What's new this week in the news for MSPs? This week Google's Cloud for Healthcare is ready to launch, and BeyondCorp remote access for virtual workers is launched. Amazon's AppFlow debuts, IT giant Cognizant is hit by Maze ransomware, and the City of Torrance in LA County is targeted by DoppelPaymer ransomware. Finally, beware of a new phishing campaign using fake customer complaints to access corporate networks.
Let's see what's going on.
Google Cloud Healthcare API Ready
Google Healthcare API is a service that aims to help the exchange of data between healthcare apps and services that run on Google's cloud. Google LLC announced this week that this API would help patients to access their healthcare information using third-party applications.
Healthcare workers will be able to enter and manage data from multiple inputs and systems. They can then analyze the data using AI and machine-learning-based tools. New government directives to healthcare providers specify giving patients more convenient access to their healthcare data. Due to this, many believe that providers are likely to embrace this new API.
Google Cloud Healthcare API is a managed, scalable environment to build clinical and analytics applications. It also supports HIPAA compliance and incorporates several data loss prevention schemes, and policy and identity management tools, according to Google.
BeyondCorp Remote Access for Virtual Workers Launched from Google
To assist businesses in securing their most critical applications and data during this challenging time when many workers are doing work from home, Google LLC has updated its BeyondCorp security framework.
With BeyondCorp's "zero trust" security framework, employees can work from anywhere without needing a traditional VPN. It moves away from using access control based on whether users' access requests are internal or external to the corporate network. Instead, it assumes that users requesting access from inside the network are just as untrustworthy as those seeking remote access.
This change results in access being granted based on details about the particular users, their jobs, and the security status of the devices they're using. In short, this is a zero trust model.
Debut of AppFlow from Amazon
Developers can now make use of Amazon's AppFlow to manage the flow of data between AWS and other SaaS applications like Google Analytics, Marketo, Salesforce, ServiceNow, Slack, Snowflake, and Zendesk.
This managed service enables users to create and automate bidirectional data flows without the need to write custom integration code. The flows use event triggers or can be scheduled to run at preset times or on-demand, according to the announcement from Amazon.
Despite Amazon's statement that the data flows can be bidirectional, the service appears more focused on moving data from SaaS apps into AWS services, where the data can be analyzed. Amazon AppFlow comes with many tools for transforming data to help with this.
Cognizant Hit by Maze Ransomware
The information technology services company Cognizant Technology Solutions Corp. was the object of an attack by Maze ransomware. In its statement, Cognizant acknowledges a security incident involving its internal systems, saying that its issues were related to a Maze ransomware attack.
At the time of the announcement, it also disclosed that its internal security teams, supplemented by leading cyber-defense firms, were actively taking steps to contain this incident, as well as reporting the attack to law-enforcement authorities.
Over the last two months, Maze ransomware has frequently been in the news. Most recently, it was used in the attack on Chubb Group Holdings Inc. on March 26th, in addition to Hammersmith Medicines Research Ltd., a company working on developing a COVID-19 vaccine. This attack resulted in private data being disclosed on March 22nd.
Sam Roguine, a director at Arcserve LLC, noted that the attack shows that the Maze ransomware gang isn't backing down.
DoppelPaymer Ransomware Hits Torrance, CA
The City of Torrance, which is part of the Los Angeles metropolitan area in California, has allegedly been hit by DoppelPaymer ransomware actors. As a result, the city has had unencrypted data stolen and devices encrypted.
DoppelPaymer created a site called "Doppel Leaks" in February 2020. In its most recent update, it has added a page titled "City of Torrance, CA", which contains many leaked file archives allegedly stolen during the attack.
In an email to BleepingComputer, the DoppelPaymer operators claimed that in the attack on March 1st, they erased the city's local backups and encrypted about 150 servers and 500 workstations.
DoppelPaymer requires 100 bitcoins, or approximately $680,000, to provide a decryption key.
As part of the attack, they also claim to have stolen approximately 200+ GB of files.
New Phishing Campaign Masquerades as Customer Complaint
If your clients have received any emails purporting to be from their corporate lawyer, it could be the latest phishing scam at work. This new phishing campaign targets a company's employees with fake customer complaints that install a new back door, which is then used to compromise the network.
The suspect emails utilize subjects like "Re: customer complaint in [insert company name]" or "Re: customer complaint for [recipient name]" and state that the recipient's employer has received a customer complaint about them and that, as a result, the employee will be fined and have the amount deducted from their salary. The rest plays out like this:
- The employee is instructed to download and review the complaint from an included Google Docs link, as the "Corporate Lawyer" would like to meet with them to discuss it
- When the user visits this link, they will see a stylized Google Docs document masquerading as a customer complaint, with information on how to download it
- When the user clicks the "Expand and Preview" link, the Prevew.PDF.exe file is downloaded, containing a back door called "bazaloader" (named after the domain used by its command and control server)
- When executed, bazaloader releases malware that injects itself into the legitimate C:\Windows\system32\svchost.exe
- Bazaloader proceeds to connect to a remote command and control server, where it sends data and receives additional commands or payloads
To be safe, always enable file extensions in Windows, so that you can quickly determine what kind of file is being downloaded.
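As an added illustration (not code from the original post or from any vendor mentioned in it), the following Python routine shows why that advice matters and how a defender can turn the campaign's two tells into a check: it reproduces what a hidden-extension name such as Prevew.PDF.exe looks like to the user, flags document-then-executable double extensions, and combines that with the lure subject pattern quoted above. The sample events are constructed for the example.

```python
import re
from typing import List, Tuple

# Extensions Windows runs as programs; a customer complaint should never carry one
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Extensions a user expects on a complaint document
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}

# Subject pattern used by the campaign described above (case-insensitive)
SUBJECT_RE = re.compile(r"^re:\s*customer complaint\s+(in|for)\b", re.IGNORECASE)


def displayed_name(filename: str) -> str:
    """What Explorer shows when 'Hide extensions for known file types' is on:
    the final extension is dropped, so 'Prevew.PDF.exe' appears as 'Prevew.PDF'."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def is_masquerading_executable(filename: str) -> bool:
    """True for an executable whose name carries a document extension right
    before the real one (e.g. 'Prevew.PDF.exe'). Case-insensitive, like Windows."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def triage(events: List[Tuple[str, str]]) -> List[str]:
    """Return the filenames to alert on from (mail subject, downloaded file) pairs.
    A double-extension executable is always flagged; a plain executable is flagged
    only when it arrives under the campaign's lure subject."""
    flagged = []
    for subject, filename in events:
        lure = bool(SUBJECT_RE.search(subject.strip()))
        ext = filename.lower().rpartition(".")[2]
        if is_masquerading_executable(filename) or (lure and ext in EXECUTABLE_EXTS):
            flagged.append(filename)
    return flagged


# Constructed sample events, not real mail or endpoint telemetry
SAMPLE_EVENTS = [
    ("Re: customer complaint in Example Corp", "Prevew.PDF.exe"),
    ("Re: customer complaint for J. Doe", "complaint.pdf"),
    ("Q2 invoice", "invoice.docx"),
    ("Re: customer complaint in Example Corp", "report.exe"),
]

if __name__ == "__main__":
    print("user sees:", displayed_name("Prevew.PDF.exe"))
    print("flagged:", triage(SAMPLE_EVENTS))
```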
That's a Wrap
That's the news for MSPs this week in summary. I hope this has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.