News You Might’ve Missed. February 2023

What's new this month in the news for MSPs? Microsoft services suffer massive outage after update to its WAN; Hive ransomware infrastructure disrupted in joint international operation; North Korean hacking group Lazarus targeting research enterprises; and more.

Let's see what it's all about.

Microsoft Services Suffer Massive Outage After Update to Its WAN

After a wide area network (WAN) update, Microsoft customers faced an outage affecting many of their services for nearly three hours. The affected services included Microsoft Azure, Teams, Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Graph, Microsoft 365 Admin Portal, Microsoft Defender for Cloud, PowerBi, Microsoft Intune, Microsoft Defender for Identity, and Outlook.

The cause of the outage came from a planned update to Microsoft's wide-area network that began at 2:00am EST on January 25.

Microsoft had informed customers about the planned update, suggesting they should expect some latency in their services. The update caused many more ‌issues than latency and impacted network devices across the Microsoft WAN. The network issue led to dropped connections between services in data centers and others.

Microsoft’s initial solution was to roll back the changes implemented in the update. Following this, it was 4:35am before Azure services were back, and the other services came back around the same time.

Microsoft conducted a post-incident review after the incident, where its monitoring system discovered issues in its domain name service (DNS) and WAN issues. Following this, engineers found a “problematic command” at the root of the matter when automatic recovery was underway.

To avoid similar problems in the future, Microsoft says it is blocking highly impactful commands from being executed on devices. It also requires all command executions on network devices to follow safe change guidelines.

It will publish a final posit incident report quickly.

Hive Ransomware Infrastructure Disrupted in Joint International Operation

A joint international task force was led by the US Federal Bureau of Investigation and included law enforcement agencies from both ‌North America and Europe. It has successfully disrupted and taken down the Hive ransomware group’s infrastructure.

According to the Department of Justice (DOJ), the takedown ends the extortion from victims that include infrastructure operators, schools, and hospitals, paying around $130 million ransom.

Hive used a network of affiliates in its network. They attacked infrastructure operators, hospitals, school districts, financial institutions, and more in around 80 countries internationally. Hive used malware to encrypt the victims’ computer systems after its affiliates stole private documents. Then its affiliates would demand a ransom payment both for the data and for providing a decryption key.

The DOJ began infiltrating the group in July 2022, it said in a release. It said it delivered decryption keys to about 300 organizations that were currently under attack. It has also provided 1,000 decryption keys to previous victims of the ransomware group. According to the DOJ, Hive had targeted over 1,500 victims globally.

Experts say cybersecurity attacks on critical infrastructure remain a looming and severe threat. Following a ransomware attack on Colonial Pipeline, causing a five-day shutdown in the US, public concerns over gas shortages led to rising prices.

North Korean Hacking Group Lazarus Targeting Research Enterprises

'No Pineapple’ is a new cyber hacking campaign attributed to ‌the North Korean hacking group Lazarus. This campaign has let the hackers secretly steal about 100GB of data from victims without destruction.

The campaign targeted research organizations, including healthcare, energy, defense, a leading research university, chemical engineering, and medical research from August to November 2022.

Security analysts from WithSecure discovered the operation while investigating a possible ransomware incident for one of its clients. Due to an operational error by the Lazarus hackers, they found the connection to the North Korea APT.

Besides attributing the hacking campaign through several pieces of evidence, the analysts also noted new developments in the Lazarus campaign:

• the campaigns now use IP addresses without domain names
• the Dtrack info-stealer malware was updated to a new version
• the GREASE malware used to create admin accounts and bypass protection was updated to a new version

The name comes from the '< No Pineapple! >' error seen sent by ‌remote access malware when uploading stolen information to a hacker’s servers.

The Lazarus hackers were able to drop a web shell on the target's mail server and compromise the victim's network on August 22, 2022. It was able to leverage the CVE-2022-37042 (authentication bypass) and CVE-2022-27925 (remote code execution) Zimbra vulnerabilities.

Although ‌security analysts installed patches for the RCE flaw in May 2022, it wasn’t the complete solution. Zimba didn’t release the security update for the authentication bypass flaw until August 12, 2022. Due to the delay in releasing the update needed to complete the fix, threat actors were already busy exploiting the vulnerability.

The Lazarus hackers were able to deploy ‌the tunneling tools Plink and 3Proxy, which would create reverse tunnels back to their infrastructure. The reverse tunnels allowed the threat actors to bypass the firewall.

In under a week, the attackers extracted about 5GB of email messages from the server using modified scripts. They would then save them to a CSV file saved locally and later upload the file(s) to the attacker’s server.

The cybercriminals spread laterally through the victim’s network during the following two months. They spent this time stealing information from devices and acquiring admin credentials.

Lazarus was deploying custom tools while it was spreading throughout the network. These included Dtrack, a data-stealing backdoor typically used by Lazarus, and GREASE, a malware related to Kimusky, another North Korean state-sponsored cyber hacking group.

This attack finally ended on November 5, 2022, with the group stealing 100GB while lurking in the victim's network for over two months.

VMware and Government Agencies Warn Ransomware Targets Unpatched ESXi Servers

Users of VMware ESXi received a warning from European government agencies to ensure that their servers installed the latest software versions. The warning follows the ransomware campaign widely targeting servers running unpatched software.

The attacks target a VMware ESXi server flaw officially patched in 2021 and detailed in CVE-2021-21974. The heap overflow flaw in OpenSLP is the root of the issue, and is used in ESXi, specifically in versions 7.0, 6.7, and 6.5 of the software. OpenSLP is an open-source version of the IEFT Service Location Protocol.

In February 2021, when VMware released the patch, it warned EXSi users about the flaw, which could be leveraged by bad actors and result in RCE. However, even though two years have passed, many VMware EXSi users left unpatched servers.

VMware noted in a recent blog post that these unpatched installations are the target of the current attacks, along with devices at the end of the support life cycle or significantly out of date.

Due to the widespread attacks, government agencies are paying close attention. Authorities in France and Italy have already issued warnings, and the French cybersecurity agency warned of the attack in a technical bulletin. According to the Italian Premier, the attack affecting computing devices leveraged ransomware that was already in the wild.

The warning from Italy came after Telecom Italia’s internet outage, which impacted several sports games streaming services. It is unclear whether the ransomware campaign and the outage are in any way connected.

Security experts request that all VMware ESXi server users take steps to update and patch their devices, even if it means disabling critical sections of their IT infrastructure.

FBI and CISA Jointly Release Recovery Script for Ransomware-Targeted VMware ESXi Servers

A free recovery script from the US Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation is now available as a response to the widespread ransomware campaign that targets unpatched installs of VMWare’s ESXi.

Earlier, VMware Inc. and European government agencies gave warnings regarding the ransomware attacks and said that threat actors were targeting a flaw in the VMware ESXi servers.

The new EXSiArgs recovery script is available on GitHub and gives businesses victimized by EXSiArs ransomware a way to try to recover and restore files. CISA says it believes more than 3,800 EXSi servers have been compromised.

The script attempts to create new configuration files and doesn’t delete the encrypted config files. This method enables access to affected virtual machines. Before any organization deploys the ESXiArgs recovery script, it should carefully assess whether it is appropriate for its environment.

Cybersecurity Analysts Release Details of Popular and Rapidly Growing Stealc Malware

Stealc is a rapidly growing information-stealing malware seen on dark web marketplaces. Researchers recently shared details about the malware that was first spotted for sale in January on a forum under the username “Plymouth.” According to the advertisement, the malware is a fully featured and ready-to-use stealer based on previous stealer malware such as Raccoon, Vidar, Mars, and Redline.

Following this discovery, the researchers found a new malware family that was later determined to be directly connected to Stealc.

Stealc targets private data from extensions for cryptocurrency wallets, desktop cryptocurrency, and web browsers. It also targets information it can extract from additional applications such as messenger software and email clients. This data collection can also be customized so that the malware is tailored to the customer’s specific needs.

The malware will install a customizable file grabber that lets clients steal files that match their particular grabber rules. The stealer also has loader capabilities typical of data stealers sold as malware as a service (MaaS).

Roger Grimes from KnowBe4, Inc. notes that an interesting behavior in Stealc is that it explicitly targets password managers. Specifically, it will target at least 13 browser extensions that password managers and authenticators install – something everyone should note and watch out for.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.