The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) published a notification regarding increased Chinese malicious cyber activity focusing on IT service providers for instance Managed Security Service Providers (MSSPs), Managed Service Provider (MSPs), Cloud Service Providers (CSPs) and their clients.
The attacks exploit trust relationships between customers and IT service providers. A successful cyberattack on a MSP, CSP, or MSSP allows the attackers to access healthcare systems and sensitive patient information.
The DHS Cybersecurity and Infrastructure Security Agency (CISA) published technical information on the practices and tactics that the Chinese threat actors use to obtain access to clients’ and service providers’ networks.
The information was distributed to enable network defenders to do something to stop the threats and minimize exposure to the activities of the Chinese threat actors. CISA issued the guidance for IT service providers and their clients to know what steps to take to enhance security and avert successful attacks. Although a variety of mitigations were given, no one solution will be effective for all establishments and fighting these malicious activities could be a complicated process.
Guidance for Consumers of IT Service Providers
It is recommended for healthcare providers that use IT service providers to:
- Make sure their providers have performed an analysis to identify a security concern or compromise.
- Be sure that IT service providers have employed security solutions and tools that pick up on cyberattacks.
- Evaluate and check links between healthcare networks and those utilized by IT service providers.
- Check that all IT service provider accounts are used for valid reasons.
- Deactivate IT service provider accounts that are not used.
- Be sure that business associate agreements necessitate IT service providers to use proper security controls, logging and overseeing of client systems including links to their networks, and the promptly send alerts when there is suspicious activity noticed.
- Incorporate system log files and system monitoring information into intrusion detection and security tracking systems for independent connection, collection and detection.
- Make sure service providers see US-CERT pages associated to APT groups focusing on IT service providers, particularly TA-18-276A and TA-18-276B.
Guidance for IT Service Providers
It is recommended for IT service providers to do the subsequent actions to minimize the risk of cyberattacks:
- Be sure the mitigations specified in US-CERT notifications are completely enforced.
- Be sure the principle of least privilege is employed on their environments, clients’ information are logically segregated, and access to clients’ systems isn’t shared.
- Employ advanced system and host-based tracking systems that search for anomalous behavior that specify malicious activity.
- Aggregate and correspond log data to maximize the likelihood of discovery of malicious activity and misuse of account.
- Work tightly with clients to make sure that all hosted infrastructure is diligently supervised and taken care of.