Attacks on MSPs: How Threat Actors Kill Two Birds (and More) With One Stone
Yael Kishon, Threat Intelligence Analyst
Managed service providers (MSPs or MSSPs) have become a vital part of many companies, providing a range of IT services and support to keep operations running smoothly. At the same time, MSPs have become attractive targets for cybercriminals who aim not only to compromise the assets of a single company, but also to increase the number of potential victims and reach a wide range of third parties. In this blog, we examine the ongoing interest that threat actors in the cybercrime ecosystem show in targeting MSPs and IT companies.
Initial access brokers (IABs) — threat actors who sell network access on cybercrime forums — seem to actively compromise MSPs.
Network access is a broad term that describes multiple different vectors, permission levels, and entry points. The offering can include SQL injection, remote desktop protocol (RDP) credentials, or the ability to change from user to admin privileges. The actors selling these types of network access provide an initial entry point to a compromised network that other cybercriminals can leverage further. The most common type of access offered is RDP or VPN access. Threat actors define specific attributes of their ideal victim based on the victim's geography, sector and revenue.