News You Might’ve Missed. 05 – 08 Apr

What's new this week in the news for MSPs? New security and compliance certifications for Google Cloud; a Microsoft cloud outage that knocked Teams, Azure, and Office 365 offline; a REvil ransomware change that sets a Windows password for automatic login in safe mode; and unpatched Fortinet VPN devices targeted by the new Cring ransomware.

Let's see what it's all about.

New Security and Compliance Certifications for Google Cloud

As a component of its pledge to be the most trusted cloud and serve as a security transformation partner, this week Google outlined its roadmap to achieve that goal.

In addition to government and security compliance certifications across Canada, Europe, and Asia, new certifications are being added to Google Cloud’s compliance programs, including Cloud DNS.

The program is designed to standardize security authorization, assessment, and continuous monitoring for cloud services and products offered to federal government agencies. Its goal is to make sure that federal data remains consistently protected, at the highest level, in the cloud.

Clients that want this support can use Assured Workloads for Government. This service lets Google Cloud Platform customers build controlled environments in a straightforward way, with personnel access controls and US data locations strictly enforced.

Microsoft Cloud Outage Boots Teams, Azure, and Office 365 Offline

Most of Microsoft’s Internet services were taken offline when the IT giant was hit by a mammoth cloud outage this week.
The services affected were Microsoft Teams, OneDrive, Office 365, Skype, Xbox Live, Bing, and its Azure cloud services.

Users on Twitter were the first to report the outage, which was later confirmed by the DownDetector website. According to DownDetector, thousands of notices came in from Teams, Xbox Live, and Office users.

A domain name system error was the cause of the outage, as the Microsoft 365 Twitter account status stated. About 90 minutes later, it seemed Microsoft had gotten the situation mostly under control.

Some experts say that the outage is a considerable embarrassment for Microsoft, since it is the second such occurrence in 30 days.

Microsoft says the issue occurred due to recent changes to one of its authentication systems.

Password Changes to Auto-Login in Safe Mode from REvil Ransomware

A recent change to the REvil ransomware code lets its operators change the Windows account password and reboot into safe mode, so that the encryption runs unattended.

In March, BleepingComputer reported that the threat actors had changed the REvil/Sodinokibi ransomware code to add a new encryption mode for Windows safe mode. They enable it with the -smode command-line argument, which reboots the device into safe mode and then encrypts the files.

Security experts believe that the threat actors added the mode to avoid detection by security software. Safe mode also stops backup software, mail servers, and database servers from running, which improves their success rate in encrypting files that would otherwise be locked or protected.

The ransomware also changes the Windows Registry so that, after the reboot, the device logs in automatically with the account’s new credentials.
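The two artifacts this technique leaves on a host (a forced safe-mode boot and Winlogon auto-logon values) can be checked directly. The script below is an added example, not code from the article or from any vendor; it assumes it runs elevated on the Windows host being inspected, and the finding labels are its own.

```powershell
# Added example: surface the safe-mode auto-logon pattern described above.
# Registry path is the standard Winlogon location; the finding labels are this
# example's own naming, not a vendor detection rule.

$findings = @()

# 1. Winlogon auto-logon values. AutoAdminLogon=1 with a DefaultPassword stored
#    means the machine signs in without a prompt after the forced reboot.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($props.AutoAdminLogon -eq '1') {
    $findings += [pscustomobject]@{
        Check = 'Winlogon.AutoAdminLogon'
        Value = "User=$($props.DefaultUserName) PasswordStored=$([bool]$props.DefaultPassword)"
        Note  = 'Auto-logon enabled; confirm this is an approved kiosk/lab configuration'
    }
}

# 2. BCD safeboot element. 'bcdedit /enum {default}' prints a 'safeboot Minimal'
#    (or 'Network') line when the next boot has been forced into safe mode.
$bcd = & bcdedit.exe /enum '{default}' 2>$null
$safeboot = $bcd | Where-Object { $_ -match '^\s*safeboot\s+\S+' }
if ($safeboot) {
    $findings += [pscustomobject]@{
        Check = 'BCD.safeboot'
        Value = ($safeboot -replace '\s+', ' ').Trim()
        Note  = 'Next boot forced into safe mode; most EDR/AV and backup services will not load'
    }
}

# 3. Both together is the combination the article describes: a forced safe-mode
#    boot plus an account that signs itself in. Flag it separately so it stands out.
if ($findings.Count -eq 2) {
    $findings += [pscustomobject]@{
        Check = 'Combined'
        Value = 'safeboot + AutoAdminLogon'
        Note  = 'Matches the unattended safe-mode encryption pattern; isolate the host and investigate'
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No safe-mode auto-logon artifacts found.' }
```

Either artifact alone has legitimate uses (kiosks, lab images, a technician's planned safe-mode boot), so treat a single hit as something to confirm with the owner and the pair as an incident trigger.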

Unpatched Fortinet VPN Devices the Target of New Cring Ransomware

A specific vulnerability in Fortinet VPN devices is making them the target of a new human-operated ransomware strain called Cring. The flaw lets the operators get into, and then encrypt, the networks of industrial-sector businesses.

After gaining initial access through the VPN device, the Cring operators drop custom Mimikatz samples, followed by Cobalt Strike. They then use the legitimate Windows CertUtil certificate utility to evade security software while staging the ransomware payloads. From there, the operators move laterally across the target's enterprise network, using Mimikatz to steal Windows user credentials until they control a domain admin account.

The ransomware payloads are then installed across the victim’s network through a malicious PowerShell script that uses the Cobalt Strike threat-simulation framework. The ransomware encrypts only certain files on the compromised devices, using strong encryption algorithms.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.
