Attacks on MSPs: How Threat Actors Kill Two Birds (and More) With One Stone

Yael Kishon, Threat Intelligence Analyst

Managed service providers (MSPs or MSSPs) have become a vital part of many companies, providing a range of IT services and support to keep operations running smoothly. At the same time, MSPs become attractive targets for cybercriminals aiming not only to compromise assets of a single company, but also to increase the number of potential victims and to target a wide range of third parties. In this blog, we examine the ongoing interest of threat actors in the cybercrime ecosystem targeting MSPs and IT companies.

Network access to MSP: The perfect entry vector with many possible targets

Initial access brokers (IABs) — threat actors who sell network access on cybercrime forums — seem to actively compromise MSPs.

Network access is a broad term that is used to describe multiple different vectors, permission levels, and entry points. The offering can include SQL injection, remote desktop protocol (RDP) credentials, or the ability to change from user to admin privileges. The actors selling such network access types provide an initial entry point to a compromised network that can be further leveraged by other cybercriminals. The most common type of access is offered through RDP or VPN access. Threat actors define specific attributes of their ideal victim based on the geographies, sectors and revenue of the victim.

IT sector - among the most targeted

In 2022, the technology sector, which also includes MSPs and other IT companies, was among the top three targeted sectors by IABs. Compromising such companies significantly expands future possibilities for a threat actor since MSPs have access to corporate networks and internal data of different enterprises. Cybercriminals can steal a vast amount of information stored in a single company’s system, as well as leverage this data to further compromise MSPs’ clients. This allows actors to target those organizations immediately through a single compromised MSP’s network.

Demand and Supply

At KELA, we have been seeing a stable demand and supply of access to MSPs and IT companies on cybercrime forums. For example, in January 2023, the threat actor ‘570RM’ was selling access to an Australian IT cloud company that saves backup files of its clients. The access was offered for sale in an auction and sold for USD 1,500 in a few days.

The actor also provided screenshots of available information of the company’s clients, including redacted login credentials. The actor specified that a potential buyer can gain access to such sensitive information as credentials to VPNs, emails, and more. A buyer would also be able to download backup files. The actor provided a list of more than 30 companies that might be compromised (mainly located in Australia, from sectors such as finance, media, construction, and professional services, with a range of USD 5 million to around USD 175 million in revenue).


An actor is selling access to an Australian IT company and sharing details of the victim’s clients: “It is possible to load any files” 

Access on Sale

In another incident in December 2022, the actor ‘remotedesktop’ was selling access to a Brazil-based IT company with USD 5 million in revenue. The actor claimed the access was provided through the admin panel of the MSP’s custom software. It allowed RDP access to domain controllers of around 1,500 companies from the travel, finance, lifestyle, media, and e-commerce industries. The access was offered for sale in an auction, starting at a bid of USD 2,000. A potential buyer would be able to steal confidential data from multiple companies at once, as well as deploy malware in their infrastructure.

Another actor called ‘LummA’ has been recently selling access to an IT company based in Europe, with USD 5 million in revenue. The actor claimed the domain’s admin-privileged access was provided through VPN-RDP and would enable the buyer to access clients’ servers, including MSSQL servers. That said, it was not clear if the servers belonged to an IT company or to its clients. The access was offered for sale in an auction, starting at a bid of USD 1,000; the winning bid was listed as USD 5,000.

On the same day, the actor increased the winning bid to USD 15,000 and claimed the access also included “VMware, HPE storage, and Veeam backup servers,” which was apparently the reason for increasing the price. This access could potentially enable buyers to conduct further malicious activity on more than 1,000 corporate systems, and steal their credentials and sensitive files.

An actor is selling access to a European IT company, including access to clients’ information

Network access to MSPs and IT companies appears to be expensive — pricing at the range of USD 1000-15,000 — compared to the median price of single access observed in 2022 across all industries, which was USD 300. IABs say the prices are high since their buyers can easily gain access to multiple companies through one target.

MSPs’ customers are at risk of a data breach

One outcome of a compromised MSP is data breach consequences for the company’s clients.. In November 2022, we observed the actor ‘leaksmart’ (also known as ‘Shadowhacker’) selling a database of an Indian hospital. The actor claimed that the database had been allegedly stolen from an IT company that designs systems for hospitals, meaning the Indian hospital and its patients were compromised through the attack on their IT service provider.

Threat actor selling Indianl IT company network access

An actor is selling Indian hospital data that was stolen from an IT company

Companies' databases leaked

In January 2023, the actor ‘Leakbase’ shared a database of an Indonesia-based software company. According to the actor, the leak exposed approximately 25 million records including full names, emails, phone numbers, physical addresses, and ID numbers. While analyzing data, we found that it contained sensitive medical records from different companies, who were apparently customers of the software company. The records included patient documentation of previous surgery and medical history, medication information, disease background, diagnostics, physical exams, and treatment protocols.

In August 2022, the threat actor ‘Kelvinsecurity’ shared a database of a US-based IT services provider for the healthcare industry. According to the actor, the records exposed data of 15,000 companies and access to mail servers of different hospitals and medical centers. The actor provided a sample of companies’ data that included names, emails, phone numbers, and positions, apparently belonging to patients or employees.

A third-party vendor attack can be catastrophic, potentially exposing PHI and impacting millions of patients. Therefore, it is crucial for MSPs to prioritize third-party risk management strategies to prevent such incidents from occurring.

Ransomware attacks on MSPs causing damage to customers

At KELA, we have already observed how network access victims can be targeted by ransomware attacks which usually also result in data breaches or financial loss due to ransom payments and costs of data restore. In the case of MSPs and other IT companies, the damage could be even bigger, as their networks may include sensitive information about their clients. IABs tend to highlight it for their buyers.

In January 2023, we observed the threat actor ‘SebastianDAlex’ (also an active participant in the GhostSec hacking group) selling access to an India-based technology company for USD 5,000. The actor claimed the access enabled users to log in to an admin-privileged machine. A potential buyer would gain access to additional services such as the company’s database, control panel, source code on GitHub, and Jenkins software. The actor specifically advised buyers to exploit this access for deploying ransomware or supply-chain attacks.

Ransomware access

The GhostSec hacking group is selling access to an Indian IT company, calling users to conduct further malicious activities such as ransomware or supply-chain attacks

High-Profile Attacks

Two examples of high-profile attacks targeting MSPs are related to SolarWinds (2020) and Kaseya (2021). These attacks had an impact on hundreds of companies and government agencies worldwide. In 2022, KELA observed an escalation in this third-party reach-out. Specifically, the LockBit ransomware group made numerous attempts to gain additional financial benefits from their attacks. They did this by examining the stolen files to collect information about the victim’s clients, vendors, and partners, as well as discovering potential entry points into their systems.

For example, in December 2022, LockBit claimed to have compromised Accuro, a New Zealand-based non-profit insurer. Accuro had previously disclosed a cyberattack, but according to a statement on the company’s website, an external IT infrastructure provider of Accuro, Mercury IT, was the victim of the attack, which led to the exposer of Accuro’s information as well.  

Mercury IT indeed appeared on LockBit’s blog in December. During the same month, the group disclosed additional New Zealand companies, apparently from the same incident. LockBit’s posts were claiming that “Thanks to our work with MercuryIT, we have the company’s files in our hands.” It is unclear whether LockBit indeed compromised the infrastructure of Mercury IT’s clients or “just” stole clients’ data through victims.

Another example is LockBit’s ransomware attack against the British MSP Advanced. In August 2022, the United Kingdom’s National Health Services (NHS) suffered disruption in their services due to a cyber attack targeting Advanced. Advanced confirmed they fell victim to a ransomware attack that impacted its clients, mainly healthcare providers. Based on the company’s blog posts, on August 2, 2022, a threat actor accessed the company network using legitimate third-party credentials to establish an RDP session with one of the company’s Citrix servers. During the initial logon session, the attacker moved laterally through Advanced’s Health and Care environment and escalated privileges. This enabled him to conduct reconnaissance and deploy ransomware.

In addition, the threat actor copied and exfiltrated a limited amount of data. The LockBit ransomware gang hasn’t listed the victim on its blog, and it is currently unclear whether the targeted company decided to pay the ransom demanded by the attackers or not.

Some attacks on MSPs involve Advanced Persistent Threats (APTs) – state-sponsored groups that are usually espionage motivated and not driven by financial gain. APT10, a Chinese-backed espionage group, is known to have targeted MSPs in past campaigns focusing on Japanese, US, and Norwegian organizations. The FBI, CISA, and other cybersecurity agencies issued a warning in May 2022 that APTs have been increasingly targeting MSPs.

Mitigations and recommendations: Safeguarding MSPs

Cyberattacks targeting MSPs can potentially have far-reaching consequences, regardless of their origin. As a result, both MSPs and their customers should prioritize the security of sensitive information and take proactive measures to prevent such attacks. To that end, the following measures and controls are recommended:

  • Improve logging. Organizations should store their important logs for at least six months and use logging to identify unusual activity.
  • Enforce multifactor authentication (MFA). Organizations should secure remote access applications and enforce MFA where possible to protect the infrastructure that enables access to networks and systems.
  • Monitor cybercrime sources. Cybercriminals work together to share information about potential targets, develop tools and strategies for attacks and even buy and sell stolen data on cybercrime marketplaces, so it’s essential that enterprises monitor cybercrime sources such as forums, illicit markets, instant messaging platforms, and more,  to track cybercriminals’ activity and stay ahead of threats. 
  • Research past breaches not only in your company but in others too. It is crucial to comprehend how past attacks were carried out. For instance, if a breach occurred in another company due to an unsecured API, it is important to identify the vulnerability and take measures to prevent comparable attacks. 

Minimize attack surface. Not only by technical measures (better firewall configuration, least privilege access controls, application whitelisting, and so on), but also by implementing organizational measures such as segregating duties to avoid concentrating too much power on one individual, providing security training to employees, and building a security plan based on accurate threat intelligence data.

Start preparing your organization today

Sign up for our Cyber Intelligence Platform free trial.