What's new this week in the news for MSPs?
Azure Maps Previewed by Microsoft; USBCulprit Malware Group Stealing SE Asia Government Data; NASA Contractor Allegedly Attacked by DopplePaymer Ransomware Group; Valak Malware Lifting Credentials from Exchange Servers; Cisco Servers Hacked; More US Colleges Hit by Netwalker Ransomware; and Office365 Targeted with Phishing Scam. Let's see what's going on.
Azure Maps Previewed by Microsoft
Microsoft Corp. has a new tool in its public cloud platform that allows companies to make indoor maps, which can be used for locating missing employee devices or for augmented-reality apps. According to the announcement, Azure Maps Creator joins Microsoft's suite of location services.
Additionally, Roberto Lucchi, a senior program manager with the Azure Maps team, had this to say in his recent blog post: "You could also build cross-platform, mixed reality solutions with Azure Spatial Anchors accessible across HoloLens, iOS, and Android devices."
With help from Creator, Azure may now be more competitive with Google LLC's public cloud on the mapping front.
USBCulprit Malware Group Stealing SE Asia Government Data
If you believed your air-gapped devices were safe, it now seems that this might not be the case.
USBCulprit, a newly discovered malware from the group known as Cycldek (also tracked as Conimes or Goblin Panda), was made to target air-gapped devices. Cycldek is a Chinese APT group that has continued to have its sights set on Southeast Asian nations. Its goal has been to take state secrets and government intel.
This week, Kaspersky observed USBCulprit, finding the stealthy tool to have advanced data leeching abilities. It gets access through an RTF file or other means and then performs a thorough scan of the victim's system. It then begins grabbing documents and passing them on, and also replicates itself onto removable media.
A new report by Kaspersky on the malware says that the APT group has taken a demonstrable interest in "large organizations and government institutions in Vietnam."
NASA Contractor Allegedly Attacked by DopplePaymer Ransomware Group
A U.S. National Aeronautics and Space Administration (NASA) contractor has allegedly been the victim of a ransomware attack. The group behind it says it has stolen the company's files. This apparent attack comes from the DopplePaymer ransomware group.
The hit involves Digital Management LLC, a Bethesda, Maryland-based firm which offers business intelligence and cybersecurity services to U.S. federal government agencies and Fortune 1000 companies.
The ransomware group itself wrote about the attack in a dark web blog post. It said, "We congratulate SpaceX and NASA with successful launch [sic]. But as for NASA, their partners again don't care about the data…"
According to ZDNet's report on the issue, it's not clear how far inside DMI's network the DopplePaymer group had penetrated.
DMI hasn't yet responded to the report. If DopplePaymer's claim is valid, the breach is hugely embarrassing at the very least for a company that provides cybersecurity services to government departments and major companies.
Learn about common ransomware attack scenarios and what to do if one of these attacks affects your clients:
Further reading: Ransomware Attack Scenarios
Valak Malware Lifting Credentials from Exchange Servers
Valak, which was first noticed in 2019, has morphed into an information stealer. It targets Microsoft Exchange servers to steal login credentials and certificates from enterprises.
New variants of this malware family found in recent campaigns show significant developments. It seems to have a preference for enterprise environments, mainly in the U.S. and Germany.
The abilities of the latest Valak samples include checking the geographic location of an infected machine, taking screenshots, downloading other payloads (plugins and malware), and infiltrating Microsoft Exchange servers.
Campaigns that deliver the Valak malware begin with an email providing Microsoft Word documents that contain malicious macro code. The files are in the language of the targeted victim.
Cisco Backend Servers Infiltrated
As detailed by Cisco, the culprits were able to access six backend infrastructure servers. After detecting the attack, Cisco repaired and updated the servers on May 7th, 2020, applying patches for the two SaltStack vulnerabilities that had left them exposed: the directory traversal (CVE-2020-11652) and the authentication bypass (CVE-2020-11651) that have been affecting SaltStack servers.
Cisco says that Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) and Cisco Modeling Labs Corporate Edition (CML) are also susceptible to these attacks, whether in standalone or cluster configurations.
Cisco is not alone in experiencing a security breach caused by SaltStack server flaws. DigiCert, LineageOS, Vates (Xen Orchestra creators), and the Ghost blogging platform have also reported breaches.
More U.S. Colleges Hit by Netwalker Ransomware
Operators of the Netwalker ransomware revealed that they had successfully attacked the University of California San Francisco (UCSF). According to their claim, they were able to encrypt computers and take unencrypted data.
Over the last week, the Netwalker ransomware operation has targeted U.S. colleges and said it would release their data. On May 28th, Netwalker revealed that it had encrypted Michigan State University's systems, and Columbia College of Chicago followed shortly behind it.
Netwalker is becoming a more significant threat, as it has steadily been making a name for itself with a stream of successful attacks, including one against the Australian transportation company Toll Group.
As their latest victims have been colleges, this may indicate a vulnerability in a commonly used application or device, or exposed Remote Desktop servers.
Office 365 Targeted with Phishing Scam
Phishing campaigns have been targeting Microsoft Office 365 customers by using bait messages that appear to come from their company. The messages request them to update their VPN configurations used to access their company assets while working remotely.
According to researchers at email security company Abnormal Security, the phishing emails impersonating VPN configuration update requests have landed in the inboxes of 15,000 targets.
With the massive torrent of new remote workers using VPNs to connect to their company resources, these phishing emails are a considerable danger.
The attackers spoof the sender's email address in the phishing emails to match the domains of their targets' organizations. They embed hyperlinks that appear to lead to the new VPN configs; instead, recipients are directed to phishing landing sites that steal their Office 365 credentials.
These phishing attacks can easily be handled by setting up custom Office 365 block rules. These rules take advantage of the Office 365 ATP Safe Links feature, which automatically blocks the malicious links.
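As an added example (not code from the original post or from Abnormal Security), the following Python triage check flags the three traits of the lure described above: a sender address on the organization's own domain that fails SPF/DKIM, links that lead off-domain, and a VPN-configuration pretext. The organization domain, the two sample messages and their headers are all constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.test"  # assumed organization domain (constructed)

# Constructed sample resembling the described lure: spoofed internal sender,
# failing authentication, VPN-config pretext, link to an external landing site.
SAMPLE_LURE = """From: IT Support <it-support@example-corp.test>
To: jane@example-corp.test
Subject: Action required: update your VPN configuration
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=example-corp.test; dkim=none
Content-Type: text/plain

Your VPN configuration must be updated to keep remote access.
Download the new config here: https://vpn-update.example-phish.test/office365/login
"""

# Constructed benign message from the same internal sender for comparison.
SAMPLE_LEGIT = """From: IT Support <it-support@example-corp.test>
To: jane@example-corp.test
Subject: Planned maintenance
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=example-corp.test; dkim=pass
Content-Type: text/plain

Details are on the intranet: https://intranet.example-corp.test/maintenance
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_WORDS = ("vpn", "configuration", "config")

def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def auth_failed(msg):
    # Treat anything other than an explicit SPF and DKIM pass as a failure.
    ar = msg.get("Authentication-Results", "").lower()
    return "spf=pass" not in ar or "dkim=pass" not in ar

def external_links(msg, org):
    hosts = [(u, (urlparse(u).hostname or "").lower()) for u in URL_RE.findall(msg.get_payload())]
    return [u for u, h in hosts if not (h == org or h.endswith("." + org))]

def phish_indicators(raw, org=ORG_DOMAIN):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    if sender_domain(msg) == org and auth_failed(msg):
        flags.append("spoofed-internal-sender")
    ext = external_links(msg, org)
    if ext:
        flags.append("external-link")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if ext and any(w in text for w in LURE_WORDS):
        flags.append("vpn-config-lure")
    return flags
```

Messages that return all three indicators are candidates for a block rule; the benign sample returns none.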
For more information about phishing please refer to our guide on the topic:
Further reading: Anti-Phishing Guide
That's a Wrap
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.