News You Might’ve Missed. December 2023

What's new this month in the news for MSPs?
High-speed Amazon S3 Express One Zone goes live; new AWS cloud application monitoring features publicly available; Lazarus group shifting to new Telegram tactics; Microsoft exposes three OAuth-based hacking campaigns; Google starts urgent Chrome update to address critical vulnerability; and credit unions hit by new Citrix ransomware threat.

Let's see what it's all about.

High-speed Amazon S3 Express One Zone Goes Live

AWS has launched a new object storage service tier called Amazon S3 Express One Zone. The service offers speeds that are approximately 10 times faster than AWS's standard edition.

AWS currently offers a variety of custom S3 versions. For example, Glacier storage tiers offer lower pricing as a trade-off for faster speeds. These let businesses run apps more cost-effectively without requiring the full performance of a data repository or standard S3 storage container.

Express One Zone, alternatively, is focused on demanding workloads that require faster data transfers than the typical S3 infrastructure manages. AWS says Express One Zone is an excellent option for building large AI models that need to be able to access training datasets millions of times per minute.

The new offering from AWS is also suitable for other use cases and applications. AWS sees enterprises using it for varied tasks, such as powering analytic projects or delivering personalized ads.

Businesses using S3 store their data in containers called buckets. An individual Express One Zone bucket processes several hundred thousand data requests every second. Besides, it can complete those requests with minimal millisecond latency.

According to AWS, Express One Zone not only surpasses standard S3 storage but is typically much more cost-effective. Amazon says that, under the Express One Zone offering, enterprises could see savings of roughly 60%, and data request expenses could see reductions of up to 50%.

Express One Zone is already available in AWS’s Stockholm, Northern Virginia, and Tokyo cloud zones. Amazon is working on releasing the storage tier offering to more locations soon.

New AWS Cloud Application Monitoring Features Publicly Available

In December, AWS introduced myApplications, a new application management tool that will help its customers determine the best way to operate their cloud workloads cost-effectively.

Additionally, administrators can use the app to track hardware usage by workloads and scan them to identify possible cybersecurity gaps. The tool also displays information about potential technical problems using another new feature, Amazon CloudWatch Application Signals, which was also recently launched.

Better Cloud Performance

Tracking the costs that go along with businesses’ cloud workloads is one of the specific use cases for myApplications. During AWS re:Invent 2023, Amazon Inc.’s CTO presented a set of seven best practices he called “The Frugal Architect” that enterprises can put into practice to save unnecessary expenses.

A list of all the business’s workloads in its AWS environment is shown in the myApplication interface. Administrators can display a dashboard that shows all the hardware resources and AWS services in use by a selected workload, as well as the associated costs. For example, they might see that the Amazon RDS database, where an app keeps its records, takes up about 20% of the monthly costs.

Additionally, admins also see higher-level spending information in the myApplications interface. It shows the costs that an application has accrued since the beginning of the current month. It will also show whether the costs are higher or lower than they were in the prior month. This information will help admins see the patterns that shed light on unexpected increases in costs that require investigation.

Many AWS customers who have been trying to trim their cloud costs to offset macroeconomic pressures will likely be interested in this new tool.

Streamlining of Application Instrumentation

The myApplications tool claims to simplify more than just cost tracking. For instance, it enables businesses to keep an eye on several distinct areas of their cloud environments.

One feature AWS highlighted is a built-in cybersecurity dashboard that appears when it detects an insecure configuration in a business’s workloads. In addition, there is a dashboard that displays application health and performance data derived from CloudWatch Application Signals.

Incorporating what is called instrumentation code helps to collect an application’s diagnostic data. Deploying the code can take a long time in container workloads, which are complex, especially if there are more software modules involved. Automating the process will make it more straightforward for developers to establish monitoring workflows for applications. Amazon says that CloudWatch Application Signals is a game-changer.

A display of an application's availability, the latency of its request processing, and the volume of requests it receives is one of the system metrics that the tool tracks for each workload it monitors. Administrators have the option to set up the tool to watch for particular events, like when the latency of a workload exceeds a predetermined threshold.

As part of AWS's CloudWatch observability service, CloudWatch Application Signals is already accessible in preview. The dashboard of the AWS Management Console already allows anyone to access the myApplications tool.

Lazarus Group Shifting to New Telegram Tactics

Talos Intelligence from Cisco Systems Inc. shared new findings on the Lazarus group from North Korea. In their report, they shared an outline of the new methods the group is using to target attacks.

Specifically, Talos security analysts noted the group targeting businesses in the agricultural, manufacturing, and physical security industries. Furthermore, and perhaps more significantly, the group was responsible for WannaCry ransomware attacks in 2017 and, in 2022, targeted Log4j vulnerabilities.

Lazarus has been quite active over the past year, employing a number of remote access Trojans under peculiar development frameworks. More recently, it has been observed utilizing the DLang programming language. Like many other threat organizations, Lazarus is always trying to get better, writing faster, smaller-footprint code. It also looks for new ways to obfuscate its intrusions that let it avoid early detection.

Additionally, the group has been perfecting social engineering lures. GitHub shared information on how the group has tried using different methods to invade cryptocurrency application developers. According to a report by analysts at Recorded Future, during the last six years, the group has managed to collect cryptocurrencies equaling roughly $3 billion.

To put it in perspective, this makes up a considerable part of North Korea’s defense budget, in addition to about half of the total stolen funds that has been tracked until now.

Its more recent efforts, dubbed Operation Blacksmith, use the VMware Horizon servers’ Log4Shell vulnerabilities to initially gain access to its targets’ computers. These operations have continued for the last two years. According to Veracode, more than a third of servers continue to run applications that have vulnerabilities.

Currently, Lazarus is behind a new campaign that is using Telegram channels and bots as its mechanism for command and communications. It also uses Telegram to transfer files. This current method is making it challenging to track, since the activity seems like normal user traffic.

The hackers start a reverse proxy as soon as the malware is operational on a network. This enables them to establish direct communication with their victims and use other tools. Overall, this demonstrates how much the Lazarus group is still learning and creating new methods to enter the environments of its targets.

Microsoft Exposes Three OAuth-based Hacking Campaigns

Microsoft has revealed details about three hacking attempts that made use of the OAuth protocol, which employees typically use to access corporate applications through their Google or Microsoft accounts.

Three distinct threat groups were behind these campaigns. The first campaign's main goal was to compromise cloud environments used by businesses; the other two focused on phishing and spam distribution.

An employee account at an unidentified company was compromised by a threat actor who was tracked while Storm-1283 carried out the initial campaign. Utilizing that Azure environment, the hackers built virtual machines for cryptomining.

Storm-1283 provisioned virtual machines that the user was logged into by abusing multiple legitimate business applications. According to Microsoft, the user's account had access to the company's Azure environment. It also said the account was logged into those services with OAuth.

The second hacking campaign targeted multiple businesses and, as part of the campaign, the hacker breached employees’ Microsoft accounts, using them to access emails containing financial details.

Analysts say the goal was to plan a targeted social engineering attack using the collected information. The hackers hoped the information taken from the financial emails would help trick organizations into sending them funds.

The first part of the cyberattack used emails containing malicious links. Any user who clicked on the link was taken to Microsoft’s legitimate log-in page, but the redirect’s configuration allowed the hackers to steal the users’ credentials, providing access to their accounts.

Using OAuth, hackers gained access to multiple employee accounts at an undisclosed company in the third campaign. Additionally, the hackers used OAuth to link each account to a few third-party apps. With those apps, they could send thousands of spam emails every day.

Microsoft informed the organization about the hacking campaigns before it published its research. Additionally, it has made guidelines available to any business that might be the target of similar attacks.

Google Launches Urgent Chrome Update Addressing a Critical Vulnerability

After discovering a critical vulnerability, Google has launched an urgent security update for its Chrome browser.

Described as an integer overflow in Skia in Google Chrome affecting versions prior to 119.0.6045.199, the vulnerability is tracked under CVE-2023-6345 and lets remote attackers who compromised the renderer process possibly perform a sandbox escape using a malicious file. The Skia 2D open-source graphics library helps Google Chrome render webpages.

Two analysts from Google’s Threat Analysis Group, Benoit Sevens and Clement Lecigne, discovered and reported the vulnerability. The current update from Google also includes patches for six high-severity vulnerabilities.

Organizations and users are urged to make sure they have the latest version of Chrome, regardless of their operating system. Users who haven’t set Chrome to update automatically should manually run the update process.

Credit Unions Hit by New Citrix Ransomware Threat

The Citrix Bleed vulnerability is being leveraged in new ransomware attacks.

Recently, over 60 credit users had their activities disrupted by attacks due to Trellance Corporation, a common technology services provider, having unpatched NetScaler servers. The company owns Ongoing Operations LLC and Fedcomp. Both providers informed their customers of outages affecting their environment, and Ongoing also sent out a note on December 2nd regarding a cybersecurity incident from November 26th. Fedcomp posted and then removed a notice about a possible incident and wouldn’t respond to reporter inquiries.

Kevin Beaumont, a cybersecurity researcher, says the issues were related to Citrix Bleed, which he said attacked two unpatched Ongoing Operations servers. A patch for the Citrix Bleed vulnerability was made public in October following its discovery.

Since Citrix servers include a wealth of authentication knowledge in their operations as load balancing appliances, Citrix Bleed has grown popular among ransomware actors as a means to compromise their victims. Intruders can circumvent multifactor authentication measures by stealing session tokens.

All federally insured unions are now required to report any breaches within 72 hours, according to new rules put in place by the National Association of Credit Unions. These rules became effective in September. After that, the first month saw 146 reports, which is more than the number of incidents seen in a year.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. We wish everyone an excellent 2024.