What's new this week in the news for MSPs? US warning over cloud services cyberattacks; Babuk Locker new ransomware for 2021; SolarWinds sued over Orion software hack; new Sunspot malware spotted; and Mimecast certificate compromised by hackers. Let's see what it's all about.
US Warning over Cloud Services Cyberattacks
A warning released this week by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) addresses concerns over the recent cyberattacks targeting various cloud services.
Information in the warning says phishing and other modes of attack are in use by the cybercriminals, who exploit poor cybersecurity hygiene within a target’s cloud infrastructure. What’s more, analysts say the attacks seem to have a pattern of occurring when employees are working remotely and using a combination of personal and corporate laptops and devices to access corporate cloud services.
Employees received phishing and fake emails that purported to be official but contained malicious links. Other methods show threat actors taking advantage of forwarding rules to collect private information.
Babuk Locker New Ransomware for 2021
Days into the new year, analysts have discovered a new form of ransomware dubbed Babuk Locker.
This ransomware has its own implementation of SHA256 encryption, which is being called ChaCha8. It uses Elliptic-curve Diffie-Hellman (ECDH), which encrypts files and protects its keys for key generation.
SHA256 has its origins in the US NSA, and ECDH is maintained through an anonymous key agreement scheme.
According to BleepingComputer, the threat actors behind Babuk Locker now have a list of victims worldwide, and their ransom demands are between $60,000 and $80,000 in bitcoin. The attacks seem customized to the victim and include a hardcoded extension, a Tor victim URL, and a ransom note.
SolarWinds Sued over Orion Software Hack
Shareholders of the US government software provider SolarWinds Worldwide LLC are suing the company following the news in December that its Orion software was hacked. The lawsuit documents say that the former President, the Chief Executive Officer Kevin Thompson, and the Chief Financial Officer Barton Kalsu made “false and/or misleading” statements in February, May, August, and November during regulatory filings with the US Securities and Exchange Commission.
Timothy Bremer, a shareholder of the company who bought shares in September and October, filed the suit. The extent of the hack may be greater than initially suggested, according to a report published on January 3rd.
New Sunspot Malware Spotted
During the investigation into the SolarWinds hack, cybersecurity firm CrowdStrike discovered the malware used to inject backdoors into the Orion platform. The cybercriminals dropped the malware, called Sunspot by CrowdStrike, into the development environment of SolarWinds’ Orion IT management software.
The malware would monitor and automatically inject a Sunburst backdoor that would replace Orion’s original source code with malicious code. The hackers’ method was devised to avoid detection by the software developers and build teams.
Since the investigation into the hacking began, this is the third strain of malware that has been found.
Last week, CISA, the FBI, and the NSA issued a joint statement in which they stated that the Russian-backed Advanced Persistent Threat (APT) group was likely behind the attack. However, to date they haven’t been able to verify the individual attackers.
Mimecast Certificate Compromised by Hackers
A hacker has compromised a security certificate issued to Mimecast customers to authenticate them for some of its products with Microsoft 365 Exchange Web Services. It was the target of a sophisticated cybercriminal, and about 10% of its customers use the certificate. However, it notes that only a small number of Microsoft 365 users were the hacker’s target.
Saryu Nayyar, chief executive officer of Gurucul Solutions Pvt Ltd. A.G., believes the hackers are the same group who breached SolarWinds and multiple government agencies. He says, “This shows the skill and tenacity state and state-sponsored actors can bring to bear when they are pursuing their agenda. Against this sort of opponent, civilian organizations will need to up their game if they don’t want to become the next headline.”
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.