
News You Might’ve Missed. November 2021

What's new this month in the news for MSPs? New optimized Azure virtual machines from Microsoft; legal pressure allegedly making BlackMatter gang go dark; fake cybersecurity warnings out after hacker accesses FBI server; and Emotet botnet gets resurrected.

Let's see what it's all about.

New Optimized Azure Virtual Machines from Microsoft

Microsoft is bringing two more sets of virtual machines to its Azure public cloud this month. They are designed specifically for confidential computing, an increasingly popular way of protecting enterprise applications.

In this approach, the server's CPU carves out an isolated data environment from part of the onboard memory. Only the software running inside that environment can access the data; the cloud operator that owns the server and the operating system running on it cannot access, read, or change it.

The first set of new virtual machines for confidential computing is dubbed DCdsv3 and uses Intel Xeon server processors. The previously announced virtual machines, the DCasv5 and ECasv5 families, are built on silicon from Advanced Micro Devices.

The new servers use a technology called SGX, which ships with the third-generation Intel Xeon server processors. One of its most significant upgrades is to the Enclave Page Cache, which stores the code and data an application uses in a confidential computing workflow.

Another new feature lets an organization encrypt each virtual machine's memory with its own encryption key, using Intel Total Memory Encryption - Multi-Key. The encryption is always on and protects the VM against other tenants residing on the same node.

The other new set of VMs launched this month is based on the AMD Epyc 7003. AMD introduced these chips earlier this year; they are the latest in its seven-nanometer Zen 3 core design. Each chip contains approximately 64 cores, which can run up to 128 threads in total. On average, they deliver 19% more instructions per cycle than their predecessors.

Microsoft's new virtual machines use the SEV-SNP technology that AMD builds into the Epyc 7003 series to create confidential computing environments. Microsoft plans to make all of its confidential virtual machines available as an infrastructure option in the Azure Kubernetes Service.

Legal Pressure Allegedly Making BlackMatter Gang Go Dark

The BlackMatter group, which emerged from the remains of DarkSide, appears to be shutting down. According to a notice on its website, the group is closing operations because of mounting pressure from the authorities.

“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) - the project is closed,” reads the message, which VX-Underground posted to its Twitter account in Russian and English.

The group, which offers ransomware-as-a-service (RaaS), says its systems will keep responding to businesses by mail for additional information, and that its partners will still be able to obtain its ransomware decryptors.

The group’s move was likely forced by law enforcement. What’s more, it follows REvil’s announcement that it was shutting down last month after being hacked by a multi-country law enforcement operation.

Many are still skeptical, especially since BlackMatter is a rebranded version of the DarkSide ransomware group known for the Colonial Pipeline attack.

While the group hasn’t said what “latest news” refers to in its website message, many believe it is related to Europol’s arrest of 12 people reportedly involved in “wreaking havoc across the world with ransomware attacks against critical infrastructure.”

BlackMatter appeared first in July and very quickly made its existence known. In September, it conducted three attacks that included two farming co-ops in the US, the NEW Cooperative in Iowa and Crystal Valley in Minnesota, and the Japanese tech giant Olympus.

Many believe that history may repeat itself, and BlackMatter’s remaining members will probably reorganize and begin their activities anew under a different name.

Fake Cybersecurity Warnings Out After Hacker Accesses FBI Server

The Federal Bureau of Investigation's external email system was compromised by hackers earlier this month, resulting in thousands of fake warning emails being sent to people and companies. According to the FBI, the hackers sent the fake emails from its Law Enforcement Enterprise Portal, the system it uses to communicate with state and local officials. It is not part of the bureau's more extensive corporate email service.

Cybersecurity professionals close to the situation say that, since the emails carried no infected attachments, the hackers may have stumbled on the vulnerability in the portal by accident, with no plan to exploit it.

The Spamhaus Project, an international watchdog that tracks spam and related cyber-threats such as botnets, malware, and phishing campaigns, posted a copy of the spam email on its Twitter account.

According to the post, the subject line was “Urgent: Threat actor in systems.” The email presented itself as a warning from the Department of Homeland Security about a cyberattack. The hackers scraped the recipient addresses from the database of the American Registry for Internet Numbers (ARIN), the nonprofit that manages the distribution of Internet addresses for North America.

The emails referenced an international hacking group known as the Dark Overlord, which allegedly steals data and demands large ransoms for its return. The group reportedly stole episodes of Netflix shows in 2017, as well as student records in several US states.

Cybersecurity professionals say it could have gone much worse, and that the FBI most likely dodged a bullet.

MSP's Educational Posters on Password Security

The poster pack includes:

  • Best practices for creating strong passwords
  • Reminders of what secure passwords should look like
  • A chart to check whether your password is secure enough

Emotet Botnet Gets Resurrected

The Emotet botnet was once called “the world's most dangerous malware.” It has reportedly returned and is being installed on Windows computers via the TrickBot malware.

The name Emotet denotes both the malware and the botnet used to deliver it. It used to be a regular news item because of its many malware campaigns and, eventually, a warning from the US Department of Homeland Security (CISA). Up to July of this year, the botnet had been silent since 2020.

This time around, the malware is returning through the TrickBot botnet, which Microsoft thought it had taken down in October 2020. According to researcher Luca Ebach of the German cybersecurity firm G Data, Emotet is installed on targeted systems by TrickBot.

Emotet's return was also detailed by the Internet Storm Center. The Emotet malware itself spreads through malicious attachments, such as Excel, Word, and Zip files.
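Because the delivery vector described above is an email attachment, a practical defensive step is to triage attachments before they reach a mailbox. The following is an added example written for this article, not code from MSP360, G Data or the Internet Storm Center: it inspects Word, Excel and Zip attachments, flags embedded VBA macro projects (including macro projects hidden behind a non-macro extension), executables or scripts inside archives, encrypted archive entries that cannot be scanned, and legacy binary Office containers that warrant manual review. The extension lists and the "block/review/allow" policy are assumptions for the example, and the sample attachments are constructed in the script rather than taken from any real campaign.

```python
import io
import zipfile

# Attachment types the article names as Emotet carriers (Word, Excel, Zip), plus
# payload types commonly nested inside archives. Both lists are an assumed local
# policy for this example, not something the article prescribes.
OFFICE_EXTENSIONS = {".doc", ".dot", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".xlsb"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta", ".bat", ".cmd", ".lnk"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy binary (OLE2) Office files
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
BLOCK_MARKERS = ("VBA macro project", "executable or script")


def extension(name: str) -> str:
    """Lower-cased final extension, e.g. 'Report.DOCM' -> '.docm'."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_office(data: bytes) -> list:
    """Findings for a Word/Excel attachment: legacy OLE container, or OOXML with a VBA part."""
    if data.startswith(OLE_MAGIC):
        return ["legacy binary Office container (can embed VBA, not parsed here)"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return ["not a valid Office file despite its extension"]
    # The VBA part is checked by content, so a .docx/.xlsx name does not hide a macro.
    if any(part in names for part in VBA_PARTS):
        return ["VBA macro project embedded in document"]
    return []


def inspect_archive(data: bytes) -> list:
    """Findings for a ZIP attachment: encrypted entries, executables, macro documents."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive despite its extension"]
    with zf:
        for info in zf.infolist():
            inner_ext = extension(info.filename)
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag marks an encrypted entry
                findings.append(f"encrypted entry {info.filename} (cannot be scanned)")
                continue
            if inner_ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"executable or script inside archive: {info.filename}")
            elif inner_ext in OFFICE_EXTENSIONS:
                for f in inspect_office(zf.read(info)):
                    findings.append(f"{info.filename}: {f}")
    return findings


def triage_attachment(name: str, data: bytes) -> dict:
    """Return {'name', 'verdict', 'findings'}; verdict is 'block', 'review' or 'allow'."""
    ext = extension(name)
    if ext in OFFICE_EXTENSIONS:
        findings = inspect_office(data)
    elif ext == ".zip":
        findings = inspect_archive(data)
    elif ext in EXECUTABLE_EXTENSIONS:
        findings = ["executable or script sent directly as attachment"]
    else:
        findings = []
    if any(marker in f for f in findings for marker in BLOCK_MARKERS):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": name, "verdict": verdict, "findings": findings}


def _zip_bytes(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content} (content may be str or bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments for a dry run; none of this is real malware.
SAMPLES = {
    "quarterly.docx": _zip_bytes({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "invoice.docm": _zip_bytes({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\x00" * 16}),
    "payment.xlsx": _zip_bytes({"[Content_Types].xml": "<Types/>", "xl/vbaProject.bin": b"\x00" * 16}),
    "delivery.zip": _zip_bytes({"delivery.exe": b"MZ" + b"\x00" * 8}),
    "report.zip": _zip_bytes({"report.docm": _zip_bytes({"word/vbaProject.bin": b"\x00"})}),
    "old_form.doc": OLE_MAGIC + b"\x00" * 24,
    "notes.pdf": b"%PDF-1.4\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = triage_attachment(name, data)
        print(f"{result['verdict']:6} {name}: {'; '.join(result['findings']) or 'no findings'}")
```

The check is deliberately content-based: the "payment.xlsx" sample carries a macro project despite its non-macro extension and is still blocked, while a legacy ".doc" is routed to review because its OLE2 container is not parsed here. In production this kind of triage sits in front of, not instead of, a full attachment sandbox.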

Experts say its return was not unexpected. Takedowns have halted its operations for a while, but the pause rarely lasts.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.
