What's new this month in the news for MSPs? Amazon DataZone launched by AWS, simplifying enterprise data management; Rackspace says ransomware attack caused outage; healthcare targeted in Royal ransomware group attack surge; MoneyMonger malware exploiting Flutter’s UI to steal personal information and blackmail victims; hackers get access to third-party cloud storage in latest LastPass data breach; and federal civilian executive branch breached by Iranian hackers using Log4Shell vulnerability.
Let's see what it's all about.
Amazon DataZone Launched by AWS, Simplifying Enterprise Data Management
DataZone is a new cloud service that was introduced by AWS this month. The service is meant for companies to use for their internal data and give access to their workers. Amazon presented complete details of DataZone at its re:Invent 2022 conference held in Las Vegas, in addition to its other new products.
Most organizations have their business data spread across several dozen databases and use file storage services and other systems. We often see different business units operating these storage systems, making the task of finding data assets time-consuming and challenging.
If an employee is working on an analytics project that requires information residing on not one but many systems, finding that data can be very difficult. When workers are retrieving larger amounts of information, the time needed to do it is significant. Amazon is trying to reduce the time employees spend finding the data assets they need from multiple systems.
In DataZone, a company's information is organized in a data catalog, making finding data assets quick and easy for employees. Rather than needing to find the specific system where the dataset exists, they can navigate the records directly through the DataZone interface. This will mean considerable savings in the time spent retrieving data for analytics projects.
According to Amazon, DataZone provides an integrated "zone" where all an organization’s employees, all a business's data people, can work together to discover, access, govern and share the data. Moreover, DataZone lets users browse records from many sources, such as Amazon S3, on-prem systems, and other AWS systems.
Most organizations arrange their internal datasets in a way that makes it easy for employees to locate them in order to import them into analytics-based projects. Amazon say they’ve incorporated machine learning features in DataZone that help to automate many aspects of the work. For example, a description of the dataset can be automatically generated that provides details about the source from which it was retrieved, details that usually have to be added manually.
Besides making it easy for employees to work with business data, DataZone incorporates data governance controls. Admins can control who has access to which datasets and how they can access them. For example, admins can require employees to request access, typically from the IT team, before they can download an essential business dataset.
Amazon’s DataZone is now in public preview, and the service is only available in AWS’s Oregon, Northern Virginia, and Ireland infrastructure regions.
Rackspace Says Ransomware Attack Caused Outage
Rackspace Technologies Inc. says an outage affecting its Hosted Exchange customers was the result of a ransomware attack. The company shared the confirmation in a statement. It said the attack was isolated to its Hosted Exchange business and that no other products or services, such as its email platform or product line, were affected.
Besides its internal security team, the company hired a cyber-defense firm to look into the attack. Moreover, they put proactive measures in place in an effort to contain the incident.
Since the attack, Rackspace has introduced additional security and continues to monitor its infrastructure for any suspicious activity. All of its Hosted Exchange customers are receiving support to migrate to new environments as soon as possible.
The December 2nd incident may cause Rackspace to lose revenue from the Hosted Exchange business, which earns approximately $30 million annually for the company. Moreover, incidental losses may be associated with the response to the attack.
Bleeping Computer reports that the outage is still impacting all the Hosted Exchange environment services, such as POP, IMAP, MAPI/RPC, SMTP, and ActiveSync, in addition to the OWA interface providing access to email management online.
Security analysts note that the company hasn’t specified the type of ransomware attack or if cyberattackers successfully stole any data. In a recent update, Rackspace said that it is uncertain of any impact on consumer information caused by the attack and gave its assurance that it would notify customers if it confirms that the cyberattackers stole data.
Healthcare Targeted in Royal Ransomware Group Attack Surge
After first appearing at the beginning of 2022, the Royal ransomware group continued to gain momentum through mid-year, deploying many TTPs during attacks on many global businesses. The cybersecurity platform provider Cybereason Inc. released a report on the group following reports it is targeting the US healthcare sector.
It is suspected that members of the ransomware group hail from other groups, based on similarities seen between Royal and some other groups.
The group is using a different method to evade detection and anti-ransomware defenses by expanding on the technique of partial encryption. Most Royal ransomware attacks incorporate encrypting a set portion of the file content and use flexible percentage encryption. It becomes much more challenging for anti-ransomware solutions to detect it.
Royal ransomware leverages multiple threads that accelerate the encryption process; notably, it runs by itself. Royal doesn’t offer ransomware as a service yet and doesn’t seem to target specific sectors or countries.
Security researchers at Cybereason find Royal ransomware’s threat level high based on how quickly it has increased its attacks in the last 90 days. Royal topped the charts in November as the most prolific type of ransomware, surpassing the infamous LockBit ransomware gang.
One reason Royal stands out is the different deployment techniques it uses. For example, one method was using phishing campaigns that leveraged threat-loaders such as Qbot and BTLOADER which download a Cobalt Strike payload to continue other nefarious activities.
Royal ransomware has added dozens of victims to its website since September, signaling a massive gain in momentum. Many victims come from a global pool, such as the Silverstone racing circuit from the UK, while most are from the US.
It seems Royal may be connected with Conti ransomware, but researchers haven’t confirmed this. They seem to have similar TTPs, such as callback phishing attacks and ransom notes.
Researchers recommend that business users enable anti-ransomware protection, variant payload prevention, app control that blocks malicious file execution, and proactive threat hunting on devices that could be compromised and possibly infected with Royal ransomware.
MoneyMonger Malware Exploiting Flutter’s UI to Steal Personal Information and to Blackmail Victims
Security researchers at Zimperium Inc’s ZLabs have uncovered a previously unknown Android malware campaign leveraging money-loaning apps. It blackmails victims into making payments through the use of personal details stolen from their devices. Zimperium researchers named the activity MoneyMonger and noted that the campaign uses the cross-platform framework known as Flutter to develop these apps.
Flutter is a Google LLC multiplatform UI application development framework. Developers use Flutter to make apps that operate on multiple platforms, including iOS and Android. The malware leverages Flutter's framework to hide its malicious intent and make detection of its activities by static means difficult.
Its malicious code remains hidden behind the Flutter framework, undetected by the limited analysis of mobile security products on legacy devices, according to security researchers.
In addition to installation from third-party app stores, MoneyMonger’s apps come from compromised websites, phishing messages, social media campaigns, and using other TTPs.
Discovered as active beginning in May 2022, MoneyMonger employs many layers of social engineering that successfully compromise its victims. It begins with a loan scheme that promises fast money. The victims then install the infected app and accept the requested permissions it needs on the device to verify they are in good standing for the loan approval. After this, the threat actors have gained the access they need to steal the information from the device endpoint, including GPS location, installed apps, SMS data, contact information, device info, critical and personal data, image metadata, and others.
MoneyMonger uses all the information it takes to threaten and blackmail victims into paying its excessive interest rates. The cybercriminals behind MoneyMonger threaten to reveal the victim’s personal information, send photos from the device, and call their contacts if they don’t pay on time.
Besides the loan scam, security researchers say that MoneyMonger is a risk in other ways to businesses and individuals due to the broad range of information the threat actors are taking from the victims, which can include proprietary and private organization-related content.
Moreover, the threat actors continue to develop and update the app to avoid MoneyMonger’s being detected and have added XOR encryption on the Java side and more detailed info on the Flutter side. At this point, there is no accurate method of estimating the number of victims due to the use of third-party app stores and sideloading distributions. Still, some third-party app stores say there have been more than 100,000 downloads of the compromised malicious apps.
Hackers Get Access to Third-Party Cloud Storage in Latest LastPass Data Breach
LastPass US LP has again been the victim of a data breach when hackers accessed a third-party cloud storage service that both LastPass and its affiliate, GoTo Technologies USA Inc., use.
This breach came as a result of the breach that happened in August 2022. The cybercriminals behind that breach used the information they got in that hack to target employees and gain access to the unnamed cloud provider and customer info. LastPass did not specify what data the threat actors accessed but said that customer passwords weren’t accessed and remained safely encrypted.
This second incident, occurring soon after the one in August, does not give a good image for a security company that many rely on to secure their passwords. However, LastPass began its email to its customers by reaffirming its commitment to transparency and publicly detailing what it knows as positive.
The list of security incidents and hacks is growing and, in addition to two this year, the company’s history includes hacks that go back to 2015. Last year, many LastPass users complained of attempts to use their master passwords that were investigated and found to be the result of credential stuffing. Moreover, in January 2022, the company informed of an outage that LastPass initially denied, saying it was caused by a bug.
Despite password managers being attractive targets for threat actors due to the potential access to private customer data and accounts, experts say using secure password managers is still the best solution to stop the associated attacks and theft of credentials.
Federal Civilian Executive Branch Breached by Iranian Hackers Using Log4Shell Vulnerability
CISA recently disclosed information that an Iranian government-sponsored APT group hacked the Federal Civilian Executive Branch. The breach occurred in February but was first detected in mid-June, and CISA liaised with the FCEB for an incident response engagement that extended through mid-July.
The investigation revealed that Iranian hackers gained access to the infrastructure by compromising an unpatched VMware Horizon server with the Log4Shell vulnerability. The vulnerability is also called Log4j, and researchers discovered it in December 2021. The FTC threatened to take action against organizations that did not patch the vulnerability in January of this year.
Notably, while one part of the government was threatening businesses with legal action, those accountable for cybersecurity were asleep at the wheel, exposing dozens of agencies to hacking. It’s also surprising to note that the FTC is a member of the FCEB.
Once they accessed the infrastructure, the unnamed Iranian hackers proceeded to install the XMRig crypto-mining software and continued to move laterally into the domain controller, where it compromised credentials. To maintain persistence, it then installed reverse proxies on a few hosts.
CISA issued a warning on June 23rd that malicious cyber actors continued to exploit Log4Shell in VMware Horizon systems. However, no one knew at the time that it was linked to the FCEB being hacked, and the warning came out within days of them finding that the FCEB had been compromised.
Experts note that Log4Shell can still compromise 38% to 40% of Log4j, so it is no surprise that APT groups continue to use it in their toolkits. No business should lose sight of locating systems with potentially vulnerable software.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.