Deprecating Support for TLS 1.0 / 1.1 – Improving Encryption Strength and your Security Posture

TLS Background 

Transport Layer Security (TLS) provides privacy and data integrity for applications communicating over the Internet. It is used in many Internet services today, such as VPN, email exchange, and most commonly web services (HTTPS). There have been 2 released versions of Secure Sockets Layer (SSL) and 4 versions of TLS spanning the last 25 years of security advancements. Each successive release addresses security vulnerabilities or weaknesses in a prior release:

  • SSLv2 documented in RFC 6176, released in 1995 
  • SSLv3 documented in RFC 6101, released in 1996  
  • TLS1.0 documented in RFC 2246, released in 1999 
  • TLS1.1 documented in RFC 4346, released in 2006 
  • TLS1.2 documented in RFC 5246, released in 2008 
  • TLS1.3 documented in RFC 8446, released in 2018 

Current TLS Support 

Our mission within Cisco Umbrella has always been to provide powerful security solutions that are easy to deploy and simple to manage. To maintain the simplicity for our customers and provide for the most backwards compatibility for those running legacy or unpatched operating systems, Cisco Umbrella has previously chosen to continue supporting all TLS Protocols 1.0 or later, deprecating only specific weak / insecure ciphers. 

What’s Changing? 

Cisco Umbrella will deprecate support for all TLS / SSL versions prior to version 1.2 on March 31st, 2020. After this date, customers will be unable to connect without a TLS1.2-compatible client.

Why change now?  

There are a few compelling events that caused us to re-evaluate the risk of TLS1.0 / 1.1.

1 – Apple, Google, Microsoft, and Mozilla announced in October of 2018 that they will deprecate support for TLS1.1 and prior within their browsers, forcing all TLS communications to be TLS1.2 or higher on March 31st, 2020.   

2 – As of June 2018, the Payment Card Industry Security Standards Council (PCI-SSC) officially began enforcement of a new policy requiring any sites certified under PCI-DSS to deprecate TLS1.0 and any SSLv2/v3 configurations. While they will allow TLS1.1, there is a strong recommendation to implement only TLS1.2 and later protocols.   

3 – As of 2014, the National Institute of Standards and Technology (NIST) formalized Special Publication 800-52, which requires US Government agencies to adopt TLS1.2 and deprecate use of TLS1.1 and before.

Upon re-evaluation of the associated risks and certification landscape, Cisco determined that now is the time to complete deprecations for anything prior to TLS1.2. 
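A deprecation like this is easiest to confirm from the client side: the added example below (not from the Cisco Umbrella post) probes a service with each TLS version in turn using .NET's SslStream, so you can verify that TLS 1.0/1.1 handshakes are refused and that TLS 1.2 still succeeds. The host name is a placeholder; the function accepts any certificate because it tests protocol support, not trust.

```powershell
# Added example (not from the Cisco Umbrella post): report which TLS versions an
# endpoint will negotiate. Useful both to confirm a server has dropped TLS 1.0/1.1
# and to confirm the client OS itself can still complete a TLS 1.2 handshake.
function Test-TlsVersions {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # placeholder: the service to check
        [int] $Port = 443
    )
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {    # .NET names for TLS 1.0, 1.1 and 1.2
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($HostName, $Port)
            # Accept any certificate: we are probing protocol support, not validating the chain.
            $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]$proto, $false)
            $result = "accepted ($($ssl.CipherAlgorithm), $($ssl.CipherStrength)-bit)"
            $ssl.Dispose()
        } catch {
            # A server that has deprecated the version aborts the handshake with an alert;
            # the same failure appears if the local OS has the version disabled client-side.
            $ex  = $_.Exception
            $msg = if ($ex.InnerException) { $ex.InnerException.Message } else { $ex.Message }
            $result = "rejected: $msg"
        } finally {
            $tcp.Dispose()
        }
        [pscustomobject]@{ Host = $HostName; Protocol = $proto; Result = $result }
    }
}

# Replace the placeholder with the service you are checking.
Test-TlsVersions -HostName 'service.example.invalid' | Format-Table -AutoSize
```

Expect TLS 1.0 and 1.1 rows to read "rejected" and the TLS 1.2 row to read "accepted" against a service that has completed the deprecation; if TLS 1.2 is also rejected from a client that works elsewhere, the client OS or its Schannel configuration is the likely cause.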

Source:
https://umbrella.cisco.com/blog/2019/09/06/deprecating-support-for-tls-1-0-1-1-improving-encryption-strength-and-your-security-posture/

Cyberattack Lateral Movement Explained

 

[Lightly edited transcript of the video above]

Hi there, Mark Nunnikhoven from Trend Micro Research, I want to talk to you about the concept of lateral movement.

And the reason why I want to tackle this today is because I’ve had some conversations in the last few days that have really kind of hit that idea bulb that people don’t truly understand how cybercriminals get away with their crimes in the organization. Specifically how they launch their attacks.

Now don’t get me wrong, this isn’t to blame on defenders. This isn’t to blame on the general public. I’m going to go with Hollywood’s to blame a little bit here, because we’re watching movies in Hollywood inevitably…you know, the hackers in their dark hat and with no lighting, underground, Lord knows where they find these places to hack from, and they are attacking directly through.

You see a bunch of text go across the screen and they penetrate through the first firewall, through the second firewall and into the data. That’s not how it works at all.

That’s ridiculous. It’s absurd.

[00:59]

It makes for interesting cinema, just like the red code/green code in CSI Cyber, but it’s not a reflection of reality and that’s a real challenge. Because a lot of people don’t have the experience of working with cybersecurity, working in cybersecurity, so their only perception is what they see either through media—you know TV, movies, books—or if they happen to run into somebody in the industry. So there is an overwhelming amount of sort of information or misinformation.

Not even misinformation, just storytelling that tries to make it far more dramatic than it is. The reality is that cybercriminals are out for profit.

We know this time and time again—yes, a bunch of nation-state stuff does happen, but the vast majority of you are unaffected by it. Same with there’s a massive amount of script-kiddie just sort of scanning random people with random tools that are just seeing what they can get away with, and if you have solid, automated defenses that doesn’t really impact you.

What does impact you is the vast majority of organized cybercriminals who are out to make a profit. Trend Micro had a great series and continues to have a great series on the Underground, the Digital Underground, that shows just how deep these profit motivations go.

This is very much a dark industry. And with that in mind we come back to the concept of lateral movement.

[02:22]

If an attacker breaches your systems, whether they come in like a fourth of all attacks do via email, whether they come in directly through a server compromise, which is about half of all breaches according to the Verizon Data Breach Investigations Report, or one of the other methods that is commonly used…then they start to move around within your network.

That’s lateral movement.

We talk about north/south traffic with the network, which is basically inside the network to outside of the network, so out to the internet and back. East/west is within the network itself. Most defenses, traditional defenses, worry about that north/south traffic.

Not enough worry about the east/west and it’s breaking down finally. We are getting rid of this hard perimeter. “It’s mine, I defend everything inside” …and realizing that this is actually how cybercriminals work. Once they’re inside they move around. So we need to defend in-depth and have really great monitoring and protection tools within our networks because of this challenge of lateral movement.

[03:23]

Let me give you a little easier to digest analogy. Most of us in a home have a grocery list and maybe once a week—maybe twice–we head to the grocery store and we try to get everything we want off the list and then we come back. That just makes sense.

That’s how we do it. Right? You would never think of going, “Okay. Number one of the list is ketchup. I’m going to drive to the store to get ketchup. I’m going to buy it and I’m going to come back home.

I’m going to look at item number two. I need a loaf of bread. I’m going to drive back to the store. I’m going to buy a loaf of bread and I’m going to come back and we can go to item 3, and I’m going to go and I’m going to come back. I’m going to…” That’s just ridiculous, right? That’s absolutely absurd and cybercriminals agree.

Once they’ve driven to the store, they’re going to buy everything that they need and everything that they see as an opportunity, right? They are really susceptible to those end caps and impulse buys… and then they’re going to leave.

This is how they attack our organizations.

We know that, because the average time to detect a breach is around 197 days right now and that stat has fluctuated maybe plus or minus 15 days for the last decade.

We also know that it takes almost three…it takes two and a half to three months to actually contain a breach once you discover it, and the reason for all of this is lateral movement.

Once you’re in as a cybercriminal, once you’ve made headway, once you’ve gained a beachhead or a foothold within that network, you’re going to do everything you can to expand it because it’s going to make you the most amount of money.

[04:55]

What do you think? Let us know in the comments below, hit us up on social @TrendMicro or you can reach me directly @marknca.

How are you handling lateral movement? How are you trying to reduce it? How are you looking for visibility across all of your systems?

Let’s continue this conversation because when we talk we all get better and more secure online.

Source:
https://blog.trendmicro.com/cyberattack-lateral-movement-explained/

Mid-Year Update: 2019 SonicWall Cyber Threat Report

It’s almost cliché at this point, but the cyber arms race — and respective cybersecurity controls and technology — moves at an alarming pace.

For this reason, SonicWall Capture Labs threat researchers never stop investigating, analyzing and exploring new threat trends, tactics, strategies and attacks. They publish most of their findings — the data they can share publicly, anyway — in the annual SonicWall Cyber Threat Report.

But to ensure the industry and public are able to stay abreast of the quickly shifting threat landscape, the team offers a complementary mid-year update to the 2019 SonicWall Cyber Threat Report. Download the exclusive report to explore the stories, behaviors and trends that are shaping 2019 — as they are happening.

Malware volume dips in first half

In 2018, global malware volume hit a record-breaking 10.52 billion attacks, the most ever recorded by SonicWall Capture Labs threat researchers.

Fortunately, during the first six months of 2019, that trend slowed — at least somewhat. SonicWall recorded 4.8 billion* malware attacks, a 20% drop compared to the same time period last year.

Ransomware rising

Did you think ransomware was an outdated tactic? The latest 2019 data proves otherwise. Despite overall declines in malware volume, ransomware continues to pay dividends for cybercriminals.

All told, global ransomware volume reached 110.9 million for the first half of 2019, a 15% year-to-date increase. The exclusive mid-year update outlines which countries followed this trend and which were victimized by an increase in ransomware attacks.

Attacks against non-standard ports still a concern

As defined in the full 2019 SonicWall Cyber Threat Report, a ‘non-standard’ port means a service running on a port other than its default assignment, usually as defined by the IANA port numbers registry.

For the first half of 2019, 13% of all malware attacks came via non-standard ports, a slight dip due to below-normal activity in January (8%) and February (11%).

Encrypted threats intensify

In 2018, SonicWall logged more than 2.8 million encrypted threats, which was already a 27% jump over the previous year. Through the first six months of 2019, SonicWall has registered a 76% year-to-date increase.

Machine learning, multi-engine sandboxes evolving to ‘must-have’ security

So far in 2019, the multi-engine SonicWall Capture Advanced Threat Protection (ATP) cloud sandbox has exposed 194,171 new malware variants — a pace of 1,078 new variant discoveries each day of the year.

IoT malware volume doubled YTD

The speed and ferocity with which IoT devices are being compromised to deliver malware payloads is alarming. In the first half of 2019, SonicWall Capture Labs threat researchers have already recorded 13.5 million IoT attacks, which outpaces the first two quarters of last year.

Bitcoin run keeping cryptojacking in play

Late 2018 data showed cryptojacking on the decline. But with the surging values of both bitcoin and Monero, cryptojacking rebounded in 2019. Cryptojacking volume hit 52.7 million for the first six months of the year.

How do cryptocurrency prices influence cryptojacking volume? The exclusive mid-year update looks deeper into the numbers.

 

Source
https://blog.sonicwall.com/en-us/2019/07/mid-year-update-2019-sonicwall-cyber-threat-report/

Windows Server 2008 End of Support: Are you Prepared?

On July 14th, 2015, Microsoft’s widely deployed Windows Server 2003 reached end of life after nearly 12 years of support. For millions of enterprise servers, this meant the end of security updates, leaving the door open to serious security risks. Now, we are fast approaching the end of life of another server operating system – Windows Server 2008 and Server 2008 R2, which will soon reach end of support on January 14, 2020.

Nevertheless, many enterprises still rely on Windows Server 2008 for core business functions such as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on these workloads for critical business applications and to support their internal services like Active Directory, File Sharing, and hosting internal websites.

What does this mean for you?

End of support (EOS) for an operating system like Windows Server 2008 introduces major challenges for organizations that are running their workloads on the platform. While a small number may be ready to fully migrate to a new system or to the cloud, the reality is that most organizations aren’t able to migrate this quickly due to time, budgetary, or technical constraints. Looking back at Windows Server 2003, even nine months after the official EOS, 42% of organizations indicated they would still be using Windows Server 2003 for 6 months or more, while the remaining 58% were still in the process of migrating off of Windows Server 2003 (Osterman Research, April 2016). The same is likely to occur with the Server 2008 EOS, meaning many critical applications will continue to reside on Windows Server 2008 for the next few years, despite the greatly increased security risks.

What are the risks?

The end of support means organizations must prepare to deal with missing security updates, compliance issues, defending against malware, as well as other non-security bugs. You will no longer receive patches for security issues, or notifications of new vulnerabilities affecting your systems. With constant discovery of new vulnerabilities and exploits – 1,450 zero-days disclosed by the ZDI in 2018 alone – it’s all but guaranteed that we will see additions to the more than 1,300 vulnerabilities faced by Windows Server 2008. The lack of notifications to help monitor and measure the risk associated with new vulnerabilities can leave a large security gap.

This was the case for many organizations in the wake of the 2017 global WannaCry ransomware attack, which affected over 230,000 systems worldwide, specifically leveraging the EternalBlue exploit present in older Windows operating systems. While Microsoft did provide a patch for this, many weren’t able to apply the patches in time due to the difficulty involved in patching older systems.

What can security and IT teams do?

The most obvious solution is to migrate to a newer platform, whether that’s on-premises or using a cloud infrastructure-as-a-service offering such as AWS, Azure, or Google Cloud.

However, we know many organizations will either delay migration or leave a portion of their workloads running in a Windows Server 2008 environment for the foreseeable future. Hackers are aware of this behavior, and often view out-of-support servers as an easy target for attacks. Security teams need to assess the risk involved with leaving company data on those servers, and whether or not the data is secure by itself. If not, you need to ensure you have the right protection in place to detect and stop attacks and meet compliance on your Windows Server 2008 environment.
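Assessing that risk starts with knowing which Server 2008 hosts are still alive. The added example below (not from the Trend Micro post) pulls every Windows Server 2008 / 2008 R2 computer object from Active Directory, marks the ones that have authenticated recently, and exports the list; it assumes the RSAT ActiveDirectory module on a domain-joined workstation, and the 90-day staleness window is an assumption to tune.

```powershell
# Added example (not from the Trend Micro post): inventory Windows Server 2008 /
# 2008 R2 hosts in Active Directory ahead of the January 14, 2020 end of support.
# Assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.
Import-Module ActiveDirectory

$EndOfSupport = Get-Date '2020-01-14'

function Get-Server2008Inventory {
    param([int] $StaleDays = 90)   # assumption: hosts silent this long are likely decommissioned

    # The OS attribute of 2008 (non-R2) hosts often contains a registered-trademark
    # symbol ("Windows Server(R) 2008 Standard"), so match loosely on "2008".
    Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*2008*"' `
                   -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.Name
                OS           = $_.OperatingSystem
                Version      = $_.OperatingSystemVersion
                Enabled      = $_.Enabled
                LastLogon    = $_.LastLogonDate
                # Enabled and recently seen: a live host that stops receiving patches at EOS.
                LikelyActive = [bool]($_.Enabled -and $_.LastLogonDate -gt (Get-Date).AddDays(-$StaleDays))
                DaysUntilEOS = [int]($EndOfSupport - (Get-Date).Date).TotalDays
                OU           = ($_.DistinguishedName -split ',', 2)[1]
            }
        }
}

$inventory = Get-Server2008Inventory
$inventory |
    Sort-Object -Property @{ Expression = 'LikelyActive'; Descending = $true }, LastLogon |
    Format-Table Name, OS, LikelyActive, LastLogon, OU -AutoSize
$inventory | Export-Csv -Path .\server2008-inventory.csv -NoTypeInformation
"Active Server 2008 hosts still to migrate or shield: $(@($inventory | Where-Object LikelyActive).Count)"
```

Hosts that are enabled but have not logged on in months are worth confirming before you count them as retired; a stale computer object can still be a powered-on server that nobody owns.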

How can Trend Micro help?

Trend Micro Deep Security delivers powerful, automated protection that can be used to secure applications and workloads across new and end-of-support systems. Deep Security’s capabilities include host-based intrusion prevention, which will automatically shield workloads from new vulnerabilities, applying an immediate ‘virtual patch’ to secure the system until an official patch is rolled out – or in the case of EOS systems – for the foreseeable future.

Deep Security also helps monitor for system changes with real-time integrity monitoring and application control, and will secure your workloads with anti-malware, powered by the Trend Micro Smart Protection Network’s global threat intelligence. Deep Security’s broad platform and infrastructure support allows you to seamlessly deploy security across your physical, virtualized, cloud, and containerized workloads, protecting your end-of-life systems throughout and beyond your migration.

Learn how easy it is to deploy virtual patching to secure your enterprise and address patching issues.

 

Source
https://blog.trendmicro.com/windows-server-2008-end-of-support-are-you-prepared/

WiFi Protection in Public Places

WiFi Internet has added much convenience to our daily lives, with its easy accessibility in public places such as restaurants, hotels, and cafes; malls, parks, and even in airplanes, where we can connect online for faster transactions and communication. Like any online technology, however, it’s vulnerable to hacker abuse, posing potential threats to you and your mobile devices.

Public WiFi hotspots in particular are insecure and easily abused by cybercriminals. Some ways you can be hacked when connected to public WiFi include (MUO, Bates, 10/3/16):

  • The hacker can get between you and the WiFi hotspot when hooked to the network, to perform man-in-the-middle attacks and spy on your connection.
  • The hacker can “spoof” the legitimate WiFi, creating an “evil twin” that you log onto without noticing it’s a fake—which again, lets them spy on your data in transit.
  • A hacker can “sniff” the packets on the unencrypted network you’re attached to, reading them with software like Wireshark, for identity clues they can analyze and use against you later.
  • They can also “hijack” a session in real-time, reading the cookies sent to your device during a session, to gain access to private accounts you’re logged into. This is typically known as “sidejacking.”
  • Finally, they can “shoulder-surf,” simply watching you over your shoulder, to view your screens and track your keystrokes. In crowded places, it’s easy for hackers to “eavesdrop” on your connection.

Ways you can protect yourself when using public WiFi include (Wired, Nield, 8/5/18):

  • Connect only to more trusted public networks, like Starbucks, rather than any random public WiFi that shows up in your WiFi connection settings, as in a shopping mall or park.
  • Connect only to websites that show HTTPS, not just HTTP, which means the data transmission between the site and you is encrypted.
  • Don’t provide too much personal data, such as email addresses and phone numbers, if the WiFi network requires it to connect. Better to not connect than risk unwanted ads or even identity theft.
  • Don’t do public file or print sharing over public WiFi networks. This is even more true of financial transactions: banking on unsecured WiFi networks is an invitation to hackers to steal your data in transit.
  • Use a Virtual Private Network (VPN) on your mobile device, so you can be certain your data is encrypted to and from your mobile device.

The last piece of advice should probably be your first line of defense. Trend Micro WiFi Protection, for example, protects your devices from online threats by providing just such a VPN. It safeguards your private information when using public hotspots by automatically turning on when the device connects to an unsecured WiFi network. This ensures total anonymity from public servers and hides your data from hacker inspection by encrypting your data over the network. Trend Micro WiFi Protection also includes built-in web threat protection that protects you from online frauds and scams that can come your way via malicious links—and notifies you if there are any WiFi security issues on the network itself. You’ll be happy to also know that Trend Micro WiFi Protection does not affect your WiFi speed as it connects to its local or regional secured server.

Stay safe on public WiFi! Trend Micro WiFi Protection is available for PC, Mac, Android and iOS devices.

 

Source
https://blog.trendmicro.com/wifi-protection-in-public-places/

Set up Chrome Browser Cloud Management

Enroll cloud-managed Chrome Browsers

After you have access to your Google Admin console, here's how to enroll the devices where you want to manage Chrome Browsers. You'll then be able to enforce policies for any users who open Chrome Browser on an enrolled device.

Step 1: Generate enrollment token

  1. In your Google Admin console (at admin.google.com)...

  2. (Optional) To add browsers in the top-level organization in your domain, keep Include all organizational units selected. Alternatively, you can generate a token that will enroll browsers directly to a specific organizational unit by selecting it in the left navigation before moving on to the next step. For more information, see Add an organization unit.
  3. At the bottom, click Add to generate an enrollment token.
  4. In the box, click Copy to copy the enrollment token.

Step 2: Enroll browsers with the enrollment token

Enroll browsers on Windows

Option 1: Use the Group Policy Management Editor

Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome, set CloudManagementEnrollmentToken to the generated token you copied above.

Clear the current enrollment if one exists by deleting the key HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment. In .reg file syntax, a leading hyphen inside the brackets deletes the key:
[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment]

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome to true.

Notes:

  • The token must be set at a local machine level. It won't work at the user level.
  • If the machines you are enrolling are imaged from the same Windows source, make sure that you have used Microsoft's System Preparation tool (Sysprep) so that each enrolled machine has a unique identifier.

Option 2: Download the reg file

Click Download .reg file. The downloaded .reg file automatically adds the token and clears the current enrollment when run.

When you use the reg file, Chrome browser will still respect the CloudManagementEnrollmentMandatory policy in Option 1, blocking launch if enrollment fails. See the note above if you're enrolling machines imaged from the same Windows source.

Enroll browsers on Mac

Option 1: Use a policy

Push the token to your browser as a policy named CloudManagementEnrollmentToken. Setting policies on Mac devices requires the Apple Profile Manager.

Note: If you choose to manually set policies, be aware that Mac OS will delete the policy files on every sign-in. Learn more about setting up policies on Mac in the Quick Start Guide and help center.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory to true.

Option 2: Use a text file

Push the token in a text file called CloudManagementEnrollmentToken, under /Library/Google/Chrome/. This file must only contain the token and be encoded as a .txt file, but should not have the .txt filename extension.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /Library/Google/Chrome/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

If a token is pushed using both methods above, Chrome will use the value present in the policy and ignore the file. The token is stored in a directory under the home directory on the user's Mac. Each Mac OS user must enroll separately.

Enroll browsers on Linux machines

The token can be pushed by creating a text file called enrollment_token, under /etc/opt/chrome/policies/enrollment. This file must only contain the token and nothing else.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /etc/opt/chrome/policies/enrollment/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

Step 3: Launch Chrome Browser and confirm enrollment

  1. After setting the enrollment token using one of the methods in Step 2, quit Chrome Browser (if it's open) and launch Chrome Browser on the managed device.
  2. Sign in to the Google Admin console (admin.google.com).
  3. Go to Device management and then Chrome management and then Managed browsers.  All browsers that have been launched with your enrollment token will appear in the browser list.
  4. (Optional) To see additional details, click a machine's name.

Notes: 

  • If you have multiple installations of Chrome Browser on a single device, they will show up in the browser list as a single managed browser.
  • Enrollment tokens are only used during enrollment. After enrollment, they can be revoked in the Admin console. However, enrolled browsers will still be registered.
  • On Windows, only system installations are supported because Chrome Browser requires admin privileges to register.

Just after registering, not many fields are populated. You need to enable browser reporting to access detailed reporting information. For more information, see Step 4: Enable Chrome Browser reporting.

Unenroll and re-enroll devices

To remove policies and to unenroll a device in Chrome Browser Cloud Management, delete both the enrollment token and the device token.

To re-enroll a device, delete the device token while leaving the enrollment token in place. The device token was created by Chrome during the initial enrollment. Make sure not to revoke the enrollment token. If you accidentally delete the enrollment token, create a new one.

Note: Unenrolling browsers from Chrome Browser Cloud Management doesn't delete the data that's already uploaded to the Google Admin console. To delete uploaded data, delete the corresponding device from the Admin console.
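The Windows registry steps from Step 2 (Option 1) and the unenroll/re-enroll steps above can be scripted. The added example below is not Google's code: it writes the machine-level policy values the page names, clears the existing enrollment key, and offers an unenroll function; it assumes the device token Chrome creates lives under the HKLM\SOFTWARE\Google\Chrome\Enrollment key the page says to clear, and uses a placeholder token.

```powershell
# Added example (not from the Google help page): manage Chrome Browser Cloud
# Management enrollment on Windows via the registry. Run elevated; the page notes
# only system-level installs are supported and the token must be machine-level.
# Assumption: the device token created at enrollment is stored under $EnrollmentKey.

$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$EnrollmentKey = 'HKLM:\SOFTWARE\Google\Chrome\Enrollment'

function Set-ChromeCloudEnrollment {
    param(
        [Parameter(Mandatory)] [string] $Token,   # enrollment token copied from the Admin console
        [switch] $Mandatory                       # block Chrome launch if enrollment fails
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Machine-level policy value; a per-user (HKCU) value is not honoured for enrollment.
    Set-ItemProperty -Path $PolicyKey -Name 'CloudManagementEnrollmentToken' -Value $Token -Type String
    # Clear any previous enrollment state so Chrome enrolls afresh with this token
    # (what the [-HKEY_LOCAL_MACHINE\...\Enrollment] line in the .reg file does).
    if (Test-Path $EnrollmentKey) { Remove-Item -Path $EnrollmentKey -Recurse -Force }
    if ($Mandatory) {
        Set-ItemProperty -Path $PolicyKey -Name 'CloudManagementEnrollmentMandatory' -Value 1 -Type DWord
    } else {
        Remove-ItemProperty -Path $PolicyKey -Name 'CloudManagementEnrollmentMandatory' -ErrorAction SilentlyContinue
    }
}

function Remove-ChromeCloudEnrollment {
    # Unenroll: the page says to delete both the enrollment token and the device token.
    Remove-ItemProperty -Path $PolicyKey -Name 'CloudManagementEnrollmentToken'     -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $PolicyKey -Name 'CloudManagementEnrollmentMandatory' -ErrorAction SilentlyContinue
    if (Test-Path $EnrollmentKey) { Remove-Item -Path $EnrollmentKey -Recurse -Force }
}

function Get-ChromeCloudEnrollmentState {
    # What Chrome will find at its next launch.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TokenConfigured     = [bool]$policy.CloudManagementEnrollmentToken
        EnrollmentMandatory = ($policy.CloudManagementEnrollmentMandatory -eq 1)
        DeviceStatePresent  = Test-Path $EnrollmentKey   # appears after Chrome launches and enrolls
    }
}

# Placeholder: replace with the token generated in Step 1.
Set-ChromeCloudEnrollment -Token '<ENROLLMENT-TOKEN-FROM-ADMIN-CONSOLE>' -Mandatory
Get-ChromeCloudEnrollmentState
```

To re-enroll as described above, run only the Remove-Item on $EnrollmentKey and leave the policy value in place; Chrome recreates the device state on its next launch.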

Questions

When are enrollment tokens used?

Enrollment tokens are only used during enrollment. They can be revoked after enrollment and enrolled browsers will still be registered.

Does this token enrollment process require admin privileges on Windows?

Yes. On Windows, only system installations are supported.

What gets uploaded during the enrollment process?

During the enrollment process, Chrome Browser uploads the following information:

  •   Enrollment token
  •   Device ID
  •   Machine name
  •   OS platform
  •   OS version

Why don't I see a Chrome management section in my Admin console?

If you have the legacy free edition of G Suite, Chrome management isn't currently available in your Admin console. Support for legacy free edition will be rolled out in the future.

Source:
https://support.google.com/chrome/a/answer/9301891?hl=en

SonicWall: Cryptojacking Apocalypse – Defeating the Four Horsemen of Cryptomining

Despite price fluctuations of bitcoin and other cryptocurrencies, cryptojacking remains a serious — and often hidden — threat to businesses, SMBs and everyday consumers.

And the most covert of these threats is cryptomining via the browser, where popular forms of malware attempt to turn your device into a full-time cryptocurrency mining bot called a cryptojacker.

To help you creatively understand this trend, let me summon my classical training and be a little hyperbolic. If you see the cryptojacking wave as an apocalypse like some of their victims do, the Four Horsemen would be the four threats to your endpoint or business:

  • The White Horse: The energy it consumes or wastes
  • The Red Horse: The loss to productivity due to limited resources
  • The Black Horse: The damage it can do to a system
  • The Pale Horse: Security implications due to created vulnerabilities

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background (although your CPU performance graph or device’s fan may indicate something is not normal).

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal.

Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking is being used to solve that challenge.

In April 2018, SonicWall started tracking cryptojacking trends, namely the use of Coinhive in malware. Over the course of the year, we saw cryptojacking ebb and flow. In that time, SonicWall recorded nearly 60 million cryptojacking attacks, with as many as 13.1 million in September 2018. As published in the 2019 SonicWall Cyber Threat Report, volume dipped across the final quarter of 2018.

[Figure: Global Cryptojacking Attacks | April-September 2018]

The lure of cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60% of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Stay hidden for as long as possible (unlike ransomware and more akin to traditional malware).

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

Am I infected by cryptominers?

Cryptominers are interested in your processing power and cryptojackers have to trade stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should launch Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.
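As a first triage pass before opening Process Explorer, the added example below (not from the SonicWall post) samples per-process CPU use over a short window and flags processes that stay busy while running unsigned from outside the Windows and Program Files directories, which is the "unknown process" pattern the paragraph describes. The sample length and CPU threshold are assumptions; a browser-based miner shows up as the browser process itself.

```powershell
# Added example (not from the SonicWall post): flag sustained CPU consumers that are
# unsigned or run from unusual locations, as a starting point for a cryptominer hunt.
# Thresholds are assumptions; legitimate software can trip the heuristic.
function Get-SuspiciousCpuConsumers {
    param(
        [int]    $SampleSeconds = 10,
        [double] $MinCpuPercent = 25.0
    )
    $cores  = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = $_.CPU }   # cumulative CPU seconds so far
    Start-Sleep -Seconds $SampleSeconds

    Get-Process |
        Where-Object { $before.ContainsKey($_.Id) -and $null -ne $before[$_.Id] -and $null -ne $_.CPU } |
        ForEach-Object {
            # Share of total machine CPU this process consumed during the window.
            $pct = 100 * ($_.CPU - $before[$_.Id]) / ($SampleSeconds * $cores)
            if ($pct -lt $MinCpuPercent) { return }

            $path = $_.Path   # null for protected/system processes
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoPath' }
            $trustedDir = $path -and (
                $path -like "$env:SystemRoot\*" -or
                $path -like "$env:ProgramFiles\*" -or
                $path -like "${env:ProgramFiles(x86)}\*")

            [pscustomobject]@{
                Name       = $_.ProcessName
                Id         = $_.Id
                CpuPercent = [math]::Round($pct, 1)
                Path       = $path
                Signature  = $sig
                # Busy, not validly signed, and outside the usual install paths:
                # inspect in Process Explorer or your EDR console. A browser sitting here
                # may be running an in-page miner rather than being malware itself.
                Suspicious = ($sig -ne 'Valid') -and -not $trustedDir
            }
        } | Sort-Object CpuPercent -Descending
}

Get-SuspiciousCpuConsumers | Format-Table Name, Id, CpuPercent, Signature, Suspicious, Path -AutoSize
```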

How to defend against cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats.

Since people like to reuse old code, catching cryptojackers like Coinhive was also a simple first step. But in February 2019, Coinhive publicly announced it was ceasing operations March 8. The service stated that it wasn’t “economically viable anymore” and that the “crash” impacted the business severely.

Despite this news, SonicWall predicts there will still be a surge in new cryptojacking variants and techniques to fill the void. Cryptojacking could still become a favorite method for malicious actors because of its concealment; low and indirect damage to victims reduces chances of exposure and extends the valuable lifespan of a successful attack.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

The multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

Source:
https://blog.sonicwall.com/en-us/2019/05/cryptojacking-apocalypse-defeating-the-four-horsemen-of-cryptomining/

Sonicwall : 4 Ways the WhatsApp Exploit Could Use Employees to Infiltrate Your Network

The recent WhatsApp breach was very sophisticated and clever in the manner it was delivered. And that should be expected considering who was reported as being behind the zero-day attack against the popular messaging application.

But the attack against the WhatsApp app is not just a concern for its millions of global customers. There’s a very real and imminent threat to businesses and enterprises, too.

For example, let’s assume one of your employees has WhatsApp installed on their device and it is subsequently compromised via the latest WhatsApp exploit. In many situations, this employee will, at some point, connect their device to the corporate network.

This legitimate access could be via VPN, cloud applications (e.g., Office 365, Dropbox, etc.), corporate Wi-Fi or, my personal “favorite,” plugging the device into the USB port of a corporate laptop so the phone can charge. Understanding how and where users connect to the corporate network is critical.

In most cases, organizations can’t prevent personal BYOD phones from being compromised — particularly when outside the network perimeter. They can, however, protect the network from exploits delivered via the compromised phone. Here are the four most common ways the WhatsApp vulnerability could be leveraged to infiltrate a corporate network and, more importantly, how SonicWall can prevent it:

  1. Via VPN. If an employee connects to the corporate network over VPN, SonicWall, for example, would be the endpoint where they establish the VPN. Threat prevention (e.g., firewalls, Capture ATP) and access control (e.g., Secure Mobile Access) would prevent the WhatsApp breach from spreading any further than the compromised phone.
  2. Via Wi-Fi. In this scenario, next-generation firewalls and secure wireless access points should be in place to inspect all internal traffic and prevent the exploit from going further than the phone.
  3. Via compromised credentials. Because the WhatsApp exploit enabled attackers to steal credentials to cloud services and apps, organizations with Cloud Access Security Broker (CASB) solutions, like SonicWall Cloud App Security, would mitigate account takeovers (ATO), unauthorized access and any related data leakage.
  4. Via USB port. Users often forget that a powered USB port on their laptop is an entry point for attackers — even when doing something as innocent as charging a phone. A sound endpoint protection solution (see diagram), such as Capture Client, would monitor the connection to the laptop and inspect any malicious activity attempting to leverage the USB port to deliver malware payloads.

Computers Still Vulnerable to “Wormable” BlueKeep RDP Flaw

Nearly 1 million Windows systems are still unpatched and have been found vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Protocol (RDP)—two weeks after Microsoft released the security patch.

If exploited, the vulnerability could allow an attacker to easily cause havoc around the world, potentially much worse than what WannaCry-like and NotPetya-like wormable attacks did in 2017.

Dubbed BlueKeep and tracked as CVE-2019-0708, the vulnerability affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions and could spread automatically on unprotected systems.

The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code and take control of a targeted computer just by sending specially crafted requests to the device's Remote Desktop Service (RDS) via the RDP—without requiring any interaction from a user.

Describing the BlueKeep vulnerability as wormable, meaning it could allow malware to propagate to vulnerable systems just as WannaCry did, Microsoft released a security fix to address the vulnerability with its May 2019 Patch Tuesday updates.

However, the latest Internet scan performed by Robert Graham, head of offensive security research firm Errata Security, revealed that, unfortunately, roughly 950,000 publicly accessible machines on the Internet are vulnerable to the BlueKeep bug.

This clearly means that even after the security patch is out, not every user and organisation has deployed it to address the issue, posing a massive risk to individuals and organizations, including industrial and healthcare environments.

Graham used "rdpscan," a quick scanning tool he built on top of his masscan port scanner that can scan the entire Internet for systems still vulnerable to the BlueKeep vulnerability, and found around 7 million systems listening on port 3389, of which around 1 million are still vulnerable.

"Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines," the researcher says.

"That means when the worm hits, it'll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry, and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness."

The BlueKeep vulnerability has so much potential to wreak havoc worldwide that it forced Microsoft to release patches for not only the supported Windows versions but also Windows XP, Windows Vista and Windows Server 2003, which no longer receive mainstream support from the company but are still widely used.

Not only researchers but also malicious hackers and cybercriminals have started scanning the Internet for vulnerable Windows systems to target them with malware, GreyNoise Intelligence said.

"GreyNoise is observing sweeping tests for systems vulnerable to the RDP 'BlueKeep' (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor," the tweet says.

Fortunately, so far no security researcher has publicly published proof-of-concept exploit code for BlueKeep, though a few have confirmed that they have developed a working exploit.

Are you still waiting for me to tell you what you should do next? Go and fix the goddamn vulnerability if you are using one of them.

If fixing the flaw in your organisation is not possible anytime soon, then you can apply these mitigations:

  • Disable RDP services, if not required.
  • Block port 3389 using a firewall or make it accessible only over a private VPN.
  • Enable Network Level Authentication (NLA) – this is a partial mitigation that prevents an unauthenticated attacker from exploiting this wormable flaw.
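The three mitigations above can be audited and applied from PowerShell. The block below is an added example, not code from the article or from Microsoft: it reads the standard Terminal Server registry values for RDP and NLA, checks whether anything is listening on 3389, and offers switches that apply each mitigation. The KB identifier is a placeholder to be replaced with the update for your build from Microsoft's CVE-2019-0708 advisory; netsh is used for the firewall rule because New-NetFirewallRule does not exist on Windows 7 / Server 2008.

```powershell
# Added example, not from the article. Audits the three mitigations above on the host it
# runs on and applies the chosen ones. Registry locations are the standard Terminal
# Server settings; the patch KB identifier is a placeholder (look it up for your OS
# build in Microsoft's CVE-2019-0708 advisory). netsh is used instead of
# New-NetFirewallRule because the latter does not exist on Windows 7 / Server 2008.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    param([string]$PatchKb = 'KB0000000')   # placeholder, replace with the real KB for this build
    $deny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # netstat exists on every affected Windows version; Get-NetTCPConnection does not.
    $listen  = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
    $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        RdpEnabled     = ($deny -eq 0)
        NlaRequired    = ($nla -eq 1)
        Port3389Listen = $listen
        PatchInstalled = $patched
        # NLA only stops unauthenticated attackers, so it does not clear the exposure flag.
        Exposed        = (($deny -eq 0) -and $listen -and -not $patched)
    }
}

function Invoke-RdpMitigation {
    # Applies the mitigations from the list. Run from an elevated prompt.
    param([switch]$DisableRdp, [switch]$BlockPort, [switch]$RequireNla)
    if ($DisableRdp) {
        # Mitigation 1: disable RDP when it is not required.
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
    if ($BlockPort) {
        # Mitigation 2: block inbound 3389 from everywhere; reach RDP only through the VPN.
        netsh advfirewall firewall add rule name="Block inbound RDP (BlueKeep mitigation)" `
            dir=in action=block protocol=TCP localport=3389 | Out-Null
    }
    if ($RequireNla) {
        # Mitigation 3: require NLA so unauthenticated clients never reach the vulnerable code.
        Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    }
    Get-RdpExposure
}

# Usage:
#   Get-RdpExposure -PatchKb 'KB0000000' | Format-List
#   Invoke-RdpMitigation -RequireNla -BlockPort | Format-List
```

The `Exposed` flag deliberately ignores NLA: as the list says, NLA is a partial mitigation that keeps unauthenticated attackers out, but the fix is still the patch, so the audit keeps reporting a listening, unpatched host until the update is installed or RDP is switched off.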

Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware


Cyber Security researchers at Guardicore Labs today published a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide.

Dubbed Nansh0u, the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group that has already infected nearly 50,000 servers and is installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

The campaign, which dates back to February 26 but was first detected in early-April, has been found delivering 20 different payload versions hosted on various hosting providers.

The attack relies on the brute-forcing technique after finding publicly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner.

Upon successful login with administrative privileges, the attackers execute a sequence of MS-SQL commands on the compromised system to download a malicious payload from a remote file server and run it with SYSTEM privileges.

In the background, the payload leverages a known privilege escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.

"Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version."

The payload then installs cryptocurrency mining malware on the compromised servers to mine the TurtleCoin cryptocurrency.

Besides this, the malware also protects its process from being terminated, using a digitally signed kernel-mode rootkit for persistence.

"We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology."

Researchers have also released a complete list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows administrators can use to check whether their systems are infected or not.

Since the attack relies on weak username and password combinations for MS-SQL and PHPMyAdmin servers, admins are advised to always use strong, complex passwords for these accounts.
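Because the initial access here is plain password guessing against the SQL login, the campaign leaves a very visible footprint before any payload arrives: bursts of failed logins from one client address in the SQL Server ERRORLOG. The block below is an added example, not the Guardicore script mentioned above: it parses "Login failed for user" lines and reports client addresses whose failures inside a sliding window exceed a threshold. The log lines are constructed for the demonstration (TEST-NET addresses), not real telemetry, and the threshold and window are assumptions to tune per environment.

```powershell
# Added example, not the Guardicore script mentioned above. Parses SQL Server ERRORLOG
# lines and reports client addresses whose failed logins within a sliding window exceed
# a threshold, which is the footprint a password-guessing campaign leaves. The log lines
# below are constructed for the demonstration (TEST-NET addresses), not real telemetry.

function Find-SqlLoginBruteForce {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    # Matches lines such as:
    # 2019-04-01 12:00:00.00 Logon       Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]
    $pattern = "^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+Login failed for user '(?<user>[^']*)'\..*\[CLIENT: (?<ip>[^\]]+)\]"
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $byIp = @{}
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }     # "Error: 18456" lines and unrelated entries are ignored
        $ip = $m.Groups['ip'].Value
        if (-not $byIp.ContainsKey($ip)) { $byIp[$ip] = New-Object System.Collections.Generic.List[object] }
        $byIp[$ip].Add([pscustomobject]@{
            Time = [datetime]::ParseExact($m.Groups['ts'].Value, 'yyyy-MM-dd HH:mm:ss.ff', $culture)
            User = $m.Groups['user'].Value
        })
    }
    $window = [timespan]::FromMinutes($WindowMinutes)
    foreach ($ip in $byIp.Keys) {
        $events = @($byIp[$ip] | Sort-Object Time)
        # Sliding window: the largest number of failures that fit inside WindowMinutes.
        $start = 0; $peak = 0
        for ($end = 0; $end -lt $events.Count; $end++) {
            while (($events[$end].Time - $events[$start].Time) -gt $window) { $start++ }
            $n = $end - $start + 1
            if ($n -gt $peak) { $peak = $n }
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                ClientIp      = $ip
                PeakFailures  = $peak
                TotalFailures = $events.Count
                UsersTried    = (($events.User | Select-Object -Unique) -join ',')
                FirstSeen     = $events[0].Time
                LastSeen      = $events[-1].Time
            }
        }
    }
}

# Constructed sample: 12 failures for 'sa' from one address within 22 seconds, plus one
# unrelated mistyped password from another address.
$constructedLog = @(
    foreach ($i in 0..11) {
        $stamp = [datetime]::new(2019, 4, 1, 12, 0, 0).AddSeconds(2 * $i).ToString('yyyy-MM-dd HH:mm:ss.ff')
        "$stamp Logon       Error: 18456, Severity: 14, State: 8."
        "$stamp Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
    }
    "2019-04-01 12:05:10.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]"
)

# Reports 203.0.113.5 with PeakFailures = 12; 198.51.100.7 stays below the threshold.
Find-SqlLoginBruteForce -Lines $constructedLog -Threshold 10 -WindowMinutes 5 | Format-List

# Against a live instance, feed it the ERRORLOG of that instance, for example:
# Find-SqlLoginBruteForce -Lines (Get-Content '<instance log directory>\ERRORLOG')
```

Failed-login auditing must be switched on for this to work (the SQL Server default of logging failed logins only is sufficient). Pair the detection with the advice above: a strong, unique password for `sa` and the administrative accounts, and no MS-SQL or PHPMyAdmin management port reachable from the Internet, removes the weak link this campaign depends on.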
