The number one rule that MSPs and CSPs need to follow is, “Practice what you preach”.
Written by guest contributor Edward van Biljon.
You may have done a great job of securing your clients, but what if you failed to make sure your own team follows the same guidelines? You are the bridge in between. You may have advised a client not to open an attachment from a bank, for example, because it can contain malware, viruses or ransomware. But then you receive an email on your own machine, don’t check it properly while you are connected to your client’s environment, and open the attachment. You have now infected not only your own environment but your client’s as well, which can result in major downtime and loss of revenue. Do not overlook or brush off that small phishing attempt: it can lead to far bigger problems, such as malware or ransomware in the environment, simply by opening a mail or clicking a link.
The MSP and CSP: a Hacker’s Gateway to Clients
Service providers offer customers a range of environments: virtual firewalls, hosted email, virtual machines on your backend, or assistance with services like Azure in which you hold an account. In short, PaaS (Platform as a Service) or SaaS (Software as a Service).
Your environment will be hosted in a data center where you rent racks for your servers, switches and other equipment. Your customers access this environment through a firewall you provide to them, or they may have a direct uplink into your environment.
Here are some of the reasons attackers target these environments:
- Data centers have many ISPs in them. These ISPs provide bandwidth to you, and attackers target data centers because they need that bandwidth to set up their platform for carrying out attacks, or simply to use it for their own purposes.
- Each month you are billed for power consumption within the data center. High-end backend servers are becoming more power-efficient as technology improves, but an attacker who wants to mine bitcoin needs power. Data centers provide plenty of it and have backup power as well (two feeds), so if one goes down the other is available. Bitcoin mining pushes up the power consumption of your servers and increases your monthly spend, because the systems are running harder than they should. Your monitoring systems should detect an unusual spike in power; Netbotz has the ability to monitor this in your environment.
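Detection logic of the kind the point above calls for, as an added example that is not from the article or from Netbotz: a trailing baseline of normal readings, with anomalous readings kept out of the baseline so that a sustained mining load does not quietly become the new "normal". The hourly readings are constructed.

```python
from statistics import mean, stdev

# Constructed hourly power readings (watts) for one rack: a stable baseline
# followed by a sustained jump, the pattern a mining workload would produce.
RACK_READINGS = [4200, 4180, 4250, 4210, 4190, 4230, 4220, 4200,
                 4210, 4240, 5600, 5750, 5800, 5720, 5790]


def power_spikes(readings, window=8, sigma=3.0, min_pct=15.0):
    """Flag readings that exceed the baseline of the last `window` normal
    readings by more than `sigma` standard deviations AND by at least
    `min_pct` percent (the percentage floor stops a very flat baseline from
    alerting on trivial noise). Returns a list of
    (index, value, percent_over_baseline) tuples."""
    alerts = []
    baseline = []  # recent readings considered normal
    for i, value in enumerate(readings):
        if len(baseline) < window:
            baseline.append(value)  # still warming up the baseline
            continue
        mu, sd = mean(baseline), stdev(baseline)
        pct = (value - mu) / mu * 100
        if value > mu + sigma * sd and pct >= min_pct:
            alerts.append((i, value, round(pct, 1)))
            # Do not feed anomalous readings back into the baseline, otherwise
            # a sustained mining load would be absorbed as the new normal.
        else:
            baseline = baseline[1:] + [value]
    return alerts


if __name__ == "__main__":
    for index, watts, pct in power_spikes(RACK_READINGS):
        print(f"hour {index}: {watts} W is {pct}% above baseline")
```

Every reading from hour 10 onward is reported, because the baseline stays anchored on the pre-spike hours.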
Why and How are Exchange Online Users, MSPs and CSPs Targeted?
- As an MSP or CSP you will be working with multiple customers that have tenants in Office 365. Your customer may be running Hybrid, meaning they have on-premise servers as well as users and applications in the cloud, or they may be using Office 365 fully with no on-premise hardware. You will most likely be a global admin in most of these tenants, or have access to their tenant from your portal, and this is where the risk comes in. If your machine is compromised and the attacker obtains the credentials of one or more global admin accounts, they can access these tenant environments, including your own, and cause serious damage. These global admin accounts need to be secured with multifactor authentication and long, complex passwords.
- Office 365 gives you the ability to let it generate a password for an account you create and to email that password to another account. Accounts should have complex passwords set up from the beginning so they cannot be brute-forced by attackers. Key people in the organization, like financial staff or executives, should also have multifactor authentication enabled on their accounts along with strong passwords. Office 365 gives you the ability to monitor accounts in the portal and see which ones are being attacked.
You can go to https://admin.microsoft.com and check an account, or you can go to the Security and Compliance Center at https://protection.office.com and perform additional functions, such as removing a user account from a group that may have admin rights.
- Microsoft 365 (also known as Office 365) best practice on passwords notes that hackers can predict a user’s password based on a previous one, and that expiring passwords can cause more harm because users fall back on predictable passwords. Ensure that your users have passwords of at least 8 characters that include uppercase, lowercase and non-alphanumeric characters. Customers should not be allowed to use common passwords, as these will most likely be part of the dictionary attack mentioned above. Educate your customers and staff not to use, for example, their name and surname in a password, or a password with consecutive characters like 123456.
- Attackers try to lure users to fake sites, and some of them look legitimate. This is a way to steal the information entered on the site. If a user opens a compromised site that deploys tools like Mimikatz, it can pass the hash of the accounts on the system, and if you log in with the global admin account the attacker could obtain that information. Provide your customers with the most commonly used URLs, like portal.office.com or outlook.com, and advise them not to use anything sent by email. Ask them to rather contact their local IT or MSP/CSP.
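A small policy checker for the password rules the list above lays out (minimum length, character classes, no common passwords, no name or surname, no consecutive characters). This is an added example, not code from the article or from Microsoft; the common-password list is a constructed placeholder standing in for a real banned-password list.

```python
import re
from typing import List

# Constructed placeholder; a real deployment would use a full banned-password list.
COMMON_PASSWORDS = {"password", "password1", "qwerty", "letmein",
                    "welcome1", "123456", "p@ssw0rd"}


def has_sequential_run(password: str, length: int = 4) -> bool:
    """True if the password contains `length` consecutive characters in a row,
    ascending or descending, such as '1234', 'abcd' or 'zyxw'."""
    lowered = password.lower()
    for i in range(len(lowered) - length + 1):
        chunk = lowered[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, first_name: str = "", surname: str = "") -> List[str]:
    """Return the list of policy violations for a candidate password
    (an empty list means the password passes every rule)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    for part in (first_name, surname):
        if part and part.lower() in lowered:
            problems.append(f"contains user's name '{part}'")
    if has_sequential_run(password):
        problems.append("contains consecutive characters (e.g. 1234 or abcd)")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2024!", "password1", "Edward123456"):
        print(candidate, "->", check_password(candidate, "Edward", "van Biljon") or "OK")
```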