It seems MSPs are moving on security. According to a recent Kaspersky survey, 28% of managed service providers (MSPs) reported that a massive supply chain attack on an MSP software provider, revealed in December 2020, had affected their organization in some way. The breach also had a wider impact on the majority of MSPs: overall, 72% of providers took action in response to the attack, even though they were not affected. That is in survey data released by Zawya.
A letter from the deputy national security advisor and National Cyber director was issued from the White House urging the private sector to boost cyber defenses for the holidays. “Historically, we have seen breaches around national holidays because criminals know that security operations centers are often short-staffed, delaying the discovery of intrusions,” they wrote.
A recent breach disclosure of an Oregon healthcare organization appears to have accidentally revealed that the FBI believes the HelloKitty ransomware group operates out of Ukraine. This is new information not previously released.
And in Log4J news, CISA said they had not confirmed reports by multiple security companies of ransomware installations or attempts by other governments to steal secrets. “We are not seeing widespread, highly sophisticated intrusion campaigns,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a call with reporters. On the same day, Microsoft’s Threat Intelligence Team indicated that hackers associated with the governments of China, Iran, North Korea, and Turkey have been trying to find ways to leverage the Apache Log4j vulnerability. The first public case of the vulnerability being used to download and install ransomware has been discovered by researchers. BitDefender reported they found it directly.
Finally, some details of cyber security that made it into the approved National Defense Authorization Act. It greenlights CISA’s CyberSentry program, focuses on critical infrastructure, and also requires DoD to submit a report on how its Cybersecurity Maturity Model Certification (CMMC) program impacts small businesses.
Why do we care?
I’m reserving judgment on CMMC. I’ve heard strong voices saying it’s critically important for smaller providers, and others I trust saying it isn’t … and that version 2.0 is too neutered to matter. Hearing from the DoD itself on what THEY think the impact will seem savvy to me.

