A single ransomware attack on a New Zealand managed service provider (MSP) disrupted several of its clients' business operations overnight, most belonging to the healthcare sector. According to the country's privacy commissioner, "a cyber security incident involving a ransomware attack" in late November upended the daily operations of New Zealand's health ministry when it prevented the staff from accessing thousands of medical records. The Ministry of Justice, six health regulatory authorities, a health insurer, and a handful of other businesses also number among those affected by second-hand damage from the attack. There are ways to recover from a ransomware attack, but the damage often extends into that attacked organization's customers and vendors.
The targeted MSP in this incident is Mercury IT, a business based in Australia. Te Whatu Ora, the New Zealand health ministry, was unable to access at least 14,000 medical records because of the outage at Mercury IT. This includes 8,500 bereavement care services records going back to 2015, and 5,500 cardiac inherited disease registry records from 2011. Although Te Whatu Ora said in a public statement that their healthcare services were not affected by the ransomware attack, one can easily see how poor security posture could inadvertently harm medical patients.
In the private sector, health insurance firm Accuro reported an illegal download and dissemination of corporate data following the Mercury IT attack. Most of the stolen data pertained to the company's finances, according to Accuro in a statement, which was then leaked onto the dark web. Some of the stolen data includes member contact information and policy numbers, Accuro adds, but states that there has been no observed misuse of the stolen personal data.
MSP Attacks: Killing Several Birds with One Stone
This incident shows how MSPs are attractive targets for attackers because of the vast amount of client data stored in a single company's systems. Cybercriminals need only to exploit the security vulnerabilities of one MSP to steal confidential data from dozens of companies at once. Investigators are too early in their investigation to determine the attacker's objective and motive, but there is a clear lesson for IT admins in this story—audit an MSP's security practice before you pay.
Passwords: The Weakest Link
The 2021 MSP Threat Report by ConnectWise revealed that 60% of MSP client incidents were related to ransomware. Ransomware groups only need the lowest hanging fruit to launch a successful attack – weak passwords. Even while new forms of authentication are being developed to make passwords obsolete, passwords remain the most common and most vulnerable method of securing data.
Consequently, one of the most common methods for distributing ransomware is an RDP brute-force attack. Attackers launch brute-force attacks by using an automated program to try a long list of password combinations on an account until they guess the right one, after much trial and error. Once inside, an attacker is free to steal data from the target's organization and paralyze their systems with ransomware. A common defense against brute-force attacks involves setting a finite number of login attempts before the account is temporarily locked down.
Auditing Vendor Passwords
Organizations risk inheriting the security weaknesses of their vendors without conducting a security audit beforehand. Specops Password Auditor is a free read-only password auditing tool that aids the decision-making of IT admins by scanning active directory for password-related security weaknesses. Using this tool, admins can view every account's security posture so that no accounts with breached passwords will go unnoticed.
Specops Password Auditor gets to the root of weak passwords by identifying the password policies that enabled their creation in the first place. With the interactive reports generated by Specops Password Auditor MSPs can identify if their policies are compliant and which ones rely on default password policies. They can also compare their password policies with various compliance standards, such as NIST, CJIS, NCSC, HITRUST, and other regulators. IT Admins can request vendors and their MSPs to run this free scan and then get a read-only report. For precise security planning, admins can customize the Password Policy Compliance report to display only the standards relevant to their organization.
Download Specops Password Auditor for free here.