News You Might’ve Missed. March 2022

What's new this month in the news for MSPs? VMware and Google Cloud announce partnership expansion to focus on cloud migration; AWS says it’s investing over $2.3bn in data centers in the UK; Linux “Dirty Pipe” vulnerability allows attackers to gain data overwrite access; Microsoft confirms Lapsus$ hacking; Hive ransomware hides payload using “IPfuscation” trick; and SunCrypt is still busy and humming in 2022.

Let's see what it's all about.

VMware and Google Cloud Announce Partnership Expansion to Focus on Cloud Migration

VMware Inc. and Google LLC’s cloud business are expanding their partnership to help companies migrate their on-prem apps to the cloud more easily. Google Cloud’s VMware Engine service is at the center of the enhanced collaboration. The service will soon be a part of VMware Cloud Universal’s subscription offering, according to Google.

The VMware Engine service simplifies the migration of on-prem VMware workloads to Google Cloud. Depending on the size of the workload, companies can migrate some workloads in less than an hour without any code changes needed.

With Google adding the service to the VMware Cloud Universal subscription, enterprises can purchase VMware’s core software products more effortlessly than before. Moreover, VMware significantly enhanced its portfolio offerings with its announcement last March.

The market reach of VMware’s products is a significant achievement for Google. VMware Cloud Foundation and Tanzu alone are two product bundles currently used by many of the world’s biggest companies.

The two companies say that customers can achieve considerable savings when combining their cloud offerings. According to their estimates, an average of over $2 million per year in savings is achievable for businesses deploying Google Cloud VMware Engine with VMware Cloud Universal.

AWS Says It’s Investing over $2.3bn in Data Centers in the UK

Amazon Web Services (AWS) says it plans to invest about $2.37 billion in UK data centers over the next two years. This move will double the investment it has made in the UK since 2016.

It is common for Amazon and its competitors to add to their data center networks to keep pace with burgeoning demand as businesses adopt cloud services. In the most recent sign that cloud adoption continues to grow, AWS’s revenues grew 40% to $17.78 billion last quarter.

An increase in data centers brings a few benefits for cloud providers, for example reduced latency for their customers. When data centers are closer to customers’ facilities, the time taken for data to travel back and forth is reduced, which helps speed up apps. Lower latency makes it practical for some enterprises to implement cloud use cases such as real-time data analytics.

While AWS didn’t share any specific details regarding its planned data center investment, it shared updates on its current initiatives in the UK. Amazon estimates that its direct investments have exceeded £32 billion since 2010, including operating expenses and capital expenditure.

Linux “Dirty Pipe” Vulnerability Allows Attackers to Gain Data Overwrite Access

Max Kellermann shared details regarding a new Linux vulnerability that lets attackers overwrite arbitrary read-only data files. Dubbed “Dirty Pipe”, the vulnerability leads to escalated privileges. CVE-2022-0847 in the Mitre database affects Linux kernel 5.8 or later, even on Android devices. It has been fixed in Linux versions 5.16.11, 5.10.102, and 5.15.25.

Kellermann found the vulnerability after getting a support ticket regarding corrupt files. His customer said they couldn’t decompress access logs after downloading. He fixed the problem manually, but the issue reoccurred.

Kellermann reviewed the file's contents, which appeared correct at first glance. However, after digging deeper, he noticed a specific type of corruption with a pattern. Later, he broke down what was involved and submitted all the details to his security team. Fixes were released for Linux on February 20th and the Android kernel on February 24th.

Analysts recommend prioritizing remediation and patching for this vulnerability, as attackers can use it to take over systems to exfiltrate or destroy private data.

Microsoft Confirms Lapsus$ Hacking

In a blog post, Microsoft confirmed that the hacking group it calls DEV-0537 had compromised one of its employees’ accounts, giving them limited access to repositories containing source code. While Microsoft hasn’t shared specifics about this breach, it did share TTPs used by the group. Microsoft says no customer data or code was seen in any of the activities by the threat actor.

The Lapsus$ group focuses on getting credentials to access corporate networks, using these methods:

  • Deployment of the malicious RedLine password stealer to get session tokens and passwords
  • Buying session tokens and credentials from illegal underground forums
  • Paying employees at target companies, suppliers, or business partners for multifactor authentication approvals and credentials
  • Searching for exposed credentials in public code repositories

Microsoft analysts note that the RedLine password stealer is currently the malware of choice for the purpose of getting credentials and is frequently spread through watering holes, phishing emails, YouTube videos, and “warez” sites.

Once Lapsus$ gets the access information they need, they use it to log into public-facing devices such as Virtual Desktop infrastructure, VPNs, or identity management services.

After gaining access to a network, they use Active Directory Explorer to find accounts that have higher privileges. They then target collaboration and development platforms such as Confluence, SharePoint, JIRA, Slack, and Microsoft Teams, where they steal other credentials.

The Lapsus$ gang will also use the stolen credentials to access source code repositories found on GitHub, GitLab, and Azure DevOps, which they did in the Microsoft attack.

Microsoft suggests that businesses implement the following to protect themselves:

  • Boost MFA implementation
  • Only allow trusted and healthy endpoints
  • Choose modern authentication for VPNs
  • Monitor and make your cloud security posture robust
  • Make employees aware of social engineering attacks
  • Review and implement security operation processes in response to DEV-0537 attacks

Recently, Lapsus$ has successfully coordinated many attacks against corporate entities. The attacks’ victims include NVIDIA, Ubisoft, Vodafone, Mercado Libre, Samsung and, most recently, Microsoft.


Hive Ransomware Hides Payload Using “IPfuscation” Trick

Threat analysts have uncovered a previously unseen obfuscation technique used by the Hive ransomware gang that leverages IPv4 addresses. After a series of conversions, it eventually leads to the downloading of a Cobalt Strike beacon.

Threat actors hide the activities of their malicious code by leveraging code obfuscation, which keeps human eyes and security software unaware, helping them to evade detection.

While threat actors use many ways to achieve obfuscation, this new one, found in a recent incident response involving Hive ransomware, is novel. It also underscores the fact that cybercriminals are developing new, stealthy ways to achieve their goals.

Analysts at Sentinel Labs shared details on the new technique, which they have dubbed “IPfuscation”. This is another real-world example of how effective these smart and simple methods are.

The technique was discovered while analysts were reviewing Windows 64-bit executables, each of which contained a payload that delivers Cobalt Strike. The payload itself was obfuscated as an array of ASCII IPv4 address strings, so that it looked like a harmless list of IP addresses.

The key takeaway from this is that relying only on static signatures for protection against malicious activity is not sufficient.
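A detection heuristic for the trick described above, written as an added example for this post (it is not code from Sentinel Labs or from the Hive sample): it scans a byte buffer for long runs of ASCII IPv4 literals, which a real list of servers rarely contains, and reverses the conversion so an analyst can inspect what the "addresses" actually encode. The fixture, the `min_len` and `max_gap` thresholds, and the helper names are assumptions made for the example.

```python
import ipaddress
import re

# Dotted-quad IPv4 literal stored as ASCII text inside an arbitrary byte buffer.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def find_ipv4_runs(data: bytes, max_gap: int = 8):
    """Group IPv4 literals into runs; a gap of more than max_gap bytes starts a new run.
    Returns a list of (offset_of_first_literal, [literals])."""
    runs, current, start, last_end = [], [], None, None
    for m in IPV4_RE.finditer(data):
        text = m.group().decode("ascii")
        try:
            ipaddress.IPv4Address(text)      # rejects octets above 255, e.g. 300.1.1.1
        except ValueError:
            continue
        if current and m.start() - last_end > max_gap:
            runs.append((start, current))
            current = []
        if not current:
            start = m.start()
        current.append(text)
        last_end = m.end()
    if current:
        runs.append((start, current))
    return runs

def decode_run(literals):
    """Undo the trick: every address contributes its four octets, in order, to the payload."""
    return b"".join(ipaddress.IPv4Address(ip).packed for ip in literals)

def suspicious_runs(data: bytes, min_len: int = 8):
    """Flag runs long enough to carry a payload; a couple of config addresses are ignored.
    Returns (offset, literal_count, decoded_bytes) so an analyst can inspect the decoded blob."""
    return [(off, len(ips), decode_run(ips))
            for off, ips in find_ipv4_runs(data) if len(ips) >= min_len]

# --- constructed test fixture (not a real sample) ----------------------------------
SAMPLE_PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD-NOT-REAL-CODE"   # 40 bytes -> 10 addresses

def encode_as_ipv4(payload: bytes):
    """Fixture helper only: split bytes into 4-byte groups and render each as an address."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    return [str(ipaddress.IPv4Address(padded[i:i + 4])) for i in range(0, len(padded), 4)]

def build_sample() -> bytes:
    """A fake binary: header bytes, a harmless config string, then a NUL-separated IP array."""
    ip_array = b"\x00".join(s.encode() for s in encode_as_ipv4(SAMPLE_PAYLOAD))
    return (b"MZ\x90\x00" + b"\x00" * 16 + b"server=10.0.0.5 dns=8.8.8.8\x00"
            + b"\x00" * 32 + ip_array + b"\x00" * 16)

if __name__ == "__main__":
    for off, count, blob in suspicious_runs(build_sample()):
        print(f"offset {off:#x}: {count} consecutive IPv4 literals, decoded {blob!r}")
```

Tune `min_len` to the environment; the decoded bytes, not the count alone, are what tell a benign address table from a hidden payload.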

SunCrypt Ransomware Is Still Busy and Humming in 2022

One ransomware-as-a-service operation that peaked in 2020 is still alive and kicking. SunCrypt is still seen to be active, and its operators seem to be working on adding new capabilities.

While SunCrypt was a pioneer of triple extortion that included threats to publish stolen data, file encryption, and DDoS (distributed denial of service) attacks if victims didn’t pay, it has failed to progress. Most say it hasn’t grown beyond being a small private RaaS that includes no more than a few affiliates.

Still, a new report from Minerva Labs shows that the slow progress hasn’t prevented the threat actors from working on improvements to the strain.

Its new features include process termination, wiping the machine clean for ransomware execution, and stopping services. Of its previous features, one important one has been retained – the use of I/O completion ports, which allow for faster encryption through process threading.

ID Ransomware stats show that SunCrypt is still actively encrypting targets; however, the activity is limited.

Analysts say it may be that the ransomware group has specific targets and is keeping negotiations and ransom payments private.

While SunCrypt is still real, it’s uncertain whether it will grow into a bigger threat.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.
