The Cybersecurity and Infrastructure Security Agency (CISA) has received multiple reports of advanced persistent threat (APT) actors actively exploiting trust relationships in information technology (IT) service provider networks around the world. The number of organizations using IT service providers—such as managed service providers (MSPs) and cloud service providers (CSPs)—has increased in recent years because IT service providers enable customers to scale and support network environments at a lower cost than financing these resources internally. IT service providers generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, IT service providers can achieve significant economies of scale. However, a compromise in one part of an IT service provider’s network can have globally cascading effects, impacting other customers and introducing significant risk.
CISA encourages customers of MSPs and CSPs to implement a defense-in-depth strategy to protect their infrastructure assets and increase the probability of successfully disrupting APT activity. CISA recommends MSP and CSP customers review the resources below to help formulate and build their defense-in-depth strategy.
IT Service Provider Customers
- Organizations that rely on IT service providers should ensure their providers have conducted a review to determine if there is a security concern or compromise, and have implemented appropriate mitigation and detection tools for this cyber activity.
- IT service provider customers should also:
  - Review and verify all connections between customer systems, service provider systems, and other client enclaves;
  - Verify service provider accounts in their environment are being used for appropriate purposes and are disabled when not actively being used;
  - Ensure contractual relationships with all service providers implement:
    - Security controls as deemed appropriate by the client,
    - Appropriate monitoring and logging of client systems provided by the service provider,
    - Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network, and
    - Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
- Integrate system log files—and network monitoring data from IT service provider infrastructure and systems—into customer intrusion detection and security monitoring systems for independent correlation, aggregation, and detection.
- See the Managed Service Provider Customers and Cloud Service Provider Customers sections below for additional information, tools, and resources.
Managed Service Provider Customers
CISA is aware of ongoing APT actor activity attempting to infiltrate the networks of global MSPs. Since at least May 2016, APT actors have used various tactics, techniques, and procedures for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several critical infrastructure sectors, including IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. See the products and resources below for information to help build a defense-in-depth strategy.
- CISA Publications
  - Tools to Detect Intrusions and Identify Compromised Systems: Network defenders use a variety of tools, appliances, and methodologies to detect intrusions and identify compromised systems within their organization. The tools below were developed in response to TA17-117A, which reports on APT actors using Sogu (also called PlugX) to compromise MSP systems. CISA recommends that network defenders use these tools to help identify APT activity.
    - Sogu File Search Tool: Sogu malware is a Trojan used to open a backdoor on a compromised system. The Sogu File Search Tool is a script that generates a list of possible Sogu filenames based on the serial numbers of active endpoint devices. The script is designed to identify Sogu-related filenames and can be deployed across a Windows network domain to find potentially compromised computers.
    - Australian Cyber Security Centre Sysmon and Windows Management Instrumentation Tools: The Australian Cyber Security Centre (ACSC) Sysmon and Windows Management Instrumentation (WMI) tools support the detection and investigation of malicious activity and complement existing host-based intrusion detection and prevention systems. For guidance, consult the ACSC Technical Guidance document on Windows Event Logging.
- Additional Resources
  - United Kingdom National Cyber Security Centre: Global targeting of enterprises via managed service providers
  - United Kingdom National Cyber Security Centre: Advice on managing enterprise security published after major cyber campaign detected
  - Canadian Centre for Cyber Security: AL17-004 Malicious Cyber Activity Targeting Managed Service Providers
Cloud Service Provider Customers
The resources below provide a foundational reference point to help CSP customers understand and manage the risks and challenges associated with using commercial cloud environments.
- DHS Resources for Government Users
- Additional Resources
  - National Institute of Standards and Technology (NIST): Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing
  - NIST: Special Publication 800-53 Security Controls and Assessment Procedures for Federal Information Systems and Organizations
  - NIST National Cybersecurity Center of Excellence Trusted Cloud: VMware Hybrid Cloud IaaS Environments
  - National Security Agency Security Tip: Cloud Security Basics
IT Service Providers
- Providers should fully implement the mitigation actions on this page to protect against this malicious activity. Additionally, providers should implement the following specific actions:
  - Apply the principle of least privilege to their environment, which means customer data sets are separated logically and access to client networks is not shared.
  - Implement robust network and host-based monitoring solutions that look for known malicious activity and anomalous behavior on the infrastructure and systems providing client services.
  - Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse.
  - Work with their customers to ensure hosted infrastructure is monitored and maintained, either by the service provider or the client.
- Providers may consult the Operation Cloud Hopper private industry report. Note: CISA does not endorse any commercial products or services identified in this report. Any hyperlinked websites do not constitute endorsement by CISA of the website or the information, products, or services contained therein.
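The customer-side recommendations above (verify that service provider accounts are used only for appropriate purposes and are disabled when idle; monitor the provider's connections to the customer network) and the provider-side focus on account misuse come down to the same check: compare provider account activity against an agreed access policy. The script below is an added example, not CISA's code or any tool referenced on this page; the log format, account names, source range and maintenance window are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Added example, not CISA's code. Policy values below are constructed
# assumptions: provider accounts, their VPN egress range, UTC window.
PROVIDER_ACCOUNTS = ("svc-msp-admin", "msp-backup")
ALLOWED_SOURCES = (ip_network("203.0.113.0/24"),)
MAINTENANCE_HOURS = {22, 23, 0, 1, 2, 3, 4, 5}  # 22:00-05:59 UTC
STALE_AFTER = timedelta(days=30)  # idle longer than this -> disable

# Constructed authentication events: "<UTC timestamp> key=value ..."
SAMPLE_LOG = """\
2024-03-01T22:15:03Z user=svc-msp-admin src=203.0.113.7 result=success
2024-03-02T14:02:41Z user=svc-msp-admin src=198.51.100.9 result=success
2024-03-02T23:10:00Z user=alice src=10.0.0.5 result=success
2024-01-15T01:00:00Z user=msp-backup src=203.0.113.8 result=success
""".splitlines()

def parse_event(line):
    """Turn one log line into a dict with a parsed UTC timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def is_allowed_source(src):
    """True if the source address is inside an agreed provider range."""
    return any(ip_address(src) in net for net in ALLOWED_SOURCES)

def review(lines, now):
    """Return (policy findings, provider accounts idle long enough to disable)."""
    findings = []
    last_seen = {account: None for account in PROVIDER_ACCOUNTS}
    for ev in map(parse_event, lines):
        user = ev["user"]
        if user not in PROVIDER_ACCOUNTS:
            continue  # customer accounts are out of scope for this check
        if ev["result"] == "success":
            prev = last_seen[user]
            last_seen[user] = ev["ts"] if prev is None else max(prev, ev["ts"])
        if not is_allowed_source(ev["src"]):
            findings.append((user, "unexpected source " + ev["src"]))
        if ev["ts"].hour not in MAINTENANCE_HOURS:
            findings.append((user, "outside maintenance window"))
    stale = sorted(a for a, t in last_seen.items()
                   if t is None or now - t > STALE_AFTER)
    return findings, stale
```

Feeding the same events into the customer's own SIEM, independently of the provider's logging, is what lets the customer spot a provider account used from an unexpected network or at an unexpected time.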
CISA is aware of ongoing APT actor activities against organizations operating trusted network relationships. Potential targets include parent companies, connected partners, and contracted MSPs and CSPs. APT actors can leverage legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations under the guise of authorized activity. Leveraging legitimate credentials also allows APT actors to access other devices and trusted networks, enabling them to maintain persistence and evade detection tools. See the resources below for further information.
- CISA Publications
- Additional Resources
Federal Government High Value Assets
Federal departments and agencies are responsible for the IT assets and personal information entrusted to them by hundreds of millions of Americans. Federal government High Value Assets (HVAs) enable essential functions and operations, provide services to citizens, generate and disseminate information, and facilitate greater productivity and economic prosperity. The resources in the links below provide additional contextual detail and hardening recommendations for HVAs.
- Department of Homeland Security: HVA Control Overlay documents
IT Service Provider Customer Contracts
MSP and CSP customers should be aware that the decision to centralize information with an IT service provider can present risks to the confidentiality and integrity of their proprietary information. MSP and CSP customers should consider contract language that supports the customer’s needs and requirements for both virtual and physical security, including supply chain risk management. See the resources below for more information.