The latest malware threat, Bad Rabbit, appears to be a Petya/NotPetya variant that shares roughly 67% of its code with known Petya DLLs. At the moment it is primarily hitting organizations in Russia and Eastern Europe, but it could easily spread further. The malware encrypts files and replaces the Master Boot Record (MBR) of the infected device, effectively disabling it. The user is then asked to pay a ransom of 0.05 Bitcoin (about US$275) to decrypt the device. There is no evidence yet that paying actually results in decryption.
Bad Rabbit masquerades as an Adobe Flash update and tricks the end user into installing it. It can be delivered from a compromised website the user visits or as an email attachment. Once a device is infected it also attempts to spread across the local network over SMB, trying a built-in dictionary of common and weak credentials against other hosts. This differs from WannaCry: the spread reported so far does not rely on an exploit that can be patched, but on weak username and password combinations, so strong, unique local administrator passwords matter more here than any single patch.
Our Managed Antivirus has already released definition updates for known Bad Rabbit variants, which MAV detects as Gen:Heur.Ransom.BadRabbit.1 and Gen:Variant.Ransom.BadRabbit.1. Some websites report that creating two files named infpub.dat and cscc.dat in the C:\Windows directory and removing all permissions on them (including execute) “vaccinates” the device against Bad Rabbit. This has not been verified, so treat it as a stop-gap rather than a substitute for detection, backups and credential hygiene.
Be aware that infrastructure and media organizations appear to be specifically targeted, but any user could be affected. Because the MBR replacement locks users out of the device entirely, critical systems should be backed up in a way that supports a full-system or bare-metal restore, so that recovery is fast in cases where decryption is not possible.
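The following is an added example, not code from the original notice or from any vendor, showing how the reported (and, as noted above, unverified) “vaccine” would be applied on a Windows host: create the two files under the Windows directory and strip every access entry so that no principal, including SYSTEM, can read, write or execute them. The file names are the ones reported by third parties; run it from an elevated PowerShell session and test on a non-production machine first.

```powershell
# Added example (not part of the original notice): apply the reported Bad Rabbit
# "vaccine" by creating C:\Windows\infpub.dat and C:\Windows\cscc.dat and
# removing all permissions on them. Unverified mitigation; run elevated.

$files = @('infpub.dat', 'cscc.dat')   # file names as reported by third parties

foreach ($name in $files) {
    $path = Join-Path $env:SystemRoot $name   # normally C:\Windows\<name>

    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File -Force | Out-Null
    }

    # Disable inheritance without copying the inherited ACEs, then remove any
    # explicit ACEs that remain, leaving an empty DACL (no rights for anyone).
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Verify: the effective ACL should now contain no access entries.
    $remaining = (Get-Acl -LiteralPath $path).Access.Count
    '{0}: {1} access entries remaining' -f $path, $remaining
}
```

The same result can be had from a command prompt with `icacls C:\Windows\infpub.dat /inheritance:r` (and likewise for cscc.dat), which removes the inherited entries; either way, an administrator can still take ownership and restore access later, so this does not lock you out of the files permanently.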
Researchers have disclosed a vulnerability (publicly known as KRACK) in which Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated, by replaying messages of the four-way or group-key handshake, to force nonce and session-key reuse, resulting in key reinstallation on a wireless access point (AP) or client. An attacker within radio range of an affected AP and client can exploit this; the impact depends on the data-confidentiality protocol in use (with AES-CCMP, decryption and replay of frames; with TKIP or GCMP, packet forgery and injection as well). Resulting attacks include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, and replay of unicast and group-addressed frames.
Because WPA2 is the protocol that secures all modern protected Wi-Fi networks, laptops, desktops, phones and any other device that supports Wi-Fi are likely affected. Major vendors, including Microsoft and Google, have stated they will release patches soon.
Actions to Take:
The number and type of devices connecting over Wi-Fi keeps growing. Know which devices are on your network, including access points, IoT devices and embedded Wi-Fi hardware, and be prepared to patch them as fixes become available. The flaw has to be fixed on both clients and access points; patching a client protects that client's own traffic even while the AP is still unpatched. As a best practice, it is critical to have a proactive patching program in place.
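As an added example (not part of the original notice), the script below builds the inventory this advice calls for on Windows hosts: it lists each physical wireless adapter with its driver provider, version and date, plus the date of the most recently installed hotfix, so the list can be compared against vendor fixes as they ship. It assumes Windows 8 / Server 2012 or later (the NetAdapter module) and, for the fleet-wide variant, WinRM access; the host names in the commented line are placeholders.

```powershell
# Added example (not part of the original notice): inventory wireless adapters
# and driver versions so they can be matched against vendor patches.
# Assumes Windows 8 / Server 2012 or later for Get-NetAdapter.

function Get-WirelessAdapterInventory {
    $lastPatch = (Get-HotFix -ErrorAction SilentlyContinue |
                  Sort-Object InstalledOn |
                  Select-Object -Last 1).InstalledOn

    Get-NetAdapter -Physical |
        Where-Object {
            $_.PhysicalMediaType -eq 'Native 802.11' -or
            $_.InterfaceDescription -match 'Wi-?Fi|Wireless|802\.11'
        } |
        Select-Object @{ n = 'Host';      e = { $env:COMPUTERNAME } },
                      Name, InterfaceDescription, Status,
                      DriverProvider, DriverVersion, DriverDate, DriverFileName,
                      @{ n = 'LastPatch'; e = { $lastPatch } }
}

# Local run: show the table and append it to a CSV for the patching team.
$inventory = Get-WirelessAdapterInventory
$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'wifi-adapters.csv') -NoTypeInformation -Append

# Fleet-wide run (assumption: WinRM enabled; 'ws01','ws02' are placeholder names):
# Invoke-Command -ComputerName 'ws01','ws02' -ScriptBlock ${function:Get-WirelessAdapterInventory} |
#     Export-Csv -Path '\\fileserver\share\wifi-adapters.csv' -NoTypeInformation
```

Driver version and date are what you will need when a vendor publishes a fixed driver; the LastPatch column is a quick way to spot hosts that have not received any Windows updates recently and so will not have picked up the operating-system side of the fix either.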
On May 12, 2017 a new ransomware strain, WannaCry (initially detected by some AV vendors as Ransom.CryptXXX), began spreading widely and impacting a large number of organizations, particularly in Europe.
WannaCry demands a ransom of $300 to $600 in Bitcoin, to be paid by May 15; if that deadline is missed the amount rises, with a final deadline of May 19, after which the on-screen message says the files will remain encrypted permanently. It is not yet clear whether there are flaws in the encryption scheme that would allow victims to restore their files without paying.
If you have yet to install the Microsoft fix (MS17-010), do so immediately; the worm component spreads over SMBv1, so also disable SMBv1 on hosts that do not need it. You should be extremely suspicious of all email you receive, particularly messages that ask you to open an attached document or click a web link.
If you have seen unusual activity and believe your customers’ information may have been exposed, please contact us.
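The following is an added example, not code from the original notice, that checks a Windows host for the two things above: whether one of the MS17-010 updates is present, and whether SMBv1 is still enabled, disabling it if so. The KB list is illustrative (the March 2017 security-only and monthly-rollup packages for Windows 7 / 8.1 / Server 2008 R2 / 2012 / 2012 R2 and the out-of-band package for older systems); later cumulative updates also contain the fix, so a host that shows as unpatched here should be checked against the MS17-010 bulletin for its exact OS before you raise an alarm. The SMBv1 check uses the SmbShare module where it exists and falls back to the LanmanServer registry value on Windows 7.

```powershell
# Added example (not part of the original notice): report MS17-010 status and
# SMBv1 exposure on the local host, and turn SMBv1 off.
# Run elevated. The KB list is illustrative; confirm against the bulletin.

$ms17010Kbs = 'KB4012212', 'KB4012215',   # Win7 / 2008 R2 security-only, rollup
              'KB4012213', 'KB4012216',   # Win8.1 / 2012 R2 security-only, rollup
              'KB4012214', 'KB4012217',   # Server 2012 security-only, rollup
              'KB4012598'                 # out-of-band package for older systems

function Get-Smb1ServerEnabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: no SmbShare module; absent value means SMBv1 is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Test-MS17010 {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MS17010Kbs   = ($installed.HotFixID -join ',')
        Patched      = [bool]$installed
        Smb1Server   = Get-Smb1ServerEnabled
    }
}

$r = Test-MS17010
$r | Format-List

if (-not $r.Patched) {
    Write-Warning 'No MS17-010 KB found; check cumulative updates for this OS or patch now.'
}

if ($r.Smb1Server) {
    # Removing SMBv1 closes the worm's entry point even before the patch lands.
    # Confirm nothing still depends on it first (old NAS units, XP hosts, some printers).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0
        Write-Warning 'SMB1 registry value set to 0; restart the Server service or reboot to apply.'
    }
}
```

Running this under Invoke-Command against a list of hosts gives a per-machine table of patched / SMBv1-enabled status that can be fed straight into a ticket; the unpatched-and-SMBv1-enabled combination is the one to isolate first.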
We will be working to improve service on your MySQL server this Friday, April 14th, starting at 4 PM CST. The maintenance is estimated to take 2-3 hours, with roughly 2 hours of periodic downtime in total.
As part of this improvement we will be upgrading your MySQL server to improve stability and patching it for potential vulnerabilities. There should be no data loss, but connectivity will be affected, and you should not make changes to your databases until the maintenance is complete.
Please contact our support team if you have any questions or concerns.
We hope you enjoy the resulting service improvements!
We’ve been informed by TeamViewer that they’ll be performing maintenance work during the weekend of Saturday April 8th. This will affect both the standalone TeamViewer integration and the TeamViewer version of Take Control.
TeamViewer is moving their infrastructure to a new data center. The maintenance window for the migration work is:
Saturday, April 8th, 2017, 12:00 PM to 9:00 PM CST
The move will impact the availability of the TeamViewer service. While existing sessions will not be affected during the move, you will not be able to start new sessions or add participants to existing sessions. For more details, visit TeamViewer’s community page.
The MSP Anywhere version of Take Control is not impacted by this work.
We will be performing database maintenance with our hosting provider on our Managed Antivirus (Bitdefender) service. During this time, installs will show as pending, and the Anti-virus North pane menus and South pane tab will not load. The anti-virus endpoints will continue to function on their normal scanning and definition update schedule. The maintenance may take up to an hour. Thank you for your patience.
Starting from next week, we’ll be gradually rolling out new load-balancers for the agent upload endpoints for the ABS Dashboard.
The IP addresses of the new load-balancers are listed below, per territory. If you have a restrictive firewall configuration and need to explicitly allow outbound traffic from the agents to the agent endpoints, make sure the address for your territory is added to your firewall whitelist.
US:
We wanted to let you know we are planning a proactive network maintenance on February 8th, 2017 at 12:30pm CST in order to further improve network reliability. This has a planned maintenance window of four hours, and will result in server unavailability of up to 45 minutes.
Once the maintenance has begun, please avoid adding or modifying databases on your MySQL server, as we will be unable to process any database-related changes during this time (and those changes may be lost).
This will only affect availability of your web servers and MySQL servers during the maintenance period -- your email will not be affected.
We apologize for the inconvenience, and appreciate your understanding.
We have a new Bitdefender engine to roll out to the Managed Antivirus service. It will download automatically on current installs of Bitdefender MAV unless the policy is set otherwise. We plan to push the update around 7 AM CST on Saturday, January 28th; it can take up to 24 hours to be applied to a machine.
This update should not require a reboot. If any issue encountered during the upgrade does require a reboot, the reboot status will be reported to the ABS Dashboard, so please watch the dashboard for machines reporting a reboot request.
Here is the change log for the new 22.214.171.1240 build:
New Features and Improvements
We’re planning to perform systems maintenance on Saturday, 14th January. The work will affect ABS Dashboard access and services in the North and South America region. Other regions are not affected. As is our normal practice, the work will be performed out of office hours to minimize disruption.
The maintenance schedule is as follows:
During this time, we’ll be performing essential maintenance to our firewalls. We expect downtime of around half an hour within this window, at which point the ABS Dashboard won’t be available.
Services on end-point devices, including Managed Antivirus, Patch Management, Web Protection and Online Backup & Recovery, are not affected and will continue to perform as normal during this period.