What's new this week in the news for MSPs? New mystery malware targeting Macs with Intel and M1 chips; SolarWinds hackers didn't launch attacks but downloaded code, says Microsoft; fake FedEx and DHL emails part of a phishing scam on Microsoft users; and ransomware attack hits Finnish IT services conglomerate TietoEVRY.
Let's see what it's all about.
New Mystery Malware Targeting Macs with Intel and M1 Chips
Researchers at Red Canary say there is a new form of malware targeting Apple Inc. computers with Intel Corp. and Apple M1 chips. However,, not much is known about the goal of the attacks. The malware targets a root-level folder known as LaunchAgent, which stores scripts that manage system processes automatically.
Apple initially introduced the folders in 2012, as a method of avoiding malware attacks, so the fact that the folders are being targeted is a strange turn of events.
The malware, dubbed "Silver Sparrow" by the researchers, has been confirmed to exist on new Macs. So far, the researchers haven't seen it do anything malicious. Moreover, this malware doesn't appear to distribute additional malicious payloads.
Nevertheless, with its M1 chip compatibility, global reach, somewhat high rate of infection, and mature operation, researchers see Silver Sparrow as a severe threat.
With it sitting in plain sight, the researchers assume that those behind the malware will leverage to install code that may be damaging to those using macOS. From what we know right now, Silver Sparrow infects macOS installations using JavaScript for execution. According to the researchers, this is unusual as they haven't seen it with other malware types on Apple systems.
What's more, it's also the first type of malware to infect Apple computers with M1 chips since their introduction in November. Many expect that they will replace Macs with Intel processors over time.
SolarWinds Hackers Didn't Launch Attacks but Downloaded Code, Says Microsoft
An internal investigation into the SolarWinds Worldwide LLC breach was completed by Microsoft's Security Response Center this week. Their findings say that, although the hackers downloaded some source code, there was no evidence that they exploited internal systems or products to attack users.
On December 17th, reports first suggested Microsoft was one of the victims in the SolarWinds hacking incident. At the time, Microsoft President Brad Smith denied these claims, but the company still began a full internal investigation into the matter.
Researchers at Microsoft found no case of any single product or service or related repositories being accessed. Nor did they discover that the hackers were successful in accessing the vast majority of source code. At best, where they accessed code repositories, the hackers viewed only specific files.
Additional access to a small number of repositories resulted in the hackers downloading component source code. These repositories held code for a small subset of Intune, Azure, and Exchange components.
Based on the search terms that the hackers used, they were attempting to find secrets. They failed because Microsoft's development policy doesn't permit putting secrets in code and instead uses automated tools to verify compliance.
The researchers recommended a zero-trust "assume breach" methodology be adopted to avoid attacks in the future. It should be a critical part of defense, and is essential in order to protect credentials.
Learn what are the best practices of responding to ransomware attacks in our article: Designing a Ransomware Response Plan
Ransomware Attack Hits Finnish IT Services Conglomerate TietoEVRY
TietoEVRY encountered technical issues for 25 customers in the manufacturing, service-related, and retail industries this week. Later, they found that it was all caused by an attack by ransomware cybercriminals.
When they discovered the attack, TietoEVRY disconnected all services and the affected infrastructure to stop the ransomware from spreading.
IT services providers such as MSSPs and MSPs are a lucrative target for ransomware operators. They use software over remote connections to manage their clients, so that they can quickly deploy fixes and updates when they are needed.
Fake FedEx and DHL Emails Part of a Phishing Scam on Microsoft Users
A new round of phishing attacks is targeting Microsoft email service users. The phishing scam sends fake messages that appear to come from FedEx and DHL.
Armorblox Inc. researchers say the phishing attack has hit 10,000 Microsoft email users with fake links that steal the victim's credentials if followed. The emails claim to have a document sent to the victim and use the title "You have received FedEx files." The fake emails from DHL say that "your parcel has arrived."
The FedEx phishing campaign's email contains some information about the fake document to make it appear authentic. For example, it includes the type of document, the number of pages, and the ID number. If the victim clicks on the link provided, it takes them to a file hosted on Quip, a Salesforce Inc. tool that offers spreadsheets, documents, and other services.
The Quip file redirects the user to a final phishing web page that appears to be the Microsoft login portal. It seems to be hosted on Google's Firebase and fools the victim into believing the link is genuine.
If the victims enter the Microsoft credentials, they see an error message asking them to enter their correct information. It is actually giving the hackers their login details.
In the DHL phishing attack, the users are asked to enter their details on a fake web page. In this case, the hackers are stealing the work email login information or their victim's Adobe credentials.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.
Read our free guide to learn about:
- Common MSP vulnerabilities;
- How to prepare for a ransomware attack to keep your clients safe;
- Which actions response to a ransomware attack should involve;
- How to manage clients while handling an attack.