{"id":54110,"date":"2022-05-31T20:38:24","date_gmt":"2022-05-31T16:38:24","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=54110"},"modified":"2022-06-03T14:21:41","modified_gmt":"2022-06-03T10:21:41","slug":"news-you-mightve-missed-may-2022","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/news-you-mightve-missed-may-2022\/","title":{"rendered":"News You Might&#8217;ve Missed. May 2022"},"content":{"rendered":"<p>What's new this month in the news for MSPs? Google Cloud zeroing in on cloud governance, zero trust, open source software, etc.; 5 new critical vulnerabilities in enterprise network switches; Trend Micro finds Linux-based ransomware \u201cCheerscrypt\u201d targeting VMware ESXi servers; vulnerabilities in VMware and F5 products warning from CISA; and more.<\/p>\n<p>Let's see what it's all about.<\/p>\n<h2>Google Cloud Zeroing in on Cloud Governance, Zero Trust, Open Source Software, etc.<\/h2>\n<p>Google says it\u2019s zooming in on its \u201cinvisible security\u201d concept with an offering of new security services.<\/p>\n<p>They want to encourage the adoption of zero-trust architecture by enterprise clients to help secure software supply chains, transform security operations and boost cloud governance overall.<\/p>\n<p>Since many customers of its cloud services remain reliant on open-source software for their infrastructures and critical apps, Google says that\u2019s their weakest link, where patching is far behind the vulnerabilities that continue to appear in rapid succession.<\/p>\n<p>What\u2019s worse is that cybercriminals are increasing their attacks because they realize this. According to Sonatype Inc. 
<a href=\"https:\/\/www.sonatype.com\/hubfs\/Q3%202021-State%20of%20the%20Software%20Supply%20Chain-Report\/SSSC-Report-2021_0913_PM_2.pdf?hsLang=en-us\" target=\"_blank\" rel=\"noopener noreferrer\">in a recent report<\/a>, cyberattacks against open-source software suppliers increased by over 650% over the last year.<\/p>\n<p>At the Google Cloud Summit, Google Cloud announced the launch of the Assured Open Source Software service (Assured OSS) to rebuild the confidence of its subscribers.<\/p>\n<p>Assured OSS lets Google Cloud subscribers include the same OSS packages that Google developers leverage in their workflows. This service will enable businesses to use open-source software without needing to develop packages or operate and maintain the complex processes necessary to handle dependencies securely.<\/p>\n<p>What\u2019s more, the OSS packages are frequently analyzed, scanned, and \u201cfuzz-tested\u201d for vulnerabilities. Google then signs them, and they are distributed from a protected and secured artifact registry managed by Google. This process does the heavy lifting for each business when securing the software supply chain.<\/p>\n<p>To further its concept of zero-trust security, Google says it\u2019s expanding its BeyondCorp Enterprise services with a new solution it\u2019s dubbed BeyondCorp Enterprise Essentials. This service is aimed at helping businesses adopt zero-trust architectures with ease. After implementing it, companies will gain context-aware access controls for SaaS apps, URL filtering, and threat and data protection directly included in the Google Chrome browser.<\/p>\n<p>Google also announced the launch of its Security Foundation service and updates to the Security Command Center. It\u2019s targeting two pain points for developers using APIs: misconfigured application programming interfaces and the detection of \u201cbad bots\u201d responsible for malicious API calls. 
Google is launching the public preview of Apigee Advanced API Security.<\/p>\n<h2>5 New Critical Vulnerabilities in Enterprise Network Switches<\/h2>\n<p>Armis Inc. has uncovered five critical vulnerabilities in the TLS implementation of network switches used by millions of businesses. The set of vulnerabilities, dubbed TLStorm 2.0, is a sequel to three vulnerabilities <a href=\"https:\/\/siliconangle.com\/2022\/03\/08\/apc-smart-ups-vulnerabilities-expose-millions-businesses-hacking\/\" target=\"_blank\" rel=\"noopener noreferrer\">discovered in APC Smart-UPS<\/a> by Armis last year and stems from a shared design flaw in the devices.<\/p>\n<p>In the original TLStorm, attackers were able to gain control of Smart-UPS devices from the internet with no user interaction required. The UPS overloaded and destroyed itself and eventually burned out in a cloud of smoke. The misuse of the NanoSSL TLS Library by Mocana is the cause of these vulnerabilities.<\/p>\n<p>So far, Armis researchers have identified dozens of devices using the Mocana NanoSSL TLS Library, including those from Avaya Inc. and Aruba Networks, owned by Hewlett Packard Enterprise Co. While network switches differ from UPS devices in how they function and in their level of trust in the network, the TLS issues in their implementation still allow for devastating results.<\/p>\n<p>What\u2019s more, the vulnerabilities from TLStorm 2.0 can give an attacker total control of the network switches found in hospitals, airports, hotels, and many other organizations globally. 
The potential exploits due to the vulnerabilities include possibly spreading to other devices by changing switch behavior, data exfiltration of sensitive or private information in corporate network traffic from the internal network to the public internet, and \u201ccaptive portal\u201d escape.<\/p>\n<h2>Trend Micro Finds Linux-Based Ransomware \u201cCheerscrypt\u201d Targeting VMware ESXi Servers<\/h2>\n<p>Linux-based ransomware dubbed \u201cCheerscrypt\u201d targets VMware Inc.\u2019s ESXi hypervisor, which is used to deploy virtual machines, <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\" target=\"_blank\" rel=\"noopener noreferrer\">say researchers at Trend Micro Inc<\/a>.<\/p>\n<p>The ransomware shares some similarities with other ransomware families like Hive, LockBit, and RansomEXX that have targeted ESXi servers before. Cheerscrypt ransomware encrypts all VMware-related files. Its name is derived from the \u201c.Cheers\u201d extension it appends to the files it targets.<\/p>\n<p>After it gets into an ESXi server, it will search for files with the .vmdk, .log, .vswp, .vmem, and .vmsn extensions, which correspond to ESXi virtual disks, log files, swap files, paging files and snapshots. Before encryption, it appends \u201c.Cheers\u201d to the file names.<\/p>\n<p>The researchers say Cheerscrypt is double-extortion ransomware. The group behind it not only demands payment for the decryptor but threatens to leak the stolen files if the victim doesn\u2019t pay the ransom.<\/p>\n<p>Researchers say a proactive and robust security posture is necessary to keep cybersecurity defenses solid against these types of threats. 
It is wise to adopt stringent best practices and set up security frameworks that keep pace with modern ransomware families.<\/p>\n<h2>Vulnerabilities in VMware and F5 Products Warning from CISA<\/h2>\n<p>The US Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings on five software vulnerabilities expected to affect many businesses. They found four of these in VMware Inc. 
products, and they discovered the fifth in an F5 load balancer.<\/p>\n<p>Patches from VMware came out on April 6 for two of the vulnerabilities, CVE-2022-22954 and CVE-2022-22960. VMware\u2019s Workspace ONE Access, vRealize Automation, Identity Manager, vRealize Suite Lifecycle Manager, and VMware Cloud Foundation products are affected.<\/p>\n<p>According to the alert published by CISA, cybercriminals reverse-engineered VMware\u2019s April 6 patch in only 48 hours and then began attacking vulnerable networks. Vulnerable systems are susceptible to many types of attacks: attackers can run malicious scripts on the affected devices and gain admin and root access.<\/p>\n<p>Independently of this warning, CISA issued an <a href=\"https:\/\/www.cisa.gov\/emergency-directive-22-03\" target=\"_blank\" rel=\"noopener noreferrer\">emergency directive<\/a> on two newer vulnerabilities found in the same VMware products. They are tracked as CVE-2022-22972 and CVE-2022-22973.<\/p>\n<p>CISA released a <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-138a\" target=\"_blank\" rel=\"noopener noreferrer\">fifth security vulnerability alert<\/a> that affects BIG-IP, a load balancer from F5 used by organizations to manage network traffic. Specific versions of the load balancer contain a vulnerability tracked as CVE-2022-1388.<\/p>\n<p>On May 4th, F5 released a patch for the vulnerability. Nevertheless, CISA states in the alert that threat actors publicly released proof-of-concept code that demonstrates how the weakness can be used to launch cyberattacks. CISA also warned that threat actors are already targeting affected systems.<\/p>\n<p>CISA and the Multi-State Information Sharing and Analysis Center expect widespread attacks that target affected systems soon. 
Agency officials \u201cstrongly urge\u201d businesses to secure vulnerable devices.<\/p>\n<h2>Cado Labs Says Denonia Malware Is Going After AWS Lambda Environments<\/h2>\n<p>Security researchers have uncovered a new malware variant seen targeting AWS Lambda. In May, Cado Security published its research findings about Denonia, a malware that threat actors use in cyberattacks targeted against Lambda.<\/p>\n<p>Businesses use Lambda, a scalable serverless compute service from AWS (Amazon Web Services), to run code without OS and server maintenance, to operate many backend services, and for logging.<\/p>\n<p><a href=\"https:\/\/www.cadosecurity.com\/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cado Security says<\/a> that with the advent of this new malware strain, the cloud service used by many small and medium businesses (SMBs) globally is in jeopardy of being infected. The malware should not be confused with Lambda Ransomware: the code is written in the Go programming language and is completely different, despite having the file name \u201cpython.\u201d<\/p>\n<p>They took the name \u201cDenonia\u201d for the malware from the site it connects to and shares data with \u2013 gw.denonia.xyz.<\/p>\n<p>Dynamic analysis of the sample revealed that it uses DoH (DNS over HTTPS) rather than traditional DNS. This encrypts the DNS queries, so the inquiries sent to DNS over HTTPS resolvers appear as typical HTTPS network traffic.<\/p>\n<p>While researchers say the first sample seemed innocuous because it only runs cryptomining software, it does indicate that cyberattackers are acquiring cloud-specific knowledge, intending to exploit cloud environments. 
It sets the stage for future, much more malicious attacks.<\/p>\n<p>A second sample has since been added to VirusTotal.<\/p>\n<h2>NAS Customers Warned by QNAP of New Deadbolt Ransomware Attacks<\/h2>\n<p>The network-attached storage (NAS) manufacturer QNAP, based in Taiwan, warned of a new onslaught of cyberattacks that push payloads for Deadbolt ransomware and urged customers to take steps to secure their devices.<\/p>\n<p>Some of the steps suggested by QNAP included updating public-facing devices to the latest software version. The update will help to protect them from remote access over the internet.<\/p>\n<p>QNAP\u2019s PSIRT (Product Security Incident Response Team) says the <a href=\"https:\/\/www.qnap.com\/en\/security-news\/2022\/take-immediate-actions-to-secure-qnap-nas-and-update-qts-to-the-latest-available-version\" target=\"_blank\" rel=\"noopener noreferrer\">attacks target NAS devices running QTS 4.4.1 and QTS 4.3.6<\/a> on the TS-X53 and TS-X51 series.<\/p>\n<p>The new warning comes on the heels of another customer advisory posted in January that urged those with public-facing devices to:<\/p>\n<ul>\n<li>Turn off the Port Forwarding function of the router<\/li>\n<li>Turn off the UPnP function of the QNAP NAS<\/li>\n<\/ul>\n<p>The manufacturer also gave detailed instructions that showed users how to turn off Telnet and SSH connections, change the system port number, change device passwords and turn on account access protection and IP access protection.<\/p>\n<p>In April, customers of QNAP were warned to turn off UPnP (Universal Plug and Play) and port forwarding to stop exposure to internet attacks.<\/p>\n<p>Should customers need remote access to their NAS devices without exposing them directly to the internet, they can turn on their router\u2019s VPN feature or use the QuWAN SD-WAN or QVPN Service app.<\/p>\n<p>In late January, researchers first noticed Deadbolt ransomware attacks against QNAP devices. 
The ransomware hijacks the login page of the device and displays a message that reads, \"WARNING: Your files have been locked by DeadBolt\" in its place.<\/p>\n<p>Michael Gillespie, a ransomware expert, offers a Windows-based decryptor for free to help victims decrypt their files without the executable from the ransomware. Still, QNAP owners hit by Deadbolt must pay the ransom to get a valid decryption key.<\/p>\n<h2>Microsoft Says It Mitigated Vulnerability in Third-Party Azure Synapse Data Connector<\/h2>\n<p><a href=\"https:\/\/msrc-blog.microsoft.com\/2022\/05\/09\/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft mitigated<\/a> an Open Database Connectivity (ODBC) connector vulnerability in Azure Synapse pipelines and Azure Data Factory. Microsoft says it was specific to the third-party ODBC driver used to connect to Amazon Redshift from the Azure Data Factory Integration Runtime (IR) in Azure Synapse pipelines. On the whole, it did not impact Azure Synapse.<\/p>\n<p>This weakness could have allowed an attacker to execute remote commands throughout the IR infrastructure, without being limited to a single customer\u2019s tenant.<\/p>\n<p>Subsequently, to determine if there were any cases of abuse, Microsoft conducted a thorough internal investigation. The only activity identified was that of Orca Security, the company that reported the vulnerability. No evidence of malicious activity or misuse was found during the investigation. The vulnerability was mitigated on April 15, 2022.<\/p>\n<h2>That's a Wrap for News You Might've Missed<\/h2>\n<p>I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What&#8217;s new this month in the news for MSPs? 
Google Cloud zeroing in on cloud governance, zero trust, open source software, etc.; 5 new critical vulnerabilities in enterprise network switches; Trend Micro finds Linux-based ransomware \u201cCheerscrypt\u201d targeting VMware ESXi servers; vulnerabilities in VMware and F5 products warning from CISA; and more.<\/p>\n","protected":false},"author":84,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,885],"tags":[],"class_list":["post-54110","post","type-post","status-publish","format-standard","hentry","category-blog-articles","category-other"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/54110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/84"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=54110"}],"version-history":[{"count":5,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/54110\/revisions"}],"predecessor-version":[{"id":54169,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/54110\/revisions\/54169"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=54110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=54110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=54110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}