Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology
News You Might've Missed

News You Might’ve Missed. May 2022

News You Might’ve Missed. May 2022

What's new this month in the news for MSPs? Google Cloud zeroing in on cloud governance, zero trust, open source software, etc.; 5 new critical vulnerabilities in enterprise network switches; Trend Micro finds Linux-based ransomware ”Cheerscrypt” targeting VMware ESXi servers; vulnerabilities in VMware and F5 products warning from CISA; and more.

Let's see what it's all about.

Google Cloud Zeroing in on Cloud Governance, Zero Trust, Open Source Software, etc.

Google says it’s zooming in on its “invisible security” concept with an offering of new security services.

They want to encourage the adoption of zero-trust architecture by enterprise clients to help to secure software supply chains, transform security operations and boost cloud governance overall.

Since many customers of its cloud services remain reliant on open-source software for their infrastructures and critical apps, Google says that’s their weakest link, where patching is far behind the vulnerabilities that continue to appear in rapid succession.

What’s worse is that cybercriminals are increasing their attacks because they realize this. According to Sonatype Inc. in a recent report, cyberattacks against open-source software suppliers increased by over 650% over the last year.

At the Google Cloud Summit, Google Cloud announced the launch of the Assured Open Source Software service (Assured OSS) to rebuild the confidence of its subscribers.

Assured OSS lets Google Cloud subscribers include the same OSS packages that Google developers leverage in their workflows. This service will enable businesses to use open-source software and not need to develop packages or operate and maintain the complex processes necessary to handle dependencies securely.

What’s more, the OSS packages are frequently analyzed, scanned, and “fuzz-tested” for vulnerabilities. Google then signs them, and they are distributed from a protected and secured artifact with Google. This process does the heavy lifting for each business when securing the software supply chain.
To further its concept of zero-trust security, Google says it’s expanding its Beyond Enterprise services with a new solution it’s dubbed Beyond Enterprise Essentials. This service is aimed at helping businesses zero-trust their architectures with ease. After implementing it, companies will gain context-aware access controls for SaaS apps, URL filtering, and threat and data protection directly included in the Google Chrome browser.

Google also announced the launch of its Security Foundation service and updates to the Security Command Center. It’s targeting two pain points for developers using APIs: misconfigured application programming interfaces and “bad-bots” detection responsible for malicious API calls. Google is launching the public preview of Apigee Advanced API Security.

5 New Critical Vulnerabilities in Enterprise Network Switches

Armis Inc. has uncovered five critical vulnerabilities when implementing TLS in the network switches used by millions of businesses. The vulnerability, dubbed TLStorm 2.0, is a sequel to three vulnerabilities discovered in APC Smart-UPS by Armis last year and stems from a shared design flaw in the devices.

In the original TLStorm, attackers were able to gain control of Smart-UPS devices from the internet and required no user interaction. The UPS overloaded and destroyed itself and eventually burned out in a cloud of smoke. The misuse of the NanoSSL TLS Library by Mocana is the cause of these vulnerabilities.

So far, Armis researchers have identified dozens of devices using the Mocana NanoSSL TLS Library, including those from Avaya Inc. and Aruba Networks, owned by Hewlett-Packard Enterprise Co. While network switches differ from UPS devices in how they function and the levels of trust in the network, the TLS issues in their implementation still allow for devastating results.

What’s more, the vulnerabilities from TLStorm 2.0 can give an attacker total control of the network switches found in hospitals, airports, hotels, and many other organizations globally. The potential exploits due to the vulnerabilities include possibly spreading to other devices by changing switch behavior, data exfiltration of sensitive or private information of corporate network traffic from the internal network to the public internet, and “captive portal” escape.

Trend Micro Finds Linux-Based Ransomware ”Cheerscrypt” Targeting VMware ESXi Servers

Linux-based ransomware dubbed “Cheerscrypt” targets VMware Inc. by using the ESXi hypervisor they developed to deploy virtual PCs, say researchers at Trend Micro Inc.

The ransomware shares some similarities with other ransomware groups like Hive, LockBit, and RansomEXX that have targeted ESXi servers before. Cheerscrypt ransomware encrypts all VMware-related files. Its name is derived from the ransomware’s activities.

After it gets into an ESXi server, it will search for all .vmdk, .log, .vswp, .vmem, and .vmsn extension files connected to ESXi snapshots, log files, paging files, swap files and virtual disks. Before encryption, it adds “.Cheers” to the end of the file names.

The researchers say Cheerscrypt ransomware is a double-tap type of ransomware. The group behind it not only demands payment for the decryptor but threatens to share the stolen files if the victim doesn’t pay the ransom.

Researchers say a proactive and robust security profile is necessary to maintain cybersecurity defenses solid against these types of threats. It is wise to adopt stringent best practices and set up security frameworks that keep pace with modern ransomware families.

FREE WHITEPAPER
The Value of Backup in Ransomware Protection Strategy
What your ransomware protection strategy should look like? Learn in this whitepaper:
New call-to-action
Ransomware WP icon

Vulnerabilities in VMware and F5 Products Warning from CISA

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings on five software vulnerabilities expected to affect many businesses. They found four of these in VMware Inc. products, and they discovered the fifth in an F5 load balancer.

Patches from VMware came out on April 6 for two of the vulnerabilities in CVE 2022-22954 and CVE 2022-22960. VMware’s One Access, vRealize Automation, Identity Manager, vRealize Suite Lifecycle Manager, and VMware Cloud Foundation products are affected.

According to the alert published by CISA, the cybercriminals reverse-engineered VMware’s April 6 patch in only 48 hours. They then began attacking vulnerable networks. Systems with vulnerabilities are susceptible to many types of attacks, and these hackers can run malicious scripts on the affected devices and get admin access and root access.

Independently of this warning, CISA issued an emergency directive on two newer vulnerabilities found in identical VMware products. They are tracked as CVE-2022-22972 and CVE-2022-22973.

CISA released a fifth security vulnerability alert that affects BIG-IP, a load balancer from F5 used by organizations to manage network traffic. They discovered that specific versions of the load balancer contain a vulnerability tracked as CVE-2022-1388.

On May 4th, F5 released a patch for the vulnerability. Nevertheless, CISA states in the alert that threat actors publicly released proof-of-concept code that demonstrates how hackers can use the weakness and launch cyberattacks. CISA also warned that threat actors are already targeting affected systems.

CISA and the Multi-State Information Sharing and Analysis Center expect widespread attacks that target affected systems soon. Agency officials “strongly urge” businesses to secure vulnerable devices.

Cado Labs Says Denonia Malware Is Going After AWS Lambda Environments

Security researchers have uncovered a new malware variant seen targeting AWS Lambda. In May, Cado Security published their research findings about Denonia, a malware that threat actors use in cyberattacks targeted against Lambda.

Businesses use Lambda, a scalable computer service from AWS (Amazon Web Services), to run code, for OS and server maintenance, operating many backend services, and logging.

Cado Security says that with the advent of this new malware strain, the cloud service used by many small and medium businesses (SMBs) globally is in jeopardy of being infected by it. The malware should not be confused with Lambda Ransomware, as the code used is written in the Go programming language and is completely different, despite having the file name “python.”

They took the name “Denonia” for the malware based on the site it connects to and shares data with – gw.denonia.xyz.

The sample the researchers conducted dynamic analysis on revealed that DoH (DNS over HTTPS) is used, rather than the traditional method of DNS. The new process encrypts the DNS queries to send out inquiries that appear as typical HTTPS network traffic to DNS over HTTPS resolvers.

While researchers say the first sample seemed innocuous because it only runs software for cryptomining, it does indicate that cyberattackers are turning to cloud-specific knowledge, intending to exploit cloud environments. It sets the stage for future, much more malicious attacks.
A second sample has since been added to VirusTotal.

NAS Customers Warned by QNAP of New Deadbolt Ransomware Attacks

The network-attached storage (NAS) manufacturer QNAP, based in Taiwan, warned of a new onslaught of cyberattacks that push payloads for Deadbolt ransomware and urged customers to take steps to secure their devices.

Some of the steps suggested by QNAP included updating public-facing devices to the latest software version. The update will help to protect them from remote access over the internet.

QNAP’s PSIRT (Product Security Incident Response Team) says the attacks target NAS devices using QTS 4.4.1 and QTS 4.3.6 on the TS-X53 and TS-X51 series.

The new warning comes on the heels of another customer advisory posted in January that urged those with public-facing devices to:

  • Turn off the Port Forwarding function of the router
  • Turn off the UPnP function of the QNAP NAS

The manufacturer also gave detailed instructions that showed users how to turn off Telnet and SSH connections, change the system port number, change device passwords and turn on account access and IP protection.

In April, customers of QNAP were warned to turn off UPnP (Universal Plug and Play) and port forwarding to stop exposure to internet attacks.

Should customers need access to their NAS devices (with no direct access to the internet), they can turn on their router’s VPN feature, which will allow them to use the QuWan SD-WAN or QVPN Service app solution.

In late January, researchers first noticed Deadbolt ransomware attacks against QNAP devices. The ransomware steals the login page of the device and displays a message that reads, "WARNING: Your files have been locked by DeadBolt" in its place.

Michael Gillespie, a ransomware expert, offers a Windows-based decryptor for free to help victims decrypt their files without the executable from the ransomware. Still, QNAP owners must pay the ransom if hit by Deadbolt ransomware to get a valid decryptor.

Microsoft Says It Mitigated Vulnerability in Third-Party Azure Synapse Data Connector

Microsoft mitigated an Azure Synapse and Azure Database Connectivity (ODBC) pipeline vulnerability. Microsoft says it was specific to the third-party ODBC driver that customers use to link to the Azure Data Factory Integration Runtime (IR) and Amazon Redshift in Azure Synapse pipelines. On the whole, it did not impact Azure Synapse.

This weakness could have allowed the execution of remote commands throughout the IR infrastructure by an attacker that was not limited to a single customer’s tenant.

Subsequently, to determine if there were any cases of abuse, Microsoft conducted a thorough internal investigation. Orca Security, the company that reported the vulnerability, was the only activity that was identified. No evidence of malicious activity or misuse was found during the investigation. The vulnerability was mitigated on April 15, 2022.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.

MSP360 Managed Backup.
Simple. Reliable.
Powerful cross-platform backup and disaster recovery that leverages the public cloud to enable a comprehensive data protection strategy.
New call-to-action
MBS CTA image