DHS issued an alert on attacks aimed at Managed Service Providers

The United States Department of Homeland Security (DHS) is warning of ongoing activity from an advanced persistent threat (APT) actor targeting global managed service providers (MSPs).

The DHS issued an alert on ongoing attacks aimed at global managed service providers (MSPs) that are carried out by an advanced APT group.

Managed services is the practice of outsourcing on a proactive basis certain processes and functions intended to improve operations and cut expenses. It is an alternative to the break/fix or on-demand outsourcing model where the service provider performs on-demand services and bills the customer only for the work done.

The use of MSP is increasing the attack surface for attackers, the DHS’ alert TA18-276B, is related to activity that was uncovered by DHS’ National Cybersecurity and Communications Integration Center (NCCIC) in April 2017.

“The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).” reads the alert issued by DHS.

“Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.”

Security firms attributed the attacks to a Chinese threat actor referred as APT10 (aka menuPass and Stone Panda).

The group has been active at least since 2009, in April 2017 experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks of the group leveraging spear-phishing emails using weaponized Word documents that attempt to deliver the UPPERCUT backdoor, also tracked as ANEL.

The ANEL malware was already seen in the previous attack as a beta version or release candidate. In September, researchers from FireEye uncovered and blocked a campaign powered by the Chinese APT10 cyber espionage group aimed at Japanese media sector

The hackers used a broad range of malware in their campaigns, including PlugX RAT, ChChes, Quasar, RedLeaves, the UPPERCUT backdoor, NetTraveler, and ZeroT.

DHS alert also provides technical information on detection, response and mitigation for this specific threat.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – China, managed service)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.