What's new this month in the news for MSPs?
AWS European sovereign cloud introduced by AWS; Lockbit 3.0 tops August hacking list as most active threat actor; scammers target Microsoft’s AI chatbot with malicious ads; Google announces new requirements for bulk email senders; AWS to require customers to use MFA for management console in 2024; Linux ‘looney tunables’ vulnerable to malicious code execution; and new Magecart malware concealment tactics.
Let's see what it's all about.
AWS European Sovereign Cloud Introduced by AWS
This month, Amazon Web Services Inc. introduced the AWS European Sovereign Cloud. It’s a new network of data centers for strictly regulated organizations and government agencies located in the European Union.
These data centers will be independent of the eight cloud regions already in operation throughout the bloc. AWS has declared that personnel based in the EU will manage the European Sovereign Cloud. Current AWS users will need to create a new cloud account to access the new infrastructure.
Max Peterson, VP for Sovereign Cloud at AWS, shared these insights on the new offering: “For more than a decade, we’ve worked with governments and regulatory bodies across Europe to understand and meet evolving needs in cybersecurity, data privacy and localization, and more recently, digital sovereignty. With this new offering, customers and partners across Europe will have more choice to achieve the operational independence they require.”
Businesses and government agencies in the financial industry and other strictly regulated industries face rigorous data management regulations. Often those require businesses to maintain their data in the geographic area where it originates.
Amazon Web Services Inc's European Sovereign Cloud is designed to aid organizations in adhering to European Union data rules. AWS says the new platform allows businesses to maintain metadata in the EU bloc.
In addition to the standard availability zone, European Sovereign Cloud customers will have access to AWS Outposts. This service will facilitate customers that want to use their businesses’ data centers to deploy the AWS infrastructure.
A new European Sovereign Cloud region, which encompasses several zones or clusters of data centers, is being introduced in Germany. The multiple data centers composing an AWS region are located at separate sites, each with its own cooling and power mechanisms. This means that problems occurring in one center are unlikely to cause disruption at the other centers.
Government and public-sector customers in the U.S. can use AWS GovCloud, which is similar to what the European Sovereign Cloud offers: its data centers are run independently from Amazon Web Services Inc.’s standard cloud infrastructure.
LockBit 3.0 Tops August Hacking List as Most Active Threat Actor
NCC Group plc recently published a report that indicated that LockBit 3.0 was still the most prominent cyber threat. This is despite a decline in ransomware incidents during August.
The NCC Group's Monthly Threat Pulse for August 2023 outlines 390 ransomware attacks in the month, a significant dip of 22% from July. The back-to-back record months of June and July were largely due to exploitation of the MOVEit file transfer app’s vulnerabilities by the Clop ransomware gang.
LockBit 3.0 topped the list, with 125 ransomware attacks. This was 32% of the total attacks in August and an increase of 150% when compared to July. The ALPHV/BlackCat ransomware group came next, with 41 attacks, and 8base followed them, with 32.
Additionally, the report says there was a huge decrease in Clop activity since the MOVEit exploitation had subsided. Still, Clop was linked to an attack that included 890 universities.
NCC Group noted only three Clop MOVEit attacks, which accounted for only 1% of all the attacks during the month. It was a decrease of 98% from July, when there were 161 attacks.
The Akira ransomware group that was first noted in April reached fourth place in August, up from eighth place in July.
The industrial sector headed the most-targeted industries list, followed by machinery, heavy vehicles, tools, trains, and ships; construction and engineering placed third.
Geographically, North America is the most popular target, with 47% of ransomware attacks targeted at it; Europe was second, with 28% of all attacks. Attacks that targeted industries in Asia were third, with 15% of all August attacks.
The highest incidence of attacks in August came from Chinese groups primarily targeting Taiwanese organizations. These attacks, according to the report, highlighted political tensions and posed risks to manufacturing, education, and critical infrastructure.
Scammers Target Microsoft’s AI Chatbot With Malicious Ads
There is a new opportunity for scammers in Microsoft’s artificial intelligence chatbot, Bing Chat, according to a report from Malwarebytes Labs. The researchers say the Bing Chatbot is being used to deliver malicious ads.
Several methods can be used to include the ads in conversations in Bing Chat. For example, hovering over a link causes the ad to deploy ahead of the organic results.
For example, when asked where Advanced IP Scanner could be downloaded, Bing Chat responded with a malicious ad. Although the ad seems genuine, it directs users to a phishing site that also delivers malware. Additionally, a search for a genuine Australian business returned two malicious ads, one targeting lawyers and another targeting network administrators.
The interesting aspect of the malicious campaign is that the website sorts through traffic, distinguishing between bots, genuine victims, security examiners, and sandboxes. This is accomplished by examining the user's IP address, time zone, and other system settings. For example, web rendering can be used to detect virtual machines. The humans are then sent either to a fake website that appears to be the official site, or to a page that is designed to mislead them.
The report doesn’t say whether the ads are being delivered from the Bing search engine or somewhere else. Malicious ads appearing inside Bing Chat is bad in itself, but it's possible they're being injected into the chatbot through Bing search ads.
Microsoft’s Bing Chat, which is powered by OpenAI’s ChatGPT-4, was launched in February. In March, Microsoft began testing ad delivery.
Experts point out that ads have been a source of malicious behavior for a long time, and this is just the latest version that uses AI. It is vital that users be knowledgeable about malicious ads, and that they can identify them and not be tricked into clicking on them.
Until filtering tools become more sophisticated in detecting and blocking these threats, the only way to protect networks is through education and training.
Google Announces New Requirements for Bulk Email Senders
New requirements are coming for bulk email senders, according to an announcement from Google LLC. The aim is to keep Gmail user-friendly, spam-free, and safe.
Google plans to introduce the new requirements in February 2024. These requirements are made to tackle malicious emails and spam. Google says that Gmail’s AI-based defenses already stop over 99.9% of spam, malware, and phishing emails from landing in inboxes. Additionally, they are also blocking almost 15 billion unwanted emails every day. Still, threats today are much more complex and critical than they were before.
Under the new requirements, bulk email senders (those sending over 5,000 messages to Gmail addresses daily) must authenticate their emails according to well-established best practices. Since introducing general authentication, which reduced delivery of unauthenticated mail by 75%, Google says expanding the authentication requirement to bulk-email senders will close the gaps attackers exploit.
In addition, those who send bulk emails need to allow Gmail users to opt out of commercial emails with a single click. Senders must fulfill the unsubscribe requests within two days.
Google will also impose a strict limit on the amount of spam the sender can send. This is to make sure that Gmail users won't be overloaded with unwanted messages. Google expects users to experience a dramatic drop in the amount of spam reaching their inboxes as a result of the changes.
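The article names no specific "best practices", so the checks below are an added example (not Google's or the article's own code) that assumes the items in Google's published sender guidelines: SPF and DKIM, a DMARC record, and RFC 8058 one-click unsubscribe headers. The DNS records and message headers are constructed samples, so it runs offline; with a DNS library the `txt_records` dict could be filled from live lookups.

```python
import re

# Constructed sample DNS TXT records for the sending domain (no live lookups).
SAMPLE_TXT = {
    "example.net": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
}

# Constructed headers of an outbound bulk message that meets the requirements.
GOOD_HEADERS = {
    "From": "News <news@example.net>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=example.net; s=sel1; bh=constructed; b=constructed",
    "List-Unsubscribe": "<https://example.net/unsub?t=abc>, <mailto:unsub@example.net>",
    "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
}


def check_bulk_sender(headers, txt_records):
    """Return the requirements a message/domain fails; an empty list means it passes.

    Assumed checks, taken from Google's published sender guidelines rather than
    the article: SPF and DKIM, a DMARC record, and RFC 8058 one-click unsubscribe.
    """
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    m = re.search(r"@([\w.-]+)>?\s*$", h.get("from", ""))
    if not m:
        return ["From header has no parsable sender domain"]
    domain = m.group(1).lower()
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        problems.append(f"no SPF record for {domain}")
    elif not re.search(r"\s[-~]all$", spf[0].strip()):
        problems.append("SPF record does not end with -all or ~all")
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", [])
             if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        problems.append(f"no DMARC record at _dmarc.{domain}")
    if "dkim-signature" not in h:
        problems.append("message is not DKIM-signed")
    if "https://" not in h.get("list-unsubscribe", ""):
        problems.append("List-Unsubscribe header lacks an https URL")
    if h.get("list-unsubscribe-post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post header missing or not one-click")
    return problems


if __name__ == "__main__":
    print(check_bulk_sender(GOOD_HEADERS, SAMPLE_TXT))  # []
    print(check_bulk_sender({"From": "promo@unaligned.example"}, SAMPLE_TXT))
```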
AWS to Require Customers to Use MFA for Management Console in 2024
Changes are coming to the way customers of Amazon Web Services Inc. log into their AWS Management Console in mid-2024. To strengthen the security posture of AWS, users will be required to use MFA to log in.
Steve Schmidt, Amazon's Vice President of Security Engineering and Security Officer, shared that the decision was intended to reinforce the security posture of its customers’ environments, starting with the most privileged users.
By the middle of 2024, MFA will have to be enabled to log in as the root user on the AWS Management Console for any business. AWS will be informing its customers who haven’t yet opted to activate MFA about the upcoming change in various ways, including a warning when they sign into the console.
In addition to this, MFA will also be expanded to include accounts that are not associated with any organization, such as standalone accounts, and will require them to use MFA as well.
While many companies offer MFA as an optional security feature, Amazon plans to make it compulsory as early as next year. The option is already available to any AWS customers wanting to start now.
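One way an MSP can find out ahead of the change which identities in a customer's account still sign in to the console without MFA is to parse the IAM credential report. The script below is an added example, not AWS's or the article's own code; the report excerpt is constructed (made-up account id, users and timestamps), but its columns match the real report.

```python
import csv
import io

# Constructed excerpt of an IAM credential report. A real one comes from
# `aws iam generate-credential-report` followed by `aws iam get-credential-report`
# (the Content field is base64-encoded CSV). Columns match the real report;
# the account id, users and timestamps are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T10:00:00+00:00,not_supported,2023-09-30T08:12:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,2022-01-10T09:00:00+00:00,true,2023-10-01T07:00:00+00:00,2023-06-01T09:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2022-05-20T09:00:00+00:00,true,2023-09-28T15:30:00+00:00,2023-05-20T09:00:00+00:00,N/A,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-08-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true
"""


def console_users_without_mfa(report_csv):
    """Return identities that can sign in to the console without MFA, root first.

    The root identity is always console-capable (its password_enabled column
    reads not_supported). Users with password_enabled=false are API-only and
    are not affected by the console MFA requirement, so they are skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_capable = is_root or row["password_enabled"] == "true"
        if console_capable and row["mfa_active"] != "true":
            findings.append(row["user"])
    # Root is the first identity AWS will enforce on, so surface it first.
    return sorted(findings, key=lambda u: u != "<root_account>")


if __name__ == "__main__":
    for user in console_users_without_mfa(SAMPLE_REPORT):
        print(f"MFA missing: {user}")
```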
Linux ‘Looney Tunables’ Vulnerable to Malicious Code Execution
Researchers at Qualys' Threat Research Unit have uncovered a security vulnerability in Linux. They’ve dubbed it 'Looney Tunables' after the GLIBC_TUNABLES environment variable involved. The flaw has been present in several Linux distributions for the past two years. The danger posed by this vulnerability is that threat actors may use it to run malicious code with elevated privileges.
The GLIBC_TUNABLES environment variable allows users to change different behavior and performance parameters of applications that are linked to the GNU C Library. GLIBC is a basic part of many Linux systems. It provides features like memory allocation, system calls, and input/output processing that are critical for the operation of many programs.
Exploitation or misuse of this mechanism can critically affect system performance, security, and reliability, and that is where the Looney Tunables vulnerability comes in. Successful exploitation leads to full root privileges. Moreover, even though exploit code hasn’t been released, the researchers say that because the buffer overflow can be turned into a data-only attack so easily, they anticipate seeing others release exploits soon.
So far, the researchers at Qualys have replicated the vulnerability on basic installs of Fedora 37 and 38, Debian 12 and 13, and Ubuntu 23.04 and 22.04, but suggest that other distributions may also be susceptible.
According to Saeed Abbasi, Qualys’ manager of vulnerability and threat research, the Looney Tunables vulnerability has the potential to jeopardize confidentiality and system integrity for millions of Linux devices, and most specifically those using Ubuntu, Fedora, and Debian.
New Magecart Malware Concealment Tactics
The Magecart malware group continues to lead in hiding-in-plain-sight tactics. In a new report, an Israeli security researcher from Akamai Technologies describes three obfuscation methods spotted by the company's telemetry infrastructure.
Magecart has been infecting e-commerce sites for years. Most notably, sites running WooCommerce and Magento have been frequent targets. The new methods described in the research appear to target food and other retail sites.
The threat operators behind Magecart use a workflow that breaks down into three stages. Splitting the attack this way makes it more difficult to detect and neutralize, and most code scanners don’t immediately flag the code because of it.
- Loader: inserts the later stages into the web server’s pages.
- Malicious code: iterates over the page's private input fields and collects their values.
- Data exfiltration: sends the collected private data in requests to the threat operatives’ C2 server.
The workflow also makes it simpler for the attackers to hide every component, including the command servers and the rest of the attack infrastructure, which prolongs the attack.
The malware uses the loader stage to insert its code into a web server’s pages; the attacker uses the remaining stages to steal private data, such as passwords and credit card numbers.
The first-stage loader is designed to look like a snippet of Facebook’s Meta Pixel code, a novel approach that helps it evade malware scanning tools.
The trick in this procedure is that the later stages request a URL that does not exist, so the site serves a 404 error page. Visitors who land on that page see only a confusing error, unaware that the page contains the malicious software.
A thorough examination of the 404 page revealed the attack's real workings hidden in a comment string. The researchers also noted that the attacker had altered the 404 error page so that any error on the website would serve the infected page. The method is clever: it lets the other tools the Magecart operators use to steal data and complete their attacks fetch the malware from the error page.
Magecart continues to stick around because its attack techniques keep evolving, with ever better obfuscation methods making them more dangerous and sophisticated.
That's a Wrap for News You Might've Missed
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay safe and healthy, and remember to check back next month for more highlights.