The old saying goes, “practice what you preach.” When Ivanti started its “Customer Zero” initiative, Bob Grazioli, Chief Information Officer, saw it as a perfect opportunity to test the products and services consumed by customers.
For example, during Ivanti’s move to the cloud, Grazioli and the team experienced the same issues that customers would’ve experienced in their migration process. This first-hand experience allowed them to make improvements along the way. Listen to Grazioli go into detail about other crucial findings in the Customer Zero initiative and how expanding ITSM helps elevate the employee experience.
Key learnings from Ivanti’s “Customer Zero” program
“That’s great to call out our Customer Zero program because we’re really proud of it, actually. We are the first customer in Ivanti. We take every one of our tools that are obviously applicable to IT or SaaS and we implement them first, before the customer, to provide the feedback to our product managers, our engineering team and make sure that that feedback either makes it into the product or eliminates any potential problems that our customers might experience if something obviously wasn’t discovered during our testing.
But having said that, we have learned an awful lot about actually moving from on-prem to SaaS. If you look at what we’ve done with Customer Zero, our focus now has been to take a look at the Ivanti on-prem products and move ourself to the cloud. Obviously, I manage SaaS, so I’m very biased towards being in the cloud and that is our focus right now. So, we’ve taken patch, we’ve moved that from on-prem to cloud.
We now have taken our ITSM converged product with workflow management, with all of low-code, no code, we moved that into IT for ITSM. We have our own CMDB that we’re running against Discovery. Going out to our data centers, we have close to what, 40 different geos globally that we manage — thousands and thousands of assets across all of those data centers. Those are all being discovered placed in our own CMDB and managed.
We’re now deploying GRC for our compliance. We were like a lot of, you know, companies struggle through our SOC 2, SOC 2 type 2, where artifacts are put into certain repositories. We managed those assets. Now we have GRC, where all those artifacts get managed to ITSM. They’re linked to the proper controls. It makes the audit process so much simpler, so much easier for us to get through every year for compliance.
We’re learning that through the efficiency of moving to cloud from on-prem to SaaS, we’re learning those efficiencies do save us time, have a great ROI in terms of the OpEx – CapEx equation, if most of you CIOs that go through that, there is a big advantage on the CapEx-OpEx side.”
“And then, just having all of our data in the cloud in ITSM, as I said earlier, becoming a single source of truth for Patch, Discovery, RiskSense [now known as Risk-Based Vulnerability Management] vulnerabilities. And obviously, the main focus, all the tickets that are created on the customer facing side, giving us insight into the customer, into what they’re using or what they’re not using. So really, adoption, big part of obviously what you need in SaaS to manage, the real true user experience.
It really has been eye opening, moving all of our products from on-prem to SaaS, leveraging those SaaS products in our own cloud, gaining that experience, pushing it back to product managers, pushing it back to engineering to produce a better quality product and a better service for all of our customers as they migrate to the cloud.
So, we kind of blunt any particular problems that our customers would have experienced when they move from on-prem to cloud. Customer Zero – it’s definitely eliminating a lot of issues that customers would have had if they move on-prem to SaaS. And we’re providing valuable telemetry to help improve our product and improve the quality and service to our customers.”
Important takeaways from Ivanti’s Customer Zero initiative
“Well, so we’ve improved our catalog for service requests and so on. That is the evolution of what ITSM should do. But DEX is the key. Having all of those tickets in ITSM that show customer issues or customer successes or what they’re using in our product, etc.
That is the game changer because now, as I said earlier, having DEX out there, looking at all those tickets, analyzing the tickets and then proactively either anticipating a problem with their device or potentially the way a customer is adopting certain technologies that we pushed out into the environment.
Those tickets are gold for that level of telemetry that allows us to gain the insights we need to provide the customer with a better experience. I think ticket management is really, it’s tough — you don’t want a lot of tickets, obviously, because sometimes that’s not a good thing. But what these tickets represent in terms of knowledge of the customer, it really is instrumental in us making things better, making the service better and having the customer have a better experience.”
“I mean, we use the word culture, but let’s face it, the generation of customers that are out there today growing up with technology and having the ability to control a lot of that technology right at their fingertips, that’s really what you’re trying to accommodate.
You don’t want someone to come into your company as an employee and have them not have that same experience. Not have them engaged with technology the same way they can engage at home or anywhere else out in the market. That’s what we’re trying to get to and be for that customer.
And we’re doing that because today, with the proactive nature that we’re creating within our products. Proactive nature, that’s DEX.
That’s having all that intelligence to engage the customer with empathy and with a proactive approach to giving them a solution to whatever issue they have. It’s empathy to what they’re going through and then proactively providing them with a fast, reliable solution to whatever experience they’re calling in on.
I think that’s our goal and I think ITSM is evolving to that because again, of the amount of information it’s able to collect and use with all of the AI and ML that we’re applying to it, to really create that more proactive experience with a very intelligent, very tech savvy customer that we have both in and outside our company.
And that’s happening. That’s the culture, if you will, that I see, that I’m engaged with, and we want to make sure our products can satisfy.”
Broadening ITSM to support other areas brings with it new levels of proactive troubleshooting and empathy, helping you drive a better digital employee experience.
By: Peter Girnus, Aliakbar Zahravi June 20, 2023 Read time: 10 min (2790 words)
This is the third installment of a three-part technical analysis of the fully undetectable (FUD) obfuscation engine BatCloak and SeroXen malware. In this entry, we document the techniques used to spread and abuse SeroXen, as well as the security risks, impact, implications of, and insights into highly evasive FUD batch obfuscators.
The remote access trojan (RAT) SeroXen tool can be purchased on the clearnet. During our investigation, we uncovered multiple domains selling not only this nefarious tool but also a cracked version of it hosted on a popular crack forum. We also uncovered individuals on popular video sites such as YouTube and TikTok acting as distributors for this piece of fully undetectable (FUD) malicious software. At the time of writing, many of these videos remain available for viewing.
In this section, we break down the different platforms that SeroXen uses to spread malware.
Website
The tool SeroXen sports a sleek website with pages that users might expect from any number of websites selling software on the internet. However, sometime between the last week of May and the first week of June, a new shutdown notice has surfaced on its website due to SeroXen’s popularity and cybercriminal efficacy. Considering the content of the notice, there are strong indications that this shutdown is merely for show and that distribution is still ongoing through other platforms and channels.
Prior to the shutdown notice, we observed the main SeroXen website offering a comprehensive list of features to prospective consumers. Examining some of the core features advertised by SeroXen shows a rich feature selection, including:
A Windows Defender-guaranteed bypass for both scan time and runtime.
FUD scan time and runtime evasion against most antivirus engines.
Hidden Virtual Network Computing (hVNC).
Full modern Windows support.
In addition to the sophisticated evasion and FUD component, the inclusion of hVNC is concerning as it is often deployed by highly sophisticated types of malware and advanced persistent threat (APT) groups. The hVNC component allows threat actors to operate a hidden or “virtual” desktop rather than the main desktop to keep the malicious sessions in the background running uninterrupted.
Meanwhile, the SeroXen web application provides users with the option to acquire either a monthly license key or a lifetime key using cryptocurrency.
The SeroXen web application also boasts a product support team available from Monday to Friday following a location for a time zone reference in the US. The Telegram account of the developer is also available for messaging, and the relevant channels are still active. At one point, a Discord account might also have been available for contact, although it was already unavailable at the time of this writing.
During our investigation, we encountered the disclosure of the developers and contributors associated with SeroXen’s development. Notably, the list includes the individual who also contributed to the creation of batch obfuscators such as Jlaive, BatCrypt, CryBat, Exe2Bat, and ScrubCrypt. This direct linkage therefore establishes a clear association between these historical FUD batch obfuscators and the SeroXen malware. In June, we also noticed that the website’s acknowledgments included the social media handle of the distributor.
Social media accounts
While investigating SeroXen’s website, we uncovered a link to a review video hosted on YouTube.
The content is presented as a “review” and facilitated by a reseller. More importantly, it functions not only as an evaluation but also as a promotional advertisement coupled with a tutorial showcasing the capabilities of SeroXen. We found a collection of videos that was also attributed to a reseller of the malware. These videos function to endorse and market SeroXen, reinforcing its presence and appeal within the designated market. Details such as knowledge, discounts offered, and claims of being a distributor indicate the increased likelihood of this user being connected to the owner of the web app.
Certain prospective customers of SeroXen have demonstrated an inclination toward exploring specific aspects associated with illicit activities. Their expressed interest encompasses the use of SeroXen in the context of engaging in potentially unlawful endeavors within the Roblox community.
For context, Roblox is a widely popular video game with a user base of over 214 million active monthly users across the globe, predominantly comprised of minors, with approximately 67% of the player demographic aged below 16 years. In the US, over half of Roblox players are minors. In Figure 10, the significance of the inquiry lies in the potential risks and impact associated with the theft of the .ROBLOSECURITY cookie from an unsuspecting victim. If successfully stolen, this cookie would grant a threat actor the ability to compromise the targeted Roblox account by overriding two-factor authentication (2FA).
This exchange also highlights the risk associated with highly evasive and modular types of malware — namely, a modular design with the ability to load additional components to create a bigger impact on targeted and unwitting victims. In this instance, the reseller mentions the ability to use SeroXen with Hazard, a stealer with many features, including the capability to steal Discord webhooks.
At one point, the distributor sold SeroXen on Discord, but their accounts have a history of being terminated. In an exchange with a prospective customer on YouTube, a YouTube channel owner shows a clear understanding of how this tool will be used for criminal activity, after which they encourage a prospective customer to get in touch with them since they are a reseller. We also uncovered the reseller’s Twitter profile, which hosted more promotional content for SeroXen.
As of this blog entry’s week of publishing, we noted that the social media distributor confirmed that SeroXen’s “sale” (referred to only as “offsale” on the website) is now offline. Still, this mainstream availability and exchange raise substantial concerns, given its occurrence outside the boundaries of underground hacking forums. While researchers and ordinary users alike might expect this kind of complacence and leeway on the darknet, they do not expect the same on a popular mainstream platform such as YouTube. This underscores the potential implications of the exchange, as it indicates that cybercriminals have become bolder in infiltrating mainstream platforms online. In turn, malicious activities and discussions related to illicit cybersecurity practices are now able to infiltrate mainstream online platforms.
Additionally, during the investigation of this reseller’s YouTube profile we uncovered a batch-to-dropper file uploaded to Virus Total around the time of the latest SeroXen promotional video. The name of the batch file matches the username of this reseller’s YouTube profile. This batch attempts to download an infected batch file from Discord and run the infected file that leads to a SeroXen infection.
SeroXen’s forum presence
We also discovered that the author of SeroXen actively engages with prominent hacking enthusiast forums to promote and distribute the malware. This strategic use of established forums catering to the hacking community serves as an additional avenue for the author to market and sell SeroXen, expanding its reach.
Upon investigating the post of SeroXen’s developer, we saw that the author of Jlaive, BatCrypt, CryBat, Exe2Bat, and ScrubCrypt was once again acknowledged as playing a part in the development of SeroXen’s FUD capabilities. Additionally, on another forum, we found a cracked version of SeroXen that allows cybercriminals to bypass the payment requirement set up by the malware’s original developers.
Examining the prevalence and impact of SeroXen
Throughout our investigation of the scope of infections, we discovered a substantial collection of forum posts containing reports from victims who fell prey to the SeroXen infection. This particular strain of malware showed a notable increase in users reporting their infections, with well-meaning individuals advising victims to implement security and antivirus solutions, which all failed to detect any malicious activity. This then perpetuates a distressing cycle of infections driven by the malware’s FUD capabilities.
Understanding SeroXen infections through an analysis of community discussions
We conducted an analysis on Reddit by analyzing reports of SeroXen infections. Many of these posts reported that the users noticed suspicious actions but were powerless to remediate the ongoing infection.
We went through different forum threads and observed a common theme among the scores of individuals whose systems were infected: they were downloading and executing highly suspect pieces of software hosted on Discord and other file-hosting services related to special interests. We also noticed reports of deceptive batch installers (downloaded from GitHub) claiming to be legitimate software installers or tools for highly sought-after applications and interests like Photoshop, image loggers, TikTok, quality-of-life tools, and Tor, among others. The primary intention behind this fraudulent activity is to lure unsuspecting individuals into unintentionally installing malicious programs that lead to compromise.
Based on our analysis of the collected samples, one of the largest target communities is gamers playing popular titles such as Roblox, Valorant, Counter Strike, Call of Duty, and Fortnite. These multiplayer online games contain a rich ecosystem of desirable, high-value in-game items that make up a rich in-game economy, making them a viable target of malicious actors using SeroXen. In particular, theft appears to be the primary motive driving these infections. Over the years, a thriving underground ecosystem has been established for the illicit resale of stolen in-game items, with a particular emphasis on the popular game Roblox via beaming.
What is Roblox beaming?
Within the Roblox community, the unauthorized sale of items, referred to as “beaming” in the community, has proven itself to be an immensely profitable venture for nefarious actors. It is worth noting that certain rare items within Roblox, known as “limiteds,” can command significant prices that reach thousands of dollars in real-world commercial values. Discord has served as fertile ground for buying and selling these items, allowing cybercriminals to exploit and profit from unsuspecting children who fall victim to their schemes.
During our investigation, we uncovered a thriving underground community using Discord to post stolen cookies to beam victims. Frequently, the practice of beaming is employed to generate content specifically intended for popular online platforms like YouTube and TikTok. Numerous individuals, often including minors, are subjected to beaming for the purpose of entertainment. Over the course of our investigation, we also uncovered many instances of beaming tutorials and how-to videos on both TikTok and YouTube.
Furthermore, our findings have revealed that these video platforms frequently function as recruitment platforms, funneling individuals into beaming Discord channels to engage in unethical and detrimental activities.
FUD batch obfuscation techniques coupled with hVNC-capable toolkits provide actors powerful tools not only for stealing content but also for creating significant psychological distress in communities with a significant number of minors.
Examining SeroXen infections with insights from the Microsoft Support community
During our investigation of the prevalence and impact of SeroXen infections, we also examined posts within the Microsoft Support community. We observed striking similarities between the infection chain reported in this community and the discussions in Reddit. Moreover, a deeper understanding of the actions perpetrated revealed two distinct and concerning patterns. The first pattern involved direct extortion tactics, while the second involved the issuance of threats to victims’ lives through swatting.
Conclusion
Considering the capabilities and potential damage resulting from this tool, the costs for entry are low to null (given the cracked versions available online). This means that both cybercriminals and script kiddies experimenting with malware deployments can avail themselves of SeroXen. Depending on the goals of cybercriminals — whether they care about arrests and notoriety or simply want to spread the tool — the sophistication of the infection routines does not appear to match the chosen methods for distribution. The almost-amateur approach of using social media for aggressive promotion, considering how easily it can be traced, makes these developers seem like novices by advanced threat actors’ standards. That being said, the real-life consequences of abusing highly evasive malware as a tool to threaten other users via swatting and other threats to personal safety remain highly concerning, especially as these developers might interact with online communities populated by minors.
The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. This can be considered an upcoming trend for a range of cybercriminals who can use a wide range of distribution mechanisms like Discord and social media platforms and their features (such as YouTube and short-form videos on TikTok) to push their preferred types of destructive software for abuse. Additionally, this trend also highlights the potential of highly evasive malware to proliferate in communities that host a significant number of minors who might be ill-equipped to confront destructive pieces of malware. Considering the low-to-nil detections in public repositories once a piece of malware is armed with these tools, this evolution presents new challenges to security teams and organizations alike, especially since FUD obfuscation can be used to deliver any kind of imaginable threat, including those that are not yet known.
Parents and guardians are encouraged to proactively familiarize themselves with the contemporary digital dynamics their children use regularly. This includes gaining an understanding of the various online communities that their children participate in, as well as communicating essential safe online practices and skills to their children. Adults are also encouraged to familiarize themselves with the colloquialisms minors use online and the platforms they frequent. By becoming familiar with these areas and simultaneously equipping children with such knowledge, guardians can play a pivotal role in ensuring everyone’s online safety and well-being.
Trend Vision One™️ enables security teams to continuously identify the attack surface, including known, unknown, managed, and unmanaged cyber assets. It automatically prioritizes risks, including vulnerabilities, for remediation, taking into account critical factors such as the likelihood and impact of potential attacks. Vision One offers comprehensive prevention, detection, and response capabilities backed by AI, advanced threat research, and intelligence. This leads to faster mean time to detect, respond, and remediate, improving the overall security posture and effectiveness.
When uncertain of intrusions, behaviors, and routines, assume compromise or breach immediately to isolate affected artifacts or tool chains. With a broader perspective and rapid response, an organization can address these and keep the rest of its systems protected. Organizations should consider a cutting-edge multilayered defensive strategy and comprehensive security solutions such as Trend Micro™ XDR that can detect, scan, and block malicious content across the modern threat landscape.
Our commitment to online safety
Trend Micro is committed to digital safety through our Trend Micro Initiative for Education, our outreach program that aims to improve internet safety awareness, digital literacy, and malware defense capabilities for a safer digital world. Our initiatives and participation for security and safety include but are not limited to:
If you receive a swatting threat or information that an individual is planning to engage in swatting activities, please report it to local law enforcement and/or the Federal Bureau of Investigation (FBI) at 1-800-CALL-FBI immediately.
By: Peter Girnus, Aliakbar Zahravi June 15, 2023 Read time: 7 min (2020 words)
We looked into the documented behavior of SeroXen malware and noted the inclusion of the latest iteration of the batch obfuscation engine BatCloak to generate a fully undetectable (FUD) .bat loader. This is the second part of a three-part series documenting the abuse of BatCloak’s evasion capabilities and interoperability with other malware.
The recent rise of highly sophisticated malware able to evade detection through fully undetectable (FUD) capabilities, combined with low-cost financial accessibility and minimal skill barriers, has created a pervasive threat targeting online communities and organizations. One particular piece of malware known as SeroXen has deployed an advanced FUD technique via highly obfuscated batch files to infect victims with hVNC (Hidden Virtual Network Computing)-capable malware.
This entry is the second installment of a three-part series featuring BatCloak engine, its iterations, and inclusion in SeroXen malware as the main loading mechanism. The first entry, titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression,” looked into the beginnings and evolution of the BatCloak obfuscation engine. The third part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” analyzes the distribution mechanism of SeroXen and BatCloak, including the security impact and insights of FUD batch obfuscation. As of this writing, a quick online search for SeroXen will show top results for an official website and social media and sharing pages with videos on how to use the remote access trojan (RAT) as if it were a legitimate tool. We will go over these dissemination strategies in the subsequent entry.
SeroXen’s FUD batch patterns
To attain FUD status, the obfuscation patterns employed in SeroXen have shown multilayered tiers in its evolution, evolving from notable predecessors such as Jlaive, BatCloak, CryBat, Exe2Bat, and ScrubCrypt. Notably, the author of these FUD tools is acknowledged as a contributor in various instances, including attributions present on the main SeroXen website and forum posts authored by the individual behind SeroXen.
Examining the SeroXen infection chain
To successfully initiate the infection process, the targeted user is lured into executing a batch file. These lures are often presented as software-specific to enthusiast groups such as gaming communities. The infection process’ efficiency is enhanced because of the batch file’s FUD capability.
We found a compilation of compromised archives associated with cheats pertaining to prominent game titles. Each of these archives harbors a highly obfuscated batch file that serves as the infection vector initiating a SeroXen infection. Alarmingly, none of the archives exhibited any form of security solution detection. In most instances, these malicious archives are hosted on the Discord CDN (content delivery network) catering to specific interested communities, but they could also be hosted on any number of cloud storage options as well as special interest forums.
A visual representation of a SeroXen sample submitted to a public repository under the false pretense of being a popular online video game cheat showcases the comprehensive concealment capabilities inherent in these loaders. Through investigative analysis, we found a consistent pattern in the dimensions of SeroXen’s obfuscated batch files, which commonly exhibit sizes ranging from approximately 10MB to 15MB.
Analyzing the obfuscation patterns deployed by SeroXen
To develop a comprehensive understanding of the obfuscation algorithm utilized within SeroXen, we conducted an in-depth examination on a multitude of heavily obfuscated batch files. The figure sample exhibits an obfuscated SeroXen batch payload camouflaged under the guise of a Fortnite hack.
The batch obfuscation patterns implemented by the SeroXen FUD algorithm can be summarized as follows:
Suppression of console output through the inclusion of the directive “@echo off”
Utilization of sophisticated string manipulation techniques to obfuscate the initial “set” command
Assignment of the “set” command to a user-defined variable
Assignment of equal operations (“=”) to a user-defined variable
Utilization of steps 3 and 4 to assign values to the additional user-defined variables
Concatenation of variables at the conclusion of the obfuscation process to construct a command, which is subsequently executed
Furthermore, our investigation showed that layered obfuscation techniques were implemented alongside superfluous code fragments, or “junk code,” to impede analysis of the batch file and hinder detection.
Summary of commands executed during the SeroXen infection process
We break down the core commands concatenated and executed in order to infect the victim as follows:
Ensure all batch commands run are suppressed with “@echo off”
Copy the PowerShell executable from System32 to the current directory
Set the current directory
Name this copied PowerShell after the batch filename with an appended .exe, such as <mal_bat>.exe
Use the PowerShell command to decrypt and execute the encrypted payload
Build the final PowerShell command used to decrypt the final payload
Use the static operator to decrypt the final payload
Analyzing the deobfuscated SeroXen batch files
During our technical analysis of FUD-enabled SeroXen batch payloads, we were able to deobfuscate the commands associated with its execution and patch key points in its operation to dump the deobfuscated version.
If we compare the deobfuscated sample presented with the highly obfuscated sample (Figure 3), we can demonstrate the core function of the batch script: to generate a series of set commands in an obfuscated manner to evade detection. We see the result of the numerous obfuscated set commands in its deobfuscated equivalent. Throughout the obfuscated batch file, numerous variables are concatenated together to be executed.
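The variable-expansion pattern summarized above (the word “set” and the “=” sign pulled out of user-defined variables, junk assignments interleaved, the pieces concatenated and executed at the end) can be undone statically rather than by running the file. The following is an added example, not the authors’ tooling and not SeroXen code; the batch text inside it is constructed to mimic the described pattern, and its variable names are invented:

```python
"""Recover the command assembled by a SeroXen-style batch obfuscator.

Added example, not the authors' tooling. It statically emulates the two
cmd.exe features the described obfuscation leans on: `set "name=value"`
assignments and `%name%` expansion, where even the word "set" and the "="
sign come out of variables and the pieces are concatenated at the end.
Nothing is executed; the script text is only rewritten line by line.
"""
import re

VAR_RE = re.compile(r"%([^%]+)%")
SET_RE = re.compile(r'^set\s+"?([^=]+)=(.*?)"?\s*$', re.IGNORECASE)

# Constructed sample that mimics the pattern described in the article
# (not a real SeroXen file): "set" and "=" are hidden in variables, junk
# lines are interleaved, and the last line concatenates the pieces.
SAMPLE_BAT = r"""@echo off
set "qz=s"
set "rk=et"
set "eq=="
%qz%%rk% "a%eq%copy /y C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
rem junk line that never contributes to the command
%qz%%rk% "b%eq% %~n0.exe"
%qz%%rk% "c%eq%unused junk value"
%a%%b%
"""


def expand(line: str, env: dict) -> str:
    """Expand %~n0 (the script's own base name) and %name% references.
    Inside a batch file cmd.exe expands an undefined %name% to nothing."""
    line = line.replace("%~n0", env.get("~n0", ""))
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), ""), line)


def deobfuscate(script: str, bat_name: str = "sample") -> dict:
    """Walk the script once, tracking variables the way cmd.exe would set
    them, and return the plain `set` lines plus every other command that
    would run after expansion. `indirect_sets` counts assignments where
    the word "set" itself came out of a variable: a strong indicator of
    the obfuscator, since hand-written batch files never need that trick."""
    env = {"~n0": bat_name}
    result = {"assignments": [], "commands": [], "indirect_sets": 0}
    for raw in script.splitlines():
        raw = raw.strip()
        line = expand(raw, env)
        if not line or line.lower().startswith(("rem ", "::", "@echo")):
            continue  # comments, the `::` data line and echo control carry no command
        m = SET_RE.match(line)
        if m:
            name, value = m.group(1).strip(), m.group(2)
            env[name.lower()] = value
            result["assignments"].append(f'set "{name}={value}"')
            if not raw.lower().startswith("set"):
                result["indirect_sets"] += 1
        else:
            result["commands"].append(line)
    return result


if __name__ == "__main__":
    r = deobfuscate(SAMPLE_BAT)
    print("\n".join(r["assignments"]))
    print("-> would execute:", *r["commands"], sep="\n")
```

The emulator deliberately ignores delayed expansion (`!name!`) and `call`-based double expansion; a sample that relies on those needs the loop extended, not run.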
Analyzing the final PowerShell decryption command
The PowerShell command to be executed in the FUD obfuscated batch file is a series of hidden PowerShell commands used to decrypt and deliver the .Net loader.
The deobfuscated sequence of PowerShell commands decrypt the payload and employ an assembly reflection mechanism to reflectively load it. The essential characteristics of the final sequence of PowerShell commands include:
Decode payload using Base64
Decrypt payload using AES OR XOR algorithm. In the case of AES:
Instantiate an AES decryption object with the cipher block chaining (CBC) mode
Use a Base64 blob for the key and IV
Unzip the payload
Reflectively load the payload
From the next figure, we demonstrate how the C# loader is decrypted from the deobfuscated batch files, after which we unzip the decrypted archive to drop the .Net binary.
We decoded the payload using Base64, which is then AES-decrypted using the deobfuscated Key and IV and finally gunzipped to reveal the .Net loader. This payload is then loaded into memory using reflection.
Deep dive into SeroXen builder
The SeroXen builder binary file is protected by Agile .NET. After unpacking the functions and builder resources, this section shows that SeroXen is a modified version of Quasar RAT with a rootkit and other modifications, such as adopting the loader builder Jlaive and the BatCloak obfuscation engine to generate a FUD .bat loader. The evolution and technical analysis of Jlaive and BatCloak were discussed in part 1 of this series.
As of this writing, SeroXen offers monthly and lifetime key options for purchase online, as well as instructions for using the RAT. We go over this in detail in the third installment of this series as part of the cybercriminals’ distribution strategies.
SeroXen payload generation process
Upon pressing the “build” button, the builder writes the user-given configuration to the pre-compiled file called “client.bin,” and this produces the Quasar RAT payload and passes it to a function called “Crypt.”
The Crypt function employs the Jlaive crypter multi-stage loader generator and BatCloak obfuscator source code to produce undetectable loaders. This function first reads the Quasar RAT payload content and verifies that it is a valid .NET assembly. Crypt then patches some strings and opcodes within the binary, encrypts it using the AES algorithm in CBC cipher mode, and saves it as “payload.exe.”
Much like a Jlaive crypter, the builder takes in user configuration and produces the first loader. This is achieved using a C# template file, “Quasar.Server.Stub.cs,” found embedded within its resources. The author has integrated an extra functionality in this adapted version of the Jlaive CreateCS function such as API unhooking.
Apiunhooker.dll is an open-source project called “SharpUnhooker,” a C#-based universal API unhooker that automatically unhooks API hives (i.e., ntdll.dll, kernel32.dll, advapi32.dll, and kernelbase.dll). This technique attempts to evade user-land monitoring performed by antivirus technologies and/or endpoint detection and response (EDR) solutions by cleansing or refreshing the API DLLs that were loaded into the process.
The builder subsequently compiles the C# loader stub, adding necessary files and dependencies such as the encrypted Quasar RAT (payload.exe) and SharpUnhooker (Apiunhooker.dll) to its resources.
Next, the builder compresses the C# loader, encrypts it using AES/XOR (depending on the configuration), and encodes it in Base64. Finally, it creates a batch file and includes the encoded C# loader binary into it. It also manages the compression, decoding, and decryption processes using an obfuscated PowerShell script, which is also appended to the batch file.
The batch file’s role is to deobfuscate the PowerShell script and execute it. This PowerShell script scans the content of the batch file for the value following “::“, extracts this value, decodes it, decompresses it, decrypts it, and finally executes it in memory.
Two PowerShell templates, “Qusar.Server.AESStub.ps1” and “Quasar.Server.XORStub.ps1,” exist in the resource section of the builder. Depending on the configuration, one of these will be loaded and utilized.
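As an added example (not code from this entry or from the SeroXen builder), the following Python triage script applies the structure just described to a batch file: it looks for “::” comment lines carrying a long, high-entropy Base64 blob, resolves the `set`-and-`%var%` fragment trick to see whether the script launches PowerShell, and checks whether the script reads its own contents. The batch files and the encoded blob are constructed for the demonstration and are not real SeroXen artifacts.

```python
import base64
import binascii
import math
import re
from dataclasses import dataclass, field

# Constructed ciphertext-like bytes (near-uniform byte distribution, as AES/XOR output
# would be). This is NOT a real payload; it only mimics the entropy of an encrypted blob.
FAKE_BLOB = bytes((i * 131 + 7) % 256 for i in range(1200))

# Constructed batch file following the layout described above: the encoded loader sits in
# a "::" comment, the word "powershell" is split across variables, and the PowerShell
# command reads the batch file itself (%~f0) to recover the blob. Not a real SeroXen sample.
SAMPLE_BATCH = "\r\n".join([
    "@echo off",
    "::" + base64.b64encode(FAKE_BLOB).decode(),
    "set a=pow",
    "set b=ershell",
    "%a%%b% -Command \"Get-Content '%~f0'\"",
    "exit /b",
])

# Constructed ordinary maintenance script used as the negative case.
BENIGN_BATCH = "\r\n".join([
    "@echo off",
    ":: Nightly backup of the reports folder",
    "robocopy C:\\reports D:\\backup\\reports /MIR",
    "exit /b 0",
])

SET_RE = re.compile(r'^set\s+"?([A-Za-z_]\w*)=(.*?)"?$', re.IGNORECASE)
VAR_RE = re.compile(r"%([A-Za-z_]\w*)%")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_LEN = 512   # shorter "::" lines are ordinary remarks
MIN_ENTROPY = 7.0    # bits per byte; encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant input, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def expand_vars(line: str, env: dict) -> str:
    """Resolve %name% references against `set` assignments seen so far (a single pass is
    enough to reassemble a keyword split across variables, as in the sample)."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)


@dataclass
class BatchFindings:
    blob_lengths: list = field(default_factory=list)  # decoded sizes of "::" payloads
    max_entropy: float = 0.0                          # highest entropy among those payloads
    invokes_powershell: bool = False                  # powershell/pwsh after variable expansion
    reads_self: bool = False                          # references %~f0 / %0 (its own file)

    @property
    def suspicious(self) -> bool:
        carries_payload = bool(self.blob_lengths) and self.max_entropy >= MIN_ENTROPY
        return carries_payload and (self.invokes_powershell or self.reads_self)


def analyze_batch(text: str) -> BatchFindings:
    """Walk the batch file once, collecting the indicators used by `suspicious`."""
    findings = BatchFindings()
    env: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("::"):
            body = line[2:].strip()
            if len(body) >= MIN_BLOB_LEN and B64_RE.match(body):
                try:
                    decoded = base64.b64decode(body, validate=True)
                except binascii.Error:
                    continue
                findings.blob_lengths.append(len(decoded))
                findings.max_entropy = max(findings.max_entropy, shannon_entropy(decoded))
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
        expanded = expand_vars(line, env).lower()
        if "powershell" in expanded or "pwsh" in expanded:
            findings.invokes_powershell = True
        if "%~f0" in expanded or "%0" in expanded:
            findings.reads_self = True
    return findings


if __name__ == "__main__":
    for label, sample in (("constructed loader", SAMPLE_BATCH), ("benign", BENIGN_BATCH)):
        print(label, analyze_batch(sample))
```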
Conclusion
In this entry, we include a YARA rule that organizations and security teams can use to detect SeroXen obfuscated batch files. Additionally, here is a PowerShell script that can reveal the final deobfuscated batch file and the commands to be run. It is critically important that this PowerShell script be run in an isolated malware sandbox. The script deobfuscates the SeroXen batch file so that security teams can inspect its output file for the PowerShell command executed in the deobfuscation routine. By inspecting this deobfuscated payload, an analyst can grab the key and IV from the PowerShell command to decrypt the final payload.
Overall, SeroXen is a full-featured remote administration tool (RAT) coded in C# and built from a combination of open-source projects that work together to generate a FUD payload. Reports have emerged of SeroXen being abused in several infections and attacks. We foresee the evolved BatCloak engine at the core of SeroXen’s FUD capabilities continuing to evolve and being used as a FUD tool in future malware attacks.
Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as “cheats,” “hacks,” “cracks,” and other pieces of software related to gaining a competitive edge. Users, developers, gamers, and enthusiasts are also advised to exercise caution when executing batch files obtained from the internet. Additionally, organizations are encouraged to stay vigilant against phishing attacks that might attempt to entice users to download and run batch installers (e.g., scripting and automation of repetitive tasks).
Organizations should consider employing a cutting-edge multilayered defensive strategy and comprehensive security solutions, such as Trend Micro™ XDR, that can detect, scan, and block malicious content such as SeroXen and BatCloak across the modern threat landscape. An extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Learn more about how the Zero Day Initiative (ZDI) bug bounty program rewards researchers for responsible vulnerability disclosure and protects organizations globally, and stay up to date on the latest news regarding mission-critical security patches.
By: Peter Girnus, Aliakbar Zahravi June 09, 2023 Read time: 3 min (681 words)
We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.
UPDATE as of 6/15/2023 7:30PM (PHT): We’ve updated this entry to include indicators of compromise (IOCs) for BatCloak.
In our recent investigation, we discovered the use of heavily obfuscated batch files utilizing the advanced BatCloak engine to deploy various malware families at different instances. Running analysis and sample collection from September 2022 to June 2023, we found that these batch files are designed to be fully undetectable (FUD) and have demonstrated a remarkable ability to persistently evade security solutions. As a result, threat actors can load various malware families and exploits by leveraging highly obfuscated batch files seamlessly. Our initial research titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression” delves into the continuing evolution of BatCloak, uncovering the modifications that have propelled modern malware to new levels of security evasion.
This is the first entry in a three-part technical research series taking an in-depth look at the continuing evolution of the highly evasive batch obfuscation engine BatCloak. The second part of this series, “SeroXen Incorporates Latest BatCloak Engine Iteration,” will look into the remote access trojan (RAT) SeroXen, a piece of malware gaining popularity for its stealth and, in its latest iterations, targets gamers, enthusiast communities, and organizations. Aside from the RAT’s own tools, we will look into the updated BatCloak engine included as SeroXen’s loading mechanism. The third and last part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” will detail the distribution mechanisms of SeroXen and BatCloak. We also include our security insights on the community and demographic impact of this level of sophistication when it comes to batch FUD obfuscation.
Defying detection: A preview of BatCloak engine’s efficacy
We analyzed hundreds of batch samples sourced from a public repository. The results showed a staggering 80% of the retrieved samples exhibiting zero detections from security solutions. This finding underscores the ability of BatCloak to evade traditional detection mechanisms employed by security providers. Moreover, when considering the overall sample set of 784, the average detection rate was less than one, emphasizing the challenging nature of identifying and mitigating threats associated with BatCloak-protected pieces of malware.
Understanding the evolving landscape of advanced malware techniques such as FUD obfuscator BatCloak enables us to develop more effective strategies for combating the ever-evolving threats posed by these sophisticated adversaries. These findings highlight the pressing need for enhanced approaches to malware detection and prevention, such as a cutting-edge multilayered defensive strategy and comprehensive security solutions.
Security teams and organizations are advised to exercise a zero-trust approach. Teams should implement solutions capable of combining multiple rules, filters, and analysis techniques, including data stacking and machine learning to address the need for precise detection, as these tools can analyze individual and dynamic file signatures and observe patterns via heuristics and behavioral analysis. When uncertain of intrusions, behaviors, and routines, assume compromise or breach immediately to isolate affected artifacts or tool chains. With a broader perspective and rapid response, an organization can address these and keep the rest of its systems protected. Multilayered technologies and solutions, such as Trend Micro XDR™️, efficiently monitor, detect, and block tiered threats and attacks, as well as their clones and modified versions.
Instead of marking the end of an infection or an attack prior to the target because of siloed solutions, an extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Trend Vision One also correlates with a connected threat intelligence system and rapidly prioritizes and responds with the necessary security and defensive actions as far left of the routine as possible.
Download the first part of our analysis on BatCloak engine here, and the indicators of compromise (IOCs) here and below:
By: Trend Micro June 29, 2023 Read time: 5 min (1290 words)
Risk Management of Human and Machine Identity in a Zero Trust Security Context
In today’s dynamic and ever-changing business and digital landscape, organizations encounter escalating security challenges that demand a more business-friendly and pertinent approach. Conventional security measures frequently have adverse effects on business operations.
However, the advent of Zero Trust security offers organizations the opportunity to embrace a risk-based response strategy that effectively mitigates these risks. The concept of identity is central to the effectiveness of security functions, which serves as a critical factor in guaranteeing the precision and security of transactions and data storage.
Identity and the Evolving Role of Humans and Machines
All security functions are fundamentally centered around identity. The statement, “Who did what to what, when,” encapsulates the core significance of identity in security. The accuracy and integrity of this statement rely on the accuracy and integrity of each identity clause. By ensuring the integrity of these identity clauses, organizations can automate the risk management process with high confidence in the outcomes.
Traditionally, security systems were designed assuming that human operators were solely responsible for all decisions made by machines. However, with the advent of computers and the increasing reliance on automated processes, this operator-centric model has become increasingly inadequate.
While humans and their associated accounts are often the primary targets of security measures, they merely represent the activity of the machines they interact with. In a Zero Trust deployment, embracing the concept of “machine as proxy human” becomes crucial. This approach allows organizations to apply security rules and surveillance to all devices, treating each one as if a malicious human were operating behind it.
By considering machines as proxy humans within the context of Zero Trust, organizations can extend security measures to encompass all devices and systems within their environment. This includes user devices, servers, IoT devices, and other interconnected components. Organizations can enforce strict access controls by treating machines as potential threat actors, applying behavioral analytics, and continuously monitoring for suspicious activities or deviations from expected behavior.
This shift in mindset enables organizations to proactively detect and respond to potential security threats, regardless of whether they originate from human actors or compromised machines. It allows for a more comprehensive and robust security posture, as security measures are applied at the device level, reducing the risk of unauthorized access, data breaches, and other security incidents.
Recognizing the centrality of identity in security and embracing the concept of “machine as proxy human” in a Zero Trust deployment enhances the effectiveness and comprehensiveness of security measures. By treating all devices as potential threat actors and applying security rules and surveillance accordingly, organizations can strengthen their risk management process, automate security controls, and mitigate the risks associated with human and machine-based security threats.
Applying Zero Trust to Machine-Human Approach
Treating all accounts, human or not, as machine/service accounts offers architectural flexibility in a Zero Trust environment. This approach allows organizations to apply consistent security measures to unknown devices, users, and networks as well as to known entities, regardless of how frequently they change.
However, harmonized identity telemetry is crucial for this machine-human approach to be effective. Subscriber Identity Modules (SIM cards) and additional credentials facilitate Zero Trust management in 4G and 5G environments.
Organizations can incorporate a Software Bill of Materials (SBOM) into their Zero Trust solution to address the risks associated with software. An SBOM is a comprehensive inventory that identifies the software components within an organization’s infrastructure, including internally developed and third-party/vendor-provided software.
By implementing an SBOM in a Zero Trust environment, organizations can establish a baseline for expected software behavior. This baseline includes the software’s version, dependencies, and associated digital signatures. Any deviation from this baseline can be identified as a potential security threat or indicator of compromise.
One of the significant advantages of incorporating SBOM into a Zero Trust solution is the ability to monitor unexpected behaviors. Organizations can detect any suspicious activities or unauthorized modifications by continuously monitoring the software components and comparing their actual behavior against the established baseline. This proactive monitoring helps incident responders and risk management teams identify potential threats early and respond effectively to mitigate the risks.
Furthermore, SBOM facilitates supply chain component mapping, crucial for incident response and risk management. With a detailed inventory of software components, organizations can trace the origin of each component and identify potential vulnerabilities or compromised elements within their supply chain. This mapping capability enhances incident response capabilities by providing visibility into the interconnectedness of various software components and their potential impact on the organization’s overall security.
Ultimately incorporating SBOM into a Zero Trust solution helps organizations address software-related risks more effectively. By establishing baselines for expected software behavior and monitoring for any deviations, organizations can detect and respond to potential threats promptly. SBOM also facilitates supply chain component mapping, enabling organizations to enhance their incident response capabilities and mitigate the risks associated with software vulnerabilities and compromises.
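As an added illustration of the baseline-and-deviation idea (not code from this report), the Python below compares a current CycloneDX-style SBOM against a stored baseline and reports added or removed components, version changes, same-version digest mismatches, and new dependency edges. Both documents are constructed, carry placeholder digests, and include only the fields the comparison uses.

```python
from dataclasses import dataclass, field


def _fake_sha256(seed: str) -> str:
    """Deterministic placeholder digest for the constructed documents (NOT a real hash)."""
    return (seed * 64)[:64]


def _component(name: str, version: str, digest_seed: str) -> dict:
    """Minimal CycloneDX-style component entry (constructed; purl-style bom-ref)."""
    return {
        "bom-ref": f"pkg:pypi/{name}@{version}",
        "name": name,
        "version": version,
        "hashes": [{"alg": "SHA-256", "content": _fake_sha256(digest_seed)}],
    }


# Constructed baseline: the components and dependency edges recorded at approval time.
BASELINE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        _component("requests", "2.31.0", "a"),
        _component("urllib3", "2.0.7", "b"),
        _component("certifi", "2023.7.22", "c"),
    ],
    "dependencies": [
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@2.0.7", "pkg:pypi/certifi@2023.7.22"]},
    ],
}

# Constructed current state: same requests version but different bytes, urllib3 bumped,
# and a new transitive dependency that was never approved.
CURRENT_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        _component("requests", "2.31.0", "d"),
        _component("urllib3", "2.0.8", "e"),
        _component("certifi", "2023.7.22", "c"),
        _component("colorama", "0.4.6", "f"),
    ],
    "dependencies": [
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@2.0.8", "pkg:pypi/certifi@2023.7.22",
                       "pkg:pypi/colorama@0.4.6"]},
    ],
}


@dataclass
class SbomDrift:
    added: list = field(default_factory=list)            # names absent from the baseline
    removed: list = field(default_factory=list)          # names missing from the current SBOM
    version_changed: list = field(default_factory=list)  # (name, old_version, new_version)
    hash_changed: list = field(default_factory=list)     # same version, different digests
    new_edges: list = field(default_factory=list)        # (dependent, dependency) not in baseline

    @property
    def is_clean(self) -> bool:
        return not any([self.added, self.removed, self.version_changed,
                        self.hash_changed, self.new_edges])


def _index(sbom: dict):
    """Components keyed by name plus dependency edges expressed by name, so that a version
    bump does not masquerade as a brand-new edge."""
    comps = {c["name"]: c for c in sbom.get("components", [])}
    ref_to_name = {c.get("bom-ref"): c["name"] for c in comps.values()}
    edges = set()
    for dep in sbom.get("dependencies", []):
        src = ref_to_name.get(dep.get("ref"))
        for target in dep.get("dependsOn", []):
            dst = ref_to_name.get(target)
            if src and dst:
                edges.add((src, dst))
    return comps, edges


def _digests(comp: dict) -> set:
    return {(h["alg"], h["content"].lower()) for h in comp.get("hashes", [])}


def compare_sboms(baseline: dict, current: dict) -> SbomDrift:
    base, base_edges = _index(baseline)
    cur, cur_edges = _index(current)
    drift = SbomDrift()
    drift.added = sorted(set(cur) - set(base))
    drift.removed = sorted(set(base) - set(cur))
    for name in sorted(set(base) & set(cur)):
        b, c = base[name], cur[name]
        if b.get("version") != c.get("version"):
            drift.version_changed.append((name, b.get("version"), c.get("version")))
        elif _digests(b) != _digests(c):
            # Same declared version, different bytes: the case that deserves immediate review.
            drift.hash_changed.append(name)
    drift.new_edges = sorted(cur_edges - base_edges)
    return drift


if __name__ == "__main__":
    print(compare_sboms(BASELINE_SBOM, CURRENT_SBOM))
```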
Recommendations
Zero Trust security offers a surveillance-based approach that continuously checks and cross-references identity, assesses behavioral risk, and compares it to potential losses and revenue. This approach brings several recommendations for organizations looking to enhance their security posture:
Changes to executive responsibility and board governance require the adoption of Zero Trust security
With the increasing importance of cybersecurity in today’s digital landscape, executive leadership and board members need to prioritize and understand the significance of Zero Trust security. This includes making it a strategic focus and allocating resources for its implementation. By recognizing the value of Zero Trust and incorporating it into governance structures, organizations can ensure a top-down commitment to robust security practices.
Zero Trust can help organizations meet government and customer requirements for supply chain resiliency
Supply chains have become more vulnerable to cyber threats, and government regulations and customer expectations emphasize supply chain resiliency. Zero Trust security measures can provide transparency, control, and trust within the supply chain ecosystem. Organizations can demonstrate their commitment to supply chain security and meet compliance requirements by establishing rigorous authentication, continuous monitoring, and granular access controls.
Operational risk management automation tools in Zero Trust can streamline security management and reduce enterprise risk and total cost of ownership
Zero Trust security frameworks offer automation tools that streamline security management processes. Organizations can reduce human error and enhance operational efficiency by automating tasks such as identity verification, access controls, and threat detection. This automation minimizes security risks and reduces the total cost of ownership associated with managing complex security infrastructures.
Simplification of security management in Zero Trust can address the security skills gap by enabling reliance on junior or offshore staff for incident diagnoses
The shortage of skilled cybersecurity professionals is a significant challenge for many organizations. Zero Trust can alleviate this skills gap by simplifying security management and enabling the reliance on junior or offshore staff for incident diagnoses. With streamlined processes, intuitive security controls, and automated monitoring, organizations can empower less experienced staff to effectively handle security incidents, optimizing resources and addressing the skills shortage.
By prioritizing identity integrity and leveraging the benefits of Zero Trust, organizations can establish a robust security framework that maximizes enterprise functionality while minimizing risk. In an increasingly unstable world where cyber threats continue to evolve, adopting a sophisticated, nuanced, and cost-effective security approach such as Zero Trust becomes essential for organizations to thrive and maintain resilience in the face of emerging challenges.
Ready to take your organization’s security to the next level? Download our comprehensive report on “Zero Trust: Enforcing Business Risk Reduction Through Security Risk Reduction” to gain valuable insights and practical strategies for implementing a business-friendly security approach. Discover how Zero Trust can minimize negative impacts, enhance risk management, and safeguard digital assets. Click here to download the report now!
By: Lucas Silva, RonJay Caragay, Arianne Dela Cruz, Gabriel Cardoso June 30, 2023 Read time: 7 min (1889 words)
Recently, the Trend Micro incident response team engaged with a targeted organization after having identified highly suspicious activities through the Targeted Attack Detection (TAD) service. In the investigation, malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.
Advertising platforms like Google Ads enable businesses to display advertisements to target audiences to boost traffic and increase sales. Malware distributors abuse the same functionality in a technique known as malvertising, where chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users into downloading certain types of malware.
The targeted organization conducted a joint investigation with the Trend team and discovered that cybercriminals performed the following unauthorized and malicious activities within the company’s network:
Stole top-level administrator privileges and used these privileges to conduct unauthorized activities
Attempted to establish persistence and backdoor access to the customer environment using remote management tools like AnyDesk
Attempted to steal passwords and tried to access backup servers
It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence.
The following chart represents how the infection starts.
In the following sections, we discuss the details of this case: how threat actors made the initial access, what kind of attacks they carried out, and the lessons that can be drawn from this event.
Deep dive into the infection chain
The infection starts once the user searches for “WinSCP Download” on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer.
From this first page, the user is then redirected to a cloned download webpage of WinSCP (winsccp[.]com). Once the user selects the “Download” button, an ISO file is downloaded from an infected WordPress webpage (hxxps://events.drdivyaclinic[.]com). Recently, the malicious actor changed their final stage payload URL to the file-sharing service 4shared.
The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the payload, typically a backdoor.
In summary, the malicious actor uses the following malvertising infection chain:
A user searches for an application by entering a search term in a search bar (such as Google or Bing). In this example, the user wants to download the WinSCP application and enters the search term “WinSCP Download” on the Bing search bar.
Above the organic search results, the user finds a malvertisement for the WinSCP application that leads to a malicious website.
Once the user selects the “Download” button, this begins the download of an ISO file to their system.
On Twitter, user @rerednawyerg first spotted the same infection chain mimicking the AnyDesk application. Once the user mounts the ISO, it contains two files, setup.exe and msi.dll. We list the details of these two files here:
Setup.exe: A renamed msiexec.exe executable
Msi.dll: A delayed-loaded DLL (not loaded until a user’s code attempts to reference a symbol contained within the DLL) that will act as a dropper for a real WinSCP installer and a malicious Python execution environment responsible for downloading Cobalt Strike beacons.
Once setup.exe is executed, it calls msi.dll, which extracts a Python folder from the DLL’s RCDATA section and also installs a real WinSCP installer on the machine. Two installations of Python 3.10 are created: a legitimate Python installation in %AppDataLocal%\Python-3.10.10 and another installation in %Public%\Music\python containing a trojanized python310.dll. Finally, the DLL establishes persistence by creating a Run key named “Python” with the value C:\Users\Public\Music\python\pythonw.exe.
When the executable pythonw.exe starts, it loads a modified/trojanized obfuscated python310.dll that contains a Cobalt Strike beacon that connects to 167[.]88[.]164[.]141.
The following command-and-control (C&C) servers are used to obtain the main beacon module:
File name    C&C
pp.py        hxxps://167.88.164.40/python/pp2
work2.py     hxxps://172.86.123.127:8443/work2z
work2-2.py   hxxps://193.42.32.58:8443/work2z
work3.py     hxxps://172.86.123.226:8443/work3z
Multiple scheduled tasks executing batch files for persistence were also created in the machine. These batch files execute Python scripts leading to in-memory execution of Cobalt Strike beacons. Interestingly, the Python scripts use the marshal module to execute a pseudo-compiled (.pyc) code that is leveraged to download and execute the malicious beacon module in memory.
The Trend Vision One™ platform was able to generate the following Workbench for the previously mentioned kill chain.
The threat actor used a few other tools for discovery in the customer’s environment. First, they used AdFind, a tool designed to retrieve and display information from Active Directory (AD) environments. In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation, and even password hash extraction.
In this case, the threat actor used it to fetch operating system information with the command adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName. The command retrieves the name, common name (CN), OperatingSystem, and dNSHostName attributes for each computer object and writes the result in CSV format.
The threat actor used the following PowerShell command to gather user information and to save it into a CSV file:
We also observed that the threat actor used AccessChk64, a command-line tool developed by Sysinternals that is primarily used for checking the security permissions and access rights of objects in Windows. Although the threat actor’s purpose for using the tool in this instance is not clear, it should be noted that the tool can be used for gaining insights on what permissions are assigned to users and groups, as well as for privilege escalation and the identification of files, directories, or services with weak access control settings.
The threat actor then used findstr, a command-line tool in Windows used for searching strings or regular expressions within files by using the command findstr /S /I cpassword \\<REDACTED>\sysvol\<REDACTED>\policies\*.xml.
It is possible that the purpose of this command is to identify any XML files that contain the string cpassword. This is interesting from a security context since cpassword is associated with a deprecated method of storing passwords in Group Policy Preferences within AD.
We also observed the execution of scripts with PowerShell. For instance, the command IEX (New-Object Net.Webclient).DownloadString('hxxp://127[.]0[.]0[.]1:40347/'); Invoke-FindLocalAdminAccess -Thread 50 invokes a PowerShell function called Invoke-FindLocalAdminAccess with the parameter -Thread set to 50. This function is likely part of a script that looks for local administrator access on systems in the environment.
Another PowerShell script used by the threat actor was PowerView. PowerView, which belongs to the PowerSploit collection of scripts used to assist in penetration testing and security operations, focuses on AD reconnaissance and enumeration and is commonly used by threat actors to gather information about the AD environment.
The PowerShell Expand-Archive command was used to extract ZIP files.
WMI was used to launch CoBeacon remotely across the environment.
C:\WINDOWS\system32\cmd.exe /C wmic /NODE:"<REDACTED>" process call create C:\users\public\videos\python\pythonw.exe C:\users\public\videos\python\work2-2.py
To obtain high-privileged credentials and escalate privileges, the threat actor used a Python script also containing the marshal module to execute a pseudo-compiled code for LaZagne. Another script to obtain Veeam credentials following the same structure was also identified in the environment.
PsExec, BitsAdmin, and curl were used to download additional tools and to move laterally across the environment.
The threat actor dropped a detailed KillAV BAT script (KillAV is a type of malicious software specifically designed to disable or bypass antivirus or antimalware programs installed on a target system) to tamper with Trend protections. However, due to the agent’s Self-Protection features and VSAPI detections, the attempt failed. The threat actors also made attempts to stop Windows Defender through a different KillAV BAT script.
Finally, the threat actor installed the AnyDesk remote management tool (renamed install.exe) in the environment to maintain persistence.
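To turn the chain above into something a detection team can run, here is an added Python example (not Trend Micro’s tooling) that evaluates a handful of rules, each drawn from one observation in this write-up, over constructed Sysmon-style process-creation (EventID 1) and registry value-set (EventID 13) records. The host name, user name and SID are placeholders, and the legitimate Python path in the last event is included as the negative case.

```python
from pathlib import PureWindowsPath

# Constructed telemetry modelled on Sysmon fields (Image, CommandLine, OriginalFileName,
# ParentImage for EventID 1; TargetObject, Details for EventID 13). Not real customer data.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\WinSCP\setup.exe",
     "OriginalFileName": "msiexec.exe", "CommandLine": "setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\WinSCP\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-CONSTRUCTED\Software\Microsoft\Windows\CurrentVersion\Run\Python",
     "Details": r"C:\Users\Public\Music\python\pythonw.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Music\python\pythonw.exe",
     "OriginalFileName": "pythonw.exe",
     "CommandLine": r"C:\Users\Public\Music\python\pythonw.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic /NODE:"HOST-CONSTRUCTED" process call create '
                    r"C:\users\public\videos\python\pythonw.exe "
                    r"C:\users\public\videos\python\work2-2.py",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": r"findstr /S /I cpassword \\dc.constructed.local\sysvol\constructed.local\policies\*.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Python310\pythonw.exe",  # benign install path
     "OriginalFileName": "pythonw.exe",
     "CommandLine": r"C:\Program Files\Python310\pythonw.exe build.py",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

PUBLIC_PROFILE = [p.lower() for p in PureWindowsPath(r"C:\Users\Public").parts]
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


def _under_public(path: str) -> bool:
    """True when the path sits below C:\\Users\\Public (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return parts[:len(PUBLIC_PROFILE)] == PUBLIC_PROFILE


def rule_renamed_msiexec(ev: dict) -> bool:
    """setup.exe was a renamed msiexec.exe: the PE's OriginalFileName disagrees with the image name."""
    return (ev.get("EventID") == 1
            and ev.get("OriginalFileName", "").lower() == "msiexec.exe"
            and PureWindowsPath(ev["Image"]).name.lower() != "msiexec.exe")


def rule_python_in_public(ev: dict) -> bool:
    """A Python interpreter executing from the Public profile (the trojanized copy)."""
    return (ev.get("EventID") == 1
            and PureWindowsPath(ev["Image"]).name.lower() in PYTHON_IMAGES
            and _under_public(ev["Image"]))


def rule_run_key_to_public(ev: dict) -> bool:
    """A Run value (here named 'Python') pointing at a binary under the Public profile."""
    return (ev.get("EventID") == 13
            and r"\currentversion\run\\".rstrip("\\") in ev.get("TargetObject", "").lower()
            and _under_public(ev.get("Details", "")))


def rule_wmic_remote_python(ev: dict) -> bool:
    """wmic /NODE ... process call create launching a Python interpreter on another host."""
    cl = ev.get("CommandLine", "").lower()
    return (ev.get("EventID") == 1 and "wmic" in cl and "/node:" in cl
            and "process call create" in cl
            and any(img in cl for img in PYTHON_IMAGES))


def rule_gpp_cpassword_search(ev: dict) -> bool:
    """findstr hunting for 'cpassword' in SYSVOL Group Policy Preference XML files."""
    cl = ev.get("CommandLine", "").lower()
    return ev.get("EventID") == 1 and "findstr" in cl and "cpassword" in cl and "sysvol" in cl


RULES = {
    "renamed_msiexec_loader": rule_renamed_msiexec,
    "python_interpreter_in_public_profile": rule_python_in_public,
    "run_key_to_public_profile": rule_run_key_to_public,
    "wmic_remote_python_launch": rule_wmic_remote_python,
    "gpp_cpassword_hunt": rule_gpp_cpassword_search,
}


def evaluate(events: list) -> list:
    """Return [(rule_name, event_index), ...] for every rule that fires on every event."""
    return [(name, idx) for idx, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, idx in evaluate(EVENTS):
        print(f"{name:40s} event #{idx}")
```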
After a diligent and proactive response, the attacker was successfully evicted from the network before they could reach their goal or execute their final payload. The incident response team also presented immediate countermeasures as well as medium- and long-term security procedures for implementation.
BlackCat uses the same tools, techniques, and procedures (TTPs)
In another investigation following the same TTPs described previously, we were able to identify that this activity led to a BlackCat (aka ALPHV) infection. Along with the other types of malware and tools already mentioned, we identified the use of the anti-antivirus and anti-endpoint detection and response (EDR) tool SpyBoy Terminator in an attempt to tamper with the protection provided by agents.
In order to exfiltrate the customer data, the threat actor used PuTTY Secure Copy client (PSCP) to transfer the gathered information. Investigating one of the C&C domains used by the threat actor behind this infection also led to the discovery of a possible related Cl0p ransomware file.
Conclusion and recommendations
In recent years, attackers have become increasingly adept at exploiting vulnerabilities that victims themselves are unaware of and have started employing behaviors that organizations do not anticipate. In addition to a continuous effort to prevent any unauthorized access, early detection and response within an organization’s network is critical. Immediacy in remediation is also essential, as delays in reaction time could lead to serious damage.
By understanding attack scenarios in detail, organizations can not only identify vulnerabilities that could lead to compromise and critical damage but also take necessary measures to prevent them.
Organizations can protect themselves by taking the following security measures:
Educate employees about phishing. Conduct training sessions to educate employees about phishing attacks and how to identify and avoid them. Emphasize the importance of not selecting suspicious links and not downloading files from unknown sources.
Monitor and log activities. Implement a centralized logging system to collect and analyze logs from various network devices and systems. Monitor network traffic, user activities, and system logs to detect any unusual or suspicious behavior.
Define normal network traffic for normal operations. Defining normal network traffic will help identify abnormal network traffic, such as unauthorized access.
Improve incident response and communication. Develop an incident response plan to guide your organization’s response in case of future breaches. Establish clear communication channels to inform relevant stakeholders, including employees, customers, and regulatory bodies, about a breach and the steps being taken to address it.
Engage with a cybersecurity professional. If your organization lacks the expertise or resources to handle the aftermath of a breach effectively, consider engaging with a reputable cybersecurity firm to assist with incident response, forensic analysis, and security improvements.
Indicators of Compromise (IOCs)
The full list of IOCs can be found here and below:
By: Trend Micro June 27, 2023 Read time: 4 min (1183 words)
Organizations face increasingly sophisticated cyber threats and vulnerabilities in today’s rapidly evolving digital landscape. Traditional security models can no longer protect sensitive data and mitigate risks. This is where Zero Trust comes into play, offering a comprehensive approach to security that can help organizations tackle emerging challenges.
In this article, we will explore how Zero Trust can benefit your organization, focusing on its ability to enhance security, secure supply chains, and align with international regulatory frameworks.
How Zero Trust Helps Your Organization
Zero Trust is designed to seek and eliminate shadow IT and inefficiencies within an organization. This approach can help reduce both operational and capital costs, effectively minimizing enterprise risks. Zero Trust also improves data hygiene by identifying systems with higher-than-average data risks, ensuring a more secure data environment.
Implementing Zero Trust also allows organizations to reduce the risk of brand-impacting security incidents and customer-facing outages. Zero Trust ensures uninterrupted business operations. Moreover, it provides fine-grained control over roaming and data sovereignty, granting organizations greater flexibility and security.
Moreover, Zero Trust enables multiple business functions to utilize a single access method. This consolidation improves security measures while reducing customers’ effort to complete transactions, ultimately enhancing the overall customer experience.
Zero Trust can be leveraged in numerous use cases, addressing different organizational security and risk management needs. Its versatility and adaptability make it a practical approach to securing digital environments effectively.
Secure Supply Chain Assurance: Importance and Zero Trust Applications
Zero Trust is crucial in securing the supply chain, as it helps identify revenue-impacting vulnerability chains within an enterprise. These chains can include business processes, security processes, and supply chains, collectively referred to as the attack surface.
Organizations can proactively identify and break potential kill chains within the supply chain by applying Zero Trust principles. Attack Surface Mapping and Cyber Asset Attack Surface Mapping (CAASM) make it possible to scan for and mitigate current, potential, and near-miss supply chain attacks, reducing the risk of cascading failures.
Attack Surface Mapping involves identifying and mapping all the possible entry points, weaknesses, and exposure areas in an organization’s network, systems, and applications. It provides a comprehensive view of the organization’s attack surface, including external-facing systems and internal assets and connections.
Cyber Asset Attack Surface Mapping (CAASM) focuses explicitly on the assets within an organization’s supply chain. It examines the digital assets and dependencies in the supply chain ecosystem, including third-party vendors, partners, and interconnected systems. By analyzing the attack surface of the supply chain, organizations can identify potential weaknesses and vulnerabilities that attackers could exploit.
These mapping techniques enable organizations to proactively scan and assess their current security posture, identify potential risks, and prioritize mitigation efforts. Organizations can take appropriate measures to strengthen their defenses, patch vulnerabilities, and implement security controls by understanding the attack surface and potential attack vectors.
Zero Trust Frameworks: DISA NSA vs. NIST
Zero Trust frameworks can vary based on organizational needs and security requirements. The DISA NSA Zero Trust Reference Architecture is suitable for large critical infrastructure entities, while the NIST approach caters to entities in the early stages of their security maturity journey.
The DISA NSA framework provides a comprehensive and adaptable blueprint, focusing on Device Trust, User Trust, Data Trust, and Network Trust. Organizations can establish trust across various infrastructure components by implementing rigorous authentication, authorization, and continuous monitoring. This approach enhances risk management accuracy and reduces infrastructure costs, making it suitable for large critical infrastructure entities.
On the other hand, the NIST approach follows a risk-based strategy, emphasizing continuous monitoring, granular access controls, and dynamic policy enforcement. It promotes a “never trust, always verify” mindset, advocating for robust authentication mechanisms, network segmentation, and encryption. This framework offers flexibility and scalability, making it well-suited for organizations at various stages of their security maturity journey.
To leverage the strengths of both frameworks, organizations can incorporate complementary design elements tailored to their specific needs. Organizations can establish a robust Zero Trust architecture that addresses their unique security requirements by combining the DISA NSA and NIST approaches.
Ultimately, implementing Zero Trust principles provides organizations with a proactive and holistic security approach, reducing the risk of breaches, protecting sensitive data, and ensuring the resilience of their infrastructure. By embracing these frameworks, organizations can strengthen their security posture and effectively combat the ever-evolving cyber threats of today’s digital landscape.
Zero Trust and International Regulatory Frameworks
Zero Trust is a security framework that has gained significant attention and adoption in recent years. It aligns with various international regulatory frameworks, ensuring organizations meet stringent data protection, privacy, and security requirements.
General Data Protection Regulation (GDPR)
Zero Trust principles align closely with the core principles of GDPR, which emphasize the protection of personal data, privacy, and accountability. By implementing Zero Trust measures, organizations establish robust security controls, mitigate the risk of data breaches, and protect personal data. Through solid authentication, access controls, data segmentation, and encryption, Zero Trust helps organizations meet GDPR requirements, ensuring compliance with data protection regulations.
California Consumer Privacy Act (CCPA)
The CCPA highlights the importance of safeguarding consumers’ personal information. Zero Trust principles provide valuable contributions to adequate data protection and privacy practices. With strong authentication mechanisms, data segmentation, and encryption, organizations can enhance their data security measures and meet CCPA obligations. Zero Trust’s emphasis on continuous monitoring and granular access controls ensures that organizations maintain control over the processing and sharing of personal information, thus meeting CCPA compliance requirements.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS establishes rigorous security measures to protect cardholder data. Zero Trust provides a solid foundation for meeting PCI DSS requirements by focusing on secure access controls, continuous monitoring, and encryption. Zero Trust’s “never trust, always verify” principle aligns with the need for stringent authentication mechanisms and restricted access to cardholder data. Organizations can establish a robust security posture by implementing Zero Trust and maintaining compliance with the PCI DSS standards.
Zero Trust principles offer organizations a powerful approach to achieving compliance with international regulatory frameworks. By aligning with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Payment Card Industry Data Security Standard (PCI DSS), Zero Trust enhances data protection, privacy, and security practices.
Conclusion
In an era of increasing cyber threats and supply chain vulnerabilities, adopting a Zero Trust approach is essential for organizations aiming to strengthen their security measures and ensure the integrity of their supply chains. By implementing Zero Trust principles, organizations can enhance security, streamline business functions, and align with international regulatory frameworks.
The versatility of Zero Trust frameworks, such as DISA NSA and NIST, allows organizations to tailor their security strategies to their specific needs. Embracing Zero Trust is a proactive step towards safeguarding sensitive data and critical operations and a crucial component of building trust with customers and partners in an ever-evolving digital landscape.
Download our comprehensive report on Zero Trust frameworks and their implementation strategies today. Gain valuable insights, practical guidance, and actionable steps to strengthen security measures. Click here to download the report and stay one step ahead in the ever-evolving digital landscape.
CDNs help keep Microsoft 365 fast and reliable for end users. Cloud services like Microsoft 365 use CDNs to cache static assets closer to the browsers requesting them to speed up downloads and reduce perceived end user latency. The information in this topic will help you learn about Content Delivery Networks (CDNs) and how they’re used by Microsoft 365.
What exactly is a CDN?
A CDN is a geographically distributed network consisting of proxy and file servers in datacenters connected by high-speed backbone networks. CDNs are used to reduce latency and load times for a specified set of files and objects in a web site or service. A CDN may have many thousands of endpoints for optimal servicing of incoming requests from any location.
CDNs are commonly used to provide faster downloads of generic content for a web site or service such as JavaScript files, icons and images, and can also provide private access to user content such as files in SharePoint Online document libraries, streaming media files, and custom code.
CDNs are used by most enterprise cloud services. Cloud services like Microsoft 365 have millions of customers downloading a mix of proprietary content (such as emails) and generic content (such as icons) at one time. It’s more efficient to put images everyone uses, like icons, as close to the user’s computer as possible. It isn’t practical for every cloud service to build CDN datacenters that store this generic content in every metropolitan area, or even in every major Internet hub around the world, so some of these CDNs are shared.
How do CDNs make services work faster?
Downloading common objects like site images and icons over and over again can take up network bandwidth that can be better used for downloading important personal content, like email or documents. Because Microsoft 365 uses an architecture that includes CDNs, the icons, scripts, and other generic content can be downloaded from servers closer to client computers, making the downloads faster. This means faster access to your personal content, which is securely stored in Microsoft 365 datacenters.
CDNs help to improve cloud service performance in several ways:
CDNs shift part of the network and file download burden away from the cloud service, freeing up cloud service resources for serving user content and other services by reducing the need to serve requests for static assets.
CDNs are purpose built to provide low-latency file access by implementing high performance networks and file servers, and by leveraging updated network protocols such as HTTP/2 with highly efficient compression and request multiplexing.
CDN networks use many globally distributed endpoints to make content available as close as possible to users.
The Microsoft 365 CDN
The built-in Microsoft 365 Content Delivery Network (CDN) allows Microsoft 365 administrators to provide better performance for their organization’s SharePoint Online pages by caching static assets closer to the browsers requesting them, which helps to speed up downloads and reduce latency. The Microsoft 365 CDN uses the HTTP/2 protocol for improved compression and download speeds.
Note
The Microsoft 365 CDN is only available to tenants in the Production (worldwide) cloud. Tenants in the US Government, China and Germany clouds do not currently support the Microsoft 365 CDN.
The Microsoft 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or origins, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Microsoft 365 CDN, you can add public origins, private origins or both.
Content in public origins within the Microsoft 365 CDN is accessible anonymously, and can be accessed by anyone who has URLs to hosted assets. Because access to content in public origins is anonymous, you should only use them to cache non-sensitive generic content such as JavaScript files, scripts, icons and images. The Microsoft 365 CDN is used by default for downloading generic resource assets like the Microsoft 365 client applications from a public origin.
Private origins within the Microsoft 365 CDN provide private access to user content such as SharePoint Online document libraries, sites and proprietary images. Access to content in private origins is secured with dynamically generated tokens so it can only be accessed by users with permissions to the original document library or storage location. Private origins in the Microsoft 365 CDN can only be used for SharePoint Online content, and you can only access assets through redirection from your SharePoint Online tenant.
The Microsoft 365 CDN service is included as part of your SharePoint Online subscription.
Although not a part of the Microsoft 365 CDN, you can use these CDNs in your Microsoft 365 tenant for access to SharePoint development libraries, custom code and other purposes that fall outside the scope of the Microsoft 365 CDN.
Azure CDN
Note
Beginning in Q3 2020, SharePoint Online will begin caching videos on the Azure CDN to support improved video playback and reliability. Popular videos will be streamed from the CDN endpoint closest to the user. This data will remain within the Microsoft Purview boundary. This is a free service for all tenants and it does not require any customer action to configure.
You can use the Azure CDN to deploy your own CDN instance for hosting custom web parts, libraries and other resource assets, which allows you to apply access keys to your CDN storage and exert greater control over your CDN configuration. Use of the Azure CDN isn’t free, and requires an Azure subscription.
Microsoft’s Ajax CDN is a read-only CDN that offers many popular development libraries including jQuery (and all of its other libraries), ASP.NET Ajax, Bootstrap, Knockout.js, and others.
To include these scripts in your project, simply replace any references to these publicly available libraries with references to the CDN address instead of including it in your project itself. For example, use the following code to link to jQuery:
For more information about how to use the Microsoft Ajax CDN, see Microsoft Ajax CDN.
How does Microsoft 365 use content from a CDN?
Regardless of what CDN you configure for your Microsoft 365 tenant, the basic data retrieval process is the same.
Your client (a browser or Office client application) requests data from Microsoft 365.
Microsoft 365 either returns the data directly to your client or, if the data is part of a set of content hosted by the CDN, redirects your client to the CDN URL.
a. If the data is already cached in a public origin, your client downloads the data directly from the nearest CDN location to your client.
b. If the data is already cached in a private origin, the CDN service checks your Microsoft 365 user account’s permissions on the origin. If you have permissions, SharePoint Online dynamically generates a custom URL composed of the path to the asset in the CDN and two access tokens, and returns the custom URL to your client. Your client then downloads the data directly from the nearest CDN location to your client using the custom URL.
If the data isn’t cached at the CDN, the CDN node requests the data from Microsoft 365 and then caches the data for time after your client downloads the data.
The CDN figures out the closest datacenter to the user’s browser and, using redirection, downloads the requested data from there. CDN redirection is quick, and can save users a lot of download time.
How should I set up my network so that CDNs work best with Microsoft 365?
Minimizing latency between clients on your network and CDN endpoints is the key consideration for ensuring optimal performance. You can use the best practices outlined in Managing Microsoft 365 endpoints to ensure that your network configuration permits client browsers to access the CDN directly rather than routing CDN traffic through central proxies, which avoids introducing unnecessary latency.
Is there a list of all the CDNs that Microsoft 365 uses?
The CDNs in use by Microsoft 365 are always subject to change and in many cases there are multiple CDN partners configured in the event one is unavailable. The primary CDNs used by Microsoft 365 are:
CDN | Company | Usage | Link
Microsoft 365 CDN | Microsoft Azure | Generic assets in public origins, SharePoint user content in private origins |
There are many factors involved in measuring specific differences in performance between data downloaded directly from Microsoft 365 and data downloaded from a specific CDN, such as your location relative to your tenant and to the nearest CDN endpoint, the number of assets on a page that are served by the CDN, and transient changes in network latency and bandwidth. However, a simple A/B test can help to show the difference in download time for a specific file.
The following screenshots illustrate the difference in download speed between the native file location in Microsoft 365 and the same file hosted on the Microsoft Ajax Content Delivery Network. These screenshots are from the Network tab in the Internet Explorer 11 developer tools. These screenshots show the latency on the popular library jQuery. To bring up this screen, in Internet Explorer, press F12 and select the Network tab, which is symbolized with a Wi-Fi icon.
This screenshot shows the library uploaded to the master page gallery on the SharePoint Online site itself. The time it took to upload the library is 1.51 seconds.
The second screenshot shows the same file delivered by Microsoft’s CDN. This time the latency is around 496 milliseconds. This is a large improvement and shows that a whole second is shaved off the total time to download the object.
Is my data safe?
We take great care to protect the data that runs your business. Data stored in the Microsoft 365 CDN is encrypted both in transit and at rest, and access to data in the Microsoft 365 SharePoint CDN is secured by Microsoft 365 user permissions and token authorization. Requests for data in the Microsoft 365 SharePoint CDN must be referred (redirected) from your Microsoft 365 tenant or an authorization token won’t be generated.
To ensure that your data remains secure, we recommend that you never store user content or other sensitive data in a public CDN. Because access to data in a public CDN is anonymous, public CDNs should only be used to host generic content such as web script files, icons, images and other non-sensitive assets.
Note
3rd party CDN providers may have privacy and compliance standards that differ from the commitments outlined by the Microsoft 365 Trust Center. Data cached through the CDN service may not conform to the Microsoft Data Processing Terms (DPT), and may be outside of the Microsoft 365 Trust Center compliance boundaries.
For in-depth information about privacy and data protection for Microsoft 365 CDN providers, visit the following:
Learn more about Microsoft 365 privacy and data protection at the Microsoft Trust Center
Learn more about Azure privacy and data protection at the Azure Trust Center
How can I secure my network with all these 3rd party services?
Using an extensive set of partner services allows Microsoft 365 to scale and meet availability requirements and enhance the user experience when using Microsoft 365. The 3rd party services Microsoft 365 leverages include both certificate revocation lists, such as crl.microsoft.com or sa.symcb.com, and CDNs, such as r3.res.outlook.com. Every CDN FQDN generated by Microsoft 365 is a custom FQDN for Microsoft 365. If you’re sent to an FQDN at the request of Microsoft 365, you can be assured that the CDN provider controls the FQDN and the underlying content at that location.
For customers that want to segregate requests destined for a Microsoft 365 datacenter from requests that are destined for a 3rd party, we’ve written up guidance on Managing Microsoft 365 endpoints.
Is there a list of all the FQDNs that leverage CDNs?
The list of FQDNs and how they leverage CDNs change over time. Refer to our published Microsoft 365 URLs and IP address ranges page to get up to date on the latest FQDNs that leverage CDNs.
Can I use my own CDN and cache content on my local network?
We’re continually looking for new ways to support our customers’ needs and are currently exploring the use of caching proxy solutions and other on-premises CDN solutions.
Although it isn’t a part of the Microsoft 365 CDN, you can also use the Azure CDN for hosting custom web parts, libraries and other resource assets, which allows you to apply access keys to your CDN storage and exert greater control over your CDN configuration. Use of the Azure CDN isn’t free, and requires an Azure subscription. For more information on how to configure an Azure CDN instance, see Quickstart: Integrate an Azure storage account with Azure CDN.
I’m using Azure ExpressRoute for Microsoft 365, does that change things?
Azure ExpressRoute for Microsoft 365 provides a dedicated connection to Microsoft 365 infrastructure that is segregated from the public internet. This means that clients will still need to connect over non-ExpressRoute connections to connect to CDNs and other Microsoft infrastructure that isn’t explicitly included in the list of services supported by ExpressRoute. For more information about how to route specific traffic such as requests destined for CDNs, see Implementing ExpressRoute for Microsoft 365.
Can I use CDNs with SharePoint Server on-premises?
Using CDNs only makes sense in a SharePoint Online context and should be avoided with SharePoint Server. This is because all of the advantages around geographic location don’t hold true if the server is located on-premises or geographically close anyway. Additionally, if there’s a network connection to the servers where the site is hosted, the site may be used without an Internet connection, in which case it can’t retrieve the CDN files. Otherwise, you should use a CDN if there’s one available and stable for the library and files you need for your site.
Your site needs to have a defined structure because, without it, it’ll just be a random collection of pages and blog posts. Your users need this structure to navigate on your site, to click from one page to another. Google also uses the structure of your site to determine what content is important and what is less relevant. This guide tells you everything you need to know about site structure.
Site structure refers to organizing and arranging a website’s pages and content. It defines the information hierarchy within the site and serves as a roadmap for search engine crawlers. A well-structured site facilitates easy navigation, enhances user experience, and helps search engines like Google understand and effectively index the site’s content. This, in turn, can improve the site’s performance by making it easier for users to find and engage with the content. Ultimately, an optimized site structure helps achieve higher rankings, more traffic, and better conversion rates.
Importance for usability
The structure of your website significantly impacts the experience for your visitors (UX). If visitors can’t find the products and information they’re looking for, they’ll not likely become regular visitors or customers. In other words, you should help them navigate your site. A good site structure will help with this.
Navigating should be easy. You need to categorize and link your posts and products so they are easy to find. New visitors should be able to grasp what you’re writing about or selling instantly.
Importance of your site structure for SEO
A solid site structure vastly improves your chances of ranking in search engines. There are three main reasons for this:
a. It helps Google ‘understand’ your site
The way you structure your site will give Google vital clues about where to find the most valuable content on your site. It helps search engines understand what your site is mainly about or what you’re selling. A decent site structure also enables search engines to find and index content quickly. A good structure should, therefore, lead to a higher ranking in Google.
b. It prevents you from competing with yourself
On your site, you might have blog posts that are quite similar. If, for example, you write a lot about SEO, you could have multiple blog posts about site structure, each covering a different aspect. Consequently, Google won’t be able to tell which of these pages is the most important, so you’ll be competing with your content for high rankings. You should let Google know which page you think is most important. You need a good internal linking and taxonomy structure to do this, so all those pages can work for you instead of against you.
c. It deals with changes on your website
The products you sell in your shop will likely evolve. So does the content you’re writing. You probably add new product lines as old stock sells out. Or you write new articles that make old ones redundant. You don’t want Google to show outdated products or deleted blog posts, so you need to deal with these kinds of changes in the structure of your site.
Are you struggling with setting up your site’s structure? Don’t know the best strategy to link from one post to another? Check out our Site structure training, part of the Yoast SEO academy. Access to Yoast SEO academy is included in the price of Yoast SEO Premium. Before you know it, you’ll be able to improve your rankings by creating the best structure for your site!
How to set up the structure of your site
So, how do you construct a solid site structure? First, we’ll look at an ideal site structure and then explain how to achieve this for your site.
What’s an ideal site structure?
Let’s start by looking at an ideal situation: How should you organize your site if you’re starting from scratch? We think a well-organized website looks like a pyramid with several levels:
Homepage
Categories (or sections)
Subcategories (only for larger sites)
Individual pages and posts
The homepage should be at the top. Then, you have some sections or category pages beneath it. You should be able to file your content under one of these categories. You can divide these sections or categories into subcategories if your site is larger. Beneath your categories or subcategories are your pages and posts.
Your homepage
On top of the pyramid is the homepage. Your homepage should act as a navigation hub for your visitors. This means, amongst others, that you should link to your most important pages from your homepage. By doing this:
Your visitors are more likely to end up on the pages you want them to end up on;
You show Google that these pages are important.
Further down this article, we’ll help you determine which pages are essential to your business.
Beware not to link too many pages from your homepage, which will cause clutter. And a cluttered homepage doesn’t guide your visitors anywhere. If you want to optimize your homepage further, you can do many other things. Read our article on homepage SEO to find out what.
Navigation
In addition to having a well-structured homepage, it’s also important to create a clear navigation path on your site. Your site-wide navigation consists of two main elements: the menu and the breadcrumbs.
The menu
First, let’s take a look at the menu. The website menu is the most common aid for navigation on your website, and you want to make the best possible use of it. Visitors use your menu to find things on your website. It helps them understand the structure of your website. That’s why the main categories on your site should all have a place in the menu on your homepage.
Furthermore, putting everything in just one menu is not always necessary. If you have a big site with lots of categories, this may clutter your website and makes your main menu a poor reflection of the rest of your site. Where it makes sense, creating a second menu is perfectly fine.
For instance, eBay has one menu at the top of the page – also called the top bar menu – and, in addition to that, a main menu. This top bar menu links to important pages that aren’t categories in the shop, like pages that relate to the visitor’s account on the site. The main menu reflects the most important product categories on eBay.
Finally, just like on your homepage, you shouldn’t add too many links to your menu. They will become less valuable for your users and search engines if you do.
Adding breadcrumbs to your pages can make your site’s structure even clearer. Breadcrumbs are clickable links, usually at the top of a page or post. Breadcrumbs reflect the structure of your site. They help visitors determine where they are on your site. They improve your site’s user experience and SEO, as you can read in our guide on breadcrumbs.
You can use one of the many breadcrumb plugins for your WordPress site. You can also use our Yoast SEO plugin, as we’ve implemented a breadcrumb functionality in our plugin as well.
Taxonomies
WordPress uses so-called taxonomies to group content; other CMSs have similar systems. The word ‘taxonomy’ is a fancy term for a group of things — website pages, in this case — that have something in common. This is convenient because people looking for more information on the same topic can find similar articles more easily. You can group content in different ways. The default taxonomies in WordPress are categories and tags.
Categories
You should divide your site’s blog posts or products into several categories. If these categories grow too big, you should divide these categories into subcategories to clear things up again. For example, if you have a clothing store and sell shoes, you can divide this category into subcategories: ‘boots’, ‘heels’, and ‘flats’. These subcategories contain products, in this case, shoes, of that specific type.
Adding this hierarchy and categorizing your pages helps your user and Google make sense of every page you write. Add your main categories to your site’s menu when implementing your category structure.
Your site’s structure will also benefit from adding tags. The difference between a category and a tag mostly concerns structure. Categories are hierarchical: you can have subcategories and even sub-subcategories. Tags, however, don’t have that hierarchy. Tags say: “Hey, this article or product has a certain property that might interest a visitor.” Think of it like this: categories are the table of contents of your website, and tags are the index. A tag for the online clothing store mentioned above could be a brand, for instance, Timberlands.
Try not to create too many tags. You’re not structuring anything if you add a new unique tag to every post or article. Ensure each tag is used at least twice, and your tags group articles that genuinely belong together.
Some WordPress themes display tags with each post, but some don’t. Ensure your tags are available to visitors somewhere, preferably at the bottom of your article or in the sidebar. Google isn’t the only one that likes tags: they are useful for visitors wanting to read more about the same topic.
Site structure is all about grouping and linking the content on your site. Until now, we mostly discussed so-called classifying links: links on your homepage, navigation, and taxonomies. On the other hand, contextual links are internal links within the copy on your pages that refer to other pages within your site. For a link to be contextual, the page you link to should be relevant for someone reading the current page. If you look at the previous paragraph, for instance, we link to a post about tagging, so people can learn more about it if they’re interested.
Your most important pages are often very relevant to mention on several pages across your site, so you’ll link to them most often. Just remember that not only the page you’re linking to is relevant, the context of the link is important as well.
Google uses the context of your links to gather information about the page you’re linking to. It always uses the anchor text (or link text) to understand what the page you’re linking to is about. But the anchor text isn’t the only thing Google looks at. Nowadays, it also considers the content around the link to gather extra information. Google is becoming better at recognizing related words and concepts. Adding links from a meaningful context allows Google to value and rank your pages properly. Yoast SEO Premium makes internal linking a breeze by automatically suggesting relevant content from your site to link to.
Contextual linking for blogs
For blogs, you should write extensively on the topics you want to rank for. You should write some main articles — your cornerstone articles — and write various posts about subtopics of that topic. Then link from these related posts to your cornerstone articles and from the cornerstone articles back to related posts. In this way, you’ll ensure that your most important pages have both the most and most relevant links.
The following metaphor might help you understand this principle:
Imagine you’re looking at a map of a state or country. You’ll probably see many small towns and some bigger cities. All towns and cities will be interconnected somehow. You’ll notice that small towns often have roads leading to the big cities. Those cities are your cornerstones, receiving the most links. The small towns are your posts on more specific topics. Some roads (links) lead to these smaller towns, but not as many as lead to the big cities.
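The cornerstone rule above (related posts link up to the cornerstone, the cornerstone links back, and the cornerstone ends up with the most inbound links) can be checked mechanically rather than by eye. The following script is an added example, not Yoast’s code and not the text link counter the plugin ships: it parses a handful of constructed HTML fragments for an assumed site at `https://example.com`, builds the internal link graph, and reports inbound counts, orphaned pages (no inbound links), dead ends (no outbound links), broken internal links, and posts that link to a cornerstone without getting a link back. The page paths, the `HUBS` and `CORNERSTONES` sets, and the HTML are all made up for the demonstration.

```python
"""Internal link audit for a site's cornerstone structure (added example, not Yoast code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SITE = "https://example.com"             # assumed site origin
HUBS = {"/", "/blog/"}                   # assumed navigation pages, excluded from the reciprocity check
CORNERSTONES = {"/seo/site-structure/"}  # assumed cornerstone article

# Constructed sample pages (path -> HTML fragment); not a real site.
PAGES = {
    "/": '<a href="/seo/site-structure/">Site structure guide</a> <a href="/blog/">Blog</a>',
    "/blog/": ('<a href="/blog/tags-101/">Tags</a> <a href="/blog/cornerstones/">Cornerstones</a> '
               '<a href="/blog/search-intent/">Search intent</a>'),
    "/seo/site-structure/": ('Everything about structure. Read about <a href="/blog/tags-101/">tags</a> '
                             'and <a href="/blog/cornerstones/">cornerstone content</a>.'),
    "/blog/tags-101/": 'Part of our <a href="/seo/site-structure/">site structure guide</a>.',
    "/blog/cornerstones/": ('See the <a href="/seo/site-structure/">full guide</a> or '
                            '<a href="https://example.org/other-site/">this other site</a>.'),
    "/blog/search-intent/": 'Covered in the <a href="../../seo/site-structure/">guide</a>.',
    "/blog/old-post/": ('Nobody links here. <a href="/blog/removed/">Removed post</a> '
                        '<a href="/blog/cornerstones/">cornerstones</a>'),
}


class LinkExtractor(HTMLParser):
    """Collect the href value of every <a> tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def internal_links(path, html):
    """Paths linked from `path` on the same host; self-links and off-site links are dropped."""
    parser = LinkExtractor()
    parser.feed(html)
    targets = set()
    for href in parser.hrefs:
        # Resolve relative hrefs against the page's own URL before classifying them.
        parsed = urlparse(urljoin(SITE + path, href))
        if parsed.netloc != urlparse(SITE).netloc:
            continue  # external link: not part of the internal structure
        target = parsed.path or "/"
        if target != path:
            targets.add(target)
    return targets


def audit(pages, cornerstones, hubs):
    """Return inbound counts plus the structural problems the article warns about."""
    graph = {path: internal_links(path, html) for path, html in pages.items()}
    inbound = {path: 0 for path in pages}
    broken = set()
    for source, targets in graph.items():
        for target in targets:
            if target in inbound:
                inbound[target] += 1
            else:
                broken.add((source, target))  # links to a page that does not exist
    orphans = sorted(p for p, n in inbound.items() if n == 0 and p not in hubs)
    dead_ends = sorted(p for p, targets in graph.items() if not targets)
    # Posts that link up to a cornerstone should get a link back from it.
    missing_backlinks = sorted(
        (stone, source)
        for stone in cornerstones
        for source, targets in graph.items()
        if stone in targets and source not in hubs and source not in graph[stone]
    )
    most_linked = max(inbound, key=inbound.get)
    return {
        "inbound": inbound,
        "most_linked": most_linked,
        "cornerstone_on_top": most_linked in cornerstones,
        "orphans": orphans,
        "dead_ends": dead_ends,
        "broken": sorted(broken),
        "missing_backlinks": missing_backlinks,
    }


if __name__ == "__main__":
    for key, value in audit(PAGES, CORNERSTONES, HUBS).items():
        print(f"{key}: {value}")
```

On the constructed site the cornerstone is the most-linked page, `/blog/old-post/` has no inbound links, `/blog/old-post/` links to a page that no longer exists, and `/blog/search-intent/` links to the cornerstone without a link back: exactly the three things the map metaphor tells you to fix. On a real site you would feed the function the rendered HTML of each page (or a crawler’s output) instead of the inline fragments.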
Contextual internal linking works differently on an online store with very few to no pages that are exclusively meant to inform. You don’t explore a specific topic on your product pages: you’re selling a product. Therefore, on product pages, you mostly want to keep people on a page and convince them to buy the product. Consequently, contextual linking is far less prominent in this context. You generally shouldn’t add contextual links to your product descriptions because it could lead to people clicking away from the page.
There are just a couple of meaningful ways of adding contextual links to the product pages for your ecommerce SEO:
link from a product bundle page to the individual products
a ‘related items’ or ‘compare with similar items’ section
a ‘customers also bought’ section
a ‘product bundles’ or ‘frequently bought together’ section.
Landing pages are the pages you want your audience to find when they search for specific keywords you’ve optimized for. For instance, we want people who search for ‘free SEO training’ to end up on the page about our free training called ‘SEO for beginners’. You need to approach the content of your most important landing pages differently than your regular pages.
Here, we’ll discuss two types of landing pages: cornerstone pages and product landing pages. They’re both pages you’d like people to land on from the search engines, but they require quite a different approach. But first, we’ll briefly go into search intent, because you have to know what your audience is really looking for.
Search intent
When setting up your site structure, you must consider search intent. It’s about what you think people are looking for when they enter a query into a search engine. What do people want to find? And: what do they expect to find?
Consider different possibilities in search intent, as you might want to cater to different types on your site. Are people just looking for an answer to a question or a definition? Are they comparing products before purchase? Or are they intending to buy something right away? This is often reflected in the type of query they make. You can also use Google’s search results to create great content that fits someone’s needs.
When you have an idea of the search intent, ensuring your landing page fits your audience’s search intent is essential. Pages can answer multiple search intents, but you need a clear view of at least your most important pages.
Cornerstone articles are the most important informational articles on your website. Their focus is to provide the best and most complete information on a particular topic; their main goal is not to sell products.
Because of this focus, we usually think of blogs when discussing cornerstone content. Of course, that doesn’t mean it can only be a blog post. All different kinds of websites have cornerstone articles! Rule of thumb: if an article brings everything you know about a broad topic together, it’s a cornerstone content article.
Product landing pages significantly differ from cornerstone articles. The latter are lengthy, whereas product landing pages shouldn’t be that long. Rather than complete articles, they should be focused. These pages only need to show what your visitors need to know to be convinced. They don’t need to hold all the information.
You want to rank with these pages, meaning they need content. Enough content for Google to understand what the page is about and what keyword it should rank for. Where cornerstone articles could be made up of thousands of words, a couple of hundred could be enough for product landing pages. The main focus of the content should be on your products.
Structuring or restructuring your content doesn’t always have high priority in everything you have to do. Especially when you blog a lot or add other content regularly, it might feel like a chore. Although it isn’t always fun, you must do it, or your website might become messy. To prevent that from happening, you need to fix your site structure and keep an eye on it while adding new content. Site structure should be part of your long-term SEO strategy.
Evaluate your menu
When your business goal or website changes, your menu must also change. Planning things visually will pay off when you start thinking about restructuring your site. Make a flowchart.
Start with your new menu one or two levels deep and see if you can fit in more pages you have created over the years. You’ll find that some pages are still valid but don’t seem relevant to your menu anymore. No problem, just be sure to link to them on related pages and in your sitemaps so that Google and your visitors can still find these pages. The flowchart will also show you any gaps in the site structure.
Creating an overview of your categories, subcategories, and products or posts will also help you to rethink your site’s taxonomy. This could be a simple spreadsheet, but you can use more visual tools like LucidChart or MindNode.
Do your product categories and subcategories provide a logical overview of your product range or your posts and pages? Perhaps you’ve noticed somewhere down the line that one category has been far more successful than others, or you wrote many blog posts on one subject and very few on others.
If one category grows much larger than others, your site’s pyramid could be thrown off balance. Think about splitting this category into different categories. But, if some product lines end up much smaller than others, you might want to merge them. Don’t forget to redirect the ones you delete.
If you have built your HTML sitemap manually, update that sitemap after changing your site structure. In the far more likely event you have an XML sitemap, re-submit it to Google Search Console.
You might be able to update and republish some outdated articles to make them relevant again. If an article is outdated, but no one reads it anyway, you might delete it. This could clean up your site nicely.
What you should know, in that case, is that you should never delete a page or article without thinking. If the page is gone, your server answers requests for its URL, from Google and from visitors alike, with a 404 error page. Both the search engine and your visitor will see this error message saying the page doesn’t exist, and that is a bad experience and, thus, bad for your SEO.
Be smart about this! Set up a permanent (301) redirect from the URL of the page you’re deleting to a page on your own site that is genuinely relevant to the same visitor, so your user (and Google) lands somewhere useful instead of on an error page. Redirecting to a closely related page could even improve your SEO!
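Redirects for deleted pages tend to accumulate over years of clean-ups, and a map that looked fine when each rule was added can hide chains (a redirect that lands on another redirect), loops, targets that were themselves deleted later, and rules that send visitors off-site. The script below is an added example, not Yoast’s code: it takes a constructed redirect map and a constructed set of live paths for an assumed host `example.com`, follows every source to its final destination, classifies each rule, collapses chains to a single hop, and renders the clean rules as Apache `Redirect 301` lines. Off-site targets are flagged separately because a redirect rule that forwards to another host is an open redirect waiting to be abused in phishing links, whether it got there by typo or by someone editing the map.

```python
"""Validate and flatten a redirect map for deleted pages (added example, not Yoast code)."""
from urllib.parse import urlparse

SITE_HOST = "example.com"  # assumed host; anything else counts as off-site
MAX_HOPS = 5               # give up on chains longer than this

# Constructed data: the pages that still exist, and the redirects we plan to deploy.
LIVE_PAGES = {"/", "/blog/", "/blog/tags-101/", "/seo/site-structure/", "/shop/boots/"}
REDIRECTS = {
    "/blog/old-tags-post/": "/blog/tags-101/",              # good: merged into a relevant page
    "/blog/older-tags-post/": "/blog/old-tags-post/",       # chain: hops through another redirect
    "/blog/loop-a/": "/blog/loop-b/",
    "/blog/loop-b/": "/blog/loop-a/",                       # loop
    "/blog/gone/": "/blog/never-existed/",                  # target 404s
    "/shop/old-boots/": "https://example.com/shop/boots/",  # absolute same-host target: fine
    "/promo/": "https://evil.example.net/",                 # off-site target: open-redirect risk
    "/blog/selfie/": "/blog/selfie/",                       # redirects to itself
}


def normalize(target):
    """Reduce a target to a site-local path, or None if it points at another host."""
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        # Protocol-relative targets like //evil.example.net/x land here too and are rejected.
        if parsed.netloc != SITE_HOST:
            return None
        return parsed.path or "/"
    return target  # assumed: a bare path starting with "/"


def resolve(source, redirects, live_pages):
    """Follow `source` through the map. Returns (status, final_target, hops)."""
    seen = [source]
    current = source
    for hops in range(1, MAX_HOPS + 1):
        raw_target = redirects[current]
        target = normalize(raw_target)
        if target is None:
            return ("offsite", raw_target, hops)
        if target in seen:
            return ("loop", target, hops)      # covers self-redirects as well
        seen.append(target)
        if target in live_pages:
            return ("ok" if hops == 1 else "chain", target, hops)
        if target not in redirects:
            return ("dead", target, hops)      # neither live nor redirected: a 404
        current = target
    return ("too_long", current, MAX_HOPS)


def flatten(redirects, live_pages):
    """Collapse chains so every deleted URL redirects in one hop; return (fixed_map, problems)."""
    fixed, problems = {}, {}
    for source in redirects:
        status, final, _ = resolve(source, redirects, live_pages)
        if status in ("ok", "chain"):
            fixed[source] = final
        else:
            problems[source] = status
    return fixed, problems


def to_htaccess(fixed):
    """Render the flattened map as Apache mod_alias rules, one permanent redirect per line."""
    return [f"Redirect 301 {src} {dst}" for src, dst in sorted(fixed.items())]


if __name__ == "__main__":
    good, bad = flatten(REDIRECTS, LIVE_PAGES)
    print("\n".join(to_htaccess(good)))
    for src, status in bad.items():
        print(f"# needs attention: {src} ({status})")
```

The flattened map only ever contains rules that land on a live page in one hop; everything else comes back in the `problems` dictionary with a reason, so the loop, the dead target, the self-redirect and the off-site rule all have to be resolved by hand before the map is deployed.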
Got some old content to clean up on your site? Sort out hidden pages and dead ends in four easy steps with our orphaned content SEO workout, available in Yoast SEO Premium.
Avoid keyword cannibalization
Your website is about a specific topic, which could be quite broad or rather specific. While adding content, you should be aware of keyword cannibalization. If you optimize your articles for keywords that are all too similar, you’ll be devouring your chances of ranking in Google. If you optimize different articles for similar key terms, you’ll be competing with yourself, making both pages rank lower.
You’ll have some work to do if you suffer from keyword cannibalization. In short, you should research the performance of your content and probably merge and redirect some of it. When merging posts, we recommend creating a new draft by cloning one of the original posts with the free Yoast Duplicate Post plugin. This allows you to work on your merged post without making these changes to a live post. Read the guide by Joost to learn more about keyword cannibalization and how to fix it.
Internal linking with Yoast SEO
Feeling a bit overwhelmed by all this advice? Yoast SEO has some handy tools to make internal linking so much easier.
Yoast SEO’s text link counter visualizes your links so you can optimize them. It shows the internal links in a post and the internal links to a post. This tool can enhance your site structure by improving the links between your related posts. Make sure your cornerstones get the most (relevant) links! You can identify your cornerstones by finding them in the column with the pyramid icon.
Yoast SEO Premium helps you with your internal linking as well. Our internal linking suggestions tool will show you which articles are related to the one you’re writing, so you can easily link to them: just by dragging the link into your editor!
Moreover, our tool allows you to indicate which articles you consider cornerstone content on your site. Those articles will be shown at the top of the internal linking suggestions. You’ll never forget to link to them again.
As we have seen, there are several reasons why site structure is important. A good site structure helps both your visitors and Google navigate your site. It makes it easier to implement changes and prevents competing with your content. So use the tips and pointers in this guide to check and improve your site structure. That way, you’ll stay on top and keep your website from growing out of control!
Want to improve your site structure but don’t know where to start? Get Yoast SEO Premium and get loads of helpful tools and guidance, including free access to Yoast SEO Academy, our Site structure training, and our SEO workouts!
Marieke was head of strategy and former CEO at Yoast. Following the sale of Yoast to Newfold Digital in 2021, she is, as of 2023, no longer active at Yoast. Marieke, together with her husband Joost, actively invests in and advises several startups through their company Emilia Capital.