News You Might’ve Missed. 19 – 22 Apr

What's new this week in the news for MSPs? REvil ransomware allegedly strikes Quanta Computer, takes blueprints for Apple; hacking campaign against Pulse Secure VPN devices breaches government agencies; Qlocker ransomware attack leverages 7-Zip to encrypt QNAP devices; and Codecov supply-chain attack hacks hundreds of networks, according to reports.Let's see what it's all about.

REvil Ransomware Strikes Quanta Computer, Takes Blueprints for Apple

According to a report in The Record this week, the REvil ransomware group attacked Quanta Computer, based in Taiwan, taking blueprints of several computer manufacturers, including Apple.

To prove they had successfully hacked Quanta, REvil posted 21 screenshots to show the MacBook blueprints, while threatening to post more until they get the payment. It is believed that they are demanding $50 million, which is the same amount they required from Acer in March.

REvil ransomware team is negotiating to sell confidential items with a number of major brands. They also wrote, "We recommend that Apple buy back the available data by May 1st."

The approach they have employed, targeting Apple after failing to get a ransom paid by Quanta, is a new twist. Attackers usually only go after a single victim that is not any of the customers.

Hacking Campaign Against Pulse Secure VPN Devices Compromises Government Agencies

FireEye Inc. and Pulse Secure confirmed that multiple US government agencies had been hacked by suspected Chinese state-sponsored attackers beginning in June. The hackers are leveraging vulnerabilities found in Pulse Secure LLC VPN devices.

Pulse Secure LLC patched three of the vulnerabilities in 2019 and 2020, after detecting them. Another vulnerability was noticed this month, although it only affected a limited number of clients. According to Ivanti Inc., who acquired Pulse Secure LLC in December, it is working with its customers with a few strategies to mitigate the problems until it issues a patch, expected to be in early May.

The threat actor leverages access provided by the weaknesses to place web shells on the Pulse Connect Secure devices that permit further access and persistence. Moreover, the functions provided by the web shells are wide-ranging. These include multi-factor authentication bypass, authentication bypass, persistence through patching, and password logging.

China denies involvement in these attacks, with a Chinese Embassy spokesperson stating that the country firmly opposes and cracks down on all types of cyberattacks.

Qlocker Ransomware Attack Leverages 7-Zip to Encrypt QNAP Devices

Qlocker started targeting QNAP devices in ransomware campaigns on April 19th, 2021. Since then, BleepingComputer says it noticed many reports in its support forum related to this and that ID Ransomware has seen an uptick in submissions from victims.

According to reports from victims, the threat actors use 7-Zip to move QNAP devices' files into password-protected archives. During the process of the files being locked, the QNAP Resource Monitor displays many 7z functions. Once complete, the ransomware stores the files in a password-protected 7-Zip archive. To get into the archive, the password, known only to the threat actor, needs to be entered.

According to BleepingComputer, the victims need to pay 0.01 in Bitcoin (roughly $557.74) to receive the password to access their files. If you know your device is encrypted, QNAP says do not reboot it; instead run the malware scanner immediately.

Codecov Supply-Chain Attack Hacks Hundreds of Networks, According to Reports

According to updated information about the incident, Codecov's hack influenced their customers’ processes. US investigators say that the attackers managed to leverage the Codecov software and compromise a massive number of its customers’ networks by using the organization as a launchpad.

They first discovered the compromise and the backdoor in the Bash Uploader script on April 1st. With more than 29,000 customers, this incident is a noteworthy supply-chain incident.

According to federal investigators, the Codecov attackers' goal was to use the collected customer credentials to tap into hundreds of client networks, and they deployed automation in order to do so. The hackers could conceivably gain credentials for thousands of restricted systems by abusing the customer credentials collected via the Bash Uploader script.

The extent and scope of the incident led US federal investigators to step in and thoroughly investigate the incident.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.