Blog Articles

What's new this month in the news for MSPs? Cofense's Q1 Phishing Intelligence report shows a 527% increase in credential phishing; Magecart malware is hitting e-commerce sites again; and more. Continue reading

What's new this month in the news for MSPs? Google LLC announces a reorganization to Google Cloud Consulting for professional services offerings; Google is releasing new cybersecurity features for ChromeOS; and more.

Let's see what it's all about.

Google LLC Announces Reorganization of Google Cloud Consulting for Professional Services Offerings

Google LLC is moving its cloud business professional service offerings to a centralized portfolio dubbed Google Cloud Consulting.

This announcement comes after a year in which Google Cloud invested significantly, enabling it to expand its professional services practice, which allows organizations to use Google Cloud products more efficiently and train employees to use them.

Google LLC created the Google Cloud Consulting portfolio to combine services, offerings, and specializations. Google says there are two primary objectives behind launching Google Cloud Consulting.

One reason is to make it easier for businesses to get professional services from Google. With the practice, customers will find detailed descriptions and examples of each service in the catalog. Another reason is to make it easier for partners to work with Google's professional service teams.

Alphabet Inc. says that, at launch, the Google Cloud Consulting portfolio will have more than six professional services, and the offerings will be spread across a few categories.

Another set of Google Cloud Consulting services is focused on assisting businesses in optimizing their cloud environments. For example, a company can work with an organization that verifies whether its cloud services contain vulnerabilities in its security settings.

Training options in the Google Cloud Consulting portfolio equip admins with all the necessary skills to set up and manage Google Cloud environments. Some training offerings are for specializations like building AI apps using Google’s Vertex AI suite of ML tools.

Google Is Releasing New Cybersecurity Features for ChromeOS

A new set of cybersecurity features for ChromeOS will help organizations protect employee devices and sensitive business information from hackers. They debuted the new features at the RSA Conference, held in Las Vegas.

In recent times, Google has added tools to ChromeOS to expand its adoption in enterprise environments by making it simpler to manage and secure.

The Google-developed operating system leverages the Chrome browser as its primary interface, and the education sector uses it widely.

The ChromeOS Data Controls are the main highlight of the new features. Google says it will make it much easier to keep business records and information from being accessed and used without authorization.

Admins can stop users screen-sharing, copying and pasting, or taking screenshots with this tool. ChromeOS Data Controls allows businesses to choose when and how usage restrictions are applied. For example, admins can prohibit copying and pasting when staff use critical business apps. They can also stop users from pasting information into cloud-based storage services that admins haven't approved.

With enhanced settings and ChromeOS Data Controls, Google is making it easier to control privacy. Employees can now turn off the microphone and camera with a single click directly from the operating system’s settings.

Also included in the updated features is a grouping of integrations of external cybersecurity tools. The goal is to simplify ChromeOS computer fleet integrations with those tools.

Organizations can now leverage CrowdStrike Inc.'s Falcon Insight XDR cybersecurity platform for malware monitoring on ChromeOS devices. The platform supports Mac, Windows, and Linux, and admins can monitor ChromeOS machines centrally in a unified console.

Most enterprises use security analytics from cloud-based platforms that help detect indications of a breach. These collect and check data from numerous systems and devices, including ChromeOS machines searching for symptoms that indicate malicious activity. Besides simplifying the process of collecting data from ChromeOS teams, Google has added an integration that will simplify sharing security logs from the OS with Chronicle, its cybersecurity analytics platform.

In addition to user logins and logouts, ChromeOS can share information about remote desktop access requests and USB activity. It can also share the identical data with Palo Alto Network’s Cortex XDR and Crowdstrike’s Falcon LogScale security analytics platforms.

Campaigns Targeting Android, iOS, and Chrome Detailed by Google Researchers

Google LLC's Threat Analysis Group says threat actors are leveraging "zero-day" iOS, Chrome, and Android exploits.

Analysts say the first bit.ly-linked SMS campaign appeared last November, targeting victims in Italy, Kazakhstan, and Malaysia. Before redirecting the targets to genuine websites, the compromised links will send visitors to sites that host the exploits when clicked.

iOS 15.1 and earlier, Chrome, and Android versions earlier than 106 are vulnerable to these exploits. The campaign targeted two common vulnerabilities, exposures, or CVEs. The first leverages a PAC bypass technique patched by Apple in March 2022; another exploits a privilege escalation and sandbox escape flaw in AGXAccelerator that Apple patched in its iOS 15.1 update.

The Android exploit chain targeted victims using devices with an Arm Ltd GPU running versions of Chrome earlier than 106. As with Apple devices, the threat actors targeted known CVEs patched in Chrome 107 and later, with a bug in the Arm privilege escalation that was repaired in August 2022.

In December, security analysts discovered the second campaign, which involved multiple exploits and targeted the current version of the Samsung Internet Browser. Samsung Electronics Ltd installs the browser as standard software on all devices.

Similarly to the first campaign, ‌targeted victims were sent one-time links over SMS, although this campaign focused on targeted users in the UAE. Users clicking on the link were sent to a site that mimicked one created by Variston IT SL, a spyware provider. Google researchers say that the threat actor behind the campaign might be a partner or customer of Variston or in some way working closely with them.

Researchers discovered that the targeted vulnerabilities in the campaign were linked to those patched through 2022 in Chrome. ‌Samsung uses Chrome 102 as the basis for its internet browser. Since the base code isn’t updated, Samsung hasn’t fixed its browser, which has left it susceptible to threats.

Azure Patched Vulnerability Allowed RCE Access

Orca Security Ltd. shared details about a previously unknown Microsoft Azure vulnerability that lets hackers use remote code execution (RCE).

The "Super FabriXss" vulnerability was demonstrated at the BlueHat IL 2023 conference. It was clearly seen how the hackers behind it could escalate in reflected cross-site scripting.

During the demonstration, they showed how the Cluster Type toggle could be accessed by an unverified RCE, with hackers abusing the metrics tab and enabling a specific setting in the dashboard.

Orca warns that the Super FabriXss is a dangerous XXS (cross-site scripting) vulnerability and affects the Azure Service Fabric Explorer. Orca analysts note that remote hackers can run code on Service Fabric containers without authentication.

According to Orca, to exploit Super FabriXss requires two steps. The first step initiates a fetch request that uses an iframe that’s embedded. Then the hackers' code overwrites the existing distribution with a malicious one by taking advantage of the upgrade process. A CMD instruction in the new deployment in its Dockerfile downloads a .bat file from a remote server.

After the .bat gets downloaded, it runs its process, which results in an additional file that contains an encoded reverse shell. The hackers get remote access to the device targeted through the reverse shell. This access gives the hackers control of the cluster node, which is typically the host of ‌the container.

Orca Security provided a report on the issue to Microsoft's Security Response Center before making the information publicly available. Subsequently, Microsoft investigated and assigned the issue CVE-2023-23383 with a Common Vulnerability Scoring System rating of 8.2, meaning a severity of “important.” In its March 2023 Patch Tuesday release, Microsoft released a fix for the vulnerability.

Security Analysts Call New Alienfox Malware Toolkit a Cloud Spammer’s Swiss Army Knife

Security researchers at SentinelLabs recently warned of a new toolset being used to harvest credentials from providers of cloud services. The researchers say the toolset is best described as a cloud hacker’s Swiss Army knife.

Threat actors are using AlienFox to collect API interface keys in addition to secrets from services such as Microsoft Office 365 and Amazon Simple Email Service (SES).

AlienFox is said to be a modular toolset that involves the sharing of source code archives. While researchers note that it’s shared on Telegram, hackers can also get some modules from GitHub. Since many of the tools that are a part of AlienFox are open-source, this means they can be modified and customized to the specific needs of those using them.

Hackers will begin an attack using the AlienFox toolset to harvest lists of misconfigured devices from security scanning providers such as Security Trails and LeakIX. They then use several scripts that extract private information like API keys and secrets stored in configuration files on compromised web servers.

According to security analysts, later versions of the malware toolkit can establish account persistence and privilege escalation on AWS. It can also automate spam campaigns and harvest send quotas through services and its victims’ accounts.

Security researchers say AlienFox’s spread shows a previously unknown trend of attacks against less substantial cloud services that are not suitable for cryptomining, which extends and enables future campaigns.

Mirai Malware Exploiting TP-Link Archer WiFi Router Flaw

Hackers are using the Mirai botnet to exploit the TP-Link Archer A21 (AX1800) WiFi router vulnerability. Tracked as CVE-2023-1389, the vulnerability lets attackers put devices into DDoS swarms.

Researchers first demonstrated the abuse during the Pwn2Own Toronto hacking event in December 2022. During the demo, two independent hacking teams used different pathways to breach the device – WAN and LAN interfaces.

TP-Link was informed about the vulnerability in January 2023 and released a complete fix during a firmware update last month, after previously addressing the problem in February with a patch that didn’t stop the exploits.

Zero Day Initiative detected exploit attempts that initially focused on Eastern Europe before spreading internationally. The source of the vulnerability is the lack of input sanitization in the language settings of the local API, which doesn’t filter or validate the information it receives. This missing protection lets hackers inject commands they can execute on the device.

The command-injection problem in the TP-Link Archer A21 (AX1800) WiFi router exists in the device firmware before version 1.1.4 Build 20230219; this version contains a fix for the flaw. An unverified hacker can use this flaw to exploit this hole and inject commands leading to RCE, letting attackers take control of the system from anywhere.

TP-Link automatically pushed a firmware update to routers attached to a TP-Link Cloud account. Others using the TP-Link Archer A21 (AX1800) WiFi router will need to update the router manually. TP-Link has already issued a notice requesting users to install the firmware update.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights