
What’s your argument against an SLA with an MSP? (And why it doesn’t hold water) Part-2

In our last blog post, we discussed 3 reasons SMBs usually cite for not signing a service level agreement with an MSP. In this blog post, we suggest how an SLA with an MSP will add value to your business, irrespective of your business size, budget and the presence of an in-house IT team.

Reason#1: Our IT requirements are limited

IT is not a one-time thing where you can follow a set-it-and-forget-it approach. Want it to run smoothly? IT needs regular maintenance, and a service level agreement with an MSP is the answer. Regular data backups, timely security patch application, software updates, etc., are all important and won’t happen unless you have a dedicated resource working on them. Plus, there’s the issue of network latency. Services like periodic network monitoring offered by MSPs ensure that any latency issues are identified and taken care of before they result in a major system failure.

Reason#2: We are tight on budget

Agreed, SMBs may not have the kind of revenue inflow expected in large organizations, but that’s no reason to skimp on your IT requirements. Skimping on IT needs and diverting the funds elsewhere may sound tempting, especially when your IT infrastructure is running great, but it can cost you a lot more in the event something goes wrong. Let’s take a malware attack scenario, for example. If you don’t have an SLA in place, you will most likely reach out to an IT expert or MSP on a transactional basis. Not only will that result in a sky-high bill, there’s also no guarantee that you will be attended to immediately: customers with SLAs get preference over transactional ones in the event of an emergency. Plus, every minute your IT infrastructure is down, you are losing potential revenue, through online or even offline sales. In the event of a data leak or a compromise of customer/vendor data due to the malware attack, you are liable for penalties and may even be sued by your clients. So, saving a few bucks here and there by cutting back on IT expenses can prove much more expensive later.

Reason#3: We have our in-house IT person/team

So, you have in-house IT personnel? Great! But there are ways in which an SLA with a managed service provider can still add value to you. This kind of setup is called the co-managed IT model. By bringing an MSP onboard when you already have an in-house IT team, you:

  • Benefit from their expertise and enrich your in-house IT team’s knowledge
  • Enjoy flexibility in terms of meeting your IT needs as you can scale your IT up or down based on your business needs
  • Reduce payroll expenses incurred as a result of hiring new IT staff in-house
  • Help your in-house IT team focus on more important tasks by outsourcing the mundane IT processes to the MSP
  • Get an extra hand to assist your in-house IT personnel in the event of a major IT issue
  • Have 24/7 IT support, something that may not be viable with a small in-house IT team

Having a service level agreement with a managed service provider adds value to businesses under all circumstances, and should be considered an essential, not an option.

Sharkbot Malware Found In Several Android Antivirus Apps

If you own an Android device, odds are excellent that your go-to source for apps of any kind is the Google Play Store.  That includes antivirus apps to help keep your device safe.

Unfortunately, the hackers of the world are aware of that fact and are always on the lookout for ways to capitalize on that.

Recently, researchers at Check Point made a disturbing discovery. Six different apps on the Play Store were found to be poisoned variants containing the Sharkbot malware. Sharkbot is designed to steal usernames and passwords by displaying cleverly disguised overlay windows that appear over the login window you expect to see when you visit a given website.

Instead of entering your login credentials on the site you thought you were visiting, you instead inadvertently feed the credentials to the bot. The bot dutifully exfiltrates them to a command-and-control server so the hackers controlling the malicious code can abuse them at their leisure.

To add insult to injury, all six of the poisoned apps appeared to be perfectly legitimate antivirus apps. Even worse, those apps were downloaded by unsuspecting users more than fifteen thousand times before Google caught the issue and removed them from the Play Store.

Alexander Chailytko is the cyber security researcher who led the team that made the discovery. They have an intriguing theory about how the hackers were able to get their poisoned code past Google’s robust series of checks against exactly such things.

Per Chailytko, “We think that they were able to do it because all malicious actions were triggered from the C&C server, so the app could stay in the ‘OFF’-state during a test period in Google Play and turn ‘ON’ when they get to the users’ devices.”

If that theory proves correct (and there’s little reason to doubt it), Google is going to have a tough time keeping that sort of thing from happening in the future. That means the Play Store may not be quite the safe place most people expect. That’s troubling indeed.

VMware Products Need Patching Now For Security Risks

If you use certain VMware products, be aware that the company has recently identified and issued a patch for a total of five critical security vulnerabilities.

These are being tracked as:

  • CVE-2022-22954: a server-side template injection remote code execution vulnerability
  • CVE-2022-22955 and CVE-2022-22956: OAuth2 ACS authentication bypass vulnerabilities
  • CVE-2022-22957 and CVE-2022-22958: JDBC injection remote code execution vulnerabilities

The products impacted by these issues are:

  • vRealize Suite Lifecycle Manager
  • VMware Cloud Foundation
  • VMware vRealize Automation (vRA)
  • VMware Identity Manager (vIDM)
  • VMware Workspace ONE Access (Access)

The patch the company released to address the issue is VMSA-2021-0011.

The company made a point of stressing that different organizations have varying risk tolerances, security controls, and defenses in place to manage risk, so customers using VMware products are free to decide what priority to place on installing the patch. That said, VMware strongly recommends that all customers take immediate action given the severity of the vulnerabilities.

VMware stressed that so far, they have found no evidence of any of these vulnerabilities being exploited in the wild. Of course, it’s just a matter of time until that happens and the company recommends applying the patch as soon as possible if you use any of the products mentioned above.

If you are unable to apply the patch immediately, be aware that the company has a workaround detailed on its website that can be used as a stopgap measure in the short run. It doesn’t remove the risk, and it may introduce some added wrinkles and complexities, but it’s better than doing nothing until the patch can be applied.

Kudos to VMware for their fast action in addressing these issues and in providing a workaround for those who cannot patch immediately.

Millions Of Cash App Users Had Their Data Breached

Do you use the popular smartphone app “Cash App”? If so, you’re certainly not alone. It is wildly popular and used by millions of people around the world.

That popularity has made it a target. Cash App was formerly known as Square. Recently, the company submitted a filing to the SEC (Securities and Exchange Commission) acknowledging that it had been breached.

This was not a conventional hacking attack, however. In this instance it was a matter of a former employee accessing sensitive customer information after leaving the firm. Based on the filing, the incident occurred on December 10th, 2021.

Apparently the employee in question had regular access to reports containing customer information as part of their job duties. Upon leaving the firm, the employee somehow re-gained access to that information.

The information taken from Cash App includes:

  • The full names of customers
  • Brokerage account numbers (US customers only)
  • Brokerage portfolio value
  • Brokerage portfolio holdings
  • Stock trading activity

Cash App has launched a formal investigation into the matter and retained the services of a third-party forensics firm.

Beyond that, details about the incident are somewhat sparse. About all we know beyond what we mentioned above is that the former employee accessed the records of more than eight million current and former Cash App customers. In addition, the firm is currently in the process of reaching out to all impacted users to inform them.

As is generally the case in the aftermath of an incident like this, Cash App stressed that it takes customer security very seriously and will be conducting a complete review of its processes to minimize the chances of a repeat occurrence. Cash App also stressed that, based on its preliminary assessment, the future costs associated with the incident are virtually impossible to predict.

In any case, if you are a current or former Cash App customer, be on the lookout for a communication from the company in case you’re one of the people potentially impacted by the breach.

Cracked Software Downloads Are Spreading FFDroider Malware

There’s a new malware threat to keep an eye out for, according to researchers from Zscaler. Dubbed FFDroider, this one is known for hijacking a variety of social media accounts and stealing credentials and cookies stored in web browsers.

Given the dominance of social media properties on the web, that makes FFDroider a serious threat.

If there’s a silver lining to be found, it lies in the fact that, for now, FFDroider seems to be spread primarily through websites offering cracked software. Until the hackers behind the malicious code change their approach, you can minimize your risk of infection simply by steering clear of cracked software downloads.

If you do happen to fall victim to the malware, know that it takes steps to obscure its presence on an infected system, most commonly by posing as a Telegram desktop application. Once installed on a system, it creates a new Windows registry key called “FFDoider,” which served as the basis for naming the strain.
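As an added example (not from the original post or from Zscaler’s report), here is a quick PowerShell check an administrator can run to look for a registry key with the name mentioned above. The post does not say where in the registry the key is created, so the hives searched are an assumption.

```powershell
# Added example: search common registry hives for a key named "FFDoider",
# the indicator described in the Zscaler write-up. The hives below are an
# assumption; the original post does not give the key's location.
$keyName = 'FFDoider'
$roots   = 'HKCU:\Software', 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

$hits = foreach ($root in $roots) {
    if (Test-Path $root) {
        # Recurse through every subkey and keep those whose leaf name matches
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -ieq $keyName } |
            Select-Object -ExpandProperty Name
    }
}

if ($hits) {
    Write-Output "Possible FFDroider indicator found; investigate these keys:"
    $hits | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No registry key named '$keyName' found under the searched hives."
}
```

A hit is only an indicator, not proof of infection, so treat it as a prompt to isolate the machine and run a full antivirus scan.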

The strain scans the infected system for a pre-defined list of web browsers and essentially goes shopping. It rifles through the browser files harvesting cookies and saved password information, then exfiltrates the stolen contents to a command-and-control server managed by the hackers.

Currently, FFDroider can scan the contents of Chrome and any Chromium-based browser, Mozilla’s Firefox, Internet Explorer, and Microsoft Edge.

FFDroider will also make attempts to authenticate stolen login information. As an example, if it finds Facebook login information and can use it to successfully log in, it will gather information on the victim’s friends and the groups that person belongs to. If the user runs advertising on Facebook, FFDroider will also grab that information along with any account, billing, and payment details the victim has entered.

It’s fairly easy to avoid this one for now, but if you do run afoul of it, it can cause serious headaches. So make sure everyone you know is aware.