What’s new this week in the news for MSPs?
Amazon launches AWS Outposts support for its Relational Database Service; ransomware used by hackers to attack and threaten victims for GDPR breaches is targeting MongoDB users; MSP Xchanging suffers ransomware attack; Office 365 users hit by phishing attacks through OAuth apps; and more. Let’s see what it’s all about.
Amazon Launches AWS Outposts Support for Its Relational Database Service
Amazon recently announced that it has added support for its Amazon Relational Database Service in AWS Outposts. The addition will allow customers to include RDS database instances in their data centers.
The announcement came during the company’s recent re:Invent conference, held in December 2019. AWS Outposts is used by Amazon customers to extend native AWS or VMware cloud deployments in their data centers.
AWS Outposts is most suitable for workloads requiring low-latency access to on-premise systems or apps. According to Amazon’s announcement, it may be applicable to those that work with real-time IoT data or databases used to run manufacturing plants.
Still, there are a few areas where customers should be wary. For example, AWS Outposts can’t store all data locally yet and cannot manage or replicate data across regions for high availability and disaster recovery uses. These shortcomings may be addressed in future updates.
Ransomware Used by Hackers to Attack and Threaten Victims for GDPR Breaches Is Targeting MongoDB Users
22,900 MongoDB databases have been the target of an unknown hacker in a ransomware attack where victims are threatened with being reported for breaching the European Union General Data Protection Regulations unless they pay.
This attack was discovered by security researcher Victor Gevers from the Dutch Institute for Vulnerability Disclosure and was first noticed in April. ZDNet reported that the hackers are employing a script that searches for unsecured active MongoDB installations. The script proceeds to remove the contents of the database and delivers a ransom note requiring payment of 0.015 in bitcoin ($137) within 48 hours in order to get the transferred data returned.
“In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe,” the ransom note reads in somewhat broken English. “Under the rules of the law, you face a heavy fine or arrest.”
Although these types of attacks are commonplace, this attack is unusual because the 22,900 databases represented 47 percent of all MongoDB databases accessible online and were successfully targeted.
US Secret Service Issues an Advisory Warning for MSPs
An advisory warning was issued for MSPs by the US Secret Service due to the increase in cyberattacks against managed service providers. The attacks are being conducted to compromise the customer companies of the MSPs, according to the advisory.
It was noted that MSPs are usually compromised through their own tools, and these include enterprise applications in addition to open-source software.
These applications and their vulnerabilities are the targets of these bad actors, allowing them to penetrate the MSPs’ IT infrastructure.
The attacks that use this method include point-of-sale intrusions and business email compromise (BEC), in addition to various ransomware attacks. The US-based Xchanging MSP is one of the latest victims, and their attackers are still unknown.
MSP Xchanging Suffers Ransomware Attack
Global IT services and solutions provider DXC Technology disclosed an attack on systems of its MSP subsidiary Xchanging. Xchanging is mainly known as a managed service provider for companies in the insurance industry; nevertheless, companies from financial services, aerospace and defense, automotive, education, consumer packaged goods, healthcare, and manufacturing fields also appear on its list of customers.
When DXC Technology reported the incident on July 5th, it expressed confidence that it hadn’t spread beyond the Xchanging network.
The cyberattack affected an undisclosed number of customers. According to the company’s notification, the attack resulted in a denial of access to their operating environment. DXC Technology is working with law enforcement and authorities on the investigation, which is usual in cases like this.
Learn about common ransomware attack scenarios and what to do if one of these attacks affects your clients:
Further reading Ransomware Attack Scenarios
Office 365 Users Hit by Phishing Attacks Through OAuth Apps
With the increase in the number of employees shifting to remote work, customers are becoming exposed to additional security threats. One of these is consent phishing, which comes in addition to conventional credential theft and email phishing attacks.
Consent phishing is similar to an application-based attack, where the targets are scammed by malicious Office 365 OAuth applications (web apps registered by the attackers with an OAuth 2.0 provider) and provide access to their Office 365 accounts.
After successfully getting access to the target’s account, the attackers can access their email, contacts, notes, profile, and files. These may include sensitive information and resources, and anything kept on their corporate SharePoint document management/storage system or OneDrive for Business cloud storage.
“While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services,” Microsoft Partner Group PM Manager Agnieszka Girling said.
Microsoft has also classified — by evaluating and monitoring trillions of signals — and disabled malicious Office 365 OAuth apps to block users from accessing them, besides taking legal action to take down domains used in consent phishing attacks.
New Phishing Scam Using Fake ZoomSuspension Alerts Targets Office 365 Users
A new phishing campaign that uses fake Zoom alerts is targeting Microsoft Office 365 users. These alerts warn people working in business environments that their Zoom accounts have been suspended, with the aim of stealing their Office 365 logins.
The phishing campaign portrays itself as automated Zoom account-suspension alerts and has landed in 50,000 mailboxes, according to data from researchers from Abnormal Security who identified these continuing attacks.
The emails use a spoofed email address and an email body that is nearly free of grammar errors or typing mistakes (aside from a visible ‘zoom’ rather than ‘Zoom account’), which makes the phishing messages more convincing and potentially a lot more effective.
The targets are warned that their Zoom accounts have been temporarily suspended and are directed to click on an activation button embedded within the message in order to restore their account. After they click on the “Activate Account” button, they are redirected to a fake Microsoft log-in page. The victims are asked to input their Outlook credentials in the phishing landing page, in such a way that their account details can be extracted to servers controlled by the attackers.
For more information about phishing please refer to our guide on the topic:
Further reading Anti-Phishing Guide
That’s a Wrap
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next week for more highlights.
- Phishing response checklist
- Phishing awareness training slides
- Anti-phishing posters
