What's new this week in the news for MSPs? Microsoft introduces Azure Space to power satellite initiatives; Coinbase phishing campaign targets Office 365 credentials; BetterCloud launches its "Discover" platform to expose employee SaaS use; GravityRAT malware now targets Android and macOS devices; Egregor ransomware hits Barnes & Noble; and Microsoft takes down 94% of TrickBot’s servers.
Microsoft Introduces Azure Space to Power Satellite Initiative
Microsoft Corp introduced Azure Space, a new portfolio of cloud products, this week. The new portfolio will offer satellite constellation simulations and provide Internet connectivity to cloud edge devices, among other use scenarios.
As the name suggests, Azure Space will target space-sector customers as a large part of its business. The recently launched Azure Orbital is also included in the portfolio and provides operators with terrestrial antennas or ground stations for communicating with their orbiting craft.
Its first product, Azure Orbital Emulator, was also announced. It will enable its customers to make software versions of satellites or entire constellations to use as testbeds before a launch, in order to validate the components.
Azure Modular Datacenter (MDC) was also in the announcement as a new product offering. This compact data center can be transported on a truck and comes in a ruggedized container. It can continue to operate even without a stable power supply. What's more, the MDC will switch to satellite communications if there is an Internet outage.
Microsoft has partnered with SpaceX to offer its Azure customers Internet connectivity over SpaceX's Starlink constellation. According to Microsoft, the connectivity is based on a network of satellites located in low Earth orbit; this is a lower altitude than some traditional communications constellations.
Coinbase Phishing Campaign Targets Office 365 Credentials
Hackers are using Coinbase-themed emails in a new phishing campaign to gain access to victims' email. The emails appear to be a notification from Coinbase informing the recipient of new terms of service that they need to read and accept.
The hackers use a modified consent app that appears to be a version of the Office 365 application that allows third parties to access email accounts.
After clicking on the link to "Read and Accept Terms of Service FAQ," recipients are directed to the real Microsoft website to log in to their account and then give the malicious app (called "coinbaseterms.app") read and write access to their email.
The access doesn't permit the hackers to send new emails, but they can still read prior correspondence and edit unsent drafts. Additionally, they may be able to read many messages sent by two-factor authentication service providers.
Analysts suggest that Coinbase subscribers may not be the hackers' specific target and that the emails could be sent out at random.
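A defender-side check for the consent grant described above, as an added example that is not part of the original article: it scans records shaped like Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` objects and reports user-consented mailbox scopes held by external apps without a verified publisher. The tenant names, ids and sample records are constructed, and using "external and unverified" as the flagging rule is an assumption.

```python
"""Audit OAuth consent grants for third-party apps holding mailbox access."""

def risky_mail_grants(grants, service_principals, home_tenant):
    """Return user-consented mail grants held by unverified, external apps."""
    apps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = grant.get("scope", "").split()  # Graph stores scopes space-separated
        mail = sorted(s for s in scopes if s.lower().startswith("mail."))
        if not mail or grant.get("consentType") != "Principal":
            continue  # no mailbox scope, or consent was granted tenant-wide by an admin
        app = apps.get(grant["clientId"], {})
        external = app.get("appOwnerOrganizationId") != home_tenant
        verified = bool((app.get("verifiedPublisher") or {}).get("verifiedPublisherId"))
        if external and not verified:
            findings.append({
                "app": app.get("displayName", "<unknown>"),
                "user": grant.get("principalId"),
                "mail_scopes": mail,
                # Read/write without send still exposes old mail and unsent drafts.
                "can_send": any(s.lower().startswith("mail.send") for s in mail),
            })
    return findings

# Constructed sample data: every id, tenant and record below is made up.
HOME_TENANT = "tenant-home"
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "coinbaseterms.app",
     "appOwnerOrganizationId": "tenant-ext-1", "verifiedPublisher": {}},
    {"id": "sp-2", "displayName": "Helpdesk Mail Archiver",
     "appOwnerOrganizationId": "tenant-home", "verifiedPublisher": {}},
    {"id": "sp-3", "displayName": "Example Mail Client",
     "appOwnerOrganizationId": "tenant-ext-2",
     "verifiedPublisher": {"verifiedPublisherId": "0000001"}},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-alice",
     "scope": "User.Read Mail.ReadWrite"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-bob",
     "scope": "Mail.ReadWrite Mail.Send"},
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-carol",
     "scope": "User.Read Calendars.Read"},
]

if __name__ == "__main__":
    for finding in risky_mail_grants(GRANTS, SERVICE_PRINCIPALS, HOME_TENANT):
        print(finding)
```

Because the victim signs in on the real Microsoft site, a password reset does not remove the app's access; the grant itself has to be revoked.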
BetterCloud Launches Its "Discover" Platform to Expose Employee SaaS Use
BetterCloud introduced its new platform at its virtual Altitude event this week. It's aimed at offering companies a clear view of the SaaS applications in use by their workers. It aims to combat a phenomenon known as shadow IT, where employees use cloud services and other technology products without the IT department knowing about it. The goal is to reduce cybersecurity risks that come from cloud services that are deployed without oversight.
According to BetterCloud, the new platform detects both approved and unapproved apps. Now firms can stem the use of shadow IT by locating instances they may not have discovered before.
GravityRAT Malware Now Targets Android and macOS Devices
The cybercriminals behind the GravityRAT malware have rolled out new variants for macOS and Android for the first time. This remote access trojan was first seen in 2015, according to researchers at Kaspersky. Up to now, it has primarily targeted Windows operating systems. What's more, the last major update to it was in 2018, when fundamental changes were made to the code by its developers.
New variants that have been seen recently show updated code in the GravityRAT malware. The updated malware can now retrieve device data, email addresses, contact lists, SMS messages, and call logs. Additionally, it can exfiltrate many kinds of files and documents.
Kaspersky learned that GravityRAT had resurfaced when its analysts noticed malware code inserted in an Android travel app primarily for Indian customers. In all, their analysis uncovered more than ten new variants of GravityRAT, all distributed in trojanized apps, some giving the appearance of secure file sharing apps or media players.
When the modules are used together, they form multiplatform code that provides the criminals with access to Android, Windows OS, and macOS.
The analysts noted that the primary change to GravityRAT is the move to multiplatform, and that the group behind the malware is using digital signatures to make the apps look more legitimate.
The GravityRAT campaign specifically targets victims in India, which is usual for the group.
Egregor Ransomware Hits Barnes & Noble
On October 10, the US bookstore giant's customers began posting complaints on its Nook Facebook page and on Twitter that they couldn't access their accounts. The Egregor ransomware group says it is behind the cyberattack.
Barnes & Noble is the largest traditional bookseller in the US and has more than 600 outlets across the country. It also operates Nook Digital, its e-book and e-reader platform.
Following the complaints from users, Barnes & Noble posted an update on the Nook Facebook page about a severe system failure, stating that they were working on getting systems functioning again.
Last Wednesday, they shared details that they had suffered a cyberattack on October 10. The ransomware attackers infiltrated their corporate network during the attack. Once the attack was discovered, the company shut down its systems to prevent it from spreading further, which led to the service outage. Nevertheless, they say that none of their customers’ payment details were exposed.
According to Barnes & Noble, email addresses, shipping addresses, billing addresses, and purchase histories were exposed during the attack.
Egregor is a recent entry among ransomware gangs, having appeared in mid-September 2020. After access to an administrator account was obtained, another threat group was given access to the network and encrypted the network drives. The attackers have published data stolen during the attack, which appears to be Windows Registry hives, rather than stolen files.
Microsoft Takes down 94% of TrickBot’s Servers
While TrickBot survived an initial takedown attempt, Microsoft and its partners continued their work to take it down. Microsoft had said it would continue its efforts, and has done so. Since the initial action, Microsoft has successfully taken down 94% of the botnet's C&C servers. This figure includes both new servers brought online after the first takedown and the original servers.
"From the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as TrickBot infrastructure around the world," said Tom Burt, CVP of Customer Security and Trust at Microsoft.
While TrickBot is walking on crutches, it is still alive with a few command and control servers. These are allowing the botnet to continue to control its stash of infected devices.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.