What's new this month in the news for MSPs? Microsoft previews its first ARM-based Azure Virtual Machines; Spring Cloud Function could be the next Log4Shell vuln; Microsoft Exchange servers the target of Hive ransomware affiliate; files are destroyed by Onyx ransomware, not encrypted; and Emotet malware leveraging Windows PowerShell shortcuts for installation.
Let's see what it's all about.
Microsoft Previews Its First ARM-Based Azure Virtual Machines
Earlier this month, Microsoft made its first batch of Azure Virtual Machines (VM) powered by Ampere Computing LLC’s ARM-based Altra server chips available in preview.
The new VMs, which are software-based computers, include memory-optimized Epsv5 and general-purpose Dpsv5 and can provide a 50% price performance increase over x86-based VMs. They have been engineered to efficiently run scale-out workloads, application servers, web servers, cloud-native, open-source databases, .NET applications, gaming servers, Java applications, media servers, and more.
The VMs currently in preview include support for CentOS, Canonical Ubuntu Linux, and Windows 11 Professional and Enterprise Edition on ARM. Support for other operating systems, including Red Hat Enterprise Linux, Debian, Flatcar, SUSE Linux Enterprise Server, and Alma Linux, is under development, according to an authorized spokesperson.
For now, the ARM preview is only available in the West Central US, West US 2, and West Europe Azure regions.
Spring Cloud Function Could Be the Next Log4Shell Vulnerability
Security researchers uncovered a vulnerability in Spring Cloud Function that they’re calling Spring4Shell, and they say it could be the next Log4Shell. Researchers report the vulnerability in versions 3.16, 3.22, and older.
Spring is an open-source, lightweight Java application development framework. It has millions of users, which is why there are concerns the vulnerability could have an impact similar to Log4Shell.
While there are different points of view on the severity of Spring4Shell, it is apparent that a risk exists. BleepingComputer reported that an exploit was leaked online and quickly removed; that a working exploit already exists is significant.
Researchers say there isn’t enough information to quantify how dangerous the vulnerability may be in the wild, how quickly it will spread, or its extent if it does become a serious threat.
The good news is that mitigations are already available for organizations to leverage, both at the WAF level and within the Spring framework itself. In addition, the Spring developers may be working on a patch.
Security teams need to identify which devices on their networks are at risk. That is difficult without an up-to-date asset inventory, which also makes it hard to determine what software, and which versions, are running.
Microsoft Exchange Servers the Target of Hive Ransomware Affiliate
Microsoft Exchange servers are being targeted by an affiliate of the Hive ransomware group to install its malware. Hive is a ransomware-as-a-service operation that appeared in 2021; its operators provide customer service and the code to affiliates, who then organize the attacks themselves.
Researchers at Varonis Systems detailed a Hive attack on Exchange on April 19th, after one of its clients was the target of a ransomware attack.
The affiliate exploited multiple ProxyShell Exchange vulnerabilities in the attack. Attacks on Exchange are not new; it has been targeted by previous ransomware gangs such as Conti. ProxyShell is an evolved version of an earlier attack vector known as ProxyLogon.
ProxyShell chains three vulnerabilities in Exchange, tracked as CVE-2021-34523, CVE-2021-34474, and CVE-2021-31207. While Microsoft released patches in April and May last year, not everyone downloads and installs the patches on their Exchange installations in a timely fashion.
Once the Hive affiliate gained access, it placed a malicious web shell backdoor script in a publicly accessible directory on the Exchange server. It then downloaded a Cobalt Strike component that connects to a remote command-and-control (C2) server and followed this by installing other tools.
The affiliate then scanned for sensitive data and deployed the ransomware.
Security researchers recommend implementing a third-party VPN in a mesh topology to protect public cloud traffic, eliminate exposed vulnerabilities, and keep the servers from being directly reachable from the internet.
Files Are Destroyed by Onyx Ransomware, Not Encrypted
MalwareHunterTeam recently uncovered a new ransomware operation called Onyx that destroys files larger than 2MB, making decryption impossible even if victims pay the ransom.
Onyx cybercriminals steal data from a network before encrypting devices, like most ransomware gangs. They then use the data in double-extortion plots where they threaten to publicly expose it unless the victim pays the ransom.
So far, the Onyx gang has had some success and lists six victims on its data leak page.
MalwareHunterTeam found a sample of the encryptor that exposed the technical functionality of the ransomware. The inner workings of this malware are concerning, since it overwrites files with random junk data instead of encrypting them.
According to MalwareHunterTeam, Onyx encrypts files smaller than 2MB but overwrites any file larger than 2MB with junk data.
The decryptor can recover only the smaller, encrypted files, even if a victim pays. Experts strongly advise that victims should not pay the ransom, since the destructive nature of the encryption routine seems to be intentional rather than a bug.
Forensic analysts at the Czech Republic’s CERT say this ransomware is a variant of the Chaos ransomware.
Emotet Malware Leveraging Windows PowerShell Shortcuts for Installation
The Emotet malware has been making the news since its resurgence last November. Recently, security researchers found it using Windows shortcut ([.]LNK) files containing PowerShell commands to spread its infection to victims' computers. This new process is a move away from Microsoft Office macros, which are now disabled by default.
The Emotet gang has used [.]LNK files, along with Visual Basic Script, in previous campaigns, so the file type itself is not a new method. Leveraging them directly to run PowerShell commands, however, is new.
The new technique that the Emotet threat actors are leveraging appends a malicious string to the [.]LNK file, padded with nulls and obfuscated so that it does not appear in the Target field (where the file points to) when viewing the file’s properties. The [.]LNK file includes several compromised website URLs that host the PowerShell script payload under a random name.
The script launches and generates a second PowerShell script, which downloads the Emotet malware as a DLL from the list of compromised sites and stores it in the %Temp% folder. The DLL is then launched using the regsvr32[.]exe command.
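As an added illustration for defenders (this is not code from the article or from any vendor mentioned), the following parser reads the StringData fields of a Windows .LNK file per the documented Shell Link layout and flags the traits described above: a PowerShell invocation in the argument string, null or whitespace padding in front of it, and arguments long enough to run past the Properties dialog's Target field, which is assumed here to show 260 characters. The sample shortcut is constructed inline for the check and is not a real Emotet file.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # StringData order

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, path, arguments, ...) of a .LNK file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + len(raw)
    return fields

def assess_lnk(data: bytes, target_field_limit: int = 260) -> list:
    """Defender-side checks for the LNK traits described above; returns findings."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    findings = []
    if "powershell" in args.lower():
        findings.append("arguments invoke PowerShell")
    padding = len(args) - len(args.lstrip(" \t\x00"))   # leading null/space padding
    if padding >= 64:
        findings.append(f"arguments begin with {padding} padding characters")
    if len(fields.get("relative_path", "")) + 1 + len(args) > target_field_limit:
        findings.append("arguments run past the visible Target field")
    return findings

def build_sample_lnk(args: str, rel_path: str = ".\\invoice.lnk") -> bytes:
    """Constructed sample .LNK (not a real Emotet file): header + two StringData fields."""
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<I", 0x08 | 0x20 | IS_UNICODE) + b"\x00" * 52  # rest of header
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (rel_path, args))

if __name__ == "__main__":
    sample = build_sample_lnk("\x00" * 300 + 'powershell.exe -c "Write-Output sample"')
    print(assess_lnk(sample))   # three findings for the padded sample
```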
According to security researchers, the use of this new technique by Emotet is quickly increasing. In addition to switching to PowerShell in [.]LNK files, the Emotet threat actors have made several other changes since they resumed operations. For example, they moved to the use of 64-bit modules.
The Emotet malware and others are typically used to launch other, more malicious payloads, such as ransomware like Ryuk and Conti.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.