Breaking News: Advanced Persistent Threat Activity Exploiting MSPs

On Wednesday, October 3, the U.S. Department of Homeland Security (DHS) issued a warning to managed services providers (MSPs) and cloud services providers (CSPs) that hackers are exploiting MSP and CSP systems to reach end-client networks.

This alert from the DHS confirms that small businesses, and their managed service providers, are the new attack vector for cybercriminals, and the risks are severe. In this post, we’ll explain the threat MSPs and their clients are facing, and provide our advice to help mitigate these threats.

What’s the Threat Activity and How Did It Unfold? 

Hackers are attacking MSPs, MSSPs, and CSPs as the weak link in a supply chain to get to their customers, exploiting the trusted relationship between provider and customer. The attacks use compromised legitimate MSP credentials (e.g., administrative, domain, and user accounts) together with malware implanted on systems owned by the MSP; these give the attacker remote access, from which the advanced persistent threat (APT) actors move laterally between the MSP and the networks it shares with its customers. It’s this lateral movement between networks that lets APT actors easily evade detection measures and maintain a presence on the victims’ networks. The attacker could then launch attacks on the end-customer using the MSP’s systems, so all the activity would appear to come from the MSP.

According to the alert, which analyzed a phishing attack on MSPs, there are three key details that service providers should be aware of:

  1. The attack capitalized on stolen credentials, making multi-factor authentication critical to securing end-clients.
  2. Signature-based malware detection is not enough to protect against the initial infection.
  3. Once the attackers were inside the service provider network, they used common admin tools to move laterally to end-customer networks. This highlights the need for layering additional security onto Remote Desktop Protocol (RDP), such as strong authentication for remote connections, and heightens the need for more tightly controlled remote management tools.

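As an added detection example (not part of the DHS alert and not Continuum’s code), the following Python flags the pattern described above on constructed logon records: one MSP credential used for RDP logons into several distinct customer networks within a short window, and any RDP logon that did not pass multi-factor authentication. The record layout, the "tenant" field (assumed to come from the MSP’s asset inventory) and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Windows event 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample records, not real data. Assumed layout: remote logons
# normalised from Windows 4624 events, where "tenant" names the customer network
# that owns the target host and "mfa" records whether the session passed MFA.
SAMPLE_LOGONS = [
    {"ts": "2018-10-03T09:02:11", "account": "msp\\svc-rmm", "dst": "dc1.alpha.example", "tenant": "alpha", "logon_type": 10, "mfa": True},
    {"ts": "2018-10-03T09:15:40", "account": "msp\\svc-rmm", "dst": "fs1.beta.example", "tenant": "beta", "logon_type": 10, "mfa": True},
    {"ts": "2018-10-03T09:31:05", "account": "msp\\svc-rmm", "dst": "app1.gamma.example", "tenant": "gamma", "logon_type": 10, "mfa": False},
    {"ts": "2018-10-03T14:10:00", "account": "msp\\jdoe", "dst": "dc1.alpha.example", "tenant": "alpha", "logon_type": 10, "mfa": True},
    {"ts": "2018-10-03T16:45:00", "account": "msp\\jdoe", "dst": "fs1.beta.example", "tenant": "beta", "logon_type": 10, "mfa": True},
    {"ts": "2018-10-03T16:50:00", "account": "msp\\jdoe", "dst": "fs1.beta.example", "tenant": "beta", "logon_type": 3, "mfa": False},
]


def detect(logons, window=timedelta(hours=1), min_tenants=3):
    """Return (rule, account, detail) alerts for the lateral-movement pattern.

    Rule 1: any RDP logon that did not pass MFA.
    Rule 2: one account reaching >= min_tenants distinct customer networks over
            RDP within `window` (an MSP credential hopping between end-customers).
    """
    alerts = []
    by_account = defaultdict(list)
    for rec in logons:
        if rec["logon_type"] != RDP_LOGON_TYPE:
            continue  # only remote interactive sessions matter for these rules
        rec = {**rec, "ts": datetime.fromisoformat(rec["ts"])}
        if not rec["mfa"]:
            alerts.append(("RDP_WITHOUT_MFA", rec["account"], rec["dst"]))
        by_account[rec["account"]].append(rec)

    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):  # slide a window over each account's logons
            tenants = {e["tenant"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(tenants) >= min_tenants:
                alerts.append(("CROSS_TENANT_RDP_BURST", account, tuple(sorted(tenants))))
                break  # one alert per account is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGONS):
        print(*alert)
```

On the sample, the service account trips both rules while the technician’s two logons, hours apart and to only two customers, stay below the threshold; tune `window` and `min_tenants` to the number of customers a legitimate technician touches per hour.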
Threat Prevention Advice for MSPs

Continuum is strongly recommending that managed service providers evaluate how they connect to and manage their end-customer networks. This incident reinforces the need for advanced endpoint protection on all systems, with any unprotected systems isolated on a separate network. MSPs should also ensure that they are leveraging DNS protection as a secondary line of defense, that they are using more secure tools than RDP, and that all remote access requires multi-factor authentication.

Detection and response capabilities are also critical. Amid the Department’s cogent warnings is a clear call for providers to bolster their “ability to rapidly respond to and recover from an incident… with the development of an incident response capability… prepared to handle the most common attack vectors.” MSPs should heed this latest threat, as it is becoming increasingly likely that security will be the number one reason for an MSP to be hired or fired by their clients in the months and years to come.

To successfully disrupt APT activity, MSPs need a more advanced security solution. Discover how Continuum Security can help you provide the protection your clients demand.