What's new this month in the news for MSPs? Amazon introduces new data storage features for AWS; Google Cloud retires its IoT Core service; Google makes its VMTD malware detection service generally available; the Yanluowang gang breaches Cisco; the BlackByte ransomware gang's resurgence comes with a new multi-layered approach to extortion; and Zeppelin ransomware may now encrypt devices in several different ways.
Let's see what it's all about.
AWS Introducing New Data Storage Features, Says Amazon
Amazon says that within Amazon Elastic Block Store (EBS) it is placing more importance on data resiliency by adding a new feature called crash-consistent snapshots, which it is making available for subsets of an instance's EBS volumes.
Typically, AWS customers use EBS to back up mission-critical apps, workloads, and other data as a critical part of their disaster recovery and backup plan. Customers can create backups using a few different methods.
Some customers create multi-volume EBS snapshots linked to one specific AWS EC2 instance, while others opt for a snapshot of a particular EBS volume. Either way, the snapshots contain the data from all the completed I/O operations, letting users restore the EBS volumes to the original state when the snapshot was taken.
Before this improvement, users who wanted a multi-volume snapshot containing only specific volumes attached to an individual instance had to make multiple API calls. The crash-consistent snapshots feature makes this simple: users can now specify which volumes they want excluded from the snapshot.
In addition to more flexible snapshots, another new feature from Amazon is the Amazon File Cache. It’s expected that this will simplify and accelerate hybrid workloads.
Amazon File Cache (AFC) provides high-speed caching on AWS, making data processing fast and easy no matter where the data is stored. Amazon says it makes dispersed datasets available to file-based apps on AWS.
IoT Core Service Retired by Google Cloud
Customers received the news from Google LLC's cloud business that Google will discontinue the IoT Core service they use to manage connected devices on August 16, 2023. Google recommended migrating IoT Core-based apps to comparable products.
Many businesses, such as factories, use internet devices to boost efficiency in operations. One such use-case scenario is a manufacturer's sensors that collect data about probable malfunctions. The data is then typically transmitted to a cloud-based analytical app for processing.
IoT Core is used by businesses to define the configuration settings for devices they have recently connected. After establishing a network connection, IoT Core can connect to other connected devices and send their data to the cloud.
Google says that its network of partners specializing in the IoT sector will address its customers' needs more effectively. It will continue to maintain a presence in the connected device market through its Coral series of processing modules.
Google Cloud's value proposition includes the many cloud services it offers to connected-device businesses in addition to IoT Core. Companies use Google's BigQuery data warehouse, for example, to process the logs collected by IoT sensors and scan them for specific data points and hardware malfunction indicators.
Microsoft’s IoT Hub and the AWS IoT Core are similar services offered by Google’s major competitors in the public cloud sector.
Google Making VMTD Malware Detection Service Available to All
Google released VMTD (Virtual Machine Threat Detection), its malware detection service, as a public preview six months ago. Now it has announced that the service is generally available to all, and it has added new features and functionality since the preview.
The VMTD service lets users scan their Google Cloud environments for hacking attempts from the Security Command Center. The scanning technology is built directly into the hypervisor of the data center environment, and VMTD scans the data for crypto-mining traffic and software.
While many cybersecurity products can detect threat actors attempting to use a business's infrastructure for crypto-mining, most require apps known as agents to run inside the cloud instances. The Google VMTD service is agentless: because it runs outside the instance, it cannot be disabled by an attacker during a cyberattack the way an in-guest agent can.
What’s more, Google says VMTD has many advantages over typical cybersecurity products. One method VMTD uses to find malware is to scan cloud instances’ patterns of memory use. This method provides valuable insights into probable malicious activity.
The service runs a scan every 30 minutes throughout the day and summarizes its analysis at the end of the day. Google has more functionality coming for VMTD in the future. So, stay tuned.
Yanluowang Gang Breaches Cisco
Cisco now confirms that Yanluowang breached their business network at the end of May and threatened to leak the data they stole for the purpose of extortion. The data they stole contained non-sensitive information and came from a Box folder attached to an employee’s compromised account.
The breach did not negatively impact the company’s business. According to Cisco’s investigation, the incident didn’t affect any products, services, private employee data, sensitive customer data, supply chain operations, or intellectual property.
BleepingComputer said that the Yanluowang ransomware gang gained access using an employee's stolen credentials: the attackers hijacked the individual's personal Google account, which contained credentials the employee had synchronized from their browser. The cybercriminals then tricked the Cisco employee into accepting multi-factor authentication requests, using voice phishing to convince them that the requests were genuine.
This ransomware gang is a relative newcomer to the scene and was first noticed by the Symantec Threat Hunter Team last October. Trend Micro analyzed the files used by the Yanluowang group and described them, saying they are code-signed using a valid digital signature. The ransomware gang’s moniker comes from a Chinese deity, Yanluo Wang.
Some security experts say that attacks involving users' personal assets are much more challenging to detect. Without visibility into personal assets and endpoints, the risks involved are much higher when personal and professional credentials are combined on the same systems.
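The Cisco intrusion described above combined stolen synchronized credentials with MFA requests the victim was talked into accepting. The following detection logic is an added example, not from the original article or from Cisco: it assumes MFA push prompts are logged one per line as "timestamp user event result" (a hypothetical format) and flags users who receive an unusual burst of prompts and eventually approve one after denials, which is the pattern a defender would want to alert on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from the Cisco incident).
SAMPLE_LOG = """\
2022-05-24T09:00:05Z alice mfa_push denied
2022-05-24T09:00:40Z alice mfa_push denied
2022-05-24T09:01:10Z alice mfa_push denied
2022-05-24T09:01:55Z alice mfa_push timeout
2022-05-24T09:03:20Z alice mfa_push approved
2022-05-24T09:02:00Z bob mfa_push approved
2022-05-24T13:15:00Z bob mfa_push approved
"""

def parse_log(text):
    """Parse lines into (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, event, result = line.split()
        if event == "mfa_push":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def detect_mfa_fatigue(text, window_minutes=10, min_prompts=3):
    """Return {user: (max_prompts_in_window, approved_after_denial)} for users
    who received at least min_prompts push prompts inside any sliding window.
    The flag is True when a denial or timeout in the window is followed by an
    approval, i.e. the user eventually gave in to repeated prompting."""
    by_user = defaultdict(list)
    for ts, user, result in parse_log(text):
        by_user[user].append((ts, result))
    findings = {}
    window = timedelta(minutes=window_minutes)
    for user, prompts in by_user.items():
        start = 0
        for end in range(len(prompts)):
            # Slide the window start forward until it spans at most window_minutes.
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count < min_prompts:
                continue
            denied_seen = gave_in = False
            for _, result in prompts[start:end + 1]:
                if result in ("denied", "timeout"):
                    denied_seen = True
                elif result == "approved" and denied_seen:
                    gave_in = True
            prev = findings.get(user, (0, False))
            findings[user] = (max(prev[0], count), prev[1] or gave_in)
    return findings
```

In practice the thresholds should be tuned to the identity provider's normal prompt rate, and an alert on a user with `approved_after_denial == True` warrants an immediate credential reset and session revocation.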
BlackByte Ransomware Gang’s Resurgence Accompanied by New Multi-Layered Approach to Attacks
The BlackByte ransomware group, with known ties to Conti, is back with new methods for extortion borrowed from LockBit 3.0. Moreover, it has added numerous Twitter profiles into the mix, signaling a new social media presence. BlackByte is using Twitter to promote its new extortion method, data auctions, and leak site.
The new method of extortion lets victims pay a fee to delay the publishing of their private files and information for up to 24 hours ($5,000); they can also opt to download the data ($200,000) or destroy it all ($300,000). This scheme was pioneered by LockBit 3.0, and few observers are surprised by the move.
So far, BlackByte has held its own as one of the more resilient ransomware brands, infecting businesses everywhere. Its previous ransomware came with wormlike capabilities resembling those of Conti's predecessor, Ryuk. Experts note that BlackByte is one of many ransomware-as-a-service (RaaS) operations capable of causing significant disruption using common TTPs (tactics, techniques, and procedures).
The FBI and the US Secret Service issued an advisory in February on BlackByte, cautioning that the attackers launching the ransomware had infected businesses in a minimum of three US critical-infrastructure sectors.
Zeppelin Ransomware May Now Encrypt Devices in Multifarious Ways
Zeppelin ransomware comes from the Delphi-based RaaS family known as VegaLocker or Vega, first observed at the start of 2019. More recently, CISA (the Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation) noted that they have seen the malware reappear, exploiting firewall vulnerabilities and RDP to target a range of critical-infrastructure organizations and verticals.
The agencies also shared TTPs (tactics, techniques, and procedures) and IOCs (indicators of compromise) to assist cybersecurity professionals in detecting activity and blocking attacks that use this ransomware.
The Zeppelin ransomware operators are known for stealing files and information to use in double-extortion schemes and for demanding ransom in Bitcoin, with demands ranging from several thousand to over a million dollars.
The FBI has requested that IT and cybersecurity professionals share any related information when Zeppelin ransomware is detected within their networks. The information they seek includes boundary logs showing communications to and from foreign IP addresses, communications with Zeppelin actors, a sample ransom note, Bitcoin wallet details, a benign sample of an encrypted file, and decryptor files.
The FBI and CISA have also advised businesses to take steps to defend their networks against Zeppelin ransomware attacks. The advice includes training employees and other users to recognize and report phishing attempts, prioritizing patches for vulnerabilities that are exploited in the wild, and enabling and enforcing secure multi-factor authentication.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.