It’s a new world when a single attack can affect hundreds of thousands of businesses. Software, services, and core components of your business have been progressively migrating to the cloud: the Managed Service Provider. Have we become complacent by thinking they’re too big to be compromised?
Robbie Ferguson takes us on a tour of the past few months with some real world examples of MSP services that were hit recently, and how the businesses who tap into their services were impacted.
Through this short episode, we’ll help you to be prepared for the potential risk of placing your company and client data in the hands of an MSP.
Transcript
In October 2019, it was revealed that the official Sesame Street online store had been compromised using a piece of malicious JavaScript code. This man-in-the-middle attack was able to steal every credit card number entered into the site’s ordering system.
Of course, the payment cards were verified by the payment processor as the legitimate transactions took place, so the hackers involved could easily vet which cards were good, and which should be discarded. Their resulting list, no doubt in whole or in part, could then be sold on the Dark Web, and the cardholders would be none the wiser until the bills start coming in.
But perhaps you don’t shop on the Sesame Street store. So you’re safe, right?
Marcel Afrahim, a researcher at security firm Check Point, discovered the malicious code, and made a frightful observation: the Sesame Street store utilizes services from a Managed Service Provider (MSP) to run their web-based store. In this case, the MSP offering the services is Volusion, an e-commerce solution provider boasting over 30,000 active merchants using their service, and $28 billion in sales across more than 185 million orders.
Remember, the compromised ordering system, while discovered on the Sesame Street store, was also in place for those 30,000 other merchant sites utilizing Volusion’s services.
Upon learning of the compromise, Volusion was swift to act and had the issue resolved within a day, but the damage is done for those whose credit card information has been stolen.
In an unrelated attack the same month, around 2,500 law firms were impacted when their case management software provider, TrialWorks, was hit by a ransomware attack. This locked lawyers out of their case files for nearly a week. Just think about how that would impact your business.
In yet another story, a Prairieville pediatrics practice came under lock-down when their IT company was targeted by a ransomware attack. The malicious party was able to infiltrate the clinic’s computers by way of the IT firm.
Then in September, the parent portal for all of Alabama’s Mobile County Public Schools was inaccessible when the school board’s external website provider was compromised by a ransomware attack.
At the end of July, insurance providers could not process claims for workers’ comp, auto, health, or disability when CorVel, a managed service provider for insurance companies, was hit by ransomware.
Back in June, more than 20,000 real estate brokers and agents were unable to gain access to listings when MetroList, the largest real estate MLS provider in Northern California, came under attack.
The month before that, First American Financial Corp., a title insurance provider, announced that 885 million mortgage documents dating back to 2003 had been exposed by a data breach which potentially exposed bank accounts and statements, mortgage and tax records, Social Security numbers, and wire transaction receipts.
I could go on and on, and those real life examples are just a few I’ve picked from the past few months.
I’m telling you about all these attacks for a simple reason: while there’s no direct connection between any of these attacks, one thing links them all: in each case, thousands of individual companies were impacted not by being compromised themselves, but by their service provider being compromised. Like Sesame Street: it wasn’t simply the Sesame Street web site stealing credit card information. Oh, no: it was 30,000 independent e-commerce web sites, all linked by their MSP who fell victim to the attack. All these companies have that one thing in common: They’re tapping into MSP services for core components of their business.
MSPs have become a very appealing target for attackers, and perhaps we’ve become complacent, thinking that because they’re big, they won’t fall victim. If there’s anything these examples show, it’s that these centralized services not only do fall victim, but in fact can be lucrative targets for an attacker, which makes them all the more appealing.
The answer is not to stop using MSPs–that’s not practical. But we simply need to wake up to the fact that the MSP is in the crosshairs of attackers, and if all our data is in the MSP datacenter, we are at risk by proxy. Our customers are at risk. Our business is at risk. While many such attacks are ransomware since that tends to turn a quick pay day for the hacker, data theft is also prevalent. So while having and maintaining regular local backups is a must to protect your company against ransomware, it does nothing toward data theft. We must also be diligent in ensuring the companies we do business with are reputable, and that they themselves have systems and procedures in place to prevent data loss, and data theft.
There’s no “magic formula,” but you should be able to open a conversation with your service providers and get answers about how they protect your data and ensure the safety of your customer information. Also, employ local protection, including a bi-directional firewall like that included with ESET Endpoint Protection Advanced. That can help prevent the spread of ransomware within your network. Also be sure you have common entry-points such as remote desktop disabled on all your systems. It goes without saying, but I’ll say it anyways: Backup, backup, backup. The challenge I pose to my customers is this: if everything crashed tomorrow, or if your MSP went belly-up, where are your files? Where are your backups? And how long would it take you to recover? Don’t be ashamed if you don’t know: you’re not alone. But take action and realize that when disaster occurs, the companies that survive are the ones who are prepared.
You already know that having all your data on a single hard drive is just asking for trouble. So now it’s time to equate that to the MSP–the “cloud”–and put systems into place to protect your data, ensure redundancy that can’t be touched by an active ransomware threat, and do everything in your power to preemptively understand and reduce the time involved in recovering should an attack take place.
If you have questions, my team and I are at the ready to help. Visit EndpointSecurity.ca for more information about our products, or give me a call. We’ll figure out together how we can help you to be prepared.
Sources
“Cookie monster eats data from Sesame Street store” BBC News
https://www.bbc.com/news/technology-49986737
“The count of managed service providers getting hit with ransomware mounts” Ars Technica
https://arstechnica.com/information-technology/2019/10/the-count-of-managed-service-providers-getting-hit-with-ransomware-mounts/
“Company” Volusion
https://www.volusion.com/v1/company
“Ransomware Attack Reportedly Hits Practice Management Company, Locking Lawyers Out of their Case Files” LawSites
https://www.lawsitesblog.com/2019/10/ransomware-attack-reportedly-hits-practice-management-company-locking-lawyers-out-of-their-case-files.html
“Prairieville pediatrics clinic working with FBI, notifying patients after computer attack” The Advocate
https://www.theadvocate.com/baton_rouge/news/communities/ascension/article_b6194b7a-eba2-11e9-a388-5b6eedc7c596.html
“MCPSS website is back up after ransomware hack” WKRG News 5
https://www.wkrg.com/news/mcpss-website-hacked-by-virus/
“Calif. MLS Giant Temporarily Shuts Down After Malware Attack” REALTOR Magazine
https://magazine.realtor/daily-news/2019/06/13/calif-mls-giant-temporarily-shuts-down-after-malware-attack
“885M Mortgage, Title Docs Exposed in Data Breach” REALTOR Magazine
https://magazine.realtor/daily-news/2019/05/28/885m-mortgage-title-docs-exposed-in-data-breach
“CorVel’s problem may be ransomware” Joe Paduda
https://www.joepaduda.com/2019/07/26/corvels-problem-may-be-ransomware/

Robbie Ferguson is the host of the Endpoint Security Podcast at Positive E Solutions Inc. His day-to-day includes providing security-related advice and training to companies and individuals across Canada, and offering solutions to protect against modern threats in the workplace.