What's new this month in the news for MSPs? AWS launches new-generation x86-based workforce instances; OneDrive business storage accidentally lowered by Microsoft; Accenture ransomware attack demand of $50m; and more.
Let's see what it's all about.
AWS Launches New-Generation x86-based Workforce Instances
Amazon Web Services Inc. has added a new generation of Intel x86-based general-purpose compute options to the mix as an update to its family of EC2 compute instances.
Built on the AWS Nitro System, the new instances are expected to provide a better balance of storage, memory, compute, and networking resources. The combination of a lightweight hypervisor and dedicated hardware offloads traditional virtualization functions, delivering better performance and higher availability.
The EC2 M6i instances are powered by Intel Xeon Scalable CPUs, code-named Ice Lake, and are made specifically for workloads based on x86 instructions. All of them provide an all-core turbo frequency of 3.5GHz, which AWS expects to deliver a 15% increase in price-performance over the fifth-generation instances offered previously.
OneDrive Business Storage Accidentally Lowered by Microsoft
There is a current and ongoing issue being investigated by Microsoft, impacting OneDrive business customers. Customers have reported finding their storage space reduced, or that file permissions have been changed to read-only. Some have resorted to deleting files to free up space, so they can work on their current projects.
According to the latest update, Microsoft engineers are analyzing each tenant’s change logs. They will then align the users’ quotas to their licenses and revert each impacted user to their previously set state.
Accenture Ransomware Attack Demand of $50m
A cyberattack against Accenture PLC has resulted in stolen customer data. The LockBit 2.0 ransomware gang carried out the attack on August 11th and claims to have taken 6TB of data. The gang is demanding $50m from Accenture in payment for the decryption key.
Security experts suspect that LockBit had an inside collaborator to carry out the attack. However, the exact method used in the hit is unknown at this time. An Accenture spokesperson speaking to CNN said, “Through our security controls and protocols, we identified irregular activity in one of our environments.”
They went on to say that they had contained the activity and restored their servers from backups. Moreover, there was no impact on operations or client systems as a result of the cyberattack.
Security researchers originally discovered LockBit 2.0 in the wild in September 2019. The LockBit 2.0 operators offer it on a ransomware-as-a-service (RaaS) basis. It is known as a double-tap variant, meaning that files are both stolen and encrypted. Payment is then demanded to prevent publication of the data and to obtain a decryption key.
EOL Cisco Routers Critical Vulnerability Will Remain Unpatched
Recently, Cisco Systems Inc. announced that older routers it has designated as having reached end-of-life status will remain unpatched against a critical vulnerability.
Cisco Small Business RV130W, RV130, RV110W, and RV214W routers have all been tagged for the “critical” vulnerability, which could cause an impacted device to restart suddenly, resulting in a denial-of-service condition, or allow an unauthenticated, remote attacker to execute arbitrary code.
The vulnerability stems from improper validation of incoming UPnP traffic. A would-be attacker could send a crafted UPnP request to an impacted device to exploit it. A successful exploit could cause the device to reload, resulting in a denial-of-service condition, or grant the attacker root access to the underlying operating system. As a workaround, Cisco suggests that administrators disable UPnP on the LAN interface of impacted devices.
ProxyShell Security Flaws
Orange Tsai, a DEVCORE security researcher, found the three chained security flaws now called ProxyShell when he participated in the Pwn2Own 2021 hacking contest.
Microsoft patched the ProxyShell bugs in May 2021. However, it didn't assign CVE IDs until July, meaning that some businesses were unaware of vulnerable systems on their networks.
CISA and security researchers have been warning since the beginning of August that network admins need to patch their Exchange servers, but Microsoft failed to inform its customers until August 25th.
Microsoft has now issued detailed patching information to all of its customers. They also stated that if you have security updates issued in May and June on your Exchange server, you are already protected.
Microsoft Exchange Servers Targeted by LockFile Ransomware
The LockFile ransomware gang uses the ProxyShell vulnerabilities in Microsoft Exchange servers to carry out attacks. After breaking into the servers, it encrypts the Windows domains to which they belong.
ProxyShell, as security researchers have dubbed the attack, is a chain of three connected vulnerabilities that together give unauthenticated remote code execution on unpatched Microsoft Exchange servers.
In May, Microsoft released a patch for the vulnerabilities, but more details subsequently emerged that permitted threat actors and researchers to replicate ProxyShell on other systems. Now threat actors are searching actively for possible victims.
After exploiting the Microsoft Exchange servers, the threat actors drop web shells onto the servers with the intent of uploading and installing other programs.
Right now, there isn't a lot of intel out there about LockFile ransomware. We know that the LockFile operation uses two vulnerabilities: the Microsoft Exchange ProxyShell chain and the Windows PetitPotam NTLM relay. To protect networks, it is essential to patch affected systems.
StealthWorker Botnet Targeting NAS Devices with Ransomware
Synology, a Taiwan-based NAS maker, is advising its customers that the StealthWorker botnet is making their network-attached storage devices a target for brute-force attacks that ultimately lead to ransomware cyberattacks.
The Synology NAS devices compromised in the attacks are used in subsequent attempts to breach more Linux systems, according to Synology’s PSIRT (Product Security Incident Response Team).
Synology says system admins and customers should change weak administrative credentials on systems, set up multi-factor authentication, and enable account protection and auto-block.
While Synology didn’t share additional data about the malware involved in the campaign, what was shared lines up with a Golang-based brute-forcer originally discovered by Malwarebytes in February 2019, called StealthWorker.
Malwarebytes noted that the malware had brute-force capabilities that would enable it to log into Internet-exposed devices using passwords generated instantaneously or from previously used compromised passwords.
In 2019, the operators behind StealthWorker moved to a brute-force-only model. They scan the Internet for hosts with vulnerabilities or with weak or default credentials for their attacks.
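As an added illustration of the account protection and auto-block mitigation Synology recommends above, the following Python code implements the core auto-block rule over constructed login-audit lines: an IP that accumulates a threshold of failed logins within a sliding time window gets blocked. This is example code written for this post, not Synology's own implementation; the log line shape and the thresholds are assumptions, not Synology's actual format or defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed "timestamp user ip result" shape,
# not Synology's real log format). 203.0.113.5 behaves like a brute-forcer.
SAMPLE_LOG = """\
2021-08-05T10:00:01 admin 203.0.113.5 FAIL
2021-08-05T10:00:03 admin 203.0.113.5 FAIL
2021-08-05T10:00:04 root 203.0.113.5 FAIL
2021-08-05T10:00:06 admin 203.0.113.5 FAIL
2021-08-05T10:00:07 admin 203.0.113.5 FAIL
2021-08-05T10:00:09 alice 198.51.100.7 OK
2021-08-05T10:04:00 admin 203.0.113.5 FAIL
2021-08-05T10:30:00 bob 198.51.100.9 FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def auto_block(log_text, max_failures=5, window_minutes=5):
    """Return {ip: ISO timestamp of the block decision} for every source IP
    that reaches max_failures failed logins inside a sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed shape
        ts_str, _user, ip, result = m.groups()
        if result != "FAIL" or ip in blocked:
            continue  # only failures count; already-blocked IPs need no work
        ts = datetime.fromisoformat(ts_str)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell outside the window
        if len(q) >= max_failures:
            blocked[ip] = ts.isoformat()
    return blocked


if __name__ == "__main__":
    for ip, when in auto_block(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when})")
```

A single failed login from 198.51.100.9 never reaches the threshold, which is the point of a windowed counter: it separates a user mistyping a password from a dictionary attack on the same account names.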
VMware ESXi Servers Target of Linux-Version BlackMatter Ransomware
New to ransomware operations, the BlackMatter gang has made a Linux encryptor that is targeting VMware’s ESXi virtual machine platform.
On August 4th, MalwareHunterTeam discovered a Linux ELF64 encryptor originating from the BlackMatter ransomware gang and expressly targeting VMware ESXi servers.
While BlackMatter appears to be a newcomer that started operations in July, it is believed to be the DarkSide gang under a new moniker. DarkSide shut down after its attack on Colonial Pipeline, following pressure from the US government and international law enforcement.
From the sample of BlackMatter’s encryptor that BleepingComputer received, they determined that it was specifically designed to target VMware ESXi servers.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.