What’s new this week in the news for MSPs?
Google plans upgrades to improve cloud connectivity; new vulnerability impacts Linux and Windows installations; a new open-source tool from CyberArk to identify shadow admin accounts in MS Azure and AWS; new Ensiko malware aimed at Windows, macOS and Linux web servers; and Emotet malware has a new email-attachment-stealing feature. Let’s see what it’s all about.
Google Plans Upgrades to Improve Cloud Connectivity
This week Google LLC revealed a series of infrastructure upgrades that will provide customers with more ways to connect to its cloud computing services. The announcement came out during its Cloud Next OnAir online conference, which will run through September 8. There is some good tech coming soon.
Transatlantic Subsea Cable
Google has commissioned a new transatlantic subsea cable called Grace Hopper. It is expected to go live on September 22 and run between the US, Spain, and the UK. It is the first subsea cable to go live since 2003.
Private Service Connect
Google is also launching a new, more secure way for its customers to connect, called Private Service Connect. It is a more service-centric approach to networking which abstracts the infrastructure below it. It creates service endpoints in consumer virtual private connections, which provide private connectivity and policy enforcement. The new service will make it simple to connect services across different networks and organizations.
The traffic on the service is not exposed to the public Internet, which makes it secure for customers to access their services directly over Google's global network.
Network Intelligence Center Updates
Two new modules have been added to the NIC. First, a new Performance Dashboard is now available which gives a real-time per-project view into packet loss and latency. Second on the list is Firewall Insights, currently in beta, which provides proactive management features and intelligence for network security teams.
Google Cloud CDN Updates
Finally, Google’s Cloud CDN will now support providing content from multiple locations (on-site data centers and other public clouds), in addition to Google’s cloud.
New Vulnerability Impacts Linux and Windows Installations
There is a newly found weakness that impacts both Linux and Windows installations, and this includes servers. The “BootHole” weakness was identified by security researchers at Eclypsium Inc., an enterprise device security firm. According to them, it was seen residing in the GRUB2 bootloader utilized by most Linux systems. It also is seen in systems using Secure Boot, and any Windows device with the standard Microsoft third-party UEFI certification authority.
BootHole exploits a vulnerability in GRUB2, a piece of software that runs when a system is started, in order to gain arbitrary code execution during the boot process. Even when Secure Boot is enabled, the vulnerability is present. What’s more, attackers who are exploiting this are said to be using it to install persistent and stealthy malicious bootloaders or bootkits that may provide them with near-total control over the victim’s device.
Eclypsium has already contacted operating system providers and computer manufacturers to make them aware of the issue.
A New Cyberark Open Source Tool to Identify Shadow Admin Accounts in MS Azure and AWS
A new open-source tool to detect shadow admin accounts in Microsoft Azure and Amazon Web Services was launched this week by CyberArk Software Ltd, a cybersecurity software firm.
Shadow admin accounts have sensitive privileges and are often overlooked, because they are not members of a privileged Active Directory group. Instead, they get their privileges through the direct assignment of permissions.
Hackers and network attackers look for these accounts, as they come with the administrative privileges they need in order to carry out an attack, while having a lower profile than better-known admin group members.
AzureStealth and AWStealth are the two modules by SkyArk for scanning Azure and AWS environments. It requires only read-only permissions, since it directly queries cloud entities and their permissions in order to carry out an analysis and report the results.
New Ensiko Malware Aimed at Windows, macOS and Linux Web Servers
Threat researchers have uncovered a new feature-rich malware that can encrypt files on any system running PHP. As a result, Windows, macOS, and Linux web servers are at extremely high risk.
Ensiko is a web shell written in PHP malware that attackers can use to remotely control and run a host of malicious activities on a compromised system. While Ensiko has a range of features, the standout is its file-encryption component, since it could be used for ransomware attacks against servers. The malware was analyzed at Trend Micro by researchers who found that it uses the symmetric Rijndael-128 cipher in CBC mode to encrypt files. Ensiko appends a .BAK extension to processed files after it encrypts them in a web shell directory and subdirectories.
Ensiko can load several tools that it downloads from Pastebin and keeps in a directory called “tools_ensikology”, in order to expand its capabilities. The malware gives extended access to threat actors to run brute-force attacks on cPanel, FTP, and Telnet.
Emotet Malware Has a New Email-Attachment-Stealing Feature
For the first time, the Emotet malware botnet has been seen using stolen attachments to add credibility to emails, according to Binary Defense threat researcher James Quinn.
According to Marcus ’MalwareTech’ Hutchins, the attachment-stealer module code — which also steals email content and contact lists — was added around June 13. The malware botnet now takes 131,072-byte or smaller attachments and email contents, based on research by Cryptolaemus.
The new tactic adds to the leveraging of hijacked email conversation threads by the gang behind Emotet. Emotet was initially discovered in 2014 as a banking trojan, but has now evolved into a malware botnet that threat actors use to download other, more nefarious malware families.
That’s a Wrap
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.