News You Might’ve Missed. November 2023

What's new this month in the news for MSPs?

Microsoft says Azure Kubernetes Service is getting many new features; China's ICBC ransomware attack disrupts US Treasury markets; Microsoft warns SysAid vulnerability used to deploy Clop ransomware; spammers abusing exploit in Google Forms quizzes; ransomware attacks will now include SEC complaints; and 8Base ransomware is advancing its tactics.

Let's see what it's all about.

Microsoft Says Azure Kubernetes Service Is Getting Many New Features

Microsoft says that a plethora of updates will strengthen the Azure Kubernetes Service, with the goal of offering improved efficiency, scalability, and cost optimization, along with improvements to security, networking, and advanced capabilities in observability.

Microsoft announced the forthcoming updates at KubeCon + CloudNative Con NA in Chicago, touted as the world’s biggest annual Kubernetes conference. Open-source Kubernetes is currently considered a leader among the most vital enterprise systems. Businesses use it for container-based application management because it can operate anywhere with Kubernetes.

The cloud-based AKS from Microsoft is a fully managed Kubernetes implementation and is Azure-hosted. Additionally, it has grown in popularity and is now a leader among the more popular distributions. Thousands of businesses use it to manage their application portfolios, which can include thousands of apps.

Efficiency Enhanced

In the present macroeconomic environment, Microsoft sees efficiency as a critical priority among its Kubernetes users, which has led it to ensure that AKS is resource-efficient. Microsoft's efforts are clearly visible now that Kube-reserved resource optimization in AKS is publicly available.

To further improve efficiency, Microsoft revealed an AKS public preview of its support for streaming artifacts. This application enables users to scale their workloads and doesn’t require them to wait for Kubernetes clusters to fully load container images.

Updates to Security and Networking

Microsoft representatives have identified some of the main image security and network issues that Kubernetes-using companies still face. A sneak peek of the image integrity component has been newly added to AKS by Microsoft as a means of addressing these concerns. Using this feature, the authenticity of container images can be quickly validated. This feature ensures that the images are from reliable sources and have not been altered in any way, so that they can be used.

It also announced that AKS, which is currently in public preview, now offers dual-stack support for the Azure Container Networking Interface (CNI) Overlay. Microsoft expects that this update will enhance the networking functionalities of AKS. This improvement permits the simultaneous utilization of IPv6 and IPv4 addresses within a singular cluster. This development provides users with enhanced versatility and authority regarding connectivity alternatives within the AKS environment.

Furthermore, the ease with which clients can deploy new web applications is enhanced by a recently introduced add-on for application routing in AKS. According to Microsoft, this add-on obviates the need for ingress controller configuration, security certificate management, and DNS administration. Concurrently, the organization introduced an Azure Backup public preview for AKS, with the objective of streamlining the processes of restoring and backing up container applications along with the data they contain.

Better Scalability

Microsoft says it has a new mesh add-on that is an Istio-based service offering made for AKS that’s in public preview. In addition to simplifying the management of Istio upgrades, it also offers support for access control, enabling customers with their own certificate authority to bring them.

All customers can now generally access an additional Kubernetes add-on that offers event-driven autoscaling, which helps to simplify the process of autoscaling applications.

According to Microsoft, the system works by implementing event-driven autoscaling for each application, responding to user demand by adding resources during peak periods, and then reducing them when they’re not needed.

Microsoft has also made more progress in storage flexibility. With the launch of Azure Container Storage in AKS in preview, customers can now establish dedicated container storage in 26 regions. This addition will allow customers to quickly reduce scale-out volumes and pod failover times; it will lower the total cost of ownership on each application and across options for multiple block storage.

Better Observability and Metrics

Lastly, the updates shared by Microsoft primarily concentrate on enhancing AKS workload observability.

Azure Monitor for Prometheus is now more widely available, thanks to Microsoft, giving a wider range of users the opportunity to gather and examine AKS metrics more extensively using a monitoring platform that is compatible with Prometheus.

This reduces complexity and enables teams to examine and get performance alerts on monitored infrastructure using the Prometheus query language.

China’s ICBC Ransomware Attack Disrupts US Treasury Markets

A ransomware attack significantly disrupted American business operations when the Industrial and Commercial Bank of China Ltd. (ICBC), the largest bank in China, fell victim to the cyber assault. The US Securities Industry and Financial Markets Association revealed on November 6th that ICBC had experienced a ransomware attack, impacting equity trades and preventing the settlement of Treasury trades on behalf of other market stakeholders.

Due to the inability of ICBC to settle trades, most investors rerouted their transactions. Surprisingly, the impact on the Treasury market's liquidity was less severe than anticipated, and the overall market performance remained largely unaffected. In an emergency notice to traders, ICBC referred to the incident as an "attack" but did not disclose the specific ransomware involved.

To address the situation, ICBC temporarily suspended all incoming FIX connections, citing the inability to establish a connection with the Depository Trust & Clearing Corporation or the National Securities Clearing Corporation. Although the exact ransomware variant was not immediately identified, security researcher Kevin Beaumont suggested a potential attack path. He believed that the attackers could have taken advantage of an ICBC-hosted Citrix Netscaler box by using the Citrix Bleed vulnerability.

Citrix Bleed, tracked under CVE number 2023-4966, was identified in October and highlighted in a November 7th alert by the US Cybersecurity and Infrastructure Agency. The vulnerability, affecting NetScaler ADC and NetScaler Gateway when configured as gateways, could lead to the disclosure of sensitive information. Beaumont emphasized that this security hole enables attackers to easily bypass all forms of authentication, providing them with full access to a remote desktop PC on the other end.

While Beaumont pointed to a specific vulnerability, other security experts caution that it is premature to determine precisely how the attackers gained access to ICBC's

Microsoft Warns SysAid Vulnerability Used to Deploy Clop Ransomware

Microsoft is warning organizations using system management software from SysAid Technologies Ltd., an information technology service management company, of a vulnerability currently under active exploitation for deploying Clop ransomware.

Microsoft Corp.’s Threat Intelligence team wrote on X of the discovery of a zero-day vulnerability in SysAid’s IT support software that the Lace Tempest ransomware group is currently exploiting.

This year, Lace Tempest surfaced as a result of attacks on the GoAnywhere MFT and MOVEit Transfer. The group has distinguished itself through the sophisticated attack techniques it uses and frequently accesses networks where it deploys its ransomware by taking advantage of zero-day vulnerabilities.

Lace Tempest, according to Microsoft, exploited the vulnerability and used the SysAid program to send commands that delivered a malware loader for the Gracewire malware.

According to a blog post by SysAid, the identified vulnerability, identified as CVE-2023-47246, was initially identified on November 2nd. It is a path traversal vulnerability that can lead to code execution within the on-premises SysAid software.

Threat researchers have reported that the attackers exploit this vulnerability by uploading a WAR archive that contains payloads and a WebShell into the webroot of the SysAid Tomcat web service.

SysAid has released a patch to address the vulnerability and is urging all customers to verify that their systems are updated to version 23.3.36. This version incorporates the necessary patches to mitigate the risk.

Spammers Abusing Exploit in Google Forms Quizzes

According to the blog post on the Talos Intelligence website, researchers at Cisco Systems Inc. have discovered a novel way to access systems. It involves an exploit that abuses the quiz results feature of Google Forms, leading some commentators to label it as both malicious and sly. The attack starts with the quiz template and continues with a string of online forms.

The creator of the quiz should choose to release grades at a later time when configuring it. This ensures that the form collects email addresses from quiz respondents. By now, we are all aware that spammers are extremely interested in valid and up-to-date email addresses.

There are several other settings that must be answered precisely. These are all outlined by the Talos researchers and, while not critical, they are meticulously chronicled in their blog post that describes the exploit.

However, the crux of the issue is that Google generates emails from its own infrastructure. These emails may contain any phishing message that the spammer provides, including harmful web links.

The emails are generated from the Google account associated with the form's creation. As a result, they are currently evading detection by spam blockers.

This may change if Google develops a solution to block them in the future. This possibility becomes more apparent now that this quiz method has been documented.

Ransomware Attacks Will Now Include SEC Complaints

As if in an ironic stab in the dark, the ransomware group known as ALPHV/BlackCat has lodged a complaint with the US Securities and Exchange Commission.

Certainly, it's an unconventional method to heighten the repercussions of its cyberattacks. In a thorough report on Bleeping Computer, Ionut Ilascu details a formal complaint accusing a probable victim of breaking the SEC's four-day disclosure rule.

Ilascu confirms the breach by citing financial services technology provider MeridianLink. In response, MeridianLink moved quickly to contain the threat and launch an investigation.

This is despite the hackers' claim that the attack occurred on November 7th. MeridianLink representatives did not respond to the ransom demands. Ilascu’s source says that there was no evidence of disruption to its business or unauthorized access.

Security experts who are familiar with such incidents do not express surprise and forecast that other ransomware groups will probably file comparable complaints with regulatory agencies in the United States and the European Union if their victims fail to disclose their breaches in a timely manner.

In this particular scenario, even if the security breach had taken place, it is highly improbable that MeridianLink was required to disclose it. The rule regarding expedited disclosure will not be enforced until next month.

Modern extortion techniques, such as multipoint attacks, are becoming more complex, and this latest ransomware strategy is a prime example of that. When it comes to multipoint groups, ALPHV/BlackCat has been one of the most prevalent.

8Base Ransomware Group Is Advancing Its Tactics

According to a new report from Cisco Talos Intelligence, the ransomware group 8Base, which is responsible for the Phobos malware, is expanding into ransomware as a service and changing up its strategies.

Incidents involving Phobos-based attacks have been documented since 2018. It now seems that the group has elevated its strategies. This includes enhancing its organizational abilities and developing more complex and lethal ransomware.

A list of its victims recently attacked is shared on its well-known leak website, which some refer to as a "wall of shame." As is the case with a great number of other ransomware organizations, they try to force victims to pay by employing this strategy.

Researchers who are monitoring them have discovered a number of Phobos variants, of which the more prevalent are Devos, Faust, Elbie, Eking, and Eight. The group uses a range of commercial email systems, such as AOL.com, ProtonMail, and Tutanota, in its initial communication attempts to ensnare victims by sending out phishing emails.

These emails use custom reply-to addresses for each victim.

The RansomHouse group is one of the entities that has been identified as a possible affiliate. It was responsible for an alleged data theft in June 2022 of 450 gigabytes from Advanced Micro Devices Inc.

According to a report by Avast, the initial exploits associated with Phobos targeted vulnerabilities in Microsoft's Remote Desktop Protocol, which they have detailed in the report. Using this protocol, hackers frequently take advantage of the ease with which they can connect to a variety of systems. This makes it possible for them to facilitate further compromise.

Another discovery by Talos researchers is a common attack strategy used to target a specific segment of an enterprise's infrastructure. A limited number of highly valuable systems were infected with the ransomware. In addition to process-visualization tools, scanners that identify open services and network ports, automated credential collection and password extraction tools, and software for unlocking operational database files, a multitude of other malware tools were introduced.

The objective of these tools is to remove event logs and volume shadow copies from Windows, thereby increasing the challenge of detection and, of course, recovery. This exemplifies the sophisticated nature of the efficacy of a ransomware-as-a-service model and Phobos, which combine criminal services into a unified package.

Phobos' regular maintenance of "do not disturb" lists and the fact that it avoids encrypting files accessed by other affiliate operations is an intriguing feature. Researchers discovered a consistent public encryption key in every file decryption they examined, indicating that a single threat actor is responsible for the operation.

Experts say that system administrators should be reminded of the multifaceted defense needed against a typical ransomware incursion by looking at this extensive arsenal. This highlights a key reason that most ransomware attacks have been so successful: the malware has adapted to handle multiple frontal attacks on Windows, applications, and networks with relative ease.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay safe and healthy, and remember to check back next month for more highlights.