What's new this week in the news for MSPs?
Pentagon asks for more time on the JEDI contract; SANS Institute data breach; Agent Tesla upgraded to steal passwords; Dharma ransomware-as-a-service used in attacks on SMBs; and Microsoft allowing Office 365 admins to manage phishing simulations. Let's see what it's all about.
Pentagon Asks for More Time on the JEDI Contract
The US Department of Defense has been reviewing its award of the JEDI contract to Microsoft Corp. and has requested a thirty-day extension before it issues a final decision.
The Joint Enterprise Defense Infrastructure (JEDI) project is a cloud-computing infrastructure for the Pentagon. It will link many military systems under a single, unified architecture, and according to the Department of Defense (DOD) it will allow the department's artificial intelligence projects to move ahead to the next level.
The award of JEDI to Microsoft Corp., ahead of a bid by Amazon Web Services, Inc. that experts considered the favorite, has been controversial.
Amazon and Microsoft have been at loggerheads since the award. Last May, Drew Herdener, VP for AWS, commented that the award decision was "fatally flawed on all six of the technical evaluation factors." Frank Shaw, Microsoft's corporate VP of communications, responded, claiming Amazon was "trying to bog down JEDI in complaints, litigation and other delays" to overcome its failed bid.
SANS Institute Data Breach
The SANS Institute, a cybersecurity training and certification firm, confirmed in a statement this week that it had suffered a data breach. According to the announcement, the attackers obtained records of approximately 28,000 clients. The breach began with a phishing email to an employee that carried a malicious Office 365 attachment.
SANS said it detected the breach on August 6th. The compromised email account had been forwarding data to a suspicious external email address; SANS "quickly stopped any further release of information" from the account.
The company said it had found no evidence that the attack was targeted.
Tim Wade at Vectra AI, Inc., a threat detection and response firm, said in a comment to SiliconANGLE, "The real hallmark of modern security is about resilience to attacks – the capacity to perform timely detection and response before material damage is done even after preventative controls have failed."
Ilia Kolochenko, from ImmuniWeb, also noted, "Attackers will now gradually focus their attention on cybersecurity companies and organizations to get their clients' privileged information or credentials." He also praised the SANS Institute's response to the incident.
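The forwarding described above is the part of this story an MSP can check for today. The script below is an added example, not code from the article or from SANS: it audits an Exchange Online tenant for mailbox-level forwarding and for inbox rules that forward or redirect mail outside the tenant. It assumes the ExchangeOnlineManagement module is installed and that `$InternalDomains` holds the tenant's accepted domains (the two domains listed are placeholders).

```powershell
# Added example (not from the article or SANS). Audits Exchange Online for forwarding to
# external addresses, the mechanism by which the compromised SANS account leaked data.
# Requires: Install-Module ExchangeOnlineManagement, and an account with Exchange admin rights.

$InternalDomains = @('example.com', 'example.onmicrosoft.com')   # assumption: replace with Get-AcceptedDomain output

function Test-IsExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Recipient strings arrive as "user@domain", "smtp:user@domain" or '"Name" [SMTP:user@domain]';
    # keep only the domain part and strip trailing brackets/quotes/whitespace.
    $domain = (($Address -replace '^.*@', '') -replace '[>\]"\s]', '').ToLowerInvariant()
    return -not ($InternalDomains -contains $domain)
}

Connect-ExchangeOnline   # interactive sign-in

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (ForwardingSmtpAddress is free-form SMTP; ForwardingAddress points
#    at an internal recipient object, which may itself be a mail contact with an external target).
$mailboxForwarding = foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'MailboxForwarding'
            Target   = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { "$($mbx.ForwardingAddress) (recipient object, verify manually)" }
            External = Test-IsExternalAddress $mbx.ForwardingSmtpAddress
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
}

# 2. Inbox rules that forward, forward-as-attachment or redirect. This is the path an attacker
#    with only the user's credentials can use, and it is slow on large tenants (one call per mailbox).
$ruleForwarding = foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = "InboxRule: $($rule.Name)"
                Target   = [string]$t
                External = Test-IsExternalAddress ([string]$t)
                KeepCopy = -not $rule.DeleteMessage
            }
        }
    }
}

$findings = @($mailboxForwarding) + @($ruleForwarding)
$findings | Where-Object External | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation
```

Treat every external hit as an incident until a user confirms it, and pair the audit with a transport rule or outbound spam policy that blocks automatic external forwarding tenant-wide, so a rule planted after the next phishing email fails silently instead of exfiltrating mail. Rules that a client like Outlook flags as hidden still appear in Get-InboxRule, so this audit sees more than the user does.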
Agent Tesla Upgraded to Steal Passwords
New variants of Agent Tesla, an information-stealing trojan, carry modules for harvesting credentials from applications, including VPN clients, web browsers, FTP clients and email clients.
Agent Tesla is a .NET-based trojan with password-stealing and keylogging abilities. Most experts date its activity to 2014.
The malware is currently popular with business email compromise (BEC) gangs, who use it to record keystrokes and capture screenshots on victims' compromised systems. It is also used to steal clipboard contents, kill anti-malware and analysis processes, and collect system information.
According to Jim Walter, a senior threat researcher at SentinelOne, "The malware can extract credentials from the registry and related configuration or support files."
Agent Tesla currently appears to be one of the more active malware strains in attacks on both business and home users, according to Any.Run's list of the top 10 malware variants it analyzes.
Dharma Ransomware-as-a-Service Used in Attacks on SMBs
Dharma ransomware-as-a-service is popular with cybercriminals attacking SMBs this year, according to the British cybersecurity company Sophos. The attackers use different variants of the Dharma source code that have been offered for sale or dumped online.
According to Coveware, a ransomware recovery company, 85 percent of Dharma attacks on SMBs in 2020 have entered through exposed remote-access tools, chiefly the remote desktop protocol (RDP).
Sophos senior threat researcher Sean Gallagher calls Dharma "fast-food franchise ransomware" because of its mass-market, service-based business model. That model has made Dharma one of the world's most lucrative ransomware families in a short time.
Sophos offers these suggestions for protecting SMBs from Dharma:
- Keep all network devices patched and updated
- Disable internet-facing RDP
- Keep backups on offline storage
- Know the warning signs of a ransomware attack
- Use a layered security model, so that ransomware and other attacks are identified and contained before they inflict long-term harm
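The second item is the one worth verifying on every Windows host a client exposes. The script below is an added example, not from Sophos or the article: run in an elevated PowerShell session, it reports whether RDP is enabled, whether Network Level Authentication is enforced, which port RDP is listening on, and whether the host firewall's Remote Desktop rules accept connections from any address. The function name `Get-RdpExposure` is my own; the registry keys and cmdlets are the standard ones.

```powershell
# Added example (not from Sophos or the article): report a Windows host's RDP exposure.
# Run elevated. Uses only built-in registry locations and the NetSecurity / NetTCPIP modules.

function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is enabled
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA is required before the logon screen is shown
    $nlaEnforced = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication).UserAuthentication -eq 1
    # RDP can be moved off 3389; read the configured port rather than assuming it
    $port = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber

    # Enabled inbound allow rules in the built-in "Remote Desktop" group and their source filters.
    # RemoteAddress 'Any' means the host firewall itself imposes no source restriction.
    $allowRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = [string]$_.Profile
                RemoteAddress = ($addr -join ',')
            }
        }

    $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = $rdpEnabled
        NlaEnforced      = $nlaEnforced
        RdpPort          = $port
        Listening        = [bool]$listener
        OpenToAnyAddress = [bool]($allowRules | Where-Object { $_.RemoteAddress -eq 'Any' })
        AllowRules       = @($allowRules)
    }
}

$report = Get-RdpExposure
$report | Format-List

if ($report.RdpEnabled -and $report.Listening -and $report.OpenToAnyAddress) {
    Write-Warning "RDP is listening on $($report.RdpPort) with no source-address restriction in the host firewall on $($report.ComputerName)."
}
if ($report.RdpEnabled -and -not $report.NlaEnforced) {
    Write-Warning "NLA is not enforced on $($report.ComputerName); unauthenticated clients reach the logon screen."
}
```

A host firewall that accepts any source does not by itself prove the host is reachable from the internet; the perimeter firewall or NAT may still block it, so confirm from an external vantage point before closing the ticket. If the host should not offer RDP at all, set `fDenyTSConnections` to 1 and disable the Remote Desktop rule group; if it must, restrict the rules with `Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress <management subnet>` and put remote access behind a VPN with MFA rather than leaving the listener on the internet.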
Further reading: Ransomware Attack Scenarios, on common ransomware attack scenarios and what to do if one affects your clients.
Microsoft Allowing Office 365 Admins to Manage Phishing Simulations
Microsoft is adding support for security admins who run phishing training sessions or simulations. A new self-service portal lets admins mark specific items that would otherwise be caught by the Office 365 Exchange Online Protection (EOP) filtering stack so that they are delivered to recipients' inboxes.
EOP is a cloud-based filtering service that blocks spam and emails carrying malicious attachments from reaching Exchange Online mailboxes.
The primary purpose is to give customers control over the blocking of simulation emails. The new Tenant Allow/Block list portal lets admins allow or block specific attachments and URLs across their Office 365 tenants.
Microsoft plans to roll out the Tenant Allow/Block list portal in the third quarter of 2020, to all customers with an Advanced Threat Protection plan in all Office 365 environments.
That's a Wrap
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.