What's new this month in the news for MSPs? Google adds rate-limiting, threat intelligence, bot management, and other capabilities to Google Cloud Armor; Google launches a Google Public Sector cloud division; CISA issues a cybersecurity warning on Karakurt data extortion; the new evasive Symbiote malware is infecting Linux systems; and more.
Let's see what it's all about.
Google Adds Rate-Limiting, Threat Intelligence, Bot Management, and Other Capabilities to Google Cloud Armor
Google Cloud has announced new capabilities for Google Cloud Armor, its DDoS protection and web application firewall service, saying the additions are a response to attacks that have grown in both intensity and sophistication.
According to the announcement, per-client rate-limiting, machine learning-based Adaptive Protection, and bot management with reCAPTCHA Enterprise are now generally available in Cloud Armor.
Rate-limiting comes in two rule types: throttle, which caps requests per client at a user-configurable threshold and applies an exceed action (such as a 429 response) to requests over the limit, and rate-based ban, which additionally bans a client that exceeds the limit for a configurable period, rejecting all of its requests until the ban expires.
Customers can use these rules to enforce per-client limits, keyed on attributes such as the client IP address or geographic location, to curb scraping, inventory hoarding and similar abuse, and to block brute-force login attempts.
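To make the difference between the two rule types concrete, here is an added example (my own code, not Google's implementation or configuration) that models per-client throttle and rate-based ban rules with a sliding window and replays constructed traffic through both. The thresholds, the client IPs and the 429 exceed action are assumptions chosen for the example; Cloud Armor's real rules run at the edge and match on request attributes.

```python
from collections import defaultdict, deque

# Constructed sample traffic (not from the article): (seconds since start, client key).
# 203.0.113.7 hammers a login endpoint; 198.51.100.9 makes one normal request.
SAMPLE_TRAFFIC = [
    (0, "203.0.113.7"), (1, "203.0.113.7"), (2, "198.51.100.9"),
    (2, "203.0.113.7"), (3, "203.0.113.7"), (4, "203.0.113.7"),
    (15, "203.0.113.7"), (40, "203.0.113.7"),
]


class ClientRateRule:
    """Sliding-window model of Cloud Armor's two rate-limit rule types.

    throttle:       a client may make `threshold` requests per `interval` seconds;
                    each request over that gets the exceed action (here a 429), but the
                    client is let back in as soon as its window drains.
    rate-based-ban: the same count, but the first request over the limit puts the
                    client in a ban for `ban_duration` seconds during which every
                    request is denied, however slowly it sends.
    """

    def __init__(self, action, threshold, interval, ban_duration=0):
        if action not in ("throttle", "rate-based-ban"):
            raise ValueError(f"unknown rule type {action!r}")
        if action == "rate-based-ban" and ban_duration <= 0:
            raise ValueError("rate-based-ban needs a positive ban_duration")
        self.action = action
        self.threshold = threshold
        self.interval = interval
        self.ban_duration = ban_duration
        self._windows = defaultdict(deque)  # key -> timestamps inside the current window
        self._banned_until = {}             # key -> time at which its ban expires

    def decide(self, key, now):
        """Return 'allow', 'deny-429' or 'deny-ban' for one request from `key` at `now`."""
        until = self._banned_until.get(key)
        if until is not None:
            if now < until:
                return "deny-ban"           # still banned: no counting, just deny
            del self._banned_until[key]     # ban expired, the client starts fresh
        window = self._windows[key]
        while window and now - window[0] >= self.interval:
            window.popleft()                # drop requests that fell out of the window
        window.append(now)
        if len(window) <= self.threshold:
            return "allow"                  # conform action
        if self.action == "throttle":
            return "deny-429"               # exceed action applies to this request only
        self._banned_until[key] = now + self.ban_duration
        window.clear()
        return "deny-ban"


def evaluate(rule, traffic):
    """Replay traffic in time order and return (time, key, decision) for each request."""
    return [(t, key, rule.decide(key, t)) for t, key in sorted(traffic)]


def decisions_for(results, key):
    """Just the decisions a single client received, in order."""
    return [decision for _, k, decision in results if k == key]


if __name__ == "__main__":
    for action, extra in (("throttle", {}), ("rate-based-ban", {"ban_duration": 30})):
        rule = ClientRateRule(action, threshold=3, interval=10, **extra)
        print(action)
        for t, key, decision in evaluate(rule, SAMPLE_TRAFFIC):
            print(f"  t={t:>3}s {key:<14} {decision}")
```

The replay shows the practical difference: under throttle the brute-forcer is let back in as soon as it slows down (its request at 15 seconds is allowed), while under rate-based ban it stays locked out for the whole ban period, which is the behaviour you want against credential stuffing. In Cloud Armor the equivalent settings are the rule's rate-limit threshold count and interval, the enforce-on key (for example the client IP) and, for rate-based ban, the ban duration.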
Google also positions Cloud Armor as a building block of a “defense-in-depth strategy” and is adding Google Cloud Threat Intelligence for Cloud Armor, currently in preview. The feed supplies continuously updated, ready-to-use threat intelligence (for example, lists of Tor exit nodes and known malicious IP addresses) that customers can enforce in their security policies, keeping their network defenses in line with the latest techniques and the threats they can expect to face.
To cover additional types of workloads, Google is also extending Cloud Armor with support for proxy load balancers and new edge security policies.
Google Launching Google Public Sector Cloud Division
Google LLC is spinning its public-sector cloud business out of Google Cloud into a separate subsidiary called Google Public Sector. According to the announcement, the new division will focus on federal, state and local governments and the education sector.
Will Grannis, CTO of Google Cloud, will lead the new division as its CEO. It will operate as a legal entity independent of Google Cloud, with its own board of advisers.
Google Public Sector’s primary focus will be helping public-sector organizations adopt Google Cloud Platform and the Google Workspace suite, and supporting them with Google’s cybersecurity products.
Google has been expanding its public-sector business in the run-up to the move. Its government customers include the Department of Energy, the Department of Veterans Affairs, the US Postal Service and the Department of Defense, including the US Air Force, the Navy and the Defense Innovation Unit.
Google says the areas driving Google Cloud’s public-sector work have been IT infrastructure modernization, collaboration tools, cybersecurity and advanced analytics, and Google Public Sector will continue to focus on them.
Google has also been pursuing additional security certifications: Google Workspace achieved FedRAMP High authorization in 2021, and its US cloud data centers qualified for Department of Defense Impact Level 4 (IL4) authorization, which allows customers to store and process controlled unclassified information (CUI) on its cloud platform.
Google Public Sector will increase its focus on compliance and certifications, as well as other support mechanisms specific to the public sector.
Cybersecurity Warning From CISA on Karakurt Data Extortion
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned businesses in an advisory about Karakurt, a data extortion group that has been active since at least June 2021.
Intelligence gathered from recent attacks shows the group uses a wide range of TTPs, which makes defending against and mitigating its attacks difficult. Notably, Karakurt does not encrypt anything: victims report that files and devices are left intact, but the group claims to hold their data and threatens to sell or publish it unless a ransom is paid. Demands have typically ranged from $25,000 to $13,000,000 in Bitcoin, with a payment deadline of about a week after first contact. To prove the theft, Karakurt sends copies of the stolen file directories or screenshots of the data.
In a more aggressive tactic, Karakurt actors contact the victim’s business associates, staff and customers to pressure the victim into engaging or paying. These emails include samples of the stolen data, such as payment account details, Social Security numbers, private emails and other sensitive business information belonging to customers or employees.
Security analysts suspect Karakurt has partners among better-known ransomware gangs such as Conti: they have observed Conti uploading stolen data to Karakurt’s servers, and cryptocurrency wallets used by Karakurt that belonged to Conti. That makes a plausible case that Karakurt is either a business partner of Conti or a Conti side business.
New Evasive Symbiote Malware Infecting Linux Systems
Symbiote was first observed in November 2021, according to a blog post by the BlackBerry Research & Intelligence Team, and analysts say it appears to have been developed to target Latin America’s financial sector.
Rather than a standalone executable, Symbiote is a shared object (SO) library loaded through LD_PRELOAD (MITRE ATT&CK T1574.006), so the dynamic linker injects it into every dynamically linked process launched on the host. Infecting running processes this way, instead of running as its own program, sets it apart from earlier Linux malware.
Once loaded, Symbiote harvests credentials, giving the attackers remote access, and acts as a userland rootkit, hooking library functions to hide its files, processes and network activity from tools running on the host. On a fully compromised machine the malware controls what you see; in essence, nothing the machine reports can be trusted.
A technical detail the analysts highlight is Symbiote’s use of the Berkeley Packet Filter (BPF). When a process such as a packet-capture tool attaches a BPF filter to a socket, Symbiote hooks the call and prepends its own filter bytecode, so the malware’s traffic is dropped from the capture before the tool ever sees it.
Where other Linux malware has used BPF to send and receive commands from its command-and-control (C2) servers, Symbiote is the first the researchers have seen use it purely to hide its network activity, covering its tracks and making it harder to detect.
Analysts suggest focusing detection on the techniques the malware uses (LD_PRELOAD injection, hooked library functions, BPF filtering) rather than on specific file hashes, and a few endpoint tools can flag these changes on a victim’s device. Because a userland rootkit decides what host-resident tools see, such checks are most reliable when run from outside the compromised view, for instance from a statically linked binary or against an offline disk image.
P2P Botnet “Panchan” and SSH Worm Hijacking Linux Servers
Researchers at Akamai Technologies Inc. have uncovered a new SSH worm and peer-to-peer (P2P) botnet, dubbed “Panchan”, that is actively compromising Linux servers.
The malware is written in Go and was first observed in March 2022. Panchan deploys its modules on the devices it targets and uses Go’s built-in concurrency to spread as widely and quickly as possible.
Beyond a basic SSH dictionary attack, Panchan harvests SSH keys from infected machines and uses them to move laterally to the hosts those keys unlock. It also has a “god mode”: an administration panel baked into the binary. Accessing the panel requires a specific key, but Akamai’s researchers were able to bypass that check and decompile the malware to gauge the extent of the infection.
To reduce traceability and evade detection, Panchan drops its crypto miners as memory-mapped (memfd) files, so they never touch the disk, and if it detects process monitoring it kills the miner processes.
Based on the geolocation of the victims, the threat actor’s activity on Discord and the language of the admin panel, the researchers believe the operator is Japanese, and they do not think an organization is behind it. Most targets are in Asia, which suggests the actor finds it easier to stay with nearby, familiar countries.
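Both Symbiote’s LD_PRELOAD injection (in the previous section) and Panchan’s memory-mapped miners leave traces in /proc that a responder can look for. The following added example (my own code, not from the BlackBerry or Akamai write-ups) implements those checks over constructed sample data: it flags entries in /etc/ld.so.preload, LD_PRELOAD in a process’s environment, preloaded or out-of-place shared objects in a process’s memory map, and executables or mappings backed by memfd or deleted files. The library names, the /tmp/.x directory, the memfd name and the process IDs in the sample are made up for the example.

```python
import os

# Directories where system shared objects normally live; anything else deserves a look.
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample artefacts, not indicators from the BlackBerry or Akamai reports:
# the library names, the /tmp/.x directory and the memfd name are all made up.
LIBC = "7f2c1a000000-7f2c1a1c0000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
SAMPLE_LD_SO_PRELOAD = "# constructed\n/usr/lib/libntpd.so\n"
SAMPLE_PROCS = {
    412: {   # sshd: clean environment, but the systemwide preload is mapped into it anyway
        "exe": "/usr/sbin/sshd",
        "environ": "PATH=/usr/sbin:/usr/bin\x00",
        "maps": "55d3c0e00000-55d3c0f00000 r-xp 00000000 08:01 2048 /usr/sbin/sshd\n" + LIBC
                + "7f2c1a300000-7f2c1a308000 r-xp 00000000 08:01 999 /usr/lib/libntpd.so\n",
    },
    1377: {  # miner dropped as a memfd file: it runs from memory and has no file on disk
        "exe": "/memfd:kworker (deleted)",
        "environ": "PATH=/usr/bin\x00",
        "maps": "7f0000000000-7f0000400000 r-xp 00000000 00:05 77 /memfd:kworker (deleted)\n" + LIBC,
    },
    2210: {  # shell started with a per-process LD_PRELOAD pointing into a hidden directory
        "exe": "/usr/bin/bash",
        "environ": "LD_PRELOAD=/tmp/.x/libhook.so\x00HOME=/root\x00",
        "maps": "7f4e00000000-7f4e00010000 r-xp 00000000 08:01 4242 /tmp/.x/libhook.so\n" + LIBC,
    },
}


def parse_preload(text):
    """Entries of /etc/ld.so.preload: one path per line, '#' starts a comment."""
    return [p for p in (line.split("#", 1)[0].strip() for line in text.splitlines()) if p]


def parse_maps(text):
    """Distinct pathnames backing the mappings in a /proc/<pid>/maps dump."""
    fields = (line.split(None, 5) for line in text.splitlines())  # addr perms offset dev inode [path]
    return list(dict.fromkeys(f[5] for f in fields if len(f) == 6))


def parse_environ(data):
    """/proc/<pid>/environ is NUL-separated KEY=VALUE pairs."""
    return dict(item.split("=", 1) for item in data.split("\x00") if "=" in item)


def triage(preload_text, procs):
    """Return (pid, category, detail) findings; `procs` maps pid -> {"exe", "environ", "maps"}."""
    findings = []
    preload = parse_preload(preload_text)
    for lib in preload:                    # any entry in ld.so.preload is suspicious on a server
        findings.append((None, "ld.so.preload entry", lib))
    for pid, proc in sorted(procs.items()):
        env = parse_environ(proc.get("environ", ""))
        if "LD_PRELOAD" in env:            # per-process injection via the environment
            findings.append((pid, "LD_PRELOAD in environ", env["LD_PRELOAD"]))
        exe = proc.get("exe", "")
        if exe.startswith("/memfd:") or exe.endswith("(deleted)"):
            findings.append((pid, "fileless or deleted exe", exe))
        for path in parse_maps(proc.get("maps", "")):
            if path in preload:            # ld.so.preload sets no env var; only maps reveal it
                findings.append((pid, "preloaded object mapped", path))
            elif path.startswith("/memfd:"):
                findings.append((pid, "memfd-backed mapping", path))
            elif path.endswith("(deleted)"):
                findings.append((pid, "mapping of deleted file", path))
            elif (path.endswith(".so") or ".so." in path) and not path.startswith(STANDARD_LIB_DIRS):
                findings.append((pid, "shared object outside lib dirs", path))
    return findings


def triage_live_host():
    """Run the same checks against the real /proc (root is needed to read other users' processes)."""
    procs = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{name}"
        try:
            with open(f"{base}/environ", "rb") as env_f, open(f"{base}/maps") as maps_f:
                procs[int(name)] = {"exe": os.readlink(f"{base}/exe"),
                                    "environ": env_f.read().decode("utf-8", "replace"),
                                    "maps": maps_f.read()}
        except OSError:                    # process exited, kernel thread, or permission denied
            continue
    try:
        with open("/etc/ld.so.preload") as f:
            preload_text = f.read()
    except OSError:
        preload_text = ""
    return triage(preload_text, procs)


if __name__ == "__main__":
    for pid, category, detail in triage(SAMPLE_LD_SO_PRELOAD, SAMPLE_PROCS):
        print(f"{'-' if pid is None else pid:>6}  {category:<30}  {detail}")
```

Two caveats apply when you run this on a live host. First, a userland rootkit such as Symbiote hooks the very libc calls a Python interpreter uses to read /proc, so a clean result from the infected machine’s own view proves little; corroborate with a statically linked tool, a live-boot of the disk, or out-of-band data such as flow records from a network tap. Second, memfd-backed executables and deleted mappings have legitimate uses (package upgrades leave deleted mappings behind until a restart), so treat these as leads to triage, not verdicts.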
Phishing Technique Cleverly Bypassing MFA Using Microsoft WebView2 Applications
A security researcher has demonstrated a phishing technique that uses Microsoft Edge WebView2 to steal login cookies and bypass MFA.
WebView2 is a runtime that embeds the Microsoft Edge (Chromium) rendering engine in native applications, providing web-based functionality to PWAs, Microsoft 365 apps and others.
On June 21, 2022, the researcher mrd0x published the proof of concept, named WebView2-Cookie-Stealer, which injects malicious JavaScript into sites loaded inside an application built on WebView2.
In mrd0x’s example, a JavaScript keylogger was injected into a genuine Microsoft login form loaded in WebView2. The page renders normally, but the injected code runs in the background, capturing everything the user types into the form and sending it to a web server of the attacker’s choosing.
Beyond keylogging, the method let mrd0x steal any cookies the remote server set after the user logged in, including the authentication cookies that represent a session that has already passed MFA. mrd0x also showed that WebView2 can be pointed at an existing user data folder (UDF) instead of creating a new one; because the UDF holds the user’s sessions, passwords and bookmarks, this lets an attacker lift all the cookies available to the current user, including those of the Google Chrome browser.
Importing the stolen cookies into a browser with a simple Chrome extension such as “EditThisCookie” is then enough for the attacker to take over the session.
MFA has long been considered an excellent deterrent to phishing, but this scenario shows it is no silver bullet: because the attacker captures the session cookie issued after a successful login, the MFA method the user completed doesn’t matter. Other controls should be employed to keep accounts secure and businesses protected.
Attacks of this type rely on the user downloading and running a program from the internet. User education on the dangers of doing so leads the way in protecting businesses against attacks like this one.
New ZuoRAT Malware Targeting SOHO Routers in US and EU
ZuoRAT is a newly uncovered multistage remote access trojan (RAT) that has been targeting remote workers through small office/home office (SOHO) routers in North America and Europe since 2020.
Researchers at Lumen’s Black Lotus Labs say the attackers’ TTPs make this a highly sophisticated, targeted campaign that points to a state-sponsored actor. The timeline of the campaign also aligns with the rapid shift to remote work at the start of the COVID-19 pandemic, when the number of SOHO routers from manufacturers such as ASUS, Cisco, DrayTek and NETGEAR used by staff to reach business assets from home rose dramatically.
Lumen says the move to remote work gave threat actors new opportunities in at-home devices such as SOHO routers, which are rarely monitored or patched despite their wide use and can be manipulated to hijack connections, collect data in transit and compromise adjacent devices on the network. Sophisticated adversaries seized on this to get around the defense-in-depth posture many organizations traditionally had in place.
ZuoRAT is deployed on an unpatched router using an exploit script that bypasses authentication. Once in place, the multistage RAT gives the attackers in-depth traffic collection and network reconnaissance through passive network sniffing.
ZuoRAT also enables lateral movement: through DNS and HTTPS hijacking it can compromise further devices on the local network and deploy additional payloads, such as Cobalt Strike beacons, to them.
The researchers also observed two or more custom trojans installed on compromised devices during these attacks.
While the attacks observed appear limited in number, the level of sophistication led the researchers to believe the campaign is likely more extensive. Businesses should make sure that every SOHO router used to reach business assets is covered by patch planning and is running the latest firmware, to help mitigate these threats.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.