
News You Might’ve Missed. October 2022

What's new this month in the news for MSPs? Google Cloud adds new automation and security capabilities; Google introduces new software security products, virtual machines, and mainframe modernization; Microsoft's September data breach possibly exposes customer information; and more.

Let's see what it's all about.

Google Cloud Adds New Automation Capabilities and Cybersecurity

New features released by Google LLC's cloud business will let businesses manage and secure their cloud environments more simply.

The first new feature, Workforce Identity Federation, is being added to the Google Cloud IAM service. It lets businesses manage secure access centrally, choosing which employees get what level of access to which parts of their cloud environment. Google says the feature will reduce the effort spent managing staff access.

Typically, businesses use an identity provider (IdP) platform in the enterprise to manage employee access to the assets needed to conduct business. That platform stores which employees may access which technology assets and how they authenticate.

Workforce Identity Federation lets Google Cloud consume those identities from the existing IdP directly, so the business no longer has to maintain two separate copies of its user data; customers spend less time and effort managing employee access to cloud apps.

Alongside the debut of Workforce Identity Federation, Google announced an update to GKE Autopilot, the mode of Google Kubernetes Engine that manages the cluster infrastructure and provisions nodes automatically, saving time for admins.

GKE Autopilot can now provision cloud instances equipped with Nvidia Corp.'s A100 and T4 graphics processing units. With A100 and T4 support, customers can apply Autopilot's features to additional use cases in their cloud infrastructure.

One example is automating the management of the container clusters that run AI workloads. Google says customers can set the number of GPUs assigned to a container with a small amount of configuration code.

Google is also raising the number of virtual CPUs that can be assigned to a Kubernetes pod as part of the GKE update: up to 244 vCPUs, up from the prior 54, and up to 851 GB of memory.

According to Google, the GKE Autopilot and Workforce Identity Federation updates launched alongside two other enhancements. Cloud Spanner, Google Cloud's managed database, can now run twice as many data operations at once on a business's data, and the Natural Language API's content classification is being upgraded.

Google Introduces New Software Security Products, VMs, and Mainframe Modernization

Many innovations are coming to Google Cloud across its expanding portfolio, including block storage and new virtual machine products.

The cloud giant announced these, along with more cloud regions, more training options for developers, and a new open-source machine-learning initiative, at its Google Cloud Next 2022 conference.

C3 Virtual Machines

Google said customers currently face a choice between using a platform already optimized for their needs and optimizing their workloads themselves. Google considers the optimized platform the better option, which is why it is focusing there.

To make that happen, Google announced the new C3 machine series, powered by 4th Gen Intel Xeon Scalable processors. Google describes them as its most powerful virtual machines to date.

Dual Run Preview

Google is also focused on bringing legacy workloads to Google Cloud. Enterprises still running on-premises mainframes for financial transactions and similar workloads are the target customers for Dual Run.

With the Dual Run preview, Google can offer mainframe modernization services that it believes will make migrating legacy systems to Google Cloud much more manageable and eliminate many of the risks.

It's a big opportunity for Google, since 44 of the top 50 banks and 25 of the largest retail chains still run on-premises mainframes. Until now, moving a mainframe workload has been complex and fraught with risk.

Dual Run is meant to change that: it runs the workload on the existing mainframe and on Google Cloud in parallel so results can be compared before cutover, and it comes with other capabilities that remove many of the previous risks.

Software Delivery Shield for Supply Chain Security

Supply chain security has been a significant challenge for many developers, and Google is addressing it with its newly launched Software Delivery Shield (SDS), a fully managed software supply chain security solution that gives developers, DevOps teams, and security teams modular capabilities for building more secure applications.

SDS spans many Google Cloud products, from developer tools such as Cloud Code, through Artifact Registry, to runtime environments such as Google Kubernetes Engine.

Cloud Workstations, a new service, provides fully managed development environments hosted on Google Cloud, protecting software from the start of the development lifecycle.

Developer Training, Open Source, and More Cloud Regions

Google also said six more cloud regions are set to open, in Austria, Greece, the Czech Republic, South Africa, Norway, and Sweden. This follows recent news that Google is adding regions in Mexico, Malaysia, Thailand, and New Zealand next year, after data centers opened in France, Italy, and Spain in early 2022.

Meanwhile, open-source supporters may find the OpenXLA ecosystem interesting. It focuses on compiler infrastructure for machine learning.

AWS, Google, AMD, Arm Ltd., Intel Corp., Nvidia Corp., Meta Platforms, Inc., and others back OpenXLA. The new ecosystem is working to ensure that ML frameworks such as PyTorch, TensorFlow, and JAX run smoothly on all kinds of hardware.

Lastly, Google wants developers to learn more about its cloud platform and take their professional skills to the next level. Developers who join its program get extensive training and certifications, $500 in Google Cloud credits and exam vouchers, and live learning events.

Microsoft’s September Data Breach Possibly Exposes Customer Information

Microsoft Security Response Center recently posted that a server misconfiguration potentially exposed the data of prospective customers in September. Security researchers detected the exposure on September 24 and traced it to a misconfigured endpoint.

The misconfiguration allowed unauthenticated access and exposed some business transaction data corresponding to communications between Microsoft and prospective customers interested in implementing Microsoft services.

Microsoft hasn't said how many prospective customers were affected, but the security researchers put the figure at over 65,000 and call the leak BlueBleed.

After becoming aware of the issue, Microsoft secured the endpoint and investigated its impact. It found no indication that customer systems or accounts were compromised, but it has notified potentially affected customers.
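Microsoft's post only says that a misconfigured endpoint allowed unauthenticated access; public reporting on BlueBleed identified it as an Azure Blob Storage container. The check a practitioner wants after reading this is simple: from outside, with no credentials at all, what does each of our storage endpoints return? The following added example (not Microsoft's or the researchers' code) assumes an Azure Blob Storage container and uses the documented anonymous listing request (`?restype=container&comp=list`). The account and container names, and the two canned responses used for the dry run, are constructed for this example.

```python
"""Added example: probe a blob container for anonymous (unauthenticated) access.

Assumptions: the endpoint is Azure Blob Storage, and the "fetch" callable
performs a plain GET with no Authorization header or SAS token. The sample
responses below are constructed, not captured from a real account.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def urllib_fetch(url, timeout=10):
    """Unauthenticated GET. Returns (status, body_text), including error bodies."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe_container(account, container, fetch=urllib_fetch):
    """Classify the anonymous access level of one container.

    verdict values:
      "public-listing"        anyone can enumerate (and therefore read) the blobs
      "no-anonymous-listing"  listing denied; note that individual blobs may still
                              be readable by exact name if access is set to 'blob'
      "unexpected"            anything else; inspect manually
    """
    url = (f"https://{account}.blob.core.windows.net/{container}"
           "?restype=container&comp=list")
    status, body = fetch(url)
    if status == 200 and "<EnumerationResults" in body:
        root = ET.fromstring(body)
        names = [n.text for n in root.iter("Name")]
        return {"verdict": "public-listing", "status": status, "blobs": names}
    if status in (403, 404):
        # Azure answers anonymous listing of a private container with
        # 403 PublicAccessNotPermitted or 404 ResourceNotFound.
        return {"verdict": "no-anonymous-listing", "status": status, "blobs": []}
    return {"verdict": "unexpected", "status": status, "blobs": []}


# Constructed responses that stand in for the network during a dry run.
PUBLIC_LISTING = """<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="quotes">
  <Blobs>
    <Blob><Name>prospects/acme-2022-09.xlsx</Name></Blob>
    <Blob><Name>prospects/contoso-poc.pdf</Name></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

DENIED = """<Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account.</Message></Error>"""


def fake_fetch_public(url):
    """Stands in for an exposed container."""
    return 200, PUBLIC_LISTING


def fake_fetch_private(url):
    """Stands in for a correctly locked-down container."""
    return 403, DENIED


if __name__ == "__main__":
    print(probe_container("example", "quotes", fetch=fake_fetch_public))
    print(probe_container("example", "quotes", fetch=fake_fetch_private))
    # Against a real account, drop the fetch= argument to use urllib_fetch.
```

Run it with the default `fetch` against your own account names only, and treat "no-anonymous-listing" as necessary but not sufficient: a container whose public access level is "blob" will refuse the listing yet still serve any blob whose name an attacker can guess or has seen elsewhere.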


VMware Fixes Critical RCE Bug in VMware Cloud Foundation

Last week, VMware released security updates addressing a critical security flaw in its VMware Cloud Foundation product.

The vulnerability can be exploited remotely by unauthenticated attackers in low-complexity attacks that require no user interaction.

The RCE issue is tracked as CVE-2021-39144 and carries a 9.8 CVSS score; it is a remote code execution vulnerability in the XStream open-source library that the product uses. Because of the flaw's severity and low exploitation threshold, VMware also issued a patch for end-of-life (EOL) products.

VMware addressed the vulnerability by updating XStream to version 1.4.19, which blocks exploitation attempts against patched servers. VMware also released patches for a second flaw, CVE-2022-31678, an XML external entity (XXE) injection that can lead to denial of service (DoS) or information disclosure. VMware advises users to apply the patches to mitigate the risk and is providing a temporary workaround for environments that cannot patch immediately.

Health Organizations Warned of Daixin Team Targets by US Government

A cybercrime group called the Daixin Team has the US healthcare and public health sector in its crosshairs, according to a warning from the Department of Health and Human Services (HHS), CISA, and the FBI. The agencies' joint advisory also disclosed indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) to help security teams get ahead of the ransomware.

The Daixin Team has been linked to multiple ransomware incidents in the healthcare sector since June. In these incidents, the group encrypted systems needed for healthcare services such as diagnostics, electronic health record storage, imaging, and intranet services.

The group also steals PHI and PII for double extortion, pressuring victims to pay by threatening to release the stolen data. Daixin gains initial access by exploiting known vulnerabilities in the victim's VPN servers or by using compromised credentials for accounts that do not have MFA enabled.

Before launching the ransomware payload, the actors escalate privileges using techniques such as credential dumping. The agencies added that the ransomware is based on the leaked source code of Babuk Locker.

In August, CISA and the FBI warned that attackers targeting the medical and healthcare industries with Zeppelin ransomware may encrypt files multiple times, making recovery more difficult.

Venus Ransomware Is Targeting Exposed Remote Desktop Services

Venus ransomware operators are breaking into publicly exposed Remote Desktop services and using them to encrypt Windows systems.

According to reports, Venus ransomware first appeared in mid-August and has since hit victims worldwide. Another ransomware family has used the same encrypted-file extension, and security researchers are still determining whether the two are related.

When executed, Venus terminates 39 processes associated with database servers and Microsoft Office applications. It also deletes Volume Shadow Copies and event logs and disables Data Execution Prevention (DEP).

When encrypting, it appends the .venus extension to file names; for example, new.jpg becomes new.jpg.venus.

The ransom note identifies the ransomware as Venus and lists an email address and a Tox ID for contacting the attackers to negotiate payment. The note ends with a base64-encoded blob that researchers believe is the encrypted decryption key.

Venus is currently moderately active, with new submissions uploaded to ID Ransomware every day. Remote Desktop services should never be exposed directly to the internet: put them behind a firewall and allow access only over a VPN.
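The behaviours described above (shadow copy deletion, event log clearing, DEP disablement, and the .venus rename) are the observable side effects a detection can key on before the encryption finishes. The following added example, which is not from the original article or from any published Venus analysis, runs that logic over constructed process-creation log lines. The command lines it matches (vssadmin, wmic, wevtutil, bcdedit) are the usual ways those actions are performed on Windows and are assumed here, not quoted from a Venus sample.

```python
"""Added example: hunt for Venus-style pre-encryption behaviour in process logs.

The regexes target the generic Windows commands for the actions the article
attributes to Venus; the specific command lines Venus uses are not given in
the article, so these are assumptions. SAMPLE_LOG is constructed.
"""
import re
from pathlib import PureWindowsPath

# Behaviour -> pattern matched case-insensitively against a process command line.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.IGNORECASE),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.IGNORECASE),
    "dep_disable": re.compile(r"bcdedit(\.exe)?\s+.*\bnx\s+AlwaysOff\b", re.IGNORECASE),
}


def scan_command_lines(lines):
    """Return (behaviour, line) for every log line that matches a rule."""
    hits = []
    for line in lines:
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def find_venus_renames(paths):
    """Return paths whose final suffix is .venus, i.e. files already encrypted
    in the way the article describes (new.jpg -> new.jpg.venus)."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() == ".venus"]


def triage(lines, paths):
    """Summarise a host: which precursor behaviours fired and how many files
    already carry the .venus extension."""
    behaviours = sorted({name for name, _ in scan_command_lines(lines)})
    return {"behaviours": behaviours, "encrypted_files": len(find_venus_renames(paths))}


# Constructed Sysmon-style process-creation records (CommandLine field only).
SAMPLE_LOG = [
    "CommandLine=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "CommandLine=wevtutil.exe cl Security",
    "CommandLine=bcdedit /set {current} nx AlwaysOff",
    "CommandLine=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "CommandLine=vssadmin list shadows",  # benign: listing, not deleting
]

# Constructed file listing from the same host.
SAMPLE_FILES = [
    "C:\\Users\\alice\\Documents\\new.jpg.venus",
    "C:\\Users\\alice\\Documents\\budget.xlsx.venus",
    "C:\\Users\\alice\\Documents\\todo.txt",
    "C:\\Users\\alice\\Documents\\venus.txt",  # name contains venus but is not renamed
]

if __name__ == "__main__":
    for behaviour, line in scan_command_lines(SAMPLE_LOG):
        print(f"[{behaviour}] {line}")
    print(triage(SAMPLE_LOG, SAMPLE_FILES))
```

Any one of the three behaviours on a server that also accepts RDP from the internet is worth an immediate isolation decision; the .venus count tells you whether you are still early in the run or already cleaning up.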

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.
