What's new this week in the news for MSPs?
AWS Launches AMD-based C5a; IBM Cloud Outage Takes Customer Websites Down Worldwide; Snake Ransomware Attack on Honda Factories; Tycoon Ransomware Uses Obscure Java Image Format; TrickBot Malware Using Fake “Black Lives Matter” Voting Campaign; and a Phishing Campaign Is Targeting Microsoft Office 365 Accounts.
Let's see what's going on.
AWS launches AMD-based C5a
This week AWS rolled out new instances, running on Advanced Micro Devices, Inc. processors, for heavy scientific workloads such as analytics applications. What's more, these instances, rolled out under the name C5a, are the first to use AMD's second-generation EPYC Rome processors.
These chips are based on a 7-nanometer architecture that allows them to process 23% more instructions per clock than the first-generation version.
According to Channy Yun, the principal developer advocate at AWS, the chips use a custom processor design. The instances come in eight sizes, ranging from 2 to 96 vCPUs; a vCPU is a measure of computing power that corresponds to one thread of a specific processor core.
AMD is leveraging the C5a instances to expand its presence and capabilities strategically with AWS, according to Forrest Norrod, the head of AMD's data center and embedded computing businesses.
IBM Cloud Outage Takes Customer Websites Down Worldwide
Global customers of IBM Cloud had a bad week when their websites went down on June 9th, unexpectedly and with little communication coming from IBM, causing considerable confusion. What's more, IBM's cloud status page also went down, which made matters worse.
The surge of outages began at about 2:30 pm PDT and affected websites located in the U.S., Japan, Australia, and parts of South America.
At this point, many of the sites have been restored, but many users were left up in arms at the lack of information from IBM. The company’s latest tweet confirmed the outage and said it was still investigating, but it hasn't yet explained what went wrong.
Snake Ransomware Attack on Honda Factories
Carmaker Honda Motor Co. suffered a ransomware cyberattack that forced it to shut down production in factories worldwide. A spokesperson from Honda confirmed the attack but gave very few details. At present, Honda has not described the form of the attack and has said that there is no evidence that any data was stolen.
What we do know is that Snake ransomware was involved, as reported by cybersecurity researchers. Moreover, Honda production factories in the U.S., Japan, Turkey, India, and Brazil were shut down as a result of the cyberattack.
Snake ransomware, which is sometimes called Ekans, originally surfaced in 2019. Once on a targeted system, it deletes Shadow Volume Copies and then kills processes related to SCADA (supervisory control and data acquisition) systems, virtual machines, remote management tools, and industrial control systems, among others.
According to Chloé Messdaghi, vice president of strategy at information security firm Point3 Security, Inc., this attack is a timely reminder that enterprise security is essential. "We've all seen global corporations put strong security stacks in place and even so, fall victim to ransomware, and a major takeaway is: Train and invest in your security teams," Messdaghi said.
New Tycoon Ransomware Is Java-Based
A new form of ransomware was uncovered by security researchers at the BlackBerry Research and Intelligence Team and KPMG's UK Cyber Response Services.
The ransomware has been called Tycoon and is unique in that it is Java-based. According to the researchers, Windows and Linux systems are both targeted. The ransomware is thought to have first been employed in December.
The ransomware uses a method known as Image File Execution Options injection. Image File Execution Options is a Windows registry facility that lets developers attach a debugger to an application when it starts; the attackers abuse it so that the Microsoft Windows On-Screen Keyboard feature launches their backdoor.
The Tycoon ransomware also deactivates any anti-malware software it detects and changes Active Directory passwords, essentially locking the victim out of their systems.
The only reason that Tycoon has been undetected until now is the highly targeted nature of cyberattacks using the ransomware. According to the researchers, "Malware writers are constantly seeking new ways of flying under the radar. They are slowly moving away from conventional obfuscation and shifting towards uncommon programming languages and obscure data formats. We have already seen a substantial increase in ransomware written in languages such as Java and Go. This is the first sample we've encountered that specifically abuses the Java JIMAGE format to create a custom malicious JRE build."
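A defender's counterpart to the mechanism described above: a read-only PowerShell audit of the registry keys that Image File Execution Options injection relies on. This is an added example, not code from MSP360, BlackBerry or KPMG; the list of accessibility binaries beyond osk.exe and the helper names are assumptions made for the example.

```powershell
# Added example for this post (not code from MSP360, BlackBerry or KPMG):
# read-only audit of the Windows registry keys that the Tycoon write-up's
# "Image File Execution Options injection" relies on. Run from an elevated
# PowerShell prompt on the host being checked.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$spePath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

# The post names the On-Screen Keyboard (osk.exe). The other entries are an
# assumed extension: accessibility tools that Windows launches the same way.
$accessibilityBinaries = @('osk.exe', 'sethc.exe', 'utilman.exe', 'narrator.exe', 'magnify.exe')

function New-Finding($Key, $Source, $Target) {
    $image = $Key.PSChildName
    $severity = if ($accessibilityBinaries -contains $image.ToLower()) { 'High' } else { 'Review' }
    [pscustomobject]@{ Image = $image; Source = $Source; Target = $Target; Severity = $severity }
}

function Get-IfeoPersistenceFindings {
    $findings = @()

    # A "Debugger" value under IFEO\<image> makes Windows start that program
    # whenever <image> is launched. Developers set it rarely, and almost never
    # on a production server, so every hit deserves a look.
    foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if (-not [string]::IsNullOrWhiteSpace($debugger)) {
            $findings += New-Finding $key 'IFEO Debugger' $debugger
        }
    }

    # SilentProcessExit\<image> with a "MonitorProcess" value is the related
    # variant: the monitor program runs when <image> exits, provided the
    # matching GlobalFlag is set under the IFEO key for that image.
    foreach ($key in Get-ChildItem -Path $spePath -ErrorAction SilentlyContinue) {
        $monitor = (Get-ItemProperty -Path $key.PSPath -Name 'MonitorProcess' -ErrorAction SilentlyContinue).MonitorProcess
        if (-not [string]::IsNullOrWhiteSpace($monitor)) {
            $findings += New-Finding $key 'SilentProcessExit MonitorProcess' $monitor
        }
    }
    return $findings
}

$results = @(Get-IfeoPersistenceFindings)
if ($results.Count -eq 0) {
    'No IFEO Debugger or SilentProcessExit MonitorProcess entries found.'
} else {
    $results | Sort-Object Severity | Format-Table -AutoSize
}
```

Any "High" row points a Windows accessibility tool at another program and should be compared against a known-good baseline before the entry is removed.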
Learn about common ransomware attack scenarios and what to do if one of these attacks affects your clients:
Further reading: Ransomware Attack Scenarios
TrickBot Malware Using Fake “Black Lives Matter” Voting Campaign
If you've received an email asking you to vote anonymously on “Black Lives Matter”, hold on to your vote, as it may be a phishing campaign that will compromise your system. TrickBot malware started as a banking trojan, but it has evolved and now performs many new, devious tricks.
For example, it can spread throughout a network and steal saved credentials from Internet browsers, Active Directory Services databases, browser cookies, OpenSSH keys, and RDP, VNC, and PuTTY credentials, among other data.
The TrickBot malware is also known to partner with ransomware operators, like Ryuk. It then gives them access to a compromised network to deploy ransomware.
The phishing email from TrickBot reads, "Leave a review confidentially about 'Black Lives Matter'," and then prompts recipients to fill out and return an attached document named "e-vote_form_3438.doc". The document prompts the victim to click to enable editing, and doing so launches the malware.
Phishing Campaign Targets Microsoft Office 365 Accounts
A phishing campaign that uses emails made to appear as legitimate Small Business Grants Fund (SGF) relief payment messages from the UK government is currently targeting business owners with Microsoft Office 365 accounts.
According to researchers at Abnormal Security, the phishing emails have reached the inboxes of up to 5,000 potential victims. Since governments worldwide are doing their best to help businesses and citizens cope with the financial damage caused by the COVID-19 pandemic, the attackers have timed the campaign well. What's more, they are taking advantage of people's hope for government financial aid.
To ensure that Secure Email Gateways (SEG) don't automatically block the messages, the attackers are using Dropbox transfer notifications that come from firstname.lastname@example.org. This method adds an appearance of legitimacy and inspires a sense of trust in possible victims.
The emails contain a link to a document named “COVID-19-Relief-Payment.PDF”, which allegedly contains the documentation that the SMB owners need to file with the authorities in order to prove their eligibility for relief fund programs.
If the recipients click the link embedded in the phishing email, it sends them to a seemingly benign Dropbox Transfer landing page, asking them to download or save the PDF file into their Dropbox account.
"Not only does this bypass traditional mail filters, but it also goes undetected by any existing web proxy and firewall controls," Abnormal Security's researchers explain.
For more information about phishing, please refer to our guide on the topic:
Further reading: Anti-Phishing Guide
That's a Wrap
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.