Malicious Cyber Activity Targeting Managed Service Providers

Number: AL17-004
Date: 04 April 2017

Purpose

The purpose of this alert is to bring attention to ongoing malicious cyber activity targeting managed service providers (MSP).

Assessment

CCIRC is aware of ongoing malicious cyber activity targeting managed service providers (MSPs) internationally. The level of sophistication associated with this activity requires a heightened level of awareness from organizations in order to detect possible compromises. A variety of organizations rely on MSPs to provide a wide range of infrastructure support to client organisations such as: security and specialized consulting, software, hardware and cloud hosting solutions.

Mitigating the risks associated with using service providers is a responsibility shared between the organization (referred to as the “tenant”) and the MSP or CSP. However, organizations are ultimately responsible for protecting their systems and ensuring the confidentiality, integrity and availability of their data. Organizations that outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model they use to manage clients’ services.

The actors behind this activity are leveraging MSPs as conduits in attempts to acquire sensitive client information. This is facilitated by the necessarily close relationship between MSPs’ networks and those of their clients. This makes MSPs an attractive target for malicious actors, as the compromise of one MSP network could offer access to multiple client networks. Ultimately, the client, which could be in the public or private sector, is the likely target of the compromise attempts.

Given the apparent sophistication of the cyber activity and the potential extent of the compromise, it is possible that this activity has given the malicious actor access to companies around the world in a variety of critical infrastructure sectors. No evidence suggests the general public or small to medium enterprises are being targeted. CCIRC is currently working with international partners and the private sector to establish the scale and determine any impact on Canadian organizations. Reporting of any suspected activity to CCIRC will greatly help in understanding the nature and scope of this activity.

Suggested Action

CCIRC recommends that organizations review the following mitigation information and consider their implementation in the context of their network environment.

References:

CCIRC – Information Note IN17-003 – Cyber Security Best Practices: Contracting with Managed Service Providers
https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2017/in17-003-en.aspx

International Partners
https://acsc.gov.au/global-targeting-enterprises-managed-service-providers.html

https://www.ncsc.gov.uk/news/advice-managing-enterprise-security-published-after-major-cyber-campaign-detected

Get CyberSafe Guide for Small and Medium Businesses:
https://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-en.aspx%20-%20s6-2

Using Passwords:
https://www.getcybersafe.gc.ca/cnt/prtct-yrslf/prtctn-dntty/usng-psswrds-en.aspx

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca

Date modified: