2021 Perch MSP Threat Report
• Attackers understand MSP tools. They know how to exploit the vulnerabilities and legitimate uses of the tools MSPs depend on.

The burden of responsibility makes it dangerous to go alone. Take Perchy with you. Let’s get this party started!
Contents

MSPs are valuable targets
Q1 & Q2
Q3 & Q4
MSPs are waking up
The 3 MSP personas
Recommendations for the herd
Thoughts from Jason Slagle
Survey results
??? (Mespinosa, aka Pysa)
Wizard Spider (Ryuk/Conti)
ENRAGED DUCK
Dharma
Dark Halo (UNC2452)
FIN6 / TA2101 / Twisted Spider (Maze)
Large enterprises might be Big Game, but MSPs are valuable because they control the Big Herd.
Jan. – Sodinokibi (Buffalo Jump): A server run by LogicalNet was compromised by hackers, resulting in a Buffalo Jump that impacted its clients, including Albany International Airport, who ultimately paid a ransom to regain access to its computers.5

Jan. – Selling Access: Cyber-criminals were found selling access to sensitive databases and email access to various corporate environments, as well as access to point-of-sale terminals.6

Feb. – Insider Threat: A team of security professionals from Huntress, Datto, and ConnectWise helped federal agents track down a systems engineer at an MSP attempting to sell access to their employer.10

Apr. – Maze (Ransomware): Dakota Carrier Network (DCN), a group of 14 independent broadband companies, was hit by Maze, who published some administrative data on the internet.12

June – Maze (Ransomware): Collabera was infiltrated by hackers who stole employee personal information and infected systems with ransomware. They were able to successfully restore access from backup files.13

Timeline legend (icons not preserved): Buffalo Jump, Selling Access, Vulnerability, Failed Attack, Ransomware, Warning.
Front Runners

• “We’ve had a strong focus on security. We put a lot of energy into staying on top of things. Cautious and wary. It will never end.”

• “We are probably in the top 10% of MSPs with security, but there is always room to improve. We are ready to help our clients respond to security incidents, but we are always looking at new ways to protect us and our clients. We regularly verify that our tools, processes, and policies are the best we can do. We have a good grasp of the threat landscape, enough to know we need to constantly evaluate, change, upgrade and move with the landscape to be safe.”

• “We support other MSPs and help SMBs that do not have the minimum security resources to have good cybersecurity hygiene. We are constantly learning too. We are always looking to improve our internal security.”

• “[Jump] in with two feet. Utmost importance!”
Lagging Behind

• “Ignorance is bliss, but we’re concerned because it’s a crazy world.”

• “We’re having trouble educating leadership about our blind spots and making changes to keep our customers secure. We’re understaffed and underskilled in security, and there is an insufficient budget for security. We’re uncomfortable with the threat landscape. It’s a big unknown for us.”

• “Clients aren’t adopting the security they need. They only care about security after an incident. That makes it hard to be proactive and competitive. Security is expensive, and the solutions are very fragmented. It’s hard to know the best way forward.”

• “It’s a challenge to stay on top of the threats and educate our clients about the seriousness of the issues.”
- Jason Slagle
VP of Technology, CNWR, Inc.
Recommendations for the herd

As a community, we have the responsibility to help everyone along their cybersecurity journey. If not, attackers will keep pursuing those lagging behind.
Perch was the first security company on the scene to discover multiple campaigns targeting MSPs before and after the vulnerability was disclosed. Perch observed three active campaigns: one actor from Russia, one actor leveraging Private Internet Access (VPN), and a small amount of scanning activity using AWS infrastructure indicating a third.

When attackers were successful, they leveraged their ConnectWise Automate control to perform Buffalo Jumps. Because of the active campaign and no CVE to track the vulnerability details, Perch sought CVE registration for the vulnerability, but gave attribution to Syswarden.
What security threat trends are you worried about for 2021?

“A lot of trust is placed in the software vendors MSPs use. The problem is there is no way for us to know what software development looks like at these vendors we trust. Simply throwing software into the mix without understanding it, auditing it, learning it, and picking it apart can just end up with you introducing more vulnerabilities...It happens to both small and large firms.”
- Jesse Connor, Chief Business Development Officer, Simplefusion
Password Reuse / Weak Passwords / Password Spraying

Over and over again, passwords are the weak link. We do like to blame interns with poor passwords, but ultimately the failure is in the systems. Training for users is important, especially around password reuse. But we should be able to architect more secure systems.

“Tackle the simple things like MFA, passwords, and training.”
- Jesse Connor, Chief Business Development Officer, Simplefusion
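One concrete way to act on "the failure is in the systems" is to have the system notice a spray while it is happening. The detector below is an added example, not code from the Perch report or any Perch product. It reads constructed authentication log lines (the timestamp/event/user/src layout is an assumption for the example, not a real vendor format) and separates two patterns that a per-account lockout alone misses: a password spray (one source, one or two guesses against many accounts) versus a brute force (one source, many guesses against one account). It also reports any successful login from a spraying source after the spray began, because that is the account to treat as compromised rather than merely targeted.

```python
"""Password-spray vs brute-force detection over authentication logs.

Added example for the report's password section; not Perch code.
The log format below is constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays one guess across many users and
# finally lands on "grace"; 198.51.100.9 brute-forces "admin"; 192.0.2.44 is
# a legitimate user who mistyped once.
SAMPLE_LOG = """\
2021-01-12T09:00:01Z LOGIN_FAILED user=alice src=203.0.113.7
2021-01-12T09:00:02Z LOGIN_FAILED user=bob src=203.0.113.7
2021-01-12T09:00:03Z LOGIN_FAILED user=carol src=203.0.113.7
2021-01-12T09:00:04Z LOGIN_FAILED user=dave src=203.0.113.7
2021-01-12T09:00:05Z LOGIN_FAILED user=erin src=203.0.113.7
2021-01-12T09:00:06Z LOGIN_FAILED user=frank src=203.0.113.7
2021-01-12T09:00:07Z LOGIN_OK user=grace src=203.0.113.7
2021-01-12T09:01:00Z LOGIN_FAILED user=admin src=198.51.100.9
2021-01-12T09:01:01Z LOGIN_FAILED user=admin src=198.51.100.9
2021-01-12T09:01:02Z LOGIN_FAILED user=admin src=198.51.100.9
2021-01-12T09:01:03Z LOGIN_FAILED user=admin src=198.51.100.9
2021-01-12T09:05:00Z LOGIN_FAILED user=alice src=192.0.2.44
2021-01-12T09:05:30Z LOGIN_OK user=alice src=192.0.2.44
"""


def parse(line):
    """Parse one constructed log line into a dict (format is an assumption)."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def classify_source(fails, window, min_users, max_per_user, min_attempts):
    """Return 'spray', 'brute_force' or None for one source's failed logins.

    A sliding window over the time-ordered failures checks, per window,
    whether many distinct users were each tried only a few times (spray)
    or one user was tried many times (brute force).
    """
    fails = sorted(fails, key=lambda e: e["ts"])
    start = 0
    verdict = None
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        counts = Counter(e["user"] for e in fails[start:end + 1])
        if len(counts) >= min_users and max(counts.values()) <= max_per_user:
            return "spray"          # low-and-slow across accounts
        if max(counts.values()) >= min_attempts:
            verdict = "brute_force"  # keep looking; a spray outranks this
    return verdict


def detect(log_text, window=timedelta(minutes=10), min_users=5,
           max_per_user=2, min_attempts=4):
    """Map each suspicious source IP to its attack kind, targets and any
    account that later logged in successfully from that same source."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    fails_by_src, ok_by_src = defaultdict(list), defaultdict(list)
    for e in events:
        bucket = fails_by_src if e["event"] == "LOGIN_FAILED" else ok_by_src
        bucket[e["src"]].append(e)

    findings = {}
    for src, fails in fails_by_src.items():
        kind = classify_source(fails, window, min_users, max_per_user, min_attempts)
        if kind is None:
            continue
        first_fail = min(e["ts"] for e in fails)
        # A success from the attacking source after the attack started is the
        # account to reset and investigate, not just one that was "attempted".
        compromised = sorted({e["user"] for e in ok_by_src.get(src, [])
                              if e["ts"] >= first_fail})
        findings[src] = {
            "kind": kind,
            "targets": sorted({e["user"] for e in fails}),
            "likely_compromised": compromised,
        }
    return findings


if __name__ == "__main__":
    for src, info in detect(SAMPLE_LOG).items():
        print(src, info)
```

The thresholds (five distinct users, at most two tries each, within ten minutes) are starting points, not tuned values; the point is that the spray source never trips a per-account lockout, so the signal has to be keyed on the source and the number of distinct accounts, and the success that follows the spray is the alert that matters most.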
Workers benefit from shorter commute times, are moving to cheaper housing markets, and now can work in pajamas from the waist down.

• Review the effectiveness of your security controls in terms of where employees work, for your MSP and for your customers.
We’re always on the lookout for potential buffalo jumps. We collected these survey results before FireEye announced the SolarWinds breach - we imagine this number would be higher now.

However, nearly 73% of MSPs reported that at least one client had a security incident.

And this year, MSPs are gearing up for even more security spending, with 75% of respondents indicating that their spending would increase on average 12.1%.

Survey results (values recovered from the charts):

Have any of your service providers reported a security incident to you in the last 12 months? Yes 25%, No 75%

Have any of your clients had a security incident in the last 12 months? Yes 72.7%, No 27.3%

What percentage will your security budget increase in 2021? (bar chart with bins 1-5%, 6-10%, 11-20%, 21%+; bar values not preserved)

[Two further chart values whose question labels did not survive extraction: Yes 82.2%; a Yes/No/Unsure chart with values 56.8% and 43.2%.]
• A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact

• According to CrowdStrike, they likely operate not only the now shut down Maze, but also Egregor. Egregor is the ransomware to watch out for in 2021.23