Third-party vendors are a growing target for hackers using ransomware to attack local government or school district networks, according to new research from the cloud security company Armor.
In 2019 alone, 13 managed service providers, or MSPs, have been compromised by ransomware, according to Armor, which tracks ransomware occurrences across the U.S. Municipalities and small businesses often use third-party vendors to host websites or run portions of their networks. Those vendors, which aren’t necessarily held to government’s strict security standards, frequently manage the networks of multiple businesses, towns or school districts, said Chris Hinkley, the head of Armor’s threat resistance unit.
“There’s an inherent trust between an MSP and an organization,” Hinkley told StateScoop. “You’re going to have network access … between the MSP and an [agency] system, and you’re going to have open firewall rules.”
An attack on an MSP has the potential to devastate virtually any business, from dental offices to law firms to local governments. In August, more than 20 Texas municipalities were hit by ransomware simultaneously, which officials said could have spread from TSM Consulting services, an MSP that offered billing and scheduling services to local courts and police departments. The coordinated attack was the first of its kind, according to security researcher Allan Liska.
Other attacks through MSPs gained less attention but were also harmful. School districts in Alabama were infected by ransomware in September via an attack on SchoolinSites, a cloud-based educational technologies company. Of the 13 MSP-related ransomware cases that Armor has found this year, the majority provided services to private clients, including those in the health care, payroll and even cybersecurity industries.
“As far as efficiency and monetizing [the hack], it makes sense to go after the MSP if they can get their hands into everything they’re connected to,” Hinkley said.
Hinkley said one way organizations can protect themselves from third-party attacks is by vetting the providers and setting clear cybersecurity clauses in any contracts. An MSP, for example, shouldn’t be able to access payroll systems, Hinkley said, which is similar to what happened when Target’s data was breached in 2013.
“[Allow] the minimum level of access to infrastructure, data and only what you need to complete the job,” Hinkley said.