Experts Warn Of Brazen New Attacks Facing IT Service Providers

‘These attacks are not going away,’ Austin Roberts of cybersecurity firm Huntress Labs, says at CRN parent The Channel Company’s first-ever XChange Security conference.

Three cybersecurity experts issued stark warnings on Monday about the array of threats now confronting IT service providers, from brazen phishing attacks via phone to threat actors who run their criminal organizations like modern corporations.

The alerts were issued as MSPs and other channel players become increasing targets of cyberattacks aimed at disrupting services, such as the July Fourth weekend malware attack against SHI International, some of whose systems were knocked out for more than a week before recently being restored.

“These attacks are not going away,” Austin Roberts, sales manager at cybersecurity firm Huntress Labs, told a roomful of mostly IP service providers attending this week’s first-ever XChange Security 2022 conference in Reston, Virginia. The conference, which runs through tomorrow, is hosted by CRN parent The Channel Company.

Roberts noted that financial losses tied to cybercrimes have risen from about $1.4 billion to nearly $7 billion just in the past four years, based on federal data. That makes hacking one of the fastest growing “industries” in the world right now, Roberts said.

He noted that cyber-gangs now even model themselves like businesses, with their own criminal affiliate networks, revenue sharing plans, and even HR-like organizations.

“They have actual playbooks,” he said of how cybergangs organize and conduct themselves.

In a conference session entitled “How to Rob a Bank Over the Phone,” Joshua Crumbaugh, chief executive of Huntsville, Ala.-based PhishFirewall Inc., a cybersecurity consulting firm, regaled XChange attendees with a tale of how he was once hired by the FDIC to conduct “ethical hacks” against banks to see whether their cybersecurity defenses worked.

At one bank, Crumbaugh said he called a vice president, who was in charge of IT at the bank and who had been warned about the pending FDIC-ordered security tests, and convinced him via phone to insert bogus code in the bank’s system.

Crumbaugh, who played audio recordings of his phone conversation with the hapless bank executive, said he even convinced the vice president to meet with him in person at the bank on the following Monday – which they ultimately did.

Crumbaugh said he was then promptly given access to the bank’s IT center and individual employees’ work computers. He said he even snuck into the bank’s vault and took selfie-photos of himself with wads of cash.

One of the lessons learned: Not all phishing attacks start via email or text And another lesson learned: successful phishing attacks are often the fault of management, not employees.

“It’s the lack of training – lack of education,” he said, noting that lack of training and education applies to top brass too.

As the third speaker at Monday’s XChange Security conference, Danny Jenkins, CEO and co-founder of security vendor ThreatLocker, said institutions simply need more controls over how their IT operations are run, such as controls on software and access to system.

Jenkins, whose XChange Security keynote talk was titled “Zero Trust for Applications,” later told CRN that the key is not to necessarily catch and “chop off the heads” of cyber-hackers.

Instead, the goal is to build up a solid enough defense to deter hackers and make their exploits less lucrative.

“You need to make it more difficult and less profitable for them,” he said. “At that point, they’re start to disappear a bit.”