News You Might’ve Missed. 23 – 27 Nov

What's new this week in the news for MSPs? AWS Cloud Kinesis Data Stream outage fixed; Amazon starts fully managed Apache Airflow; FBI warning on Ragnar Locker activity; data stolen in a cyberattack against Belden; and TrickBot 100 “debuts” with new features.

Let’s see what it’s all about.

AWS Cloud Kinesis Data Stream Outage Fixed

The Kinesis Data Stream Service by Amazon Web Services Inc. began experiencing technical issues this week. These caused disruptions for Roku Inc., Roomba maker iRobot Corp., Adobe Systems Inc., and other companies that rely on AWS’s cloud platform.

The outage on Kinesis Data Streams was in one specific AWS data center cluster: the US-EAST-1 Region in Northern Virginia. The US-EAST-1 cluster contains six availability zones. A malfunction in a subsystem responsible for handling incoming requests was the cause of the issue, which made it difficult for the service to read and write the information required by the related systems.

The outage affected AWS customers with applications relying on Kinesis Data Streams to transport information.

According to a recent update by Amazon on Wednesday, it had made significant progress toward fixing the problem. On Thursday, Amazon said the issue was fully resolved.

Amazon Starts Fully Managed Apache Airflow

To help customers execute data processing workloads in the cloud, AWS added a new service this week, called Amazon Managed Workflows for Apache Airflow (MWAA). According to Amazon, it's meant to help its customers using the open-source Apache Airflow tool. AWS customers use the tool to author, schedule, and track data workflows.

According to Danilo Poccia, chief evangelist at AWA for Europe, the Middle East, and Africa region, AWS clients use Apache Airflow to facilitate simpler data processing pipelines. It works by breaking them into sets of smaller tasks and then executing them as part of a workflow.

Any company using analytics and machine learning tools to gain insights from its large stored-data resources knows that data processing is a necessary component.

Amazon MWAA is a fully managed service that removes the necessity to install and ensure and maintain the security of Apache Airflow. With this service, customers can use the same familiar platform. It manages their data processing workloads, and they enjoy better scalability, safety, and availability without needing the underlying infrastructure.

FBI Warning on Ragnar Locker Activity

In a warning to their private partners, the cyber division of the US Federal Bureau of Investigation shared concerns over increased Ragnar Locker ransomware activity. The warning comes after a confirmed attack from April 2020.

An MU-000140-MW flash alert was sent to partners from the FBI and was coordinated with DHS-CISA. The notice provides security professionals and system admins with the indicators of the compromise. These will help them safeguard their systems against this ransomware cybergang’s ongoing malicious activities.

The FBI first noticed Ragnar Locker in April 2020, when unknown cybercriminals locked a large firm’s corporate files using the malware, demanding a ransom of $11 million to decrypt them. They also threatened to expose 10TB of data, according to the FBI.

Data Stolen in a Cyberattack Against Belden

Belden, a network device maker, was hit by a cyberattack. The attack let threat actors steal files containing information about its employees and business partners.

In a 'Data Incident' disclosure by the company, it shared details about the attack. The statement went on to say that Belden had suffered a sophisticated attack by an outside party and that the attackers had gained access to a small number of company file servers.

Belden hasn’t fully disclosed the cyberattack details. Still, experts believe the notice shared indicates a ransomware attack. The phrase "sophisticated attack" is now commonly used by lawyers when describing a ransomware attack in disclosure notices.

Belden is now notifying those affected by the attack and is offering them free monitoring and support services.

TrickBot 100 With New Features

The hundredth version of the TrickBot malware, loaded with additional features to evade detection, has been released by the cybercrime gang. TrickBot is a malware infection that is known to come in phishing emails or other malware. TrickBot quietly runs on a victim's computer in the background, downloading other modules to perform different tasks after installation.

It is also known to finish an attack by giving access to other threat actors. They have previously partnered with Ryuk and Conti ransomware, adding bigger payloads for the cybergangs involved.

Hoping it would take them some time to recover, Microsoft and its partners performed a coordinated attack against the TrickBot infrastructure last month. As evidenced by the release of the TrickBot malware's hundredth build, the TrickBot gang is still active.

Advanced Intel’s Vitali Kremez found the most recent build. His analysis also revealed new features meant to make it more challenging to detect. It now injects its DLL into the genuine Windows wermgr.exe (Windows Problem Reporting) executable from memory directly, using code from the 'MemoryModule' project.

After initially starting as an executable, TrickBot will inject itself into wermgr.exe. It then terminates the original TrickBot executable. When injecting the DLL, it will do so using Doppel Hollowing, or process doppelganging, to evade detection by the security software, according to Kremez.

The release of the new version of TrickBot means that, unfortunately, the malware is here to stay for the foreseeable future. Consumers and businesses should remain diligent and careful about which email attachments they open.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.