Black Arrow Cyber Advisory – Targeted Attacks on Managed IT Service Providers - What You Need to Know
Executive Summary
The Microsoft Threat Intelligence Center (MSTIC) have reported increased activity from state-sponsored threat actors, with a particular focus on NOBELIUM. NOBELIUM, a Russian-backed group, have emerged as a prominent threat due to their choice of target – managed IT service providers (MSPs). The activity, observed across the United States and Europe, seeks to exploit the trust and delegated administrative privileges used to manage clients. Much like the SolarWinds compromise of 2020, this new threat shares all the hallmarks of NOBELIUM’s “compromise-one-compromise-many” approach.
What’s the risk to my business?
Delegated admin privileges – allowing MSPs administrative control of your estate for support purposes – present an attractive target to bad actors, particularly as MSPs will often hold the keys to multiple businesses. Should attackers compromise an account with these delegated privileges, access to the managed estates underneath becomes trivial.
What can I do?
Revoking administrative privileges is not realistic as part of a managed service. While the requirement remains, businesses are advised to gain visibility of why and where these accounts might exist within their managed estate. Where these relationships do exist, businesses should review the effectiveness of the controls and security practices applied to any accounts with delegated admin access.
Need help understanding your gaps, or just want some advice? Get in touch with us.