Tag Archives: Threat

North Korea hacking threat still looms despite summit

Times may be changing for diplomatic relations between North Korea and the U.S., but the threat of North Korean hacking still looms.

This week’s summit between President Donald Trump and North Korean leader Kim Jong Un could lead to improved relations between the two countries and a possible denuclearization plan for North Korea. However, it’s unclear what impact, if any, the summit may have on nation-state cyberattacks coming from the country. According to various reports from the summit, the talks between Kim and Trump did not include any provisions concerning cyberattacks, and several cybersecurity companies have said there is evidence that North Korean hacking attacks may be ramping up this year.

Several notable cyberattacks have been attributed to the North Korean government in recent years, including the 2014 breach of Sony Pictures and last summer’s global WannaCry ransomware attacks. In addition, the FBI and the Department of Homeland Security recently issued a security advisory tying two well-known malware campaigns, Joanap and Brambul, to the North Korean hacking group Hidden Cobra, also known as Lazarus Group.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, a threat intelligence provider based in Somerville, Mass., told SearchSecurity that while Kim’s regime wants to increase the country’s role in the international community, there’s no indication the government has curbed its hacking efforts.

In fact, she said there are signs that the opposite may be occurring.

“What we can say from looking at the data is that there are two stories: the data story, which shows us that North Korea increasingly cares about being monitored and watched, and that they are taking measures to hide their activity online; and the diplomacy story, where it’s telling the rest of the world that it’s ready to denuclearize and be more transparent,” Moriuchi said. “And the two stories just don’t match up.”

Recorded Future published research in April that showed a massive increase in anonymization of North Korean internet activity. “We conducted the research back in July, and we saw, for example, that less than 1% of all web browsing activity was anonymized — they didn’t even use HTTPS most of the time, let alone [virtual private networks (VPNs)],” she said, either because they didn’t care about hiding activity or because they didn’t know they could anonymize traffic. “But six months later, it was a completely different story — there was about a 12,000% increase in anonymization services and technology.”

Recorded Future issued another report last week detailing an increasingly large presence of U.S. technology in North Korean networks and usage by North Korean leadership, despite economic sanctions that prevent such trade. Moriuchi said North Korea has “professionalized sanctions evasion” over the last three-plus decades and found various ways to exploit weaknesses in U.S. export controls.

“We think this is a problem for two reasons. First, there are gaping holes in the U.S. export control regime, and they’re being exploited by this rogue nation,” she said. “Second, the U.S. government doesn’t want U.S. technology being used in cyberattacks from North Korea to harm businesses and government agencies.”

If Kim agrees to a denuclearization plan, there may be less incentive for the government to drop its hacking operations. Ross Rustici, senior director of intelligence services at Boston-based threat detection vendor Cybereason, believes North Korea’s hacking operations are a crucial bargaining chip for Kim and also present a unique threat to the Trump administration.

“North Korea currently lacks many options to force the U.S. into working inside a START [Strategic Arms Reduction Treaty] framework. Almost all of its military and foreign policy capabilities are defensive at this point,” Rustici wrote in a research post last month, prior to the summit. “The one exception is its cyberprogram. And, unfortunately, this is one domain where North Korea can impact the Trump brand in a way that it could not against any other President.”

Several vendors have reported increased sophistication and capabilities from suspected North Korean hacking groups this year. For example, Dragos Inc., a security firm based in Hanover, Md., that specializes in industrial control systems (ICS), published a threat report on a group it calls Covellite, which the company said uses malware and infrastructure similar to Hidden Cobra.

Dragos noted that Covellite, which had targeted U.S. organizations in the past, had recently abandoned North American companies and focused its attacks on European and Asian companies. Dragos also said that while Covellite lacks ICS-specific capabilities at this time, the group’s “rapidly improving capabilities, and history of aggressive targeting” made it a primary threat to the ICS industry.

In addition to Hidden Cobra, FireEye earlier this year reported that another North Korean hacking group known as APT37 had demonstrated increased capabilities, including the use of an Adobe Flash zero-day vulnerability in attacks on South Korean targets. “Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware,” FireEye wrote, adding it has “high confidence” that the group is working on behalf of the North Korean government.

Threat hunting technology is on the rise, so are threats

More companies are adopting threat hunting functions, according to a recent survey from Crowd Research Partners, but detection of advanced threats remains elusive.

Threat hunting typically involves human security analysts identifying impending incidents or attacks that automated threat detection systems may have missed. The frequency of threats and the potential damage and impact of security incidents continue to outpace the capabilities of security operations centers (SOCs), Crowd Research Partners’ “2018 Threat Hunting Report” found.

Fifty-eight percent of IT security professionals said cyberthreats against their organizations had doubled during the past 12 months; only 8% indicated threats decreased. SOCs missed 39% of threats on average; at 58% of organizations, the majority of attacks were discovered within one to seven days. The average dwell time for attackers was 30 days.

The top challenges facing SOCs, according to those surveyed, included the following:

  • detection of advanced cyberthreats — hidden, unknown and emerging threats (55%);
  • lack of skilled personnel (43%);
  • lack of confidence in threat detection technologies (36%);
  • too much time wasted on false alerts (35%);
  • slow response time to find or detect advanced threats (31%);
  • outdated SIEM and SOC infrastructure (29%); and
  • lack of proper reporting tools (28%).

In order to offset some of these challenges, the report found that approximately one-third of the organizations surveyed had outsourced threat hunting to a managed security service provider.

Crowd Research Partners conducted an online survey of more than 461 security and IT professionals in the Information Security Community group on LinkedIn. The survey features respondents from industries such as technology (17%); financial services, banking and insurance (14%); telecommunications (6%); and healthcare (5%). Government cybersecurity professionals represented 20% of those surveyed.

Mix of analysts and tools

According to the survey, 40% of respondents reported that security analysts at their organizations used threat hunting platforms, up 5 percentage points from a similar survey in 2017. Benefits ranged from improved detection of advanced threats to less time spent coordinating events. The top indicators of compromise most frequently investigated by security analysts included behavior anomalies (67%), IP addresses (58%), domain names (46%), denied or flagged connections (46%) and file names (32%).

Security operations centers had more analysts hunting in 2018, at 17%, compared with 14% in 2017. More than half, however, have five or fewer analysts in their SOCs dedicated to threat hunting, the report found.

While security operations centers at some organizations are maturing, along with a greater awareness of threat hunting, 33% of those surveyed indicated limited SOC capabilities when it came to emerging threats; 28% said their SOC was advanced; 24% reported it was compliant, but behind the curve; and only 15% said their SOC was cutting-edge.

Companies used a variety of tools for threat hunting. The top technologies included the following:

  • next-generation firewalls, intrusion prevention systems and antivirus software (55%);
  • SIEM (50%);
  • antiphishing or other messaging security software (49%);
  • threat intelligence platforms (39%);
  • enrichment and investigation tools (34%); and
  • vulnerability management (32%).

The majority of threat hunting was performed in-house (56%). Some companies used a hybrid of in-house and service provider (22%); others outsourced threat hunting (11%). Meanwhile, 11% of survey respondents reported that their organizations did “no proactive threat hunting.”

Security analysts at 60% of the organizations said they do not currently use threat hunting platforms or techniques. However, six out of 10 organizations indicated plans to build a threat hunting program in the next three years, according to the “2018 Threat Hunting Report,” which is produced in partnership with multiple vendors.

Barriers to adoption ranged from lack of budget (45%) to untrained personnel (7%). The tools desired most often for threat hunting included threat intelligence (69%), user and entity behavior analytics (57%), automatic detection (56%), and machine learning and automated analytics (56%).

According to proponents of threat hunting programs, such as David Bianco, who served as a technology adviser for Sqrrl Data Inc., before the startup company was acquired by Amazon Web Services earlier this year, one of the benefits is security teams can take what they find and use it to improve automated detection.

Microsoft announces new intelligent security innovations to help businesses manage threats from cloud to edge

Amid evolving digital threats, an innovative IoT security solution, integrated threat intelligence and advanced protection in Microsoft 365 help simplify cybersecurity for businesses

SAN FRANCISCO, April 16, 2018 — At a news conference on Monday, Microsoft Corp. announced several new intelligent security tools and technologies to help enterprises more easily secure their data and networks against today’s biggest threats as well as address emerging threats aimed at IoT and edge devices. These new solutions build on Microsoft’s longstanding approach to delivering innovation that customers and partners can build upon to strengthen the broader ecosystem against cyberattacks from the cloud to the edge.

“As last year’s devastating cyberattacks demonstrated, security threats are evolving and becoming even more serious,” said Brad Smith, president of Microsoft. “The tech sector’s innovations need to accelerate to outpace security threats. Today’s steps bring important security advances not just to the cloud, but to the billions of new devices that are working on the edge of the world’s computer networks.”

Securing a new generation of connected devices: announcing Azure Sphere

Microsoft is harnessing the power of the intelligent cloud to address emerging threats against a new class of connected devices, those relying on a chip the size of a thumbnail called a microcontroller unit (MCU). MCU-powered devices are already the most populous area of computing with roughly 9 billion new devices every year. They are found in everything from toys and household appliances to industrial equipment — and attackers are starting to target them. To bring security to this next generation of connected devices, Microsoft is introducing Azure Sphere, the industry’s first holistic platform for creating highly secured, connected MCU devices on the intelligent edge. It features an entirely new class of MCUs with more than five times the power of legacy MCUs, an OS custom built for IoT security, and a turnkey cloud security service that guards every Azure Sphere device. With Azure Sphere, Microsoft extends the boundaries of the intelligent edge to power and secure an entirely new category of devices.

“As our homes become more connected, we place significant value on the security of connected devices, so we can focus on continuing to deliver an exceptional customer experience,” said Brian Jones, director of Product Strategy and Marketing at Sub-Zero Group Inc. “Microsoft’s approach with Azure Sphere is unique in that it addresses security holistically at every layer.”

Microsoft 365 Intelligent Security Solutions: Simplifying Security

As security threats become more complex, companies are increasingly finding that the intelligence and threat protection tools they need to remain a step ahead of attackers are in the cloud. Today, Microsoft introduced several new intelligent security features for its Microsoft 365 commercial cloud offering designed to help IT and security professionals simplify how they manage security across their enterprises:

Advanced tools that make it easier to prevent threats before they happen

  • To help teams stay prepared and ahead of threats, Microsoft today released Microsoft Secure Score and Attack Simulator. Secure Score makes it easier for organizations to determine which controls to enable to help protect users, data and devices by quickly assessing readiness and providing an overall security benchmark score. It will also let organizations compare their results to those with similar profiles using built-in machine learning. Attack Simulator, a part of Office 365 Threat Intelligence, lets security teams run simulated attacks — including mock ransomware and phishing campaigns — to test their employees’ responses and tune configurations accordingly.

Automated threat detection and remediation to free up security operations teams

  • With the latest Windows 10 update, now in preview, Windows Defender Advanced Threat Protection (ATP) works across other parts of Microsoft 365 to include threat protection and remediation spanning Office 365, Windows and Azure. Also available today in preview, and with the upcoming Windows 10 update, are new automated investigation and remediation capabilities in Windows Defender ATP, leveraging artificial intelligence and machine learning to quickly detect and respond to threats on endpoints, within seconds, at scale.
  • Conditional Access provides real-time risk assessments to help ensure that access to sensitive data is appropriately controlled, without getting in the way of users’ productivity. Microsoft 365 is now adding the device risk level set by Windows Defender ATP to Conditional Access in preview to help ensure that compromised devices can’t access sensitive business data.

Stronger partnerships to give customers more integrated solutions

  • The intelligence data used to quickly detect and respond to threats improves as more relevant signals are added. Machine learning tools are only as good as the data they receive. Microsoft’s security products are informed by the trillions of diverse signals feeding into the Microsoft Intelligent Security Graph. Today, Microsoft announced a preview of a new security API for connecting Microsoft Intelligent Security Graph-enabled products as well as intelligence from solutions built by customers and technology partners to greatly enhance the fidelity of intelligence.

Most security tools report an attack from a single limited perspective, offering insight into one piece of a potentially larger threat. By connecting individual tools to the Intelligent Security Graph, security teams get new perspectives and more meaningful patterns of data to speed up threat investigation and remediation. The new API is in early testing with a select group of cybersecurity industry leaders that are collaborating with Microsoft to shape its development. The group, which includes Anomali, Palo Alto Networks and PwC, joined Microsoft today to share their own early exploration of the API and how it may improve each company’s ability to protect their mutual customers.

  • Microsoft also is announcing a new Microsoft Intelligent Security Association for security technology partners so they can benefit from, and contribute to, the Intelligent Security Graph and Microsoft security products. Members of the association will be able to create more integrated solutions for customers that provide greater protection and detect attacks more quickly. Palo Alto Networks and Anomali join PwC and other existing partners as founding members of the new association.

Microsoft is partnering with customers through their digital transformation by making it easier for them to help keep assets secure from the cloud to the edge.

More information on Microsoft’s security announcements can be found at the Microsoft Security News site.

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.


Ransomware outbreak threat calls for backup and DR strategy

The ransomware outbreak threat may be subsiding somewhat, but IT managers continue to shore up their defenses. Backup and disaster recovery is a key area of emphasis.

For much of 2017, the WannaCry and NotPetya ransomware outbreaks dominated cybercrime headlines. A new report from antimalware vendor Malwarebytes said ransomware detections last year increased 90% among businesses. But by the end of 2017, the “development of new ransomware families grew stale,” as cybercriminals shifted their focus to other forms of malware, such as banker Trojans that steal financial information, according to the report, “Cybercrime Tactics and Techniques: 2017 State of Malware.”

That said, organizations are looking to bolster their ransomware outbreak protections. Front-end measures often include antivirus software, firewalls and content scanners that can intercept email attachments that appear questionable.

IT departments, however, are also looking to strengthen back-end protections that can help them recover from ransomware attacks that lock up data via encryption. Here, the emphasis is on disaster recovery strategies that let a business restore its data from a backup copy. But even here, there are risks: IT managers must ensure the backups they make are actually usable and consider how long a data restore will take in the event of an emergency.

Another level of security

The city of Milpitas, Calif., already has a number of security measures in place to defend itself from a ransomware outbreak. On the front end, the municipal government employs email filtering, spam filtering and email attachment scanning. On the back end, the city uses BackupAssist, a Windows server backup and recovery software offering for SMBs. A remote disaster recovery site provides an additional line of defense.

The city earlier this month said it layered on another element to its backup and recovery defense. Mike Luu, information services director for the city of Milpitas, said the city activated CryptoSafeGuard, a BackupAssist feature the vendor recently added to its product.

CryptoSafeGuard, according to the company, prevents infected files from being backed up and also prevents backups from becoming encrypted. Some ransomware attacks have succeeded in encrypting both an organization’s production and backup data.

“It’s just another method of trying to protect against [ransomware],” Luu said of CryptoSafeGuard.

Luu said switching on CryptoSafeGuard was a simple matter of ticking a box on BackupAssist’s user interface. “It came along for the ride at no additional cost,” he added.

BackupAssist offers CryptoSafeGuard as part of the vendor’s BackupCare subscription package. Troy Vertigan, digital sales and marketing manager at BackupAssist, said 30% of the vendor’s customers running the latest versions of BackupAssist have activated CryptoSafeGuard since it became available in September 2017.

When backups fail

Backup plans can fall through when ransomware hits. TenCate, a maker of composite materials and armor based in the Netherlands, found that out a few years ago during the CryptoLocker ransomware outbreak. Malware entered the company’s U.S. operations through a manufacturing facility and made its way to the file server, recalled Jayme Williams, senior systems engineer at TenCate. Data ended up encrypted from the shop floor to the front office.

When TenCate attempted a data restore from Linear Tape-Open standard tape backups, the backup software the company used wasn’t able to catalog the LTO tapes — a necessary step for recovering files. Williams said some data had been copied off to disk media, but that backup tier was also unreadable. He contacted a data recovery service, which was able to extract the data from the disks.

The company’s disk-based backups weren’t frequent, so some of the data had become stale. The recovered data, however, provided a framework for rebuilding what was lost. It took two weeks to make data accessible again; even then, it wasn’t an ideal data restore because of the age of the recovered data.

One of the key lessons learned from the CryptoLocker experience was that TenCate’s security must have been lacking for the ransomware infection to penetrate as far as it did, Williams noted. In response, company managers have signed off on tighter security.

The other lesson: Backup and disaster recovery are different things.

“Backup is not resilience,” Williams said.

That realization put TenCate on the path toward new approaches. Initially, the company, which is a VMware shop, considered the virtualization vendor’s Site Recovery Manager. But the company’s IT services partner recommended a cloud-based backup and disaster recovery offering from Zerto. The vendor replicates data from an organization’s on-site data stores to the cloud.

One factor in favor of Zerto was simplicity. Zerto helped TenCate set up a proof of concept (POC) in about 30 minutes to demonstrate replication and failover. When Williams received permission to purchase the replication service, TenCate was able to take the POC into production without reinstallation.

When a second ransomware outbreak struck TenCate, the updated security and disaster recovery system thwarted the attack. The company’s virtual machines (VMs) were shielded within Zerto’s Virtual Protection Groups and journaling technique, which Williams described as “the TiVo of the VM.” The Zerto journal lets administrators roll back a VM to a point in time before the ransomware virus hit — a matter of seconds, according to Williams.

Time is a critical consideration in devising a ransomware mitigation strategy, noted Michael Suby, Stratecast vice president of research at Frost & Sullivan.

An excessively lengthy data restore process leaves organizations vulnerable to ransomware demands, he said. A besieged organization may capitulate and pay the fee if a drawn-out recovery time would result in a greater loss of revenue or threaten lives, as in the case of an attack against a hospital.

“Companies can still be exploited if the time to revert to those backup files is excessive,” Suby explained. “It’s not just having backup files. We have to have them readily accessible.”

No need to rush network patching for Spectre and Meltdown

The recently discovered security threat in CPUs from nearly a dozen manufacturers poses a low risk to corporate networking gear, so operators have time to test vendors’ patches thoroughly.

That’s the take of security experts contacted by SearchNetworking following the discovery last week of the Spectre and Meltdown vulnerabilities that affect Intel, AMD and ARM chips. In response, Cisco and Juniper Networks have released patches rated medium and low risk, respectively, for a variety of products.

The low risk of Spectre and Meltdown to switches and routers means network managers have the time to thoroughly test the patches to minimize their impact on hardware performance, experts said.

“If you’re getting a firmware update, you need to patch,” said Rob Westervelt, analyst at IDC. “[But] the issue is whether you just deploy the patch or test it thoroughly and make sure you don’t break any applications or anything else.”

Roughly 20 CSOs and IT security professionals interviewed by IDC were taking a methodical approach to applying Spectre and Meltdown fixes across all systems.

“While it is top of mind, it’s not something that they’re immediately jumping on to patch,” Westervelt said. “They are using established best practices and testing those patches first.”

Network performance at risk

Westervelt warned there is the possibility network performance will suffer. “In some cases, it could be very costly.”

Indeed, Microsoft reported in a blog post that the performance impact of patches for the PC and server versions of Windows would range from minor to significant, depending on the age of the operating system and the CPU. “I think we can expect a similar variety of performance impacts across other [vendors’] products,” said Jake Miller, a senior security analyst at IT consulting firm Bishop Fox, based in Tempe, Ariz.

Security pros expect hackers sophisticated enough to exploit the hard-to-reach vulnerabilities to target mostly servers in large data centers that host cloud computing environments. Because of the level of expertise needed to take advantage of the flaws, hackers working for nation states are the most likely attackers, experts said.

Exploiting the CPU holes would involve crafting code that takes advantage of how some processors anticipate the instructions a program will execute next. In preparation for that work, processors load valuable data and instructions ahead of time, and attackers can use that behavior to steal it.

“The threat is significant, but currently is limited to highly sophisticated attackers and hacking groups with the means to carry out multi-staged targeted attacks,” IDC said in a research note. “Financially motivated cybercriminals are more likely to continue to use more accessible, time-tested methods to retrieve passwords and sensitive data.”

Nevertheless, even a low risk to networking gear is worth the time needed for fixing. “It’s better to be safe than sorry,” said Jonathan Valamehr, COO and co-founder of cybersecurity company Tortuga Logic Inc.

Data protection trends: Ransomware, M&A deals dominate news

From the constant threat of ransomware attacks to looking ahead to the European Union’s General Data Protection Regulation, backup vendors had a lot to tackle in 2017. And there was even a lot of movement among vendors themselves, with several big names making acquisitions to gain footholds in important markets.

Here we run down the year’s top data protection trends and news.

Ransomware protection gains strength

The ransomware epidemic is not slowing down. While ransomware has been out there for some time now, it made international headlines in May when the WannaCry strain simultaneously hit 300,000 machines in 150 countries. Other strains have made big news and caused problems for organizations of all sizes this year. Statistics vary, but many organizations say ransomware attacks are on the rise.

While WannaCry didn’t end up pulling in as much ransom as the attackers likely anticipated, that attack and others had organizations scrambling and making data protection a top focus. Often, backup and recovery is the only way out after ransomware hits. And that focus was evident with backup vendors as well, as data protection trends in this area included adding ransomware-specific features.

  • Acronis built a new version of its Active Protection technology — integrated into Acronis True Image backup software — that uses machine learning to help prevent ransomware viruses from corrupting data. It attempts to detect suspicious application behavior before file corruption. Active Protection is available in Acronis Backup software.
  • BackupAssist launched CryptoSafeGuard, part of its data protection software for SMBs, which works with existing antimalware software. It scans and detects suspicious activity in source files that can be related to ransomware, then sends alerts and blocks backup jobs from running.
  • Druva built ransomware monitoring and detection tools into its InSync endpoint data protection software. The software flags unusual activity occurring to data and helps identify the last good snapshot to recover the entire data set or individual files.
  • Unitrends Recovery Series physical appliances and Unitrends Backup virtual appliances use predictive analytics to determine the probability that ransomware exists in an environment. The vendor alerts customers when it detects the virus, so they can immediately restore from the last legitimate recovery point.

Mergers and acquisitions aplenty

The data protection 2017 market saw a large amount of merger and acquisition activity, particularly in the second half of the year. Cloud backup provider Carbonite was especially busy.

Here are several major moves from the past year:

  • Security and data protection vendor Barracuda is going private, following its purchase in November by equity firm Thoma Bravo for $1.6 billion.
  • Vista Equity Partners in October acquired data protection vendor Datto and will merge it with IT management provider Autotask, in a play to bring several technologies under one roof for SMBs, including backup and disaster recovery, professional services automation and networking continuity. Earlier in the year, Datto bought cloud-based networking provider Open Mesh.
  • Carbonite purchased Datacastle’s endpoint backup in August, which gives the growing cloud backup vendor better scalability and a bigger play in the SMB market. That same month, Code42 announced it is shutting down its consumer cloud backup product in 2018 to focus on other sectors and referring consumers to Carbonite. Earlier in the year, Carbonite bought Double-Take Software to improve its high-availability technology.
  • Peak 10 closed on a $1.675 billion acquisition of ViaWest in August, which will combine the two cloud services providers’ offerings into a data protection suite of services that includes storage, backup and replication.
  • Axcient, which provides cloud-based disaster recovery and data protection, and EFolder, which offers cloud business continuity, cloud file sync and cloud-to-cloud backup, announced in July that they are merging.
  • Data protection vendor Arcserve in July acquired Zetta and its cloud backup and disaster recovery, following its purchase earlier in the year of FastArchiver for on-premises or public cloud emails.

The convergence and hyper-convergence of data protection

As vendors like Cohesity and Rubrik continue to lead the converged secondary storage market, backup going hyper-converged is one of the top data protection trends of 2017. Several vendors this year launched backup for hyper-converged products, with at least one data protection product focused solely on the Nutanix Acropolis Hypervisor (AHV).

The Unitrends Recovery Series backup appliances and Unitrends Backup virtual appliances integrate with AHV. The vendor also protects the other hypervisors that run on Nutanix hardware and supports VMware, Hyper-V and Citrix XenServer. Veeam, Commvault and Rubrik are among the other data protection vendors that have launched, or plan to launch, backup for AHV.

Comtrade Software in June launched HYCU, a backup product dedicated to AHV. Later in the year, the vendor updated it with broader support for Nutanix storage and additional backup management features.

Commvault went to a place it didn’t originally plan on going: the hardware market. The vendor launched its first scale-out integrated hardware appliance for data protection as it attempts to compete with Rubrik and Cohesity, as well as traditional backup vendors. The HyperScale platform is part of Commvault’s product strategy to build out its data services with software-defined storage and convergence. Converged secondary storage — one of the data protection trends that continues to grow — handles such nonprimary tasks as backup, archiving, test and development, and disaster recovery.

Ready or not, here comes GDPR

Companies are scrambling to ensure compliance with the European Union’s General Data Protection Regulation, which takes effect in May 2018. It applies to the personal data of people in the EU, wherever the organization processing that data is based, as well as to processing by organizations established in the EU. It consists of 99 articles, including a right to erasure that lets individuals require an organization to delete their personal data once there is no longer a lawful basis for keeping it.

But it was GDPR’s breach notification rule that struck a chord this year, via the Equifax breach. Under the regulation, an organization must notify its supervisory authority within 72 hours of becoming aware of a personal data breach, and must notify the affected individuals without undue delay when the breach is likely to put them at high risk. Equifax discovered its breach in late July and reported it publicly in September, roughly six weeks later. Companies not in compliance with GDPR face fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Surveys routinely show that companies are not adequately prepared for GDPR. Some vendors, though, are trying to help with compliance. For example, Veritas’ Integrated Classification Engine uses machine learning to identify sensitive and personal data, which is the first step toward honoring an erasure request or scoping a breach notification.

Data protection trends take on storage growth

Tape storage got a capacity bump with the release of LTO-8. The latest version, launched two years after LTO-7 hit the market, was announced at 32 TB of compressed capacity per tape and 12.8 TB uncompressed, with sustained transfer rates of up to 1,180 MBps compressed and 472 MBps uncompressed; the LTO-8 specification as it shipped is 12 TB native and 30 TB at the 2.5:1 compression ratio the LTO consortium assumes, with a native transfer rate of 360 MBps. Tape is seen as a safe, offline backup in the face of cyberattacks such as ransomware, with one caveat: a cartridge is only offline once it has been ejected from the library. Tapes that remain mounted, or that the backup server can still address with its own credentials, can be overwritten or erased by the same intruder who encrypted the disks, so the offline guarantee depends on a rotation that physically removes media, or on WORM cartridges. Plus, the massive capacity can help with long-term retention of huge data sets that continue to grow.

“No business measures data storage in terabytes anymore,” analyst Jon Toigo wrote in a November SearchDataBackup article. “… So LTO-8, with its 32 TB capacity, seems to be just what the doctor ordered for companies most likely to make big use of tape technology: cloudies and data-intensive verticals, such as healthcare, surveillance, research labs, and oil and gas. These firms are putting tape back to use in an old, secondary storage role.”

What’s old has become new again.

Dragonfly 2.0 hacker group seen targeting U.S. power grid

Researchers say a threat group they call Dragonfly 2.0 has been using social engineering attacks to infiltrate systems connected to critical energy infrastructure.

Symantec has been tracking a group it named Dragonfly since 2011, but it says the group started a new campaign in 2015 using new tactics and attack methods against organizations in the energy industry, which led to the new designation Dragonfly 2.0.

“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations,” Symantec wrote in its analysis. “The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”

Moreno Carullo, co-founder and CTO of Nozomi Networks, an ICS security company based in San Francisco, said that originally the group targeted pharmaceutical firms, while “Dragonfly 2.0 appears to have been weaponized to specifically target industrial control systems (ICS) field devices, and then feeds that information back to the command and control server which will be monitored by the attackers.”

“Rather than installing immediately on infection this latest iteration of Dragonfly bides its time, waiting eleven days before automatically installing a backdoor,” Carullo told SearchSecurity. “Using this new entrance, the attacker can then install or download applications to infected computers, particularly targeting Windows XP with known vulnerabilities, and even circumventing permission restrictions on user accounts.”

Symantec said it had observed Dragonfly 2.0 sending malicious emails and using watering hole attacks to harvest network credentials, then using those stolen credentials in follow-up attacks against targeted organizations in the energy sector.

“In 2014, Symantec observed the Dragonfly group compromise legitimate software in order to deliver malware to victims, a practice also employed in the earlier 2011 campaigns. In the 2016 and 2017 campaigns the group is using the evasion framework Shellter in order to develop trojanized applications. In particular, Backdoor.Dorshel was delivered as a trojanized version of standard Windows applications,” Symantec explained in a blog post. “Symantec also has evidence to suggest that files masquerading as Flash updates may be used to install malicious backdoors onto target networks — perhaps by using social engineering to convince a victim they needed to download an update for their Flash player.”
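One of the cheapest detections for the lure Symantec describes in the paragraph above is to look in web proxy logs for executable "Flash updates" that did not come from Adobe. The following is an added example written for this page; it is not Symantec's indicators, not Dragonfly tooling, and not any vendor's product. The log format (six space-separated fields), the client addresses, the lookalike domains `adobe-update-center.example` and `get.adobe.com.cdn-updates.example`, and the allow-list of trusted hosts are all constructed for illustration. The point it makes beyond the text is the domain check: a substring match on "adobe.com" would wave through `adobe.com.evil.example`, so the example matches only an exact trusted domain or a real subdomain of it.

```python
import posixpath
import re
from urllib.parse import urlparse

# Domains that legitimately serve Flash Player installers. This allow-list is an
# assumption for the example; an operator would maintain their own.
TRUSTED_INSTALLER_DOMAINS = {"adobe.com"}
EXEC_EXTENSIONS = {".exe", ".msi"}
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-msi"}
FLASH_NAME = re.compile(r"flash", re.IGNORECASE)


def host_is_trusted(host: str) -> bool:
    """True only for a trusted domain or a genuine subdomain of it.
    'adobe.com.evil.example' and 'adobe-update-center.example' both fail here,
    whereas a naive substring test would accept the first one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_INSTALLER_DOMAINS)


def parse_proxy_line(line: str):
    """Parse the constructed format used below:
    timestamp client method url status content_type
    Returns None for lines that do not fit the format."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, method, url, status, ctype = fields
    parsed = urlparse(url)
    if not parsed.hostname:
        return None
    return {
        "ts": ts, "client": client, "method": method, "url": url,
        "status": status, "ctype": ctype.lower(),
        "host": parsed.hostname, "filename": posixpath.basename(parsed.path),
    }


def is_fake_flash_update(rec: dict) -> bool:
    """An executable whose name claims to be Flash, fetched from an untrusted host."""
    name = rec["filename"]
    ext = posixpath.splitext(name)[1].lower()
    executable = ext in EXEC_EXTENSIONS or rec["ctype"] in EXEC_CONTENT_TYPES
    return bool(FLASH_NAME.search(name)) and executable and not host_is_trusted(rec["host"])


def detect_fake_flash_updates(lines):
    """Return one alert per successful (2xx) download that matches the lure."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec and rec["status"].startswith("2") and is_fake_flash_update(rec):
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "host": rec["host"], "filename": rec["filename"]})
    return alerts


# Constructed sample proxy log: one genuine Adobe download, one unrelated PDF,
# a lookalike domain (once successful, once 404), a subdomain-spoofing host,
# an image that merely has "flash" in its name, and a malformed line.
SAMPLE_LOG = """\
2017-09-05T10:14:02Z 10.1.5.23 GET http://fpdownload.adobe.com/get/flashplayer/update/current/install/install_flash_player_27_plugin.exe 200 application/octet-stream
2017-09-05T10:16:40Z 10.1.5.23 GET http://intranet.example/reports/outage-summary.pdf 200 application/pdf
2017-09-05T11:02:11Z 10.1.7.41 GET http://adobe-update-center.example/flashplayer_update.exe 200 application/x-msdownload
2017-09-05T11:02:12Z 10.1.7.41 GET http://adobe-update-center.example/flashplayer_update.exe 404 text/html
2017-09-05T13:45:59Z 10.1.9.8 GET http://get.adobe.com.cdn-updates.example/install_flash_player.exe 200 application/octet-stream
2017-09-05T13:50:00Z 10.1.9.8 GET http://cdn.example/assets/flash-banner.png 200 image/png
malformed entry
"""


def run_sample():
    return detect_fake_flash_updates(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two of the seven lines should produce alerts: the lookalike domain's successful download and the subdomain-spoofing host. The 404 retry is deliberately ignored, since nothing reached the endpoint; in a real deployment the 2xx filter would be paired with the endpoint's own execution telemetry, because a download that never ran is a lower-priority lead than one that did.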

Symantec said it is clear “that Dragonfly is a highly experienced threat actor,” but that there wasn’t enough evidence to determine whether it is a nation-state group or where it originates.

Dragonfly 2.0 succeeding with old exploit methods

Leigh-Anne Galloway, cyber security resilience officer at Positive Technologies, an enterprise security company based in Framingham, Mass., said it was interesting that the group was making so much headway by using “relatively unsophisticated methods.”

“Usually with [supervisory control and data acquisition (SCADA)], the tactic of choice is to exploit zero-day vulnerabilities. In this case though, they’ve chosen to go for the older, but most effective methods of phishing and watering holes to get in,” Galloway told SearchSecurity. “As old as these techniques might be, this blunt instrument has proved as effective as ever, relying on the age-old ally of cyber criminals: human fallibility. These hackers have bet that, in spite of the critical importance of the systems, the people using them don’t have the security wherewithal to think before clicking on a link or opening an attachment. And in this case, they were right. In SCADA networks, the implications are life threatening, to personnel and the general public, and attackers could cause a short circuit disrupting safety mechanisms, or cause a complete outage.”


Ken Spinner, vice president of field engineering at Varonis, agreed that it was “significant and startling that the attacks being attributed to Dragonfly 2.0 began with spearphishing emails.”

“The notion that there may be nation-state or rogue actors who have been resident in the networks of nuclear facilities, electrical grids, and dams isn’t far-fetched. Many of these infrastructure providers are relying on outdated security systems with limited detection capabilities,” Spinner told SearchSecurity. “We’ve seen malware impact energy systems dating as far back as 2003, when the Microsoft SQL Server worm Slammer infected an Ohio-based nuclear power plant network, causing a temporary outage. The key difference today is that attackers are equipped with far more sophisticated malware that is designed specifically to infiltrate and damage things like electricity substation switches and circuit breakers.”

The dangers of persistent ICS attacks

Omer Schneider, CEO and co-founder of CyberX, an ICS security company based in Framingham, Mass., said no one should be surprised by these findings.

“As early as 2014, the ICS-CERT warned that adversaries had penetrated our control networks to perform cyberespionage. Over time the adversaries have gotten even more sophisticated and now they’ve stolen credentials that give them direct access to control systems in our energy sector,” Schneider told SearchSecurity. “If I were a foreign power, this would be a great way to threaten the U.S. while I invade other countries or engage in other aggressive actions against U.S. allies.”

Spinner said it is especially dangerous when an advanced persistent threat (APT) group like Dragonfly 2.0 sets up shop on a network.

“APTs will try to remain undetected as long as possible to do the most damage. Attackers will often establish numerous footholds within a network and attempt to remain undetected while mapping systems and locating key documents, emails, and user accounts,” Spinner said. “One of the most effective defenses against large scale cyberattacks on critical infrastructure is to establish separate, air-gapped networks that provide a physical line of defense. Separating core power systems from each other and the greater Internet can help mitigate attacks.”

Test your knowledge of Office 365 ATP

Microsoft stepped up its security game when it introduced Office 365 Advanced Threat Protection in 2015. The service builds on Exchange Online Protection, which provides anti-spam and antimalware filtering, by also detonating attachments in a sandbox and checking links at the time they are clicked. With more complex security threats appearing daily, customers need more protection.

Office 365 ATP is an optional email filtering service that blocks advanced threats, such as malicious URLs and new malware. Take this quiz to test your knowledge of the latest Microsoft Office 365 ATP features.
