
Exchange vulnerability may have led to attack on NetStandard MSP, researchers say


A report posted on Reddit on Tuesday said that Overland Park, Kansas, managed service provider (MSP) NetStandard experienced a cyberattack and had to take down its MyAppsAnywhere cloud-based environment.

The Reddit post said NetStandard’s team of engineers was working to isolate the threat and minimize the impact to the MyAppsAnywhere services, which included Hosted GP, Hosted CRM, Hosted Exchange, and Hosted SharePoint. The post also said those applications would stay offline until further notice and that NetStandard would communicate with customers on a Zoom bridge.

Efforts to reach NetStandard were unsuccessful Thursday afternoon.

Although no information has been released by NetStandard, the attack may have begun by exploiting a remote code execution (RCE) vulnerability on the MSP's hosted Exchange servers, such as CVE-2021-31206, said Phil Neray, vice president of cyber defense strategy at CardinalOps.

“Based on the Shodan report, there are still more than 20,000 Exchange servers that have not yet been patched for this vulnerability alone,” Neray said.

Neray said along with patching, organizations should forward all relevant logs to their SIEM and implement detection rules for all relevant MITRE ATT&CK techniques. These include T1595 (Active Scanning) — to alert on reconnaissance attempts to discover exposed Exchange ports — and T1505.003 (Server Software Component: Web Shell) — to alert on attempts to install malicious software on critical servers, among many other MITRE techniques.
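As an added illustration (not code from NetStandard, CardinalOps or the original article), the two alerts Neray names can be sketched as heuristics over web-server logs. The log layout, addresses, file baseline and thresholds are constructed assumptions, and the heuristics are one possible approach rather than his rules.

```python
from collections import defaultdict

# Constructed sample in a simplified IIS-style layout (not real data):
# date time client-ip method uri-stem status
SAMPLE_LOG = """\
2022-07-26 10:00:01 203.0.113.5 GET /autodiscover/autodiscover.xml 401
2022-07-26 10:00:02 203.0.113.5 GET /owa/ 302
2022-07-26 10:00:02 203.0.113.5 GET /ecp/ 401
2022-07-26 10:00:03 203.0.113.5 GET /ews/exchange.asmx 401
2022-07-26 10:00:03 203.0.113.5 GET /mapi/nspi/ 401
2022-07-26 10:05:00 198.51.100.20 POST /owa/auth/logon.aspx 200
2022-07-26 10:05:10 198.51.100.20 GET /owa/ 200
2022-07-26 11:30:00 192.0.2.44 POST /owa/auth/constructed_unknown.aspx 200
"""

# Assumptions: virtual directories to watch, a file baseline, and thresholds.
EXCHANGE_VDIRS = {"owa", "ecp", "ews", "autodiscover", "mapi", "oab", "rpc", "powershell"}
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}  # constructed baseline
SCAN_MIN_VDIRS = 4          # distinct Exchange endpoints probed by one source
SCAN_MIN_ERROR_RATIO = 0.5  # share of 4xx answers; real clients mostly succeed

def parse(log_text):
    """Turn each non-comment log line into a dict of typed fields."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, method, path, status = line.split()
        events.append({"ts": f"{date} {time}", "ip": ip, "method": method,
                       "path": path.lower(), "status": int(status)})
    return events

def detect_scanning(events):
    """T1595 heuristic: one source touching many Exchange endpoints, mostly rejected."""
    vdirs, total, errors = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        top = e["path"].strip("/").split("/")[0]
        if top in EXCHANGE_VDIRS:
            vdirs[e["ip"]].add(top)
            total[e["ip"]] += 1
            errors[e["ip"]] += int(400 <= e["status"] < 500)
    return sorted(ip for ip in vdirs if len(vdirs[ip]) >= SCAN_MIN_VDIRS
                  and errors[ip] / total[ip] >= SCAN_MIN_ERROR_RATIO)

def detect_unknown_aspx_posts(events):
    """T1505.003 heuristic: successful POST to an .aspx file absent from the baseline."""
    return [(e["ts"], e["ip"], e["path"]) for e in events
            if e["method"] == "POST" and e["status"] == 200
            and e["path"].endswith(".aspx") and e["path"] not in KNOWN_ASPX]

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("possible scanning sources:", detect_scanning(events))
    print("POSTs to unbaselined .aspx:", detect_unknown_aspx_posts(events))
```

In a SIEM the same logic would run over a time window per source, with the baseline built from a file inventory of a known-good server build.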

Aaron Turner, chief technology officer of SaaS Protect at Vectra, said that for incidents like the one announced with MyAppsAnywhere, it helps to think like an attacker. Turner said people should ask: what’s the most efficient way to gain unfettered access to the target?

“If the target organization relies on an MSP, then testing their security through a series of probes would be the best place to start,” Turner said. “Not only would you get access to the intended target, but the frosting on top of the compromise cake would be access to any of the MSP's other customers' environments. As the digital supply chain gets longer and more complicated, and with the current economic environment forcing more organizations to rely on MSPs for IT service delivery, we will likely see more attacks like the one with MyAppsAnywhere.”
