Shocking Anti-Virus Stats for MSPs In 2024

Destructive Ransomware Attacks Targeting MSPs

Today's article collects some shocking stats on antivirus strategies for MSPs, along with other intrusion risks such as malware and ransomware. I will also list a few gold nuggets of information that may help you implement a couple of useful countermeasures in your own environment.

No doubt you are aware that the technology and MSP industry is targeted more than any other sector, accounting for 25% of reported virus intrusions in 2024. That leaves the second most targeted industry, finance, in the dust: it collectively made up 7% of the total intrusion attempts.

Join me on this terrifying ride as I detail the unrelenting and overwhelming level of attacks that are going on in an attempt to take profit out of your pocket and put it in the pocket of unpleasant individuals devoid of humanity.


Kim Jong Un And The Seven Dwarfs

It is hard to reconcile this jolly fat man with his humorous smile; all I want to do is rub his belly and throw him in the trunk as my lucky charm. However, he is not the passive tummy-rubbing lucky charm we would like to imagine him being. No, it turns out he is not actually very nice.

North Korea is the largest and most aggressive source of state-sponsored, virus-based intrusion attempts, and they tend to specifically target the financial sector. This of course includes technology organizations that support financial SaaS applications, as well as MSPs that focus on financial organizations.

Kerberoasting Intrusion Method

Kerberoasting is an attack on the Kerberos authentication protocol, the protocol Microsoft Windows devices use most for authentication, which works off a ticket-granting model. The attacker requests service tickets and then cracks them offline by brute force to break in.

The faceless individuals of low moral fiber request and crack tickets associated with service principal names (SPNs) that are assigned to Active Directory accounts. Once these cretins break the code, plain-text passwords are unceremoniously unsheathed. Any authenticated domain account can request a service ticket for any SPN, and because the processing and grunt work is done offline by shady little men in dark rooms we don't like talking about, the domain controller never sees the guessing, so they do not need elevated privileges to carry out this style of attack.

This is quite insidious because they often target service accounts, which of course do not have quite the visibility of normal domain admin accounts and yet often carry the same level of permissions. Service accounts also tend to generate impossibly large amounts of log entries that nobody actually takes notice of. It really is a dreadful situation.

Once these morally bankrupt individuals gain access this way, you may as well drop your trousers and prepare yourself for a very unpleasant experience.

There is a silver lining; however, actually that is a lie, there is nothing to balance out the bad news. Because these attacks are so effective, they have increased by around 700% since they were first reported in 2022. I suppose the silver lining is that at least it is not 1400%.

Kerberoasting Countermeasures

While it is true that kerberoasting sounds like something you do with marshmallows around a campfire, it is actually a nasty little monster. I can at least impart a few techniques that you can apply to reduce the chance of being assaulted by this type of threat.

3rd Party Windows Logs Tools

Get your credit card out and pay for a half-decent application that will help sort through all of the junk log entries that are created, so that you can competently filter them, be alerted quickly and respond like a coiled spring.

I know what you are thinking: "We will just get Damo, the Level 1 support desk guy, to read through the logs for 30 minutes each day", or even better, have our RMM tool trigger on certain Event IDs (4769, a Kerberos service ticket was requested, and 4771, Kerberos pre-authentication failed).

If you trust your RMM to send alerts straight to your support email queue then that could work. As far as Damo is concerned, however, nobody should be made to manually look through Windows log files; it is bordering on inhumane. It is straight up inefficient, and threats are likely to be overlooked or missed. There are plenty of quality applications that do a great job of monitoring and filtering log files if your RMM tool cannot handle this task.

Show Me The Honey

You know the drill: set up a sacrificial VM in front of your production machines with easy passwords and a big bow wrapped around it. Then pay particular attention to the log files on this virtual machine, looking for the relevant Event IDs. Ensure that support desk tickets are automatically raised on the selected Event IDs and that the ticket is set to a high priority.

RC4 Encryption Priority

RC4 is well known as being quite a pushover, in that it is insecure. Either disable RC4 or ensure any Event IDs relating to RC4 traffic trigger a support ticket with a high priority. RC4 usage shows up in Event ID 4769, where the ticket encryption type field reads 0x17 for RC4-HMAC. Where you can, use AES Kerberos encryption, as it is much stronger than RC4.
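As an added example (not from the article), here is the kind of rule an RMM or log tool would run over Event ID 4769 records: it raises a high-priority alert for any RC4 (0x17) ticket issued for a user service account, for any ticket requested for the honeypot account at all, and for one user requesting tickets for several different service accounts in a short window. The records, the honey account name svc-honey and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # TicketEncryptionType value for RC4-HMAC in Event ID 4769
HONEY_ACCOUNTS = {"svc-honey"}  # assumed name of the sacrificial SPN account; nothing legitimate asks for it
BURST_THRESHOLD = 3             # distinct service accounts one user requests within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)

# Constructed 4769 records. Field names follow the event's EventData: ServiceName is the service
# *account* (sAMAccountName, machine accounts end in $); TicketEncryptionType 0x12 is AES256, 0x17 is RC4.
SAMPLE_4769 = [
    {"TimeCreated": "2024-03-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "fs01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-03-01T09:00:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc-web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2024-03-01T09:12:00", "TargetUserName": "damo@CORP.LOCAL",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.44"},
    {"TimeCreated": "2024-03-01T09:12:01", "TargetUserName": "damo@CORP.LOCAL",
     "ServiceName": "svc-ftp", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.44"},
    {"TimeCreated": "2024-03-01T09:12:01", "TargetUserName": "damo@CORP.LOCAL",
     "ServiceName": "svc-report", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.44"},
    {"TimeCreated": "2024-03-01T09:12:03", "TargetUserName": "damo@CORP.LOCAL",
     "ServiceName": "svc-honey", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.44"},
]

def triage(records):
    """Return (severity, rule, user, detail) tuples for the requests that deserve a high-priority ticket."""
    alerts, by_user = [], defaultdict(list)
    for r in records:
        user, svc, etype = r["TargetUserName"], r["ServiceName"], r["TicketEncryptionType"]
        if svc in HONEY_ACCOUNTS:          # honeypot rule: any request at all is a tripwire
            alerts.append(("high", "honey-spn", user, f"ticket for {svc} from {r['IpAddress']}"))
            continue
        if svc == "krbtgt" or svc.endswith("$"):
            continue                       # TGT renewals and machine accounts (random passwords) are noise
        if etype == RC4_HMAC:              # RC4 ticket for a user service account: crackable offline
            alerts.append(("high", "rc4-ticket", user, f"RC4 ticket for {svc} from {r['IpAddress']}"))
        by_user[user].append((datetime.fromisoformat(r["TimeCreated"]), svc))
    for user, reqs in by_user.items():     # burst rule: many distinct service accounts in a short window
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            window = {svc for t, svc in reqs[i:] if t - t0 <= BURST_WINDOW}
            if len(window) >= BURST_THRESHOLD:
                alerts.append(("high", "spn-burst", user, f"{len(window)} service accounts within {BURST_WINDOW}"))
                break
    return alerts
```

Calling `triage(SAMPLE_4769)` yields five alerts, all for damo: three RC4 tickets, the honeypot trip and the burst; alice's RC4 ticket for the machine account fs01$ is deliberately ignored.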

Auditing SPN Registered Service Accounts

These are the types of accounts most at risk of this type of attack. Audit them and act accordingly.
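An added example of what "audit them and act accordingly" can look like in practice; this is not the article's own tooling. Given an export of accounts, it flags every SPN-bearing account that still permits RC4 (msDS-SupportedEncryptionTypes unset, or with the RC4 bit set), that is explicitly RC4-only, that has a stale password, or that is privileged, and ranks them worst first. The account records, the password-age limit and the weights are constructed assumptions.

```python
from datetime import datetime, timedelta

# Bits of msDS-SupportedEncryptionTypes that matter here (Kerberos etype flags)
RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10
MAX_PASSWORD_AGE = timedelta(days=365)      # assumed policy for service account passwords
NOW = datetime(2024, 3, 1)                  # fixed "today" so the audit is reproducible
WEIGHT = {"privileged": 3, "rc4-allowed": 2, "no-aes": 1, "stale-password": 1}

# Constructed export of AD user accounts. enc=0 means the attribute is unset, so the domain
# default applies, and that default still permits RC4 tickets.
ACCOUNTS = [
    {"sam": "svc-sql", "spns": ["MSSQLSvc/db01.corp.local:1433"], "enc": 0,
     "pwdLastSet": "2018-06-01", "adminCount": 1},
    {"sam": "svc-web", "spns": ["HTTP/intranet.corp.local"], "enc": AES256,
     "pwdLastSet": "2024-01-15", "adminCount": 0},
    {"sam": "svc-backup", "spns": ["backup/bk01.corp.local"], "enc": RC4_HMAC,
     "pwdLastSet": "2021-02-01", "adminCount": 0},
    {"sam": "alice", "spns": [], "enc": 0, "pwdLastSet": "2017-01-01", "adminCount": 1},
]

def audit(accounts, now=NOW):
    """Return [(sam, score, issues)] for SPN-bearing accounts, worst first.
    Accounts without an SPN cannot be roasted and are skipped."""
    findings = []
    for a in accounts:
        if not a["spns"]:
            continue
        issues = []
        if a["enc"] == 0 or a["enc"] & RC4_HMAC:
            issues.append("rc4-allowed")      # KDC may issue an RC4 ticket: fastest to crack offline
        if a["enc"] and not a["enc"] & (AES128 | AES256):
            issues.append("no-aes")           # explicitly RC4-only, cannot even negotiate AES
        if now - datetime.fromisoformat(a["pwdLastSet"]) > MAX_PASSWORD_AGE:
            issues.append("stale-password")   # old service passwords tend to be short and reused
        if a["adminCount"]:
            issues.append("privileged")       # a cracked password here is a domain admin
        score = sum(WEIGHT[i] for i in issues)
        findings.append((a["sam"], score, issues))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings
```

On the constructed export, svc-sql comes out on top (RC4 permitted, stale password, privileged), svc-backup second, and svc-web is clean.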

Cloud Instance Metadata API Hoovering

Cloud instance metadata APIs are often used by reprobates to gather secret keys and various credentials, and this infiltration type has increased by 170% year on year since 2019 (back when the world was normal).

Pass The Hash Attacks

Pass-the-hash attacks have nothing to do with people sporting dreadlocks and owning a couple of Bob Marley records. It is an attack where someone pilfers a hashed user credential (the NTLM hash) and is able to authenticate with that hash without actually needing to crack it. It deceives the system into creating a second authenticated AD session.

Pass-the-hash attacks have seen a year on year rise of 230%.

Pass the hash is a lateral movement technique. To use an analogy, it is like when a thief has the keys to your house, uses them to break in and, once inside, is able to steal your car keys; that is the best way I can describe it.

So the attackers are already inside and they then use Pass the hash attacks to unlock other things.

Often the low-life scoundrels will breach your fortress of solitude using remote access, usually triggered by malware or a virus, and once in they crab-walk from account to account until, like solving a Rubik's Cube, they obtain access to an account such as a domain admin account, with which they can then do whatever they damn well please.

The Achilles heel when it comes to these attacks is the single sign-on (SSO) that Windows uses: it caches credentials so they can be reused across multiple machines from a single sign-on action.

Pass The Hash Countermeasures

Pretty depressing isn't it? I have been in IT for 20 years and would have a great deal of difficulty accessing my computer if I forgot my password and yet it just seems these hackers are unstoppable if they decide you are a viable target. I will however give a few tips on counteracting this attack. While I do enjoy putting the fear of god into people, it is always good to balance things out with a few positives.

Lock Down Domain Controllers

It is recommended to lock down domain controllers so that they can only be accessed via trusted systems without internet access.

Yeah right... Of the 400 or so clients, or clients of clients, I have worked with over the last 10 years, I can think of only one that even came close to implementing that level of security, and that was a large water supply company on the west coast. Even then I was able to access their DC via RDP once I logged in to a local workstation using ConnectWise Control.

Still, these days, we are no longer playing games out there and some sacrifices likely need to be made on the usability side of things. This is where onsite visits may need to be reviewed and deployed once more.

Two Factor Authentication

This is sort of a given these days: 2FA with tokens needs to be activated in every area where it is an option. I am a massive fan of the Duo 2FA authentication application; once set up it really is a breeze to use, and to date it has never let me down, both for service techs and for client use.

Principle Of Least Privilege

This is a bit like the old need-to-know protocol, where a person is only given access to the material they need to do their job.

When set up correctly it is a great system, but it means users need to be users: no local admin privileges, no ability to add or remove programs, support staff should not really have unfettered access to run every single PowerShell script on the planet, random batch files found on some suspicious-looking utility site should be restricted to a single account, things like that.

3rd Party Windows Logs Tools

Either your RMM alerting tool or a third-party Windows log analysis tool is again a great component of your overall suite of defense measures, increasing the odds of early detection.

It is a lot of work and takes a lot of planning, but once it is dialed in, in theory you could even run desktops without virus scanners if you wanted to live life on the edge, and you could probably get away with it too (that is humor).

Fun Fact 1

97% of 2,000 businesses surveyed in 2019 had experienced an intrusion that involved a pass-the-hash attack.

Fun Fact 2

40% of the aforementioned businesses suffered some form of financial loss due to the successful intrusion.

Fun Fact 3

75% of the businesses ended up with increased operational costs (think cyber insurance policy and bolstered threat detection, among other increased costs).

Fun Fact 4

There is approximately one potential intrusion event every seven minutes occurring in a business of average size today.

Fun Fact 5

There has been a 44% year on year increase in intrusion attempts across all businesses.

AD CS Abuse

Active Directory Certificate Services (AD CS) is another attack vector, commonly used when it has been misconfigured: for example, a certificate template that lets the requester supply a subject alternative name (SAN) and carries an EKU that permits authentication hands over privilege escalation. PowerShell is often recruited to run under the radar.

I do not really pretend to understand this particular intrusion, as it is quite complex. However, the best way to ensure protection is to check and double-check that your AD CS does not have any misconfigurations, and it should always be running the latest agent and content version.

AD CS Abuse Countermeasures

Rather than attempting to explain how to harden your environment against these sorts of attacks, I am just going to link to a really good whitepaper that steps you through the mitigation and hardening process here.

Remote Monitoring Tools Used By Virus Infiltration

Below is a table of remote monitoring tools, from most used to least used, out of the 14% of intrusions where RMM tools were used. The most common form of infiltration when RMMs are used is with PowerShell scripts.

RMM Tool             Percentage Of Attacks
AnyDesk              6.5%
ConnectWise Control  2.1%
Atera                1.3%
TeamViewer           1.2%
RDP                  1.0%
RustDesk             0.9%
SplashTop            0.7%
FleetDeck            0.6%
TightVNC             0.5%
N-able RMM           0.4%

RMM Intrusion Countermeasures

Allow List

Take the time to create an application allow list. This prevents unauthorized application execution within the MSP and/or client environment.

General Application Monitoring

Ensure monitoring for unauthorized application execution is set up through your RMM alert console and if possible create a blocklist of known RMM tools that you do not use and that have no business running on endpoints or servers.

Firewall Modification

RMM tools will often modify software firewall settings automatically when they are first installed. It is recommended to have monitoring set up on your software firewalls, along with a configuration standard, so that any changes that are made get reported back to the support desk.

Hardware Firewall Access

Lock it down tight and if the RMM app permits, modify default port numbers and change protocols where possible so that scanning applications will have a tougher time. It is always a good idea to use ports other than standard TCP/UDP ports when configuring your RMM or any apps for that matter.

Put effort into curating your allow lists and deny everything not explicitly in the allow list.

It takes time but is worth the effort.

Cloud Computing Is The Pretty Girl At The Dance

There has been a 110% year on year increase in virus and infiltration threats specifically aimed at cloud based infrastructure. The tough part with online cloud infrastructure is the complexities involved in setting it up correctly in a way that can competently defend against viruses and ransomware.

Cloud Computing Intrusion Countermeasures

There are a number of complex threats aimed specifically at online computing services and realistically there is a higher level of technical competence required to ensure that a cloud environment is set up in the most secure way possible.

Treat The Cloud The Same As Local

Now is not the time to put your guard down: there is as much risk, if not more, involved in running your infrastructure from a cloud platform as there is in running hardware locally.

Treat firewalls and switches with the same level of restriction as you would locally. Create an allow list and block all other traffic. Have a process for the approval of opening ports through the network firewall.

Also, by denying outgoing traffic (to your office) other than approved ports, you make it much more difficult for attackers to successfully extract stolen information from the cloud location.

3rd Party Best Of Breed Security Apps

Investing in something like CrowdStrike's cloud-native application protection platform takes the guesswork out of your current risk and provides visibility of ongoing attempts to infiltrate your cloud network. Spend money on good quality applications and it is likely to end up more cost effective than wasting excessive labor on doing it manually.

Other Miscellaneous Antivirus Stats 

Below are a few nuggets of information that quite frankly were news to me. I always thought Linux was impossible to crack. At least that is what I picked up over the years from a collection of shower dodgers who would rant for no less than 15 minutes at a time about how great Unix is.

Well now I know, it suffers the same security and virus issues as Windows operating systems do.

Linux Virus Statistics

It is probably no surprise to learn that the biggest industry where Linux is targeted is technology/MSPs, followed closely by telecommunications, and then a very distant third is academic organizations.

Bash and PAM are the most common vectors of attack.

macOS Virus Statistics

I would have bet money that the most affected sector regarding macOS virus infections would have been either education or desktop design, and yet it is actually the financial sector by a significant margin. I had no idea that Macs were utilized so much in the financial sector; the impact on finance organizations is about twice as high as on the second on the list, technology/MSP organizations.

Conclusion

There is no doubt at all that we are seeing a massive surge in instances of virus infections, malware and ransomware: not only an increase in instances, but also a massive surge in the financial cost these events are causing businesses.

It goes without saying that in today’s environment it is absolutely a requirement to operate under the cover of a good quality cyber insurance policy. That does not mean you can slacken off and not continue to implement sensible countermeasures to prevent the worst occurring but it means you can rest easy knowing that you have the big guns in the background if needed.

I also advocate for making it a mandatory requirement that all clients take out their own cyber insurance policy, and I go into more detail as to why in the article here.
