A Wipro security incident involving an advanced, persistent phishing campaign has brought additional attention to MSP vulnerabilities; more news from the week.
By
John Moore and Spencer Smith
Published: 19 Apr 2019
Wipro, a global consulting, integration and managed services provider, this week acknowledged a security incident, a development that illustrates the threat environment MSPs currently face.
The Wipro security incident was first reported on the Krebs on Security website. Wipro executives later discussed the event during the $8.5 billion company's fiscal fourth-quarter conference call. Bhanumurthy B.M., chief executive of application services and strategic alliances at Wipro, said the company became aware of "potentially abnormal activity within our network that involved a few of our employee accounts."
Those employees were targeted with an advanced, persistent phishing campaign, the executive said. Phishing attacks concern MSPs because they can lead to larger issues such as ransomware or malware.
In the Wipro incident, an MSP software tool may have been used by the cyberattackers. Krebs on Security, citing an anonymous source, reported the intruders used ConnectWise's ScreenConnect remote access tool (now known as ConnectWise Control) "to connect remotely to Wipro client systems."
Officials at Wipro couldn't be reached for comment on that reported aspect of the security incident.
Jeff Bishop, ConnectWise's chief product officer, said ConnectWise Control and similar products are typically used by IT teams to remotely fix issues and apply updates, but added "malicious actors ... utilize remote control products in scams to exploit a consumer or company through misrepresentation, network vulnerabilities or phishing."
Bishop said ConnectWise works to "prevent the misuse of our products in these scenarios through online training, educational material, and by implementing AI to help us look for bad actors in our community. When detected or reported, we will work with the appropriate authorities to assist them to take action against these malicious actors."
Account compromise attacks like this one at Wipro resemble an insider threat from a detection standpoint.
Saryu NayyarCEO, Gurucul
An attack scenario exploiting typical MSP tooling is on track with a warning US-CERT, the Department of Homeland Security's Computer Emergency Readiness Team, issued in October 2018. At the time, US-CERT said attackers are using "trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks."
In addition, a penetration test that Infogressive, a managed security services provider (MSSP) based in Lincoln, Neb., conducted at one of its MSP customers revealed vulnerability to phishing, social engineering and the potential for cybercriminals to access remote monitoring and management (RMM) systems. The MSSP launched a phishing attack to obtain credentials and used them to get onto the MSP's VPN. From there, the testers were able to obtain access to the MSP's RMM tool.
Commenting on the Wipro security incident, Justin Kallhoff, CEO at Infogressive, said ScreenConnect should have a multi-factor authentication method enabled if it is an administrative tool. He said stolen credentials shouldn't imperil administrative-level access at large enterprises, noting that such companies can avail themselves of privileged access management offerings from vendors such as BeyondTrust, CyberArk and Thycotic.
Kallhoff said the phishing attack also raises questions.
"I would be interested in the initial phishing message and what techniques were used in it to bypass a solid email gateway that is configured correctly and combined with a sandboxing mechanism," he said.
Phishing-related breaches exposed employee, customer and patient records last year.
Saryu Nayyar, CEO at Gurucul, a cybersecurity company in El Segundo, Calif., suggested cases like Wipro point to the need for a holistic view of user and device activity.
"Account compromise attacks like this one at Wipro resemble an insider threat from a detection standpoint," she said in a statement. "Therefore, unless an organization is monitoring the entire system stack, they won't be able to identify subtle behavior anomalies that are indicators of account compromise. Since hackers will exploit whatever accounts they can successfully compromise to break into the organization including user accounts, system accounts [and] service accounts ... it's critical to actively monitor not just user activity, but also device and identity behavior."
Bhanumurthy, meanwhile, said Wipro has identified and isolated the affected employee accounts and has initiated remedial steps to contain the incident and mitigate its potential effects. He said Wipro is using its own cybersecurity practices and its partner ecosystem as it pursues those steps.
Rackspace sees Google Cloud uptake around Service Blocks
Large enterprises are tapping Rackspace's Service Blocks, modular public cloud services, as they adopt Google Cloud Platform (GCP).
Rackspace, an IT-as-a-service provider based in San Antonio, launched managed services around the Google Cloud in late 2017. The Service Blocks offerings emerged in October 2018. Service Blocks covers areas such as architecture, deployment, operational support, costs optimization and complex cloud operations. Blocks are packaged for AWS, Microsoft Azure and Alibaba, as well as GCP.
Prashanth Chandrasekar, senior vice president and general manager of cloud and infrastructure services at Rackspace, recently provided an update on the company's managed GCP business. He said large customers at differing levels of maturity on their cloud journeys are purchasing GCP services, as well as services for other public clouds, in a modular fashion. He said such Service Blocks customers gravitate toward the flexibility and agility they provide.
"That is really what is resonating with large GCP customers," Chandrasekar said.
He noted that smaller organizations have also been purchasing managed GCP services over the past 18 months.
Chandrasekar's vision is to enable customers to use a combination of Service Blocks to solve problems across clouds, extending "this concept for managed public clouds to be even more hybrid in nature."
Google's technology plays into this hybrid thinking. Chandrasekar said Google has taken on hybrid clouds earlier and in a more aggressive way than other cloud platform providers, noting the company's open source philosophy. In addition, Google's recently debuted Anthos, which lets customers deploy and manage applications on GCP and third-party cloud platforms, fits into the company's multi-cloud and hybrid-cloud approach, he noted. Rackspace is one of Google's Anthos launch partners.
Anthos has plenty of potential, Chandrasekar said, but noted that customers will not be deploying it overnight. "Customers are looking to leverage it in a way that makes sense," he said.
ConnectWise security resources
Companies or individuals who believe their ConnectWise Control instance has been exploited, or used in an exploit, may report the activity on the following page:
Bitdefender, a cybersecurity and antivirus company, said it aims to grow its presence in the MSP space.
The initiative is being led by Bitdefender's head of global cloud and MSP, Jason Eberhardt. Eberhardt joined Bitdefender in February from Symantec, where he served as North America cloud channel leader.
Eberhardt said that Bitdefender has invested in hiring more than forty people to focus on its global MSP and cloud business. Previously, the company had five or six people focused on that segment, he noted.
Apart from traditional distribution, Bitdefender is looking to engage MSPs through their RMM platforms; he said Bitdefender integrates with a number of widely used RMM providers, including ConnectWise, Kaseya, Naverisk, SolarWinds MSP and Datto.
StoredTech, an MSP based in Queensbury, N.Y., uses Bitdefender's antivirus technology integrated with Kaseya's platform. StoredTech also operates as a master MSP, providing Kaseya and Bitdefender technology to other MSPs worldwide.
According to Mark Shaw, president of StoredTech, his company played an active role in developing Bitdefender's Kaseya plugin. He noted that StoredTech has enjoyed a uniquely collaborative relationship with Bitdefender for several years. Bitdefender's receptiveness to StoredTech's feedback is one of the vendor's differentiating features, he said.
Eberhardt said MSPs are increasingly realizing they need to protect their businesses, especially since hackers can exploit them to compromise their customers' security. "If you don't have security in your company, you are hurting the security posture of the industry. You are hurting people, because [cybercriminals] are using your access to get into other companies," he said.
Shaw agreed that internal security is a growing concern for MSPs, citing this week's Wipro security breach as fresh evidence that MSPs are being targeted. StoredTech, which services about 47,000 endpoints globally, has been bolstering its security capabilities to thwart potential attackers, he said.
"What we did maybe 10 years ago would seem so lax compared to today," Shaw said.
Other news
Cloudian, an object storage systems vendor, unveiled an MSP program that the company said aims to make it easier for service providers to build value-added services on the company's AWS S3-compatiable storage. The company said its offerings can support a range of MSP use cases, including storage as a service, backup as a service and disaster recovery as a service. While Cloudian has worked with large MSPs for years, the company has seen increased interest of late among small- and medium-sized providers. Such companies "often need help getting such services up and running and then marketing the services, so we created our new MSP program to support them," a company spokeswoman said. Cloudian has more than 350 channel partners worldwide, a subset of which are MSPs.
Service management vendor Cherwell Software rolled out a global channel program. Headed by Cherwell's newly appointed vice president of worldwide channel, Matthew Peeples, the program targets resellers, delivery partners, global systems integrators and technology alliance partners. Support and benefits include technical guidance, sales alignment, enablement and financial incentives, the vendor said.
Intelligent automation provider LatentBridge has released a cloud-based managed services platform. Dubbed Albai, the platform combines robotic process automation, analytics, AI and proprietary tools, LatentBridge said. Albai's features include managed services for running customers' robots.
ActiveCampaign, a marketing automation platform vendor, named Cory Snyder as its director of channel sales. The vendor said Snyder will look to build out ActiveCampaign's team and partners, which include affiliates, resellers and certified consultants.
Market Share is a news roundup published every Friday.
