What’s in the news this week for MSPs?
More security features coming to Gmail and G Suite; Orange S.A. suffers a ransomware attack with data stolen; the Emotet botnet is rapidly spreading QakBot malware; Netwalker ransomware strikes Lorien Health Services; GEDmatch, the DNA-matching service, suffers a data breach; and hackers compromise Twilio’s TaskRouter JS SDK. Let’s see what it’s all about.
More Security Features Coming to Gmail and G Suite
Google announced new updates coming to Gmail and G Suite as part of its effort to help remote workers. They made the announcement at their event Google Cloud Next OnAir, which runs until September 8th.
The updates include support in Gmail for the Brand Indicators for Message Identification (BIMI) standard, which lets email users know that the email they are receiving is genuine. According to Google LLC, BIMI will let a business verify that it owns its logos by securely transmitting them to Google.
The logos can then be viewed in a sender’s email avatar location. The concept aims to help organizations create more trust in their brand.
Orange S.A. Suffers Ransomware Attack with Data Stolen
French telecommunications company Orange S.A. recently suffered a ransomware attack that originated from the Nefilim ransomware group. The group is now offering the stolen data on its leak site.
The attack focused on Orange’s business services, where it offers enterprise solutions like virtual workstations, remote support, system security, cloud hosting, and cloud backups.
In Orange’s confirmation of the attack, it said it had been targeted overnight on July 4th and into July 5th. Its security team was “mobilized to identify the origin of the attack and has put in place all necessary solutions required to ensure the security of our systems.” They added that those behind the ransomware attack had compromised data from about 20 customers on its virtual hosting service.
No other services were affected. The company has 266 million customers internationally.
Emotet Botnet Rapidly Spreading QakBot Malware
Researchers tracking the Emotet botnet recently noted that the malware has begun pushing the QakBot banking trojan more rapidly. QakBot seems to have replaced TrickBot, which had been used previously.
What’s more, it was only last week that Emotet reappeared after an absence of about five months. Initially, after their reappearance, the malware operators briefly went back to installing TrickBot on compromised Windows systems. They then changed gears, and QakBot began appearing instead. A look at the malware code shows that this trojan is now the go-to malware bot for the Emotet botnet.
It’s unclear what the QakBot payload is on infected systems, but some victims may get ransomware as a special surprise -- in particular, ProLock. Emotet is still using emails for malware distribution; the threat is usually delivered in an attached infected document.
Netwalker Ransomware Strikes Lorien Health Services
Lorien Health Services is a family-owned nursing home for the elderly with nine locations in Carroll, Baltimore, Harford, and Howard counties in Maryland, in addition to a rehabilitation and fitness facility. In early June, it announced that it had suffered a ransomware attack, during which data was stolen and then encrypted.
After a review of their systems, it was found that personal information had been accessed and “may have included residents’ names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information.” It’s possible that they also accessed employee data.
The number of impacted individuals is 47,754, as disclosed in the notification of the breach sent to the Secretary of Health and Human Services.
Learn about common ransomware attack scenarios and what to do if one of these attacks affects your clients. Further reading: Ransomware Attack Scenarios.
Hackers Compromise Twilio’s TaskRouter JS SDK
According to Twilio, a cloud communications platform as a service (CPaaS) company, attackers tampered with its TaskRouter JS SDK after reaching it through one of Twilio’s misconfigured Amazon AWS S3 buckets. The SDK’s path had been left publicly exposed, both readable and writable, for approximately five years.
Only version 1.20 of the TaskRouter JS SDK library was compromised, according to the incident report published by Twilio. Clients use the library to route tasks to processes or agents through the Twilio TaskRouter attribute-based routing engine; the attackers introduced malicious code into that version.
“Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” Twilio said. There’s so far no evidence that the attackers gained access to any customer information or data, according to the company. Still, Twilio has urged its customers to update the impacted SDK immediately if the version they are currently using was downloaded while it was compromised.
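The root cause here is a bucket that served a script to browsers while also accepting writes from anyone, so the practical defender's check is to audit every bucket that hosts client-side code for public write grants. The audit below is an added example, not Twilio's or AWS's code. It evaluates the two documents that `boto3`'s `get_bucket_acl()` and `get_bucket_policy()` return, but the bucket names, grants and statements are constructed inputs, so the block runs offline; public read is deliberately left alone because a CDN-style SDK bucket is expected to be readable.

```python
"""Audit an S3 bucket ACL and bucket policy for public *write* access.

Added example, not Twilio's code. The input shapes mirror boto3's
get_bucket_acl() / get_bucket_policy() results; all sample values are constructed.
"""

# ACL group URIs that mean "anyone" (AuthenticatedUsers = any AWS account, i.e. effectively public).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:*", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_write_grants(acl):
    """Return findings for ACL grants that let a public group write to the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            if grant.get("Permission") in WRITE_PERMISSIONS:
                findings.append(f"ACL grants {grant['Permission']} to {grantee['URI']}")
    return findings


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_write_statements(policy):
    """Return findings for Allow statements that grant write actions to everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        writes = sorted(set(_as_list(stmt.get("Action", []))) & WRITE_ACTIONS)
        if writes:
            # A Condition block may narrow the grant; still report it for review.
            note = " (conditional, review the Condition block)" if "Condition" in stmt else ""
            findings.append(f"Policy {stmt.get('Sid', '<no Sid>')} allows {', '.join(writes)} to everyone{note}")
    return findings


def audit_bucket(acl, policy):
    """Combined report; an empty list means no public write path was found."""
    return acl_public_write_grants(acl) + policy_public_write_statements(policy)


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed: a bucket serving an SDK that is readable AND writable by anyone.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
    {"Sid": "LegacyUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
]}

# Constructed: the hardened form keeps public read for the SDK and removes every public write.
HARDENED_ACL = {"Grants": [EXPOSED_ACL["Grants"][0], EXPOSED_ACL["Grants"][1]]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [EXPOSED_POLICY["Statement"][0]]}

if __name__ == "__main__":
    print("exposed :", audit_bucket(EXPOSED_ACL, EXPOSED_POLICY))
    print("hardened:", audit_bucket(HARDENED_ACL, HARDENED_POLICY))
```

In a real environment you would feed the output of `get_bucket_acl` and `get_bucket_policy` for each bucket into `audit_bucket`, and pair the audit with S3 Block Public Access and object versioning so that a write, if one ever happens, is both prevented and recoverable. Consumers of a hosted script have their own control: pinning the exact version, as Twilio's advice to update implies, and verifying what the browser actually loads.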
That’s a Wrap
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.