News You Might’ve Missed. September 2021

What's new this month in the news for MSPs? Storage capabilities extended by Google Cloud providing more choices for data replication; 'OMIGOD' Microsoft Azure weaknesses show users vulnerable to attackers; REvil cybercriminal gang back on the dark web; and more.

Let's see what it's all about

Storage Capabilities Extended by Google Cloud Providing More Choices for Data Replication

New products and features to make it easier for businesses to protect critical data broadly across use cases and apps are at the heart of Google LLC enhancing its cloud storage capabilities.

While Google has always offered Dual Region Buckets, the service was limited, since Google would automatically assign pairs based on the customer's first selection. For example, if they chose asia1, Tokyo and Osaka would be set.

Now, customers will be able to choose their regions based on the requirements of their workloads or applications.

Google is adding a new tier called Firestore Enterprise, targeted at tier-one apps that need to share files such as SAP Hana databases. In addition to its other features, Firestone Enterprise provides high availability through synchronous replication that occurs broadly over multiple zones in a region.

Another new addition to the Google Cloud product line is Backup for Google Kubernetes Engine (GKE). GKE is used by businesses to manage and deploy modern, container-based apps and is the company's fully managed Kubernetes service.

'OMIGOD' Microsoft Azure Weaknesses Show Users Vulnerable to Attackers

Azure vulnerabilities revealed themselves after Microsoft quietly installed the OMI (Open Management Infrastructure) software agent on more than half of its instances. Threat actors wasted no time getting to work to exploit the weaknesses. The vulnerabilities have been dubbed ‘OMIGOD’ by researchers at Wiz, Inc.

One of the vulnerabilities is nearly laughable, and an easy trick as no password is needed, says Sophos. Attackers don't even need to try and guess a correct token and insert it into a fake OMI web request; they only need to bypass the mention of the authentication token entirely, and access is granted.

The vulnerabilities affect customers using Azure Services, including Automatic Update, Operations Management Suite, Configuration Management, Log Analytics, Diagnostics, Automation, and Container Insights.

While a patch would usually correct the issue, Azure services remained vulnerable even after Microsoft offered a patch in August. The problem is that customers may need to install the patches on their own, since the issue is in Linux Azure installations. What's even more challenging is that many customers may not even be aware they have OMI installed. It gets installed only when customers add specific Azure services.

According to Wiz researchers, thousands of customers are affected, and customers who don't even use Azure but have Linux machines on-premise can be vulnerable.

According to Keven Beaumont, a former threat intelligence analyst at Microsoft, the Mirai botnet is already wreaking havoc on vulnerable machines, and mass scanning is already going on.

Those with a SIEM should be looking at audited events to find commands used by threat actors to run remote code. For OMIGOD, you should be hunting for the SCXore service. In Azure Linux VMs, look for activity in ‘/var/opt/microsoft/scx/tmp’.
Additionally, you should continue monitoring ports 5986, 5985, or 1270 for attempted network connections specifically, as these are the defaults for OMI. The only method that is 100% sure is to hand-audit Azure environments for Linux VMs and hand-patch OMIGOD.

REvil Cybercriminal Gang Back on the Dark Web

After going dark for two months after the Kaseya attack, the operators behind REvil ransomware-as-a-service seem to have reappeared. Moreover, two of its dark web portals have resurfaced, as noted by Brett Callow, a researcher from Emsisoft, including its Happy Blog data leak site and payment/negotiation site.

The Russian-based group's notable recent activities are attacks against JBS, the world's largest meat producer, and Kaseya VSA, where the cybercrime gang encrypted around 60 managed service providers. The group, also known as Sodinokibi, was listed as the fifth most-reported strain of ransomware for the first quarter of 2021.

Although many are rushing to assume the group is back in business, some say that this is merely speculation. Whether the group's reappearance online means anything at all remains questionable.
Linux Version of the ChaChi Remote Access Trojan Found

In an unusual example of threat actors adapting Windows-based malware for the Linux operating system, researchers have discovered the ChaChi remote access trojan active in the wild. The RAT malware is written in the Go compiled programming language developed by Google LLC. Researchers first found it last year, and threat actors used it in cyberattacks in June against US schools.

The researchers have linked the RAT malware with the PYSA ransomware gang, also known as Mespinoza. The group targets education, retail, manufacturing, government, medical, high-tech, logistics and transportation, and social services and engineering businesses.

Lacework, Inc. researchers are responsible for the discovery of the Linux-based variant of ChaChi. They say that, as the cloud is over 80% Linux-based, the appearance of Linux-based malware is a clear sign that attackers are focusing their attention on the cloud and cloud-based targets.
The core functionality, use of a Go obfuscator called Gobfuscate, and larger file size (at 8MB or more) are among the shared characteristics of the two variants.The RAT malware uses custom nameservers and is doubling them as CNC centers that support the DNS tunneling protocol.

With the malware being written in Go, there are very few antivirus programs that can discover it. Most AV products do not have capabilities that are mature enough to detect Linux malware. Coupled with ChaChi being from a newer malware family, the researchers say it is challenging to detect.

Alert from FBI, NSA, and CISA Says Conti Ransomware Attacks on the Rise

According to the FBI, NSA, and CISA, Conti ransomware attacks against US enterprises are rising. The three agencies strongly suggest that IT admins review their network security posture and implement the immediate actions outlined in the joint advisory to help defend their networks against Conti.

Over 400 cyberattacks against the US and international organizations have come from the Conti ransomware gang, according to the agencies.

Earlier this year, the FBI warned of possible attacks by the Conti operators against US healthcare networks and first responders.

Microsoft Says Nobelium Has Custom Malware Backdoor for Windows Domains

According to Microsoft, FoggyWeb, as it is dubbed by MSTIC, is a highly targeted and passive backdoor developed by the Nobelium hacking group. It steals sensitive data from AD FS (Active Directory Federation Services) servers and deploys additional payloads.

Nobelium was the threat actor responsible for the supply-chain attack against SolarWinds last year that led to several US federal agencies being compromised. It is a part of the Russian Foreign Intelligence Service's (SVR) hacking division, popularly known as APT29, Cozy Bear, or The Dukes.

Microsoft says the malware was developed to remotely extract private data from compromised AD FS servers, and decrypt token-decryption certificates and token-signing certificates in addition to other components.

FoggyWeb is known as a persistent backdoor. It configures HTTP listeners for actor-defined URIs to intercept get/post requests sent to the AD FS server that match custom URI patterns, and allows the abuse of SAML tokens.

Since April 2021, Russian state hackers have been observed in the wild using the FoggyWeb backdoor.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.