Multiple cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. on Wednesday released a joint advisory warning of threats targeting managed service providers (MSPs) and their customers.
Key among the recommendations include identifying and disabling accounts that are no longer in use, enforcing multi-factor authentication (MFA) on MSP accounts that access customer environments, and ensuring transparency in ownership of security roles and responsibilities.
MSPs have emerged as an attractive attack route for cybercriminals to scale their attacks, as a vulnerable provider can be weaponized as an initial access vector to breach several downstream customers at once.
The spillover effects of such intrusions, as witnessed in the wake of high-profile breaches aimed at SolarWinds and Kaseya in recent years, have once again underlined the need to secure the software supply chain.
The targeting of MSPs by malicious cyber actors in an effort to "exploit provider-customer network trust relationships" for follow-on activity such as ransomware and cyber espionage against the provider as well as its customer base, the agencies cautioned.
The major security measures and operational controls outlined in the advisory are as follows -
- Prevent initial compromise by securing internet-facing devices and implementing protections against brute-forcing and phishing attacks
- Enable effective monitoring and logging of systems
- Secure remote access applications and mandate MFA where possible
- Isolate critical business systems and apply appropriate network security safeguards
- Apply the principle of least privilege throughout the network environment
- Deprecate obsolete accounts through periodic audits
- Prioritize security updates for operating systems, applications, and firmware, and
- Regularly maintain and test offline backups for incident recovery.
The Five Eyes alert arrives a week after the U.S. National Institute of Standards and Technology (NIST) published updated cybersecurity guidance for managing risks in the supply chain.
"MSPs should understand their own supply chain risk and manage the cascading risks it poses to customers," the agencies said. "Customers should understand the supply chain risk associated with their MSP, including risk associated with third-party vendors or subcontractors."