McAfee Enterprise – McAfee Blogs https://www.mcafee.com/blogs Securing Tomorrow. Today. Wed, 01 Dec 2021 16:53:04 +0000 en-US hourly 1 https://wordpress.org/?v=5.6.3 https://www.mcafee.com/wp-content/uploads/2018/11/cropped-favicon-32x32.png McAfee Enterprise – McAfee Blogs https://www.mcafee.com/blogs 32 32 The Bug Report – November Edition https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/the-bug-report-november-edition/ Wed, 01 Dec 2021 05:01:21 +0000 https://www.mcafee.com/blogs/?p=132034

Your Cybersecurity Comic Relief  CVE-2021-20322: Of all the words of mice and men, the saddest are, “it was DNS again.” ...

The post The Bug Report – November Edition appeared first on McAfee Blogs.

]]>

Your Cybersecurity Comic Relief 

CVE-2021-20322: Of all the words of mice and men, the saddest are, “it was DNS again.” 

Why am I here? 

For all our newcomers, welcome to the Advanced Threat Research team’s monthly bug report – a digest of all the latest and greatest vulnerabilities from the last 30-ish days based on merits just a tad more nuanced than sorting NVD by “CVSS > 9.0.” Instead, we focus on qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. 

To those who are returning after having read last month’s issue, I would like to congratulate you for being a Bug Report fan before it was cool – which it now most assuredly is, thanks in no small part to a litany of fascinating vulnerabilities. We encourage our veterans to stick around as long as possible, so that a year from now you can complain about how we’re washed up and how much better our early editions were. 

PAN GlobalProtect VPN: CVE-2021-3064 

What is it? 

Palo Alto Networks (PAN) firewalls that use its GlobalProtect Portal VPN running PAN-OS versions older than 8.1.17 are vulnerable to a cutting-edge, state-of-the-art style of vulnerability known as a “stack-based buffer overflow.” Although the vulnerable code is normally not reachable, when combined with an HTTP smuggling vulnerability, CVE-2021-3064 can be used to gain remote code execution, a remote shell, and even access to sensitive configuration data according to Randori Attack Team researchers. Randori discovered the vulnerability over a year ago but chose not to disclose it to PAN until September of this year, using it as part of its “continuous and automated red team platform” during the interim – I suppose we should be thankful that PAN has claimed in its security advisory that no evidence of exploitation of this vuln has been discovered, despite its age. 

Who cares? 

Absence of “in-the-wild” exploitation aside, we should also be grateful that the number of people who should care is rapidly dwindling (an ever-present theme of 2021). Randori initially reported over 70,000 internet-accessible PAN firewalls running vulnerable versions of PAN-OS according to Shodan, which it later amended to 10,000. As of this writing, that number has fallen to around 7,000. Even so, 7,000 vulnerable firewalls mean an even larger number of vulnerable clients at risk of an over-the-internet attack vector requiring zero authentication. Those connecting to PAN firewalls running on VMs have even greater cause for concern as these lack ASLR, a factoid I have chosen to add to my ever-growing “why is that a thing” list, right next to the Ghostbusters remake. 

What can I do? 

We suggest an experiment: open the Shodan search linked above and note the total number of devices running a vulnerable version of PAN-OS. Next, call up whoever manages your firewall and demand they power it down immediately – use threats if you must. Check the Shodan scan again: has the number gone down? If so, it’s probably time to update. If you’re an Arch user and the prospect of updating terrifies you, Palo Alto has also indicated that its signatures for Unique Threat IDs 91820 and 91855 should block exploitation of CVE-2021-3064. 

The Gold Standard 

Be sure to stay up to date on the latest CVEs – our security bulletins are a great resource for finding product information for all kinds of critical vulnerabilities. 

Linux Kernel: CVE-2021-20322 

What is it? 

Researchers at the University of California, Riverside have discovered a flaw in the way the Linux kernel handles “ICMP fragment needed” and “ICMP redirect” errors, allowing an attacker to quickly learn the randomized port number assigned to a UDP socket. What this description fails to convey is the big picture impact of this vulnerability, which is its use as a side-channel for the now-prehistoric DNS cache poisoning attack, in which an off-path malicious actor ‘poisons’ a DNS resolver’s cache with a false record, mapping a known domain (google.com) to an IP address of their choosing (98.136.144.138). Truly nefarious. 

Who cares? 

To be frank, just about everyone should be at least raising an eyebrow at this one. Although the researchers have indicated in their whitepaper that this particular side-channel only affects about 13.85% of open resolvers on the internet, it’s important to note that various security services rely on proof of domain ownership, including even the issuing of certificates, making the impact tremendous. Users of popular DNS service Quad9 have particular cause for concern, as the paper claims it falls under the vulnerable 13.85%. Linux users should also be concerned, and not just because their drivers refuse to work – DNS software such as BIND, Unbound, and dnsmasq running on their platform of choice are also vulnerable. 

What can I do? 

This is where things get tricky. DNS extensions that were standardized over two decades ago, such as DNSSEC and DNS cookies, should successfully mitigate this and all other DNS cache poisoning attack side channels. The unfortunate reality is that these features see very limited adoption due to backwards-compatibility concerns. While we wait for these dinosaurs holding back progress to die out, the authors of the aforementioned whitepaper have suggested some alternative mitigations, including enabling the IP_PMTUDISC_OMIT socket option, introducing additional randomization to the structure of the DNS exception cache, and configuring DNS servers with a singular default gateway to outright reject ICMP redirects. Further details can be found in section 8.4 of their paper. 

The Gold Standard 

Unfortunately, not every vulnerability can be adequately addressed by network security products, and this vulnerability happens to be one of those cases. Your best bet is to follow the mitigations mentioned above and keep your servers up to date. 

Just About All DRAM: CVE-2021-42114 aka Blacksmith 

What is it? 

Blacksmith, a name referring to both the vulnerability and the fuzzer created to exercise it, is a new implementation of the Rowhammer DRAM hardware vulnerability from 2014. The crux of Rowhammer is the use of high frequency read operations to induce bit flips in neighboring regions of physical memory, which can lead to the crossing of any security barrier if the attacker can massage memory so that critical data is stored in a vulnerable physical page. Modern DRAM hardware uses a technology called Target Row Refresh (TRR) to prematurely refresh regions of physical memory targeted by common Rowhammer attacks. Researchers at ETH Zurich and their associates discovered that TRR exploits the uniform nature of memory accesses used by existing Rowhammer attacks to “catch” them, and so devised a Rowhammer attack that used non-uniform accesses, arriving at CVE-2021-42114, which bypasses TRR and all other modern Rowhammer mitigations. 

Who cares? 

Everyone. Just about every common electronic device you can think of uses DRAM and of the DIMMs (RAM sticks) testedthe researchers did not find a single one that was completely safe. It might be easy to presume that hardware vulnerabilities such as this are academically fascinating but have little real-world impact, but research published since 2014 has shown Rowhammer attacks successfully escape JavaScript containers in the browsercross VM boundaries in the cloud, and even achieve RCE across networks with high enough throughput. Perhaps the greatest tragedy of Blacksmith is that it arrived a month too late – it would have fit in perfectly with Halloween monsters like Freddy Krueger or Jason Voorhees who also see new iterations every few years and refuse to stay dead. 

What can I do? 

Hide your PC, hide your tablet, and hide your phone, ‘cause they’re hammerin’ everybody out there. Beyond that, there’s not much to be done besides wait for JEDEC to develop a fix and for DRAM manufacturers to begin supplying hardware with the new standard. 

The Gold Standard 

We at McAfee Enterprise are doing everything in our power to address this critical vulnerability. In other words, we’ll be waiting for that JEDEC fix right along with you. 

The post The Bug Report – November Edition appeared first on McAfee Blogs.

]]>
Fighting Supply Chain Threats Is Complicated https://www.mcafee.com/blogs/enterprise/fighting-supply-chain-threats-is-complicated/ Tue, 30 Nov 2021 14:00:44 +0000 https://www.mcafee.com/blogs/?p=132025

Relying on the kindness of strangers is not an ideal strategy for CISOs and CIOs. And yet that is the...

The post Fighting Supply Chain Threats Is Complicated appeared first on McAfee Blogs.

]]>

Relying on the kindness of strangers is not an ideal strategy for CISOs and CIOs. And yet that is the precise position where most find themselves today while trying to battle cybersecurity issues across their supply chain. While these supply chains have plenty of their own challenges, such as global disruptions of distribution, our recent research shows that it’s the cybersecurity problems that will long survive for the long term.

It’s not as though enterprises rely on their partners any more today than they did ten years ago. Their needs have not changed and are unlikely to change, except those rare instances where an enterprise will choose to manufacture their own supplies rather than rely on partners. Consider, for example, Costco creating its own gigantic chicken farm. Other than outlier examples like this, partner reliance is relatively stable.

What is changing with the supply chain is how much system access is being granted to these partners. They are getting access they didn’t always get and are getting far deeper access as well. As technology has advanced to allow such access, enterprises have accepted.

Given the wide range of partners–suppliers, distributors, contractors, outsourced sales, cloud platforms, geographical specialists, and sometimes your own largest customers–the cybersecurity complexities are growing by orders of magnitude. In addition, the more integrations that enterprises accept, the higher the level that their risk is. To be more precise, the risk doesn’t necessarily grow with the number of partners as much as the risk grows with the number of partners whose cybersecurity environments are less secure than the enterprise’s own environment.

To even begin to craft a cybersecurity strategy to manage partners and a global supply chain, the enterprise CISO needs to have a candid understanding of what their partners’ security level truly is. That is tricky, given that many of those partners themselves do not have a good sense of how secure or insecure they are.

One suggestion is to revise contracts to make it a requirement for all partners to maintain a security level equal to the enterprise customer. The contract must not only specify penalties for non-compliance–and those penalties must be sufficiently costly that it makes no sense for a partner to take that chance–but it must specify means to determine and re-verify that security level. Surprise inspections and the sharing of extensive log files would be a start.

Otherwise, even the strictest security environment such as Zero Trust may be unable to plug supply chain holes due to sloppier partner security practices. Let’s say that a large enterprise retailer is working with a large consumer goods manufacturer as a partner. A good environment will start with strict authentication, making sure that the user from the partner is really that authorized user. The enterprise environment must also watch the user throughout the session to make sure the user doesn’t do anything suspicious. But if the partner has been breached, malware could sneak in through the secure tunnel and, if it’s not caught by the enterprise, there’s a problem and now they can be breached.

This is not hypothetical. Since the beginning of the pandemic, our research found that a vast majority of global enterprises (81 percent) said that they are seeing far more attacks since the beginning of COVID-19.

Almost every business is dependent on the supply chain, making it a prime target for cybercriminals looking to cause disruption and breach wider networks. As the holiday season approaches, we are already seeing a spike in consumer and business activity across the supply chain, making it a prime target for cybercriminals looking to target essential and lucrative services.

Attackers are going to continue to leverage the global supply chain as an initial entry vector, accessing the network through a trusted connection, system, or user. The fact that these attacks exploit trusted channels makes them very difficult to prevent or detect. As organisations continue their digital transformation, including ever-more cloud services, managed services and endpoint modernization, the risks of supply chain threats will increase as its prevalence as a vector does so.

 

The post Fighting Supply Chain Threats Is Complicated appeared first on McAfee Blogs.

]]>
McAfee Enterprise Defender Blog | Windows Zero-Day – CVE-2021-41379 https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-windows-zero-day-cve-2021-41379/ Mon, 29 Nov 2021 19:12:04 +0000 https://www.mcafee.com/blogs/?p=132043

Threat Summary This month it was disclosed that a Microsoft vulnerability that allows for local privilege elevation, previously patched in...

The post McAfee Enterprise Defender Blog | Windows Zero-Day – CVE-2021-41379 appeared first on McAfee Blogs.

]]>

Threat Summary

This month it was disclosed that a Microsoft vulnerability that allows for local privilege elevation, previously patched in the November 2021 Patch Tuesday, is still exploitable and was not patched correctly. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.

Figure 1. MITRE ATT&CK Matrix for Windows Zero-Day in MVISION Insights

The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022. At the time of writing, Microsoft has not released any updates or out-of-band patches to resolve it.

CVE-2021-41379 – Microsoft Windows Installer Elevation of Privilege Vulnerability

Bleeping Computer: New Windows zero-day with public exploit lets you become an admin

Bleeping Computer: Malware now trying to exploit new Windows Installer zero-day

McAfee Enterprise Protections and Global Detections

McAfee Enterprise Global Threat Intelligence is currently detecting all known proof of concept exploits for this zero-day vulnerability as malicious.

Blocking Exploitation Attempts with McAfee Enterprise ENS

McAfee Enterprise Endpoint Security (ENS) is currently detecting exploitation attempts and will quarantine the tools utilized to exploit this vulnerability as shown below.

Figure 2. Story Graph summary of exploitation detection by McAfee Enterprise ENS shown in MVISION ePO

Detecting Exploitation Activity with MVISION EDR

MVISION Endpoint Detection and Response (EDR) is currently alerting to the activity of this exploitation as malicious and will note the MITRE techniques and any suspicious indicators related to the exploit attempts.

Figure 3. Detection of zero-day exploitation activity and techniques in MVISION EDR

Threat Intelligence for Exploitation IOCS with MVISION Insights

MVISION Insights will provide the current threat intelligence and known indicators for exploitation of this vulnerability. MVISION Insights will also alert to detections that have been observed, and systems that require additional attention, to prevent widespread infection. MVISION Insights will also include Hunting Rules and Campaign Connections for threat hunting and further intelligence gathering of the threat activity and adversary.

MVISION Insights Campaign: New Windows Zero-Day CVE-2021-41379 With Public Exploit Lets You Become an Admin

Figure 4. Global Prevalence of zero-day exploitation activity in MVISION Insights

Figure 5. Exploitation IOCs and Detections in MVISION Insights

McAfee Enterprise offers Threat Intelligence Briefings along with Cloud Security and Data Protection workshops to provide customers with best practice recommendations on how to utilize their existing security controls to protect against adversarial and insider threats; please reach out if you would like to schedule a workshop with your organization.

The post McAfee Enterprise Defender Blog | Windows Zero-Day – CVE-2021-41379 appeared first on McAfee Blogs.

]]>
McAfee Enterprise Defender Blog | CISA Alert: MS Exchange & Fortinet Vulnerabilities https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-cisa-alert-ms-exchange-fortinet-vulnerabilities/ Thu, 25 Nov 2021 17:37:10 +0000 https://www.mcafee.com/blogs/?p=131938

Threat Summary On November 17, 2021, The US Cybersecurity & Infrastructure Security Agency (CISA) pushed an Alert entitled “Iranian Government-Sponsored...

The post McAfee Enterprise Defender Blog | CISA Alert: MS Exchange & Fortinet Vulnerabilities appeared first on McAfee Blogs.

]]>

Threat Summary

On November 17, 2021, The US Cybersecurity & Infrastructure Security Agency (CISA) pushed an Alert entitled “Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities” which you need to pay attention to if you use Microsoft Exchange or Fortinet appliances. It highlights one Microsoft Exchange CVE (Common Vulnerability & Exposure), three Fortinet CVEs and a list of malicious and legitimate tools associated with this activity.

Threat Intelligence Update from McAfee Enterprise

A few hours later our Advanced Threat Research (ATR) team published a new campaign in MVISION Insights under the name “Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities”. Immediately after, MVISION Insights started to provide near real-time statistics on the prevalence of the tools associated to this threat campaign by country and by sector.

Figure 1. MVISION Insights Global prevalence statistics for this campaign on Nov 19, 2021

In this blog I want to show you how you can operationalize the data linked to this alert in MVISION Insights together with your investigation and protection capabilities to better protect your organization against this threat.

Tracking New Campaigns and Threat Profiles, Including This Alert

MVISION Insights combines Campaigns and Threat Profiles in the same list, and you can change the order from “Last Detected” to “Last Added” as shown below.

Figure 2. List of MVISION Insights campaigns last added, with a selection of this campaign

On the left of figure 2, a color code shows you the severity assigned by the McAfee ATR team (Medium for this campaign), in the middle you can see whether we have seen detections of the analysed IOCs in your country or in your sector

If you are a McAfee Endpoint Security or IPS customer, on the right of figure 2 you can see whether you have had any detection of these IOCs by your McAfee Endpoint Security or IPS, or whether Endpoint Security has found exposed devices, or devices with insufficient Endpoint Security protection

As shown in figure 2, you can also click the campaign’s preview to read a short description, and the labels given by MVISION Insights:

  • APT
  • Ransomware
  • Tool
  • Vulnerability

In this case, you can see that CISA suspects this campaign to be associated with an APT threat group. It includes Ransomware behaviors. The labels also highlight the use of hacking tools and vulnerabilities which you can then view in the Campaign details. Last September we hosted a webinar focused on threat intelligence and protection against hacking tools.

The campaign description highlights the usual use of “devices encrypted with the Microsoft Windows BitLocker encryption feature”.

The campaign’s details also provide links to other sources, such as the CISA alert in this case.

Figure 3. Original CISA Alert used for this campaign

Evaluating the Risk and Whether you Could be Exposed

Once you have identified campaigns which could potentially hit you, you can evaluate your risk and whether you could be exposed because you could have:

        • Vulnerabilities listed
          In figure 4, you can see that in this campaign there is 1 CVE for Microsoft Exchange, and 3 CVEs for Fortinet FortiOS
        • Exposed devices
          In figure 2, there are none
        • Insufficient Endpoint Security protection
          In Figure 2, there are none

Figure 4. List of Common Vulnerabilities and Exposures (CVEs) in this campaign’s details

If you are a McAfee Enterprise customer, the MVISION Insights Endpoint Security Posture checks whether you have enabled the necessary Endpoint Security features to have the best level of protection across your estate.

In the example below:

  • 3 Endpoint Security devices have an insufficient AMcore content to detect all campaigns
  • The warning sign shows that some devices have been excluded from this assessment by the MVISION Insights administrator
  • 1 Endpoint Security device is missing Real Protect Client and Cloud
  • 1 Endpoint Security device is missing Adaptive Threat Protection (ATP)
  • 1 Endpoint Security device has an unresolved detection for a Medium Severity Campaign

As seen previously, this lab environment has sufficient protection to detect the “Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities” campaign IOCs. However, to have full Endpoint protection, GTI, On-Access scan, Exploit Prevention, Real Protect and ATP must be enabled.

Figure 5. McAfee Endpoint Security Detection across all MVISION Insights campaigns

Hunting for Detections and IOCs in Your Environment

If you are a McAfee Endpoint Security or IPS customer, the detections related to the campaign’s IOCs are automatically mapped by MVISION Insights as shown in Figure 6.

Figure 6: McAfee Endpoint Security Detection across all MVISION Insights campaigns

You can also use your Endpoint Detection and Response (EDR) or SIEM solution to search for the presence of IOCs. As you can see below in Figure 7, we have categorized the IOCs, and in this instance:

  • 4 File Hashes have been analyzed by our Threat Research experts and 3 File Hashes have NOT been fully analyzed at this time
  • 2 File Hashes are dual use, and therefore are non-Deterministic
  • 5 File Hashes are partially unique (2 Malicious and 2 Probable Malicious)

If you are an MVISION EDR customer, you can automatically search for the presence of these IOCs across your estate from MVISION insights

Otherwise, you can export the IOCs and hunt them in your EDR, and SIEM, to examine the evidence of a potential compromise and escalate the case to a level2 or level3 analyst to run a full investigation.

Additionally, you can also use the MVISION APIs with a third-party Threat Intelligence Platform such as ThreatQ, ThreatConnect or MISP to orchestrate this threat hunting capability.

Figure 7: MVISION Insights IOCs for this campaign

You can also leverage the new Campaign Connections feature (Figure 8) to check whether these IOCs are also listed in other campaigns or threat profiles. Campaign collection uses graphs to connect all the MVISION campaigns, and threat profile data such as:

  • IOCs
  • MITRE techniques
  • MITRE and McAfee Tools
  • Threat actors and groups
  • Labels
  • Prevalent countries and sectors
  • Detections

Figure 8: MVISION Insights Campaign connection using the IOCs of this campaign

Hunting TTPs in Your Environment

Beyond the IOCs, your Threat Analysts can also leverage the MITRE Techniques and Tools related to this campaign and documented in MVISION Insights.

Figure 9: MITRE Techniques and Tools observed in MVISION Insights for this campaign

For example, here you could use MVISION EDR to look for the presence of:

  • Unusual Scheduled Tasks
  • Unusual WinRAR archives
  • Unusual local and domain account usage
  • Mimikatz behavior

Then you can quarantine suspected devices before running a full remediation. You can also check that your Endpoint Security solution has credential theft protection capabilities such as ENS credential theft protection.

Vulnerability Management

If your organization hosts Microsoft Exchange or Fortinet appliances you will need to apply the recommended patching and upgrade recommendations. If you find indicators of compromise you might want to increase the priority of the tickets, asking the Fortinet and Microsoft Exchange administrators to fix these CVEs due to these suspicious activities.

Summary

To better assess your risk and exposure against this campaign you should review your current capabilities to:

  • Be informed about the latest relevant CISA alerts and other new campaigns and threat actors
  • Hunt the IOCs, Tools and Techniques associated
  • Identify Common Vulnerabilities and Exposures
  • Review your level of Endpoint Protection against these threats

McAfee Enterprise offers Threat Intelligence, and Security Operations workshops to provide customers with best practice recommendations on how to utilize their existing security controls to protect against adversarial and insider threats; please reach out if you would like to schedule a workshop with your organization.

The post McAfee Enterprise Defender Blog | CISA Alert: MS Exchange & Fortinet Vulnerabilities appeared first on McAfee Blogs.

]]>
Global Technology Provider Looks to MVISION Unified Cloud Edge https://www.mcafee.com/blogs/enterprise/cloud-security/global-technology-provider-looks-to-mvision-unified-cloud-edge/ Mon, 22 Nov 2021 15:04:14 +0000 https://www.mcafee.com/blogs/?p=131590

With the acceleration of cloud migration initiatives—partly arising the need to support a remote workforce during the pandemic and beyond—enterprises...

The post Global Technology Provider Looks to MVISION Unified Cloud Edge appeared first on McAfee Blogs.

]]>

With the acceleration of cloud migration initiatives—partly arising the need to support a remote workforce during the pandemic and beyond—enterprises are finding that this transformation has introduced new operational complexities and security vulnerabilities. Among these are potential misconfigurations, poorly secured interfaces, Shadow IT (access to unauthorized applications), and an increasing number of connected devices and users. To navigate these challenges, enterprises are relying on managed service providers to monitor and protect their cloud environment.

To better serve its customers and secure its own environments, one global technology provider decided to expand its existing on-premises data loss protection (DLP) and web protection with a comprehensive and robust cloud security strategy based on solutions from the  MVISION™ portfolio of solutions. Already a long-time user of McAfee Enterprise on-premises solutions, the global technology provider not only secured its internal cloud infrastructure consisting of more than 5,000 endpoints across over 30 locations worldwide, they also applied the same approach to the millions of endpoints they manage for more than 10,000 customers.

Evolving a Modern Cloud Security Approach

A primary objective for the global technology provider is securing data in the cloud in Software-as-a-Service (SaaS) applications (Microsoft Office 365, OneDrive, Salesforce, and others) and Infrastructure-as-a-Service (IaaS) platforms (Microsoft Azure, Amazon Web Services, Google Cloud Platform).

As a first step in its cloud journey, the global technology provider evaluated a number of cloud access security brokers (CASB) solutions. Ultimately, they decided to implement MVISION Cloud for AWS, Office 365, and Shadow IT. In addition to providing comprehensive visibility into cloud app usage, these solutions help with compliance; data loss prevention (DLP) by monitoring the movement of sensitive and confidential data content traveling to or from the cloud, within the cloud, and cloud to cloud; and detection and remediation of threats primarily through user and entity behavior analytics (UEBA).

Moving to a Consolidated Cloud Security Fabric

But the global technology provider didn’t stop there. When we rolled out MVISION Unified Cloud Edge, the global technology provider tested it and enthusiastically adopted it. As defined by Gartner, MVISION Unified Cloud Edge is an industry-leading example of Secure Access Service Edge (SASE), a security framework that brings together network connectivity and security into a single, cloud-delivered solution that supports business transformation, edge computing, and workforce mobility.

The global technology provider has reaped multiple advantages from this implementation across its own internal environment and for its customers.

Key advantage #1: Management ease and less overhead

MVISION Unified Cloud Edge combines multiple capabilities under one umbrella: CASB functionality with web proxy and DLP with a single administrative hub,  ePolicy Orchestrator® (ePO™) for streamlined management.

MVISION Unified Cloud Edge capabilities and the ease of integration with the McAfee Enterprise ecosystem has made life easier for the global technology provider’s team, saving time and resources. Now they can set consistent policies from device to cloud and provide users with accelerated and secure access to the tools they use every day, such as Box, Dropbox, and others. As the information security operations manager points out: “A single management console reduces overhead as does being able to set policies that we can sync and apply to multiple data sources on multiple cloud solutions, without having to recreate rules.”

Key advantage #2: Data protection policies in the cloud

MVISION Unified Cloud Edge has also enabled the global technology provider to further boost its cloud data protection. For example, it can detect data that is improperly managed and stored. Now the organization can apply their existing on-premises data policies to the cloud. For example, they can prevent certain user behaviors that may put both corporate and customer cloud data at risk. These include copying data to cloud apps or USBs, printing it, taking screen captures, accessing risky websites, and uploading data to unauthorized websites.

Key advantage #3: Improved control over apps

To create a more secure internal environment, MVISION Unified Cloud Edge has been invaluable for the global security provider. They have a better handle on the applications that are being used across their company. The solution also provides risk scores for the cloud apps that are being used to help steer users away from Shadow IT and toward using only authorized apps. When employees propose new apps to help them do their jobs better, the IT security team can check the security of these apps against requirements and make any necessary modifications to ensure compliance.

“The Shadow IT CASB automatically blocks all cloud services that are deemed high risk, both at our on-premises Web Gateway and the built-in cloud web gateway manager. So, when users attempt to use an unsanctioned SaaS application, they see a message explaining that the app is not safe,” notes the information security operations manager.

The global technology provider also sells SaaS solutions to its clients. With MVISION Unified Cloud Edge, the global technology provider can protect data on any newly sanctioned SaaS applications at no extra cost.”

A resounding endorsement

After a successful experience with McAfee Enterprise overall and specifically with the implementation of MVISION Unified Cloud Edge, the information security operation manager recommends the solution to any organization beginning or in the midst of migrating to the cloud.

“I would advise other companies thinking about their cloud transformation journey to seriously consider MVISION Unified Cloud Edge . . . It has a very user-friendly interface and does so much out of the box,” he asserts. “The level of granularity in policy setting lets you do things you don’t think possible or are much easier to accomplish than you realize. . . I don’t think any other vendor offers such a complete package.”

The post Global Technology Provider Looks to MVISION Unified Cloud Edge appeared first on McAfee Blogs.

]]>
McAfee Enterprise Continues to be a Leader in CASB and Cloud Security https://www.mcafee.com/blogs/enterprise/cloud-security/mcafee-enterprise-continues-to-be-a-leader-in-casb-and-cloud-security/ Mon, 22 Nov 2021 13:00:42 +0000 https://www.mcafee.com/blogs/?p=131611 Cloud Security Gateways (CSGs) are one of the hottest and most sought-after technologies in the market today, driven by the adoption of...

The post McAfee Enterprise Continues to be a Leader in CASB and Cloud Security appeared first on McAfee Blogs.

]]>
Cloud Security Gateways (CSGs) are one of the hottest and most sought-after technologies in the market today, driven by the adoption of cloud services for business transformation and the acceptance of hybrid workforce policies. CSGs, also commonly known as Cloud Access Security Brokers (CASBs), are responsible for enforcing security policies to protect cloud-hosted corporate assets from advanced threats, while enabling seamless and secure access to these assets from any location and device.  

We have witnessed an exponential growth in cloud usage in the past two years, primarily driven by remote workforce adoption. Based on the data collected by our research team from millions of connected McAfee Enterprise users across the globe, the overall usage of enterprise cloud services spiked by 50% across all industries, while the collaboration services witnessed an increase of up to 600% in usage. This led to an astonishing 630% increase in external attacks on the cloud accounts. Taking all these factors and trends into consideration, CSGs have become a highly essential element of any organization’s cloud security strategy, playing the most critical role for enabling data protection, threat prevention and compliance in the cloud. 

McAfee Enterprise continues to innovate in the cloud security space with a laser-focused strategy towards empowering our customers with the best-in-class cloud security solution. MVISION Cloud, recognized as the industry’s leading CSG solution, has become a vital part of enterprise security, allowing organizations to safely migrate to the cloud while protecting their “crown jewels” – the data. A huge testament to our cybersecurity vision is the IDC MarketScape Worldwide Cloud Security Gateways 2021 Vendor Assessment (Doc # US48334521, November 2021), and we are proud to announce that McAfee Enterprise has been recognized as a leader in the report. 

According to the report, “McAfee has a strong ecosystem of security solutions, including Secure Web Gateway, CSG, and endpoint security that it can integrate to enable customers in their data loss prevention, User Behavior Analytics, XDR, and threat prevention goals. McAfee has focused on providing robust protection and DLP, with the scale and speed necessary to support large user bases.” 

McAfee Enterprise’s multi-vector data protection capabilities go beyond the cloud to uniquely discover and protect sensitive assets on managed endpoints, in-network shares, and on-premises databases, enabling full scope of data protection from device-to-cloud. The industry-leading data protection and threat protection capabilities are tightly integrated with a unified policy framework that allows policy enforcement, data classification and incident management from a centralized console, reducing the cost and complexity of managing hybrid IT deployments, while improving the user experience. 

Figure 1: McAfee Enterprise Multi-Vector Data Protection 

MVISION Cloud is an integral component of our Unified Cloud Edge (UCE) solution, and together with McAfee Enterprise’s Next-Gen Secure Web Gateway (SWG) and MVISION Private Access (ZTNA) delivers the industry’s most comprehensive Security Services Edge (SSE) solution – the security element of the Secure Access Service Edge (SASE) framework. With McAfee Enterprise’s DLP technology being the common denominator across all the core SSE components, organizations can seamlessly utilize a unified, data-centric framework for centralized visibility and control over their entire digital footprint, while riding on an accelerated path for digital transformation and workplace mobility. 

Figure 2: MVISION Unified Cloud Edge (UCE) 

Our mission towards building a unified security platform for protecting data from device-to-cloud and defending against advanced threats and adversaries has established McAfee Enterprise as a leader in cybersecurity across multiple forums, and the 2021 IDC MarketScape report is another distinguished feather in our decorated cap. 

The post McAfee Enterprise Continues to be a Leader in CASB and Cloud Security appeared first on McAfee Blogs.

]]>
Zero Care About Zero Days https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/zero-care-about-zero-days/ Mon, 22 Nov 2021 05:01:48 +0000 https://www.mcafee.com/blogs/?p=131440

The time to repurpose vulnerabilities into working exploits will be measured in hours and there’s nothing you can do about...

The post Zero Care About Zero Days appeared first on McAfee Blogs.

]]>

The time to repurpose vulnerabilities into working exploits will be measured in hours and there’s nothing you can do about it… except patch

By Fred House

2021 is already being touted as one of the worst years on record with respect to the volume of zero-day vulnerabilities exploited in the wild. Some cite this as evidence of better detection by the industry while others credit improved disclosure by victims. Others will simply conclude that as the “upside” grows (e.g., REvil demanding $70M or Zerodium paying $2.5M for exploits) so too will the quantity and quality of players. But the scope of these exploitations, the diversity of targeted applications, and ultimately the consequences to organizations were notable as well. As we look to 2022, we expect these factors to drive an increase in the speed at which organizations respond.

If we look back at the past 12 months, we have seen notable breaches that highlight the need for organizations to improve response times:

ProxyLogon. When we first learned in 2020 that roughly 17,000 SolarWinds customers were affected, many reacted in shock at the pure scope of the compromise (it should be noted that a small subset of these customers are believed to have been compromised by follow-on activity). Unfortunately, 2021 brought its own notable increase in volume. Two weeks after Microsoft released a patch for ProxyLogon they reported that 30K Exchange servers were still vulnerable (less conservative estimates had the number at 60K).

ProxyShell. ProxyShell, a collection of three separate vulnerabilities (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523), was Exchange’s second major event of the year after ProxyLogon. In August, a Black Hat presentation outlining Exchange Server vulnerabilities was followed the next day by the release of an exploit POC, all of which had been patched by Microsoft months earlier in April/May. This analysis of data captured by Shodan one week after the exploit POC was released concluded that over 30K Exchange servers were still vulnerable, noting that the data may have underrepresented the full scope (i.e., Shodan hadn’t had time to scan the full Internet). In summary: patched in the Spring, exploited in the Fall. So, what happened in the interim you ask? The vulnerabilities in the Microsoft Client Access Service were exploited by threat actors who deployed web shells to execute arbitrary code on compromised mobile devices and web browsers.

vCenter Server. Another notable example occurred in May when VMWare released a patch for a remote code execution vulnerability in vCenter Server. This subsequent analysis concluded that over 4,000 systems remained vulnerable one week after the patch was released. Much like Exchange servers, where a typical company will only host a handful of servers, 4,000 vulnerable vCenter servers likely represents thousands of distinct companies.

Kaseya VSA. One bright spot may in fact be the Kaseya VSA breach. On July 2, REvil launched an unprecedented (anyone else tired of that word?) ransomware campaign against public facing VSA servers. Within two days the DIVD CSIRT reported that the number of exposed VSA servers had dropped from 2,200 to 140. Some estimates suggested that around 50 MSPs were compromised, affecting between 800 and 1500 business. While this doesn’t sound like much of a bright spot, patching 94% of the affected systems in two days surely helped reduce the success of REvil copycats.

So, what can we take away from all of this? Well, attackers and security researchers alike will continue to hone their craft until weaponized exploits and POCs are expected within hours of vulnerability disclosure. In turn however, and largely driven by the increased consequences of compromise, we can also expect renewed diligence around asset and patch management. From identifying public facing assets to quickly deploying patches despite potential business disruption, companies will have a renewed focus on reducing their “time to patch.”

Still not convinced? Well, the US government is. Checkout Binding Operational Directive 22-01 published on November 3rd which compels all federal agencies to remediate known exploited vulnerabilities in two weeks or sooner “in the case of grave risk to the Federal Enterprise”. It’s no coincidence that CISA’s known exploited vulnerabilities catalog, which catalogues the vulnerabilities that must be remediated, includes every one of our examples above with a two-week remediation deadline. If the US government can do it, you can too!

The post Zero Care About Zero Days appeared first on McAfee Blogs.

]]>
Ransomware Threats Affecting the Public Sector https://www.mcafee.com/blogs/enterprise/ransomware-threats-affecting-the-public-sector/ Thu, 18 Nov 2021 17:03:00 +0000 https://www.mcafee.com/blogs/?p=131446

In the October 2021 Threat Report, McAfee Enterprise ATR provides a global view of the top threats, especially those ransomware...

The post Ransomware Threats Affecting the Public Sector appeared first on McAfee Blogs.

]]>

In the October 2021 Threat Report, McAfee Enterprise ATR provides a global view of the top threats, especially those ransomware attacks that affected most countries and sectors in Q2 2021, especially in the Public Sector (Government).


In June 2021 the G7 economies urged countries that may harbor criminal ransomware groups to take accountability for tracking them down and disrupting their operations. Let’s review the high severity campaigns and threat profiles added to MVISION Insights recently.

Threat Profile Conti Ransomware & BazarLoader to Conti Ransomware in 32hrs

Conti has been one of the top Ransomware groups in 2021, including a new campaign reported in September 2021. As mentioned earlier in this report, the public sector seems to be the sector most affected by Ransomware attacks. McAfee Enterprise provides regular publications on the strategies to defend against ransomware, such as this blog.

Other Recent Threats Affecting the Public Sector

CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability

This is a serious Microsoft Office vulnerability reported in September 2021 by Microsoft, McAfee Enterprise and other sources. The MVISION Insights heat map shows the prevalence of the Indicators of Compromise (IOCs) associated with this threat in the first half of October 2021.

Although Microsoft has provided guidance on a workaround, it can be challenging for many public sector organizations to deploy these patches quickly. To help you be more agile, McAfee Enterprise has released its own guidance leveraging ENS, EDR and NSP.

Microsoft Office vulnerabilities are commonly exploited in the early phases of the attack lifecycle. BazarLoader, mentioned earlier with the Conti Ransomware, has also been used with Word and Excel documents. In the MITRE Enterprise ATT&CK framework this technique is known as T1203, which we can find in 177 campaigns and threat profiles in MVISION Insights.

Threat Profile APT41 & APT41 Malware Identified Doing the ChaCha at SAS21

APT41 is a state sponsored threat group linked to China and associated with multiple campaigns, including a new campaign reported in September 2021. Although Ransomware is currently the main cyber threat type which hits the news, state sponsored threat groups are equally concerning, especially in the public sector for organizations with sensitive government and citizen data, which could be potentially exploited by a foreign nation like China.

In the second part of this report, we highlight how you can leverage the data from MVISION Insights to find traces of these attacks to enhance your level of protection.

Cloud Threats Affecting the Public Sector

In the October 2021 Threat Report, McAfee Enterprise ATR also assessed the prevalence of Cloud Threats, identifying the US Government sector as one of the top 10 verticals affected.

Many governments are moving quickly to adopt cloud technologies to bring services for their citizens, for collaboration and cost savings.

Inadequate readiness to address cloud security has been the primary contributor of these threats. Several cloud-native controls exist to protect sensitive data from loss or theft in real time, such as:

Operationalize Threat Intelligence

In the second part of this report, we want to give you some guidance on how you can operationalize this threat intelligence data to better protect your networks. MVISION Insights can help operationalize McAfee Enterprise Threat Intelligence data by providing risk assessment against threats affecting you, protective guidance and integrating with other tools to share threat data.

Let’s take the previous example of the Conti Ransomware Threat Profile. Below you can see how MVISION Insights provides:

1. A short description with the list of CVEs linked to this threat profile, the minimum version of McAfee Enterprise ENS AMcore content to be correctly protected against this threat, detections in your environment and on which device.

2. The list of related campaigns, the devices with unresolved detections related to these campaigns or those with insufficient protections.

3. The list of MITRE techniques and tools, which provide a universal and agnostic overlay of the threats, as well as details on the observables specific to this threat profile for each MITRE technique.

4. The list of IOCs with filters, IOC attributes, and IOC export features which you can use to share them with your other solutions, such as your SIEM, and which you can also share with other public sector entities. We also provide a direct integration with MVISION EDR. Alternatively, you can leverage the APIs to automate the exchange of IOCs.

If you find devices with these IOCs in MVISION EDR you can take immediate remote actions such as quarantine the device, kill the process, remove the files, or run custom scripts.

You can also use MVISION EDR for more advanced threat hunting such as searching for specific MITRE techniques in all MVISION EDR alerts …

… or in the MVISION EDR monitoring view which automatically groups the alerts.

5. MVISION Insights also provides hunting rules created by McAfee Enterprise Threat Intelligence experts using Yara, Sigma and McAfee Enterprise ENS expert rules.

6. A proactive assessment of your Endpoint and Cloud security posture score with guidance on the configuration changes which you should follow to ensure that your McAfee Enterprise Endpoint and Cloud solutions are protecting you with their full capabilities.

7. And all this, with more than 1,200 threat campaigns and threat profiles

MVISION APIs give you the ability to integrate and to exchange this extensive Threat Intelligence data with your SOC tools, including Threat Intelligence Platforms (TIPs) and Security Orchestration Automation and Response (SOAR).

These integrations can be used both in Internet-facing and closed networks. For advanced Threat Intelligence teams, our Advanced Program Group (APG) provides “Threat Intelligence as a Service” (INTAAS) including:

  • Access to the unaggregated raw data behind MVISION Insights
  • Access to McAfee Private Global Threat Intelligence (GTI)
  • Threat Assessments
  • Adversary Monitoring and Attribution
  • IOC enrichment
  • Reverse Engineering

Summary

To conclude, here is a summary of the use cases you can achieve with MVISION Insights in the public sector:

  1. Start your threat intelligence program despite a lack of time and expertise
  2. Improve your existing Threat Intelligence program
  3. Check whether you have been breached by leveraging McAfee Enterprise ENS and NPS
  4. Predict threats, including ransomwares, that are most likely going to hit you
  5. Prioritize threat hunting using the most relevant indicators
  6. Enrich investigations with MVISION EDR/XDR
  7. Integrate with your other SOC solutions
  8. Deliver on-premise Threat Intelligence for restricted networks
  9. Proactively assess your protection status with McAfee Enterprise ENS and MVISION Cloud
  10. Improve Zero Trust with Threat Intelligence

If you want to learn more on our Threat Intelligence capabilities and participate in Architecture or Incident Response Workshops, contact your local McAfee Enterprise representative.

The post Ransomware Threats Affecting the Public Sector appeared first on McAfee Blogs.

]]>
Digital Transformation Needs to (Re)Start with Security https://www.mcafee.com/blogs/enterprise/digital-transformation-needs-to-restart-with-security/ Thu, 18 Nov 2021 15:00:00 +0000 https://www.mcafee.com/blogs/?p=131176

In life, regret tends to take on many shapes and forms. We often do not heed the guidance of the...

The post Digital Transformation Needs to (Re)Start with Security appeared first on McAfee Blogs.

]]>

In life, regret tends to take on many shapes and forms. We often do not heed the guidance of the common anecdotes we hear throughout our days and years. From “look before you leap” to “an apple a day keeps the doctor away” – we take these sayings in stride, especially when we cannot necessarily provide proof of their veracity!

One particular trope that may incite ire, frustration, or regret when applied to enterprise security is – “once bitten, twice shy.”

In its very literal sense, we’re taught that if we’re bitten by something once – whether that be dog or security breach – we’re innately cautious or fearful of falling into a similar scenario. With dogs or any animal, we may pivot our behavior to avoid sharp teeth. However, with security breaches, many enterprises continue to be blindsided by “bites” – despite believing they’ve taken the utmost of caution to protect against them.

There is a clear disconnect between enterprise-preparedness and the severity of today’s threat landscape. We continue to see that no enterprise is immune to threats and breaches, with ransomware campaigns continuing to get more sophisticated and prevalent. We’re also seeing cyber criminals work together, banding as an enterprise themselves sharing common tools and knowledge. This means, as cyber criminals become more business-savvy, operational, and efficient – the enterprises they look to attack need to consistently be one step ahead to anticipate and prevent breaches.

Safety First, Now More Than Ever

The term digital transformation is not new by any means, but it needs to be newly approached through a security-first lens. For successful digital transformation to occur today, major industries need to focus on superior prevention against threats.

It’s time for business leaders to stop focusing on the “breach of the month” and more on building security into the fabric of their organizations so they’re not the next victims. For this to happen, it is imperative to break down silos of threat and information intelligence across the organization, enabling a collaborative, holistic, and strategic approach to securing the business.

Additionally, as we’re seeing more prevalent and sophisticated attacks, enterprises need to lean into the transformative technologies that can keep up with evolving techniques. AI provides for personalization of security – a key advantage as it can prioritize detection and response to allow organizations to focus on growth outcomes instead of spending time recouping lost data, customers, revenue, efficiencies, or more that can come at the expense of a threat or breach.

Placing security at the forefront of strategies can unleash the full potential of what digital transformation can make possible. With this approach and a mindset focused on prevention and cyber-readiness as the catalyst aiding true digital and business transformation, we have the power to turn the headlines around. It is time for enterprises to bite back, and the criminals to shy away.

The post Digital Transformation Needs to (Re)Start with Security appeared first on McAfee Blogs.

]]>
Qualities of a Highly Available Cloud https://www.mcafee.com/blogs/enterprise/cloud-security/qualities-of-a-highly-available-cloud/ Tue, 16 Nov 2021 15:00:01 +0000 https://www.mcafee.com/blogs/?p=131185

With the widespread adoption of hybrid work models across enterprises for promoting flexible work culture in a post pandemic world,...

The post Qualities of a Highly Available Cloud appeared first on McAfee Blogs.

]]>

With the widespread adoption of hybrid work models across enterprises for promoting flexible work culture in a post pandemic world, ensuring critical services are highly available in the cloud is no longer an option, but a necessity. McAfee Enterprise’s MVISION Unified Cloud Edge (UCE) is designed to maximize performance, minimize latency, and deliver 99.999% SLA guaranteed resiliency, offering blazing fast connectivity to cloud applications from any location and causing no service degradation, even when the usage of cloud services spiked 600% during the COVID-19 pandemic, as reported in our Cloud Adoption and Risk Report (Work From Home Edition). This blog shares details on how MVISION UCE is architected to enable uninterrupted access to corporate resources to meet the demands of the hybrid workforce.

MVISION UCE, our data-centric, cloud-native Security Service Edge (SSE) security platform, derives its capabilities from McAfee Enterprise’s industry leading Secure Web Gateway and Enterprise Data Protection solutions. However, this is not a lift and shift of capabilities to the cloud, which would have made it prone to service outages and impossible to have the flexibility that is needed to meet the demands of SSE. Instead, the best of breed functionality was purposefully reconstructed for SSE, using a microservices architecture that can scale elastically, and built on a platform-neutral stack that can run on bare metal and public cloud, equally effectively. A hallmark of the architecture is that the cloud is a single global fabric where service instances are spread throughout the globe. Users automatically access the best instance of any service through policy configuration.

What other alternatives are out there? We have seen some cloud services replicated in each region of their presence. While this makes controlling resources and data simple, and keeps everything within a boundary, such an approach loses out on the flexibility needed to scale on demand and reduced latency on access. With UCE, each point of presence (POP) is part of the global fabric, yet at the same time, fully featured with all services housed within the POP. This avoids the need to send traffic back and forth between various services located at different locations, a phenomenon known as traffic hairpin.

By default, user traffic gets processed at the POP closest to their physical location, regardless of where the user may be. A user may work at their office in New York 90% of the time and travel to UK occasionally. When the user connects to MVISON UCE, they are connected to New York POP when they are at office, and the POP in London if they are in a UK hotel while traveling. This is a big advantage if you think about it. User’s traffic does not need to trombone from the hotel in UK, to the POP in New York and back to a server in London. MVISION UCE’s out-of-the-box traffic routing scheme favors low latency. This does not mean that the customer cannot override this policy and force the traffic to be processed at the New York POP. They might do so if there is a compliance need to process all traffic at a certain location. Many customers have a need to store logs in a certain geography even though traffic processing may occur anywhere on the globe. MVISION UCE architecture decouples log storage from traffic processing and lets the customer choose their log storage geography based on criteria that customers define.

One of the key considerations while choosing a SSE vendor would be how much latency the service adds to user’s requests. Significant latency can negatively affect user experience and could be a deterrent to product adoption. With 85 POPs strategically placed around the globe providing low latency access to customers, UCE POPs have direct peering with the biggest SaaS vendors like Microsoft, Google, Akamai, and Salesforce to further reduce latency. In addition, MVISION UCE POPs peer with many ISPs around the globe, enabling high bandwidth and low latency connectivity end to end, from the customer’s network to UCE and from UCE to the destination server.

With thousands of peering partners growing every day, over 70% of traffic served by MVISION UCE uses peering links in some geographies. The whitepaper, How Peering POPs Make Negative Latency Possible, shares details about a study conducted by McAfee Enterprise to measure the efficacy of these peering relationships. This paper is proof that UCE customers experience faster response times going through our POPs than they would usually get by going directly through their Internet Service Providers. UCE follows a living partnership model when it comes to peering, with thousands of peering relationships in production. We are committed to keeping the latency to a minimum.

You may be wondering what the secret sauce is for achieving a reliability of five 9s or higher in MVISION UCE. Several items play a crucial role in preventing unplanned service degradation.

  1. Redundantly provisioned components that allow for one or more instances to pick up the work when one of them goes down. Unexpected system failures and interruptions do occur in the real world and having a good architecture that detects failures early and reroutes the traffic to another suitable instance is paramount to maintaining availability. A combination of client redirection, server-side redirection, along with deep application state tracking, is used to seamlessly bypass a failed spot. The global nature of the fabric allows for multiple simultaneous failures without causing a local outage.
  2. State of the art automation and deployment infrastructure is key to localize issues, maintain redundancy, and react automatically when issues are found. Containerized workloads over Kubernetes are the foundation of the cloud infrastructure in MVISION UCE, which facilitates fast recovery, canary rollouts of software, and elastic scaling of the infrastructure in case of peak demand. This is combined with an extensive automation and monitoring framework that monitors the customer’s experience and alerts the operations team of any localized or global service degradation.
  3. Ability to scale up on demand at a global scale. We are not talking about scale out within a POP here. Many times, physical data centers have a hard limit on resources and sometimes it takes several months to add new servers and resources at a physical site. We are talking about bursting out to newly provisioned POPs when the traffic demands, in a matter of hours. Through extensive automation and intelligent traffic routing, a new MVISION UCE POP can be deployed in public cloud quickly and start absorbing load, providing the needed cushion to avoid traffic peaks that could otherwise cause service degradation when usage patterns change. This capability allowed MVISION UCE to successfully handle increasing demand when customer VPNs could not handle the load created by dramatically increased remote work due to the pandemic last year.

At McAfee Enterprise, security is not an afterthought. From the start, the architecture was designed with zero trust in mind. Services are segmented from one another and follow the least privileged principle when resources need to be shared between services. Industry standard protocols and methodologies are used to enforce user and identity access management (UAM/IAM). Strong role-based access controls (RBAC) across the platform keep customer’s data separate and provide self-defense when a service is compromised. None of these features matter if the software is vulnerable. McAfee Enterprise follows one of the strictest Software Development Life Cycle (SDLC) processes in the industry to eliminate known vulnerabilities and threats in our software as it is written.

Another aspect of security that is gaining momentum these days is data privacy. This is at the forefront of all feature designs in MVISION UCE. Usually, data privacy means tokenization or anonymization of customer private data stored in MVISION UCE, be it logs or other metadata. At McAfee Enterprise, we strive to take this a step further. We do not want to retrieve private data from the customer environment if it can be avoided. For example, to evaluate a policy that involves customer premise data, UCE can offload the evaluation to a component on the customer premise. Case in point, McAfee Client Proxy (MCP) that is installed on user’s machine can perform a policy evaluation and avoid sending private data to the cloud. The McAfee Enterprise cloud leverages the results of the evaluation to complete the policy execution. Where this is not possible, private data is anonymized at the earliest entry point in the cloud to minimize data leaks.

Last but not the least, a chain is only as strong as its weakest link, and physical data center security must also be considered. Global partners are selected only after careful evaluation of their facilities and infrastructure that will host our data centers, while other vendors in this space are working with a larger set of less rigorously qualified regional partners to increase their presence. The McAfee Enterprise approach provides the necessary guard rails against supply chain attacks that our customers demand.

There are other architectural gems hidden within UCE and thus failing to mention them would make this article incomplete. First, the policy engine is exposed in the form of code with which the customer can construct complex policies without being constrained by what UI provides. If you are a user of MVISON UCE, you can see this in action by enabling “Code View” in the Web Policy tree. If you do not like the way policy nodes are ordered in the tree or the evaluations made by default, you can take complete control and process the traffic in any manner you wish. By the way, the policy is so flexible that one can write a policy to process traffic in one region and store logs in another region.

Second, policy evaluation can be distributed across various components which allows its evaluation at the earliest point in the network. This avoids hauling all traffic to the cloud to apply policy. For example, if a sensitive document needs to be blocked due to data protection rules, the DLP agent running on the user’s machine can block it instead of hauling the traffic to cloud for classification and blocking. This strategy reduces load on the cloud and consequently increases the scale at which we can process requests.

Lastly, all services are automated and require no manual intervention to provision a customer unlike other vendors that require a support ticket to provision some features. Independent of where your account has been provisioned and where your preferred UI console resides, polices that you author are stored in a global policy system that is synchronized to all POPs around the world, giving you the flexibility to process traffic anywhere in the world.

To conclude, all clouds are not built equally. Architecture of a cloud is a matter of choice and tradeoffs. MVISON UCE implements a global cloud and puts customers in the driver’s seat through programmatic policies, that are secure, scalable, and highly available.

To learn more about how MVISION UCE can help ensure your critical services are highly available in the cloud, watch this short video or visit our MVISION UCE page to get started.

The post Qualities of a Highly Available Cloud appeared first on McAfee Blogs.

]]>
Cloud API Services, Apps and Containers Will Be Targeted in 2022 https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/cloud-api-services-apps-and-containers-will-be-targeted-in-2022/ Mon, 15 Nov 2021 05:01:18 +0000 https://www.mcafee.com/blogs/?p=131074

McAfee Enterprise and FireEye recently teamed to release their 2022 Threat Predictions. In this blog, we take a deeper dive...

The post Cloud API Services, Apps and Containers Will Be Targeted in 2022 appeared first on McAfee Blogs.

]]>

McAfee Enterprise and FireEye recently teamed to release their 2022 Threat Predictions. In this blog, we take a deeper dive into cloud security topics from these predictions focusing on the targeting of API services and apps exploitation of containers in 2022.

5G and IoT Traffic Between API Services and Apps Will Make Them Increasingly Lucrative Targets

Recent statistics suggest that more than 80% of all internet traffic belongs to API-based services. It’s the type of increased usage that grabs the attention of threat developers hunting for rewarding targets.

Feature-rich APIs have moved from being just a middleware to applications and have evolved to become the backbone of most modern applications that we consume today. Examples include:

  • 5G mobile applications – 5G connectivity and deployment of IoT endpoints have increased dramatically providing higher capacity for broader connectivity needs.
  • Internet of Things – More than 30.9 billion IoT devices are expected to be in use worldwide by 2025. The industrial IoT market was predicted to reach $124 billion in 2021
  • Dynamic web-based productivity suites – Global cloud-based office productivity software market is expected to reach $50.7 billion by 2026

In most cases, attacks targeting APIs go undetected as they are generally considered as trusted paths and lack the same level of governance and security controls.

The following are some of the key risks that we see evolving in the future:

  1. Misconfiguration of APIs resulting in unwanted exposure of information.
  2. Exploitation of modern authentication mechanisms such as Oauth/Golden SAML to obtain access to APIs and persist within targeted environments.
  3. Evolution of traditional malware attacks to use more of the cloud APIs, such as the Microsoft Graph API, to land and expand. We have already seen evidence of this in the SolarWinds attack as well as other threat actors such as APT40/ GADOLINIUM.
  4. Potential misuse of the APIs to launch attacks on enterprise data, such as ransomware on cloud storage services like OneDrive, etc.
  5. The usage of APIs for software-defined infrastructure also means potential misuse leading to complete infrastructure takeover or shadow infrastructure being created for malicious purposes.

Gaining visibility into application usage with the ability to look at consumed APIs should be a priority for organizations, with the goal of ultimately having a risk-based inventory of accessed APIs and a governance policy to control access to such services. Having visibility of non-user-based entities within the infrastructure such as service accounts and application principles that integrate APIs with the wider enterprise eco-system is also critical.

For developers, developing an effective threat model for their APIs and having a Zero Trust access control mechanism should be a priority alongside effective security logging and telemetry for better incident response and detection of malicious misuse.

Expanded Exploitation of Containers Will Lead to Endpoint Resource Takeovers

Containers have become the de facto platform of modern cloud applications. Organizations see benefits such as portability, efficiency and speed which can decrease time to deploy and manage applications that power innovation for the business. However, the accelerated use of containers increases the attack surface for an organization. Which techniques should you look out for, and which container risk groups will be targeted? Exploitation of public-facing applications (MITRE T1190) is a technique often used by APT and Ransomware groups. MITRE T1190 has become a common entry vector given that cyber criminals are often avid consumers of security news and are always on the lookout for a good exploit. There are numerous past examples in which vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.

The Cloud Security Alliance (CSA) identified multiple container risk groups including:

  • Image risks
    • vulnerabilities
    • configuration defects
    • embedded malware
    • embedded clear text secrets
    • use of untrusted secrets
  • Orchestrator
    • unbounded administrative access
    • unauthorized access
    • poorly separated inter-container network traffic
    • mixing of workload sensitivity levels
    • orchestrator node trust
  • Registry
    • insecure connections to registries
    • stale images in registries
    • insufficient authentication and authorization restrictions
  • Container
    • vulnerabilities within the runtime software
    • unbounded network access from containers
    • insecure container runtime configurations
    • app vulnerabilities
    • rogue containers
  • Host OS Component
    • large attack surface
    • shared kernel
    • improper user access rights
    • host file system tampering
  • Hardware

How do you protect yourself? Recommended mitigations include bringing security into the DevOps process through continuous posture assessment for misconfigurations, checks for integrity of images, and controlling administrative privileges. Use the Mitre ATT&CK Matrix for Containers to identify gaps in your cloud security architecture.

The post Cloud API Services, Apps and Containers Will Be Targeted in 2022 appeared first on McAfee Blogs.

]]>
Veterans Day & Remembrance Day 2021 https://www.mcafee.com/blogs/enterprise/veterans-day-remembrance-day-2021/ Thu, 11 Nov 2021 14:00:11 +0000 https://www.mcafee.com/blogs/?p=131125

November 11 marks Veterans Day in the United States and Remembrance Day across Europe and beyond. Wherever you may be...

The post Veterans Day & Remembrance Day 2021 appeared first on McAfee Blogs.

]]>

November 11 marks Veterans Day in the United States and Remembrance Day across Europe and beyond. Wherever you may be on this 11th day of the 11th month, on the 11th hour, please be thankful to all our Veterans for their service and sacrifice. We would like to take a moment to reflect and honor some of our McAfee Enterprise employees who served.

When were you drafted or when did you enlist/join? What branch of the military did you serve and in what rank?

Shannon Clancy joined October 5, 2003 and was a Major in the United States Marine Corps

Kevin Benton enlisted ten days after high school (mid 1980’s) and was in the US Army as an E4/Specialist

Kevin Suares enlisted in the US Air Force on November 1, 1994, after four year’s he was a Senior Airman (E-4)

Why did you join and why did you pick the service branch you selected?

Clancy: I had always had a niggling in the back of my mind that I wanted to be a Marine (My father served as a Marine in Vietnam), and then September 11, 2001 happened and it solidified my choice. I wanted to be the best, and everyone knows Marines are the best.

Benton: The world was bigger than my little hometown and I wanted to travel the world. Plus, I was clearly the smartest person in my house at 18 years old, so I showed my parents how smart I was.

Suares: I needed money for college and needed some direction in life. Initially I considered the Navy, as I am a former Sea Scout. I spoke to a Navy recruiter and was ready to sign up. He sent me across the hall to “get a different perspective” from the Air Force recruiter (which I was also considering) and after a 20-minute conversation where we talked about options in the Air Force, Air Force training, how the Air Force encourages higher education and AF ethos, I changed my mind. Biggest regret of that Navy recruiter’s career! The next week I scored 97 out of 99 in the Armed Services Vocational Aptitude Battery (ASVAB) making me eligible for almost any job.

What do you remember about your first day in service? What do you remember about your last day in service?

Clancy: I remember my first day being total chaos. Not knowing the (now) simplest things like how to wear your cover (hat), blouse your trousers, align your belt, etc. Things that seem small and silly but were in fact critical lessons in attention to detail that have carried with me throughout service and life.

Benton: On the first day, I was tired and nervous about not having any idea of what was happening or what to do. The last day was filled with wildly mixed emotions! I made some great friends from all walks of life, and I was ready to get on with my life by attending college on the GI Bill, but I hadn’t yet lived on my own. I recall driving off the base and wondering if I should drive north or south on the Pacific Coast Highway; ultimately, I drove North and have never regretted the decision.

Suares: I remember on my first full day being woken up at 4:30 AM after going to bed around 1:30 AM, in a new environment to a metal trash can being hit repeatedly with a baton and words I can’t repeat here. On my last day, my supervisor still made me work the whole day, ending in a small ceremony where I was presented with a few token gifts (which I still have.) I wrote my flight a quick email saying goodbye then left for home. Not going to lie – I had tears in my eyes as I left the building.

What would you describe as your most memorable experience? What is something you miss about your days of service?

Clancy: My most memorable experience was my deployment to Iraq. There was a pause in operations on Thanksgiving and I got to play soccer with some of the Marines. It was a very “normal” thing in a place where there wasn’t much normal. I don’t miss much (because there is a lot of nonsense that also goes on), but what I do miss is the camaraderie and sense of belonging. You don’t question who you are or what your purpose is while you serve.

Benton: Being in the infantry, I recall experiencing some of the toughest, most physically demanding moments in my life, then experiencing shear exhaustion when reaching the end of a march or landing in a hot zone, only to have a few laughs with the guys to your left and right, toggling thru each other’s life stories.  No one cared where you were from or the color of our skin or whether you had any money. I’ll never forget the laughs and storytelling as we were all experiencing the same things at the same time. Come to find out, we were forming bonds for life.

Suares: My most pleasant memory wastaking my grandfather out to dinner in uniform for his 70th birthday. He was so proud that he was speechless for once. If you knew him, that was a really big deal. But my saddest memory was hearing the rifle salute at a friend’s funeral. Each volley cut me to the bone.

How do you honor Veterans/Remembrance Day for yourself, with family or friends?

Clancy: I usually call my dad. Veterans day buddies right up to the Marine Corps Birthday, so there is no shortage of celebrations or drinks to be shared among Marines. This year has been extremely difficult on veterans; so, I think I’ll text a few friends I haven’t heard from in a while. I encourage everyone to reach out to one you know, just to check in and say hi. It goes a lot further than you might think.

Benton: Our little town holds a ceremony at our local cemetery. I’ve attended with my family for years, afterwards nearly always telling my kids stories of my service to my country and the pride I feel when seeing our flag and all that it stands for. ​​​​​​​

Suares: Usually with service to others. Occasionally I may go out to dinner with family, but most times I used to be involved in giving talks to youth groups, schools, etc. or donating time to other Veterans causes. I proudly served my country – and would do it again if asked – but I feel that I am not owed anything. The day should be about recognizing the living service member (past or present) and honoring us all.

The post Veterans Day & Remembrance Day 2021 appeared first on McAfee Blogs.

]]>
Legendary Entertainment Relies on MVISION CNAPP Across Its Multicloud Environment https://www.mcafee.com/blogs/enterprise/cloud-security/legendary-entertainment-relies-on-mvision-cnapp-across-its-multicloud-environment/ Wed, 10 Nov 2021 16:14:56 +0000 https://www.mcafee.com/blogs/?p=131113

Becoming a cloud first company is an exciting and rewarding journey, but it’s also fraught with difficulties when it comes...

The post Legendary Entertainment Relies on MVISION CNAPP Across Its Multicloud Environment appeared first on McAfee Blogs.

]]>

Becoming a cloud first company is an exciting and rewarding journey, but it’s also fraught with difficulties when it comes to securing an entire cloud estate. Many forwarding-thinking companies that have made massive investments in migrating their infrastructure to the cloud are facing challenges with respect to their cloud-native applications. These range from inconsistent security across cloud properties to lack of visibility into the public cloud infrastructure where cloud-native applications are hosted—and more. All of these issues can create vulnerabilities in a sprawling attack surface that can be potentially exploited by cybercriminals.

Legendary Entertainment is a global media company with multiple divisions including film, television, digital studios, and comics. Under the guidance of Dan Meacham, VP of Global Security and Corporate Operations and CSO/CISO, the multi-billion dollar organization transitioned from on-premises data centers to the cloud in 2012.

Meacham points out that it’s been a source of great pride for his security and IT teams to always be “on top of the latest and greatest” technology trends—and migration to the cloud is no exception. That’s why his interest was sparked when he learned about the rollout of the MVISION security product line early in the migration process. Its cloud-native, open architecture was exactly the right fit for Legendary Entertainment’s environment.

The challenges of securing a multi-cloud environment

As a cloud-first organization, Legendary Entertainment encountered challenges that are common to many companies that have migrated their workloads, applications, and data assets to the cloud. At first, the organization attempted to rely on security services natively provided by the individual cloud service providers: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Wasabi for cloud storage. As Meacham notes, “The security from one vendor doesn’t trickle over to the others. They all have different security controls, so our cloud security was not uniform, and security management was complicated.”

Lack of visibility

In their disparate multicloud environment spanning several cloud service providers, it became time-consuming and difficult to monitor and assess the security posture of applications and workloads, such as which systems needed patching or contained critical vulnerabilities.

Inconsistent security policies

With multiple management consoles required for its many cloud environments, applying and enforcing uniform security policy across their cloud estate was nearly impossible without investing a lot of time, effort, and resources.

Risky Shadow IT

Another problem in Legendary Entertainment’s early adoption of cloud-first was shadow IT, where employees or contractors enrolled in cloud collaboration platforms that were not authorized by IT. Although the shadow IT platforms were not connected to core systems, they made it more difficult to tightly monitor data which sometimes caused cloud-enabled applications to violate security policies. It is understandable that teams with a cloud-first mindset would embrace innovation and new collaborative experiences to accomplish goals faster. However, some of the shadow IT application has weak or no security controls – resulting the opportunities for external collaborator accounts to be compromised or have mis-managed privileges.

Unacceptable levels of risk

With high-profile data breaches in the entertainment industry in recent headlines, Legendary Entertainment was concerned about its level of risk and exposure, especially since it has valuable intellectual property such as scripts and marketing strategy plans for film releases among its holdings. The requirement for stronger security has been a boardroom-level conversation at digital media companies since the Sony Pictures hack and other vendor supply chain and workflow hacks. Attacks now extend beyond data leaks and can have far reaching business disruptions across an entire supply chain.

How MVISION CNAPP creates a consistent, compliant cloud security posture

By deploying  MVISION™ Cloud Native Application Protection Platform (MVISION CNAPP), Legendary Entertainment addressed all of these challenges at once. This unique solution prioritizes alerts and defends against the latest cloud threats and vulnerabilities. MVISION CNAPP combines granular application and data context with cloud security posture management and cloud workload protection in a single-console solution.

Unparalleled visibility

MVISION CNAPP provides Legendary Entertainment with broad and deep visibility across its entire infrastructure. It discovers all their cloud assets, including compute resources, containers, and storage and provides continuous visibility into vulnerabilities and security posture for applications and workloads running across multiple clouds.

Thanks to MVISION CNAPP, Meacham’s team can write, apply, and enforce security policies in a consistent fashion for the entire cloud estate. As Meacham points out, policy is continually checked so his team can correct any misconfigurations, disable services, or remove escalated privileges until corrections are made in alignment with internal compliance rules. And in many cases, the remediation can be automated internally in MVISION CNAPP or through workflow initiations.

“MVISION CNAPP gives me manageability and security uniformity for all our cloud platforms so that I can elevate the level of security and make it consistent across the board. Now that I have visibility into all our cloud assets from a high level, I can look at how current controls and configurations compare to our best practices, industry best practices, and to the best practices of peers who are using the same product. Without MVISION CNAPP, management is one to one, whereas with MVISION CNAPP, it’s one to many,” explains Meacham.

The Cloud Security Posture Management (CSPM) component of MVISION CNAPP provides Legendary Entertainment with on-demand scanning, which looks at all services used in the public cloud and checks their security settings against internal benchmarks. “This gives us a security posture score and provides feedback on what we can do to bring ourselves back into compliance,” observes Meacham. “If someone changes a configuration, we get an alert right away. And if it’s not in alignment with policy, we can roll it back to the previous settings. MVISION CNAPP also helps us remediate policy exceptions by clearly stating the risks, instances impacted, and the necessary step by step actions needed for resolution.”

Banishing Shadow IT

MVISION CNAPP also ensures that Legendary Entertainment’s developers operate in a secure environment by alerting the security team when their actions violate security policies or increase the risk of a data breach. This effectively puts a halt to Shadow IT.

“MVISION CNAPP helps me keep my system administrators and developers accountable for what they are doing. We can make sure that they are consistent in how they execute, deploy, and build things. Configuration policies, on-demand scans, and different types of checks in MVISION CNAPP can help force that compliance. I am able to keep tabs on my developers to make sure they are operating according to these guidelines in any platform,” remarks Meacham.

Risk reduction through contextual entitlements

MVISION CNAPP reduces risk associated with operating in the cloud, enabling Legendary Entertainment to run mission-critical applications and develop blockbuster movies such as “The Dark Knight Rises” and “Dune” securely across a heterogenous multicloud environment. The solution also enables contextual entitlements so that users can be identified and assigned selective access to and permissions for applications and resources based on the security profile of the devices they are using at any given time.

Data protection with user and entity behavior analytics (UEBA)

Legendary Entertainment leverages MVISION CNAPP’s data loss prevention (DLP) capabilities to monitor activity in cloud data stores in order to help prevent data breaches. Unusual or suspicious activity or unauthorized movement of data transit is tracked and flagged immediately by leveraging built-in UEBA capabilities.

“If I see 2,000 files change in 30 seconds, that’s a huge red flag indicating ransomware or some other type of attack. The solution’s monitoring tool detects suspicious behavior and immediately brings that to our awareness. If we see something like that happening on multiple platforms, we know that immediate action is required. The UEBA capability is invaluable for identifying external collaborators who may have compromised accounts, which we find on a regular basis.”

Learn more

If you are looking for a simple-to-manage, high-visibility solution to secure your multicloud environment against the latest threats and vulnerabilities such as ChaosDB, take a look at MVISION CNAPP. For more information, visit: https://www.mcafee.com/enterprise/en-us/solutions/mvision-cnapp.html.

 

The post Legendary Entertainment Relies on MVISION CNAPP Across Its Multicloud Environment appeared first on McAfee Blogs.

]]>
Windows RDP Client Porting Critical Vulnerabilities to Hyper-V Manager https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/windows-rdp-client-porting-critical-vulnerabilities-to-hyper-v-manager/ Tue, 09 Nov 2021 18:02:35 +0000 https://www.mcafee.com/blogs/?p=131050

This month brings us yet another critical RCE (Remote Code Execution) bug found in the RDP (Remote Desktop Protocol) Client...

The post Windows RDP Client Porting Critical Vulnerabilities to Hyper-V Manager appeared first on McAfee Blogs.

]]>

This month brings us yet another critical RCE (Remote Code Execution) bug found in the RDP (Remote Desktop Protocol) Client which has also been ported to the Hyper-V Manager “Enhanced Session Mode” feature. User interaction is a prerequisite since the vulnerability lies within the RDP client, requiring a victim to connect to a malicious RDP server.

Vulnerability Analysis: CVE-2021-38666

This RCE bug is very closely related to CVE-2021-34535 and to CVE-2020-1374 , where there is a heap-based buffer overflow in mstscax.dll due to an attacker-controlled payload size field. The vulnerability can be triggered via the RDP Smart Card Virtual Channel Extension feature [MS-RDPESC], by leveraging the existing local RDPDR static virtual channel setup between the client and server. The RDP Smart Card Virtual Channel Extension feature [MS-RDPESC] functionality was leveraged in the “EsteemAudit” Exploit released by the “Shadow Brokers,” but that vulnerability targeted the RDP server and not the client. The functionality being exploited here is the ability to share a smart card reader between the client and server. The destination buffer intended for the IOCTL (I/O control) call to locate each host smart card reader is a fixed size, but the user-controlled size field can be altered to cause the client to perform an OOB (Out of Bounds) write. Seeing how simple it is to trigger this vulnerability, our team decided to mutate the test case to verify whether any other IOCTLs within the [MS-RDPESC] specification are vulnerable. Enumerating through the 60 other IOCTL calls tied to the smart card reader, we were able to find two additional unique crashes. All vulnerabilities discovered have been patched in the latest version of the mstscax.dll, which shows that the fix for this bug has mitigated other potentially vulnerable functions. The patched mstscax.dll now simply verifies that the bytes received over the wire do not exceed the user-supplied size field; it does this at the IOCTL dispatch table level before any IOCTL functions are called, so the single validation is applied to all IOCTLs.

This vulnerability has a CVSS (Common Vulnerability Scoring Standard) score of 8.8, dropped down from 9.8 because it requires user interaction in that a victim RDP client must connect to a malicious server.

Attack Scenario

This bug has the same attack scenario as that of CVE-2021-34535, which we also analyzed in depth:

  1. It is a client-side vulnerability so not wormable
  2. Requires a user to connect to a malicious RDP server
  3. It impacts both the traditional RDP client over the network and the local Hyper-V Manager “Enhanced Session Mode” since they both use the vulnerable mstscax.dll
  4. The vulnerability could be used for a guest-to-host escape on Hyper-V Windows 10

Looking Forward

We have seen a regular cadence of critical RDP vulnerabilities since BlueKeep (CVE-2019-0708), but what distinguishes the two vulnerabilities CVE-2021-38666 and CVE-2021-34535 is that they impact Hyper-V Manager “Enhanced Session Mode” and can thus be leveraged for guest-to-host escapes. While we do not rate these vulnerabilities as critical in the same manner as past RDP server-side RCE vulnerabilities, we are now clearly starting to see a trend of vulnerabilities emerging which impact Hyper-V Manager due to the porting of RDP. We recommend patching as a top priority as threat actors will potentially look to weaponize this common protocol for guest-to-host escapes on Windows 10 Hyper-V.

Microsoft has published a Knowledge Base article for this issue here with information regarding patching this vulnerability. As always, we recommend patching as a first course of action and we will continue to monitor this vulnerability for any exploitation in the wild.

For RDP security best practices please see: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/

The post Windows RDP Client Porting Critical Vulnerabilities to Hyper-V Manager appeared first on McAfee Blogs.

]]>
‘Tis The Season for Holiday Cyber Threats Targeting Enterprises in a Pandemic World https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/tis-the-season-for-holiday-cyber-threats-targeting-enterprises-in-a-pandemic-world/ Tue, 09 Nov 2021 05:01:01 +0000 https://www.mcafee.com/blogs/?p=130960

The holiday season is upon us, and many are preparing to celebrate with family and friends both near and far....

The post ‘Tis The Season for Holiday Cyber Threats Targeting Enterprises in a Pandemic World appeared first on McAfee Blogs.

]]>

The holiday season is upon us, and many are preparing to celebrate with family and friends both near and far. While we tend to look at consumer tendencies during the holidays, the season also presents a significant challenge to industries coping with the increase in consumer demands. McAfee Enterprise and FireEye recently conducted a global survey of IT professionals to better understand their cyber readiness, especially during peak times like the holiday season, and the impact the pandemic has had on their business. Most notably, 86% of organizations are anticipating a moderate-to-substantial increase in demand during the 2021 holiday season. The question is: Are they ready for that demand?

This year, the “everything shortage” is real – from a drop in available workforce to limited supplies to lack of delivery services. This creates an urgency for organizations to have actionable security plans and to effectively contain and respond to threats. Supply chain and logistics, e-commerce and retail, and the travel industry traditionally experience holiday seasonal increases in consumer and business activity, making them more vulnerable to cyber threats and leaving business, employee, and consumer data at risk. Here’s a statistical snapshot of these affected industries and how they can prepare for the anticipated increase in seasonal risks:

Supply Chain and Logistics

According to BCI’s Supply Chain Resilience Report 2021, 27.8% of organizations reported more than 20 supply chain disruptions during 2020, up from just 4.8% reporting the same number in 2019. The loss of manufacturing and logistics capacity, and employee-power in 2021 are expected to increase demand for goods, creating the perfect attack vector for cybercriminals: a potentially weak and vulnerable infrastructure to break through. Supply chain managers must identify risks, understand the potential downstream effects of a security breach or cyberattack, and prepare response plans so they can act quickly in the event of an incident.

E-Commerce and Retail

According to Adobe’s 2021 Digital Economy Index, global online spending is expected to increase by 11% in 2021 to $910 billion during the holiday season. With store closures and increases in online shopping, along with limited product availability and concerns about shipping, this industry is faced with more threats than before. According to McAfee Enterprise COVID-19 dashboard, the global retail industry accounts for 5.2% of the total detected cyber threats. Such threats include compromised payment credentials and cloud storage, as well as other forms of retail fraud and theft.

Travel

Cyber threats aren’t new to the travel industry with airports, airlines, travel sites and ride-sharing apps having been victims in years past. However, what sets this year apart is the travel industry enduring a holding pattern caused by pandemic-related health concerns and travel restrictions. According to the International Air Transport Association (IATA), coronavirus-related loss estimates for 2020 total $137.7 billion—with total industry losses in 2020-2022 expected to reach $201 billion. As demand for holiday travel is expected to increase over the coming months, cyber criminals are watching closely for vulnerabilities as the industry battles new related challenges – labor shortages, supply chain issues, travel bans, and vaccination requirements.

What Organizations Need to Know

McAfee Enterprise and FireEye threat findings unwrap the imminently crucial need for organizations to prioritize and strengthen their cybersecurity architecture through the holidays and end of 2021. Our research indicates that 81% of global organizations experienced increased cyber threats and 79% experienced downtime in the wake of previous cyberattacks.

While IT professionals know cyber threats have intensified, the findings prove that many organizations have not effectively prioritized security during COVID-19:

  • 94% percent of IT professionals want their organization to improve its overall cyber readiness
  • 60% saw an increase in online/web activity
  • 33% have had their technology and security budgets reduced
  • 56% have suffered from downtime due to a cyber concern, costing some over $100,000 USD
  • 76% find maintaining a fully staffed security team/SOC even more challenging during peak periods

Proactively Guarding Against Emerging Holiday Threats

Organizations can be proactive in defending their networks, data, customers, and employees against the anticipated increase in holiday cybercrime by implementing security measures including, but not limited to:

  1. Adopt industry-wide cybersecurity requirements designed to protect against the latest iterations of cyber threats, especially those known to target specific industries.
  2. Provide cybersecurity awareness training for employees, especially when encountering holiday phishing emails or texts and suspicious URL campaigns designed to breach organizational databases
  3. Develop an incident response plan capable of responding and remedying a security breach in minutes rather than hours

In addition, enterprises and commercial businesses can implement cloud-delivered security with MVISION Unified Cloud Edge (UCE) and FireEye Extended Detection and Response (XDR).

 Note: The research was conducted between September- October 2021 by MSI-ACI via an online questionnaire to 1,451 IT Security Professionals from nine countries.

The post ‘Tis The Season for Holiday Cyber Threats Targeting Enterprises in a Pandemic World appeared first on McAfee Blogs.

]]>
Who Will Bend the Knee in RaaS Game of Thrones in 2022? https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/who-will-bend-the-knee-in-raas-game-of-thrones-in-2022/ Mon, 08 Nov 2021 05:01:10 +0000 https://www.mcafee.com/blogs/?p=130954

McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into a...

The post Who Will Bend the Knee in RaaS Game of Thrones in 2022? appeared first on McAfee Blogs.

]]>

McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into a Game of Thrones power struggle among Ransomware-as-a-Service bad actors in 2022.

Prediction: Self-reliant cybercrime groups will shift the balance of power within the RaaS eco-kingdom. 

For several years, ransomware attacks have dominated the headlines as arguably the most impactful cyber threats. The Ransomware-as-a-Service (RaaS) model at the time opened the cybercrime career path to lesser skilled criminals which eventually led to more breaches and higher criminal profits.

For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals, eventually with a mind of their own.

In a response to the Colonial Pipeline attack, the popular cybercrime forums have banned ransomware actors from advertising. Now, the RaaS groups no longer have a third-party platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.

These events have undermined their trusted position. Ransomware has generated billions of dollars in recent years and it’s only a matter of time before more individuals who believe they aren’t getting their fair share become unhappy.

The first signs of this happening are already visible as described in our blog on the Groove Gang, a cyber-criminal gang that branched off from classic RaaS to specialize in computer network exploitation (CNE), exfiltrate sensitive data and, if lucrative, partner with a ransomware team to encrypt the organization’s network. McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.

Trust in a few things remains important even among cybercriminals underground, such as keeping your word and paying people what they deserve. Cybercriminals aren’t immune from feeling like employees whose contributions aren’t being adequately rewarded. When this happens, these bad actors cause problems within the organization. Ransomware has been generating billions of dollars in recent years and with revenue like that, it was inevitable that some individuals who believe they aren’t getting their fair share become unhappy and let the cybercrime world know it.

Recently, a former Conti affiliate was unhappy with their financial portion and decided to disclose the complete Conti attack playbook and their Cobalt Strike infrastructure online. In the past, McAfee ATR has been approached by individuals affiliated with certain RaaS groups expressing grudges with other RaaS members and admins, claiming they haven’t been paid in time or that their share wasn’t proportionate to the amount of work they put in.

In 2022, expect more self-reliant cybercrime groups to rise and shift the balance of power within the RaaS eco-climate from those who control the ransomware to those who control the victim’s networks.

Less-skilled Operators Won’t Have to Bend the Knee in RaaS Model Power Shift

The Ransomware-as-a-Service eco system has evolved with the use of affiliates, the middlemen and women that work with the developers for a share of the profits. While this structure was honed during the growth of GandCrab, we are witnessing potential chasms in what is becoming a not-so-perfect union.

Historically, the ransomware developers, held the cards, thanks to their ability to selectively determine the affiliates in their operations, even holding “job interviews” to establish technical expertise. Using CTB locker as an example, prominence was placed on affiliates generating sufficient installs via a botnet, exploit kits or stolen credentials. But affiliates recently taking on the role and displaying the ability to penetrate and compromise a complete network using a variety of malicious and non-malicious tools essentially changed the typical affiliate profile towards a highly skilled pen-tester/sysadmin.

The hierarchy of a conventional organized crime group often is described as a pyramid structure. Historically, La Cosa Nostra, drug cartels and outlaw motor gangs were organized in such a fashion. However, due to further professionalization and specialization of the logistics involved with committing crime, groups have evolved into more opportunistic network-based groups that will work together more fluidly, according to their current needs.

While criminals collaborating in the world of cybercrime isn’t new, a RaaS group’s hierarchy has been more rigid compared to other forms of cybercrime, due to the power imbalance between the group’s developers/admins and affiliates. But things are changing. RaaS admins and developers were prioritized as the top targets, but often neglected the affiliates who they perceived to be less-skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals.

As more ransomware players have entered the market, we suspect that the most talented affiliates are now able to auction their services for a bigger part of the profits, and maybe demand a broader say in operations. For example, the introduction of Active Directory enumeration within DarkSide ransomware could be intended to remove the dependency on the technical expertise of affiliates. These shifts signal a potential migration back to the early days of ransomware, with less-skilled operators increasing in demand using the expertise encoded by the ransomware developers.

Will this work? Frankly, it will be challenging to replicate the technical expertise of a skilled penetration tester, and maybe – just maybe – the impact will not be as severe as recent cases.

The post Who Will Bend the Knee in RaaS Game of Thrones in 2022? appeared first on McAfee Blogs.

]]>
The Bug Report – October Edition https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/the-bug-report-october-edition/ Wed, 03 Nov 2021 04:01:53 +0000 https://www.mcafee.com/blogs/?p=130759

Your Cyber Security Comic Relief Apache server version 2.4.50 (CVE-2021-42013) Why am I here? Regardless of the origins, you’ve arrived...

The post The Bug Report – October Edition appeared first on McAfee Blogs.

]]>

Your Cyber Security Comic Relief

Apache server version 2.4.50 (CVE-2021-42013)

Why am I here?

Regardless of the origins, you’ve arrived at Advanced Threat Research team’s monthly bug digest – an overview of what we believe to be the most noteworthy vulnerabilities over the last month. We don’t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact.  If you don’t agree with these picks, we encourage you to write a strongly worded letter to your local senator. In lieu of that, we present our top CVEs from the last month.

Apache: CVE-2021-41773 and CVE-2021-42013

What is it?
2 CVES / 1 Vuln – It appears Apache struggled a bit with this latest critical vulnerability, where it took two tries to fix a basic path traversal bug, which was introduced while patching last month’s SSRF mod_proxy vulnerability. As path traversal bugs do, this allows unauthorized users to access files outside the expected document root on the web server. But wait, there’s more! This can lead to remote code execution provided mod-cgi is enabled on the server.

Who cares?
A quick Shodan scan told me there are at least 111,000 server admins that should care! With Apache being the second largest market share holder of implemented webservers, there is a good chance your organization is using it somewhere. It’s always important to consider both internal and external facing assets when looking at your exposure. Apache is even commonly used as an embedded webserver to other applications and should be reviewed for use in any installed 3rd party applications. Oh yeah – and if you overlook an instance you have installed somewhere, this IS currently being actively exploited in the wild – no pressure.

What can I do?
Oh! I know, use Microsoft IIS! If you’re not ready to completely abandon your webserver implementation, I suggest updating to Apache 2.4.51. Remember to avoid version 2.4.50 as it does not patch both vulnerabilities. If you have been an astute system admin and followed the Apache documentation using the default and pretty darn secure “require all denied” directive for all files outside the document root, kudos to you! Although patching is still highly recommended, you are not immediately vulnerable.

The Gold Standard
We recognize in some special cases patching is harder than compiling gcc from source, so McAfee Enterprise has you covered; we have been detecting path traversal attacks in our Network Security Platform (NSP) like it was going out of style since 1990 (and it was).

Win32k Driver: CVE-2021-40449

What is it?
Ain’t nothin’ free anymore! Except kernel module addresses on your Windows machines, thanks to Microsoft Windows CVE-2021-40449. This vulnerability is a use-after-free in the NtGdiResetDC function of the Win32k driver and can lead to attackers being able to locally elevate their privileges.

Who cares?
Are you currently reading this from a Microsoft Windows machine? Using Microsoft Server edition in your cloud? Local attacks are often given lower priority or downplayed. However, it is important to recognize that phishing attacks are still highly successfully as an initial point of entry, facilitating a need for privilege escalation bugs to obtain higher level access. So, unless you are a hardcore Linux and Mac-only shop, you may want to patch since this is actively being exploited by cybercriminals, according to our friends at Kaspersky.

What can I do?
That boring Microsoft patch Tuesday thing still works, or you could just use a superior operating system like FreeBSD.

The Gold Standard
Have you checked out the latest version of McAfee Enterprise ENS lately? Detecting exploitation and cybercriminal activity is sort of its thing, assuming you have grabbed the latest signatures.

Apple iOS: CVE-2021-30883

What is it?
An integer overflow vulnerability in the iOS “IOMobileFrameBuffer” component can allow an application to execute arbitrary code with kernel privileges. This has additionally been confirmed to be accessible from the browser.

Who cares?
Since Apple still reportedly holds 53% market share of all smartphone users, statistically speaking your organization should care too. It only takes one bad apple to hack your entire network, and with reported active exploitation in the wild it might happen sooner than you think.

What can I do?
You should be sensing a common theme in this section – and, in this case, you actually can take action! Stop reading this, plug that mobile device into a power source, and install the latest version of Apple iOS.

The Gold Standard
Since you stopped reading and updated already, congrats!

The post The Bug Report – October Edition appeared first on McAfee Blogs.

]]>
Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022 https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/nation-states-will-weaponize-social-and-recruit-bad-guys-with-benefits-in-2022/ Mon, 01 Nov 2021 04:01:14 +0000 https://www.mcafee.com/blogs/?p=130882

McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into the...

The post Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022 appeared first on McAfee Blogs.

]]>

McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into the continuingly aggressive role Nation States will play in 2022.

Prediction: Lazarus Wants to Add You as a Friend

By Raj Samani

We love our social media. From beefs between popstars and professional pundits, to an open channel to the best jobs in the industry.

But guess what?

The threat actors know this, and our appetite toward accepting connections from people we have never met are all part of our relentless pursuit of the next 1,000 followers.

A result of this has seen the targeting of executives with promises of job offers from specific threat groups; and why not? After all, it is the most efficient method to bypass traditional security controls and directly communicate with targets at companies that are of interest to threat groups. Equally, direct messages have been used by groups to take control over influencer accounts to promote messaging of their own.

While this approach is not new, it is nearly as ubiquitous as alternate channels. After all, it does demand a level of research to “hook” the target into interactions and establishing fake profiles are more work than simply finding an open relay somewhere on the internet. That being said, targeting individuals has proven a very successful channel, and we predict the use of this vector could grow not only through espionage groups, but other threat actors looking to infiltrate organizations for their own criminal gain.

Potential Impacts & Implications
The potential impacts and implications for an executive or company that had their social media channels targeted by threat actors are endless. We began to see some nation state groups using platforms like LinkedIn to target executives, more specifically targeting the defense and aerospace industry. For years we’ve been accepting connections on LinkedIn to expand our network and threat actors are using this to their advantage with job adverts. Threat actors will find the executive they want to target in the company they want to go after and develop profiles that look like legitimate recruiters. By getting an executive on the hook, they could potentially convince them to download a job spec that is malware. These types of espionage campaigns can be carried out by other social networks as well, including Twitter, Instagram, Reddit, etc.

Techniques & Tactics
In the past, fake social profiles were relatively easy to spot, however in the case of DPRK, the cybercriminals spent time to setting up a profile, get hooked up into the infosec scene, gain followers and connections through LinkedIn, making it more difficult than before to detect a fraudulent account. When threat actors weaponize social media, they use techniques and tactics you see in the legitimate world. They diligently do their research into what types of jobs would be of interest to you and share an offer that will require you to open a document and trick you to carry out some type of action that will have you download malicious content onto your device.

Who Can Regulate?
We live in a world where we are governed by rules, territories, and jurisdictions; to hold a threat actor accountable, we would need digital evidence. We need to use regulations for digital investigations, and the bad guys don’t. While in territories where there isn’t an extradition treaty, threat actors can continue their malicious behaviors without any consequences. Unfortunately, cybercrime has nonrepudiation and threat actors can deny all knowledge and get away with it.

Prevention
Cybercrime will always be an issue and we need to be more aware of what threat actors are doing and what they’re after. It’s important to understand the threat and what is happening. At McAfee Enterprise and FireEye we work to track malicious actors and integrate intelligence into our products and make content available for CISO, CEO etc. to know what to do and what to look for in the event they are targeted.

Prediction: Help Wanted: Bad Guys with Benefits

By Christiaan Beek

With a focus on strategic intelligence, our team is not only monitoring activity, but also investigating and monitoring open-source-intelligence from a diversity of sources to gain more insights into threat-activities around the globe – and these include an increase in the blending of cybercrime and nation-state operations.

In many cases, a start-up company is formed, and a web of front companies or existing “technology” companies are involved in operations that are directed and controlled by the countries’ intelligence ministries.

In May 2021 for example, the U.S. government charged four Chinese nationals who were working for state-owned front companies. The front-companies facilitated hackers to create malware, attack targets of interest to gain business intelligence, trade-secrets, and information about sensitive technologies.

Not only China but also other nations such as Russia, North Korea, and Iran have applied these tactics. Hire hackers for operations, do not ask questions about their other operations if they do not harm the interests of their own country.

Where in the past specific malware families were tied to nation-state groups, the blurring starts to happen when hackers are hired to write code and conduct these operations.

The initial breach with tactics and tools could be similar as “regular” cybercrime operations, however it is important to monitor what is happening next and act fast. With the predicted increase of blurring between cybercrime and nation-state actors in 2022, companies should audit their visibility and learn from tactics and operations conducted by actors targeting their sector.

Potential Impacts & Implications
With more tools at their disposal, nation state actors are reshaping the cyberthreat landscape leaving destruction and disrupted operations in their wake. There have been many accusations of “spying” which poses as a major threat to economic and national security. The main aim of these attacks is to obtain intellectual property or business intelligence. We are seeing nation states devoting a significant number of resources, time and energy toward achieving strategic cyber advantages, resulting in the implications of divulging national interests, intelligence-gathering capabilities, and military strength through espionage, disruption and theft.

Techniques & Tactics
In May 2021 incident where four Chinese nationals were charged in a global hacking campaign; the indictment stated the threat actors used a front company to hide the Chinese government’s role in the information theft. We anticipate nation states will continue to team up with cybercriminals and create front companies to hide involvement and gain access to private information, military tactics, trade secrets and more. Adversaries will leverage techniques like phishing, known vulnerabilities, malware, crimeware and more to attain their goal.

On the blending of cybercrime/nation-state; understanding the functionalities of malware becomes more important than ever. Let me give an example, when you get a Trickbot infection, a part of the code will steal credentials, they could be sold to a ransomware crew with a possible ransomware attack as result, a complete cybercrime operation. But what if the Trickbot infection was ordered by a Nation State, the credentials are used for a long time operation; started as a crime, ends as a long APT.

Who Can Regulate?
It’s important for governments to hold actors accountable for cyber incidents. Government entities and researchers can likely assist public and private sector organizations in navigating this new cyber landscape by developing standards and/or template processes to drive cyber defense and maintaining operational resiliency.

Prevention
A threat actor’s goal is to gain access to data they can sell, leverage for ransom, or gain critical knowledge so it is important to properly encrypt critical data, rendering it unusable to unauthorized users. You should also maintain regular, offline backups and have an incident response plan ready. Maintaining and testing offline backups can similarly mitigate the impact of destructive malware.

MVISION Insights Preview

Explore a preview of the only proactive solution to stay ahead of emerging threats.

Start Now

The post Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022 appeared first on McAfee Blogs.

]]>
McAfee Enterprise & FireEye 2022 Threat Predictions https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-fireeye-2022-threat-predictions/ Wed, 27 Oct 2021 04:01:11 +0000 https://www.mcafee.com/blogs/?p=130612

What cyber security threats should enterprises look out for in 2022? Ransomware, nation states, social media and the shifting reliance...

The post McAfee Enterprise & FireEye 2022 Threat Predictions appeared first on McAfee Blogs.

]]>

What cyber security threats should enterprises look out for in 2022?

Ransomware, nation states, social media and the shifting reliance on a remote workforce made headlines in 2021. Bad actors will learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns wielding the potential to wreak more havoc in all our lives.

Skilled engineers and security architects from McAfee Enterprise and FireEye offer a preview of how the threatscape might look in 2022 and how these new or evolving threats could potentially impact the security of enterprises, countries, and civilians.

“Over this past year, we have seen cybercriminals get smarter and quicker at retooling their tactics to follow new bad actor schemes – from ransomware to nation states – and we don’t anticipate that changing in 2022,” said Raj Samani, fellow and chief scientist of the combined company. “With the evolving threat landscape and continued impact of the global pandemic, it is crucial that enterprises stay aware of the cybersecurity trends so that they can be proactive and actionable in protecting their information.”

Lazarus Wants to Add You as a Friend

Nation States will weaponize social media to target more enterprise professionals

By Raj Samani

We love our social media. From beefs between popstars and professional pundits, to an open channel to the best jobs in the industry.

But guess what?

The threat actors know this, and our appetite toward accepting connections from people we have never met are all part of our relentless pursuit of the next 1,000 followers.

A result of this has seen the targeting of executives with promises of job offers from specific threat groups; and why not? After all, it is the most efficient method to bypass traditional security controls and directly communicate with targets at companies that are of interest to threat groups. Equally, direct messages have been used by groups to take control over influencer accounts to promote messaging of their own.

While this approach is not new, it is nearly as ubiquitous as alternate channels. After all, it does demand a level of research to “hook” the target into interactions and establishing fake profiles are more work than simply finding an open relay somewhere on the internet. That being said, targeting individuals has proven a very successful channel, and we predict the use of this vector could grow not only through espionage groups, but other threat actors looking to infiltrate organizations for their own criminal gain.

Help Wanted: Bad Guys with Benefits

Nation states will increase their offensive operations by leveraging cybercriminals

By Christiaan Beek

With a focus on strategic intelligence, our team is not only monitoring activity, but also investigating and monitoring open-source-intelligence from a diversity of sources to gain more insights into threat-activities around the globe – and these include an increase in the blending of cybercrime and nation-state operations.

In many cases, a start-up company is formed, and a web of front companies or existing “technology” companies are involved in operations that are directed and controlled by the countries’ intelligence ministries.

In May 2021 for example, the U.S. government charged four Chinese nationals who were working for state-owned front companies. The front-companies facilitated hackers to create malware, attack targets of interest to gain business intelligence, trade-secrets, and information about sensitive technologies.

Not only China but also other nations such as Russia, North Korea, and Iran have applied these tactics. Hire hackers for operations, do not ask questions about their other operations if they do not harm the interests of their own country.
Where in the past specific malware families were tied to nation-state groups, the blurring starts to happen when hackers are hired to write code and conduct these operations.

The initial breach with tactics and tools could be similar as “regular” cybercrime operations, however it is important to monitor what is happening next and act fast. With the predicted increase of blurring between cybercrime and nation-state actors in 2022, companies should audit their visibility and learn from tactics and operations conducted by actors targeting their sector.

Game of Ransomware Thrones

Self-reliant cybercrime groups will shift the balance of power within the RaaS eco-kingdom

By John Fokker

For several years, ransomware attacks have dominated the headlines as arguably the most impactful cyber threats. The Ransomware-as-a-Service (RaaS) model at the time opened the cybercrime career path to lesser skilled criminals which eventually led to more breaches and higher criminal profits.

For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals, eventually with a mind of their own.

In a response to the Colonial Pipeline attack, the popular cybercrime forums have banned ransomware actors from advertising. Now, the RaaS groups no longer have a third-party platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.

These events undermine their trusted position. Ransomware has generated billions of dollars in recent years and it’s only a matter of time before some individuals who believe they aren’t getting their fair share become unhappy.

The first signs of this happening are already visible as described in our blog on the Groove Gang, a cyber-criminal gang that branched off from classic RaaS to specialize in computer network exploitation (CNE), exfiltrate sensitive data and, if lucrative, partner with a ransomware team to encrypt the organization’s network.

In 2022, expect more self-reliant cybercrime groups to rise and shift the balance of power within the RaaS eco-climate from those who control the ransomware to those who control the victim’s networks.

Ransomware For Dummies

Less-skilled operators won’t have to bend the knee in RaaS model power shift

By Raj Samani

The Ransomware-as-a-Service eco system has evolved with the use of affiliates, the middlemen and women that work with the developers for a share of the profits. While this structure was honed during the growth of GandCrab, we are witnessing potential chasms in what is becoming a not-so-perfect union.

Historically, the ransomware developers, held the cards, thanks to their ability to selectively determine the affiliates in their operations, even holding “job interviews” to establish technical expertise. As more ransomware players have entered the market, we suspect that the most talented affiliates are now able to auction their services for a bigger part of the profits, and maybe demand a broader say in operations. For example, the introduction of Active Directory enumeration within DarkSide ransomware could be intended to remove the dependency on the technical expertise of affiliates. These shifts signal a potential migration back to the early days of ransomware, with less-skilled operators increasing in demand using the expertise encoded by the ransomware developers.

Will this work? Frankly, it will be challenging to replicate the technical expertise of a skilled penetration tester, and maybe – just maybe – the impact will not be as severe as recent cases.

Keep A Close Eye on API

5G and IoT traffic between API services and apps will make them increasingly lucrative targets

By Arnab Roy

Threat actors pay attention to enterprise statistics and trends, identifying services and applications offering increased risk potential. Cloud applications, irrespective of their flavor (SaaS, PaaS, or IaaS), have transformed how APIs are designed, consumed, and leveraged by software developers, be it a B2B scenario or B2C scenario. The reach and popularity of some of these cloud applications, as well as, the treasure trove of business-critical data and capabilities that typically lie behind these APIs, make them a lucrative target for threat actors. The connected nature of APIs potentially also introduces additional risks to businesses as they become an entry vector for wider supply chain attacks.

The following are some of the key risks that we see evolving in the future:

1. Misconfiguration of APIs
2. Exploitation of modern authentication mechanisms
3. Evolution of traditional malware attacks to use more of the cloud APIs
4. Potential misuse of the APIs to launch attacks on enterprise data
5. The usage of APIs for software-defined infrastructure also means potential misuse.

For developers, developing an effective threat model for their APIs and having a Zero Trust access control mechanism should be a priority alongside effective security logging and telemetry for better incident response and detection of malicious misuse.

Hijackers Will Target Your Application Containers

Expanded exploitation of containers will lead to endpoint resource takeovers

By Mo Cashman

Containers have become the de facto platform of modern cloud applications. Organizations see benefits such as portability, efficiency and speed which can decrease time to deploy and manage applications that power innovation for the business. However, the accelerated use of containers increases the attack surface for an organization. Which techniques should you look out for, and which container risk groups will be targeted? Exploitation of public-facing applications (MITRE T1190) is a technique often used by APT and Ransomware groups. The Cloud Security Alliance (CSA) identified multiple container risk groups including Image, Orchestrator, Registry, Container, Host OS and Hardware.

The following are some of the key risks groups we anticipate will be targeted for expanded exploitation in the future:

1. Orchestrator Risks: Increasing attacks on the orchestration layer, such as Kubernetes and associated API mainly driven by misconfigurations.
2. Image or Registry Risk: Increasing use of malicious or backdoored images through insufficient vulnerability checks.
3. Container Risks: Increasing attacks targeting vulnerable applications.

Expanded exploitation of the above vulnerabilities in 2022 could lead to endpoint resource hijacking through crypto-mining malware, spinning up other resources, data theft, attacker persistence, and container-escape to host systems.

Zero Cares About Zero-days

The time to repurpose vulnerabilities into working exploits will be measured in hours and there’s nothing you can do about it… except patch

By Fred House

2021 is already being touted as one of the worst years on record with respect to the volume of zero-day vulnerabilities exploited in the wild. The scope of these exploitations, the diversity of targeted applications, and ultimately the consequences to organizations were all notable. As we look to 2022, we expect these factors to drive an increase in the speed at which organizations respond.

When we first learned in 2020 that roughly 17,000 SolarWinds customers were compromised and an estimated 40 were subsequently targeted, many reacted in shock at the pure scope of the compromise. Unfortunately, 2021 brought its own notable increase in volume along with uninspiring response times by organizations. Case in point: two weeks after Microsoft patched ProxyLogon they reported that 30K Exchange servers were still vulnerable (less conservative estimates had the number at 60K).

ProxyShell later arrived as Exchange’s second major event of the year. In August, a Blackhat presentation detailing Exchange Server vulnerabilities was followed the next day by the release of an exploit POC, all of which had been patched by Microsoft months earlier in April/May. This analysis of data captured by Shodan one week after the exploit POC was released concluded that over 30K Exchange servers were still vulnerable, noting that the data may have underrepresented the full scope (i.e., Shodan hadn’t had time to scan the full Internet). In summary: patched in the Spring, exploited in the Fall.

So, what can we take away from all of this? Well, attackers and security researchers alike will continue to hone their craft until weaponized exploits and POCs are expected within hours of vulnerability disclosure. In turn however, and largely driven by the increased consequences of compromise, we can also expect renewed diligence around asset and patch management. From identifying public facing assets to quickly deploying patches despite potential business disruption, companies will have a renewed focus on reducing their “time to patch.” While we will inevitably continue to see high-impact exploitations, the scope of these exploitations will be reduced as more organizations get back to the basics.

The post McAfee Enterprise & FireEye 2022 Threat Predictions appeared first on McAfee Blogs.

]]>
Why an Ounce of Cybersecurity Prevention is Worth a Pound of Detection https://www.mcafee.com/blogs/enterprise/endpoint-security/why-an-ounce-of-cybersecurity-prevention-is-worth-a-pound-of-detection/ Mon, 25 Oct 2021 15:01:22 +0000 https://www.mcafee.com/blogs/?p=130717

Cybersecurity detection is a criminal investigation. Cybercrime investigators are experts who are in limited supply.  Sometimes their hunt begins while...

The post Why an Ounce of Cybersecurity Prevention is Worth a Pound of Detection appeared first on McAfee Blogs.

]]>

Cybersecurity detection is a criminal investigation. Cybercrime investigators are experts who are in limited supply.  Sometimes their hunt begins while an intrusion is in process, but more often than not, it occurs after the attack when a crime has occurred. The investigation is taunting and less glamorous, realizing that it can take an average of 228 days even to identify the breach[i].

At that point, you’re looking to find out what your adversaries have seen or stolen, you want to plug the holes that enabled the hack and kick out or remove the adversary completely. Figure on an average of 80 days to resolve and contain a breach. Meanwhile, your adversary spends the epic dwell time in your environment to monitor your traffic and behavior before determining their next move.

Do the math on that exercise and, unless you have generous funding, you may conclude that your resources stretch further by focusing on prevention rather than detection. While eliminating detection may not be practical, you can at least realign your spending and shore up your prevention efforts with enhanced actionable information.

Several things have happened to make this shift possible. First, detection is now often automated and highly productive. Second, advance warning is better than ever. You can apply predictive analytics to leverage in-depth threat intelligence sources to produce real-time, automated assessments of your security posture risks from device to cloud.

Proactive Threat Hunting

Making the shift from detection to prevention didn’t happen overnight for the Service public de Wallonie (SPW), the public administration arm of the French-speaking regional government of Wallonia in Belgium. SPW’s endpoint security team oversees 9,000 desktops, 1,300 servers, and 1,000 applications used by more than 8,000 employees.

When SPW implemented MVISION Insights, the security team sought to identify potential threats lurking outside the agency’s perimeter. Using data gathered from one billion sensors globally that have been distilled and analyzed by artificial intelligence and human experts, MVISION Insights provides comprehensive risk intelligence filtered for a specific industry and geography. It helps SPW’s security team to prioritize which threats and campaigns are most likely to target them.

Before making this shift, SPW’s team regularly spent hours checking out various security sites, lab reports, and news articles to track the latest threat campaigns. After deploying MVISION Insights, the same result arrived in seconds or minutes. Now they’re engaging in more proactive threat hunting and attack prevention by tapping into predictive assessments and adjusting their posture accordingly.

A Change of Posture

Organizations such as SPW illustrate that playing both offense and defense becomes necessary to reduce time-to-detect and dwell time. Detection is difficult for several reasons, most notably the deluge of advanced persistent threats (APTs). And it’s also complicated by the cost of threat hunting talent, given the current shortage of cybersecurity expertise.

These days there’s such an overwhelming amount of security data pouring into data lakes that manually aggregating and analyzing it to make sense of anything requires a fair amount of threat expertise. Then there’s the time it takes to triage and determine the following steps to thwart an attack. By the time you’re analyzing this data, at best, you’re in a reactive state with limited visibility and understanding of your local environment.

One effective way to streamline that process is to apply the proven MITRE ATT&CK® framework, which provides an excellent knowledge base to help with threat hunting and detection. We use that framework to better inform MVISION XDR powered by MVISION Insights, for example. As we mentioned in March, we align XDR with MITRE to greatly expand the depth of our investigation, threat detection, and prevention capabilities to prevent the attack chain with relevant insights.

Meet the Proactive Evolution Series to Help Become More Preventive

In our leading role in the cybersecurity community, we gather a lot of intelligence and invest considerable time curating content to ensure that what we share is timely, accurate, and valuable. This is reflected in MVISION Insights with over 1000 threat campaign profiles. If you place MVISION Insights in your environment it goes beyond threat intelligence.  You also gain prioritized threat insights on a likely attack targeting you, where your gaps are and what you can do. Introducing our new Proactive Evolution series to get regular information on how to become more preventive and protective with LinkedIn Live discussions, blog posts, and other intelligence from our cybersecurity expert contributors highlighting the power of MVISION Insights.

This new Proactive Evolution Series features helpful content intended for managing or building security operations to be more effective and preventive or for a CISO who wants to stay on top of changing best practices.

Detection is often done in reaction to an attack or a looming threat. Not every organization can do both detection and prevention equally well. That’s usually because they lack dedicated or experienced threat hunters or suitable detection technologies. By shifting your efforts to a proactive prevention strategy, you’re boosting your chances to harden your systems before an attack.

Click here to access McAfee Enterprise’s new Proactive Evolution Series content.

Event Replay

The Proactive Evolution is Now

Understand how the adversary is working and how you stack up against them. Together, Raj and Brett dig into how MVISION Insights helps you determine which active threat campaigns you need to worry about, if you’re a target, and what you can do.

View Now

[1] Ponemon & IBM Research, Cost of Data Breach 2020

The post Why an Ounce of Cybersecurity Prevention is Worth a Pound of Detection appeared first on McAfee Blogs.

]]>
Realize Your SASE Vision with Security Service Edge and McAfee Enterprise https://www.mcafee.com/blogs/enterprise/cloud-security/realize-your-sase-vision-with-security-service-edge-and-mcafee-enterprise/ Thu, 21 Oct 2021 14:00:56 +0000 https://www.mcafee.com/blogs/?p=130630

Many people are excited about Gartner’s Secure Access Service Edge (SASE) framework and the cloud-native convergence of networks and security....

The post Realize Your SASE Vision with Security Service Edge and McAfee Enterprise appeared first on McAfee Blogs.

]]>

Many people are excited about Gartner’s Secure Access Service Edge (SASE) framework and the cloud-native convergence of networks and security. While originally proposed as fully unified architecture delivering network and security capabilities, the reality soon dawned that enterprise transition to a complete SASE model would be a decade long journey due to factors such as existing investments, operational silos (customer), and vendor consolidation. Consequently, Gartner introduced a new two-vendor approach to SASE that brought together a highly converged WAN Edge Infrastructure platform alongside a highly converged security platform – known as Security Service Edge (SSE).

Figure 1: SASE convergence.

SSE brings together Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA) to secure access to the web, cloud services, and private applications, resulting in reduced risk, cost and complexity. McAfee Enterprise has long been a proponent of this approach: we embarked on a project to build the industry’s best SASE security solution over three years ago, introduced our MVISION Unified Cloud Edge solution in early 2020, and have since continued to innovate and set the standard for the Security Service Edge space.

How Did We Get Here?

The fundamental problem that SSE sets out to solve is that enterprises must adequately secure their personnel and their data. This became increasingly difficult as digital transformation spurred widespread cloud adoption and empowered remote and mobile workers. Just a few short years ago we would talk about remote access for short periods of time due to travel, and typically for a small proportion of the workforce. Today we speak in the context of COVID-19 and a vast, permanent “Work From Anywhere” (WFA) cultural shift. Supporting this shift is an accelerated migration into the cloud, where the vast majority of workloads and applications will soon reside.

All of this has taken down the walls that formed the perimeter we relied on heavily in the past. Today our people and our data are outside of that perimeter but inside of cloud applications. Cloud applications run from many locations, sometimes around the globe. Yet our objectives must remain the same. We still must secure our people, we must secure our devices, and we must secure our data on any device, at any time, using any service.

Secure web gateways were one of the gatekeepers to the old perimeter, fundamentally appliances that existed at the border of a network. Cloud access security brokers (CASB) were fundamentally built to secure the inside of cloud services. Virtual Private Networks (VPNs) enabled you to securely interconnect offices and remote users onto a single network. Managing these technologies separately became increasingly problematic as the boundaries between networks, the web, and the cloud began to blur. Organizational policies and compliance requirements must be translated to the administrative setup of a specific vendor’s management consoles. At first pass, this results in more errors in the implementation of these policies. Maintenance is difficult as policy changes must be rolled out and implemented within multiple vendor management interfaces. And when you position these traditional technologies against the problem statement of a “perimeterless” world, they fail. The logical answer to these problems is to converge these technologies together and bring them to the cloud.

The Power of Unification

For more than 3 years, McAfee Enterprise has invested deeply into a unified policy framework. We’ve unified threat engines, data engines. We’ve built a unified user experience and unified administrative experience to deliver against that promise of cloud native security.

A closely integrated SSE infrastructure can address the management challenges of setting up policies in multiple vendor management interfaces by deeply integrating security controls to reduce overhead, complexity, and cost, while increasing performance. But looking at the competitive landscape, this has proven to be easier said than done. Many fall short with it comes to securing data within the cloud, but McAfee Enterprise’s industry-leading Multi-Vector Data Protection capabilities make it incredibly easy to keep data safe no matter where it resides, with unified data classification, policy enforcement, and incident management.

Figure 2: McAfee Enterprise Multi-Vector Data Protection.

Other vendors grew up in the cloud but fall short when it comes to connecting to the private resources all large enterprises still use today. Some vendors are attempting to build-out the entire SSE product set from scratch, perhaps as part of a larger SASE offering. Most of the functions present baseline functional capability and the considerable instability of a complex and very new product.

The McAfee Enterprise Security Service Edge Vision

McAfee Enterprise has planned and executed a strategy for several years that takes MVISION Unified Cloud Edge’s complete set of SSE converged security services and then tie them closely to other highly integrated network services such as those offered by SD-WAN vendors to implement SASE. This approach enables most large enterprises the ability to leverage the majority of the technology partners they have to pull a SASE architecture together using much of the technology infrastructure they already have in place.

Figure 3: Enable secure access to web, cloud, and private apps with MVISION Unified Cloud Edge.

The increased efficiency of an integrated environment reduces the investment in administration, enhances the precision of policy enforcement, and improves the speed with which security control processes can be applied to data and activity in one single pass, improving security efficiency and efficacy. This earlier published blog demonstrates how our integration of Remote Browser Isolation (RBI) greatly improves security protection in a seamless, cost-effective manner.

Figure 4: MVISION Unified Cloud Edge threat protection stack with integrated Remote Browser Isolation.

The convergence and integration of cloud security technologies such as SWG, CASB, ZTNA, DLP, RBI and FWaaS substantially enhance operations, reduce cost, minimize errors, and enable more precise enforcement of organizational policy and management. Expenses are lower as experts in the administration and management of separate security controls are no longer required.

In conclusion, McAfee Enterprise has delivered the best and most rapid path to a comprehensive integrated SSE offering available in the market. Our Unified Cloud Edge (UCE) architecture completes that vision of unified and completely integrated policy management today. MVISION UCE is the security fabric that delivers data and threat protection to any location so you can enable fast and secure direct-to-internet access for your distributed workforce. This results in a transformation to a cloud-delivered SSE that converges with connectivity to reduce cost and complexity while increasing the speed and flexibility of your workforce.

Click here to see more about how MVISION Unified Cloud Edge can get you on the fastest route to SASE, or visit the MVISION UCE homepage to learn more and contact us to get started on your journey.

The post Realize Your SASE Vision with Security Service Edge and McAfee Enterprise appeared first on McAfee Blogs.

]]>
Is There Really Such a Thing as a Low-Paid Ransomware Operator? https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/ Tue, 19 Oct 2021 04:01:35 +0000 https://www.mcafee.com/blogs/?p=130297

Introduction Going by recent headlines you could be forgiven for thinking all ransomware operators are raking in millions of ill-gotten...

The post Is There Really Such a Thing as a Low-Paid Ransomware Operator? appeared first on McAfee Blogs.

]]>

Introduction

Going by recent headlines you could be forgiven for thinking all ransomware operators are raking in millions of ill-gotten dollars each year from their nefarious activities.

Lurking in the shadows of every large-scale attack by organized gangs of cybercriminals, however, there can be found a multitude of smaller actors who do not have access to the latest ransomware samples, the ability to be affiliates in the post-DarkSide RaaS world or the financial clout to tool up at speed.

So what is a low-paid ransomware operator to do in such circumstances?

By getting creative and looking out for the latest malware and builder leaks they can be just as devastating to their victims and, in this blog, we will track the criminal career of one such actor as they evolve from homemade ransomware to utilizing major ransomware through the use of publicly leaked builders.

The Rich Get Richer

For years, the McAfee Enterprise Advanced Threat Research (ATR) team has observed the proliferation of ransomware and the birth and (apparent) death of large organized gangs of operators. The most notorious of these gangs have extorted huge sums of money from their victims, by charging for decryption of data or by holding the data itself to ransom against the threat of publication on their ‘leak’ websites.

With the income of such tactics sometimes running into the millions of dollars, such as with the Netwalker ransomware that generated 25 million USD between 1 March and 27 July 2020, we speculate that much of those ill-gotten funds are subsequently used to build and maintain arsenals of offensive cyber tools, allowing the most successful cybercriminals to stay one step ahead of the chasing pack

Figure 1: Babuk group looking for a corporate VPN 0-Day

As seen in the image above, cybercriminals with access to underground forums and deep pockets have the means to pay top dollar for the tools they need to continually generate more income, with this particular Babuk operator offering up 50,000 USD for a 0-day targeting a corporate virtual private network (VPN) which would allow easy access to a new victim.

The Lowly-Paid Don’t Necessarily Stay That Way

For smaller ransomware operators, who do not have affiliation with a large group, the technical skills to create their own devastating malware or the financial muscle to buy what they need, the landscape looks rather different.

Unable to build equally effective attack chains, from initial access through to data exfiltration, their opportunities to make illegal profits are far slimmer in comparison to the behemoths of the ransomware market.

Away from the gaze of researchers who typically focus on the larger ransomware groups, many individuals and smaller groups are toiling in the background, attempting to evolve their own operations any way they can. One such method we have observed is through the use of leaks, such as the recent online posting of Babuk’s builder and source code.

Figure 2: Babuk builder public leak on Twitter

Figure 3: Babuk source code leak on underground forum

McAfee Enterprise ATR has seen two distinct types of cybercriminal taking advantage of leaks such as this. The first group, which we presume to be less tech-savvy, has merely copied and pasted the builder, substituting the Bitcoin address in the ransom note with their own. The second group has gone further, using the source material to iterate their own versions of Babuk, complete with additional features and new packers.

Thus, even those operators at the bottom of the ransomware food chain have the opportunity to build on others’ work, to stake their claim on a proportion of the money to be made from data exfiltration and extortion.

ATR’s Theory of Evolution

A Yara rule dedicated to Babuk ransomware triggered a new sample uploaded on VirusTotal, which brings us to our ‘lowly-paid’ ransomware actor.

From a quick glance at the sample we can deduce that it is a copied and pasted binary output from Babuk’s builder, with an edited ransom note naming the version “Delta Plus”, two recovery email addresses and a new Bitcoin address for payments:

Figure 4: Strings content of “Delta Plus” named version of Babuk

We’ve seen the two email recovery addresses before – they have been used to deliver random ransomware in the past and, by using them to pivot, we were able to delve into the actor’s resume:

The first email address, retrievedata300@gmail.com, has been used to drop a .NET ransomware mentioning “Delta Plus”:

Figure 5: Strings content of .NET ransomware related to previous Delta ransomware activities

Filename Setup.exe
Compiled Time Tue Sep  7 17:58:34 2021
FileType Win32 EXE
FileSize 22.50 KB
Sha256 94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d

The ransomware is pretty simple to analyze; all mechanisms are declared, and command lines, registry modification, etc., are hardcoded in the binary.

Figure 6: .NET analysis with command line details

In fact, the actor’s own ransomware is so poorly developed (no packing, no obfuscation, command lines embedded in the binary and the fact that the .NET language is easy to analyze) that it is hardly surprising they started using the Babuk builder instead.

By way of contrast, their new project is well developed, easy to use and efficient, no to mention painful to analyze (as it is written in the Golang language) and provides executables for Windows, Linux and network attached storage (NAS) systems.

The second email address, deltapaymentbitcoin@gmail.com, has been used to drop an earlier version of the .NET ransomware

Figure 7: Strings content from first version of .NET ransomware

Filename test2.exe
Compiled Time Mon Aug 30 19:49:54 2021
FileType Win32 EXE
FileSize 15.50 KB
Sha256 e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761

Tactics, Techniques and Procedures

By checking the relationships between “Delta ransomware”, the Babuk iteration and the domains contacted during process execution, we can observe some domains related to our sample:

suporte01928492.redirectme.net
suporte20082021.sytes.net
24.152.38.205

Thanks to a misconfiguration, files hosted on those two domains are accessible through Open Directory (OpenDir), which is a list of direct links to files stored on a server:

Figure 8: Open Directories website where samples are hosted

  • bat.rar: A PowerShell script used to perform several operations:
    • Try to disable Windows Defender
    • Bypass User Account Control (UAC)
    • Get system rights via runasti

Figure 9: Privilege escalation to get system rights

  • exe.rar: Delta Plus ransomware
  • reg.rar: Registry values used to disable Windows Defender

Figure 10: Registry value modifications to disable Windows Defender

Other domains where files are hosted contain different tools used during attack operations:

  • We’ve found two methods employed by the operator, which we assume to be used for initial access: First, a fake Flash Player installer and, secondly, a fake Anydesk remote tool installer used to drop the ransomware. Our theory about Flash Player initial access has been confirmed by checking the IP that hosts most of the domains:

Figure 11: Fake Flash website used to download fake Flash installer

When logging in, the website warns you that your Flash Player version is outdated and tries to download the Fake Flash Player installer:

Figure 12: JavaScript variables used to drop fake Flash Installer

A secondary site appears to have also been utilized in propagating the fake Flash Player, though it is currently offline :

Figure 13: JavaScript function to download the fake Flash Installer from another website

  • Portable Executable (PE) files used to launch PowerShell command lines to delete shadow copies, exclude Windows Defender and import registry keys from “Update.reg.rar” to disable Windows defender.
  • A PE file used for several purposes: Exfiltrating files from the victim, keylogging, checking if the system has already been held to ransom, getting system information, obtaining user information and to create and stop processes.

Figure 14: Functions and C2 configuration from ransomware sample

(host used for extraction)

  • In addition to the above, we also found evidence that this actor tried to leverage another ransomware builder leak, Chaos ransomware.

Infrastructure

The majority of domains used by this actor are hosted on the same IP: “24.152.38.205” (AS 270564 / MASTER DA WEB DATACENTER LTDA).

But as we saw by “analyzing” the extraction tool used by the actor, another IP is mentioned: “149.56147.236” (AS 16276 / OVH SAS). On this IP, some ports are open, such as FTP (probably used to store exfiltrated data), SSH, etc.

By looking at this IP with Shodan, we can get a dedicated hash for the SSH service, plus fingerprints to use on this IP, and then find other IPs used by the actor during their operations.

By using this hash, we were able to map the infrastructure by looking for other IPs sharing the same SSH key + fingerprintings.

At least 174 IPs are sharing the same SSH pattern (key, fingerprint, etc.); all findings are available in the IOCs section.

Some IPs are hosting different file types, maybe related to previous campaigns:

Figure 15: Open Directory website probably used by the same actor for previous campaigns

Bitcoin Interests

Most of the ransomware samples used by the actor mention different Bitcoin (BTC) addresses which we assume is an effort to obscure their activity.

By looking for transactions between those BTC addresses with CipherTrace, we can observe that all the addresses we extracted (see the circle highlighted with a yellow “1” below) from the samples we’ve found are related and eventually point to a single Bitcoin wallet, probably under control of the same threat actor.

From the three samples we researched, we were able to extract the following BTC addresses:

  • 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
  • 1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk
  • bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2

Figure 16: Follow the money with CipherTrace

Ransomware Isn’t Just About Survival of the Fittest

As we have seen above, our example threat actor has evolved over time, moving from simplistic ransomware and demands in the hundreds of dollars, to toying with at least two builder leaks and ransom amounts in the thousands of dollars range.

While their activity to date suggests a low level of technical skill, the profits of their cybercrime may well prove large enough for them to make another level jump in the future.

Even if they stick with copy-pasting builders and crafting ‘stagers’, they will have the means at their disposal to create an efficient attack chain with which to compromise a company, extort money and improve their income to the point of becoming a bigger fish in a small pond, just like the larger RaaS crews.

In the meantime, such opportunitistic actors will continue to bait their hooks and catch any fish they can as, unlike affiliated ransomware operators, they do not have to follow any rules in return for support (pentest documentation, software, infrastructure, etc.) from the gang’s operators. Thus, they have a free hand to carry out their attacks and, if a victim wants to bite, they don’t care about ethics or who they target.

The good news for everyone else, however, is the fact that global law enforcement isn’t gonna need a bigger boat, as it already casts its nets far and wide.

 

Mitre Att&ck

Technique ID Technique Description Observable
T1189 Drive By Compromise The actor is using a fake Flash website to spread fake a Flash installer.
T1059.001 Command Scripting Interpreter: PowerShell PowerShell is used to launch command lines (delete shadow copies, etc.).
T1059.007 Command and Scripting Interpreter: JavaScript JavaScript is used in the fake Flash website to download the fake Flash installer.
T1112 Modify Registry To disable Windows Defender, the actor modifies registry. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” and “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection”.
T1083 File and Directory Discovery The actor is listing files on the victim system.
T1057 Process Discovery The actor is listing running processes on the victim system.
T1012 Query Registry To perform some registry modifications, the actor is first querying registry path.
T1082 System Information Discovery Before encrypting files, the actor is listing hard drives.
T1056.001 Input Capture: Keylogging The exfiltration tool has the capability to log user keystrokes.
T1005 Data from Local System
T1571 Non-Standard Port The actor is using port “1177” to exfiltrate data.
T1048 Exfiltration Over Alternative Protocol
T1486 Data Encrypted for Impact Data encrypted by ransomware.
T1490 Inhibit System Recovery Delete Shadow Copies.

 

Detection Mechanisms

Sigma Rules

–          Shadow Copies Deletion Using Operating Systems Utilities: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml

–          Drops Script at Startup Location: https://github.com/joesecurity/sigma-rules/blob/master/rules/dropsscriptatstartuplocation.yml

–          File Created with System Process Name: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_creation_system_file.yml

–          Suspicious Svchost Process: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_svchost.yml

–          System File Execution Location Anomaly: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

–          Delete Shadow copy via WMIC: https://github.com/joesecurity/sigma-rules/blob/master/rules/deleteshadowcopyviawmic.yml

–          Always Install Elevated Windows Installer: https://github.com/SigmaHQ/sigma/blob/59000b993d6280d9bf063eefdcdf30ea0e83aa5e/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml

 

Yara Rules

Babuk Ransomware Windows

rule Ransom_Babuk {

meta:

description = “Rule to detect Babuk Locker”

author = “TS @ McAfee Enterprise ATR”

date = “2021-01-19”

hash = “e10713a4a5f635767dcd54d609bed977”

rule_version = “v2”

malware_family = “Ransom:Win/Babuk”

malware_type = “Ransom”

mitre_attack = “T1027, T1083, T1057, T1082, T1129, T1490, T1543.003”

 

strings:

$s1 = {005C0048006F007700200054006F00200052006500730074006F0072006500200059006F00750072002000460069006C00650073002E007400780074}

//  \ How To Restore Your Files .txt

$s2 = “delete shadows /all /quiet” fullword wide

 

$pattern1 = {006D656D74617300006D65706F63730000736F70686F730000766565616D0000006261636B7570000047785673730000004778426C7200
000047784657440000004778435644000000477843494D67720044656657617463680000000063634576744D67720000000063635365744D67720000000
0536176526F616D005254567363616E0051424643536572766963650051424944505365727669636500000000496E747569742E517569636B426F6F6B732E46435300}

$pattern2 = {004163725363683253766300004163726F6E69734167656E74000000004341534144324457656253766300000043414152435570646174655376630000730071}

$pattern3 = {FFB0154000C78584FDFFFFB8154000C78588FDFFFFC0154000C7858CFDFFFFC8154000C78590FDFFFFD0154000C78594FDFFFFD8154
000C78598FDFFFFE0154000C7859CFDFFFFE8154000C785A0FDFFFFF0154000C785A4FDFFFFF8154000C785A8FDFFFF00164000C785ACFDFFFF081640
00C785B0FDFFFF10164000C785B4FDFFFF18164000C785B8FDFFFF20164000C785BCFDFFFF28164000C785C0FDFFFF30164000C785C4FDFFFF3816400
0C785C8FDFFFF40164000C785CCFDFFFF48164000C785D0FDFFFF50164000C785D4FDFFFF581640}

$pattern4 ={400010104000181040002010400028104000301040003810400040104000481040005010400058104000601040006C104000781040008
41040008C10400094104000A0104000B0104000C8104000DC104000E8104000F01040000011400008114000181140002411400038114000501140005C
11400064114000741140008C114000A8114000C0114000E0114000F4114000101240002812400034124000441240005412400064124000741240008C1
24000A0124000B8124000D4124000EC1240000C1340002813400054134000741340008C134000A4134000C4134000E8134000FC134000141440003C14
4000501440006C144000881440009C144000B4144000CC144000E8144000FC144000141540003415400048154000601540007815}

 

condition:

filesize >= 15KB and filesize <= 90KB and

1 of ($s*) and 3 of ($pattern*)

}

 

Exfiltration Tool

rule CRIME_Exfiltration_Tool_Oct2021 {

meta:

description = “Rule to detect tool used to exfiltrate data from victim systems”

author = “TS @ McAfee Enterprise ATR”

date = “2021-10-04”

hash = “ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd”

 

strings:

$pattern1 = {79FA442F5FB140695D7ED6FC6A61F3D52F37F24B2F454960F5D4810C05D7A83D4DD8E6118ABDE2055E4D
CCFE28EBA2A11E981DB403C5A47EFB6E367C7EC48C5EC2999976B5BC80F25BEF5D2703A1E4C2E3B30CD26E92570DAF1F9BD7B48B38FB522358}

$pattern2 = {B4A6D4DD1BBEA16473940FC2DA103CD64579DD1A7EBDF30638A59E547B136E5AD113835B8294F53B8C3A
435EB2A7F649A383AA0792DD14B9C26C1BCA348920DFD37DA3EF6260C57C546CA51925F684E91239152DC05D5161A9064434}

$pattern3 = {262E476A45A14D4AFA448AF81894459F7296633644F5FD061A647C6EF1BA950FF1ED48436D1BD4976BF8
1EE84AE09D638BD2C2A01FA9E22D2015518280F6692EB976876C4045FADB71742B9579C13C7482A44A}

$pattern4 = {F2A113713CCB049AFE352DB8F99160855125E5A045C9F6AC0DCA0AB615BD34367F2CA5156DCE5CA286CC
C55E37DFCDC5AAD14ED9DAB3CDB9D15BA91DD79FF96E94588F30}

 

condition:

3 of ($pattern*)

}

 

 

IOCs

Infrastructure URLs

http://atualziarsys.serveirc.com/Update4/

http://services5500.sytes.net/Update6/Update.exe.rar

http://suporte20082021.sytes.net/Update5/

http://atualziarsys.serveirc.com/update4/update.exe.rar

http://suporte20082021.sytes.net/Update3/

http://suporte01928492.redirectme.net/

http://atualziarsys.serveirc.com/Update3/

http://services5500.sytes.net/update8/update.exe.rar

http://suporte20082021.sytes.net/update/

http://suporte20082021.sytes.net/Update5/Update.exe.rar

http://suporte01928492.redirectme.net/AppMonitorPlugIn.rar

http://suporte01928492.redirectme.net/Update5/Update.exe.rar

http://services5500.sytes.net/update7/update.exe.rar

http://services5500.sytes.net/Update8/Update.exe.rar

http://services5500.sytes.net/Update8/Update.bat.rar

http://suporte01092021.myftp.biz/update/

http://services5500.sytes.net/Update7/Update.exe.rar

http://suporte01928492.redirectme.net/Update7/Update.bat.rar

http://suporte01928492.redirectme.net/Update7/Update.exe.rar

http://services5500.sytes.net/update6/update.exe.rar

http://suporte01092021.myftp.biz/

http://services5500.sytes.net/Update6/Update.bat.rar

http://suporte01928492.redirectme.net/update6/update.exe.rar

http://suporte01928492.redirectme.net/update5/update.exe.rar

http://services5500.sytes.net/

http://suporte01928492.redirectme.net/Update6/Update.exe.rar

http://atualziarsys.serveirc.com/Update3

http://atualziarsys.serveirc.com/update3/update.reg.rar

http://24.152.38.205/pt/flashplayer28_install.zip

http://suporte01928492.redirectme.net/Update7

http://atualziarsys.serveirc.com/

http://atualziarsys.serveirc.com/update3/mylink.vbs.rar

http://suporte01928492.redirectme.net/update7/update.exe.rar

http://atualziarsys.serveirc.com/Update4/Update.exe.rar

http://suporte01928492.redirectme.net/appmonitorplugin.rar

http://atualziarsys.serveirc.com/update3/update.exe.rar

http://suporte20082021.sytes.net/

http://suporte20082021.sytes.net/update3/update.exe.rar

http://atualziarsys.serveirc.com/Update4/Update.exe2.rar

http://suporte20082021.sytes.net/Update3/Update.exe.rar

http://suporte20082021.sytes.net/Update5/Update.reg.rar

http://atualziarsys.serveirc.com/Update4/Update.exe2.rar/

http://atualziarsys.serveirc.com/Update4

http://suporte01092021.myftp.biz/update/WindowsUpdate2.rar

http://suporte01092021.myftp.biz/update

http://atualziarsys.serveirc.com/Update3/Update.reg.rar/

http://atualziarsys.serveirc.com/Update3/Update.exe.rar

http://suporte20082021.sytes.net/Update3/Update.exe.rar/

http://suporte01092021.myftp.biz/update/WindowsUpdate2.rar/

http://atualziarsys.serveirc.com/Update4/Update.exe.rar/

http://atualziarsys.serveirc.com/Update3/mylink.vbs.rar

http://atualziarsys.serveirc.com/update4

http://atualziarsys.serveirc.com/update3

http://suporte01092021.myftp.biz/update/Update.rar

http://suporte01928492.redirectme.net/AppMonitorPlugIn.rar/

http://suporte20082021.sytes.net/update5/update.exe.rar

http://suporte01092021.myftp.biz/update5/update.exe.rar

http://atualziarsys.serveirc.com/update4/update.exe2.rar

http://suporte01092021.myftp.biz/update/windowsupdate2.rar

http://suporte20082021.sytes.net/update2/update.exe.rar

http://suporte20082021.sytes.net/update/windowsupdate2.rar

http://atualziarsys.serveirc.com/Update4/mylink.vbs.rar

http://atualziarsys.serveirc.com/favicon.ico

http://24.152.38.205/1.rar

http://24.152.38.205/1.exe

http://appmonitorplugin.sytes.net/appmonitorplugin.rar

http://suporte20082021.sytes.net/update/WindowsUpdate2.rar

http://appmonitorplugin.sytes.net/

http://suporte20082021.sytes.net/appmonitorplugin.rar

http://suportmicrowin.sytes.net/appmonitorplugin.rar

http://suportmicrowin.sytes.net/

http://suportmicrowin.sytes.net/AppMonitorPlugIn.rar

http://appmonitorplugin.sytes.net/AppMonitorPlugIn.rar

http://24.152.38.205/pt/setup.zip

 

Infrastructure Domains

services5500.sytes.net

atualziarsys.serveirc.com

suporte01092021.myftp.biz

suporte20082021.sytes.net

suporte01928492.redirectme.net

suportmicrowin.sytes.net

appmonitorplugin.sytes.net

 

Infrastructure IPs

149.56.147.236

24.152.38.205

54.38.122.66

149.56.38.168

149.56.38.170

24.152.36.48

66.70.170.191

66.70.209.174

142.44.129.70

51.79.107.245

46.105.36.189

178.33.108.239

54.39.193.37

24.152.37.115

144.217.139.134

24.152.36.58

51.38.19.201

51.222.97.177

51.222.53.150

144.217.45.69

87.98.137.173

144.217.199.24

24.152.37.19

144.217.29.23

198.50.246.8

54.39.163.60

54.39.84.55

24.152.36.30

46.105.38.67

24.152.37.96

51.79.63.229

178.33.107.134

164.132.77.246

54.39.163.58

149.56.113.76

51.161.120.193

24.152.36.210

176.31.37.238

176.31.37.237

24.152.36.83

24.152.37.8

51.161.76.193

24.152.36.117

137.74.246.224

51.79.107.134

51.79.44.49

51.222.173.152

51.79.124.129

51.79.107.242

51.222.173.148

144.217.117.172

54.36.82.187

54.39.152.91

54.36.82.177

142.44.146.178

54.39.221.163

51.79.44.57

149.56.38.173

24.152.36.46

51.38.19.198

51.79.44.59

198.50.246.11

24.152.36.35

24.152.36.239

144.217.17.186

66.70.209.169

24.152.36.158

54.39.84.50

51.38.19.200

144.217.45.68

144.217.111.5

54.38.164.134

87.98.171.7

51.79.124.130

66.70.148.142

51.255.119.19

66.70.209.168

54.39.239.81

24.152.36.98

51.38.192.225

144.217.117.10

144.217.189.108

66.70.148.136

51.255.55.134

54.39.137.73

66.70.148.137

54.36.146.230

51.79.107.254

54.39.84.52

144.217.61.176

24.152.36.150

149.56.147.236

51.38.19.196

54.39.163.57

46.105.36.133

149.56.68.191

24.152.36.107

158.69.99.10

51.255.55.136

54.39.247.244

149.56.147.204

158.69.99.15

144.217.32.24

149.56.147.205

144.217.32.213

54.39.84.53

79.137.115.160

144.217.233.98

51.79.44.56

24.152.36.195

142.44.146.190

144.217.139.13

54.36.82.180

198.50.246.14

137.74.246.223

24.152.36.176

51.79.107.250

51.161.76.196

198.50.246.12

66.70.209.170

66.70.148.139

51.222.97.189

54.39.84.49

144.217.17.185

142.44.129.73

144.217.45.67

24.152.36.28

144.217.45.64

24.152.37.39

198.27.105.3

51.38.8.75

198.50.204.38

54.39.221.11

51.161.76.197

54.38.122.64

91.134.217.71

24.152.36.100

144.217.32.26

198.50.246.13

54.36.82.188

54.39.84.25

66.70.209.171

51.38.218.215

54.39.8.92

51.38.19.205

54.39.247.228

24.152.36.103

24.152.36.104

51.79.44.43

54.39.152.202

66.70.134.218

24.152.36.25

149.56.113.79

178.32.243.48

144.217.45.66

66.70.173.72

176.31.37.239

54.38.225.81

158.69.4.173

24.152.37.189

54.36.146.129

198.50.246.15

51.222.102.30

51.79.105.91

51.79.9.91

51.222.173.151

51.79.107.124

51.222.173.142

144.217.17.187

149.56.85.98

51.79.107.244

144.217.158.195

24.152.36.178

192.95.20.74

51.79.117.250

 

Ransomware Hashes

106118444e0a7405c13531f8cd70191f36356581d58789dfc5df3da7ba0f9223

e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761

ae6020a06d2a95cbe91b439f4433e87d198547dec629ab0900ccfe17e729cff1

c3776649d9c0006caba5e654fa26d3f2c603e14463443ad4a5a08e4cf6a81994

63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85

94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d

c8d97269690d3b043fd6a47725a61c00b57e3ad8511430a0c6254f32d05f76d6

67bc70d4141d3f6aaf8f17963d56df5cee3727a81bc54407e90fdf1a6dc8fe2a

98a3ef26b346c4f47e5dfdba4e3e26d1ef6a4f15969f83272b918f53d456d099

c3c306b2d51e7e4f963a6b1905b564ba0114c8ae7e4bb4656c49d358c0f2b169

 

Bitcoin Addresses

3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs

1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk

bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2

 

PDB

C:\Users\workdreams\Desktop\Testes\Crypt_FInal\Crazy_Crypt\Crazy\obj\Debug\AppMonitorPlugIn.pdb

C:\Users\workdreams\Desktop\test\Nopyfy-Ransomware-master\Nopyfy-Ransomware\Nopyfy-Ransomware\obj\Debug\Nopyfy-Ransomware.pdb

 

PowerShell Script

a8d7b402e78721443d268b682f8c8313e69be945b12fd71e2f795ac0bcadb353

 

Exfiltration Tool

ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd

c3323fbd0d075bc376869b0ee26be5c5f2cd4e53c5efca8ecb565afa8828fb53

 

Fake Flash Player installer

d6c35e23b90a7720bbe9609fe3c42b67d198bf8426a247cd3bb41d22d2de6a1f

 

Fake Anydesk Installer

e911c5934288567b57a6aa4f9344ed0f618ffa4f7dd3ba1221e0c42f17dd1390

 

 

The post Is There Really Such a Thing as a Low-Paid Ransomware Operator? appeared first on McAfee Blogs.

]]>
Unravel the XDR Noise and Recognize a Proactive Approach https://www.mcafee.com/blogs/enterprise/endpoint-security/unravel-the-xdr-noise-and-recognize-a-proactive-approach/ Mon, 18 Oct 2021 15:00:26 +0000 /blogs/?p=110335

Cybersecurity professionals know this drill well all too well. Making sense of lots of information and noise to access what...

The post Unravel the XDR Noise and Recognize a Proactive Approach appeared first on McAfee Blogs.

]]>

Cybersecurity professionals know this drill well all too well. Making sense of lots of information and noise to access what really matters. XDR (Extended Detection & Response) continues to be a technical acronym thrown around in the cybersecurity industry with many notations and promises. Every vendor offering cybersecurity has an XDR song to sing. Interestingly, some either miss a beat or require tuning since it’s still quite an emerging market.  This can be intriguing and nagging for cybersecurity professionals who are heads down defending against the persistent adversaries. The intent of this blog is to clarify XDR and remove the noise and hype into relevant and purposeful cybersecurity conversations with actions. And observe the need for a proactive approach.

Let’s begin with what does XDR refer to and its evolution. As noted earlier, XDR stands for Extended Detection and Response. “extended” is going beyond the endpoint to network and cloud infrastructure. You will find this cross-infrastructure or cross-domain capability is the common denominator for XDR.  XDR is the next evolution of a solid Endpoint Detection and Response (EDR). Ironically it was a term introduced by a network security vendor with aspirations to enter the emerging Security Operations market.

A Look at the Industry Point of Views

Industry experts have weighed in on this XDR capability for cybersecurity and agree it’s still relatively early to market. Gartner’s definition, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” Gartner notes three primary requirements of an XDR system are; centralization of normalized data primarily focused on the XDR vendors’ ecosystem, correlation of security data and alerts into incidents and centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting. If you want to hear more from Gartner on this topic, check out the report.

ESG defines XDR as an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response. In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system. The cross-vector analytics must be enhanced to track advanced multi-stage attacks.  In addition, implementation guidance such as reference architecture is needed to assure successful integrated workflows.

Forrester views XDR as the next generation of Endpoint Detection and Response to evolve to by integrating endpoint, network and application telemetry. The integration options are native where the integration is with one vendor’s portfolio or hybrid where the vendor integrates with other security vendors.  The key goals include empowering analysts with incident-driven analytics for root cause analysis, offer prescriptive remediation with the ability to orchestrate it and map uses cases MITRE ATT&CK techniques and chain them into complex queries that describe behaviors, instead of individual events.

XDR Themes

The common XDR themes from these XDR discussions are multiple security functions integrated and curated data across the control vectors all working together to achieve better security operational efficiencies while responding to a threat. Cross control points make sense since the adversary movement is erratic.  Emphasis is on removing complexity and offering better detection and understanding of the risk in the environment and quickly sorting through a possible response.  The range of detect and response capabilities also suggest that it cannot be done by one exclusive vendor. Many advocates an integrated partnership approach to unify defenses and streamline efforts across domains and vectors. It’s a more realistic approach as well since most organizations do not fulfil their entire security function with one vendor.  While buying an XDR “suite” from one vendor is easier where most of the security tools come from one vendor, some critical security functions from another vendor should be included to drive a more effective detect and response.  This is not a new concept to connect the security disciplines to work together, as matter fact, McAfee Enterprise has been professing and delivering on Together is Power motto for some time.

One more consideration on this unified and integrated security XDR theme, many vendors may proclaim this but look under the hood carefully. They may have a unified view in a single console but has the data from all the separate vectors been automatically assessed, triaged and providing meaningful and actionable next steps?

Another common XDR theme is the promise to accelerate investigation efforts by offering automatic analysis of findings and incidents to get closer to a better assessment. This makes your reactive cycles potentially less frequent.

Integrating security across the enterprise and control points and accelerating investigations are critical functions. Does it address organizational nuances like is this threat a high priority because it is prevalent in my geo and industry and it’s impacting target assets with highly sensitive data.  Prioritization should also be an XDR theme but not necessarily noted in these XDR discussions.  Encourage you to read this blog on The Art of Ruthless Prioritization and Why It Matters to Sec Ops.

Net Out the Core XDR Functions

After distilling the many point of views and the themes on XDR, it seems the core functions all focus on improving security operations immensely during an attack.  So, it’s a reactive function

 

XDR Core & Baseline functions  Why? 
Cross infrastructure—comprehensive vector coverage   Gain comprehensive visibility & control across your entire organization and stop operating in silos  

Remove disparate efforts between tools, data and functional areas  

Distilled data and correlated alerts across the organization   Remove manual discover and make sense of it all  
Unified management with a common experience   From a common view or starting point removes the jumping between consoles and data pools to assure more timely and accurate responses  
Security functions automatically exchange and trigger actions   Some security functions need to be automated like detection or response   
Advanced functions—not noted in many XDR discussions  Why? 
Actionable intelligence on potentially relevant threats   Allow organizations to proactively harden their environment before the attack  
Rich context that includes threat intelligence and organizational impact insight   Organizations can prioritize their threat remediation efforts on major impact to the organization  
Security working together with minimal effort   Simply tie a range of security functions together to create a united front and optimize security investments  

 

Key Desired Outcomes

The end game is better security operational efficiencies. This can be expressed in a handy outcome check list perhaps helpful when assessing XDR solutions.

Visibility  Control 
More accurate detection   More accurate prevention  
Adapt to changing technologies & infrastructure   Adapt to changing technologies & infrastructure  
Less blind spots   Less gaps  
Faster time to detect (or Mean Time to Detect-MTTD)   Faster time to remediate (or Mean Time to Respond-MTTR)  
Better views and searchability   Prioritized hardening across portfolio—not isolated efforts  
Faster & more accurate investigations (less false positive)    Orchestrate the control across the entire IT infrastructure  

A More Proactive Approach is Needed

McAfee Enterprise goes beyond the common XDR capabilities in the recently announced MVISION XDR and offers unmatched proactivity and prioritization producing smarter and better security outcomes. This means your SOC spends less time on error-prone reactive fire drills with weeks of investigation.  SOCs will respond and protect what counts a lot quicker. Imagine getting ahead of the adversary before they attack.

Solution or Approach?

Is XDR a solution or product to be bought or an approach an organization’s must rally their security strategy to take?  Honestly it can be both.  Many vendors are announcing XDR products to buy or XDR capabilities.  An XDR approach will shift processes and likely to merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.

Is XDR for everyone?

It depends on the organizations’ current cybersecurity maturity and readiness to embrace the breadth and required processes to obtain the SOC efficiency benefits. With the promise to correlate data across the entire enterprise implies some of the mundane and manual efforts to make sense of data into a better and actionable understanding of a threat are removed.  Now this is good for organizations on both spectrums.  Less mature organizations who do not have resources or expertise and do not consume data intelligence to shift through will appreciate this correlation and investigation step, but can they continue the pursuit of what does this mean to me. Medium to high mature cybersecurity organizations with expertise will not need to do the manual work to make sense of data. The difference with mature organizations comes with the next steps to further investigate and to decide on the remediation steps. Less mature organizations will not have the expertise to accomplish this. So, the real make a difference moment is for the more mature organization who can move more quickly to a response mode on the potential threat or threat in progress.

Your XDR Journey

If you are a medium to high mature cybersecurity organization, the question comes how and when. Most organizations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace the XDR capabilities since their efforts are already investigating and resolving endpoint threats. It’s time to expand this effort gaining better understanding of the adversary’s movement across the entire infrastructure.  If you are using MVISION EDR you are already using a solution with XDR capabilities since it digests SIEM data from McAfee Enterprise ESM or Splunk (which means it goes beyond the endpoint, a key XDR requirement.)  Check out the latest award MVISION XDR received amongst the many recognitions.

Hope this blog removed the jargon and fog around XDR and offers actionable considerations for your organization to boost their SOC efforts. Start your XDR journey here.

The post Unravel the XDR Noise and Recognize a Proactive Approach appeared first on McAfee Blogs.

]]>
China Personal Information Protection Law (PIPL): A New Take on GDPR? https://www.mcafee.com/blogs/enterprise/china-personal-information-protection-law-pipl-a-new-take-on-gdpr/ Thu, 14 Oct 2021 17:16:46 +0000 https://www.mcafee.com/blogs/?p=130468

Many people have heard of the GDPR (General Data Protection Regulation), legislation that became law across the EU in May...

The post China Personal Information Protection Law (PIPL): A New Take on GDPR? appeared first on McAfee Blogs.

]]>

Many people have heard of the GDPR (General Data Protection Regulation), legislation that became law across the EU in May 2018.  It was designed to regulate how businesses protect personal data, notably how personal data is processed, and granted rights to individuals to exercise more control over their personal data.

GDPR is a framework which requires businesses to implement processes to enable them to understand where data is held, how it is used, how long it is kept for, how this can be reported to individuals, and how they may request its correction or deletion.

A critical – and often misunderstood – aspect of GDPR is that it doesn’t just apply to EU businesses.  Any company in the world that stores information on EU citizens must adhere to the regulations; serious breaches can result in significant fines.  Even just the top five companies that were penalized since GDPR’s introduction run into the hundreds of millions of US dollars!  These regulations have teeth, so people pay attention to them.

Beyond GDPR’s own impact in protecting the rights of EU residents, perhaps its greatest legacy has been to increase expectations for how organizations handle personal data the world over. GDPR has set a new global standard, and we are seeing it serve as the model for a number of similar laws being mooted or passed by governments all over the world. With that in mind, how many businesses have heard of the PIPL (Personal Information Protection Law)?  In August 2021, the Standing Committee of the National People’s Congress, the top legislative body in the People’s Republic of China, voted for this law to take effect on Nov. 1, 2021.  It has many similarities to GDPR, a key one being that it also applies world-wide with respect to data held on Chinese citizens.  If your company is a multi-national corporation that deals with Chinese individuals then it applies to you, no matter where your business is incorporated or headquartered.

Likely many of the processes you have in place for GDPR can be repurposed for PIPL, however you will be looking for different data.  McAfee’s Data Protection products (MVISION Unified Cloud Edge, MVISION Cloud, Endpoint DLP, and Network DLP) will help you identify where PIPL-relevant data is held and how it is being used.  Data classifications/data identifiers for the Chinese Resident Identity Card, passport numbers, mobile phones etc can be identified in data stored in the cloud and on premise.  McAfee’s unique multi-vector data exfiltration protection (more on that here) can also assist in ensuring that sensitive PII data doesn’t end up somewhere it shouldn’t.  Here’s a view of our management console showing how we can identify Chinese PII:

No individual product can claim to make a business “PIPL compliant”, but products such as McAfee’s Data Protection suites should be considered a key part of a toolbox to aid in this goal. The fact that we’ve had this capability within our products for an extended time, well before the introduction of PIPL, is yet another datapoint as to why Gartner named MVISION Cloud THE market leader in the CASB Magic Quadrant and why Forrester named us a leader in their Forrester Wave ™ Unstructured Data Security Platforms.

November is barely a month away and if you’re not already considering how to handle PIPL, you now need to make this a priority.  Consider testing and enabling our Chinese PII classifications.  If you’re running another vendor’s product that doesn’t offer such capability then take a look at how our MVISION Unified Cloud Edge solution can help solve this along with the digital transformation to cloud first that most companies have already undertaken.

The post China Personal Information Protection Law (PIPL): A New Take on GDPR? appeared first on McAfee Blogs.

]]>
2021 Hispanic Heritage Month Pt. 5: A Celebration of Hispanic Heritage and Hope https://www.mcafee.com/blogs/enterprise/2021-hispanic-heritage-month-pt-5-a-celebration-of-hispanic-heritage-and-hope/ Tue, 12 Oct 2021 15:00:32 +0000 https://www.mcafee.com/blogs/?p=130006

We’re closing McAfee Enterprise’s Hispanic Heritage Month with Solutions Architect, Gus Arias. Read the full interview below to see how...

The post 2021 Hispanic Heritage Month Pt. 5: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>

We’re closing McAfee Enterprise’s Hispanic Heritage Month with Solutions Architect, Gus Arias. Read the full interview below to see how his heritage impacted his life and career in technology.

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

I love the food and music.  To this day I never get tired of eating Arepas, a staple of my Venezuelan heritage.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

I’ve always liked technology and I took a leap into IT from the Mortgage Industry. I stayed hungry for knowledge and am always eager to learn which transformed my cybersecurity career to where it is today.

What do you hope to pass on to future generations?

I want future generations to know that it is never too late to learn something new, and you should strive to learn something new every day.

What are the three most important things that people should know about your culture?

  1. Family oriented (Family takes care of family)
  2. We are very festive (any chance we get we will throw a party)
  3. A night of having family and friends over will turn out into a cookout and game night of playing dominos

What types of foods were cooked for special occasions when you were growing up?

Arepas, Mandocas, Hayacas, and Paella

Is there a tradition or celebration that you hope that your descendants maintain?

I would have to say our Christmas celebrations throughout the month of December.

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

Do not let anything hold you back and when it comes to change, have an open and positive view. Learn from those changes to improve, also work on soft skills. From a technology perspective – keep up with the times. Meaning, stay informed on the evolution of technology and threats.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

Educate and promote early by engaging with local schools. Also, provide internships at the High School/College levels as a summer program.

The post 2021 Hispanic Heritage Month Pt. 5: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>
2021 Hispanic Heritage Month Pt. 4: A Celebration of Hispanic Heritage and Hope https://www.mcafee.com/blogs/enterprise/2021-hispanic-heritage-month-pt-4-a-celebration-of-hispanic-heritage-and-hope/ Mon, 11 Oct 2021 15:00:09 +0000 https://www.mcafee.com/blogs/?p=129997

Although Hispanic Heritage Month is coming to an end on October 15th, it doesn’t mean we have to stop celebrating...

The post 2021 Hispanic Heritage Month Pt. 4: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>

Although Hispanic Heritage Month is coming to an end on October 15th, it doesn’t mean we have to stop celebrating our employee’s and learning about their heritage and what led them to their career in cybersecurity. Take a look at the conversation below with McAfee Enterprise, Joyce Moros-Nahim, LTAM Legal Director

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

What I enjoy the most about being Hispanic is that we are very amiable. We are always exited to meet new people and have new experiences. One of my favorite memories growing up is all the time I spent with my family. It was never something my parents had to force my brother and I to do. We were always happy to hang out with our cousins, have lunch with our “abuelitos” (grandparents), and celebrate with our very large family.

How have Hispanic/LatinX individuals helped contribute to where you are today in life and career?

I have met and worked closely with many Hispanic and LatinX individuals and their enthusiasm and dedication for their chosen career along with their zest for life has taken them very far in both their home country and around the world. This has inspired me to keep pushing and take on every day with positivity and joy.

Why were you interested in a career in technology and how has your heritage played a role in where you are today?

I have always been interested in the technology industry because it changes every day and will be more prevalent as we move into the future. Having been born in a Latin American country (Venezuela), I was always intrigued in seeing how other countries evolved in this industry.

What do you hope to pass on to future generations?

I hope that future generations will continue to appreciate and partake in their cultural traditions. No matter which country a Latinx individual is from, they’re typically very family oriented, respectful, hardworking, and loving; which I hope will continue in future generations.  

What family traditions did you have growing up?

Visiting my grandmothers almost every day and having a Cafecito.  On Sundays, we would also go to church in our Sunday best and have lunch with the whole family. I always enjoyed this time because I would see my whole family and hear about their week. It kept us spiritually and physically united.

What are the three most important things that people should know about your culture?

Venezuelans are extremely hospitable, hardworking, and love to befriend people with different nationalities.

Define and describe the most important (or most celebrated) holiday of your culture.

The most celebrated holiday in my culture is New Year’s Eve. The families get together and have “hallacas” and pan de jamon, two traditional Venezuelan meals. As it is about to strike 12 AM, we each eat 12 grapes, symbolizing 12 wishes or resolutions we have for the upcoming year. Once it’s 12 AM, we all embrace and celebrate what is to come!

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

My advice to a young Hispanic/Latinx individual would be to gain experience in the field and to find a mentor with a similar heritage to guide and inspire you.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

A great way to attract more Hispanic/LatinX people to cybersecurity is to have programs in Latin American countries that will teach children about technology and how it’s key in our everyday life.

The post 2021 Hispanic Heritage Month Pt. 4: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>
Shaping the Future of Cybersecurity https://www.mcafee.com/blogs/enterprise/shaping-the-future-of-cybersecurity/ Fri, 08 Oct 2021 20:04:12 +0000 https://www.mcafee.com/blogs/?p=130288

Today marks a significant and exciting step forward for the combined McAfee Enterprise and FireEye businesses as we create a...

The post Shaping the Future of Cybersecurity appeared first on McAfee Blogs.

]]>

Today marks a significant and exciting step forward for the combined McAfee Enterprise and FireEye businesses as we create a pure play, cybersecurity market leader.

I’m incredibly proud to be writing this as the newly appointed CEO of this combined business. Keeping nations and large enterprises safe is – I believe – one of the most important challenges facing the world today. We have already started working together to bring together the best of McAfee Enterprise and FireEye. Together, we see vast opportunities to develop an integrated security platform powered by artificial intelligence, machine learning, and automation that will offer an unbeatable security portfolio to protect customers across endpoints, infrastructure, applications, and in the cloud. With our combined energies, we will be able to bring these solutions to market faster, and with greater innovation than before.

And we will do this because of our incredibly talented team. Together, we have 5,000 of the best security professionals who have already been working tirelessly to protect our customers. I am energized about bringing together these two teams to relentlessly protect the world from cyberattacks. Our new company culture will be focused on continuing to deliver on this vision, particularly for our customers.

As a combined business, we have over 40,000 customers, including many of the most well-known businesses in the world. And supporting our customers to be more resilient and stay one step ahead of adversaries has always been a priority – that’s why the majority of our enterprise and government customers have worked with our companies for over 16 years. We are committed to continuing to deliver excellence to our customers through this integration.

Today is a monumental day for everyone in this team. It is also a monumental day for the future of threat detection, protection, and response. Together, we will deliver a new model that creates solutions that work together, in a continuous fashion, to secure our customers across the full attack continuum. We are already seen as market leaders, now our story keeps getting better.

The post Shaping the Future of Cybersecurity appeared first on McAfee Blogs.

]]>
2021 Hispanic Heritage Month Pt. 3: A Celebration of Hispanic Heritage and Hope https://www.mcafee.com/blogs/enterprise/2021-hispanic-heritage-month-pt-3-a-celebration-of-hispanic-heritage-and-hope/ Thu, 07 Oct 2021 15:00:38 +0000 https://www.mcafee.com/blogs/?p=129955

Did you know, the timing of Hispanic Heritage Month coincides with the Independence Day celebrations of several Latin American nations?...

The post 2021 Hispanic Heritage Month Pt. 3: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>

Did you know, the timing of Hispanic Heritage Month coincides with the Independence Day celebrations of several Latin American nations?

At McAfee Enterprise, we’re celebrating Hispanic Heritage Month by recognizing some of our amazing employees and asking them about their heritage and the impact it had on their career and journey to cybersecurity. Read my conversation with Zuly Gonzalez below on how her family and culture have impacted her career.

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

My parents moved to mainland US when I was young. During the summers, we’d go on vacation to Puerto Rico and one of my fondest memories growing up are the plane flights to/from Puerto Rico. This was before 9/11, when flying wasn’t what it is today. My sisters and I would keep ourselves entertained playing games. It was an adventure for us and the highlight was always a warm chicken or pasta meal.

What family traditions did you have growing up?

We had two Christmas celebrations, which as a kid, you can’t ask for anything better! We celebrated Christmas on the 25th, which was the big event where we got most of our presents. Then on January 6 we’d celebrate “Día de Reyes” (Three Kings Day) where we would get a few more presents.

What are the three most important things that people should know about your culture?

I’d say three things that are central to Puerto Rican culture are: family, God, and passion/hard work. Puerto Ricans believe in traditional family values. Religion plays an important part in our culture. And the Puerto Rican passion is hard to understate. I have to be careful, because a lot of times my passion leads me to speak very loudly, which can sometimes be misinterpreted by non-Hispanics as anger or aggression, when in fact, it’s just excitement. I saw a T-shirt recently that said, “I’m not yelling. I’m Puerto Rican.” This is so true!

Describe your favorite traditional dish, and how it was prepared. Who usually prepared it for family meals?

One of my favorite dishes growing up, because we didn’t have it often, was sancocho. It’s a rich, comfort soup made with root vegetables and other starchy vegetables common in Puerto Rico. Ingredients include ñame, yautia, pana, papas, platanos, guineos, maiz, and batatas, among other things. A few of the ingredients are hard to find in the US, and when you do find them, are expensive, so we didn’t have it often growing up. But when my mom did make it, it was always a treat!

How have Hispanic individuals helped contribute to where you are today in life and career?

My parents were by far the biggest influence in my life. They taught me that I could be and do anything I wanted in life. They didn’t set limits for what I could achieve and taught me that with hard work anything is possible.

I followed my father’s footsteps by pursuing a career in STEM and attending the same university he attended. In fact, thinking about it now as I answer this question, I think that even more so than my mom, my dad had the biggest influence on who I am today as an individual. He shaped a lot of my personality, my beliefs, and a lot of the decisions I’ve made in my life, both personally and professionally.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

Family values are very important in Puerto Rican culture. My dad was a math teacher and growing up he was always ready to help me with my homework. During the summer trip to Puerto Rico before I graduated high school, we took a tour of the university my dad went to. I ended up going to that university, which set me on the path to where I am today in my career. I obtained a degree in Computer Engineering and a co-op opportunity (similar to an internship) at NSA. NSA led me to a career in cybersecurity. At NSA I met Beau Adkins, who later turned into my partner in life and in business. Beau and I founded Light Point Security, which ultimately led us to McAfee Enterprise. But it all started with my parents. Without my parents’ motivation, support, and ultimate push to attend the University of Puerto Rico, I wouldn’t be where I am today.

As the country continues to grow more diverse, what advice would you give to young Hispanic individuals interested in starting a career in cybersecurity?

Same advice I’d give any young person interested in any career path. That is – look for ways to learn outside of a traditional school setting. Getting a hands on experience is so important. First, it shows initiative and passion. Second, to use an analogy: Reading and memorizing a cooking recipe, and even knowing the history behind each ingredient, isn’t necessarily going to translate into a delicious meal, it takes practice. Practice with the equipment, practice with the ingredients, and sprinkle in your own creativity to make an expert dish. One that people will pay money for!

The post 2021 Hispanic Heritage Month Pt. 3: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>
Executive Spotlight: Q&A with Vice President, Global Commercial, Britt Norwood https://www.mcafee.com/blogs/enterprise/executive-spotlight-qa-with-vice-president-global-commercial-britt-norwood/ Tue, 05 Oct 2021 16:37:47 +0000 https://www.mcafee.com/blogs/?p=129991

Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise to hear...

The post Executive Spotlight: Q&A with Vice President, Global Commercial, Britt Norwood appeared first on McAfee Blogs.

]]>

Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise to hear their takes on today’s security trends, challenges, and opportunities for enterprises across the globe. Dive into the conversation below with Vice President, Global Commercial, Britt Norwood.

Q: What’s the first career you dreamed of having as a kid?

My first career was as a paper boy from 5th through 8th grade, but I always wanted to be a professional golfer. However, when I realized I was not that good at golf, I decided to pursue a career in business and technology.

Q: What do you think about talent in the technology and security industry? 

The talent we have in this industry is amazing, people are working so hard every day, but our foes are relentless, and we will always need talent who can look at problems with diverse viewpoints.

Q: Which emerging technology do you think holds the most promise once it matures?

I’m interested in seeing the continued progress around the unification of threat hunting (EDR, XDR, MDR), as we better understand the power of machine learning, automated detection, and AI as it pertains to quickly identifying malicious code and non-conforming behaviors. This is a world where the surface is just being scratched. As this technology matures and develops, there is power for good, but it will always need to be balanced in a way that makes sure the uses are ethical and moral. This will be a true new frontier as it unfolds.

Q: What are some of the trends you are currently noticing within the privacy and cybersecurity space? 

Everyone knows that a layered model is necessary to protect valuable data against attacks, but there is fatigue within many IT departments about the number of tools they need and that need to be connected to each other to work properly. Most CIOs and CISOs are looking for platforms that simplify management and streamline threat research to consolidate and reduce complexities.

On the attack front, both the cryptocurrency phenomenon is allowing bad actors to be more aggressive, as they have a way to anonymously launder ransoms, which is why there are so many ransomware attacks happening now. Cryptocurrency needs to be examined from a regulatory standpoint to protect innocent consumers and businesses who are vulnerable to such attacks. Until that time, it falls back to security platforms to assist them.

 

The post Executive Spotlight: Q&A with Vice President, Global Commercial, Britt Norwood appeared first on McAfee Blogs.

]]>
2021 Hispanic Heritage Month Pt. 2: A Celebration of Hispanic Heritage and Hope https://www.mcafee.com/blogs/enterprise/2021-hispanic-heritage-month-pt-2-a-celebration-of-hispanic-heritage-and-hope-2/ Tue, 05 Oct 2021 15:00:19 +0000 https://www.mcafee.com/blogs/?p=129970

The nationally recognized Hispanic Heritage Month grew out of a desire to educate people all over the country about the...

The post 2021 Hispanic Heritage Month Pt. 2: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>

The nationally recognized Hispanic Heritage Month grew out of a desire to educate people all over the country about the many contributions the Hispanic community has made to U.S. culture.

Here at McAfee Enterprise, we’re taking this year’s Hispanic Heritage Month to spotlight members of the LatinX community who are using their platforms to make their voices heard and contribute to the cybersecurity community. I spoke with Arnie Lopez, Vice President Worldwide Systems Engineering, about his heritage and journey to cybersecurity. 

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

I love our food and music.  I remember my mom cooking up some great dishes while we danced around the house listening to fun music.

How have Hispanic/LatinX individuals helped contribute to where you are today in life and career?

I had two great LatinX mentors/role models, Carlos Dominguez and Guillermo Diaz that helped tremendously early in my career.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

Our culture is hard working and sometimes very stubborn. Early in my career I was very interested in technology and asked people to teach me different types of technologies and would not take no for an answer. I started early on with learning computers, then servers, networking, security, then cloud and applications. All of this helped my career and had a huge impact.

What do you hope to pass on to future generations?

Embrace your LatinX culture, use it as a differentiator when competing for new roles.

What are the three most important things that people should know about your culture?

1) Our passion makes us great team members

2) We love to have fun… Work hard and play hard

3) We come in many different colors and sub-cultures but have common core values

Is there a tradition or celebration that you hope that your descendants maintain?

I hope my kids and nephews keep up the celebration of Bolivian Independence Day (Seis de Agosto).  It’s a big national party on August 6 every year with music, food and dancing.

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

Don’t be intimated by the lack of LatinX in Cyber, it’s up to us to change the demographics and we will do it. Find a LatinX mentor or coach that already works in Cyber to provide you candid and honest feedback and guidance.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

Get involved, participate, and give back. Get involved in LatinX youth, corporate and University panels and events and tell your story.  “If they can SEE it, They can BE it!”

The post 2021 Hispanic Heritage Month Pt. 2: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>
McAfee Enterprise Is Ready for Windows 11, Are You? https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-is-ready-for-windows-11-are-you/ Tue, 05 Oct 2021 15:00:03 +0000 https://www.mcafee.com/blogs/?p=129961

McAfee Enterprise is prepared to protect our customers from day 1 of their journey with the new Windows 11 release....

The post McAfee Enterprise Is Ready for Windows 11, Are You? appeared first on McAfee Blogs.

]]>

McAfee Enterprise is prepared to protect our customers from day 1 of their journey with the new Windows 11 release.

This summer Microsoft announced planned changes to its Windows platform with the release of Windows 11. McAfee Enterprise is proud to announce that we have delivered day 1 support for the benefit of our current and future customers. We know that today’s hybrid workspaces call for flexibility and ease of use without compromising security, so now that Windows 11 is here, we want to address a few important topics regarding what to expect from your trusted security vendor, McAfee Enterprise:

What does McAfee Enterprise day 1 support of Windows 11 mean to you?

Customers can rely on McAfee Enterprise products to already have the most important Windows 11 box checked—ensuring your systems are secure and protected against threats from day 1.

McAfee Enterprise is committed to continue this same level of support for Microsoft’s future release cadence of Windows 11. We work closely with Microsoft to make sure that McAfee Enterprise security software and hardware products are fully compatible with Windows operating systems.

What if my organization is not ready to upgrade to Windows 11?

We recognize that not every environment will be ready to upgrade on day 1, or even at the start of the new year. Regardless of the date of your transition, McAfee Enterprise is here to ensure you remain protected across your devices and OS versions.

Our ongoing commitment is to continue to support our customers and the release cadence of the Windows 10 platform. We keep apprised of Microsoft OS support cycles and ensure that our customers remain covered throughout their lifecycles. For more information, see KB85784 – Windows 10 compatibility with McAfee Enterprise products

That said, having a plan outlined in advance is a key ingredient to any successful environment upgrade or transition. McAfee Enterprise Technical Support and your Enterprise Customer Success teams are available to support and partner with you on your journey and to answer any product questions along the way.

Related resources:

What is an ideal security environment for McAfee Enterprise customers utilizing the new Windows 11 OS?

With McAfee Enterprise’s security platform, you can command a centrally managed solution that protects your environment across varied devices and operating systems. A combination of fully enabled Endpoint Security Adaptive Threat Protection (ENS ATP),  EDR, and MVISION Insights delivers proactive threat intelligence and defenses across the entire attack lifecycle. Our security teams work around the clock to anticipate future security needs and drive home industry-leading innovation. More on the McAfee Enterprise Endpoint Protection Platform here.

Additional product resources:

Where can I find documentation regarding McAfee Enterprise product support for the new Windows 11 release?

Our product teams have outlined our portfolio’s support in KB94901 – Windows 11 compatibility with McAfee Enterprise products.

To ensure a quality experience, each McAfee Enterprise product team is required to complete validations of all new releases that Microsoft publishes for Windows 11. The McAfee Enterprise goal is to add same-day support for all Windows 11 releases over time, for those products that don’t currently offer this cadence.

For general upgrade guidance or questions, customers may contact Enterprise Technical Support or visit our Support Portal here.

Take advantage of our latest Endpoint Security offering by visiting us here.

The post McAfee Enterprise Is Ready for Windows 11, Are You? appeared first on McAfee Blogs.

]]>
2021 Hispanic Heritage Month Pt. 1: A Celebration of Hispanic Heritage and Hope https://www.mcafee.com/blogs/enterprise/2021-hispanic-heritage-month-pt-1-a-celebration-of-hispanic-heritage-and-hope/ Mon, 04 Oct 2021 18:25:59 +0000 https://www.mcafee.com/blogs/?p=129940

Each year, Americans observe National Hispanic Heritage Month from September 15th to October 15th, by celebrating the contributions and importance...

The post 2021 Hispanic Heritage Month Pt. 1: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>

Each year, Americans observe National Hispanic Heritage Month from September 15th to October 15th, by celebrating the contributions and importance of Hispanics and Latinos to the United States.

The 2021 Hispanic Heritage Month theme invites us to celebrate Hispanic Heritage and to reflect on how great our tomorrow can be if we hold onto our resilience and hope. This year’s theme also encourages us to reflect on the contributions Hispanics have made in the past and will continue to make in the future.

I spoke with Sr. Principal Engineer, Ismael Valenzuela about how his heritage played a role in who he is today, advice for future generations and more. Read our conversation below.

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

I was born and raised in Malaga, Spain, and spent a good part of my professional career in my home country until I moved to the US in 2014. My favorite memories are those shared with my family and friends, enjoying some of the amazing food we have in Malaga, and the beautiful warm weather we have all year long. Enjoying a football game (we call it soccer here in the US, but it’s really football, since it’s played with the foot!) with the friends on a Friday evening or simply a walk by the beach to enjoy the fresh breeze of the Mediterranean sea. Those are some of my favorite memories.

How have Hispanic/LatinX individuals helped contribute to where you are today in life and career?

I was very fortunate to have a business angel at a very young age, who happened to be an experienced Argentinian businessman. He recognized my passion for infosec (it wasn’t called cyber back then) and provided me with the support needed to make my ideas and projects a reality. Thanks to him I was able to co-found one of the first infosec consulting businesses in Spain in 2000, and I’m still very grateful for that opportunity. My experience in the US has not been very different. Since 2014 I’ve had the pleasure to work very closely with super talented colleagues from our McAfee Enterprise teams in Argentina and Chile. Some of them were a tremendous help when I established myself in the NY area, and they continue to be great co-workers and friends, who I admire and look up to.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

I think that Hispanic/LatinX are curious by nature. And curiosity is the basis for the ‘hacker’ culture. And yes, I call it hacker culture, referring to the original meaning and roots of the word ‘hacker’, which connoted technical virtuosity and playfulness (from Walter Isaacson, The Innovators. Great book by the way!). I think I’ve always had that curiosity, especially since I was a kid and had my very first computer, a PCS 286 with just plain old MS-DOS. From that moment on, I knew what I wanted to work with, for the rest of my life. By the time I was in high school I was already programming in several languages, most self-taught, including BASIC, Assembly, and Pascal, and was already doing little applications for some family and friends with tools like DBase III and Clipper. It was a lot of fun! It wasn’t until I started college that I started to dig deeper into operating systems, networking, and lower-level languages like C. When I was introduced to Linux, I immediately fell in love with it, and this increased my curiosity. I started to learn more about how the Internet worked and one thing led to the other. Before I knew it, I was reading guidelines on security, hacking, protocols, asking questions on IRC channels (Slack is essentially IRC for millennials, for those that didn’t know), and setting up my labs at home to play more with the tools I was learning about. Shortly after I landed my first job, as both a web programmer and a system administrator, I found some serious security vulnerabilities in a government network, that happened to make the news, which led me to setup my own consulting business in 2000 with my Argentinian partner. And the rest is history from there! (it’s on LinkedIn too)

What are the three most important things that people should know about your culture?

If I must pick three, I’ll go with these:

1) we love food!

2) we love having long meals with friends and family!

3) we love having food outdoors!

Is there a tradition or celebration that you hope that your descendants maintain?

Yes, I’m working on making sure my kids learn to eat a wide variety of healthy and fresh food, instead of processed and refined stuff. And I hope their kids do the same! Did I say I like food?

What do you hope to pass on to future generations?

My hope is that current and new generations realize that true success is more than just a title, a professional achievement, or a prestigious career, whether it is in IT, or anything else. We live in a world that puts too much emphasis in personal egos, competitiveness, and social status. However, most often those pursuing these goals end up with anxiety, health issues, and disappointment. So, we need to start taking some of that pressure off the young ones and emphasize more the values and principles that can make you happy in the long term, things like a good work ethic, resilience to deal with setbacks, patience to acquire the right training and work through problems, empathy for others, balance to take care of yourself and those you love, and respect for everyone’s opinions and ideas. It’s not all about cyber!

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

Don’t be afraid to ask for help or to ask for a mentor. I was very fortunate to have an amazing mentor that taught me the fundamentals of business and a good work ethic. Having technical skills is important, but it’s equally important to develop other soft skills, like the ability to communicate clearly, to think strategically, to follow through with your projects, and of course the importance to stick to your values and your principles, and to care about the people you interact with. Try to grow your network, and don’t limit yourself to a certain age group, background, or ethnicity. Embrace diversity and realize that there’s always something new to learn from everyone you work with. Stay humble, and never think you’re the smartest in the room. Not only will you be wrong, but you’ll be missing the opportunity to learn and grow. If you want to start a career in cybersecurity specifically, see what classes you can take in your area, and what local groups or conferences are available. One of the few positive things we have with COVID is that most of the conferences have moved to an online format. Many like SANS Summits allow you to join Slack or Discord channels where you can interact with practitioners and security professionals. Also the SANS Institute (from which I’m part of the faculty), have initiatives like the CyberStart America that is a free national program for high school students to learn and master cybersecurity. These can be a gateway to the industry and can lead to college scholarships. And if you need more help or advice, don’t hesitate to contact me on my Twitter account: @aboutsecurity. I can help to point you in the right direction.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

I think one of the things we need to do as professionals is to demystify what we do in this field. We need to start admitting that this is not rocket science. It is true that it’s a fast-paced field, and that it can seem overwhelming at times, but nothing that we do is too hard that anyone should feel intimidated to try to break in. We all learned over time, and in many cases through a succession of failures and recoveries. We all have a responsibility, from corporations to professionals, to lower the entry barriers and give more opportunities. One way to do this is to make more information available in Spanish. In fact, I’ll be chairing a talk track in Spanish at the 2021 SANS Threat Hunting Summit on October 7th and I’ll be hosting breakout spaces for the attendees to network with and to continue the conversation in Spanish as well. So, if you’re reading this, you have no excuses!

The post 2021 Hispanic Heritage Month Pt. 1: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

]]>
McAfee Enterprise Advanced Threat Research Report: Ransomware’s Increasing Prevalence https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-advanced-threat-research-report-ransomwares-increasing-prevalence/ Mon, 04 Oct 2021 04:01:48 +0000 https://www.mcafee.com/blogs/?p=129835

The increasing prevalence of ransomware tops the findings of the McAfee Enterprise Advanced Threat Research Report: October 2021 released today....

The post McAfee Enterprise Advanced Threat Research Report: Ransomware’s Increasing Prevalence appeared first on McAfee Blogs.

]]>

The increasing prevalence of ransomware tops the findings of the McAfee Enterprise Advanced Threat Research Report: October 2021 released today.

While ransomware continues to hold cybersecurity headlines hostage, so much has changed since our last threat report. After shutting down the Colonial Pipeline, DarkSide created the appearance of walking away after attracting government scrutiny, thinking we would miss the (alleged) connection to BlackMatter.

Our Advanced Threat Research team also made a move to McAfee Enterprise, a newly dedicated Enterprise Cybersecurity company. While we will no longer publish our work under McAfee Labs, you can still find and follow our research on our new McAfee Enterprise ATR Twitter feed: @McAfee_ATR.

We’ve shifted the primary focus of our new Threat Report from frequency to prevalence. Our team is now paying attention to how often we see the threat around the globe and, more importantly, who it targets.

While DarkSide attempted to step out of the spotlight, other ransomware families including REvil/Sodinokibi, Ryuk, and Babuk wreaked havoc from among DarkSide’s shadow. In response, this threat report offers a deep dive into ransomware’s increasing prevalence including ransomware family detections and the delta of data between open-source intelligence and telemetry.

Our McAfee Enterprise team also offers research and analysis on relevant threat topics including:

  • Cloud Threats – Continuing threat trends targeting a remote workforce
  • B Braun – Our team’s uncovering of healthcare vulnerabilities in a globally used infusion pump
  • MITRE ATT&CK Techniques – Top techniques used in Q2 2021
  • How to Defend – Resources designed to help your enterprise defend itself from the latest threats

Once you’ve consumed the research and findings in this report, don’t forget our MVISION Insights preview dashboard which updates and profiles the most prevalent threats, offering a knowledge base that includes targeted countries and sectors along with proactive solutions to help your enterprise stay ahead of emerging threats.

We welcome your feedback about this threat report and what you would like to see in the next report.

The post McAfee Enterprise Advanced Threat Research Report: Ransomware’s Increasing Prevalence appeared first on McAfee Blogs.

]]>
The Art of Ruthless Prioritization and Why it Matters for SecOps https://www.mcafee.com/blogs/enterprise/security-operations/the-art-of-ruthless-prioritization-and-why-it-matters-for-secops/ Wed, 29 Sep 2021 16:19:44 +0000 https://www.mcafee.com/blogs/?p=129724

The security operations center (SecOps) team sits on the front lines of a cybersecurity battlefield. The SecOps team works around...

The post The Art of Ruthless Prioritization and Why it Matters for SecOps appeared first on McAfee Blogs.

]]>

The security operations center (SecOps) team sits on the front lines of a cybersecurity battlefield. The SecOps team works around the clock with precious and limited resources to monitor enterprise systems, identify and investigate cybersecurity threats, and defend against security breaches.

One of the important goals of SecOps is a faster and more effective collaboration among all personnel involved with security. The team seeks to streamline the security triage process to resolve security incidents efficiently and effectively. For this process to be optimized, we believe that ruthless prioritization is critical at all levels of alert response and triage. This ruthless prioritization requires both the processes and the supporting technical platforms to be predictive, accurate, timely, understandable for all involved, and ideally automated. This can be a tall order.

Alert Volumes Have the SecOps Team Under Siege

Most SecOps teams are bombarded with an increasing barrage of alerts each year. A recent IBM report also found that complexity is negatively impacting incident response capabilities. Those surveyed estimated their organization was using more than 45 different security tools on average and that each incident they responded to required coordination across around 19 security tools on average.

Depending on the enterprise size and industry, these tools may generate many thousands of alerts in periods ranging from hours to days, and many of them may be redundant or no value. One vendor surveyed IT professionals at the RSA conference in 2018. The survey results show that twenty-seven% of IT professional’s receive more than 1 million security alerts daily[1].

The cost and effort of reviewing all of these alerts are prohibitive for most organizations, so many are effectively deprioritized and immediately ignored. Some surveyed respondents admit to  ignoring specific categories of alerts, and some turn off the security alerts associated with the security controls that generate much of the alert traffic. However, the one alert you ignore may have resulted in a major data breach to the organization.

Tier 1 SecOps analysts have to manage this barrage of alerts. They are surrounded by consoles and monitors tracking many activities within enterprise networks. There is so much data that incident responders cannot process but a fraction of it. Alerts pour in every minute and ratchet up the activity level and the attendant stress throughout the day.

A Tier 1 SecOps analyst processes up to several hundred alerts in a day that require quick review and triage. As the alert is logged, the Tier 1 SecOps analyst usually goes through a checklist to determine further prioritization and determine if further escalation is required.  This can vary substantially depending on the automation and tools which support their efforts.

Once the alert is determined to be potentially malicious and requires follow-up it is  escalated to a Tier 2 SOC Analyst. Tier 2 SOC Analysts are primarily security investigators. Perhaps only 1% or less are escalated to a Tier 2 SOC analyst for deep investigation. Once again, the numbers can vary substantially depending on the organization and industry.

Security investigators will use a multitude of data, threat intelligence, log files, DNS activity, and much more to identify the exact nature of the potential breach and determine the best response playbook to use. In the case of a severe threat, this response and subsequent remediation must be done in the shortest possible amount of time, ideally measured in minutes if not just a very few hours.

In the most dangerous scenario that a threat actor has executed what is determined to be a zero-day attack, the SOC team works with IT, operations, and the business units to protect, isolate, and even take critical servers offline to protect the enterprise. Zero-day attacks raise the SOC to a war footing, which, if properly and rapidly executed against the team’s playbooks, can help mitigate further damage from what is otherwise previously unknown attack techniques. These require the skill and expertise of advanced security analysts to help assess and mitigate complex ongoing cyberattacks.

Given the barrage of alerts, it is essential to adopt a strategy to fit best the capabilities of your team against a priority-driven process. This allows you to optimize your response to alerts, best manage the resources on the SecOps team, and reduce the risk of a dangerous breach event.

There are several strategic views that SOC leadership can take on how to best approach prioritization. These include data driven strategies using tools like DLP, threat driven strategies to bolster defenses and shorten reaction time to threat vectors active in your industry and geography, and perhaps asset driven strategies, where certain assets will merit enhanced protection and priority driven escalation for alerts. Most organizations find that an integrated mix of these strategies addresses their overall needs.

A Data-Driven Approach to Prioritization

The first approach to prioritization, consistent with the tenets of zero trust, is to take a data-driven approach. Customer data and intellectual property are often at the center of every organization’s most protected jewels. One way to move this into focus within SecOps would be to implement Data Loss Prevention (DLP). Data loss prevention (DLP), per Gartner, may be defined as technologies that perform both content inspection and contextual analysis of data sent via messaging applications such as email and instant messaging, in motion over the network, in use on a managed endpoint device, and at rest in on-premises file servers or in cloud applications and cloud storage. These solutions execute responses based on policy and rules defined to address the risk of inadvertent or accidental leaks or exposure of sensitive data outside authorized channels.

Enterprise DLP solutions are comprehensive and packaged in agent software for desktops and servers, physical and virtual appliances for monitoring networks and email traffic, or soft appliances for data discovery. Integrated DLP works with secure web gateways (SWGs), secure email gateways (SEGs), email encryption products, enterprise content management (ECM) platforms, data classification tools, data discovery tools, and cloud access security brokers (CASBs).

A Threat-Driven Approach to Prioritization

Threat intelligence focuses on defense and triage priority from the data to external threat actors and the techniques they are most likely to utilize. Threat intelligence can give the SOC the data they need to anticipate threat actors and the Tactics, Techniques, and Procedures (TTPs) these threat actors might use. Further, threat intelligence can provide a path to recognize the often unique Incidents of Compromise (IOCs) that can uniquely identify a type of cyberattack and the threat actor that uses them. The goal, of course, is to identify and prevent these most likely attacks before they occur or stop them rapidly upon detection.

The consolation prize is also a good one. If you cannot prevent an attack, you must be able to identify an unfolding threat. You must identify the attack, break the attacker’s kill chain, and then stop the attack. Threat intelligence can also help you assess your environment, understand the vulnerabilities that would support the execution of a particular kill chain, and then let you move rapidly to mitigate these threats.

In August of 2020, researchers from Dutch and German universities[2] co-presented at the 29th Usenix conference on a survey they conducted. The survey showed that there is less overlap between threat intelligence sources than most of us would expect. This includes both open (free) and paid threat intelligence sources.  The moral of the story is that large organizations likely need a wide set of threat intelligence data from multiple sources to gain an advantage over threat actors and the attack vectors they are likely to use. And these sources must be integrated into a common dashboard where SecOps threat investigators can rapidly leverage them.

An Asset-Driven Approach to Prioritization

Of course, certain assets are more valuable than others. This can be a function of the data they may uniquely hold, and the access to network, applications, and information resources frequented by their owners, or the level of criticality of the asset’s function. For example, the chief financial officer’s laptop may be assumed to be in possession of the most sensitive data, or medical device monitor during surgery or command controller for manufacturing production. Hence they may deserve higher priority in terms of protection.

Optimize Your Prioritization Strategy with MVISION XDR

MVISION XDR provides capabilities leveraging all of these prioritization strategies: data-driven, threat-driven, and asset-driven. On top of this MVISION XDR offers predictive assessment based on global threats likely to target your organization with a local assessment of how your environment can counter the threat. This “before the attack” actionable assessment is powered by the distinct MVISION Insights empowering SOC to be more proactive and less reactive.  Here is a preview of MVISION Insights top ten threat campaigns.  Here are some key prioritization examples delivered in MVISION XDR:

Key MVISION XDR Prioritization Examples

 

Priority Strategy (ies) Capability Description Benefit & Value
Data-driven Alert based on data-sensitivity Focus on critical impact activity
Threat-driven Automatic correlated threat techniques to derive at likely next steps Gain confidence in the alert less false positives
Threat-driven View trends and threat actors targeting your organization Reduce the universe of threats and actors to those that matter
Asset-driven Tag critical assets for automated prioritization Address threats to critical assets faster

Prioritization Delivers Improved Business Value for the SecOps Team

MVISION XDR can help you implement and optimize your prioritization strategy. Your SecOps team will have the improved triage time they need with prioritized threats, predictive assessment, and proactive response, and the data awareness to make better and faster decisions. To learn more, please review our Evolve with XDR webpage or reach out to our sales team directly.

 

[1] https://www.imperva.com/blog/27-percent-of-it-professionals-receive-more-than-1-million-security-alerts-daily/

[2] https://www.usenix.org/system/files/sec20_slides_bouwman.pdf

The post The Art of Ruthless Prioritization and Why it Matters for SecOps appeared first on McAfee Blogs.

]]>
Executive Spotlight: Q&A with VP of Products and Marketing, Anand Ramanathan https://www.mcafee.com/blogs/enterprise/executive-spotlight-qa-with-vp-of-products-and-marketing-anand-ramanathan/ Tue, 28 Sep 2021 17:08:30 +0000 https://www.mcafee.com/blogs/?p=129817

I spoke with Anand Ramanathan, VP of Products and Marketing who brings over 20 years of enterprise SaaS product experience...

The post Executive Spotlight: Q&A with VP of Products and Marketing, Anand Ramanathan appeared first on McAfee Blogs.

]]>

I spoke with Anand Ramanathan, VP of Products and Marketing who brings over 20 years of enterprise SaaS product experience ranging from high growth startups to established market leaders. Read the interview below to understand his thoughts on McAfee Enterprise and where he see’s the company going in the coming years.

Q: What is your ideal way to spend a Sunday?

Every ideal Sunday has 3 components:

  1. Starts with keeping the body fit – a game of tennis with close friends.
  2. Spending time with family – making and eating lunch together.
  3. Preparing for the week ahead – planning out my work schedule and prioritizing the actions.

Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise in the coming years?

The adversarial landscape has always been a digital cat and mouse game. McAfee Enterprise’s investment in AI over the years has allowed its solution to stay ahead of adversaries and provide industry-best protection for its customers. With adversaries pivoting their techniques at a more rapid pace, it has become imperative for security solutions to leverage the cloud and AI capabilities.

Q: Can you talk about McAfee Enterprise’s history of Insights and how it is used to improve cybersecurity capabilities, including protecting against cyber threats?

Insights was born out of two very simple questions that CISOs get asked: Were we impacted by a given threat? Will our defenses protect us from the threat?

With an increase in security breaches being covered by popular press; board and executive management are becoming more attune with the threat landscape. We are seeing them start to ask the important questions to their security teams.

At McAfee Enterprise, we saw the gap in knowledge within security teams to give quick and efficient answers to the two pivotal questions. And given our depth in threat research and data analytics capabilities, innovated with the industry’s first proactive security solution in MVISION Insights, we feel we can answer the above questions, placing crucial information in the hands of the security teams. The feedback from our customers has been tremendously positive.

Q: What goals and initiatives are you focusing on to drive the company for the rest of 2021 and beyond? What IT capabilities do you have your eye on?

McAfee Enterprise is at the center of three key buzzwords of 2021 – SASE, ZTNA, and XDR. We have been at the forefront of innovating in these areas with the release of MVISION Insights, MVISION Private Access, and MVISION UCE with integrated Remote Browser Isolation. We also have leadership in MITRE based attack detection for endpoint and cloud and MVISION marketplace for security ecosystem integration. We will be continuing this innovation velocity and lead the market with new capabilities on Zero Trust and XDR integration with the security ecosystem. Stay tuned, more to come!

The post Executive Spotlight: Q&A with VP of Products and Marketing, Anand Ramanathan appeared first on McAfee Blogs.

]]>
Why Can’t We Automate Everything? https://www.mcafee.com/blogs/enterprise/why-cant-we-automate-everything/ Tue, 28 Sep 2021 15:00:49 +0000 https://www.mcafee.com/blogs/?p=129733

You can’t automate every business process. While I love automation and promote the concept, I know its limitations. This viewpoint...

The post Why Can’t We Automate Everything? appeared first on McAfee Blogs.

]]>

You can’t automate every business process. While I love automation and promote the concept, I know its limitations. This viewpoint needs to be recognized and observed as more security officials implement automation within their organizations.

I’d estimate that for most enterprises, the first 80 percent of migrating and integrating processes to automation is easy to do. The last 20 percent is hard to accomplish.

This breakdown helps you set realistic expectations about automation. I enjoy how automation saves time by generating useful data through repetition. But right now, data compiled from some activities still require a human being to examine the results and make a decision. You will still need a critical eye from your security operations team or managed security services provider when looking at the useful data or anomalies.

We still need to address the 20 percent and realize that the situation may not be as much of a challenge as we think initially. Here are some examples of what I mean.

Where Automation Needs a Human Touch

Your automation detects and notes that one of your executives is connecting to your network from Russia. How do you know whether that executive is actually in Russia or if someone there is impersonating that executive? For optimal security, there needs to be human interaction to review the information and determine whether to let that person should be allowed to connect.

Or consider when IT officials at a hospital used the McAfee Enterprise ePolicy Orchestrator (ePO) console to automate a deeper level scan of physicians’ laptops. This scan occurred before the physicians began their daily scans by sending over someone from the hospital’s operations department to clean the laptop and comply with HIPAA regulations. To collect the events compiled from the laptops, the IT officials used IBM® QRadar® Device Support Module (DSM) for McAfee Enterprise ePO. This platform integrated from IBM Security™ uses analytics for insights into potential threats to data.

With this setup, whenever an anomaly appeared in QRadar, such as some unusual behavior at the network level, an IT official at the hospital would right-click and add the IP address to a different scan group in ePO through the application programming interfaces (APIs). Automating that initial first pass of scanning the laptop finds these discrepancies quickly. But ultimately humans like IT officials must review the notification and send a message to McAfee Enterprise expert to clean the anomaly from the laptop themselves and confirm the anomaly was removed.

So, it’s hard to automate the 20 percent done by humans in your organization as shown here. But what the 80 percent of easy automation does for the rest of your business processes can outweigh that perceived drawback.

How and Why the 80 Percent Easy Automation Matters More

You can easily find yourself at work engulfed in an ocean of data. Indicators from your automation help you find out what’s important. Activity from the endpoints of your network gives you or an MSSP a view of what’s happening with your data.

Most systems today have everything connected to the internet. The endpoints interact with your network. Having broad visibility and detection across your network — whether it’s looking at DNS logs, proxy logs, traffic and so on — allows you to correlate information and identify what’s taking place right now.

The real-time aspect of automation for data on your network is vital important. Threats to your network depends both on how much time they require to activate and how long before they are detected and remediated. Automation that’s easy to implement helps find attacks quickly with a real-time detection engine that can minimize the damage that takes place.

Experts at McAfee Enterprise and our partners at IBM Security can help with troubleshooting by providing support for the 20 percent automation you can’t fulfill. You can investigate a full lifecycle of endpoint events using McAfee Enterprise MVISION and IBM QRadar integrated together. And you can automate remediation with the IBM Security SOAR (security orchestration, automation and response) platform.

With these tools, you can integrate the data available from threat feeds in one platform for better visibility and context. IBM’s managed security services experts can help you answer questions around how to best configure, administrate and manage endpoint security incidents based on that data collected by automation.

We can also help you learn about other technologies and trends that are happening that our experts deal with every day. Consultants can help you identify how to lower or minimize costs of attacks and breaches as well as work proactively to address these issues. Automation can’t provide you with these resources, but we can.

What to Expect for the Future

We have researchers at work looking how to merge that last hard 20 percent of automation implementation into the 80 percent of easy migration and conversion. For now, accept the notion that automation can handle most tasks for your organization and save you time and costs in the process. And what automation can’t do in those areas, we at McAfee Enterprise and IBM Security can help fill in the gaps.

Learn more about what automation with expert support can do for you by reviewing the features of MVISION Endpoint Security and IBM Managed Security Services. Or schedule a free 30-minute consultation with IBM Security by clicking the “Let’s talk” button on the IBM Managed Security Services homepage.

 

The post Why Can’t We Automate Everything? appeared first on McAfee Blogs.

]]>
Finding 0-days with Jackalope https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/finding-0-days-with-jackalope/ Mon, 27 Sep 2021 04:01:39 +0000 https://www.mcafee.com/blogs/?p=127255

Overview On March 21st, 2021, the McAfee Enterprise Advanced Threat Research (ATR) team released several vulnerabilities it discovered in the...

The post Finding 0-days with Jackalope appeared first on McAfee Blogs.

]]>

Overview

On March 21st, 2021, the McAfee Enterprise Advanced Threat Research (ATR) team released several vulnerabilities it discovered in the Netop Vision Pro Education software, a popular schooling software used by more than 9,000 school systems around the world. Netop was very responsive and released several updates to address many of the critical findings, creating a more secure product for our educators and children to use. During any vulnerability research project, as we continue to gain a deeper understanding on how a product works, additional threat vectors become apparent which may lead to additional findings; this proved once again true during the Netop research. In this blog we will highlight an additional finding: CVE-2021-36134, a vulnerability in the processing of JPEG images, on the Netop Vison Pro version 9.7.2 software. The main emphasis will focus on the process and techniques used during blackbox fuzzing of a Windows DLL.

Background

Fuzzing can be a challenging exercise and just knowing where to start can be cause for confusion. There are many different fuzzers on the market, many of them primarily designed to handle open-source projects on Linux. In late 2020 Google’s Project Zero team released a new fuzzer named Jackalope. Jackalope is a coverage-guided fuzzer, meaning it keeps track of code paths during testing and uses that information to guide its future mutations. Jackalope leverages a library called TinyInst for its code coverage and allows for command line parameters related to code coverage to be passed directly to TinyInst. What caught my attention about Jackalope was that it was designed with a blackbox, Windows and MacOS first mentality. It was built to fill a gap in Windows blackbox fuzzing, which has existed for some time and therefore warranted further investigation. During the time of Jackalope’s release, we were working on the Netop Vision Pro research which runs primarily on Windows, so it was logical to test Jackalope to see if we could discover any new vulnerabilities on Netop Vision Pro.

Setup

The Jackalope documentation does a great job of explaining the setup and build process to get started. For this setup we set up shop on a Windows 10 fully patched system and compiled Jackalope from the GitHub repo using Visual Studio 2019. In a short amount of time, it was time to test the setup. The repo provides a test binary which can be built with the source and therefore is the best place to understand how the fuzzer works. There are just under a few hundred lines of code, but how it works can be summed up in just a few lines, as seen in Figure 1.

Figure 1 test.cpp

Examining the test code, it becomes apparent the test binary simply crashes if it finds the word “test” in memory. It causes a crash by attempting to write the value “1” at an invalid memory address, “NULL”.  Therefore, to ensure the fuzzer is working properly we need to create a small input corpus. This can be done by creating an “in” directory and placing a couple of text files within it, one containing the word “test”. We are not looking for crashes or new vulnerabilities during this test, but simply making sure our setup is functioning as expected. The test run can be seen in Figure 2, where the command to execute the test case was taken from the Jackalope documentation.

Figure 2 Testing fuzzer

Target Selection

When selecting an overall target function, it’s first important to look at how an application takes input alongside with how the fuzzer can tailor that input. Jackalope is designed to provide either a file or a chunk of shared memory to the target. This gives a lot of flexibility since almost anything can be set up as shared memory including network packet payloads. The trick becomes how to pass the file or shared memory to the target. In larger applications on Windows, a typical approach is to determine what functionality you want to fuzz, find a DLL that exports a function within the target code path, and pass that function the input. The closer the exported function is to the end of the desired code path to fuzz, the less headaches, and better results you will have trying to exercise the desired code.

Through the research done on Netop, we had a deep insight into how the system functions and the very large number of DLLs that it contains along with the numerous amounts of exported functions. After review, the function MeImgLoadJpeg which is exported in MeImg.dll stuck out as a good place to get started.

Figure 3 MeImgLoadJpeg Header

What makes this a good candidate for fuzzing? First, how, and when this function is executed is important. This function gets executed on both the student and teacher machines whenever a JPEG image is loaded into the system. For students this is when an image is pushed over the network to them; for example: when a teacher uses the blank screen feature on a student. On the teacher’s machine this function is called when a teacher loads an image to send to the student. The key components here are that it is potentially executed often, input can come from a local file or a network file and it affects both components of our system.

Second, when investigating this function further, the parameters are fuzzing friendly. Through light reversing, it can easily be seen that it takes a file path and opens the file directly within the function. This makes fuzzing it with Jackalope very simple since it supports file fuzzing and we won’t need to open or manipulate the test file in memory. Also, very few parameters are passed, one of which (BITMAPINFOHEADER), is well documented by Microsoft, making it simpler to construct valid calls. This also is true for the return parameter, HBITMAP. This will make it easy to determine success and failure conditions. Lastly, the fuzzable component of this function is a JPEG file. JPEG is a well-documented format and a well-fuzzed format, making test corpus generation and potentially crash analysis simpler.

Writing the Test Harness

In most fuzzing setups, a custom program is necessary to setup the required structure and complete any initialization required by the target function. This is commonly referred to as the test harness. It is required any time your target for fuzzing is not the main binary or executable, which tends to be the case most of the time. For example, if you want to fuzz a small executable like the “file” command on Linux, you don’t always require a test harness, since the binary takes its input (a file) directly from the command line and there is little to no setup required to get to your desired state. However, in many cases, especially on Windows, it is common to be looking to fuzz part of the code that is often not as directly accessible or requires setup before it can be passed the fuzzed data. This is where a test harness comes into play. Using the Jackalope “test.cpp” file provided in the GitHub repo, it is easy to see an example of what is needed when writing a test harness. The harness needs to configure the incoming test case as ether a file or shared memory input, set up parameters for the target function, call the function, and, if needed, create a crash to indicate a found crash to Jackalope.

To get started we first must load the DLL which contains our target function. In Windows this is usually performed with a call to “LoadLibrary”. Since our entire purpose is to fuzz a function within this DLL, if it fails to load, we should just exit.

Figure 4 LoadLibrary

Now that the DLL is loaded into memory, we need to obtain the address of our target function. This is commonly done through “GetProcAddress”.

Figure 5 GetProcAddress

The next step, setting up the parameters for the target function, is arguably the most crucial and can be the most difficult step in building a test harness. The best trick to get this right is to find examples of your target function being called in the real application and then mimic this setup in your test harness.  In Netop, this function is only called by one other function. Figure 6 shows a slightly cleaned up version of a portion of the IDA decompilation of the function which calls MeImgLoadJpeg.

Figure 6 IDA Pro Decomplication of call to MeImgLoadJpeg

We can learn some key points from this call that are important to keep consistent if we want to find a useful crash. We know the first parameter (a2) is simply a file path. In our code, we do need to ensure our file path is in the format of a wide-character, since this is the typical format for a Windows file path. The second parameter (v8) is a Windows BITMAPINFOHEADER object. We can see from this code all the members of the BITMAPHEADER object are being set to 0 using a “memset”, except the “biSize”, which is being set to “40”. Since this is the only time this function is called in the Netop application, if we want to find a bug that has a chance to be leveraged through Netop, we need to follow this format. Why the value is set to 40 is less relevant for our purposes within the test harness; however, it may require investigation depending on any crashes found. The same principle holds true for the 3rd and final parameter. We see here it is hardcoded to zero, so we want to do the same. Could we test other values? Of course, but if Netop is hardcoded to zero we would never actually be able to pass anything else outside of our exercise. Using our additional understanding from Figure 6, we put the below code in Figure 7 into our harness.

Figure 7 Target Function Setup

With our parameters configured, we now need to simply call the function we want to fuzz. Where is the fuzzed data? In this case, our fuzzed data will be the jpeg file. The fuzzer will be passing a file path of a mutated jpeg file.

Figure 8 Calling MeImgLoadJpeg

This next step is highly dependent on the target function. If the target function will not fail in a manner that will crash your harness (throw an unhandled exception), then you need to create a crash for a failed test case. This can be seen in Figure 1 test.cpp. In this case, the target function has error handling and we are interested in any case which causes an unhandled exception within our DLL. If the DLL throws an unhandled exception, it will crash our test harness. As a result, we only need to check the return value for our own purposes to confirm things are working properly. This is good for initially testing, but we will want to remove any unnecessary code for our actual fuzz run. A non-null return value means the jpeg image was parsed and null means a handled error occurred, which is uninteresting for our case.

Figure 9 Checking the return value

With all this framework in place, we can run our harness with a valid image and confirm we get the expected result.

Figure 10 Test run

Performance Considerations

Although the above test harness code will successfully execute the target function and fully function within our fuzzer, we can make a few targeted changes to increase performance and results. One of the slowest operations in an application is printing to the screen, and this is true when fuzzing. Error checking is extremely helpful for development; however, printing “Result was not null” or the inverse every time will reduce our executions per second and doesn’t add anything to our fuzzer. Additionally, it is important not to introduce any extra code in our “fuzz” function which could potentially introduce additional code paths. This could cause the mutators to think that it found a new path of interesting code, when in fact it’s only the harness. As a result, you want your “fuzz” function to be the absolute bare minimum required to execute your code and perform other setup actions outside this function.

Selecting a Test Corpus

Now that we have a working test harness, we need to create a test corpus or input files for the fuzzer. The importance of this step for fuzzing cannot be overstated. The test cases produced by a fuzzer or only as good as the ones provided. In most cases, you are looking to create a set of minimal test inputs (and minimal size) that generate maximal code coverage.

Selecting or building a test corpus can be a complicated process. One of the advantages to using a known and popular format like JPEG is that there are many open-source corpora. Strongcourage’s corpus on GitHub is a great repo since it is many corpora combined and is the testing corpus that was used to find CVE-2021-36134. Jackalope does not recursively traverse directories when reading the input directory and does not throw an error in this regard, therefore it is important to make sure your corpus directory is only one level deep.

Results

Using this basic outlined method and running Jackalope in the same fashion as the example test binary, a write access violation crash is found in the MeImgLoadJpeg in just a few minutes. This write access violation bug is filed as CVE-2021-36134.

This violation occurs because of memory being allocated for the destination of a memory copy based on the default three color components of a JPEG image, instead of using the value provided in the input file’s JPEG header. The copy is using the values provided by the file to determine the address of where to copy the image in memory. A write access violation occurs when a malformed image reports having four color components instead of the default three and the memory allocated is not the same size as the actual image.

Given the extensive prior reports and full system vulnerabilities we submitted to NetOp before, we decided not to take the analysis further and determine if the bug was truly exploitable. The code path can be leveraged over the network, by utilizing the teacher’s blank student screen feature. It is worth noting this code runs on both the student and the teacher, so the teacher would be unable to load this image to send to a student without crashing their own system. An attacker could leverage the previously discovered and disclosed vulnerabilities to emulate a teacher and send this image to a student regardless.  Since the destination of the memory copy is being calculated based on image width and number of color components, it is plausible for an attacker to control where the “write” takes place; however, they would need to use an address space that could be calculated without invalidating the image further. In addition, the code is writing pixels from the image which is also under the attacker’s control. As a result, this could lead to a partial arbitrary write.

Conclusion

Fuzzing can be a fantastic tool for discovering new vulnerabilities in software. Although having source code can enhance fuzzing, it should not be considered a barrier of entry. Many tools and techniques exist which can be used to successfully fuzz blackbox targets and in turn help enhance the security of the industry.

One goal of the McAfee Enterprise Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Leveraging Google Project Zero team’s Jackalope and blackbox fuzzing techniques a JPEG parsing vulnerability, CVE-2021-36134 was discovered in Netop Vision Pro version 9.7.2. As per McAfee Enterprise’s vulnerability public disclosure policy, the ATR team informed Netop on June 25th, 2021, and worked directly with the Netop team. This partnership resulted in the vendor working towards effective mitigations of the vulnerability detailed in this blog.

The post Finding 0-days with Jackalope appeared first on McAfee Blogs.

]]>
What to Expect from the Next Generation of Secure Web Gateways https://www.mcafee.com/blogs/enterprise/cloud-security/what-to-expect-from-the-next-generation-of-secure-web-gateways/ Thu, 23 Sep 2021 19:42:27 +0000 /blogs/?p=102097

After more than a century of technological innovation since the first units rolled off Henry Ford’s assembly lines, automobiles, and...

The post What to Expect from the Next Generation of Secure Web Gateways appeared first on McAfee Blogs.

]]>

After more than a century of technological innovation since the first units rolled off Henry Ford’s assembly lines, automobiles, and transportation bear little in common with the Model T era. This evolution will continue as society finds better ways to achieve the outcome of moving people from point A to point B.

While Secure Web Gateways (SWGs) have operated on a far more compressed timetable, a similarly drastic evolution has taken place. SWGs are still largely focused on ensuring users are protected from unsafe or non-compliant corners of the internet, but the transition to a cloud and remote-working world has created new security challenges that the traditional SWG is no longer equipped to handle. It’s time for the next generation of SWGs that can empower users to thrive safely in an increasingly decentralized and dangerous world.

How We Got Here

The SWG actually started out as a URL filtering solution that enabled organizations to ensure that employees’ web browsing complied with corporate internet access policy.

URL filtering then transitioned to proxy servers sitting behind corporate firewalls. Since proxies terminate traffic coming from users and complete the connection to the desired websites, security experts quickly saw the potential to perform more thorough inspection than just comparing URLs to existing blacklists. By incorporating anti-virus and other security capabilities, the “Secure Web Gateway” became a critical part of modern security architectures. However, the traditional SWG could only play this role if it was the chokepoint for all internet traffic, sitting at the edge of every corporate network perimeter and having remote users “hairpin” back through that network via VPN or MPLS links.

Next-Generation SWG

The transition to a cloud and remote-working world has put new burdens on the traditional perimeter-based SWG. Users can now directly access IT infrastructure and connected resources from virtually any location from a variety of different devices, and many of those resources no longer reside within the network perimeter on corporate servers.

This remarkable transformation also expands the requirements for data and threat protection, leaving security teams to grapple with a number of new sophisticated threats and compliance challenges. Unfortunately, traditional SWGs haven’t been able to keep pace with this evolving threat landscape, resulting in an inefficient architecture that fails to deliver the potential of the distributed workforce.

Just about every major breach now involves sophisticated multi-level web components that can’t be stopped by a static engine. The traditional SWG approach has been to coordinate with other parts of the security infrastructure, including malware sandboxes. But as threats have become more advanced and complex, doing this has resulted in slowing down performance or letting threats get through. This is where Remote Browser Isolation (RBI) brings in a paradigm shift to advanced threat protection. When RBI is implemented as an integral component of SWG traffic inspection, it can deliver real-time, zero-day protection against ransomware, phishing attacks, and other advanced malware so that even the most sophisticated threats can’t get through, without hindering the browsing experience.

Another issue with most traditional SWGs is that they aren’t able to sufficiently protect data as it flows from distributed users to cloud apps, due to lacking advanced data protection and cloud app intelligence. Without Data Loss Prevention (DLP) technology that is advanced enough to understand the nature of cloud apps and to keep up with evolved safety demands, organizations can find data protection gaps in their SWG solutions that keep them vulnerable to risks.

Finally, there is the question of cloud applications. While cloud applications operate on the same internet as traditional websites, they function in a fundamentally different way that traditional SWGs simply can’t understand. Cloud Access Security Brokers (CASBs) are designed to provide visibility and control over cloud applications, and if the SWG doesn’t have access to a comprehensive CASB application database and sophisticated CASB controls, it is effectively blind to the cloud. It’s only a cloud-aware SWG with integrated CASB functionality that can extend data protection to all websites and cloud applications, empowering organizations and their users to be better protected against advanced threats.

What we need from Next-Gen SWGs

Fig. Next Generation Secure Web Gateway Capabilities

A next-gen SWG should help simplify the implementation of Secure Access Service Edge (SASE) architecture and help accelerate secure cloud adoption. At the same time, it needs to provide advanced threat protection, unified data control, and efficiently enable a remote and distributed workforce.

Here are some of the use cases:

  • Enable a remote workforce with a direct-to-cloud architecture that delivers 99.999% availability. As countries and states slowly came out of the shelter-in-place orders, many organizations indicated that supporting a remote and distributed workforce will likely be the new norm. Keeping remote workers productive, data secured, and endpoints protected can be overwhelming at times. A next-gen SWG should provide organizations with the scalability and security to support today’s remote workforce and distributed digital ecosystem. A cloud-native architecture helps ensure availability, lower latency, and maintain user productivity from wherever your team is working. A true cloud-grade service should offer five nines (99.999%) availability consistently.
  • Reduce administrative complexity and lower cost – Today, with increased cloud adoption, more than 80% of traffic is destined for the internet. Backhauling internet traffic to a traditional “Hub and Spoke” architecture which requires expensive MPLS links can be very costly. Network slows to a halt as traffics spikes, and VPN for remote workers have proven to be ineffective. A next-gen SWG should support the SASE framework and provide a direct-to-cloud architecture that lowers the total operating costs by reducing the need for expensive MPLS links. With a SaaS delivery model, next-gen SWGs remove the need to deploy and maintain hardware infrastructure reducing hardware and operating costs, while increasing performance, reliability, and scalability.
  • Lock down your data, not your business – More than 95% of companies today use cloud services, yet only 36% of companies can enforce DLP rules in the cloud at all. Additionally, most traditional SWGs are not able to sufficiently protect data as it flows from distributed users to cloud applications, due to the lack of advanced data protection and cloud app intelligence. A next-gen SWG should offer a more effective way to enforce protection with built-in Data Loss Prevention templates and in-line data protection workflows to prevent restricted data from flowing out of the organization. A device-to-cloud data protection offers comprehensive data visibility and consistent controls across endpoints, users, clouds, and networks. With built-in DLP technology, next-gen SWGs ensure organizations remain compliant with corporate security policies, as well as industry and government regulations.
  • Defend against known and unknown threats – As the web continues to grow and evolve, web-born malware attacks also grow and evolve, beyond the protection that traditional SWGs can provide. Ransomware, phishing, and other advanced web-based threats are putting users and endpoints at risk. A next-gen SWG should feature the most advanced integrated security controls, including global threat intelligence and sandboxing, so that even the most sophisticated threats can’t get through. A next-gen SWG with threat protection solutions that work together is able to ensure consistent policies, data protection, and visibility across isolated and non-isolated traffic. A next-gen SWG should also include integrated Remote Browser Isolation to prevent unknown threats from ever reaching the endpoints.

SWGs have clearly come a long way from just being URL filtering devices to the point where they are essential to furthering the safe and accelerated adoption of the cloud. But we need to push the proverbial envelope a lot further. Digital transformation demands nothing less.

 

The post What to Expect from the Next Generation of Secure Web Gateways appeared first on McAfee Blogs.

]]>
Detecting Credential Stealing Attacks Through Active In-Network Defense https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/detecting-credential-stealing-attacks-through-active-in-network-defense/ Thu, 23 Sep 2021 04:01:59 +0000 https://www.mcafee.com/blogs/?p=129064

Executive Summary Today, enterprises tend to use multiple layers of security defenses, ranging from perimeter defense on network entry points...

The post Detecting Credential Stealing Attacks Through Active In-Network Defense appeared first on McAfee Blogs.

]]>

Executive Summary

Today, enterprises tend to use multiple layers of security defenses, ranging from perimeter defense on network entry points to host based security solutions deployed at the end user’s machines to counter the ever-increasing threats. This includes inline traffic filtering and management security solutions deployed at access and distribution layers in the network, as well as out of band solutions like NAC, SIEM or User Behavior Analysis to provide identity-based network access and gain more visibility into the user’s access to critical network resources. However, layered security defenses face the major and recurring challenge of detecting newer exploitation techniques as they heavily rely on known behaviors. Additionally, yet another significant challenge facing the enterprise network is detecting post-exploitation activities, after perimeter security is compromised.

Post initial compromise, to be able to execute meaningful attacks, attackers would need to steal credentials to move laterally inside the network, access critical network assets and eventually exfiltrate data. They will use several sophisticated techniques to perform internal reconnaissance and remote code execution on critical resources, which range from using legitimate operating system tools to discover network assets to using novel code execution techniques on the target. Consequently, differentiating between the legitimate and malicious use of Windows’ internal tools and services becomes a high priority for enterprise networks.

To tackle this long-standing problem of detecting lateral movement, enterprise networks must formulate active in-network defense strategies to effectively prevent attackers from accessing critical network resources. Network Deception is one such defensive approach which could potentially prove to be an effective solution to detect credential theft attacks. Detecting credential stealing attacks with deception essentially requires building the necessary infrastructure by placing the decoy systems within the same network as production assets and configuring them with decoy contents to lure the attackers towards the decoy machines and services. Accurately configuring and tuning the deceptive network can deflect the attacker’s lateral movement path towards the deceptive services, consequently allowing the attackers to engage with the deceptive network, helping enterprises protect production assets.

MITRE Shield, a knowledge base maintained by MITRE for active defense techniques highlights many of the methods in adversary engagement. Some of the techniques described by MITRE Shield Matrix with respect to network deception are as below:

MITRE Shield Description ATT&CK Technique
Decoy Account – DTE0010 A decoy account is created for defensive or deceptive purposes. The decoy account can be used to make a system, service, or software look more realistic or to entice an action Account Discovery, Reconnaissance
Decoy Credentials – DTE0012 Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) Credential Access, Privilege Escalation
Decoy Diversity – DTE0013 deployment of decoy systems with varying Operating Systems and software configurations Reconnaissance
Decoy Network – DTE0014 Multiple computing resources that can be used for defensive or deceptive purposes Initial Access
Decoy Personna – DTE0015  Used to establish background information about a user. In order to have the adversary believe they are operating against real targets Initial Access, Discovery, Reconnaissance
Decoy System – DTE0017 Computing resources presented to the adversary in support of active defense Reconnaissance

 

Over the course of this paper, we will discuss some of the widely adapted credential theft attacks executed by adversaries after the initial compromise and then move on to discuss defense techniques against the above MITRE Shield attacks and how to use them effectively to detect deceptive credential usage in the network.

Network Deception – An Active in-network defensive approach

  • Most of the targeted attacks involve stealing credentials from the system at a certain point in time as attackers would use them to pivot to other systems in the network. Some of the credential stealing techniques like Golden Ticket attacks have been found to be used in multiple ransomwares armed with lateral movement capabilities.
  • Active in-network defense strategies described by the MITRE Shield matrix are significant and play a critical role in detecting credential abuse in the network.
  • Network Deception uses these active defense techniques to build the deceptive network infrastructure which could potentially lead to redirecting an attacker’s lateral movement path and engaging them to the decoy services without touching the critical production systems.
  • It involves placing decoy systems, decoy credentials and decoy contents all throughout the production network essentially converting it into a trap, playing a crucial role in mitigating the attacks.

McAfee Protection

  • McAfee MVISION Endpoint Security has the capabilities to protect against credential theft attacks like credential extraction from LSASS process memory via ATP rule 511. More details on configuring policies and a demo are available here.
  • McAfee MVISION Endpoint Detection and Response (EDR) has the capabilities to detect credential access from tools like Mimikatz.
  • With McAfee MVISION EDR and ENS integration with Attivo’s network and endpoint deception sensor, McAfee can manage its agents and receive alerts for detections in ePO and EDR.

Lateral Movement – Introduction

Lateral movement refers to the tools and techniques used by attackers to progressively expand their foothold within an enterprise network after gaining initial access. As shown in the figure below, lateral movement activity comprises of several stages starting from credential theft, target enumeration and discovery, privilege escalation, gaining access to network resources and eventually remote code execution on the target before exfiltrating data to accomplish a successful attack. Once inside the network, attackers will deploy a range of techniques at each stage of lateral movement to achieve their end goal. One of the primary challenges an attacker will face while moving laterally inside a network is to hide their activities in plain sight by generating a minimum volume of legitimate looking logs to be able to remain undetected. To achieve this, an attacker might choose to embed the tool within a malicious executable or use the operating system’s internal legitimate tools and services to perform its lateral movement operations, consequently making this network traffic harder to distinguish.

As per the Verizon DBIR report 2020, over 80% of data breaches involve credential theft attacks. Credential theft is one of the primary tasks attackers need to perform post-exploitation and after gaining initial control of the target machine. It will usually be the first step towards lateral movement strategies which will allow attackers to elevate their privileges and acquire access to other network resources. As indicated earlier, attackers have long been abusing Windows legitimate features like SMB, RPC over SMB, Windows Management Instrumentation, Windows Remote Management, and many other features to perform lateral movement activities. Figure 1 below highlights where lateral movement falls within the attack chain and its different stages. To remain stealthier, these activities would span a period ranging from many weeks to months.

Figure 1 – Stages of Lateral movement

To be able to distinguish between the admissible and malicious use of these inbuilt services, it is extremely critical for organizations to deploy advanced Threat Detection solutions. Over the course of this blog, we will discuss various credential theft techniques used by adversaries during lateral movement. We will also discuss an approach that can be used to effectively detect these techniques inside the network.

Credential Theft Attacks

Attackers use a variety of tools and techniques to execute credential theft attacks. Many of these tools are open source and readily available on the internet. Operating systems like Windows implement Single Sign On (SSO) functionality, which require the user’s credentials to be stored in memory, thereby allowing the OS to seamlessly access network resource without repeatedly asking the user to re-enter those credentials. Additionally, user credentials are stored in memory in a variety of formats like NTLM hashes, reversibly encrypted plaintext, Kerberos tickets, PINs, etc., which can be used to authenticate to services depending upon the supported authentication mechanism. These credentials can be acquired by attackers from memory by parsing appropriate credential storage structures or using the Windows credential enumeration APIs.  Consequently, these attacks pose major security concerns, especially in the domain environment if the attacker gains access to privileged credentials which can then be reused to access critical network resources. In the following sections, we discuss some of the widely adapted credential stealing techniques used by malware, with respect to the Windows operating system. Similar credential stealing techniques can also be used with other operating systems as well.

Stealing Credentials from LSASS Process Memory

The Local Security Authority Subsystem Service (LSASS) process manages and stores the credentials of all the users with active Windows sessions. These credentials stored in the LSASS process memory will allow users to access other network resource such as files shares, email servers and other remote services without asking them for the credentials again. LSASS process memory stores the credentials in many formats including reversibly encrypted plaintext, NTLM hashes, Kerberos Tickets (Ticket Granting Tickets, etc.). These credentials are generated and stored in the memory of the LSASS process when a user initiates the interactive logon to the machine such as console logon or RDP, runs a scheduled task or uses remote administration tools. The encryption and decryption of credentials is done using LsaProtectMemory and LsaUnProtectMemory respectively and hence a decryption tool using these APIs will be able to decrypt LSASS memory buffers and extract them. However, malware would need to execute with local administrator privileges and enable “SeDebugPrivilege” on the current process to be able access the LSASS process memory.

Below is a code snapshot from one of the famous credential harvesting tools, Mimikatz, enabling the required privileges on the calling thread before dumping the credentials.

Figure 2 – Checking for required privileges

We can see that the NTLM hash of the user’s credentials is revealed, and this can be brute forced offline as shown below. Many Windows services, such as SMB, support NTLM authentication and NTLM hashes can be used directly for authentication eliminating the need for the clear text passwords.

Figure 3 – Cracking NTLM Hashes offline

Attackers avoid using freely available tools like Mimikatz directly on the target machine to harvest credentials since they are easily detected by AVs. Instead, they use recompiled clones of it with minimal functionality to avoid noise. Below is one such instance where malware embeds recompiled Mimikatz code with the minimal required functionality.

Figure 4 – Credential extraction tool embedded inside malicious executable

Detection can also be avoided by using several “living off the land’ mechanisms, available in many post-exploitation frameworks, to execute the credential harvesting tools directly from memory using Reflective PE injection, where the binary is never written to the disk. Yet another approach is to dump the LSASS process memory using process dumping tools, exfiltrate the dump and extract the credentials offline. Microsoft has documented multiple ways to configure additional LSASS process protection which can prevent credentials being compromised.

Stealing Credentials from Security Accounts Manager (SAM) Database

The SAM database is a file on a local hard drive that stores the credentials for all local accounts on the Windows computer. NT hashes for all the accounts on the local machine, including the local administrator credential hash, are stored in the SAM database. The SAM database file is in %SystemRoot%system32/config and the hashes of the credentials are within the registry HKLM\SAM. Attackers need to acquire elevated privileges to be able to access the credentials from the SAM database. The example below demonstrates how the credentials from the SAM database can be revealed through a simple Meterpreter session.

Figure 5 – Dumping SAM database

Stealing Credentials from Windows Credential Manager (CredMan)

Windows Credential Manager stores the Web and SMB/RDP credentials of users if they choose to save them on the Windows machine, thereby preventing the authentication mechanism from asking for those passwords again on subsequent logins. These credentials are encrypted with Windows Data Protection APIs (DPAPI) CryptProtectData, either using the current user’s logon session or a generated master key, and then saved on the local hard drive. Consequently, any process running in the context of the logged in user will be able to decrypt the credentials using CryptUnProtectData DPAPI. In the domain environment, these credentials can be used by attackers to pivot to other systems in the network. Data Protection APIs provide the cryptographic functionalities that can be used to securely store credentials and keys. These APIs are used by several other Windows components like browsers (IE/Chrome), certificates and many other applications as well. Below is one example of how credential dumping tools like Mimikatz can be used to dump stored Chrome credentials.

Figure 6 – Dumping browser credentials

DPAPI can be abused in multiple ways. In the Active Directory domain joined environment, if other users have logged into the compromised machine, provided a malware is running with escalated privileges, it can extract other user’s master keys from the LSASS memory which can then be used to decrypt their secrets. Below is a screenshot of how the master key can be extracted by using the credential dumping tool.

Figure 7 – Extracting DPAPI Master Key

Malware also tends to use multiple variants of credential enumeration APIs available within Windows. These APIs can extract credentials from Windows Credential Manager. Below is one instance of the malware using CredEnumerateW API to retrieve credentials and then search for terminal services passwords which It would use to pivot to other systems.

Figure 8 – Extracting credentials using Windows API

Stealing Service Account Credentials Through Kerberoasting

In the domain joined environment, the Kerberos protocol has a significant role to play with respect to authentication and requesting access to services and applications. It provides Single-Sign-On functionality for accessing multiple shared resources within the enterprise network. The Kerberos authentication mechanism in Active Directory involves multiple requests and responses like Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) supported by a Key Distribution Server (KDC), usually a Domain Controller. Upon successful authentication, a user will be able to access the respective services.

Attackers gaining access to a system joined in the domain would usually look for high value assets like Active Directory Controller, Database server, SharePoint server, Web Server, etc., and these services are registered in the domain with the specific Service Principal Name (SPN) values, which is a unique identifier of the Service Account in the domain. These SPN values are used by Kerberos to map the instance with the logon account allowing the client to authenticate to the respective service. Well known SPN values are listed out here. Once the attacker is authenticated with any domain user credentials and has information about the SPN values of the services within the domain, they can initiate the Kerberos Ticket Granting Service request (TGS – REQ) to the Key Distribution Server with the specified SPN value. Details on how the SPN values are registered and used in Kerberos authentication is documented here. TGS response from the KDC will have the Kerberos Ticket encrypted with the hash of the service account. This ticket can be extracted from the memory and can be brute forced offline to acquire service account credentials, allowing a domain user to gain admin level access to the service.

Kerberoasting is a well-documented attack technique listed in MITRE ATT&CK and it essentially abuses the Kerberos authentication allowing adversaries to request the TGS Tickets for the valid service accounts and brute force the ticket offline to extract the plain text credentials of the service accounts, consequently enabling them to elevate their privileges from domain user to domain admin. As an initial step to this lateral movement technique, the attacker would perform an internal reconnaissance to gain information about the services registered in the domain and get SPN values. A simple PowerShell command after importing the Active Directory PowerShell module, as shown below, can initiate the LDAP query to get information about all the user accounts from the Domain Controller with the SPN value set.

Figure 9 – PowerShell command to generate LDAP query

Attackers can specifically choose to scan the domain for MSSQL service with the registered SPN value used for Kerberos authentication. PowerShell scripts like GetUserSPNs can scan all the user SPNs in the domain or MSSQL service registered in the domain with Discover-PSMSSQLServers or Invoke-Kerberoast scripts.  Following is an example output from the script:

Figure 10 – Kerberoasting PowerShell script output

Once an attacker has the SPN value of the SQL service, a Kerberos Ticket Granting Service Ticket request (TGS-REQ) can be initiated to the domain controller with the SPN value. This can be done by a couple of PowerShell commands generating KRB-TGS-REQ as shown below:

Figure 11 – Kerberos TGS request

Consequently, the Domain Controller sends the TGS-RESP with the ticket of the service account which will be cached in the memory and can be extracted by dumping tools like Mimikatz as a .kirbi document. This can be brute forced offline by tgsrespcrack, allowing the attacker to gain unrestricted access to the service with elevated privileges.

Stealing Credentials from Active Directory Domain Service (ntdis.dit) File

As indicted earlier, once an attacker has penetrated the domain network, it will be natural to progress towards targeting critical assets, such as the Active Directory controller. The Active Directory Database Services AD DS Ntds.dit file is one of the most overlooked attack vectors in the domain environment but can have significant impact if the attacker is able to gain the domain administrative rights leading to complete domain compromise.

The Ntds.dit file is the authoritative store of credentials for all the users in the domain joined environment, storing all the information about the users, groups and memberships, including credentials (NT Hashes) of all the users in the domain with historical passwords and user’s DPAPI backup master keys. An Attacker with domain admin rights can gain access to the Domain Controller’s file system and acquire credentials like hashes, Kerberos tickets and other reversibly encrypted passwords of all the users joined in the domain by dumping and exfiltrating the Ntds.dit file. These credentials can then be used by the attacker to further access resources by using attack techniques like PTH within the network since the credentials used across other shared resource could be same.

Multiple techniques can be used to dump the Ntds.dit file from the Domain Controller locally as well as remotely and extract the NTLM hashes/DPAPI backup keys for all the domain joined users. One of the techniques is to use the Volume Shadow Copy Service using the vssadmin command line utility and then extract the Ntds.dit file from the volume shadow copy as shown below.

Figure 12 – Dumping Volume shadow copy for C drive

Sensitive data on Active Directory is encrypted with the Boot Key (Syskey) stored in the SYSTEM registry hive and dumping the SYSTEM registry hive is a prerequisite as well to be able to extract all the credentials.

Publicly available Active Directory auditing frameworks like DSInternals provide PowerShell cmdlets to extract the Syskey from the SYSTEM registry hive and extract all the credentials from the Ntds.dit file.

Ntds.dit can also give access to the powerful service account within the Active Directory Domain, KRBTGT (Key Distribution Centre Service account). Acquiring the NTLM hash of this account can enable the attacker to execute a Golden Ticket attack leading to complete domain compromise with unrestricted access to any service on the domain joined system.

Stealing Credentials Through a DCSync Attack – From Domain user to Domain Admin

A DCSync attack is a method of credential acquisition which allows an attacker to impersonate the Domain Controller and can consequently replicate all the Active Directory objects to the impersonating client remotely, without requiring the user to logon to the DC or dumping the Ntds.dit file. By impersonating the Domain Controller, the attacker could acquire the NTLM hash of the KRBTGT service account, enabling them to gain access to all the shared resources and applications in the domain joined environment. To be able to execute this credential stealing technique, an attacker would have to compromise the user account with the required permissions, specifically DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, as shown below.

Figure 13 – User with privileges

Once the attacker compromises the user account with the required privileges, Pass-The-Hash attacks can be executed to spawn a command shell with the forged logon session. Credential dumping tools like Mimikatz do this by enumerating all the user logon sessions and replacing the user credentials with the stolen usernames and NTLM hashes provided, in the current logon session. Behind the scenes, this is executed by duplicating the current process’s access token, replacing the user credentials pointed by duplicated access token and subsequently using the modified access token to start a new process with the stolen credentials which will be used for network authentication. This is as shown below for example user “DCPrivUser”.

Figure 14 – Pass-the-Hash attack

Further, as indicated below, any subsequent NTLM authentication from the logon session will use the stolen credentials to authenticate to domain joined systems like the Active Directory Controller.

Attackers can now initiate the AD user objects Replication request to the Domain Controller using Directory Replication Services Remote Protocol (DRSUAPI). DRSUAPI is the RPC protocol used for replication of AD objects. With DCERPC bind request to DRSUAPI, an RPC call to DSGetNCChanges will replicate all the user AD objects to the impersonating client. Attackers would usually target the KRBTGT account since acquiring the NTLM hash of this account will enable them to execute a Golden Ticket attack resulting in unrestricted access to domain services and applications.

Figure 15 – DCSync Attack

As indicated earlier, with the NTLM hash of the KRBTGT account, adversaries can initiate a Golden Ticket attack (Pass-the-Ticket) by injecting the forged Kerberos tickets into the current session which can be used to authenticate to any service with the client that supports pass the ticket (for instance, sqlcmd.exe connection to DB server, PsExec, etc.)

Figure 16 – Golden ticket with forged Kerberos ticket

Detecting Credential Stealing Attacks with Network Deception

The credential theft techniques we discussed in the previous sections are just the tip of the iceberg. Adversaries can use many other sophisticated credential stealing techniques to take advantage of system misconfigurations and legitimate administrative tools and protocols and, at the same time, remain undetected for a longer period. With many other event management solutions with SIEMs, used in conjunction with other network security solutions, it becomes a challenge for administrators to distinguish malicious use of legitimate tools and services from lateral movement. Perimeter solutions have their limitations in terms of visibility once the attacker crosses the network boundary and is inside the domain environment. It is extremely critical for organizations to protect and monitor critical network assets like the Domain Controller, Database server, Exchange Servers, build systems and other applications or services, as compromising these systems will result in significant damages. Therefore, enterprise networks must deploy a solution to detect credential stealing attacks as they can be used to pivot to other systems on the network and move laterally once an attacker establishes an attack path to a high value target. If the deployment of a solution within the critical zones of the network can detect the use of stolen credentials before adversaries can reach their target, the critical assets could still be prevented from being compromised.

Network Deception is one such deployment within the domain environment where, using the MITRE Shield techniques like decoy systems and network, decoy credentials, decoy accounts, decoy contents, could potentially help detect lateral movement early in the adversary’s attack path to the target asset and at the same time, report significantly low false detection rates. The idea of deception originates from the decades old honeypot systems but, unlike those, relies more on forging trust and giving adversaries what they are looking for. With its inbuilt proactiveness it is configured to lure attackers towards deceptive systems. As shown in the figure below, Network Deception consists of authentic looking decoy systems placed within the domain network, specifically in the network where the critical assets are placed. These decoy systems (could be virtual machines) are the full-fledged OS with configured applications or services and could be replicating the crucial services like Domain Controller, Exchange or DB server and other decoy machines that could lead to those systems. The image below highlights the key foundational aspects of the Network Deception

Figure 17 – Network Deception

Key Aspects of Network Deception

As visualized in the figure above, Network Deception comprises the following key basic facts with respect to the deployment in the domain joined environment:

  • As a part of deployment, decoy/deceptive machines are planted within the network alongside production systems and critical assets. These decoy systems could be real systems or virtual systems with production grade operating systems with the required setup to make them blend well with real systems.
  • As one of the key aspects, deceptive machines are configured to lure attackers towards the decoy services instead of the production services, thereby deflecting or misleading the attacker’s lateral movement path to the target asset.
  • Many of the decoy machines could replicate critical services like Domain Controller, DB servers, Exchange/SharePoint servers and other critical services or applications within the data center.
  • Any legitimate domain user should not be generating traffic to or communicating with the configured decoy machines unless there are some misconfigurations in the network, which need to be corrected.

Basic Decoy Network Setup

Since credential theft plays an important role in a successful targeted attack, deception essentially focuses on planting fake credentials on the production and decoy endpoints at multiple places within the OS and monitoring the use of these credentials to pivot to other systems. With respect to the network setup, the following are the key aspects, however this list is not exhaustive, and much more could be added:

  • Replicating critical network assets and services with decoy machines: Replicating critical network services like Active Directory, DB services, etc., will make more sense since these are the most targeted systems in the network. The decoy Active Directory should be configured with deceptive AD objects (users, groups, SPNs, etc.). with deceptive contents for other replicated services.
  • Planting authentic looking decoy machines in the production network: As indicated earlier, these decoy machines could be real or virtual machines with the production grade OS placed alongside production systems in the critical infrastructure to blend in well. These decoy machines should be joined to the decoy AD and configured with deceptive user accounts to monitor successful logon attempts to the systems.
  • Injecting deceptive credentials on production endpoints: Production endpoints should be injected with deceptive credentials at multiple places like LSASS process memory, Credential Manager, browser credentials, etc., to increase the possibility of these credentials being picked up and used to pivot to decoy systems in the network. These endpoints could be public facing machines or their replicas as well.
  • Decoy Machine runs client applications pointing to decoy services: Decoy machines may run the client with deceptive credentials and configured to point to the decoy services. These could be DB/FTP/Email clients and any other replicated decoy services.
  • Mark decoy systems as “NO LANDING ZONE”: One of the key deployment aspects of deception is to mark all the decoy systems and services as “NO LANDING ZONE”, essentially meaning no legitimate domain users should be accessing decoys and any attempts to access these systems should be closely monitored.

Some of the other setup required for effective deployment of deception is as summarized below:

Figure 18 – Deceptive network setup – Basic requirements

Basic Decoy Systems Setup

To detect the use of deceptive credentials, setting up decoy machines is an essential part of the solution as well. Primarily, decoy machines should enable the access attackers are looking to have during the lateral movement phase. Decoys should also be configured to enable relevant auditing services to be able to generate events. For instance, the following enables the account logon events to be audited:

Decoy machines must be setup to run the log collector agent that can collect the access logs generated and forward them to the correlation server. However, in the domain joined environment, it is also essential to tune the decoy machines to forward only the relevant logs to the correlation server to minimize false positives.

The below highlights some of the auditing required to be enabled on the decoy systems for effective correlation.

Figure 19 – Basic decoy setup

Illustrating and Achieving Network Deception

The following sections describe some examples of how deception can be achieved in the domain network, along with a visualization of how credential theft can be detected.

Network Deception – Example 1: Injecting NETONLY credentials into LSASS process memory

LSASS process memory is one of the prime targets for attackers, as well as malware armed with lateral movement capabilities since it caches a variety of credentials. Credential extraction from the LSASS process requires opening a read handle to the process itself which is closely monitored by EDR products but there are stealthier ways around it.

One of the primary tasks towards achieving credential-based deception is to stage the deceptive credentials in LSASS process memory. This can be accomplished on the production and decoy systems by executing a trivial credential injection code which uses the CreateProcessWithLogonW Windows API with the specified crafted credentials. CreateProcessWithLogonW creates the new logon session using the caller process access token and spawns the process specified as a parameter in the security context of the specified deceptive credentials and it will be staged in the LSASS memory until the process runs in the background. The below shows the example code calling the API with the specified credentials which is also visible when credentials are extracted with Mimikatz.

Figure 20 – Injecting credentials into LSASS memory

One of the parameters to CreateProcessWithLogonW is “dwLogonFlags” which should be specified as LOGON_NETCREDENTIALS_ONLY as shown in the code above. This ensures the specified credentials are used only on the network and not for local logons. Additionally, NETONLY credentials used to create a logon session are not validated by the system. Below is a code snapshot from credential extraction tool Mimikatz, using a similar approach to forge a logon session and replacing the credentials with the supplied ones while executing Pass-the-Hash attacks.

Figure 21 – Mimikatz code for PTH attack

Network Deception – Example 2: Configure deceptive hostnames for decoy VMs

Attackers or malware moving laterally inside the network might do a recon for interesting hostnames via nbtstat/nbtscan. To deflect the lateral movement path, decoy systems can be configured with real looking hostnames that match the production systems. These hostnames will then be visible on NetBIOS scans as shown below.

Figure 22 – Deceptive host names pointing to decoy machines

These decoy systems can also run the relevant client applications pointing to the decoy services, with authentication directed to the decoy Domain Controller in the network. Detection of this attack path happens much earlier, however the decoy network setup keeps the adversaries engaged, helping admins to study their Tools and Techniques.

Figure 23 – Decoy machines running clients pointing to decoy services

A similar deception setup can also be done for the browsers where saved credentials can point to the decoy applications and services within the domain. For instance, Chrome saves the credentials in the SQLite format on the disk which can be decrypted using DPAPI as discussed earlier sections. The below examples demonstrate deceptive browser credentials which can lure adversaries towards the decoy services.

Figure 24 – Inserting deceptive browser credentials

In addition to some of the techniques discussed above, and many others highlighted in the previous sections, setting up deception involves much more advanced configuration of decoy systems to minimize false positives and needs to be tuned to the environment to accurately identify malicious activities. Deception can also be configured to address multiple other phases of lateral movement activity including reconnaissance and target discovery, essentially redirecting the adversaries and giving them a path to the target. Below is a high-level visualization of how the decoy network can look like the domain environment.

Figure 25 – Deception network setup

On the occasion where one of the domain-joined or public facing systems is compromised, authentication would be attempted to other domain joined systems in the network. If an authentication is attempted and any of the decoy systems are accessed and logged on, the use of these planted deceptive credentials should be a red flag and something which must be investigated. The visualization below shows the flow and an event being sent to an administrator on accessing one of the decoy systems.

Figure 26 – Deceptive credentials usage for authentication in the domain

One such example event of successfully logging on to the decoy system is as shown below:

Figure 27 – Alert send to administrator on using deceptive credentials

MITRE ATT&CK Techniques:

Credential theft attacks discussed here are mapped by MITRE as below:

Technique ID Technique Name Description
T1003.001 LSASS Process Memory Attackers may attempt to access LSASS process memory to extract credentials as it stores a variety of credentials. Administrative privileges are required to access the process memory.
T1003.002 SAM Database Accessing credentials from SAM database requires SYSTEM level privileges. Stores credentials for all the local user accounts on the machine.
T1003.003 NTDS.dit file Contains credentials for all the domain users. File is present on the DC and domain admin privileges are required to access this file.
T1003.006 DCSync Attacker can extract the credentials from the DC by impersonating the domain controller and use DRSUAPI protocol to replicate credentials from DC.
T1558.001 Golden Ticket Attackers acquiring credentials for KRBTGT account can forge the Kerberos ticket called Golden Ticket, allowing them to get unrestricted access to any system in the domain
T1558.002 Silver Ticket Allows attacker to get admin level access to the service accounts by abusing Kerberos authentication
T1558.003 Kerberoasting Allows attackers to extract the Kerberos tickets for service accounts from memory and brute force offline to get credentials

Conclusion

As credential theft attacks play a significant role in an attacker’s lateral movement, so as in-network defense for the defenders. With attackers’ lateral movement tactics evolving and getting more stealthier, defenders will have to adapt to innovative ways of defending the critical network assets. In–network defense strategies like Deception could prove to be a promising and forward-looking approach towards detecting and mitigating data theft attacks. Strategic planting of decoy systems within the production network, inserting decoy credentials and decoy contents on calculative selection of endpoints and decoy systems and accurately setting up the logging and correlation via SIEMs for monitoring the use of decoy contents, could certainly detect and mitigate the attacks early in the lateral movement life cycle.

Endpoint solutions like User Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) could also play a significant role in building the deception infrastructure. For instance, one of the ways UEBA solutions could prove useful is to baseline user behavior and monitor access to credential stores on the system. UEBA/EDR could raise the red flag on injection of forged Kerberos tickets in the memory. This can provide user level visibility to a greater extent when integrated with SIEM, playing a crucial role in mitigating credential theft attacks.

The post Detecting Credential Stealing Attacks Through Active In-Network Defense appeared first on McAfee Blogs.

]]>
McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-omigod-vulnerability-opening-the-door-to-mirai-botnet/ Wed, 22 Sep 2021 16:15:12 +0000 https://www.mcafee.com/blogs/?p=129385

This month Microsoft released patches for 86 vulnerabilities. While many of these vulnerabilities are important and should be patched as...

The post McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet appeared first on McAfee Blogs.

]]>

This month Microsoft released patches for 86 vulnerabilities. While many of these vulnerabilities are important and should be patched as soon as possible, there is one critical vulnerability that McAfee Enterprise wants to immediately bring to your attention due to the simplicity of what is required to exploit, and evidence that possible exploitation is already being attempted.

The list of flaws, collectively called OMIGOD, impact a software agent called Open Management Infrastructure that’s automatically deployed in many Azure services –

CVE-2021-38647 (CVSS score: 9.8) – Open Management Infrastructure Remote Code Execution Vulnerability

CVE-2021-38648 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability

CVE-2021-38645 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability

CVE-2021-38649 (CVSS score: 7.0) – Open Management Infrastructure Elevation of Privilege Vulnerability

Azure customers on Linux machines, including users of Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics, are at risk of potential exploitation. OMI can also be installed outside of Azure on any on-premises Linux system.

The Remote Code Execution is extremely simple and all that is required is to remove the auth header and root access is available remotely on all machines. With this vulnerability the attackers can obtain initial access to the target Azure environment and then move laterally within it.

Campaign: Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD

Source: MVISION Insights

Multiple security researchers shared proof of concept attacks on the exploitation of the vulnerabilities and, soon thereafter, actors mimicked the efforts and have recently been seen actively exploiting CVE-2021-38647 via botnet activities.

Background on the Mirai Botnet and related campaigns

Source: MVISION Insights

One such botnet is Mirai, which is actively scanning for vulnerabilities, including those identified as OMIGOD, that will allow the operators to infect a system and spread to connected devices. If the Mirai botnet exploits a vulnerable machine, the operators will drop one of the Mirai DDoS botnet versions and close port 5896 on the internet to prevent other attackers from exploiting the same box. Reports of successful exploitation of OMIGOD have reported cryptominers being deployed on the impacted systems.

McAfee Enterprise Coverage and Recommended Mitigations

Microsoft does not have an auto update mechanism; a manual upgrade of the agents is required to prevent exploitation. Microsoft has released a patched OMI version (1.6.8.1), suggested steps by Microsoft are provided in the below link.

CVE-2021-38647 – Open Management Infrastructure Remote Code Execution Vulnerability

McAfee Enterprise will continue to update the following KB document with product coverage of CVE-2021-38647; please subscribe to the KB to be notified of updates.

McAfee Enterprise coverage for CVE-2021-38647 Remote Code Execution Vulnerability

Identifying Vulnerable Systems with the OMI Agent

To identify vulnerable systems in your environment, McAfee Enterprise recommends scanning for systems listening on Ports 5986. Port 5986 is the typical port leveraged by the OMI agent. Industry intelligence from the Wiz Research group is also noting vulnerable systems listening on non–default ports 5985 and 1270. It is recommended to limit network access to those ports immediately to protect from the RCE vulnerability.

Detecting Threat Activity with MVISION Insights

MVISION Insights provides regularly updated threat intelligence for the ongoing attempts to exploit OMIGOD. The “Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD” campaign will have up to date Global Prevalence, IOCs, and MITRE techniques being observed in the wild. The IOCs within MVISION Insights can be utilized by the Real-time Search function of MVISION Endpoint Detection & Response (EDR) to proactively search your entire Linux endpoint environment for detection.

Global Prevalence of OMIGOD Exploitation Source: MVISION Insights

Indicators of Compromise related to exploitation of OMIGOD Source: MVISION Insights

Blocking Ports with McAfee ENS Firewall

The McAfee ENS Firewall Rules will allow for the creation of custom rules to block specific ports until the OMI agent can be updated to the resolved version; please see the below screenshot for a sample rule to block the ports associated with the OMI agent.

Creation of Block Rule for OMI Agent Ports in McAfee ENS Firewall

Locating Systems Running OMI with MVISION EDR

The Real-time search feature in MVISION EDR with allow for the searching of your entire Linux environment utilizing several different parameters to identify systems that could be potential targets.

The below pre-built queries can be executed to locate systems listening on the noted ports for the OMI Agent and to verify the version of the OMI agent installed on your endpoint.

Processes and CurrentFlow and HostInfo hostname where Processes name equals omiengine

Software and HostInfo hostname where Software displayname contains om

Locating Installed Software Versions of OMI on Linux endpoints in MVISION EDR

Monitoring the traffic and user information of OMI in MVISION EDR

Discovery of Vulnerabilities and Configuration Audits with MVISION CNAPP

Another method to identify vulnerable systems in your cloud infrastructure is run an on-demand vulnerability scan and create security configuration audits with MVISION Cloud Native Application Protection Platform (CNAPP). Please see below several examples of using the CWPP and CSPM features to locate vulnerable systems by CVE number and detect usage of the “root” account in Microsoft Azure.

Running Vulnerability Scans to Identify Vulnerable Systems by CVE

Setting Security Configuration Audits to be alerted of Root Access in Microsoft Azure

The post McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet appeared first on McAfee Blogs.

]]>
Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek https://www.mcafee.com/blogs/enterprise/executive-spotlight-qa-with-lead-scientist-sr-principal-engineer-christiaan-beek/ Wed, 22 Sep 2021 15:00:17 +0000 https://www.mcafee.com/blogs/?p=129679

Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise and the Advanced...

The post Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek appeared first on McAfee Blogs.

]]>

Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise and the Advanced Threat Research Team to hear their takes on today’s security trends, challenges, and opportunities for companies across the globe.

Q: What got you interested in technology and threat research?

As a little kid, I was always fascinated by technology. I would wrench open devices to study the inner workings, and try to assemble again. At age 12 I worked for three years to assemble my first computer-setup: a Commodore 64, disk-drive, and printer followed by an Amiga with modem. From that point, it was a journey from sysadmin to ethical hacking into specializing in digital forensics and joining FoundStone to setup their EMEA Incident Response team. As I witnessed multiple malware incidents and later some of the largest cyber-attacks ever, I got fascinated by all the mechanics around threat research. From this, I made a move to lead and envision new ways (threat) research can assist both responders and customers.

Q: If you could relive any moment of your life, which would it be?

Good question. There are so many moments to be thankful for that I cannot choose one but will mention a few that might sound obvious: My baptism, marrying my wife, and the birth of my kids.

Q: What are some of the trends you are currently noticing across the threat landscape?

Of course, we still have ransomware around as an ongoing issue that keeps evolving and impacting not only companies around the world, but also our lives more and more when fuel is not available, supermarkets are closed, and delivery of goods cannot be executed. Secondly, I would say the volume and number of attacks that happen have increased dramatically over the years. The moment a vulnerability is announced, within days, a proof-of-concept is available and within a week it is used by adversaries (either cybercrime or nation-state motivated). The feedback from our customers has been tremendously positive.

Q: How do you react to constantly changing threats in the market?

The only way to respond to the constant changing threats is to be flexible and willing to change. What works today might not work tomorrow, which should be part of your strategy when it comes to threat hunting, threat detection, and protection. My team is eager to learn and we are committed to protect our customers, innovate new research techniques, and adapt that into our technology.

The post Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek appeared first on McAfee Blogs.

]]>
BlackMatter Ransomware Analysis; The Dark Side Returns https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/blackmatter-ransomware-analysis-the-dark-side-returns/ Wed, 22 Sep 2021 14:54:36 +0000 https://www.mcafee.com/blogs/?p=129547

BlackMatter is a new ransomware threat discovered at the end of July 2021. This malware started with a strong group...

The post BlackMatter Ransomware Analysis; The Dark Side Returns appeared first on McAfee Blogs.

]]>

BlackMatter is a new ransomware threat discovered at the end of July 2021.

This malware started with a strong group of attacks and some advertising from its developers that claims they take the best parts of other malware, such as GandCrab, LockBit and DarkSide, despite also saying they are a new group of developers. We at McAfee Enterprise Advanced Threat Research (ATR), have serious doubts about this last statement as analysis shows the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack which caught the attention of the US government and law enforcement agencies around the world.

The main goal of BlackMatter is to encrypt files in the infected computer and demand a ransom for decrypting them. As with previous ransomware, the operators steal files and private information from compromised servers and request an additional ransom to not publish on the internet.

COVERAGE AND PROTECTION ADVICE

McAfee’s EPP solution covers BlackMatter ransomware with an array of prevention and detection techniques.

ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-BlackMatter!<hash>. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.

Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.

TECHNICAL DETAILS

BlackMatter is typically seen as an EXE program and, in special cases, as a DLL (Dynamic Library) for Windows. Linux machines can be affected with special versions of it too but in this report, we will only be covering the Windows version.

This report will focus on version 1.2 of BlackMatter while also noting the important changes in the current version, 2.0.

BlackMatter is programmed in C++ and has a size of 67Kb.

FIGURE 1. Information about the malware

The compile date of this sample is the 23rd of July 2021. While these dates can be altered, we think it is correct; version 1.9 has a compile time of 12 August 2021 and the latest version, 2.0, has a date four days later, on the 16th of August 2021. Is clear that the malware developers are actively improving the code and making detection and analysis harder.

The first action performed by BlackMatter is preparation of some modules that will be needed later to get the required functions of Windows.

FIGURE 2. BlackMatter searching for functions

BlackMatter uses some tricks to try and make analysis harder and avoid debuggers. Instead of searching for module names it will check for hashes precalculated with a ROT13 algorithm. The modules needed are “kernel32.dll” and “ntdll.dll”. Both modules will try to get functions to reserve memory in the process heap. The APIs are searched using a combination of the PEB (Process Environment Block) of the module and the EAT (Export Table Address) and enumerating all function names. With these names it will calculate the custom hash and check against the target hashes.

FIGURE 3. BlackMatter detecting a debugger

At this point BlackMatter will make a special code to detect debuggers, checking the last 2 “DWORDS” after the memory is reserved, searching for the bytes “0xABABABAB”. These bytes always exist when a process reserves memory in the heap and, if the heap has one special flag (that by default is set when a process is in a debugger), the malware will avoid saving the pointer to the memory reserved so, in this case, the variables will keep a null pointer.

In Windows operating systems the memory has different conditions based on whether a program is running in normal mode (as usual) or in debugging mode (a mode used by programmers, for example). In this case, when the memory is reserved to keep information, if it is in debugging mode, Windows will mark the end of this memory with a special value, “0xABABABAB”. BlackMatter checks for this value and, if found, the debugger is detected. To avoid having it run normally it will destroy the function address that it gets before, meaning it will crash, thus avoiding the execution.

FIGURE 4. Preparing the protection stub function

After this check it will create a special stub in the reserved memory which is very simple but effective in making analysis harder as the stub will need to be executed to see which function is called and executed.

This procedure will be done with all functions that will be needed; the hashes are saved hardcoded in the middle of the “.text” section in little structs as data. The end of each struct will be recognized by a check against the “0xCCCCCCCC” value.

FIGURE 5. Hashes of the functions needed

This behavior highlights that the BlackMatter developers know some tricks to make analysis harder, though it is simple to defeat both by patching the binary.

After this, the ransomware will use another trick to avoid the use of debuggers. BlackMatter will call the function “ZwSetInformationThread” with the class argument of 0x11 which will hide the calling thread from the debuggers.

If the malware executes it correctly and a debugger is attached, the debugging session will finish immediately. This code is executed later in the threads that will be used to encrypt files.

FIGURE 6. Another way to detect a debugger

The next action is to check if the user that launched the process belongs to the local group of Administrators in the machine using the function “SHTestTokenMembership”. In the case that the user belongs to the administrator group the code will continue normally but in other cases it will get the operating system version using the PEB (to avoid using API functions that can alter the version) and, if it is available, will open the process and check the token to see if that belongs to the Administrators group.

FIGURE 7. BlackMatter checking if it has administrator rights

In the case that the user does not belong to the Administrator group the process token will use a clever trick to escalate privileges.

The first action is to prepare the string “dllhost.exe” and enumerate all modules loaded. For each module it will check one field in the initial structure that all executables have that keeps the base memory address where it will be loaded (for example, kernel32.dll in 0x7fff0000) and will compare with its own base address. If it is equal, it will change its name in the PEB fields and the path and arguments path to “dllhost.exe” (in the case of the path and argument path to the SYSTEM32 folder, where the legitimate “dllhost.exe” exists). This trick is used to try and mislead the user. For each module found it will check the base address of the module with its own base address and, at that moment, will change the name of the module loaded, the path, and arguments to mislead the user.

FIGURE 8. Decryption of the string “dllhost.exe”

The process name will be “dllhost.exe” and the path will be the system directory of the victim machine. This trick, besides not changing the name of the process in the TaskManager, can make a debugger “think” that another binary is loaded and remove all breakpoints (depending on the debugger used).

FIGURE 9. Changing the name and path in the PEB

The second action is to use one exploit using COM (Component Object Model) objects to try to elevate privileges before finishing its own instance using the “Terminate Process” function.

For detection, the module uses an undocumented function from NTDLL.DLL, “LoadedModulesLdrCallback” that lets the programmer set a function as a callback where it can get the arguments and check the PEB. In this callback the malware will set the new Unicode strings using “RtlInitUnicodeString”; the strings are the path to “dllhost.exe” in the system folder and “dllhost.exe” as the image name.

The exploit used to bypass the UAC (User Access Control), which is public, uses the COM interface of CMSTPLUA and the COM Elevation Moniker.

In the case that it has administrator rights or uses the exploit with success, it will continue making the new extension that will be used with the encrypted files. For this task it will read the registry key of “Machine Guid” in the cryptographic key (HKEY LOCAL MACHINE).

This entry and value exist in all versions of Windows and is unique for the machine; with this value it will make a custom hash and get the final string of nine characters.

FIGURE 10. Creating the new extension for the encrypted files

Next, the malware will create the ransom note name and calculate the integrity hash of it. The ransom note text is stored encrypted in the malware data. Usually the ransom note name is “%s.README.txt”, where the wildcard is filled with the new extension generated previously.

The next step is to get privileges that will be needed later; BlackMatter tries to get many privileges:

·         SE_BACKUP_PRIVILEGE

·         SE_DEBUG_PRIVILEGE, SE_IMPERSONATE_PRIVILEGE

·         SE_INC_BASE_PRIORITY_PRIVILEGE

·         SE_INCREASE_QUOTA_PRIVILEGE

·         SE_INC_WORKING_SET_PRIVILEGE

·         SE_MANAGE_VOLUME_PRIVILEGE

·         SE_PROF_SINGLE_PROCESS_PRIVILEGE

·         SE_RESTORE_PRIVILEGE

·         SE_SECURITY_PRIVILEGE

·         SE_SYSTEM_PROFILE_PRIVILEGE

·         SE_TAKE_OWNERSHIP_PRIVILEGE

·         SE_SHUTDOWN_PRIVILEGE

 

FIGURE 11. Setting special privileges

After getting the privileges it will check if it has SYSTEM privileges, checking the token of its own process. If it is SYSTEM, it will get the appropriate user for logon with the function “WTSQueryUserToken”. This function only can be used if the caller has “SeTcbPrivilege” that, by default, only SYSTEM has.

FIGURE 12. Obtaining the token of the logged on user

After getting the token of the logged on user the malware will open the Windows station and desktop.

In the case that it does not have SYSTEM permissions it will enumerate all processes in the system and try to duplicate the token from “explorer.exe” (the name is checked using a hardcoded hash), if it has rights it will continue normally, otherwise it will check again if the token that was duplicated has administrator rights.

In this case it will continue normally but in other cases it will check the operating system version and the CPU (Central Processing Unit) mode (32- or 64- bits). This check is done using the function “ZwQueryInformationProcess” with the class 0x1A (ProcessWow64Information).

FIGURE 13. Checking if the operating system is 32- or 64-bits

In the case that the system is 32-bits it will decrypt one little shellcode that will inject in one process that will enumerate using the typical “CreateRemoteThread” function. This shellcode will be used to get the token of the process and elevate privileges.

In the case that the system is 64-bits it will decrypt two different shellcodes and will execute the first one that gets the second shellcode as an argument.

FIGURE 14. BlackMatter preparing shellcodes to steal system token

These shellcodes will allow BlackMatter to elevate privileges in a clean way.

Is important to understand that to get the SYSTEM token BlackMatter will enumerate the processes and get “svchost.exe”, but not only will it check the name of the process, it will also check that the process has the privilege “SeTcbPrivilege”. As only SYSTEM has it by default (and it is one permission that cannot be removed from this “user”) it will be that this process is running under SYSTEM and so it becomes the perfect target to attack with the shellcodes and steal the token that will be duplicated and set for BlackMatter.

FIGURE 15. Checking if the target process is SYSTEM

After this it will decrypt the configuration that it has embedded in one section. BlackMatter has this configuration encrypted and encoded in base64.

This configuration has a remarkably similar structure to Darkside, offering another clear hint that the developers are one and the same, despite their claims to the contrary.

After decryption, the configuration can get this information:

  • RSA Key used to protect the Salsa20 keys used to encrypt the files.
  • A 16-byte hex value that remarks the victim id.
  • A 16-byte hex value that is the AES key that will be used to encrypt the information that will be sent to the C2.
  • An 8/9-byte array with the behavior flags to control the ransomware behavior.
  • A special array of DWORDs (values of 4 bytes each one) that keep the values to reach the critical points in the configuration.
  • Different blocks encoded and, sometimes, encrypted again to offer the field more protection.

 

After getting the configuration and parsing it, BlackMatter will start checking if it needs to make a login with some user that is in the configuration. In this case it will use the function “LogonUser” with the information of the user(s) that are kept in the configuration; this information has one user and one password: “test@enterprise.com:12345” where “test” is the user, “@enterprise.com” is the domain and “12345” the password.

The next action will be to check with the flag to see if a mutex needs to be created to avoid having multiple instances.

This mutex is unique per machine and is based in the registry entry “MachineGuid” in the key “Cryptography”. If the system has this mutex already the malware will finish itself.

Making a vaccine with a mutex can sometimes be useful but not in this case as the developers change the algorithm and only need to set the flag to false to avoid creating it.

FIGURE 16. Creation of the mutex to avoid multiple instances

After, it will check if it needs to send information to the C2. If it does (usually, but not always) it will get information of the victim machine, such as username, computer name, size of the hard disks, and other information that is useful to the malware developers to know how many machines are infected.

This information is encoded with base64 and encrypted with AES using the key in the configuration.

FIGURE 17. Encrypted information sent to the C2

The C2 addresses are in the configuration (but not all samples have them, in this case the flag to send is false). The malware will try to connect to the C2 using a normal protocol or will use SSL checking the initial “http” of the string.

FIGURE 18. Get information of the victim machine and user

The information is prepared in some strings decrypted from the malware and sent in a POST message.

FIGURE 19. Choose to send by HTTP or HTTPS

The message has values to mislead checks and to try and hide the true information as garbage. This “fake” data is calculated randomly.

The C2 returns garbage data but the malware will check if it starts and ends with the characters “{“  and “}”; if it does the malware will ignore sending the information to another C2.

FIGURE 20. Checking for a reply from the C2 after sending

BlackMatter is a multithread application and the procedure to send data to the C2 is done by a secondary thread.

After that, BlackMatter will enumerate all units that are FIXED and REMOVABLE to destroy the recycle bin contents. The malware makes it for each unit that has it and are the correct type. One difference with DarkSide is that it has a flag for this behavior while  BlackMatter does not.

The next action is to delete the shadow volumes using COM to try and avoid detection using the normal programs to manage the shadow volumes. This differs with DarkSide that has a flag for this purpose.

FIGURE 21. Destruction of the shadow volumes using COM

BlackMatter will check another flag and will enumerate all services based on one list in the configuration and will stop target services and delete them.

This behavior is the same as DarkSide.

FIGURE 22. Stopping services and deleting them

Processes will be checked and terminated as with DarkSide, based on other configuration flags.

After terminating the processes BlackMatter will stop the threads from entering suspension or hibernating if someone is using the computer to prevent either of those outcomes occurring when it is encrypting files. This is done using the function “ZwSetThreadExecutionState”.

FIGURE 23. Preventing the machine being suspended or hibernated

The next action will be to enumerate all units, fixed and on the network, and create threads to encrypt the files. BlackMatter uses Salsa20 to encrypt some part of the file and will save a new block in the end of the file, protected with the RSA key embedded in the configuration with the Salsa20 keys used to encrypt it. This makes BlackMatter slower than many other ransomwares.

After the encryption it will send to the C2 all information about the encryption process, how many files were crypted, how many files failed, and so on. This information is sent in the manner previously described, but only if the config is set to true.

FIGURE 24. Release of the mutex

If one mutex was created in this moment it will be released. Later it will check the way that the machine boots with the function “GetSystemMetrics”. If the boot was done in Safe Mode BlackMatter will set some keys for persistence in the registry for the next reboot and then attack the system, changing the desktop wallpaper.

FIGURE 25. Determining whether the system boots in safe mode or normal mode

Of course, it will disable the safeboot options in the machine and reboot it (it is one of the reasons why it needs the privilege of shutdown).

To ensure it can launch in safe mode, the persistence key value with the path of the malware will start with a ‘*’.

FIGURE 26. Setting the persistance registry key

If the machine starts in the normal way, it will change the desktop wallpaper with an alternative generated in runtime with some text about the ransom note.

FIGURE 27. BlackMatter makes the new wallpaper in runtime

VERSIONS 1.9 AND 2.0

The new versions have some differences compared with versions 1.2 to 1.6:

  • Changes in the stub generation code. Previously only one type of stub was used, but in more recent versions several types of stubs are employed, with one chosen randomly per function. Anyways the stubs can be removed without any problem by patching the binary.
  • A new byte flag in the configuration that remarks if it needs to print the ransom note using the available printer in the system. Very similar to Ryuk but instead BlackMatter uses APIs from “winspool.drv”.
  • Removed one C2 domain that was shut down by the provider.

Additional changes in version 2.0:

  • This version changes the crypto algorithm to protect the configuration making it more complex to decrypt it.
  • Removed the last C2 that was shut down by the provider.
  • Added a new C2 domain.

These changes suggest the developers are active on social media, with an interest in malware and security researchers.

VACCINE

Unlike some ransomware we’ve seen in the past, such as GandCrab , BlackMatter has good code, but it does have some design flaws that can be used in some cases to avoid having the malware encrypt the files.

This vaccine is not intended to be used in the normal way, rather only in special cases as, while it works, other programs can be affected (we obviously cannot test all third party programs but potential issues are likely to include data corruption and unpredictable behavior), and the fix is not permanent.

Steps to make the vaccine (proceed at your own risk):

  • Open regedit (or another registry editor) and go to the key in HKEY_LOCAL_MACHINE> Cryptography.
  • In this key can be seen a string value named “MachineGuid” with a special value. This value is unique for the machine and is used for some applications to identify the machine. BlackMatter uses it to make the mutex and, very importantly, the new extension for the encrypted files.
  • Make a new value of type string with a random name and put the same value as seen in “MachineGuid” to have a backup of it.
  • Remove the “MachineGuid” value, and then make it again but with the binary type Instead of string type, with the same name, “MachineGuid”.
  • Close the registry editor.

In this moment BlackMatter cannot affect the machine as it needs the registry key to make the ransom extension, and the most important thing is, if it cannot make it, it will return the function WITHOUT decrypting the config that is needed too. In this case it will destroy the recycle bin and shadow volumes anyways but later it will finish as it does not have any behavior to do, RSA Key to protect the files, or anything to send to the C2 as the flag was never read from the config (and the default values are false for all of them).

Though the behavior of other programs may be unpredictable, the vaccine is easy to make, and the system will boot, showing that the BlackMatter programmers made a mistake in the design of the code.

This vaccine works for all versions, including 2.0.

MITRE ATT&CK

The sample uses the following MITRE ATT&CK™ techniques:

Technique ID Technique Description Observable
T1134 Access Token Manipulation BlackMatter accesses and manipulates different process tokens.
T1486 Data Encrypted for Impact BlackMatter encrypts files using a custom Salsa20 algorithm and RSA.
T1083 File and Directory Discovery

 

BlackMatter uses native functions to enumerate files and directories searching for targets to encrypt.
T1222.001 Windows File and Directory Permissions Modification BlackMatter executes the command icacls “<DriveLetter>:\*” /grant Everyone: F /T /C /Q to grant full access to the drive.
T1562.001 Disable or Modify Tools BlackMatter stops services related to endpoint security software.
T1106 Native API BlackMatter uses native API functions in all code.
T1057 Process Discovery BlackMatter enumerates all processes to try to discover security programs and terminate them.
T1489 Service Stop BlackMatter stops services.
T1497.001 System Checks BlackMatter tries to detect debuggers, checking the memory reserved in the heap.
T1135 Network Share Discovery BlackMatter will attempt to discover network shares by building a UNC path in the following format for each driver letter, from A to Z: \\<IP>\<drive letter>$
T1082 System Information Discovery BlackMatter uses functions to retrieve information about the target system.
T1592 Gather Victim Host Information BlackMatter retrieves information about the user and machine.
T1070 Valid Accounts BlackMatter uses valid accounts to logon to the victim network.
T1547 Boot or Logon Autostart Execution BlackMatter installs persistence in the registry.
T1102 Query Registry BlackMatter queries the registry for information.
T1018 Remote System Discovery BlackMatter enumerates remote machines in the domain.
T1112 Modify Registry BlackMatter changes registry keys and values and sets new ones.

CONCLUSION

BlackMatter is a new threat in the ransomware field and its developers know full well how to use it to attack their targets. The coding style is remarkably similar to DarkSide and, in our opinion, the people behind it are either the same or have a very close relationship.

BlackMatter shares a lot of ideas, and to some degree code, with DarkSide:

  • Configurations are remarkably similar, especially with the last version of Darkside, besides the change in the algorithm to protect it which, despite having less options, remains with the same structure. We do not think that the developers of BlackMatter achieved this similarity by reversing DarkSide as that level of coding skill would have allowed them to create an entirely new ransomware from the ground up. Also, the idea that the DarkSide developers gave or sold the original code to them does not make any sense as it is an old product.
  • Dynamic functions are used in a similar way to DarkSide.
  • It uses the same compression algorithm for the configuration.
  • The victim id is kept in the same way as DarkSide.

It is important to keep your McAfee Enterprise products updated to the latest detections and avoid insecure remote desktop connections, maintain secure passwords that are changed on a regular basis, take precautions against phishing emails, and do not connect unnecessary devices to the enterprise network.

Despite some effective coding, mistakes have been made by the developers, allowing the program to be read, and a vaccine to be created, though we will stress again that it can affect other programs and is not a permanent solution and should be employed only if you accept the risks associated with it.

The post BlackMatter Ransomware Analysis; The Dark Side Returns appeared first on McAfee Blogs.

]]>
European Telecom Company Expands Its Footprint to Better Protect Users and Customers https://www.mcafee.com/blogs/enterprise/european-telecom-company-expands-its-footprint-to-better-protect-users-and-customers/ Wed, 22 Sep 2021 14:00:58 +0000 https://www.mcafee.com/blogs/?p=129433

Hyper-growth and a determination to stand above the crowd compelled a popular Eastern European telecom to upgrade its trusty McAfee...

The post European Telecom Company Expands Its Footprint to Better Protect Users and Customers appeared first on McAfee Blogs.

]]>

Hyper-growth and a determination to stand above the crowd compelled a popular Eastern European telecom to upgrade its trusty McAfee Enterprise security infrastructure, which they relied on for many years to protect their 8,000 corporate endpoints. Competitive pressure to keep costs low and cybercriminals at bay for both their internal users and their customers spurred the mobile and fixed telephony company to enhance their existing security architecture with the latest endpoint and cloud-based protections from McAfee Enterprise.

The integrated McAfee Enterprise approach—with ePolicy Orchestrator ( ePO™) at the helm as the single-pane-of-glass management hub—enabled the security architect to build out a strong security foundation, with McAfee Enterprise endpoint and data protection solutions and Microsoft Defender as the mainstays of the telecom’s line of defense.

With ransomware and other advanced threats grabbing headlines, the telecom company felt a pressing need to upgrade its McAfee Enterprise infrastructure and expand its on-premises endpoint protection to cloud-based McAfee Enterprise Endpoint Security. The organization also added MVISION™ Endpoint Threat Detection and Response (MVISION® EDR) and deployed two McAfee Enterprise Advanced Threat Defense appliances for dynamic and static sandboxing. These deployments were easily integrated into the telecom’s existing security architecture—with all solutions managed by McAfee Enterprise ePO software. 

Faster time to detection, investigation, and remediation

McAfee Enterprise Endpoint Security was instrumental in both simplifying and boosting endpoint protection, as multiple technologies—Threat Protection, Firewall, Web Control, and Adaptive Threat Prevention—are consolidated into a single agent. Leveraging threat data from local endpoints and McAfee Enterprise Global Threat Intelligence in the cloud, the telecom’s security team is also empowered to detect zero-day threats in near real time. When a threat is identified on a given endpoint, that information is automatically shared with all the other endpoints. And when an unknown or suspicious file is detected, it is immediately quarantined for analysis by MVISION EDR or the McAfee Endpoint Advanced Threat Defense sandbox.

Investigation had once been a lengthy and laborious manual process, often taking days or weeks. Sometimes detections of malicious activity were even ignored due to time constraints. But, after implementing MVISION EDR, things changed dramatically. Investigations and remediations now take as little as 10 to 15 minutes. The security team is catching more threats than ever before, their workflows are streamlined, and investigations are faster. Best of all, thanks to MVISION EDR, team members have expanded their threat-hunting capacity—without augmenting their staff.

Alerts coordinate with action

Because McAfee Enterprise Advanced Threat Defense appliances and MVISION EDR are integrated with McAfee Enterprise SIEM solutions and McAfee Enterprise ePO software, suspicious activity at an endpoint automatically triggers an investigation. Advanced analytics and artificial intelligence (AI) in MVISION enable administrators to understand the alert, sort out the facts, and remediate any threat. MVISION EDR does all the preparatory work, gathering and distilling relevant data, such as IP addresses and information about devices and users. Graphic visualizations and AI-guided investigations help analysts quickly get a grasp on what’s happening. The security team can also run real-time queries to see if something similar has occurred anywhere else, and they can conduct historical searches for greater context.

“The volume of malware we have to deal with has definitely shrunk since implementing McAfee Enterprise Endpoint Security. But the addition of MVISION EDR has made an even bigger impact on security posture. When our endpoints do encounter malware, we can now respond many times faster and more effectively than ever before,” points out the security architect.

Achieving a proactive stance

The enhanced McAfee Enterprise security architecture has transformed the telecom company’s approach to maintaining a more resilient security posture. The company is now taking a more proactive defense as a result of the new, fully coordinated McAfee Enterprise toolset.

In addition to advanced threat-hunting capabilities, the ability to share threat information across the organization via the Data Exchange Layer (DXL) has also contributed to a more proactive stance. For example, whenever a malicious file is identified, that information is automatically added to the McAfee Enterprise Threat Intelligence Exchange threat reputation database and shared with all DXL-connected systems: endpoints, SIEM, Advanced Threat Defense sandboxes, MVISION EDR software, and even the company’s Cisco pxGrid infrastructure, a multivendor, cross-platform network system that pulls together different parts of an IT infrastructure.

The European telecom company has plans to migrate to the cloud, beginning with Microsoft Office 365 and Microsoft Azure. For the time being, the organization plans to keep the McAfee Enterprise ePO management console on premises, but, in the very near future, the plan is to protect internet-only users with cloud-based MVISION ePO™.

“Taking measured steps to augment our security infrastructure has helped us succeed at keeping our company and customers secure,” say the security architect. “It’s nice to know that McAfee Enterprise can support us wherever we are in our journey and can extend our integrated security infrastructure from device to cloud when we’re ready.”

 

The post European Telecom Company Expands Its Footprint to Better Protect Users and Customers appeared first on McAfee Blogs.

]]>
McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/ Mon, 20 Sep 2021 15:48:54 +0000 https://www.mcafee.com/blogs/?p=129307

Threat Summary Microsoft is warning its users of a zero-day vulnerability in Windows 10 and versions of Windows Server that...

The post McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 appeared first on McAfee Blogs.

]]>

Threat Summary

Microsoft is warning its users of a zero-day vulnerability in Windows 10 and versions of Windows Server that is being leveraged by remote, unauthenticated attackers to execute code on the target system using specifically crafted office documents. Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Microsoft Office to render web content inside Word, Excel, and PowerPoint documents. This vulnerability is being actively exploited and protections should be put into place to prevent that. Microsoft has released guidance on a workaround, as well as updates to prevent exploitation, but below are additional McAfee Enterprise countermeasures you can use to protect your business.

MVISION Insights Campaign – “CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability”

Since originally reported, vulnerability exploitation has grown worldwide.

Figure 1. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights

Additional MITRE ATT&CK techniques have been identified since our original report. MVISION Insights will be regularly updated with the latest IOCs and hunting rules for proactive detection in your environment.

Figure 2. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights

McAfee Enterprise Product Protections

The following McAfee Enterprise products can protect you against this threat.

Figure 3. Protection by ENS Module

For ENS, it’s important to have both Threat Protection (TP) and Adaptive Threat Protection (ATP) with GTI enabled. We are seeing 50% of detections based on ATP behavior analysis rules.

Figure 4. Protection by ENS Module

More details on Endpoint protection including MVISION EDR are included below.

Preventing Exploit with McAfee ENS

McAfee Global Threat Intelligence (GTI) is currently detecting the analyzed IOCs for this exploitation. GTI will be continually updated as new indicators are observed in the wild.

ENS Threat Prevention module can provide added protections against exploitation of CVE-2021-40444 until a patch is deployed. The following signature in Exploit Prevention has shown coverage in testing of observed exploits; this signature could cause false positives, so it is highly advised to test in Report Mode or in sandbox environments before blocking in production environments.

Signature 2844: Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability

Several custom Expert Rules can be implemented to prevent or detect potential exploitation attempts. As with all Expert Rules, please test them in your environment before deploying widely to all endpoints. Recommended to implement this rule in a log only mode to start.

Figure 5. Expert Rule to block or log exploitation attempts

Figure 6. Expert Rule to block or log exploitation attempts

ATP Rules

Adaptive Threat Protection module provides behavior-blocking capability through threat intelligence, rules destined to detect abnormal application activity or system changes and cloud-based machine-learning. To exploit this vulnerability, the attacker must gain access to a vulnerable system, most likely through Spearphishing with malicious attachments. These rules may also be effective in preventing initial access and execution. It is recommended to have the following rules in Observe mode at least and monitor for threat events in ePO.

  • Rule 2: Use Enterprise Reputations to identify malicious files.
  • Rule 4: Use GTI file reputation to identify trusted or malicious files
  • Rule 5: Use GTI file reputation to identify trusted or malicious URLs
  • Rule 300: Prevent office applications from being abused to deliver malicious payloads
  • Rule 309: Prevent office applications from being abused to deliver malicious payloads
  • Rule 312: Prevent email applications from spawning potentially malicious tools

As with all ATP Rules, please test them in your environment before deploying widely to all endpoints or turning on blocking mode.

Utilizing MVISION EDR for Hunting of Threat Activity

The Real-Time Search feature in MVISION EDR provides the ability to search across your environment for behavior associated with the exploitation of this Microsoft vulnerability. Please see the queries to locate the “mshtml” loaded module associated with various application processes.

EDR Query One

Processes where Processes parentimagepath matches “winword|excel|powerpnt” and Processes cmdline matches “AppData\/Local\/Temp\/|\.inf|\.dll” and Processes imagepath ends with “\control.exe”

EDR Query Two

HostInfo hostname and LoadedModules where LoadedModules process_name matches “winword|excel|powerpnt” and LoadedModules module_name contains “mshtml” and LoadedModules module_name contains “urlmon” and LoadedModules module_name contains “wininet

Additionally, the Historical Search feature within MVISION EDR will allow for the searching of IOCs even if a system is currently offline.

Figure 7. Using Historical Search to locate IOCs across all devices. Source: MVISION EDR

McAfee Enterprise has published the following KB article that will be updated as more information and coverage is released.

McAfee Enterprise coverage for CVE-2021-40444 – MSHTML Remote Code Execution

Further Protection for Threat Actor Behavior After Exploitation

Since public disclosure of the vulnerability, it has been observed from successful exploitation of CVE-2021-40444 in the wild that threat actors are utilizing a Cobalt Strike payload to then drop ransomware later in the compromised environment. The association between this vulnerability and ransomware point to the possibility that the exploit has been added to the tools utilized in the ransomware-as-a-service (RaaS) ecosystem.

Figure 8. CVE-2021-40444-attack-chain (Microsoft)​​

The Ransomware Gangs that have been observed in these attacks have in the past been known to utilize the Ryuk and Conti variants of ransomware.

Please see below additional mitigations that can be utilized in the event your environment is compromised and added protections are needed to prevent further TTPs.

Cobalt Strike BEACON

MVISION Insights Campaign – Threat Profile: CobaltStrike C2s

 

Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 517: Prevent actor process with unknown reputations from launching processes in common system folders

 

Ryuk Ransomware Protection

MVISION Insights Campaign – Threat Profile: Ryuk Ransomware

 

Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 5: Use GTI file reputation to identify trusted or malicious URLs

 

Endpoint Security – Access Protection:

Rule: 1

Executables (Include):

*

Subrules:

Subrule Type: Files

Operations:

Create

Targets (Include):

*.ryk

 

Endpoint Security – Exploit Prevention

Signature 6153: Malware Behavior: Ryuk Ransomware activity detected

 

Conti Ransomware Protection

MVISION Insights Campaign – Threat Profile: Conti Ransomware

 

Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 5: Use GTI file reputation to identify trusted or malicious URLs

 

Endpoint Security – Access Protection Custom Rules:

Rule: 1

Executables (Include):

*

Subrules:

Subrule Type: Files

Operations:

create

Targets (Include):

*conti_readme.txt

 

Endpoint Security – Exploit Prevention

Signature 344: New Startup Program Creation

The post McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 appeared first on McAfee Blogs.

]]>
The Bug Report | September 2021: CVE-2021-40444 https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/the-bug-report-september-2021-cve-2021-40444/ Fri, 17 Sep 2021 10:07:22 +0000 https://www.mcafee.com/blogs/?p=129292 How to check for viruses

Why am I here? There’s a lot of information out there on critical vulnerabilities; this short bug report contains an...

The post The Bug Report | September 2021: CVE-2021-40444 appeared first on McAfee Blogs.

]]>
How to check for viruses

Why am I here?

There’s a lot of information out there on critical vulnerabilities; this short bug report contains an overview of what we believe to be the most news and noteworthy vulnerabilities. We don’t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact. Today, we’ll be focusing on CVE-2021-40444.

CrossView: CVE-2021-40444

What is it?

CVE-2021-40444 is a vulnerability in Office applications which use protected view such as Word, PowerPoint and Excel which allows an attacker to achieve remote code execution (RCE). CVE-2021-40444 is a vulnerability which allows a carefully crafted ActiveX control and a malicious MS Cabinet (.cab) file to be launched from an Office document

Most importantly, this vulnerability impacts the applications themselves, as well as the Windows Explorer preview pane.

Who cares?

This is a great question! Pretty much anyone who uses any Microsoft Office applications, or has them installed, should be concerned.

Office is one of the most widely-used applications on the planet. Odds are good you have it open right now. While many companies have disabled macros within Office documents at the Group Policy level, it is unlikely ActiveX is treated similarly. This means that without proper data hygiene, a large proportion of Office users will be vulnerable to this exploit.

Fortunately, “spray and pray” style email campaigns are unlikely to gain traction with this exploit, as mail providers have started flagging malicious files (or at least known PoCs) as potential malware and removing them as attachments.

What can I do?

Good news! You aren’t necessarily completely helpless. By default, Windows uses a flag known as the “Mark of the Web” (MoTW) to enable Protected Mode in Office. Email attachments, web downloads, and similar all have this MoTW flag set, and Protected Mode prevents network operations, ActiveX controls, and macros embedded within a document from being executed, which effectively disables exploitation attempts for this vulnerability.

That said, users have become so inured to the Protected View message, they often dismiss it without considering the consequences. Much like “confirmation fatigue” can lead to installing malicious software, attackers can leverage this common human response to compromise the target machine.

Even more so, while exploitation can occur via the Office applications themselves and via the Explorer preview pane, the Outlook preview pane operates in a completely different manner which does not trigger the exploit. Exactly why this distinction exists only MS can explain, but the upshot is that Outlook users have to explicitly open malicious files to be exploited – the more hoops users have to jump through to open a malicious, the less likely they are to be pwned.

If I’m protected by default, why does this matter?

It depends entirely on how the file gets delivered and where the user saves it.

There are many ways of getting files beyond email and web downloads – flash cards for cameras, thumb drives, external hard drives, etc. Files opened from these sources (and many common applications[1]) don’t have MoTW flag set, meaning that attackers could bypass the protection entirely by sending a malicious file in a .7z archive, or as part of a disk image, or dropping a USB flash drive in your driveway. Convincing users to open such files is no harder than any other social engineering strategy, after all.

Another fun workaround for bypassing default protections is to make use of an RTF file – emailed, downloaded, or otherwise. From our testing, an RTF file saved from an email attachment does not bear the MoTW but can still be used as a vector of exploitation. Whether RTF files become the preferred option for this exploit remains to be seen.

TL;DR

Ha! We put the tl;dr near the end, which only makes sense when the information above is so important it’s worth reading. But if all you care about is what you can actively do to ensure you’re not vulnerable, this section is for you.

Mitigations:

  • Apply the Patch! Available via Windows Update as of 9/14/2021, this is your best solution.
  • Enable registry workaround to disable ActiveX – details can be found on Microsoft’s bulletin page and should effectively disable exploitation attempts until a formal patch can be applied.
  • Confirm that Windows Explorer “Preview” pane is disabled (this is true by default). This only protects against the Preview pane exploitation in Explorer. Opening the file outside of Protected Mode (such as an RTF file) or explicitly disabling Protected Mode will still allow for exploitation.

The Gold Standard

In case you simply can’t apply the patch or have a “production patch cycle” or whatever, McAfee Enterprise has you covered. Per our KB we provide comprehensive coverage for this attack across our protection and detection technology stack of endpoint (ENS Expert Rules), network (NSP) and EDR.

https://kc.mcafee.com/corporate/index?page=content&id=KB94876

[1] 7zip, files from disk images or other container formats, FAT formatted volumes, etc.

The post The Bug Report | September 2021: CVE-2021-40444 appeared first on McAfee Blogs.

]]>
Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry https://www.mcafee.com/blogs/enterprise/executive-spotlight-qa-with-svp-of-global-channels-kathleen-curry/ Wed, 15 Sep 2021 15:05:22 +0000 https://www.mcafee.com/blogs/?p=129046

For this week’s executive spotlight, I’m highlighting Kathleen Curry, senior vice president, Global Enterprise Channels at McAfee Enterprise. Curry was...

The post Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry appeared first on McAfee Blogs.

]]>

For this week’s executive spotlight, I’m highlighting Kathleen Curry, senior vice president, Global Enterprise Channels at McAfee Enterprise. Curry was named one of CRN’s 2021 Channel Chiefs. Joining the company in April 2020, she was acknowledged for her contributions expanding our partner program initiatives to reward partners for servicing customers in line with their modern needs and consumption preferences. This includes spearheading McAfee Enterprises’ “channel first” initiative and ethos, aimed to better empower our channel partner community and increase their profitability, while at the same time optimizing the end customer experience by scaling through McAfee Enterprise’s channels and partners. Read below for more.

Q: Who has been the most influential person in your life?

My father instilled in me, from as far back as I can remember, that I can do whatever I set my mind to and that I am the owner of my life story. This helped create a positive, empowered mindset when facing challenges and opportunities throughout my life. And my father always kept our world big. Whether it was traveling to see other cultures, sharing his never-ending love of history, or getting involved in our community, his actions showed me the importance of taking time to connect with others, understand the context of things, and have compassion. While he is no longer with us, I still feel like I get advice from him every day.

Q: What are the most significant problems influencing cybersecurity professionals today?

The ever-changing threat landscape is a real challenge. Finding the time to keep up on trends, proactively secure an environment, and address unexpected issues has become increasingly difficult. Together with our partners, we can help solve these problems.

Q: How do you separate hype from genuine innovation?

Execution. True innovation delivers real outcomes. It can be big or small, but mostly, it must be realized and validated.

Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise and our partners in the coming years?

There is tremendous opportunity ahead for us and our partners. With the complexity of the cybersecurity landscape, continuing threats, and talent gaps, our customers need our collective solutions, expertise, and services more than ever. We are charging ahead to optimize our channel program with partner profitability and growth at the forefront. Our dedication to a Channel First strategy coupled with best-in-class solutions positions us extremely well to win and best benefit the customers we serve together.

The post Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry appeared first on McAfee Blogs.

]]>
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/ Wed, 15 Sep 2021 04:01:21 +0000 https://www.mcafee.com/blogs/?p=128752

A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco...

The post Operation ‘Harvest’: A Deep Dive into a Long-term Campaign appeared first on McAfee Blogs.

]]>

A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support.

Executive Summary

Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack.

From a cyber-intelligence perspective, one of the biggest challenges is having information on the tactics, techniques, and procedures (TTPs) an adversary is using and then keeping them up to date. Within ATR we typically monitor many adversaries for years and collect and store data, ranging from indicators of compromise (IOCs) to the TTPs.

In this report, ATR provides a deep insight into this long-term campaign where we will map out our findings against the Enterprise MITRE ATT&CK model. There will be parts that are censored since we respect the confidentiality of the victim. We will also zoom in and look at how the translation to the MITRE Techniques, historical context, and evidence artifacts like PlugX and Winnti malware led to a link with another campaign, which we highly trust to be executed by the same adversary.

IOCs that could be shared are at the end of this document.

McAfee customers are protected from the malware/tools described in this blog. MVISION Insights customers will have the full details, IOCs and TTPs shared via their dashboard. MVISION Endpoint, EDR and UCE platforms provide signature and behavior-based prevention and detection capability for many of the techniques used  in this attack. A more detailed blog with specific recommendations on using the McAfee portfolio and integrated partner solutions to defend against this attack can be found here.

Technical Analysis

Initial Infection Vectors [TA0001]

Forensic investigations identified that the actor established initial access by compromising the victim’s web server [T1190]. On the webserver, software was installed to maintain the presence and storage of tools [T1105] that would be used to gather information about the victim’s network [T1083] and lateral movement/execution of files [T1570] [T1569.002]. Examples of the tools discovered are PSexec, Procdump, and Mimikatz.

Privilege Escalation and Persistence [TA0004TA0003]

The adversary has been observed using multiple privilege escalation and persistence techniques during the period of investigation and presence in the network. We will highlight a few in each category.

Besides the use of Mimikatz to dump credentials, the adversaries used two tools for privilege escalations [T1068]. One of the tools was “RottenPotato”. This is an open-source tool that is used to get a handle to a privileged token, for example, “NT AUTHORITY\SYSTEM”, to be able to execute tasks with System rights.

Example of RottenPotato on elevating these rights:

Figure 1 RottenPotato

The second tool discovered, “BadPotato”, is another open-source tool that can be used to elevate user rights towards System rights.

Figure 2 BadPotato

The BadPotato code can be found on GitHub where it is offered as a Visual Studio project. We inspected the adversary’s compiled version using DotPeek and hunted for artifacts in the code. Inspecting the File (COFF) header, we observed the file’s compilation timestamp:

TimeDateStamp: 05/12/2020 08:23:47  – Date and time the image was created

PlugX

Another major and characteristic privilege escalation technique the adversary used in this long-term campaign was the malware PlugX as a backdoor. PlugX makes use of the technique “DLL Sideloading” [T1574.002]. PlugX was observed as usual where a single (RAR) executable contained the three parts:

  • Valid executable.
  • Associated DLL with the hook towards the payload.
  • Payload file with the config to communicate with Command & Control Server (C2).

The adversary used either the standalone version or distributed three files on different assets in the network to gain remote control of those assets. The samples discovered and analyzed were communicating towards two domains. Both domains were registered during the time of the campaign.

One of the PlugX samples consisted of the following three parts:

Filename Hashes
HPCustPartic.exe SHA256: 8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6
HPCustPartUI.dll SHA256: 0ee5b19ea38bb52d8ba4c7f05fa1ddf95a4f9c2c93b05aa887c5854653248560
HPCustPartic.bin SHA256: 008f7b98c2453507c45dacd4a7a7c1b372b5fafc9945db214c622c8d21d29775

The .exe file is a valid and signed executable and, in this case, an executable from HP (HP Customer participation). We also observed other valid executables being used, ranging from AV vendors to video software. When the executable is run, the DLL next to it is loaded. The DLL is valid but contains a small hook towards the payload which, in our case, is the .bin file. The DLL loads the PlugX config and injects it into a process.

We executed the samples in a test setup and dumped the memory of the machine to conduct memory analysis with volatility. After the basic forensically sound steps, we ran the malfind plugin to detect possible injected code in a process. From the redacted output of the plugin, we observed the following values for the process with possible injected code:

Process: svchost.exe Pid: 860 Address: 0xb50000

Process: explorer.exe Pid: 2752 Address: 0x56a000

Process: svchost.exe Pid: 1176 Address: 0x80000

Process: svchost.exe Pid: 1176 Address: 0x190000

Process: rundll32.exe Pid: 3784 Address: 0xd0000

Process: rundll32.exe Pid: 3784 Address: 0x220000

One observation is the mention of the SVCHOST process with a ProcessID value of 1176 that is mentioned twice but with different addresses. This is similar to the RUNDLL32.exe that is mentioned twice with PID 3785 and different addresses. One way to identify what malware may have been used is to dump these processes with the relevant PID using the procdump module, upload them to an online analysis service and wait for the results. Since this is a very sensitive case, we took a different approach. Using the best of both worlds (volatility and Yara) we used a ruleset that consists of malware patterns observed in memory over time. Running this ruleset over the data in the memory dump revealed the following (redacted for the sake of readability) output:

Figure 3 Output Yarascan memory dump

The output of the Yara rule scan (and there was way more output) confirmed the presence of PlugX module code in PID 1176 of the SVCHOST service. Also, the rule was triggered on PID 3784, which belonged to RUNDLL32.exe.

Investigating the dumps after dynamic analysis, we observed two domain names used for C2 traffic:

  • sery.brushupdata.com
  • dnssery.brushupdata.com

In particular, we saw the following hardcoded value that might be another payload being downloaded:

sery.brushupdata.com/CE1BC21B4340FEC2B8663B69

The PlugX families we observed used DNS [T1071.001] [T1071.004] as the transport channel for C2 traffic, in particular TXT queries. Investigating the traffic from our samples, we observed the check-in-signature (“20 2A 2F 2A 0D”) that is typical for PlugX network traffic:

00000000:            47 45 54 20 2F 42 34 42 42 44 43 43 30 32 39 45

00000010:            31 31 39 37 31 39 46 30 36 35 36 32 32 20 48 54

00000020:            54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20

00000030:            2A 2F 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 44 36 43

00000040:            57 50 2B 56 5A 47 6D 59 6B 6D 64 6D 64 64 58 55

00000050:            71 58 4D 31 71 31 6A 41 3D 0D 0A 55 73 65 72 2D

During our analysis of the different PlugX samples discovered, the domain names as mentioned above stayed the same, though the payload values were different. For example:

  • hxxp://sery.brushupdata.com/B4BBDCC029E119719F065622
  • hxxp://sery.brushupdata.com/07FDB1B97D22EE6AF2482B1B
  • hxxp://sery.brushupdata.com/273CDC0B9C6218BC1187556D

Other PlugX samples we observed injected themselves into Windows Media Player and started a connection with the following two domains:

  • center.asmlbigip.com
  • sec.asmlbigip.com

Hello Winnti

Another mechanism observed was to start a program as a service [T1543.003] on the Operating System with the acquired System rights by using the *Potato tools. The file the adversary was using seemed to be a backdoor that was using the DLL file format (2458562ca2f6fabddae8385cb817c172).

The DLL is used to create a malicious service and its name is service.dll”. The name of the created service, “SysmainUpdate”, is usurping the name of the legitimate service “SysMain” which is related to the legitimate DLL sysmain.dll and also to the Superfetch service. The dll is run using the command “rundll32.exe SuperFrtch.dll, #1”. The export function has the name “WwanSvcMain”.

The model uses the persistence technique utilizing svchost.exe with service.dll to install a rogue service. It appears that the dll employs several mechanisms to fingerprint the targeted system and avoid analysis in the sandbox, making analysis more difficult. The DLL embeds several obfuscated strings decoded when running. Once the fingerprinting has been done, the malware will install the malicious service using the API RegisterServiceHandlerA then SetServiceStatus, and finally CreateEventA. A description of the technique can be found here.

The malware also decrypts and injects the payload in memory. The following screenshot shows the decryption routine.

Figure 4 Decryption routine

When we analyzed this unique routine, we discovered similarities and the mention of it in a publication that can be read here. The malware described in the article is attributed to the Winnti malware family. The operating method and the code used in the DLL described in the article are very similar to our analysis and observations.

The process dump also revealed further indicators. Firstly, it revealed artifacts related to the DLL analyzed, “C:\ProgramData\Microsoft\Windows\SuperfRtch\SuperfRtch.dat”. We believe that this dat file might be the loaded payload.

Secondly, while investigating the process dump, we observed activities from the backdoor that are part of the data exfiltration attempts which we will describe in more detail in this analysis report.

A redacted snippet of the code would look like this:

Creating archive ***.rar

Adding   [data from location]

  0%

  OK

Another indicator of discovering Winnti malware was the following execution path we discovered in the command line dump of the memory:

cmd /c klcsngtgui.exe 1560413F7E <abbreviation-victim>.dat

What we observed here was the use of a valid executable, the AES 256 decryption key of the payload (.dat file). In this case, the payload file was named using an abbreviation of the victim company’s name. Unfortunately, the adversary had removed the payload file from the system. File carving did not work since the disk/unallocated space was overwritten. However, reconstructing traces from memory revealed that we were dealing with the Winnti 4.0 malware. The malware was injected into a SVCHOST process where a driver location pointed to the config file. We observed in the process dump the exfiltration of data on the system, such as OS, Processor (architecture), Domain, Username, etc.

Another clue that helped us was the use of DNS tunneling by Winnti which we discovered traces of in memory. The hardcoded 208.67.222.222 resolves to a legitimate OpenDNS DNS server. The IP is pushed into the list generated by the malware at runtime. At the start of the malware, it populates the list with the system’s DNS, and the OpenDNS server is only used as a backup to ensure that the C2 domain is resolved.

Another indicator in the process dump was the setup of the C2 connection including the User-Agent that has been observed being used by Winnti 4.0 malware:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Other Persistence Activities

WMI activity [T1546.003] was also observed to execute commands on the systems.

From a persistence point of view, scheduled tasks [T1053.005] and the use of valid accounts [T1078] acquired through the use of Mimikatz, or creating LSASS dumps, were observed being employed during the length of the campaign.

Lateral Movement

From a lateral movement perspective, the adversary used the obtained credentials to hop from asset to asset. In one particular case, we observed a familiar filename: “PsExec.exe”. This SysInternals tool is often observed being used in lateral movement by adversaries, however, it can also be used by the sysadmins of the network. In our case, the PsExec executable had a file size of 9.6 MB where the original PsExec (depending on 32- or 64-bit version) had a maximum file size of 1.3 MB. An initial static inspection of the file resulted in a blob of code that was present in the executable which had a very high entropy score (7.99). When running the file from the command line, the following output was observed:

Figure 5 PsExec output

The error notification and the ‘Impacket’ keyword tipped us off and, after digging around, we found more. The fake PsExec is an open-source Python script that is a PsExec alternative with shell/backdoor capability. It uses a script from this location: hxxps://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.pyi. The file is large since it incorporates a low-level protocol interaction from Impacket. The Python library combined with the script code is compiled with py2exe. The file was compiled during the time of the latest attack activities and signed with an expired certificate.

Data Exfiltration

From what we observed, the adversary had a long-term intention to stay present in the victim’s network. With high confidence, we believe that the adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes.

The adversary used several techniques to exfiltrate the data. In some cases, batch (.bat) scripts were created to gather information from certain network shares/folders and use the ‘rar’ tool to compress them to a certain size [T1020] [T1030]. Example of content in a batch script:

C:\Windows\web\rar.exe a -[redacted] -r -v50000 [Target-directory]

On other occasions, manual variants of the above command were discovered after using the custom backdoor as described earlier.

When the data was gathered on a local system using the backdoor, the files were exfiltrated over the backdoor and the rar files were deleted [T1070.004]. Where external facing assets were used, like a web server, the data was stored in a location in the Internet Information Services (IIS) web server and exfiltrated over HTTP using GET requests towards the exact file paths [T1041] [T1567] [T1071].

An example of the [redacted] web traffic in the IIS logfiles:

Date /Time Request TCP Src port Source IP User-Agent
Redacted GET /****/[redacted].rar 80 180.50.*.* MINIXL
redacted GET /****/[redacted].rar 80 209.58.*.* MINIXL

The source IP addresses discovered belonged to two different ISP/VPN providers based in Hong-Kong.

The User-Agent value is an interesting one, “MINIXL”. When we researched that value, we discovered a blog from Dell SecureWorks from 2015 that mentions the same User-Agent, but also a lot of the artifacts mentioned from the blog overlapped with the observations and TTPs of Operation Harvest [link].

What we could retrieve from open-source databases is that the use of this particular User-Agent is very limited and seems to originate from the APAC region.

Who did it?

That seems to be the one-million-dollar question to be asked. Within McAfee, attribution is not our main focus, protecting our customers is our priority. What we do care about is that if we learn about these techniques during an investigation, can we map them out and support our IR team on the ground, or a customer’s IR team, with the knowledge that can help determine which phase of the attack the evidence is pointing to and based on historical data and intelligence, assist in blocking the next phase and discover more evidence?

We started by mapping out all MITRE ATT&CK Enterprise techniques and sub-techniques, added the tools used, and did a comparison against historical technique data from the industry. We ended up with four groups that shared techniques and sub-techniques. The Winnti group was added by us since we discovered the unique encryption function in the custom backdoor and indicators of the use of the Winnti malware.

Figure 6 ATT&CK technique comparison

The diagram reflecting our outcome insinuated that APT27 and APT41 are the most likely candidates that overlap with the (sub-)techniques we observed.

Since all these groups are in a certain time zone, we extracted all timestamps from the forensic investigation with regards to:

  • Registration of domain
  • Compile timestamps of malware (considering deception)
  • Timestamps of command-line activity
  • Timestamps of data exfiltration
  • Timestamps of malware interaction such as creation, deletion, etc.

When we converted all these timestamps from UTC to the aforementioned groups’ time zones, we ended up with the below scheme on activity:

Figure 7 Adversary’s time of operation

In this campaign, we observed how the adversary mostly seems to work from Monday to Thursday and typically during office hours, albeit with the occasional exception.

Correlating ATT&CK (sub-)techniques, timestamps, and tools like PlugX and Mimikatz are not the only evidence indicators that can help to identify a possible adversary. Command-line syntax, specific code similarity, actor capability over time versus other groups, and unique identifiers are at the top of the ‘pyramid of pain’ in threat intelligence. The bottom part of the pyramid is about hashes, URLs, and domains, areas that are very volatile and easy to change by an adversary.

Figure 8 Pyramid of Pain

Beyond investigating those artifacts, we also took possible geopolitical interests and potential deception into consideration when building our hypothesis. When we mapped out all of these, we believed that one of the two previously mentioned groups were responsible for the campaign we investigated.

Our focus was not about attribution though, but more around where the flow of the attack is, matches against previous attack flows from groups, and what techniques/tools they are using to block next steps, or where to locate them. The more details we can gather at the top of ‘the pyramid of pain’, the better we can determine the likely adversary and its TTP’s.

That’s all Folks!

Well, not really. While correlating the observed (sub-)techniques, the malware families and code, we discovered another targeted attack against a similar target in the same nation with the major motivation of gathering intelligence. In the following diagram we conducted a high-level comparison of the tools being used by the adversary:

Figure 9 Tools comparison

Although some of the tools are unique to each campaign, if taken into consideration over time with when they were used, it makes sense. It demonstrates the development of the actor and use of newer tools to conduct lateral movement and to obtain the required level of user rights on systems.

Overall, we observed the same modus operandi. Once an initial foothold was established, the adversary would deploy PlugX initially to create a few backdoors in the victim’s network in case they were discovered early on. After that, using Mimikatz and dumping lsass, they were looking to get valid accounts. Once valid accounts were acquired, several tools including some of their own tools were used to gain information about the victim’s network. From there, several shares/servers were accessed, and information gathered. That information was exfiltrated as rar files and placed on an internet-facing server to hide in the ‘normal’ traffic. We represent that in the following graphic:

Figure 10 Attack flow

In the 2019/2020 case we also observed the use of a malware sample that we would classify as part of the Winnti malware family. We discovered a couple of files that were executed by the following command:

Start Ins64.exe E370AA8DA0 Jumper64.dat

The Winnti loader ‘Ins64.exe’ uses the value ‘E370AA8DA0’ to decrypt the payload from the .dat file using the AES-256-CTR decryption algorithm and starts to execute.

After executing this command and analyzing the memory, we observed a process injection in one of the svchost processes whereby one particular file was loaded from the following path:

C:\programdata\microsoft\windows\caches\ieupdate.dll

Figure 11 Memory capture

The malware started to open up both UDP and TCP ports to connect with a C2 server.

UDP Port 20502

TCP Port  20501

Figure 12 Network connections to C2

Capturing the traffic from the malware we observed the following as an example:

Figure 13 Winnti HTTP traffic to C2

The packet data was customized and sent through a POST request with several headers towards the C2. In the above screenshot the numbers after “POST /” were randomly generated.

The User-Agent is a good network indicator to identify the Winnti malware since it is used in multiple variants:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Indeed, the same User Agent value was discovered in the Winnti sample in Operation Harvest and seems to be typical for this malware family.

The cookie value consists of four Dword hex values that contain information about the customized packet size using a XOR value.

We learned more about the packet structure of Winnti from this link.

Applying what we learned about the handshake, we observed the following in our traffic sample:

Dword value 0 = 52 54 00 36

Dword value 1 = 3e ff 06 b2

Dword value 2 = 99 6d 78 fe

Dword value 3 = 08 00 45 00

Dword value 4 = 00 34 00 47

Initial handshake order:

Based on our cross-correlation with samples and other OSINT resources, we believe with a high confidence that this was a Winnti 4.0 sample that connects with a confirmed Winnti C2 server.

The identified C2 server was 185.161.211.97 TCP/80.

Timeline of Events

When analyzing the timestamps from this investigation, like we did for operation Harvest, we came to the below overview:

Figure 14 Beijing working hours case 2019/2020

Again, we observed that the adversary was operating Monday to Friday during office hours in the Beijing time-zone.

Conclusion

Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

After mapping out all data, TTP’s etc., we discovered a very strong overlap with a campaign observed in 2019/2020. A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.

On a separate note, we observed the use of the Winnti malware. We deliberately mention the term ‘malware’ instead of group. The Winnti malware is known to be used by several actors. Within every nation-state cyber-offensive activity, there will be a department/unit responsible for the creation of the tools/malware, etc. We strongly believe that is exactly what we observe here as well. PlugX, Winnti and some other custom tools all point to a group that had access to the same tools. Whether we put name ‘X’ or ‘Y’ on the adversary, we strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims’ networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions.

 

MITRE ATT&CK Techniques

Technique ID Technique Title Context Campaign
T1190 Exploit Public-facing application Adversary exploited a web-facing server with application
T1105 Ingress Tool transfer Tools were transferred to a compromised web-facing server
T1083 File & Directory Discovery Adversary browsed several locations to search for the data they were after.
T1570 Lateral Tool Transfer Adversary transferred tools/backdoors to maintain persistence
T1569.002 System Services: Service Execution Adversary installed custom backdoor as a service
T1068 The exploitation of Privilege Escalation Adversary used Rotten/Bad Potato to elevate user rights by abusing API calls in the Operating System.
T1574.002 Hijack Execution Flow: DLL Side-Loading Adversary used PlugX malware that is famous for DLL-Side-Loading using a valid executable, a DLL with the hook towards a payload file.
T1543.003 Create or Modify System Process: Windows Service Adversary launched backdoor and some tools as a Windows Service including adding of registry keys
T1546.003 Event-Triggered Execution: WMI Event Subscription WMI was used for running commands on remote systems
T1053.005 Scheduled task Adversary ran scheduled tasks for persistence of certain malware samples
T1078 Valid accounts Using Mimikatz and dumping of lsass, the adversary gained credentials in the network
T1020 Automated exfiltration The PlugX malware exfiltrated data towards a C2 and received commands to gather more information about the victim’s compromised host.
T1030 Data transfer size limits Adversary limited the size of rar files for exfiltration
T1070.004 Indicator removal on host Where in the beginning of the campaign the adversary was sloppy, during the last months of activity they became more careful and started to remove evidence
T1041 Exfiltration over C2 channel Adversary used several C2 domains to interact with compromised hosts.
T1567 Exfiltration over Web Service Gathered information was stored as ‘rar’ files on the internet-facing server, whereafter they were downloaded by a specific ip range.
T1071.004 Application layer protocol: DNS Using DNS tunneling for the C2 traffic of the PlugX malware

 

Indicators of Compromise (IOCs)

Note: the indicators shared are to be used in a historical and timeline-based context, ranging from 2016 to March 2021.

Operation Harvest:

PlugX C2:

sery(.)brushupdata(.)com
Dnssery(.)brushupdata(.)com
Center(.)asmlbigip(.)com

 

Tools:

Mimikatz

PsExec

RottenPotato

BadPotato

 

Operation 2019/2020

PlugX malware:

f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498

26e448fe1105b5dadae9b7607e3cca366c6ba8eccf5b6efe67b87c312651db01

e9033a5db456af922a82e1d44afc3e8e4a5732efde3e9461c1d8f7629aa55caf

3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

 

Winnti:

800238bc27ca94279c7562f1f70241ef3a37937c15d051894472e97852ebe9f4

c3c8f6befa32edd09de3018a7be7f0b7144702cb7c626f9d8d8d9a77e201d104

df951bf75770b0f597f0296a644d96fbe9a3a8c556f4d2a2479a7bad39e7ad5f

 

Winnti C2: 185.161.211.97

 

Tools:

PSW64                  6e983477f72c8575f8f3ff5731b74e20877b3971fa2d47683aff11cfd71b48c6

NTDSDumpEx  6db8336794a351888636cb26ebefb52aeaa4b7f90dbb3e6440c2a28e4f13ef96

NBTSCAN             c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e

NetSess                ddeeedc8ab9ab3b90c2e36340d4674fda3b458c0afd7514735b2857f26b14c6d

Smbexec              e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee

Wmiexec              14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8

Mimikatz

RAR command-line

TCPdump

The post Operation ‘Harvest’: A Deep Dive into a Long-term Campaign appeared first on McAfee Blogs.

]]>
McAfee Enterprise Defender’s Blog: Operation Harvest https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-defenders-blog-operation-harvest/ Wed, 15 Sep 2021 04:01:11 +0000 https://www.mcafee.com/blogs/?p=127468

Summary McAfee Enterprise’s Advanced Threat Research (ATR) team provided deep insight into a long-term campaign Operation Harvest. In the blog,...

The post McAfee Enterprise Defender’s Blog: Operation Harvest appeared first on McAfee Blogs.

]]>

Summary

McAfee Enterprise’s Advanced Threat Research (ATR) team provided deep insight into a long-term campaign Operation Harvest. In the blog, they detail the MITRE Tactics and Techniques the actors used in the attack. In this blog, our Pre-Sales network defenders describe how you can defend against a campaign like Operation Harvest with McAfee Enterprise’s MVISION Security Platform and security architecture best practices.

Defending Against Operation Harvest with McAfee

Operation Harvest, like other targeted attack campaigns, leverages multiple techniques to access the network and capture credentials before exfiltrating data. Therefore, as a Network Defender you have multiple opportunities to prevent, disrupt, or detect the malicious activity. Early prevention, identification and response to potentially malicious activity is critical for business resilience. Below is an overview of how you can defend against attacks like Operation Harvest with McAfee’s MVISION Security Architecture.

Throughout this blog, we will provide some examples of where MVISION Security Platform could help defend against this type of attack.

Get Prepared with the Latest Threat Intelligence

As Network Defenders our goal is to prevent, detect and contain the threat as early as possible in the attack chain. That starts with using threat intelligence, from blogs or solutions like MVISION Insights to get prepared and using tools like MITRE Attack Navigator to assess your defensive coverage. The ATR blog details the techniques, indicators and tools used by the attackers. Many of the tools used in Operation Harvest are common across other threat actors and detection details for PlugX, and Winnti are already documented in MVISION INSIGHTS.

Get a quick overview of the PlugX tool:

Easily search for or export PlugX IOCs right from MVISION Insights:

Get a quick overview of the Winnti tool:

Easily search for or export Winnti IOCs right from MVISION Insights:

Cross Platform Hunting Rules for Winnti:

MVISION Insights is also updated with the latest technical intelligence on Operation Harvest including a summary of the threat, prevalence, indicators of compromise and recommended defensive countermeasures.

Defending Against Initial Access

In this attack, the initial access involved a compromised web server. Over the last year we have seen attackers increasingly use initial access vectors beyond spear-phishing, such as compromising remote access systems or supply chains. The exploiting of public-facing vulnerabilities for Initial Access is a technique associated with Operation Harvest and other APT groups to gain entry. Detecting this activity and stopping it is critical to limiting the abilities of the threat actor to further their execution strategy. Along with detecting the ongoing activity, it is also imperative to verify critical vulnerabilities are patched and configurations are security best practice to prevent exploitation. MVISION UCE provides visibility into threats, vulnerabilities, and configuration audits mapped to the MITRE ATT&CK Framework for protection against suspicious activity.

Many customer-facing applications and web servers are hosted on cloud infrastructure. As a Network Defender, gaining visibility and monitoring for misconfigurations on the infrastructure platforms is critical as this is increasingly the entry point for an attacker. MVISION Cloud Native Application Protection Platform (CNAPP) provides a continuous assessment capability for multiple cloud platforms in a single console so you can quickly correct misconfigurations and harden the security posture across AWS, AZURE or Google Cloud Platforms.

Harden the Server or Endpoint Against Malicious Tool use

The attackers uploaded several known or potentially malicious tools to compromised systems. Many of these tools were detected on installation or execution by ENS Threat Prevention or Adaptative Threat Prevention Module. The following is a sample of the Threat Event log from ePolicy Orchestrator (ePO) from our testing.

You can easily search for these events in ePO and investigate any systems with detections.

For best protection turn on Global Threat Intelligence (GTI) for both Threat Prevention and Adaptive Threat Protection modules. Ensure ATP Rules 4 (GTI File Reputation) and 5 (URL Reputation) are enabled in ATP. Global Threat Intelligence is updated with the latest indicators for this attack as well.

Additionally, based on other observables in this attack, we believe there are several other Adaptive Threat Prevention Rules that could prevent or identify potentially malicious activity on the endpoint or server. Monitor especially for these ATP events in the ePO threat event logs:

Rule 269: Detects potentially malicious usage of WMI service to achieve persistence

Rule 329: Identify suspicious use of Scheduled Tasks

Rule 336: Detect suspicious payloads targeting network-related services or applications via dual use tools

Rule 500: Block lateral movement using utilities such as Psexec from an infected client to other machines in the network

Rule 511: Detect attempts to dump sensitive information related to credentials via lsaas

Analysis will continue and additional ATP rules we think relate will be added to mitigation guidance in MVISION Insights.

ENS with Expert Rules

Expert Rules are a powerful, customizable signature language within ENS Threat Prevention Module. For this attack, you could use Expert Rules to identify potential misuse of Psexec or prevent execution or creation of certain file types used such as .rar files.

Additional guidance on creating your own Expert Rules and link to our repository are here:

How to Use Expert Rules in ENS to Prevent Malicious Exploits

ATR Expert Rule Repository

Per standard practice, we recommend that customers test this rule in report mode before applying in block mode.

Preventing or Detecting Command and Control

Like other attacks exploiting critical vulnerabilities, attackers may gain command and control over exploited systems to deliver payloads or other actions. MVISION EDR can both identify many command-and-control techniques such as Cobalt Strike beacons. In this case, MVISION EDR would have logged the DNS and HTTP connection requests to the suspicious domains and an SOC analysts could use Real Time and Historical search to hunt proactively for compromised machines.

Additionally, Unified Cloud Edge (UCE – SWG) can prevent access to risky web sites using threat intelligence, URL reputation, behaviour analysis and remote browser isolation. Ensure you have a strong web security policy in place and are monitoring logs. This is a great control to identify potentially malicious C2 activity.

Monitoring for Privilege Escalation

The adversary used several techniques and tools to elevate privileges and run Mimikatz to steal credentials. In our simulation, MVISION EDR proactively identified the attempt to download and execute in memory a Mimikatz PowerShell script.

We simulated the attacker malicious attempt using potato tools reproducing a generic privilege escalation. From the EDR monitoring process tree we could observe the sequence of events with a change in terms of user name from a user account to SYSTEM.”

We started a guided investigation on the affected system. Analytics on the data identified anomalies in user behavior. Guided investigations make easier to visualize complex data sets and interconnections between artifacts and systems.

Identifying Commonly used Tools for Lateral Movement

The attackers used a common dual use system utility, in this case Psexec.exe, to move laterally. In many cases, the malicious use of legitimate system tools is difficult to detect with signature-based detection only. MVISION EDR uses a combination of behaviour analytics and threat intelligence to proactively identify and flag a high severity alert on malicious use of Psexec for lateral movement.

Psexec.exe used for lateral movement:

Mapping User and Data Anomalies to Detect Exfiltration

The threat actors behind Operation Harvest utilized various tools to elevate privileges and exfiltrate data out of the impacted environment. Visualizing anomalies in user activity and data movement can be used to detect out of the ordinary behavior that can point to malicious activity going on in your environment. MVISION UCE will monitor user behavior and provide anomalies for the security team to pinpoint areas of concern for insider or external adversarial threats.

Identifying User Access Anomalies with UCE:

Identifying Data Transfer Anomalies with UCE:

Summary

MVISION Security Platform provides defense in depth to prevent, disrupt or detect many of the techniques used in Operation Harvest. As a network defender, focus on early prevention or detection of the techniques to better protect your organization against cyber-attacks.

The post McAfee Enterprise Defender’s Blog: Operation Harvest appeared first on McAfee Blogs.

]]>
How MVISION CNAPP Helps Protect Against ChaosDB https://www.mcafee.com/blogs/enterprise/cloud-security/how-mvision-cnapp-helps-protect-against-chaosdb/ Thu, 09 Sep 2021 15:00:39 +0000 https://www.mcafee.com/blogs/?p=128674

Attackers have made it known that Microsoft is clearly in their cross hairs when it comes to potential targets. Just...

The post How MVISION CNAPP Helps Protect Against ChaosDB appeared first on McAfee Blogs.

]]>

Attackers have made it known that Microsoft is clearly in their cross hairs when it comes to potential targets. Just last month the US Justice Department disclosed that Solorigate continues to comprise security when they confirmed over 80% of Microsoft email accounts were breached across four different federal prosecutors offices. In August Microsoft released another security patch (the second of two) for PrintNightmare, which allows remote attackers system level escalation of all Windows clients and servers. Since Microsoft still has the dominate market share for desktop OS, email/office services, along with the second largest market share in cloud computing, any security vulnerability found within the Microsoft ecosystem has cascading effects across the board.

Based on this, we wanted to let our customers know our response to the latest Microsoft security vulnerability. On August 12, Microsoft confirmed a security vulnerability dubbed ChaosDB whereby attackers can download, delete, or modify all data stored within the Azure Cosmos DB service. In response to the vulnerability Microsoft has since disabled the feature that can be exploited and notified potentially affected customers. However, according to the research team that identified the vulnerability they believe the actual number of customers affected is much higher and has the potential to expose thousands of companies dating back to 2019.

Cosmos DB is Microsoft’s fully managed NoSQL database service hosted on Azure which boasts customers such as Mars, Mercedes Benz, and Chipotle. The ChaosDB vulnerability affects customers that use the Jupyter Notebook feature. This built-in feature allows customers to share data visualizations and narrative text based on the data stored in Cosmos DB. Unfortunately, the Jupyter Notebook feature has been enabled by default for customers since February 2021, and fixing the vulnerability is no easy task. Because the vulnerability exposes public keys that can be used to access other Cosmos databases, the resolution requires that customers manually rotate their Cosmos DB primary keys – which are typically long-lived keys and used across multiple services or applications.

For customers using Cosmos DB, we highly recommend following Microsoft’s guidance and rotate their keys, but we also recognize that business can’t stop and unless you’ve automated key rotation, that task may take time and coordination across multiple teams. This blog will help provide some assistance on how one of our newest services can help identify and mitigate ChaosDB.

MVISION Cloud Native Application Protection Platform (CNAPP) is a new service we launched this year that provides complete visibility and security into services and applications built on top of cloud native solutions. MVISION CNAPP helps customers secure the underlying platform like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud used to build applications but also provides complete build and runtime protection for applications using virtual machines, Docker, and Kubernetes.

As part of this service, MVISION CNAPP has a feature called the custom policy builder. The custom policy builder is a great way for customers to audit services across their entire cloud environment in real time to identify risky configurations but can also be used to curate a specific policy to the customer’s unique environment based on several API properties.

How does the custom policy builder work? Once MVISION CNAPP is connected to a customer’s AWS, Azure, or GCP account, the custom policy builder will list all the supported services within each cloud platform. Along with all the supported services, the custom policy builder will also list all the available API attributes for each of those services – attributes that customers can use as triggers for creating security incidents and automatic responses. A good example of the capability would be “if MVISION CNAPP identifies a public Amazon S3 bucket, performs a scan to on the bucket objects to identify any sensitive data and alerts teams via a SNS notification.” When new vulnerabilities like ChaosDB hit the wire, the custom policy builder is purpose built to help customers identify and understand their risk to anything new.

So how can CNAPP help identify if you’re at risk for ChaosDB? Essentially, you’ll want to answer three questions to understand your risk:

  • Are we using Cosmos DB?
  • If so, do our Cosmos databases have unrestricted access?
  • If an attacker did have access to our Cosmos DB keys, what level of access would they have with those keys?

To find answers to these questions, I’ll show how you can create several custom policies using the MVISION CNAPP custom policy builder, but you can combine and mix these rules based on your needs.

In the first example, I’m going to answer the first two questions to see if we’re running Cosmos DB and if the service has unrestricted network access. Under the MVISION CNAPP menu I’ll click on Policy | Configuration Audit | Actions | Create Policy. From there I’ll give my policy a name and select Microsoft Azure | Next. The custom policy builder will automatically prepopulate all the available services in Azure when I click on Select Resource Type. Select Azure Cosmos DB and the custom policy builder will now show me all the available API attributes for that service. Start typing for the string of properties.publicNetworkAccess with a statement of equals to Enabled with a severity level you assign. Click Test Rule and the custom policy builder will check if you’re running any Cosmos DBs that allow access from any source.

Figure 1: Custom Policy Builder Screenshot

If the results of the custom policy show any incidents where Cosmos DB has unrestricted access, you’ll want to immediately change that setting by Configuring an IP firewall in Azure Cosmos DB.

Now let’s see if we have any Cosmos databases where we haven’t set firewall rules. These rules can be based on a set of IP addresses or private end points and should have been set when you created the DBs, but let’s confirm. You’ll follow the same steps as before but select the following criteria for the policy using AND statements:

  • ipRangeFilter equals to not set
  • virtualNetworksRules is not set
  • privateEndpointConnections is not set

Figure 2: Custom Policy Builder Screenshot 2

If you see any results from the custom policy, you’ll want to review the IP address and endpoints to make sure you’re familiar with access from those sources. If you’re not familiar with those sources or the sources are too broad, follow Configuring an IP firewall in Azure Cosmos DB to make the necessary changes.

Finally, let’s show how MVISION CNAPP can audit to see what is possible if your keys were exposed. In general, database keys are issued out to applications so they can access data. Rarely would you issue keys to make configuration changes or write changes to your database services. If you granted keys that can make changes, you may have issued an overly permissive key. Eventually you’ll want to regenerate those keys, but in the meantime let’s identify if the keys can make write changes.

We’ll follow the same procedure as before but use the properties.disableKeyBasedMetadataWriteAccess equals to false

Figure 3: Custom Policy Builder Screenshot 3

Like in the previous examples, if you find any results here that show you’ve issued keys that can make write changes, you’ll want to disable the feature by following Disable key based metadata write access.

Our custom policy builder is just one of the many features we’ve introduced with MVISION CNAPP. I invite you to check out the solution by visiting http://mcafee.com/CNAPP for more information or request a demo at https://mcafee.com/demo.

The post How MVISION CNAPP Helps Protect Against ChaosDB appeared first on McAfee Blogs.

]]>
How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/ Thu, 09 Sep 2021 04:01:34 +0000 https://www.mcafee.com/blogs/?p=128548

Co-authored with Intel471 and McAfee Enterprise Advanced Threat Research (ATR) would also like to thank Coveware for its contribution. Executive...

The post How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates appeared first on McAfee Blogs.

]]>

Co-authored with Intel471 and McAfee Enterprise Advanced Threat Research (ATR) would also like to thank Coveware for its contribution.

Executive Summary

McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.

Introduction

For many years the world of Ransomware-as-a-Service (RaaS) was perceived as a somewhat hierarchical and structured organization. Ransomware developers would advertise their RaaS program on forums and gracefully open up slots for affiliates to join their team to commit crime. The RaaS admins would conduct interviews with potential affiliates to make sure they were skilled enough to participate. Historically, i.e., with CTB locker, the emphasis was on affiliates generating enough installs via a botnet, exploit kits or stolen credentials, but it has shifted in recent years to being able to penetrate and compromise a complete network using a variety of malicious and non-malicious tools. This essentially changed the typical affiliate profile towards a highly-skilled pen-tester/sysadmin.

Figure 1. Recruitment posting for CTB locker from 2014

Figure 2. Recruitment posting for REvil from 2020

Experts often describe the hierarchy of a conventional organized crime group as a pyramid structure. Historically, La Cosa Nostra, drug cartels and outlaw motor gangs were organized in such a fashion. However, due to further professionalization and specialization of the logistics involved with committing crime, groups have evolved into more opportunistic network-based groups that will work together more fluidly, according to their current needs.

While criminals collaborating in the world of cybercrime isn’t a novel concept, a RaaS group’s hierarchy is more rigid compared to other forms of cybercrime, due to the power imbalance between the group’s developers/admins and affiliates.

For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less-skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals.

However, this growth isn’t without consequences. Recently we have observed certain events that might be the beginning of a new chapter in the RaaS ecosystem.

Cracks in the RaaS model

Trust in the cybercriminal underground is based on a few things, such as keeping your word and paying people what they deserve. Just like with legitimate jobs, when employees feel their contributions aren’t adequately rewarded, those people start causing friction within the organization. Ransomware has been generating billions of dollars in recent years and with revenue like that, it’s only a matter of time before some individuals who believe they aren’t getting their fair share become unhappy.

Recently, a former Conti affiliate was unhappy with their financial portion and decided to disclose the complete Conti attack playbook and their Cobalt Strike infrastructure online, as shown in the screenshot below.

Figure 3. Disgruntled Conti affiliate

In the past, ATR has been approached by individuals affiliated with certain RaaS groups expressing grudges with other RaaS members and admins, claiming they haven’t been paid in time or that their share wasn’t proportionate to the amount of work they put in.

Recently, security researcher Fabian Wosar opened a dedicated Jabber account for disgruntled cybercriminals to reach out anonymously and he stated that there was a high level of response.

Figure 4. Jabber group for unhappy threat actors

Moreover, the popular cybercrime forums have banned ransomware actors from advertising since the Colonial Pipeline attack. Now, the groups no longer have a platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.

Paying respects…. RAMP Forum and Orange

After a turbulent shutdown of Babuk and the fallout from the Colonial Pipeline and Kaseya attacks, it seems that some of the ransomware-affiliated cybercriminals have found a home in a forum known as RAMP.

Figure 5. RAMP posting by Orange, introducing Groove and explaining relationships

Translated Posting

When analyzing RAMP and looking at the posting above from the main admin Orange, it’s hard to ignore numerous references that are made: From the names chosen, to the avatar of Orange’s profile, which happens to be a picture of a legitimate cyber threat intelligence professional.

Orange

Hello, friends! I am happy to announce the first contest on Ramp.

Let’s make it clear that we don’t do anything without a reason, so at the end of the day, it’s us who will benefit most from this contest 🙂

Here’s the thing: besides my new projects and old, I have always had this unit called

GROOVE — I’ve never revealed its name before and it’s never been mentioned directly in the media, but it does exist — we’re like Mossad (we are few and aren’t hiring). It’s Groove whom the babuk ransomware needs to thank for its fame.

Groove rocks, and babuk stinks 🙂

Challenge: Using a PHP stack+MYSQL+Bootstrap, code a standard ransomware operators’ blog in THE RUSSIAN LANGUAGE with the following pages:

1) About us

The description of a group, which must be editable from the admin panel and use the same visual editor as our forum.

2) Leaks.

No hidden blogs, just leaks.

Use standard display, just like other ransomware operators’ blogs do.

3) News

A news page; it must be possible to add and edit news via the admin panel.

We’ll be accepting your submissions up to and including August 30.

Who will rate the entries and how?

There will be only one winner. I, Orange, will rate the usability and design of blogs. MRT will rate each entry’s source code and its security. In addition to USD 1k, the winner will most likely get a job in the RAMP team!

Now, for those of you who are interested in entirely different things:

1) No, we are not with the Kazakh intelligence agency.

https://www.fr.sogeti.com/globalassets/france/avis-dexperts–livres-blancs/cybersecchronicles_-_babuk.pdf

2) Groove has never had a ransomware product, nor will that ever change.

3) The babuk team doesn’t exist. We rented the ransomware from a coder who could not shoulder the responsibility, got too scared and decided to leave an error in the ESX builder — naturally, to give us a reason to chuck him out (his motives? Fxxx if I know)

babuk 2.0, which hit the headlines, is not to be taken seriously and must be regarded as nothing but a very stupid joke

4) GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years. RANSOMWARE is no more than an additional source of income. We don’t care who we work with and how. You’ve got money? We’re in

RAMP Ransom Anon Mark[et] Place

RAMP was created in July 2021 by a threat actor TetyaSluha, who later changed their moniker to ‘Orange.’ This actor claimed the forum would specifically cater to other ransomware-related threat actors after they were ousted from major cybercrime forums for being too toxic, following the high-profile ransomware attacks against the Colonial Pipeline and Washington D.C.’s Metropolitan Police Department in the spring of 2021.

At the time of the initial launch, Orange claimed the forum’s name was a tribute to a now-defunct Russian-language underground drug marketplace, “Russian Anonymous Marketplace,” which was taken down by Russian law enforcement agencies in 2017.  The re-launched cybercrime forum’s name now supposedly stands for “Ransom Anon Mark[et] Place”.

The forum was initially launched on the same TOR-based resource that previously hosted a name-and-shame blog operated by the Babuk ransomware gang and the Payload.bin marketplace of leaked corporate data. The forum was later moved to a dedicated TOR-based resource and relaunched with a new layout and a revamped administrative team, where Orange acted as the admin, with other known actors MRT, 999 and KAJIT serving as moderators.

Why the name Orange?

Why the admin changed handles from TetyaSluha to Orange isn’t 100 percent clear. However, looking back, the early days of RAMP provides us some evidence on who this person has been affiliated with. We found a posting from  where the names Orange and Darkside are mentioned as potential monikers. Very shortly after that, TetyaSluha changed their handle to Orange. While the initial message has been removed from the forum itself, the content was saved thanks to Intel 471.

July 12th 2021 by Mnemo

Congratulations on the successful beginning of struggle for the right to choose and not to be evicted. I hope, the community will soon fill with reasonable individuals.

Oh yeah, you’ve unexpectedly reminded everyone about the wonderful RAMP forum. Are the handles Orange and Darkside still free?

The name Darkside might sound more familiar than Orange but, as we saw with the naming of RAMP, TetyaSluha is one for cybercrime sentiment, so there is almost certainly some hidden meaning behind it.

Based on ATR’s previous research, we believe the name Orange was chosen as a tribute to REvil/GandCrab. People familiar with those campaigns have likely heard of the actor UNKN’. However, there was a less well known REvil affiliate admin named Orange. A tribute seems fitting if Tetyasluha isn’t the notorious Orange as that moniker is tied to some successful ransomware families, GandCrab and REvilthat shaped the RaaS ecosystem as we know it today. 

In the past, UNKN was linked to several other monikers, however Orange was hardly mentioned since there wasn’t a matching public handle used on any particular cybercrime forum.  However, REvil insiders will recognize the name Orange as one of their admins.

Based on ATR’s closed-source underground research, we believe with a high level of confidence, that UNKN was indeed linked to the aforementioned accounts, as well as the infamous “Crab”handle used by GandCrab. Crab was one of the two affiliate-facing accounts that the GandCrab team had (The other being Funnycrab). We believe with a high level of confidence that after the closure of GandCrab, the individual behind the Funnycrab account changed to the account name to Orange and continued operations with REvil, with only a subset of skilled GandCrab affiliates, (as described in our Virus Bulletin 2019 whitepaper) since GandCrab grew too big and needed to shed some weight.

The posting in figure 5 is also shedding some light on the start of the Groove Gang, their relationship to Babuk and, subsequently, BlackMatter.

Groove Gang

In the post from Figure 5, “Orange” also claims to have always had a small group of people that the group collaborates with. Additionally, the actor claims that the name has not been mentioned in the media before, comparing the group to the Israeli secret service group Mossad. The group’s comparison to Mossad is extremely doubtful at best, given the drama that has publicly played out. Groove claims several of Babuk’s victims, including the Metropolitan Police Department, brought them a lot of attention. The several mentions to Babuk isn’t by mistake: we have evidence the two groups also have connections, which we’ve pieced together from examining the behavior of — and particularly the fallout between — the two groups.

Babuk’s Fallout

Originally, the Babuk gang paid affiliates by each victim they attacked. Yet on April 30, it was reported that the gang suddenly had stopped working with affiliates, including the act of encrypting a victim’s system. Instead, their focus shifted to data exfiltration and extortion of targeted organizations. That was followed by the group releasing the builder for the old versions of its ransomware as it pivoted to a new one for themselves.

The attention that Babuk drew by hacking and extorting the Metropolitan Police Department meant their brand name became widely known. It also meant that more firms and agencies were interested in finding out who was behind it. This kind of heat is unwanted by most gangs, as any loose ends that are out there can come back to bite them.

Then, on September 3, the threat actor with the handle ‘dyadka0220’ stated that they were the principal developer of Babuk ransomware and posted what they claimed was the Babuk ransomware source code. They claimed the reason they were sharing everything was due to being terminally ill with lung cancer.

Figure 6. Dyadka0220 was possibly the developer that Orange hinted at in the posting (Figure 5) mentioned above.

On September 7, the Groove gang responded with a blog on their own website, titled “Thoughts about the meaning”, which rhymes in Russian. In this blog, the gang (allegedly) provides information on several recent happenings. Per their statement, the illness of ‘dyadka0220’ is a lie. Additionally, their response alleges that the Groove gang never created the Babuk ransomware themselves, but worked with someone else to produce it.

The validity of the claims in Groove’s latest blog is hard to determine, although this does not matter too much: the Babuk group, including affiliates, had a fallout that caused the group to break up, causing the retaliation of several (ex-)members.

Observed Behavior

The ATR team has covered Babuk multiple times. The first blog, published last February, covers the initial observations of the group’s malware. The second blog, published last July, dives into the ESXi version of the ransomware and its issues. The group’s tactics, techniques, and procedures (TTPs) are in-line with commonly observed techniques from ransomware actors. The deployment of dual-use tools, which can be used for both benign and malicious purposes, is difficult to defend against, as intent is an unknown term for a machine. Together with other vendors we have narrowed down some of the TTPs observed by the Groove gang.

Initial Access

The actor needs to get a foothold within the targeted environment. The access can be bought, in terms of stolen (yet valid) credentials, or direct access in the form of a live backdoor on one or more of the victim’s systems. Alternatively, the actor can exploit publicly facing infrastructure using a known or unknown exploit. To ATR’s understanding, the latter has been used several times by exploiting vulnerable VPN servers.

Lateral Movement, Discovery and Privilege Escalation

Moving around within the network is an important step for the actor, for two reasons. Firstly, it allows the attacker to find as much data as possible, which is then exfiltrated. Secondly, access to all machines is required in order to deploy the ransomware at a later stage. By encrypting numerous devices at once, it becomes even harder to control the damage from a defender’s point of view. The actor uses commonly known tools, such as Ad-Find and NetScan, to gather information on the network. Based on the gathered information, the actor will move laterally through the network. One of the most frequently observed methods by this actor to do so, is by using RDP.

To work with more than user-level privileges, the actor has a variety of options to escalate their privilege to a domain administrator. Brute forcing RDP accounts, the dumping of credentials, and the use of legacy exploits such as EternalBlue (CVE-2017-0144), are ways to quickly obtain access to one or more privileged accounts. Once access to these systems is established, the next phase of the attack begins.

Data Exfiltration and Ransomware Deployment

The actor navigates through the machines on the network using the earlier obtained access. To exfiltrate the collected data, the attacker uses WinSCP. Note that other, similar, tools can also be used. Once all relevant data has been stolen, the attacker will execute the ransomware in bulk. This can be done in a variety of ways, ranging from manually starting the ransomware on the targeted machines, scheduling a task per machine, or using PsExec to launch the ransomware.

Linking Groove to Babuk and BlackMatter

As discussed above, there was a fallout within Babuk. From that fallout, a part of the group stayed together to form Groove. The server that Babuk used, which we will refer to as the “wyyad” server due to the ending of the onion URL, rebranded in late August 2021. The similarities can be seen in the two screenshots below.

Figure 7. The changes to the landing page from Babuk to Groove

Aside from this, data from old Babuk victims is still hosted on this server. The ATR team found, among others, leaks that belong to:

  • a major US sports team,
  • a British IT service provider,
  • an Italian pharmaceutical company,
  • a major US police department,
  • a US based interior shop.

All these victims have previously been claimed by (and attributed to) Babuk.

Another gang, known as BlackMatter, uses a variety of locations to host their extorted files, which can be done out of convenience or to avoid a single notice and takedown to remove all offending files. Additionally, the ATR team assumes, with medium confidence, that different affiliates use different hosting locations.

The data of one of the BlackMatter gang’s victims, a Thai IT service provider, is stored on the “wyyad” server. As such, it can mean that the Groove gang worked as an affiliate for the BlackMatter gang. This is in line with their claim to work with anybody, as long as they profit from it. The image below shows the BlackMatter leak website linking to the “wyyad” server.

Figure 8. screenshot of BlackMatter, where the data is stored on the Groove server

The Groove gang’s website contains, at the time of writing, a single leak: data from a German printing company. Even though the website is accessible via a different address, the leaked data is stored on the “wyyad” server.

Figure 9. Another Groove victim but stored on their own page

The affected company does not meet BlackMatter’s “requirements,” the group has said it only goes after companies that make more than $US 100 million. This company’s annual revenue is estimated at $US 75 million, as seen in the below screenshot.

Figure 10. Posting on the Exploit forum by BlackMatter

At the end of Orange’s announcement comes a call to action and collaboration: “GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years. RANSOMWARE is no more than an additional source of income. We don’t care who we work with and how. You’ve got money? We’re in”.

The group’s primary goal, making money, is not limited to ransomware. Inversely, ransomware would be the cherry on top. This is yet another indication of the ransomware group’s shift to a less hierarchical set-up and a more fluid and opportunistic network-based way of working.

In the Groove gang’s blog on September 7, a reference is made with regards to BlackMatter, and its links to DarkSide. If true, these insights show that the Groove gang has insider knowledge of the BlackMatter gang. This makes the collaboration between Groove and BlackMatter more likely. If these claims are false, it makes one wonder as to why the Groove gang felt the need to talk about other gangs, since they seem to want to make a name for themselves.

Due to the above outlined actions ATR believes, with high confidence, that the Groove gang is a former affiliate or subgroup of the Babuk gang, who are willing to collaborate with other parties, as long as there is financial gain for them. Thus, an affiliation with the BlackMatter gang is likely.

Conclusion

Ever since Ransomware-as-a-Service became a viable, and highly profitable, business model for cybercriminals, it has operated in much the same way with affiliates being the sometimes underpaid workhorses at the bottom of a rigid pyramid shaped hierarchy.

For some affiliates there was an opportunity to become competent cybercriminals while, for many others, the lack of recompense and appreciation for their efforts led to ill-feeling. Combined with underground forums banning ransomware actors, this created the perfect opportunity for the threat actor known as Orange to emerge, with the Groove gang in tow, with the offer of new ways of working where an associate’s worth was based entirely on their ability to earn money.

Time will tell if this approach enhances the reputation of the Groove gang to the level of the cybercriminals they seem to admire. One thing is clear though; with the manifestation of more self-reliant cybercrime groups the power balance within the RaaS eco-climate will change from he who controls the ransomware to he who controls the victim’s networks.

MITRE TTPs

We have compiled a list of TTPs based on older Babuk cases and some recent cases linked to Groove:

  • T1190: Exploit Public-Facing Application (VPN services)
  • T1003: OS Credential Dumping
  • 002: Valid Accounts: Domain Accounts
  • T1059: Command and Scripting Interpreter
  • T1021:002: SMB/Windows Admin Shares
  • T1210: Exploitation of Remote Services
  • T1087: Account Discovery
  • T1482: Domain Trust Discovery
  • T1562: Impair Defense
  • T1537: Transfer Data to Cloud Account
  • T1567: Exfiltration Over Web Service

If a partnership is achieved with a Ransomware family:

  • T1486 Data Encrypted for Impact

The post How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates appeared first on McAfee Blogs.

]]>
Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann https://www.mcafee.com/blogs/enterprise/executive-spotlight-qa-with-chief-public-policy-officer-tom-gann/ Wed, 08 Sep 2021 15:00:25 +0000 https://www.mcafee.com/blogs/?p=127055

I’m back at it again with another round of our executive blog series. This week I had the privilege to...

The post Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann appeared first on McAfee Blogs.

]]>

I’m back at it again with another round of our executive blog series. This week I had the privilege to speak with Tom Gann, our Chief Public Policy officer and he had some interesting things to say on the cyber security issues that are shaping public policy dialogue in Washington DC and other capitals around the world, and much much more.

Q: What is one event in your life that made you who you are today?

Teaching tennis. I know that teaching tennis is not an event, it’s a sport. For me it was a business at a young age that helped to change my life.

I grew up in Palo Alto, CA, when the town was middle-class. I went to Gunn High School when the school was very good at tennis – they had 10 undefeated seasons. My parents were kind enough to pay for tennis lessons and while I was only a so-so tennis player, my tennis coach thought that I would be a good teacher. And so, starting in the 11th grade, I began teaching tennis for a tennis shop in Menlo Park called the Better Backhand. Then later, when I was at Stanford, I started my own business teaching lessons on private tennis courts which helped me pay for school and a car.

Through this experience, I learned how to become a professional and most importantly, how to relate to people while helping them learn something valuable. I am amazed that many of the things I learned from teaching tennis still guide me today: treating people well, empowering them, and striving to get things done that matter.

Q: What are the biggest cyber security issues shaping the public policy dialogue in Washington DC and other capitals around the world?

The reality today, and likely in the future, is that the bad guys have and will continue to have the advantage. Bad guys need to be right one time to get into a government or company environment. The good guys, playing defense, need to be right every time. This reality is made more challenging by the fact that today’s typical new, best-in-class cyber security solution is often out of date in two years because the bad guys are great at innovating. At the same time, unfortunately, many organizations are too slow or too distracted to ensure all their cyber security solutions work effectively together.

The threats from nation states, criminal organizations, and terrorist groups is only getting bigger as time goes on – meaning our challenge continually grows, shifts, and evolves. Today, these actors are perfecting a wide range of ransomware strategies to blackmail all types of organizations in the public and private sectors.

Responsible governments and citizens need to demand real change, they need to push non-compliant nation states to commit to a basic level of fair play. The public and private sectors also need to work together to create a firewall against these bad actors who use ransomware to achieve such strategic objectives as profit and intimidation.

Q: What is the true value cloud security has brought to the government contracting and federal sectors? Why is there so much hype around this technology?

Everyone is moving to the cloud – private and public sector organizations as well as folks at home. This trend makes sense because the cloud is cost effective, reliable, and highly secure. However, the key in this shift is to make sure that government agencies have the flexibility to rapidly work with private sector experts – the data center, the enterprise software, and the cyber security leaders – to ensure long term success. Too often, I have seen government agencies use outdated procurement rules and processes that bog down progress. This often results in cloud and data center deployments, particularly when government agencies host these infrastructures, being completed with last generation solutions.

At the same time, outdated contracting rules can limit the ability of agencies to field the most up to date cyber security solutions. This challenge is becoming a bigger deal as agencies deploy multiple cloud solutions. These many cloud implementations create targets of opportunity for hackers who exploit security gaps between and among clouds, meaning agencies need to be proactive to ensure that their move to the cloud is safe and effective. Policymakers need to step up to the plate and modernize procurement rules and processes. Such support will help government agencies work quicker and more effectively to serve our citizens who demand first-class service from their government.

Q: How can our organization be the best partner to government agencies moving forward?

It is all about trust. Without trust you have noting. Working with the government, a company, or your neighbor down the street is the same – it all depends on trust. This means doing what you say you will do and working to overdeliver on your commitments.

 

The post Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann appeared first on McAfee Blogs.

]]>
Remote Browser Isolation: The Next Great Security Technology is Finally Attainable https://www.mcafee.com/blogs/enterprise/cloud-security/remote-browser-isolation-the-next-great-security-technology-is-finally-attainable/ Tue, 07 Sep 2021 15:00:17 +0000 https://www.mcafee.com/blogs/?p=126902

Security professionals and technologists old enough to remember renting movies at Blockbuster on Friday nights likely also remember a time...

The post Remote Browser Isolation: The Next Great Security Technology is Finally Attainable appeared first on McAfee Blogs.

]]>

Security professionals and technologists old enough to remember renting movies at Blockbuster on Friday nights likely also remember a time when the internet was a new phenomenon full of wonder and promise.  These same individuals probably view it through a more skeptical lens seeing it now as a cesspool of malware and great risk.  It’s also widely understood that no web security solution can offer perfect protection against the metaphorical minefield that is the internet.  This last statement, however, is being challenged by a new technology that is grasping at the title of perfect web security.  This mythical technology is Remote Browser Isolation, or RBI, and it can be argued that it does, in fact, provide its users with invincibility against web-based threats.

Remote Browser Isolation changes the playbook on web security in one very fundamental way: it doesn’t rely on detecting threats.  When a user tries to browse to a website, the RBI solution instantiates an ephemeral browser in a remote datacenter which loads all the requested content.  The RBI solution then renders the website into a dynamic visual stream that enables the user to see and safely interact with it.

Figure 1: How Remote Browser Isolation works.

User behavior can be controlled at a granular level, preventing uploads, downloads, and even copy & paste using the local clipboard.  When properly configured, absolutely none of the content from the requested site is loaded on the local client.  For this reason, it can be argued that it’s literally impossible for malware to be delivered to the local client.  Of course, the RBI solution’s ephemeral browser instance may be compromised, but it will be fully isolated from the organization’s valuable assets and data, rendering the attack harmless.  As soon as the user closes their local browser tab, the ephemeral browser is destroyed.

The value of this cannot be overstated.  The world is increasingly conducting its affairs through web browsers, and the challenge of detecting threats continues to increase at an exponential rate.  While there is great efficacy and value in the threat intelligence and malware detection capabilities of web security solutions today, the “cat & mouse” game being played with cybercriminals means that they’re simply never going to offer perfect protection.  Attackers often use zero-day threats coupled with domains registered perhaps within the past few minutes to compromise their victims, and these methods will too often succeed in circumventing any detection-based security measures.  The game-changing efficacy of RBI and the fact its inception was actually more than 10 years ago should bring an obvious question to mind – If it’s so great, why doesn’t every organization in the world use RBI today?  There are a few relevant answers to this, but one rises above all the rest: cost.

RBI’s method of instantiating remote web browsers for all users precludes the possibility of any implementation that is not expensive to deliver.  Consider the size of a modern enterprise, the number of users, the number of web browser tabs an average user keeps open, and then consider the amount of memory and CPU consumed by each of those tabs.  To mirror these resources in a remote datacenter will always be a costly proposition.  For this reason, many RBI solutions on the market today may literally consume the entire security budget allocated for each licensed user.  As prevalent as web-based threats are today and as effective as RBI’s protection may be, no security organization can dedicate most or all of their security budget to a single technology or even a single threat vector.

To better understand the cost problem and how it may be solved, let’s take a closer look at the two most common use cases for RBI.  The first and most common use case is handling uncategorized sites or sites with unknown risk, known as selective isolation.  As mentioned before, attackers will often use a site that was registered very recently to deliver their web-based threats to victims.  Therefore, organizations often want to block any site that has not been categorized by their web security vendor.  However, the problem is that many legitimate sites can be uncategorized resulting in unnecessary blocking that may impact business.  Managing such a policy is very tedious, and the user experience tends to suffer greatly.  RBI is an ideal solution to this problem where you can grant users access to these sites while maintaining a high level of security.  This situation calls for a selective use of RBI where trusted sites are filtered through more traditional means while only the unknown or high-risk sites are isolated.

The other common need for RBI is various groups of high-risk users.  Consider C-level executives who have access to highly sensitive information relating to business strategies, intellectual property, and other information that must remain private.  Another common example is IT administrators who have elevated privileges that could be devastating if their accounts were compromised.  In these scenarios, organizations may look to isolate all of the traffic for these users including even sites that are trusted.  Typically, this full isolation approach is reserved for only a subset of users who pose a particularly high risk if compromised.

In light of these two use cases, selective isolation and full isolation, let’s take a closer look at the cost of this invincibility-granting technology.  Let’s consider a hypothetical organization, Brycin International, who has a total of 10,000 users.  Brycin has identified 400 users who either have access to critical data or have elevated permissions and therefore require full-time isolation.  We will assume a street price of $100 per user for full time isolation totaling $40,000 for these users.  This seems like a reasonable cost considering the elevated risk a compromise would represent for any one of these users.  Brycin would also like to leverage selective isolation for the rest of the user population, or 9,600 users.  Some solutions may require purchasing a full license, but most offer a discounted license for selective isolation.  We will assume a generous discount of 60%, resulting in a total cost of $40 per user or $384,000 for the rest of the organization.  This gives us a total price tag of $424,000 for Brycin, or an average cost of $42.40 per user.

Not only is this a steep cost for our 10,000-user enterprise, but the cost does not at all align with the value or the cost to deliver the solution.  The 9,600 selective isolation users may represent 96% of the user population, but when you consider the fact that only a small percentage of their web traffic will actually be isolated – state-of-the-art web threat security stacks can detect as much as 99% of all threats, leaving 1% of all traffic to be isolated – they generate perhaps less than 20% of the isolated web traffic.  The full isolation users, while a minority of the license count, will represent the bulk of the isolated web traffic – a little more than 80%.  However, despite the fact that selective isolation users are responsible for such a small share of all isolated traffic and given the generous 60% discounted licensing, they are still by far the largest expense at over 90% of the total solution cost!  This ratio of cost to value simply will not align with the budget and goals of most security organizations.

Figure 2: The disproportionate relationship between RBI users, traffic load, and solution cost.

McAfee Enterprise has now upended this unfortunate paradigm by incorporating remote browser isolation technology natively into our MVISION Unified Cloud Edge platform.  McAfee Enterprise offers two licensing options for RBI: RBI for Risky Web and Full Isolation.  RBI for Risky Web uses an algorithm built by McAfee Enterprise to automatically trigger browser isolation for any site McAfee Enterprise determines to be potentially malicious.  This is designed to address the most common use case, selective isolation, and it is included at no additional cost for any Unified Cloud Edge customer.  Additionally, Full Isolation licenses can be purchased as an add-on for any users that require isolation at all times.  These Full Isolation licenses allow you to create your own policy dictating which sites are isolated or not for these users.

Now, let’s revisit Brycin International’s cost to deliver enterprise-wide RBI if they chose McAfee Enterprise.  As we saw earlier, despite the fact the selective isolation users generated less than 20% of the traffic, they represented over 90% of the total cost of the solution.  With McAfee Enterprise’s licensing model, these users would not require any additional licenses at all, reducing this cost to zero!  Now, Brycin only has to consider the Full Isolation add-on licenses for their 400 high-risk users, or $40,000 – this is now the entire cost for the enterprise-wide RBI deployment.  While $100 per user still may exceed the per-user security budget for Brycin, it is now diluted by the total user population, reducing the per-user cost of the RBI deployment from $42.40 to only $4.  This is a tremendous reduction in cost for equal or greater value, making RBI much more likely to fit into Brycin’s budget and overall security plans.

This may beg the question, “How can McAfee Enterprise do this?”  In short, as one of the most mature security vendors in the world, McAfee Enterprise has the most powerful threat intelligence and anti-malware capabilities in the market today.  McAfee Enterprise’s Global Threat Intelligence service leverages over 1 billion threat sensors around the world reducing the unknowns to an extremely small fraction of all web traffic.  In addition, its heuristics-based anti-malware technology is able to detect many zero-day malware variants.  More uniquely, the Gateway Anti-Malware engine offers inline, real-time, emulation-based sandboxing using behavioral analysis to identify never-before seen threats based on their behavior.  After analyzing the combined effectiveness of these technologies, we found that only a small percentage of web traffic could not be confidently identified as either safe or malicious – roughly 0.5%. This made the cost of delivering selective RBI for Risky Web something that could be easily absorbed without any additional cost to our customers.

Remote Browser Isolation is an absolute paradigm shift in how we can protect our most critical assets against web-based threats today.  While the benefits are tremendous, cost has been a significant barrier preventing this powerful defense from becoming a ubiquitous technology.  McAfee Enterprise has broken down this barrier by leveraging our superior threat intelligence to reduce the cost of delivering RBI and then passing this savings on to our customers.

Remote Browser Isolation

Remove the risk and enjoy worry-free web browsing with McAfee’s RBI.

View Now

The post Remote Browser Isolation: The Next Great Security Technology is Finally Attainable appeared first on McAfee Blogs.

]]>
Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott https://www.mcafee.com/blogs/enterprise/executive-spotlight-qa-with-emea-senior-vice-president-adam-philpott/ Thu, 02 Sep 2021 15:00:14 +0000 https://www.mcafee.com/blogs/?p=126920

Welcome back to our executive blog series, where we’re sitting down with some of the pivotal players behind McAfee Enterprise...

The post Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott appeared first on McAfee Blogs.

]]>

Welcome back to our executive blog series, where we’re sitting down with some of the pivotal players behind McAfee Enterprise to hear their takes on today’s security trends, challenges, and opportunities for enterprises across the globe.

Q: Do you have a role model? If so, who is it?

Well, there are work and there are more personal role models. At work, I have several past and present role models I’ve met across my career that share the same traits. They’re typically great leaders who lead authentically and with a strong sense of purpose and values. For these, I often think when facing a challenge, “What would he or she do?”

Personally, I have many people who have inspired me. A current, topical favorite is Gareth Southgate – manager of the England national football team. He’s not only achieved great success in getting the team to their first final in over 50 years but has challenged the status quo by focusing on young talent and has played a pivotal role as a visible leader in support of diversity.

Q: What’s the most important thing happening in your field at the moment? 

The pandemic, coupled with the ongoing digitization of society, are probably the two most dominant topics in the cyber domain. Ransomware and cyber threats continue to rise in profile, as does cyber security and information assurance in the macro, geo-political sphere. Our purpose has never been greater as leaders in this field.

Q: Will zero trust be a requirement for agencies?

Yes. Organizations deliver outcomes through partnerships, both at a human and systems level. Implementing mechanisms to ensure trust is increasingly important as these partnerships increasingly digitize in operation. Thinking of zero trust as an architecture and framework matters. Many suppliers articulate zero trust as a feature. It is not. As a true partner, it’s important to consider its role more broadly, to not trust and always verify, not just a virtual choke point (remember, there is no perimeter), but throughout the data journey.

Q: What was your mindset to build your team and establish the right culture to drive success for the new company and continue to strive for new goals in the future?

In building a team with the culture to drive growth, the most fundamental attributes I seek in every team member is attitude and energy. Those are the power and velocity needed as a foundation. It’s amazing what people can achieve, and how they find ways to do so, with those fundamental ingredients.

When you combine a group of those people with a common goal and assign each a clear role to play, you end up with a phenomenal team. Rather than offering either no parameters, or parameters that are too narrow, you must empower them with a framework in which they can innovate and find ways to win. This is critical – giving them the scope to use their talent for a positive outcome. Listen to them. Hiring great people who push boundaries brings a lot of intellect and creativity. It’s a waste of intelligence if you don’t take the time to learn from them to continuously improve the business.

 

The post Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott appeared first on McAfee Blogs.

]]>
SASE, Cloud Threats and MITRE https://www.mcafee.com/blogs/enterprise/cloud-security/sase-cloud-threats-and-mitre/ Tue, 31 Aug 2021 14:15:49 +0000 https://www.mcafee.com/blogs/?p=126878

As you know, McAfee Enterprise’s MVISION Unified Cloud Edge (UCE) was the first of all the SASE vendors to implement...

The post SASE, Cloud Threats and MITRE appeared first on McAfee Blogs.

]]>

As you know, McAfee Enterprise’s MVISION Unified Cloud Edge (UCE) was the first of all the SASE vendors to implement the MITRE ATT&CK Framework for Cloud last year. An important aspect of Gartner’s SASE Framework is the ability for effective Threat Protection and Resolution in the Cloud. MVISION UCE takes this to the next level – the product takes a multi-layered approach to cloud threat investigation that can speed your time to detect adversary activity in your cloud services, identify gaps, and implement targeted changes to your policy and configuration.

As a quick refresher, the MITRE Att&CK Matrix represents the relationship between attacker Tactics and Techniques:

  • Tactics. A tactic describes the objective, or why the adversaries are performing the attack. In the ATT&CK Matrix, the table header represents tactics.
  • Technique. A technique describes how adversaries achieve their tactical objectives. For example, what are the various technical ways performed by attackers to achieve the goal? In the ATT&CK Matrix, the table cell represents techniques.

This Dashboard is available within the MVISION Cloud console by accessing the Dashboards > MITRE Dashboard link

Ever since the launch of this truly differentiated product offering, we have seen a tremendous amount of interest and adoption of this feature within our existing customers. Over the past few months, we have continued to make significant enhancements as part of our MITRE Dashboard.

In this post, I shall summarize some of the significant highlights that we have introduced in the past few releases:

Executive Summary Section

The Executive Summary displays an at-a-glance view of the current count of Threats, Anomalies, Incidents, types of incidents, and Detected Techniques with severity.

Flexible Filters

To suit the needs of the different teams that would be using the MVISION Dashboard, we now have the ability to filter the MITRE Dashboard by using a variety of facets:

  • Service Name. The name of the cloud service.
  • Threat Type. The name of the threat type.
  • Status. The MITRE Threat statuses available are:
    • Executed Threat. Threats that caused risk to your cloud service security.
    • Potential Threat. Threats that have the potential to cause risk to your cloud service security. It is recommended to look into the Potential Threats to reduce the impending risk.
  • Top 20 Users. Top 20 users who are impacted by the attacks.

Detected Techniques – Risk and Drilldown

When an incident is detected for a technique in MVISION Cloud, a severity is computed. The detected techniques are categorized based on the severity of the incidents. Each detected technique is interactive and leads to more detailed explanations.

To view the details of the detected techniques:

  1. Click any technique on the ATT&CK Matrix table to view the Technique Cloud Card. For example, you can click one of the techniques under the Initial Access category such as Trusted Relationship to learn how an attacker gained access to an organization’s third-party partners’ account and shows the details of compromised Connected Apps.
  2. Next, click the Connected Apps Mini Card to view an extended cloud card that displays the restricted details of Connected Apps.
  3. Then click the link to the specific restricted Connected App to see an extended view of the compromised Connected Apps incident.
  4. Info severity details allow you to investigate and apply a remediation action. As a remediation action, select and assign the Owner and Status from the menu.

With McAfee Enterprise, threat investigation isn’t just for one environment – it is for all of your environments, from cloud to endpoint to your analytics platforms. With MVISION CloudMVISION EDR, and MVISION Insights, your enterprise has an extended detection and response (XDR) platform for the heterogenous attacks you face today.

 

MITRE ATT&CK® as a Framework for Cloud Threat Investigation

Want to learn more about how you can leverage MITRE ATT&CK to extend your detection and response capabilities to the cloud?

Download Now

The post SASE, Cloud Threats and MITRE appeared first on McAfee Blogs.

]]>
Access Granted: How the DoD Can Stay Cyber-Resilient https://www.mcafee.com/blogs/enterprise/access-granted-how-the-dod-can-stay-cyber-resilient/ Mon, 30 Aug 2021 15:00:05 +0000 https://www.mcafee.com/blogs/?p=126572

Now more than ever, it’s critical to be mission-ready for the next cyber threat. Our digital-first, post-pandemic world is shifting...

The post Access Granted: How the DoD Can Stay Cyber-Resilient appeared first on McAfee Blogs.

]]>

Now more than ever, it’s critical to be mission-ready for the next cyber threat. Our digital-first, post-pandemic world is shifting back to a new normal. But the threats are still here.

Mission-Ready

And according to many reports, the threats have – and are continuing to – increase. McAfee Enterprise’s Advanced Threat Research recently published a report highlighting some of the biggest cyber stories dominating the year thus far, including recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream. In fact, the June report provides a deep dive into the DarkSide ransomware, which resulted in an agenda item in talks between U.S. President Biden and Russian President Putin.

Rising Up

So how does the DoD approach modern-day threats like this? McAfee Enterprise’s online cyber training program is a great place to start. I’m proud to say the program is complimentary for our DoD partners and provides anywhere from 1-6 Continuing Professional Education (CPE) hours per course. You can login anywhere in the world to access the various trainings. Plus, the digital course are valid for 30 days from your registration date, so you can start and stop at any time. Not surprisingly, the tech industry is seeing a greater acceptance and return on investment from online training programs. Within the DoD for example, the Airforce recently launched Digital University. Airmen are elevating their digital literacy skills with up to 12,000 courses to better serve our country, while discovering new career paths in the process. Everything from leadership and public speaking to cloud computing and cybersecurity are covered, proving this platform may be the future of IT training.

Access Granted

I know the cyber industry that I joined 20+ years ago isn’t the same as it is today. And without access to trainings and CPE courses, my skill set would not be as strong. But if your day is anything like mine, finding time to squeeze in continuing education courses is a challenge. However, after hearing feedback from a long-time DoD partner, I know we’re on to something good. Success stories like these remind me of the importance of staying cyber-resilient in the field.

Don’t forget to reach out to your McAfee Enterprise Account Executive for your unique DoD voucher code!

 

The post Access Granted: How the DoD Can Stay Cyber-Resilient appeared first on McAfee Blogs.

]]>
McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/mcafee-enterprise-atr-uncovers-vulnerabilities-in-globally-used-b-braun-infusion-pump/ Tue, 24 Aug 2021 13:00:53 +0000 https://www.mcafee.com/blogs/?p=126404

Overview As part of our continued goal to provide safer products for enterprises and consumers, we at McAfee Advanced Threat...

The post McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump appeared first on McAfee Blogs.

]]>

Overview

As part of our continued goal to provide safer products for enterprises and consumers, we at McAfee Advanced Threat Research (ATR) recently investigated the B. Braun Infusomat Space Large Volume Pump along with the B. Braun SpaceStation, which are designed for use in both adult and pediatric medical facilities. This research was done with support from Culinda – a trusted leader in the medical cyber-security space. Though this partnership, our research led us to discover five previously unreported vulnerabilities in the medical system which include:

  1. CVE-2021-33886 – Use of Externally-Controlled Format String (CVSS 7.7)
  2. CVE-2021-33885 – Insufficient Verification of Data Authenticity (CVSS 9.7)
  3. CVE-2021-33882 – Missing Authentication for Critical Function (CVSS 8.2)
  4. CVE-2021-33883 – Cleartext Transmission of Sensitive Information (CVSS 7.1)
  5. CVE-2021-33884 – Unrestricted Upload of File with Dangerous Type (CVSS 5.8)

Together, these vulnerabilities could be used by a malicious actor to modify a pump’s configuration while the pump is in standby mode, resulting in an unexpected dose of medication being delivered to a patient on its next use – all with zero authentication.

Per McAfee’s vulnerability disclosure policy, we reported our initial findings to B. Braun on January 11, 2021. Shortly thereafter, they responded and began an ongoing dialogue with ATR while they worked to adopt the mitigations we outlined in our disclosure report.

This paper is intended to bring an overview and some technical detail of the most critical attack chain along with addressing unique challenges faced by the medical industry. For a brief overview please see our summary blog here.

Table of Contents

Background

The most important part of any product assessment is a solid understanding of the purpose and function of the product under test. Without this it is simply too easy for research to produce less than meaningful results. Therefore, for this research it is first important to answer these few simple questions. What are infusion pumps? What security research has already been performed?

What are Infusion Pumps?

To start with the basics using a trusted resource – fda.gov says “An infusion pump is a medical device that delivers fluids, such as nutrients and medications, into a patient’s body in controlled amounts.” The FDA goes on to explain they are typically used by a “trained user who programs the rate and duration”. Infusion pumps can be simple, administering a single intravenous (IV) medication in the home setting, or complex, delivering multiple medications simultaneously in the ICU setting. From the 1960’s to 2000 infusion pumps were mostly electromechanical devices with some embedded electronics, but the turn of the century delivered “smarter” devices with better safety mechanisms and the possibility to program them, which slowly opened the door to information security challenges. Cross referencing the specific product we have chosen to look at, the Infusomat® Space® Large Volume Pump (Figure 1), we see that this pump is meant only for a medical setting and not designed for a home user. Infusion pumps exist mostly to remove the need to perform manual infusion, which requires dose conversion into drops per minute and visually counting drops to set a rate which is both time consuming and unreliable. It is estimated that there are over 200 million IV infusions administered globally each year, and 2020 sales of IV pumps in the US were at $13.5 billion. Clearly infusion pumps have cemented their place in the medical world.

Figure 1: B. Braun Infusomat Pump

What Security Research has Already Been Performed?

Since infusion pumps are such a large part of the medical field and there are several different types, it is reasonable to expect our team is not the first to inquire about their security. As expected, there have been many different research projects on infusion pumps over the years. Perhaps the most well-known research was presented in 2018 at Blackhat by Billy Rios and Johnathan Butts. The infusion pump portion of their research was focused on the Medtronic insulin pumps. They found they were able to remotely dose a patient with extra insulin due to cleartext traffic and the ability to issue a replay attack. Even earlier, in 2015 research was published on the Hospira Symbiq Infusion Pump showing that it was possible to modify drug library files and raise dose limits through “unanticipated operations”, although authentication was required.

Of course, for our purpose, the most important question remains – is there any previous research performed on our specific device. Initially the answer was no; however, during our research project a very large study, ManiMed, was released under the aegis of German authorities to examine the security of network-connected medical devices produced or in use in their country. This included research done on the B. Braun Infusomat pump. This is a fantastic piece of work which covers many network-connected devices. We will reference this study and talk about their findings where appropriate throughout this document, as we additionally explore our enhancements to this research and demonstrate a new attack that was previously called impossible.

Project Motivation

If we consider the Background section earlier, it becomes apparent there is still a large amount of critical research to be performed in this space. Infusion pumps are a prominent and continuously developing area within the medical device space, where previous research has only scratched the surface. Due to the potential critical impact and the state of medical device security, many previous projects didn’t need to dig very deep to find security issues or concerns. The infusion pump industry has numerous devices which have not been researched publicly at all, and even more that only received a cursory analysis from the information security community. For these reasons, we decided to have an in-depth look at one of the largest infusion pumps vendors, B. Braun, and specifically focus on one of their devices used worldwide to analyze it at a depth never seen before. Tackling every aspect of this pump, we wanted to answer the basic question: In a realistic scenario, leveraging original security vulnerabilities, could a malicious attacker impact human life?

System Description

For this research project our system consisted of three main components– a B. Braun Infusomat Large Volume Pump Model 871305U (the actual infusion pump), a SpaceStation Model 8713142U (a docking station holding up to 4 pumps) and a software component called SpaceCom version 012U000050. These models and the corresponding software for the B. Braun Infusomat system were released in 2017. In industries such as consumer electronics, this would be considered obsolete and therefore less relevant to research. However, as discussed above, in the medical field this is simply not the case. Since older devices are still widely used and perhaps originally developed with a less emphasis on security, it increases the importance of investigating them. For due diligence, we consulted and confirmed with our industry partners that this specific model was still actively being used in hospital systems across the country.

SpaceCom is an embedded Linux system that can run either on the pump from within its smart-battery pack or from inside the SpaceStation. However, when the pump is plugged into the SpaceStation, the pump’s SpaceCom gets disabled. We performed most of our research with the pump attached to the SpaceStation as we found this was the most common use case. If a SpaceStation was compromised, it could potentially affect multiple pumps at once. SpaceCom acts as the external communication module for the system and is separated from the pump’s internal operations, regardless of where it is running from.

If we consider the pump attached to the SpaceStation as one system, it has three separate operating systems running on three distinct chipsets. SpaceCom running on the SpaceStation runs a standard version of Linux on a PowerPC chipset. The WIFI module for the SpaceStation also runs a standard version of Linux on an ARM chipset and communicates over a PCI bus with SpaceCom. Lastly, the pump runs its own custom Real Time Operating System (RTOS) and firmware on a M32C microcontroller. An additional microcontroller is used to monitor the M32C microcontroller, but this goes beyond the scope of our research. Due to this modular and isolated design, the Spacecom communication module and the pump need a dedicated path for exchanging data. This is resolved via a CAN bus, shared throughout the SpaceStation, where it allows pumps and accessories to communicate with each other. This is what SpaceCom and any pump docked into the Space Station rely on for their exchange. An architecture diagram below helps demonstrates the system layout and design when a pump is present in the docking station.

Figure 2: System Architecture

SpaceCom Functions and Software Components

SpaceCom contains many different pieces of propriety software and applications to support the many functions of the larger B. Braun and medical facility ecosystem. Our team spent time analyzing each one in great detail; however, for the purpose of this paper we will only touch on key components which are important to the most critical findings mention in the opening summary.

An important function of SpaceCom is to be able to update the drug library and pump configuration stored on the pump. The drug library contains information such as ward and department, a list of pre-configured drugs with their default concentrations, information messages to be printed on the screen when selected, and more importantly, soft, and hard limits to prevent medication error. One of the biggest selling points of the smart infusion pumps is their ability to prevent incorrect dosing of drugs, which is partly done through the limits in the drug library. Another risk the drug library helps mitigate is human error. By having the most common dosage and infusion lengths preprogrammed into the pump, it eliminates errors associated with rate calculations, and drop counting previously mentioned, associated with manual infusion therapy.

The pump RTOS contains a database of over 1500 key/value pairs used during operation. This data consists of everything from status about current components, battery life, motor speed, alarms and values used for tube calibration. As such, this data would be considered extremely sensitive in the context of the pump’s operation and is not intended to have direct user interaction, nor is it presented to the user. A subset of the keys can be indirectly modified via a dedicated servicing software by certified technicians.

To interact with both the drug library and pump configuration on the pump from SpaceCom, a propriety binary called PCS is used. The PCS binary uses the canon binary to interface with the CAN bus to send commands to the pump’s system for both reading and writing values based on the drug library or pump configuration provided to it. The main interface to accomplish this task is via a propriety TCP networking protocol, which by default is sent over port 1500. This protocol is both unauthenticated and unencrypted and we relied heavily on these weaknesses for our research and attacks. Additionally, this resulted in the filing of CVE-2021-33882 and CVE-2021-33883 as stated in the overview above.

Critical Attack Scenario Details

Goals

What could be the goal of a malicious attacker? Realistically speaking, most attacks have been proven to be financially motivated. When translating this to our infusion pump, the question becomes: What would medical executives, without hesitation, pay large sums of money for? If we look at recent events, in May of 2021, Colonial Pipeline paid hackers 4.4 million dollars to get their oil pipeline running again from ransomware attacks. Attacks on healthcare settings are increasing with the FBI estimating a cyberattack using “Ryuk” ransomware took in $61 million over a 21-month period in 2018 and 2019. Attacks are now showing potential for patient harm with one example beginning on October 28th, 2020. The University of Vermont Health Network was part of a larger coordinated attack on multiple US healthcare which resulted in a complete loss of their electronic medical record system for weeks. The results of the ransomware-based attack led to 75% of active chemotherapy patients being turned away, rerouting of ambulances, and delays in testing and treatment. Considering IV pumps are directly supporting human life in some cases, it is easy to suggest an attacker could demand any “ransom” amount leveraging threats to actual patients. To accomplish this an attacker would therefore need to control the operation of the pump.

This task is easier said than done when considering the design of the pump as outlined above. The traditional “getting root” on the network component (SpaceCom) proves ineffective. To make any changes to the pump itself, an attacker needs to interact with the pump’s RTOS, which is not network connected. In this section we provide an outline on how we were able to accomplish this goal by using the five reported CVEs.

Initial Access

Even though getting root access on SpaceCom will not provide us everything we need to accomplish the ultimate goal, it is still the first step. During our reconnaissance and enumeration of the system we discovered a remote interface listening at https://{ipaddress}/rpc. This interface was connected to a common open source service referred to as “json-dbus-bridge”. As described on GitHub, this service “is a fast-cgi application that provides access to D-Bus. It accepts JSON-RPC calls and translates these into D-Bus calls. Any response is converted back to JSON and sent to the client.” This piqued our interest since external access to the D-Bus subsystem could provide us access to internal communication, which may have a different level of security than typical external networking.

When doing any type of vulnerability research, product security assessment or evaluation it is critical to not forget to search for existing issues in any third-party components. This is even more important since we are working on a software released in 2017. While scouring GitHub pages for the json-dbus-bridge, we noticed a format string vulnerability that was patched in 2015. Of course, we had to test if the version we encountered had the existing vulnerability.

Figure 3: Format String Vulnerability Testing

The tests in Figure 3 confirmed the existence of the format sting vulnerability. While this format string vulnerability had been publicly discovered in 2015 in the json-dbus-bridge code, the update was never included in B. Braun’s software and hence satisfied the condition for a vendor specific zero-day vulnerability disclosure. This was filed as CVE-2021-33886 and was our first reported discovery to B. Braun. Over the next several weeks we were able to leverage this vulnerability and create a working exploit to gain www user level shell access to the device. Due to the potential impact to unpatched devices, the exact technical details of our exploit have not been included.

Privilege Escalation

Although user access is the first step, root access will be needed in order to interact with the CAN bus to communicate with the actual pump. A good target and well-known process for privilege escalation is to find a binary owned by root with the setuid bit enabled. We could not find one ready to use; however, the web interface has an option to backup and export settings which relies on tarring a folder containing a handful of files and encrypting it with AES using a user-provided password. The backup archive can then be downloaded for later restore of the settings. When restoring this backup, root is the user doing the untarring in such a way that file permissions are being preserved from the provided tar file. Thus, if we can tamper with the archive, we might be able to create a privilege escalation scenario.

To use this to our advantage we need to embed a binary in the backup archive owned by root with the “setuid” bit set so we can use it to elevate privileges. Ironically, the code responsible for the import/export of settings is already doing most of the work for us. The “configExport” binary located on the filesystem is a wrapper to call setuid/setgid (and sanitize inputs) which then calls execve on the script “/configExport/configExport.sh.” We can use a hex editor to change which script the “configExport” binary is running and replace “configExport.sh” with an attacker-controlled script, while also patching out the input sanitizing. We could absolutely have compiled our own binary instead, but this approach saves us from a couple of hours of PPC cross-compiling fun.

While we were working through this component of our attack chain, researchers working on the ManiMed project, in coordination with B. Braun, published a report which included this finding, listed as CVE-2020-16238 on B. Braun’s website. As described in section 4.6.2.2 of their report “An authenticated arbitrary file upload vulnerability combined with an unvalidated symbolic link and local privilege escalations enables attackers to execute commands as the root user.” We commend the ManiMed researchers for also discovering this vulnerability and practicing responsible disclosure.

Crossing Systems

The real work begins once root access is obtained. The challenge becomes how to affect change on the pump RTOS with root access on the SpaceCom communication module. One common approach would be to continue to look for vulnerabilities in the pump’s RTOS that would lead to code execution within its system. This method poses many challenges during black box testing and could lead to damaging our limited number of test devices.

Another approach which we have leveraged in past projects is hijacking the standard functionality of the device to further the attack. This can be more manageable, but it first requires a deep understanding of how the device works and the desired outcome. This also tests the device’s defense in depth and can prove to be very difficult depending on the security measures in place. In our case, this would force the question of how well-protected the area is surrounding the communication between the pump and SpaceCom.

As mentioned in the system description section above, the PCS binary is responsible for communicating with the pump’s system for two critical operations – updating the drug library and updating the pump config. These are key functions that would likely be of interest to an attacker. There are several different approaches which could be taken by an attacker to interact with these key operations, especially given root access. Considering the various alternatives, we chose to leverage our root access on SpaceCom to inject code into PCS’s memory and use existing functions and objects to communicate with the pump’s internal system.

Our chosen path required a deep understanding of the data structures and functions used to facilitate this communication. The key is to find the perfect place in a larger operation call stack where we can modify or inject the data we want, while still utilizing lower-level functions to avoid the need to unnecessarily create objects and data from scratch. To illustrate this point, consider if we want to send a simple signal to power off the pump from within PCS’s memory space. The fact that all data sent from SpaceCom to the pump’s RTOS is done through CAN messages, with root access meant that we could send CAN messages directly on the CAN bus. This would require an extensive knowledge and breakdown of the CAN message structure as the underlying protocol is designed by B. Braun and would have to be reverse engineered. Although possible, it is very difficult, especially with CAN’s data frame field having a lack of strict specifications. Inside PCS there is a call chain which builds this message. If we were to inject and utilize functions very low in the call chain, such as the trySend function which sends a CAN message (as seen in figure 4) , we would need to understand all of its arguments and the data format it uses. We’d essentially have the same problem as before.

Figure 4: trySend function

If we look higher in the call stack for a function that performs the operation we are interested in, switching off the device, we can instead let the rest of the call chain do the heavy lifting for us. Notice in Figure 5 below there is a function for just this purpose, which only requires one parameter to be passed.

Figure 5: switchOffDevice

Leveraging this concept, we are able to use the functions within PCS in a manner similar to an API to perform read and write operations to the pump’s database and force a change.

Understanding Critical Data

If we want to send and write data such as the drug library and pump config, we first need to understand the format of the data, how it is processed and any security measures in place which need to be accounted for. Our team spent extensive time reversing both the drug library and pump configuration data. A portion of the pump configuration is referred to as calibration and disposable data. Both can be modified through our attack chain; however, for this paper we will just touch on the more critical of the two the calibration and disposable data.

The calibration and disposable data are usually seen in the form of files that are living in SpaceCom. At a more granular level, they are a collection of key/value pairs that are meant to be read or written to the pump’s database. Each file can also be a large blob of data living on the pump flash. The physical location of each key within this blob is hardcoded in the pump and sometimes in PCS. This representation is relevant when it comes to computing various CRCs that operate on blobs of data rather than key pairs. These checksums are used heavily throughout the pump’s infrastructure with critical data to ensure the integrity of the data. This goes to ensure the safety of patients by ensuring data can’t be accidently modified or corrupted. Figure 6 shows an example of disposable data as contained in files on SpaceCom.

Figure 6: Disposable Data

Looking at the variable names inside the disposable data file and relevant code in the pump firmware led us to one key/value pair that specifies the “head volume” of the tube, which can be seen in the figure above. After extensive analysis, we determined that “head volume” is the parameter dictating the amount of medication being delivered per cycle to the patient. We determined that if this value was to be changed, it could be potentially harmful. We detail this analysis in section “Unique Consideration for Infusion Pump Hacking” below.

With a target key/value pair in mind, the next step would be to understand how to calculate the CRCs. Since the system is constantly checking the integrity of the data, if an attacker wanted to modify any value, they would also need to modify the CRCs which validate the changed data. Through reverse engineering we determined the CRC was a custom implementation of a CRC16, where the initial value is 0xFFFF and relies on a hardcoded polynomial table. We were able to extract this algorithm and write custom python scripts to compute the CRC needed for the disposable data.

With a basic understanding of the critical operational data and the ability to compute the CRCs, we are able to leverage the PCS binary, in an API fashion to send commands to the pump to modify this data. This holds true for both the drug library and the pump configuration data. Although CRCs are great for integrity checking, they provide no security or level of trust of the where the data is coming from.  This lack of origin verification is what led to the filing of CVE-2021-33885.

Final Attack Chain

If we review our attack chain, we can gain user-level access to the device without authentication or authorization. We can then escalate our privileges to root and leverage the existing functionality of the PCS binary to make modifications to the pump’s disposable data. Conceptually, the process is complete; however, we can do some additional housekeeping in order to make our attack chain slightly more realistic and efficient.

Since the proprietary protocol for the PCS binary is unauthenticated, there are certain configuration options which can be modified for an attacker to make their job even easier. One of these configuration options tells the pump which server is “trusted” to receive operational data from (such as the drug library). An attacker can send a command to SpaceCom which clears the current trusted server configuration and rewrites it to an attacker-controlled server. This is not required for this attack when leveraging the format string and privilege escalation path outlined above; however, it does provide alternative methods and simplifies the attack process.

Lastly, the pump has an audible and visual notification when any configuration or drug information has been modified on the pump. Once again in the spirit of a realistic attack, a malicious attacker is going to want to be as stealthy as possible. To accomplish this, it was worth determining a method in which to clear these notifications. This process turned out to be as simple as restarting the pump after our modifications were complete. The reboot operation happens in a matter of seconds, so by using this technique, all alerts to the end user were quickly cleared. The complete attack process can be seen outlined in the diagram below.

Figure 7: Complete Attack Chain

Attack Prerequisites

Although this attack chain presents a complete method to modify critical pump data, it is important to recognize the conditions required for this attack to be successful. These pumps are designed to be network connected to a local internal network. Therefore, under normal operating conditions an attacker would need to have found a method to gain access to the local network. Could this attack take place over the internet? Technically speaking, yes; however, it would be very unlikely to see a setup where a pump is directly internet-connected.

In addition to being on the local network, the pump does have safeguards in place to ensure no modifications can occur while the pump is operational. From what we discovered during our research, if the pump is actively administering medication, it ignores any request on the CAN bus to modify library or configuration data. This means the attack can only be successful when a pump is idle or in standby mode in between infusions.

Impact

The prerequisites for this attack are minimal and are not enough to mitigate the overall threat. In today’s world there are a wide range of documented and utilized methods for attackers to gain access to local networks. If we also consider that hospital or medical facilities are generally public places with little to no barriers to entry, it is easy to see how someone malicious can go unnoticed and obtain network access. Pumps are also not always actively administering mediation. Even in the busiest of hospitals there is downtime between patients or times when pumps are simply not in use.

With the ability to modify disposable and configuration data on the pump, there are a wide range of possibilities for which an attacker could choose to have an impact. An attacker could simply put the device in an unusable state or write arbitrary messages on the screen. We chose to focus on the disposable data, specifically the key/value pair labeled “TUBE_HEADVOLUME_A” since we determined it would demonstrate the greatest impact, bringing harm to a patient. In the below video you will first see the pump under normal operation. After demonstrating the system working as intended, we modify the configuration remotely using the attack chain explained above and then illustrate its effect on the pump when administering medication.

Demo

Unique Considerations for Infusion Pump Hacking

An interesting characteristic of this project is that its impact and consequences are inherently grounded in the physical world. Where common software hacks end with the ability to get root access or kernel privileges, in this project, the way the device is used by medical staff and how it can affect patient safety is crucial to the outcome. The next few sections will focus on various aspects of the project that fall under this umbrella.

Why we modified TUBE_HEADVOLUME

As described previously, our attack relies on modifying the disposable data that governs the way the pump is used to deliver medication. But why and how did we decide to go investigate this? An interesting side-effect of the pump being built to be safe is that most of the inputs and outputs it receives from the CAN bus are extensively checked against out-of-range access. From an attacker’s perspective who has already compromised SpaceCom, this would usually be the prime target for memory corruption bugs. Fuzzing and emulating the M32C architecture is cost-heavy in terms of upfront work, so instead, we started looking for a path of least resistance and searched for blind spots in the secure design.

In our case, we wanted to be able to affect the amount of drug being dispensed, preferably without having something on screen as that would indicate a malfunction or abnormality. Our original plan was to tamper with the device drug library, but it turns out that data we could alter would be displayed on screen, which could raise concern as medical staff verify the prescribed drug and rate against the order before, and immediately after starting the infusion. This would not be ideal for an attacker, so we kept investigating. The other files we could modify were the calibration data and the disposable data. These files are interesting as they describe internal parameters; the calibration one specifies the physical parameters of the device itself, while the disposable one is for the specifics regarding the tubing going through the pump. Anyone familiar with precision tools know how important a good calibration is. If the calibration is off it will lead to improper operations or results. From an operational standpoint this makes sense, but from an attacker perspective this has a strong likelihood of fitting the bill for the attack we had in mind: modifying an internal value so the pump thinks it is dispensing the right amount of drug, while it is actually incorrect in its calculations.

Looking at the variable names inside the disposable file and relevant code in the pump firmware led us to one that specifies the “head volume” of the tube. From our understanding, each time the pump pumps, it compresses the IV tubing thereby pushing a small quantity of drug towards the patient. Overall, there are many physical parameters that would govern this volume –the internal tube diameter, the length of the compressed region, how much the tube is being compressed, etc.—but in the end, it seemed that all these values were summed up in one variable. Cutting this value in half would make the pump believe it is pushing half the actual amount, and therefore would have to pump twice as fast to deliver it. We tried our hypothesis, and by doing so, the amount of drug dispensed doubled while the pump assumed everything was normal.

Operations in Hospitals and Consequences of Over-Infusing Drugs

Now that we have an idea of what happens to the device when we alter its internal configuration, we can consider how this could play out in the real world. As mentioned previously, medical staff are expected to be extra-careful when using these devices, ensuring the numbers match the doctor’s order. In the United States, both the Centers for Medicare and Medicaid Services (CMS) and the American Society of Clinical Oncology require standard of practice be followed with high risk or hazardous infusions like blood or chemotherapy. This standard requires two appropriately trained people (usually nurses), one who will be infusing the medication, and the other to verify the order and configuration prior to administration. Looking internationally, we were also  able to find this same protocol in use at an Irish hospital. It confirms the attention to detail and the requirement to double-check each value is correct. However, another document describing the adoption of a smart pump system in a Swedish hospital hints at concerns (p. 47) that invalid drug protocols might be followed if a nurse picked the wrong default settings on the pump. These documents are anecdotal, but the overall feeling is that strong checks are in place. Under pressure or with multiple infusions, mistakes can be made, which smart pumps should prevent.

One of our industry partners, Shaun Nordeck, M.D. is an Interventional Radiology Resident Physician at a Level 1 Trauma Center and prior, served as an Army Medic and Allied Health Professional. Leaning on more than 20 years in the medical field. Dr. Nordeck states “A high-pressure environment such as the ICU may be at increased risk for infusion errors since these critical and often medically complex patients have multiple infusions which are being adjusted frequently. Errors, however, are not limited to the ICU and may just as easily occur in the inpatient ward or outpatient settings. Essentially with each increase in variable (patient complexity or acuity, number of medications, rate changes, nurse to patient ratio, etc.) there is an increased risk for error.”

As a measure of safety, it is important to keep in mind that one can visually count the number of drops to verify the infusion rate (there’s even an optional module to do it automatically). However, depending on the parameters, a minor change of speed (e.g., halved or doubled) might not be immediately obvious but could still be deleterious. Dr. Nordeck further stated that “something as routine as correcting a person’s high blood sugar or sodium level too quickly can cause the brain to swell or damage the nerves which can lead to permanent disability or even death.” The FDA’s MAUDE database keeps track of adverse events involving medical devices and can be used to see what type of problems actually occurred in the field. Certain drugs are particularly potent, in which case the speed at which they are delivered matters. In this instance, an over-sedation at 4 times the intended rate led to the death of a patient a few hours after the incident occurred. Under-dosing can also be problematic as the required medication does not reach the patient in the appropriate quantity. These examples highlight that a pump not delivering the correct amount of drug occurs in the field and may remain unnoticed for multiple hours, which can lead to injury or death.

Common Pitfalls

Let’s now take a step back and consider some generic shortcomings that became apparent while looking at the infusion pump ecosystem. We believe these problems are not specific to a brand or a product but rather may be found across the entire medical field. This is because throughout the years, this vertical has only received a limited amount of attention from both malicious actors and the cybersecurity industry.  With the increased rate of cyber threats and the constant additions of new smart devices in private networks, new attack surfaces are being exposed and the hardening of many systems may turn into low hanging fruits for the ones lagging. The slower life cycle of smart medical devices means that best security practices and mitigations take longer to be adopted and deployed in the field. Awareness of this may help healthcare organizations, and their supporting IT administration have a more critical eye on the technology deployed in their environments while medical device vendors should remain vigilant of their “legacy” technologies and continually reassess the risk profile associated with legacy products in the current cybersecurity landscape.

Patching is Costly

Consumer products, both hardware and software are often nimbler than their counterparts in the medical industry. Your web-browser or operating system on your personal computer will auto-update immediately after a patch is released which come on a regular basis. This is radically different for medical devices which are often directly linked to patient safety and therefore need to undergo a more rigorous vetting process before applying updates. This often leads to the need to immobilize devices during updates, perform follow up tests and recalibrations. It is often very expensive and challenging for medical facilities to update products, resulting in deployed devices with firmware that is several years old. Because of this, “table stakes” security measures may never be fully adopted, and corresponding vulnerabilities may have a larger impact than in other industries.

Designed for Safety Rather than Security

When looking at the general architecture of the pump, it is obvious that it was designed with safety in mind. For instance, it relies on an application processor for the main processing but also has a control processor that makes sure nothing unexpected occurs by monitoring sensors output along with other components. Everything is CRC checked multiple times to flag memory corruption and every range is bounds-checked. All of this suggests that the design was intended to mitigate hardware and software faults, data accidentally being corrupted over the wire, and the flash module degrading which aligns with a high priority on safety.

However, it looks like preventing malicious intent was not given as much attention during the design process. Sometimes the difference between safety and security might be a little blurry. Preventing accidental memory corruption and out of bounds access due to faulty hardware will also make exploitation harder, yet an attacker will always attempt to escape these mitigations. Along the same lines, logic bugs that would be extremely unlikely to occur by chance might be the “keys to the kingdom” for an attacker. Internal audits and offensive security exercises can highlight the attacker mindset and bring valuable insights as how to harden existing safeguards to protect against intentional threats.

Everything is Trusted

When looking at how the pump and its communication module handles communication and file handling, we observed that critical files are not signed (CVE-2021-33885), most of the data exchanges are done in plain-text (CVE-2021-33883), and there is an overall lack of authentication (CVE-2021-33882) for the proprietary protocols being used. There are a few password-protected areas for user facing systems, but not as many for the behind-the-scenes internal systems. This might be because a login page on a website is an “obvious” necessity, along with having a proper authentication mechanism for FTP and SSH, while ad-hoc protocols designed more customized uses are not as obvious. There is also an evolving landscape at play and its related threat assessment; the risk of an unauthorized person tampering with a configuration file (calibration data, drug library, etc.) is fairly low if it also requires dedicated software and physical access to the device. However, if suddenly the device becomes network-connected, the attack surface is extended and the original assumptions may not be refreshed. Defense-in-depth would dictate that in any case, important files should not be easy to tamper with. However, security vs functionality comes with legitimate compromises and when it comes to embedded devices, limited resources and usability also need to be factored into the equation.

CAN gets Connected to WIFI

Originally, the CAN bus was reserved for communication between trusted components such as a Servicing PC used for maintenance or for connecting multiples devices within an older model of the Space Station that did not have SpaceCom built in. The latter would come as an optional module that could be plugged into the Space Station to offer external connectivity. Hence, the CAN bus was used for “internal” communication between trusted components and an external module, the SpaceCom, could be added for data reporting over the network. Over the following decade, technology improved and miniaturized to the point where everything got merged, so that even a battery module could provide WIFI connectivity and the SpaceCom functionalities. This opened new possibilities, such as having the built-in SpaceCom module provide similar capabilities as the servicing PC. From a user perspective this is great as it simplifies operations, but from a security perspective, this created a situation where a “trusted” internal network suddenly became bridged to an external network that could even be accessed wirelessly. What might have been an acceptable risk, where only a few proprietary devices with physical access could perform privileged operations, became much more questionable when a WIFI-connected Linux device started to offer the same capabilities.

This kind of problem has been faced by nearly every industry vertical that evolved from reliance on trusted physical networks which suddenly got connected to the internet or other untrusted networks. Smart connected devices are a double-edged sword: in the same way they offer greater flexibility and synergy between systems, they can also lead to emergent security issues that need to be considered holistically.

Technical Debt

When developing custom protocols and ad-hoc systems it’s natural to incur technical debt. This is even more true when the life cycle of a device is many years and when it is complicated and expensive to deploy patches and upgrades, leading to a heterogeneous customer base and multiple hardware revisions to support. This can cause situations where more obscure features are not looked at for years and their ownership might be lost or perfunctory. An example of this is the format string vulnerability affecting the json-dbus module. Its usage is obscure, and it was forked from an open-source project many years ago. The original repository fixed bugs that were security bugs but were not flagged as such which led them to fly under the radar for multiple years. Likely, at the time it was forked, the code served its purpose and was never revisited afterwards, leaving the security bug unnoticed. The same can be said for custom-designed protocols and file formats. It may be difficult to evolve them in line with the improvement of best security practices while avoiding breaking “legacy” deployments. In this scenario, mitigations might be the way to go; making sure the systems are isolated, unnecessary features can be disabled and their privilege and access limited to what’s needed. Future-proofing a system is a difficult challenge. If anything, transparency on how the system functions and the components it relies on, coupled with regular audits (code source review or black box audit) can help prevent components from falling in the cracks where they’re not checked against best practices for many years.

Conclusion

This concludes a research project which took two senior researchers a significant amount of time to showcase a life-threatening risk of a medical device being taken over by a remote attacker. For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attacks and malicious actors will look for other lower-hanging fruits. Given the lifespan of medical devices and the difficulties surrounding their updates, it is important to start planning now for tomorrow’s threats. We hope this research will help bring awareness to an area that has been a blind spot for far too long. Dr. Nordeck affirms the importance of this research stating: “The ability to manipulate medical equipment in a way that is potentially harmful to patients, without end-user detection, is effectively weaponizing the device and something only previously conceived by Hollywood yet, McAfee’s ATR team has confirmed is plausible. Device manufactures clearly aim to produce safe and secure products as evidenced by built-in safeguards. However, flaws may exist which allow the device to succumb to a ransom attack or potentially cause harm. Therefore, manufactures should collaborate with security professionals to independently test their products to detect and correct potential threats and thereby preserve patient safety and device security.”

Performing regular security audits, making it easier for medical professionals to keep their devices up to date and offering solid mitigations when this is not possible should really be on every medical vendor’s list of priorities. Medical professionals, policy makers and even the general public should also hold accountable the medical vendors and have them clearly articulate the risk profile of the devices they sell and demand better ways to keep their device secure. We recognize even with this mindset and a holistic approach to security, there will always be flaws that cannot be predetermined. In these cases, vendors should encourage and even seek out industry partners, embrace responsible disclosure and communicate broadly with researchers, stakeholders and customers alike.

From a security research perspective, it is crucial to understand how a device works at a holistic system level, and how each component interacts with each other, which components they can talk to, and so on. For manufacturers, it is important to read between the lines; something may not be in a design document or in the specifications, but sometimes emergent properties will occur as a side-effect of other design decisions.

An offensive project like ours is really meant to highlight structural weaknesses and point out risks. Now, defensive work is necessary to address these concerns. For instance, manufacturers should leverage cheaper and more powerful microcontrollers to implement proper authentication mechanisms. However, it is even more important to study and address the challenges hospitals face when it comes to keeping their devices up to date. This should come as both technical solutions from the vendors and advocacy to promote secure practices and raise awareness on the underlying risks associated with critical devices having outdated software. The FDA tried to lead the way in 2018 with its CyberMed Safety (Expert) Analysis Board (CYMSAB), but so far little progress has been made. The work the German BSI did with the ManiMed project is also extremely encouraging. We see this as an area of cybersecurity with lots of potential and need for attention and look forward to the information security industry taking on this challenge to make this critical sector always more secure.

One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. As per McAfee’s vulnerability public disclosure policy, McAfee’s ATR team informed and worked directly with the B.Braun team. This partnership resulted in the vendor working towards effective mitigations of the vulnerabilities detailed in this blog. We strongly recommend any businesses using the B.Braun Infusomat devices to update as soon as possible in line with your patch policy and testing strategy.

CVE Details

CVE: CVE-2021-33882

CVSSv3 Rating: 6.8/8.2

CVSS String: AV:N/AC:H/PR:N/UI:N/ S:C/C:N/I:H/A:N/CR:H/IR:H/AR:M/MAV:A

CVE Description: Missing Authentication for Critical Function vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source through lack of authentication on proprietary networking commands.

CVE: CVE-2021-33883

CVSSv3 Rating: 5.9/7.1

CVSS String: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:H/IR:H/AR:M/MAV:A

CVE Description: Cleartext Transmission of Sensitive Information vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping the network traffic.  The exposed data includes critical values for the pumps internal configuration.

CVE: CVE-2021-33884

CVSSv3 Rating: 7.3/5.8

CVSS String: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/CR:M/IR:M/AR:L/MAV:A

CVE Description: Unrestricted Upload of File with Dangerous Type vulnerability in BBraun SpaceCom2 prior to 012U000062 allows remote attackers to upload any files to the /tmp directory of the device through the webpage API.  This can result in critical files being overwritten.

CVE: CVE-2021-33885

CVSSv3 Rating: 10.0/9.7

CVSS String: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/CR:H/IR:H/AR:M/MAV:A

CVE Description: Insufficient Verification of Data Authenticity vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to send malicious data to the device which will be used in place of the correct data.  This results in execution through lack of cryptographic signatures on critical data sets

CVE: CVE-2021-33886

CVSSv3 Rating: 8.1/7.7

CVSS String: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/RL:O/RC:C

CVE Description: Improper sanitization of input vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to gain user level command line access through passing a raw external string straight through to printf statements.  The attacker is required to be on the same network as the device.

The post McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump appeared first on McAfee Blogs.

]]>
Overmedicated: Breaking the Security Barrier of a Globally Deployed Infusion Pump https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/overmedicated-breaking-the-security-barrier-of-a-globally-deployed-infusion-pump/ Tue, 24 Aug 2021 13:00:19 +0000 https://www.mcafee.com/blogs/?p=126410

Cyberattacks on medical centers are one of the most despicable forms of cyber threat there is. For instance, on October...

The post Overmedicated: Breaking the Security Barrier of a Globally Deployed Infusion Pump appeared first on McAfee Blogs.

]]>

Cyberattacks on medical centers are one of the most despicable forms of cyber threat there is. For instance, on October 28th, 2020, a cyberattack at the University of Vermont Medical Center in Burlington VT led to 75% of the scheduled chemotherapy patients being turned away. Many of us have friends and loved ones who have had to undergo intensive treatments, and the last thing we want in this situation is for their critical care to be delayed due to on-going cyberattacks. Yet, as concerning as ransom attacks can be, what if the process of receiving the treatment was an even bigger threat than a system-wide ransomware event?

McAfee’s Enterprise Advanced Threat Research team, in partnership with Culinda, have discovered a set of vulnerabilities in B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation.

McAfee Enterprise ATR remotely hacks a B.Braun Infusomat Pump

These critical vulnerabilities could allow an attacker to conduct remote network attacks and modify the amount of medication a patient will receive through infusion. This modification could appear as a device malfunction and be noticed only after a substantial amount of drug has been dispensed to a patient, since the infusion pump displays exactly what was prescribed, all while dispensing potentially lethal doses of medication. This attack scenario is made possible through a chain of known and previously unknown vulnerabilities found by McAfee Enterprise ATR. A critical component of this attack is that the pump’s operating system does not verify who is sending commands or data to it, allowing an attacker to carry out remote attacks undetected. For those looking for a more technical analysis of the vulnerabilities, an in-depth blog can be found here.

History and Industry Insights

From the 1960’s to 2000, infusion pumps were mostly electromechanical devices with an embedded operating system, but the turn of the century delivered “smarter” devices with better safety mechanisms and the possibility to program them, which slowly opened the door to computer security challenges. Today, it is estimated that there are over 200 million IV infusions administered globally each year. The infusion pump market is a clear potential target for attackers. The market is valued at an estimated $54 billion in annual revenue, with 2020 sales of IV pumps in the US at $13.5 billion. IV pumps are inherently trusted to be secure and have over time become the mainstay for efficient and accurate infusion delivery of medication. B. Braun is one of the key market share holders in this rapidly growing market, emphasizing the impact of these vulnerability discoveries.

Industry personnel can be the best source of information for determining impact. Shaun Nordeck, M.D, an Interventional Radiology Resident Physician at a Level 1 Trauma Center, prior Army Medic and Allied Health Professional, with more than 20 years in the medical field, states that: “Major vulnerability findings like the ones reported by McAfee’s Enterprise Advanced Threat Research team are concerning for security and safety minded medical staff. The ability to remotely manipulate medical equipment undetected, with potential for patient harm, is effectively weaponizing these point of care devices. This is a scenario previously only plausible in Hollywood, yet now confirmed to be a real attack vector on a critical piece of equipment we use daily. The ransomware attacks that have targeted our industry rely on vulnerabilities just like these; and is exactly why this research is critical to understanding and thwarting attacks proactively.”

These vulnerabilities were reported to B. Braun beginning in January 2021 through McAfee’s responsible disclosure program. Through ongoing dialog, McAfee Enterprise ATR have learned that the latest version of the pump removes the initial network vector of the attack chain. Despite this, an attacker would simply need another network-based vulnerability and all remaining techniques and vulnerabilities reported could be used to compromise the pumps. Additionally, the vulnerable versions of software are still widely deployed across medical facilities and remain at risk of exploitation. Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention, and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation.

Call to Action

This concludes a research project which took two senior researchers a significant amount of time to showcase a life-threatening risk of a medical device being taken over by a remote attacker. For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attack and malicious actors will look for other lower-hanging fruits.

The unfortunate reality is that individuals can’t do much to prevent or mitigate these enterprise-level risks, outside of staying mindful of security issues and maintaining awareness of possible threats. However, the good news is that security researchers continue to propel this industry towards a safer future through responsible disclosure. We strongly encourage vendors to embrace vulnerability research and consumers to demand it. The medical industry has lagged severely behind others in the realm of security for many years – it’s time throw away the digital “band-aids” of slow and reactive patching, and embrace a holistic “cure” through a security-first mindset from the early stages of development, combined with a rapid and effective patch solution.

Braun Medical Inc. Statement

In May 2021, B. Braun Medical Inc. disclosed information to customers and the Health Information Sharing & Analysis Center (H-ISAC) that addressed the potential vulnerabilities raised in McAfee’s report, which were tied to a small number of devices utilizing older versions of B. Braun software. Our disclosure included clear mitigation steps for impacted customers, including the instructions necessary to receive the patch to eliminate material vulnerabilities.

Braun has not received any reports of exploitation or incidents associated with these vulnerabilities in a customer environment.

The post Overmedicated: Breaking the Security Barrier of a Globally Deployed Infusion Pump appeared first on McAfee Blogs.

]]>
Executive Spotlight: Q&A with Chief Information Officer, Scott Howitt https://www.mcafee.com/blogs/enterprise/executive-spotlight-qa-with-chief-information-officer-scott-howitt/ Mon, 23 Aug 2021 15:03:10 +0000 https://www.mcafee.com/blogs/?p=126530

Now that we’ve officially kicked off our journey as McAfee Enterprise, a pure-play enterprise cybersecurity company under the new ownership...

The post Executive Spotlight: Q&A with Chief Information Officer, Scott Howitt appeared first on McAfee Blogs.

]]>

Now that we’ve officially kicked off our journey as McAfee Enterprise, a pure-play enterprise cybersecurity company under the new ownership of Symphony Technology Group (STG), we’re celebrating a lot of new firsts and changes. But one thing remains the same: our passion and commitment to make the world a safer, more secure place. And that passion starts with our people. In this new blog series, you’ll meet some of the executives devoted to tackling today’s most pressing security concerns and innovating for the future.

Q: How did you come into this field of work?

I didn’t start out in information technology, I graduated from college with a degree in physics at the end of the Cold War. At the time, all the physics jobs had evaporated, so I started out as an intern in programming at EDS. I did that for a few years and then went into management. I eventually became a CTO and then a CIO.

When I was a CIO, I learned that I really didn’t know much about information security, and it was hindering me in the CIO role. My next job was a director of information security at a financial services company, and I never looked back. I found that I had a passion for information security and have been the CISO at two different Fortune 500 companies. My current role as CIO for a company that creates enterprise cybersecurity software is a perfect marriage of both skill sets.

Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise in the coming years?

I think our products like Insights and MVISION XDR are going to change the way we think about security. We have always relied on “after-the-fact” data as opposed to proactively looking at our environment. The days of looking at packet capture and syslogs as our primary defense method are behind us. While they are great for those “after-the-fact” forensic studies, they really don’t do much to proactively defend your enterprise.

Understanding user and device behavior and being able to spot anomalies is the future. Information security leaders need to stop having a negative reaction to new technology and instead embrace it. I also believe blockchain will likely be a good solution for IoT identity and machine learning will take over for the SEIM. You will start to see our tools evolving to meet these new challenges and paradigms.

Q: Since joining the company just over a year ago, how do you feel you’ve been able to help the company grow since last year and the impact you’ve had in your role?

My team has done a very good job in leading the charge to the cloud while at the same time reducing costs. But we are just at the beginning of the journey, and have a long way to go.

We have also challenged our lack of standards and formed the Enterprise Architecture team to drive these patterns into the organization. As Hamlet said, we must suffer “the slings and arrow of outrageous fortune” for trying to drive that change, but I have been impressed by the dedication of members of our Technology Services team. Our security team has worked in lock step with the rest of the organization to drive our outward facing security vulnerabilities down to zero. That is not where we were when I arrived, but the team took a measured approach to dramatically improve our security posture.

I also enjoy spending time with the sales organization and helping them in supporting our customers.   After being in the CISO role for over 12 years, I understand how difficult the role can be. I like to help our sales team understand what pain CISOs are experiencing and how our products can help.

Q: How do you hope to impact change in cybersecurity?

I have been involved in the clean-up of two major breaches. While it is easy to get caught up in the numbers of records lost or how the breach will affect the organization’s stock price, there is a very human cost. Many security or IT leaders lose their job after a breach where stolen records are used to commit identity theft which is very painful to reconcile if you are victim, as we have seen in some of the ransomware attacks on healthcare systems that may have led to the death of patients. The great thing about being a leader in cybersecurity is that you feel you are doing something for the good of the public.

My teams have worked closely with various law enforcement agencies and have caught attackers. There is no better feeling than knowing you have taken down a criminal. I personally want to look back on my career and believe the field of cybersecurity is in a better place than when I started and that the company I work for played a major role in that change.

 

The post Executive Spotlight: Q&A with Chief Information Officer, Scott Howitt appeared first on McAfee Blogs.

]]>
Data Centric Zero Trust for Federal Government Cybersecurity https://www.mcafee.com/blogs/enterprise/data-centric-zero-trust-for-federal-government-cybersecurity/ Wed, 11 Aug 2021 17:25:56 +0000 /blogs/?p=125912

As outlined in Executive Order on Improving the Nation’s Cybersecurity (EO 14028), Section 3: Modernizing Federal Government Cybersecurity, CISA has...

The post Data Centric Zero Trust for Federal Government Cybersecurity appeared first on McAfee Blogs.

]]>

As outlined in Executive Order on Improving the Nation’s Cybersecurity (EO 14028), Section 3: Modernizing Federal Government Cybersecurity, CISA has been tasked with developing a Federal cloud-security strategy to aid agencies in the adoption of a Zero Trust Architecture to meet the EO Requirements. While the government awaits the completion of that effort, I think it’s important to look at the two government reference architectures that have already been published, as they will undoubtedly be considered in the development of CISA’s cloud-security strategy. Both NIST (800-207) and DoD (Version 1.0) have released Zero Trust reference architectures. Both define a Zero Trust telemetry architecture informed by security sensors to dynamically evaluate device and user trust and automatically change access permissions with changes in entity trust. They each accomplish the same goal, even if they take slightly different paths to get there.

Whereas the DoD architecture establishes control planes that each have their own decision point, with data given its own decision point, NIST takes a broader approach to Zero Trust and emphasizes Zero Trust in relation to all resources, not just data. The data control plane within the DoD architecture encompasses data processing resources and applies data-specific context to them. As most networks, applications, storage and services exist to process and store data, it makes sense that access to these resources should be specific to the data contained within them, and not just the access to the resources themselves. Protecting data is central to Zero Trust, and the DoD’s architecture acknowledges this.

Data Centric Enterprise

Today, most Zero Trust efforts seem to focus on defending the applications, networks and services that contain the data but fall short of building data specific protections. And while protecting network, application, and service resources is certainly important and essential to layered protections, improving protection around the data is imperative to successfully adopt Zero Trust architecture. People with alarm systems on their homes still lock up valuables in a safe to guard against failures in controls, or less than trustworthy house guests and hired workers.

The DoD puts data at the center of its reference architecture. User and entity trust is assessed in relation to the data being accessed, and permission levels are dynamically changed specific to individual data resources.  If Zero Trust operates under the assumption that networks and applications are already compromised, then the only logical way to successfully implement Zero Trust is to combine network, application, and service access technologies with a comprehensive data protection platform. In a well-designed Zero Trust architecture, a comprehensive data protection platform serves not only to protect data, but also as a means to inform the analytics layer of potentially malicious insiders or compromised user accounts in order to automatically trigger changes in access permissions.

Imagine a very simple scenario where an organization has classified specific types of data and implemented controls to protect the data. Jane is a contractor, who, because of her contract function, was vetted and cleared for access to critical applications and controlled unclassified data. Jane has a government-issued laptop with data protection software, and she has access to government cloud applications like Office 365 that are protected and governed by the agencies’ CASB solution. Unfortunately, Jane has been having well disguised and undisclosed financial troubles, which have put her in a compromised situation. In order to try to get herself out of it, she has agreed to act as an insider. Jane initially attempts to send sensitive data to herself through her Office 365 email, but the attempt is blocked by the CASB. She then attempts to share the records from SharePoint to an untrusted email domain and again is blocked by the CASB and reported to security. Desperate, she tries to move the data to an external hard drive, and yet again she is blocked. At this point, Jane gives up and realizes the data is well protected.

On the backend of this scenario, each one of these attempts is logged as an incident and reported. These incidents now inform a Zero Trust dynamic access control layer, which determines that Jane’s trust level has changed, resulting in an automatic change to her user access policies and a Security Operations alert. This is one very basic example of how a data protection platform can inform and affect user trust.

What Comprises a Comprehensive Data Protection Platform?

Effectively architecting a comprehensive data protection platform requires a multi-vector and integrated approach.  The platform should be a combination of control points that leverage a common classification mechanism and a common incident management workflow. Data protection enforcement should facilitate enforcement controls across managed hosts, networks, SaaS, and IaaS resources, and whenever possible restrict sensitive data from being placed into areas where there are no controls.

McAfee enables this today through a Unified DLP approach that combines:

  • Host Data Loss Prevention (DLP)
  • Network Data Loss Prevention (DLP)
  • Cloud Access Security Broker (CASB)
  • Hybrid Web Gateway – On-Premises and SaaS
  • Incident Management

This comprehensive approach enables data protection policies to follow the data throughout the managed environment, ensuring that enterprise data is protected at rest, in transit, and in use. Within the platform, user trust is evaluated conditionally based on policy at each enforcement point, and any change to a user’s group through the Zero Trust architecture automatically modifies policies within the data protection platform.

What Next?

Data protection has long been a challenge for every enterprise. Successful implementation of data protection technologies requires a programmatic effort that includes data owners to accurately and successfully identify and build protections around sensitive information. If not implemented properly, data protection opens the door to user disruptions that many organizations have very little tolerance for. That’s why so many organizations focus their efforts on improving perimeter and access protections. Adversaries know this, which is why compromising user credentials or the supply chain to gain access remains a highly leveraged entry point for threat actors, because perimeter and access control protections fail to guard against people already inside the network with appropriate access. As enterprises plan for Zero Trust architectures, data protection has to take center stage.

By mandating that agencies quantify the type and sensitivity of their unclassified data, the EO appears to be steering Executive Branch agencies down the path of data centricity. The Executive Order focuses on improving the adoption of encryption best practices around data and implementing multifactor authentication in an effort to protect access to sensitive data from malicious outsiders. It falls short, however, of encouraging broad adoption of data loss prevention architectures to protect against accidental and malicious data leakage.

CISA has an opportunity to prioritize data as an enterprise’s central resource in their upcoming cloud-security strategy, which will drive agency adoption of Zero Trust Architecture. They should take this opportunity to emphasize the importance of designing a comprehensive data protection platform to serve as both a trust identifier and a mechanism of protection.

The post Data Centric Zero Trust for Federal Government Cybersecurity appeared first on McAfee Blogs.

]]>
Critical RDP Vulnerabilities Continue to Proliferate https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/critical-rdp-vulnerabilities-continue-to-proliferate/ Tue, 10 Aug 2021 18:12:23 +0000 /blogs/?p=125849

This month’s Patch Tuesday brings us a relatively small number of CVEs being patched, but an abnormally high percentage of...

The post Critical RDP Vulnerabilities Continue to Proliferate appeared first on McAfee Blogs.

]]>

This month’s Patch Tuesday brings us a relatively small number of CVEs being patched, but an abnormally high percentage of noteworthy critical vulnerabilities.

Vulnerability Analysis: CVE-2021-34535

One such vulnerability is identified as CVE-2021-34535, which is a remote code execution flaw in the Remote Desktop client software, observed in mstscax.dll, which is used by Microsoft’s built-in RDP client (mstsc.exe). The vulnerability is very closely related to a bug released in July of 2020, CVE-2020-1374, which also came through Microsoft’s Patch Tuesday process and had highly similar characteristics. The vulnerability is an integer overflow due to an attacker-controllable payload size field, which ultimately leads to a heap buffer overflow during memory allocation. The vulnerability can be triggered via the RDP Video Redirection Virtual Channel Extension feature [MS-RDPEV], which is typically deployed on port 3389, and is contained inside of compressed UDP payload and encrypted RDP using TLS.

But does this flaw, despite its impressive 9.9 CVSS score, rise to the level of past RDP vulnerabilities, including the infamous BlueKeep (CVE-2019-0708)? Not so fast – there are a few additional factors to take into consideration.

Attack Scenario

First and foremost, this is a client-side vulnerability, meaning there is no real ability for self-propagation, or “wormability” from an Internet perspective. The most likely attack scenario would be to convince a user to authenticate to a malicious RDP server, where the server could trigger the bug on the client side. During reproduction of the issue, we were able to easily trigger the crash and observe a later memcpy using the controlled overflow, which should facilitate exploitation. We think it is likely that exploits will be developed for this vulnerability but the availability of a patch prior to any known public exploitation helps to mitigate risks for organizations and individuals.

Secondly, thanks to the widespread proliferation and reach of BlueKeep and other related RDP vulnerabilities, a significant portion of RDP clients and servers have been disabled or moved from the network perimeter. This is less important given the client-side nature of the bug but does help with the overall attack surface.

In addition to Microsoft’s built-in RDP client (mstsc.exe), which is the more common Remote Desktop network connection, we have also confirmed that some lesser- known RDP vectors are affected by this vulnerability. Microsoft Hyper-V Manager “Enhanced Session Mode” and Microsoft Defender’s Application Guard (WDAG) both use RDP to screen share and present the secured browser respectively. This gives the end user a remote view of their isolated instance in the context of the host system. Rather than reimplementing the RDP session sharing capability, Microsoft ported the existing RDP client code base into Hyper-V and WDAG. Since the RDP client code is self-contained in mstscax.dll (an ActiveX COM object) it can simply be loaded into the Hyper-V (vmconnect.exe) and WDAG (hvsirdpclient.exe) processes to avail of the RDP client functionality. There does not appear to have been any attack surface reduction on this code base as the same DLL is loaded within all three processes mstsc.exe, vmconnect.exe and hvsirdpclient.exe. The impacted components are:

  • Microsoft’s built-in RDP client mstsc.exe uses the vulnerable mstscax.dll when a client remotely connects to an RDP server over the network. We have confirmed mstsc.exe crashes and the vulnerability can be triggered then the client has authenticated to an RDP server.

Mitigation: Patch

  • Microsoft’s Hyper-V Manager software also uses mstscax.dll where the vulnerable function resides. When using “Enhanced Session Mode” (enabled by default in Hyper-V Manager), the process vmconnect.exe loads mstscax.dll. We have confirmed through testing that triggering the vulnerability from inside a Hyper-V Windows 10 image will crash vmconnect.exe on the host. This means that it is subject to guest-to-host escapes using the vulnerability. (Hyper-V is disabled by Default on Windows 10).

Mitigation: Patch or disable “Enhanced Session Mode”

  • Microsoft Defender’s Application Guard also uses mstscax.dll to present the user with a view of their containerized Edge and IE browser. When a “New Application Guard window” is navigated from Edge it launches the process hvsirdpclient.exe which loads mstscax.dll. We have not confirmed the WDAG process hvsirdpclient.exe crashes but it does use the same code base so we recommend patching if using WDAG (WDAG is disabled by Default on Windows 10).

Looking Forward

The built-in RDP client and Hyper-V/WDAG clients communicate over different transport mediums in the form of TCP/IP and VMBus but they both use the same RDP client protocol implementation. Given that the flaw is contained within mstscax.dll, and is self-contained, the vulnerability was ported to these two implementations along with the rest of the code base.

While the urgency for patching remains somewhat lower than past critical vulnerabilities, threat actors will look to weaponize any of these low-hanging fruit that leverage common network protocols. Patching should be a top priority, and furthermore, a comprehensive and ongoing review of internet-facing and internal networked RDP clients and servers would be highly recommended. Eliminating or reducing the attack surface is one of the best counter attacks to vulnerability exploitation.

Microsoft have published a Knowledge Base article for the issue here with corresponding patch information. In the meantime, we are continuing to monitor this vulnerability closely; if exploitation is observed we may release additional content for customers.

For RDP security best practices please see https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/

 

With thanks to Cedric Cochin, McAfee.

The post Critical RDP Vulnerabilities Continue to Proliferate appeared first on McAfee Blogs.

]]>
Business Results and Better Security with MVISION Cloud for Microsoft Dynamics 365 https://www.mcafee.com/blogs/enterprise/cloud-security/business-results-and-better-security-with-mvision-cloud-for-microsoft-dynamics-365/ Tue, 10 Aug 2021 04:01:05 +0000 /blogs/?p=125399

We are in the midst of digital transformation to the cloud – these cloud services fuel transformative projects for businesses, empowering employees with powerful tools...

The post Business Results and Better Security with MVISION Cloud for Microsoft Dynamics 365 appeared first on McAfee Blogs.

]]>

We are in the midst of digital transformation to the cloud – these cloud services fuel transformative projects for businesses, empowering employees with powerful tools to do their jobs better and more efficiently. This cloud transformation has meant that a large portion of enterprise data now resides and is being accessed outside of the network perimeter and beyond the reach of traditional data security controls.  

MVISION™ Unified Cloud Edge is the SASE security fabric between an organizations’s workforce and their resources that enables fast direct-to-internet access by eliminating the need to route traffic through their data center for security. Data and threat protection are performed at every control point in a single pass to reduce the cost of security and simplify your management.  

Sensitive data uploaded to CRM has also put the service on the radar of IT security teams. Based on the Market share report Microsoft Dynamics 365 is amongst the top CRM vendors  

Data in Dynamics 365 represents anything from proprietary business information to sensitive customer data. The high volume and value of this data have made Dynamics 365 security a top priority for companies embarking on cloud security projects.  

Microsoft provides a host of security features for enterprise customers at the infrastructure and software level, but customers default lack many controls around data and user account security. For example, only 36 percent of cloud customers say they can enforce data loss prevention in the cloud. These are key security controls for organizations using Dynamics 365, especially those who upload regulated data to the service.  

MVISION Cloud for Dynamics 365, part of McAfee’s Unified Cloud Edge offering is a comprehensive solution, which allows enterprises to enforce security controls for data in Dynamics 365. It addresses four areas of Dynamics security: 

  • Visibility: Receive insights into usage analytics, user groups, privileges, and data content, both monitored dynamically and through an on-demand scan. This allows enterprises to evaluate the types of data and users within Dynamics and understand their unique risks.  
  • Compliance: Consistently enforce existing and new policies with cloud DLP for structured and unstructured data. Multitier remediation options and match highlighting allow for a positive user experience and efficient evaluation of policy violations from security teams.  

By applying cloud DLP policy you can find any sensitive info stored in Dynamics entity in near real-time. Configure via UI the entities where you know sensitive content is posted by the user and do near real time DLP. Also, you can integrate your Endpoint DLP engine policy and use the single console of MVISION to leverage the DLP policy defined on Dynamics entities. In addition, before the Auditor finds any sensitive information stored in data at rest, you can run on-demand scans on Dynamics 365 entities/attachments to ensure there is no sensitive data in Dynamics entities. MVISION Cloud Compliance scan applies to entities (structured data) and attachments (unstructured data) in Dynamics. Data privacy can save organizations from massive compliance fines, a negative public image, and loss of customer trust. Dynamics 365 data privacy is just as important as security, MVISION Cloud compliance scan ensures GDPR compliance for data at rest. In all cases whenever out of compliance is found, then raise incidents and takes remedial action for complete visibility. Malware scan to detect malware on any Dynamics 365 attachments if there is Malware. This scan could be Near Real-Time and also could be on data at rest.  

  • Threat Protection: Monitor threats from a Dynamics 365 security operations center (SOC) based on insights from user behavior analytics. Machine learning algorithms identify account compromises, insider threats, high-risk privileged users, and more. Mapping to the MITRE framework gives visibility and insights into whether Microsoft Dynamics services are used w.r.t tools and techniques for data compromise and exfiltration. 
  • Data Security: Enforce security controls based on transaction context including the user, device, and data. Block high-risk downloads in real-time.

MVISION Cloud for Dynamics 365 can act as an additional control point between enterprise users and the cloud to provide enhanced analytics into cloud usage, detect threats from insiders, compromised accounts, and privileged users, enforce compliance policies with DLP, and contextual access controls. Additionally, detecting intentional or inadvertent threats from employees or third parties, enforcing granular access controls based on parameters such as role, device, data, and location, and enforcing DLP policies. 

Finally, the MVISION platform provides benefits that a single-point solution for one cloud service cannot satisfy. A single point for cloud control removes gaps in policy enforcement. Visibility into all cloud traffic allows MVISION to correlate activity occurring across multiple cloud services, identifying high-risk users and cloud-to-cloud threats. And MVISION offers integrations with on-premises security tools to extend existing security policies to the cloud and feed cloud threats into SIEM solutions. Consolidating all cloud security data in one tool is the best way to capture a holistic view of cloud risk, in a snapshot and as it changes over time. 

Moving to the cloud does not have to be a trade-off between business results and security. Improved security in the cloud is a reality for companies that have embraced a cloud-native security approach. Using MVISION Cloud for Dynamics 365 can make data safer than ever before while empowering business teams to become more efficient and dynamic.  

For more information or to test out MVISION Cloud for Dynamics please visit us at:  https://www.mcafee.com/enterprise/en-us/solutions/mvision/marketplace.html 

The post Business Results and Better Security with MVISION Cloud for Microsoft Dynamics 365 appeared first on McAfee Blogs.

]]>
White House Executive Order – Improving Detection of Cybersecurity Vulnerabilities https://www.mcafee.com/blogs/enterprise/white-house-executive-order-improving-detection-of-cybersecurity-vulnerabilities/ Fri, 06 Aug 2021 15:54:42 +0000 /blogs/?p=125705

This is the third in a series of blogs on the Cybersecurity EO, and I encourage you to read those...

The post White House Executive Order – Improving Detection of Cybersecurity Vulnerabilities appeared first on McAfee Blogs.

]]>

This is the third in a series of blogs on the Cybersecurity EO, and I encourage you to read those you may have missed. (Part 1, Part 2).

Between the initial publication of the Executive Order (EO) for Improving the Nation’s Cybersecurity on May 12 and late July, a flurry of activity by departments and agencies continues to occur on how best to understand and address potential security gaps. Once identified, these analyses will facilitate plans to fulfill the requirements and further augment agencies’ existing preventative measures to improve their cybersecurity posture. Due to numerous far-reaching cybersecurity breaches that have occurred throughout the past year, one of the primary areas of emphasis in the Executive Order is enhancing the Federal Government’s ability to be more proactive in detecting vulnerabilities and preventing cybersecurity incidents throughout an agency’s network. By introducing an Endpoint Detection and Response (EDR) solution into an enterprise environment, the Government will be able to empower agency SOC teams to engage in active cyber hunting, containment, remediation, and incident response activities more universally.

How Does McAfee’s MVISION EDR Improve an Agency’s Security Posture?

The potential loss and impact of a cyberattack is no longer constrained to a single silo within an agency’s network or a small subset of devices. It can quickly escalate and impact the mission of an agency in seconds. That is why the Executive Order states it is crucial a government-wide initiative is undertaken to begin to get ahead of malicious actors by developing a comprehensive security strategy to prevent attacks before they happen.

Many cyberthreats use multiple attack mechanisms, requiring a different approach to keep our enterprises secure from malicious actors. Endpoint protection platforms still play a critical role in defending agency assets, but they are only one component of a multilayered approach to a robust cybersecurity strategy. Fortunately, McAfee Enterprise’s endpoint protection platform offers a threat detection capability that allows incorporating a next-generation solution (EDR) to track down potential threats if they break through the first layer of countermeasures.

By incorporating endpoint detection and response (EDR), organizations have granular control and visibility into their endpoints to detect suspicious activity. As a cloud service, EDR can incorporate new features and services in much more agile fashion than other solutions. MVISION EDR can discover and block threats in the pre-execution stage, investigate threats through analytics, and help provide an incident response plan. Additionally, by leveraging AI and machine learning to automate the steps in an investigative process, more experienced threat hunters can focus on in-depth analysis of sophisticated attacks, and other members of the SOC team can discover key findings to triage potential threats much faster and with less experience. These new capabilities can learn an agency’s baseline behaviors and use this information, along with a variety of other threat intelligence sources, to interpret findings.

Is Endpoint Detection and Response (EDR) Enough?

As the attack surface continues to evolve, a far more holistic approach to detection is needed. Although EDR is crucial to surfacing anomalous threats and malicious behavior for workstations, servers, and cloud workloads, their area of influence is confined to the telemetry provided by the endpoint. Realizing EDR is network blind and SIEM is endpoint blind, we integrated McAfee Enterprise EDR and SIEM technologies to enrich investigations. Still, more telemetry sources are needed to reveal all potential threat vectors an enterprise may encounter. This is where Extended Detection and Response (XDR) comes in, supporting agencies in a journey beyond the endpoint and allowing them to close even more gaps. 

Why Should Agencies Be Focusing on an Extended Detection and Response (XDR) Strategy?

XDR isn’t a single product or solution but rather a journey, as it refers to compiling multiple security products and technologies that comprise a unified platform. An XDR approach will shift processes and likely merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.

SIEMs are largely data-driven, meaning they need data definitions, custom parsing rules and pre-built content packs to retrospectively provide context based on the data they have ingested. In contrast, XDR is hypothesis driven, harnessing the power of machine learning and artificial intelligence engines to analyze high-fidelity threat data from a multitude of sources across the environment to support specific lines of investigation mapped to the MITRE ATT&CK framework.

Technically speaking, an XDR is a converged platform leveraging a common taxonomy and unifying language. An effective XDR must bring together numerous heterogeneous signals and return a homogenous visual and analytical representation. XDR must clearly show the potential security correlations that the SOC should focus on. Such a solution would de-duplicate information on one hand, but would emphasize the truly high-risk attacks, while filtering out the mountains of noise. The desired outcome would not require excessive amounts of repetitive manual work. Instead, it would allow SOC teams to focus on leading investigations and mitigating attacks. XDR’s presentation of data would be aware of context and content, be advanced technologically, yet be simple enough for analysts to understand and act upon.

As many organizations begin to adopt EDR solutions with the capability to embrace XDR, they also must consider how these solutions enable them to migrate toward a Zero Trust architecture. The wealth of information that will be available in a platform capable of distilling threat telemetry not only from endpoints, the networks they are accessing, and the cloud services they consume will create real advantages. It will greatly improve the granularity, flexibility, and accuracy of the policy engines granting access to enterprise resources and using that degree of trust to determine how much access is granted within the application.

The ideal solution must provide enhanced detection and response capabilities across endpoints, networks, and cloud infrastructures. It needs to prioritize and predict threats that matter before the attack and prescribe necessary countermeasures allowing the organization to proactively harden their environment. The ideal solution also must incorporate Zero Trust, and it should be built on an open security ecosystem.

McAfee Enterprise recognized early on that a multi-vendor security ecosystem is a key requirement to building a defense in depth security practice. One of the key building blocks was the Data Exchange Layer (DXL), which was subsequently made available as an open-source project (OpenDXL) for the community to further develop innovative use cases. This enabled our diverse ecosystem of partners from threat intelligence platforms to orchestration tools to use a common transport mechanism and information exchange protocol, thereby encouraging participating vendors to not only communicate vital threat details but also inform them of actions that all connected security solutions should take.

When you combine XDR and an open security ecosystem for XDR capabilities, agencies will have a solid foundation to advance their visibility and detection capabilities across their entire cyber infrastructure.

The post White House Executive Order – Improving Detection of Cybersecurity Vulnerabilities appeared first on McAfee Blogs.

]]>
Evolve With XDR – The Modern Approach to SecOps https://www.mcafee.com/blogs/enterprise/evolve-with-xdr-the-modern-approach-to-secops/ Thu, 05 Aug 2021 15:00:15 +0000 /blogs/?p=125726

If you are part of an organization aspiring to evolve and modernize your SecOps practice with greater efficiencies with XDR,...

The post Evolve With XDR – The Modern Approach to SecOps appeared first on McAfee Blogs.

]]>

If you are part of an organization aspiring to evolve and modernize your SecOps practice with greater efficiencies with XDR, this read is for you.

So, what’s all the continuous hype about XDR? Is it for you and what does it mean to your organization? If you haven’t already, I invite you to read our XDR—Please Explain and Unravel to XDR Noise blogs for added context. From here we can begin to ask, what are XDRs and what are they not? What happens once you acquire components that add the “X-factor” to your threat detection and response (TDR) practice? And how can SOC teams use it for investigation, prioritization, remediation and hunting?

I’ll cover the basics in this blog and hopefully by the end I’ve piqued your interest enough to watch our on-demand webinar where we will cover these aspects in detail.

For security practitioners, there’s one question that is top of mind—am I protected against the latest threats? But let’s face it, threats are evolving, adversaries are evolving too and a shortage of talent make it near impossible to keep up with alerts.

In fact, according to the latest XDR research by ESG, The Impact of XDR in the Modern SOC March 2021 [1], the top challenges related to TDR for respondents were:

  1. 31% spend time addressing high priority/emergency threats and not enough time on more comprehensive strategy and process improvement for TDR
  2. Another 29% have “blind spots” on the network due to inability to deploy agents
  3. 23% find it difficult to correlate and combine data from different security controls, which impacts TDR efficiency/efficacy

Advanced threats are now commonplace, challenging most security professionals to detect and respond before damage is done, we know that these attacks leverage multiple attack vectors to gain a foothold and execute. XDR solutions bring together security telemetry across multiple controls, correlating and stitching together complex attacks so analyst can quickly assess and investigate. XDR is seen as having the potential to modernize the SOC with enriched and aggregated security analytics capabilities to accelerate the investigation to a resolution.

What’s more, McAfee Enterprise is here to help you evolve your SecOps practice into the next era of security analytics, threat detection and response. McAfee’s MVISION XDR tools provide visibility across multiple control points to not only detect threats but to help organizations improve their security posture. In addition, MVISION Insights provides relevant threat intel to help customers proactively prevent threats on multiple control points like endpoint.

We invite view our on-demand webinar with Mo Cashman, Enterprise Architect at McAfee Enterprise, and Dave Gruber, Senior Analyst at ESG, as they cover what XDRs are and aren’t, the keys to SOC modernization for XDR with a focus on the SOAPA approach to security, and how McAfee’s MVISION XDR lays out the flexible groundwork for organizations aspiring to evolve with XDR. Here is the link to watch. 

Whether you are building a SOC function with limited resources or maturing a well-established SOC, McAfee Enterprise is here to help you simplify and strengthen your security operations with MVISION XDR. With MVISION XDR, you can proactively identify, investigate and mitigate threat actors targeting your organization before they can gain a foothold in the network. By combining the latest machine-learning techniques with human analysis, XDR connects and amplifies the early warning signals from your sensors at the network, endpoint, and cloud to improve situational awareness, drive better and faster decisions, and elevate your SOC. [2]

 

1 – ESG Research Report: The Impact of XDR in the Modern SOC by Jon Oltsik

2 – Cyber Cyber, Burning Bright: Can XDR Frame Thy Fearful Asymmetry?

 

The post Evolve With XDR – The Modern Approach to SecOps appeared first on McAfee Blogs.

]]>
McAfee NSP Provides Superior Security and Performance https://www.mcafee.com/blogs/enterprise/mcafee-nsp-provides-superior-security-and-performance/ Wed, 04 Aug 2021 20:28:37 +0000 /blogs/?p=125711

McAfee Enterprise is pleased to announce that the Network Security Platform (NSP), our industry leading next-gen Intrusion Prevention System (IPS)...

The post McAfee NSP Provides Superior Security and Performance appeared first on McAfee Blogs.

]]>

McAfee Enterprise is pleased to announce that the Network Security Platform (NSP), our industry leading next-gen Intrusion Prevention System (IPS) solution, has been awarded Miercom Certified Secure for superior security and performance.

About Miercom

Miercom has been reviewing network products for over 30 years, forming standardized test programs that have grown into a worldwide evaluation service for the latest technology.  Miercom has published hundreds of network product analyses in leading trade periodicals and other publications, thus gaining the reputation of being a leading, independent product test center.

About the Testing

The NSP Next Generation Intrusion Prevention System (NGIPS) solution was independently assessed by Miercom engineers for security, performance, and hands-on use to provide unbiased verification of McAfee Enterprise’s unique qualities.  The NGIPS solution was deployed in a real-world environment and subject to performance tests, multiple iterations of attacks from Miercom’s proprietary malware suite, and exploits from Ixia BreakingPoint and other test tools.

Figure 1. Test Bed Diagram

Figure 2. Test Tools

 

Results

NSP demonstrated security effectiveness in the attack lifecycle detection and protection through its efficient signature engine along with multiple advanced signature-less detection technologies, including file analysis, protocol behavior analysis, and network behavior analysis. The results not only showed NSP continued to hold the highest standard in exploit prevention capability, but also proved its advantage in zero-day malware and malicious URL protection compared to other IPS solutions in the market.

“Based on our findings, the McAfee Network Security Platform with NS9500 sensors demonstrates competitively superior security and performance.  The McAfee solution was stressed under real-world known and not yet discovered exploits and heavily loaded conditions and passed these tests with ease.  McAfee Network Security Platform has rightfully earned the distinction as Miercom Certified Secure.” – Rob Smithers, CEO, Miercom 

Key Findings

  • Prevented 98.7% of malware from Miercom’s Enterprise Critical Protect Malware Set consisting of compound threats, zero-day threats and ransomware (outperforming the industry average by 25%)
  • Detected 97.8% malicious URLs over HTTP with recommended default configuration (outperforming the competitive industry average by 44%)
  • Detected 100% of malicious URLs over HTTP with optimized settings (outperforming the competitive industry average by 47%)
  • Proved effective URL filtering by detecting 100% of blacklisted URLs
  • Prevented 100% of evasive malicious traffic and exploits mounted with mutated traffic

About McAfee NSP

McAfee Enterprise’s new appliance offerings, NS9500 and NS7500, are scalable hardware platforms that provide investment protection. They offer multiple throughput options with the inspection throughput being controlled by a software license. This provides customers the flexibility to only buy capacity that is needed, and easily scale inspection throughput as needs increase via a software upgrade license and/or by stacking appliances. The appliances are purpose-built for line speed DPI (Deep Packet Inspection) and its efficient architecture preserves performance regardless of security settings unlike other IPS offerings in the market.

To download a copy of the report, please visit McAfee.com/nsp-Miercom

To learn more about McAfee NSP, please visit McAfee.com/nsp

To learn more about Miercom, please visit https://Miercom.com

 

 

 

The post McAfee NSP Provides Superior Security and Performance appeared first on McAfee Blogs.

]]>
New Company, Same Commitment: Channel First https://www.mcafee.com/blogs/enterprise/new-company-same-commitment-channel-first/ Wed, 04 Aug 2021 15:30:17 +0000 /blogs/?p=125573

In the last week there has been change, but a lot remains the same, too. First, we are now McAfee...

The post New Company, Same Commitment: Channel First appeared first on McAfee Blogs.

]]>

In the last week there has been change, but a lot remains the same, too. First, we are now McAfee Enterprise, a pure-play enterprise cybersecurity company under the new ownership of Symphony Technology Group (STG). It’s an exciting change and true focus for our company, allowing us to concentrate on enterprise and commercial business needs. Our partners are an important part of our journey, and together we are excited to continue to win and drive success.

As we start this chapter as a pure-play enterprise security company, my focus is on adding value for our partners at all levels, ensuring our joint customers understand the power of our technology portfolio, and driving profitability and growth through better cybersecurity outcomes for our customers.

Our strategy continues to be Channel First, and we have worked to create continuity in all that we do for our channel partners and customers through the transition. That means our operations as a company will remain very much the same, so there will be no new systems or tools to learn, and our partners will continue to receive the same program benefits. At the same time, we will continue to evaluate and enhance program benefits, enablement and sales engagement.

We look forward to embarking on this journey with our partners as McAfee Enterprise. Our vision cannot be achieved without our partners’ trust and confidence in us.

 

The post New Company, Same Commitment: Channel First appeared first on McAfee Blogs.

]]>
See Ya Sharp: A Loader’s Tale https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/see-ya-sharp-a-loaders-tale/ Wed, 04 Aug 2021 14:00:16 +0000 /blogs/?p=125348

Introduction The DotNet based CyaX-Sharp loader, also known as ReZer0, is known to spread commodity malware, such as AgentTesla. In...

The post See Ya Sharp: A Loader’s Tale appeared first on McAfee Blogs.

]]>

Introduction

The DotNet based CyaX-Sharp loader, also known as ReZer0, is known to spread commodity malware, such as AgentTesla. In recent years, this loader has been referenced numerous times, as it was used in campaigns across the globe. The tale of CyaX-Sharp is interesting, as the takeaways provide insight into the way actors prefer to use the loader. Additionally, it shines a light onto a spot that is not often illuminated: the inner workings of loaders.

This blog is split up into several segments, starting with a brief preface regarding the coverage of loaders in reports. After that, the origin of the loader’s name is explored. Next, the loader’s capabilities are discussed, as well as the automatic extraction of the embedded payload from the loader. Lastly, the bulk analysis of 513 unique loader samples is discussed.

Loaders and their Coverage in Blogs

To conceal the malware, actors often use a loader. The purpose of a loader is, as its name implies, to load and launch its payload, thereby starting the next stage in the process. There can be multiple loaders that are executed sequentially, much like a Russian Matryoshka doll in which the smallest doll, which is hidden inside numerous others, is the final payload. The “smallest doll” generally contains the malware’s main capabilities, such as stealing credentials, encrypting files, or providing remote access to the actor.

While there is a lot of research into the actions of the final payload, the earlier stages are just as interesting and relevant. Even though the earlier stages do not contain the capabilities of the malware that is eventually loaded, they provide insight as to what steps are taken to conceal the malware. Blogs generally mention the capabilities of a loader briefly, if at all. The downside here lies in the potential detection rules that others can create with the blog, as the focus is on the final step in the process, whereas the detection should start as soon as possible.

Per best security practices, organizations should protect themselves at every step along the way, rather than only focusing on the outside perimeter. These threat models are often referred to as the, respectively, onion and egg model. The egg’s hard shell is tough to break, but once inside, an attacker has free roam. The onion model opposes the attacker every step of the way, due to its layered approach. Knowing the behavior of the final payload is helpful to detect and block malware although, ideally, the malware would be detected as early on as possible.

This blog focuses on one specific loader family, but the takeaways are valid in a broader sense. The preferred configurations of the actors are useful to understand how loaders can be used in a variety of attacks.

Confusing Family Names

A recent blog by G Data’s Karsten Hahn provides a more in-depth look into malware families ambiguous naming schemes. This loader’s name is also ambiguous, as it is known by several names. Samples are often named based on distinctive characteristics in them. The name CyaX-Sharp is based upon the recurring string in samples. This is, however, exactly why it was also named ReZer0.

When looking at the most used names within the 513 obtained samples, 92 use CyaX-Sharp, whereas 215 use ReZer0. This would make it likely that the loader would be dubbed ReZer0, rather than CyaX-Sharp. However, when looking at the sample names over time, as can be seen in the graph below, the reason why CyaX-Sharp was chosen becomes apparent: the name ReZer0 was only introduced 8 months after the first CyaX-Sharp sample was discovered. Based on this, McAfee refers to this loader as CyaX-Sharp.

Within the settings, one will find V2 or V4. This is not a reference of the loader’s version, but rather the targeted DotNet Framework version. Within the sample set, 62% of the samples are compiled to run on V4, leaving 38% to run on V2.

The Loader’s Capabilities

Each version of the loader contains all core capabilities, which may or may not be executed during runtime, based on the loader’s configuration. The raw configurations are stored in a string, using two pipes as the delimiting value. The string is then converted into a string array using said delimiter. Based on the values at specific indices, certain capabilities are enabled. The screenshots below show, respectively, the raw configuration value, and some of the used indices in a sample (SHA-256: a15be1bd758d3cb61928ced6cdb1b9fa39643d2db272909037d5426748f3e7a4).

The loader can delay its execution by sleeping for a certain number of seconds, use a mutex to ensure it is not already running, display a message box with a custom message, persist itself as a scheduled task, and/or execute a given payload in several ways. The payload can be downloaded from an external location, after which it is started. Alternatively, or additionally, the embedded payload within the loader can be launched. This can be done directly from the loader’s memory with the help of reflective calls, or by hollowing a newly created process. The flowchart below visualizes the process. Note that the dotted line means the linked step can be skipped, depending on the loader’s configuration.

Process Hollowing

The newly created process is one of the following: MSBuild.exe, vbc.exe, RegSvcs.exe, or a new instance of the loader. The process hollowing code segment seems to be taken from NYAN-x-CAT’s GitHub, as the for-loop to start the process hollowing method is present in both the loader and the linked repository. The way an error is handled is not a standardized method, making the link between the publicly available code very likely. The first image below shows the original code from the repository, whereas the second image shows the code from the loader (SHA-256: a15be1bd758d3cb61928ced6cdb1b9fa39643d2db272909037d5426748f3e7a4)

The loop calls the process hollowing function several times to more easily handle exceptions. In the case of an exception during the process hollowing, the targeted process is killed and the function returns. To try several times, a loop is used.

Changes Over Time

Even though the loader has changed over time, it maintained the same core structure. Later versions introduced minor changes to existing features. Below, different loader versions will be described, where the length of the string array that contains the loader’s configuration is used to identify different versions. The graph shows the rise and fall for each of the versions.

There are two notable differences in versions where the config array’s size is larger than 29. Some specific samples have slightly different code when compared with others, but I did not consider these differences sizable enough to warrant a new version.

Firstly, the ability to enable or disable the delayed execution of a sample. If enabled, the execution is delayed by sleeping for a predefined number of seconds. In config_29, the delay functionality is always enabled. The duration of the delay is based on the System.Random object, which is instantiated using the default seed. The given lower and upper limits are 45,000 and 60,000, resulting in a value between these limits, which equals in the number of milliseconds the execution should be delayed.

Secondly, the feature to display a custom message in a prompt has been added. The config file contains the message box’ title, text, button style, and icon style. Prompts can be used to display a fake error message to the victim, which will appear to be legitimate e.g.  43d334c125968f73b71f3e9f15f96911a94e590c80955e0612a297c4a792ca07, which uses “You do not have the proper software to view this document” as its message.

Payload and Configuration Extraction

To automatically extract the payload and configuration of a given loader, one can recreate the decryption mechanism in a language of choice, get the encrypted data from the loader, and decrypt it. The downside here is the need for an exact copy of the decryption mechanism. If the key were to change, or a slightly different algorithm were to be used, the copy would also need to reflect those changes. To avoid dealing with the decryption method, a different approach can be taken.

This loader mistakenly uses static variables to store the decrypted payload and configuration in. In short, these variables are initialized prior to the execution of the main function of the loader. As such, it is possible to reflectively obtain the value of the two variables in question. A detailed how-to guide can be found on my personal website. The data that was extracted from the 513 samples in the set is discussed in the next section.

Bulk Analysis Results

The complete set consists of 513 samples, all of which were found using a single Yara rule. The rule focuses on the embedded resource which is used to persist the loader as a scheduled task on the victim’s system. In some cases, the Yara rule will not match a sample, as the embedded resource is obfuscated using ConfuserEx (one example being SHA-256 0427ebb4d26dfc456351aab28040a244c883077145b7b529b93621636663a812). To deobfuscate, one can use ViRb3’s de4dot-cex fork of de4dot. The Yara rule will match with the deobfuscated binary. The graph below shows the number of unique samples over time.

The dates are based on VirusTotal’s first seen date. Granted, this date does not need to represent the day the malware was first distributed. However, when talking about commodity malware that is distributed in bulk, the date is reliable enough.

The sample set that was used is smaller than the total amount of loaders that have been used in the wild. This loader is often not the first stage, but rather an in-memory stage launched by another loader. Practically, the sample set is sizable enough for this research, but it should be noted that there are more unique loader samples in the wild for the given date range than are used in this report.

It is useful to know what the capabilities of a single sample are, but the main area of interest of this research is based upon the analysis of all samples in the set. Several features will be discussed, along with thoughts on them. In this section, all percentages refer to the total of 513 unless otherwise specified.

Widespread Usage

The loader’s usage is widespread, without a direct correlation towards a specific group or geographical region. Even though some reports mention a specific actor using or creating this loader, the fact that at least one builder has leaked makes attribution to one or more actors difficult. Coupled with the wide variety of targeted industries, as well as the broad geographic targeted areas, it looks like several actors utilise this loader. The goal of this research is not to dig into the actors who utilise this loader, but rather to look at the sample set in general. Appendix A provides a non-exhaustive list of public articles that (at least) mention this loader, in descending chronological order.

Execution Methods

The two options to launch a payload, either reflectively or via process hollowing, are widely apart in usage: 90% of all loaders uses process hollowing, whereas only 10% of the samples are launched via reflection. Older versions of the loader sometimes used to reflectively load a decrypted stager from the loader’s resources, which would then launch the loader’s payload via process hollowing. The metrics below do not reflect this, meaning the actual percentage of direct launches might be slightly lower than is currently stated. The details can be viewed in the graph below.

Note that the reflective loading mechanism will default to the process hollowing of a new instance of the loader if any exception is thrown. Only DotNet based files can be loaded reflectively, meaning that other files that are executed this way will be loaded using a hollowed instance of the loader.

Persistence and Mutexes

The persistence method, which uses a scheduled task to start the loader once the computer boots, is used by 54% of the loaders. This does not mean that the other 46% of the samples are not persisted on the victim’s machine, as a different stage could provide persistence as well. Notable is the date within the scheduled task, which equals 2014-10-25T14:27:44.8929027. This date is, at the time of writing, nearly 2500 days ago. If any of the systems in an organization encounter a scheduled task with this exact date, it is wise to verify its origin, as well as the executable that it points to.

A third of all loaders are configured to avoid running when an instance is already active using a mutex. Similar to the persistence mechanism, a mutex could be present in a different stage, though this is not necessarily the case. The observed mutexes seem to consist of only unaccented alphabetical letters, or [a-zA-Z]+ when written as a regular expression.

Delayed Execution

Delayed execution is used by nearly 37% of the samples, roughly half of which are config_29, meaning this setting was not configurable when creating the sample. The samples where the delayed execution was configurable, equal nearly 19% of the total. On average, a 4 second delay is used. The highest observed delay is 600 seconds. The graph below shows the duration of the delay, and the frequency.

Note that one loader was configured to have a delay of 0 seconds, essentially not delaying the execution. In most cases, the delayed time is a value that can be divided by five, which is often seen as a round number by humans.

Environmental Awareness

Prior to launching the payload, the loader can perform several checks. A virtual environment can be detected, as well as a sandbox. Roughly 10% of the samples check for the presence of a virtual machine, whereas roughly 11% check if it is executed in a sandbox. Roughly 8% of the 513 samples check for the presence of both, prior to continuing their execution. In other words, 88% of the samples that try to detect a virtual machine, also attempted to detect a sandbox. Vice versa, 74% of the samples that attempted to detect the sandbox, attempted to detect if they were executed on a virtual machine.

The option to disable Windows Defender was mainly present in the earlier samples, which is why only 15% of the set attempts to disable it.

Payload Families

The loader’s final goal is to execute the next stage on the victim’s machine. Knowing what kind of malware families are often dropped can help to find the biggest pain points in your organization’s additional defensive measures. The chart below provides insight into the families that were observed the most. The segment named other contains all samples that would otherwise clutter the overview due to the few occurrences per family, such as the RedLine stealer, Azorult, or the lesser known MrFireMan keylogger.

The percentages in the graph are based on 447 total payloads, as 66 payloads were duplicates. In other words, 66 of the unique loaders dropped a non-unique payload. Of all families, AgentTesla is the most notable, both in terms of frequency and in terms of duplicate count. Of the 66 duplicates, 48 were related to AgentTesla.

Barely Utilized Capabilities

Two functions of the loader that are barely used are the message box and the download of a remote payload. The usage of both is, respectively, 1.3% and 0.8%. All of the remote payloads also contained an embedded payload, although one of the four remotely fetching loaders does not contain a URL to download the remote payload from. The external file can be used as an additional module for a next stage, a separate malicious payload, or it can be used to disable certain defense mechanisms on the victim’s device.

Conclusion

Companies using the aforementioned onion security model benefit greatly from the dissection of such a loader, as their internal detection rules can be improved with the provided details. This stops the malware’s execution in its tracks, as is shown in the sequential diagram of McAfee’s detection below.

The techniques that this loader uses are commonly abused, meaning that the detection of a technique such as process hollowing will also prevent the successful execution of numerous other malware families. McAfee’s Endpoint Security (ENS) and Endpoint Detection & Response (EDR) detect the CyaX-Sharp loader every step of the way, including the common techniques it uses. As such, customers are protected against a multitude of families based on a program’s heuristics.

Appendix A – Mentions of CyaX-Sharp and ReZer0

Below, a non-exhaustive chronologically descending list of relevant articles is given. Some articles contain information on the targeted industries and/or target geographical area.

  • On the 12th of January 2021, ESET mentioned the loader in its Operation Spalax blog
  • On the 7th of December 2020, ProofPoint wrote about the decryption mechanisms of several known .NET based packers
  • On the 5th of November 2020, Morphisec mentioned a packer that looks a lot like this loader
  • On the 6th of October 2020, G Data mentioned the packer (or a modified version)
  • On the 29th of September 2020, ZScaler mentioned the packer
  • On the 17th of September 2020, I wrote about the automatic payload and config extraction of the loader
  • On the 16th of September 2020, the Taiwanese CERT mentioned the loader in a digital COVID-19 threat case study
  • On the 23rd of July 2020, ClamAV mentioned the loader in a blog
  • On the 14th of May 2020, Security firm 360TotalSecurity links the loader to the threat actor Vendetta
  • On the 21st of April 2020, Fortinet provided insight into the loader’s inner workings
  • On the 1st of March 2020, RVSEC0N mentioned the loader
  • On the 4th of December 2019, Trend Micro provided a backstory to CyaX-Sharp
  • On the 22nd of March 2019, 360TotalSecurity gave insight into some of the loader’s features

Appendix B – Hashes

The hashes that are mentioned in this blog are listed below, in order of occurrence. The SHA-1 and SSDeep hashes are also included. A full list of hashes for all 513 samples and their payloads can be found here.

Sample 1

SHA-256: a15be1bd758d3cb61928ced6cdb1b9fa39643d2db272909037d5426748f3e7a4

SHA-1: 14b1a50c94c2751901f0584ec9953277c91c8fff

SSDeep: 12288:sT2BzlxlBrB7d1THL1KEZ0M4p+b6m0yn1MX8Xs1ax+XdjD3ka:O2zBrB7dlHxv0M4p+b50yn6MXsSovUa

Sample 2

SHA-256: 43d334c125968f73b71f3e9f15f96911a94e590c80955e0612a297c4a792ca07

SHA-1: d6dae3588a2a6ff124f693d9e23393c1c6bcef05

SSDeep: 24576:EyOxMKD09DLjhXKCfJIS7fGVZsjUDoX4h/Xh6EkRlVMd3P4eEL8PrZzgo0AqKx/6:EyycPJvTGVijUDlhfEEIUvEL8PrZx0AQ

Sample 3

SHA-256: 0427ebb4d26dfc456351aab28040a244c883077145b7b529b93621636663a812

SHA-1: 8d0bfb0026505e551a1d9e7409d01f42e7c8bf40

SSDeep: 12288:pOIcEfbJ4Fg9ELYTd24xkODnya1QFHWV5zSVPjgXSGHmI:EEj9E/va

 

The post See Ya Sharp: A Loader’s Tale appeared first on McAfee Blogs.

]]>
Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures https://www.mcafee.com/blogs/enterprise/hyperautomation-and-cybersecurity-a-platform-approach-to-telemetry-architectures/ Tue, 03 Aug 2021 19:46:45 +0000 /blogs/?p=125528

Hyperautomation is a process where artificial intelligence (AI), machine learning (ML), event-driven software, and other tools are used to automate...

The post Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures appeared first on McAfee Blogs.

]]>

Hyperautomation is a process where artificial intelligence (AI), machine learning (ML), event-driven software, and other tools are used to automate as many business and IT processes as possible.  Forecasted by Gartner to reach $596.6 billion by 20221, hyperautomation and the global software market that enables it show no signs of slowing.

The myriad of technologies used by a typical organization often are not integrated and exist as siloed disparate tools.  Hyperautomation aims to reduce this “organizational debt” to improve value and brand.  In the context of cybersecurity, a patchwork of stovepipe solutions not only exposes the environment to risk, but also impacts the cyber defender’s ability to fortify the environment and respond to threats at machine speed.  Our target is “shift-left” security — leveraging intelligence to enhance predictability and encourage proactive responses to cyber threats.

The rise of telemetry architectures, combined with cloud adoption and data as the “new perimeter,” pose new challenges to cybersecurity operations.  Organizations will be forced to contend with increased “security debt” unless we figure out how to optimize, connect, and streamline the solutions.  In some cases, we have technologies available to begin this journey (MVISION Insights, MVISION Extended Detection and Response (XDR), MVISION API).  In others, our customers demand more.  They challenge us to build next-generation platforms to see themselves, see their cyberspace, and understand their cyberspace.  Some cyber defenders need more than traditional cyber threat intelligence telemetry to make critical operational impact decisions.

MVISION Insights and MVISION XDR are great starts.  It all begins with the build-up of an appropriate telemetry architecture, and McAfee Enterprise’s billion-sensor global telemetry is unmatched.  Insights provides an automated means to fortify the environment against emerging threats, weaponizing threat intelligence to take a proactive stance in reducing your attack surface from device to cloud.  Why start engaging at an attack’s point of impact when an organization can begin its own awareness at the same point an attacker would?  MVISION XDR brings together the fragmented security solutions accumulated over the years, sharing information and coordinating actions to deliver an effective, unified response across every threat vector.  Workflows are effortless to orchestrate.  The powerful combination of Insights and XDR provides management and visibility of the complete attack lifecycle.  Open architectures reinforce our belief that we are better together and facilitate a cybersecurity ecosystem consistent with the concepts of hyperautomation enablement.

Figure 1 – Attack Lifecycle

Where can we go from here?  How do we secure tomorrow?  From my perspective, we should expand the definition and scope of cybersecurity.

The answer is to look beyond traditional cyber threat telemetry; external factors (environmental, social media, geolocation, law enforcement, etc.) truly matter and are vital in making business impact decisions.  Complete operational visibility, and the ability to investigate, research, and rationalize what matters most to make accurate, critical judgments, is the missing link.  This is a Cyber Common Operating Picture (COP).  A natural extension of our current initiatives within the industry, a COP answers the growing need to provide an integrated cyber defender’s visualization workbench that manages multiple data telemetry sources (beyond cyber threats) and delivers our customers wisdom – a true understanding – regarding their cyberspace on a local, regional, and global scale.

Telemetry data represents change, and telemetry architectures will require new forms of advanced analytics, AI, and ML to make sense of the vast sea of all-source intelligence flowing in from the environment to enhance observations and take definitive action.  If we can “shift-left” for cyber threats, we can leverage that same predictability to identify and prepare for the impact of peripheral threats.  Open source, custom, and third-party data feeds are widely available and create integration opportunities with emerging markets and capabilities to solve unique challenges typically not associated with our platform:

  • How do we identify network or infrastructure hardware (IoT, OT, Industrial Control System) that is on the brink of failing?
  • Can we identify the exact geolocation from which a current cyber-attack is being launched?
  • Does social media and law enforcement chatter indicate a physical threat could be imminent near our headquarters?
  • How do we fuse/correlate inputs from myriad sources to develop regional situational awareness in all layers of cyberspace?

Non-traditional sensor telemetry, a multitude of feeds, and threat intelligence must be overlayed across the Cyber COP to provide AI-driven predictability modeling for next-gen systems and actionable conclusions.  This is a potential future for how hyperautomation can impact cybersecurity; this is orchestrating beyond standard capabilities and expanding the definition and scope of how our complex environments are secured.  AI engineering strategies will continue to expand and deliver data analytics at machine speeds.

McAfee Enterprise has always been a proponent of a platform approach to cybersecurity, creating interoperability and extending the security investments its customers have made. Loosely coupled security systems introduce gaps, and hyperautomation aims to solve that at a much larger scale.  As we look toward the future, we can collectively build the requirements for the next generation of security solutions and broaden the scope of how we defend against our common adversaries. I am confident that the technologies currently exist to provide the framework(s) of a COP solution for enhanced cyber situational awareness.

 

Source: 1Gartner Press Release: Gartner Forecasts Worldwide Hyperautomation-Enabling Software Market to Reach Nearly $600 Billion by 2022 (April 28, 2021)

 

The post Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures appeared first on McAfee Blogs.

]]>
Data as a Strategic Asset – Securing the New Perimeter in the Public Sector https://www.mcafee.com/blogs/enterprise/data-as-a-strategic-asset-securing-the-new-perimeter-in-the-public-sector/ Tue, 03 Aug 2021 19:38:36 +0000 /blogs/?p=125519

Every organization has data moving to the multi-cloud; digital transformation is occurring rapidly, is here to stay, and is impacting...

The post Data as a Strategic Asset – Securing the New Perimeter in the Public Sector appeared first on McAfee Blogs.

]]>

Every organization has data moving to the multi-cloud; digital transformation is occurring rapidly, is here to stay, and is impacting every major industry.  Organizations are working hard to adopt Zero Trust architectures as their critical information, trade secrets, and business applications are no longer stored in a single datacenter or location. As a result, there is a rapid shift to cloud resources to support dynamic mission requirements, and the new perimeter to defend is data.  At its core, Zero Trust is a data-centric model and is fundamental to what McAfee Enterprise offers.  In the Public Sector, data has now been classified as a strategic asset – often referred to as the “crown jewels” of an organization. Reinforced by the publication of the DoD Zero Trust Reference Architecture, we have arrived at a crossroads where demonstrating a sound data strategy will be a fundamental requirement for any organization.

All DoD data is an enterprise resource, meaning data requires consistent and uniform protections wherever it is created or wherever it traverses. This includes data transmitted across multi-cloud services, through custom mission applications, and on devices.  Becoming a data-centric organization requires that data be treated as the primary asset. It must also be available so that it can be leveraged by other solutions for discovery and analytics purposes.  To achieve this, interoperability and uniform data management are strategic elements that underpin many sections of DoD’s official vision of Zero Trust.

Let us dissect how the DoD plans to create a data advantage and where McAfee Enterprise can support these efforts as we explore the four essential capabilities – Architecture, Standards, Governance, and Talent & Culture:

Figure 1 – DoD Data Strategy Framework

Architecture:

McAfee Enterprise’s open architectural methodology emphasizes the efficiencies that cloud adoption and open frameworks can offer.  The ability to leverage agile development and continuously adapt to dynamic mission requirements – faster than our adversaries – is a strategic advantage.  Data protection and cloud posture, however, must not take a back seat to innovation.

The rapid pace of cloud adoption introduces new risks to the environment; misconfigurations and mistakes happen and are common. Vulnerabilities leave the environment exposed as DevOps tends to leverage open-source tools and capabilities.  Agile development introduces a lot of moving parts as applications are updated and changed at an expedited pace and based on shorter, prescriptive measures. Customers also utilize multiple cloud service providers (CSP) to fit their mission needs, so consistent and uniform data management across all the multi-cloud services is a necessity.  We are at a pivotal inflection point where native, built-in CSP protections have introduced too much complexity, overhead, and inconsistency. Our data security solution is a holistic, open platform that enforces standardized protections and visibility across the multi-cloud.

Together with our partners, we support the architecture requirements for data-centric organizations and take charge as the multi-cloud scales.  Several items – visibility and control over the multi-cloud, device-to-cloud data protection, cloud posture, user behavior and insider threat – play into our strengths while organic partner integrations (e.g., ZTNA) further bolster the Zero Trust narrative and contribute to interoperability requirements.  We are better together and can facilitate an open architecture to meet the demands of the mission.

Standards:

DoD requires proven-at-scale methods for managing, representing, and sharing data of all types, and an open architecture should be used wherever possible to avoid stovepiped solutions and facilitate an interoperable security ecosystem.  Past performance is key, and McAfee Enterprise has a long track record of delivering results, which is crucial as the DoD moves into a hybrid model of management.

Data comes in many forms, and the growth of telemetry architectures requires machines to do more with artificial intelligence and machine learning to make sense of data.  How do we share indicators of compromise (IoCs) so multiple environments – internal and external – can leverage intelligence from other organizations?  How do we share risks in multi-clouds and ensure data is secured in a uniform manner?  How do we weaponize intelligence to shift “left of boom” and eliminate those post-compromise autopsies?  Let’s explore how McAfee Enterprise supports data standards.

Made possible by Data Exchange Layer (DXL) and a strategic partner, the sharing of threat intelligence data has proven successful.  Multiple environments participate in a security-connected ecosystem where an “attack against one is an attack against all” and advanced threats are detected, stopped, and participants are inoculated in near real-time.  This same architecture scales to the hybrid cloud where the workloads in cloud environments can benefit from broad coverage.

Furthermore, DXL was built as open source to foster integrations and deliver cohesive partner solutions to promote interoperability and improve threat-informed intelligence.  All capabilities speak the same language, tip and cue, and provide much greater return on investment. Consider the sharing of cloud-derived threats.  No longer should we be limited to traditional hashes or IoCs. Perhaps we should share risky or malicious cloud services and/or insider threats.  Maybe custom-developed solutions should leverage our MVISION platform via API to take advantage of the rich global telemetry and see what we see.

Our global telemetry is unmatched and can be leveraged to organizations’ advantage to proactively fortify the device-to-cloud environment, effectively shifting security to the “left” of impact. This is all done through the utilization of MVISION Insights.  Automated posture assessments pinpoint where potential gaps in an organization’s countermeasures may exist and provide the means to take proactive action before it is hit.  Through MVISION Insights, cyber operators can learn about active global campaigns, emerging threats, and whether an organization is in the path – or even the target.  Leadership can grasp the all-important risk metric and deliver proof that the security investments are working and operational.  Combined with native MITRE ATT&CK Framework mappings – an industry standard being mapped across our portfolio – this proactive hardening is a way we use threat telemetry to customers’ advantage.

Standardized data protection, end-to-end, across all devices and multi-cloud services is a key tenant of the DoD Data Strategy.  Protecting data wherever it lives or moves, retaining it within set boundaries and making it available to approved users and devices only, and enforcing consistent controls from a single, comprehensive solution spanning the entire environment is the only data security approach.  This is what Unified Cloud Edge (UCE) does. This platform’s converged approach is tailored to support DoD’s digital transformation to the multi-cloud and its journey to a data-centric enterprise.

Governance:

DoD’s data governance element is comprised of the policies, procedures, frameworks, tools, and metrics to ensure data is managed at all levels, from when it is created to where it is stored.  It encompasses increased data oversight at multiple levels and ensures that data will be integrated into future modernization initiatives.  Many organizations tend to be driven by compliance requirements (which typically outweigh security innovation) unless there is an imminent mission need; we now have the compliance requirement.  Customers will need to demonstrate a proper data protection and governance strategy as multi-cloud adoption matures.  What better way to incorporate Zero Trust architectures than by leveraging UCE?  Remember, this is beyond the software defined perimeter.

McAfee Enterprise can monitor, discover, and analyze all the cloud services leveraged by users – both approved and unapproved (Shadow IT) – and provide a holistic assessment.  Closed loop remediation ensures organizations can take control and govern access to the unapproved or malicious services and use the information to lay the foundation for building effective data protection policies very relevant to mission needs.

Granular governance and control – application-level visibility – by authenticated users working within the various cloud services is just as important as controlling access to them.  Tight API integrations with traditional SaaS services guarantee only permitted activities occur.  With agile development on the rise, it is just as important that the solution is flexible to control these custom apps in the same way as any commercial cloud service.  Legacy mission applications are being redesigned to take advantage of cloud scale and efficiency; McAfee Enterprise will not impose limits.

Governance over cloud posture is equally important, and customers need to ensure the multi-cloud environment is not introducing any additional source of risk.  Most compromises are due to misconfigurations or mistakes that leave links, portals, or directories open to the public.  We evaluate the multi-cloud against industry benchmarks and best practices, provide holistic risk scoring, and provide the means to remediate these findings to fortify an organization’s cloud infrastructure.

Unified data protection is our end goal; it is at the core of what we do and how we align to Zero Trust.  Consistent protections and governance over data wherever it is created, wherever it goes, from device to multi-cloud.  The same engine is shared across the environment and provides a single place for incidents and management across the enterprise.  Customers can be confident that all data will be tracked and proper controls enforced wherever its destination may be.

Talent and Culture:

Becoming a data-centric organization will require a cultural change.  Decision-making capabilities will be empowered by data and analytics as opposed to experienced situations and scenarios (e.g., event response). Machine learning and artificial intelligence will continue to influence processes and procedures, and an open ecosystem is needed to facilitate effective collaboration. Capabilities designed to foster interoperability and collaboration will be the future.  As more telemetry is obtained, solutions must support the SOC analyst with reduced noise and provide relevant, actionable data for swift decision-making.

At McAfee Enterprise, we hear this.  UCE provides simplified management over the multi-cloud to ensure consistent and unified control over the environment and the data.  No other vendor has the past performance at scale for hybrid, centralized management.  MVISION Insights ensures that environments are fortified against emerging threats, allowing the cyber operators to focus on the security gaps that can leave an organization exposed.  Threat intelligence sharing and an open architecture has been our priority over the past several years, and we will continue to enrich and strengthen that architecture through our platform approach.  There is no silver bullet solution that will meet every mission requirement, but what we can collectively do is ensure we are united against our adversaries.

Data and Zero Trust will be at the forefront as we move forward into adopting cloud in the public sector.  There is a better approach to security in this cloud-first world. It is a mindset change from the old perimeter-oriented view to an approach based on adaptive and dynamic trust and access controls.  McAfee’s goal is to ensure that customers can support their mission objectives in a secure way, deliver new functionality, improved processes, and ultimately give better return on investments.

We are better together.

The post Data as a Strategic Asset – Securing the New Perimeter in the Public Sector appeared first on McAfee Blogs.

]]>
Introducing MVISION Private Access https://www.mcafee.com/blogs/enterprise/cloud-security/introducing-mvision-private-access/ Tue, 03 Aug 2021 03:00:53 +0000 /blogs/?p=125216

Enabling Zero Trust Access with End-to-end Data Security and Continuous Risk Assessment The current business transformation and remote workforce expansion...

The post Introducing MVISION Private Access appeared first on McAfee Blogs.

]]>

Enabling Zero Trust Access with End-to-end Data Security and Continuous Risk Assessment

The current business transformation and remote workforce expansion require zero trust access to corporate resources, with end-to-end data security and continuous risk assessment to protect applications and data across all locations – public clouds, private data centers, and user devices.  MVISION Private Access is the industry’s first truly integrated Zero Trust Network Access solution that enables blazing fast, granular “Zero Trust” access to private applications and provides best-in-class data security with leading data protection, threat protection, and endpoint protection capabilities, paving the way for accelerated Secure Access Service Edge (SASE) deployments.

We are currently operating in a world where enterprises are borderless, and the workforce is increasingly distributed. With an increasing number of applications, workloads and data moving to the cloud, security practitioners today face a wide array of challenges while ensuring business continuity, including:

  • How do I plan my architecture and deploy assets across multiple strategic locations to reduce network latency and maintain a high-quality user experience?
  • How do I keep a tight control over devices connecting from any location in the world?
  • How do I ensure proper device authorization to prevent over-entitlement of services?
  • How do I maintain security visibility and control as my attack surface increases due to the distributed nature of data, users, and devices?

Cloud-based Software-as-a-Service (SaaS) application adoption has exploded in the last decade, but most organizations still rely heavily on private applications hosted in data centers or Infrastructure-as-a-Service) IaaS environments. To date Virtual Private Networks (VPN) have been a quick and easy fix for providing remote users access to sensitive internal applications and data. However, with remote working becoming the new normal and organizations moving towards cloud-first deployments, VPNs are now challenged with providing secure connectivity for infrastructures they weren’t built for, leading to bandwidth, performance, and scalability issues. VPNs also introduce the risk of excessive data exposure, as any remote user with valid login keys can get complete access to the entire internal corporate network and all the resources within.

Enter Zero Trust Network Access, or ZTNA! Built on the fundamentals of “Zero Trust”, ZTNAs deny access to private applications unless the user identity is verified, irrespective of whether the user is located inside or outside the enterprise perimeter. Additionally, in contrast to the excessive implicit trust approach adopted by VPNs, ZTNAs enable precise, “least privileged” access to specific applications based upon the user authorization.

We are pleased to announce the launch of MVISION Private Access, an industry-leading Zero Trust Network Access solution with integrated Data Loss Prevention (DLP) and Remote Browser Isolation (RBI) capabilities. With MVISION Private Access, organizations can enable fast, ubiquitous, direct-to-cloud access to private resources from any remote location and device, allow deep visibility into user activity, enforce data protection over the secure sessions to prevent data misuse or theft, isolate private applications from potentially risky user devices, and perform security posture assessment of connecting devices, all from a single, unified platform.

Why does ZTNA matter for remote workforce security and productivity?

Here are the key capabilities offered by ZTNA to provide secure access for your remote workforce:

  • Direct-to-app connectivity: ZTNA facilitates seamless, direct-to-cloud and direct-to-datacenter access to private applications. This eliminates unnecessary traffic backhauling to centralized servers, reducing network latency, improving the user experience and boosting employee productivity.
  • Explicit identity-based policies: ZTNA enforces granular, user identity-aware, and context-aware policies for private application access. By eliminating the implicit trust placed on multiple factors, including users, devices and network location, ZTNA secures organizations from both internal and external threats.
  • Least-privileged access: ZTNA micro-segments the networks to create software-defined perimeters and allows “least privileged” access to specific, authorized applications, and not the entire underlying network. This prevents overentitlement of services and unauthorized data access. Micro-segmentation also significantly reduces the cyberattack surface and prevents lateral movement of threats in case of a breach.
  • Application cloaking: ZTNA shields private applications behind secure gateways and prevents the need to open inbound firewall ports for application access. This creates a virtual darknet and prevents application discovery on public Internet, securing organizations from Internet-based data exposure, malware and DDoS attacks.

Is securing the access enough? How about data protection?

Though ZTNAs are frequently promoted as VPN replacements, nearly all ZTNA solutions share an important drawback with VPNs – lack of data awareness and risk awareness. First-generation ZTNA solutions have categorically focused on solving the access puzzle and have left data security and threat prevention problems unattended. Considering that ubiquitous data awareness and risk assessment are the key tenets of the SASE framework, this is a major shortcoming when you consider how much traffic is going back and forth between users and private applications.

Moreover, the growing adoption of personal devices for work, oftentimes connecting over unsecure remote networks, significantly expands the threat surface and increases the risk of sensitive data exposure and theft due to lack of endpoint, cloud and web security controls.

Addressing these challenges requires ZTNA solutions to supplement their Zero Trust access capabilities with centralized monitoring and device posture assessment, along with integrated data and threat protection.

MVISION Private Access

MVISION Private Access, from McAfee Enterprise, is designed for organizations in need for an all-encompassing security solution that focuses on protecting their ever-crucial data, while enabling remote access to corporate applications. The solution combines the secure access capabilities of ZTNA with the data and threat protection capabilities of Data Loss Prevention (DLP) and Remote Browser Isolation (RBI) to offer the industry’s leading integrated, data-centric solution for private application security, while utilizing McAfee’s industry-leading Endpoint Security solution to derive deep insights into the user devices and validating their security posture before enabling zero trust access.

MVISION Private Access allows customers to immediately apply inline DLP policies to the collaboration happening over the secure sessions for deep data inspection and classification, preventing inappropriate handling of sensitive data and blocking malicious file uploads. Additionally, customers can utilize a highly innovative Remote Browser Isolation solution to protect private applications from risky and untrusted unmanaged devices by isolating the web sessions and allowing read-only access to the applications.

Fig. 1: MVISION Private Access

Private Access further integrates with MVISION Unified Cloud Edge (UCE) to enable defense-in-depth and offer full scope of data and threat protection capabilities to customers from device-to-cloud. Customers can achieve the following benefits from the integrated solution:

  • Complete visibility and control over data across endpoint, web and cloud.
  • Unified incident management across control points with no increase in operational overhead, leading to total cost of ownership (TCO) reduction.
  • Multi-vector data protection, eliminating data visibility gaps and securing collaboration from cloud to third-parties.
  • Defending private applications against cloud-native threats, advanced malware and fileless attacks.
  • Continuous device posture assessment powered by industry-leading endpoint security.

Additionally, UCE’s Hyperscale Service Edge, that operates at 99.999% service uptime and is powered by intelligently peered data centers, provides blazing fast, seamless experience to private access users. Authentication via Identity Providers eliminates the risk of threat actors infiltrating the corporate networks using compromised devices or user credentials.

What Sets MVISION Private Access apart?

With dozens of ZTNA solutions on the market, we’ve made sure that MVISION Private Access stands out from the crowd with the following:

  • Integrated data loss prevention (DLP) and industry-leading Remote Browser Isolation (RBI): Enables advanced threat protection and complete control over data collaborated through private access sessions, preventing inappropriate handling of sensitive data, blocking files with malicious content and securing unknown traffic activity to prevent malware infections on end-user devices.
  • SASE readiness with UCE integration: MVISION Private Access converges with MVISION UCE to deliver complete data and threat protection to any device at any location in combination with other McAfee security offerings, that include Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Endpoint Protection, while enabling direct-to-cloud access in partnership with leading SD-WAN vendors. This ensures a consistent user experience across web, public SaaS, and private applications.
  • Endpoint security and posture assessment: MVISION Private Access leverages industry-leading McAfee Endpoint Security powered by proactive threat intelligence from 1 billion sensors to evaluate device and user posture, which informs a risk-based zero trust decision in real-time. The rich set of telemetry, which goes well beyond the basic posture checking performed by competitive solutions, allows organizations to continuously assess the device and user risks, and enforce adaptive policies for private application access.
  • Securing unmanaged devices with clientless deployments: MVISION Private Access secures access from unmanaged devices through agentless, browser-based deployment, enabling collaboration between employees, external partners or third-party contractors in a most frictionless manner.

With MVISION Private Access customers can establish granular, least privileged access to their private applications hosted across cloud and IT environments, from any device and location, while availing all the goodness of McAfee’s leading data and threat protection capabilities to accelerate their business transformation and enable the fastest route to SASE. To learn more, visit www.mcafee.com/privateaccess.

 

 

 

The post Introducing MVISION Private Access appeared first on McAfee Blogs.

]]>
Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols https://www.mcafee.com/blogs/enterprise/cloud-security/introducing-mvision-cloud-firewall-delivering-protection-across-all-ports-and-protocols/ Thu, 29 Jul 2021 15:17:11 +0000 /blogs/?p=125183

Architected for the cloud-first and remote-first deployments, MVISION Cloud Firewall secures access to applications and resources on the internet, accessed...

The post Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols appeared first on McAfee Blogs.

]]>

Architected for the cloud-first and remote-first deployments, MVISION Cloud Firewall secures access to applications and resources on the internet, accessed from every remote site and location, through a cloud-native service model. The solution inspects end-to-end user traffic – across all ports and protocols, enabling unified visibility and policy enforcement across the organizational footprint. Powered by McAfee Enterprise’s industry leading next-generation intrusion detection and prevention system, contextual policy engine and advanced threat detection platform, and supported by Global Threat Intelligence feeds, MVISION Cloud Firewall proactively detects and blocks emerging threats and malware with a high degree of accuracy, uniquely addressing the security challenges of the modern remote workforce. MVISION Cloud Firewall is an integral component of McAfee Unified Cloud Edge, offering organizations an all-encompassing, cloud-delivered Secure Access Service Edge (SASE) security solution for accelerating their business transformation.

Wherever networks went, firewalls followed

For a long time, firewalls and computer networks were like conjoined twins. Businesses simply could not afford to run an enterprise network without deploying a security system at the edge to create a secure perimeter around their crown jewels. The growing adoption of web-based protocols and their subsequent employment by cybersecurity adversaries for launching targeted malware attacks, often hidden within encrypted traffic, saw the emergence of next-generation firewall (NGFW) solutions. Apart from including stateful firewall and unified threat management services, NGFWs offered multi-layered protection and performed deep packet inspection, allowing organizations greater awareness and control over the applications to counter web-based threats.

Cloud computing changed the playing field

But things took a dramatic turn with the introduction of cloud computing. Cloud service providers came up with an offer the organizations could not refuse – unlimited computing power and storage volumes at significantly lower operating costs, along with the option to seamlessly scale business operations without hosting a single piece of hardware on-premises. Hence began the mass exodus of corporate data and applications to the cloud. Left without a fixed network perimeter to protect, the relationship between firewalls and networks entered complicated terms. While the cloud service providers offered a basic level of security functionality, they lacked the muscle power of on-premises firewalls, particularly NGFWs. This was further exacerbated by the ongoing pandemic and the overnight switch of the workforce to remote locations, which introduced the following challenges:

  • Remote users were required to backhaul the entire outbound traffic to centralized firewalls through expensive MPLS connections, impacting the network performance due to latency and degrading the overall user experience.
  • Remote users connecting direct-to-cloud often bypassed the on-premises security controls. With the firewalls going completely blind to the remote user traffic, security practitioners simply couldn’t protect what they couldn’t see.
  • Deploying security appliances at each remote site and replicating the firewall policies across every site significantly increased the capital and operational expenditure. Additionally, these hardware applications lack the ability to scale and accommodate the growing volume of user traffic.
  • On-premises firewalls struggled to integrate with cloud-native security solutions, such as Secure Web Gateways (SWG) and Cloud Access Security Brokers (CASB), creating a roadblock in Secure Access Service Edge (SASE) deployments.

Enter Firewall-as-a-Service

The distributed workforce has expanded the threat landscape at an alarming rate. According to the latest McAfee Labs Threats Reports, the volume of malware threats observed by McAfee Labs averaged 688 threats per minute, an increase of 40 threats per minute (3%) in the first quarter of 2021. While SWGs and CASBs could address the security challenges for web and SaaS traffic, respectively, how could organizations secure the remaining non-web traffic? The answer lies in Firewall-as-a-Service, or FWaaS. FWaaS can be defined as a firewall hosted in the cloud, offering all the NGFW capabilities, including deep packet inspection, application-layer filtering, intrusion prevention and detection, advanced threat protection, among others. While, at the onset, FWaaS may give the impression of lifting and shifting NGFWs to the cloud, their business benefits are far more profound and relevant for the modern workforce, some of which include:

  • Securing the remote workers and local internet breakouts, allowing direct-to-cloud connections to reduce network latency and improve user experience. Avoiding traffic backhauls from remote sites to centralized firewalls through expensive VPN and MPLS lines reduces the deployment costs.
  • Significant cost savings by eliminating hardware installation at remote branch offices.
  • Aggregating the network traffic from on-premises datacenters, clouds, remote branch offices and remote user locations, allowing centralized visibility and unified policy enforcement across all locations.
  • Seamless scaling to handle the growing volume of traffic and the need for inspecting encrypted traffic for threats and malware.
  • Centralizing the service management, such as patching and upgrades, reducing the operational costs for repetitive tasks.

Introducing MVISION Cloud Firewall

McAfee MVISION Cloud Firewall is a cutting-edge Firewall-as-a-Service solution that enforces centralized security policies for protecting the distributed workforce across all locations, for all ports and protocols. MVISION Cloud Firewall allows organizations to extend comprehensive firewall capabilities to remote sites and remote workers through a cloud-delivered service model, securing data and users across headquarters, branch offices, home networks and mobile networks, with real-time visibility and control over the entire network traffic.

The core value proposition of MVISION Cloud Firewall is characterized by a next-generation intrusion detection and prevention system that utilizes advanced detection and emulation techniques to defend against stealthy threats and malware attacks with industry best efficacy. A sophisticated next-generation firewall application control system enables organizations to make informed decisions about allowing or blocking applications by correlating threat activities with application awareness, including Layer 7 visibility of more than 2000 applications and protocols.

Fig. MVISION Cloud Firewall Architecture

What makes MVISION Cloud Firewall special?

Superior IPS efficacy: MVISION Cloud Firewall delivers superior IPS performance through deep inspection of network traffic and seamless detection and blocking of both known and unknown threats across the network perimeter, data center, and cloud environments. The next-generation IPS engine offers 20% better efficacy than competitive solutions, while far exceeding the detection rates of open-source solutions. The solution combines with MVISION Extended Threat Detection and Response (XDR) to offer superior threat protection by correlating threat intelligence and telemetry across multiple vectors and proactively detecting and resolving adversarial threats before that can lead to any enterprise damage or loss. Additional advantages include inbound and outbound SSL decryption, signature-less malware analysis, high availability, and disaster recovery protection.

End-to-end visibility and optimization: The ability to visualize and control remote user sessions allows MVISION Cloud Firewalls to proactively monitor the end-to-end traffic flow and detect any critical issues observed across user devices, networks, and cloud. This offers network administrators a unified, organization-wide view of deployed assets to pinpoint and troubleshoot issues before the overall network performance and user productivity gets impacted. Optimizing network performance elevates the user experience through reduced session latency while keeping a check on the help desk ticket volumes.

Policy Sophistication: MVISION Cloud Firewall considers multiple contextual factors, such as the device type, security posture of devices, networks and users, and pairs that with application intelligence to define a robust and comprehensive policy lexicon that is more suitable for protecting the modern remote workforce. For example, most NGFWs can permit or block user traffic based on the configured rule set, such as permitting accounting users to access files uploaded on a Teams site. McAfee, on the other hand, utilizes its data protection and endpoint protection capabilities to create more powerful NGFW rules, such as permitting accounting users to access a third-party Teams site only if they have endpoint DLP enabled.

SASE Convergence

MVISION Cloud Firewall converges with MVISION Unified Cloud Edge to offer an integrated solution comprising of industry best Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), unified Data Loss Prevention (DLP) across endpoint, cloud and network, Remote Browser Isolation (RBI) and Firewall-as-a-Service, making McAfee one of the only vendors in the industry that solves the network security puzzle of the SASE framework. With the inclusion of MVISION Cloud Firewall, McAfee Enterprise customers can now utilize a unified security solution to inspect any type of traffic destined to the cloud, web, or corporate networks, while securing the sensitive assets and users across every location.

The post Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols appeared first on McAfee Blogs.

]]>
White House Executive Order – Removing Barriers to Sharing Threat Information https://www.mcafee.com/blogs/enterprise/white-house-executive-order-removing-barriers-to-sharing-threat-information/ Mon, 12 Jul 2021 15:00:51 +0000 /blogs/?p=124663

The latest guidance in the Executive Order on Improving the Nation’s Cybersecurity (EO), Section 2, discusses removing the barriers to...

The post