BEC Attacks: Can You Stop the Imposters in Your Inbox?

BEC attacks are a $1.8 billion racket — and statistically, your business will be targeted sooner rather than later. Watch this webinar to learn how to stop them.

If asked which of the threat types tracked by the FBI causes the most financial damage, most people would say ransomware.

They’d be wrong.

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 Business Email Compromise (BEC) reports, with adjusted losses totaling almost $2.4 billion. That’s an average of more than $120,270 per incident, compared with just under $13,200 per incident for ransomware attacks.

Since the FBI began tracking these threats in 2013, tens of billions in financial losses have been recorded, resulting from nearly 170,000 incidents in 178 countries.

So why hasn’t this threat risen to the notoriety of ransomware?

During many ransomware attacks, business operations grind to a halt. When a company loses access to customer information, payment systems and mission-critical applications, it often becomes clear in short order that something is wrong.

But BEC attacks are comparatively silent. Even when these attacks have a huge impact on an organization’s bottom line, operations can generally continue as usual. As a result, businesses frequently opt to keep these attacks out of the public eye to avoid risking reputation damage and loss of trust.

But although ransomware still dominates security news, the growing frequency, volume and cost of BEC attacks have begun attracting more attention.

As a result, BEC attacks have become a top threat concern for many organizations today, according to a recent SonicWall-sponsored white paper by Osterman Research. “How to Deal with Business Email Compromise” reports primary research data from an in-depth customer survey of 119 respondents, each of whom has direct knowledge of how their organization is addressing or planning to address the risk of BEC.

The results from this study offer a look at how security influencers and decision-makers are taking BEC into account when formulating their spending plans for the next 12 months. For example, while just 46% of organizations said they considered protecting against BEC attacks “important” or “extremely important” 12 months ago, 76% said they considered it important or extremely important today.

80%: Organizations indicating that protecting against BEC attacks in 2023 is of high importance

The data also shows that three-fifths of organizations in the study view protecting against BEC attacks as one of their top five security priorities.

62%: Organizations ranking protecting against BEC attacks as one of their top five priorities.

How BEC Attacks Fly Under the Radar

But what makes BEC attacks so dangerous when compared with other forms of cyberattacks? And why are they harder to stop?

BEC is a specialized type of phishing attack that relies on social engineering. These attacks often use a proven pretexting technique to engineer a quick introduction and establish a believable scenario in order to manipulate the victim into taking a specific action.

While these attacks can target employees at any level of an organization, they generally start with an attacker impersonating a person with authority, such as a CEO or CFO, a manager, or a supplier. The attacker uses the authority figure’s identity to start a chain of plausible (but fake) requests to gain monetary payment. This typically involves instructing someone in accounts payable, someone in HR or even someone with a company credit card to pay a fake invoice, transfer funds, send gift cards or make payroll payouts. The urgent tone of these messages encourages the victim to respond or act quickly, bypassing any checks and balances that may be in place.

Compared with other forms of cyberattacks, BEC attacks are among the hardest to detect because the threat signals are far less obvious. Relying on trickery and impersonation, the approach is very subtle, and the actual delivery generally doesn’t use weaponized URLs or malicious attachments, which are easily detected.

In addition, the email content and the delivery mechanism are usually of higher quality and often tailored to target a specific person or persons. With little to no apparent sign of a threat, these messages can bypass most email security filters to reach the inbox — and the absence of any sort of alert, such as a contextual warning advising them to exercise caution, leaves the victim more vulnerable to falling for the scam.

Because so many of these scams are successful, their use has grown dramatically — today, roughly 80% of companies are targeted by BEC attacks each year. While there isn’t much you can do to avoid being targeted, there’s plenty you can do to safeguard your organization’s finances. To learn more about BEC attacks and how to stop them, check out our webinar, “Can You Stop the Imposters in Your Inbox?”

Source :
https://blog.sonicwall.com/en-us/2022/06/bec-attacks-can-you-stop-the-imposters-in-your-inbox/

An Analysis of Azure Managed Identities Within Serverless Environments

We examine Azure’s Managed Identities service and its security capability in a threat model as developers’ go-to feature for managing secrets and credentials.

Authentication and authorization play crucial parts when securing resources. Authentication verifies that the service or user accessing the secured resources has provided valid credentials, while authorization makes sure that they have sufficient permissions for the request itself.

Broken Access Control was listed among the OWASP top 10 most prevalent web application issues from 2017 to 2021, and we have previously written about the importance of secrets management used for authentication. Broken access control occurs when an unauthorized user can access, modify, delete, or perform actions within an application or system that fall outside the set permissions or policies, whether maliciously or unintentionally. It has become the number one concern on the organization’s list, and in this article, we discuss Azure’s Managed Identities service inside the cloud service provider (CSP) as a way to tackle this web application issue.

Managing system and user identities

Managed Identities for Azure allows users to authenticate to certain services available within the CSP. This is done by providing the cloud application with a token used for service authentication. We distinguish between two types of managed identities: system-assigned identities and user-assigned identities. System-assigned identities are restricted to one per resource, which means that different user roles can’t be applied to the same resource. User-assigned identities solve this problem, and we can think of them as user roles.

Figure 1. Usage of Managed Identities


For instance, suppose we want to use an Azure storage account within a serverless application for saving our application records. For this purpose, we decide to use a system-assigned identity.

This practically means:

  • Enable managed identities inside a serverless function
  • Grant serverless functions the necessary permissions for storage account access

Figure 2. Enabling managed identities in a serverless function


After that, we can start using the managed identity for authentication to the storage account. In the following sections, we will look at how the managed identities interface is technically implemented within the serverless environment and the corresponding security implications based on our recent research.

Managing identities in the serverless environment

To make it work, the serverless environment runs a special .NET application process named “dotnet TokenServiceContainer.dll.” This process listens on localhost, port 8081, to accept HTTP requests. The endpoint for requesting a token is http://localhost:8081/msi/token, and the required parameters specify the API version used and the resource identifier for which the service requests the token. Optionally, the request includes “client_id,” a parameter used when a user-assigned managed identity token is requested. The request also needs a specific X-IDENTITY-HEADER, and the needed value is present inside the IDENTITY_HEADER or MSI_SECRET environmental variable.

After receiving this token request, the process delegates it to an endpoint within the CSP (another service), which provides the requested token. The endpoint is publicly available and is part of the *.identity.azure.net subdomain based on the region of the serverless application. Because the endpoint is publicly accessible, the service by design requires authentication, and this is done using an X509 client certificate. This certificate is unique to the specific application ID (meaning the serverless function has a one-to-one pairing of certificate and app ID) and valid for 180 days. If the request is successful, it returns a JSON response with a bearer token valid for one day.

Figure 3. Managed identities inside serverless environments


From that perspective, the security standard is high, which is expected from a CSP service. However, there is one hidden danger and that is the certificate itself. The certificate can be leaked by leaking environmental variables.

The Managed Service Identity (MSI) certificate is part of the encrypted container context, which can be accessed from inside the environment using the URL specified in CONTAINER_START_CONTEXT_SAS_URI and decrypted using the CONTAINER_ENCRYPTION_KEY variable. Once the certificate is leaked, it can be used to obtain the token outside the scope of CSP services, and the token can then be used successfully against publicly available service endpoints as if the call came from the CSP service.

Threat model and scenario

Figure 4. PoC of getting token using leaked environmental variables from Managed Identity service


At this point, we should emphasize that to be able to abuse the retained token, a certain factor (or malicious actor) must first leak these environmental variables, and there must be a role assigned within the requested resource. The prerequisites are that identities are enabled and a role is set for the application. This means there are no default roles unless explicitly specified within the CSP settings.

However, as this example of a potential compromise through a gap that leaks the environmental variables of a Linux endpoint shows, using environmental variables to store sensitive information is not a secure approach, because they are inherited by child processes by default. Considering that the information is available inside the environment itself and that the certificate contains all the information provided, the endpoint for getting the token now becomes publicly available. A threat actor can get the authentication token outside of the CSP’s service and get all the permissions of the original user.

In this example, the token provider service within the serverless environment is running under a different user. Why, then, is the client certificate not available solely to this user, in the form of a file with permissions only for that user? As it stands, a compromised serverless function can leak the certificate and obtain the access token from the external service. While the unauthorized user can’t get additional privileges beyond what the function has, this is enough to conduct activities inside the environment that can have a range of damaging effects. By moving the client certificate into the security boundary of the token service user and setting access permissions for the token service user as read-only, we guarantee that even in case of a compromise, the client certificate cannot be leaked and used outside the CSP service without additional lateral movement.

The security chain is only as strong as its weakest parts. And while CSP services are not inherently insecure, small design weaknesses put together with improper user configurations could lead to bigger, more damaging consequences. Design applications, environments, and all their related variables with security in mind. If possible, avoid using environmental variables. Following best security practices such as applying the principle of least privilege helps to mitigate the consequences of a breach.
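An added example (not from the original article or from Azure) of limiting the inheritance described above: a function that has to start a helper process passes it an environment stripped of the identity-related variables the article names, and redacts their values from any text it logs. The deny-list policy, the function names and the placeholder values are assumptions of this example.

```python
import os
import subprocess
import sys

# Variable names as given in the article. Treating exactly this set as the
# deny-list is an assumption of this example.
SENSITIVE_VARS = (
    "CONTAINER_ENCRYPTION_KEY",
    "CONTAINER_START_CONTEXT_SAS_URI",
    "IDENTITY_HEADER",
    "MSI_SECRET",
)

# Constructed placeholder values, used only by demo() and the tests.
CONSTRUCTED = {
    "IDENTITY_HEADER": "constructed-identity-header-0001",
    "MSI_SECRET": "constructed-msi-secret-0002",
    "CONTAINER_START_CONTEXT_SAS_URI":
        "https://storage.example.invalid/ctx?sig=constructed-0003",
    "CONTAINER_ENCRYPTION_KEY": "constructed-encryption-key-0004",
}


def scrubbed_env(env=None):
    """Return a copy of the environment without the identity material."""
    source = os.environ if env is None else env
    return {k: v for k, v in source.items() if k not in SENSITIVE_VARS}


def run_child(argv, env=None, timeout=30):
    """Run a helper process that does not inherit the sensitive variables.

    argv is a list, so no shell is involved and nothing is interpolated.
    """
    return subprocess.run(
        argv,
        env=scrubbed_env(env),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


def redact(text, env=None):
    """Replace any sensitive value found in text (log line, error body)."""
    source = os.environ if env is None else env
    for name in SENSITIVE_VARS:
        value = source.get(name)
        if value:
            text = text.replace(value, "[REDACTED:%s]" % name)
    return text


def demo():
    """Compare what a child sees with default inheritance and with scrubbing.

    Returns two comma-separated lists of sensitive variable NAMES visible
    to the child process (values are never printed).
    """
    env = dict(os.environ)
    env.update(CONSTRUCTED)
    probe = (
        "import os; "
        "print(','.join(sorted(n for n in os.environ if n in %r)))"
        % (SENSITIVE_VARS,)
    )
    inherited = subprocess.run(
        [sys.executable, "-c", probe],
        env=env, capture_output=True, text=True, timeout=30,
    ).stdout.strip()
    isolated = run_child([sys.executable, "-c", probe], env=env).stdout.strip()
    return inherited, isolated


if __name__ == "__main__":
    inherited, isolated = demo()
    print("default inheritance exposes:", inherited or "(none)")
    print("scrubbed child exposes:     ", isolated or "(none)")
```

Scrubbing the child's environment does not protect the parent process itself; it only narrows what a compromised or overly chatty helper can expose.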

Source :
https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/an-analysis-of-azure-managed-identities-within-serverless-environments

Trend Micro Cloud App Security Threat Report 2021

In this report, we highlight the notable email threats of 2021, including over 33.6 million high-risk email threats (representing a 101% increase from 2020’s numbers) that we’ve detected using the Trend Micro Cloud App Security platform.

Email is an integral cog in the digital transformation machine. This was especially true in 2021, when organizations found themselves trying to keep business operations afloat in the middle of a pandemic that has forever changed how people work. At a time when the workplace had already largely shifted from offices to homes, malicious actors continued to favor email as a low-effort yet high-impact attack vector to disseminate malware.

Email is not only popular among cybercriminals for its simplicity but also for its efficacy. In fact, 74.1% of the total threats blocked by Trend Micro in 2021 are email threats. Meanwhile, the 2021 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3) states that there was “an unprecedented increase in cyberattacks and malicious cyber activity” last year, with business email compromise (BEC) being among the top incidents.

In this report, we discuss the notable email threats of 2021 based on the data that we’ve gathered using the Trend Micro™ Cloud App Security™, a security solution that supplements the preexisting security features in email and collaboration platforms.

Malware detections surge as attacks become more elaborate, targeted

The Trend Micro Cloud App Security solution detected and thwarted a total of 3,315,539 malware files in 2021. More urgently, this number represents an increase of a whopping 196% from 2020’s numbers. There were also huge spikes in both known and unknown malware detections in 2021 at 133.8% and 221%, respectively.

Cybercriminals worked overtime to attach malware in malicious emails in 2021 using advanced tactics and social engineering lures. In January, we saw how Emotet sent spam emails that used hexadecimal and octal representations of IP addresses for detection evasion in its delivery of malware such as TrickBot and Cobalt Strike.

In May last year, we reported on Panda Stealer, an information stealer that targets cryptocurrency wallets and credentials via spam emails. We also shared an update on APT-C-36 (aka Blind Eagle), an advanced persistent threat (APT) group targeting South American entities using a spam campaign that used fraudulent emails impersonating Colombia’s national directorate of taxes and customs and even fake infidelity email lures.

QAKBOT operators also resumed their spam campaign in late 2021 after an almost three-month hiatus and abused hijacked email threads to lead victims to both QAKBOT and the SquirrelWaffle malware loader.

Meanwhile, ransomware detections continued to decline in 2021, a consistent trend that we have been seeing in previous years. Last year, the Trend Micro Cloud App Security solution detected and blocked 101,215 ransomware files — a 43.4% decrease compared to 2020’s detections.

The reason behind this continuing decline is possibly two-fold. One, unlike legacy ransomware that focuses on the quantity of victims, modern ransomware focuses on waging highly targeted and planned attacks to yield bigger profits. Since today’s ransomware actors no longer abide by the spray-and-pray ransomware model, the number of attacks is no longer as massive as the number that we witnessed in ransomware’s early days. We identified the other reason in our year-end roundup report: it’s possible that ransomware detections are down because our cybersecurity solutions continue to block an increasing number of ransomware affiliate tools each year, including TrickBot and BazarLoader. This could have prevented ransomware attacks from being successfully executed on victim environments.

Known, unknown, and overall credential phishing attacks rose in 2021

Based on Trend Micro Cloud App Security data, 6,299,883 credential phishing attacks were detected and blocked in 2021, which accounts for a 15.2% overall increase. Similar to last year, the number of known credential phishing attacks is greater than the unknown ones. However, this year, the percentage of increase is at a staggering 72.8%.

When comparing 2020 and 2021’s numbers, we saw an 8.4% increase in the number of detections for known credential phishing links, while a 30% growth is observed in the number of detections for unknown credential phishing links.

Abnormal Security noted the increase in overall credential phishing attacks in one 2021 report and stated that credential phishing accounted for 73% of all advanced threats that they’ve analyzed.

We have also documented the rise in credential phishing attacks from previous years. In fact, in the first half of 2019, the Trend Micro Cloud App Security solution detected and blocked 2.4 million credential phishing attacks alone.

BEC’s small numbers bring big business losses

The Trend Micro Cloud App Security solution intercepted a total of 283,859 BEC attacks in 2021. Compared with 2020’s BEC detections, this number represents a 10.61% decrease. Interestingly, there is an 82.7% increase in this year’s BEC attacks that were detected using Writing Style DNA, while there is a 38.59% decrease in attacks that have been blocked using the antispam engine.

Overall, BEC numbers have consistently been on a downward trend since 2020. But the reduction in BEC victims doesn’t equate to a dip in cybercriminal profits. According to the FBI’s IC3, BEC accounted for US$2.4 billion in adjusted losses for both businesses and consumers in 2021. According to the same organization, BEC losses have reached over US$43 billion between June 2016 and December 2021 for both domestic and international incidents.

We have also observed how BEC actors continuously tweak their tactics for ill gain. In August last year, our telemetry showed a gradual increase in BEC detections. Upon investigation, we discovered that instead of impersonating company executives and upper management personnel, this BEC-related email campaign impersonated and targeted ordinary employees for money transfers and bank payroll account changes.

Covid-19 lures, cybercriminal campaigns behind massive jump in phishing numbers

The Trend Micro Cloud App Security solution data shows that a total of 16,451,166 phishing attacks were detected and blocked in 2021. This is a 137.6% growth from 2020’s phishing numbers.

In contrast to last year’s numbers, we saw a significant jump in phishing attacks detected via spam count this year — a whopping 596% increase, to be specific. Meanwhile, we observed a notable 15.26% increase in credential phishing count compared to last year.

These high numbers reflect organizations’ sentiments about phishing attacks. According to a survey in an Osterman Research report titled “How to Reduce the Risk of Phishing and Ransomware,” organizations were “concerned” or “extremely concerned” about phishing attempts making their way to end users and employees failing to spot phishing and social engineering attacks before accessing a link or attachment.

While they kicked off the majority of Covid-19-related phishing emails and sites in 2020, cybercriminals still exploited the global pandemic for financial gain. Last year, Mexico-based medical laboratory El Chopo shared that a fraudulent website that looked identical to the company’s had been launched. On that website, users could schedule a vaccination appointment after paying MXN2,700 (approximately US$130). To make the fake website appear credible, the malicious actors behind it added fake contact information such as email addresses and social media pages that victims could use for inquiries.

Early last year, we reported on a wave of phishing emails that pretended to be coming from national postal systems. This campaign attempted to steal credit card numbers from 26 countries. We also investigated a spear-phishing campaign that used Pegasus spyware-related emails to lead victims into downloading a file stealer. This campaign targeted high-ranking political leaders, activists, and journalists in 11 countries.

Protect emails, endpoints, and cloud-based services and apps from attacks with Trend Micro Cloud App Security

Organizations should consider a comprehensive multilayered security solution such as Trend Micro Cloud App Security. It supplements the preexisting security features in email and collaboration platforms like Microsoft 365 and Google Workspace (formerly known as G Suite) by using machine learning (ML) to analyze and detect any suspicious content in the message body and attachments of an email. It also acts as a second layer of protection after emails and files have passed through Microsoft 365 or Gmail’s built-in security.

Trend Micro Cloud App Security uses technologies such as sandbox malware analysis, document exploit detection, and file, email, and web reputation technologies to detect malware hidden in Microsoft 365 or PDF documents. It provides data loss prevention (DLP) and advanced malware protection for Box, Dropbox, Google Drive, SharePoint Online, OneDrive for Business, and Salesforce while also enabling consistent DLP policies across multiple cloud-based applications. It also offers seamless integration with an organization’s existing cloud setup, preserving full user and administrator functionality, providing direct cloud-to-cloud integration through vendor APIs, and minimizing the need for additional resources by assessing threat risks before sandbox malware analysis.

Trend Micro Cloud App Security stands on the cutting edge of email and software-as-a-service (SaaS) security, offering ML-powered features that combat two of the primary email-based threats: BEC and credential phishing. Writing Style DNA can help determine if an email is legitimate by using ML to check a user’s writing style based on past emails and then comparing suspicious emails against it. Computer vision, on the other hand, combines image analysis and ML to check branded elements, login forms, and other site content. It then pools this information with site reputation elements and optical character recognition (OCR) to check for fake and malicious sites — all while reducing instances of false positives to detect credential phishing email.

This security solution also comes with an option to rescan historical URLs in users’ email metadata and perform continued remediation (automatically taking configured actions or restoring quarantined messages) using newer patterns updated by Web Reputation Services.

This is a significant option since users’ email metadata might include undetected suspicious or dangerous URLs that have only recently been discovered. The examination of such metadata is thus an important part of forensic investigations that help determine if your email service has been affected by attacks. This solution also officially supports the Time-of-Click Protection feature to protect Exchange Online users against potential risks when they access URLs in incoming email messages.

Trend Micro Cloud App Security also comes with the advanced and extended security capabilities of Trend Micro XDR, providing investigation, detection, and response across your endpoints, email, and servers.

Source :
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/trend-micro-cloud-app-security-threat-report-2021

Log4Shell Still Being Exploited to Hack VMware Servers to Exfiltrate Sensitive Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks.

“Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and [Unified Access Gateway] servers,” the agencies said. “As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command-and-control (C2).”

In one instance, the adversary is said to have been able to move laterally inside the victim network, obtain access to a disaster recovery network, and collect and exfiltrate sensitive law enforcement data.

Log4Shell, tracked as CVE-2021-44228 (CVSS score: 10.0), is a remote code execution vulnerability affecting the Apache Log4j logging library that’s used by a wide range of consumers and enterprise services, websites, applications, and other products.

Successful exploitation of the flaw could enable an attacker to send a specially-crafted command to an affected system, enabling the actors to execute malicious code and seize control of the target.

Based on information gathered as part of two incident response engagements, the agencies said that the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed “hmsvc.exe” that’s equipped with capabilities to log keystrokes and deploy additional malware.

“The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network,” the agencies noted, adding it also offers a “graphical user interface (GUI) access over a target Windows system’s desktop.”

The PowerShell scripts, observed in the production environment of a second organization, facilitated lateral movement, enabling the APT actors to implant loader malware containing executables that include the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute next-stage binaries.

Furthermore, the adversarial collective leveraged CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager that came to light in April 2022, to deliver the Dingo J-spy web shell.

Ongoing Log4Shell-related activity even after more than six months suggests that the flaw is of high interest to attackers, including state-sponsored advanced persistent threat (APT) actors, who have opportunistically targeted unpatched servers to gain an initial foothold for follow-on activity.

According to cybersecurity company ExtraHop, Log4j vulnerabilities have been subjected to relentless scanning attempts, with financial and healthcare sectors emerging as an outsized market for potential attacks.

“Log4j is here to stay, we will see attackers leveraging it again and again,” IBM-owned Randori said in an April 2022 report. “Log4j buried deep into layers and layers of shared third-party code, leading us to the conclusion that we’ll see instances of the Log4j vulnerability being exploited in services used by organizations that use a lot of open source.”

Source :
https://thehackernews.com/2022/06/log4shell-still-being-exploited-to-hack.html

Broadcom and VMware: Planning for the next generation of infrastructure software

In late May we announced our agreement to acquire VMware. Since that time, we’ve been meeting with many VMware customers and partners to tell them more about how this combination will deliver compelling benefits to them. We’ve also kicked off planning efforts for the post-closing company.

VMware is an iconic software company with a vibrant ecosystem, including hyperscalers, system integrators and channel partners. We don’t want to change any of that, and in fact, we want to embrace those relationships. We have tremendous respect for what VMware has built, supported by a skilled team of engineering talent. It is for all these reasons and more that we’ve committed to rebrand Broadcom Software Group as VMware.

Bringing VMware’s multi-cloud offerings and Broadcom’s software portfolio together after the deal closes will enable customers greater choice and flexibility to build, run, manage, connect and protect traditional and modern applications at scale across diversified, distributed environments. Simply put, this combination will help customers better meet the demands of the incredibly complex IT landscape head on. We share VMware’s commitment to working in close partnership with customers on joint engineering and innovation initiatives to drive enhanced value and performance.

The existing Broadcom Software business – including our portfolio of Value Stream Management, AIOps and Observability, Cybersecurity, Enterprise Automation and Continuous Delivery solutions – will be offered alongside the VMware solutions for cloud infrastructure, modern applications and anywhere workspace after the deal closes. Following the anticipated rebrand, customers will have the ability to purchase from the new VMware a broad portfolio of solutions that help enterprises build, manage and secure a wide variety of applications – from mainframe to client server to cloud-native via Kubernetes – and more securely deliver amazing end user experiences to any device anywhere. All of this means we will be placing more choice in customers’ hands.

Broadcom’s commitment

Delivering on this value proposition has never been more critical, and we recognize that enterprise customers are relying on both companies for high-performing and ubiquitous access to their critical applications. We have been listening closely to customer and partner feedback, and we are committed to getting it right.

We are approaching the post-closing planning phase of the transaction process with an open mind, while drawing from the lessons learned from our previous acquisitions of CA and Symantec Enterprise. This means that we’ll be working in close coordination with VMware to learn more about their go-to-market, product portfolio, approach to innovation, engineering talent, partner network and, of course, strong customer footprint.

The insights we’re gaining are only strengthening our confidence in the future of a combined Broadcom Software and VMware. VMware has great technology and respected products that will remain a source of significant value to the combined company going forward after the deal closes. And we recognize the central role that VMware’s deep customer relationships play in its success. Broadcom wants to preserve and grow these relationships – we’ll be investing in both the direct sales force across all key verticals as well as the partners that support the broader customer base.

From a product portfolio standpoint, this transaction presents a tremendous opportunity to advance our mutual focus on innovation. We recognize that customers value VMware because of its strong history of innovation and technology leadership. Broadcom also has a proud track record of significant R&D investment – as a company, we’ve grown total R&D spending 24x since 2009 – and this will remain a top priority after the deal closes with VMware as part of Broadcom. A key pillar of the combined company’s innovation roadmap will be to retain and support VMware’s engineering and R&D talent, and we are committed to this effort as we progress toward closing the transaction and thereafter.

All this said, we are still in the early days of this exciting journey. We will be carefully evaluating the proposed combined footprint and operating model of Broadcom Software plus VMware, and we will be approaching each decision with a commitment to transparency, innovation, value creation and maintaining the highest-quality experience for customers and partners. We will continue to welcome input from VMware leadership, employees, customers and partners as we plan for this next chapter, and we look forward to keeping you updated.

Additional Information about the Transaction and Participants in the Solicitation: Broadcom Inc. (“Broadcom”) intends to file with the SEC a Registration Statement on Form S-4 that will include a proxy statement of VMware, Inc. (“VMware”) and that also constitutes a prospectus of Broadcom, as well as other relevant documents concerning the proposed transaction. We urge investors to read the proxy statement/prospectus and any other documents filed with the SEC in connection with the proposed transaction or incorporated by reference in the proxy statement/prospectus, if and when they become available, because they will contain important information. Investors may obtain these documents free of charge at the SEC’s web site (www.sec.gov). In addition, the documents filed with the SEC by Broadcom may be obtained free of charge on Broadcom’s website at https://investors.broadcom.com. Copies of the documents filed with the SEC by VMware will be available free of charge on VMware’s website at ir.vmware.com. The directors, executive officers, and certain other members of management and employees of VMware and Broadcom may be deemed to be participants in the solicitation of proxies in favor of the proposed transactions. Information about the directors and executive officers of Broadcom, including a description of their direct or indirect interests, by security holdings or otherwise, is set forth in Broadcom’s proxy statement for its 2022 Annual Meeting of Stockholders, which was filed with the SEC on February 18, 2022, and Broadcom’s Annual Report on Form 10-K for the fiscal year ended October 31, 2021, which was filed with the SEC on December 17, 2021.
Information about the directors and executive officers of VMware, including a description of their direct or indirect interests, by security holdings or otherwise, is set forth in VMware’s proxy statement for its 2022 Annual Meeting of Stockholders, which was filed with the SEC on May 27, 2022, VMware’s Annual Report on Form 10-K for the fiscal year ended January 28, 2022, which was filed with the SEC on March 24, 2022, a Form 8-K filed by VMware on April 22, 2022 and a Form 8-K filed by VMware on May 2, 2022.

Source :
https://www.broadcom.com/blog/broadcom-vmware

Adobe Acrobat may block antivirus tools from monitoring PDF files

Security researchers found that Adobe Acrobat is trying to block security software from having visibility into the PDF files it opens, creating a security risk for the users.

Adobe’s product is checking if components from 30 security products are loaded into its processes and likely blocks them, essentially denying them from monitoring for malicious activity.

Flagging incompatible AVs

For a security tool to work, it needs visibility into all processes on the system, which is achieved by injecting dynamic-link libraries (DLLs) into software products launching on the machine.

PDF files have been abused in the past to execute malware on the system. One method is to add a command in the ‘OpenAction’ section of the document to run PowerShell commands for malicious activity, explain the researchers at cybersecurity company Minerva Labs.

“Since March of 2022 we’ve seen a gradual uptick in Adobe Acrobat Reader processes attempting to query which security product DLLs are loaded into it by acquiring a handle of the DLL” – Minerva Labs

According to a report this week, the list has grown to include 30 DLLs from security products of various vendors. Among the more popular ones with consumers are Bitdefender, Avast, Trend Micro, Symantec, Malwarebytes, ESET, Kaspersky, F-Secure, Sophos, Emsisoft.

Querying the system is done with ‘libcef.dll’, a Chromium Embedded Framework (CEF) Dynamic Link Library used by a wide variety of programs.

While the Chromium DLL comes with a short list of components to be blacklisted because they cause conflicts, vendors using it can make modifications and add any DLL they want.

Chromium’s list of hardcoded DLLs (source: Minerva Labs)

The researchers explain that “libcef.dll is loaded by two Adobe processes: AcroCEF.exe and RdrCEF.exe” so both products are checking the system for components of the same security products.

Looking closer at what happens with the DLLs injected into Adobe processes, Minerva Labs found that Adobe checks if the bBlockDllInjection value under the registry key ‘SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection\’ is set to 1. If so, it will prevent antivirus software’s DLLs from being injected into processes.

It is worth noting that the registry key’s value when Adobe Reader runs for the first time is ‘0’ and that it can be modified at any time.

“With the registry key name dBlockDllInjection, and looking at the cef documentation, we can assume that the blacklisted DLLs are designated to be unloaded” – Minerva Labs

According to Minerva Labs researcher Natalie Zargarov, the default value for the registry key is set to ‘1’ – indicating active blocking. This setting may depend on the operating system or the Adobe Acrobat version installed, as well as other variables on the system.
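A defender can verify both halves of this on an endpoint: what the registry value is set to, and whether the security product's DLL is actually present in the two CEF processes. The script below is an added example, not code from Minerva Labs or Adobe. It assumes the key may live under either HKLM or HKCU (the article does not name the hive), and `$SecurityDllPattern` is a placeholder you replace with your own product's module name.

```powershell
# Added example: read-only audit of Acrobat's DLL-injection blocking state.
param(
    # Hypothetical module name; replace with the DLL your security product injects.
    [string]$SecurityDllPattern = 'example_edr*.dll'
)

# Key and value name as given in the article; the hive is an assumption, so both are checked.
$subKey = 'SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection'

function Get-AcrobatDllInjectionSetting {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path  = '{0}\{1}' -f $hive, $subKey
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).bBlockDllInjection
        }
        [pscustomobject]@{
            Key                = $path
            bBlockDllInjection = if ($null -eq $value) { 'not set' } else { $value }
            Blocking           = ($value -eq 1)
        }
    }
}

function Get-AcrobatCefModuleReport {
    param([string]$Pattern)
    # AcroCEF.exe and RdrCEF.exe are the two processes that load libcef.dll.
    foreach ($proc in Get-Process -Name AcroCEF, RdrCEF -ErrorAction SilentlyContinue) {
        $modules = $null
        try {
            $modules = @($proc.Modules | ForEach-Object { $_.ModuleName })
        } catch {
            # Sandboxed or elevated processes can refuse module enumeration.
            $modules = $null
        }
        if (-not $modules) {
            $libcef   = 'unknown (could not enumerate)'
            $security = 'unknown (could not enumerate)'
        } else {
            $libcef   = [bool]($modules -contains 'libcef.dll')
            $security = [bool]($modules -like $Pattern)
        }
        [pscustomobject]@{
            Process           = $proc.ProcessName
            Id                = $proc.Id
            LibcefLoaded      = $libcef
            SecurityDllLoaded = $security
        }
    }
}

# Open a PDF first so the CEF processes exist, then run from a PowerShell host
# of the same bitness as the Adobe process (cross-bitness listings can be incomplete).
Get-AcrobatDllInjectionSetting | Format-Table -AutoSize
Get-AcrobatCefModuleReport -Pattern $SecurityDllPattern | Format-Table -AutoSize
```

A row with `Blocking = True` together with `SecurityDllLoaded = False` is the condition the researchers describe; raise it with your security vendor rather than assuming the product still has visibility into Acrobat.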

In a post on Citrix forums on March 28, a user complaining about Sophos AV errors due to having an Adobe product installed said that the company “suggested to disable DLL-injection for Acrobat and Reader.”

Adobe responding to Citrix user experiencing errors on machine with Sophos AV

Working on the problem

Replying to BleepingComputer, Adobe confirmed that users have reported experiencing issues due to DLL components from some security products being incompatible with Adobe Acrobat’s usage of the CEF library.

“We are aware of reports that some DLLs from security tools are incompatible with Adobe Acrobat’s usage of CEF, a Chromium based engine with a restricted sandbox design, and may cause stability issues” – Adobe

The company added that it is currently working with these vendors to address the problem and “to ensure proper functionality with Acrobat’s CEF sandbox design going forward.”

Minerva Labs researchers argue that Adobe chose a solution that solves compatibility problems but introduces a real attack risk by preventing security software from protecting the system.

BleepingComputer has contacted Adobe with further questions to explain the conditions under which the DLL blocking occurs and will update the article once we have the information.

Source :
https://www.bleepingcomputer.com/news/security/adobe-acrobat-may-block-antivirus-tools-from-monitoring-pdf-files/

7-zip now supports Windows ‘Mark-of-the-Web’ security feature

7-zip has finally added support for the long-requested ‘Mark-of-the-Web’ Windows security feature, providing better protection from malicious downloaded files.

When you download documents and executables from the web, Windows adds a special ‘Zone.Id’ alternate data stream to the file called the Mark-of-the-Web (MoTW).

This identifier tells Windows and supported applications that the file was downloaded from another computer or the Internet and, therefore, could be a risk to open.

When you attempt to open a downloaded file, Windows will check if a MoTW exists and, if so, display additional warnings to the user, asking if they are sure they wish to run the file.

Launching a downloaded executable containing a MoTW
Source: BleepingComputer

Microsoft Office will also check for the Mark-of-the-Web, and if found, it will open documents in Protected View, with the file in read-only mode and macros disabled.

Word document opened in Protected View
Source: BleepingComputer

To check if a downloaded file has the Mark-of-the-Web, you can right-click on it in Windows Explorer and open its properties.

If the file contains a MoTW, you will see a message at the bottom stating, “This file came from another computer and might be blocked to help protect this computer.”

File property indicator for the Mark-of-the-Web
Source: BleepingComputer

If you trust the file and its source, you can put a check in the ‘Unblock’ box and click on the ‘Apply’ button, which will remove the MoTW from the file.

Furthermore, running the file for the first time and allowing it to open will also remove the MoTW, so warnings are not shown in the future.

7-zip adds support for Mark-of-the-Web

7-zip is one of the most popular archiving programs in the world, but, until now, it lacked support for Mark-of-the-Web.

This meant that if you downloaded an archive from the Internet and extracted it with 7-zip, the Mark-of-the-Web would not propagate to the extracted files, and Windows would not treat the extracted files as risky.

For example, if you downloaded a ZIP file containing a Word document, the ZIP file would have a MoTW, but the extracted Word document would not. Therefore, Microsoft Office would not open the file in Protected View.

Over the years, numerous security researchers, developers, and engineers have requested that the 7-Zip developer, Igor Pavlov, add the security feature to his archiving utility.

Tweet by SwiftOnSecurity

Pavlov said he doesn’t like the feature as it adds extra overhead to the program.

“The overhead for that property (additional Zone Identifier stream for each file) is not good in some cases,” explained Pavlov in a 7-zip bug report.

However, this all changed last week after Pavlov added a new setting in 7-zip 22.00 that enables you to propagate MoTW streams from downloaded archives to its extracted files.

To enable this setting, search for and open the ‘7-Zip File Manager,’ and when it opens, click on Tools and then Options. Under the 7-Zip tab, you will now see a new option titled ‘Propagate Zone.Id stream’ and the ability to set it to ‘No,’ ‘Yes,’ or ‘For Office files.’

Set this option to ‘Yes’ or ‘For Office files,’ which is less secure, and then press the OK button.

New Propagate Zone.Id stream in 7-Zip
Source: BleepingComputer

With this setting enabled, when you download an archive and extract its files, the Mark-of-the-Web will also propagate to the extracted files.

With this additional security, Windows will now prompt you as to whether you wish to run downloaded files and Microsoft Office will open documents in Protected View, offering increased security.
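To confirm that propagation is working after you change the setting, you can read the mark directly instead of relying on the Properties dialog. The script below is an added example, not part of the original article or of 7-Zip. On disk the alternate data stream is named `Zone.Identifier`, and the function names and the demo files (created in a temporary folder) are constructed for illustration. It needs Windows and an NTFS volume.

```powershell
# Added example: read the Mark-of-the-Web and find extracted files that did not inherit it.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    $item   = Get-Item -LiteralPath $Path
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($stream) {
        # The stream body is INI text: "[ZoneTransfer]", then "ZoneId=<n>" and optional URL lines.
        foreach ($line in Get-Content -LiteralPath $Path -Stream 'Zone.Identifier') {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1]; break }
        }
    }
    [pscustomobject]@{
        File    = $item.FullName
        HasMotw = [bool]$stream
        ZoneId  = $zoneId
        Zone    = if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { $null }
    }
}

function Find-UnmarkedExtractedFile {
    # Lists files under $ExtractedDir that carry no mark although the archive does.
    param([Parameter(Mandatory)][string]$Archive,
          [Parameter(Mandatory)][string]$ExtractedDir)
    $archiveInfo = Get-MotwInfo -Path $Archive
    if (-not $archiveInfo.HasMotw) { return }   # archive is unmarked: nothing to propagate
    Get-ChildItem -LiteralPath $ExtractedDir -File -Recurse |
        ForEach-Object { Get-MotwInfo -Path $_.FullName } |
        Where-Object { -not $_.HasMotw }
}

# Constructed demo: a stand-in "archive" marked as Internet zone and one unmarked extracted file.
$work = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$work\out" -Force | Out-Null
Set-Content -LiteralPath "$work\sample.zip" -Value 'placeholder'
Set-Content -LiteralPath "$work\sample.zip" -Stream 'Zone.Identifier' -Value '[ZoneTransfer]', 'ZoneId=3'
Set-Content -LiteralPath "$work\out\report.docx" -Value 'placeholder'

Get-MotwInfo -Path "$work\sample.zip" | Format-List
Find-UnmarkedExtractedFile -Archive "$work\sample.zip" -ExtractedDir "$work\out" | Format-Table -AutoSize

Remove-Item -LiteralPath $work -Recurse -Force
```

Run `Find-UnmarkedExtractedFile` against a real downloaded archive and its extraction folder: an empty result means every extracted file carries the mark.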

To take advantage of this new feature, you can download 7-zip 22.0 from 7-zip.org.

Source :
https://www.bleepingcomputer.com/news/microsoft/7-zip-now-supports-windows-mark-of-the-web-security-feature/

Critical PHP flaw exposes QNAP NAS devices to RCE attacks

QNAP has warned customers today that some of its Network Attached Storage (NAS) devices (with non-default configurations) are vulnerable to attacks that would exploit a three-year-old critical PHP vulnerability allowing remote code execution.

“A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11. If exploited, the vulnerability allows attackers to gain remote code execution,” QNAP explained in a security advisory released today.

“To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes.”

The Taiwanese hardware vendor has already patched the security flaw (CVE-2019-11043) for some operating system versions exposed to attacks (QTS 5.0.1.2034 build 20220515 or later and QuTS hero h5.0.0.2069 build 20220614 or later).

However, the bug affects a wide range of devices running:

  • QTS 5.0.x and later
  • QTS 4.5.x and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.x and later
  • QuTScloud c5.0.x and later

QNAP customers who want to update their NAS devices to the latest firmware automatically need to log on to QTS, QuTS hero, or QuTScloud as administrator and click the “Check for Update” button under Control Panel > System > Firmware Update.

You can also manually upgrade your device after downloading the update on the QNAP website from Support > Download Center.

QNAP devices targeted by ransomware

Today’s warning comes after the NAS maker warned its customers on Thursday to secure their devices against active attacks deploying DeadBolt ransomware payloads.

BleepingComputer also reported over the weekend that ech0raix ransomware has started targeting vulnerable QNAP NAS devices again, according to sample submissions on the ID Ransomware platform and reports from multiple users who had their systems encrypted.

Until QNAP issues more details on ongoing attacks, the infection vector used in these new DeadBolt and ech0raix campaigns remains unknown.

While QNAP is working on patching the CVE-2019-11043 PHP vulnerability in all vulnerable firmware versions, you should ensure that your device is not exposed to Internet access as an easy way to block incoming attacks.

As QNAP has advised in the past, users with Internet-exposed NAS devices should take the following measures to prevent remote access:

  • Disable the Port Forwarding function of the router: Go to the management interface of your router, check the Virtual Server, NAT, or Port Forwarding settings, and disable the port forwarding setting of the NAS management service port (port 8080 and 433 by default).
  • Disable the UPnP function of the QNAP NAS: Go to myQNAPcloud on the QTS menu, click the “Auto Router Configuration,” and unselect “Enable UPnP Port forwarding.”

QNAP also provides detailed info on how to toggle off remote SSH and Telnet connections, change the system port number, change device passwords, and enable IP and account access protection to further secure your device.


Update June 22, 08:45 EDT: After this story was published, QNAP’s PSIRT team updated the original advisory and told BleepingComputer that devices with default configurations are not impacted by CVE-2019-11043.

Also, QNAP said that the Deadbolt ransomware attacks are targeting devices running older system software (released between 2017 and 2019).

For CVE-2019-11043, described in QSA-22-20, to affect our users, there are some prerequisites that need to be met, which are:

  1. nginx is running, and
  2. php-fpm is running.

As we do not have nginx in our software by default, QNAP NAS are not affected by this vulnerability in their default state. If nginx is installed by the user and running, then the update provided with QSA-22-20 should be applied as soon as possible to mitigate associated risks.

We are updating our security advisory QSA-22-20 to reflect the facts stated above. Again we would like to point out that most QNAP NAS users are not affected by this vulnerability since its prerequisites are not met. The risk only exists when there is user-installed nginx present in the system.

We have also updated the story to reflect the new information provided by QNAP.

Source :
https://www.bleepingcomputer.com/news/security/critical-php-flaw-exposes-qnap-nas-devices-to-rce-attacks/

Microsoft reveals cause behind this week’s Microsoft 365 outage

Microsoft has revealed that this week’s Microsoft 365 worldwide outage was caused by an infrastructure power outage that led to traffic management servicing failovers in multiple regions.

Starting on Monday, June 20, at 11:00 PM UTC, customers began experiencing and reporting several issues while trying to access and use Microsoft 365 services.

According to Microsoft, problems encountered during the incident included delays and failures when accessing some Microsoft 365 services.

Customer reports also shared info on continuous re-login requests, emails not getting delivered after being stuck in queues, and the inability to access Exchange Online mailboxes despite trying all available connection methods.

The affected services included the Microsoft Teams communication platform, the Exchange Online hosted email platform, SharePoint Online, Universal Print, and the Graph API.

Microsoft’s response while investigating the root cause behind the outage also brought to light some issues related to how the company fails to share new incident-related info with customers.

Even though Microsoft told customers they could find out more about this incident from the admin center under EX394347 and MO394389, user reports suggest that those incident tickets were not showing up, effectively keeping the customers in the dark.

16-hour-long incident caused by power failure

More than 16 hours after the first signs of the outage were detected, on Tuesday, June 21, at 3:27 PM UTC, Microsoft said in an update to the MO394389 service alert sent to customers that the root cause was an infrastructure power loss.

“An infrastructure power outage necessitated failing over Microsoft 365 traffic management servicing users primarily in Western Europe,” the company explained.

“This action failed to properly complete, leading to functional delays and access failures for several Microsoft 365 services.”

The outage was most severe for customers in Western Europe. Still, the impact extended to “a small percentage” of users throughout EMEA (Europe, the Middle East, and Africa), North America, and the Asia-Pacific regions.

Redmond also refuted reports that a separate outage affecting the company’s Outlook on the web service was also linked to this incident.

“We’ve confirmed from our updated service monitoring that all services remain healthy following the targeted restarts,” Microsoft added.

“Additionally, we completed our investigation into the potential remaining impact to Outlook on the web and confirmed that this is a known issue which is unrelated to this event.”

On Tuesday, Cloudflare was also hit by a massive outage that affected over a dozen data centers and hundreds of major online platforms and services.

Cloudflare revealed that the incident was caused by a configuration error while implementing a change that would have otherwise increased its network’s resilience.

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-reveals-cause-behind-this-week-s-microsoft-365-outage/

NSA shares tips on securing Windows devices with PowerShell

The National Security Agency (NSA) and cybersecurity partner agencies issued an advisory today recommending that system administrators use PowerShell to prevent and detect malicious activity on Windows machines.

PowerShell is frequently used in cyberattacks, leveraged mostly in the post-exploitation stage, but the security capabilities embedded in Microsoft’s automation and configuration tool can also help defenders in their forensics efforts, improve incident response, and automate repetitive tasks.

The NSA and cyber security centres in the U.S. (CISA), New Zealand (NZ NCSC), and the U.K. (NCSC-UK) have created a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities.

“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly. Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell”

Lower risk for abuse

Reducing the risk of threat actors abusing PowerShell requires leveraging capabilities in the framework such as PowerShell remoting, which does not expose plain-text credentials when executing commands remotely on Windows hosts.

Administrators should be aware that enabling this feature on private networks automatically adds a new rule in Windows Firewall that permits all connections.

Customizing Windows Firewall to allow connections only from trusted endpoints and networks helps reduce an attacker’s chance for successful lateral movement.

For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, to add the convenience and security of public-key authentication:

  • remote connections don’t need HTTPS with SSL certificates
  • no need for Trusted Hosts, as required when remoting over WinRM outside a domain
  • secure remote management over SSH without a password for all commands and connections
  • PowerShell remoting between Windows and Linux hosts

Another recommendation is to reduce PowerShell operations with the help of AppLocker or Windows Defender Application Control (WDAC) to set the tool to function in Constrained Language Mode (CLM), thus denying operations outside the policies defined by the administrator.

“Proper configuration of WDAC or AppLocker on Windows 10+ helps to prevent a malicious actor from gaining full control over a PowerShell session and the host”

Detecting malicious PowerShell use

Recording PowerShell activity and monitoring the logs are two recommendations that could help administrators find signs of potential abuse.

The NSA and its partners propose turning on features like Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS).

The first two enable building a comprehensive database of logs that can be used to look for suspicious or malicious PowerShell activity, including hidden action and the commands and scripts used in the process.

With OTS, administrators get records of every PowerShell input or output, which could help determine an attacker’s intentions in the environment.
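Before relying on these logs, it is worth checking that the features are actually switched on for a given host. The read-only audit below is an added example, not taken from the NSA document. It assumes the settings are deployed through Group Policy for Windows PowerShell 5.1, whose policy values live under the registry key shown, and the function names are illustrative.

```powershell
# Added example: report whether the logging features named in the advisory are enabled.
# Assumption: settings come from Group Policy for Windows PowerShell 5.1.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $base $SubKey
    if (-not (Test-Path -Path $key)) { return $null }
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Name
}

function Get-PowerShellLoggingAudit {
    $checks = @(
        @{ Feature = 'Script Block Logging'; SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
        @{ Feature = 'Module Logging';       SubKey = 'ModuleLogging';      Name = 'EnableModuleLogging' },
        @{ Feature = 'Transcription (OTS)';  SubKey = 'Transcription';      Name = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        $v = Get-PolicyValue -SubKey $c.SubKey -Name $c.Name
        [pscustomobject]@{ Feature = $c.Feature; Enabled = ($v -eq 1); Detail = "$($c.Name)=$v" }
    }

    # Module logging only records modules listed under ModuleNames ('*' means all).
    $modKey = Join-Path $base 'ModuleLogging\ModuleNames'
    $mods   = if (Test-Path -Path $modKey) { @((Get-Item -Path $modKey).Property) } else { @() }
    [pscustomobject]@{ Feature = 'Module Logging scope'; Enabled = ($mods -contains '*'); Detail = ($mods -join ',') }

    # Transcripts are only useful if they are written somewhere you collect and protect.
    $dir = Get-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory'
    [pscustomobject]@{ Feature = 'Transcript directory'; Enabled = [bool]$dir; Detail = "$dir" }

    # Language mode of the current session (ConstrainedLanguage when WDAC/AppLocker enforce CLM).
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{ Feature = 'Constrained Language Mode'; Enabled = ($mode -eq 'ConstrainedLanguage'); Detail = "$mode" }

    # Script block events are recorded as ID 4104 in the PowerShell operational log.
    $last = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                         -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{ Feature = 'Recent 4104 event'; Enabled = [bool]$last
                       Detail = if ($last) { "last at $($last.TimeCreated)" } else { 'none found' } }
}

Get-PowerShellLoggingAudit | Format-Table -AutoSize
```

Any row with `Enabled = False` on a managed host is a gap between policy and reality worth closing before an incident requires those logs.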

Administrators can use the table below to check the features that various PowerShell versions provide to help enable better defenses in their environment:

Security features present in PowerShell versions

The document the NSA released today states that “PowerShell is essential to secure the Windows operating system,” particularly the newer versions that did away with previous limitations.

When properly configured and managed, PowerShell can be a reliable tool for system maintenance, forensics, automation, and security.

The full document, titled “Keeping PowerShell: Security Measures to Use and Embrace” is available here [PDF].

Source :
https://www.bleepingcomputer.com/news/security/nsa-shares-tips-on-securing-windows-devices-with-powershell/
