What's new this week in the news for MSPs? Cloud-Native Buildpacks launched by Google; Software AG suffers an attack by Clop ransomware; global law firm Seyfarth reports ransomware attack; Windows Defender used by Qbot malware to infect PCs; takedown of TrickBot botnet plotted by Microsoft and others; and Trickbot botnet survives takedown attempt.
Let's see what it's all about.
Cloud Native Buildpacks Launched by Google
Cloud Native Buildpacks is an open-source technology meant to speed up the creation of containerized applications, according to an announcement by Google. Google has also shared open-source templates to make it easier for customers to adopt the technology.
The goal of the buildpacks is to expedite the assembly of container projects. These projects generally contain many supporting modules and operating system images in addition to the core application code.
Buildpacks automate much of that process. The technology scans an application's source code and determines which supporting components it needs, such as the required security modules and operating system images, and collects everything without any manual input.
According to Google, buildpacks are becoming the primary method for deploying software on Google Cloud's App Engine application hosting platform.
Software AG Suffers an Attack by Clop Ransomware
On October 3rd, Software AG, a German tech company, was forced to shut down services when it was hit by a ransomware attack.
Clop ransomware has been named the culprit in the attack, and its operators demanded a payment of $20 million, threatening to publish the company's stolen private data otherwise.
According to a report by ZDNet, Software AG did not pay the ransom, and the operators of Clop have started publishing the stolen data.
The group behind Clop has been linked to other attacks, such as the theft of data from ExecuPharm in April.
Global Law Firm Seyfarth Reports Ransomware Attack
According to the company, it was hit by an aggressive and sophisticated malware attack. In its notice, Seyfarth says it understands that several companies were hit simultaneously, indicating a coordinated attack, and that it is cooperating with the FBI to track down those responsible.
There is nothing to suggest that internal or client data was accessed or stolen. Seyfarth says its IT teams have shut down computer systems, as many of them were encrypted.
Seyfarth is working continuously to resolve the incident.
Windows Defender Used by Qbot Malware to Infect PCs
The botnet's operators are using a new lure in their email campaigns to deploy the Qbot malware: a fake Windows Defender antivirus theme inside a malicious document. The approach aims to trick users into allowing Excel macros to run, which deploys the malware used by the Qbot botnet.
BleepingComputer says the Qbot gang started using this new theme in its email attacks on August 25th this year. Besides the Windows Defender branding, the gang has also impersonated a few other well-known security firms in its campaigns.
While security professionals would easily spot the messaging as fake, it could persuade more casual computer users to click the "Enable Content" button, which activates the malicious macros.
Qbot is known for stealing data and giving attackers remote access to the machines it successfully infects. Its use of fake antivirus alerts as a disguise and its growth in the last quarter should prompt companies to ensure they have strong defenses against malware.
Takedown of TrickBot Botnet Plotted by Microsoft and Others
After an in-depth review of TrickBot's back-end server infrastructure and malware modules, a group of tech companies banded together to take it down. The coordinated effort to halt the botnet's activities included FS-ISAC, Lumen's Black Lotus Labs, Microsoft Defender, and Symantec, Broadcom's cybersecurity division.
The partners spent months collecting and analyzing malware samples and mapping data about the botnet's internal workings, including all the servers it used to control infected computers and distribute additional modules.
With that data in hand, Microsoft asked a court for authority to take control of the TrickBot servers, and the court granted it. According to Microsoft's press release, "With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the TrickBot operators to purchase or lease additional servers."
According to the group's members, TrickBot has infected more than one million computers to date. Along with Emotet, it is one of the most active malware-as-a-service (MaaS) platforms and frequently works with ransomware gangs such as Conti and Ryuk.
Trickbot Botnet Survives Takedown Attempt
The attempted takedown of the TrickBot botnet organized by a group of tech companies led the TrickBot operators to replace their existing infrastructure with a new one. Microsoft and its partners were widely praised for their efforts, although the botnet was able to recover and survive.
In private interviews, the group said it knew it was unlikely to take TrickBot down for good in a single attempt. What's more, it had planned follow-up actions in case the effort was not successful.
The goals were not focused solely on taking down TrickBot's servers, since the group knew that would only be temporary. Other aims included delaying current malware operations and forcing the TrickBot operators to incur added costs.
Another goal was to damage TrickBot's reputation among cybercrime gangs. The rationale was that if the group could show TrickBot's fee-paying customers that it was not reliable from a business standpoint, or that using it carried a risk of being tracked by law enforcement, this could constrain some of the botnet's ability to operate.
Researchers at security firms are hoping the recent action will have an impact across TrickBot's business.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.