US managed service provider NetStandard suffered a cyberattack, causing the company to shut down its MyAppsAnywhere cloud services, which consist of hosted Dynamics GP, Exchange, SharePoint, and CRM services.
According to an email sent to MyAppsAnywhere customers shared on Reddit, the company detected signs of a cyberattack on Tuesday morning and quickly shut down cloud services to prevent the attack’s spread.
“As of approximately 11:30 AM CDT July 26, NetStandard identified signs of a cybersecurity attack within the MyAppsAnywhere environment. Our team of engineers has been engaged on an active incident bridge ever since working to isolate the threat and minimize impact.
MyAppsAnywhere services, which include Hosted GP, Hosted CRM, Hosted Exchange, and Hosted Sharepoint, will be offline until further notice.
No other services from NetStandard have been impacted at this time.” – NetStandard.
The company says that they have engaged their insurance provider to help identify the source of the attack and bring systems back online.
While the company says that only the MyAppsAnywhere services are affected, the attack appears to have had a broader impact, with the company’s main site shut down as well.
The company has been hosting hourly Zoom calls to update customers about the outages, and BleepingComputer has been told that the company is now engaged with a third-party cybersecurity firm provided by their insurance carrier.
As NetStandard is sharing no further details, it is unclear what type of attack has occurred. However, security researchers believe this is likely a ransomware attack, as we commonly see with cyberattacks like the one on NetStandard.
A coincidence?
In what may be a coincidence, Huntress Labs CEO Kyle Hanslovan tweeted a screenshot yesterday of a threat actor looking for partners to conduct an attack on a managed service provider.
According to the post on the Russian-speaking Exploit hacking forum, the threat actor claims to have access to an MSP panel managing over 50 companies, 100 VMware ESXi servers, and 1000+ servers.
Source: Kyle Hanslovan
In the forum post, the threat actor is looking for suggestions from other hackers on how to monetize their access.
“In terms of preparation, there were little things left, so my percentage of profit will definitely be high. For details and suggestions – in private messages,” reads the translated forum post.
While it is unclear if this forum post is linked to the attack on NetStandard, it would not be far-fetched for a member of a ransomware gang to have contacted the threat actor to partner with them.
MSPs are a high-value target for ransomware gangs as they offer an easy way to encrypt numerous companies at once through a single breach, allowing numerous extortion opportunities for the threat actors. Furthermore, if many companies are encrypted, it may force the MSP to pay a ransom to protect the data and recover the files of their clients.
In the past, there have been numerous attacks on MSPs, with an affiliate for the GandCrab ransomware operation, and later REvil, showing an interest and aptitude in attacks on managed service providers.
However, the most significant attack on MSPs occurred in July 2021, when REvil ransomware conducted a Kaseya supply-chain attack that encrypted thousands of companies.
BleepingComputer has reached out to NetStandard with questions about the attack but has not received a reply at this time.