Supply Chain Attacks from a Managed Detection and Response Perspective


Modern technology has made managing large IT environments much less daunting compared to the past, when each endpoint had to be manually configured and maintained. Many organizations now use tools and IT solutions that allow centralized management of endpoints, making it possible to update, troubleshoot, and deploy applications from a remote location.

However, this convenience comes at a price — just as IT staff can access machines from a single location, the centralized nature of modern tech infrastructure also means that malicious actors can target the primary hub to gain access to the whole system.  Even more concerning, cybercriminals no longer even have to launch a direct attack against an organization — they can bypass security measures by focusing on their target’s supply chain. For example, instead of trying to find weak points in the system of a large organization that will likely have strong defenses, an attacker can instead target smaller companies that develop software for larger enterprises.

In this blog entry, we will take a look at two examples of supply chain attacks that our Managed Detection and Response (MDR) team encountered in the past couple of months.

Incident #1: Attack on the Kaseya platform

On July 2, during the peak of the Kaseya ransomware incident, we alerted one of our customers, notifying them about  ransomware detections in their system.  

Figure 1. The timeline of the incident

Our investigation found suspicious activity when the file AgentMon.exe, which is part of the Kaseya Agent, spawned another file, cmd.exe, that is responsible for creating the payload agent.exe, which in turn dropped MsMpEng.exe

By expanding our root cause analysis (RCA) and checking the argument for cmd.exe, we were able to see a few items before the execution of the ransomware. These initial set of indicators of compromise (IoCs) are similar to the ones discussed in another blog post.

Figure 2. Vision One console showing the attack’s infection chain

We found that the malware attempted to disable the anti-malware and anti-ransomware features of Windows Defender via PowerShell commands. It also created a copy of the Windows command line program Certutil.exe to “C:\Windows\cert.exe”, which is used to decode the payload file agent.crt, with the output given the name agent.exe.  Agent.exe is then used to create the file MsMpEng.exe, a version of Windows Defender that is vulnerable to DLL side-loading.

Figure 3. Details of the threat

Machine learning detection capabilities managed to block and detect the ransomware, however, the protection module was not activated in all the security agents of Trend Micro Apex One™ — so the organization’s support requested the team to check their product settings. Because the process chain showed that the ransomware came from a Kaseya agent, we  requested our customer to isolate the Kaseya servers to contain the threat.

A few hours later, Kaseya released a notice to their users to immediately shut down their Virtual System/Server Administrator (VSA) server until further notice.

Incident #2: Credential dumping attack on the Active Directory

The second supply chain incident handled by our MDR team starts with an alert to a customer that notified them of a credential dump occurring in their active directory (AD). The Incident View in Trend Micro Vision One™️ aggregated other detections into a single view, providing additional information on the scope of the threat. From there, we were able to see a server, an endpoint, and a user related to the threat.

Figure 4. Vision One’s incident view showing the threat’s details

Our threat hunting team also noted suspicious behavior related to WmiExec. Further investigation of the affected hosts’ Ownership Alignment Tools (OATs) show a related entry for persistence:

  • C:\Windows\System32\schtasks.exe /CREATE /RU SYSTEM /SC HOURLY /TN “Windows Defender” /TR “powershell.exe C:\Windows\System.exe -L rtcp:// -F mwss://” /ST 12:00
Figure 5. OAT flagging a suspicious creation of a scheduled task

We found scheduled tasks being utilized as a persistence mechanism for the file System.exe. Further analysis of this file shows that it is related to GO simple tunnel, which is used to forward network traffic to an IP address depending on the argument.

Checking the initial alert revealed a file common in the two hosts, which prompted us to check the IOC list to determine the other affected hosts in the environment.

Figure 6. Discovery commands and access to a malicious domain evident in the process chain

Expanding the nodes from the RCA allowed us to gather additional IOCs that showed setup0.exe creating the file elevateutils.exe. In addition, elevateutils.exe was seen querying the domain vmware[.]center, which is possibly the threat’s command-and-control (C&C) server. We also discovered the earliest instance of setup0.exe in one of the hosts.

The samples setup0.exe is an installer for elevateutils.exe which seems to be a Cobalt Strike Beacon Malleable C&C stager based on our analysis. The installer may have been used to masquerade as a normal file installation. 

Figure 7. The presence of EICAR strings is an indicator of it being of elevateutils.exe being a Cobalt Strike Beacon

The stager elevateutils.exe: will try to load the DLL chartdir60.dll, which will in turn read the contents of manual.pdf (these are also dropped by the installer in the same directory as elevateutil.exe). It will then decrypt, load, and execute a shell code in memory that will access the URL vmware[.]center/mV6c.

It makes use of VirtualAlloc, VirtualProtect, CreateThread, and a function to decrypt the shellcode to load and execute in memory. It also uses indirect API calls after decryption in a separate function, then uses JMP EAX to call the function as needed, which is not a routine or behavior that a normal file should have.

Since it’s possible that this is a Cobalt Strike Malleable C&C stager, further behaviors may be dependent on what is downloaded from the accessed URL. However, due to being inaccessible at the time of writing this blog post, we were unable to observe and/or verify other behaviors.

Use of the Progressive RCA of Vision One allowed us to see how elevateutils.exe was created, as well as its behaviors. The malicious file was deployed via a Desktop Central agent.

Figure 8. Viewing the behaviors of elevateutils.exe
Figure 9. The console showing the attack’s infection chain

Based on these findings, our recommendation to the customer was to check the logon logs of the affected application to verify any suspicious usage of accounts during the time the threat was deployed.

By closely monitoring the environment, the threat was stopped after the credential dump. Furthermore, the IOCs (IP addresses and hashes) were added to the suspicious objects list to block them while waiting for detections. Further monitoring was done and no other suspicious behavior were seen.

Defending against supply chain attacks

As businesses become more interconnected, a successful supply chain attack has the potential to cause a significant amount of damage to affected organizations.  We can expect to see more of these in the future, as they often lead to the same results as a direct attack while providing a wider attack surface for malicious actors to exploit.

Supply chain attacks are difficult to track because the targeted organizations often do not have full access to what’s going on security-wise with their supply chain partners. This can often be exacerbated by security lapses within the company itself. For example, products and software may have configurations — such as folder exclusions and suboptimal implementation of detection modules — that make threats more difficult to notice.

Security audits are also a very important step in securing the supply chain.  Even if third party vendors are known to be trustworthy, security precautions should still be deployed in case there are compromised accounts or even insider threats.

Using Vision One to contain the threat

Trend Micro Vision One provides offers organizations the ability to detect and respond to threats across multiple security layers. It provides enterprises options to deal with threats such as the ones discussed in this blog entry:

  • It can Isolate endpoints, which are often the source of infection, until they are fully cleaned or the investigation is done.
  • It can block IOCs related to the threat, this includes hashes, IP addresses, or domains found during analysis.
  • It can collect files for further investigation.

Indicators of Compromise (IoCs)

Incident # 1


SHA256Detection nameDetails

Incident # 2

SHA256Detection nameDetails
116af9afb2113fd96e35661df5def2728e169129bedd6b0bb76d12aaf88ba1ab Trojan.Win32.COBALT.AZSetup0.exe

IP addresses and domains

  • 185[.]215[.]113[.]213
  • vmware[.]center

    Source :

Amazon Prime Day: Big Sales, Big Scams

Malicious actors taking advantage of important events is not a new trend. For example, a large number of tax-related scams pops up every tax season in the US, with threats ranging from simple phishing emails to the use of scare tactics that lead to ransomware. More recently,  Covid-19 has led to a surge in pandemic-related malicious campaigns, mostly arriving via email.

For many people, major online shopping events such as the annual Amazon Prime day — which falls on June 21 this year — presents a unique opportunity to purchase goods at heavily discounted prices. However, shoppers are not the only ones looking to benefit — cybercriminals are also looking to prey on unsuspecting victims via social engineering and other kinds of scams. Amazon Prime has experienced tremendous growth over the past two years. According to estimates, there were 150 million Prime members at the end of the fourth quarter of 2019, a number which grew to 200 million by the first quarter of 2021 — with around 105 million users in the US alone. This makes Amazon Prime customers a particularly lucrative target for malicious actors.

As Amazon Prime day approaches, we’d like to build awareness among the shopping public by showing some of the related scams we’ve observed over the past few months.

Amazon Prime Scams

In 2020, Amazon Prime day, which is usually held in June or July, was postponed to October due to Covid-19. That same month, the Australian Communications and Media Authority (ACMA) issued an alert warning the public that they had been receiving reports of scammers — impersonating Amazon Prime staff — calling their targets, claiming that they owed money to Amazon. They also warned the victim that funds would be taken from their bank account if they did not act immediately. Often, the goal of these scammers is to retrieve Amazon account details and personal data from their victims by asking them to go online and enter the relevant information.

A variation of this scam involves swindlers calling their targets and presenting them with a recorded message, allegedly from Amazon, notifying call recipients of an issue with their order — such as a lost package or an unfulfilled order. The victims would then be invited to either press the number “1” button on their phone or provided a number that they would need to call. As with the first scam, the goals are the same: gaining personal information.

Aside from phone call scams, malicious actors also use tried-and-tested email-based phishing tactics. One method uses fake order invoices with corresponding phony order numbers and even a bogus hotline number, which, once called, will prompt the recipient to enter their personal details.

Another technique involves the scammer notifying an Amazon Prime user of problems with their account: For example, a Twitter post from user VZ NRW – Phishing shows fake Amazon Prime message warning the recipient that their Prime benefits have allegedly been suspended due to a problem with the payment. The message also contains a fake phishing link that the user would have to click to resolve the issue.  

Figure 1. An example of an email scam, coming from “Amazon Prime” complete with a fake order ID and hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”

hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”

Malicious actors will also make use of fake websites and online forms — many of which are painstakingly crafted to match the official sites as much as possible. One phishing website asks users to confirm payment details by filling out certain information. However, despite looking authentic, the page contains plenty of red flags — for example, none of the outbound links actually work, and the forms used in the page requests more data than usual, including personal information that companies typically never ask users to provide.

A precursory search in VirusTotal using the strings “Amazon” and “Prime” reveal over a hundred PDF files, many of which contain movie names (membership in Amazon Prime also makes users eligible for Prime Video). These PDF files are hosted on various cloud services, with the link to these files typically distributed via malicious emails.

Figure 2. VirusTotal results using “Amazon” and “Prime” search strings

Upon opening some of these files, a Captcha button appears, which will activate a malicious redirection chain when clicked.

Figure 3. Captcha button that appears when clicking some of the VirusTotal samples.

While it’s easy to assume that most of these scammers are single individuals or small groups looking for a quick buck, there are certain threat actor groups that use sophisticated social engineering techniques for their campaigns, which includes Amazon users as a primary target.

The Heatstroke phishing campaign

We first encountered the phishing campaign known as Heatstroke back in 2019, noting that the group behind the campaign utilized complex techniques for both researching about and luring in their victims, which were primarily Amazon and Paypal users.

For example, compared to the webpage from the previous section, Heatstroke makes use of a phishing website with multiple working screens and subpages to try and mimic a legitimate website as much as possible. In addition, Heatstroke implements various obfuscation techniques such as forwarding the phishing kit content from another location or changing the landing page to bypass content filters.

Figure 4. Heatstroke’s infection chain, which they have been using since 2019

The threat actor has implemented some improvements over the past two years — such as expanded IP ranges and improvements to user agents and the kit’s “self-defense” mechanisms (coverage of scams, anti-bot, and IP protection services), as well as the addition of an API and kill date, after which the kit won’t work anymore. 

Heatstroke remains active with a well-maintained infrastructure in 2021. The threat actor largely uses the same techniques from the past. However, it might be a case of not fixing what isn’t broken, given how effective the previous campaigns proved to be.

Defending against scams

As exciting as Amazon Prime Day (and other similar shopping extravaganzas like Black Friday and Cyber Monday) is, the public should remain vigilant against potential scams, as cybercriminals are looking to capitalize on these types of events.

The following best practices and recommendations can help individuals avoid these kinds of scams:

  • Most reputable organizations will never ask for sensitive financial information over the phone. If a caller allegedly coming from Amazon or another company asks for strangely specific information such as credit card or bank account numbers, this is an automatic red flag.
  • Be wary of out-of-context emails. If you receive an email referencing an item you did not purchase, then it is highly likely that the email is a phishing attempt. Refrain from downloading attachments or clicking links in suspicious emails, as these can lead to malware infections.
  • Scan emails for typographical or grammatical mistakes. Legitimate emails will always be thoroughly checked and edited before being sent, therefore even small errors are possible signs of a malicious email.
  • Always double check the URL of a website to see if it matches up with the real one. For example, Amazon websites and subpages will always have a dot before “” (for example, “” versus “”), therefore, even if a website copies the design of the legitimate one, a sketchy URL will often give it away as being malicious. In the same vein, email addresses should be scrutinized to see if they look suspicious or have any unusual elements.
  • Organizations are also encouraged to regularly check the awareness of employees on the latest cyberthreats via Trend Micro Phish Insight, a cloud-based security awareness service that is designed to empower employees to protect themselves and their organization from social engineering-based attacks.

Source :–big-scams.html

What We Know About the DarkSide Ransomware and the US Pipeline Attack

Updated May 17, 2021, 3:25 a.m. Eastern Time: This article has been updated to add references to the DarkSide victim data.

On May 7, a ransomware attack forced Colonial Pipeline, a company responsible for nearly half the fuel supply for the US East Coast, to proactively shut down operations. Stores of gasoline, diesel, home heating oil, jet fuel, and military supplies had been so heavily affected that the Federal Motor Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states to help with the shortages.

It has been five days since the shutdown prompted by the attack, but Colonial Pipeline is still unable to resume full operations. Outages have already started affecting motorists. In metro Atlanta, 30% of gas stations are without gasoline, and other cities are reporting similar numbers. To keep supplies intact for essential services, the US government has issued advisories against hoarding

The FBI has confirmed that DarkSide, a cybercriminal group believed to have originated in Eastern Europe, is behind the attack. The ransomware used by the group is a relatively new family that was first spotted in August 2020, but the group draws on experience from previous financially successful cybercrime enterprises.

Apart from locking Colonial Pipeline’s computer systems, DarkSide also stole over 100 GB of corporate data. This data theft is all the more relevant in light of the fact that the group has a history of doubly extorting its victims — not only asking for money to unlock the affected computers and demanding payment for the captured data, but also threatening to leak the stolen data if the victims do not pay. As we will cover later, DarkSide shows a level of innovation that sets it apart from its competition, being one of the first to offer what we call “quadruple extortion services.”

The group announced on May 12 that it had three more victims: a construction company based in Scotland, a renewable energy product reseller in Brazil, and a technology services reseller in the US. The DarkSide actors claimed to have stolen a total of 1.9 GB of data from these companies, including sensitive information such as client data, financial data, employee passports, and contracts.   

Since Darkside is a ransomware-as-a-service (RaaS), it is possible that three different affiliate groups are behind these three attacks. Even the DarkSide actors themselves admit that they just buy access to company networks — they have no idea how access was acquired.

Trend Micro Research found dozens of DarkSide ransomware samples in the wild and investigated how the ransomware group operates and what organizations it typically targets. 

The DarkSide ransomware

DarkSide offers its RaaS to affiliates for a percentage of the profits. The group presents a prime example of modern ransomware, operating with a more advanced business model. Modern ransomware identifies high-value targets and involves more precise monetization of compromised assets (with double extortion as an example). Modern ransomware attacks are also typically done by several groups who collaborate and split profits. These attacks may look more like advanced persistent threat (APT) attacks than traditional ransomware events.  

Here is a short timeline of DarkSide activity compiled from publicly available reports:

  •  August 2020: DarkSide introduces its ransomware.
  • October 2020: DarkSide donates US$20,000 stolen from victims to charity.
  • November 2020: DarkSide establishes its RaaS model. The group invites other criminals to use its service. A DarkSide data leak site is later discovered.
  • November 2020: DarkSide launches its content delivery network (CDN) for storing and delivering compromised data.
  • December 2020: A DarkSide actor invites media outlets and data recovery organizations to follow the group’s press center on the public leak site.
  • March 2021: DarkSide releases version 2.0 of its ransomware with several updates.
  • May 2021: DarkSide launches the Colonial Pipeline attack. After the attack, Darkside announces it is apolitical and will start vetting its targets (possibly to avoid raising attention to future attacks).

Initial access

In our analysis of DarkSide samples, we saw that phishing, remote desktop protocol (RDP) abuse, and exploiting known vulnerabilities are the tactics used by the group to gain initial access. The group also uses common, legitimate tools throughout the attack process to remain undetected and obfuscate its attack. 

Throughout the reconnaissance and gaining-entry phases, we saw these legitimate tools used for specific purposes:

  • PowerShell: for reconnaissance and persistence
  • Metasploit Framework: for reconnaissance
  • Mimikatz: for reconnaissance
  • BloodHound: for reconnaissance
  • Cobalt Strike: for installation

For modern ransomware like DarkSide, gaining initial access no longer immediately leads to ransomware being dropped. There are now several steps in between that are manually executed by an attacker.

Lateral movement and privilege escalation

Lateral movement is a key discovery phase in the modern ransomware process. In general, the goal is to identify all critical data within the victim organization, including the target files and locations for the upcoming exfiltration and encryption steps.

In the case of DarkSide, we confirmed reports that the goal of lateral movement is to gain Domain Controller (DC) or Active Directory access, which will be used to steal credentials, escalate privileges, and acquire other valuable assets for data exfiltration. The group then continues its lateral movement through the system, eventually using the DC network share to deploy the ransomware to connected machines. Some of the known lateral movement methods deployed by DarkSide use PSExec and RDP. But as we previously noted, a modern ransomware group behaves with methods more commonly associated with APT groups — it adapts its tooling and methods to the victim’s network defenses.


As is common practice with double extortion ransomware, critical files are exfiltrated prior to the ransomware being launched. This is the riskiest step so far in the ransomware execution process, as data exfiltration is more likely to be noticed by the victim organization’s security team. It is the last step before the ransomware is dropped, and the attack often speeds up at this point to complete the process before it is stopped.

For exfiltration, we saw the following tools being used:

  • 7-Zip: a utility used for archiving files in preparation for exfiltration
  • Rclone and Mega client: tools used for exfiltrating files to cloud storage
  • PuTTy: an alternative application used for network file transfer

DarkSide uses several Tor-based leak sites to host stolen data. The file-sharing services used by the group for data exfiltration include Mega and PrivatLab.

Execution and impact

The execution of the actual ransomware occurs next. The DarkSide ransomware shares many similarities with REvil in this step of the process, including the structure of ransom notes and the use of PowerShell to execute a command that deletes shadow copies from the network. It also uses the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.

In addition to PowerShell, which is used to install and operate the malware itself, the group reportedly uses Certutil and Bitsadmin to download the ransomware. It uses two encryption methods, depending on whether the target operating system is Windows or Linux: A ChaCha20 stream cipher with RSA-4096 is used on Linux, and Salsa20 with RSA-1024 is used on Windows.

The following figure shows a sample ransom note from DarkSide.

Figure 1. A Darkside ransom note

It is interesting to note that DarkSide’s ransom note is similar to that of Babuk, which might indicate that these two families share a link.

DarkSide ransomware targets

Based on the group’s Tor leak sites, DarkSide determines whether to pursue targeting a potential victim organization by primarily looking at that organization’s financial records. It also uses this information to determine the amount of ransom to demand, with a typical ransom demand amounting to anywhere between US$200,000 and US$2 million.

Reports say that, based on the leak sites, there are at least 90 victims affected by DarkSide. In total, more than 2 TB of stolen data is currently being hosted on DarkSide sites, and 100% of victims’ stolen files are leaked.

The actors behind Darkside have stated that they avoid targeting companies in certain industries, including healthcare, education, the public sector, and the nonprofit sector. Organizations in manufacturing, finance, and critical infrastructure have been identified in Trend Micro data as targets.

Based on Trend Micro data, the US is by far DarkSide’s most targeted country, at more than 500 detections, followed by France, Belgium, and Canada. As previously mentioned, DarkSide avoids victimizing companies in CIS countries. Part of the ransomware execution code checks for the geolocation of potential victims to avoid companies in these countries, although the group would likely be aware of the location of a target organization long before the ransomware is executed. That the group admittedly spares companies in CIS countries could be a clue to where DarkSide actors are residing. It is possible that they do this to avoid law enforcement action from these countries, since the governments of some of these countries do not persecute criminal acts such as DarkSide’s if they are done on foreign targets.

After the Colonial Pipeline attack, DarkSide released a statement on one of its leak sites clarifying that the group did not wish to create problems for society and that its goal was simply to make money. There is no way to verify this statement, but we know that the group is still quite active. As previously mentioned, DarkSide actors announced that they had stolen data from three more victims since the Colonial Pipeline attack.

MITRE ATT&CK tactics and techniques

The following are the MITRE ATT&CK tactics and techniques associated with DarkSide.


Ransomware is an old but persistently evolving threat. As demonstrated by the recent activities of DarkSide, modern ransomware has changed in many aspects: bigger targets, more advanced extortion techniques, and farther-reaching consequences beyond the victims themselves. 

Ransomware actors are no longer content with simply locking companies out of their computers and asking for ransom. Now they are digging deeper into their victims’ networks and looking for new ways to monetize their activities. For example, a compromised cloud server can go through a complete attack life cycle, from the initial compromise to data exfiltration to resale or use for further monetization. Compromised enterprise assets are a lucrative commodity on underground markets; cybercriminals are well aware of how to make money from attacking company servers

In the Colonial Pipeline attack, DarkSide used double extortion. But some ransomware actors have gone even further. Jon Clay, Director of Global Threat Communications at Trend Micro, outlines the phases of ransomware:

  • Phase 1: Just ransomware. Encrypt the files, drop the ransom note, and wait for the payment.
  • Phase 2: Double extortion. Phase 1 + data exfiltration and threatening data release. Maze was one of the first documented cases of this.
  • Phase 3: Triple extortion. Phase 1 + Phase 2 + threatening DDoS. SunCrypt, RagnarLocker, and Avaddon were among the first groups documented doing this.
  • Phase 4: Quadruple extortion. Phase 1 (+ possibly Phase 2 or Phase 3) + directly emailing the victim’s customer base or having contracted call centers contact customers.

In fact, as detailed in security reports, DarkSide offers both the DDoS and call center options. The group is making quadruple extortion available to its affiliates and showing a clear sign of innovation. In cybercrime, there are no copyright or patent laws for tools and techniques. Innovation is as much about quickly and completely copying others’ best practices as it is about coming up with new approaches. 

Ransomware will only continue to evolve. Organizations therefore need to take the time to put in place an incident response plan focused on the new model of ransomware attacks. Unfortunately, some organizations may be putting cybersecurity on the back burner. For example, some security experts noted that Colonial Pipeline was using a previously exploited vulnerable version of Microsoft Exchange, among other cybersecurity lapses. A successful attack on a company providing critical services will have rippling effects that will harm multiple sectors of society, which is why protecting these services should be a top priority.

In a US Senate hearing on cybersecurity threats, Senator Rob Portman of Ohio described the strike on Colonial Pipeline as “potentially the most substantial and damaging attack on US critical infrastructure ever.” This attack is a call to action for all organizations to harden their networks against attacks and improve their network visibility.

Trend Micro has a multilayered cybersecurity platform that can help improve your organization’s detection and response against the latest ransomware attacks and improve your organization’s visibility. Visit the Trend Micro Vision One™ website for more information. Detailed solutions can be found in our knowledge base article on DarkSide ransomware.

Source :

Tips to avoid the new wave of ransomware attacks

There have been a lot of changes in ransomware over time. We want to help you protect your organization from this growing attack trend.

The Colonial Pipeline ransomware attack is just part of a new onslaught of ransomware attacks that malicious actors are ramping up against high value victims. Why are we seeing this?

These malicious actors are after extortion money, and as such they are looking to target organizations that are more likely to pay if they can disrupt their business operations. In the past we saw this with targeting of government and education victims. The more pain that these actors can cause an organization, the more likely they will receive an extortion payment.

Ransomware attacks have gone through many iterations and we’re now seeing phase 4 of these types of attacks. To give you context, here are the four phases of ransomware:

  • 1st phase: Just ransomware, encrypt the files and then drop the ransom note … wait for the payment in bitcoin.
  • 2nd phase: Double extortion. Phase 1 + data exfil and threaten for data release. Maze was the first document to do this and the other threat actor groups followed suit
  • 3rd phase: Triple extortion. Phase 1 + Phase 2 and threaten for DDoS. Avaddon was the first documented to do this
  • 4th phase: Quadruple extortion. Phase 1 + (possibly Phase 2 or Phase 3) + directly emailing affected victim’s customer base. Cl0p was first documented doing this, as written by Brian Krebs

The majority of the time now we’re seeing a double extortion model, but the main shift we’re now seeing is the targeting of critical business systems. In this latest case, it does not appear that OT systems were affected but the IT systems associated with the network were likely targeted.

That may change though as many organizations have an OT network that is critical to their operations and could become a target. In this blog post we highlighted how manufacturers are being targeted with modern ransomware and the associated impact.

Taking down the systems that run an organization’s day-to-day business operations can cause financial and reputation damage.

But there could also be unintended consequences of going after victims that are too high profile, and this latest might be one example of this. Bringing down a major piece of critical infrastructure for a nation, even if the motive is only financial gain, might incur major actions against the actors behind this attack. So in the future, malicious actors may need to assess the potential ramifications of their target victim and decide if it makes good business sense to commence with an attack.

We will continue to see ransomware used in the future, and as such organizations need to take the time to put in place an incident response plan focused on the new model of ransomware attacks. Some things to think about as you go about this:

  1. Understand that you will be a target. Every business can likely be on the radar of malicious actors, but those in critical infrastructure need to assess the likelihood of becoming a victim now.
  2. Dedicated attackers will find a way into your network. Access as a Service (usually where another group performs the initial access and sells it to another group) is used regularly now, and whether via a phished employee, a vulnerable system open to the internet, or using a supply chain attack, the criminals will likely find a way in.
  3. The malicious use of legitimate tools are a preferred tactic used across the entire attack lifecycle. Check out our recent blog on this topic.
  4. Your key administrator and application account credentials will be targeted.
  5. Ransomware actors will look to exfiltrate data to be used in the double extortion model.
  6. The ransomware component will be the last option in their malicious activities as it is the most visible part of the attack lifecycle and as such you will then know you’ve been compromised.

For those organizations who have OT networks some key things to think about:

  • Understand your risk if your OT network is taken offline
  • Build a security model that protects the devices within the OT network, especially those that cannot support a security agent
  • Network segmentation is critical
  • If your OT network needs to be taken offline due to the IT network being compromised, you need to identify how to overcome this limitation

This latest attack is another call to action for all organizations to harden their networks against attacks and improve their visibility that malicious actors are in your network. Trend Micro has a multi-layered cybersecurity platform that can help improve your detection and response against the latest ransomware attacks and improve your visibility. Check out our Trend Micro Vision One platform or give us a call to discuss how we can help.

Source :

“Zerologon” Understanding the Issues and Applying Solutions

A new CVE was released recently that has made quite a few headlines – CVE-2020-1472. Zerologon, as it’s called, may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.

To put that more simply, this vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access.

According to Dustin Childs with Trend Micro’s Zero Day Initiative (ZDI), “What’s worse is that there is not a full fix available. This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings.”

But if there’s a patch, why is this a big deal?
You might be thinking, “Well if there’s a patch, this really isn’t an issue.” But the idea of “just patch it” is not as easy as it sounds – check out this post (also from Dustin with the ZDI) for more insights on barriers to patching.

The average Mean Time to Patch (MTTP) is 60 to 150 days. This CVE was published in early August, so that would put the average time for implementing this patch between October 2020 and January 2021.

You have maybe heard the security industry joke that after Patch Tuesday comes Exploit Wednesday. That’s the comedic way to suggest that after a batch of patches for new CVEs are released the first Tuesday of every month from Microsoft and Adobe, attackers get to work reversing the patches to write exploits to take advantage of the bugs before patches have been applied.

Given the MTTP, that’s 2-5 months that your organization is left exposed to a known threat.

So what can I do to protect my organization?
Fortunately, there are advanced protections available for organizations to stay protected, including virtual patching. This provides an extra layer of security to help protect against vulnerabilities before you apply the official vendor patch. As the name suggests, it’s very similar to a patch because it is specifically designed to protect your environment with intrusion protection system (IPS) capabilities in case someone attempted to exploit that vulnerability. In general, virtual patches can be a critical safety net to allow you to patch in the way that works for your organization.

With Trend Micro, our virtual patching technology helps you mitigate attacks focused on thousands of vulnerabilities, giving you the flexibility to patch regularly without breaking your operational processes for every emergency patch. Other features, such as log inspection, also help you get valuable insight into post-patch exploitation attempts on your network even after you have fully patched. To learn more about Trend Micro protection for CVE-2020-1472, read our knowledge base article here.

On September 11, 2020, detailed technical information was made public regarding a critical Microsoft Windows vulnerability (CVSS 10) that was included in Microsoft’s August 2020 Patch Tuesday set of updates and appears to affect all currently supported Windows Server (2008 R2 and above).

When originally disclosed in August, the vulnerability was given the official designation of CVE-2020-1472, but not much detail on the vulnerability itself was made public.

However, we know that this vulnerability, now dubbed “Zerologon,” may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller. From there, a variety of other attacks, including but not limited to disabling security features, changing passwords, and essentially taking over the domain are possible.

The entire attack as demonstrated, is very fast, and can be executed in approximately 3 seconds, so it could be very dangerous. In addition, Trend Micro is now aware of weaponized proof-of-concept code that has been made publicly available, meaning that real exploits could be close behind.
Mitigation and Protection

First and foremost, the first line of protection against this vulnerability is to ensure that all affected systems are patched with Microsoft’s latest security update. This continues to be the primary recommendation for protection against any exploit that that may arise from this vulnerability.

According to the research, there is one serious limitation to exploits of this vulnerability – specifically it cannot be exploited remotely. An attacker will first need to gain access to the network domain via other means (legitimately or not). So one major mitigation point would be to ensure that network access (both physical and remote) are carefully guarded. However, if an attacker has obtained access to a network via another vulnerability or legitimately, this could become a powerful exploit.

Trend Micro Protection

To assist customers, Trend Micro has created and released some additional layers of protection in the form of Deep Security and Cloud One – Workload Security IPS rules and TippingPoint filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take time or is not feasible.

IPS Rules

Deep Security and Cloud One – Workload Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)
Rule 1010519 – Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
Rule 1010521 – Netlogon Elevation of Privilege Vulnerability Over SMB (CVE-2020-1472)
Rule 1010539 – Identified NTLM Brute Force Attempt (ZeroLogon) (CVE-2020-1472)
Please note that the rules are already set to Prevent.

Worry-Free Business Security Services
Microsoft Windows Netlogon Elevation Of Privilege Vulnerability Over SMB (CVE-2020-1472)
Microsoft Windows Netlogon Elevation Of Privilege Vulnerability (CVE-2020-1472)
Filter 38166: MS-NRPC: Microsoft Windows Netlogon Zerologon Authentication Bypass Attempt
Filter 38235: MS-NRPC: Microsoft Windows NetrServerAuthenticate Request
Please note that the posture on this filter has been changed to Enable by Default.

Trend Micro TxONE
1137620: RPC Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

Other Inspection / Detection Rules

Deep Security Log Inspection
1010541 – Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)
This Log Inspection (LI) rule for Deep Security gives administrators visibility into potential exploit activity. Due to the complexity of this vulnerability, the Log Inspection rule will only log activities against systems that have already applied the Microsoft patch. Administrators who have patched critical servers with Deep Security may find this information useful internally to help accelerate patching of endpoints and non-critical systems if there is evidence of activity in their environment.

Deep Discovery Inspector

Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.

Trend Micro Blog: Zerologon” and the Value of Virtual Patching –
Trend Micro Video (Youtube) – Cloud One – Workload Security about Zerologon
Microsoft Advisory –

Source :

Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis

We’ve all been spending more of our time online since the crisis hit. Whether it’s ordering food for delivery, livestreaming concerts, holding virtual parties, or engaging in a little retail therapy, the digital interactions of many Americans are on the rise. This means we’re also sharing more of our personal and financial information online, with each other and the organizations we interact with. Unfortunately, as ever, there are bad guys around every digital corner looking for a piece of the action.

The bottom line is that personally identifiable information (PII) is the currency of internet crime. And cyber-criminals will do whatever they can to get their hands on it. When they commit identity theft with this data, it can be a messy business, potentially taking months for banks and businesses to investigate before you get your money and credit rating back. At a time of extreme financial hardship, this is the last thing anyone needs.

It therefore pays to be careful about how you use your data and how you protect it. Even more: it’s time to get proactive and monitor it—to try and spot early on if it has been stolen. Here’s what you need to know to protect your identity data.

How identity theft works

First, some data on the scope of the problem. In the second quarter of 2020 alone 349,641 identity theft reports were filed with the FTC. To put that in perspective, it’s over half of the number for the whole of 2019 (650,572), when consumers reported losing more than $1.9 billion to fraud. What’s driving this huge industry? A cybercrime economy estimated to be worth as much as $1.5 trillion annually.

Specialized online marketplaces and private forums provide a user-friendly way for cyber-criminals and fraudsters to easily buy and sell stolen identity data. Many are on the so-called dark web, which is hidden from search engines and requires a specialized anonymizing browser like Tor to access. However, plenty of this criminal activity also happens in plain sight, on social media sites and messaging platforms. This underground industry is an unstoppable force: as avenues are closed down by law enforcement or criminal in-fighting, other ones appear.

At-risk personal data could be anything from email and account log-ins to medical info, SSNs, card and bank details, insurance details and much more. It all has a value on the cybercrime underground and the price fraudsters are prepared to pay will depend on supply and demand, just like in the ‘real’ world.

There are various ways for attackers to get your data. The main ones are:

Phishing: usually aimed at stealing your log-ins or tricking you into downloading keylogging or other info-stealing malware. Phishing mainly happens via email but could also occur via web, text, or phone. Around $667m was lost in imposter scams last year, according to the FTC.Malicious mobile apps disguised as legitimate software.Eavesdropping on social media: If you overshare even innocuous personal data (pet names, birth dates, etc.,) it could be used by fraudsters to access your accounts.Public Wi-Fi eavesdropping: If you’re using it, the bad guys may be too.Dumpster diving and shoulder surfing: Sometimes the old ways are still popular.Stealing devices or finding lost/misplaced devices in public places.Attacking the organizations you interact with: Unfortunately this is out of your control somewhat, but it’s no less serious. There were 1,473 reported corporate breaches in 2019, up 17% year-on-year.Harvesting card details covertly from the sites you shop with. Incidents involving this kind of “web skimming” increased 26% in March as more users flocked to e-commerce sites during lockdown.

The COVID-19 challenge

As if this weren’t enough, consumers are especially exposed to risk during the current pandemic. Hackers are using the COVID-19 threat as a lure to infect your PC or steal identity data via the phishing tactics described above. They often impersonate trustworthy institutions/officials and emails may claim to include new information on outbreaks, or vaccines. Clicking through or divulging your personal info will land you in trouble. Other fraud attempts will try to sell counterfeit or non-existent medical or other products to help combat infection, harvesting your card details in the process. In March, Interpol seized 34,000 counterfeit COVID goods like surgical masks and $14m worth of potentially dangerous pharmaceuticals.

Phone-based attacks are also on the rise, especially those impersonating government officials. The aim here is to steal your identity data and apply for government emergency stimulus funds in your name. Of the 349,641 identity theft reports filed with the FTC in Q2 2020, 77,684 were specific to government documents or benefits fraud.

What do cybercriminals do with my identity data?

Once your PII is stolen, it’s typically sold on the dark web to those who use it for malicious purposes. It could be used to:

Crack open other accounts that share the same log-ins (via credential stuffing). There were 30 billion such attempts in 2018.Log-in to your online bank accounts to drain it of funds.Open bank accounts/credit lines in your name (this can affect your credit rating).Order phones in your name or port your SIM to a new device (this impacts 7,000 Verizon customers per month).Purchase expensive items in your name, such as a new watch or television, for criminal resale. This is often done by hijacking your online accounts with e-tailers. E-commerce fraud is said to be worth around $12 billion per year.File fraudulent tax returns to collect refunds on your behalf.Claim medical care using your insurance details.Potentially crack work accounts to attack your employer.

How do I protect my identity online?

The good news among all this bad is that if you remain skeptical about what you see online, are cautious about what you share, and follow some other simple rules, you’ll stand a greater chance of keeping your PII under lock and key. Best practices include:

Using strong, long and unique passwords for all accounts, managed with a password manager.Enable two-factor authentication (2FA) if possible on all accounts.Don’t overshare on social media.Freeze credit immediately if you suspect data has been misused.Remember that if something looks too good to be true online it usually is.Don’t use public Wi-Fi when out-and-about, especially not for sensitive log-ins, without a VPN.Change your password immediately if a provider tells you your data may have been breached.Only visit/enter payment details into HTTPS sites.Don’t click on links or open attachments in unsolicited emails.Only download apps from official app stores.Invest in AV from a reputable vendor for all your desktop and mobile devices.Ensure all operating systems and applications are on the latest version (i.e., patch frequently).Keep an eye on your bank account/credit card for any unusual spending activity.Consider investing in a service to monitor the dark web for your personal data.

How Trend Micro can help

Trend Micro offers solutions that can help to protect your digital identity.

Trend Micro ID Security is the best way to get proactive about data protection. It works 24/7 to monitor dark web sites for your PII and will sound the alarm immediately if it finds any sign your accounts or personal data have been stolen. It features

Dark Web Personal Data Manager to scour underground sites and alert if it finds personal info like bank account numbers, driver’s license numbers, SSNs and passport information.Credit Card Checker will do the same as the above but for your credit card information.Email Checker will alert you if any email accounts have been compromised and end up for sale on the dark web, allowing you to immediately change the password.Password Checker will tell you if any passwords you’re using have appeared for sale on the dark web, enabling you to improve password security.

Trend Micro Password Manager enables you to manage all your website and app log-ins from one secure location. Because Password Manager remembers and recalls your credentials on-demand, you can create long, strong and unique passwords for each account. As you’re not sharing easy-to-remember passwords across multiple accounts, you’ll be protected from popular credential stuffing and similar attacks.

Finally, Trend Micro WiFi Protection will protect you if you’re out and about connecting to WiFi hotspots. It automatically detects when a WiFi connection isn’t secure and enables a VPN—making your connection safer and helping keep your identity data private.

In short, it’s time to take an active part in protecting your personal identity data—as if your digital life depended on it. In large part, it does.

Source :

Twitter Hacked in Bitcoin Scam

It started with one weird tweet. Then another. Quickly, some of the most prominent accounts on Twitter were all sending out the same message;

I am giving back to the community.

All Bitcoin sent to the address below will be sent back double! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.


Are Apple, Elon Musk, Barrack Obama, Uber, Joe Biden, and a host of others participating in a very transparent bitcoin scheme?

No. Of course, not. The question was whether or not individual accounts were compromised or if something deeper was going on.

User Account Protection

These high profile accounts are prime targets for cybercriminals. They have a broad reach, and even a brief compromise of one of these accounts would significantly increase a hacker’s reputation in the underground.

That is why these accounts leverage the protections made available by Twitter in order to keep their accounts safe.

This means;

Using a strong password (one as long as possible, preferably using a password manager)Enabling password reset protectionEnabling two-factor authentication (where you will require your username, password, and temporary one-time token to login)Regularly reviewing the 3rd party applications that have access to their accounts

While it’s believed that one or two of these accounts failed to take these measures, it’s highly unlikely that dozens and dozens of them did. So what happened?

Rumours Swirl

As with any public attack, the Twitter-verse (ironically) was abuzz with speculation. That speculation ramped up when Twitter took the reasonable step of preventing any verified account from tweeting for about three hours.

This step helped prevent any additional scam tweets from being published and further raised the profile of this attack.

While some might shy away from raising the profile of an attack, this was a reasonable trade-off to prevent further damage to affected accounts and to help prevent the attack from taking more ground.

This move also provided a hint as to what was going on. If individual accounts were being attacked, it’s unlikely that this type of movement would’ve done much to prevent the attacker from gaining access. However, if the attacker was accessing a backend system, this mitigation would be effective.

Had Twitter itself been hacked?

Occam’s Razor

When imagining attack scenarios, a direct breach of the main service is a scenario that is often examined in-depth, which is also why it is one of the most planned for scenarios.

Twitter — like any company — has challenges with its systems, but they center primarily around content moderation…their backend security is top-notch.

An example of this an incident in 2018. Twitter engineers made a mistake that meant anyone’s password could have been exposed in their internal logs. Just in case, Twitter urged everyone to reset their password.

While possible, it’s unlikely that Twitter’s backend systems were directly breached. There is a much simpler potential explanation: insider access.

Internal Screenshot

Quickly after the attack, some in the security community noticed a screenshot of an internal support tool from Twitter surfacing in underground discussion forums. This rare inside view showed what appeared to be what a Twitter support team member would see.

This type of access is dangerous. Very dangerous.

Joseph Cox’s article detailing the hack has a key quote,

“We used a rep that literally done all the work for us.”

Anonymous Source

What remains unclear is whether this is a case of social engineering (tricking a privileged insider into taking action) or a malicious insider (someone internally motivated to attack the system).

The difference is important for other defenders out there.

The investigation is ongoing, and Twitter continues to provide updates via @TwitterSupport;

Social Engineering

Donnie Sullivan from CNN has a fantastic interview with the legendary Rachel Tobac showing how simple social engineering can be and the dangerous impact it can have;

If this attack was conducted through social engineering, the security team at Twitter would need to implement additional processes and controls to ensure that it doesn’t happen again.

Such a situation is what your team also needs to look at. While password resets, account closures, data transfers, and other critical processes are at particular risk of social engineering, financial transactions are atop the cybercriminal’s target list.

BEC—business email compromise—attacks accounted for USD 1.7 billion in losses in 2019 alone.

Adding additional side-channel confirmations, additional steps for verifications, firm and clear approvals and other process steps can help organizations mitigate these types of social engineering attacks.

Malicious Insider

If the attack turns out to be from a malicious insider. Defenders need to take a different approach.

Malicious insiders are both a security problem and human resource one.

From the security perspective, two key principles help mitigate the potential of these attacks;

Principle of least privilegeSeparation of duties

Making sure that individuals only have the technical access needed to complete their assigned tasks, and only that access is key to limiting this potential attack. Combined with the smart separation of duties (one person to request a change, another to approval it), this significantly reduces the possibility of these attacks causing harm.

The other—and not often spoken of—side of these attacks is the reason behind the malicious intent. Some people are just malicious, and when presented with an opportunity, they will take it.

Other times, it’s an employee that feels neglected, passed over, or is disgruntled in some other way. A strong internal community, regular communication, and a strong HR program can help address these issues before they escalate to the point where aiding a cybercriminal becomes an enticing choice.

Support Risks

Underlying this whole situation is a more challenging issue; the level of access that support has to any given system.

It’s easy to think of a Twitter account as “yours.” It’s not. It’s part of a system run by a company that needs to monitor the health of the system, respond to support issues, and aid law enforcement when legally required.

All of these requirements necessitate a level of access that most don’t think about.

How often are you sharing sensitive information via direct message? Those messages are most likely accessible by support.

What’s to prevent them from accessing any given account or message at any time? We don’t know.

Hopefully, Twitter—and others—have clear guardrails (technical and policy-based) in place to prevent abuse of support access, and they regularly audit them.

It’s a hard balance to strike. User trust is at stake but also the viability of running a service.

Clear, transparent policies and controls are the keys to success here.

Abuse can be internal or external. Support teams typically have privileged access but are also among the lowest paid in the organization. Support—outside of the SRE community—is usually seen as entry-level.

These teams have highly sensitive access, and when things go south, can do a lot of harm. Again, the principles of least privilege, separation of duties, and a strong set of policies can help.

What’s Next?

In the coming days, more details of the attack will surface. In the meantime, the community is still struggling to reconcile the level of access gained and how it was used.

Getting access to some of the world’s most prominent accounts and then conducting a bitcoin scam? Based on the bitcoin transactions, it appears the cybercriminals made off with a little over USD 100,000. Not insignificant, but surely there were other opportunities?

Occam’s razor can help here again. Bitcoin scams and coin miners are the most direct method fo cybercriminals to capitalized on their efforts. Given the high profile nature of the attack, the time before the discovery was always going to be sure. This may have been the “safest” bet for the criminal(s) to profit from this hack.

In the end, it’s a lesson for users of social networks and other services; even if you take all of the reasonable security precautions, you are relying on the service itself to help protect you. That might not always hold true.

It’s a harsh reminder that the very tooling you put in place to run your service may be its biggest risk for service providers and defenders…a risk that’s often overlooked and underestimated.

In the end, Marques Brownlee sums it up succinctly;

Source :

5 reasons to move your endpoint security to the cloud now

As the world adapts work from home initiatives, we’ve seen many organizations accelerate their plans to move from on-premises endpoint security and Detection and Response (EDR/XDR) solutions to Software as a Service versions. And several customers who switched to the SaaS version last year, recently wrote us to tell how glad to have done so as they transitioned to working remote. Here are 5 reasons to consider moving to a cloud managed solution:

  1. No internal infrastructure management = less risk

If you haven’t found the time to update your endpoint security software and are one or two versions behind, you are putting your organization at risk of attack. Older versions do not have the same level of protection against ransomware and file-less attacks. Just as the threats are always evolving, the same is true for the technology built to protect against them.

With Apex One as a Service, you always have the latest version. There are no software patches to apply or Apex One servers to manage – we take care of it for you. If you are working remote, this is one less task to worry about and less servers in your environment which might need your attention.

  1. High availability, reliability

With redundant processes and continuous service monitoring, Apex One as a Services delivers the uptime you need with 99.9% availability. The operations team also proactively monitors for potential issues on your endpoints and with your prior approval, can fix minor issues with an endpoint agent before they need your attention.

  1. Faster Detection and Response (EDR/XDR)

By transferring endpoint telemetry to a cloud data lake, detection and response activities like investigations and sweeping can be processed much faster. For example, creating a root cause analysis diagram in cloud takes a fraction of the time since the data is readily available and can be quickly processed with the compute power of the cloud.

  1. Increased MITRE mapping

The unmatched power of cloud computing also enables analytics across a high volume of events and telemetry to identify a suspicious series of activities. This allows for innovative detection methods but also additional mapping of techniques and tactics to the MITRE framework.  Building the equivalent compute power in an on- premises architecture would be cost prohibitive.

  1. XDR – Combined Endpoint + Email Detection and Response

According to Verizon, 94% of malware incidents start with email.  When an endpoint incident occurs, chances are it came from an email message and you want to know what other users have messages with the same email or email attachment in their inbox? You can ask your email admin to run these searches for you which takes time and coordination. As Forrester recognized in the recently published report: The Forrester Wave™ Enterprise Detection and Response, Q1 2020:

“Trend Micro delivers XDR functionality that can be impactful today. Phishing may be the single most effective way for an adversary to deliver targeted payloads deep into an infrastructure. Trend Micro recognized this and made its first entrance into XDR by integrating Microsoft office 365 and Google G suite management capabilities into its EDR workflows.”

This XDR capability is available today by combining alerts, logs and activity data of Apex One as a Service and Trend Micro Cloud App Security. Endpoint data is linked with Office 365 or G Suite email information from Cloud App Security to quickly assess the email impact without having to use another tool or coordinate with other groups.

Moving endpoint protection and detection and response to the cloud, has enormous savings in customer time while increasing their protection and capabilities. If you are licensed with our Smart Protection Suites, you already have access to Apex One as a Service and our support team is ready to help you with your migration. If you are an older suite, talk to your Trend Micro sales rep about moving to a license which includes SaaS.

Source :

This Week in Security News: 5 Reasons to Move Your Endpoint Security to the Cloud Now and ICEBUCKET Group Mimics Smart TVs to Steal Ad Money

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about 5 reasons your organization should consider moving to a cloud managed solution. Also, read about a massive online fraud operation that has been mimicking smart TVs to fool online advertisers and gain unearned profits from online ads.


Read on:

Letter from the CEO: A Time of Kindness and Compassion

As a global company with headquarters in Japan, Trend Micro has been exposed to COVID-19 from the very early days when it first erupted in Asia. During these difficult times, Trend Micro has also witnessed the amazing power of positivity and kindness around the world. In this blog, read more about the importance of compassion during these unprecedented times from Trend Micro’s CEO, Eva Chen.

What Do Serverless Compute Platforms Mean for Security?

Developers deploying containers to restricted platforms or “serverless” containers to the likes of AWS Fargate, for example, should think about security differently – by looking upward, looking left and also looking all-around your cloud domain for opportunities to properly security your cloud native applications. 

April Patch Tuesday: Microsoft Battles 4 Bugs Under Active Exploit

Microsoft released its April 2020 Patch Tuesday security updates, its first big patch update released since the work-from-home era began, with a whopping 113 vulnerabilities. Microsoft has seen a 44% increase in the number of CVEs patched between January to April 2020 compared to the same time period in 2019, according to Trend Micro’s Zero Day Initiative – a likely result of an increasing number of researchers looking for bugs and an expanding portfolio of supported products.

5 Reasons to Move Your Endpoint Security to the Cloud Now

As the world adopts work from home initiatives, we’ve seen many organizations accelerate their plans to move from on-premises endpoint security and detection and response (EDR/XDR) solutions to SaaS versions. In this blog, learn about 5 reasons you should consider moving to a cloud managed solution.

Why Running a Privileged Container is Not a Good Idea

Containers are not, by any means, new. They have been consistently and increasingly adopted in the past few years, with security being a popular related topic. It is well-established that giving administrative powers to server users is not a good security practice. In the world of containers, we have the same paradigm. In this article, Trend Micro’s Fernando Cardoso explains why running a privileged container is a bad idea.

Why CISOs Are Demanding Detection and Response Everywhere

Over the past three decades, Trend Micro has observed the industry trends that have the biggest impact on its customers. One of the big things we’ve noticed is that threats move largely in tandem with changes to IT infrastructure. As digital transformation continues to remain a priority, it also comes with an expanded corporate attack surface, driving security leaders to demand enhanced visibility, detection and response across the entire enterprise — not just the endpoint.

Shift Well-Architecture Left. By Extension, Security Will Follow

Using Infrastructure as Code (IaC) is the norm in the cloud. From CloudFormation, CDK, Terraform, Serverless Framework and ARM, the options are nearly endless. IaC allows architects and DevOps engineers to version the application infrastructure as much as the developers are already versioning the code. So, any bad change, no matter if on the application code or infrastructure, can be easily inspected or, even better, rolled back.

Work from Home Presents a Data Security Challenge for Banks

The mass relocation of financial services employees from the office to their couch, dining table or spare room to stop the spread of the deadly novel coronavirus is a significant data security concern, according to several industry experts. In this article, learn how managers can support security efforts from Trend Micro’s Bill Malik.

Principles of a Cloud Migration – Security, The W5H

For as long as cloud providers have been in business, discussing the Shared Responsibility Model has been priority when it comes to customer operation teams. It defines the different aspects of control, and with that control, comes the need to secure, manage, and maintain. In this blog, Trend Micro highlights some of the requirements and discusses the organization’s layout for responsibility.

Coronavirus Update App Leads to Project Spy Android and iOS Spyware

Trend Micro discovered a potential cyberespionage campaign, dubbed Project Spy, that infects Android and iOS devices with spyware. Project Spy uses the COVID-19 pandemic as a lure, posing as an app called ‘Coronavirus Updates’. Trend Micro also found similarities in two older samples disguised as a Google service and, subsequently, as a music app. Trend Micro noted a small number of downloads of the app in Pakistan, India, Afghanistan, Bangladesh, Iran, Saudi Arabia, Austria, Romania, Grenada and Russia.

Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems

Trend Micro has observed suspicious activities caused by adware, with common behaviors that include access to random domains with alternating consonant and vowel names, scheduled tasks, and in-memory execution via WScript that has proven to be an effective method to hide its operations. In this blog, Trend Micro walks through its analysis of three adware events linked to and named as Dealply, IsErIk and ManageX. 

ICEBUCKET Group Mimicked Smart TVs to Steal Ad Money

Cybersecurity firm and bot detection platform White Ops has discovered a massive online fraud operation that for the past few months has been mimicking smart TVs to fool online advertisers and gain unearned profits from online ads. White Ops has named this operation ICEBUCKET and has described it as “the largest case of SSAI spoofing” known to date.

Fake Messaging App Installers Promoted on Fraudulent Download Sites, Target Russian Users

Fake installers of popular messaging apps are being propagated via fraudulent download sites, as disclosed in a series of tweets by a security researcher from CronUp. Trend Micro has also encountered samples of the files. The sites and the apps are in Russian and are aiming to bait Russian users.

“Twin Flower” Campaign Jacks Up Network Traffic, Downloads Files, Steals Data

A campaign dubbed “Twin Flower” has been detected by Jinshan security researchers in a report published in Chinese and analyzed by Trend Micro. The files are believed to be downloaded unknowingly when visiting malicious sites or dropped into the system by another malware. The potentially unwanted application (PUA) PUA.Win32.BoxMini.A files are either a component or the main executable itself of a music downloader that automatically downloads music files without user consent.

Undertaking Security Challenges in Hybrid Cloud Environments

Businesses are now turning to hybrid cloud environments to make the most of the cloud’s dependability and dynamicity. The hybrid cloud gives organizations the speed and scalability of the public cloud, as well as the control and reliability of the private cloud. A 2019 Nutanix survey shows that 85% of its respondents regard the hybrid cloud as the ideal IT operating model.

How to Secure Video Conferencing Apps

What do businesses have to be wary of when it comes to their video conferencing software? Vulnerabilities, for one. Threat actors are not shy about using everything they have in their toolbox and are always on the lookout for any flaw or vulnerability they can exploit to pull off malicious attacks. In this blog, learn about securing your video conferencing apps and best practices for strengthening the security of work-from-home setups.

Monitoring and Maintaining Trend Micro Home Network Security – Part 4: Best Practices

In the last blog of this four-part series, Trend Micro delves deeper into regular monitoring and maintenance of home network security, to ensure you’re getting the best protection that Trend Micro Home Network Security can provide your connected home.

Surprised by the ICEBUCKET operation that has described as “the largest case of SSAI spoofing” known to date? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Source :

Effective Business Continuity Plans Require CISOs to Rethink WAN Connectivity

As more businesses leverage remote, mobile, and temporary workforces, the elements of business continuity planning are evolving and requiring that IT professionals look deep into the nuts and bolts of connectivity.

CISOs and their team members are facing new challenges each and every day, many of which have been driven by digital transformation, as well as the adoption of other productivity-enhancing technologies.

A case in point is the rapidly evolving need to support remote and mobile users as businesses change how they interact with staffers.

For example, the recent COVID-19 crisis has forced the majority of businesses worldwide to support employees that work from home or other remote locations.

Many businesses are encountering numerous problems with connection reliability, as well as the challenges presented by rapidly scaling connectivity to meet a growing number of remote workers.

Add to that security and privacy issues, and it becomes evident that CISOs may very well face what may become insurmountable challenges to keep things working and secure.

It is the potential for disruption that is bringing Business Continuity Planning (BCP) to the forefront of many IT conversations. What's more, many IT professionals are quickly coming to the conclusion that persistent WAN and Internet connectivity prove to be the foundation of an effective business continuity plan.

VPNs are Failing to Deliver

Virtual Private Networks (VPNs) are often the first choice for creating secure connections into a corporate network from the outside world.

However, VPNs have initially been designed to allow a remote endpoint to attach to an internal local area network and grant that system access to data and applications stored on the network.

For occasional connectivity, with a focus on ease of use.

Yet, VPNs are quickly beginning to show their limitations when placed under the demand for supporting a rapidly deployed remote workforce.

One of the most significant issues around VPNs comes in the context of scalability; in other words, VPNs can be complicated to scale quickly.

For the most part, VPNs are licensed by connection and are supported by an appliance on the network side to encrypt and decrypt traffic. The more VPN users that are added, the more licenses and processing power that is needed, which ultimately adds unforeseen costs, as well as introducing additional latency into the network.

Eventually, VPNs can break under strain, and that creates an issue around business continuity. Simply put, if VPNs become overwhelmed by increased traffic, connectivity may fail, and the ability for employees to access the network may be impacted, the concept of business continuity suffers as a result.

VPNs are also used for site to site connections, where the bandwidth may be shared not only from a branch office to a headquarters office but also with remote users. A situation such as that can completely derail an organization's ability to do business if those VPNs fail.

Perhaps an even bigger concern with VPNs comes in the form of cybersecurity. VPNs that are used to give remote users access to a network are only as reliable as the credentials that are given to those remote users.

In some cases, users may share password and login information with others, or carelessly expose their systems to intrusion or theft. Ultimately, VPNs may pave the way for attacks on the corporate network by allowing bad actors to access systems.

ZTNA Moves Beyond VPNs

With VPN technology becoming suspect in the rapid expansion of remote workforces, CISOs and IT pros are looking for alternatives to ensure reliable and secure connections into the network from remote workers.

The desire to bridge security and reliability is driven by continuity, as well as operational issues. CISOs are looking to keep costs down, provide a level of security, without compromising performance, and still meet projected growth.

Many enterprises thought that the answer to the VPN dilemma could be found in SDP (Software Defined Perimeters) or ZTNA (Zero Trust Network Access), two acronyms that have become interchangeable in the arena of cybersecurity.

ZTNA has been built for the cloud as a solution that shifted security from the network to the applications. In other words, ZTNA is application-centric, meaning that users are granted access to applications and not the complete network.

Of course, ZTNA does much more than that. ZTNA can "hide" applications, while still granting access to authorized users. Unlike VPNs, ZTNA technology does not broadcast any information outside of the network for authentication, whereas VPN concentrators sit at the edge of the network for all to see, making them a target for malicious attackers.

What's more, ZTNA uses inside-out connections, which means IP addresses are never exposed to the internet. Instead of granting access to the network like a VPN, ZTNA technology uses a micro-segmentation approach, where a secure segment is created between the end-user and the named application.

ZTNA creates an access environment that provides private access to an application for an individual user, and only grants the lowest level of privileges to that user.

ZTNA technology decouples access to applications from access to the network, creating a new paradigm of connectivity. ZTNA based solutions also capture much more information than a VPN, which helps with analytics and security planning.

While a VPN may only track a device's IP address, port data, and protocols, ZTNA solutions capture data around the user identity, named application, latency, locations, and much more. It creates an environment that allows administrators to be more proactive and more easily consume and analyze the information.

While ZTNA may be a monumental step forward from legacy VPN systems, ZTNA solutions are not without their own concerns. ZTNA solutions do not address performance and scalability issues and may lack the core components of continuity, such as failover and automated rerouting of traffic.

In other words, ZTNA may require those additional third-party solutions to be added to the mix to support BCP.

Resolving ZTNA and VPN issues with SASE

A newer technology, which goes by the moniker of SASE (Secure Access Service Edge), may very well have the answer to the dilemmas of security, continuity, and scale that both ZTNA and VPNs introduce into the networking equation.

The Secure Access Service Edge (SASE) model was proposed by Gartner's leading security analysts, Neil MacDonald, Lawrence Orans, and Joe Skorupa. Gartner presents SASE as a way to collapse the networking and security stacks of SD-WANs into a fully integrated offering that is both easy to deploy and manage.

Gartner sees SASE as a game-changer in the world of wide-area networking and cloud connectivity. The research house expects 40% of enterprises to adopt SASE by 2024. However, a significant challenge remains, networking and cybersecurity vendors are still building their SASE offerings, and very few are actually available at this time.

One such vendor is Cato Networks, which offers a fully baked SASE solution and has been identified as one of the leaders in the SASE game by Gartner.

SASE differs significantly from the VPN and ZTNA models by leveraging a native cloud architecture that is built on the concepts of SD-WAN (Software-Defined Wide Area Network). According to Gartner, SASE is an identity-driven connectivity platform that uses a native cloud architecture to support secure connectivity at the network edge that is globally distributed.

SASE gives organizations access to what is essentially a private networking backbone that runs within the global internet. What's more, SASE incorporates automated failover, AI-driven performance tuning, and multiple secure paths into the private backbone.

SASE is deployed at the edge of the network, where the LAN connects to the public internet to access cloud or other services. And as with other SD-WAN offerings, the edge has to connect to something beyond the four walls of the private network.

In Cato's case, the company has created a global private backbone, which is connected via multiple network providers. Cato has built a private cloud that can be reached over the public internet.

SASE also offers the ability to combine the benefits of SDP with the resiliency of an SD-WAN, without introducing any of the shortcomings of a VPN.

Case in point is Cato's Instant Access, a clientless connectivity model that uses a Software-Defined Perimeter (SDP) solution to grant secure access to cloud-delivered applications for authorized remote users.

Instant access offers multi-factor authentication, single sign-on, least privileged access, and is incorporated into the combined networking and security stacks. Since it is built on SASE, full administrator visibility is a reality, as well as simplified deployment, instant scalability, integrated performance management, and automated failover.

Cato Networks' Remote Access Product Demo

In Cato's case, continuous threat protection keeps remote workers, as well as the network, safe from network-based threats. Cato's security stack includes NGFW, SWG, IPS, advanced anti-malware, and Managed Threat Detection and Response (MDR) service. Of course, Cato isn't the only player in the SASE game; other vendors pushing into SASE territory include Cisco, Akamai, Palo Alto Networks, Symantec, VMWare, and Netskope.

SASE Address the Problems of VPNs, ZTNA -- and More

With VPNs coming up short and ZTNA lacking critical functionality, such as ease of scale and performance management, it is quickly becoming evident that CISOs may need to take a long hard look at SASE.

SASE addresses the all too common problems that VPNs are introducing into a rapidly evolving remote work paradigm, while still offering the application-centric security that ZTNA brings to the table.

What's more, SASE brings with it advanced security, enhanced visibility, and reliability that will go a long way to improving continuity, while also potentially lowering costs.

Source :