What’s new this week in the news for MSPs?
Google introduces Certificate Authority Service in beta on Google Cloud; Canon confirms a Maze ransomware attack; Interpol reports that American SMBs are being targeted by LockBit ransomware; Garmin pays the WastedLocker ransom after its cyberattack; and WastedLocker abuses Windows memory management to hide from detection. Let’s see what it’s all about.
Google Introduces Certificate Authority Service (CAS) in Beta on Google Cloud
Google LLC announced a new cloud-based service that lets companies developing applications issue the certificates they need for a public key infrastructure (PKI) without running their own certificate authority. The general idea of PKI is that a trusted entity, the CA, certifies that a specific cryptographic key belongs to a particular user, device or workload.
From Google’s announcement: “Recently, we’ve seen increased interest in using public key infrastructure (PKI) in DevOps and device management, particularly for IoT devices. But one of the most fundamental problems with PKI remains—it’s hard to set up Certificate Authorities (CA), and even harder to do it reliably at scale.”
Certificates issued by a traditional private CA hosted on-premises tend to be long-lived, with an expiration date far in the future, and they are usually tied to a device- or application-specific enrollment process that runs rarely. That model works well for an IoT device that is provisioned once, but Google argues it fits emerging workloads poorly: private certificates used in DevOps to protect software containers, virtual machines, microservices and service accounts are short-lived and need to be issued and rotated frequently and automatically.
Once the service reaches general availability it will be priced on a pay-as-you-go model; during the beta, Google says, it is free to use.
Canon Confirms Maze Ransomware Cyberattack
On July 30th the Canon website went offline and stayed down for about six days, serving only status updates on the outage until it was restored on August 4th. Maze claims to have hacked the site and stolen 10 TB of Canon’s data, including private databases, as part of its attack on the company. When BleepingComputer contacted the group, it would not share any further details about the attack.
Maze is human-operated ransomware aimed at enterprises. Its operators break into a network, take over an administrator account and the Windows domain controller, and move laterally from there as quietly as they can. Before encrypting anything they copy unencrypted files from servers and backups to their own infrastructure; once they have taken what they can, they push the ransomware across the network and encrypt every device they can reach.
Interpol Reports American SMBs Target of LockBit Ransomware
According to a report from Interpol (International Criminal Police Organization), American medium-sized businesses are the target of LockBit ransomware operators.
LockBit is a human-operated ransomware-as-a-service (RaaS) operation. It surfaced in September 2019 as a private operation targeting enterprises, and Microsoft later observed it aiming at healthcare and critical services.
Once inside a victim’s network, the operators use the open-source CrackMapExec post-exploitation tool to move laterally. Maze recently partnered with LockBit in an extortion cartel: the two groups exchange tactics and intelligence and share the same data-leak platform during their operations.
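Lateral movement with CrackMapExec leaves a recognisable trace: its SMB modules authenticate to host after host with the same credential and reach the ADMIN$ or C$ share on each, so one account from one source touching admin shares on several hosts within a few minutes is the pattern to hunt for. The detector below is an added example (it is not from Interpol, Microsoft or the CrackMapExec project) run over constructed records modelled loosely on Windows Security event 5140 (network share accessed); the record format, field names, host names, thresholds and the choice of shares are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Admin shares that CrackMapExec's remote-execution methods rely on. IPC$ is left out
# on purpose: ordinary domain traffic hits it constantly (add it back together with an
# allowlist for vulnerability scanners and backup servers if you want that signal too).
ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed sample records (not real telemetry), one per line, loosely modelled on
# event 5140: timestamp, event id, then key=value fields. The first actor sprays four
# hosts in twelve seconds; the others are ordinary admin and user activity.
SAMPLE_LOG = [
    r"2020-08-10T14:02:11Z 5140 user=CORP\svc_backup src=10.0.0.25 host=FS01 share=\\*\ADMIN$",
    r"2020-08-10T14:02:14Z 5140 user=CORP\svc_backup src=10.0.0.25 host=WS07 share=\\*\ADMIN$",
    r"2020-08-10T14:02:19Z 5140 user=CORP\svc_backup src=10.0.0.25 host=DC01 share=\\*\C$",
    r"2020-08-10T14:02:23Z 5140 user=CORP\svc_backup src=10.0.0.25 host=SQL02 share=\\*\ADMIN$",
    r"2020-08-10T14:03:40Z 5140 user=CORP\jdoe src=10.0.0.9 host=FS01 share=\\*\Finance",
    r"2020-08-10T14:05:02Z 5140 user=CORP\jdoe src=10.0.0.9 host=FS01 share=\\*\C$",
    r"2020-08-10T14:30:00Z 5140 user=CORP\itadmin src=10.0.0.12 host=WS03 share=\\*\ADMIN$",
    r"2020-08-10T16:30:00Z 5140 user=CORP\itadmin src=10.0.0.12 host=WS04 share=\\*\ADMIN$",
    r"2020-08-10T17:10:00Z 5140 user=CORP\itadmin src=10.0.0.12 host=WS05 share=\\*\ADMIN$",
]


def parse_event(line):
    """Split one record into a dict; the share is reduced to its last path component."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(event_id),
        "user": fields["user"],
        "src": fields["src"],
        "host": fields["host"],
        "share": fields["share"].rsplit("\\", 1)[-1],
    }


def find_admin_share_spray(lines, window=timedelta(minutes=5), min_hosts=3):
    """Return one alert per (user, src) pair that reached admin shares on at least
    `min_hosts` distinct hosts inside any stretch of time no longer than `window`."""
    by_actor = defaultdict(list)
    for e in map(parse_event, lines):
        if e["id"] == 5140 and e["share"] in ADMIN_SHARES:
            by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        best = None  # largest host set seen in any qualifying window for this actor
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1  # slide the window forward until it fits
            hosts = {e["host"] for e in events[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"user": user, "src": src, "hosts": sorted(hosts),
                        "first": events[start]["ts"], "last": events[end]["ts"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_admin_share_spray(SAMPLE_LOG):
        print(f"{a['user']} from {a['src']} reached admin shares on {len(a['hosts'])} hosts "
              f"({', '.join(a['hosts'])}) between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The itadmin account touches three hosts too, but hours apart, so the five-minute window never holds more than one of them; tune `window` and `min_hosts` to the size of the estate, and feed the same logic the matching 4624 logon-type-3 events if share auditing is not enabled.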
Interpol recommends that organizations exposed to ransomware keep their software and hardware up to date and back up their data to offline storage that ransomware operators cannot reach and encrypt. The second point matters more than it sounds: backups that stay reachable from the domain are both a theft target and an encryption target, as the Maze playbook above shows, so a copy that is disconnected once written is the one you can count on.
Learn about common ransomware attack scenarios and what to do if one of these attacks affects your clients. Further reading: Ransomware Attack Scenarios
Garmin Pays WastedLocker Ransom
Sky News recently reported that Garmin, the fitness brand, paid millions of dollars in ransom after a cyberattack took its products and services offline last month. Garmin worked with Arete IR, a ransom negotiation firm, to make the payment.
Last week, BleepingComputer reported that Garmin had obtained a decryption key for its encrypted data and that the initial demand was $10 million.
The attack began on July 23rd and kept many of Garmin’s products and operations offline for days. Garmin confirmed on July 27th, as its services were beginning to come back, that it had been the victim of a cyberattack. WastedLocker was suspected from the start.
Neither the company nor the negotiation firm will confirm a payment, but BleepingComputer believes one was made: WastedLocker has no known cryptographic weaknesses that would let files be recovered without the attackers’ key, so buying a decryptor is the only plausible explanation for how Garmin restored its operations.
WastedLocker Abusing Windows Memory Management to Hide from Detection
WastedLocker has become notorious since it was linked to the sanctioned Evil Corp group and to the Garmin attack. In a new report shared with BleepingComputer, Sophos researchers describe how WastedLocker uses the Windows cache manager to evade detection.
WastedLocker includes a routine that opens a file, maps it into memory so that its contents are pulled into the Windows cache manager, and then closes the original file handle, so anti-ransomware software watching for a process that holds a target file open sees nothing suspicious. The ransomware then encrypts the file’s contents where they sit in the cache rather than writing to the file on disk.
Cached pages that have been modified are marked ‘dirty’, and once enough of the cache is dirty the Windows cache manager writes the encrypted data back to the original files. Because the cache manager runs inside the System process, security software that attributes disk writes to the process performing them sees a trusted Windows component doing the writing, not the ransomware. This lets WastedLocker encrypt everything while bypassing the ransomware-protection modules of products that rely on that attribution. The caveat for defenders is that protection which only judges who holds a handle and who calls the write API needs another signal, such as writable file mappings created over user documents or mass changes in file content and extension.
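The mechanism above is easier to see in code. The block below is an added example (it is not from the Sophos report, from the page, or from WastedLocker itself) that reproduces the write path on Linux or macOS with a shared memory mapping: the process closes its own descriptor before it touches a byte, rewrites the data through the mapping, and the kernel’s page-cache writeback, the counterpart of the Windows cache manager, carries the change to disk with no write() call from the process. Two assumptions to keep in mind: Python’s mmap object keeps a duplicate of the descriptor until it is closed, so the handle-closing step only approximates the Windows version, and the ‘encryption’ is a toy XOR so the demonstration is harmless. The temporary file and its contents are constructed for the example.

```python
import mmap
import os
import tempfile


def rewrite_through_mapping(path, key):
    """Transform every byte of `path` in place without the process ever calling write().

    The data is pulled into the page cache by the shared mapping, the descriptor this
    function opened is closed before any byte changes, and the modified (dirty) pages
    are written back by the kernel, not by this process.
    """
    fd = os.open(path, os.O_RDWR)
    size = os.fstat(fd).st_size
    if size == 0:                      # mmap rejects zero-length files; nothing to do
        os.close(fd)
        return
    view = mmap.mmap(fd, size, access=mmap.ACCESS_WRITE)  # MAP_SHARED under the hood
    os.close(fd)                       # our own descriptor is gone before any change
    # (assumption noted in the lead-in: the mmap object holds a private duplicate)

    data = view[:]                     # bytes as they sit in the page cache
    view[:] = bytes(b ^ key for b in data)  # toy XOR stands in for the real cipher;
                                       # this dirties the cached pages in place

    # flush() is not needed for the bytes to reach the file: kernel writeback does
    # that on its own, which is exactly what a hook keyed on this process's write
    # calls never sees. It is called here only so the caller reads a settled file.
    view.flush()
    view.close()


def run_demo(key=0x5A):
    """Constructed scenario: known plaintext in a temp file, rewrite it through the
    mapping, read it back with ordinary I/O. Returns True if the on-disk bytes are
    now plaintext XOR key (i.e. the change made it to disk with no write() from us)."""
    plain = b"constructed sample: quarterly-report.docx bytes"
    fd, path = tempfile.mkstemp(prefix="wl-demo-")
    try:
        os.write(fd, plain)
        os.close(fd)
        rewrite_through_mapping(path, key)
        with open(path, "rb") as f:
            got = f.read()
    finally:
        os.unlink(path)
    return got == bytes(b ^ key for b in plain)


if __name__ == "__main__":
    print("file rewritten through the page cache with no write() call"
          if run_demo() else "demo failed")
```

Run it under `strace -e trace=write,pwrite64` and no write on the target file appears in the process’s own trace; that absence is the whole point of the technique, and the reason a detector has to look at mappings or at the resulting data rather than at who wrote it.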
That’s a Wrap
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.