DarkReading.com reported that often using MSPs means that “Sadly, much of the new processes involve checking a box, rather than implementing technical cybersecurity steps that could make a difference in threat prevention.” The July 25, 2022 article entitled “Getting Ahead of Supply Chain Attacks” included these comments:
What also has changed is the noted sophistication level of adversaries. A willingness to set up an entire replicated network, purchase domains, and persist for months and possibly years represents a significant increase in investment in concerted campaigns. Kaseya reminded us that everyone in the ecosystem is a target. We have always had cyberwarfare. Now we have more heavily funded, more vastly staffed attackers pounding on our supply chains (and everything else).
What has not changed? The idea of using legitimate distribution of code to distribute illegitimate backdoors. As far back as at least 2002, attackers used Trojan-horse techniques to backdoor security tools and email servers. Hackers have always sniffed and surveyed customer and supplier environments to look for the mundane, the routine, the usual. It's there that they find unguarded corners to slip in malicious code, as humans are lulled into daily routines. Kaseya and especially SolarWinds show more complex, persistent techniques and they are very widely used enterprise apps, yet the supply chain attack idea has been around for decades.
No surprises about MSPs with just checking the boxes!