My MSP/IT Provider Was Compromised, Now I am Too

Many organizations choose to hire Managed Service Providers (MSPs) to provision, secure, back up, and manage their servers, desktops, network devices, and other IT infrastructure. Leveraging an MSP usually offers cost savings, but what happens when the MSP itself is the victim of a cyberattack?

To supply these services, the provider must often hold privileged accounts on, and install software onto, your systems. Most MSPs rely on management systems that allow automation and easy access for their staff, which improves their profit margin. When these systems are breached, the attackers typically gain direct, elevated access to the MSP's own systems, and that access in turn extends to systems across many of the MSP's customers.

Recently, vulnerabilities in remote support tools used by many MSPs, like ConnectWise Control or ScreenConnect, have been exploited. When these systems are not properly maintained or hardened, they pose a risk to both the MSP and its clients. Once an MSP is breached, its clients are breached. We have seen threat actors deploying payloads, such as “Sodinokibi”, through vulnerable ConnectWise Control and ScreenConnect servers using PowerShell scripts. 

Figure: Redacted Sodinokibi text file found on compromised systems.

We have seen on multiple occasions that this vector of compromise bypasses most of the common endpoint protection suites used by MSPs.
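Because the payload arrives as PowerShell launched by the remote-support agent itself, a useful detection is to watch process-creation telemetry for that parent/child pairing rather than relying on file-based endpoint protection. The following hunt is an added example, not code from the original post or from Layer0; the ScreenConnect client process names, the simplified key=value log format and the sample events are all assumptions constructed for the illustration.

```python
"""Hunt process-creation events for PowerShell (or another script host)
spawned by a remote-support agent such as ScreenConnect / ConnectWise Control."""
import re
from typing import Dict, List, Optional

# Parent process names treated as the remote-support agent (assumed names).
REMOTE_SUPPORT_PARENTS = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
OTHER_SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits that raise the severity of a PowerShell launch.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)
# Simplified, constructed log format: ts=... image=... parent=... cmd="..."
LINE_RE = re.compile(r'^ts=(\S+) image=(.+?) parent=(.+?) cmd="(.*)"$')

# Constructed sample events (not real telemetry); install id "abc123" is made up.
SAMPLE_LOG = """\
ts=2019-12-03T01:12:44Z image=C:\\Windows\\explorer.exe parent=C:\\Windows\\System32\\userinit.exe cmd="explorer.exe"
ts=2019-12-03T01:13:02Z image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe cmd="powershell.exe -nop -w hidden -enc SQBFAFgA..."
ts=2019-12-03T01:15:20Z image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Windows\\explorer.exe cmd="powershell.exe -File C:\\scripts\\backup.ps1"
ts=2019-12-03T01:16:05Z image=C:\\Windows\\System32\\cmd.exe parent=C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe cmd="cmd.exe /c whoami"
"""

def parse_event(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, image, parent, cmd = m.groups()
    return {"ts": ts, "image": image, "parent": parent, "cmd": cmd}

def basename(path: str) -> str:
    # Last path component, lower-cased, so paths with spaces compare cleanly.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> Optional[str]:
    # Only children of the remote-support agent are of interest here.
    if basename(event["parent"]) not in REMOTE_SUPPORT_PARENTS:
        return None
    child = basename(event["image"])
    if child in PS_HOSTS:
        return "high" if SUSPICIOUS_ARGS.search(event["cmd"]) else "medium"
    return "medium" if child in OTHER_SHELLS else None

def hunt(log_text: str) -> List[Dict[str, str]]:
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return [{**e, "severity": classify(e)} for e in events if classify(e)]
```

Running `hunt(SAMPLE_LOG)` flags the encoded, hidden-window PowerShell launch as high severity and the cmd.exe child as medium, while the administrator's scheduled PowerShell script under explorer.exe is left alone.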

What should MSP clients do if they are attacked? 

  1. Contact your Cyber Insurance Company. 
  2. Alert the MSP, noting the date and time of the contact and the MSP representative.  
  3. Take screenshots/pictures of the ransomware notice. 
  4. Document all events and communications. 
  5. Request images/backups of all affected systems before restoration efforts begin. 
  6. Determine which systems and data assets were affected. 
  7. Be prepared to alert proper regulatory authorities. For example, in Canada, you may be required to inform the Office of the Privacy Commissioner.  
  8. Consult with a skilled security company to confirm the proper remediation steps were taken.  

What can you do to prevent this from happening?  

  1. Ask your provider to provide results of security audits by third-party security companies for the MSP management tools. 
  2. Request evidence from your provider indicating that your systems are not vulnerable to known attacks. 
  3. When you transfer from one MSP to another, request documentation indicating the original MSP management software was removed completely. 

If you have any questions or need another opinion, call Layer0 Security at 1-844-752-9370 or email help@layer0.ca. 


Layer0 Security