News You Might’ve Missed. 25 – 29 May

What's new this week in the news for MSPs? Docker and Microsoft Join to Make Azure Container Projects Simpler; Fake COVID-19 Map Delivers New Ransomware in Italy; RagnarLocker Ransomware Operators Are Using Virtual Machines to Deploy; Maze Hackers Leak Credit Card Data from the Bank of Costa Rica; a Russian Hacking Group Uses Gmail to Deliver Turla Malware Commands; and more.

Let's see what's going on.

Docker and Microsoft Join to Make Azure Container Projects Simpler

Docker's relationship with Microsoft dates back to its earliest days, so this new partnership on development projects for their customers should come as no surprise. Software teams already use Docker's namesake container platform through the Docker CLI to build projects on their local machines before moving them to cloud-based environments when they need more hardware resources.

Today, Microsoft and Docker previewed the new integrations that will let developers create cloud-based application environments directly in Azure from the Docker CLI, using only a handful of commands. This innovation relies on Azure Container Instances, Microsoft's managed container service. Developers will be able to copy the configuration of their local desktop development environment to the cloud with a single command with this integration, which will shorten the initial setup process.

Collaboration between Docker and Microsoft also extends to other products.

Fake COVID-19 Map Delivers New [F]Unicorn Ransomware in Italy

The Computer Emergency Response Team (CERT) of the Agency for Digital Italy (AgID) published an advisory about a domestic ransomware threat called [F]Unicorn, which is spreading throughout the country. It uses a rather convincing social-engineering strategy that makes it appear that the malicious executable comes from the Italian Federation of Pharmacists (FOFI).

This ransomware gets onto the victim's system under the guise of Immuni, the contact-tracing app for mobile devices that the Italian government had announced for release at the end of the month. Users are lured by an email in Italian notifying them that a beta release of the Immuni app for PC is available. When the malware is executed, it shows a fake dashboard, allegedly from the Center for Systems Science and Engineering at Johns Hopkins University, with COVID-19 information.

As the victim watches the map, the ransomware is already encrypting their data. Victims are notified that their files are locked via a ransom note written in Italian. The ransom note asks victims to pay 300 euros in three days, or their data will be lost.

According to the security researcher MalwareHunterTeam, it appears to be heavily based on Hidden Tear, with many modifications.

Learn about common ransomware attack scenarios and what to do if one of these attacks affects your clients:

Further reading: Ransomware Attack Scenarios

Ketrum Malware From Recycled Backdoors by Ke3chang Hacking Group

A new malware family called Ketrum, built by the China-based Ke3chang hacking group, blends attributes and source code from the group's earlier Ketrican and Okrum backdoors. Ke3chang's target list includes, among others, a wide range of military and oil-industry entities, government contractors, and European diplomatic missions and organizations.

A new report by researchers at Intezer describes how they found three specimens of the malware. From the samples, they learned that the hacking group hasn't strayed much from its past habits: it still relies on a basic backdoor that lets the Ke3chang operators take command of a victim's system, connect to it from a remote machine, and carry out the remaining steps of the operation manually.

"Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs," Intezer explained.

Operators of the RagnarLocker Ransomware Are Using Virtual Machines to Deploy

The UK-based cybersecurity firm Sophos was the first to spot RagnarLocker ransomware's new technique of installing Oracle's VirtualBox and running virtual machines on the computers they infect. It is a testament to how far cybercriminals will go to hide their ransomware attacks from a victim's antivirus or other security software.

According to Sophos, the group behind RagnarLocker is known for stealing data from targeted networks before launching a ransomware attack to encourage victims to pay.

In past attacks, the RagnarLocker group has gained entry to targeted networks by compromising MSPs or by attacking Windows Remote Desktop Protocol (RDP) connections.
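One defensive takeaway from the Sophos finding is that a full hypervisor appearing on a file server or workstation is itself a signal worth alerting on. The script below is an added illustration, not code from the article or from Sophos: it scans constructed Sysmon-style process-creation records and flags VirtualBox components that are started by a non-interactive parent, or that map a host drive into a guest. The VirtualBox file names, the allow-list of interactive parents, and the sample events are all assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed file names of Oracle VirtualBox components (not taken from the article).
VBOX_BINARIES = {"virtualbox.exe", "vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe"}
# Assumed: on these hosts VirtualBox is only ever launched interactively from the shell.
INTERACTIVE_PARENTS = {"explorer.exe"}

@dataclass
class ProcEvent:
    host: str
    image: str      # full path of the started process
    parent: str     # full path of the parent process
    cmdline: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason if the event looks like ransomware-style VM abuse, else None."""
    if basename(ev.image) not in VBOX_BINARIES:
        return None
    if basename(ev.parent) not in INTERACTIVE_PARENTS:
        return f"VirtualBox component spawned by {basename(ev.parent)}"
    # Mapping a host drive into a guest exposes exactly the data an in-guest encryptor would hit.
    if re.search(r"sharedfolder\s+add\b.*--hostpath\s+[A-Za-z]:", ev.cmdline, re.I):
        return "host drive shared into a guest VM"
    return None

def find_alerts(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    return [(ev.host, r) for ev in events if (r := classify(ev))]

# Constructed sample telemetry for the example, not real logs.
SAMPLE = [
    ProcEvent("ws01", r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
              r"C:\Windows\explorer.exe", "VirtualBox.exe"),
    ProcEvent("fs02", r"C:\ProgramData\vbox\VBoxHeadless.exe",
              r"C:\Windows\System32\cmd.exe", "VBoxHeadless.exe --startvm micro"),
    ProcEvent("ws01", r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
              r"C:\Windows\explorer.exe",
              "VBoxManage.exe sharedfolder add micro --name C_DRIVE --hostpath C:\\"),
    ProcEvent("ws03", r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for host, reason in find_alerts(SAMPLE):
        print(f"{host}: {reason}")
```

In a real deployment the same two checks would run against the process-creation feed (Sysmon Event ID 1 or the EDR equivalent), with the allow-list tuned to hosts where VMs are a legitimate workload.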

Maze Hackers Leak Credit Card Data from the Bank of Costa Rica

Maze ransomware operators have published credit card data taken from the Bank of Costa Rica (BCR) online to prove their claim of breaching the network in the past. They are threatening to release more files every week.

The group claims they are not interested in money but want to expose the bank's security lapses.

On April 30, Maze ransomware operators declared that they have more than 11 million cards from BCR. They say that 4 million are unique, and 140,000 belong to "US citizens."

Mathway Loses 25m Customer Records Stolen by Shiny Hunters Hacking Group

Security researchers at Cyble, Inc. were the first to find the data on the dark web. The stolen customer records include email addresses and passwords and are being offered for a payment of $4,000 by either bitcoin or Monero.

Mathway confirmed the hack in a statement, saying it has retained "a leading data security firm to investigate, address any vulnerabilities and remediate the incident." Robert Prigge, CEO of identity verification solutions firm Jumio Corp, says it's time organizations moved to use biometric methods of authentication to ensure that only the legitimate user has access to their account.

Russian Hacking Group Uses Gmail to Deliver Turla Malware Commands

Security researchers have advised that one of Russia's highest-level state-sponsored hacking groups has new tools in its arsenal. Even though the Turla group still uses the v4 version of ComRAT malware, ESET researchers caution that it's been updated with two new features:

  • extraction of the victim's antivirus logs;
  • the ability to control the malware using a Gmail inbox.

In January, parliaments and foreign affairs ministries of three unidentified European governments were discovered to have been targets of the malware.

The Gmail control mechanism is the second new function: it lets the malware operators control the victim's browser, which loads a predefined cookie file and initiates a session in the Gmail web dashboard.

At this point, the Turla operators send an email to the Gmail account, containing instructions in an attached file.

Matthieu Faou, an ESET researcher, believes collecting antivirus logs may help tweak the malware to avoid antivirus detection in the future.

That's a Wrap

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.
