What's new this month in the news for MSPs? New phishing protection and client-side encryption from Google Workspace; new “Epsilon Red” ransomware targets unpatched Microsoft Exchange servers; a ransomware attack forces Fujifilm to shut servers down; and more. Let's see what it's all about.
New Phishing Protection and Client-Side Encryption From Google Workspace
Google LLC has announced new security updates for Google Workspace and Google Drive to combat phishing and malware. The updates are part of a broader push on data security and follow the release of Safe Browsing, a service that aims to protect billions of devices and users of Google’s suite of products, including Chrome, Android, and Gmail.
According to Google, Google Workspace is already using the latest cryptography standards to encrypt data at rest and information being transferred between its facilities. This month’s updates take that a step further and let their customers choose the identity services they want to use to access their encryption keys and give them direct control over the keys themselves.
Google LLC says that by doing this, only their customer and the partner the customer chooses can have access to the contents of encrypted files in Google Workspace. This is particularly significant if a business enterprise stores regulated or sensitive data, such as intellectual property, financial information, or healthcare records.
Google says it will start by rolling out the new security features to Google Drive, Sheets, Docs, and Slides, but client-side encryption across Google Workspace products such as Gmail, Calendar, and Meet will also be available.
New “Epsilon Red” Ransomware Targets Unpatched Microsoft Exchange Servers
Security researchers recently found a new form of ransomware in the wild called “Epsilon Red.” This month it was seen targeting a US-based hospitality-sector business. In the hand-controlled attack, the final executable payload demanded a 4.29 bitcoin payment, which was about $210,000 at the time.
Security researchers say the tooling and the name in the ransomware attack were specific to the cybercriminals. Although there were grammatical changes, the demand note was similar to the message usually left behind by the renowned REvil ransomware cyber-gang.
According to the researchers, an unpatched Microsoft Exchange server was the most likely point of entry. They say the attackers used Windows Management Instrumentation (WMI) to install software on other network devices that were reachable from the Exchange server.
The name “Epsilon Red,” given by the attackers, references pop culture and is the name of an X-Men comic book character.
The ransomware code is written in the open-source programming language Golang (Go), which is known for producing software that is straightforward to build, efficient, and reliable. The ransomware itself is preceded by PowerShell scripts that prepare the target.
There are multiple stages to this ransomware. It begins by killing services and processes used by backup programs, databases, security tools, email clients, and Microsoft Office apps. All Volume Shadow Copies are then deleted. Next, it copies the Security Account Manager (SAM) database, since it contains password hashes. It disables Windows Defender and deletes the Windows event logs. Finally, it expands its permissions on the system, suspends processes, and removes any remaining security tools.
Now that anything that could obstruct it is gone, it uses WMI to install software and run the PowerShell script that deploys the primary ransomware executable.
Ransomware Attack Forces Fujifilm to Shut Servers Down
On June 2nd, Fujifilm said in a statement that they became aware of a possible ransomware attack on June 1st. They suspended the affected systems in a coordinated effort with their global entities. On June 4th, they updated their statement, confirming it was a ransomware attack.
Fujifilm began as a Japanese company focused on processing 35mm film in the days before digital cameras and smartphones. Since then, it has diversified; aside from digital cameras and film, it provides document solutions, cosmetics, and pharmaceuticals. It is also developing a COVID-19 vaccine and supplies COVID-19 testing products.
Although Fujifilm hasn’t disclosed which ransomware they were attacked by, BleepingComputer says the Qbot trojan, known to be a partner of the REvil ransomware gang, was the attack vector. Qbot is a form of malware and was seen last August targeting the email threads of Microsoft Outlook.
Since REvil was involved in the attack on the Colonial Pipeline Co. and is regularly in the news, it seems likely they are connected to this attack. The only caveat is that REvil typically makes a public statement to take credit. Up to now, they haven’t done this.
The Japanese company has refused to pay the ransom to the cybercriminals and is relying on backups to restore its systems.
Hackers Targeting Critical VMware Software Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an alert advising businesses to update and apply patches to VMware Cloud Foundation software and VMware vCenter Server. According to the notice, cyber-threat actors are attempting to exploit CVE-2021-21985, a remote code execution vulnerability present in VMware Cloud Foundation and VMware vCenter Server.
VMware made the patches available on May 25th, patching the flaw alongside CVE-2021-21986. It grouped the two under a critical security warning. CVE-2021-21985 has a CVSSv3 score of 9.8/10, and CVE-2021-21986 has a score of 6.5/10. CISA noted that many organizations have not yet patched their systems.
Leaving these systems unpatched makes those businesses an attractive target for would-be attackers, who can exploit the vulnerabilities directly. Bad Packets spotted hackers scanning for vulnerable hosts and posted the information on Twitter on June 3rd.
ADATA Hit in Ragnar Locker Ransomware Attack
ADATA has shared with BleepingComputer that it was the victim of a ransomware attack on May 23rd, 2021. The attack meant the company needed to shut down some of its affected systems. ADATA said it has since upgraded many of its IT security systems and is working to recover from existing backups.
While ADATA didn’t disclose the operation behind the attack, the Ragnar Locker group claimed the attack, stating they had stolen 1.5 TB of private information from the company. They posted screenshots on their dark-web leak site as proof.
The first Ragnar Locker ransomware activity was spotted in December 2019. Their operators terminate remote management applications such as Kaseya and ConnectWise (used by MSPs to manage their clients’ systems) on compromised business endpoints.
Terminating these tools keeps logged-in admins from interrupting the payload deployment and helps the operators avoid detection. Ragnar Locker operators generally seek between $200,000 and $600,000 in ransom.
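The staging steps described for Epsilon Red above (shadow-copy deletion, event-log clearing, Windows Defender switched off, SAM database copied) and the RMM-agent termination described for Ragnar Locker share one detection shape: several distinct pre-encryption behaviours on the same host in a short window. The following Python script is an added example, not code from this article or from any vendor or researcher it cites; it runs that per-host correlation over hand-written sample event records. The event IDs are the standard Windows ones (4688 process creation, 1102 audit log cleared, 5001 Defender real-time protection disabled, 7036 service state change); the flattened record layout, host names and the two-indicator threshold are assumptions made for the example.

```python
"""Correlate ransomware staging behaviours per host over Windows event records.

Added example. The records below are constructed sample data in the shape a
log shipper might emit after flattening Windows events; they are not real
telemetry from any incident.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set, Tuple

Event = Dict[str, str]

# Constructed sample records (assumed layout: channel, event_id, host, plus
# command_line for process-creation events or message for service events).
SAMPLE_EVENTS: List[Event] = [
    {"channel": "Security", "event_id": "4688", "host": "ws01",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"channel": "Security", "event_id": "4688", "host": "ws01",
     "command_line": "wevtutil.exe cl Security"},
    {"channel": "Security", "event_id": "1102", "host": "ws01"},
    {"channel": "Security", "event_id": "4688", "host": "ws01",
     "command_line": "reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hive"},
    {"channel": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": "5001", "host": "ws01"},
    # A stopped RMM agent on a second host: one indicator, not yet a pattern.
    {"channel": "System", "event_id": "7036", "host": "ws02",
     "message": "The Kaseya Agent service entered the stopped state."},
    # Ordinary activity that must not match anything.
    {"channel": "Security", "event_id": "4688", "host": "ws03",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
    # A lone shadow-copy deletion, e.g. an admin reclaiming disk space.
    {"channel": "Security", "event_id": "4688", "host": "ws04",
     "command_line": "vssadmin delete shadows /for=C: /oldest"},
]


def _cmd(e: Event) -> str:
    return e.get("command_line", "")


def _msg(e: Event) -> str:
    return e.get("message", "")


# Each rule maps one staging behaviour from the stories above to a predicate.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("shadow_copy_deletion",
     lambda e: e["event_id"] == "4688"
     and re.search(r"\bvssadmin(\.exe)?\s+delete\s+shadows", _cmd(e), re.I) is not None),
    ("event_log_cleared",
     lambda e: e["event_id"] == "1102"
     or (e["event_id"] == "4688"
         and re.search(r"\bwevtutil(\.exe)?\s+cl\b", _cmd(e), re.I) is not None)),
    ("sam_hive_export",
     lambda e: e["event_id"] == "4688"
     and re.search(r"\breg(\.exe)?\s+save\s+HKLM\\SAM\b", _cmd(e), re.I) is not None),
    ("defender_realtime_disabled",
     lambda e: e["event_id"] == "5001"),
    ("rmm_agent_stopped",
     lambda e: e["event_id"] == "7036"
     and "stopped state" in _msg(e)
     and re.search(r"kaseya|connectwise", _msg(e), re.I) is not None),
]


def match_rules(event: Event) -> List[str]:
    """Return the names of every rule the event satisfies."""
    return [name for name, pred in RULES if pred(event)]


def findings_by_host(events: Iterable[Event]) -> Dict[str, Set[str]]:
    """Collect the distinct staging behaviours observed on each host."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        for name in match_rules(e):
            seen[e["host"]].add(name)
    return dict(seen)


def hosts_at_risk(events: Iterable[Event], min_distinct: int = 2) -> List[str]:
    """Hosts showing at least min_distinct different staging behaviours.

    A single shadow-copy deletion can be legitimate administration; several
    of these steps on one host in the same window is the ransomware pattern.
    """
    return sorted(h for h, names in findings_by_host(events).items()
                  if len(names) >= min_distinct)


if __name__ == "__main__":
    for host, names in sorted(findings_by_host(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(names))}")
    print("hosts at risk:", hosts_at_risk(SAMPLE_EVENTS))
```

In practice the window would be bounded by timestamp and the threshold tuned per environment; the point is that the individual indicators are noisy on their own and become a high-confidence alert only when correlated on the same endpoint, which is also why a stopped RMM agent deserves a ticket rather than silence.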
ADATA Sustains 700 GB Data Leak as Result of Ragnar Locker Attack
The Ragnar Locker operators published more than 700 GB of the private data they stole from ADATA online after the Taiwanese firm decided not to pay the ransom.
The leaked archive was hosted on MEGA, which removed it very quickly, so there was no way to determine its exact contents. Still, the metadata indicates ADATA documents covering NDAs, finances, and similar material.
Cybersecurity experts and law enforcement agencies urge businesses not to pay the ransom and instead educate employees on the risks of phishing attacks. Paying the demands of the cybercriminals only enables them to attack further victims.
While we see many headlines highlighting attacks against large, well-known companies, ransomware operators will attempt attacks on companies of all sizes.
TrickBot Listed as Top Cyber-Threat
TrickBot is a banking trojan and botnet used to steal financial information, personally identifiable information (PII), and account credentials. It was the top cyber-threat in May 2021, according to the Global Threat Index by Check Point Research (CPR), the threat intelligence branch of Check Point® Software Technologies Ltd.
The malware entered the list in April 2019 and now takes the top spot, replacing the Dridex trojan. Experts suggest the Evil Corp gang’s rebranding and change in methodology is behind its fall from the list.
TrickBot is currently the most prevalent malware and has made a global impact on 8% of organizations. It is followed by XMRig and FormBook, which impact 3% of organizations. The list features ten malware families.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.