News You Might’ve Missed. January 2022

What's new this month in the news for MSPs? Flexible instances for high-performance computing workloads launched by Amazon; 12-year-old vulnerability in a Linux system tool gives hackers root privileges; new warning to NAS users from QNAP on DeadBolt ransomware; prepare for data-wiping cyberattacks says CISA; and more.

Let's see what it's all about.

Flexible Instances for High-Performance Computing Workloads Launched by Amazon

A new family of EC2 instances for high-performance computing (HPC) workloads is available from Amazon Web Services. AWS says they deliver better price-performance than comparable offerings from its competitors.

The new instances, called Hpc6a, are powered by third-generation AMD EPYC processors. They are purpose-built for HPC workloads and, according to AWS, offer up to 65% better price-performance than comparable x86-based compute-optimized instances.

Beyond cost, the new instances are an alternative for companies that would otherwise be weighing a larger investment in on-premises hardware to meet HPC performance requirements. Amazon also said the instances are aimed at complex scientific, academic, and business problems that are costly to run because of their demands on high-speed data processing, storage, and memory.

Each instance runs AMD processors with a 3.6 GHz all-core turbo frequency, provides 100 Gbps of Elastic Fabric Adapter (EFA) networking, and offers up to 384 GB of memory, which lets customers build scalable, cost-effective HPC clusters. Clusters can scale to tens of thousands of cores. Amazon named genomics, computational fluid dynamics, molecular dynamics, weather forecasting, seismic imaging, financial risk modeling, and computer-aided engineering as example workloads.

The new Amazon EC2 Hpc6a instances are available as On-Demand Instances, Reserved Instances, or through AWS Savings Plans. They launched in the AWS GovCloud (US-West) and US East (Ohio) regions, with more regions to follow.

12-Year-Old Vulnerability in a Linux System Tool Gives Hackers Root Privileges

Researchers at Qualys Inc. have uncovered a 12-year-old flaw in polkit’s pkexec tool (tracked as CVE-2021-4034 and nicknamed PwnKit). pkexec mishandles its command-line arguments when it is invoked with an empty argument list, which corrupts memory in a way that allows local privilege escalation. The danger is that any unprivileged local user on an affected GNU/Linux system can use it to run programs as root.

The vulnerability has been present in pkexec since its first commit in May 2009, more than 12 years, and it can be exploited even when the polkit daemon isn’t running, because pkexec itself is a setuid-root binary.

Patches for the vulnerability have been published, and most distributions have already shipped fixed polkit packages. If your distribution hasn’t received a patch yet, Qualys researchers recommend removing the SUID bit from pkexec as an interim measure (this also disables pkexec’s legitimate use until the fixed package is installed). You can do this by running the following command in a terminal:

sudo chmod 0755 /usr/bin/pkexec

You should keep your Linux distribution up to date at all times. It is an excellent practice always to install updates and security patches as soon as they become available.
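The following shell script is an added example, not code from the original article or from the polkit project. It wraps the interim mitigation above in a check you can run before and after patching: it reports whether a pkexec binary still carries the SUID bit that the exploit depends on, and strips the bit as the stopgap. The function names, the `report` argument, and the default path are this example’s own assumptions; the path is a parameter so the functions can be exercised on a scratch file.

```shell
#!/bin/sh
# Added example (not from the original article or polkit): check whether a
# pkexec binary is still setuid-root, which CVE-2021-4034 (PwnKit) requires,
# and strip the SUID bit as the interim mitigation recommended by Qualys.
# The path argument defaults to /usr/bin/pkexec but is parameterised so the
# functions can be tested against a scratch file instead of the real binary.

# Print "suid", "nosuid" or "missing" for the given path.
# Exit status: 0 when the SUID bit is set, 1 when it is not, 2 when the file
# does not exist.
pkexec_suid_state() {
    path="${1:-/usr/bin/pkexec}"
    [ -e "$path" ] || { echo "missing"; return 2; }
    if [ -u "$path" ]; then
        echo "suid"
        return 0
    fi
    echo "nosuid"
    return 1
}

# Interim mitigation: drop the SUID bit (mode 0755). This makes pkexec useless
# for privilege escalation, but also for its legitimate purpose, so it is a
# stopgap until the patched polkit package is installed.
# Exit status: 0 when the bit is confirmed gone afterwards, 1 otherwise.
pkexec_strip_suid() {
    path="${1:-/usr/bin/pkexec}"
    chmod 0755 "$path"
    pkexec_suid_state "$path" >/dev/null && return 1
    return 0
}

# Report on the real binary only when invoked as:  sh pwnkit_check.sh report
# (no changes are made; call pkexec_strip_suid explicitly, as root, to mitigate)
if [ "${1:-}" = "report" ]; then
    pkexec_suid_state /usr/bin/pkexec || true
fi
```

A "suid" result alone does not prove the system is vulnerable, since patched packages keep pkexec setuid-root; it only tells you the interim mitigation is not in place. Check your distribution’s polkit package version against its advisory to know whether the fix is installed.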

New Warning to NAS Users from QNAP on DeadBolt Ransomware

QNAP, a Taiwanese network-attached storage provider, came out strong in advising customers to update their systems after learning that the DeadBolt ransomware gang was targeting all internet-exposed NAS instances.

Along with a statement, they attached a detailed guide for their customers. In it, they advised customers to go to the Security Counselor on their QNAP NAS dashboard to check if "The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP". If it can, they are at high risk.

The guide and announcement came after dozens of people put posts on Reddit and QNAP message boards that the DeadBolt ransomware group had hacked them. Some of the victims, including an MIT professor, lost videos, photos, and irreplaceable files spanning decades.


The ransom note from DeadBolt demands 0.03 BTC for the decryption key and states, "You have been targeted because of the inadequate security provided by your vendor (QNAP)." One Reddit user reported that they did not receive a working decryptor even after paying the ransom.

The DeadBolt ransomware group contacted QNAP with two offers, one where they demanded a Bitcoin payment from QNAP of 5 BTC for details on the zero-day vulnerability used to attack their devices, and an alternative demanding payment of 50 BTC for a universal decryptor.

QNAP hasn’t commented on whether a zero-day vulnerability was used in the attack.


TellYouThePass Ransomware Back as Cross-Platform Golang Threat

TellYouThePass ransomware is back as a Golang-compiled malware. The new build makes it easier for its operators to target operating systems beyond Windows, in particular Linux and macOS.

Last month, threat actors signaled the return of the strain when they delivered it through the Log4Shell vulnerability (CVE-2021-44228) to attack susceptible devices. A new report from CrowdStrike focuses on the code changes that make it easier to compile and target operating systems other than Windows.

Malware operators have been adopting the Go programming language in growing numbers since around 2019, mainly because of its cross-platform support: a single code base can be compiled for Windows, Linux, and macOS. Go also statically links all dependencies into one binary, so samples are self-contained, run without installed runtimes, and are harder for analysts to reverse.

The Glupteba botnet is one example of successful malware written in Golang. It was active until Google’s security team disrupted the botnet last month.

According to the report by CrowdStrike analysts, the code similarity between Windows and Linux samples of TellYouThePass is 85%. The small margin of dissimilarity shows that only minor changes are required to run the ransomware on different operating systems.

The randomization of function names is a significant change in the latest samples. Before starting the encryption routine, TellYouThePass stops services and processes that might hold files open and leave them only partially encrypted. To avoid making the system unbootable, some directories are excluded from encryption.

Some of the directories and files excluded on Windows include: EFI Boot, EFI Microsoft, Windows, Program Files, All Users, Boot, IEidcache, ProgramData, desktop.ini, autorun.inf, netuser.dat, iconcache.db, thumbs.db, Local Settings, bootfont.bin, System Volume Information, AppData, Recycle.Bin, and Recovery.

Some of the directories excluded on Linux include: /bin, /boot, /sbin, /tmp, /etc, /lib, /proc, /dev, /sys, /usr/include, and /usr/java.

The TellYouThePass ransom note asks for 0.05 BTC, or about $2,150, for the decryptor tool.

So far, there haven’t been any macOS samples observed by any security analysts.

Prepare for Data-Wiping Cyberattacks Says CISA

Following attacks observed to be targeting the Ukrainian government, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning urging US organizations to boost their cybersecurity defenses against data-wiping attacks.

According to BleepingComputer, Ukrainian government and corporate organizations were hit in coordinated cyberattacks earlier this month. During the attacks, websites were defaced, and the threat actors deployed data-wiping malware that rendered Windows devices inoperable and corrupted their data.

It’s suspected that threat actors leveraged the CVE-2021-32648 vulnerability in the OctoberCMS platform to deface websites. The Ukraine Cyber Police are looking into stolen credentials and the use of Log4j vulnerabilities as possible entry methods used to gain access to the servers and networks.

Ukrainian authorities blame the attacks on Russia and attribute them to Ghostwriter, a state-sponsored group with ties to Belarus.

CISA urges US organizations and business leaders to take the actions and advice detailed in a new CISA Insights bulletin to ensure similar attacks don’t occur on their networks.

Cybersecurity and IT personnel are recommended to read CISA’s recent bulletin with mitigation advice against the possibility of Russian state-sponsored threats impacting US critical infrastructure.

Experts Warn Critical H2 Database Console Vulnerability Has Similarities with Log4j

H2 is an open-source Java SQL database that can run entirely in memory, avoiding the need to persist data to disk, and can be embedded in Java applications or run in client-server mode. It is also one of the most widely used Maven packages, with an estimated 7,000 artifacts depending on it.

The vulnerability was discovered by researchers at JFrog Inc. and is tracked as CVE-2021-42392. Researchers say it shares its root cause with Log4Shell: both stem from unsafe use of Java Naming and Directory Interface (JNDI) lookups, which allow an attacker-supplied URL to load remote code. The impact has not spread as widely, mainly because the H2 console is not enabled in most deployments that embed the database, and because the console listens only on localhost by default.

Even though the vulnerability is classified as critical, researchers note that specific configurations and conditions must be met for an H2 deployment to be exploitable. They recommend that H2 users update promptly to version 2.0.206, especially where the H2 console is reachable from the LAN or WAN.
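To make those "configurations and conditions" concrete, the following shell script is an added example, not code from JFrog or the H2 project. It treats an H2 deployment as at risk when the bundled H2 version is older than the fixed 2.0.206 and the console was started with H2’s `-webAllowOthers` option, which is the switch that makes the console accept connections from other hosts instead of only localhost. The function names and the sample command lines are this example’s own assumptions; the version check handles plain x.y.z version strings.

```shell
#!/bin/sh
# Added example (not from JFrog or the H2 project): triage an H2 deployment
# for CVE-2021-42392 from two facts you can collect offline, the H2 version
# (e.g. from the jar name or a dependency report) and the command line or
# config used to start the H2 console.

# Return 0 (true) when version $1 is older than the fixed release 2.0.206.
# Only plain dotted numeric versions such as 1.4.200 or 2.0.206 are handled.
h2_version_vulnerable() {
    v="$1"
    fixed="2.0.206"
    [ "$v" = "$fixed" ] && return 1
    # Numeric sort on the three dotted components; if $v sorts first, it is older.
    oldest=$(printf '%s\n%s\n' "$v" "$fixed" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$v" ]
}

# Return 0 (true) when the console command line or config lets remote hosts
# connect: H2's -webAllowOthers flag, or the equivalent property form.
# Without it the console binds to localhost only (H2's default).
h2_console_exposed() {
    case "$1" in
        *-webAllowOthers*|*webAllowOthers=true*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both checks. Prints one of:
#   patched     - version is 2.0.206 or newer
#   exposed     - vulnerable version AND console reachable from other hosts
#   local-only  - vulnerable version, console bound to localhost (still patch;
#                 a local attacker, or SSRF into the host, can reach it)
h2_risk() {
    version="$1"
    cmdline="$2"
    if ! h2_version_vulnerable "$version"; then
        echo "patched"
        return 0
    fi
    if h2_console_exposed "$cmdline"; then
        echo "exposed"
        return 0
    fi
    echo "local-only"
}

# Usage:  sh h2_triage.sh 1.4.200 'java -cp h2.jar org.h2.tools.Server -web -webAllowOthers'
if [ $# -eq 2 ]; then
    h2_risk "$1" "$2"
fi
```

The "local-only" result is deliberately not reported as safe: the console still accepts a JNDI-based URL from anything that can reach the loopback interface, and CVE-2021-42392 also reaches H2 through JDBC URLs outside the console, so the version check is the one that matters.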

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.
