NCCIC has received multiple reports of advanced persistent threat (APT) actors actively exploiting trust relationships in information technology (IT) service provider networks around the world. The number of organizations using IT service providers—such as managed service providers (MSPs) and cloud service providers (CSPs)—has increased in recent years because IT service providers enable customers to scale and support network environments at a lower cost than financing these resources internally. IT service providers generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, IT service providers can achieve significant economies of scale. However, a compromise in one part of an IT service provider’s network can have globally cascading effects, impacting other customers and introducing significant risk.
NCCIC encourages customers of MSPs and CSPs to implement a defense-in-depth strategy to protect their infrastructure assets and increase the probability of successfully disrupting APT activity. NCCIC recommends MSP and CSP customers review the resources below to help formulate and build their defense-in-depth strategy.
Managed Service Provider Customers
NCCIC is aware of ongoing APT actor activity attempting to infiltrate the networks of global MSPs. Since at least May 2016, APT actors have used various tactics, techniques, and procedures for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several critical infrastructure sectors, including IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. See the products and resources below for information to help build a defense-in-depth strategy.
- NCCIC Publications
- Tools to Detect Intrusions and Identify Compromised Systems
Network defenders use a variety of tools, appliances, and methodologies to detect intrusions and identify compromised systems within their organization. The tools below were developed in response to TA17-117A, which reports on APT actors using Sogu (also called PlugX) to compromise MSP systems. NCCIC recommends that network defenders use these tools to help identify APT activity.
- Sogu File Search Tool
Sogu malware is a Trojan used to open a backdoor on a compromised system. The Sogu File Search Tool is a script that generates a list of possible Sogu filenames based on serial numbers of active endpoint devices. This script is designed to identify Sogu-related filenames and can be deployed across a Windows network domain to find potentially compromised computers.
- Australian Cyber Security Center Sysmon and Windows Management Instrumentation Tools
The Australian Cyber Security Center (ACSC) Sysmon and Windows Management Instrumentation (WMI) tools support the detection and investigation of malicious activity and complement existing host-based intrusion detection and prevention systems. For guidance, consult ACSC Technical Guidance document on Windows Event Logging.
- Sogu File Search Tool
- Additional Resources
- United Kingdom National Cyber Security Center: Global targeting of enterprises via managed service providers
- United Kingdom National Cyber Security Center: Advice on managing enterprise security published after major cyber campaign detected
- Canadian Centre for Cyber Security: AL17-004 Malicious Cyber Activity Targeting Managed Service Providers
Cloud Service Provider Customers
The resources below provide a foundational reference point to aid CSP customers with the risks and challenges associated with using commercial cloud environments.
- DHS Resources for Governement Users
- Additional Resources
- National Institute of Standards and Technology (NIST): Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing
- NIST: Special Publication 800-53 Security Controls and Assessment Procedures for Federal Information Systems and Organizations
- NIST National Cybersecurity Center of Excellence Trusted Cloud: VMware Hybrid Cloud IaaS Environments
- National Security Agency Security Tip: Cloud Security Basics
NCCIC is aware of ongoing APT actor activities against organizations operating trusted network relationships. Potential targets include parent companies, connected partners, and contracted MSPs and CSPs. APT actors can leverage legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations under the guise of authorized activity. Leveraging legitimate credentials also allows APT actors to access other devices and trusted networks, enabling them to maintain persistence and obfuscate detection tools. See the resources below for further information.
Federal Government High Value Assets
Federal departments and agencies are responsible for the IT assets and personal information entrusted to them by hundreds of millions of Americans. Federal government High Value Assets (HVAs) enable essential functions and operations, provide services to citizens, generate and disseminate information, and facilitate greater productivity and economic prosperity. The resources in the links below provide additional contextual detail and hardening recommendations for HVAs.
IT Service Provider Customer Contracts
MSP and CSP customers should be aware that the decision to centralize information with an IT service provider can present risks to the confidentiality and integrity of their proprietary information. MSP and CSP customers should consider contract language that supports the customer’s needs and requirements for both virtual and physical security, including supply chain risk management. See the resources below for more information.