News You Might’ve Missed. February 2022

What's new this month in the news for MSPs? New AMD-based instances for high-performance workloads from Google; Amazon to include 32 international AWS Local Zones to expand the edge of its global cloud; active cyberattacks, threats and their targets; and more.

Let's see what it's all about.

New AMD-Based Instances for High-Performance Workloads From Google

In February, Google Cloud announced the general availability of C2D instances, based on AMD’s newest Epyc server processors. Memory-bound workloads such as gaming, semiconductor design software, databases, and high-performance computing (HPC) are well suited to C2D instances.

Within the Compute Optimized lineup, the new AMD-powered C2D instances are specialized and target workloads that require large amounts of memory in addition to their significant processor capacity needs.

Configuration options include up to 896 GB of memory, 112 vCPUs (56 cores), and 3 TB of local SSD. To better align with workloads, the instances come in high-CPU, standard, and high-memory variants, each offering seven machine types for optimal memory-to-core ratios. The CPUs use the Zen 3 core architecture, a seven-nanometer processor that can execute 19% more instructions than AMD's prior-generation silicon.

The L3 cache reaches up to 32 MB, another feature of AMD's third-generation processors. The L3 cache is an essential repository the CPU core uses to hold the data it is processing for rapid access; the larger the cache, the more data the processor can keep close at hand.

Google’s C2D series includes 21 configurations for instances organized into three groups. Along with seven standard instances, seven machines feature increased memory, and another seven provide higher performance.

Amazon to Include 32 International AWS Local Zones to Expand the Edge of Its Global Cloud

The first 16 of its new AWS Local Zones in the US are complete, Amazon said in its announcement this month. This is part of its plan to establish even more of them in 32 city areas across approximately 26 countries worldwide.

According to AWS, Local Zones deliver extremely low latency and allow customers outside the US to comply with mandatory local data residency regulations, which makes this a significant development.

The service makes it feasible to launch applications that need single-digit-millisecond latency to the cloud, by placing resources close to customers.

These zones can host all types of services, including storage, compute, and database, right at the outer edge of the cloud and close to industry, large population centers, and information technology hubs. This is why AWS suggests thinking of AWS Local Zones as edge locations.

The majority of apps can leverage AWS Regions with no issues. Still, some applications need ultra-low latency. Some of these include media and entertainment content creation, remote real-time gaming, machine learning inference, live video streaming, along with augmented and virtual reality apps. Workloads like these reap huge benefits from closer proximity to end users, due to the reduced latency.

According to Amazon Web Services, it plans to launch more AWS Local Zones globally later this year in cities such as Bangkok, Bengaluru, Berlin, Amsterdam, Auckland, Athens, Bogota, Brussels, Brisbane, Buenos Aires, Copenhagen, Chennai, Delhi, Helsinki, Hanoi, Kolkata, Lima, Manila, Lisbon, Munich, Nairobi, Perth, Queretaro, Oslo, Prague, Santiago, Rio de Janeiro, Toronto, Vienna, Vancouver, and Warsaw.

In addition to meeting local data residency regulations, international customers will also be able to connect their on-prem data centers to AWS Local Zones to ensure ultra-low latency for hybrid application deployments, AWS said. Connectivity options include the public internet or AWS Direct Connect.

Active Cyberattacks, Threats, and Their Targets

Analysts have spotted a number of allegedly related cyberattacks and threats active in the wild against specific targets. Cybersecurity alerts and warnings continue to be issued about these and the other malware families reportedly involved.

This technical overview highlights the malware families known to be in use.

HermeticWiper Destructive Malware

ESET research analysts say they found a new data wiper called HermeticWiper. It uses a signed Windows hardware driver as its delivery method. After execution, it alters the MBR of the system volume, resulting in boot failure, according to SentinelLabs' report.

It also leverages what seems to be a harmless partition management driver by EaseUS named empntdrv.sys. This complicates analysis of HermeticWiper, since much of its functionality is deferred to DeviceIoControl calls with specific I/O control codes.

At the moment, mitigation is considered difficult, as little is known about how the signed driver is delivered. Searching for IOCs after infection may also be of little use, since the malware does its damage swiftly once executed.

Government Authorities Issue Joint Advisory on Cyclops Blink Malware

New malware called Cyclops Blink has been discovered by researchers. They believe it is a replacement for the VPNFilter malware associated with the Sandworm group.

According to the joint advisory, the malware has strictly targeted devices from the networking hardware company WatchGuard. WatchGuard estimates that around 1% of its active firewall devices have been affected by Cyclops Blink. These devices are used mainly by its business customers.

Cyclops Blink also comes loaded with specific modules built to collect and exfiltrate device information, upload and download files to and from its command-and-control (C2) server, and run malware updates.

Finding a Cyclops Blink infection is not a sign that a business is a primary target. However, devices on its network could be leveraged in cyberattacks on others. In any case, the best advice is to disconnect affected devices from the network before beginning remediation.


Google Cloud’s Agentless Threat-Detection Service Protects Against Crypto-jacking

To expand its Security Command Center, Google Cloud is making Virtual Machine Threat Detection (VMTD) available in public preview. This expansion adds detection of cryptocurrency mining inside virtual machines, a threat that is common but difficult for most threat hunters to spot.

Cyberattacks that hijack computing resources to mine cryptocurrency continue to rise. A Google Cloud report published last November revealed that 86% of compromised instances found on the public cloud were also being used for crypto-mining.

The Security Command Center gives businesses an overview of their Google Cloud environments. This helps them gain more visibility into cloud assets and weed out vulnerabilities and cyber-threats that may be homing in on them, and it helps businesses that must adhere to industry benchmarks and standards to maintain compliance.

VMTD enriches those capabilities with the use of agentless memory scanning, which detects threats inside Google Cloud-hosted VM-based architectures.

Cuba Ransomware Deployed Via Hacked Microsoft Exchange Servers

Microsoft Exchange vulnerabilities are being exploited by the Cuba ransomware operation to provide initial access to corporate infrastructure in order to encrypt devices.

Mandiant tracks the ransomware group as UNC2586; its ransomware is called COLDDRAW. Due to the group's increase in activity, the FBI issued a ransomware alert last December, saying that the group had breached 49 critical-infrastructure businesses in the US.

In a new report by Mandiant, researchers revealed that the Cuba operation primarily targets the United States and Canada. Since August 2021, this ransomware gang has been seen leveraging Microsoft Exchange vulnerabilities to deploy RATs, web shells, and backdoors to access target networks.

The planted backdoors include the NetSupport Manager remote access tool and Cobalt Strike. The group also uses homegrown tools:

  • Wedgecut - comes as an executable called “check.exe,” a reconnaissance tool that enumerates Active Directory through PowerShell.
  • Bughatch - a downloader that pulls PowerShell scripts and files from the C2 server. It loads into memory from a remote URL to evade detection.
  • Burntcigar - a utility that abuses a flaw in an Avast driver to terminate kernel-level processes.
  • Termite - a memory-only dropper that pulls the above payloads and then drops them.

Termite has been seen in use by other threat groups, as well.

Analysts say they expect the Cuba operation will change its course when it runs out of valuable targets running unpatched Microsoft Exchange servers.

ASUSTOR Devices Targeted by DeadBolt Ransomware

ASUSTOR NAS devices are now being targeted by DeadBolt ransomware, and the operators are demanding $1,150 in BTC. The current surge in attacks was first reported on the Reddit and BleepingComputer forums, followed by mentions in the ASUSTOR forums.

The threat actors claim to use zero-day vulnerabilities to encrypt the breached devices.

ASUSTOR is investigating the attacks impacting their devices, but it’s not currently clear how the operators are gaining access.

If your device has already been infected by DeadBolt, unplug the Ethernet cable and force a shutdown of the NAS by holding the power button for three seconds.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.
