protection they need.”
The latest attack by the SolarWinds hackers on 140 Microsoft IT resellers and service providers, with as many as 14 successfully breached, is yet another wake-up call for the beleaguered Microsoft partner community, said partners.
“I wouldn’t want to be an MSP who is just starting to think about cybersecurity now as they might not exist in another year,” said David Stinner, president of US itek, a Buffalo, N.Y.-based MSP that has invested heavily in a multi-layered security stack for its customers over the last several years. “This is yet another wake-up call for MSPs that you need to get out of the chair in your office and convince your customers to buy the protection they need.”
Stinner and other MSPs said they were not surprised by the latest attack from the Russian foreign intelligence service (SVR). The campaign aims to piggyback on any direct access resellers have to their customers’ IT systems and to impersonate those resellers to gain access to their downstream customers, Tom Burt, Microsoft’s corporate vice president of customer security and trust, said in a blog post.
The U.S. government blamed the SVR in April for the colossal SolarWinds attack, which compromised nine federal agencies as well as more than 100 private sector organizations. Microsoft said the latest campaign is focused on resellers that customize, deploy and manage cloud services and other technologies on behalf of their customers.
“This continues to prove that SMBs need to find a security minded vendor for managed services and cybersecurity who makes every decision through the lens of cybersecurity,” said Stinner. “Microsoft builds the systems we all use. They are the biggest attack vector. This is not going to stop. That is why you need layer upon layer of security to protect data in the new world that we live in.”
US itek relies on a full suite of security software including ThreatLocker which provides whitelisting and application ringfencing to protect customers. “Whitelisting with ThreatLocker has been one of the best decisions we have ever made to protect our customers against threats like this,” he said.
Stinner said he expects the current rash of attacks against Microsoft partners to get “worse before it gets better,” given the relentless pace of attacks from sophisticated bad actors such as the Russian foreign intelligence service. He credited Microsoft with improving security in Windows 11, which was released October 5.
In fact, Windows 11, besides requiring a TPM 2.0 security chip, is only compatible with CPUs released in the past four years. That ensures that PCs running Windows 11 have hardware protections against the Intel Spectre and Meltdown vulnerabilities, which first came to light three years ago.
“Once we flush out all the Windows 10 computers it will be a much safer environment for the Microsoft ecosystem,” said Stinner. “This is a matter of closing security loopholes. If you know the loophole exists you have to be more draconian. What Microsoft is doing is preventing Windows 11 from running on known compromised hardware. I firmly believe it will get worse before it gets better. But in the long run I think we will come out the other side.”
Stinner said he sees the SolarWinds breach as yet another opportunity to walk his customers and prospective customers through all of the security measures that US itek brings to them. “This is a chance for us to tell our customers all the things we are doing to protect them because we know our competitors are not as cybersecurity minded as much as we are,” he said. “We never let our guard down. If it is the fourth quarter and we are up by three touchdowns we play the game hard. We don’t put in our second string.”
Many small businesses simply refuse to invest in cybersecurity software until they see one of their colleagues hit by ransomware, said Stinner. Just last week, a US itek customer who had not invested in the full security stack changed their security posture after a colleague’s business was hit by a costly ransomware attack.
“The customer asked me if they were protected as well as they should be,” said Stinner. “I told them that they needed some added tools they have declined in the past. Many business owners do not respond until they see their friends get hit.”
Microsoft, for its part, is continuing “to assess and identify new opportunities to drive greater security throughout the partner ecosystem,” said Burt in his blog post.
Among the steps Microsoft is taking, Burt said, are piloting “new and more granular features for organizations that want to provide privileged access to resellers” and “piloting improved monitoring to empower partners and customers to manage and audit their delegated privileged accounts.”
Furthermore, Burt said, Microsoft is “auditing unused privileged accounts and working with partners to assess and remove unnecessary privilege and access.”
Finally, Burt said, Microsoft will “make it easier for service providers of all sizes to access our most advanced services for managing secure log-in, identity and access management solutions for free or at a low cost.”
Zachary Kinder, vice president at Net-Tech Consulting, an El Paso, Texas-based MSP that has also invested heavily in a cybersecurity stack for customers, said he was not shocked by the latest attack from the SolarWinds hackers.
“I am kind of numb to this kind of cybersecurity breach,” he said. “We have to be more on guard against attacks like this than ever before. We also need to operate on the basis of least privilege access to these systems, only providing access to customer systems when it is absolutely necessary.”
Microsoft’s Burt said the SVR, also known as Nobelium, Cozy Bear and APT 29, is leveraging well-known techniques like password spray and phishing to steal legitimate credentials and gain privileged access to resellers. The attacks on resellers have been part of a larger wave of SVR activity this summer; Microsoft has notified 609 customers since July 1 that they were attacked 22,868 times by the SVR, with a success rate in the low single digits.
Kinder said Microsoft needs to “step up” its game to keep breaches to a minimum. “You are always going to have breaches but clearly Microsoft has the biggest target on its back,” he said. “The biggest thing we can do to help our customers is practice what we preach, making sure that we follow the security principles that are the rock solid foundation of our company. We are constantly on guard to protect our customers.”
Kinder said he and his team are currently investigating the latest attack from the SolarWinds hackers, but stressed that the ThreatLocker software his company employs with application ringfencing stopped the previous SolarWinds attack from hitting Net-Tech Consulting or its customers.
“This makes us feel good about the investment we have made in whitelisting and application ringfencing with ThreatLocker,” he said. “I have peace of mind when I see something like this because I know that Net-Tech and its customers are protected. I feel like the damage from these supply chain attacks can be minimized or completely eliminated with whitelisting and ringfencing.”
Danny Jenkins, the co-founder and CEO of ThreatLocker, which is adding some 60,000 new seats a week to its whitelisting and application ringfencing platform, said he was not surprised by the latest attack on Microsoft partners.
“Every weekend we literally see at least two to ten API keys or other RMM tools being used to try to push out ransomware,” he said. “We are seeing a big increase in attacks on MSPs.”
In one case, an attacker registered a lookalike of an MSP’s domain, switching out the letter “l” for a capital “I”. The attacker then set up an SPF (Sender Policy Framework) record for the fake domain so that its email would pass sender checks. “The attackers pretended to be the MSP, reached out to customers who were fooled by the sophisticated attack,” he said. “They thought it came from the MSP and then engaged in a conversation with the attackers. We see these kind of attempted breaches every day.”
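The lookalike-domain trick Jenkins describes can be caught on the receiving side by comparing sender domains against a trusted domain after collapsing confusable characters. The following is an added example, not code from the article or from ThreatLocker; the trusted domain, the confusable table and the sample From: headers are all constructed for illustration.

```python
import re
from typing import List

# Constructed placeholder for the MSP's real domain (not a real company).
TRUSTED_DOMAIN = "examplemsp.com"

# Single characters that read alike in common fonts, mapped to one canonical
# form. Domains are lowercased first, so a capital "I" arrives here as "i".
CONFUSABLES = {"i": "l", "1": "l", "|": "l", "0": "o"}

def skeleton(domain: str) -> str:
    """Collapse a domain so that confusable spellings compare equal."""
    d = domain.lower().strip().rstrip(".")
    d = d.replace("rn", "m")  # two-character lookalike for "m"
    return "".join(CONFUSABLES.get(ch, ch) for ch in d)

def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when domain differs from the trusted domain but has the same skeleton."""
    d = domain.lower().strip().rstrip(".")
    return d != trusted.lower() and skeleton(d) == skeleton(trusted)

# Matches "From: Display Name <user@domain>" and captures the domain.
FROM_RE = re.compile(r"^From:.*?<[^@>]+@([^>]+)>", re.I)

def flag_lookalike_senders(headers: List[str],
                           trusted: str = TRUSTED_DOMAIN) -> List[str]:
    """Return sender domains from From: headers that impersonate the trusted domain."""
    hits = []
    for line in headers:
        m = FROM_RE.match(line)
        if m and is_lookalike(m.group(1), trusted):
            hits.append(m.group(1).lower())
    return hits

# Constructed sample headers. The second swaps the "l" in the MSP's domain
# for a capital "I", the case described above; the third uses "rn" for "m".
SAMPLE_HEADERS = [
    "From: Help Desk <support@examplemsp.com>",
    "From: Help Desk <support@exampIemsp.com>",
    "From: Billing <ar@exarnplemsp.com>",
    "From: Vendor <news@unrelated.example>",
]

if __name__ == "__main__":
    print(flag_lookalike_senders(SAMPLE_HEADERS))
```

A skeleton match is a signal for quarantine or review, not proof of impersonation, since an unrelated domain can collide by chance.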
Jenkins said MSPs need to put “tangible controls” in place to prevent such breaches: practical controls like dual-factor authentication, whitelisting, application ringfencing, firewalls, network access controls and password lockout controls. “You can’t just close your eyes and hope that anti-virus or email filters are going to stop these attacks,” he said. “We need to put basic controls in place. That is where we are going to be successful stopping the attackers.”
Another simple step MSPs can take to prevent breaches, said Jenkins, is to not provide internet access to their servers. “Every MSP server I have ever seen in my life has full outbound access to the internet by default,” he said. “That does not cost you anything to put that control in place. Most corporations as a standard practice do not allow their servers to connect to the internet.”
MSPs also need to operate on a “least privilege” access basis to prevent hackers from gaining access to a customer’s systems by stealing MSP credentials. “I don’t have access to all our servers,” he said. “Our CTO does not have access to all our servers. We only have access to what programs, files and networks we need. We need to limit access to only what people need.”
The ultimate resolution to the barrage of attacks is to take protective measures that make it an unviable business model for the hackers, said Jenkins. “This is something we can do something about,” he said. “In 2005, spam was a big issue for customers. It has not gone away completely but it is not as big an issue anymore because we made it harder for the spammers to earn a living that way.”