What's new this month in the news for MSPs?
Cloud storage at Google Cloud gets an upgrade; Cado Security shares details of a malware campaign aimed at Redis; Mitiga Security warns of a possible post-exploitation technique on the AWS Systems Manager agent; Google's Threat Horizons report exposes upcoming cloud security challenges; a new phishing campaign leverages Facebook and Salesforce; and EvilProxy phishing activity is on the rise.
Let's see what it's all about.
Cloud Storage at Google Cloud Gets an Upgrade
Google announced enhancements to cloud storage options. With these changes, Google aims to support and enable its customers to handle the new challenges arising from using artificial intelligence (AI) in their workloads. Notably, using AI for workloads is very data-intensive.
According to the announcement, Parallelstore, Cloud Storage FUSE, and Google Cloud NetApp Volumes are all part of the new storage options. According to Google, all are available through the Google Cloud Console, which lets enterprises experience more capable and cost-efficient data storage solutions for AI apps.
Parallelstore
Google says that Parallelstore is for the most demanding high-performance and AI computing apps that depend on GPUs and is a parallel file system. Parallelstore is now available in public preview. It serves the needs of customers who look to save GPU resources while they wait for their storage to catch up.
Parallelstore is based on a next-generation Distributed Asynchronous Object Storage (DAOS) system. Its architecture guarantees that all GPUs within the business's infrastructure get the same level of access to storage.
Cloud Storage FUSE
Cloud Storage FUSE is a revolutionary storage solution focused on AI applications that require file system capabilities. This option is generally available and lets customers create local file systems by accessing and mounting Google Cloud Storage buckets.
Google Cloud NetApp Volumes
Lastly, Google Cloud NetApp Volumes is aimed at customers already running the architecture, and lets their enterprise apps work on NetApp storage arrays.
In addition to providing high performance, it also provides fully managed storage resources to migrate the apps to Google Cloud without changes, which makes the process very simple.
Cado Security Details Malware Campaign Aimed at Redis
Cado Security researchers disclosed details of their discovery of a malware campaign targeting Redis data store deployments.
Redis is an open-source, in-memory data structure store that businesses typically use as a database, cache, and message broker; it supports many data structures.
The malware that the researchers identified is called "P2Pinfect" and is written in the Rust programming language. It acts as a botnet agent, and the sample the researchers analyzed had an embedded Portable Executable (PE). The researchers also noted Executable and Linkable Format (ELF) executables in the sample, indicating cross-platform compatibility.
According to Palo Alto Networks' Unit 42, the Windows version of the malware is delivered by exploiting a vulnerability in Redis that NIST tracks as CVE-2022-0543. The Cado researchers discovered another initial access method, which shows how adaptable the malware is.
The malware has several capabilities, including attempting simultaneous Redis exploits, and its payloads are written in Rust; both make analysis challenging. P2Pinfect uses different methods to evade dynamic analysis and actively scans for SSH and Redis servers. It can also self-replicate like a worm, which again shows its resilience.
By abusing the Redis replication feature, the malware compromises reachable Redis instances and runs them in a distributed leader-follower topology. Legitimately, this feature is what gives the data store high availability and failover. By connecting to vulnerable Redis instances and issuing specific replication instructions, the malicious actors get their payload replicated onto them.
The researchers note that the vector employed in P2Pinfect is not new. Other malware campaigns, such as M2miner and Headcrab, have also leveraged it.
P2Pinfect uses a number of well-known Redis exploit techniques, but it was the replication strategy that successfully penetrated Cado's honeypot network. A sequence of commands that extends Redis's capabilities lets the threat actors load malicious modules and obtain reverse shell access.
The main payload is an ELF that combines Rust and C code. According to the researchers, the payload modifies the host's SSH configuration to ease the operators' access to the server, updates certain files, and drops particular binaries.
To aid its distribution, the malware uses infected servers as nodes in its peer-to-peer network. Because of this decentralized structure, it achieves robust communication without needing a central command-and-control (C2) server. The binary delivers payloads using a simple HTTP server that listens on random ports and uses HTTPS for actual botnet coordination.
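As an added detection example (not Cado's tooling or code from this newsletter), the following Python flags the abuse pattern described above in `redis-cli MONITOR` output: a replica being pointed at a host outside an allowlist, followed by a runtime module load from the same client. The allowlist and every log line are constructed assumptions.

```python
"""Flag the Redis abuse pattern described above (replication pointed at an outside host,
then a runtime module load) in `redis-cli MONITOR` output.
Added example, not Cado's tooling; every log line below is constructed."""
import re, shlex
ALLOWED_LEADERS = {"10.0.0.7", "10.0.0.8"}  # hosts a replica may follow (assumed allowlist)
# MONITOR line shape: <epoch> [<db> <client>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>.+)$")

def parse_monitor_line(line):
    """Split one MONITOR line into timestamp, client, command and arguments."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a MONITOR line: {line!r}")
    argv = shlex.split(m.group("argv"))  # MONITOR quotes every argument
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "cmd": argv[0].upper(), "args": argv[1:]}

def classify(event):
    """Return a reason string when the command matches the abuse pattern, else None."""
    cmd, args = event["cmd"], event["args"]
    if cmd in ("SLAVEOF", "REPLICAOF") and args:
        if args[0].upper() == "NO":  # SLAVEOF NO ONE just detaches the replica
            return None
        if args[0] not in ALLOWED_LEADERS:
            return f"replication redirected to non-allowlisted host {args[0]}"
    if cmd == "MODULE" and args and args[0].upper() == "LOAD":
        return "runtime module load: " + (args[1] if len(args) > 1 else "?")
    return None

def detect(lines):
    """Collect hits; escalate a MODULE LOAD from a client that already redirected replication."""
    hits, redirected = [], set()
    for line in lines:
        ev = parse_monitor_line(line)
        reason = classify(ev)
        if not reason:
            continue
        if ev["cmd"] in ("SLAVEOF", "REPLICAOF"):
            redirected.add(ev["client"])
        severity = "high" if ev["cmd"] == "MODULE" and ev["client"] in redirected else "medium"
        hits.append({"client": ev["client"], "cmd": ev["cmd"],
                     "severity": severity, "reason": reason})
    return hits

# Constructed MONITOR excerpt: normal traffic, a legitimate replica, then the abuse sequence.
SAMPLE_LOG = [
    '1692000001.100000 [0 10.0.0.5:51200] "GET" "session:42"',
    '1692000002.200000 [0 10.0.0.7:51201] "REPLICAOF" "10.0.0.8" "6379"',
    '1692000003.300000 [0 198.51.100.9:40001] "SLAVEOF" "203.0.113.10" "6379"',
    '1692000004.400000 [0 198.51.100.9:40001] "MODULE" "LOAD" "/tmp/mod.so"',
]
```

Running `detect(SAMPLE_LOG)` yields two hits from the external client: a medium-severity replication redirect and a high-severity module load; the allowlisted replica on line two is ignored.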
Mitiga Security Warning on a Possible Post-Exploitation Technique on the AWS Systems Manager Agent
Mitiga Security released details of a potential post-exploitation technique involving the AWS Systems Manager (SSM) Agent.
The technique leverages the SSM agent's potential use by threat actors as a remote access trojan (RAT) on both Windows and Linux devices, controlled through an attacker-owned AWS account. According to the Mitiga researchers, the technique could turn up in real-world attacks.
DevOps engineers use the Amazon Web Services Systems Manager tool to help them with routine tasks like patching OS environments across EC2 instances. SSM's ability to automate these tasks is an excellent method of handling configuration management, system monitoring, and patching in an integrated way.
The SSM Agent software component is available for installation on EC2 instances, virtual machines, and on-prem servers. It is frequently pre-installed on AWS images, which indicates the high potential for many current EC2 instances to already be running the SSM agent.
Although malicious use of the SSM service by threat actors is nothing new, Mitiga Security's research reveals new, unique techniques to abuse it as an integrated RAT. Additionally, the method can make the endpoint's agent communicate with another AWS account, likely owned and controlled by the threat actor, instead of the original account, which makes detecting the threat's activity much more challenging.
The SSM agent must be installed and operational for the described attack technique to be used, and the attacker must be authorized to issue commands on the target device. After gaining initial access to the device, the attackers will upload and run backdoors and trojans that give them persistent access and control over the endpoint.
Gaining the described access provides the attackers with the ability to undertake other malicious activities such as encrypting the file system, committing data theft, misusing resources for cryptocurrency mining, or spreading the malware to other devices on the network.
Threat Horizons Report by Google Exposes Upcoming Cloud Security Challenges
The Google Cloud and Google LLC Cybersecurity Action Team released a report with information on security threats affecting cloud business environments.
The August 2023 Threat Horizons report explains the many security incidents and risks seen by its team. It starts with a discovery made in the first quarter of 2023, which showed that in more than half of the reported incidents, credentials were a contributing factor.
Authentication mechanisms and continual monitoring are critically important considering that credentials resulted in over half of all compromises. Improper handling of access keys, weak passwords, the abuse of credentials, and compromised authentication tokens are common vectors for unauthorized access and can result in serious security breaches.
The report also discusses a growing issue where malicious mobile application developers avoid cloud enterprise detection by using versioning. Threat actors avoid detection algorithms that depend on static identifiers or patterns by employing various mobile app versions. The method makes it more challenging for security teams to find malicious applications, which could result in risks for the mobile infrastructure of an organization.
Security professionals should develop a more proactive and dynamic approach to mobile application security, since static methods and typical monitoring systems are becoming ineffective. In order to identify unusual patterns, the report advises businesses to use machine learning and AI to continuously assess the behavior of mobile applications.
Another highlight of the report is issues within the telecommunications sector. According to the report, threats from cybercriminals and nation-states are likely to persist as the sector adopts cloud services. This comes in addition to the already-existing cyber risks that can be solved through the use of modern cybersecurity approaches, including zero trust.
Raising awareness of the impact of source code leaks and compromises that help cybercriminals facilitate their activities was the final point raised in the report. These activities include unauthorized reproduction of leaked software, abuse and exposure of legitimate certificates and credentials, supply chain compromise, and inserting or developing vulnerabilities.
New Phishing Campaign Leveraging Facebook and Salesforce
Guardio Labs' security researchers have discovered a new phishing email campaign, and it is quite sophisticated. Their thorough analysis of how the issue was located and fixed clearly shows that security teams should collaborate to combat phishing.
The campaign spoofs the email servers and domain names of Salesforce Inc. and is directed towards Salesforce Inc. customers.
According to researchers, this attack, known as PhishForce, looks quite cunning. The malware developers made it so it could evade detection by Facebook and Salesforce. The method used isn't new; it sends out malicious emails that are concealed behind mail gateways that are typically trusted so that defense mechanisms won't detect them.
The email that the researchers discovered, and that started their investigation, came from a Salesforce domain but was labeled as Meta Platforms. This alone showed that the email was a phishing scam. It also has a sizable blue button labeled "Request a Review," which does no such thing: clicking it sends the user to a phishing page designed to steal Facebook credentials.
Additionally, although the phishing page is purportedly hosted on Facebook as a game, much of its content is unrelated. The cunning part is that the phishing email contains an actual link to Facebook [.]com and comes from an email address at Salesforce [.]com, using Salesforce's gateway services. The attackers tie it all together by abusing the support ticketing system through the email address case.salesforce.com. Typically, this address is used to receive emails, but in this case it was used to send them instead.
The attack's entire strategy revolved around the role reversal. Once Salesforce was informed about the vulnerability, a patch was deployed within a month across the Salesforce infrastructure. The researchers also contacted Facebook, which removed the malicious gaming accounts.
While the battle against phishing attacks is not yet over, the PhishForce takeaway was to continue to monitor elements that don't seem to match. Additionally, never assume an email is harmless based on the sending domain.
EvilProxy Phishing Malware on the Rise
A recent report by Proofpoint Inc. shows that use of EvilProxy is increasing again. It is a very popular phishing kit used to steal credentials in a way that bypasses MFA. The Proofpoint report details its focus on compromising Office 365 accounts of C-level executives at large organizations and its rise in popularity. Cybercriminals prefer these kits because no special skills or programming proficiency are required.
Proofpoint's researchers observed a surge in EvilProxy phishing activity from March through June. The data, based on Proofpoint's own customer telemetry, included over 120,000 phishing emails. Analysis of the emails revealed that they impersonated brands and third-party services such as Concur Solutions CRM, DocuSign, and Adobe Inc. products to trick users into clicking the malicious links.
Additionally, the campaigns use many obfuscation methods, such as avoiding connections that show signs of VPN use and encoding parts of the email. They also employ a multi-step process to deliver the malware.
Tracking the crafted phishing lures was made easier due to the mistakes the cybercriminals made in their redirection URLs. For example, they used hhttps rather than https. Another indicator included in the report was geographical data that could indicate that the attackers are based in Turkey or avoided targeting Turkish users on purpose.
The researchers suggest that businesses adopt Yubico or other hardware-based security keys to protect their accounts.
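As an added screening example covering both the PhishForce and EvilProxy sections above (not code from Guardio Labs, Proofpoint or this newsletter), the following Python checks a raw message for a display name that claims one brand while the sender domain belongs to another, and for a link whose scheme is malformed, such as `hhttps://`. The brand keyword table, the domain allowlist and both sample messages are constructed assumptions.

```python
"""Screen a raw message for the two lure traits described above: a display name that
claims one brand while the sender domain belongs to another (PhishForce), and a link
with a malformed scheme such as 'hhttps://' (EvilProxy). Added example; tables and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Brand keywords in display names and the domains each brand really mails from (assumed).
BRAND_KEYWORDS = {"meta platforms": "meta", "facebook": "meta", "salesforce": "salesforce"}
BRAND_DOMAINS = {"meta": {"facebookmail.com", "meta.com"}, "salesforce": {"salesforce.com"}}
URL_RE = re.compile(r'\b([a-z]{3,8})://[^\s"<>]+', re.IGNORECASE)

def claimed_brand(from_header):
    """Brand the display name asserts, or None."""
    name, _ = parseaddr(from_header)
    for keyword, brand in BRAND_KEYWORDS.items():
        if keyword in name.lower():
            return brand
    return None

def sender_domain(from_header):
    """Last two labels of the address domain (assumed good enough for this demo)."""
    _, addr = parseaddr(from_header)
    labels = addr.rsplit("@", 1)[-1].lower().split(".")
    return ".".join(labels[-2:])

def screen(raw_message):
    """Return a list of findings; an empty list means neither trait was seen."""
    msg = message_from_string(raw_message)
    frm = msg.get("From", "")
    findings = []
    brand, domain = claimed_brand(frm), sender_domain(frm)
    if brand and domain not in BRAND_DOMAINS[brand]:
        findings.append(f"display name claims {brand} but sender domain is {domain}")
    body = msg.get_payload() if not msg.is_multipart() else ""  # plain-text samples only
    for m in URL_RE.finditer(body):
        if m.group(1).lower() not in ("http", "https"):
            findings.append(f"malformed URL scheme {m.group(1).lower()!r}: {m.group(0)}")
    return findings

# Constructed messages modelled on the two campaigns.
PHISHFORCE = """From: Meta Platforms <noreply@case.salesforce.com>
Subject: Your page violates our policies

Request a Review: https://www.facebook.com/games/EXAMPLE-GAME
"""
EVILPROXY = """From: DocuSign <notify@docusign.example>
Subject: Document awaiting signature

Review: hhttps://redirect.example/view?u=cfo
"""
```

Note that the PhishForce sample is flagged even though salesforce.com is a legitimate, trusted sending domain, which is exactly the mismatch the researchers advise watching for.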
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay safe and healthy, and remember to check back next month for more highlights.