
News You Might’ve Missed. July 2021

What's new this month in the news for MSPs? Cloud PCs coming from Microsoft for any device with Windows 365; Amazon announces cloud-based SAN with EBS io2 block express volumes; MSP supply-chain of 1000+ companies hit by REvil ransomware; and more.

Let's see what it's all about.

Cloud PCs Coming From Microsoft for Any Device With Windows 365

Microsoft is launching a new service it’s calling Windows 365. It lets organizations keep their environment secure while remote workers stream their office PC to any device, either in any modern Internet browser or through Microsoft’s Remote Desktop.

While remote access and virtual desktops have been around for more than a decade, Microsoft is taking it to the next level. It’s launching Cloud PCs for organizations just when they are shifting to a hybrid combination of remote work and office. The direct connection will allow workers to continue their work right where they left off without skipping a beat.

The new services launch from August 2 and will be available to businesses via a per-user subscription every month. While Microsoft won’t share the pricing specifics until after the launch, it has said the service scope is companies of all sizes. From one-person businesses to organizations with thousands of workers, every business size can use the service.

Windows 365 is being offered in two editions: Enterprise and Business. Azure Desktop powers both of them, and individual Cloud PCs can use a single CPU with 64GB of storage and 2GB of RAM at the lowest end for configurations. Setups can use up to eight CPUs, 512GB of storage, and 32GB of RAM.

In all, Microsoft has twelve different options for Windows 365 Enterprise and Business.

Although the new service from Microsoft doesn’t differ much from the mix of choices businesses could select for virtualization, it’s hedging its bets on the ease of management and use it offers. Cloud PCs can be set up in only minutes to be assigned to workers.

By putting entire Windows PCs in the cloud, secure access to the corporate network for temporary workers or remote employees is a feature many organizations may find advantageous.

Amazon Announces Cloud-Based SAN with EBS io2 Block Express Volumes

With the announcement by Amazon Web Services of the general availability of its Amazon EBS io2 Block Express volumes, AWS is fulfilling its goal to simplify block storage. In essence, the new service from AWS is a cloud storage area network.

Amazon gave a preview of Amazon EBS io2 Block Express at its re:Invent 2020 conference. It’s part of a broader effort to make database migrations and mission-critical storage quicker and easier.

According to Mai-Lan Tomsen Bukovec, AWS Vice President of Storage, the volumes change the game in storage. Scaling capacity by petabytes comes at half the cost of a typical SAN and takes only a few minutes.

The EBS io2 Block Express idea came as a solution for issues customers were facing due to being locked into legacy systems and architecture or managing SANs. The new volumes handle workloads such as SAP HANA, SAS Analytics, Oracle databases, and Microsoft SQL Server.

The benefit for customers is that there are no upfront costs, and they only pay for the storage space they use. Customers are making the switch to EBS io2 Block Express due to its high performance and 99.999% availability, Amazon says. Amazon EBS io2 Block Express is currently available in regions where Amazon EC2 R5b is provided.

MSP Supply-Chain of 1000+ Companies Hit by REvil Ransomware

In what appears to be a Kaseya VSA supply-chain attack, the REvil ransomware gang, also known as Sodinokibi, launched an attack against roughly 50 MSPs and more than a thousand of their business customers on July 2.

Following the attack, Kaseya issued an alert on its support site to warn all its customers to shut down their VSA servers to prevent further spread of the attack.

The attack came in the form of an auto-update that drops an agent[.]crt file into the c:\kworking folder. This leads to the launch of a PowerShell command that disables several Microsoft Defender features, such as Controlled Folder Access, real-time monitoring, network protection, and script scanning.

Using the legitimate Windows Certutil[.]exe command, it then decodes the agent[.]crt file into the same folder. The decoded payload is launched and begins its encryption process.

Kaseya obtained a decryptor without paying, directly or indirectly, the $5 million ransom that was demanded. It is using the decryptor to help MSPs and their customers, but requires clients to sign an NDA to receive it.

Guidance for MSPs and customers that run Kaseya’s VSA software was issued by the Cybersecurity and Infrastructure Security Agency (CISA). As of July 11, Kaseya has issued a patch for on-prem VSA servers and begun restoring its SaaS servers.


TrickBot Returns After Microsoft Takedown

Despite being taken down by Microsoft last October, TrickBot’s notorious botnet has returned with a new campaign aimed at network computing services. The comeback isn’t surprising, since it has happened before, most recently in 2019, when the operators kicked off a campaign they called “season four” of TrickBot, in reference to a zombie-themed TV series.

TrickBot lives on a network of over one million systems and dates back to 2016. It began as a banking trojan and was targeted at stealing user credentials. Since then, it has gone through several transformations.

Researchers at Bitdefender revealed that the botnet is currently more active than ever. The return was first observed in May, distributing a new version of the vncDll module that selects high-profile victims.

The new module used for intelligence collection and monitoring is being called tvncDll. Since it is being updated frequently, researchers say they believe it is still in development.

The command-and-control servers that the resurrected bot uses were also found across Europe, North America, New Zealand, and India, which is a definite indication that TrickBot has returned. As of now, the number of infected systems is unknown.

The return of the botnet does prove that the war on cybercrime has a long way to go. As some groups are taken down, others return, and new ones appear. It’s going to be a long war.

Critical Microsoft Hyper-V Vulnerability May Affect Businesses Long-Term

There is a vulnerability affecting Hyper-V, Microsoft's native hypervisor in the Azure cloud and Windows systems used to create virtual machines.

The vulnerability, named CVE-2021-28476, has a critical severity rating of 9.9 out of 10. When exploited on an unpatched system, the results can be devastating, including executing arbitrary code or crashing the host (denial of service).

The flaw affects Windows Server 2012 through 2019 and Windows 10, and resides in Hyper-V’s vmswitch[.]sys (the network switch driver). It was introduced in an August 2019 build and patched in May of this year.


The root cause is that Hyper-V’s virtual switch doesn’t validate the value of an object identifier (OID) request intended for a network adapter. Such OID requests may include Internet Protocol Security (IPsec), single root I/O virtualization (SR-IOV), and hardware offloading requests.

To exploit the vulnerability, an attacker needs access to a guest virtual machine (VM) from which to send a specially crafted packet to the Hyper-V host. The result is either a crash of the host, which terminates all of its virtual machines, or remote code execution on the host, giving complete control over the host and the attached VMs.

Some local Hyper-V deployments will still be vulnerable, since many admins are slow to update Windows machines when patches are released, but the Azure service is safe.

LockBit Ransomware Using Group Policies to Encrypt Windows Domains

There is a new version of LockBit ransomware on the loose. It uses Active Directory group policies to automate the encryption of Windows domains.

LockBit ransomware was launched in September 2019 as ransomware as a service (RaaS). The ransomware operators recruit affiliates to breach networks and encrypt devices, and in return the affiliates earn 70-80% of each ransom payment.

LockBit began promoting the new LockBit 2.0 ransomware on their data leak site when ransomware topics were banned on hacking forums.

While many of the listed features align with other prior ransomware operations, one of the promoted features stands out. The LockBit developers claim the new ransomware has automated distribution through a Windows domain.

The usual method used by threat actors is to compromise the domain controller and then use third-party software to disable antivirus and security tools and deploy the scripts that execute the ransomware on devices across the network.

The ransomware will also make new group policies on the domain controller. Then the policies are pushed out to every device on the network.

While MountLocker had previously used Windows Active Directory APIs to perform LDAP queries, LockBit is the first ransomware that automates the distribution of its malware through group policies.
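Two behaviours in this roundup lend themselves to detection logic: the Kaseya VSA chain described above (a PowerShell command that disables Defender protections, followed shortly by Certutil decoding a file in c:\kworking) and LockBit 2.0’s creation of new group policies on the domain controller. The script below is an added example, not code from MSP360, Kaseya, or any of the vendors mentioned; it runs two process-level rules and one directory-service rule over constructed sample events shaped like Sysmon Event ID 1 / Security 4688 and Security 5137 records. The host names, account names, the change window, and the decoded output file name are assumptions for the example, not details from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "process" records mimic the
# fields of Sysmon Event ID 1 / Security 4688; "dirobj" records mimic Security
# 5137 (a directory service object was created). Host and account names are made up.
EVENTS = [
    {"kind": "process", "host": "WS01", "time": "2021-07-02T14:00:05",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"kind": "process", "host": "WS01", "time": "2021-07-02T14:00:09",
     "image": r"C:\Windows\System32\certutil.exe",
     # output file name is assumed; the post only says it is decoded into the same folder
     "cmdline": r"certutil -decode c:\kworking\agent.crt c:\kworking\decoded.bin"},
    {"kind": "process", "host": "WS02", "time": "2021-07-02T09:15:00",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\server.cer"},  # benign certutil use
    {"kind": "dirobj", "host": "DC01", "time": "2021-07-02T03:12:00", "event_id": 5137,
     "object_class": "groupPolicyContainer", "subject": "CORP\\svc-backup"},
    {"kind": "dirobj", "host": "DC01", "time": "2021-07-01T11:00:00", "event_id": 5137,
     "object_class": "groupPolicyContainer", "subject": "CORP\\gpo-admin"},
]

# Rule 1: Set-MpPreference used to turn a Defender protection off.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*(-Disable\w+|EnableControlledFolderAccess\s+Disabled"
    r"|EnableNetworkProtection\s+(Disabled|AuditMode))", re.I)
# Rule 2: certutil -decode writing into the staging folder named in the post.
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\s.*-decode\b", re.I)
STAGING_DIR = r"c:\kworking"
# Rule 3: GPO creation by an unapproved account or outside the change window (assumed values).
GPO_CHANGE_ACCOUNTS = {"CORP\\gpo-admin"}
CHANGE_WINDOW = (8, 18)  # hours of the day during which GPO changes are expected


def image_name(event):
    """Return the lowercase file name of the process image."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def is_defender_tamper(e):
    return (e["kind"] == "process" and image_name(e) == "powershell.exe"
            and bool(DEFENDER_TAMPER.search(e["cmdline"])))


def is_certutil_staging(e):
    return (e["kind"] == "process" and image_name(e) == "certutil.exe"
            and bool(CERTUTIL_DECODE.search(e["cmdline"]))
            and STAGING_DIR in e["cmdline"].lower())


def is_unexpected_gpo_creation(e):
    if (e["kind"] != "dirobj" or e["event_id"] != 5137
            or e["object_class"] != "groupPolicyContainer"):
        return False
    hour = datetime.fromisoformat(e["time"]).hour
    in_window = CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]
    return e["subject"] not in GPO_CHANGE_ACCOUNTS or not in_window


def detect(events, window=timedelta(minutes=10)):
    """Return (severity, host, rule) tuples; a certutil decode that follows a
    Defender tamper on the same host within `window` is escalated to high."""
    alerts = []
    tamper_times = {}  # host -> list of datetimes when Defender was tampered with
    for e in sorted(events, key=lambda x: x["time"]):
        t = datetime.fromisoformat(e["time"])
        if is_defender_tamper(e):
            tamper_times.setdefault(e["host"], []).append(t)
            alerts.append(("medium", e["host"], "defender-tamper"))
        elif is_certutil_staging(e):
            chained = any(timedelta(0) <= t - s <= window
                          for s in tamper_times.get(e["host"], []))
            alerts.append(("high" if chained else "medium", e["host"],
                           "certutil-decode-chain" if chained else "certutil-decode-staging"))
        elif is_unexpected_gpo_creation(e):
            alerts.append(("high", e["host"], "gpo-created-unexpected"))
    return alerts


if __name__ == "__main__":
    for severity, host, rule in detect(EVENTS):
        print(f"{severity:6} {host:5} {rule}")
```

On the constructed input this yields one high-severity GPO alert for DC01 (an unapproved account creating a GPO at 03:12), a medium Defender-tamper alert for WS01, and a high-severity chain alert for the certutil decode that follows it four seconds later; the benign `certutil -verify` on WS02 produces nothing. In production, the 5137 rule assumes directory service object auditing is enabled on the domain controllers, and the approved-account list and change window should come from your own change-management records.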

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.
