News You Might’ve Missed. June 2023

What's new this month in the news for MSPs? Google accuses Microsoft of using licensing terms to lock customers into Azure; a newly disclosed Google Workspace logging gap lets attackers exfiltrate data unseen; CISA warns of a critical, actively exploited flaw in the MOVEit Transfer file-sharing app; the Romanian threat actor 'Diicot' moves beyond cryptojacking in a new campaign; Bitdefender warns of new exfiltration malware targeting RDP workloads; and Deep Instinct finds a new JavaScript-based malware dropper.

Let's see what it's all about.

Google Clashes With Microsoft Over Locking Customers Into Azure Cloud

In a letter to the FTC, Google LLC said that Microsoft's licensing restrictions effectively force customers onto Azure, because that is the only way to obtain substantial savings.

CNBC, which obtained a copy of the letter, reports that Google accuses Microsoft Corporation of exploiting the popularity of Microsoft Office and Windows Server to push customers toward Azure. The letter describes a "complex web" of licensing restrictions designed to keep organizations from expanding their set of software vendors.

Google's point is that Microsoft charges third-party cloud providers, such as AWS and Google Cloud, to run Office and Windows Server on their platforms, and those providers pass the cost on to customers, while running the same Microsoft software on Azure carries no extra charge.

Pointing to the numerous cyberattacks that have hit Microsoft in recent years, Google argues that the policy is not only anticompetitive but will be seen by many as a national security risk.

The letter responds to a request for comment that the FTC issued in March on how cloud providers' business practices affect competition in the market.

The cloud computing market is intensely competitive, with billions in annual revenue at stake. AWS leads, followed by Microsoft Azure, with Google Cloud not far behind. Regulatory scrutiny has grown recently, given who the leading companies are and the rising number of organizations moving to the cloud.

Some observers find the complaint ironic, since Google is itself the subject of multiple antitrust inquiries into its own business practices. The DoJ has two lawsuits pending against Google over its online search and advertising businesses, groups of state attorneys general have filed separate suits, and inquiries are under way in Europe.

Despite all this, Google isn't holding back: it accuses Microsoft and Oracle of using overly complex agreements to lock businesses into their cloud platforms. In the letter, Google argues that these practices raise customer costs, limit choice, and disrupt thriving and growing digital ecosystems both in the US and globally.

New Google Workspace Security Flaw Discovered

Mitiga Security researchers recently shared details of a previously undocumented weakness in Google Workspace enterprise plans that allows attackers to take data without leaving a trace. According to the researchers, this is a forensic security deficiency: data can be exfiltrated without generating any record of it. It specifically concerns the activity of users who are not assigned a paid Google Workspace enterprise license.

By default, users in a Google Workspace enterprise tenant start on the Cloud Identity Free license until an admin assigns them a paid one. While a user is on the free license, no Drive log events are generated for activity in that user's private drive. With no visibility, a threat actor can download or manipulate the user's data without any log-based detection.

Attackers can exploit this in a couple of ways. If an account that can manage licenses is compromised, the attacker can revoke a target user's paid license, access or download the user's private files while nothing is logged, and then reassign the license; the only traces left behind are the license revocation and reassignment events in the Admin log. The second route is offboarding: if an employee's paid license is revoked before the account is disabled, anyone who still has access to the account can pull sensitive files from its private drive during that window without generating Drive logs.

The researchers reported their findings to Google before publishing them.
They advise businesses to monitor Admin log events in Google Workspace regularly, paying particular attention to license assignment and revocation actions, and especially to sudden upticks, which can indicate that a threat actor is manipulating licenses.
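The monitoring advice above can be turned into two concrete checks over the Admin log: a burst of license changes by one actor, and a revoke-then-reassign pair for the same user, which brackets exactly the interval in which that user's Drive activity went unlogged. The following is an added example written for this page, not code from MSP360, Mitiga, or Google. It works on records shaped like the JSON returned by the Admin SDK Reports API `activities.list` call for `applicationName=admin`; the event names in `LICENSE_EVENTS`, the `USER_EMAIL` parameter name, and all sample records are assumptions constructed for the example and should be checked against your own log export.

```python
"""Flag suspicious license changes in Google Workspace Admin log events.

Added example (not code from MSP360 or Mitiga). The input mimics the JSON
returned by the Admin SDK Reports API `activities.list` call with
applicationName=admin. The event names in LICENSE_EVENTS and the USER_EMAIL
parameter name are assumptions: confirm them against your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed event names for license assignment/revocation in the Admin log.
LICENSE_EVENTS = {"USER_LICENSE_ASSIGNMENT", "USER_LICENSE_REVOKE", "USER_LICENSE_REASSIGNMENT"}
GRANT_EVENTS = {"USER_LICENSE_ASSIGNMENT", "USER_LICENSE_REASSIGNMENT"}


def _record(time, actor, event_name, target):
    """Build one activity record in the Reports API shape (constructed sample data)."""
    return {
        "id": {"time": time, "applicationName": "admin"},
        "actor": {"email": actor},
        "events": [{"type": "LICENSES_SETTINGS", "name": event_name,
                    "parameters": [{"name": "USER_EMAIL", "value": target}]}],
    }


# Constructed sample: one routine assignment, a revoke/reassign pair around a
# 41-minute logging blind spot for alice, and a burst of six revocations.
SAMPLE_RECORDS = [
    _record("2023-06-05T09:00:00.000Z", "it-admin@example.com", "USER_LICENSE_ASSIGNMENT", "newhire@example.com"),
    _record("2023-06-05T10:00:00.000Z", "attacker@example.com", "USER_LICENSE_REVOKE", "alice@example.com"),
    _record("2023-06-05T10:41:00.000Z", "attacker@example.com", "USER_LICENSE_REASSIGNMENT", "alice@example.com"),
] + [
    _record(f"2023-06-05T11:0{i}:00.000Z", "attacker@example.com", "USER_LICENSE_REVOKE", f"user{i}@example.com")
    for i in range(6)
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _target_user(event):
    for p in event.get("parameters", []):
        if p.get("name") == "USER_EMAIL":
            return p.get("value")
    return None


def extract_license_changes(records):
    """Return sorted (time, actor, event_name, target_user) tuples for license events."""
    changes = []
    for rec in records:
        t = _parse_time(rec["id"]["time"])
        actor = rec["actor"]["email"]
        for ev in rec.get("events", []):
            if ev.get("name") in LICENSE_EVENTS:
                changes.append((t, actor, ev["name"], _target_user(ev)))
    changes.sort()
    return changes


def find_spikes(changes, window=timedelta(minutes=10), threshold=5):
    """Actors who made more than `threshold` license changes inside any `window`.

    Sliding window over each actor's sorted timestamps; returns {actor: peak_count}.
    """
    times_by_actor = defaultdict(list)
    for t, actor, _, _ in changes:
        times_by_actor[actor].append(t)
    flagged = {}
    for actor, times in times_by_actor.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


def find_revoke_then_grant(changes, max_gap=timedelta(hours=24)):
    """Users whose license was revoked and granted again within `max_gap`.

    That gap is exactly the interval in which the user's Drive activity was not logged.
    Returns a list of (target_user, revoked_at, granted_at, actor_who_revoked).
    """
    pending = {}  # target_user -> (revoke_time, actor)
    hits = []
    for t, actor, name, target in changes:
        if name == "USER_LICENSE_REVOKE":
            pending[target] = (t, actor)
        elif name in GRANT_EVENTS and target in pending:
            revoked_at, revoker = pending.pop(target)
            if t - revoked_at <= max_gap:
                hits.append((target, revoked_at, t, revoker))
    return hits


if __name__ == "__main__":
    changes = extract_license_changes(SAMPLE_RECORDS)
    print("spikes:", find_spikes(changes))
    for user, r, g, who in find_revoke_then_grant(changes):
        print(f"{user}: revoked {r:%H:%M}, granted again {g:%H:%M} by {who} (blind spot {g - r})")
```

On the constructed sample, the burst check flags `attacker@example.com` with six changes in ten minutes, and the pairing check reports a 41-minute blind spot for `alice@example.com`. The thresholds are starting points only; tune them to how many licenses your admins legitimately move in a day, and treat any revoke/grant pair on an active employee as worth a conversation with whoever holds the admin account.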


CISA Warning on Major Security Flaw in the MOVEit File Sharing App

The Cybersecurity and Infrastructure Security Agency recently added a critical flaw in Progress Software Corp.'s MOVEit Transfer managed file transfer app to its Known Exploited Vulnerabilities Catalog and directed all federal agencies to patch their systems by June 23.

MOVEit Transfer is managed file transfer software intended to give organizations secure, compliant transfers of sensitive data, both internally and with outside parties. It provides visibility into and management of all file transfer activity, predictable and reliable transfers, and automation of complex workflows. It encrypts data in transit and at rest and supports several secure protocols, including HTTPS, FTPS, and SFTP.

Threat actors are already exploiting the vulnerability, tracked as CVE-2023-34362, and have stolen data from many organizations. Exploitation requires nothing more than an unauthenticated remote attacker injecting SQL into a vulnerable MOVEit Transfer instance.

A successful exploit gives the attacker access to the MOVEit Transfer database. Depending on the database engine in use, the attacker may then be able to infer information about the structure and contents of that database.
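To make the vulnerability class concrete, here is an added illustration of what "inject custom SQL" means and why it exposes the database structure. This is not MOVEit's code and not the exploit used against it; it is a generic unauthenticated lookup written two ways, against a small in-memory SQLite database constructed for the example. The `files` table, its rows, and the `PAYLOAD` string are all assumptions.

```python
"""String-built SQL versus parameterized SQL (added example, not MOVEit code).

The vulnerable version concatenates an untrusted value into the statement, so
a crafted value can append a UNION that reads the schema catalogue. The fixed
version binds the value as a parameter, so it can never change the statement.
"""
import sqlite3


def make_db():
    """Constructed sample database: two files owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, folder TEXT);
        INSERT INTO files VALUES (1, 'alice', 'q2-report.pdf', 'Finance');
        INSERT INTO files VALUES (2, 'bob',   'payroll.xlsx', 'HR');
    """)
    return conn


def list_files_vulnerable(conn, folder):
    """Unauthenticated lookup that builds SQL by string concatenation (the bug)."""
    sql = "SELECT name FROM files WHERE folder = '" + folder + "'"
    return [row[0] for row in conn.execute(sql)]


def list_files_fixed(conn, folder):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM files WHERE folder = ?", (folder,))]


# Attacker-controlled input: closes the string literal, appends a UNION that
# pulls CREATE TABLE statements from sqlite_master, and comments out the rest.
PAYLOAD = "' UNION SELECT sql FROM sqlite_master WHERE type='table' --"


if __name__ == "__main__":
    conn = make_db()
    print("normal:", list_files_fixed(conn, "HR"))
    print("vulnerable + payload:", list_files_vulnerable(conn, PAYLOAD))  # leaks the schema
    print("fixed + payload:", list_files_fixed(conn, PAYLOAD))            # returns nothing
```

Against the vulnerable function the payload returns the `CREATE TABLE files (...)` definition instead of file names, which is precisely "information on the contents and structure of the database"; the parameterized version returns an empty list because no folder is literally named after the payload. The same split applies to any engine: concatenation is the defect, parameter binding (or a query builder that does it for you) is the fix.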

The current advice is to follow the vendor's mitigation and remediation guidance. CISA advises all MOVEit users to review the advisory on its site.

Romanian Threat Actor 'Diicot' Heading Beyond Cryptojacking in New Campaign

Cado Security, maker of a cloud forensics and incident response platform, has released a new report detailing and warning about a new campaign from what appears to be an emerging Romanian cybercriminal group, Diicot. The threat actor, previously known as Mexals, runs campaigns that pair brute-force access with malware payloads.

The new name copies the acronym for the Directorate for Investigating Organized Crime and Terrorism (DIICOT), a law-enforcement agency in Romania that investigates and prosecutes cybercrime under its organized crime mandate.

Security analysts say the group is known for malware-as-a-service offerings and cryptojacking campaigns and has been active since 2020. They also note that artifacts from its campaigns point to Romanian organized crime and to the DIICOT policing unit the group named itself after.

Cado Labs researchers found that Diicot is deploying a Mirai-based botnet agent called Cayosin. Its targets include routers and other Linux-based embedded devices running the OpenWrt operating system. The use of Cayosin indicates that the group is moving beyond the cryptojacking and other tactics first documented by Bitdefender and Akamai and becoming more versatile in its attacks.

The latest campaign is concerning because it marks an escalation from the group's previous activity. One twist in the report is a doxing video in Romanian, discovered by the researchers, in which the group argues with other online participants. According to the researchers, it suggests that, alongside its other activities, the group exposes people's personal details, including full names, home addresses, and photographs.

Previously undisclosed brute-force payloads recovered from earlier campaigns show that Diicot targets SSH servers that still accept password authentication. The current campaign uses a small list of username/password pairs, several of them defaults or otherwise easy to guess.
Researchers say the obfuscation and the long, complex execution chains made analysis labor-intensive.
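A campaign of this kind is loud in `sshd` logs: a run of `Failed password` lines for a handful of usernames from one address, sometimes followed by an `Accepted password` from the same address once a default credential hits. The following is an added example written for this page (not code from Cado Security or from the campaign itself) that parses that pattern out of standard OpenSSH auth log lines. The log lines, addresses, usernames, and the threshold of five failures are all constructed assumptions for the example.

```python
"""Detect password brute-force attempts and successes in OpenSSH auth logs.

Added example for this page, not from Cado Security. Parses the standard
"Failed password for ..." / "Accepted password for ..." sshd lines, counts
failures per source address, and records the first password login that
follows a run of failures from the same address.
"""
import re

# Constructed sample log (not real traffic). Addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:07 host sshd[2100]: Failed password for root from 203.0.113.7 port 50211 ssh2
Jun 12 03:14:09 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Jun 12 03:14:11 host sshd[2102]: Failed password for pi from 203.0.113.7 port 50215 ssh2
Jun 12 03:14:13 host sshd[2103]: Failed password for invalid user ubnt from 203.0.113.7 port 50217 ssh2
Jun 12 03:14:15 host sshd[2104]: Failed password for root from 203.0.113.7 port 50218 ssh2
Jun 12 03:14:18 host sshd[2105]: Failed password for pi from 203.0.113.7 port 50219 ssh2
Jun 12 03:14:20 host sshd[2106]: Accepted password for pi from 203.0.113.7 port 50220 ssh2
Jun 12 03:20:00 host sshd[2200]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jun 12 03:25:00 host sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Matches both "for root from" and "for invalid user admin from".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_lines(lines):
    """Return a list of dicts with result, method, user, ip for each sshd auth line."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_brute_force(events, threshold=5):
    """Per source IP: failed password count, usernames tried, and the user whose
    password login succeeded after at least `threshold` failures (if any).

    Key-based logins are ignored: they are not password guesses.
    """
    state = {}
    for ev in events:
        s = state.setdefault(ev["ip"], {"failed": 0, "usernames": set(), "compromised_user": None})
        if ev["method"] != "password":
            continue
        if ev["result"] == "Failed":
            s["failed"] += 1
            s["usernames"].add(ev["user"])
        elif s["failed"] >= threshold and s["compromised_user"] is None:
            s["compromised_user"] = ev["user"]
    return {ip: s for ip, s in state.items() if s["failed"] >= threshold}


if __name__ == "__main__":
    for ip, s in detect_brute_force(parse_auth_lines(SAMPLE_AUTH_LOG.splitlines())).items():
        verdict = f"SUCCEEDED as {s['compromised_user']}" if s["compromised_user"] else "no success seen"
        print(f"{ip}: {s['failed']} failed password attempts over {sorted(s['usernames'])}; {verdict}")
```

On the sample, `203.0.113.7` is reported with six failures across `root`, `admin`, `pi`, and `ubnt` and a subsequent successful password login as `pi`, while `198.51.100.4` (one typo followed by a key-based login) is not flagged. Any "succeeded" result is an incident, not an alert to tune away. The corresponding prevention is the one the campaign itself points to: set `PasswordAuthentication no` in `sshd_config` and use keys, and change default credentials on embedded devices before they are exposed.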

Given the severity of Diicot's activities, researchers advise organizations to take effective measures to protect their data and infrastructure. For the technique described here, the obvious ones are to disable password authentication on SSH in favor of key-based logins and to change any default credentials on embedded devices.

Bitdefender Warning on New Exfiltration Malware Targeting RDP Workloads

Researchers at Bitdefender Labs report new custom malware that hunts for RDP targets in order to steal data.
They first observed the activity as part of RedClouds, an espionage campaign attributed to an East Asian state-sponsored group. The server-side implant, called RDStealer, watches incoming RDP connections for clients that have client drive mapping enabled. It then infects those connecting RDP clients with the Logutil backdoor and exfiltrates sensitive data from them.

The researchers say RDStealer is notable for its DLL sideloading technique. For stealth it chains several DLLs together, and it is triggered through the WMI subsystem so that it blends into normal system activity. Both RDStealer and the Logutil backdoor are written in Go, which makes it straightforward to build them for many platforms.

The Bitdefender Labs team says this is the first time it has seen this attack method in the wild. It demonstrates a clear escalation in the sophistication of these operations and shows how attackers keep finding new ways to abuse old, widely used technologies. The team stresses the need for organizations to deploy stronger, multilayered security measures.

Beyond the details of how RDStealer operates, the Bitdefender Labs report emphasizes the broader recommendations that reduce the risk of compromise: shrinking the attack surface, finding and fixing known vulnerabilities, and keeping access policies up to date. Endpoints should have automated protection controls, including next-generation antivirus with integrated reputation checks for IP addresses, domains, and URLs.

Since a threat actor may bypass many of these controls, businesses should also use endpoint detection and response (EDR) or XDR/MDR services, which shorten the time a threat goes undetected.

Deep Instinct Finds New JavaScript-Based Malware Dropper

Deep Instinct's Threat Research Lab recently shared details of a new JavaScript-based dropper called PindOS that installs two malware families on its targets: IcedID and Bumblebee. The dropper takes its name from a user-agent string in its code, which also contains comments in Russian.

Bumblebee, first documented by researchers in March 2022, has ties to the Conti ransomware group. The shift here is that the dropper for the Bumblebee component now uses JavaScript instead of PowerShell to execute. The researchers say this shows its developers refining their techniques to make the malware more efficient and harder to detect.

The way IcedID is used has also changed, according to the researchers. Its delivery through PindOS marks a shift away from being strictly banking malware and suggests it may be following the path of Emotet. That change is concerning, since Emotet evolved into what many describe as the "world's most dangerous malware."

The PindOS dropper follows a straightforward pattern: download a payload DLL from a target URL and run it; if that fails, retry from a second URL. The researchers note that the dropper's features and design make it an efficient and resilient tool for infiltrating networks and delivering payloads.

Payloads are generated pseudo-randomly on each download to evade detection, a common technique. It is only partially effective, though, because constant indicators remain, so detection at some level is still possible.

Security experts say the combination of the IcedID and Bumblebee strains poses a significant threat to individuals and organizations, and the move to JavaScript introduces new challenges for defenders.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay safe and healthy, and remember to check back next month for more highlights.
