“Here’s an MSP for sale, like you’re having a yard sale or something,” Hanslovan says of the discovery. “It blew my mind.”
Datto, Huntress, and ConnectWise hoped that publicizing the incident, after properly ensuring the victim and its clients were safe, would similarly grab the attention of MSPs, and clarify the risks they now face. There’s a lot of fear, uncertainty, and doubt about those risks at present, according to Weeks.
“Usually, a lack of understanding is what breeds fear, and so our main goal with sharing this information was to make this a little bit more accessible and give them a little bit more insight into how these attackers are doing what they’re doing and why they’re doing it, so that [MSPs] can begin to understand a little bit better this ecosystem, and maybe leverage some of that insight to figure out how they want to prioritize improvements to their own security programs,” he says.
Or to put it more bluntly, according to Hanslovan, few people growing up truly appreciate why they shouldn’t touch a hot stove until they get burnt. “Somebody here got burnt,” he says. “We were going to give that victim some time to clean up, but we felt it was imperative to educate the community.”
There are plenty of potential lessons in this story to learn from, Hanslovan adds. The attacker claims to have used phishing to gain entry to the target MSP’s software, for example. That means better security awareness training might have prevented the breach from happening, and two-factor authentication could have kept it from mattering.
Weeks had a second motivation for calling attention to the hack. “If I’m being super honest, my hope is that other security vendors in the channel space with capable, qualified security teams will want to join this community and work with us to continue to try and keep MSPs safe,” he says.
There’s no shortage of issues for the fledgling group to think its way through, from funding and staffing itself to enhancing its effectiveness against newly found threats. The work Huntress did to block this recent attack is impressive but not scalable, Weeks observes.
There are thornier topics to ponder as well, Hanslovan notes, like when and how to pull law enforcement agencies into an investigation, and how to disseminate threat information without making bad situations worse. What, for example, if someone in the group exposes information about a breach before the attacker’s identity has been verified, or the victim has been shielded from harm? What if someone in the organization takes vigilante action against a hacker?
“It’s not just about growing and making sure people can collaborate, it’s making sure we’re doing this responsibly,” Hanslovan says.
Weeks wants to make further progress on matters like that before opening the MSP-ISAC’s doors widely. “I believe that it needs to start with the vendor community, and then once we really get really moving with this, then we figure out how to expand this knowledge out to MSPs,” he explains.
That said, MSPs impatient to join the group now can email [email protected] or [email protected]. There’s certainly more than enough work to go around. Within just the past few weeks, MSP-ISAC members have spotted multiple dark web posts from a new attacker claiming to have penetrated an MSP management system that oversees 86 “active hosts,” which could mean 86 servers across multiple end users or a single end user with 86 compromised devices.
“You really don’t know until you really start learning more about the hacker,” Hanslovan says. There will be plenty more hackers to research in the coming months and years, he warns.
“This is not a one and done,” Hanslovan says. “This is just the beginning.”