Tag Archives: targeting

New Mirai variant attacks Apache Struts vulnerability

New variants of the Mirai and Gafgyt botnets are targeting unpatched enterprise devices, according to new research.

Palo Alto Networks’ Unit 42 found the variants exploit vulnerabilities in Apache Struts and in SonicWall’s Global Management System (GMS). The Mirai variant exploits the same Apache Struts vulnerability that was used in the 2017 Equifax data breach, while the Gafgyt variant exploits a newly uncovered vulnerability in unsupported, older versions of SonicWall’s GMS.

The Unit 42 research team noted the Mirai variant takes advantage of 16 different vulnerabilities. While multi-exploit variants are not unusual, this is the first known instance of Mirai or any of its variants targeting an Apache Struts vulnerability.

The research also found the domain that hosts the Mirai samples had resolved to a different IP address in August, which also hosted Gafgyt samples at that time. Those samples exploited the SonicWall GMS vulnerability, which is tracked as CVE-2018-9866. Unit 42’s research did not say whether the two botnets were the work of a single threat group or actor, but it did say the activity could spell trouble for enterprises.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets,” the Palo Alto researchers wrote.

The Apache Struts vulnerability exploited by the new Mirai variant was patched in 2017, before it was used in the Equifax breach. Systems that have not been updated remain susceptible to these exploits.
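The page does not name the Struts flaw; the one behind the Equifax breach is CVE-2017-5638 (Apache advisories S2-045 and S2-046), an OGNL injection through the Content-Type header, which S2-046 extended to Content-Disposition and Content-Length on multipart uploads. The check below is an added example, not Unit 42’s code or the botnet’s: it flags raw HTTP requests whose headers carry OGNL expression markers and compares a deployed Struts version against the fix releases named in the advisories (2.3.32 and 2.5.10.1). The sample requests, the host name and the function names are constructed for the example.

```python
import re

# OGNL expression markers that appear in attempts to exploit the Struts
# Jakarta Multipart parser flaw (CVE-2017-5638, S2-045/S2-046): the payload
# rides in a request header and is evaluated when Struts formats the error
# message for the malformed value.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|ognl\.OgnlContext|#context\[|getRuntime\(\)",
    re.IGNORECASE,
)

# S2-045 abused Content-Type; S2-046 extended this to Content-Disposition
# and Content-Length on multipart uploads.
HEADERS_OF_INTEREST = ("content-type", "content-disposition", "content-length")

# Fix releases named in the Apache advisories, per 2.x minor line.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_request_headers(raw: str) -> dict:
    """Return the header block of a raw HTTP request as a lowercase-keyed dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def ognl_in_headers(raw: str) -> list:
    """Headers of interest whose value carries OGNL markers, as (name, value)."""
    headers = parse_request_headers(raw)
    return [(h, headers[h]) for h in HEADERS_OF_INTEREST
            if h in headers and OGNL_MARKERS.search(headers[h])]


def struts_version_is_fixed(version: str) -> bool:
    """True if a Struts 2 version string is at or past the S2-045 fix release.

    Minor lines other than 2.3 and 2.5 are treated as post-fix only if they
    are newer than 2.5 (later lines shipped after the fix)."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return parts > (2, 5)
    return parts >= fixed


# Constructed sample requests (not captured traffic): a normal multipart
# upload and one carrying an OGNL expression in Content-Type.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#x=1)}\r\n\r\n",
]


def flagged_requests(requests) -> list:
    """Indices of requests whose headers carry OGNL markers."""
    return [i for i, r in enumerate(requests) if ognl_in_headers(r)]


if __name__ == "__main__":
    for i in flagged_requests(SAMPLE_REQUESTS):
        print(f"request {i}: {ognl_in_headers(SAMPLE_REQUESTS[i])}")
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "fixed" if struts_version_is_fixed(v) else "VULNERABLE")
```

The marker list is a coarse first pass for log review or a WAF rule; the authoritative fix is the version check, since a patched Struts rejects the malformed header before any expression is evaluated.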

The Mirai botnet first emerged in the fall of 2016, and it has since affected hundreds of thousands of IoT and connected devices. The botnet’s malware had primarily targeted consumer devices; it was behind the late-2016 outage that knocked German telco Deutsche Telekom customers’ routers offline and the massive distributed denial-of-service attack on the DNS provider Dyn, which took down websites such as Airbnb, Twitter, PayPal, GitHub, Reddit, Netflix and others.

The Unit 42 researchers discovered the Gafgyt and Mirai variants on Aug. 5 and alerted SonicWall about the GMS vulnerability. Palo Alto published its disclosure on Sept. 9.

BGP hijacking attacks target payment systems

Researchers discovered BGP hijacking attacks targeting payment processing systems and using a new trick to extend the attackers’ hold over DNS resolver caches.

Doug Madory, director of internet analysis at Oracle Dyn, first observed these Border Gateway Protocol (BGP) hijacking attacks in April 2018 and has seen them continue through July. The first attack hijacked routes to an Amazon DNS server in order to lure victims to a malicious site and steal cryptocurrency; more recent attacks targeted a wider range of U.S. payment services.

“As in the Amazon case, these more recent BGP hijacks enabled imposter DNS servers to return forged DNS responses, misdirecting unsuspecting users to malicious sites. By using long TTL values in the forged responses, recursive DNS servers held these bogus DNS entries in their caches long after the BGP hijack had disappeared — maximizing the duration of the attack,” Madory wrote in a blog post. “The normal TTL for the targeted domains was 10 minutes (600 seconds). By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped.”

Madory detailed attacks on telecom companies in Indonesia and Malaysia as well as BGP hijacking attacks on U.S. credit card and payment processing services, the latter of which lasted anywhere from a few minutes to almost three hours. While the payment services attacks featured similar techniques to the Amazon DNS server attack, it’s unclear if the same threat actors are behind them.

Justin Jett, director of audit and compliance for Plixer, said BGP hijacking attacks are “extremely dangerous because they don’t require the attacker to break into the machines of those they want to steal from.”

“Instead, they poison the DNS cache at the resolver level, which can then be used to deceive the users. When a DNS resolver’s cache is poisoned with invalid information, it can take a long time post-attack to clear the problem. This is because of how DNS TTL works,” Jett wrote via email. “As Oracle Dyn mentioned, the TTL of the forged response was set to about five days. This means that once the response has been cached, it will take about five days before it will even check for the updated record, and therefore is how long the problem will remain, even once the BGP hijack has been resolved.”
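The TTL effect Madory and Jett describe can be seen in a small simulation of a recursive resolver. This is an added example, not Oracle Dyn’s or Plixer’s analysis: the hijack window, the domain name, the addresses (RFC 5737 documentation ranges) and the probe times are all constructed, and the only figures taken from the text are the 600-second normal TTL, the roughly five-day forged TTL and a hijack lasting almost three hours. It also shows the resolver-side mitigation of capping the cache TTL, which bounds how long a poisoned entry survives once the hijack ends.

```python
from dataclasses import dataclass, field
from typing import Optional

LEGIT_IP = "203.0.113.10"          # constructed: the real service address
FORGED_IP = "198.51.100.66"        # constructed: the imposter's address
NORMAL_TTL = 600                   # 10 minutes, as observed on the targeted domains
FORGED_TTL = 5 * 24 * 3600         # about five days, the forged record's TTL
HIJACK_START = 1_000               # constructed timeline, in seconds
HIJACK_END = HIJACK_START + 3 * 3600   # hijack lasting almost three hours


@dataclass
class Answer:
    rdata: str
    ttl: int


def upstream_answer(name: str, now: int) -> Answer:
    """What the resolver sees when it goes upstream: while the BGP hijack
    attracts traffic for the authoritative server's prefix, an imposter
    answers with a forged record and a very long TTL."""
    if HIJACK_START <= now < HIJACK_END:
        return Answer(FORGED_IP, FORGED_TTL)
    return Answer(LEGIT_IP, NORMAL_TTL)


@dataclass
class RecursiveResolver:
    # Optional cap on how long any answer is cached, regardless of its TTL
    # (the knob BIND calls max-cache-ttl and Unbound calls cache-max-ttl).
    max_cache_ttl: Optional[int] = None
    cache: dict = field(default_factory=dict)   # name -> (rdata, expires_at)

    def resolve(self, name: str, now: int) -> str:
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]                       # served from cache, upstream never asked
        ans = upstream_answer(name, now)
        ttl = ans.ttl if self.max_cache_ttl is None else min(ans.ttl, self.max_cache_ttl)
        self.cache[name] = (ans.rdata, now + ttl)
        return ans.rdata


def simulate(max_cache_ttl: Optional[int] = None) -> dict:
    """Answers a client gets from one resolver at probe points around the hijack."""
    resolver = RecursiveResolver(max_cache_ttl)
    name = "pay.example"                        # constructed target domain
    probes = {
        "before_hijack": 0,
        "during_hijack": HIJACK_START + 200,    # cache expired, forged answer pulled in
        "one_hour_after": HIJACK_END + 3600 + 1,
        "one_day_after": HIJACK_END + 86400,
    }
    return {label: resolver.resolve(name, t) for label, t in probes.items()}


if __name__ == "__main__":
    print("uncapped cache:", simulate())
    print("max-cache-ttl 3600:", simulate(max_cache_ttl=3600))
```

With no cap, the forged record keeps being served a full day after routing has recovered; with a one-hour cap it is gone within an hour of the hijack ending. The cap only shortens exposure. Rejecting the forged answer outright needs DNSSEC validation on a signed zone, and preventing the route from being accepted in the first place is the job of RPKI origin validation at the BGP layer.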

Madory was not optimistic about what these BGP hijacking attacks might portend because of how fundamental BGP is to the structure of the internet.

“If previous hijacks were shots across the bow, these incidents show the internet infrastructure is now taking direct hits,” Madory wrote. “Unfortunately, there is no reason not to expect to see more of these types of attacks against the internet.”

Matt Chiodi, vice president of cloud security at RedLock, was equally worried and warned that these BGP hijacking attacks should be taken as a warning.

“BGP and DNS are the silent warriors of the internet and these attacks are extremely serious because nearly all other internet services assume they are secure. Billions of users rely on these mostly invisible services to accomplish everything from Facebook to banking,” Chiodi wrote via email. “Unfortunately, mitigating BGP and DNS-based attacks is extremely difficult given the trust-based nature of both systems.”

VR in real estate has mainstream potential for IT resellers

Channel firms targeting the real estate market are likely to encounter growing customer interest in emerging VR and AR technology.

That’s according to a recent podcast by distributor Ingram Micro, which explored the benefits of AR and VR in real estate. Up to now, the technology has mostly been experimented with in high-end real estate situations, such as virtual walkthroughs of New York luxury lofts or West Coast mansions. But as the cost of the hardware decreases, channel partners can expect to see VR and AR technology move downstream.

“I would say that [VR in real estate] hasn’t trickled all the way down yet, and that’s mainly because of the cost of the hardware associated” with it, said Sam Alt, technical support specialist at Ingram Micro, in the podcast. Hardware would include VR headsets and 3D camera equipment.

The benefits of VR in real estate are clear, Alt said. Agents could use VR to perform numerous house tours from one location rather than have to drive with their clients to physically tour the locations. “You could go to one location and you could view multiple houses in an afternoon versus only a few,” he said. While house buyers would eventually want to visit a prospective real estate purchase in person, VR could help them weed through the options.

Alt also pointed to a role for augmented reality. Architectural firms could use AR to walk clients through model homes and, using an AR helmet, “swipe through what types of kitchens they could provide,” he said. “I think that’s a really easy way to … get a person who’s looking to … build a brand-new home really, really excited and be able to showcase that the end result is going to look exactly like … [what you can see] in this AR helmet, versus what it would look like on a piece of paper.”

“I think that VR and AR really do this market justice because it just brings in an entire new level of detail to what [firms] previously could provide,” he added.

CompTIA seeks tech stories

In an effort to encourage young people to enter the IT industry, CompTIA has launched a #MyTechStory initiative, in which current industry personnel tell the story of how they got started in technology.

Todd Thibodeaux, CEO at CompTIA, invited attendees at ChannelCon 2018 to participate, but the program is open to tech workers worldwide. Three- to five-minute videos may be tweeted to @CompTIA using #MyTechStory. Videos may also be emailed to kstone@comptia.org. Thibodeaux said his road to IT started with Lincoln Logs and Legos.

Other news

  • AppDynamics, a Cisco business unit specializing in app performance monitoring software, expanded its partner program with a new Pioneer partner tier. Dedicated to regional partners with domain expertise in applications, the Pioneer tier adds to the AppDynamics program’s existing Alliance and invitation-only Titan tiers, acting essentially as a promotion path to Titan status. Pioneer partners can access support from channel account managers and channel sales engineers, training and enablement programs, and semiannual business planning sessions, AppDynamics said.
  • Cloud distributor Pax8 will offer Anchor and Cloudfinder to MSPs under a new agreement with Axcient/eFolder, which provides data protection and business continuity offerings.
  • Xerox introduced a marketing toolkit to help partners promote the vendor’s managed print services and ConnectKey portfolio. New resources include social media syndication, redesigned partner badges and tools for hosting on-site customer events.
  • Collabrance, a provider of products and services for managed service providers (MSPs), said it expanded its Master Managed Security Services Provider portfolio. The portfolio now features security information and event management (SIEM) and vulnerability and penetration testing, Collabrance said.

Market Share is a news roundup published every Friday.

Announcing the Reddit Solution Template | Microsoft Power BI Blog | Microsoft Power BI

Today, we are excited to announce a new suite of Power BI solution templates for brand management and targeting on Reddit through a third-party API relationship with SocialGist. These templates complement existing brand-oriented solution templates available for Twitter, Facebook, and Bing News.

The Reddit solution template suite combines AI with interactive visual analytics to reveal how different brands are performing across the Reddit platform, from companies and CEOs down to individual products. Behind the scenes, it uses Azure services and technologies from Microsoft AI and Research to support rich exploration by sentiment levels, key words, and author communities. All you need to get started are the list of brands you want to track and an Azure subscription – the solution template will automate and take care of everything else.


Actionable Insights

With Reddit solution templates, you can easily track mentions of your brand, identify communities that talk about your products, and discover key influencers within those communities. You can also do the same for your competitors and their products!

The templates provide direct answers to the questions of who is talking about which brands, what they are saying in terms of text, sentiment, and keywords, and where on Reddit they are saying it. The templates also reveal new opportunities to drive customer engagement, whether through the identification of new community segments, top posts worthy of promotion, or trends in post volume or sentiment that require a timely response.

“With more than 330 million monthly users posting, commenting and voting across 138,000 active communities each day, Reddit is home to the most diverse and authentic conversations on the internet; and as such, an increasingly valuable source of brand and consumer insights,” says Alex Riccomini, director of business development and media partnerships at Reddit. “We’re excited to partner with Microsoft to bring Reddit’s vast data to Power BI, making it easier and more flexible than ever to customize, collect, and consume business-impacting insights from the Reddit community.”

Together, the Power BI solution templates for Reddit offer unique brand insight and customer targeting opportunities powered by the highly-engaged and rapidly-growing Reddit community.

Multiple Workbook Experiences

1. Overview – This workbook shows the big picture for selected brands and the key influencers and communities talking about them.


Analyzing sentiment over time

2. Targeting and Activation – This workbook reveals how communities relate to brands across the Reddit platform and highlights key influencers.


Lookalike community analysis

3. Advanced Analytics – This workbook enables deep analytic exploration of Reddit posts, comments, and user activity relating to selected brands.


Deep dive analysis with free-text search

Try it out & let us know

Go ahead and check out the Reddit solution template. You can try out an interactive sample report, watch a demo video or just go ahead and set things up! The team is always interested in any thoughts or feedback – you can reach us through our alias (pbisolntemplates@microsoft.com) or by leaving a comment on the Power BI Solution Template Community page.

DHS’s Dragonfly ICS campaign alert isn’t enough, experts say

A new government warning added details about cyberattacks targeting critical control systems, but experts said the industry needs more funding and action rather than alerts to secure infrastructure.

The Department of Homeland Security (DHS) issued an alert Friday stating that an advanced persistent threat group — labeled as Dragonfly by a September report from Symantec — has “targeted government entities and the energy, water, aviation, nuclear and critical manufacturing sectors” with specific focus on industrial control systems (ICS).

According to the DHS, the Dragonfly ICS campaign comprised “two distinct categories of victims: staging and intended targets.”

“The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks … The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims,” DHS wrote in the alert. “The ultimate objective of the cyber threat actors is to compromise organizational networks.”

Dragonfly ICS attack patterns

The alert detailed how the Dragonfly ICS campaign used several different attack techniques to steal login credentials, including:

  • spear phishing attacks leveraging “legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol,”
  • spear phishing attacks aimed at luring targets to a website where they would be prompted to retrieve a malicious file,
  • phishing attacks with fake login pages or malicious Microsoft Word files and watering hole attacks.

DHS said the Dragonfly ICS campaign would make use of the stolen credentials “to access victims’ networks where multi-factor authentication [was] not used” to set up persistent access.
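The first technique in the list, an Office document that makes Word fetch a resource from a remote server over SMB, works through ordinary OOXML relationships: a .docx is a zip archive, and a `.rels` part can declare an external target such as an attached template on a UNC path, which Word retrieves (and authenticates to) when the file is opened. The scanner below is an added example, not part of the DHS alert or its YARA/Snort signatures: it opens a .docx, walks every relationship part and reports external targets that point at UNC or `file:` paths, or at web URLs in any relationship other than a plain hyperlink. The minimal document skeleton it builds is constructed for the example and is not a valid Word file; the address in the UNC path is an RFC 5737 documentation address.

```python
import io
import re
import zipfile
from typing import Optional
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
HYPERLINK_TYPE = OFFICE_REL + "/hyperlink"

# UNC paths and file: URLs make Word open an SMB connection to the named host
# when the document loads, sending the user's NTLM credentials along.  Web
# targets in a non-hyperlink relationship (e.g. attachedTemplate) are fetched
# silently too; hyperlinks only fire when clicked, so they are excluded.
SMB_TARGET = re.compile(r"^(\\\\|//|file:)", re.IGNORECASE)
WEB_TARGET = re.compile(r"^https?://", re.IGNORECASE)


def remote_relationships(docx_bytes: bytes) -> list:
    """Return (rels part, relationship type, target) for every external
    relationship in a .docx that would trigger an outbound fetch on open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue                    # internal parts live in the zip
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                if SMB_TARGET.match(target) or (
                    WEB_TARGET.match(target) and rtype != HYPERLINK_TYPE
                ):
                    findings.append((part, rtype.rsplit("/", 1)[-1], target))
    return findings


def build_sample_docx(template_target: Optional[str] = None) -> bytes:
    """Constructed minimal .docx skeleton (not a real Word file) with one benign
    hyperlink and, optionally, an external attached template."""
    doc_rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/hyperlink" '
        f'Target="https://example.com/" TargetMode="External"/></Relationships>'
    )
    tmpl = ""
    if template_target:
        tmpl = (f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
                f'Target="{template_target}" TargetMode="External"/>')
    settings_rels = (
        f'<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">{tmpl}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_docx()
    suspicious = build_sample_docx(r"\\203.0.113.5\share\template.dotm")
    print("benign:", remote_relationships(benign))
    print("suspicious:", remote_relationships(suspicious))
```

Running the scanner over an attachment at the mail gateway or on a sandbox catches the lure before a user opens it; on the network side, blocking outbound TCP/445 at the perimeter stops the SMB authentication from ever reaching the attacker’s server, which is the control the alert’s MFA recommendation complements rather than replaces.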

Paul Edon, director of international customer services at Tripwire, said the Dragonfly ICS attacks are “nothing new, but they should act to remind us that industrial control systems that were once protected by airgap and diode architecture, are now becoming physical extensions to corporate and business networks.”


“There is no dispute that connectivity provides many business advantages, such as centralized management and control, remote engineering access and resource consolidation,” Edon told SearchSecurity. “However, it’s important to remember that it also brings with it a large number of additional risks, mainly increased attack vectors, exposure of inherently insecure and sometimes obsolete IT systems, and the opportunity for attackers to exploit vulnerabilities that may have been around for a decade or more but for various valid reasons have not been patched.”

Mitigating the risks of the Dragonfly ICS campaign

The DHS alert provided IP addresses, domain names, file hashes and YARA and Snort signatures associated with the Dragonfly ICS attacks and urged network admins to check for intrusions on their systems and block malicious sources. DHS also included a long list of ways to detect spear phishing attacks, watering holes, web shells, remote access activity and malicious persistence.

Michael Daly, CTO of cybersecurity and special missions at Raytheon, applauded the Dragonfly ICS alert for “sharing important security information with the private sector about the growing threats to the nation’s critical infrastructure.”

“Cybersecurity is no longer just a matter of protecting stored data like credit cards. It is now the protection of the systems that run critical industries (energy, transportation, health care and finance), all the things that enable our modern way of life,” Daly told SearchSecurity. “The adversaries we face are persistent and well-resourced. Their cyberattacks are changing constantly. One of their favorite techniques is installing backdoors to maintain a foothold in our systems they could use during a time of crisis.”

More needs to be done

However, not all experts were as positive about the DHS warning. Satya Gupta, founder and CTO for threat protection vendor Virsec Systems, said the “security recommendations are inadequate.”

“The security mindset of watching for anomalies at the perimeter often becomes the equivalent of closing the barn door after the horses have bolted. Perimeters are inevitably porous, and the air-gaps that many ICS systems were designed around have disappeared,” Gupta told SearchSecurity. “Our security focus needs to shift from the network perimeter to the applications themselves. By closely monitoring application flows, processes and memory, you can spot unusual behavior at the source and take action faster and more surgically, before damage occurs or spreads.”

Tim Erlin, vice president of product management and strategy at Tripwire, said the Dragonfly ICS alert is only one part of making infrastructure more secure.

“This public warning from the U.S. government should be taken seriously, but it’s only the latest in a long series of warnings from within the cybersecurity industry,” Erlin told SearchSecurity. “Experts working on cybersecurity for critical infrastructure know the risks and the stakes, and are already working to address them. Warnings like this are an important aspect of information sharing, but they don’t materially change funding levels, resources or skill sets by themselves.”