News You Might’ve Missed. May 2021

What's new this month in the news for MSPs?
Microsoft acquires Linux distribution maker Kinvolk; AWS introduces SaaS Boost, an open-source toolkit; AWS launches App Runner for container management; Google and CrowdStrike join hands, and more.

Let's see what it's all about.

Microsoft Acquires Linux Distribution Maker Kinvolk

Kinvolk GmbH, a Berlin-based startup founded in 2015, is the creator and distributor of Flatcar Container Linux, launched in 2018. Microsoft acquired the company this month and announced the acquisition in a post on the Azure blog on April 29th.

According to Brendan Burns, Microsoft’s Corporate Vice President of Azure Compute, Kinvolk’s team will be joining Azure. They will contribute to the Azure Kubernetes Service (AKS), the Azure Arc management platform, and any future projects related to expanding Azure’s hybrid container platform capabilities.

The Kinvolk team will also continue to develop its open-source projects, such as Flatcar Container Linux. Kinvolk is also known for its early contributions to CoreOS and for the Lokomotive and Inspektor Gadget projects.

AWS Introduces SaaS Boost, an Open-Source Toolkit

This month, AWS announced the release of SaaS Boost, an open-source tool developed by AWS and distributed under the Apache 2.0 license. AWS first announced it at last year's AWS re:Invent conference. The goal of the tool is to help companies transform their on-premises applications into cloud-based software as a service (SaaS).

SaaS Boost gives businesses the tooling they need to adapt their applications so that users can sign up and then use those applications in a multi-tenant cloud context.

SaaS apps are constantly changing. Aside from the industry-standard protocols they use, they need specific capabilities to provision infrastructure, onboard users, and surface essential metrics. With these functions, SaaS providers can grow.

However, if every company built these capabilities independently, time to market would suffer because few have the resources to spare. To help businesses address this, AWS SaaS Boost includes functions such as data partitioning, tenant isolation, metering, monitoring, and billing. Amazon says it is focused on building an environment that brings everything together in a ready-made SaaS architecture, taking the heavy lifting out of the equation.

AWS Launches App Runner for Container Management

Developers can now build, deploy, and run containerized apps with a new, fully managed container application service from AWS. The service is now generally available and takes care of many operational tasks, making things much simpler for developers.

Since AWS has taken on the heavy lifting, teams can get new apps into production with only a few keystrokes. What's more, the tooling AWS provides helps develop, deploy, and operate container-based apps regardless of the platform they run on, and gives developers better control over aspects such as the underlying systems, network traffic encryption, and load balancing.

AWS App Runner lets AWS customers provide source code, a deployment pipeline, or a container image, and the service builds and launches the app automatically. It scales the app as needed, handles load balancing, and continually monitors the app's health. Since it does the same for APIs, users can forget about managing clusters or servers.

Google and CrowdStrike Join Hands

CrowdStrike and Google have joined together to provide security teams with better insights into threats across hybrid and cloud deployments. The two technology organizations are linking a half-dozen of their cybersecurity tools together to make it easier for teams to detect malware in their networks.

The Falcon platform is CrowdStrike's flagship product. Many organizations use it to protect employee devices and servers on their networks. Thanks to its large installed base, Falcon tracks roughly 5 trillion security data points weekly.

Falcon will now send security telemetry from a customer's environment to Google's Chronicle analytics platform, where cybersecurity analysts can study the data for signs of a breach.

Chronicle can store and analyze petabytes of security data at once. That capacity is what makes it effective: intrusions are frequently detected only months after they occur, so analysts need long-retained historical data to trace them.

With Google and CrowdStrike teaming up, Falcon data will now also be available in Google Cloud's Security Command Center service. The collaboration places a specific emphasis on keeping public cloud environments secure.

DarkSide Ransomware Group Ending Operations

A Wall Street Journal report says the ransomware group responsible for the Colonial Pipeline company breach is shutting down its operations. The DarkSide ransomware group announced in a message that, after pressure from the US government, it is closing its operations.

While some are celebrating the news, security analysts are skeptical and believe the group may simply be absconding with its money and withdrawing from public view. With the spotlight on DarkSide, many other gangs appear to be reevaluating their priorities, at least publicly.

In a recent post, the Russian-language forum XSS announced it would remove all references to ransomware. Avaddon and Sodinokibi, two other ransomware groups, say they will restrict which hackers can use their services in attacks. According to Digital Shadows, Avaddon says it will no longer allow attacks against public education, healthcare organizations, or charities.

The US has taken a strong stance against threats by ransomware groups in recent times. US President Joe Biden signed an executive order that will strengthen national cybersecurity defenses. During his remarks, the President said the Justice Department now has a task force to prosecute ransomware hackers.

Microsoft Intelligence Team Outlines Fake Ransomware Java STRRAT Malware Attack

Microsoft's security intelligence team shared details of a massive phishing campaign that spreads the Java-based STRRAT trojan while posing as a ransomware attack. The campaign uses compromised email accounts to distribute messages claiming to relate to payments.

The phishing email contains an image made to look like a PDF attachment holding the details of a supposed transaction. When users click on it, they are sent to a domain from which the malware is downloaded to their device.

Analysts say the latest version of the malware is more modular and obfuscated but retains the same backdoor functionality: it can still log keystrokes, collect passwords, run remote commands, run PowerShell, and more. Together these features give the attacker complete control over the infected device, which makes this a far sneakier attack than ransomware.

Conti Ransomware FBI Flash Alert

Conti ransomware is still actively impacting healthcare providers and others, according to an FBI flash alert warning issued on May 20.

The alert says there have been a total of 16 Conti ransomware attacks during the last year against first responder and healthcare networks, including emergency medical services, "911" dispatch centers, law enforcement agencies, and municipalities. Overall, Conti has gone after more than 400 entities, 290 of them in the US. The FBI says ransom demands have been as high as $25 million.

One of the more recent attacks was against Ireland's healthcare service, after which the group leaked some patients' stolen data online. Other victims include Sangoma Technologies Corp. and Advantech Co. Ltd., last November and December. This past February, the group targeted hospitals in Florida and Texas.

Microsoft Remote Desktop Protocol Vulnerability Allegedly Exposes Passwords

Researchers have found that a widely used application, relied on by thousands if not millions of people every day, has an alarming weakness. Jonas Lykkegård of the hacker group Secret Club recently shared a discovery on Twitter: the Remote Desktop Protocol (RDP) client keeps a user's password saved in memory.

Replies to his post show that others were able to reproduce his findings.

It is not unusual for a password to be held in memory for a brief time. What stood out here is that the password was kept in clear text and was not correctly cleared and deleted afterwards.

Should an attacker gain hands-on or remote access to the machine, they could recover that password and use it for malicious purposes. The flaw needs to be fixed quickly to prevent further security issues from arising.

Apple Patches MacOS Security Vulnerability

Apple Inc. has patched a vulnerability in macOS Big Sur 11.4 that traces back to research by Trend Micro Inc. in August, when its analysts discovered a malware family they named XCSSET, which targets Xcode projects.

Researchers at Jamf followed up on that work and found that a related, unpatched vulnerability was being exploited to take screenshots undetected on Macs.

The vulnerability lets attackers bypass Transparency, Consent, and Control (TCC), the macOS privacy feature that flags any app involved in an activity that can affect a user's privacy.

Recording keystrokes or taking photos are examples of activities TCC would flag, requiring the user's permission before the action can proceed.

Through the vulnerability, attackers can piggyback on an installed "donor" app whose permissions are already granted by building a malicious app on top of it. Because the permissions are inherited from the donor, TCC never prompts the user for approval.

One example given is that hackers could create a malicious app within Zoom. It would secretly record Zoom meetings happening on the screen. Since the malicious app obtained access permission through Zoom, the user would be unaware of the malware operating on the computer.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.
