A Tale of Two Incidents

Back to Blog
08Sep2020

A Tale of Two Incidents

I have two stories to share today. Both are from individuals who contacted me about recent Cybersecurity incidents that their MSP had suffered. Both incidents were very different, and yet they share some common threads and lessons that I think we would be wise to heed. And this is all applicable beyond MSP’s, but it also highlights just how much Managed Services Providers are being targeted right now, too.

Incident #1: The BYOD/WFH device

In this first incident, which unfolded over the summer, an MSP had about a dozen customers get ransomware on the same day. It was not the customers who were individually compromised but rather the MSP. At first they thought there must be some kind of new global worm like Wannacry, but nope, it was just them–they were the common thread between all these incidents.

What happened? They were so dumbfounded because they believed they had done everything right: MFA on all of their major systems, antivirus and EDR agents on all their endpoints. They have what they feel is a really good (third-party) anti-spam/phish solution in front of their email (which is in turn hosted at O365).

Now they were a little surprised that only a portion of their overall client base got taken down–maybe more were about to get compromised just around the corner? They had to send communications out to their entire customer base about the unfolding attack, just in case. But at the end of the day, they traced the compromised customers back to one single tech who had all of these accounts in common.

During the pandemic, of course all of their technicians are working from home, and, some of them chose to work on personal (rather than work-issued) devices. And in this case, the tech had their personal device compromised (none of the MSP’s owned systems had even been part of the event). On this device was stored the keys to the kingdom: credentials and other access information, as well as details about the customers’ networks. The tech had been keeping “convenience copies” of customer information handy, in personal apps and storage locations.

Hard to say how the initial compromise happened, as this tech ended up wiping/reloading that home machine before they could try to preserve any artifacts as evidence, etc. But, had it been a managed device, certainly the risk of compromise would have been lower (provided the MSP does a decent job of protecting their endpoints–including local admin privilege, application control, and so on).

CIS Critical Security Control #1 states:

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall
include all assets, whether connected to the organization’s network or not.

Center for Internet Security, CSC 1.4

(Italics added for emphasis).

So it is totally cool that this provider was doing “the right things” as far as MFA and so on–but this incident demonstrates that when you don’t follow the basics of Cybersecurity hygiene, you are undermining any subsequent protection that you may choose to employ. MFA doesn’t protect you against all types of threats–especially when you are allowing unmanaged devices and applications to store and process corporate data.

Biggest lesson here is that you should not allow unmanaged devices to store or process corporate data if you are an MSP–especially if that device has the potential to expose customer information. You should absolutely bake language akin to this into your Acceptable Use Policy; also consider adopting additional technical controls to prevent access to and prevent exfiltration from your systems on unmanaged devices.

Unfortunately, you could still be open to issues on a managed device, and possibly this same outcome, if you are ignoring other critical security controls such as application control, limiting admin privileges, and monitoring the audit logs for example. Once you have limited access to a set of managed devices, you do still have to manage them, after all.

Incident #2: Phishing with an additional OAUTH app angle

In the previous story, it is unfortunate we do not have more details about the initial events that lead to compromise on that unmanaged device. But here is an interesting one where we do have some more detail, and it is interesting how the attack was targeted against a specific cloud service–Microsoft’s Partner Center. If you are a Cloud Service Provider (CSP) and use the Partner Center, you know that this will allow you administrative access to numerous other tenants under your watch.

Last year, Microsoft required all CSP’s to enable Multi-factor (and disable Basic Auth). That’s good. But it sounds like the adversaries are now starting to make adjustments to their approach–they will move around this problem in other ways.

A non-technical user who administers the CSP and billing relationships at this MSP received a phishing email that looked almost identical to other notifications that come from Microsoft regarding Billing, etc. It made some claims about expiring subscriptions that needed immediate attention or else data loss, etc.–and these do also come from MSFT some times, so very hard to tell the difference here. The only tip would have been that the from address is not actually a Microsoft domain.

So this person clicked on the link in the email and was taken to a Microsoft authentication page, which she completed with MFA included, and was then greeted with a consent request for an application called “Office 365 Billing Account.” Upon accepting the prompt, she unknowingly granted access to an outside party through a new application identity that had been added to their tenant. That identity had extremely wide reaching permissions, and was quickly used to establish new accounts in the organization.

Now this provider was extremely lucky. They had read a blog of mine advocating for the addition of Microsoft Cloud App Security. Taking my advice to heart, they had enabled all of the out-of-box alerts, including the OAuth application alerts. So they quickly investigated this anomalous event and removed the app along with the additional footholds it had created–before the attacker had a chance to cause any damage to their environment or that of their customers.

Note that you can also enable Admin consent requests to mitigate the risk of OAuth apps, although sadly in this case the person who was targeted had full global administrator credentials (another no-no for which I scolded them)–so the admin consent requests would not have helped in this case.

Here are some relevant CIS Critical Security Controls:

#2: Inventory and Control of Software Assets

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

Center for Internet Security, CSC 2.6

#4: Controlled Use of Administrative Privileges

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.

Center for Internet Security, CSC 4.3

#14: Controlled Access Based on the Need to Know:

Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Center for Internet Security, CSC 14.6

Knowing that this kind of email campaign exists, in addition to all of the above, I would also caution anyone who administers Microsoft 365 billing and especially CSP/Partner Center for their customers as follows:

Do not click on the links in these emails, even if they seem legit. Instead, navigate in a browser to the Microsoft Admin Center or Partner Center directly to review the claims that are being made in these emails.

Conclusions

In both cases, the folks I was chatting with believed they were doing “everything” they were supposed to be doing. Yet in just a short conversation I learned that they had not been following some of the Basic CIS Controls, which I often harp on (for obvious reasons). What these individuals meant to say is that they were doing everything that the herd collectively believes they should be doing. And that “common sense” knowledge may share some threads with an actual evidence-based, real-world Cybersecurity Framework like the CIS Controls, but it very often comes up a few fries short of a Happy Meal, if you know what I mean.

Better to make sure you are following and documenting your progress against a formal framework. If you do the basics really well you will be out ahead of many of your peers. But as we can see in the examples above, you also have to stay on your toes. You never know what your adversary’s next move will be, and many folks are surprised to learn where they still have blind spots.

I also enjoy collecting these stories. If you are willing to share them with me, I will share them with the world along with an analysis of what we can do to avoid these same things happening again, to another of our peers. You can choose to remain anonymous, or not. The parties above chose to remain unnamed.

Business, News , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

29Oct

New updates to the BP guides PLUS the Office 365 Security Checklist

I have heard from so many people about the Microsoft 365 Best Practices checklists--you guys & gals seem to really like them! I'm pleased to hear it. Although all of this content is available for FREE on my website, I still hear from folks... read more
31Aug

The next evolution of SBS

In a previous article, I compared two alternative deployments for a new kind of "Small Business Server" (being defined in this case as a network of 25 users or less). Microsoft used to have a widely adopted product for this market called Small Business Server, but... read more
The three opportunities for MSP's moving forward
30Jul

The three opportunities for MSP’s moving forward

The writing has been on the wall a while now; with a mass exodus to cloud services such as Microsoft 365 from traditional on-premises infrastructure, it was only a matter of time before those selling MSP services had to either evolve or die off. And... read more
06Mar

Can OneDrive and SharePoint replace my file server? Probably, with Files On-Demand.

The real answer to this question is: it depends. But the shorter version is: probably. You'll just want to enable Files On-Demand first.* OneDrive has been great for personal files for a long time--I usually recommend clients start by replacing redirected "Documents" folders with OneDrive for... read more
16Jul

How to bundle even more security into your Office 365 subscription

In a previous post, I covered some of the most common SKU's that are frequently purchased by small businesses, who are migrating to the Office 365 platform. In a nutshell, by FAR the most common of those are Office 365 Business Premium and Office 365... read more
17Jul

The new and confusing Microsoft 365 SKU’s

I have written one post on Microsoft 365 (Business edition) so far. And I haven't had as much time to continue playing with it as I like. But, here is what I can tell you: the literature out there on these SKU's can be confusing,... read more
17Jun

Updated Licensing Graphics

With the recent changes to Microsoft 365 Business (which now includes Conditional Access--hooray!), it was time to dust off the old licensing guide page, which is also linked on the top banner of my site. Here are the resulting images which were updated just this month,... read more
31Mar

Comparing Costs: Azure IaaS vs. On-Premises Server Hardware

Most people do not compare costs of running infrastructure in Azure to traditional on-premises deployments appropriately. To begin with, it is almost impossible to compare them apples-to-apples. For example: as soon as you deploy a VM in Azure, all of your data will be written into 3 different storage locations... read more
21Nov

When would I recommend Windows Virtual Desktop to a customer?

Call me crazy: I don't see the value in a Remote Desktop or Virtual Desktop experience for its own sake. The purpose of this kind of solution is to provide centralized management and remote access to specifically Windows-based applications. In short: Remove your dependency on... read more
16Nov

Three Azure solutions to SMB problems: The first rule of Azure is you don’t sell Azure

Different MSP's out there embrace the cloud to more or less extent. Most providers are doing Office 365 nowadays, but Azure (or IaaS solutions like it) is still nebulous or even a little scary: Some providers feel threatened by services like Azure, because deploying and... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me