What's new this week in the news for MSPs? Peculiar Linux malware targeting VoIP switches; universities under new ransomware attacks; SunCrypt ransomware hits University Hospital in NJ; Google Advanced Protection users now get scans for malicious files; and Equinix hit by NetWalker ransomware. Let's see what it's all about.
Equinix Hit by NetWalker Ransomware
Equinix, one of the world’s largest data center providers, disclosed a ransomware attack on September 9. The malware did not affect Equinix’s data centers, managed services, or customer-facing operations, the company says.
The more significant issue may be the stolen data: the NetWalker operators are demanding $4.5 million for the decryptor and for not releasing the information they took.
Data center providers and MSPs remain prime targets for ransomware attacks, because their systems often host or interconnect with many end-customer systems. According to a report from Huntress Labs, the attackers frequently use stealthy approaches that hide from antivirus tools.
The US Secret Service and other government agencies have warned IT service providers and consulting firms about these ongoing attacks. Ransomware operators are increasingly targeting point-of-sale (POS) systems, and they often use business email compromise (BEC) alongside ransomware to infiltrate networks.
Google Advanced Protection Users Now Get Scans for Malicious Files
Google launched its Advanced Protection program to protect high-profile people who are likely to be targeted by online attacks. The program adds extra security features to Chrome, and it is now gaining another: enrolled users can send files they are concerned about directly to Google's Safe Browsing malware-detection technology to be scanned.
The new feature adds to other safeguards available that protect Google accounts for public figures, such as activists, politicians, journalists, and others. Two physical security keys are required to use the Advanced Protection program, with one being a backup.
Peculiar Linux Malware Targeting VoIP Switches
Two distinct Voice over IP (VoIP) software switches (softswitches) are the target of some peculiar Linux malware. If the softswitches are compromised, cybercriminals may gain access to users' phone data.
According to ESET, a Slovakia-based antivirus and firewall vendor, the malware attacks Chinese-made software switches, such as the Linknat VOS2009 and VOS3000.
A compromised softswitch may allow a cybercriminal to exfiltrate private information, including call detail records and their metadata. That metadata may contain the caller and callee IP addresses, fees, the call's start time and duration, and other data.
In order to steal the metadata, the malware queries internal MySQL databases that are used by the softswitch.
Currently, it is not known how the malware is being deployed. The attackers are assumed to be either exploiting a vulnerability or using a brute-force attack.
Universities Under New Ransomware Attacks
Academic institutions are being urged to ensure that their networks are resilient enough to withstand the new string of ransomware attacks making the rounds. The warning was issued by the UK's National Cyber Security Centre (NCSC), the cyber arm of GCHQ, and follows a spate of attacks on universities during August.
The NCSC has already monitored several ransomware attacks against universities, where varying amounts of damage occurred, depending on the level of cybersecurity the institutions had in place.
"This criminal targeting of the education sector, particularly at such a challenging time, is utterly reprehensible," said Paul Chichester, director of operations at the NCSC. Universities have been advised to adopt some new cybersecurity protocols to reduce the severity of ransomware attacks.
These suggestions include securing RDP services with multi-factor authentication, effective vulnerability management and patching, installing antivirus software, and ensuring that staff and students are aware of the risks posed by phishing emails.
Up-to-date and tested offline backups have also been recommended for universities.
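A backup only counts as "tested" once it has actually been restored and checked. The script below is an added example, not NCSC guidance or MSP360 code: it takes a backup of a small constructed dataset together with a SHA-256 manifest, restores it into a scratch directory, and compares every restored file against the manifest, then damages the archive to show that the check catches it. All paths and file names are made up for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not NCSC or MSP360 code): a minimal "back up, then prove it
# restores" check. A backup that has never been restored is not a tested
# backup. Every path and file name here is constructed for the demonstration.
set -eu

# Create a small constructed dataset standing in for the data to protect.
make_sample_data() {
  local src="$1"
  mkdir -p "$src/records"
  printf 'student,id\nalice,1001\nbob,1002\n' > "$src/records/roster.csv"
  printf 'lecture notes for week 1\n' > "$src/records/notes.txt"
}

# Take the backup: a tar archive plus a SHA-256 manifest of every source file.
# The manifest is written next to the archive so a later restore test can be
# judged without access to the (possibly already encrypted) original data.
take_backup() {
  local src="$1" dest="$2"
  mkdir -p "$dest"
  (cd "$src" && find . -type f | sort | xargs sha256sum) > "$dest/manifest.sha256"
  tar -C "$src" -cf "$dest/backup.tar" .
  sha256sum "$dest/backup.tar" | cut -d' ' -f1 > "$dest/backup.tar.sha256"
}

# Restore the archive into a scratch directory and verify it. Prints OK only if
# the archive hash matches and every restored file matches the manifest;
# otherwise prints FAIL and returns 1.
verify_backup() {
  local dest="$1" scratch="$2"
  local manifest expected actual
  manifest="$(cd "$dest" && pwd)/manifest.sha256"
  rm -rf "$scratch" && mkdir -p "$scratch"

  # Step 1: is the archive itself intact?
  expected=$(cat "$dest/backup.tar.sha256")
  actual=$(sha256sum "$dest/backup.tar" | cut -d' ' -f1)
  if [ "$expected" != "$actual" ]; then echo FAIL; return 1; fi

  # Step 2: does it actually restore to the data we backed up?
  if tar -C "$scratch" -xf "$dest/backup.tar" \
     && (cd "$scratch" && sha256sum --quiet -c "$manifest" >/dev/null 2>&1); then
    echo OK
  else
    echo FAIL; return 1
  fi
}

# Overwrite one byte of the archive, simulating media damage or tampering, so
# the restore test can be shown to fail when it should.
corrupt_backup() {
  printf 'X' | dd of="$1/backup.tar" bs=1 seek=600 conv=notrunc 2>/dev/null
}

# Stand-alone demo: a fresh backup passes, a damaged one fails.
work=$(mktemp -d)
make_sample_data "$work/src"
take_backup "$work/src" "$work/bak"
echo "fresh backup:     $(verify_backup "$work/bak" "$work/restore")"
corrupt_backup "$work/bak"
echo "corrupted backup: $(verify_backup "$work/bak" "$work/restore")"
rm -rf "$work"
```

In practice the archive and manifest would be written to media that is kept offline between backup runs, and the restore test would be run on a schedule from a host that has no write access to that media; the point of the manifest is that the test can pass or fail without consulting the live data, which may already be encrypted by the time you need it.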
SunCrypt Ransomware Hits University Hospital in NJ
A data breach of some 48,000 documents followed a ransomware attack on University Hospital in NJ (UHNJ), a New Jersey state-owned teaching hospital founded in 1994.
Although SunCrypt began operations in 2019, the group has become more active since establishing a dedicated leak site.
Data allegedly stolen from UHNJ during a September ransomware attack has been leaked by the SunCrypt operators. The data leak contains patient-information release-authorization forms, social security numbers (SSNs), copies of driving licenses, dates of birth (DOB), and information about the board of directors.
A cybersecurity source told BleepingComputer that the TrickBot trojan infected a hospital employee in August. Ryuk and, often, Maze ransomware operations are known to use TrickBot infections as the entry point for their attacks, and SunCrypt has confirmed that it is part of the "Maze cartel".
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.