What's New This Month in the News for MSPs? Google Cloud launches new storage and services; new analytics and security capabilities for Google Cloud launches; VMware says new ChromeLoader variants pose severe risks; and more.
Let's see what it's all about.
Google Cloud Launches New Storage and Services
Google has introduced six new storage solutions for data-intense cloud workloads to give a much-needed boost. It also announced a bevy of new cloud storage products and services it says will meet global businesses’ growing needs.
It announced the newly launched services at Google’s Spotlight on Storage digital event, saying they’re made for “data-rich” workloads. Storage needs to be more and more flexible to handle the needs of data lakes, ML and AI, simulation and modeling, HPC, and big data. Guru Pangal explained in a blog post that Google is seeing customers collecting more data than ever before and from many sources.
To meet the needs of applications, they are launching six new storage services, Google said. These include Google Cloud Hyperdisk, which Google says is the company’s first next-gen persistent disk. This service will let companies fine-tune block storage performance dynamically, targeting individual workloads that include independent throughput and I/O operations per application.
Google Kubernetes Engine (GKE) is getting Filestore Enterprise multi-share, which will let storage admins quickly create GKE clusters on the fly. It will also offer non-disruptive upgrades to storage in the background, which guarantees 99.99% regional availability.
The Google Cloud Storage Autoclass feature is expected to simplify managing object storage volumes and optimizing costs. Policies for moving data to cold or hot storage classes are also included.
Google introduced Storage Insights for analytics, which will offer actionable insights from the large volumes of customer objects stored in Google Cloud. It also lets customers run object queries and combine them with BigQuery. DR and Cloud Backup services bring fully integrated data protection forward, keeping businesses’ critical databases and apps under the same umbrella, along with Google Cloud VMware Engine and SAP Hana.
The last announcement was the introduction of Google Cloud Backup for the GKE service, which will let users protect Kubernetes persistent data and apps. Google says it is the first hyperscale cloud provider to do this.
New Analytics and Security Capabilities From Google Cloud
To help its customers simplify data analysis to give better protection from cyberattacks, Google has launched several features, it says.
The new features are included as part of existing Google Cloud services.
In addition, Google has infused its data warehouse, BigQuery, with a new capability called Analytics Hub, which makes it easy for workers to find business records.
The Pub/Sub service in Google Cloud helps users load data into BigQuery from other systems. In the past, businesses would have needed to create customized software workflows to send data to BigQuery. The prepackaged software workflow Google has added to Pub/Sub eliminates the need for custom coding, and Google says it will reduce cloud costs, too.
BigLake store engine is now generally available, according to Google. Companies should now find it easier to manage data lakes and data warehouses, even on other cloud platforms.
The cloud platform’s suite of cybersecurity services was not left out, and Google has released some improvements there, too. The Cloud Firewall and Container Scanning API services are receiving some new enhancements.
For example, Google’s Container Scanning API service can now scan code written in the Go programming language. It can also catch vulnerabilities in Java code files processed with Maven.
In addition, Google’s Cloud Firewall service is getting a Tags feature, which will simplify applying cybersecurity rules to cloud resources. Additionally, a second feature, called Network Firewall Policies, is being added to assist admins in managing firewall configuration settings in cloud environments.
Google also announced a new tool in preview called Log Analytics. This is part of the Google Cloud service called Cloud Logging, which lets businesses gather information on potential errors. It allows them to analyze the collected information to find helpful patterns using the Log Analytics tool.
Google says the tool will let users run analytics using SQL queries. Businesses can also integrate data from Log Analytics with data in BigQuery environments, and the combination will allow for more advanced data analysis.
VMware Says New Chromeloader Variants Pose Severe Risks
New variants of the ChromeLoader malware deliver more malicious payloads, and threat actors are using them for other evil purposes, according to a report from the Carbon Black Managed Detection and Response team.
VMware researchers recently shared that threat actors are dropping ZipBombs onto infected devices. Typically, a ZipBomb will be dropped with the initial infection in an archive that the victim downloads. After the user double-clicks the file, the ZipBomb gets launched, destroying the system with an overload of data.
VMware researchers first caught Windows variants of ChromeLoader in January, and macOS variants appeared in March. There are a few known variants of ChromeLoader, such as Choziosi Loader and ChromeBack. Unit 42 researchers also evidenced that the real first Windows variant compiled a malicious executable that dropped version 1.0 of the malware using the AutoHotKey (AHK) tool.
Typically, developers of this type of malware intend to feed adware to their victims. Still, researchers note that the ChromeLoader browser hijacker that appears as a browser extension increases the attack surface of an infected device, which can subsequently lead to other, more severe attacks, including ransomware.
VirtualPita and VirtualPie Target VMware ESXi Servers
Threat actors have discovered a new method of taking control of VMware ESXi Hypervisors that allows them to control vCenter services and virtual machines for Linux and Windows and avoid detection.
Researchers from Mandiant, recently acquired by Google, found that threat actors used vSphere Installation Bundles (VIBs) to drop VirtualPita and VirtualPie malware. Following this, the hacker could take actions including: maintain persistent admin access with the hypervisor; send commands routed to the guest VM for execution through the hypervisor; transfer files between guest VM and the ESXi hypervisor; tamper with logging services; and run random commands from one guest VM to another running on the same server.
A Linux variant of VirtualPita was discovered persistent during research as an init.d startup service on Linux vCenter devices and hidden under the genuine binary ksmd.
The Python-based VirtualPie distributes a daemonized IPv6 listener on a hardcoded port on VMware ESXi servers.VirtualPie supports random command line execution, and can set up a reverse shell and transfer files.
On Windows guest VMs, researchers also found a separate malware called VirtualGate. The malware includes a memory-only dropper that deobfuscates a second-stage DLL payload.
Threat actors must have admin privileges to the hypervisor to carry out an attack. While it may seem that this lowers the risk, some threats remain hidden on the network and await an opportunity. The US Cybersecurity & Infrastructure Agency has shared guidance from VMware on the cyber threat.
Windows, Linux Devices Susceptible to Chaos Malware DDoS Attacks
Chaos is the name of a botnet that is spreading rapidly throughout networks. It targets and infects both Linux and Windows devices to use them to run DDoS attacks and crypto mining.
The Go-based malware does not stop at one specific architecture but can infect many types, including X86-64, x86, AMD64 MIPS64, MIPS, AArch64, ARMv5-ARMv8, and PowerPC, which are used by a broad range of systems from enterprise servers to small and home office routers.
Typically, Chaos spreads through attacks on unpatched devices exposed to SSH brute-forcing and many security vulnerabilities. It will hijack more devices using stolen SSH keys.
In addition, it will backdoor infected devices by setting up a reverse shell that allows the threat hackers to reconnect whenever they want to for more exploitation.
Researchers at Lumen’s Black Lotus Labs analyzed approximately 100 samples found in the wild. They uncovered that its developers wrote Chaos in Chinese, and its command-and-control (C2) system is China-based.
The Chaos botnet has an extensive and continuously growing list of target industries.
Ransomware Groups May Use New Data Corruption Functionality Added to Exmatter
Exmatter is a data exfiltration malware with ties to the BlackMatter ransomware group. More recently, the malware was upgraded with data corruption functionality, indicating a new tactic for ransomware partners to use in future attacks.
Malware analysts from the Cyderes Special Operations team discovered the sample in the wild during an incident response after a BlackCat ransomware attack.
It’s the first time researchers have seen Exmatter with a destructive module. Experts believe the new tactic may be a way to avoid detection. It’s also thought that the malware is still in development.
Some of the issues include:
- The lack of a mechanism to remove files from the corruption list results in some files getting
- overwritten multiple times before the program ends and others not even getting selected.
The Erase function doesn’t seem to be implemented completely or to compile properly. What’s more, the second file used to overwrite the first file has a randomly chosen length that may be only one byte long in some instances.
While the data corruption feature is a curious development and used to evade detection by the security software, researchers believe it is part of a more significant shift in the strategy used by ransomware gangs, moving from attacks where data is stolen and encrypted to a new format where data is corrupted or deleted after being stolen.
This method allows a ransomware affiliate to keep all the funds from an attack, as they’ve eliminated the encryptor developer’s role.
FARGO Ransomware Targets Vulnerable Microsoft SQL Servers
According to security researchers, a new bevy of attacks using FARGO ransomware have targeted vulnerable Microsoft SQL servers. The ransomware is also known as TargetCompany and Mallox.
While there were reports in February of this year of Cobalt Strike beacons being used, and again in July when threat actors hijacked vulnerable MS SQL servers to steal bandwidth for proxy services, the recent attacks are more severe. The threat actors are looking for a fast profit gained by blackmailing the owners of the databases.
AhnLab Security Response Center (ASEC) researchers say that FARGO is one of two prominent ransomware strains targeting MS SQL servers, with the other being GlobeImposter.
The ransomware begins by using cmd and PowerShell to download a .NET file whichaids in installing additional malware along with retrieving the locker. It also generates and runs a BAT file that terminates all the processes and services.
Next, it self-injects itself into AppLaunch, which precedes an attempt to remove an open-source registry key for the ransomware vaccine.
The ransomware doesn’t encrypt all software and directories in order to keep the system operable. For example, Microsoft Windows system directories, Tor Browser, boot files, Internet Explorer, user settings and customizations, the debug log, and the thumbnail database are all exempted from encryption.
Following the encryption, all the locked files are renamed with the “.Fargo3” extension, and a ransom note named “RECOVERYFILES.txt” is generated. FARGO ransomware warns its victims that their files will be leaked on the cyber-criminal’s Telegram channel unless they pay the ransom.
Administrators of MS SQL servers are advised to use complex, strong, and unique passwords. In addition, they should keep servers up to date with the latest patches and fixes for security vulnerabilities.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.