News You Might’ve Missed. July 2023

What's new this month in the news for MSPs? Azure Active Directory rebrands to Microsoft Entra ID; more Google Workspace users get Google's AppSheet no-code app builder; banking users in the US, UK, and central EU the target of 'Anatsa' malware; alert on 8Base ransomware issued by VMware researchers; cloud workloads under attack from PyLoose malware; and Microsoft Azure Cloud attack by Chinese hackers worse than thought.

Let's see what it's all about.

Azure Active Directory Rebrands to Microsoft Entra ID

More than a year after launching Entra Permissions Management and Entra Verified ID, Microsoft announced a rebrand of its long-standing service for identity and access management. Azure Active Directory will now be known as Microsoft Entra ID.

The rebranding is part of Microsoft's effort to simplify its suite of identity and access resources under a single moniker. So, it is placing Entra ID alongside Entra Permissions Management and Entra Verified ID, which fall into the same primary category.

Of course, Azure Active Directory has been around the longest and, according to its July 11th blog post, business customers using the service total around 720,000.

Since launching the Entra brand last year, Microsoft has introduced several new products, such as Entra Internet Access and Entra Private Access. Entra Internet Access protects users' access to the internet, Microsoft's own 365 apps, software-as-a-service applications, and other resources. Entra Private Access is a zero-trust or ZTNA, an identity-centric service securing access to private resources and applications.

Microsoft says the rebrand of Azure Active Directory is to make it easier for customers to navigate and use its expanded and unified Microsoft Entra portfolio. It goes on to say that everything else will remain the same, aside from the product's name. Integrations and configurations will continue to work without any further action needed.

The standalone names will also change; for example, Azure AD Free will now be Microsoft Entra ID Free.

Customers and users may have to wait to see the changes but can expect to see them before the end of the year.

More Google Workspace Users Get Google's AppSheet No-Code App Builder

Google LLC announced that AppSheet will now be included in nine Google Workspace plans without additional cost. According to the announcement, AppSheet will be available in Starter and Standard editions as part of Google Workspace's Business, Enterprise, and Frontline packages. The Frontline edition targets users performing most of their work away from a computer.

Additionally, AppSheet will also be available in Workspace's Business Plus, Education Standard, and a non-profit-geared edition. Up to this point, Google Workspace's enterprise and education tiers have included it in three plans. Additionally, users can purchase individual subscriptions separately.

Google acquired AppSheet as part of a startup purchase. Its primary function is to let business users develop desktop and mobile apps without writing a single line of code. It also allows them to create chatbots for the Google Chat platform that comes as part of Workspace.

Typically, businesses will use AppSheet to create apps that track day-to-day business activities. For example, a traditional business might create an app for tracking inventory at its stores, and a shipping company could make an app to list pending deliveries.

The version that Google released this month costs $10 per user per month when purchased as a standalone. But this version includes only some of the features available in the more pricey tiers, such as being able to embed machine learning models in no-code apps.

As part of the update, business admins can expect to see enhancements to the Workspace management console. The new controls being launched will let admins easily regulate employees' use of AppSheet.

Google says admins will be able to block users from making AppSheet apps available to external connections. Additionally, it will be possible to keep applications from sending notifications via email to external users. What's more, admins will be able to regulate whether employee-created apps can access data saved on external systems.

With the inclusion of AppSheet in more Workspace editions, Google could see an uptick in the tool's adoption. Workspace had more than 3 billion users as of the end of 2022. Additionally, with AppSheet being available without extra cost, it will be a more competitive option than the other low-code development tools.

Microsoft's Power Apps service is one of those tools. Microsoft 365 includes it in some of the enterprise editions. It is also available as a standalone and is available for purchase by businesses.
AI is becoming the bigger priority for both Microsoft and Google. Both companies have recently unveiled products that enable users to build applications by utilizing natural language commands.

Banking Users in the US, UK, and Central EU the Target of 'Anatsa' Malware

According to threat researchers at Threat Fabric, a banking trojan named Anatsa is targeting banking app users in the US, UK, and central Europe. The malware comes through compromised apps on Google Play and, since March 2023, there have been over 30,000 installs. Anatsa can avoid detection by using its advanced device-takeover abilities.

Although its focus has changed since the malware was first discovered in 2020, with the current campaign targeting banking apps, especially in Germany, Anatsa's total worldwide target list includes nearly 600 financial apps, with the end goal of initiating fraudulent transactions after stealing users' banking application login credentials.

After the compromised app is installed, a request goes out to a page hosted on GitHub, where the malware gets another URL. The app will then download the payload from the URL, also hosted on GitHub. The payload gives the appearance of being an add-on to the initial app.

In March, Threat Fabric researchers observed a malware-compromised app and quickly reported it to the search giant, who then removed it from the Play Store without delay. Despite this, the malicious actors returned with a fresh application disguised as a PDF reader; the malware was included as an extension.

The researchers say malicious apps choosing to pose as these specific types of apps on Play confirm a trend they've been observing. Droppers are impersonating file-management types of apps as a trend.

After it was reported, Google took down the new malicious application, yet threat actors quickly added another to supplant it in this unending game. The analysts additionally noted that the speed with which new droppers showed up after Google had removed one was remarkable.

Alert on 8Base Ransomware Issued by VMware Researchers

VMware Inc. researchers issued a warning about a family of obscure ransomware in whose activity they've observed an increase. Researchers first identified 8Base ransomware in March of 2022. It uses extortion tactics and encryption to force its victims across many industries to pay a ransom.

Although 8Base ransomware is relatively unknown, based on its recent activities, researchers say the threat actor behind it is well organized and experienced. The current operations of the 8Base ransomware group have distinct features in common with other ransomware efforts. Observations of its recent activities and the similarities noted led researchers to say that it suggests a high level of experience and sophistication, even though it has only recently emerged.

Like most ransomware groups, 8Base maintains a leak site. It uses intimidation extortion tactics and discloses information about victims to coerce them into a ransom payment.

In addition to 8Base's ability to encrypt data, its use of intimidation tactics makes it a substantial threat.

The similarities to other ransomware groups aren't just tactics alone. Researchers say its language and the way it communicates is quite similar to another known group, RansomHouse.

VMware's threat analysis team has suggested that 8Base may have used a variation of the Phobos ransomware in some of its strikes. Phobos is a ransomware-as-a-service provider well known for its personalization capabilities.

Given the advanced strategies employed by organizations like 8Base, researchers suggest that businesses upgrade their cybersecurity safeguards.

Cloud Workloads Under Attack from PyLoose Malware

The team at Wiz Inc. reported on a new malware called PyLoose. It targets cloud computing workloads and uses the Python language.

A fileless attack uses tools and features in the victim's system software. This method diverges from the usual technique of employing executable files to execute the attack. Due to the evasion techniques it employs, it's more challenging for typical security solutions to detect it.

The PyLoose attack loads an XMRig Miner directly into memory by using memfd, a Linux fileless technique. The attack bypasses the need to write payloads to the disk by exploiting OS abilities.

Researchers first detected PyLoose in June; it gained access through a public service of Jupyter Notebook. After gaining access, the threat actors behind PyLoose downloaded a fileless payload from a site resembling Pastebin into Python's runtime memory. This method allowed it to avoid needing disk storage, optimize the attack process, and simplify the command structure.

So far, researchers haven't linked the attack to a specific group of threat actors. However, the fileless execution adaptation and embedding of the XMRig miner suggest that the threat actor is very skilled.

Even though PyLoose is likely the first documented case of a Python-based fileless attack, businesses can take specific steps to protect themselves against it. For example, users should avoid using the public services of Jupyter Notebook that can allow code execution. Robust authentication methods such as MFA and a central identity platform can help further protect.

Microsoft Azure Cloud Attack by Chinese Hackers Worse Than Thought

New research by Wiz Inc. reveals that the security incident involving Chinese hackers breaching several US government email accounts is much worse than initially thought.

The researchers now believe that the incident could end up being worse than, and with a similar scope and reach to, the SolarWinds supply chain compromises from last year. Microsoft also shared information in a recent blog on the Storm-0558 attack and further explained some of the causes. They also detailed the tracked movements the attackers made through its network and services on Azure cloud.

While the blog from Microsoft explained a lot, it needed to connect all the dots. A design flaw allowed the threat actor to get new access tokens by presenting one previously used from the API. The flaw has since been fixed, but it allowed the threat actors access to email accounts using Outlook Web Access and outlook.com services.

Beyond OWA and outlook.com, the signing key obtained could be used to access many services connected to Azure AD or AAD for authentication where "login with Microsoft" authentication is used.
The researchers recommend that all customers identify potentially affected apps. They can do this by searching for forged API keys and updating any Azure SDK instances. They should also check that chased versions of Microsoft OpenID certificates are not in use. If any are found, refresh caches to resolve.

Microsoft says that claims by Wiz are not evidence-based, but other experts say that, based on the telemetry data provided, the Wiz report findings are likely valid.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay safe and healthy, and remember to check back next month for more highlights.