Login
With the acceleration of cloud migration initiatives—partly arising the need to support a remote workforce during the pandemic and beyond—enterprises are finding that this transformation has introduced new operational complexities and security vulnerabilities. Among these are potential misconfigurations, poorly secured interfaces, Shadow IT (access to unauthorized applications), and an increasing number of connected devices and users. To navigate these challenges, enterprises are relying on managed service providers to monitor and protect their cloud environment.
To better serve its customers and secure its own environments, one global technology provider decided to expand its existing on-premises data loss protection (DLP) and web protection with a comprehensive and robust cloud security strategy based on solutions from the MVISION portfolio of solutions. Already a long-time user of McAfee Enterprise on-premises solutions, the global technology provider not only secured its internal cloud infrastructure consisting of more than 5,000 endpoints across over 30 locations worldwide, they also applied the same approach to the millions of endpoints they manage for more than 10,000 customers.
A primary objective for the global technology provider is securing data in the cloud in Software-as-a-Service (SaaS) applications (Microsoft Office 365, OneDrive, Salesforce, and others) and Infrastructure-as-a-Service (IaaS) platforms (Microsoft Azure, Amazon Web Services, Google Cloud Platform).
As a first step in its cloud journey, the global technology provider evaluated a number of cloud access security brokers (CASB) solutions. Ultimately, they decided to implement MVISION Cloud for AWS, Office 365, and Shadow IT. In addition to providing comprehensive visibility into cloud app usage, these solutions help with compliance; data loss prevention (DLP) by monitoring the movement of sensitive and confidential data content traveling to or from the cloud, within the cloud, and cloud to cloud; and detection and remediation of threats primarily through user and entity behavior analytics (UEBA).
But the global technology provider didn’t stop there. When we rolled out MVISION Unified Cloud Edge, the global technology provider tested it and enthusiastically adopted it. As defined by Gartner, MVISION Unified Cloud Edge is an industry-leading example of Secure Access Service Edge (SASE), a security framework that brings together network connectivity and security into a single, cloud-delivered solution that supports business transformation, edge computing, and workforce mobility.
The global technology provider has reaped multiple advantages from this implementation across its own internal environment and for its customers.
MVISION Unified Cloud Edge combines multiple capabilities under one umbrella: CASB functionality with web proxy and DLP with a single administrative hub, ePolicy Orchestrator® (ePO) for streamlined management.
MVISION Unified Cloud Edge capabilities and the ease of integration with the McAfee Enterprise ecosystem has made life easier for the global technology provider’s team, saving time and resources. Now they can set consistent policies from device to cloud and provide users with accelerated and secure access to the tools they use every day, such as Box, Dropbox, and others. As the information security operations manager points out: “A single management console reduces overhead as does being able to set policies that we can sync and apply to multiple data sources on multiple cloud solutions, without having to recreate rules.”
MVISION Unified Cloud Edge has also enabled the global technology provider to further boost its cloud data protection. For example, it can detect data that is improperly managed and stored. Now the organization can apply their existing on-premises data policies to the cloud. For example, they can prevent certain user behaviors that may put both corporate and customer cloud data at risk. These include copying data to cloud apps or USBs, printing it, taking screen captures, accessing risky websites, and uploading data to unauthorized websites.
To create a more secure internal environment, MVISION Unified Cloud Edge has been invaluable for the global security provider. They have a better handle on the applications that are being used across their company. The solution also provides risk scores for the cloud apps that are being used to help steer users away from Shadow IT and toward using only authorized apps. When employees propose new apps to help them do their jobs better, the IT security team can check the security of these apps against requirements and make any necessary modifications to ensure compliance.
“The Shadow IT CASB automatically blocks all cloud services that are deemed high risk, both at our on-premises Web Gateway and the built-in cloud web gateway manager. So, when users attempt to use an unsanctioned SaaS application, they see a message explaining that the app is not safe,” notes the information security operations manager.
The global technology provider also sells SaaS solutions to its clients. With MVISION Unified Cloud Edge, the global technology provider can protect data on any newly sanctioned SaaS applications at no extra cost.”
After a successful experience with McAfee Enterprise overall and specifically with the implementation of MVISION Unified Cloud Edge, the information security operation manager recommends the solution to any organization beginning or in the midst of migrating to the cloud.
“I would advise other companies thinking about their cloud transformation journey to seriously consider MVISION Unified Cloud Edge . . . It has a very user-friendly interface and does so much out of the box,” he asserts. “The level of granularity in policy setting lets you do things you don’t think possible or are much easier to accomplish than you realize. . . I don’t think any other vendor offers such a complete package.”
The post Global Technology Provider Looks to MVISION Unified Cloud Edge appeared first on McAfee Blog.
Cloud Security Gateways (CSGs) are one of the hottest and most sought-after technologies in the market today, driven by the adoption of cloud services for business transformation and the acceptance of hybrid workforce policies. CSGs, also commonly known as Cloud Access Security Brokers (CASBs), are responsible for enforcing security policies to protect cloud-hosted corporate assets from advanced threats, while enabling seamless and secure access to these assets from any location and device.
We have witnessed an exponential growth in cloud usage in the past two years, primarily driven by remote workforce adoption. Based on the data collected by our research team from millions of connected McAfee Enterprise users across the globe, the overall usage of enterprise cloud services spiked by 50% across all industries, while the collaboration services witnessed an increase of up to 600% in usage. This led to an astonishing 630% increase in external attacks on the cloud accounts. Taking all these factors and trends into consideration, CSGs have become a highly essential element of any organization’s cloud security strategy, playing the most critical role for enabling data protection, threat prevention and compliance in the cloud.
McAfee Enterprise continues to innovate in the cloud security space with a laser-focused strategy towards empowering our customers with the best-in-class cloud security solution. MVISION Cloud, recognized as the industry’s leading CSG solution, has become a vital part of enterprise security, allowing organizations to safely migrate to the cloud while protecting their “crown jewels” – the data. A huge testament to our cybersecurity vision is the IDC MarketScape Worldwide Cloud Security Gateways 2021 Vendor Assessment (Doc # US48334521, November 2021), and we are proud to announce that McAfee Enterprise has been recognized as a leader in the report.
According to the report, “McAfee has a strong ecosystem of security solutions, including Secure Web Gateway, CSG, and endpoint security that it can integrate to enable customers in their data loss prevention, User Behavior Analytics, XDR, and threat prevention goals. McAfee has focused on providing robust protection and DLP, with the scale and speed necessary to support large user bases.”
McAfee Enterprise’s multi-vector data protection capabilities go beyond the cloud to uniquely discover and protect sensitive assets on managed endpoints, in-network shares, and on-premises databases, enabling full scope of data protection from device-to-cloud. The industry-leading data protection and threat protection capabilities are tightly integrated with a unified policy framework that allows policy enforcement, data classification and incident management from a centralized console, reducing the cost and complexity of managing hybrid IT deployments, while improving the user experience.
Figure 1: McAfee Enterprise Multi-Vector Data Protection
MVISION Cloud is an integral component of our Unified Cloud Edge (UCE) solution, and together with McAfee Enterprise’s Next-Gen Secure Web Gateway (SWG) and MVISION Private Access (ZTNA) delivers the industry’s most comprehensive Security Services Edge (SSE) solution – the security element of the Secure Access Service Edge (SASE) framework. With McAfee Enterprise’s DLP technology being the common denominator across all the core SSE components, organizations can seamlessly utilize a unified, data-centric framework for centralized visibility and control over their entire digital footprint, while riding on an accelerated path for digital transformation and workplace mobility.
Figure 2: MVISION Unified Cloud Edge (UCE)
Our mission towards building a unified security platform for protecting data from device-to-cloud and defending against advanced threats and adversaries has established McAfee Enterprise as a leader in cybersecurity across multiple forums, and the 2021 IDC MarketScape report is another distinguished feather in our decorated cap.
The post McAfee Enterprise Continues to be a Leader in CASB and Cloud Security appeared first on McAfee Blog.
The time to repurpose vulnerabilities into working exploits will be measured in hours and there’s nothing you can do about it… except patch
By Fred House
2021 is already being touted as one of the worst years on record with respect to the volume of zero-day vulnerabilities exploited in the wild. Some cite this as evidence of better detection by the industry while others credit improved disclosure by victims. Others will simply conclude that as the “upside” grows (e.g., REvil demanding $70M or Zerodium paying $2.5M for exploits) so too will the quantity and quality of players. But the scope of these exploitations, the diversity of targeted applications, and ultimately the consequences to organizations were notable as well. As we look to 2022, we expect these factors to drive an increase in the speed at which organizations respond.
If we look back at the past 12 months, we have seen notable breaches that highlight the need for organizations to improve response times:
ProxyLogon. When we first learned in 2020 that roughly 17,000 SolarWinds customers were affected, many reacted in shock at the pure scope of the compromise (it should be noted that a small subset of these customers are believed to have been compromised by follow-on activity). Unfortunately, 2021 brought its own notable increase in volume. Two weeks after Microsoft released a patch for ProxyLogon they reported that 30K Exchange servers were still vulnerable (less conservative estimates had the number at 60K).
ProxyShell. ProxyShell, a collection of three separate vulnerabilities (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523), was Exchange’s second major event of the year after ProxyLogon. In August, a Black Hat presentation outlining Exchange Server vulnerabilities was followed the next day by the release of an exploit POC, all of which had been patched by Microsoft months earlier in April/May. This analysis of data captured by Shodan one week after the exploit POC was released concluded that over 30K Exchange servers were still vulnerable, noting that the data may have underrepresented the full scope (i.e., Shodan hadn’t had time to scan the full Internet). In summary: patched in the Spring, exploited in the Fall. So, what happened in the interim you ask? The vulnerabilities in the Microsoft Client Access Service were exploited by threat actors who deployed web shells to execute arbitrary code on compromised mobile devices and web browsers.
vCenter Server. Another notable example occurred in May when VMWare released a patch for a remote code execution vulnerability in vCenter Server. This subsequent analysis concluded that over 4,000 systems remained vulnerable one week after the patch was released. Much like Exchange servers, where a typical company will only host a handful of servers, 4,000 vulnerable vCenter servers likely represents thousands of distinct companies.
Kaseya VSA. One bright spot may in fact be the Kaseya VSA breach. On July 2, REvil launched an unprecedented (anyone else tired of that word?) ransomware campaign against public facing VSA servers. Within two days the DIVD CSIRT reported that the number of exposed VSA servers had dropped from 2,200 to 140. Some estimates suggested that around 50 MSPs were compromised, affecting between 800 and 1500 business. While this doesn’t sound like much of a bright spot, patching 94% of the affected systems in two days surely helped reduce the success of REvil copycats.
So, what can we take away from all of this? Well, attackers and security researchers alike will continue to hone their craft until weaponized exploits and POCs are expected within hours of vulnerability disclosure. In turn however, and largely driven by the increased consequences of compromise, we can also expect renewed diligence around asset and patch management. From identifying public facing assets to quickly deploying patches despite potential business disruption, companies will have a renewed focus on reducing their “time to patch.”
Still not convinced? Well, the US government is. Checkout Binding Operational Directive 22-01 published on November 3rd which compels all federal agencies to remediate known exploited vulnerabilities in two weeks or sooner “in the case of grave risk to the Federal Enterprise”. It’s no coincidence that CISA’s known exploited vulnerabilities catalog, which catalogues the vulnerabilities that must be remediated, includes every one of our examples above with a two-week remediation deadline. If the US government can do it, you can too!
The post Zero Care About Zero Days appeared first on McAfee Blog.
In the October 2021 Threat Report, McAfee Enterprise ATR provides a global view of the top threats, especially those ransomware attacks that affected most countries and sectors in Q2 2021, especially in the Public Sector (Government).
In June 2021 the G7 economies urged countries that may harbor criminal ransomware groups to take accountability for tracking them down and disrupting their operations. Let’s review the high severity campaigns and threat profiles added to MVISION Insights recently.
Conti has been one of the top Ransomware groups in 2021, including a new campaign reported in September 2021. As mentioned earlier in this report, the public sector seems to be the sector most affected by Ransomware attacks. McAfee Enterprise provides regular publications on the strategies to defend against ransomware, such as this blog.
CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability
This is a serious Microsoft Office vulnerability reported in September 2021 by Microsoft, McAfee Enterprise and other sources. The MVISION Insights heat map shows the prevalence of the Indicators of Compromise (IOCs) associated with this threat in the first half of October 2021.
Although Microsoft has provided guidance on a workaround, it can be challenging for many public sector organizations to deploy these patches quickly. To help you be more agile, McAfee Enterprise has released its own guidance leveraging ENS, EDR and NSP.
Microsoft Office vulnerabilities are commonly exploited in the early phases of the attack lifecycle. BazarLoader, mentioned earlier with the Conti Ransomware, has also been used with Word and Excel documents. In the MITRE Enterprise ATT&CK framework this technique is known as T1203, which we can find in 177 campaigns and threat profiles in MVISION Insights.
APT41 is a state sponsored threat group linked to China and associated with multiple campaigns, including a new campaign reported in September 2021. Although Ransomware is currently the main cyber threat type which hits the news, state sponsored threat groups are equally concerning, especially in the public sector for organizations with sensitive government and citizen data, which could be potentially exploited by a foreign nation like China.
In the second part of this report, we highlight how you can leverage the data from MVISION Insights to find traces of these attacks to enhance your level of protection.
In the October 2021 Threat Report, McAfee Enterprise ATR also assessed the prevalence of Cloud Threats, identifying the US Government sector as one of the top 10 verticals affected.
Many governments are moving quickly to adopt cloud technologies to bring services for their citizens, for collaboration and cost savings.
Inadequate readiness to address cloud security has been the primary contributor of these threats. Several cloud-native controls exist to protect sensitive data from loss or theft in real time, such as:
In the second part of this report, we want to give you some guidance on how you can operationalize this threat intelligence data to better protect your networks. MVISION Insights can help operationalize McAfee Enterprise Threat Intelligence data by providing risk assessment against threats affecting you, protective guidance and integrating with other tools to share threat data.
Let’s take the previous example of the Conti Ransomware Threat Profile. Below you can see how MVISION Insights provides:
1. A short description with the list of CVEs linked to this threat profile, the minimum version of McAfee Enterprise ENS AMcore content to be correctly protected against this threat, detections in your environment and on which device.
2. The list of related campaigns, the devices with unresolved detections related to these campaigns or those with insufficient protections.
3. The list of MITRE techniques and tools, which provide a universal and agnostic overlay of the threats, as well as details on the observables specific to this threat profile for each MITRE technique.
4. The list of IOCs with filters, IOC attributes, and IOC export features which you can use to share them with your other solutions, such as your SIEM, and which you can also share with other public sector entities. We also provide a direct integration with MVISION EDR. Alternatively, you can leverage the APIs to automate the exchange of IOCs.
If you find devices with these IOCs in MVISION EDR you can take immediate remote actions such as quarantine the device, kill the process, remove the files, or run custom scripts.
You can also use MVISION EDR for more advanced threat hunting such as searching for specific MITRE techniques in all MVISION EDR alerts …
… or in the MVISION EDR monitoring view which automatically groups the alerts.
5. MVISION Insights also provides hunting rules created by McAfee Enterprise Threat Intelligence experts using Yara, Sigma and McAfee Enterprise ENS expert rules.
6. A proactive assessment of your Endpoint and Cloud security posture score with guidance on the configuration changes which you should follow to ensure that your McAfee Enterprise Endpoint and Cloud solutions are protecting you with their full capabilities.
7. And all this, with more than 1,200 threat campaigns and threat profiles
MVISION APIs give you the ability to integrate and to exchange this extensive Threat Intelligence data with your SOC tools, including Threat Intelligence Platforms (TIPs) and Security Orchestration Automation and Response (SOAR).
These integrations can be used both in Internet-facing and closed networks. For advanced Threat Intelligence teams, our Advanced Program Group (APG) provides “Threat Intelligence as a Service” (INTAAS) including:
To conclude, here is a summary of the use cases you can achieve with MVISION Insights in the public sector:
If you want to learn more on our Threat Intelligence capabilities and participate in Architecture or Incident Response Workshops, contact your local McAfee Enterprise representative.
The post Ransomware Threats Affecting the Public Sector appeared first on McAfee Blog.
In life, regret tends to take on many shapes and forms. We often do not heed the guidance of the common anecdotes we hear throughout our days and years. From “look before you leap” to “an apple a day keeps the doctor away” – we take these sayings in stride, especially when we cannot necessarily provide proof of their veracity!
One particular trope that may incite ire, frustration, or regret when applied to enterprise security is – “once bitten, twice shy.”
In its very literal sense, we’re taught that if we’re bitten by something once – whether that be dog or security breach – we’re innately cautious or fearful of falling into a similar scenario. With dogs or any animal, we may pivot our behavior to avoid sharp teeth. However, with security breaches, many enterprises continue to be blindsided by “bites” – despite believing they’ve taken the utmost of caution to protect against them.
There is a clear disconnect between enterprise-preparedness and the severity of today’s threat landscape. We continue to see that no enterprise is immune to threats and breaches, with ransomware campaigns continuing to get more sophisticated and prevalent. We’re also seeing cyber criminals work together, banding as an enterprise themselves sharing common tools and knowledge. This means, as cyber criminals become more business-savvy, operational, and efficient – the enterprises they look to attack need to consistently be one step ahead to anticipate and prevent breaches.
The term digital transformation is not new by any means, but it needs to be newly approached through a security-first lens. For successful digital transformation to occur today, major industries need to focus on superior prevention against threats.
It’s time for business leaders to stop focusing on the “breach of the month” and more on building security into the fabric of their organizations so they’re not the next victims. For this to happen, it is imperative to break down silos of threat and information intelligence across the organization, enabling a collaborative, holistic, and strategic approach to securing the business.
Additionally, as we’re seeing more prevalent and sophisticated attacks, enterprises need to lean into the transformative technologies that can keep up with evolving techniques. AI provides for personalization of security – a key advantage as it can prioritize detection and response to allow organizations to focus on growth outcomes instead of spending time recouping lost data, customers, revenue, efficiencies, or more that can come at the expense of a threat or breach.
Placing security at the forefront of strategies can unleash the full potential of what digital transformation can make possible. With this approach and a mindset focused on prevention and cyber-readiness as the catalyst aiding true digital and business transformation, we have the power to turn the headlines around. It is time for enterprises to bite back, and the criminals to shy away.
The post Digital Transformation Needs to (Re)Start with Security appeared first on McAfee Blog.
The malware landscape is growing more complex by the minute, which means that no device under your family’s roof—be it Android, iPhone, PC, or Mac—is immune to an outside attack. This reality makes it possible that one or more of your devices may have already been infected. But would you know it?
According to 2021 statistics from the Identity Theft Resource Center (ITRC), the number of data breaches reported has soared by 17 percent over last year. In addition, as reported by McAfee, cybercriminals have been quick to take advantage of the increase in pandemic connectivity throughout 2020. McAfee Labs saw an average of 375 new threats per minute and a surge of hackers exploiting the pandemic through COVID-19 themed phishing campaigns, malicious apps, malware, and more. With Black Friday and Cyber Monday now at hand, we can count on even more new threats.
Often, if your device has been compromised, you know it. Things get wonky. However, with the types of malware and viruses now circulating, there’s a chance you may not even realize it. The malware or virus may be working in the background sending usage details or sensitive information to a third party without disrupting other functions. So, be on the lookout for these tell-tale signs.
If you discover a family device has been compromised, there are several things you can do. 1) Install security software that will help you identify the malware so you can clean your device and protect yourself in the future. 2) Delete any apps you didn’t download, delete risky texts, delete browsing history and empty your cache. 3) In some situations, malware warrants that you wipe and restore your device (Apple or Android) to its original settings. Before doing so, however, do your research and be sure you’ve backed up any photos and critical documents to the cloud. 4) Once you’ve cleaned up your devices, be sure to change your passwords.
The surge in malware attacks brings with it a clear family mandate that if we want to continue to live and enjoy the fantastic benefits of a connected life, we must also work together at home to make online safety and privacy a daily priority.
The post 5 Signs Your Device May be Infected with Malware or a Virus appeared first on McAfee Blog.
With the widespread adoption of hybrid work models across enterprises for promoting flexible work culture in a post pandemic world, ensuring critical services are highly available in the cloud is no longer an option, but a necessity. McAfee Enterprise’s MVISION Unified Cloud Edge (UCE) is designed to maximize performance, minimize latency, and deliver 99.999% SLA guaranteed resiliency, offering blazing fast connectivity to cloud applications from any location and causing no service degradation, even when the usage of cloud services spiked 600% during the COVID-19 pandemic, as reported in our Cloud Adoption and Risk Report (Work From Home Edition). This blog shares details on how MVISION UCE is architected to enable uninterrupted access to corporate resources to meet the demands of the hybrid workforce.
MVISION UCE, our data-centric, cloud-native Security Service Edge (SSE) security platform, derives its capabilities from McAfee Enterprise’s industry leading Secure Web Gateway and Enterprise Data Protection solutions. However, this is not a lift and shift of capabilities to the cloud, which would have made it prone to service outages and impossible to have the flexibility that is needed to meet the demands of SSE. Instead, the best of breed functionality was purposefully reconstructed for SSE, using a microservices architecture that can scale elastically, and built on a platform-neutral stack that can run on bare metal and public cloud, equally effectively. A hallmark of the architecture is that the cloud is a single global fabric where service instances are spread throughout the globe. Users automatically access the best instance of any service through policy configuration.
What other alternatives are out there? We have seen some cloud services replicated in each region of their presence. While this makes controlling resources and data simple, and keeps everything within a boundary, such an approach loses out on the flexibility needed to scale on demand and reduced latency on access. With UCE, each point of presence (POP) is part of the global fabric, yet at the same time, fully featured with all services housed within the POP. This avoids the need to send traffic back and forth between various services located at different locations, a phenomenon known as traffic hairpin.
By default, user traffic gets processed at the POP closest to their physical location, regardless of where the user may be. A user may work at their office in New York 90% of the time and travel to UK occasionally. When the user connects to MVISON UCE, they are connected to New York POP when they are at office, and the POP in London if they are in a UK hotel while traveling. This is a big advantage if you think about it. User’s traffic does not need to trombone from the hotel in UK, to the POP in New York and back to a server in London. MVISION UCE’s out-of-the-box traffic routing scheme favors low latency. This does not mean that the customer cannot override this policy and force the traffic to be processed at the New York POP. They might do so if there is a compliance need to process all traffic at a certain location. Many customers have a need to store logs in a certain geography even though traffic processing may occur anywhere on the globe. MVISION UCE architecture decouples log storage from traffic processing and lets the customer choose their log storage geography based on criteria that customers define.
One of the key considerations while choosing a SSE vendor would be how much latency the service adds to user’s requests. Significant latency can negatively affect user experience and could be a deterrent to product adoption. With 85 POPs strategically placed around the globe providing low latency access to customers, UCE POPs have direct peering with the biggest SaaS vendors like Microsoft, Google, Akamai, and Salesforce to further reduce latency. In addition, MVISION UCE POPs peer with many ISPs around the globe, enabling high bandwidth and low latency connectivity end to end, from the customer’s network to UCE and from UCE to the destination server.
With thousands of peering partners growing every day, over 70% of traffic served by MVISION UCE uses peering links in some geographies. The whitepaper, How Peering POPs Make Negative Latency Possible, shares details about a study conducted by McAfee Enterprise to measure the efficacy of these peering relationships. This paper is proof that UCE customers experience faster response times going through our POPs than they would usually get by going directly through their Internet Service Providers. UCE follows a living partnership model when it comes to peering, with thousands of peering relationships in production. We are committed to keeping the latency to a minimum.
You may be wondering what the secret sauce is for achieving a reliability of five 9s or higher in MVISION UCE. Several items play a crucial role in preventing unplanned service degradation.
At McAfee Enterprise, security is not an afterthought. From the start, the architecture was designed with zero trust in mind. Services are segmented from one another and follow the least privileged principle when resources need to be shared between services. Industry standard protocols and methodologies are used to enforce user and identity access management (UAM/IAM). Strong role-based access controls (RBAC) across the platform keep customer’s data separate and provide self-defense when a service is compromised. None of these features matter if the software is vulnerable. McAfee Enterprise follows one of the strictest Software Development Life Cycle (SDLC) processes in the industry to eliminate known vulnerabilities and threats in our software as it is written.
Another aspect of security that is gaining momentum these days is data privacy. This is at the forefront of all feature designs in MVISION UCE. Usually, data privacy means tokenization or anonymization of customer private data stored in MVISION UCE, be it logs or other metadata. At McAfee Enterprise, we strive to take this a step further. We do not want to retrieve private data from the customer environment if it can be avoided. For example, to evaluate a policy that involves customer premise data, UCE can offload the evaluation to a component on the customer premise. Case in point, McAfee Client Proxy (MCP) that is installed on user’s machine can perform a policy evaluation and avoid sending private data to the cloud. The McAfee Enterprise cloud leverages the results of the evaluation to complete the policy execution. Where this is not possible, private data is anonymized at the earliest entry point in the cloud to minimize data leaks.
Last but not the least, a chain is only as strong as its weakest link, and physical data center security must also be considered. Global partners are selected only after careful evaluation of their facilities and infrastructure that will host our data centers, while other vendors in this space are working with a larger set of less rigorously qualified regional partners to increase their presence. The McAfee Enterprise approach provides the necessary guard rails against supply chain attacks that our customers demand.
There are other architectural gems hidden within UCE and thus failing to mention them would make this article incomplete. First, the policy engine is exposed in the form of code with which the customer can construct complex policies without being constrained by what UI provides. If you are a user of MVISON UCE, you can see this in action by enabling “Code View” in the Web Policy tree. If you do not like the way policy nodes are ordered in the tree or the evaluations made by default, you can take complete control and process the traffic in any manner you wish. By the way, the policy is so flexible that one can write a policy to process traffic in one region and store logs in another region.
Second, policy evaluation can be distributed across various components which allows its evaluation at the earliest point in the network. This avoids hauling all traffic to the cloud to apply policy. For example, if a sensitive document needs to be blocked due to data protection rules, the DLP agent running on the user’s machine can block it instead of hauling the traffic to cloud for classification and blocking. This strategy reduces load on the cloud and consequently increases the scale at which we can process requests.
Lastly, all services are automated and require no manual intervention to provision a customer unlike other vendors that require a support ticket to provision some features. Independent of where your account has been provisioned and where your preferred UI console resides, polices that you author are stored in a global policy system that is synchronized to all POPs around the world, giving you the flexibility to process traffic anywhere in the world.
To conclude, all clouds are not built equally. Architecture of a cloud is a matter of choice and tradeoffs. MVISON UCE implements a global cloud and puts customers in the driver’s seat through programmatic policies, that are secure, scalable, and highly available.
To learn more about how MVISION UCE can help ensure your critical services are highly available in the cloud, watch this short video or visit our MVISION UCE page to get started.
The post Qualities of a Highly Available Cloud appeared first on McAfee Blog.
McAfee Enterprise and FireEye recently teamed to release their 2022 Threat Predictions. In this blog, we take a deeper dive into cloud security topics from these predictions focusing on the targeting of API services and apps exploitation of containers in 2022.
Recent statistics suggest that more than 80% of all internet traffic belongs to API-based services. It’s the type of increased usage that grabs the attention of threat developers hunting for rewarding targets.
Feature-rich APIs have moved from being just a middleware to applications and have evolved to become the backbone of most modern applications that we consume today. Examples include:
In most cases, attacks targeting APIs go undetected as they are generally considered as trusted paths and lack the same level of governance and security controls.
The following are some of the key risks that we see evolving in the future:
Gaining visibility into application usage with the ability to look at consumed APIs should be a priority for organizations, with the goal of ultimately having a risk-based inventory of accessed APIs and a governance policy to control access to such services. Having visibility of non-user-based entities within the infrastructure such as service accounts and application principles that integrate APIs with the wider enterprise eco-system is also critical.
For developers, developing an effective threat model for their APIs and having a Zero Trust access control mechanism should be a priority alongside effective security logging and telemetry for better incident response and detection of malicious misuse.
Containers have become the de facto platform of modern cloud applications. Organizations see benefits such as portability, efficiency and speed which can decrease time to deploy and manage applications that power innovation for the business. However, the accelerated use of containers increases the attack surface for an organization. Which techniques should you look out for, and which container risk groups will be targeted? Exploitation of public-facing applications (MITRE T1190) is a technique often used by APT and Ransomware groups. MITRE T1190 has become a common entry vector given that cyber criminals are often avid consumers of security news and are always on the lookout for a good exploit. There are numerous past examples in which vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.
The Cloud Security Alliance (CSA) identified multiple container risk groups including:
How do you protect yourself? Recommended mitigations include bringing security into the DevOps process through continuous posture assessment for misconfigurations, checks for integrity of images, and controlling administrative privileges. Use the Mitre ATT&CK Matrix for Containers to identify gaps in your cloud security architecture.
The post Cloud API Services, Apps and Containers Will Be Targeted in 2022 appeared first on McAfee Blog.
It would be impossible nowadays to separate our everyday lives from technology. We travel well-worn, comfortable paths online and engage in digital activities that work for us. But could those seemingly harmless habits be putting out the welcome to cyber criminals out to steal our data?
It’s a given that our “digital-first mindset” comes with inherent risks. With the work and learn from home shift looking more permanent and cybercrime on the rise, it’s imperative to adopt new mindsets and put new skills in motion. The first step with any change? Admitting your family may have a few bad habits to fix. Here are just a few to consider.
1. You share toooo much online. Too Much Information, yes, TMI. Oversharing personal information online is easy access for bad actors online. Those out to do harm online have made it their life’s work to piece together your personal details so they can steal your identity—or worse. Safe Family Tips: Encourage your family not to post private information such as their full name, family member names, city, address, school name, extracurricular activities, and pet names. Also, get in the habit of a) setting social media profiles to private, b) regularly scrubbing personal information on social profiles—this includes profile info, comments, and even captions that reveal too much c) regularly editing your friends lists to people you know and trust.
2. You’ve gotten lazy about passwords. It’s tough to keep up with everything these days. We get it. However, passwords are essential. They protect your digital life—much like locks on doors protect your physical life. Safe Family Tips: Layer up your protection. Use multi-factor authentication to safeguard user authenticity and add a layer of security to protect personal data and all family devices. Consider adding comprehensive software that includes a password manager as well as virus and malware protection. This level of protection can add both power and peace of mind to your family’s online security strategy.
3. You casually use public Wi-Fi. It’s easy to do. If you are working away from home or on a family trip, you may need to purchase something, meet a deadline, or send sensitive documents quickly. Public Wi-Fi is easy and fast, but it’s also loaded with security gaps that cybercriminals camp out on. Safe Family Tip: If you must conduct transactions on a public Wi-Fi connection, consider McAfee Total Protection. It includes antivirus and safe browsing software, plus a secure VPN.
4. You have too many unvetted apps. We love apps, but can we trust them? Unfortunately, when it comes to security and privacy, apps are notoriously risky and getting tougher to trust as app technology evolves. So, what can you do? Safe Family Tips: A few things you can do include a) Double-checking app permissions. Before granting access to an app, ask yourself: Does this app need what it’s asking me to share? Apps should not ask for access to your data, b) researching the app and checking its security level and if there have been breaches, c) reading user reviews, d) routinely deleting dormant and unused apps from your phone. This is important to do on your phone and your laptop, e) monitor your credit report for questionable activity that may be connected to a malicious app or any number of online scams.
5. You’ve gotten too comfortable online. If you think that a data breach, financial theft, or catfish scam can’t happen to you or your family, it’s a sign you may be too comfortable online. Growing strong digital habits is an ongoing discipline. If you started strong but have loosened your focus, it’s easy to get back to it. Safe Family Tips: Some of the most vulnerable areas to your privacy can be your kids’ social media. They may be oversharing, downloading malicious apps, and engaging with questionable people online that could pose a risk to your family. Consider regularly monitoring your child’s online activity (without hovering or spying). Physically pick up their devices to vet new apps and check they’ve maintained all privacy settings.
6. You lack a unified family security strategy. Consider it: If each family member owns three devices, your family has countless security gaps. Closing those gaps requires a unified plan. Safe Family Tips: a) Sit down and talk about baseline security practices every family member should follow, b) inventory your technology, including IoT devices, smartphones, game systems, tablets, and toys, c) make “keeping the bad guys out” fun for kids and a challenge for teens. Sit and change passwords together, review privacy settings, reduce friend lists. Come up with a reward system that tallies and recognizes each positive security step.
7. You ignore updates. Those updates you’re putting off? They may be annoying, but most of them are security-related, so it’s wise to install them as they come out. Safe Family Tip: Many people make it a habit to change their passwords every time they install a new update. We couldn’t agree more.
Technology continues to evolve and open extraordinary opportunities to families every day. However, it’s also opening equally extraordinary opportunities for bad actors banking on consumers’ casual security habits. Let’s stop them in their tracks. If you nodded to any of the above habits, you aren’t alone. Today is a new day, and putting better digital habits in motion begins right here, right now.
The post 7 Common Digital Behaviors that Put Your Family’s Privacy at Risk appeared first on McAfee Blog.
November 11 marks Veterans Day in the United States and Remembrance Day across Europe and beyond. Wherever you may be on this 11th day of the 11th month, on the 11th hour, please be thankful to all our Veterans for their service and sacrifice. We would like to take a moment to reflect and honor some of our McAfee Enterprise employees who served.
Shannon Clancy joined October 5, 2003 and was a Major in the United States Marine Corps
Kevin Benton enlisted ten days after high school (mid 1980’s) and was in the US Army as an E4/Specialist
Kevin Suares enlisted in the US Air Force on November 1, 1994, after four year’s he was a Senior Airman (E-4)
Clancy: I had always had a niggling in the back of my mind that I wanted to be a Marine (My father served as a Marine in Vietnam), and then September 11, 2001 happened and it solidified my choice. I wanted to be the best, and everyone knows Marines are the best.
Benton: The world was bigger than my little hometown and I wanted to travel the world. Plus, I was clearly the smartest person in my house at 18 years old, so I showed my parents how smart I was.
Suares: I needed money for college and needed some direction in life. Initially I considered the Navy, as I am a former Sea Scout. I spoke to a Navy recruiter and was ready to sign up. He sent me across the hall to “get a different perspective” from the Air Force recruiter (which I was also considering) and after a 20-minute conversation where we talked about options in the Air Force, Air Force training, how the Air Force encourages higher education and AF ethos, I changed my mind. Biggest regret of that Navy recruiter’s career! The next week I scored 97 out of 99 in the Armed Services Vocational Aptitude Battery (ASVAB) making me eligible for almost any job.
Clancy: I remember my first day being total chaos. Not knowing the (now) simplest things like how to wear your cover (hat), blouse your trousers, align your belt, etc. Things that seem small and silly but were in fact critical lessons in attention to detail that have carried with me throughout service and life.
Benton: On the first day, I was tired and nervous about not having any idea of what was happening or what to do. The last day was filled with wildly mixed emotions! I made some great friends from all walks of life, and I was ready to get on with my life by attending college on the GI Bill, but I hadn’t yet lived on my own. I recall driving off the base and wondering if I should drive north or south on the Pacific Coast Highway; ultimately, I drove North and have never regretted the decision.
Suares: I remember on my first full day being woken up at 4:30 AM after going to bed around 1:30 AM, in a new environment to a metal trash can being hit repeatedly with a baton and words I can’t repeat here. On my last day, my supervisor still made me work the whole day, ending in a small ceremony where I was presented with a few token gifts (which I still have.) I wrote my flight a quick email saying goodbye then left for home. Not going to lie – I had tears in my eyes as I left the building.
Clancy: My most memorable experience was my deployment to Iraq. There was a pause in operations on Thanksgiving and I got to play soccer with some of the Marines. It was a very “normal” thing in a place where there wasn’t much normal. I don’t miss much (because there is a lot of nonsense that also goes on), but what I do miss is the camaraderie and sense of belonging. You don’t question who you are or what your purpose is while you serve.
Benton: Being in the infantry, I recall experiencing some of the toughest, most physically demanding moments in my life, then experiencing shear exhaustion when reaching the end of a march or landing in a hot zone, only to have a few laughs with the guys to your left and right, toggling thru each other’s life stories. No one cared where you were from or the color of our skin or whether you had any money. I’ll never forget the laughs and storytelling as we were all experiencing the same things at the same time. Come to find out, we were forming bonds for life.
Suares: My most pleasant memory wastaking my grandfather out to dinner in uniform for his 70th birthday. He was so proud that he was speechless for once. If you knew him, that was a really big deal. But my saddest memory was hearing the rifle salute at a friend’s funeral. Each volley cut me to the bone.
Clancy: I usually call my dad. Veterans day buddies right up to the Marine Corps Birthday, so there is no shortage of celebrations or drinks to be shared among Marines. This year has been extremely difficult on veterans; so, I think I’ll text a few friends I haven’t heard from in a while. I encourage everyone to reach out to one you know, just to check in and say hi. It goes a lot further than you might think.
Benton: Our little town holds a ceremony at our local cemetery. I’ve attended with my family for years, afterwards nearly always telling my kids stories of my service to my country and the pride I feel when seeing our flag and all that it stands for.
Suares: Usually with service to others. Occasionally I may go out to dinner with family, but most times I used to be involved in giving talks to youth groups, schools, etc. or donating time to other Veterans causes. I proudly served my country – and would do it again if asked – but I feel that I am not owed anything. The day should be about recognizing the living service member (past or present) and honoring us all.
The post Veterans Day & Remembrance Day 2021 appeared first on McAfee Blog.
Becoming a cloud first company is an exciting and rewarding journey, but it’s also fraught with difficulties when it comes to securing an entire cloud estate. Many forwarding-thinking companies that have made massive investments in migrating their infrastructure to the cloud are facing challenges with respect to their cloud-native applications. These range from inconsistent security across cloud properties to lack of visibility into the public cloud infrastructure where cloud-native applications are hosted—and more. All of these issues can create vulnerabilities in a sprawling attack surface that can be potentially exploited by cybercriminals.
Legendary Entertainment is a global media company with multiple divisions including film, television, digital studios, and comics. Under the guidance of Dan Meacham, VP of Global Security and Corporate Operations and CSO/CISO, the multi-billion dollar organization transitioned from on-premises data centers to the cloud in 2012.
Meacham points out that it’s been a source of great pride for his security and IT teams to always be “on top of the latest and greatest” technology trends—and migration to the cloud is no exception. That’s why his interest was sparked when he learned about the rollout of the MVISION security product line early in the migration process. Its cloud-native, open architecture was exactly the right fit for Legendary Entertainment’s environment.
As a cloud-first organization, Legendary Entertainment encountered challenges that are common to many companies that have migrated their workloads, applications, and data assets to the cloud. At first, the organization attempted to rely on security services natively provided by the individual cloud service providers: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Wasabi for cloud storage. As Meacham notes, “The security from one vendor doesn’t trickle over to the others. They all have different security controls, so our cloud security was not uniform, and security management was complicated.”
In their disparate multicloud environment spanning several cloud service providers, it became time-consuming and difficult to monitor and assess the security posture of applications and workloads, such as which systems needed patching or contained critical vulnerabilities.
With multiple management consoles required for its many cloud environments, applying and enforcing uniform security policy across their cloud estate was nearly impossible without investing a lot of time, effort, and resources.
Another problem in Legendary Entertainment’s early adoption of cloud-first was shadow IT, where employees or contractors enrolled in cloud collaboration platforms that were not authorized by IT. Although the shadow IT platforms were not connected to core systems, they made it more difficult to tightly monitor data which sometimes caused cloud-enabled applications to violate security policies. It is understandable that teams with a cloud-first mindset would embrace innovation and new collaborative experiences to accomplish goals faster. However, some of the shadow IT application has weak or no security controls – resulting the opportunities for external collaborator accounts to be compromised or have mis-managed privileges.
With high-profile data breaches in the entertainment industry in recent headlines, Legendary Entertainment was concerned about its level of risk and exposure, especially since it has valuable intellectual property such as scripts and marketing strategy plans for film releases among its holdings. The requirement for stronger security has been a boardroom-level conversation at digital media companies since the Sony Pictures hack and other vendor supply chain and workflow hacks. Attacks now extend beyond data leaks and can have far reaching business disruptions across an entire supply chain.
By deploying MVISION Cloud Native Application Protection Platform (MVISION CNAPP), Legendary Entertainment addressed all of these challenges at once. This unique solution prioritizes alerts and defends against the latest cloud threats and vulnerabilities. MVISION CNAPP combines granular application and data context with cloud security posture management and cloud workload protection in a single-console solution.
MVISION CNAPP provides Legendary Entertainment with broad and deep visibility across its entire infrastructure. It discovers all their cloud assets, including compute resources, containers, and storage and provides continuous visibility into vulnerabilities and security posture for applications and workloads running across multiple clouds.
Thanks to MVISION CNAPP, Meacham’s team can write, apply, and enforce security policies in a consistent fashion for the entire cloud estate. As Meacham points out, policy is continually checked so his team can correct any misconfigurations, disable services, or remove escalated privileges until corrections are made in alignment with internal compliance rules. And in many cases, the remediation can be automated internally in MVISION CNAPP or through workflow initiations.
“MVISION CNAPP gives me manageability and security uniformity for all our cloud platforms so that I can elevate the level of security and make it consistent across the board. Now that I have visibility into all our cloud assets from a high level, I can look at how current controls and configurations compare to our best practices, industry best practices, and to the best practices of peers who are using the same product. Without MVISION CNAPP, management is one to one, whereas with MVISION CNAPP, it’s one to many,” explains Meacham.
The Cloud Security Posture Management (CSPM) component of MVISION CNAPP provides Legendary Entertainment with on-demand scanning, which looks at all services used in the public cloud and checks their security settings against internal benchmarks. “This gives us a security posture score and provides feedback on what we can do to bring ourselves back into compliance,” observes Meacham. “If someone changes a configuration, we get an alert right away. And if it’s not in alignment with policy, we can roll it back to the previous settings. MVISION CNAPP also helps us remediate policy exceptions by clearly stating the risks, instances impacted, and the necessary step by step actions needed for resolution.”
MVISION CNAPP also ensures that Legendary Entertainment’s developers operate in a secure environment by alerting the security team when their actions violate security policies or increase the risk of a data breach. This effectively puts a halt to Shadow IT.
“MVISION CNAPP helps me keep my system administrators and developers accountable for what they are doing. We can make sure that they are consistent in how they execute, deploy, and build things. Configuration policies, on-demand scans, and different types of checks in MVISION CNAPP can help force that compliance. I am able to keep tabs on my developers to make sure they are operating according to these guidelines in any platform,” remarks Meacham.
MVISION CNAPP reduces risk associated with operating in the cloud, enabling Legendary Entertainment to run mission-critical applications and develop blockbuster movies such as “The Dark Knight Rises” and “Dune” securely across a heterogenous multicloud environment. The solution also enables contextual entitlements so that users can be identified and assigned selective access to and permissions for applications and resources based on the security profile of the devices they are using at any given time.
Legendary Entertainment leverages MVISION CNAPP’s data loss prevention (DLP) capabilities to monitor activity in cloud data stores in order to help prevent data breaches. Unusual or suspicious activity or unauthorized movement of data transit is tracked and flagged immediately by leveraging built-in UEBA capabilities.
“If I see 2,000 files change in 30 seconds, that’s a huge red flag indicating ransomware or some other type of attack. The solution’s monitoring tool detects suspicious behavior and immediately brings that to our awareness. If we see something like that happening on multiple platforms, we know that immediate action is required. The UEBA capability is invaluable for identifying external collaborators who may have compromised accounts, which we find on a regular basis.”
If you are looking for a simple-to-manage, high-visibility solution to secure your multicloud environment against the latest threats and vulnerabilities such as ChaosDB, take a look at MVISION CNAPP. For more information, visit: https://www.mcafee.com/enterprise/en-us/solutions/mvision-cnapp.html.
The post Legendary Entertainment Relies on MVISION CNAPP Across Its Multicloud Environment appeared first on McAfee Blog.
The Robinhood trading platform recently disclosed a data breach that exposed the information of millions of its customers. News of the attack was released on Monday, November 8th along with word the hackers behind it had demanded an extortion payment from the company.
According to Robinhood’s disclosure, the attack occurred on November 3rd, which allowed an unauthorized party to obtain the following:
In addition, smaller groups of Robinhood customers had yet more information compromised. Around 310 people had their names, birth dates, and zip codes exposed in the breach. Another 10 customers had “more extensive account details revealed,” per Robinhood’s disclosure.
Robinhood went on to say, “We believe that no Social Security numbers, bank account numbers, or debit card numbers were exposed and that there has been no financial loss to any customers as a result of the incident.”
Robinhood further stated that the company contained the intrusion and that it promptly informed law enforcement of the extortion demand. Robinhood says that it is continuing to investigate the incident with the assistance of a security firm.
The company advised its customers to visit the Robinhood help center to receive the latest messages from the company, noting that they will never include a link to access an account in a security alert.
Any data breach that you and your information may have been involved in calls for a few quick security steps:
1. Log into your account and update your password with a new one that is strong and unique. Likewise, if you use the same or similar passwords across several accounts, change those as well. (A password manager that’s included with comprehensive online protection software can do that work for you.) Set up two-factor authentication if your account allows for it, as this will provide an extra layer of protection as well.
2. Review your statements for any strange activity—even the smallest of withdrawals or transactions could be the sign of a larger issue.
3. Report any suspected fraud to the company or institution involved. They typically have set policies and procedures in place to provide support.
If you believe that you’ve become a victim of identity theft, file a report with local law enforcement and the Federal Trade Commission (FTC). Law enforcement can provide you with a case number that you may need as part of the recovery process. Likewise, the FTC’s identity theft website provides excellent resources, including a recovery plan and a step-by-step walkthrough if you create an account with them.
For even more information, visit our blog that points out the signs of identity theft and the steps you can take should you find yourself victim.
Given that the breach apparently exposed some 5 million email addresses, there’s the risk that these may end up in the hands of bad actors who may use them for follow-on attacks.
Notable among them would be phishing attacks, where hackers could target Robinhood users with phony messages in an attempt to get affected users to reveal further account information. For example, hackers could potentially create bogus emails that appear to come from Robinhood and direct users to a malicious site that requests account information. As Robinhood stated, the company will never include a link to access an account in a security alert. Users should visit the Robinhood site directly for account information.
This breach could lead to other phishing attacks as well, ones that may or may not pose as communication from Robinhood. Some of these phishing attacks can be rather easy to spot, as they may include typos, poorly rendered logos, or spoofed web addresses. However, some sophisticated hackers can roll out rather polished phishing attacks that can closely resemble legitimate communications.
In all, people can avoid falling victim to phishing attacks by keeping the following in mind:
1. Only access your accounts directly from the official website of the company or financial institution involved. If you receive an email, message, or text alerting you of an issue, do not click any links provided in the communication. Go straight to the site yourself by typing in the proper address and view your account information there. Likewise, calling the customer support line posted on their official site is an option as well.
2. Use comprehensive online protection software that includes a spam filter. This can prevent phishing emails from reaching your inbox in the first place.
3. Get to know the signs of phishing emails. A common sign of a scam is an email, ad, message, or site that simply doesn’t look or read right. (Maybe the grammar is awkward or the logo is grainy or has the colors slightly wrong.) However, some of them can look quite convincing, yet there are still ways to spot an attempted phishing attack.
4. Beware of email attachments you aren’t expecting. This is always good form because hackers love to spike attachments with malware that’s designed to steal your personal information. Whether you get an unexpected attachment from a friend or business, follow up before opening it. That’s a quick way to find out if the attachment is legitimate or not.
For more info on phishing and how to steer clear of it, check out our blog on how to spot phishing attacks.
The unfortunate fact is that data breaches can and do happen. Many of the larger data breaches make the headlines, yet many more do not—such as the ones that hit small businesses, restaurants, and medical care providers. In the hands of hackers, the information spilled by these breaches can provide them with the building blocks to commit identity theft. As a result, keeping on top of your identity and personal information is a must.
The good news is that you have solid options to prevent them from harming you or at least greatly lessen their potential impact. With identity theft protection, even in the short-term, you can monitor emails addresses and usernames that are being used to breach other accounts. You can monitor dozens of different types of personal information and receive alerts to keep an eye out for misuse. Likewise, it can monitor your email addresses and bank accounts for signs of misuse or fraud, plus provide theft protection and support from a recovery specialist if identity theft, unfortunately, happens to you.
Along those same lines, news of a data breach offers all of us a moment to pause and take stock of just how protected we are. Above and beyond the steps covered above, comprehensive online protection can protect your devices from malware, phishing attacks, malicious websites, and other threats. More importantly, it protects you—your identity and privacy, particularly in times where breaches such as the one we’re talking about here occur with seeming regularity.
The post Protecting Yourself in the Wake of the Robinhood Data Breach appeared first on McAfee Blog.
This month brings us yet another critical RCE (Remote Code Execution) bug found in the RDP (Remote Desktop Protocol) Client which has also been ported to the Hyper-V Manager “Enhanced Session Mode” feature. User interaction is a prerequisite since the vulnerability lies within the RDP client, requiring a victim to connect to a malicious RDP server.
This RCE bug is very closely related to CVE-2021-34535 and to CVE-2020-1374 , where there is a heap-based buffer overflow in mstscax.dll due to an attacker-controlled payload size field. The vulnerability can be triggered via the RDP Smart Card Virtual Channel Extension feature [MS-RDPESC], by leveraging the existing local RDPDR static virtual channel setup between the client and server. The RDP Smart Card Virtual Channel Extension feature [MS-RDPESC] functionality was leveraged in the “EsteemAudit” Exploit released by the “Shadow Brokers,” but that vulnerability targeted the RDP server and not the client. The functionality being exploited here is the ability to share a smart card reader between the client and server. The destination buffer intended for the IOCTL (I/O control) call to locate each host smart card reader is a fixed size, but the user-controlled size field can be altered to cause the client to perform an OOB (Out of Bounds) write. Seeing how simple it is to trigger this vulnerability, our team decided to mutate the test case to verify whether any other IOCTLs within the [MS-RDPESC] specification are vulnerable. Enumerating through the 60 other IOCTL calls tied to the smart card reader, we were able to find two additional unique crashes. All vulnerabilities discovered have been patched in the latest version of the mstscax.dll, which shows that the fix for this bug has mitigated other potentially vulnerable functions. The patched mstscax.dll now simply verifies that the bytes received over the wire do not exceed the user-supplied size field; it does this at the IOCTL dispatch table level before any IOCTL functions are called, so the single validation is applied to all IOCTLs.
This vulnerability has a CVSS (Common Vulnerability Scoring Standard) score of 8.8, dropped down from 9.8 because it requires user interaction in that a victim RDP client must connect to a malicious server.
This bug has the same attack scenario as that of CVE-2021-34535, which we also analyzed in depth:
We have seen a regular cadence of critical RDP vulnerabilities since BlueKeep (CVE-2019-0708), but what distinguishes the two vulnerabilities CVE-2021-38666 and CVE-2021-34535 is that they impact Hyper-V Manager “Enhanced Session Mode” and can thus be leveraged for guest-to-host escapes. While we do not rate these vulnerabilities as critical in the same manner as past RDP server-side RCE vulnerabilities, we are now clearly starting to see a trend of vulnerabilities emerging which impact Hyper-V Manager due to the porting of RDP. We recommend patching as a top priority as threat actors will potentially look to weaponize this common protocol for guest-to-host escapes on Windows 10 Hyper-V.
Microsoft has published a Knowledge Base article for this issue here with information regarding patching this vulnerability. As always, we recommend patching as a first course of action and we will continue to monitor this vulnerability for any exploitation in the wild.
For RDP security best practices please see: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/
The post Windows RDP Client Porting Critical Vulnerabilities to Hyper-V Manager appeared first on McAfee Blog.
The holiday season is upon us, and many are preparing to celebrate with family and friends both near and far. While we tend to look at consumer tendencies during the holidays, the season also presents a significant challenge to industries coping with the increase in consumer demands. McAfee Enterprise and FireEye recently conducted a global survey of IT professionals to better understand their cyber readiness, especially during peak times like the holiday season, and the impact the pandemic has had on their business. Most notably, 86% of organizations are anticipating a moderate-to-substantial increase in demand during the 2021 holiday season. The question is: Are they ready for that demand?
This year, the “everything shortage” is real – from a drop in available workforce to limited supplies to lack of delivery services. This creates an urgency for organizations to have actionable security plans and to effectively contain and respond to threats. Supply chain and logistics, e-commerce and retail, and the travel industry traditionally experience holiday seasonal increases in consumer and business activity, making them more vulnerable to cyber threats and leaving business, employee, and consumer data at risk. Here’s a statistical snapshot of these affected industries and how they can prepare for the anticipated increase in seasonal risks:
According to BCI’s Supply Chain Resilience Report 2021, 27.8% of organizations reported more than 20 supply chain disruptions during 2020, up from just 4.8% reporting the same number in 2019. The loss of manufacturing and logistics capacity, and employee-power in 2021 are expected to increase demand for goods, creating the perfect attack vector for cybercriminals: a potentially weak and vulnerable infrastructure to break through. Supply chain managers must identify risks, understand the potential downstream effects of a security breach or cyberattack, and prepare response plans so they can act quickly in the event of an incident.
According to Adobe’s 2021 Digital Economy Index, global online spending is expected to increase by 11% in 2021 to $910 billion during the holiday season. With store closures and increases in online shopping, along with limited product availability and concerns about shipping, this industry is faced with more threats than before. According to McAfee Enterprise COVID-19 dashboard, the global retail industry accounts for 5.2% of the total detected cyber threats. Such threats include compromised payment credentials and cloud storage, as well as other forms of retail fraud and theft.
Cyber threats aren’t new to the travel industry with airports, airlines, travel sites and ride-sharing apps having been victims in years past. However, what sets this year apart is the travel industry enduring a holding pattern caused by pandemic-related health concerns and travel restrictions. According to the International Air Transport Association (IATA), coronavirus-related loss estimates for 2020 total $137.7 billion—with total industry losses in 2020-2022 expected to reach $201 billion. As demand for holiday travel is expected to increase over the coming months, cyber criminals are watching closely for vulnerabilities as the industry battles new related challenges – labor shortages, supply chain issues, travel bans, and vaccination requirements.
McAfee Enterprise and FireEye threat findings unwrap the imminently crucial need for organizations to prioritize and strengthen their cybersecurity architecture through the holidays and end of 2021. Our research indicates that 81% of global organizations experienced increased cyber threats and 79% experienced downtime in the wake of previous cyberattacks.
While IT professionals know cyber threats have intensified, the findings prove that many organizations have not effectively prioritized security during COVID-19:
Organizations can be proactive in defending their networks, data, customers, and employees against the anticipated increase in holiday cybercrime by implementing security measures including, but not limited to:
In addition, enterprises and commercial businesses can implement cloud-delivered security with MVISION Unified Cloud Edge (UCE) and FireEye Extended Detection and Response (XDR).
The post ‘Tis The Season for Holiday Cyber Threats Targeting Enterprises in a Pandemic World appeared first on McAfee Blog.
You’re not the only one looking forward to the big holiday sales like Black Friday and Cyber Monday. Hackers are too. As people flock to retailers big and small in search of the best deals online, hackers have their shopping scams ready. Remember, McAfee frees you to live your connected life safe from threats like viruses, malware, phishing, and more. Download award-winning antivirus that protects your data and devices today.
One aspect of cybercrime that deserves a fair share of attention is the human element. Crooks have always played on our feelings, fears, and misplaced senses of trust. It’s no different online, particularly during the holidays. We all know it can be a stressful time and that we sometimes give into the pressure of finding that hard-to-get gift that’s so hot this year. Crooks know it too, and they’ll tailor their attacks accordingly as we get wrapped up in the rush of the season.
So while you already know how to spot a great deal, here are ways you and your family can spot online shopping scams so you can keep your finances safer this shopping season:
A common scam hackers use is introducing malware via email attachments, and during the holiday sale season, they’ll often send malware under the guise of offering emails and shipping notifications. Know that retailers and shipping companies won’t send things like offers, promo codes, and tracking numbers in attachments. They’ll clearly call those things out in the body of an email instead.
A classic scammer move is to “typosquat” phony email addresses and URLs that look awfully close to legitimate addresses of legitimate companies and retailers. They often appear in phishing emails and instead of leading you to a great deal, these can in fact link you to scam sites that can then lift your login credentials, payment info, or even funds should you try to place an order through them. You can avoid these sites by going to the retailer’s site directly. Be skeptical of any links you receive by email, text, or direct message—it’s best to go to the site yourself by manually typing in the legitimate address yourself and look for the deal there.
A related scammer trick that also uses typosquatting tactics is to set up sites that look like they could be run by a trusted retailer or brand but are not. These sits may tout a special offer, a great deal on a hot holiday item, or whatnot, yet such sites are one more way cybercriminals harvest personal and financial information. A common way for these sites to spread is by social media, email, and other messaging platforms. Again a “close to the real thing” URL is a telltale sign of a copycat, so visit retailers directly. Also, comprehensive online protection software can prevent your browser from loading suspicious sites and warn you of suspicious sites in your search results.
While the best of them can look practically professional and be tough to spot, one way to avoid counterfeit shopping apps is to go to the source. Hit the retailer’s website on your mobile browser and look for a link to the app from their website. Likewise, stick to the legitimate app stores such as Google Play and Apple’s App Store. Both have measures in place to prevent malicious apps from appearing in their stores. Some can sneak through before being detected though, so look for the publisher’s name in the description and ensure it is legitimate. On a fake app, the name may be close to the retailer you’re looking for, but not quite right. Other signs of a fake will include typos, poor grammar, and design that looks a bit off.
At the heart of holiday shopping is scarcity. Special offers for a limited time, popular holiday items that are tough to find, and just the general preciousness of time during the season to get things done, like shopping. Scammers love this time of year. During the holidays, they’ll play on that scarcity and crunch you’re under in their offers and messaging. Enter the “too good to be true” offer, typically set up on phony sites like the ones mentioned above. If the pricing, availability, or delivery time all look too good to be true, it may be a scam designed to harvest your personal info and accounts. Use caution here before you click. If you’re unsure about a product or retailer, read reviews from trusted websites to help see if it’s legitimate.
Apart from spotting scams, there are several things you can do to keep yourself safer while shopping this holiday season. In fact, they can keep you safer when you shop year ‘round as well. Looking for a last minute deal? Download McAfee online protection today.
This is a great one to start with. Secure websites begin their address with “https,” not just “http.” That extra “s” in stands for “secure,” which means that it uses a secure protocol for transmitting sensitive info like passwords, credit card numbers, and the like over the internet. It often appears as a little padlock icon in the address bar of your browser, so double-check for that. If you don’t see that it’s secure, it’s best to avoid making purchases on that website.
Specific to the U.S., the Fair Credit Billing Act offers the public protection against fraudulent charges on credit cards, where citizens can dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Note that many credit card companies have their own policies that improve upon the Fair Credit Billing Act as well. However, debit cards aren’t afforded the same protection under the Act. Avoid using those while shopping online and use your credit card instead.
Another alternative is to set up a virtual credit card, which is a proxy for your actual credit card. With each purchase you make, that proxy changes, which then makes it much more difficult for hackers to exploit. You’ll want to research virtual credit cards further, as there are some possible cons that go along with the pros, such as in the case of returns where a retailer will want to use the same proxy to reimburse a purchase.
Using a complete suite of online protection software can offer layers of extra protection while you shop, such as web browser protection and a password manager. Browser protection can block malicious and suspicious links that could lead you down the road to malware or a financial scam. A password manager can create strong, unique passwords and store them securely as well, making it far more difficult for hackers to compromise your accounts. Identity theft protection takes your safety a step further by helping you secure your identity online and restore it should any of your personal info be found in the wrong hands.
Two-factor authentication is an extra layer of defense on top of your username and password. It adds in the use of a special one-time-use code to access your account, usually sent to you via email or to your phone by text or a phone call. In all, it combines something you know, like your password, with something you have, like your smartphone. Together, that makes it tougher for a crook to hack your account. If any of your accounts support two-factor authentication, the few extra seconds it takes to set up is more than worth the big boost in protection you’ll get.
Public Wi-Fi in coffee shops and other public locations can expose your private surfing to prying eyes because those networks are open to all. Using a virtual private network (VPN) encrypts your browsing, shopping, and other internet traffic, thus making it secure from attempts at intercepting your data on public Wi-Fi and harvesting information like your passwords and credit card numbers.
With all the passwords and accounts we keep, this is important. Checking your credit will uncover any inconsistencies or outright instances of fraud. From there, you can then take steps to straighten out any errors or bad charges that you find. In the U.S., you can run a free credit report once a year with the major credit reporting agencies.
So while you’re shopping online this year, take a deep breath before you dive in. Double-check those deals that may look almost too good to be true. Look closely at those links. And absolutely don’t click on those attachments that look like shipping notices or coupon deals. Hackers are counting on you to be in a bit of a hurry this time of year. Taking an extra moment to spot their tricks can go a long way toward keeping you and your finances safe. Remember, stay ahead of cyber criminals, get an extra layer of protection with McAfee this holiday season.
The post Spot Those Black Friday and Cyber Monday Shopping Scams appeared first on McAfee Blog.
McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into a Game of Thrones power struggle among Ransomware-as-a-Service bad actors in 2022.
For several years, ransomware attacks have dominated the headlines as arguably the most impactful cyber threats. The Ransomware-as-a-Service (RaaS) model at the time opened the cybercrime career path to lesser skilled criminals which eventually led to more breaches and higher criminal profits.
For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals, eventually with a mind of their own.
In a response to the Colonial Pipeline attack, the popular cybercrime forums have banned ransomware actors from advertising. Now, the RaaS groups no longer have a third-party platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.
These events have undermined their trusted position. Ransomware has generated billions of dollars in recent years and it’s only a matter of time before more individuals who believe they aren’t getting their fair share become unhappy.
The first signs of this happening are already visible as described in our blog on the Groove Gang, a cyber-criminal gang that branched off from classic RaaS to specialize in computer network exploitation (CNE), exfiltrate sensitive data and, if lucrative, partner with a ransomware team to encrypt the organization’s network. McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.
Trust in a few things remains important even among cybercriminals underground, such as keeping your word and paying people what they deserve. Cybercriminals aren’t immune from feeling like employees whose contributions aren’t being adequately rewarded. When this happens, these bad actors cause problems within the organization. Ransomware has been generating billions of dollars in recent years and with revenue like that, it was inevitable that some individuals who believe they aren’t getting their fair share become unhappy and let the cybercrime world know it.
Recently, a former Conti affiliate was unhappy with their financial portion and decided to disclose the complete Conti attack playbook and their Cobalt Strike infrastructure online. In the past, McAfee ATR has been approached by individuals affiliated with certain RaaS groups expressing grudges with other RaaS members and admins, claiming they haven’t been paid in time or that their share wasn’t proportionate to the amount of work they put in.
In 2022, expect more self-reliant cybercrime groups to rise and shift the balance of power within the RaaS eco-climate from those who control the ransomware to those who control the victim’s networks.
The Ransomware-as-a-Service eco system has evolved with the use of affiliates, the middlemen and women that work with the developers for a share of the profits. While this structure was honed during the growth of GandCrab, we are witnessing potential chasms in what is becoming a not-so-perfect union.
Historically, the ransomware developers, held the cards, thanks to their ability to selectively determine the affiliates in their operations, even holding “job interviews” to establish technical expertise. Using CTB locker as an example, prominence was placed on affiliates generating sufficient installs via a botnet, exploit kits or stolen credentials. But affiliates recently taking on the role and displaying the ability to penetrate and compromise a complete network using a variety of malicious and non-malicious tools essentially changed the typical affiliate profile towards a highly skilled pen-tester/sysadmin.
The hierarchy of a conventional organized crime group often is described as a pyramid structure. Historically, La Cosa Nostra, drug cartels and outlaw motor gangs were organized in such a fashion. However, due to further professionalization and specialization of the logistics involved with committing crime, groups have evolved into more opportunistic network-based groups that will work together more fluidly, according to their current needs.
While criminals collaborating in the world of cybercrime isn’t new, a RaaS group’s hierarchy has been more rigid compared to other forms of cybercrime, due to the power imbalance between the group’s developers/admins and affiliates. But things are changing. RaaS admins and developers were prioritized as the top targets, but often neglected the affiliates who they perceived to be less-skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals.
As more ransomware players have entered the market, we suspect that the most talented affiliates are now able to auction their services for a bigger part of the profits, and maybe demand a broader say in operations. For example, the introduction of Active Directory enumeration within DarkSide ransomware could be intended to remove the dependency on the technical expertise of affiliates. These shifts signal a potential migration back to the early days of ransomware, with less-skilled operators increasing in demand using the expertise encoded by the ransomware developers.
Will this work? Frankly, it will be challenging to replicate the technical expertise of a skilled penetration tester, and maybe – just maybe – the impact will not be as severe as recent cases.
The post Who Will Bend the Knee in RaaS Game of Thrones in 2022? appeared first on McAfee Blog.
It’s little surprise that a digital currency scam based on the popular Squid Games series on Netflix is making the news.
If you haven’t caught wind of it yet, the story goes along the following lines:
Note that this Squid Game cryptocurrency had no relationship to the show or to Netflix, aside from hijacking the Squid Game name without permission so that the scammers could use it as bait.
Scams such as this are nothing new. Earlier this year, an “initial coin offering” (ICO) called Mando turned out to be a scam as well. Based on Disney’s popular Star Wars series, The Mandalorian, the scammers used the name and the Star Wars-themed imagery around it without permission. Then, just as suddenly they used the popular name to drum up investments in the ICO, the scammers disappeared with the money they garnered from the “pre-sale” of the bogus Mando cryptocurrency.
With all the fervor around cryptocurrencies, scams associated with them are on the rise and have been for some time. A study published by Investopedia found that 80% of cryptocurrencies are scams and that only 8% of cryptocurrencies make their way onto legitimate trading exchanges.
In the case of the Squid Game cryptocurrency, there were several apparent signs that it was bogus to begin with. Reports call out the fact that the currency was not available for purchase on mainstream platforms. Instead, investors could only purchase the cryptocurrency on a platform that doesn’t guarantee the transactions made upon it. Further, investors could only buy the currency, not sell it, effectively locking them in.
Other indications were found in the accompanying website and technical white paper, which were laden with spelling and grammatical errors, along with apparently unsubstantiated claims. In all, red flags such as those are very similar to the ones associated with phishing attacks—where scammers co-opt the identities of well-known brands and organizations in bogus emails and websites, albeit in an often-clumsy fashion. Errors like those are often a telltale sign that something sketchy is afoot.
1. Working with an accredited financial adviser is always a sound step with any investment you choose to make, as is only investing funds you can afford to lose if the investment falls through.
2. Steer clear of cryptocurrency investments that ask you to contribute money directly from one of your own accounts rather than via a reliable platform that is verified.
3. Consider dependable cryptocurrencies such as Bitcoin, Ethereum, and Litecoin—of course recognizing that even legitimate cryptocurrencies can be highly volatile investments.
4. Regard any cryptocurrency based on a pop culture reference like movies, memes, and shows with a highly critical eye. It may very well be a scam built around buzz rather than an earnest attempt at launching a legitimate cryptocurrency, such as it was with the Squid Game scam.
Just as Netflix’s Squid Game is one in a long string of hit shows that’ll capture our attention, we can count on a similarly long string of cryptocurrency scams to continue. In this case, the Squid Game cryptocurrency scam was rigged from the start, despite the warning signs. After all, an investment people can only buy into but never sell is scam, plain and simple.
The post Squid Game Cryptocurrency Scam appeared first on McAfee Blog.
Apache server version 2.4.50 (CVE-2021-42013)
Regardless of the origins, you’ve arrived at Advanced Threat Research team’s monthly bug digest – an overview of what we believe to be the most noteworthy vulnerabilities over the last month. We don’t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact. If you don’t agree with these picks, we encourage you to write a strongly worded letter to your local senator. In lieu of that, we present our top CVEs from the last month.
What is it?
2 CVES / 1 Vuln – It appears Apache struggled a bit with this latest critical vulnerability, where it took two tries to fix a basic path traversal bug, which was introduced while patching last month’s SSRF mod_proxy vulnerability. As path traversal bugs do, this allows unauthorized users to access files outside the expected document root on the web server. But wait, there’s more! This can lead to remote code execution provided mod-cgi is enabled on the server.
Who cares?
A quick Shodan scan told me there are at least 111,000 server admins that should care! With Apache being the second largest market share holder of implemented webservers, there is a good chance your organization is using it somewhere. It’s always important to consider both internal and external facing assets when looking at your exposure. Apache is even commonly used as an embedded webserver to other applications and should be reviewed for use in any installed 3rd party applications. Oh yeah – and if you overlook an instance you have installed somewhere, this IS currently being actively exploited in the wild – no pressure.
What can I do?
Oh! I know, use Microsoft IIS! If you’re not ready to completely abandon your webserver implementation, I suggest updating to Apache 2.4.51. Remember to avoid version 2.4.50 as it does not patch both vulnerabilities. If you have been an astute system admin and followed the Apache documentation using the default and pretty darn secure “require all denied” directive for all files outside the document root, kudos to you! Although patching is still highly recommended, you are not immediately vulnerable.
The Gold Standard
We recognize in some special cases patching is harder than compiling gcc from source, so McAfee Enterprise has you covered; we have been detecting path traversal attacks in our Network Security Platform (NSP) like it was going out of style since 1990 (and it was).
What is it?
Ain’t nothin’ free anymore! Except kernel module addresses on your Windows machines, thanks to Microsoft Windows CVE-2021-40449. This vulnerability is a use-after-free in the NtGdiResetDC function of the Win32k driver and can lead to attackers being able to locally elevate their privileges.
Who cares?
Are you currently reading this from a Microsoft Windows machine? Using Microsoft Server edition in your cloud? Local attacks are often given lower priority or downplayed. However, it is important to recognize that phishing attacks are still highly successfully as an initial point of entry, facilitating a need for privilege escalation bugs to obtain higher level access. So, unless you are a hardcore Linux and Mac-only shop, you may want to patch since this is actively being exploited by cybercriminals, according to our friends at Kaspersky.
What can I do?
That boring Microsoft patch Tuesday thing still works, or you could just use a superior operating system like FreeBSD.
The Gold Standard
Have you checked out the latest version of McAfee Enterprise ENS lately? Detecting exploitation and cybercriminal activity is sort of its thing, assuming you have grabbed the latest signatures.
What is it?
An integer overflow vulnerability in the iOS “IOMobileFrameBuffer” component can allow an application to execute arbitrary code with kernel privileges. This has additionally been confirmed to be accessible from the browser.
Who cares?
Since Apple still reportedly holds 53% market share of all smartphone users, statistically speaking your organization should care too. It only takes one bad apple to hack your entire network, and with reported active exploitation in the wild it might happen sooner than you think.
What can I do?
You should be sensing a common theme in this section – and, in this case, you actually can take action! Stop reading this, plug that mobile device into a power source, and install the latest version of Apple iOS.
The Gold Standard
Since you stopped reading and updated already, congrats!
The post The Bug Report – October Edition appeared first on McAfee Blog.
The holidays are almost here! That means it’s time to start making your list and checking it twice. To help prepare you for this year’s holiday shopping spree, McAfee is providing you with the ultimate holiday shopping list for every Tech lover in your family. Here are the devices to keep on your radar this holiday shopping season and what you should use to protect them.
Know someone who enjoys vanquishing aliens, building virtual amusement parks, and online battle royale? There’s a good chance that you do, as online gaming traffic increased 30% from the first to the second quarter of 2020. For the gaming guru in your life, consider gifting them a top-of-the-line gaming laptop so, they don’t have to compromise portability for playability. If they prefer to play in the comfort of their own home, consider giving the gamer in your life a snazzy new gaming monitor. This will allow them to enjoy a crystal-clear resolution, rapid refresh rate, and size to bring their virtual world to life. And to truly immerse your gamer in a new realm, gift them a new gaming console so they can enjoy optimal speed and stellar game lineups.
When shopping for your gamer, consider how you can empower them to stay secure while they play. A security solution like McAfee Gamer Security not only delivers a faster, quieter, and safer experience, but it can also boost a rig’s performance. This antivirus software detects threats through the cloud and optimizes resources to minimize frame drops. Gamers can even customize which games to boost (or even add other apps they’d like to boost), which background services to pause, and more. This improves your gamer’s experience and also keeps them safe while they play.
Does your tech-savvy teen love to browse on the go? Or perhaps you have a college student who likes to bring their online studying and video streaming with them beyond the home. For the mobile mastermind in your family, gift them a new smartphone or tablet this holiday season. These devices will allow your loved ones to access all their favorite apps and surf the web anytime, anywhere.
With the World Wide Web constantly at their fingertips, enable your family members to surf the internet with confidence by employing the help of a safe browsing solution like McAfee WebAdvisor. This trusty companion, available for free and included in the McAfee Total Protection app for iOS and Android, helps keep users safe from threats like malware and phishing attempts. Web Advisor blocks malicious sites, scans downloads, and alerts the user if a known threat is detected. With comprehensive security on their side, your mobile user will be free to search, stream, and download on the go.
The number of smart households (households that contain connected technology and can interact with other IoT devices) in the U.S. is expected to grow to 77.05 million by 2025. That may not come as a surprise, since IoT devices have upped the convenience of tech users’ lives everywhere. Perhaps your spouse or parents love filling their home with the latest and greatest smart home gadgets. This holiday season, give them the gift of convenience with a smart TV, speaker, thermostat, kitchen appliances, a personal home assistant – the list of smart home devices goes on!
While these devices can provide greater efficiency to anyone’s life, it’s important to be aware of the potential risks that come with this level of interconnectivity. Many product designers treat security as an afterthought, rushing to get their smart devices to market and consequentially creating an easy access point for criminals to exploit. But fear not! A solution like McAfee Secure Home Platform can automatically secure connected devices through a router with McAfee protection. It can hide your IoT devices from hackers, giving you the confidence that you have a solid line of defense against online threats.
For the Fitness Fanatic
At the onset of the pandemic, people adjusted their workout routines to accommodate for gym closures and began to rely on other solutions to stay fit. In fact, many turned to IoT devices used for virtual fitness, including wearable fitness trackers and stationary machines equipped with digital interfaces. Sound like someone you know? Consider giving them a stylish new or upgraded smartwatch that allows them to track their daily step count, heart rate, and sleep patterns.
While these devices can be instrumental in tracking users’ activity levels, it’s important to remember that wearable gadgets collect valuable health and location data a criminal could exploit. To keep your fitness fanatic happy and healthy without sweating their security, encourage them to install software updates immediately. This will protect your loved one’s device from reported bugs, enhance functionality, and seal up any security loopholes.
As you plan your holiday shopping list this year, don’t forget about the gift that keeps on giving: the peace of mind that comes with having the right online security! With comprehensive solutions built to safeguard your loved one’s devices, personal data, and everything they do online, they can continue to live their digital lives with confidence.
The post The Ultimate Holiday Shopping Guide appeared first on McAfee Blog.
It’s safe to say that many Americans are obsessed with Squid Game. According to Business Insider, the Korean drama series has driven the newest engagers to a Netflix title of any Netflix series over the last three years. And while word-of-mouth buzz has played a big part in the show’s success, TV watchers aren’t the only ones taking note. Cybercriminals are also formulating ways to profit off the show’s popularity. According to the New York Post, a malicious app based on Squid Game was recently found on the Google Play Store, infecting users’ devices with malware.
The app in question, called “Squid Game Wallpaper 4K HD,” was one of the 200 Squid Game-related apps on the Google Play Store. This particular app masqueraded as a place to download cool Squid Game backgrounds for Android devices. However, once a user downloaded the app, it infected their smartphone with a strain of Joker malware. Joker malware is a type of billing fraud malware that usually disguises itself as a messenger, photo editor, camera, or in this case, wallpaper apps.
You may wonder how an app like this even ends up on a legitimate app purchasing store. In order to bypass Google Play’s app review process, Joker malware hides its malicious payload during the review process. This means that when the app is published in the Google Play Store, there’s no sign of malware. It’s only when a user installs the app that the malware downloads the malicious payload. Once the malware successfully installs itself, it secretly signs the user up for premium subscriptions, intercepts all their SMS messages, and can upload all their contacts to the malware operators.
The “Squid Game Wallpaper 4K HD” app received 5,000 downloads before it was removed from the Google Play Store. It’s likely that cybercriminals will continue to use the show’s popularity to exploit its fans and make a profit, whether that be through malicious apps disguised as a place where viewers can watch the show or fraudulent websites selling Squid Game merchandise. But fear not! There are steps you can take to help ensure that you steer clear of malware:
Unlike Google Play and Apple’s App Store, which have measures in place to review and vet apps to help ensure that they are safe, third-party sites may not have that process in place. In fact, some third-party sites may intentionally host malicious apps as part of a broader scam. However, cybercriminals have found ways to work around Google and Apple’s review process (such as with “Squid Game Wallpaper 4K HD”), but the chances of downloading a safe app from these stores are far greater than anywhere else. Additionally, Google and Apple are quick to remove malicious apps once discovered.
Before you download a new app, do some quick research. Check out the developer. Have they published several other apps with many downloads and good reviews? A legit app typically has several reviews, whereas malicious apps may have only a handful of fake five-star reviews. Lastly, look for typos and grammatical errors in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.
Certain types of malware strains operate stealthily behind the scenes, commandeering login credentials or banking information right under a user’s nose. Check your accounts every so often and if you notice any suspicious activity, report it and change your passwords. You can also use ID monitoring tools, which will notify you of uncharacteristic changes or actions.
Just like you secure your computers and laptops, it’s important to secure the minicomputer in your pocket—your smartphone! For the strongest protection, use comprehensive security software that shields your device from malware and risky websites, links, and files. With a few key steps, you can boost your confidence in the safety of your devices and personal information and enjoy your favorite binge-worthy shows to the fullest!
The post Squid Game App or Mobile Malware in Disguise? appeared first on McAfee Blog.
McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into the continuingly aggressive role Nation States will play in 2022.
By Raj Samani
We love our social media. From beefs between popstars and professional pundits, to an open channel to the best jobs in the industry.
But guess what?
The threat actors know this, and our appetite toward accepting connections from people we have never met are all part of our relentless pursuit of the next 1,000 followers.
A result of this has seen the targeting of executives with promises of job offers from specific threat groups; and why not? After all, it is the most efficient method to bypass traditional security controls and directly communicate with targets at companies that are of interest to threat groups. Equally, direct messages have been used by groups to take control over influencer accounts to promote messaging of their own.
While this approach is not new, it is nearly as ubiquitous as alternate channels. After all, it does demand a level of research to “hook” the target into interactions and establishing fake profiles are more work than simply finding an open relay somewhere on the internet. That being said, targeting individuals has proven a very successful channel, and we predict the use of this vector could grow not only through espionage groups, but other threat actors looking to infiltrate organizations for their own criminal gain.
Potential Impacts & Implications
The potential impacts and implications for an executive or company that had their social media channels targeted by threat actors are endless. We began to see some nation state groups using platforms like LinkedIn to target executives, more specifically targeting the defense and aerospace industry. For years we’ve been accepting connections on LinkedIn to expand our network and threat actors are using this to their advantage with job adverts. Threat actors will find the executive they want to target in the company they want to go after and develop profiles that look like legitimate recruiters. By getting an executive on the hook, they could potentially convince them to download a job spec that is malware. These types of espionage campaigns can be carried out by other social networks as well, including Twitter, Instagram, Reddit, etc.
Techniques & Tactics
In the past, fake social profiles were relatively easy to spot, however in the case of DPRK, the cybercriminals spent time to setting up a profile, get hooked up into the infosec scene, gain followers and connections through LinkedIn, making it more difficult than before to detect a fraudulent account. When threat actors weaponize social media, they use techniques and tactics you see in the legitimate world. They diligently do their research into what types of jobs would be of interest to you and share an offer that will require you to open a document and trick you to carry out some type of action that will have you download malicious content onto your device.
Who Can Regulate?
We live in a world where we are governed by rules, territories, and jurisdictions; to hold a threat actor accountable, we would need digital evidence. We need to use regulations for digital investigations, and the bad guys don’t. While in territories where there isn’t an extradition treaty, threat actors can continue their malicious behaviors without any consequences. Unfortunately, cybercrime has nonrepudiation and threat actors can deny all knowledge and get away with it.
Prevention
Cybercrime will always be an issue and we need to be more aware of what threat actors are doing and what they’re after. It’s important to understand the threat and what is happening. At McAfee Enterprise and FireEye we work to track malicious actors and integrate intelligence into our products and make content available for CISO, CEO etc. to know what to do and what to look for in the event they are targeted.
By Christiaan Beek
With a focus on strategic intelligence, our team is not only monitoring activity, but also investigating and monitoring open-source-intelligence from a diversity of sources to gain more insights into threat-activities around the globe – and these include an increase in the blending of cybercrime and nation-state operations.
In many cases, a start-up company is formed, and a web of front companies or existing “technology” companies are involved in operations that are directed and controlled by the countries’ intelligence ministries.
In May 2021 for example, the U.S. government charged four Chinese nationals who were working for state-owned front companies. The front-companies facilitated hackers to create malware, attack targets of interest to gain business intelligence, trade-secrets, and information about sensitive technologies.
Not only China but also other nations such as Russia, North Korea, and Iran have applied these tactics. Hire hackers for operations, do not ask questions about their other operations if they do not harm the interests of their own country.
Where in the past specific malware families were tied to nation-state groups, the blurring starts to happen when hackers are hired to write code and conduct these operations.
The initial breach with tactics and tools could be similar as “regular” cybercrime operations, however it is important to monitor what is happening next and act fast. With the predicted increase of blurring between cybercrime and nation-state actors in 2022, companies should audit their visibility and learn from tactics and operations conducted by actors targeting their sector.
Potential Impacts & Implications
With more tools at their disposal, nation state actors are reshaping the cyberthreat landscape leaving destruction and disrupted operations in their wake. There have been many accusations of “spying” which poses as a major threat to economic and national security. The main aim of these attacks is to obtain intellectual property or business intelligence. We are seeing nation states devoting a significant number of resources, time and energy toward achieving strategic cyber advantages, resulting in the implications of divulging national interests, intelligence-gathering capabilities, and military strength through espionage, disruption and theft.
Techniques & Tactics
In May 2021 incident where four Chinese nationals were charged in a global hacking campaign; the indictment stated the threat actors used a front company to hide the Chinese government’s role in the information theft. We anticipate nation states will continue to team up with cybercriminals and create front companies to hide involvement and gain access to private information, military tactics, trade secrets and more. Adversaries will leverage techniques like phishing, known vulnerabilities, malware, crimeware and more to attain their goal.
On the blending of cybercrime/nation-state; understanding the functionalities of malware becomes more important than ever. Let me give an example, when you get a Trickbot infection, a part of the code will steal credentials, they could be sold to a ransomware crew with a possible ransomware attack as result, a complete cybercrime operation. But what if the Trickbot infection was ordered by a Nation State, the credentials are used for a long time operation; started as a crime, ends as a long APT.
Who Can Regulate?
It’s important for governments to hold actors accountable for cyber incidents. Government entities and researchers can likely assist public and private sector organizations in navigating this new cyber landscape by developing standards and/or template processes to drive cyber defense and maintaining operational resiliency.
Prevention
A threat actor’s goal is to gain access to data they can sell, leverage for ransom, or gain critical knowledge so it is important to properly encrypt critical data, rendering it unusable to unauthorized users. You should also maintain regular, offline backups and have an incident response plan ready. Maintaining and testing offline backups can similarly mitigate the impact of destructive malware.
Explore a preview of the only proactive solution to stay ahead of emerging threats.
The post Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022 appeared first on McAfee Blog.
What do social media companies really know about you? It’s a fair question. And the quick answer is this: the more you use social media, the more those companies likely know.
The moment you examine the question more closely, the answer takes on greater depth. Consider how much we use social media for things other than connecting with friends. While that was the original intent behind social networks, the role of social media has since evolved into something far more expansive. We use it to get our news, stay up to date on when artists will drop a new release, and sometimes reach out for customer service on a company’s social media page. In some cases, we use our social media accounts to log into other sites and apps or we even make payments through social media.
Taken together, all of those likes, taps, clicks, links, and time spent reading or watching videos can add up and paint a detailed picture of who you are.
Why are they collecting all this information? Largely, it’s for two reasons:
1. To make improvements to their platform, by better understanding your behavior and ways you like to use their service.
2. To create an exacting user profile that advertisers can use for targeting ads that they think will interest you.
That’s the exchange in play here. You use the company’s social media service for free, and in return, they gain rights to gather specific information about you, which you consent to by agreeing to their terms of service.
Let’s get into the details of what social media companies may collect and know about you—along with ways you can limit the data and information they gather.
Different social media platforms have different user agreements that cover what types of information they collect and use. For starters, we’ll speak broadly about social media companies in general, and then we’ll weave in a few specific examples along the way. Generally, they may know:
We collect information about how you use our Products, such as the types of content you view or engage with; the features you use; the actions you take; the people or accounts you interact with; and the time, frequency and duration of your activities.
When you communicate with others by sending or receiving Direct Messages, we will store and process your communications and information related to them. This includes link scanning for malicious content, link shortening to http://t.co URLs, detection of spam, abuse and prohibited images, and use of reported issues. We also use information about whom you have communicated with and when (but not the content of those communications) to better understand the use of our services, to protect the safety and integrity of our platform, and to show more relevant content.
If you use our Products for purchases or other financial transactions (such as when you make a purchase in a game or make a donation), we collect information about the purchase or transaction. This includes payment information, such as your credit or debit card number and other card information; other account and authentication information; and billing, shipping and contact details.
By the way, none of this is secret. What I’ve listed here can be found by simply reading the terms of use posted by various social media companies. Note that these terms of use can and do change. Checking up on them regularly will help you understand what is being collected and how it may be used.
This nearly goes without saying, yet another layer of data and information collection comes by way of the pictures and updates you post. Per Instagram (as of October 2021):
We collect the content, communications and other information you provide when you use our Products, including when you sign up for an account, create or share content, and message or communicate with others. This can include information in or about the content you provide (like metadata), such as the location of a photo or the date a file was created.
Another consideration is how the content you interact with on other sites may be shared with social media companies in return. Some social media companies partner with other third parties to gather this data, which is used to round out your user profile in yet more detail. That information can include purchases you made, how often you visited that third party’s site, and so on.
In the case of Facebook, they refer to this as “Off-Facebook Activity.” In their words:
Off-Facebook activity includes information that businesses and organizations share with us about your interactions with them. Interactions are things like visiting their website or logging into their app with Facebook. Off-Facebook activity does not include customer lists that businesses use to show a unique group of customers relevant ads.
The good news here is that you can take control of the Off-Facebook Activity setting with a few clicks.
No doubt about it, the content you create and interact with, both on the social media sites and sometimes off of them as well, can generate information about you that’s collected by social media companies.
Short of deleting your accounts altogether, there are several things you can do to take control and limit the amount of information you share.
For example, you can visit your Facebook Settings, Instagram Settings, and Twitter Settings, which each gives you options for managing your information—or download it and even delete it from their platform outright if you wish. (Note that this will likely only delete data associated with your account. Content you posted or shared with other people on their accounts will remain.)
As noted above, this isn’t an absolute fix because social media companies can infer your location other ways. Yet taking this step gives them one less piece of exacting information about you.
Each platform will have its own settings and options, so give them a look. Here, you can determine which information advertisers are allowed to use to serve up ads to you, set rules for facial recognition, enable or disable location history, and much more. If possible, do this from your computer or laptop rather than your smartphone. Often, the account controls that you can access from a computer browser are far more comprehensive than the ones in a mobile app.
Using direct messaging on social media platforms may tell social media companies even more about you and who you interact with. When possible, think about using text messaging instead or other means of communication that aren’t tied to a social media company.
Some apps and sites will allow you to use your social media login instead of creating a new one. While convenient, this can provide the social media company with more information about you. Additionally, if your social media account is compromised, it could compromise the other accounts that are tied to it as well. Check your settings and look for “Apps and Websites” to see what’s connected to your social media account, what’s being shared, and how you can disable it.
Protection like ours will include a VPN, which anonymizes your online activity and thus may shield you from certain types of information collection, such as your location. Additionally, using online protection software is simply a good move because it can create and store strong, unique passwords for you, steer you clear of risky sites, protect your identity, and make your time online safer overall.
The very nature of social media is sharing and exchanging. That’s the draw it has—the way it keeps us connected to the people, pastimes, and things we care about. Yet that exchange runs deeper. In return for using these free services, social media companies collect information on us which they use to improve their platforms and generate revenue. It’s all there for you to see in the various terms of use associated with your social media accounts. In short, using social media means sharing information about yourself with social media companies.
Yet you can do several things to reduce the amount of information that social media companies know about you. By spending some time on the account and privacy settings for each of your social media accounts, you can determine what information you’re providing to them and get a much better sense of what social media companies know about you.
The post What Do Social Media Companies Know About You? appeared first on McAfee Blog.
What cyber security threats should enterprises look out for in 2022?
Ransomware, nation states, social media and the shifting reliance on a remote workforce made headlines in 2021. Bad actors will learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns wielding the potential to wreak more havoc in all our lives.
Skilled engineers and security architects from McAfee Enterprise and FireEye offer a preview of how the threatscape might look in 2022 and how these new or evolving threats could potentially impact the security of enterprises, countries, and civilians.
“Over this past year, we have seen cybercriminals get smarter and quicker at retooling their tactics to follow new bad actor schemes – from ransomware to nation states – and we don’t anticipate that changing in 2022,” said Raj Samani, fellow and chief scientist of the combined company. “With the evolving threat landscape and continued impact of the global pandemic, it is crucial that enterprises stay aware of the cybersecurity trends so that they can be proactive and actionable in protecting their information.”
Nation States will weaponize social media to target more enterprise professionals
By Raj Samani
We love our social media. From beefs between popstars and professional pundits, to an open channel to the best jobs in the industry.
But guess what?
The threat actors know this, and our appetite toward accepting connections from people we have never met are all part of our relentless pursuit of the next 1,000 followers.
A result of this has seen the targeting of executives with promises of job offers from specific threat groups; and why not? After all, it is the most efficient method to bypass traditional security controls and directly communicate with targets at companies that are of interest to threat groups. Equally, direct messages have been used by groups to take control over influencer accounts to promote messaging of their own.
While this approach is not new, it is nearly as ubiquitous as alternate channels. After all, it does demand a level of research to “hook” the target into interactions and establishing fake profiles are more work than simply finding an open relay somewhere on the internet. That being said, targeting individuals has proven a very successful channel, and we predict the use of this vector could grow not only through espionage groups, but other threat actors looking to infiltrate organizations for their own criminal gain.
Nation states will increase their offensive operations by leveraging cybercriminals
By Christiaan Beek
With a focus on strategic intelligence, our team is not only monitoring activity, but also investigating and monitoring open-source-intelligence from a diversity of sources to gain more insights into threat-activities around the globe – and these include an increase in the blending of cybercrime and nation-state operations.
In many cases, a start-up company is formed, and a web of front companies or existing “technology” companies are involved in operations that are directed and controlled by the countries’ intelligence ministries.
In May 2021 for example, the U.S. government charged four Chinese nationals who were working for state-owned front companies. The front-companies facilitated hackers to create malware, attack targets of interest to gain business intelligence, trade-secrets, and information about sensitive technologies.
Not only China but also other nations such as Russia, North Korea, and Iran have applied these tactics. Hire hackers for operations, do not ask questions about their other operations if they do not harm the interests of their own country.
Where in the past specific malware families were tied to nation-state groups, the blurring starts to happen when hackers are hired to write code and conduct these operations.
The initial breach with tactics and tools could be similar as “regular” cybercrime operations, however it is important to monitor what is happening next and act fast. With the predicted increase of blurring between cybercrime and nation-state actors in 2022, companies should audit their visibility and learn from tactics and operations conducted by actors targeting their sector.
Self-reliant cybercrime groups will shift the balance of power within the RaaS eco-kingdom
By John Fokker
For several years, ransomware attacks have dominated the headlines as arguably the most impactful cyber threats. The Ransomware-as-a-Service (RaaS) model at the time opened the cybercrime career path to lesser skilled criminals which eventually led to more breaches and higher criminal profits.
For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals, eventually with a mind of their own.
In a response to the Colonial Pipeline attack, the popular cybercrime forums have banned ransomware actors from advertising. Now, the RaaS groups no longer have a third-party platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.
These events undermine their trusted position. Ransomware has generated billions of dollars in recent years and it’s only a matter of time before some individuals who believe they aren’t getting their fair share become unhappy.
The first signs of this happening are already visible as described in our blog on the Groove Gang, a cyber-criminal gang that branched off from classic RaaS to specialize in computer network exploitation (CNE), exfiltrate sensitive data and, if lucrative, partner with a ransomware team to encrypt the organization’s network.
In 2022, expect more self-reliant cybercrime groups to rise and shift the balance of power within the RaaS eco-climate from those who control the ransomware to those who control the victim’s networks.
Less-skilled operators won’t have to bend the knee in RaaS model power shift
By Raj Samani
The Ransomware-as-a-Service eco system has evolved with the use of affiliates, the middlemen and women that work with the developers for a share of the profits. While this structure was honed during the growth of GandCrab, we are witnessing potential chasms in what is becoming a not-so-perfect union.
Historically, the ransomware developers, held the cards, thanks to their ability to selectively determine the affiliates in their operations, even holding “job interviews” to establish technical expertise. As more ransomware players have entered the market, we suspect that the most talented affiliates are now able to auction their services for a bigger part of the profits, and maybe demand a broader say in operations. For example, the introduction of Active Directory enumeration within DarkSide ransomware could be intended to remove the dependency on the technical expertise of affiliates. These shifts signal a potential migration back to the early days of ransomware, with less-skilled operators increasing in demand using the expertise encoded by the ransomware developers.
Will this work? Frankly, it will be challenging to replicate the technical expertise of a skilled penetration tester, and maybe – just maybe – the impact will not be as severe as recent cases.
5G and IoT traffic between API services and apps will make them increasingly lucrative targets
By Arnab Roy
Threat actors pay attention to enterprise statistics and trends, identifying services and applications offering increased risk potential. Cloud applications, irrespective of their flavor (SaaS, PaaS, or IaaS), have transformed how APIs are designed, consumed, and leveraged by software developers, be it a B2B scenario or B2C scenario. The reach and popularity of some of these cloud applications, as well as, the treasure trove of business-critical data and capabilities that typically lie behind these APIs, make them a lucrative target for threat actors. The connected nature of APIs potentially also introduces additional risks to businesses as they become an entry vector for wider supply chain attacks.
The following are some of the key risks that we see evolving in the future:
1. Misconfiguration of APIs
2. Exploitation of modern authentication mechanisms
3. Evolution of traditional malware attacks to use more of the cloud APIs
4. Potential misuse of the APIs to launch attacks on enterprise data
5. The usage of APIs for software-defined infrastructure also means potential misuse.
For developers, developing an effective threat model for their APIs and having a Zero Trust access control mechanism should be a priority alongside effective security logging and telemetry for better incident response and detection of malicious misuse.
Expanded exploitation of containers will lead to endpoint resource takeovers
By Mo Cashman
Containers have become the de facto platform of modern cloud applications. Organizations see benefits such as portability, efficiency and speed which can decrease time to deploy and manage applications that power innovation for the business. However, the accelerated use of containers increases the attack surface for an organization. Which techniques should you look out for, and which container risk groups will be targeted? Exploitation of public-facing applications (MITRE T1190) is a technique often used by APT and Ransomware groups. The Cloud Security Alliance (CSA) identified multiple container risk groups including Image, Orchestrator, Registry, Container, Host OS and Hardware.
The following are some of the key risks groups we anticipate will be targeted for expanded exploitation in the future:
1. Orchestrator Risks: Increasing attacks on the orchestration layer, such as Kubernetes and associated API mainly driven by misconfigurations.
2. Image or Registry Risk: Increasing use of malicious or backdoored images through insufficient vulnerability checks.
3. Container Risks: Increasing attacks targeting vulnerable applications.
Expanded exploitation of the above vulnerabilities in 2022 could lead to endpoint resource hijacking through crypto-mining malware, spinning up other resources, data theft, attacker persistence, and container-escape to host systems.
The time to repurpose vulnerabilities into working exploits will be measured in hours and there’s nothing you can do about it… except patch
By Fred House
2021 is already being touted as one of the worst years on record with respect to the volume of zero-day vulnerabilities exploited in the wild. The scope of these exploitations, the diversity of targeted applications, and ultimately the consequences to organizations were all notable. As we look to 2022, we expect these factors to drive an increase in the speed at which organizations respond.
When we first learned in 2020 that roughly 17,000 SolarWinds customers were compromised and an estimated 40 were subsequently targeted, many reacted in shock at the pure scope of the compromise. Unfortunately, 2021 brought its own notable increase in volume along with uninspiring response times by organizations. Case in point: two weeks after Microsoft patched ProxyLogon they reported that 30K Exchange servers were still vulnerable (less conservative estimates had the number at 60K).
ProxyShell later arrived as Exchange’s second major event of the year. In August, a Blackhat presentation detailing Exchange Server vulnerabilities was followed the next day by the release of an exploit POC, all of which had been patched by Microsoft months earlier in April/May. This analysis of data captured by Shodan one week after the exploit POC was released concluded that over 30K Exchange servers were still vulnerable, noting that the data may have underrepresented the full scope (i.e., Shodan hadn’t had time to scan the full Internet). In summary: patched in the Spring, exploited in the Fall.
So, what can we take away from all of this? Well, attackers and security researchers alike will continue to hone their craft until weaponized exploits and POCs are expected within hours of vulnerability disclosure. In turn however, and largely driven by the increased consequences of compromise, we can also expect renewed diligence around asset and patch management. From identifying public facing assets to quickly deploying patches despite potential business disruption, companies will have a renewed focus on reducing their “time to patch.” While we will inevitably continue to see high-impact exploitations, the scope of these exploitations will be reduced as more organizations get back to the basics.
The post McAfee Enterprise & FireEye 2022 Threat Predictions appeared first on McAfee Blog.
It’s October, and at McAfee we love celebrating spooky season. As McAfee’s Chief Technology Officer, I’m also excited that it’s Cyber Security Awareness Month. And while there are no fun-size candy bars, we do talk about some truly bone-chilling stuff when it comes to cyber safety. So gather round, as I tell you all about one of the scariest threats online, ransomware.
Ransomware is a form of extortion that happens when cyber criminals demand payment. Recently some high-profile companies have been in the news as victims of major ransomware attacks. However, ransomware also impacts individuals, just like you and me. In the individual’s case, a cybercriminal may demand payment to restore access to your device or data or even to prevent them from dumping sensitive or embarrassing information onto the internet. McAfee defends consumers from tens of thousands of ransomware attacks every month.
If the worst should happen, take a deep breath and don’t panic. Calmly assessing the situation now can save you a lot of stress later. Ask yourself:
Now that you’ve assessed the situation, we can do something about it.
If you can afford to lose your data, and the personal impact is minimal, we always recommend you don’t pay the criminal. There’s no guarantee that if you pay the ransom, you’ll get your data back, and ultimately, you’re incentivizing the cybercriminal to do it again. The best defense against ransomware is to have great cybersecurity habits that prevent the attack from occurring in the first place.
So, whether you’re enjoying some creepy lawn decorations, or just surfing the web, remember to stay safe out there this Halloween.
The post Staying Cyber Aware and Safer from Ransomware appeared first on McAfee Blog.
Cybersecurity detection is a criminal investigation. Cybercrime investigators are experts who are in limited supply. Sometimes their hunt begins while an intrusion is in process, but more often than not, it occurs after the attack when a crime has occurred. The investigation is taunting and less glamorous, realizing that it can take an average of 228 days even to identify the breach[i].
At that point, you’re looking to find out what your adversaries have seen or stolen, you want to plug the holes that enabled the hack and kick out or remove the adversary completely. Figure on an average of 80 days to resolve and contain a breach. Meanwhile, your adversary spends the epic dwell time in your environment to monitor your traffic and behavior before determining their next move.
Do the math on that exercise and, unless you have generous funding, you may conclude that your resources stretch further by focusing on prevention rather than detection. While eliminating detection may not be practical, you can at least realign your spending and shore up your prevention efforts with enhanced actionable information.
Several things have happened to make this shift possible. First, detection is now often automated and highly productive. Second, advance warning is better than ever. You can apply predictive analytics to leverage in-depth threat intelligence sources to produce real-time, automated assessments of your security posture risks from device to cloud.
Making the shift from detection to prevention didn’t happen overnight for the Service public de Wallonie (SPW), the public administration arm of the French-speaking regional government of Wallonia in Belgium. SPW’s endpoint security team oversees 9,000 desktops, 1,300 servers, and 1,000 applications used by more than 8,000 employees.
When SPW implemented MVISION Insights, the security team sought to identify potential threats lurking outside the agency’s perimeter. Using data gathered from one billion sensors globally that have been distilled and analyzed by artificial intelligence and human experts, MVISION Insights provides comprehensive risk intelligence filtered for a specific industry and geography. It helps SPW’s security team to prioritize which threats and campaigns are most likely to target them.
Before making this shift, SPW’s team regularly spent hours checking out various security sites, lab reports, and news articles to track the latest threat campaigns. After deploying MVISION Insights, the same result arrived in seconds or minutes. Now they’re engaging in more proactive threat hunting and attack prevention by tapping into predictive assessments and adjusting their posture accordingly.
Organizations such as SPW illustrate that playing both offense and defense becomes necessary to reduce time-to-detect and dwell time. Detection is difficult for several reasons, most notably the deluge of advanced persistent threats (APTs). And it’s also complicated by the cost of threat hunting talent, given the current shortage of cybersecurity expertise.
These days there’s such an overwhelming amount of security data pouring into data lakes that manually aggregating and analyzing it to make sense of anything requires a fair amount of threat expertise. Then there’s the time it takes to triage and determine the following steps to thwart an attack. By the time you’re analyzing this data, at best, you’re in a reactive state with limited visibility and understanding of your local environment.
One effective way to streamline that process is to apply the proven MITRE ATT&CK® framework, which provides an excellent knowledge base to help with threat hunting and detection. We use that framework to better inform MVISION XDR powered by MVISION Insights, for example. As we mentioned in March, we align XDR with MITRE to greatly expand the depth of our investigation, threat detection, and prevention capabilities to prevent the attack chain with relevant insights.
In our leading role in the cybersecurity community, we gather a lot of intelligence and invest considerable time curating content to ensure that what we share is timely, accurate, and valuable. This is reflected in MVISION Insights with over 1000 threat campaign profiles. If you place MVISION Insights in your environment it goes beyond threat intelligence. You also gain prioritized threat insights on a likely attack targeting you, where your gaps are and what you can do. Introducing our new Proactive Evolution series to get regular information on how to become more preventive and protective with LinkedIn Live discussions, blog posts, and other intelligence from our cybersecurity expert contributors highlighting the power of MVISION Insights.
This new Proactive Evolution Series features helpful content intended for managing or building security operations to be more effective and preventive or for a CISO who wants to stay on top of changing best practices.
Detection is often done in reaction to an attack or a looming threat. Not every organization can do both detection and prevention equally well. That’s usually because they lack dedicated or experienced threat hunters or suitable detection technologies. By shifting your efforts to a proactive prevention strategy, you’re boosting your chances to harden your systems before an attack.
Click here to access McAfee Enterprise’s new Proactive Evolution Series content.
Event Replay
Understand how the adversary is working and how you stack up against them. Together, Raj and Brett dig into how MVISION Insights helps you determine which active threat campaigns you need to worry about, if you’re a target, and what you can do.
The post Why an Ounce of Cybersecurity Prevention is Worth a Pound of Detection appeared first on McAfee Blog.
There’s a person behind every cybercrime. That’s easy to lose sight of. After all, cybercrime can feel a little anonymous, like a computer is doing the attacking instead of a person. Yet people are indeed behind these attacks, and over the years they’ve been getting organized—where cybercriminals structure and run their operations in ways that darkly mirror the workings of a real business.
Funny, the notion of hackers running an illegal business just like a regular business. But there you go. What works, apparently works. So, let’s take a closer look at how organized crime goes about its business—and get a little more insight into how we can protect ourselves in the process.
A classic notion of the cybercriminal is that of a lone hacker, donning a hoodie in a dimly lit room and chipping away at the networks and devices of a business or household. That does happen, such as in the case of the former engineer accused of. Yet increasingly, attacks are orchestrated efforts.
More and more of today’s cybercrime is a distributed, international affair that relies on several bad actors to see it through. This takes the form of organized crime groups with ringleaders located in one country and developers in others, further supported by operations, marketing, finance, and call center teams in yet other locations—just like a legitimate business, strange as it seems.
What does that look like in real life? Consider a practical example: an identity theft ring sets up a series of phony websites to hijack personal information. There’s a lot of work that goes into putting up those websites, so let’s start there and see who could be involved. From there, we can work our way up the chain of cybercrime organizations. For starters:
And that’s just for starters. There’s plenty of activity that follows once victims share their personal info on that phony site, spanning yet more business roles:
Stepping back and looking at this example, you can see how there are several distinct skillsets at play here. While small groups of hackers could pull off something similar, the most effective of these scams will have a relatively large staff in place to ensure it runs effectively. This is just one broad example, yet it does serve to remind us that sophisticated cybercrime can have a sophisticated organization behind it.
Other examples include tech support scams that run their own call support centers, corporate ransomware attacks where scammers hijack the company’s social media accounts and shame them into paying. There are yet more examples of bogus call centers, like the ones that will walk individual victims through the process of paying off a ransomware attack with cryptocurrency. Once again, quite an operation.
Back to the lone hacker in a hoodie for a moment. They’re still out there. In fact, many of them are enabled by larger cybercrime organizations. This can happen in several ways:
It’s a marketplace out there, where our data acts as a kind of currency that’s traded and sold by operators large and small.
So yes, there’s a person behind every cybercrime. And then there’s you. Along with all things you can do to stop them.
Earlier this year, I shared how McAfee now solely focuses on people. Organized cybercrime is just one of the many reasons why. While different devices may come and go in our lives, our data always follows us—the very things cybercriminals are after. It’s people who need protection. By protecting you, your identity, and your privacy, along with your devices, we protect you from threats like these, whether they stem from a small-time crook or an organized crime gang. Even lone hackers in hoodies.
To me, the solution looks something like this: you’re out there enjoying the internet without having to look over your shoulder. You’re just safe. And living your life.
So as cybercrime becomes more sophisticated, we’re becoming yet more sophisticated at McAfee. And it’s you entirely with you in mind. Online protection should come naturally and give you the confidence to go about your day—protection that is personalized, intelligent, and easier to use so that it adapts based on what you’re doing and what you need at any given moment. That’s our aim. Ease. Freedom. Particularly in a time when criminals are trying their hardest to make you their business as you go about yours.
The post Organized Cybercrime: The Big Business Behind Hacks and Attacks appeared first on McAfee Blog.
Many people are excited about Gartner’s Secure Access Service Edge (SASE) framework and the cloud-native convergence of networks and security. While originally proposed as fully unified architecture delivering network and security capabilities, the reality soon dawned that enterprise transition to a complete SASE model would be a decade long journey due to factors such as existing investments, operational silos (customer), and vendor consolidation. Consequently, Gartner introduced a new two-vendor approach to SASE that brought together a highly converged WAN Edge Infrastructure platform alongside a highly converged security platform – known as Security Service Edge (SSE).
Figure 1: SASE convergence.
SSE brings together Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA) to secure access to the web, cloud services, and private applications, resulting in reduced risk, cost and complexity. McAfee Enterprise has long been a proponent of this approach: we embarked on a project to build the industry’s best SASE security solution over three years ago, introduced our MVISION Unified Cloud Edge solution in early 2020, and have since continued to innovate and set the standard for the Security Service Edge space.
The fundamental problem that SSE sets out to solve is that enterprises must adequately secure their personnel and their data. This became increasingly difficult as digital transformation spurred widespread cloud adoption and empowered remote and mobile workers. Just a few short years ago we would talk about remote access for short periods of time due to travel, and typically for a small proportion of the workforce. Today we speak in the context of COVID-19 and a vast, permanent “Work From Anywhere” (WFA) cultural shift. Supporting this shift is an accelerated migration into the cloud, where the vast majority of workloads and applications will soon reside.
All of this has taken down the walls that formed the perimeter we relied on heavily in the past. Today our people and our data are outside of that perimeter but inside of cloud applications. Cloud applications run from many locations, sometimes around the globe. Yet our objectives must remain the same. We still must secure our people, we must secure our devices, and we must secure our data on any device, at any time, using any service.
Secure web gateways were one of the gatekeepers to the old perimeter, fundamentally appliances that existed at the border of a network. Cloud access security brokers (CASB) were fundamentally built to secure the inside of cloud services. Virtual Private Networks (VPNs) enabled you to securely interconnect offices and remote users onto a single network. Managing these technologies separately became increasingly problematic as the boundaries between networks, the web, and the cloud began to blur. Organizational policies and compliance requirements must be translated to the administrative setup of a specific vendor’s management consoles. At first pass, this results in more errors in the implementation of these policies. Maintenance is difficult as policy changes must be rolled out and implemented within multiple vendor management interfaces. And when you position these traditional technologies against the problem statement of a “perimeterless” world, they fail. The logical answer to these problems is to converge these technologies together and bring them to the cloud.
For more than 3 years, McAfee Enterprise has invested deeply into a unified policy framework. We’ve unified threat engines, data engines. We’ve built a unified user experience and unified administrative experience to deliver against that promise of cloud native security.
A closely integrated SSE infrastructure can address the management challenges of setting up policies in multiple vendor management interfaces by deeply integrating security controls to reduce overhead, complexity, and cost, while increasing performance. But looking at the competitive landscape, this has proven to be easier said than done. Many fall short with it comes to securing data within the cloud, but McAfee Enterprise’s industry-leading Multi-Vector Data Protection capabilities make it incredibly easy to keep data safe no matter where it resides, with unified data classification, policy enforcement, and incident management.
Figure 2: McAfee Enterprise Multi-Vector Data Protection.
Other vendors grew up in the cloud but fall short when it comes to connecting to the private resources all large enterprises still use today. Some vendors are attempting to build-out the entire SSE product set from scratch, perhaps as part of a larger SASE offering. Most of the functions present baseline functional capability and the considerable instability of a complex and very new product.
McAfee Enterprise has planned and executed a strategy for several years that takes MVISION Unified Cloud Edge’s complete set of SSE converged security services and then tie them closely to other highly integrated network services such as those offered by SD-WAN vendors to implement SASE. This approach enables most large enterprises the ability to leverage the majority of the technology partners they have to pull a SASE architecture together using much of the technology infrastructure they already have in place.
Figure 3: Enable secure access to web, cloud, and private apps with MVISION Unified Cloud Edge.
The increased efficiency of an integrated environment reduces the investment in administration, enhances the precision of policy enforcement, and improves the speed with which security control processes can be applied to data and activity in one single pass, improving security efficiency and efficacy. This earlier published blog demonstrates how our integration of Remote Browser Isolation (RBI) greatly improves security protection in a seamless, cost-effective manner.
Figure 4: MVISION Unified Cloud Edge threat protection stack with integrated Remote Browser Isolation.
The convergence and integration of cloud security technologies such as SWG, CASB, ZTNA, DLP, RBI and FWaaS substantially enhance operations, reduce cost, minimize errors, and enable more precise enforcement of organizational policy and management. Expenses are lower as experts in the administration and management of separate security controls are no longer required.
In conclusion, McAfee Enterprise has delivered the best and most rapid path to a comprehensive integrated SSE offering available in the market. Our Unified Cloud Edge (UCE) architecture completes that vision of unified and completely integrated policy management today. MVISION UCE is the security fabric that delivers data and threat protection to any location so you can enable fast and secure direct-to-internet access for your distributed workforce. This results in a transformation to a cloud-delivered SSE that converges with connectivity to reduce cost and complexity while increasing the speed and flexibility of your workforce.
Click here to see more about how MVISION Unified Cloud Edge can get you on the fastest route to SASE, or visit the MVISION UCE homepage to learn more and contact us to get started on your journey.
The post Realize Your SASE Vision with Security Service Edge and McAfee Enterprise appeared first on McAfee Blog.
In the hands of a thief, your Social Security Number is the master key to your identity.
With a Social Security Number (SSN), a thief can unlock everything from credit history and credit line to tax refunds and medical care. In extreme cases, thieves can use it to impersonate others. So, if you suspect your number is lost or stolen, it’s important to report identity theft to Social Security right away.
Part of what makes an SSN so powerful in identity theft is that there’s only one like it. Unlike a compromised credit card, you can’t hop on the phone and get a replacement. No question, the theft of your SSN has serious implications. If you suspect it, report it. So, let’s take a look at how it can happen and how you can report identity theft to Social Security if it does.
Yes. Sort of. The Social Security Administration can assign a new SSN in a limited number of cases. However, per the SSA, “When we assign a different Social Security number, we do not destroy the original number. We cross-refer the new number with the original number to make sure the person receives credit for all earnings under both numbers.”
In other words, your SSN is effectively forever, which means if it’s stolen, you’re still faced with clearing up any of the malicious activity associated with the theft potentially for quite some time. That’s yet another reason why the protection of your SSN deserves particular attention.
There are several ways an SSN can end up with a thief. Some involve physical theft, and others can take the digital route. To what extent are SSNs at risk? Notably, there was the Equifax breach of 2017, which exposed some 147 million SSNs. Yet just because an SSN has been potentially exposed does not mean that an identity crime has been committed with it.
So, let’s start with the basics: how do SSNs get stolen or exposed?
That’s quite the list. Broadly speaking, the examples above give good reasons for keeping your SSN as private and secure as possible. With that, it’s helpful to know that there are only a handful of situations where your SSN is required for legitimate purposes, which can help you can make decisions about how and when to give it out. The list of required cases is relatively short, such as:
You’ll notice that places like doctor’s offices and other businesses are not listed here, though they’ll often request an SSN for identification purposes. While there’s no law preventing them from asking you for that information, they may refuse to work with you if you do not provide that info. In such cases, ask what the SSN would be used for and if there is another form of identification that they can use instead. In all, your SSN is uniquely yours, so be extremely cautious in order to minimize its potential exposure to theft.
Let’s say you spot something unusual on your credit report or get a notification that someone has filed a tax return on your behalf without your knowledge. These are possible signs that your identity, if not your SSN, is in jeopardy, which means it’s time to act right away using the steps below:
File a police report and a Federal Trade Commission (FTC) Identity Theft Report. This will help in case someone uses your Social Security number to commit fraud, since it will provide a legal record of the theft. The FTC can also assist by guiding you through the identity theft recovery process as well. Their site really is an excellent resource.
Get in touch with the fraud department at each of the businesses where you suspect theft has taken place, let them know of your situation, and follow the steps they provide. With your police and FTC reports, you will already have a couple of vital pieces of information that can help you clear your name.
Check your Social Security account to see if someone has gotten a job and used your SSN for employment purposes. Reviewing earnings associated with your SSN can uncover fraudulent use. You can also contact the Social Security Fraud Hotline at (800) 269-0271 or reach out to your local SSA office for further, ongoing assistance. Likewise, contact the Internal Revenue Service at (800) 908-4490 to report the theft and help prevent someone from submitting a tax return in your name.
As we’ve talked about in some of my other blog posts, identity theft can be a long-term problem where follow-up instances of theft can crop up over time. However, there are a few steps you can take to minimize the damage and ensure it doesn’t happen again. I cover several of those steps in detail in this blog here, yet let’s take a look at a few of the top items as they relate to SSN theft:
By placing a fraud alert, you can make it harder for thieves to open accounts in your name. Place it with one of the three major credit bureaus (Experian, TransUnion, Equifax), and they will notify the other two. During the year-long fraud alert period, it will require businesses to verify your identity before issuing new credit in your name.
A full credit freeze is in place until you lift it and will prohibit creditors from pulling your credit report altogether. This can help stop thieves dead in their tracks since approving credit requires pulling a report. However, this applies to legitimate inquires, including any that you make, like opening a new loan or signing up for a credit card. If that’s the case, you’ll need to take extra steps as directed by the particular institution or lender. Unlike the fraud alert, you’ll need to notify each of the three major credit bureaus (Experian, TransUnion, Equifax) when you want the freeze lifted.
Once every 12 months, you can access a free credit report from Experian, TransUnion, and Equifax. (And as of this writing during the pandemic, this can be done for free on a weekly basis, which is great news.) Doing so will allow you to spot any future discrepancies and offer you options for correcting them.
Using a service to help protect your identity can monitor several types of personally identifiable information and alert you of potentially unauthorized use. Our own Identity Protection Service will do all this and more, like offering guided help to neutralize threats and prevent theft from happening again. You can set it up on your computers and smartphone to stay in the know, address issues immediately, and keep your identity secured.
Of all the forms of identity theft, the theft of a Social Security Number is certainly one of the most potentially painful because it can unlock so many vital aspects of your life. It’s uniquely you, even more than your name alone – at least in the eyes of creditors, banks, insurance companies, criminal records, etc. Your SSN calls for extra protection, and if you have any concerns that it may have been lost or stolen, don’t hesitate to spring into action.
The post How to Report Identity Theft to Social Security appeared first on McAfee Blog.
In a world of contact-free pickup and payments, an old hacker’s trick is getting a new look—phony QR code scams.
QR codes have been around for some time. Dating back to industrial use in the 1990s, QR codes pack high volumes of visual information in a relatively compact space. In that way, a QR code shares many similarities with a barcode, yet a QR code can hold more than 300 times the data of a barcode.
With the rise of the smartphone, QR codes have taken on more consumer applications. Especially in the latter days of the pandemic in the form of contact-free conveniences. Now, by pointing your smartphone’s camera at a QR code, you can order food at a restaurant, pay for parking, download coupons from the shelf at your drugstore or several other convenient things.
Yet as it is in places where people, devices, and money meet, hackers are there with a scam ready to go. Enter the QR code scam. By pointing your smartphone’s camera at a bogus QR code and giving it a scan, hackers can lead people to malicious websites and commit other attacks on their phones.
The good news is that there are several ways you can spot these scams, along with several other ways you can avoid them altogether, all so you can get the best out of QR code convenience without the hassle.
In several ways, the QR code scam works much like any other phishing attack. With a few added wrinkles, of course.
Classically, phishing attacks use doctored links that pose as a legitimate website in the hopes you’ll follow them to a hacker’s malicious website. Once there, that site is designed to trick you into providing your personal information, credit card numbers, and so forth, perhaps in the context of a special offer or a phony account alert. Likewise, it could send you to a site that simply infects your device with malware.
It’s much the same with a QR code, yet here’s are a couple of big differences:
Aside from appearing in emails, direct messages, in social media ads, and such, there are plenty of other places phony QR codes can show up. Here are a few that have been making the rounds in particular:
Scanning a QR code may open a notification on your smartphone screen to follow a link. Like other phishing-type scams, hackers will do their best to make that link look legitimate. They may alter a familiar company name so that it looks like it could have come from that company. Also, they may use link shorteners that take otherwise long web addresses and compress them into a short string of characters—the trick there being that you really have no way of knowing where it will send you simply by looking at it.
In this way, there’s more to using QR codes than simply “point and shoot.” A mix of caution and eagle-eyed consideration is called for to spot the legitimate uses from the malicious ones.
Luckily some very basic rules about avoiding QR code attacks. The U.S. Better Business Bureau (BBB) has put together a great list that can help. Their advice is right on the mark, which we’ve paraphrased and added to here:
1. Don’t open links or scan QR codes from strangers. Unsolicited messages with these links or codes could lead you to a scam site or access the functionality of your smartphone in unwanted ways.
2. Some scams will appear to come from legitimate sources. Double-check and see if it indeed is. You can check the official website to confirm, such as by accessing your account or contacting a customer service rep to follow up on the communication sent to you.
3. Try alternative payment methods. If you receive a bill with a QR code for payment, see if there’s another way to pay it—such as on the company’s website or simply through online bill pay to their known, legitimate address. These are less susceptible to fraud. Likewise, check to see if the requested payment is legitimate in the first place.
4. Think twice about following shortened links. As mentioned above, shortened links can be a shortcut to a malicious website. This can particularly be the case with unsolicited communications. And it can still be the case with a friend or family member if their device or account has been hacked.
5. If someone you know sends you a QR code, also confirm before scanning it. Whether you receive a text message from a friend or a message on social media from your workmate, contact that person directly before you scan the QR code to make sure they haven’t been hacked.
6. Watch out for tampering. Hackers have been known to stick their own QR codes over legitimate ones. If you see any sign of altering or placement that looks slapdash, don’t give that code a scan.
7. Install mobile security. Comprehensive online protection software can protect your mobile devices as well as your computers and laptops. In this case, it can detect bad links associated with QR codes and steer you clear of accessing the malicious sites and downloads associated with them.
QR codes have made transactions smoother and accessing helpful content on our phones much quicker, especially in recent months as they’ve seen an uptick in use. And useful as they are like other means of paying or browsing online, keep an eye open when using them. With this advice as a guide, if something doesn’t feel right, keep your smartphone in your pocket and away from that QR code.
The post Be on the Lookout for a New Wave of QR Code Scams appeared first on McAfee Blog.
Going by recent headlines you could be forgiven for thinking all ransomware operators are raking in millions of ill-gotten dollars each year from their nefarious activities.
Lurking in the shadows of every large-scale attack by organized gangs of cybercriminals, however, there can be found a multitude of smaller actors who do not have access to the latest ransomware samples, the ability to be affiliates in the post-DarkSide RaaS world or the financial clout to tool up at speed.
So what is a low-paid ransomware operator to do in such circumstances?
By getting creative and looking out for the latest malware and builder leaks they can be just as devastating to their victims and, in this blog, we will track the criminal career of one such actor as they evolve from homemade ransomware to utilizing major ransomware through the use of publicly leaked builders.
For years, the McAfee Enterprise Advanced Threat Research (ATR) team has observed the proliferation of ransomware and the birth and (apparent) death of large organized gangs of operators. The most notorious of these gangs have extorted huge sums of money from their victims, by charging for decryption of data or by holding the data itself to ransom against the threat of publication on their ‘leak’ websites.
With the income of such tactics sometimes running into the millions of dollars, such as with the Netwalker ransomware that generated 25 million USD between 1 March and 27 July 2020, we speculate that much of those ill-gotten funds are subsequently used to build and maintain arsenals of offensive cyber tools, allowing the most successful cybercriminals to stay one step ahead of the chasing pack
Figure 1: Babuk group looking for a corporate VPN 0-Day
As seen in the image above, cybercriminals with access to underground forums and deep pockets have the means to pay top dollar for the tools they need to continually generate more income, with this particular Babuk operator offering up 50,000 USD for a 0-day targeting a corporate virtual private network (VPN) which would allow easy access to a new victim.
For smaller ransomware operators, who do not have affiliation with a large group, the technical skills to create their own devastating malware or the financial muscle to buy what they need, the landscape looks rather different.
Unable to build equally effective attack chains, from initial access through to data exfiltration, their opportunities to make illegal profits are far slimmer in comparison to the behemoths of the ransomware market.
Away from the gaze of researchers who typically focus on the larger ransomware groups, many individuals and smaller groups are toiling in the background, attempting to evolve their own operations any way they can. One such method we have observed is through the use of leaks, such as the recent online posting of Babuk’s builder and source code.
Figure 2: Babuk builder public leak on Twitter
Figure 3: Babuk source code leak on underground forum
McAfee Enterprise ATR has seen two distinct types of cybercriminal taking advantage of leaks such as this. The first group, which we presume to be less tech-savvy, has merely copied and pasted the builder, substituting the Bitcoin address in the ransom note with their own. The second group has gone further, using the source material to iterate their own versions of Babuk, complete with additional features and new packers.
Thus, even those operators at the bottom of the ransomware food chain have the opportunity to build on others’ work, to stake their claim on a proportion of the money to be made from data exfiltration and extortion.
A Yara rule dedicated to Babuk ransomware triggered a new sample uploaded on VirusTotal, which brings us to our ‘lowly-paid’ ransomware actor.
From a quick glance at the sample we can deduce that it is a copied and pasted binary output from Babuk’s builder, with an edited ransom note naming the version “Delta Plus”, two recovery email addresses and a new Bitcoin address for payments:
Figure 4: Strings content of “Delta Plus” named version of Babuk
We’ve seen the two email recovery addresses before – they have been used to deliver random ransomware in the past and, by using them to pivot, we were able to delve into the actor’s resume:
The first email address, retrievedata300@gmail.com, has been used to drop a .NET ransomware mentioning “Delta Plus”:
Figure 5: Strings content of .NET ransomware related to previous Delta ransomware activities
| Filename | Setup.exe |
| Compiled Time | Tue Sep 7 17:58:34 2021 |
| FileType | Win32 EXE |
| FileSize | 22.50 KB |
| Sha256 | 94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d |
The ransomware is pretty simple to analyze; all mechanisms are declared, and command lines, registry modification, etc., are hardcoded in the binary.
Figure 6: .NET analysis with command line details
In fact, the actor’s own ransomware is so poorly developed (no packing, no obfuscation, command lines embedded in the binary and the fact that the .NET language is easy to analyze) that it is hardly surprising they started using the Babuk builder instead.
By way of contrast, their new project is well developed, easy to use and efficient, no to mention painful to analyze (as it is written in the Golang language) and provides executables for Windows, Linux and network attached storage (NAS) systems.
The second email address, deltapaymentbitcoin@gmail.com, has been used to drop an earlier version of the .NET ransomware
Figure 7: Strings content from first version of .NET ransomware
| Filename | test2.exe |
| Compiled Time | Mon Aug 30 19:49:54 2021 |
| FileType | Win32 EXE |
| FileSize | 15.50 KB |
| Sha256 | e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761 |
By checking the relationships between “Delta ransomware”, the Babuk iteration and the domains contacted during process execution, we can observe some domains related to our sample:
| suporte01928492.redirectme.net |
| suporte20082021.sytes.net |
| 24.152.38.205 |
Thanks to a misconfiguration, files hosted on those two domains are accessible through Open Directory (OpenDir), which is a list of direct links to files stored on a server:
Figure 8: Open Directories website where samples are hosted
Figure 9: Privilege escalation to get system rights
Figure 10: Registry value modifications to disable Windows Defender
Other domains where files are hosted contain different tools used during attack operations:
Figure 11: Fake Flash website used to download fake Flash installer
When logging in, the website warns you that your Flash Player version is outdated and tries to download the Fake Flash Player installer:
Figure 12: JavaScript variables used to drop fake Flash Installer
A secondary site appears to have also been utilized in propagating the fake Flash Player, though it is currently offline :
Figure 13: JavaScript function to download the fake Flash Installer from another website
Figure 14: Functions and C2 configuration from ransomware sample
(host used for extraction)
The majority of domains used by this actor are hosted on the same IP: “24.152.38.205” (AS 270564 / MASTER DA WEB DATACENTER LTDA).
But as we saw by “analyzing” the extraction tool used by the actor, another IP is mentioned: “149.56147.236” (AS 16276 / OVH SAS). On this IP, some ports are open, such as FTP (probably used to store exfiltrated data), SSH, etc.
By looking at this IP with Shodan, we can get a dedicated hash for the SSH service, plus fingerprints to use on this IP, and then find other IPs used by the actor during their operations.
By using this hash, we were able to map the infrastructure by looking for other IPs sharing the same SSH key + fingerprintings.
At least 174 IPs are sharing the same SSH pattern (key, fingerprint, etc.); all findings are available in the IOCs section.
Some IPs are hosting different file types, maybe related to previous campaigns:
Figure 15: Open Directory website probably used by the same actor for previous campaigns
Most of the ransomware samples used by the actor mention different Bitcoin (BTC) addresses which we assume is an effort to obscure their activity.
By looking for transactions between those BTC addresses with CipherTrace, we can observe that all the addresses we extracted (see the circle highlighted with a yellow “1” below) from the samples we’ve found are related and eventually point to a single Bitcoin wallet, probably under control of the same threat actor.
From the three samples we researched, we were able to extract the following BTC addresses:
Figure 16: Follow the money with CipherTrace
As we have seen above, our example threat actor has evolved over time, moving from simplistic ransomware and demands in the hundreds of dollars, to toying with at least two builder leaks and ransom amounts in the thousands of dollars range.
While their activity to date suggests a low level of technical skill, the profits of their cybercrime may well prove large enough for them to make another level jump in the future.
Even if they stick with copy-pasting builders and crafting ‘stagers’, they will have the means at their disposal to create an efficient attack chain with which to compromise a company, extort money and improve their income to the point of becoming a bigger fish in a small pond, just like the larger RaaS crews.
In the meantime, such opportunitistic actors will continue to bait their hooks and catch any fish they can as, unlike affiliated ransomware operators, they do not have to follow any rules in return for support (pentest documentation, software, infrastructure, etc.) from the gang’s operators. Thus, they have a free hand to carry out their attacks and, if a victim wants to bite, they don’t care about ethics or who they target.
The good news for everyone else, however, is the fact that global law enforcement isn’t gonna need a bigger boat, as it already casts its nets far and wide.
| Technique ID | Technique Description | Observable |
| T1189 | Drive By Compromise | The actor is using a fake Flash website to spread fake a Flash installer. |
| T1059.001 | Command Scripting Interpreter: PowerShell | PowerShell is used to launch command lines (delete shadow copies, etc.). |
| T1059.007 | Command and Scripting Interpreter: JavaScript | JavaScript is used in the fake Flash website to download the fake Flash installer. |
| T1112 | Modify Registry | To disable Windows Defender, the actor modifies registry. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” and “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection”. |
| T1083 | File and Directory Discovery | The actor is listing files on the victim system. |
| T1057 | Process Discovery | The actor is listing running processes on the victim system. |
| T1012 | Query Registry | To perform some registry modifications, the actor is first querying registry path. |
| T1082 | System Information Discovery | Before encrypting files, the actor is listing hard drives. |
| T1056.001 | Input Capture: Keylogging | The exfiltration tool has the capability to log user keystrokes. |
| T1005 | Data from Local System | |
| T1571 | Non-Standard Port | The actor is using port “1177” to exfiltrate data. |
| T1048 | Exfiltration Over Alternative Protocol | |
| T1486 | Data Encrypted for Impact | Data encrypted by ransomware. |
| T1490 | Inhibit System Recovery | Delete Shadow Copies. |
| rule Ransom_Babuk {
meta: description = “Rule to detect Babuk Locker” author = “TS @ McAfee Enterprise ATR” date = “2021-01-19” hash = “e10713a4a5f635767dcd54d609bed977” rule_version = “v2” malware_family = “Ransom:Win/Babuk” malware_type = “Ransom” mitre_attack = “T1027, T1083, T1057, T1082, T1129, T1490, T1543.003”
strings: $s1 = {005C0048006F007700200054006F00200052006500730074006F0072006500200059006F00750072002000460069006C00650073002E007400780074} // \ How To Restore Your Files .txt $s2 = “delete shadows /all /quiet” fullword wide
$pattern1 = {006D656D74617300006D65706F63730000736F70686F730000766565616D0000006261636B7570000047785673730000004778426C7200 $pattern2 = {004163725363683253766300004163726F6E69734167656E74000000004341534144324457656253766300000043414152435570646174655376630000730071} $pattern3 = {FFB0154000C78584FDFFFFB8154000C78588FDFFFFC0154000C7858CFDFFFFC8154000C78590FDFFFFD0154000C78594FDFFFFD8154 $pattern4 ={400010104000181040002010400028104000301040003810400040104000481040005010400058104000601040006C104000781040008
condition: filesize >= 15KB and filesize <= 90KB and 1 of ($s*) and 3 of ($pattern*) } |
| rule CRIME_Exfiltration_Tool_Oct2021 {
meta: description = “Rule to detect tool used to exfiltrate data from victim systems” author = “TS @ McAfee Enterprise ATR” date = “2021-10-04” hash = “ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd”
strings: $pattern1 = {79FA442F5FB140695D7ED6FC6A61F3D52F37F24B2F454960F5D4810C05D7A83D4DD8E6118ABDE2055E4D $pattern2 = {B4A6D4DD1BBEA16473940FC2DA103CD64579DD1A7EBDF30638A59E547B136E5AD113835B8294F53B8C3A $pattern3 = {262E476A45A14D4AFA448AF81894459F7296633644F5FD061A647C6EF1BA950FF1ED48436D1BD4976BF8 $pattern4 = {F2A113713CCB049AFE352DB8F99160855125E5A045C9F6AC0DCA0AB615BD34367F2CA5156DCE5CA286CC
condition: 3 of ($pattern*) } |
| http://atualziarsys.serveirc.com/Update4/
http://services5500.sytes.net/Update6/Update.exe.rar http://suporte20082021.sytes.net/Update5/ http://atualziarsys.serveirc.com/update4/update.exe.rar http://suporte20082021.sytes.net/Update3/ http://suporte01928492.redirectme.net/ http://atualziarsys.serveirc.com/Update3/ http://services5500.sytes.net/update8/update.exe.rar http://suporte20082021.sytes.net/update/ http://suporte20082021.sytes.net/Update5/Update.exe.rar http://suporte01928492.redirectme.net/AppMonitorPlugIn.rar http://suporte01928492.redirectme.net/Update5/Update.exe.rar http://services5500.sytes.net/update7/update.exe.rar http://services5500.sytes.net/Update8/Update.exe.rar http://services5500.sytes.net/Update8/Update.bat.rar http://suporte01092021.myftp.biz/update/ http://services5500.sytes.net/Update7/Update.exe.rar http://suporte01928492.redirectme.net/Update7/Update.bat.rar http://suporte01928492.redirectme.net/Update7/Update.exe.rar http://services5500.sytes.net/update6/update.exe.rar http://suporte01092021.myftp.biz/ http://services5500.sytes.net/Update6/Update.bat.rar http://suporte01928492.redirectme.net/update6/update.exe.rar http://suporte01928492.redirectme.net/update5/update.exe.rar http://services5500.sytes.net/ http://suporte01928492.redirectme.net/Update6/Update.exe.rar http://atualziarsys.serveirc.com/Update3 http://atualziarsys.serveirc.com/update3/update.reg.rar http://24.152.38.205/pt/flashplayer28_install.zip http://suporte01928492.redirectme.net/Update7 http://atualziarsys.serveirc.com/ http://atualziarsys.serveirc.com/update3/mylink.vbs.rar http://suporte01928492.redirectme.net/update7/update.exe.rar http://atualziarsys.serveirc.com/Update4/Update.exe.rar http://suporte01928492.redirectme.net/appmonitorplugin.rar http://atualziarsys.serveirc.com/update3/update.exe.rar http://suporte20082021.sytes.net/ http://suporte20082021.sytes.net/update3/update.exe.rar http://atualziarsys.serveirc.com/Update4/Update.exe2.rar http://suporte20082021.sytes.net/Update3/Update.exe.rar http://suporte20082021.sytes.net/Update5/Update.reg.rar http://atualziarsys.serveirc.com/Update4/Update.exe2.rar/ http://atualziarsys.serveirc.com/Update4 http://suporte01092021.myftp.biz/update/WindowsUpdate2.rar http://suporte01092021.myftp.biz/update http://atualziarsys.serveirc.com/Update3/Update.reg.rar/ http://atualziarsys.serveirc.com/Update3/Update.exe.rar http://suporte20082021.sytes.net/Update3/Update.exe.rar/ http://suporte01092021.myftp.biz/update/WindowsUpdate2.rar/ http://atualziarsys.serveirc.com/Update4/Update.exe.rar/ http://atualziarsys.serveirc.com/Update3/mylink.vbs.rar http://atualziarsys.serveirc.com/update4 http://atualziarsys.serveirc.com/update3 http://suporte01092021.myftp.biz/update/Update.rar http://suporte01928492.redirectme.net/AppMonitorPlugIn.rar/ http://suporte20082021.sytes.net/update5/update.exe.rar http://suporte01092021.myftp.biz/update5/update.exe.rar http://atualziarsys.serveirc.com/update4/update.exe2.rar http://suporte01092021.myftp.biz/update/windowsupdate2.rar http://suporte20082021.sytes.net/update2/update.exe.rar http://suporte20082021.sytes.net/update/windowsupdate2.rar http://atualziarsys.serveirc.com/Update4/mylink.vbs.rar http://atualziarsys.serveirc.com/favicon.ico http://24.152.38.205/1.rar http://24.152.38.205/1.exe http://appmonitorplugin.sytes.net/appmonitorplugin.rar http://suporte20082021.sytes.net/update/WindowsUpdate2.rar http://appmonitorplugin.sytes.net/ http://suporte20082021.sytes.net/appmonitorplugin.rar http://suportmicrowin.sytes.net/appmonitorplugin.rar http://suportmicrowin.sytes.net/ http://suportmicrowin.sytes.net/AppMonitorPlugIn.rar http://appmonitorplugin.sytes.net/AppMonitorPlugIn.rar http://24.152.38.205/pt/setup.zip |
| services5500.sytes.net
atualziarsys.serveirc.com suporte01092021.myftp.biz suporte20082021.sytes.net suporte01928492.redirectme.net suportmicrowin.sytes.net appmonitorplugin.sytes.net |
| 149.56.147.236
24.152.38.205 54.38.122.66 149.56.38.168 149.56.38.170 24.152.36.48 66.70.170.191 66.70.209.174 142.44.129.70 51.79.107.245 46.105.36.189 178.33.108.239 54.39.193.37 24.152.37.115 144.217.139.134 24.152.36.58 51.38.19.201 51.222.97.177 51.222.53.150 144.217.45.69 87.98.137.173 144.217.199.24 24.152.37.19 144.217.29.23 198.50.246.8 54.39.163.60 54.39.84.55 24.152.36.30 46.105.38.67 24.152.37.96 51.79.63.229 178.33.107.134 164.132.77.246 54.39.163.58 149.56.113.76 51.161.120.193 24.152.36.210 176.31.37.238 176.31.37.237 24.152.36.83 24.152.37.8 51.161.76.193 24.152.36.117 137.74.246.224 51.79.107.134 51.79.44.49 51.222.173.152 51.79.124.129 51.79.107.242 51.222.173.148 144.217.117.172 54.36.82.187 54.39.152.91 54.36.82.177 142.44.146.178 54.39.221.163 51.79.44.57 149.56.38.173 24.152.36.46 51.38.19.198 51.79.44.59 198.50.246.11 24.152.36.35 24.152.36.239 144.217.17.186 66.70.209.169 24.152.36.158 54.39.84.50 51.38.19.200 144.217.45.68 144.217.111.5 54.38.164.134 87.98.171.7 51.79.124.130 66.70.148.142 51.255.119.19 66.70.209.168 54.39.239.81 24.152.36.98 51.38.192.225 144.217.117.10 144.217.189.108 66.70.148.136 51.255.55.134 54.39.137.73 66.70.148.137 54.36.146.230 51.79.107.254 54.39.84.52 144.217.61.176 24.152.36.150 149.56.147.236 51.38.19.196 54.39.163.57 46.105.36.133 149.56.68.191 24.152.36.107 158.69.99.10 51.255.55.136 54.39.247.244 149.56.147.204 158.69.99.15 144.217.32.24 149.56.147.205 144.217.32.213 54.39.84.53 79.137.115.160 144.217.233.98 51.79.44.56 24.152.36.195 142.44.146.190 144.217.139.13 54.36.82.180 198.50.246.14 137.74.246.223 24.152.36.176 51.79.107.250 51.161.76.196 198.50.246.12 66.70.209.170 66.70.148.139 51.222.97.189 54.39.84.49 144.217.17.185 142.44.129.73 144.217.45.67 24.152.36.28 144.217.45.64 24.152.37.39 198.27.105.3 51.38.8.75 198.50.204.38 54.39.221.11 51.161.76.197 54.38.122.64 91.134.217.71 24.152.36.100 144.217.32.26 198.50.246.13 54.36.82.188 54.39.84.25 66.70.209.171 51.38.218.215 54.39.8.92 51.38.19.205 54.39.247.228 24.152.36.103 24.152.36.104 51.79.44.43 54.39.152.202 66.70.134.218 24.152.36.25 149.56.113.79 178.32.243.48 144.217.45.66 66.70.173.72 176.31.37.239 54.38.225.81 158.69.4.173 24.152.37.189 54.36.146.129 198.50.246.15 51.222.102.30 51.79.105.91 51.79.9.91 51.222.173.151 51.79.107.124 51.222.173.142 144.217.17.187 149.56.85.98 51.79.107.244 144.217.158.195 24.152.36.178 192.95.20.74 51.79.117.250 |
| 106118444e0a7405c13531f8cd70191f36356581d58789dfc5df3da7ba0f9223
e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761 ae6020a06d2a95cbe91b439f4433e87d198547dec629ab0900ccfe17e729cff1 c3776649d9c0006caba5e654fa26d3f2c603e14463443ad4a5a08e4cf6a81994 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85 94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d c8d97269690d3b043fd6a47725a61c00b57e3ad8511430a0c6254f32d05f76d6 67bc70d4141d3f6aaf8f17963d56df5cee3727a81bc54407e90fdf1a6dc8fe2a 98a3ef26b346c4f47e5dfdba4e3e26d1ef6a4f15969f83272b918f53d456d099 c3c306b2d51e7e4f963a6b1905b564ba0114c8ae7e4bb4656c49d358c0f2b169 |
| 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2 |
| C:\Users\workdreams\Desktop\Testes\Crypt_FInal\Crazy_Crypt\Crazy\obj\Debug\AppMonitorPlugIn.pdb
C:\Users\workdreams\Desktop\test\Nopyfy-Ransomware-master\Nopyfy-Ransomware\Nopyfy-Ransomware\obj\Debug\Nopyfy-Ransomware.pdb |
| a8d7b402e78721443d268b682f8c8313e69be945b12fd71e2f795ac0bcadb353 |
| ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd
c3323fbd0d075bc376869b0ee26be5c5f2cd4e53c5efca8ecb565afa8828fb53 |
| d6c35e23b90a7720bbe9609fe3c42b67d198bf8426a247cd3bb41d22d2de6a1f |
| e911c5934288567b57a6aa4f9344ed0f618ffa4f7dd3ba1221e0c42f17dd1390 |
The post Is There Really Such a Thing as a Low-Paid Ransomware Operator? appeared first on McAfee Blog.
Many people have heard of the GDPR (General Data Protection Regulation), legislation that became law across the EU in May 2018. It was designed to regulate how businesses protect personal data, notably how personal data is processed, and granted rights to individuals to exercise more control over their personal data.
GDPR is a framework which requires businesses to implement processes to enable them to understand where data is held, how it is used, how long it is kept for, how this can be reported to individuals, and how they may request its correction or deletion.
A critical – and often misunderstood – aspect of GDPR is that it doesn’t just apply to EU businesses. Any company in the world that stores information on EU citizens must adhere to the regulations; serious breaches can result in significant fines. Even just the top five companies that were penalized since GDPR’s introduction run into the hundreds of millions of US dollars! These regulations have teeth, so people pay attention to them.
Beyond GDPR’s own impact in protecting the rights of EU residents, perhaps its greatest legacy has been to increase expectations for how organizations handle personal data the world over. GDPR has set a new global standard, and we are seeing it serve as the model for a number of similar laws being mooted or passed by governments all over the world. With that in mind, how many businesses have heard of the PIPL (Personal Information Protection Law)? In August 2021, the Standing Committee of the National People’s Congress, the top legislative body in the People’s Republic of China, voted for this law to take effect on Nov. 1, 2021. It has many similarities to GDPR, a key one being that it also applies world-wide with respect to data held on Chinese citizens. If your company is a multi-national corporation that deals with Chinese individuals then it applies to you, no matter where your business is incorporated or headquartered.
Likely many of the processes you have in place for GDPR can be repurposed for PIPL, however you will be looking for different data. McAfee’s Data Protection products (MVISION Unified Cloud Edge, MVISION Cloud, Endpoint DLP, and Network DLP) will help you identify where PIPL-relevant data is held and how it is being used. Data classifications/data identifiers for the Chinese Resident Identity Card, passport numbers, mobile phones etc can be identified in data stored in the cloud and on premise. McAfee’s unique multi-vector data exfiltration protection (more on that here) can also assist in ensuring that sensitive PII data doesn’t end up somewhere it shouldn’t. Here’s a view of our management console showing how we can identify Chinese PII:
No individual product can claim to make a business “PIPL compliant”, but products such as McAfee’s Data Protection suites should be considered a key part of a toolbox to aid in this goal. The fact that we’ve had this capability within our products for an extended time, well before the introduction of PIPL, is yet another datapoint as to why Gartner named MVISION Cloud THE market leader in the CASB Magic Quadrant and why Forrester named us a leader in their Forrester Wave Unstructured Data Security Platforms.
November is barely a month away and if you’re not already considering how to handle PIPL, you now need to make this a priority. Consider testing and enabling our Chinese PII classifications. If you’re running another vendor’s product that doesn’t offer such capability then take a look at how our MVISION Unified Cloud Edge solution can help solve this along with the digital transformation to cloud first that most companies have already undertaken.
The post China Personal Information Protection Law (PIPL): A New Take on GDPR? appeared first on McAfee Blog.
Take a roll call of all your devices that connect to the internet. These include the obvious ones – laptops, tablets, and your smartphone. But they also include the ones you may not immediately think about, such as routers, smart TVs and thermostats, virtual assistant technology, and connected fitness watches and equipment.
Each of these devices is known as an endpoint to you. To a cybercriminal, they’re an entry point into your online information. It’s important to secure every endpoint so that you can confidently go about your day-to-day without worrying about your security. Here’s the definitive device security checklist to get you on your way confidently and safely.
Laptops and desktops are prime entryways into your online life. Think of all the payment information, passwords, and maybe even tax documents you store on it. The best way to protect the contents of your laptops and desktops is to password-protect your computer with strong passwords or passphrases. Here are a few password and passphrase best practices:
Especially if you work at common spaces like coffee shops, the library, or even your kitchen table, get in the habit of putting your computer to sleep when you step away. Commit the sleep command shortcut to memory to make it less of a hassle. For example, on Mac computers, the keyboard command is command + option + eject, and for Windows, it’s alt + F4.
Speaking of common spaces, whenever you log in from a public Wi-Fi network, always log in with a virtual private network (VPN). A VPN scrambles your data, making it indecipherable to any malicious characters who may be lurking on public networks.
Multifactor authentication is another way to protect your valuable devices and accounts. This means that anyone trying to log in on your device needs to provide at least two forms of identification. Forms of ID could include a text message with a one-time code or a fingerprint or face scan in addition to a correct password.
These two devices are grouped because the security features on them are similar. Just like with computers, put your device to sleep every time you walk away from it. It’s much easier and may already be in your routine to hit the sleep button when you put down your cellphone or tablet.
Always put a passcode on your smartphones and tablets. Choose a collection of numbers that do not have an obvious connection to you, such as important birthdays or parts of your phone number. Even if they’re a random assortment, you’ll get the hang of them quickly. Or to make sure only you can enter your phone, set up a facial or fingerprint ID scan. People have several passwords and account combinations they have to remember. To take the guesswork and trial and error of logging in, consider trusting your passwords to a password manager that can remember them for you!
A great mobile phone and tablet habit you should adopt is backing up your files regularly to the cloud. In the event that you lose your device or if someone steals it, at least it’s valuable — and in some cases, priceless — content is safe. You may be able to remotely “brick” your device to keep a stranger from breaking into your accounts. Bricking a device means remotely wiping a connected device and rendering it unusable.
Your router is the gateway to all the connected devices in your home; thus, it’s key to beef up its security. The best way to do so is to make sure that you customize the router name and password to make it different from the factory settings. Always password-protect your home router! Employing password best practices you use for your online accounts and your devices will prevent strangers from hopping onto your network. Another way to keep your Wi-Fi network out of the hands of strangers is to toggle on the setting to not appear to non-users. While it’s fun seeing the quirky names your neighbors choose for their home networks, it’s best to keep yours completely private.
There have been some unsettling reports about cybercriminals commandeering smart home devices and virtual assistant technology. For example, a cybercriminal hacked a homeowner’s virtual assistant and blasted music through the home’s speakers, and turn the heat up to 90 degrees. The key to securing the connected devices that are responsible for your heating and cooling, shopping lists, and even your home security system is to ensure it is connected to a secure router and protected by a strong password.
Also, keep an eye on software updates, which include security upgrades. If you don’t think you have time to manually update software, set up your devices to automatically update. This will give you peace of mind knowing that you have the latest security patches and bug fixes as soon as they are available.
IoT fitness watches and machines are fun additions to your workout routines. In the case of Peloton bikes, they track your heartbeat and location and offer a huge library of classes. However, cybercriminals may be able to track your workouts if they break their way into your fitness devices. The best way to keep your workouts private is to turn off geolocation and make sure you are up to date with all software releases and protect your accounts with strong passwords.
If you’re looking for a tool to put your mind at ease, consider McAfee Total Protection. It includes antivirus and safe browsing software plus a secure VPN. You can be confident that your personal information is safe, thus allowing you to enjoy the full potential of all your devices.
The post How to Secure All Your Everyday Connected Devices appeared first on McAfee Blog.
We’re closing McAfee Enterprise’s Hispanic Heritage Month with Solutions Architect, Gus Arias. Read the full interview below to see how his heritage impacted his life and career in technology.
I love the food and music. To this day I never get tired of eating Arepas, a staple of my Venezuelan heritage.
I’ve always liked technology and I took a leap into IT from the Mortgage Industry. I stayed hungry for knowledge and am always eager to learn which transformed my cybersecurity career to where it is today.
I want future generations to know that it is never too late to learn something new, and you should strive to learn something new every day.
Arepas, Mandocas, Hayacas, and Paella
I would have to say our Christmas celebrations throughout the month of December.
Do not let anything hold you back and when it comes to change, have an open and positive view. Learn from those changes to improve, also work on soft skills. From a technology perspective – keep up with the times. Meaning, stay informed on the evolution of technology and threats.
Educate and promote early by engaging with local schools. Also, provide internships at the High School/College levels as a summer program.
The post 2021 Hispanic Heritage Month Pt. 5: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.
Although Hispanic Heritage Month is coming to an end on October 15th, it doesn’t mean we have to stop celebrating our employee’s and learning about their heritage and what led them to their career in cybersecurity. Take a look at the conversation below with McAfee Enterprise, Joyce Moros-Nahim, LTAM Legal Director
What I enjoy the most about being Hispanic is that we are very amiable. We are always exited to meet new people and have new experiences. One of my favorite memories growing up is all the time I spent with my family. It was never something my parents had to force my brother and I to do. We were always happy to hang out with our cousins, have lunch with our “abuelitos” (grandparents), and celebrate with our very large family.
I have met and worked closely with many Hispanic and LatinX individuals and their enthusiasm and dedication for their chosen career along with their zest for life has taken them very far in both their home country and around the world. This has inspired me to keep pushing and take on every day with positivity and joy.
I have always been interested in the technology industry because it changes every day and will be more prevalent as we move into the future. Having been born in a Latin American country (Venezuela), I was always intrigued in seeing how other countries evolved in this industry.
I hope that future generations will continue to appreciate and partake in their cultural traditions. No matter which country a Latinx individual is from, they’re typically very family oriented, respectful, hardworking, and loving; which I hope will continue in future generations.
Visiting my grandmothers almost every day and having a Cafecito. On Sundays, we would also go to church in our Sunday best and have lunch with the whole family. I always enjoyed this time because I would see my whole family and hear about their week. It kept us spiritually and physically united.
Venezuelans are extremely hospitable, hardworking, and love to befriend people with different nationalities.
The most celebrated holiday in my culture is New Year’s Eve. The families get together and have “hallacas” and pan de jamon, two traditional Venezuelan meals. As it is about to strike 12 AM, we each eat 12 grapes, symbolizing 12 wishes or resolutions we have for the upcoming year. Once it’s 12 AM, we all embrace and celebrate what is to come!
My advice to a young Hispanic/Latinx individual would be to gain experience in the field and to find a mentor with a similar heritage to guide and inspire you.
A great way to attract more Hispanic/LatinX people to cybersecurity is to have programs in Latin American countries that will teach children about technology and how it’s key in our everyday life.
The post 2021 Hispanic Heritage Month Pt. 4: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.
Today marks a significant and exciting step forward for the combined McAfee Enterprise and FireEye businesses as we create a pure play, cybersecurity market leader.
I’m incredibly proud to be writing this as the newly appointed CEO of this combined business. Keeping nations and large enterprises safe is – I believe – one of the most important challenges facing the world today. We have already started working together to bring together the best of McAfee Enterprise and FireEye. Together, we see vast opportunities to develop an integrated security platform powered by artificial intelligence, machine learning, and automation that will offer an unbeatable security portfolio to protect customers across endpoints, infrastructure, applications, and in the cloud. With our combined energies, we will be able to bring these solutions to market faster, and with greater innovation than before.
And we will do this because of our incredibly talented team. Together, we have 5,000 of the best security professionals who have already been working tirelessly to protect our customers. I am energized about bringing together these two teams to relentlessly protect the world from cyberattacks. Our new company culture will be focused on continuing to deliver on this vision, particularly for our customers.
As a combined business, we have over 40,000 customers, including many of the most well-known businesses in the world. And supporting our customers to be more resilient and stay one step ahead of adversaries has always been a priority – that’s why the majority of our enterprise and government customers have worked with our companies for over 16 years. We are committed to continuing to deliver excellence to our customers through this integration.
Today is a monumental day for everyone in this team. It is also a monumental day for the future of threat detection, protection, and response. Together, we will deliver a new model that creates solutions that work together, in a continuous fashion, to secure our customers across the full attack continuum. We are already seen as market leaders, now our story keeps getting better.
The post Shaping the Future of Cybersecurity appeared first on McAfee Blog.
Did you know, the timing of Hispanic Heritage Month coincides with the Independence Day celebrations of several Latin American nations?
At McAfee Enterprise, we’re celebrating Hispanic Heritage Month by recognizing some of our amazing employees and asking them about their heritage and the impact it had on their career and journey to cybersecurity. Read my conversation with Zuly Gonzalez below on how her family and culture have impacted her career.
My parents moved to mainland US when I was young. During the summers, we’d go on vacation to Puerto Rico and one of my fondest memories growing up are the plane flights to/from Puerto Rico. This was before 9/11, when flying wasn’t what it is today. My sisters and I would keep ourselves entertained playing games. It was an adventure for us and the highlight was always a warm chicken or pasta meal.
We had two Christmas celebrations, which as a kid, you can’t ask for anything better! We celebrated Christmas on the 25th, which was the big event where we got most of our presents. Then on January 6 we’d celebrate “Día de Reyes” (Three Kings Day) where we would get a few more presents.
I’d say three things that are central to Puerto Rican culture are: family, God, and passion/hard work. Puerto Ricans believe in traditional family values. Religion plays an important part in our culture. And the Puerto Rican passion is hard to understate. I have to be careful, because a lot of times my passion leads me to speak very loudly, which can sometimes be misinterpreted by non-Hispanics as anger or aggression, when in fact, it’s just excitement. I saw a T-shirt recently that said, “I’m not yelling. I’m Puerto Rican.” This is so true!
One of my favorite dishes growing up, because we didn’t have it often, was sancocho. It’s a rich, comfort soup made with root vegetables and other starchy vegetables common in Puerto Rico. Ingredients include ñame, yautia, pana, papas, platanos, guineos, maiz, and batatas, among other things. A few of the ingredients are hard to find in the US, and when you do find them, are expensive, so we didn’t have it often growing up. But when my mom did make it, it was always a treat!
My parents were by far the biggest influence in my life. They taught me that I could be and do anything I wanted in life. They didn’t set limits for what I could achieve and taught me that with hard work anything is possible.
I followed my father’s footsteps by pursuing a career in STEM and attending the same university he attended. In fact, thinking about it now as I answer this question, I think that even more so than my mom, my dad had the biggest influence on who I am today as an individual. He shaped a lot of my personality, my beliefs, and a lot of the decisions I’ve made in my life, both personally and professionally.
Family values are very important in Puerto Rican culture. My dad was a math teacher and growing up he was always ready to help me with my homework. During the summer trip to Puerto Rico before I graduated high school, we took a tour of the university my dad went to. I ended up going to that university, which set me on the path to where I am today in my career. I obtained a degree in Computer Engineering and a co-op opportunity (similar to an internship) at NSA. NSA led me to a career in cybersecurity. At NSA I met Beau Adkins, who later turned into my partner in life and in business. Beau and I founded Light Point Security, which ultimately led us to McAfee Enterprise. But it all started with my parents. Without my parents’ motivation, support, and ultimate push to attend the University of Puerto Rico, I wouldn’t be where I am today.
Same advice I’d give any young person interested in any career path. That is – look for ways to learn outside of a traditional school setting. Getting a hands on experience is so important. First, it shows initiative and passion. Second, to use an analogy: Reading and memorizing a cooking recipe, and even knowing the history behind each ingredient, isn’t necessarily going to translate into a delicious meal, it takes practice. Practice with the equipment, practice with the ingredients, and sprinkle in your own creativity to make an expert dish. One that people will pay money for!
The post 2021 Hispanic Heritage Month Pt. 3: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.
A good time to check if someone is using your identity is before it even happens.
One of identity theft’s several downsides is how people discover they’ve become a victim in the first place—by surprise. They go to rent an apartment, open a line of credit, or apply for financing, only to discover that their finances or reputation has taken a hit because of identity thief.
And those hits add up, particularly when you look at the dollars involved. In 2020, the Federal Trade Commission (FTC) reported $3.3 billion in financial losses from 4.7 million reported cases of fraud, a 45% increase over the year prior. Of those reports, identity theft was the leading fraud category, accounting for 29% of fraud incidents.
Plenty. Depending on the type and amount of information an identity thief gets their hands on, they can harm your finances and reputation in several ways, including:
Rather than ending up with a rude and potentially costly surprise of your own, you can get ahead of thieves by checking to see if someone is using your identity before it’s a problem or before it really takes root.
Major data breaches that expose personal information seem to hit the headlines with some regularity, not to mention the many, many more that don’t get national or international press coverage. Most recently we have the Neiman Marcus breach, where this major retailer alerted 4.6 million customers that “an unauthorized party obtained personal information associated with certain Neiman Marcus customers’ online accounts.”
And as it is with many such breaches, it took quite some time before the theft of information was discovered. Per Neiman Marcus, it’s believed that the breach occurred in May 2020 and only discovered in September of 2021. Potentially compromised information included:
Whether or not you have reason to suspect that your information got caught up in this recent large-scale breach, it serves as a good reminder that any time is the right time to check up on your identity. Acting now can save headaches, potentially big headaches, later.
Quite a bit of identity theft prevention begins with taking stock of the accounts and services you have in your name. This ranges anywhere from bank accounts to public utilities and from credit cards to loans, all of which contain varying degrees of personal information about you. With a sense of where your personal identity is being used, you can better look for instances where it’s being misused.
Ways you can spot for possible identity theft include:
If you stop receiving a bill that normally comes to you, such as a utility bill or for a department store credit card, that could be a sign that a thief has changed the mailing address and has potentially hijacked your identity.
This is rather straightforward, yet it reminds us how important it is to look at our statements closely. Charges that you didn’t ring up or that seem slightly higher than normal are a surefire sign that you should follow up with the bank or company involved and let them know of possible fraud.
In the U.S., you have annual access to free credit reports from the major credit reporting agencies. Not only will this give you a sense of your credit score, but it will also show the credit that’s open in your name, along with addresses associated with your identity. Spotting an account that you haven’t signed up for or seeing an address of a residence that you’re not renting are other common signs that your identity may have been compromised.
With the number of accounts many of us have these days, a credit monitoring service can help you stay on top of what’s happening in your name. Often offered through banks, credit unions, and even insurance providers, credit monitoring can alert you in several instances, including:
Overall, credit monitoring can act as another set of eyes for you and spot potential identity issues. Different services provide different levels of monitoring, so consider reviewing a few options to find the one that works best for you.
One like our own Identity Protection Service will monitor several types of personally identifiable information, alert you of potentially stolen personal info, and offer guided help to neutralize the threat—in addition to offering several preventative steps to help keep theft from happening in the first place. With this set up on your computers and smartphone you can stay in the know and address issues immediately.
Along with keeping an eye on what’s happening with your identity online and elsewhere, there are a few more things you can do to make it tougher for thieves to steal your identity.
Given all the banking and shopping we do on our computers and phones, installing and using comprehensive online protection software is a must these days. It puts several layers of security in place, such as creating complex passwords automatically, shielding credit card info from prying eyes, and protecting your privacy and data online by connecting with a VPN. In short, online protection software acts as a solid first line of defense.
As mentioned above, comprehensive online protection software often includes a password manager that can generate strong, unique passwords for each of your accounts and remember them for you. It’s extra protection that makes life a lot easier for you by managing all the accounts you’re juggling. Also, use MFA (multi-factor authentication) on the accounts that give you the option, which makes it harder for a thief to crack your accounts with a password alone.
Sensitive documents come in all forms. Top-of-the-line examples include things like tax returns, bank statements, and financial records. Yet there are also things like your phone and utility bills, statements from your doctor’s office, and offers that come to you via mail. Together, these things can contain personal information such as account numbers, your full Social Security Number, the last four digits of your Social Security Number (which can still be useful to thieves), and other information that may uniquely identify you. You’ll want to dispose of sensitive documents like these so that they can’t be harvested by hackers.
For physical documents, consider the low-cost investment of a paper shredder to help ensure they don’t fall into the wrong hands when you are done with them. (And let’s face it, they’re fun to use!) For digital documents, simply deleting a file is not enough – online protection software is a great resource that often includes a digital document shredder, designed to render the data practically unusable when you’re ready to trash the file.
Your Social Security Number is one of the most prized possessions a thief can run away with because it is so closely associated with you and things like your tax returns, employment, and so on. Keep it stored in a safe location rather than on your person or in your wallet. Likewise, be careful about giving out your SSN. While organizations like the IRS, your bank, and employer require it, there are other organizations who do not—but may ask for it anyway. (Doctor’s offices are a prime example.) If you get such a request, ask them what they intend to use it for and then ask if another form of identification will work instead.
Phishing attacks are one of the primary ways identity thieves steal personal information. Whether they come via a direct message, on social media, or through email, text, or phone calls, thieves use them to harvest your personal info by posing as a legitimate organization—such as in this recent IRS phishing scam. Phishing is a topic all unto itself, and you can check out this quick read to see how you can spot phishing scams and protect yourself from them.
Like any criminal, identity thieves do their dirtiest work in the shadows—quietly stealing money under your nose, or worse, as we outlined above. By shining a light on your identity and keeping regular track of what’s happening with it, you can spot unusual activity right away. Even the small stuff is important. A co-worker of mine once saw an incorrect address listed on his credit report. Turned out, that address was used to rack up several large charges at a retailer, which he was able to fix with the aid of the credit reporting agency and the retailer in question.
No doubt about it. Identity theft is indeed on the rise, and your best bet to avoid such a nasty surprise is to keep an eye on your digital identity the same way you keep an eye on your actual wallet.
The post How to Check if Someone is Using Your Identity appeared first on McAfee Blog.
Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise to hear their takes on today’s security trends, challenges, and opportunities for enterprises across the globe. Dive into the conversation below with Vice President, Global Commercial, Britt Norwood.
Q: What’s the first career you dreamed of having as a kid? |
My first career was as a paper boy from 5th through 8th grade, but I always wanted to be a professional golfer. However, when I realized I was not that good at golf, I decided to pursue a career in business and technology.
Q: What do you think about talent in the technology and security industry? |
The talent we have in this industry is amazing, people are working so hard every day, but our foes are relentless, and we will always need talent who can look at problems with diverse viewpoints.
Q: Which emerging technology do you think holds the most promise once it matures? |
I’m interested in seeing the continued progress around the unification of threat hunting (EDR, XDR, MDR), as we better understand the power of machine learning, automated detection, and AI as it pertains to quickly identifying malicious code and non-conforming behaviors. This is a world where the surface is just being scratched. As this technology matures and develops, there is power for good, but it will always need to be balanced in a way that makes sure the uses are ethical and moral. This will be a true new frontier as it unfolds.
Q: What are some of the trends you are currently noticing within the privacy and cybersecurity space? |
Everyone knows that a layered model is necessary to protect valuable data against attacks, but there is fatigue within many IT departments about the number of tools they need and that need to be connected to each other to work properly. Most CIOs and CISOs are looking for platforms that simplify management and streamline threat research to consolidate and reduce complexities.
On the attack front, both the cryptocurrency phenomenon is allowing bad actors to be more aggressive, as they have a way to anonymously launder ransoms, which is why there are so many ransomware attacks happening now. Cryptocurrency needs to be examined from a regulatory standpoint to protect innocent consumers and businesses who are vulnerable to such attacks. Until that time, it falls back to security platforms to assist them.
The post Executive Spotlight: Q&A with Vice President, Global Commercial, Britt Norwood appeared first on McAfee Blog.
The nationally recognized Hispanic Heritage Month grew out of a desire to educate people all over the country about the many contributions the Hispanic community has made to U.S. culture.
Here at McAfee Enterprise, we’re taking this year’s Hispanic Heritage Month to spotlight members of the LatinX community who are using their platforms to make their voices heard and contribute to the cybersecurity community. I spoke with Arnie Lopez, Vice President Worldwide Systems Engineering, about his heritage and journey to cybersecurity.
I love our food and music. I remember my mom cooking up some great dishes while we danced around the house listening to fun music.
I had two great LatinX mentors/role models, Carlos Dominguez and Guillermo Diaz that helped tremendously early in my career.
Our culture is hard working and sometimes very stubborn. Early in my career I was very interested in technology and asked people to teach me different types of technologies and would not take no for an answer. I started early on with learning computers, then servers, networking, security, then cloud and applications. All of this helped my career and had a huge impact.
Embrace your LatinX culture, use it as a differentiator when competing for new roles.
1) Our passion makes us great team members
2) We love to have fun… Work hard and play hard
3) We come in many different colors and sub-cultures but have common core values
I hope my kids and nephews keep up the celebration of Bolivian Independence Day (Seis de Agosto). It’s a big national party on August 6 every year with music, food and dancing.
Don’t be intimated by the lack of LatinX in Cyber, it’s up to us to change the demographics and we will do it. Find a LatinX mentor or coach that already works in Cyber to provide you candid and honest feedback and guidance.
Get involved, participate, and give back. Get involved in LatinX youth, corporate and University panels and events and tell your story. “If they can SEE it, They can BE it!”
The post 2021 Hispanic Heritage Month Pt. 2: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.
McAfee Enterprise is prepared to protect our customers from day 1 of their journey with the new Windows 11 release.
This summer Microsoft announced planned changes to its Windows platform with the release of Windows 11. McAfee Enterprise is proud to announce that we have delivered day 1 support for the benefit of our current and future customers. We know that today’s hybrid workspaces call for flexibility and ease of use without compromising security, so now that Windows 11 is here, we want to address a few important topics regarding what to expect from your trusted security vendor, McAfee Enterprise:
Customers can rely on McAfee Enterprise products to already have the most important Windows 11 box checked—ensuring your systems are secure and protected against threats from day 1.
McAfee Enterprise is committed to continue this same level of support for Microsoft’s future release cadence of Windows 11. We work closely with Microsoft to make sure that McAfee Enterprise security software and hardware products are fully compatible with Windows operating systems.
We recognize that not every environment will be ready to upgrade on day 1, or even at the start of the new year. Regardless of the date of your transition, McAfee Enterprise is here to ensure you remain protected across your devices and OS versions.
Our ongoing commitment is to continue to support our customers and the release cadence of the Windows 10 platform. We keep apprised of Microsoft OS support cycles and ensure that our customers remain covered throughout their lifecycles. For more information, see KB85784 – Windows 10 compatibility with McAfee Enterprise products
That said, having a plan outlined in advance is a key ingredient to any successful environment upgrade or transition. McAfee Enterprise Technical Support and your Enterprise Customer Success teams are available to support and partner with you on your journey and to answer any product questions along the way.
Related resources:
With McAfee Enterprise’s security platform, you can command a centrally managed solution that protects your environment across varied devices and operating systems. A combination of fully enabled Endpoint Security Adaptive Threat Protection (ENS ATP), EDR, and MVISION Insights delivers proactive threat intelligence and defenses across the entire attack lifecycle. Our security teams work around the clock to anticipate future security needs and drive home industry-leading innovation. More on the McAfee Enterprise Endpoint Protection Platform here.
Additional product resources:
Our product teams have outlined our portfolio’s support in KB94901 – Windows 11 compatibility with McAfee Enterprise products.
To ensure a quality experience, each McAfee Enterprise product team is required to complete validations of all new releases that Microsoft publishes for Windows 11. The McAfee Enterprise goal is to add same-day support for all Windows 11 releases over time, for those products that don’t currently offer this cadence.
For general upgrade guidance or questions, customers may contact Enterprise Technical Support or visit our Support Portal here.
Take advantage of our latest Endpoint Security offering by visiting us here.
The post McAfee Enterprise Is Ready for Windows 11, Are You? appeared first on McAfee Blog.
Each year, Americans observe National Hispanic Heritage Month from September 15th to October 15th, by celebrating the contributions and importance of Hispanics and Latinos to the United States.
The 2021 Hispanic Heritage Month theme invites us to celebrate Hispanic Heritage and to reflect on how great our tomorrow can be if we hold onto our resilience and hope. This year’s theme also encourages us to reflect on the contributions Hispanics have made in the past and will continue to make in the future.
I spoke with Sr. Principal Engineer, Ismael Valenzuela about how his heritage played a role in who he is today, advice for future generations and more. Read our conversation below.
I was born and raised in Malaga, Spain, and spent a good part of my professional career in my home country until I moved to the US in 2014. My favorite memories are those shared with my family and friends, enjoying some of the amazing food we have in Malaga, and the beautiful warm weather we have all year long. Enjoying a football game (we call it soccer here in the US, but it’s really football, since it’s played with the foot!) with the friends on a Friday evening or simply a walk by the beach to enjoy the fresh breeze of the Mediterranean sea. Those are some of my favorite memories.
I was very fortunate to have a business angel at a very young age, who happened to be an experienced Argentinian businessman. He recognized my passion for infosec (it wasn’t called cyber back then) and provided me with the support needed to make my ideas and projects a reality. Thanks to him I was able to co-found one of the first infosec consulting businesses in Spain in 2000, and I’m still very grateful for that opportunity. My experience in the US has not been very different. Since 2014 I’ve had the pleasure to work very closely with super talented colleagues from our McAfee Enterprise teams in Argentina and Chile. Some of them were a tremendous help when I established myself in the NY area, and they continue to be great co-workers and friends, who I admire and look up to.
I think that Hispanic/LatinX are curious by nature. And curiosity is the basis for the ‘hacker’ culture. And yes, I call it hacker culture, referring to the original meaning and roots of the word ‘hacker’, which connoted technical virtuosity and playfulness (from Walter Isaacson, The Innovators. Great book by the way!). I think I’ve always had that curiosity, especially since I was a kid and had my very first computer, a PCS 286 with just plain old MS-DOS. From that moment on, I knew what I wanted to work with, for the rest of my life. By the time I was in high school I was already programming in several languages, most self-taught, including BASIC, Assembly, and Pascal, and was already doing little applications for some family and friends with tools like DBase III and Clipper. It was a lot of fun! It wasn’t until I started college that I started to dig deeper into operating systems, networking, and lower-level languages like C. When I was introduced to Linux, I immediately fell in love with it, and this increased my curiosity. I started to learn more about how the Internet worked and one thing led to the other. Before I knew it, I was reading guidelines on security, hacking, protocols, asking questions on IRC channels (Slack is essentially IRC for millennials, for those that didn’t know), and setting up my labs at home to play more with the tools I was learning about. Shortly after I landed my first job, as both a web programmer and a system administrator, I found some serious security vulnerabilities in a government network, that happened to make the news, which led me to setup my own consulting business in 2000 with my Argentinian partner. And the rest is history from there! (it’s on LinkedIn too)
If I must pick three, I’ll go with these:
1) we love food!
2) we love having long meals with friends and family!
3) we love having food outdoors!
Yes, I’m working on making sure my kids learn to eat a wide variety of healthy and fresh food, instead of processed and refined stuff. And I hope their kids do the same! Did I say I like food?
My hope is that current and new generations realize that true success is more than just a title, a professional achievement, or a prestigious career, whether it is in IT, or anything else. We live in a world that puts too much emphasis in personal egos, competitiveness, and social status. However, most often those pursuing these goals end up with anxiety, health issues, and disappointment. So, we need to start taking some of that pressure off the young ones and emphasize more the values and principles that can make you happy in the long term, things like a good work ethic, resilience to deal with setbacks, patience to acquire the right training and work through problems, empathy for others, balance to take care of yourself and those you love, and respect for everyone’s opinions and ideas. It’s not all about cyber!
Don’t be afraid to ask for help or to ask for a mentor. I was very fortunate to have an amazing mentor that taught me the fundamentals of business and a good work ethic. Having technical skills is important, but it’s equally important to develop other soft skills, like the ability to communicate clearly, to think strategically, to follow through with your projects, and of course the importance to stick to your values and your principles, and to care about the people you interact with. Try to grow your network, and don’t limit yourself to a certain age group, background, or ethnicity. Embrace diversity and realize that there’s always something new to learn from everyone you work with. Stay humble, and never think you’re the smartest in the room. Not only will you be wrong, but you’ll be missing the opportunity to learn and grow. If you want to start a career in cybersecurity specifically, see what classes you can take in your area, and what local groups or conferences are available. One of the few positive things we have with COVID is that most of the conferences have moved to an online format. Many like SANS Summits allow you to join Slack or Discord channels where you can interact with practitioners and security professionals. Also the SANS Institute (from which I’m part of the faculty), have initiatives like the CyberStart America that is a free national program for high school students to learn and master cybersecurity. These can be a gateway to the industry and can lead to college scholarships. And if you need more help or advice, don’t hesitate to contact me on my Twitter account: @aboutsecurity. I can help to point you in the right direction.
I think one of the things we need to do as professionals is to demystify what we do in this field. We need to start admitting that this is not rocket science. It is true that it’s a fast-paced field, and that it can seem overwhelming at times, but nothing that we do is too hard that anyone should feel intimidated to try to break in. We all learned over time, and in many cases through a succession of failures and recoveries. We all have a responsibility, from corporations to professionals, to lower the entry barriers and give more opportunities. One way to do this is to make more information available in Spanish. In fact, I’ll be chairing a talk track in Spanish at the 2021 SANS Threat Hunting Summit on October 7th and I’ll be hosting breakout spaces for the attendees to network with and to continue the conversation in Spanish as well. So, if you’re reading this, you have no excuses!
The post 2021 Hispanic Heritage Month Pt. 1: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.
We hope you’ve enjoyed Cyber Awareness month. This year’s theme asked us all to do our part to stay safer online. The idea is that if we each take steps to secure our lives online, then together we all contribute to creating a safer, more secure internet. Of course, it’s our job to help you #BeCyberSmart. With that in mind, we’ve pulled together all the safety tips we featured in October. From family security to protecting your latest smart home gadgets, they’re all here and organized by theme. So take a look below and let’s all do our part today, tomorrow, and in the year to come!
10 quick tips for keeping the whole family safe
Online security for senior citizens
A quick list of tips for protecting kids on apps and social networking
How to protect baby’s first digital footprints
Millennials are major targets for identity theft. Check out this quick guide for protecting identity online
Ways for online gamers to #BeCyberSmart.
#Phishing is a common #scam that pops up in emails, DMs, and texts where crooks try and get you to click sketchy links. Learn how to spot them.
Securing your mobile phone.
Protecting your #socialmedia accounts from hacks and attacks.
Keeping the whole family safer
Spotting fake news and misinformation
https://www.mcafee.com/blogs/consumer/spot-fake-news-and-misinformation-in-your-social-media-feed
How to avoid oversharing online.
https://www.mcafee.com/blogs/consumer/family-safety/is-this-tmi
Managing your personal photos online safely.
Interested in starting a podcast? Here are some tips to get you started.
https://www.mcafee.com/blogs/consumer/entertainment-fromhome-how-to-start-your-own-podcast
Check out some tips for keeping your family safe when you hit the road with your phones, tablets, and laptops
Have smart home devices like a doorbell or smart lightbulbs? See how you can enjoy it all safely
Staying safe while banking online
App scams aimed at kids
https://www.mcafee.com/blogs/consumer/family-safety/9-tips-to-help-kids-avoid-popular-app-scams
Take a look at some of the ways you can improve your privacy
Using payment apps safely
Protecting kids from identity theft
Let’s talk online shopping and ways you can score some great deals safely during a time of year when hackers break out some of their oldest (yet effective) tricks
Thanks for celebrating Cyber Awareness month with us this October. More importantly, we hope you’re able to take the tips above and not only make your life safer but also the lives of friends and family as well. After all, we all need to do our part to #BeCyberSmart and protected online.
The post Do your part and #BeCyberSmart with these online safety tips appeared first on McAfee Blog.
The increasing prevalence of ransomware tops the findings of the McAfee Enterprise Advanced Threat Research Report: October 2021 released today.
While ransomware continues to hold cybersecurity headlines hostage, so much has changed since our last threat report. After shutting down the Colonial Pipeline, DarkSide created the appearance of walking away after attracting government scrutiny, thinking we would miss the (alleged) connection to BlackMatter.
Our Advanced Threat Research team also made a move to McAfee Enterprise, a newly dedicated Enterprise Cybersecurity company. While we will no longer publish our work under McAfee Labs, you can still find and follow our research on our new McAfee Enterprise ATR Twitter feed: @McAfee_ATR.
We’ve shifted the primary focus of our new Threat Report from frequency to prevalence. Our team is now paying attention to how often we see the threat around the globe and, more importantly, who it targets.
While DarkSide attempted to step out of the spotlight, other ransomware families including REvil/Sodinokibi, Ryuk, and Babuk wreaked havoc from among DarkSide’s shadow. In response, this threat report offers a deep dive into ransomware’s increasing prevalence including ransomware family detections and the delta of data between open-source intelligence and telemetry.
Our McAfee Enterprise team also offers research and analysis on relevant threat topics including:
Once you’ve consumed the research and findings in this report, don’t forget our MVISION Insights preview dashboard which updates and profiles the most prevalent threats, offering a knowledge base that includes targeted countries and sectors along with proactive solutions to help your enterprise stay ahead of emerging threats.
We welcome your feedback about this threat report and what you would like to see in the next report.
After more than a century of technological innovation since the first units rolled off Henry Ford’s assembly lines, automobiles, and transportation bear little in common with the Model T era. This evolution will continue as society finds better ways to achieve the outcome of moving people from point A to point B.
While Secure Web Gateways (SWGs) have operated on a far more compressed timetable, a similarly drastic evolution has taken place. SWGs are still largely focused on ensuring users are protected from unsafe or non-compliant corners of the internet, but the transition to a cloud and remote-working world has created new security challenges that the traditional SWG is no longer equipped to handle. It’s time for the next generation of SWGs that can empower users to thrive safely in an increasingly decentralized and dangerous world.
The SWG actually started out as a URL filtering solution that enabled organizations to ensure that employees’ web browsing complied with corporate internet access policy.
URL filtering then transitioned to proxy servers sitting behind corporate firewalls. Since proxies terminate traffic coming from users and complete the connection to the desired websites, security experts quickly saw the potential to perform more thorough inspection than just comparing URLs to existing blacklists. By incorporating anti-virus and other security capabilities, the “Secure Web Gateway” became a critical part of modern security architectures. However, the traditional SWG could only play this role if it was the chokepoint for all internet traffic, sitting at the edge of every corporate network perimeter and having remote users “hairpin” back through that network via VPN or MPLS links.
The transition to a cloud and remote-working world has put new burdens on the traditional perimeter-based SWG. Users can now directly access IT infrastructure and connected resources from virtually any location from a variety of different devices, and many of those resources no longer reside within the network perimeter on corporate servers.
This remarkable transformation also expands the requirements for data and threat protection, leaving security teams to grapple with a number of new sophisticated threats and compliance challenges. Unfortunately, traditional SWGs haven’t been able to keep pace with this evolving threat landscape, resulting in an inefficient architecture that fails to deliver the potential of the distributed workforce.
Just about every major breach now involves sophisticated multi-level web components that can’t be stopped by a static engine. The traditional SWG approach has been to coordinate with other parts of the security infrastructure, including malware sandboxes. But as threats have become more advanced and complex, doing this has resulted in slowing down performance or letting threats get through. This is where Remote Browser Isolation (RBI) brings in a paradigm shift to advanced threat protection. When RBI is implemented as an integral component of SWG traffic inspection, it can deliver real-time, zero-day protection against ransomware, phishing attacks, and other advanced malware so that even the most sophisticated threats can’t get through, without hindering the browsing experience.
Another issue with most traditional SWGs is that they aren’t able to sufficiently protect data as it flows from distributed users to cloud apps, due to lacking advanced data protection and cloud app intelligence. Without Data Loss Prevention (DLP) technology that is advanced enough to understand the nature of cloud apps and to keep up with evolved safety demands, organizations can find data protection gaps in their SWG solutions that keep them vulnerable to risks.
Finally, there is the question of cloud applications. While cloud applications operate on the same internet as traditional websites, they function in a fundamentally different way that traditional SWGs simply can’t understand. Cloud Access Security Brokers (CASBs) are designed to provide visibility and control over cloud applications, and if the SWG doesn’t have access to a comprehensive CASB application database and sophisticated CASB controls, it is effectively blind to the cloud. It’s only a cloud-aware SWG with integrated CASB functionality that can extend data protection to all websites and cloud applications, empowering organizations and their users to be better protected against advanced threats.
A next-gen SWG should help simplify the implementation of Secure Access Service Edge (SASE) architecture and help accelerate secure cloud adoption. At the same time, it needs to provide advanced threat protection, unified data control, and efficiently enable a remote and distributed workforce.
Here are some of the use cases:
SWGs have clearly come a long way from just being URL filtering devices to the point where they are essential to furthering the safe and accelerated adoption of the cloud. But we need to push the proverbial envelope a lot further. Digital transformation demands nothing less.
The post What to Expect from the Next Generation of Secure Web Gateways appeared first on McAfee Blog.
The security operations center (SecOps) team sits on the front lines of a cybersecurity battlefield. The SecOps team works around the clock with precious and limited resources to monitor enterprise systems, identify and investigate cybersecurity threats, and defend against security breaches.
One of the important goals of SecOps is a faster and more effective collaboration among all personnel involved with security. The team seeks to streamline the security triage process to resolve security incidents efficiently and effectively. For this process to be optimized, we believe that ruthless prioritization is critical at all levels of alert response and triage. This ruthless prioritization requires both the processes and the supporting technical platforms to be predictive, accurate, timely, understandable for all involved, and ideally automated. This can be a tall order.
Most SecOps teams are bombarded with an increasing barrage of alerts each year. A recent IBM report also found that complexity is negatively impacting incident response capabilities. Those surveyed estimated their organization was using more than 45 different security tools on average and that each incident they responded to required coordination across around 19 security tools on average.
Depending on the enterprise size and industry, these tools may generate many thousands of alerts in periods ranging from hours to days, and many of them may be redundant or no value. One vendor surveyed IT professionals at the RSA conference in 2018. The survey results show that twenty-seven% of IT professional’s receive more than 1 million security alerts daily[1].
The cost and effort of reviewing all of these alerts are prohibitive for most organizations, so many are effectively deprioritized and immediately ignored. Some surveyed respondents admit to ignoring specific categories of alerts, and some turn off the security alerts associated with the security controls that generate much of the alert traffic. However, the one alert you ignore may have resulted in a major data breach to the organization.
Tier 1 SecOps analysts have to manage this barrage of alerts. They are surrounded by consoles and monitors tracking many activities within enterprise networks. There is so much data that incident responders cannot process but a fraction of it. Alerts pour in every minute and ratchet up the activity level and the attendant stress throughout the day.
A Tier 1 SecOps analyst processes up to several hundred alerts in a day that require quick review and triage. As the alert is logged, the Tier 1 SecOps analyst usually goes through a checklist to determine further prioritization and determine if further escalation is required. This can vary substantially depending on the automation and tools which support their efforts.
Once the alert is determined to be potentially malicious and requires follow-up it is escalated to a Tier 2 SOC Analyst. Tier 2 SOC Analysts are primarily security investigators. Perhaps only 1% or less are escalated to a Tier 2 SOC analyst for deep investigation. Once again, the numbers can vary substantially depending on the organization and industry.
Security investigators will use a multitude of data, threat intelligence, log files, DNS activity, and much more to identify the exact nature of the potential breach and determine the best response playbook to use. In the case of a severe threat, this response and subsequent remediation must be done in the shortest possible amount of time, ideally measured in minutes if not just a very few hours.
In the most dangerous scenario that a threat actor has executed what is determined to be a zero-day attack, the SOC team works with IT, operations, and the business units to protect, isolate, and even take critical servers offline to protect the enterprise. Zero-day attacks raise the SOC to a war footing, which, if properly and rapidly executed against the team’s playbooks, can help mitigate further damage from what is otherwise previously unknown attack techniques. These require the skill and expertise of advanced security analysts to help assess and mitigate complex ongoing cyberattacks.
Given the barrage of alerts, it is essential to adopt a strategy to fit best the capabilities of your team against a priority-driven process. This allows you to optimize your response to alerts, best manage the resources on the SecOps team, and reduce the risk of a dangerous breach event.
There are several strategic views that SOC leadership can take on how to best approach prioritization. These include data driven strategies using tools like DLP, threat driven strategies to bolster defenses and shorten reaction time to threat vectors active in your industry and geography, and perhaps asset driven strategies, where certain assets will merit enhanced protection and priority driven escalation for alerts. Most organizations find that an integrated mix of these strategies addresses their overall needs.
The first approach to prioritization, consistent with the tenets of zero trust, is to take a data-driven approach. Customer data and intellectual property are often at the center of every organization’s most protected jewels. One way to move this into focus within SecOps would be to implement Data Loss Prevention (DLP). Data loss prevention (DLP), per Gartner, may be defined as technologies that perform both content inspection and contextual analysis of data sent via messaging applications such as email and instant messaging, in motion over the network, in use on a managed endpoint device, and at rest in on-premises file servers or in cloud applications and cloud storage. These solutions execute responses based on policy and rules defined to address the risk of inadvertent or accidental leaks or exposure of sensitive data outside authorized channels.
Enterprise DLP solutions are comprehensive and packaged in agent software for desktops and servers, physical and virtual appliances for monitoring networks and email traffic, or soft appliances for data discovery. Integrated DLP works with secure web gateways (SWGs), secure email gateways (SEGs), email encryption products, enterprise content management (ECM) platforms, data classification tools, data discovery tools, and cloud access security brokers (CASBs).
Threat intelligence focuses on defense and triage priority from the data to external threat actors and the techniques they are most likely to utilize. Threat intelligence can give the SOC the data they need to anticipate threat actors and the Tactics, Techniques, and Procedures (TTPs) these threat actors might use. Further, threat intelligence can provide a path to recognize the often unique Incidents of Compromise (IOCs) that can uniquely identify a type of cyberattack and the threat actor that uses them. The goal, of course, is to identify and prevent these most likely attacks before they occur or stop them rapidly upon detection.
The consolation prize is also a good one. If you cannot prevent an attack, you must be able to identify an unfolding threat. You must identify the attack, break the attacker’s kill chain, and then stop the attack. Threat intelligence can also help you assess your environment, understand the vulnerabilities that would support the execution of a particular kill chain, and then let you move rapidly to mitigate these threats.
In August of 2020, researchers from Dutch and German universities[2] co-presented at the 29th Usenix conference on a survey they conducted. The survey showed that there is less overlap between threat intelligence sources than most of us would expect. This includes both open (free) and paid threat intelligence sources. The moral of the story is that large organizations likely need a wide set of threat intelligence data from multiple sources to gain an advantage over threat actors and the attack vectors they are likely to use. And these sources must be integrated into a common dashboard where SecOps threat investigators can rapidly leverage them.
Of course, certain assets are more valuable than others. This can be a function of the data they may uniquely hold, and the access to network, applications, and information resources frequented by their owners, or the level of criticality of the asset’s function. For example, the chief financial officer’s laptop may be assumed to be in possession of the most sensitive data, or medical device monitor during surgery or command controller for manufacturing production. Hence they may deserve higher priority in terms of protection.
MVISION XDR provides capabilities leveraging all of these prioritization strategies: data-driven, threat-driven, and asset-driven. On top of this MVISION XDR offers predictive assessment based on global threats likely to target your organization with a local assessment of how your environment can counter the threat. This “before the attack” actionable assessment is powered by the distinct MVISION Insights empowering SOC to be more proactive and less reactive. Here is a preview of MVISION Insights top ten threat campaigns. Here are some key prioritization examples delivered in MVISION XDR:
Key MVISION XDR Prioritization Examples
| Priority Strategy (ies) | Capability Description | Benefit & Value |
| Data-driven | Alert based on data-sensitivity | Focus on critical impact activity |
| Threat-driven | Automatic correlated threat techniques to derive at likely next steps | Gain confidence in the alert less false positives |
| Threat-driven | View trends and threat actors targeting your organization | Reduce the universe of threats and actors to those that matter |
| Asset-driven | Tag critical assets for automated prioritization | Address threats to critical assets faster |
MVISION XDR can help you implement and optimize your prioritization strategy. Your SecOps team will have the improved triage time they need with prioritized threats, predictive assessment, and proactive response, and the data awareness to make better and faster decisions. To learn more, please review our Evolve with XDR webpage or reach out to our sales team directly.
[1] https://www.imperva.com/blog/27-percent-of-it-professionals-receive-more-than-1-million-security-alerts-daily/
[2] https://www.usenix.org/system/files/sec20_slides_bouwman.pdf
The post The Art of Ruthless Prioritization and Why it Matters for SecOps appeared first on McAfee Blog.
The latest gadget on the tech and fashion streets is Ray-Ban Stories, a sunglasses collaboration between Facebook and Ray-Ban. These pair of shades feature two cameras that capture video, audio, and photos and sync to a mobile app. Social media fanatics are excited about this new ability to capture and share hands-free content.
Do gadgets like Ray-Ban Stories make you immediately think, “Cool, but what about the security and privacy red flags?” If so, you may be suited to a career in cybersecurity. Everyone benefits from implementing cybersecurity best practices into their daily lives, and those who enjoy a career in the field experience many benefits.
Check out these four benefits of a career in cybersecurity and discover if this might be the path for you.
One of the best things about working in cybersecurity is you go to work every day knowing that you’re helping people. Nightly news broadcasts are littered with reports of major disruptions caused by cyberattacks, such as the Colonial Pipeline incident. Sometimes, even people’s lives are at stake in the cybersecurity realm, as in the case of connected pacemaker security vulnerabilities.
Cybersecurity professionals can feel good that their work gives people the confidence to go about their daily lives without worrying. The fear of identity theft, phishing, and malware stop people from enjoying their connected devices and the internet to the fullest. Technology is capable of incredible feats, and everyone should be able to use it enthusiastically.
Saving the world from cybercriminals is financially rewarding as well as personally rewarding. Cybersecurity professionals are in high demand as nearly every business in every sector is at risk of a breach, DDoS, or ransomware attack at any time. Average entry-level positions begin over $80k CDN. Seasoned professionals can make six figures. Additionally, cybersecurity professionals are in high demand, so you will likely enjoy solid job security.
3. Work in a Global Industry
Another benefit of a career in cybersecurity is the opportunity to work in a global industry. You’ll get to meet coworkers and clients all over the world. The diversity of outlooks and backgrounds can make every day a learning experience.
If you’re a keen traveler, working in cybersecurity allows you to explore the world. First, much of the work you would be completing can be done remotely. As long as you have a secure and strong internet connection and are OK with time zone differences, you may be able to work from anywhere. Also, there are opportunities for trips to international conferences and meetups with satellite offices or clients.
Working in a global industry means that you can be a cybersecurity ambassador for your home country. For example, if your home country has devised an innovative new technology, you may have the opportunity to teach others abroad. Or, if another country has developed an exciting new technology, you can learn about it and perhaps tailor it to your location.
Cybersecurity is a highly specialized field, which means there is definitely a branch of it that plays to your strengths and interests you. Also, if you get tired of one aspect of the field, you can likely stay with your same company but move to a different department.
Here are a few areas of cybersecurity specializations that may speak to you:
McAfee can help you achieve your cybersecurity career aspirations. It’s an exciting, fast-paced field, and McAfee is at the forefront of new innovations. Check out current McAfee career openings and embark on your new career today!
The post How to Start a Career in Cybersecurity appeared first on McAfee Blogs.
When it comes to crime, what do people worry about most? Having their car stolen? A break-in while they’re not at home? Good answers, but not the top answer by a long shot. In this U.S.-based survey, hacker-related crime weighed in at 72%, with a home burglary at 35% and auto theft at 34%, indicating that people’s concerns about cybercrime are very much front and center.
The good news is that plenty of cybercrime can be prevented, or at least made less likely, provided you protect yourself online, much in the same way you take steps to protect your car or home. And that’s the focus of this year’s Cybersecurity Awareness Month. With the theme of “Do Your Part. #BeCyberSmart,” it reminds us of how we can take charge of our own safety—the ways we can look out for ourselves and others as we enjoy our time online.
Throughout October, we’re participating in Cybersecurity Month here on our blogs and across our social media channels, posting a host of ways that you can help keep cybercrooks away from your digital doorstep. Each week, we’ll tackle a different aspect of online protection:
Maybe it comes as no surprise to hear it, yet one recent study shows the average person spends nearly eight hours a day online. With that, we’re taking this week to focus on the family, how they spend their time online and how they can be safer when they do.
Whether they come by email, text, or DM, phishing attacks account for the most common types of reported cybercrime, according to the FBI Internet Crime Complaint Center. This week, we’ll show you how you can indeed fight the phish!
This sentiment sums up the best of the internet in so many ways. Getting out there, discovering, catching up with friends online. Our focus this week is helping you enjoy it all without any of the bad apples out there spoiling your fun.
We wrap it up with a look at some of the top priorities so everyone in the family can #BeCyberSmart—online banking, app scams, privacy, identity theft, and more—along with plenty of straightforward tips that can help you stay safer.
We hope our posts throughout Cybersecurity Awareness Month help you get a little sharper and feel a little safer so you can enjoy your time online, free from hassles or headaches. Look for more from us throughout October!
The post Cybersecurity Awareness Month: Taking Charge of Your Safety Online appeared first on McAfee Blog.
I spoke with Anand Ramanathan, VP of Products and Marketing who brings over 20 years of enterprise SaaS product experience ranging from high growth startups to established market leaders. Read the interview below to understand his thoughts on McAfee Enterprise and where he see’s the company going in the coming years.
Q: What is your ideal way to spend a Sunday? |
Every ideal Sunday has 3 components:
Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise in the coming years? |
The adversarial landscape has always been a digital cat and mouse game. McAfee Enterprise’s investment in AI over the years has allowed its solution to stay ahead of adversaries and provide industry-best protection for its customers. With adversaries pivoting their techniques at a more rapid pace, it has become imperative for security solutions to leverage the cloud and AI capabilities.
Q: Can you talk about McAfee Enterprise’s history of Insights and how it is used to improve cybersecurity capabilities, including protecting against cyber threats? |
Insights was born out of two very simple questions that CISOs get asked: Were we impacted by a given threat? Will our defenses protect us from the threat?
With an increase in security breaches being covered by popular press; board and executive management are becoming more attune with the threat landscape. We are seeing them start to ask the important questions to their security teams.
At McAfee Enterprise, we saw the gap in knowledge within security teams to give quick and efficient answers to the two pivotal questions. And given our depth in threat research and data analytics capabilities, innovated with the industry’s first proactive security solution in MVISION Insights, we feel we can answer the above questions, placing crucial information in the hands of the security teams. The feedback from our customers has been tremendously positive.
Q: What goals and initiatives are you focusing on to drive the company for the rest of 2021 and beyond? What IT capabilities do you have your eye on? |
McAfee Enterprise is at the center of three key buzzwords of 2021 – SASE, ZTNA, and XDR. We have been at the forefront of innovating in these areas with the release of MVISION Insights, MVISION Private Access, and MVISION UCE with integrated Remote Browser Isolation. We also have leadership in MITRE based attack detection for endpoint and cloud and MVISION marketplace for security ecosystem integration. We will be continuing this innovation velocity and lead the market with new capabilities on Zero Trust and XDR integration with the security ecosystem. Stay tuned, more to come!
The post Executive Spotlight: Q&A with VP of Products and Marketing, Anand Ramanathan appeared first on McAfee Blog.
You can’t automate every business process. While I love automation and promote the concept, I know its limitations. This viewpoint needs to be recognized and observed as more security officials implement automation within their organizations.
I’d estimate that for most enterprises, the first 80 percent of migrating and integrating processes to automation is easy to do. The last 20 percent is hard to accomplish.
This breakdown helps you set realistic expectations about automation. I enjoy how automation saves time by generating useful data through repetition. But right now, data compiled from some activities still require a human being to examine the results and make a decision. You will still need a critical eye from your security operations team or managed security services provider when looking at the useful data or anomalies.
We still need to address the 20 percent and realize that the situation may not be as much of a challenge as we think initially. Here are some examples of what I mean.
Your automation detects and notes that one of your executives is connecting to your network from Russia. How do you know whether that executive is actually in Russia or if someone there is impersonating that executive? For optimal security, there needs to be human interaction to review the information and determine whether to let that person should be allowed to connect.
Or consider when IT officials at a hospital used the McAfee Enterprise ePolicy Orchestrator (ePO) console to automate a deeper level scan of physicians’ laptops. This scan occurred before the physicians began their daily scans by sending over someone from the hospital’s operations department to clean the laptop and comply with HIPAA regulations. To collect the events compiled from the laptops, the IT officials used IBM® QRadar® Device Support Module (DSM) for McAfee Enterprise ePO. This platform integrated from IBM Security uses analytics for insights into potential threats to data.
With this setup, whenever an anomaly appeared in QRadar, such as some unusual behavior at the network level, an IT official at the hospital would right-click and add the IP address to a different scan group in ePO through the application programming interfaces (APIs). Automating that initial first pass of scanning the laptop finds these discrepancies quickly. But ultimately humans like IT officials must review the notification and send a message to McAfee Enterprise expert to clean the anomaly from the laptop themselves and confirm the anomaly was removed.
So, it’s hard to automate the 20 percent done by humans in your organization as shown here. But what the 80 percent of easy automation does for the rest of your business processes can outweigh that perceived drawback.
You can easily find yourself at work engulfed in an ocean of data. Indicators from your automation help you find out what’s important. Activity from the endpoints of your network gives you or an MSSP a view of what’s happening with your data.
Most systems today have everything connected to the internet. The endpoints interact with your network. Having broad visibility and detection across your network — whether it’s looking at DNS logs, proxy logs, traffic and so on — allows you to correlate information and identify what’s taking place right now.
The real-time aspect of automation for data on your network is vital important. Threats to your network depends both on how much time they require to activate and how long before they are detected and remediated. Automation that’s easy to implement helps find attacks quickly with a real-time detection engine that can minimize the damage that takes place.
Experts at McAfee Enterprise and our partners at IBM Security can help with troubleshooting by providing support for the 20 percent automation you can’t fulfill. You can investigate a full lifecycle of endpoint events using McAfee Enterprise MVISION and IBM QRadar integrated together. And you can automate remediation with the IBM Security SOAR (security orchestration, automation and response) platform.
With these tools, you can integrate the data available from threat feeds in one platform for better visibility and context. IBM’s managed security services experts can help you answer questions around how to best configure, administrate and manage endpoint security incidents based on that data collected by automation.
We can also help you learn about other technologies and trends that are happening that our experts deal with every day. Consultants can help you identify how to lower or minimize costs of attacks and breaches as well as work proactively to address these issues. Automation can’t provide you with these resources, but we can.
We have researchers at work looking how to merge that last hard 20 percent of automation implementation into the 80 percent of easy migration and conversion. For now, accept the notion that automation can handle most tasks for your organization and save you time and costs in the process. And what automation can’t do in those areas, we at McAfee Enterprise and IBM Security can help fill in the gaps.
Learn more about what automation with expert support can do for you by reviewing the features of MVISION Endpoint Security and IBM Managed Security Services. Or schedule a free 30-minute consultation with IBM Security by clicking the “Let’s talk” button on the IBM Managed Security Services homepage.
The post Why Can’t We Automate Everything? appeared first on McAfee Blog.
On March 21st, 2021, the McAfee Enterprise Advanced Threat Research (ATR) team released several vulnerabilities it discovered in the Netop Vision Pro Education software, a popular schooling software used by more than 9,000 school systems around the world. Netop was very responsive and released several updates to address many of the critical findings, creating a more secure product for our educators and children to use. During any vulnerability research project, as we continue to gain a deeper understanding on how a product works, additional threat vectors become apparent which may lead to additional findings; this proved once again true during the Netop research. In this blog we will highlight an additional finding: CVE-2021-36134, a vulnerability in the processing of JPEG images, on the Netop Vison Pro version 9.7.2 software. The main emphasis will focus on the process and techniques used during blackbox fuzzing of a Windows DLL.
Fuzzing can be a challenging exercise and just knowing where to start can be cause for confusion. There are many different fuzzers on the market, many of them primarily designed to handle open-source projects on Linux. In late 2020 Google’s Project Zero team released a new fuzzer named Jackalope. Jackalope is a coverage-guided fuzzer, meaning it keeps track of code paths during testing and uses that information to guide its future mutations. Jackalope leverages a library called TinyInst for its code coverage and allows for command line parameters related to code coverage to be passed directly to TinyInst. What caught my attention about Jackalope was that it was designed with a blackbox, Windows and MacOS first mentality. It was built to fill a gap in Windows blackbox fuzzing, which has existed for some time and therefore warranted further investigation. During the time of Jackalope’s release, we were working on the Netop Vision Pro research which runs primarily on Windows, so it was logical to test Jackalope to see if we could discover any new vulnerabilities on Netop Vision Pro.
The Jackalope documentation does a great job of explaining the setup and build process to get started. For this setup we set up shop on a Windows 10 fully patched system and compiled Jackalope from the GitHub repo using Visual Studio 2019. In a short amount of time, it was time to test the setup. The repo provides a test binary which can be built with the source and therefore is the best place to understand how the fuzzer works. There are just under a few hundred lines of code, but how it works can be summed up in just a few lines, as seen in Figure 1.
Figure 1 test.cpp
Examining the test code, it becomes apparent the test binary simply crashes if it finds the word “test” in memory. It causes a crash by attempting to write the value “1” at an invalid memory address, “NULL”. Therefore, to ensure the fuzzer is working properly we need to create a small input corpus. This can be done by creating an “in” directory and placing a couple of text files within it, one containing the word “test”. We are not looking for crashes or new vulnerabilities during this test, but simply making sure our setup is functioning as expected. The test run can be seen in Figure 2, where the command to execute the test case was taken from the Jackalope documentation.
Figure 2 Testing fuzzer
When selecting an overall target function, it’s first important to look at how an application takes input alongside with how the fuzzer can tailor that input. Jackalope is designed to provide either a file or a chunk of shared memory to the target. This gives a lot of flexibility since almost anything can be set up as shared memory including network packet payloads. The trick becomes how to pass the file or shared memory to the target. In larger applications on Windows, a typical approach is to determine what functionality you want to fuzz, find a DLL that exports a function within the target code path, and pass that function the input. The closer the exported function is to the end of the desired code path to fuzz, the less headaches, and better results you will have trying to exercise the desired code.
Through the research done on Netop, we had a deep insight into how the system functions and the very large number of DLLs that it contains along with the numerous amounts of exported functions. After review, the function MeImgLoadJpeg which is exported in MeImg.dll stuck out as a good place to get started.
Figure 3 MeImgLoadJpeg Header
What makes this a good candidate for fuzzing? First, how, and when this function is executed is important. This function gets executed on both the student and teacher machines whenever a JPEG image is loaded into the system. For students this is when an image is pushed over the network to them; for example: when a teacher uses the blank screen feature on a student. On the teacher’s machine this function is called when a teacher loads an image to send to the student. The key components here are that it is potentially executed often, input can come from a local file or a network file and it affects both components of our system.
Second, when investigating this function further, the parameters are fuzzing friendly. Through light reversing, it can easily be seen that it takes a file path and opens the file directly within the function. This makes fuzzing it with Jackalope very simple since it supports file fuzzing and we won’t need to open or manipulate the test file in memory. Also, very few parameters are passed, one of which (BITMAPINFOHEADER), is well documented by Microsoft, making it simpler to construct valid calls. This also is true for the return parameter, HBITMAP. This will make it easy to determine success and failure conditions. Lastly, the fuzzable component of this function is a JPEG file. JPEG is a well-documented format and a well-fuzzed format, making test corpus generation and potentially crash analysis simpler.
In most fuzzing setups, a custom program is necessary to setup the required structure and complete any initialization required by the target function. This is commonly referred to as the test harness. It is required any time your target for fuzzing is not the main binary or executable, which tends to be the case most of the time. For example, if you want to fuzz a small executable like the “file” command on Linux, you don’t always require a test harness, since the binary takes its input (a file) directly from the command line and there is little to no setup required to get to your desired state. However, in many cases, especially on Windows, it is common to be looking to fuzz part of the code that is often not as directly accessible or requires setup before it can be passed the fuzzed data. This is where a test harness comes into play. Using the Jackalope “test.cpp” file provided in the GitHub repo, it is easy to see an example of what is needed when writing a test harness. The harness needs to configure the incoming test case as ether a file or shared memory input, set up parameters for the target function, call the function, and, if needed, create a crash to indicate a found crash to Jackalope.
To get started we first must load the DLL which contains our target function. In Windows this is usually performed with a call to “LoadLibrary”. Since our entire purpose is to fuzz a function within this DLL, if it fails to load, we should just exit.
Figure 4 LoadLibrary
Now that the DLL is loaded into memory, we need to obtain the address of our target function. This is commonly done through “GetProcAddress”.
Figure 5 GetProcAddress
The next step, setting up the parameters for the target function, is arguably the most crucial and can be the most difficult step in building a test harness. The best trick to get this right is to find examples of your target function being called in the real application and then mimic this setup in your test harness. In Netop, this function is only called by one other function. Figure 6 shows a slightly cleaned up version of a portion of the IDA decompilation of the function which calls MeImgLoadJpeg.
Figure 6 IDA Pro Decomplication of call to MeImgLoadJpeg
We can learn some key points from this call that are important to keep consistent if we want to find a useful crash. We know the first parameter (a2) is simply a file path. In our code, we do need to ensure our file path is in the format of a wide-character, since this is the typical format for a Windows file path. The second parameter (v8) is a Windows BITMAPINFOHEADER object. We can see from this code all the members of the BITMAPHEADER object are being set to 0 using a “memset”, except the “biSize”, which is being set to “40”. Since this is the only time this function is called in the Netop application, if we want to find a bug that has a chance to be leveraged through Netop, we need to follow this format. Why the value is set to 40 is less relevant for our purposes within the test harness; however, it may require investigation depending on any crashes found. The same principle holds true for the 3rd and final parameter. We see here it is hardcoded to zero, so we want to do the same. Could we test other values? Of course, but if Netop is hardcoded to zero we would never actually be able to pass anything else outside of our exercise. Using our additional understanding from Figure 6, we put the below code in Figure 7 into our harness.
Figure 7 Target Function Setup
With our parameters configured, we now need to simply call the function we want to fuzz. Where is the fuzzed data? In this case, our fuzzed data will be the jpeg file. The fuzzer will be passing a file path of a mutated jpeg file.
Figure 8 Calling MeImgLoadJpeg
This next step is highly dependent on the target function. If the target function will not fail in a manner that will crash your harness (throw an unhandled exception), then you need to create a crash for a failed test case. This can be seen in Figure 1 test.cpp. In this case, the target function has error handling and we are interested in any case which causes an unhandled exception within our DLL. If the DLL throws an unhandled exception, it will crash our test harness. As a result, we only need to check the return value for our own purposes to confirm things are working properly. This is good for initially testing, but we will want to remove any unnecessary code for our actual fuzz run. A non-null return value means the jpeg image was parsed and null means a handled error occurred, which is uninteresting for our case.
Figure 9 Checking the return value
With all this framework in place, we can run our harness with a valid image and confirm we get the expected result.
Figure 10 Test run
Although the above test harness code will successfully execute the target function and fully function within our fuzzer, we can make a few targeted changes to increase performance and results. One of the slowest operations in an application is printing to the screen, and this is true when fuzzing. Error checking is extremely helpful for development; however, printing “Result was not null” or the inverse every time will reduce our executions per second and doesn’t add anything to our fuzzer. Additionally, it is important not to introduce any extra code in our “fuzz” function which could potentially introduce additional code paths. This could cause the mutators to think that it found a new path of interesting code, when in fact it’s only the harness. As a result, you want your “fuzz” function to be the absolute bare minimum required to execute your code and perform other setup actions outside this function.
Now that we have a working test harness, we need to create a test corpus or input files for the fuzzer. The importance of this step for fuzzing cannot be overstated. The test cases produced by a fuzzer or only as good as the ones provided. In most cases, you are looking to create a set of minimal test inputs (and minimal size) that generate maximal code coverage.
Selecting or building a test corpus can be a complicated process. One of the advantages to using a known and popular format like JPEG is that there are many open-source corpora. Strongcourage’s corpus on GitHub is a great repo since it is many corpora combined and is the testing corpus that was used to find CVE-2021-36134. Jackalope does not recursively traverse directories when reading the input directory and does not throw an error in this regard, therefore it is important to make sure your corpus directory is only one level deep.
Using this basic outlined method and running Jackalope in the same fashion as the example test binary, a write access violation crash is found in the MeImgLoadJpeg in just a few minutes. This write access violation bug is filed as CVE-2021-36134.
This violation occurs because of memory being allocated for the destination of a memory copy based on the default three color components of a JPEG image, instead of using the value provided in the input file’s JPEG header. The copy is using the values provided by the file to determine the address of where to copy the image in memory. A write access violation occurs when a malformed image reports having four color components instead of the default three and the memory allocated is not the same size as the actual image.
Given the extensive prior reports and full system vulnerabilities we submitted to NetOp before, we decided not to take the analysis further and determine if the bug was truly exploitable. The code path can be leveraged over the network, by utilizing the teacher’s blank student screen feature. It is worth noting this code runs on both the student and the teacher, so the teacher would be unable to load this image to send to a student without crashing their own system. An attacker could leverage the previously discovered and disclosed vulnerabilities to emulate a teacher and send this image to a student regardless. Since the destination of the memory copy is being calculated based on image width and number of color components, it is plausible for an attacker to control where the “write” takes place; however, they would need to use an address space that could be calculated without invalidating the image further. In addition, the code is writing pixels from the image which is also under the attacker’s control. As a result, this could lead to a partial arbitrary write.
Fuzzing can be a fantastic tool for discovering new vulnerabilities in software. Although having source code can enhance fuzzing, it should not be considered a barrier of entry. Many tools and techniques exist which can be used to successfully fuzz blackbox targets and in turn help enhance the security of the industry.
One goal of the McAfee Enterprise Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Leveraging Google Project Zero team’s Jackalope and blackbox fuzzing techniques a JPEG parsing vulnerability, CVE-2021-36134 was discovered in Netop Vision Pro version 9.7.2. As per McAfee Enterprise’s vulnerability public disclosure policy, the ATR team informed Netop on June 25th, 2021, and worked directly with the Netop team. This partnership resulted in the vendor working towards effective mitigations of the vulnerability detailed in this blog.
The post Finding 0-days with Jackalope appeared first on McAfee Blog.
Today, enterprises tend to use multiple layers of security defenses, ranging from perimeter defense on network entry points to host based security solutions deployed at the end user’s machines to counter the ever-increasing threats. This includes inline traffic filtering and management security solutions deployed at access and distribution layers in the network, as well as out of band solutions like NAC, SIEM or User Behavior Analysis to provide identity-based network access and gain more visibility into the user’s access to critical network resources. However, layered security defenses face the major and recurring challenge of detecting newer exploitation techniques as they heavily rely on known behaviors. Additionally, yet another significant challenge facing the enterprise network is detecting post-exploitation activities, after perimeter security is compromised.
Post initial compromise, to be able to execute meaningful attacks, attackers would need to steal credentials to move laterally inside the network, access critical network assets and eventually exfiltrate data. They will use several sophisticated techniques to perform internal reconnaissance and remote code execution on critical resources, which range from using legitimate operating system tools to discover network assets to using novel code execution techniques on the target. Consequently, differentiating between the legitimate and malicious use of Windows’ internal tools and services becomes a high priority for enterprise networks.
To tackle this long-standing problem of detecting lateral movement, enterprise networks must formulate active in-network defense strategies to effectively prevent attackers from accessing critical network resources. Network Deception is one such defensive approach which could potentially prove to be an effective solution to detect credential theft attacks. Detecting credential stealing attacks with deception essentially requires building the necessary infrastructure by placing the decoy systems within the same network as production assets and configuring them with decoy contents to lure the attackers towards the decoy machines and services. Accurately configuring and tuning the deceptive network can deflect the attacker’s lateral movement path towards the deceptive services, consequently allowing the attackers to engage with the deceptive network, helping enterprises protect production assets.
MITRE Shield, a knowledge base maintained by MITRE for active defense techniques highlights many of the methods in adversary engagement. Some of the techniques described by MITRE Shield Matrix with respect to network deception are as below:
| MITRE Shield | Description | ATT&CK Technique |
| Decoy Account – DTE0010 | A decoy account is created for defensive or deceptive purposes. The decoy account can be used to make a system, service, or software look more realistic or to entice an action | Account Discovery, Reconnaissance |
| Decoy Credentials – DTE0012 | Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) | Credential Access, Privilege Escalation |
| Decoy Diversity – DTE0013 | deployment of decoy systems with varying Operating Systems and software configurations | Reconnaissance |
| Decoy Network – DTE0014 | Multiple computing resources that can be used for defensive or deceptive purposes | Initial Access |
| Decoy Personna – DTE0015 | Used to establish background information about a user. In order to have the adversary believe they are operating against real targets | Initial Access, Discovery, Reconnaissance |
| Decoy System – DTE0017 | Computing resources presented to the adversary in support of active defense | Reconnaissance |
Over the course of this paper, we will discuss some of the widely adapted credential theft attacks executed by adversaries after the initial compromise and then move on to discuss defense techniques against the above MITRE Shield attacks and how to use them effectively to detect deceptive credential usage in the network.
Lateral movement refers to the tools and techniques used by attackers to progressively expand their foothold within an enterprise network after gaining initial access. As shown in the figure below, lateral movement activity comprises of several stages starting from credential theft, target enumeration and discovery, privilege escalation, gaining access to network resources and eventually remote code execution on the target before exfiltrating data to accomplish a successful attack. Once inside the network, attackers will deploy a range of techniques at each stage of lateral movement to achieve their end goal. One of the primary challenges an attacker will face while moving laterally inside a network is to hide their activities in plain sight by generating a minimum volume of legitimate looking logs to be able to remain undetected. To achieve this, an attacker might choose to embed the tool within a malicious executable or use the operating system’s internal legitimate tools and services to perform its lateral movement operations, consequently making this network traffic harder to distinguish.
As per the Verizon DBIR report 2020, over 80% of data breaches involve credential theft attacks. Credential theft is one of the primary tasks attackers need to perform post-exploitation and after gaining initial control of the target machine. It will usually be the first step towards lateral movement strategies which will allow attackers to elevate their privileges and acquire access to other network resources. As indicated earlier, attackers have long been abusing Windows legitimate features like SMB, RPC over SMB, Windows Management Instrumentation, Windows Remote Management, and many other features to perform lateral movement activities. Figure 1 below highlights where lateral movement falls within the attack chain and its different stages. To remain stealthier, these activities would span a period ranging from many weeks to months.
Figure 1 – Stages of Lateral movement
To be able to distinguish between the admissible and malicious use of these inbuilt services, it is extremely critical for organizations to deploy advanced Threat Detection solutions. Over the course of this blog, we will discuss various credential theft techniques used by adversaries during lateral movement. We will also discuss an approach that can be used to effectively detect these techniques inside the network.
Attackers use a variety of tools and techniques to execute credential theft attacks. Many of these tools are open source and readily available on the internet. Operating systems like Windows implement Single Sign On (SSO) functionality, which require the user’s credentials to be stored in memory, thereby allowing the OS to seamlessly access network resource without repeatedly asking the user to re-enter those credentials. Additionally, user credentials are stored in memory in a variety of formats like NTLM hashes, reversibly encrypted plaintext, Kerberos tickets, PINs, etc., which can be used to authenticate to services depending upon the supported authentication mechanism. These credentials can be acquired by attackers from memory by parsing appropriate credential storage structures or using the Windows credential enumeration APIs. Consequently, these attacks pose major security concerns, especially in the domain environment if the attacker gains access to privileged credentials which can then be reused to access critical network resources. In the following sections, we discuss some of the widely adapted credential stealing techniques used by malware, with respect to the Windows operating system. Similar credential stealing techniques can also be used with other operating systems as well.
The Local Security Authority Subsystem Service (LSASS) process manages and stores the credentials of all the users with active Windows sessions. These credentials stored in the LSASS process memory will allow users to access other network resource such as files shares, email servers and other remote services without asking them for the credentials again. LSASS process memory stores the credentials in many formats including reversibly encrypted plaintext, NTLM hashes, Kerberos Tickets (Ticket Granting Tickets, etc.). These credentials are generated and stored in the memory of the LSASS process when a user initiates the interactive logon to the machine such as console logon or RDP, runs a scheduled task or uses remote administration tools. The encryption and decryption of credentials is done using LsaProtectMemory and LsaUnProtectMemory respectively and hence a decryption tool using these APIs will be able to decrypt LSASS memory buffers and extract them. However, malware would need to execute with local administrator privileges and enable “SeDebugPrivilege” on the current process to be able access the LSASS process memory.
Below is a code snapshot from one of the famous credential harvesting tools, Mimikatz, enabling the required privileges on the calling thread before dumping the credentials.
Figure 2 – Checking for required privileges
We can see that the NTLM hash of the user’s credentials is revealed, and this can be brute forced offline as shown below. Many Windows services, such as SMB, support NTLM authentication and NTLM hashes can be used directly for authentication eliminating the need for the clear text passwords.
Figure 3 – Cracking NTLM Hashes offline
Attackers avoid using freely available tools like Mimikatz directly on the target machine to harvest credentials since they are easily detected by AVs. Instead, they use recompiled clones of it with minimal functionality to avoid noise. Below is one such instance where malware embeds recompiled Mimikatz code with the minimal required functionality.
Figure 4 – Credential extraction tool embedded inside malicious executable
Detection can also be avoided by using several “living off the land’ mechanisms, available in many post-exploitation frameworks, to execute the credential harvesting tools directly from memory using Reflective PE injection, where the binary is never written to the disk. Yet another approach is to dump the LSASS process memory using process dumping tools, exfiltrate the dump and extract the credentials offline. Microsoft has documented multiple ways to configure additional LSASS process protection which can prevent credentials being compromised.
The SAM database is a file on a local hard drive that stores the credentials for all local accounts on the Windows computer. NT hashes for all the accounts on the local machine, including the local administrator credential hash, are stored in the SAM database. The SAM database file is in %SystemRoot%system32/config and the hashes of the credentials are within the registry HKLM\SAM. Attackers need to acquire elevated privileges to be able to access the credentials from the SAM database. The example below demonstrates how the credentials from the SAM database can be revealed through a simple Meterpreter session.
Figure 5 – Dumping SAM database
Windows Credential Manager stores the Web and SMB/RDP credentials of users if they choose to save them on the Windows machine, thereby preventing the authentication mechanism from asking for those passwords again on subsequent logins. These credentials are encrypted with Windows Data Protection APIs (DPAPI) CryptProtectData, either using the current user’s logon session or a generated master key, and then saved on the local hard drive. Consequently, any process running in the context of the logged in user will be able to decrypt the credentials using CryptUnProtectData DPAPI. In the domain environment, these credentials can be used by attackers to pivot to other systems in the network. Data Protection APIs provide the cryptographic functionalities that can be used to securely store credentials and keys. These APIs are used by several other Windows components like browsers (IE/Chrome), certificates and many other applications as well. Below is one example of how credential dumping tools like Mimikatz can be used to dump stored Chrome credentials.
Figure 6 – Dumping browser credentials
DPAPI can be abused in multiple ways. In the Active Directory domain joined environment, if other users have logged into the compromised machine, provided a malware is running with escalated privileges, it can extract other user’s master keys from the LSASS memory which can then be used to decrypt their secrets. Below is a screenshot of how the master key can be extracted by using the credential dumping tool.
Figure 7 – Extracting DPAPI Master Key
Malware also tends to use multiple variants of credential enumeration APIs available within Windows. These APIs can extract credentials from Windows Credential Manager. Below is one instance of the malware using CredEnumerateW API to retrieve credentials and then search for terminal services passwords which It would use to pivot to other systems.
Figure 8 – Extracting credentials using Windows API
In the domain joined environment, the Kerberos protocol has a significant role to play with respect to authentication and requesting access to services and applications. It provides Single-Sign-On functionality for accessing multiple shared resources within the enterprise network. The Kerberos authentication mechanism in Active Directory involves multiple requests and responses like Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) supported by a Key Distribution Server (KDC), usually a Domain Controller. Upon successful authentication, a user will be able to access the respective services.
Attackers gaining access to a system joined in the domain would usually look for high value assets like Active Directory Controller, Database server, SharePoint server, Web Server, etc., and these services are registered in the domain with the specific Service Principal Name (SPN) values, which is a unique identifier of the Service Account in the domain. These SPN values are used by Kerberos to map the instance with the logon account allowing the client to authenticate to the respective service. Well known SPN values are listed out here. Once the attacker is authenticated with any domain user credentials and has information about the SPN values of the services within the domain, they can initiate the Kerberos Ticket Granting Service request (TGS – REQ) to the Key Distribution Server with the specified SPN value. Details on how the SPN values are registered and used in Kerberos authentication is documented here. TGS response from the KDC will have the Kerberos Ticket encrypted with the hash of the service account. This ticket can be extracted from the memory and can be brute forced offline to acquire service account credentials, allowing a domain user to gain admin level access to the service.
Kerberoasting is a well-documented attack technique listed in MITRE ATT&CK and it essentially abuses the Kerberos authentication allowing adversaries to request the TGS Tickets for the valid service accounts and brute force the ticket offline to extract the plain text credentials of the service accounts, consequently enabling them to elevate their privileges from domain user to domain admin. As an initial step to this lateral movement technique, the attacker would perform an internal reconnaissance to gain information about the services registered in the domain and get SPN values. A simple PowerShell command after importing the Active Directory PowerShell module, as shown below, can initiate the LDAP query to get information about all the user accounts from the Domain Controller with the SPN value set.
Figure 9 – PowerShell command to generate LDAP query
Attackers can specifically choose to scan the domain for MSSQL service with the registered SPN value used for Kerberos authentication. PowerShell scripts like GetUserSPNs can scan all the user SPNs in the domain or MSSQL service registered in the domain with Discover-PSMSSQLServers or Invoke-Kerberoast scripts. Following is an example output from the script:
Figure 10 – Kerberoasting PowerShell script output
Once an attacker has the SPN value of the SQL service, a Kerberos Ticket Granting Service Ticket request (TGS-REQ) can be initiated to the domain controller with the SPN value. This can be done by a couple of PowerShell commands generating KRB-TGS-REQ as shown below:
Figure 11 – Kerberos TGS request
Consequently, the Domain Controller sends the TGS-RESP with the ticket of the service account which will be cached in the memory and can be extracted by dumping tools like Mimikatz as a .kirbi document. This can be brute forced offline by tgsrespcrack, allowing the attacker to gain unrestricted access to the service with elevated privileges.
As indicted earlier, once an attacker has penetrated the domain network, it will be natural to progress towards targeting critical assets, such as the Active Directory controller. The Active Directory Database Services AD DS Ntds.dit file is one of the most overlooked attack vectors in the domain environment but can have significant impact if the attacker is able to gain the domain administrative rights leading to complete domain compromise.
The Ntds.dit file is the authoritative store of credentials for all the users in the domain joined environment, storing all the information about the users, groups and memberships, including credentials (NT Hashes) of all the users in the domain with historical passwords and user’s DPAPI backup master keys. An Attacker with domain admin rights can gain access to the Domain Controller’s file system and acquire credentials like hashes, Kerberos tickets and other reversibly encrypted passwords of all the users joined in the domain by dumping and exfiltrating the Ntds.dit file. These credentials can then be used by the attacker to further access resources by using attack techniques like PTH within the network since the credentials used across other shared resource could be same.
Multiple techniques can be used to dump the Ntds.dit file from the Domain Controller locally as well as remotely and extract the NTLM hashes/DPAPI backup keys for all the domain joined users. One of the techniques is to use the Volume Shadow Copy Service using the vssadmin command line utility and then extract the Ntds.dit file from the volume shadow copy as shown below.
Figure 12 – Dumping Volume shadow copy for C drive
Sensitive data on Active Directory is encrypted with the Boot Key (Syskey) stored in the SYSTEM registry hive and dumping the SYSTEM registry hive is a prerequisite as well to be able to extract all the credentials.
Publicly available Active Directory auditing frameworks like DSInternals provide PowerShell cmdlets to extract the Syskey from the SYSTEM registry hive and extract all the credentials from the Ntds.dit file.
Ntds.dit can also give access to the powerful service account within the Active Directory Domain, KRBTGT (Key Distribution Centre Service account). Acquiring the NTLM hash of this account can enable the attacker to execute a Golden Ticket attack leading to complete domain compromise with unrestricted access to any service on the domain joined system.
A DCSync attack is a method of credential acquisition which allows an attacker to impersonate the Domain Controller and can consequently replicate all the Active Directory objects to the impersonating client remotely, without requiring the user to logon to the DC or dumping the Ntds.dit file. By impersonating the Domain Controller, the attacker could acquire the NTLM hash of the KRBTGT service account, enabling them to gain access to all the shared resources and applications in the domain joined environment. To be able to execute this credential stealing technique, an attacker would have to compromise the user account with the required permissions, specifically DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, as shown below.
Figure 13 – User with privileges
Once the attacker compromises the user account with the required privileges, Pass-The-Hash attacks can be executed to spawn a command shell with the forged logon session. Credential dumping tools like Mimikatz do this by enumerating all the user logon sessions and replacing the user credentials with the stolen usernames and NTLM hashes provided, in the current logon session. Behind the scenes, this is executed by duplicating the current process’s access token, replacing the user credentials pointed by duplicated access token and subsequently using the modified access token to start a new process with the stolen credentials which will be used for network authentication. This is as shown below for example user “DCPrivUser”.
Figure 14 – Pass-the-Hash attack
Further, as indicated below, any subsequent NTLM authentication from the logon session will use the stolen credentials to authenticate to domain joined systems like the Active Directory Controller.
Attackers can now initiate the AD user objects Replication request to the Domain Controller using Directory Replication Services Remote Protocol (DRSUAPI). DRSUAPI is the RPC protocol used for replication of AD objects. With DCERPC bind request to DRSUAPI, an RPC call to DSGetNCChanges will replicate all the user AD objects to the impersonating client. Attackers would usually target the KRBTGT account since acquiring the NTLM hash of this account will enable them to execute a Golden Ticket attack resulting in unrestricted access to domain services and applications.
Figure 15 – DCSync Attack
As indicated earlier, with the NTLM hash of the KRBTGT account, adversaries can initiate a Golden Ticket attack (Pass-the-Ticket) by injecting the forged Kerberos tickets into the current session which can be used to authenticate to any service with the client that supports pass the ticket (for instance, sqlcmd.exe connection to DB server, PsExec, etc.)
Figure 16 – Golden ticket with forged Kerberos ticket
The credential theft techniques we discussed in the previous sections are just the tip of the iceberg. Adversaries can use many other sophisticated credential stealing techniques to take advantage of system misconfigurations and legitimate administrative tools and protocols and, at the same time, remain undetected for a longer period. With many other event management solutions with SIEMs, used in conjunction with other network security solutions, it becomes a challenge for administrators to distinguish malicious use of legitimate tools and services from lateral movement. Perimeter solutions have their limitations in terms of visibility once the attacker crosses the network boundary and is inside the domain environment. It is extremely critical for organizations to protect and monitor critical network assets like the Domain Controller, Database server, Exchange Servers, build systems and other applications or services, as compromising these systems will result in significant damages. Therefore, enterprise networks must deploy a solution to detect credential stealing attacks as they can be used to pivot to other systems on the network and move laterally once an attacker establishes an attack path to a high value target. If the deployment of a solution within the critical zones of the network can detect the use of stolen credentials before adversaries can reach their target, the critical assets could still be prevented from being compromised.
Network Deception is one such deployment within the domain environment where, using the MITRE Shield techniques like decoy systems and network, decoy credentials, decoy accounts, decoy contents, could potentially help detect lateral movement early in the adversary’s attack path to the target asset and at the same time, report significantly low false detection rates. The idea of deception originates from the decades old honeypot systems but, unlike those, relies more on forging trust and giving adversaries what they are looking for. With its inbuilt proactiveness it is configured to lure attackers towards deceptive systems. As shown in the figure below, Network Deception consists of authentic looking decoy systems placed within the domain network, specifically in the network where the critical assets are placed. These decoy systems (could be virtual machines) are the full-fledged OS with configured applications or services and could be replicating the crucial services like Domain Controller, Exchange or DB server and other decoy machines that could lead to those systems. The image below highlights the key foundational aspects of the Network Deception
Figure 17 – Network Deception
As visualized in the figure above, Network Deception comprises the following key basic facts with respect to the deployment in the domain joined environment:
Since credential theft plays an important role in a successful targeted attack, deception essentially focuses on planting fake credentials on the production and decoy endpoints at multiple places within the OS and monitoring the use of these credentials to pivot to other systems. With respect to the network setup, the following are the key aspects, however this list is not exhaustive, and much more could be added:
Some of the other setup required for effective deployment of deception is as summarized below:
Figure 18 – Deceptive network setup – Basic requirements
To detect the use of deceptive credentials, setting up decoy machines is an essential part of the solution as well. Primarily, decoy machines should enable the access attackers are looking to have during the lateral movement phase. Decoys should also be configured to enable relevant auditing services to be able to generate events. For instance, the following enables the account logon events to be audited:
Decoy machines must be setup to run the log collector agent that can collect the access logs generated and forward them to the correlation server. However, in the domain joined environment, it is also essential to tune the decoy machines to forward only the relevant logs to the correlation server to minimize false positives.
The below highlights some of the auditing required to be enabled on the decoy systems for effective correlation.
Figure 19 – Basic decoy setup
The following sections describe some examples of how deception can be achieved in the domain network, along with a visualization of how credential theft can be detected.
LSASS process memory is one of the prime targets for attackers, as well as malware armed with lateral movement capabilities since it caches a variety of credentials. Credential extraction from the LSASS process requires opening a read handle to the process itself which is closely monitored by EDR products but there are stealthier ways around it.
One of the primary tasks towards achieving credential-based deception is to stage the deceptive credentials in LSASS process memory. This can be accomplished on the production and decoy systems by executing a trivial credential injection code which uses the CreateProcessWithLogonW Windows API with the specified crafted credentials. CreateProcessWithLogonW creates the new logon session using the caller process access token and spawns the process specified as a parameter in the security context of the specified deceptive credentials and it will be staged in the LSASS memory until the process runs in the background. The below shows the example code calling the API with the specified credentials which is also visible when credentials are extracted with Mimikatz.
Figure 20 – Injecting credentials into LSASS memory
One of the parameters to CreateProcessWithLogonW is “dwLogonFlags” which should be specified as LOGON_NETCREDENTIALS_ONLY as shown in the code above. This ensures the specified credentials are used only on the network and not for local logons. Additionally, NETONLY credentials used to create a logon session are not validated by the system. Below is a code snapshot from credential extraction tool Mimikatz, using a similar approach to forge a logon session and replacing the credentials with the supplied ones while executing Pass-the-Hash attacks.
Figure 21 – Mimikatz code for PTH attack
Attackers or malware moving laterally inside the network might do a recon for interesting hostnames via nbtstat/nbtscan. To deflect the lateral movement path, decoy systems can be configured with real looking hostnames that match the production systems. These hostnames will then be visible on NetBIOS scans as shown below.
Figure 22 – Deceptive host names pointing to decoy machines
These decoy systems can also run the relevant client applications pointing to the decoy services, with authentication directed to the decoy Domain Controller in the network. Detection of this attack path happens much earlier, however the decoy network setup keeps the adversaries engaged, helping admins to study their Tools and Techniques.
Figure 23 – Decoy machines running clients pointing to decoy services
A similar deception setup can also be done for the browsers where saved credentials can point to the decoy applications and services within the domain. For instance, Chrome saves the credentials in the SQLite format on the disk which can be decrypted using DPAPI as discussed earlier sections. The below examples demonstrate deceptive browser credentials which can lure adversaries towards the decoy services.
Figure 24 – Inserting deceptive browser credentials
In addition to some of the techniques discussed above, and many others highlighted in the previous sections, setting up deception involves much more advanced configuration of decoy systems to minimize false positives and needs to be tuned to the environment to accurately identify malicious activities. Deception can also be configured to address multiple other phases of lateral movement activity including reconnaissance and target discovery, essentially redirecting the adversaries and giving them a path to the target. Below is a high-level visualization of how the decoy network can look like the domain environment.
Figure 25 – Deception network setup
On the occasion where one of the domain-joined or public facing systems is compromised, authentication would be attempted to other domain joined systems in the network. If an authentication is attempted and any of the decoy systems are accessed and logged on, the use of these planted deceptive credentials should be a red flag and something which must be investigated. The visualization below shows the flow and an event being sent to an administrator on accessing one of the decoy systems.
Figure 26 – Deceptive credentials usage for authentication in the domain
One such example event of successfully logging on to the decoy system is as shown below:
Figure 27 – Alert send to administrator on using deceptive credentials
Credential theft attacks discussed here are mapped by MITRE as below:
| Technique ID | Technique Name | Description |
| T1003.001 | LSASS Process Memory | Attackers may attempt to access LSASS process memory to extract credentials as it stores a variety of credentials. Administrative privileges are required to access the process memory. |
| T1003.002 | SAM Database | Accessing credentials from SAM database requires SYSTEM level privileges. Stores credentials for all the local user accounts on the machine. |
| T1003.003 | NTDS.dit file | Contains credentials for all the domain users. File is present on the DC and domain admin privileges are required to access this file. |
| T1003.006 | DCSync | Attacker can extract the credentials from the DC by impersonating the domain controller and use DRSUAPI protocol to replicate credentials from DC. |
| T1558.001 | Golden Ticket | Attackers acquiring credentials for KRBTGT account can forge the Kerberos ticket called Golden Ticket, allowing them to get unrestricted access to any system in the domain |
| T1558.002 | Silver Ticket | Allows attacker to get admin level access to the service accounts by abusing Kerberos authentication |
| T1558.003 | Kerberoasting | Allows attackers to extract the Kerberos tickets for service accounts from memory and brute force offline to get credentials |
As credential theft attacks play a significant role in an attacker’s lateral movement, so as in-network defense for the defenders. With attackers’ lateral movement tactics evolving and getting more stealthier, defenders will have to adapt to innovative ways of defending the critical network assets. In–network defense strategies like Deception could prove to be a promising and forward-looking approach towards detecting and mitigating data theft attacks. Strategic planting of decoy systems within the production network, inserting decoy credentials and decoy contents on calculative selection of endpoints and decoy systems and accurately setting up the logging and correlation via SIEMs for monitoring the use of decoy contents, could certainly detect and mitigate the attacks early in the lateral movement life cycle.
Endpoint solutions like User Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) could also play a significant role in building the deception infrastructure. For instance, one of the ways UEBA solutions could prove useful is to baseline user behavior and monitor access to credential stores on the system. UEBA/EDR could raise the red flag on injection of forged Kerberos tickets in the memory. This can provide user level visibility to a greater extent when integrated with SIEM, playing a crucial role in mitigating credential theft attacks.
The post Detecting Credential Stealing Attacks Through Active In-Network Defense appeared first on McAfee Blog.
This month Microsoft released patches for 86 vulnerabilities. While many of these vulnerabilities are important and should be patched as soon as possible, there is one critical vulnerability that McAfee Enterprise wants to immediately bring to your attention due to the simplicity of what is required to exploit, and evidence that possible exploitation is already being attempted.
The list of flaws, collectively called OMIGOD, impact a software agent called Open Management Infrastructure that’s automatically deployed in many Azure services –
CVE-2021-38647 (CVSS score: 9.8) – Open Management Infrastructure Remote Code Execution Vulnerability
CVE-2021-38648 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability
CVE-2021-38645 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability
CVE-2021-38649 (CVSS score: 7.0) – Open Management Infrastructure Elevation of Privilege Vulnerability
Azure customers on Linux machines, including users of Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics, are at risk of potential exploitation. OMI can also be installed outside of Azure on any on-premises Linux system.
The Remote Code Execution is extremely simple and all that is required is to remove the auth header and root access is available remotely on all machines. With this vulnerability the attackers can obtain initial access to the target Azure environment and then move laterally within it.
Campaign: Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD
Source: MVISION Insights
Multiple security researchers shared proof of concept attacks on the exploitation of the vulnerabilities and, soon thereafter, actors mimicked the efforts and have recently been seen actively exploiting CVE-2021-38647 via botnet activities.
Background on the Mirai Botnet and related campaigns
Source: MVISION Insights
One such botnet is Mirai, which is actively scanning for vulnerabilities, including those identified as OMIGOD, that will allow the operators to infect a system and spread to connected devices. If the Mirai botnet exploits a vulnerable machine, the operators will drop one of the Mirai DDoS botnet versions and close port 5896 on the internet to prevent other attackers from exploiting the same box. Reports of successful exploitation of OMIGOD have reported cryptominers being deployed on the impacted systems.
Microsoft does not have an auto update mechanism; a manual upgrade of the agents is required to prevent exploitation. Microsoft has released a patched OMI version (1.6.8.1), suggested steps by Microsoft are provided in the below link.
CVE-2021-38647 – Open Management Infrastructure Remote Code Execution Vulnerability
McAfee Enterprise will continue to update the following KB document with product coverage of CVE-2021-38647; please subscribe to the KB to be notified of updates.
McAfee Enterprise coverage for CVE-2021-38647 Remote Code Execution Vulnerability
To identify vulnerable systems in your environment, McAfee Enterprise recommends scanning for systems listening on Ports 5986. Port 5986 is the typical port leveraged by the OMI agent. Industry intelligence from the Wiz Research group is also noting vulnerable systems listening on non–default ports 5985 and 1270. It is recommended to limit network access to those ports immediately to protect from the RCE vulnerability.
MVISION Insights provides regularly updated threat intelligence for the ongoing attempts to exploit OMIGOD. The “Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD” campaign will have up to date Global Prevalence, IOCs, and MITRE techniques being observed in the wild. The IOCs within MVISION Insights can be utilized by the Real-time Search function of MVISION Endpoint Detection & Response (EDR) to proactively search your entire Linux endpoint environment for detection.
Global Prevalence of OMIGOD Exploitation Source: MVISION Insights
Indicators of Compromise related to exploitation of OMIGOD Source: MVISION Insights
The McAfee ENS Firewall Rules will allow for the creation of custom rules to block specific ports until the OMI agent can be updated to the resolved version; please see the below screenshot for a sample rule to block the ports associated with the OMI agent.
Creation of Block Rule for OMI Agent Ports in McAfee ENS Firewall
The Real-time search feature in MVISION EDR with allow for the searching of your entire Linux environment utilizing several different parameters to identify systems that could be potential targets.
The below pre-built queries can be executed to locate systems listening on the noted ports for the OMI Agent and to verify the version of the OMI agent installed on your endpoint.
Processes and CurrentFlow and HostInfo hostname where Processes name equals omiengine
Software and HostInfo hostname where Software displayname contains om
Locating Installed Software Versions of OMI on Linux endpoints in MVISION EDR
Monitoring the traffic and user information of OMI in MVISION EDR
Another method to identify vulnerable systems in your cloud infrastructure is run an on-demand vulnerability scan and create security configuration audits with MVISION Cloud Native Application Protection Platform (CNAPP). Please see below several examples of using the CWPP and CSPM features to locate vulnerable systems by CVE number and detect usage of the “root” account in Microsoft Azure.
Running Vulnerability Scans to Identify Vulnerable Systems by CVE
Setting Security Configuration Audits to be alerted of Root Access in Microsoft Azure
The post McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet appeared first on McAfee Blog.
Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise and the Advanced Threat Research Team to hear their takes on today’s security trends, challenges, and opportunities for companies across the globe.
Q: What got you interested in technology and threat research? |
As a little kid, I was always fascinated by technology. I would wrench open devices to study the inner workings, and try to assemble again. At age 12 I worked for three years to assemble my first computer-setup: a Commodore 64, disk-drive, and printer followed by an Amiga with modem. From that point, it was a journey from sysadmin to ethical hacking into specializing in digital forensics and joining FoundStone to setup their EMEA Incident Response team. As I witnessed multiple malware incidents and later some of the largest cyber-attacks ever, I got fascinated by all the mechanics around threat research. From this, I made a move to lead and envision new ways (threat) research can assist both responders and customers.
Q: If you could relive any moment of your life, which would it be? |
Good question. There are so many moments to be thankful for that I cannot choose one but will mention a few that might sound obvious: My baptism, marrying my wife, and the birth of my kids.
Q: What are some of the trends you are currently noticing across the threat landscape? |
Of course, we still have ransomware around as an ongoing issue that keeps evolving and impacting not only companies around the world, but also our lives more and more when fuel is not available, supermarkets are closed, and delivery of goods cannot be executed. Secondly, I would say the volume and number of attacks that happen have increased dramatically over the years. The moment a vulnerability is announced, within days, a proof-of-concept is available and within a week it is used by adversaries (either cybercrime or nation-state motivated). The feedback from our customers has been tremendously positive.
Q: How do you react to constantly changing threats in the market? |
The only way to respond to the constant changing threats is to be flexible and willing to change. What works today might not work tomorrow, which should be part of your strategy when it comes to threat hunting, threat detection, and protection. My team is eager to learn and we are committed to protect our customers, innovate new research techniques, and adapt that into our technology.
The post Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek appeared first on McAfee Blog.
BlackMatter is a new ransomware threat discovered at the end of July 2021.
This malware started with a strong group of attacks and some advertising from its developers that claims they take the best parts of other malware, such as GandCrab, LockBit and DarkSide, despite also saying they are a new group of developers. We at McAfee Enterprise Advanced Threat Research (ATR), have serious doubts about this last statement as analysis shows the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack which caught the attention of the US government and law enforcement agencies around the world.
The main goal of BlackMatter is to encrypt files in the infected computer and demand a ransom for decrypting them. As with previous ransomware, the operators steal files and private information from compromised servers and request an additional ransom to not publish on the internet.
McAfee’s EPP solution covers BlackMatter ransomware with an array of prevention and detection techniques.
ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-BlackMatter!<hash>. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.
Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.
BlackMatter is typically seen as an EXE program and, in special cases, as a DLL (Dynamic Library) for Windows. Linux machines can be affected with special versions of it too but in this report, we will only be covering the Windows version.
This report will focus on version 1.2 of BlackMatter while also noting the important changes in the current version, 2.0.
BlackMatter is programmed in C++ and has a size of 67Kb.
FIGURE 1. Information about the malware
The compile date of this sample is the 23rd of July 2021. While these dates can be altered, we think it is correct; version 1.9 has a compile time of 12 August 2021 and the latest version, 2.0, has a date four days later, on the 16th of August 2021. Is clear that the malware developers are actively improving the code and making detection and analysis harder.
The first action performed by BlackMatter is preparation of some modules that will be needed later to get the required functions of Windows.
FIGURE 2. BlackMatter searching for functions
BlackMatter uses some tricks to try and make analysis harder and avoid debuggers. Instead of searching for module names it will check for hashes precalculated with a ROT13 algorithm. The modules needed are “kernel32.dll” and “ntdll.dll”. Both modules will try to get functions to reserve memory in the process heap. The APIs are searched using a combination of the PEB (Process Environment Block) of the module and the EAT (Export Table Address) and enumerating all function names. With these names it will calculate the custom hash and check against the target hashes.
FIGURE 3. BlackMatter detecting a debugger
At this point BlackMatter will make a special code to detect debuggers, checking the last 2 “DWORDS” after the memory is reserved, searching for the bytes “0xABABABAB”. These bytes always exist when a process reserves memory in the heap and, if the heap has one special flag (that by default is set when a process is in a debugger), the malware will avoid saving the pointer to the memory reserved so, in this case, the variables will keep a null pointer.
In Windows operating systems the memory has different conditions based on whether a program is running in normal mode (as usual) or in debugging mode (a mode used by programmers, for example). In this case, when the memory is reserved to keep information, if it is in debugging mode, Windows will mark the end of this memory with a special value, “0xABABABAB”. BlackMatter checks for this value and, if found, the debugger is detected. To avoid having it run normally it will destroy the function address that it gets before, meaning it will crash, thus avoiding the execution.
FIGURE 4. Preparing the protection stub function
After this check it will create a special stub in the reserved memory which is very simple but effective in making analysis harder as the stub will need to be executed to see which function is called and executed.
This procedure will be done with all functions that will be needed; the hashes are saved hardcoded in the middle of the “.text” section in little structs as data. The end of each struct will be recognized by a check against the “0xCCCCCCCC” value.
FIGURE 5. Hashes of the functions needed
This behavior highlights that the BlackMatter developers know some tricks to make analysis harder, though it is simple to defeat both by patching the binary.
After this, the ransomware will use another trick to avoid the use of debuggers. BlackMatter will call the function “ZwSetInformationThread” with the class argument of 0x11 which will hide the calling thread from the debuggers.
If the malware executes it correctly and a debugger is attached, the debugging session will finish immediately. This code is executed later in the threads that will be used to encrypt files.
FIGURE 6. Another way to detect a debugger
The next action is to check if the user that launched the process belongs to the local group of Administrators in the machine using the function “SHTestTokenMembership”. In the case that the user belongs to the administrator group the code will continue normally but in other cases it will get the operating system version using the PEB (to avoid using API functions that can alter the version) and, if it is available, will open the process and check the token to see if that belongs to the Administrators group.
FIGURE 7. BlackMatter checking if it has administrator rights
In the case that the user does not belong to the Administrator group the process token will use a clever trick to escalate privileges.
The first action is to prepare the string “dllhost.exe” and enumerate all modules loaded. For each module it will check one field in the initial structure that all executables have that keeps the base memory address where it will be loaded (for example, kernel32.dll in 0x7fff0000) and will compare with its own base address. If it is equal, it will change its name in the PEB fields and the path and arguments path to “dllhost.exe” (in the case of the path and argument path to the SYSTEM32 folder, where the legitimate “dllhost.exe” exists). This trick is used to try and mislead the user. For each module found it will check the base address of the module with its own base address and, at that moment, will change the name of the module loaded, the path, and arguments to mislead the user.
FIGURE 8. Decryption of the string “dllhost.exe”
The process name will be “dllhost.exe” and the path will be the system directory of the victim machine. This trick, besides not changing the name of the process in the TaskManager, can make a debugger “think” that another binary is loaded and remove all breakpoints (depending on the debugger used).
FIGURE 9. Changing the name and path in the PEB
The second action is to use one exploit using COM (Component Object Model) objects to try to elevate privileges before finishing its own instance using the “Terminate Process” function.
For detection, the module uses an undocumented function from NTDLL.DLL, “LoadedModulesLdrCallback” that lets the programmer set a function as a callback where it can get the arguments and check the PEB. In this callback the malware will set the new Unicode strings using “RtlInitUnicodeString”; the strings are the path to “dllhost.exe” in the system folder and “dllhost.exe” as the image name.
The exploit used to bypass the UAC (User Access Control), which is public, uses the COM interface of CMSTPLUA and the COM Elevation Moniker.
In the case that it has administrator rights or uses the exploit with success, it will continue making the new extension that will be used with the encrypted files. For this task it will read the registry key of “Machine Guid” in the cryptographic key (HKEY LOCAL MACHINE).
This entry and value exist in all versions of Windows and is unique for the machine; with this value it will make a custom hash and get the final string of nine characters.
FIGURE 10. Creating the new extension for the encrypted files
Next, the malware will create the ransom note name and calculate the integrity hash of it. The ransom note text is stored encrypted in the malware data. Usually the ransom note name is “%s.README.txt”, where the wildcard is filled with the new extension generated previously.
The next step is to get privileges that will be needed later; BlackMatter tries to get many privileges:
| · SE_BACKUP_PRIVILEGE
· SE_DEBUG_PRIVILEGE, SE_IMPERSONATE_PRIVILEGE · SE_INC_BASE_PRIORITY_PRIVILEGE · SE_INCREASE_QUOTA_PRIVILEGE · SE_INC_WORKING_SET_PRIVILEGE · SE_MANAGE_VOLUME_PRIVILEGE · SE_PROF_SINGLE_PROCESS_PRIVILEGE · SE_RESTORE_PRIVILEGE · SE_SECURITY_PRIVILEGE · SE_SYSTEM_PROFILE_PRIVILEGE · SE_TAKE_OWNERSHIP_PRIVILEGE · SE_SHUTDOWN_PRIVILEGE |
FIGURE 11. Setting special privileges
After getting the privileges it will check if it has SYSTEM privileges, checking the token of its own process. If it is SYSTEM, it will get the appropriate user for logon with the function “WTSQueryUserToken”. This function only can be used if the caller has “SeTcbPrivilege” that, by default, only SYSTEM has.
FIGURE 12. Obtaining the token of the logged on user
After getting the token of the logged on user the malware will open the Windows station and desktop.
In the case that it does not have SYSTEM permissions it will enumerate all processes in the system and try to duplicate the token from “explorer.exe” (the name is checked using a hardcoded hash), if it has rights it will continue normally, otherwise it will check again if the token that was duplicated has administrator rights.
In this case it will continue normally but in other cases it will check the operating system version and the CPU (Central Processing Unit) mode (32- or 64- bits). This check is done using the function “ZwQueryInformationProcess” with the class 0x1A (ProcessWow64Information).
FIGURE 13. Checking if the operating system is 32- or 64-bits
In the case that the system is 32-bits it will decrypt one little shellcode that will inject in one process that will enumerate using the typical “CreateRemoteThread” function. This shellcode will be used to get the token of the process and elevate privileges.
In the case that the system is 64-bits it will decrypt two different shellcodes and will execute the first one that gets the second shellcode as an argument.
FIGURE 14. BlackMatter preparing shellcodes to steal system token
These shellcodes will allow BlackMatter to elevate privileges in a clean way.
Is important to understand that to get the SYSTEM token BlackMatter will enumerate the processes and get “svchost.exe”, but not only will it check the name of the process, it will also check that the process has the privilege “SeTcbPrivilege”. As only SYSTEM has it by default (and it is one permission that cannot be removed from this “user”) it will be that this process is running under SYSTEM and so it becomes the perfect target to attack with the shellcodes and steal the token that will be duplicated and set for BlackMatter.
FIGURE 15. Checking if the target process is SYSTEM
After this it will decrypt the configuration that it has embedded in one section. BlackMatter has this configuration encrypted and encoded in base64.
This configuration has a remarkably similar structure to Darkside, offering another clear hint that the developers are one and the same, despite their claims to the contrary.
After decryption, the configuration can get this information:
|
After getting the configuration and parsing it, BlackMatter will start checking if it needs to make a login with some user that is in the configuration. In this case it will use the function “LogonUser” with the information of the user(s) that are kept in the configuration; this information has one user and one password: “test@enterprise.com:12345” where “test” is the user, “@enterprise.com” is the domain and “12345” the password.
The next action will be to check with the flag to see if a mutex needs to be created to avoid having multiple instances.
This mutex is unique per machine and is based in the registry entry “MachineGuid” in the key “Cryptography”. If the system has this mutex already the malware will finish itself.
Making a vaccine with a mutex can sometimes be useful but not in this case as the developers change the algorithm and only need to set the flag to false to avoid creating it.
FIGURE 16. Creation of the mutex to avoid multiple instances
After, it will check if it needs to send information to the C2. If it does (usually, but not always) it will get information of the victim machine, such as username, computer name, size of the hard disks, and other information that is useful to the malware developers to know how many machines are infected.
This information is encoded with base64 and encrypted with AES using the key in the configuration.
FIGURE 17. Encrypted information sent to the C2
The C2 addresses are in the configuration (but not all samples have them, in this case the flag to send is false). The malware will try to connect to the C2 using a normal protocol or will use SSL checking the initial “http” of the string.
FIGURE 18. Get information of the victim machine and user
The information is prepared in some strings decrypted from the malware and sent in a POST message.
FIGURE 19. Choose to send by HTTP or HTTPS
The message has values to mislead checks and to try and hide the true information as garbage. This “fake” data is calculated randomly.
The C2 returns garbage data but the malware will check if it starts and ends with the characters “{“ and “}”; if it does the malware will ignore sending the information to another C2.
FIGURE 20. Checking for a reply from the C2 after sending
BlackMatter is a multithread application and the procedure to send data to the C2 is done by a secondary thread.
After that, BlackMatter will enumerate all units that are FIXED and REMOVABLE to destroy the recycle bin contents. The malware makes it for each unit that has it and are the correct type. One difference with DarkSide is that it has a flag for this behavior while BlackMatter does not.
The next action is to delete the shadow volumes using COM to try and avoid detection using the normal programs to manage the shadow volumes. This differs with DarkSide that has a flag for this purpose.
FIGURE 21. Destruction of the shadow volumes using COM
BlackMatter will check another flag and will enumerate all services based on one list in the configuration and will stop target services and delete them.
This behavior is the same as DarkSide.
FIGURE 22. Stopping services and deleting them
Processes will be checked and terminated as with DarkSide, based on other configuration flags.
After terminating the processes BlackMatter will stop the threads from entering suspension or hibernating if someone is using the computer to prevent either of those outcomes occurring when it is encrypting files. This is done using the function “ZwSetThreadExecutionState”.
FIGURE 23. Preventing the machine being suspended or hibernated
The next action will be to enumerate all units, fixed and on the network, and create threads to encrypt the files. BlackMatter uses Salsa20 to encrypt some part of the file and will save a new block in the end of the file, protected with the RSA key embedded in the configuration with the Salsa20 keys used to encrypt it. This makes BlackMatter slower than many other ransomwares.
After the encryption it will send to the C2 all information about the encryption process, how many files were crypted, how many files failed, and so on. This information is sent in the manner previously described, but only if the config is set to true.
FIGURE 24. Release of the mutex
If one mutex was created in this moment it will be released. Later it will check the way that the machine boots with the function “GetSystemMetrics”. If the boot was done in Safe Mode BlackMatter will set some keys for persistence in the registry for the next reboot and then attack the system, changing the desktop wallpaper.
FIGURE 25. Determining whether the system boots in safe mode or normal mode
Of course, it will disable the safeboot options in the machine and reboot it (it is one of the reasons why it needs the privilege of shutdown).
To ensure it can launch in safe mode, the persistence key value with the path of the malware will start with a ‘*’.
FIGURE 26. Setting the persistance registry key
If the machine starts in the normal way, it will change the desktop wallpaper with an alternative generated in runtime with some text about the ransom note.
FIGURE 27. BlackMatter makes the new wallpaper in runtime
The new versions have some differences compared with versions 1.2 to 1.6:
Additional changes in version 2.0:
These changes suggest the developers are active on social media, with an interest in malware and security researchers.
Unlike some ransomware we’ve seen in the past, such as GandCrab , BlackMatter has good code, but it does have some design flaws that can be used in some cases to avoid having the malware encrypt the files.
This vaccine is not intended to be used in the normal way, rather only in special cases as, while it works, other programs can be affected (we obviously cannot test all third party programs but potential issues are likely to include data corruption and unpredictable behavior), and the fix is not permanent.
Steps to make the vaccine (proceed at your own risk):
In this moment BlackMatter cannot affect the machine as it needs the registry key to make the ransom extension, and the most important thing is, if it cannot make it, it will return the function WITHOUT decrypting the config that is needed too. In this case it will destroy the recycle bin and shadow volumes anyways but later it will finish as it does not have any behavior to do, RSA Key to protect the files, or anything to send to the C2 as the flag was never read from the config (and the default values are false for all of them).
Though the behavior of other programs may be unpredictable, the vaccine is easy to make, and the system will boot, showing that the BlackMatter programmers made a mistake in the design of the code.
This vaccine works for all versions, including 2.0.
The sample uses the following MITRE ATT&CK techniques:
| Technique ID | Technique Description | Observable |
| T1134 | Access Token Manipulation | BlackMatter accesses and manipulates different process tokens. |
| T1486 | Data Encrypted for Impact | BlackMatter encrypts files using a custom Salsa20 algorithm and RSA. |
| T1083 | File and Directory Discovery
|
BlackMatter uses native functions to enumerate files and directories searching for targets to encrypt. |
| T1222.001 | Windows File and Directory Permissions Modification | BlackMatter executes the command icacls “<DriveLetter>:\*” /grant Everyone: F /T /C /Q to grant full access to the drive. |
| T1562.001 | Disable or Modify Tools | BlackMatter stops services related to endpoint security software. |
| T1106 | Native API | BlackMatter uses native API functions in all code. |
| T1057 | Process Discovery | BlackMatter enumerates all processes to try to discover security programs and terminate them. |
| T1489 | Service Stop | BlackMatter stops services. |
| T1497.001 | System Checks | BlackMatter tries to detect debuggers, checking the memory reserved in the heap. |
| T1135 | Network Share Discovery | BlackMatter will attempt to discover network shares by building a UNC path in the following format for each driver letter, from A to Z: \\<IP>\<drive letter>$ |
| T1082 | System Information Discovery | BlackMatter uses functions to retrieve information about the target system. |
| T1592 | Gather Victim Host Information | BlackMatter retrieves information about the user and machine. |
| T1070 | Valid Accounts | BlackMatter uses valid accounts to logon to the victim network. |
| T1547 | Boot or Logon Autostart Execution | BlackMatter installs persistence in the registry. |
| T1102 | Query Registry | BlackMatter queries the registry for information. |
| T1018 | Remote System Discovery | BlackMatter enumerates remote machines in the domain. |
| T1112 | Modify Registry | BlackMatter changes registry keys and values and sets new ones. |
BlackMatter is a new threat in the ransomware field and its developers know full well how to use it to attack their targets. The coding style is remarkably similar to DarkSide and, in our opinion, the people behind it are either the same or have a very close relationship.
BlackMatter shares a lot of ideas, and to some degree code, with DarkSide:
It is important to keep your McAfee Enterprise products updated to the latest detections and avoid insecure remote desktop connections, maintain secure passwords that are changed on a regular basis, take precautions against phishing emails, and do not connect unnecessary devices to the enterprise network.
Despite some effective coding, mistakes have been made by the developers, allowing the program to be read, and a vaccine to be created, though we will stress again that it can affect other programs and is not a permanent solution and should be employed only if you accept the risks associated with it.
The post BlackMatter Ransomware Analysis; The Dark Side Returns appeared first on McAfee Blog.
Hyper-growth and a determination to stand above the crowd compelled a popular Eastern European telecom to upgrade its trusty McAfee Enterprise security infrastructure, which they relied on for many years to protect their 8,000 corporate endpoints. Competitive pressure to keep costs low and cybercriminals at bay for both their internal users and their customers spurred the mobile and fixed telephony company to enhance their existing security architecture with the latest endpoint and cloud-based protections from McAfee Enterprise.
The integrated McAfee Enterprise approach—with ePolicy Orchestrator ( ePO) at the helm as the single-pane-of-glass management hub—enabled the security architect to build out a strong security foundation, with McAfee Enterprise endpoint and data protection solutions and Microsoft Defender as the mainstays of the telecom’s line of defense.
With ransomware and other advanced threats grabbing headlines, the telecom company felt a pressing need to upgrade its McAfee Enterprise infrastructure and expand its on-premises endpoint protection to cloud-based McAfee Enterprise Endpoint Security. The organization also added MVISION Endpoint Threat Detection and Response (MVISION® EDR) and deployed two McAfee Enterprise Advanced Threat Defense appliances for dynamic and static sandboxing. These deployments were easily integrated into the telecom’s existing security architecture—with all solutions managed by McAfee Enterprise ePO software.
McAfee Enterprise Endpoint Security was instrumental in both simplifying and boosting endpoint protection, as multiple technologies—Threat Protection, Firewall, Web Control, and Adaptive Threat Prevention—are consolidated into a single agent. Leveraging threat data from local endpoints and McAfee Enterprise Global Threat Intelligence in the cloud, the telecom’s security team is also empowered to detect zero-day threats in near real time. When a threat is identified on a given endpoint, that information is automatically shared with all the other endpoints. And when an unknown or suspicious file is detected, it is immediately quarantined for analysis by MVISION EDR or the McAfee Endpoint Advanced Threat Defense sandbox.
Investigation had once been a lengthy and laborious manual process, often taking days or weeks. Sometimes detections of malicious activity were even ignored due to time constraints. But, after implementing MVISION EDR, things changed dramatically. Investigations and remediations now take as little as 10 to 15 minutes. The security team is catching more threats than ever before, their workflows are streamlined, and investigations are faster. Best of all, thanks to MVISION EDR, team members have expanded their threat-hunting capacity—without augmenting their staff.
Because McAfee Enterprise Advanced Threat Defense appliances and MVISION EDR are integrated with McAfee Enterprise SIEM solutions and McAfee Enterprise ePO software, suspicious activity at an endpoint automatically triggers an investigation. Advanced analytics and artificial intelligence (AI) in MVISION enable administrators to understand the alert, sort out the facts, and remediate any threat. MVISION EDR does all the preparatory work, gathering and distilling relevant data, such as IP addresses and information about devices and users. Graphic visualizations and AI-guided investigations help analysts quickly get a grasp on what’s happening. The security team can also run real-time queries to see if something similar has occurred anywhere else, and they can conduct historical searches for greater context.
“The volume of malware we have to deal with has definitely shrunk since implementing McAfee Enterprise Endpoint Security. But the addition of MVISION EDR has made an even bigger impact on security posture. When our endpoints do encounter malware, we can now respond many times faster and more effectively than ever before,” points out the security architect.
The enhanced McAfee Enterprise security architecture has transformed the telecom company’s approach to maintaining a more resilient security posture. The company is now taking a more proactive defense as a result of the new, fully coordinated McAfee Enterprise toolset.
In addition to advanced threat-hunting capabilities, the ability to share threat information across the organization via the Data Exchange Layer (DXL) has also contributed to a more proactive stance. For example, whenever a malicious file is identified, that information is automatically added to the McAfee Enterprise Threat Intelligence Exchange threat reputation database and shared with all DXL-connected systems: endpoints, SIEM, Advanced Threat Defense sandboxes, MVISION EDR software, and even the company’s Cisco pxGrid infrastructure, a multivendor, cross-platform network system that pulls together different parts of an IT infrastructure.
The European telecom company has plans to migrate to the cloud, beginning with Microsoft Office 365 and Microsoft Azure. For the time being, the organization plans to keep the McAfee Enterprise ePO management console on premises, but, in the very near future, the plan is to protect internet-only users with cloud-based MVISION ePO.
“Taking measured steps to augment our security infrastructure has helped us succeed at keeping our company and customers secure,” say the security architect. “It’s nice to know that McAfee Enterprise can support us wherever we are in our journey and can extend our integrated security infrastructure from device to cloud when we’re ready.”
The post European Telecom Company Expands Its Footprint to Better Protect Users and Customers appeared first on McAfee Blog.
Microsoft is warning its users of a zero-day vulnerability in Windows 10 and versions of Windows Server that is being leveraged by remote, unauthenticated attackers to execute code on the target system using specifically crafted office documents. Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Microsoft Office to render web content inside Word, Excel, and PowerPoint documents. This vulnerability is being actively exploited and protections should be put into place to prevent that. Microsoft has released guidance on a workaround, as well as updates to prevent exploitation, but below are additional McAfee Enterprise countermeasures you can use to protect your business.
Since originally reported, vulnerability exploitation has grown worldwide.
Figure 1. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights
Additional MITRE ATT&CK techniques have been identified since our original report. MVISION Insights will be regularly updated with the latest IOCs and hunting rules for proactive detection in your environment.
Figure 2. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights
The following McAfee Enterprise products can protect you against this threat.
Figure 3. Protection by ENS Module
For ENS, it’s important to have both Threat Protection (TP) and Adaptive Threat Protection (ATP) with GTI enabled. We are seeing 50% of detections based on ATP behavior analysis rules.
Figure 4. Protection by ENS Module
More details on Endpoint protection including MVISION EDR are included below.
McAfee Global Threat Intelligence (GTI) is currently detecting the analyzed IOCs for this exploitation. GTI will be continually updated as new indicators are observed in the wild.
ENS Threat Prevention module can provide added protections against exploitation of CVE-2021-40444 until a patch is deployed. The following signature in Exploit Prevention has shown coverage in testing of observed exploits; this signature could cause false positives, so it is highly advised to test in Report Mode or in sandbox environments before blocking in production environments.
Signature 2844: Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Several custom Expert Rules can be implemented to prevent or detect potential exploitation attempts. As with all Expert Rules, please test them in your environment before deploying widely to all endpoints. Recommended to implement this rule in a log only mode to start.
Figure 5. Expert Rule to block or log exploitation attempts
Figure 6. Expert Rule to block or log exploitation attempts
ATP Rules
Adaptive Threat Protection module provides behavior-blocking capability through threat intelligence, rules destined to detect abnormal application activity or system changes and cloud-based machine-learning. To exploit this vulnerability, the attacker must gain access to a vulnerable system, most likely through Spearphishing with malicious attachments. These rules may also be effective in preventing initial access and execution. It is recommended to have the following rules in Observe mode at least and monitor for threat events in ePO.
As with all ATP Rules, please test them in your environment before deploying widely to all endpoints or turning on blocking mode.
The Real-Time Search feature in MVISION EDR provides the ability to search across your environment for behavior associated with the exploitation of this Microsoft vulnerability. Please see the queries to locate the “mshtml” loaded module associated with various application processes.
EDR Query One
Processes where Processes parentimagepath matches “winword|excel|powerpnt” and Processes cmdline matches “AppData\/Local\/Temp\/|\.inf|\.dll” and Processes imagepath ends with “\control.exe”
EDR Query Two
HostInfo hostname and LoadedModules where LoadedModules process_name matches “winword|excel|powerpnt” and LoadedModules module_name contains “mshtml” and LoadedModules module_name contains “urlmon” and LoadedModules module_name contains “wininet“
Additionally, the Historical Search feature within MVISION EDR will allow for the searching of IOCs even if a system is currently offline.
Figure 7. Using Historical Search to locate IOCs across all devices. Source: MVISION EDR
McAfee Enterprise has published the following KB article that will be updated as more information and coverage is released.
McAfee Enterprise coverage for CVE-2021-40444 – MSHTML Remote Code Execution
Since public disclosure of the vulnerability, it has been observed from successful exploitation of CVE-2021-40444 in the wild that threat actors are utilizing a Cobalt Strike payload to then drop ransomware later in the compromised environment. The association between this vulnerability and ransomware point to the possibility that the exploit has been added to the tools utilized in the ransomware-as-a-service (RaaS) ecosystem.
Figure 8. CVE-2021-40444-attack-chain (Microsoft)
The Ransomware Gangs that have been observed in these attacks have in the past been known to utilize the Ryuk and Conti variants of ransomware.
Please see below additional mitigations that can be utilized in the event your environment is compromised and added protections are needed to prevent further TTPs.
Cobalt Strike BEACON
MVISION Insights Campaign – Threat Profile: CobaltStrike C2s
Endpoint Security – Advanced Threat Protection:
Rule 2: Use Enterprise Reputations to identify malicious files.
Rule 4: Use GTI file reputation to identify trusted or malicious files
Rule 517: Prevent actor process with unknown reputations from launching processes in common system folders
Ryuk Ransomware Protection
MVISION Insights Campaign – Threat Profile: Ryuk Ransomware
Endpoint Security – Advanced Threat Protection:
Rule 2: Use Enterprise Reputations to identify malicious files.
Rule 4: Use GTI file reputation to identify trusted or malicious files
Rule 5: Use GTI file reputation to identify trusted or malicious URLs
Endpoint Security – Access Protection:
Rule: 1
Executables (Include):
*
Subrules:
Subrule Type: Files
Operations:
Create
Targets (Include):
*.ryk
Endpoint Security – Exploit Prevention
Signature 6153: Malware Behavior: Ryuk Ransomware activity detected
Conti Ransomware Protection
MVISION Insights Campaign – Threat Profile: Conti Ransomware
Endpoint Security – Advanced Threat Protection:
Rule 2: Use Enterprise Reputations to identify malicious files.
Rule 4: Use GTI file reputation to identify trusted or malicious files
Rule 5: Use GTI file reputation to identify trusted or malicious URLs
Endpoint Security – Access Protection Custom Rules:
Rule: 1
Executables (Include):
*
Subrules:
Subrule Type: Files
Operations:
create
Targets (Include):
*conti_readme.txt
Endpoint Security – Exploit Prevention
Signature 344: New Startup Program Creation
The post McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 appeared first on McAfee Blog.
Why am I here?
There’s a lot of information out there on critical vulnerabilities; this short bug report contains an overview of what we believe to be the most news and noteworthy vulnerabilities. We don’t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact. Today, we’ll be focusing on CVE-2021-40444.
What is it?
CVE-2021-40444 is a vulnerability in Office applications which use protected view such as Word, PowerPoint and Excel which allows an attacker to achieve remote code execution (RCE). CVE-2021-40444 is a vulnerability which allows a carefully crafted ActiveX control and a malicious MS Cabinet (.cab) file to be launched from an Office document.
Most importantly, this vulnerability impacts the applications themselves, as well as the Windows Explorer preview pane.
Who cares?
This is a great question! Pretty much anyone who uses any Microsoft Office applications, or has them installed, should be concerned.
Office is one of the most widely-used applications on the planet. Odds are good you have it open right now. While many companies have disabled macros within Office documents at the Group Policy level, it is unlikely ActiveX is treated similarly. This means that without proper data hygiene, a large proportion of Office users will be vulnerable to this exploit.
Fortunately, “spray and pray” style email campaigns are unlikely to gain traction with this exploit, as mail providers have started flagging malicious files (or at least known PoCs) as potential malware and removing them as attachments.
What can I do?
Good news! You aren’t necessarily completely helpless. By default, Windows uses a flag known as the “Mark of the Web” (MoTW) to enable Protected Mode in Office. Email attachments, web downloads, and similar all have this MoTW flag set, and Protected Mode prevents network operations, ActiveX controls, and macros embedded within a document from being executed, which effectively disables exploitation attempts for this vulnerability.
That said, users have become so inured to the Protected View message, they often dismiss it without considering the consequences. Much like “confirmation fatigue” can lead to installing malicious software, attackers can leverage this common human response to compromise the target machine.
Even more so, while exploitation can occur via the Office applications themselves and via the Explorer preview pane, the Outlook preview pane operates in a completely different manner which does not trigger the exploit. Exactly why this distinction exists only MS can explain, but the upshot is that Outlook users have to explicitly open malicious files to be exploited – the more hoops users have to jump through to open a malicious, the less likely they are to be pwned.
If I’m protected by default, why does this matter?
It depends entirely on how the file gets delivered and where the user saves it.
There are many ways of getting files beyond email and web downloads – flash cards for cameras, thumb drives, external hard drives, etc. Files opened from these sources (and many common applications[1]) don’t have MoTW flag set, meaning that attackers could bypass the protection entirely by sending a malicious file in a .7z archive, or as part of a disk image, or dropping a USB flash drive in your driveway. Convincing users to open such files is no harder than any other social engineering strategy, after all.
Another fun workaround for bypassing default protections is to make use of an RTF file – emailed, downloaded, or otherwise. From our testing, an RTF file saved from an email attachment does not bear the MoTW but can still be used as a vector of exploitation. Whether RTF files become the preferred option for this exploit remains to be seen.
TL;DR
Ha! We put the tl;dr near the end, which only makes sense when the information above is so important it’s worth reading. But if all you care about is what you can actively do to ensure you’re not vulnerable, this section is for you.
Mitigations:
The Gold Standard
In case you simply can’t apply the patch or have a “production patch cycle” or whatever, McAfee Enterprise has you covered. Per our KB we provide comprehensive coverage for this attack across our protection and detection technology stack of endpoint (ENS Expert Rules), network (NSP) and EDR.
https://kc.mcafee.com/corporate/index?page=content&id=KB94876
[1] 7zip, files from disk images or other container formats, FAT formatted volumes, etc.
The post The Bug Report | September 2021: CVE-2021-40444 appeared first on McAfee Blog.
For this week’s executive spotlight, I’m highlighting Kathleen Curry, senior vice president, Global Enterprise Channels at McAfee Enterprise. Curry was named one of CRN’s 2021 Channel Chiefs. Joining the company in April 2020, she was acknowledged for her contributions expanding our partner program initiatives to reward partners for servicing customers in line with their modern needs and consumption preferences. This includes spearheading McAfee Enterprises’ “channel first” initiative and ethos, aimed to better empower our channel partner community and increase their profitability, while at the same time optimizing the end customer experience by scaling through McAfee Enterprise’s channels and partners. Read below for more.
Q: Who has been the most influential person in your life? |
My father instilled in me, from as far back as I can remember, that I can do whatever I set my mind to and that I am the owner of my life story. This helped create a positive, empowered mindset when facing challenges and opportunities throughout my life. And my father always kept our world big. Whether it was traveling to see other cultures, sharing his never-ending love of history, or getting involved in our community, his actions showed me the importance of taking time to connect with others, understand the context of things, and have compassion. While he is no longer with us, I still feel like I get advice from him every day.
Q: What are the most significant problems influencing cybersecurity professionals today? |
The ever-changing threat landscape is a real challenge. Finding the time to keep up on trends, proactively secure an environment, and address unexpected issues has become increasingly difficult. Together with our partners, we can help solve these problems.
Q: How do you separate hype from genuine innovation? |
Execution. True innovation delivers real outcomes. It can be big or small, but mostly, it must be realized and validated.
Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise and our partners in the coming years? |
There is tremendous opportunity ahead for us and our partners. With the complexity of the cybersecurity landscape, continuing threats, and talent gaps, our customers need our collective solutions, expertise, and services more than ever. We are charging ahead to optimize our channel program with partner profitability and growth at the forefront. Our dedication to a Channel First strategy coupled with best-in-class solutions positions us extremely well to win and best benefit the customers we serve together.
The post Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry appeared first on McAfee Blog.
A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support.
Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack.
From a cyber-intelligence perspective, one of the biggest challenges is having information on the tactics, techniques, and procedures (TTPs) an adversary is using and then keeping them up to date. Within ATR we typically monitor many adversaries for years and collect and store data, ranging from indicators of compromise (IOCs) to the TTPs.
In this report, ATR provides a deep insight into this long-term campaign where we will map out our findings against the Enterprise MITRE ATT&CK model. There will be parts that are censored since we respect the confidentiality of the victim. We will also zoom in and look at how the translation to the MITRE Techniques, historical context, and evidence artifacts like PlugX and Winnti malware led to a link with another campaign, which we highly trust to be executed by the same adversary.
IOCs that could be shared are at the end of this document.
McAfee customers are protected from the malware/tools described in this blog. MVISION Insights customers will have the full details, IOCs and TTPs shared via their dashboard. MVISION Endpoint, EDR and UCE platforms provide signature and behavior-based prevention and detection capability for many of the techniques used in this attack. A more detailed blog with specific recommendations on using the McAfee portfolio and integrated partner solutions to defend against this attack can be found here.
Forensic investigations identified that the actor established initial access by compromising the victim’s web server [T1190]. On the webserver, software was installed to maintain the presence and storage of tools [T1105] that would be used to gather information about the victim’s network [T1083] and lateral movement/execution of files [T1570] [T1569.002]. Examples of the tools discovered are PSexec, Procdump, and Mimikatz.
The adversary has been observed using multiple privilege escalation and persistence techniques during the period of investigation and presence in the network. We will highlight a few in each category.
Besides the use of Mimikatz to dump credentials, the adversaries used two tools for privilege escalations [T1068]. One of the tools was “RottenPotato”. This is an open-source tool that is used to get a handle to a privileged token, for example, “NT AUTHORITY\SYSTEM”, to be able to execute tasks with System rights.
Example of RottenPotato on elevating these rights:
Figure 1 RottenPotato
The second tool discovered, “BadPotato”, is another open-source tool that can be used to elevate user rights towards System rights.
Figure 2 BadPotato
The BadPotato code can be found on GitHub where it is offered as a Visual Studio project. We inspected the adversary’s compiled version using DotPeek and hunted for artifacts in the code. Inspecting the File (COFF) header, we observed the file’s compilation timestamp:
TimeDateStamp: 05/12/2020 08:23:47 – Date and time the image was created
Another major and characteristic privilege escalation technique the adversary used in this long-term campaign was the malware PlugX as a backdoor. PlugX makes use of the technique “DLL Sideloading” [T1574.002]. PlugX was observed as usual where a single (RAR) executable contained the three parts:
The adversary used either the standalone version or distributed three files on different assets in the network to gain remote control of those assets. The samples discovered and analyzed were communicating towards two domains. Both domains were registered during the time of the campaign.
One of the PlugX samples consisted of the following three parts:
| Filename | Hashes |
| HPCustPartic.exe | SHA256: 8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6 |
| HPCustPartUI.dll | SHA256: 0ee5b19ea38bb52d8ba4c7f05fa1ddf95a4f9c2c93b05aa887c5854653248560 |
| HPCustPartic.bin | SHA256: 008f7b98c2453507c45dacd4a7a7c1b372b5fafc9945db214c622c8d21d29775 |
The .exe file is a valid and signed executable and, in this case, an executable from HP (HP Customer participation). We also observed other valid executables being used, ranging from AV vendors to video software. When the executable is run, the DLL next to it is loaded. The DLL is valid but contains a small hook towards the payload which, in our case, is the .bin file. The DLL loads the PlugX config and injects it into a process.
We executed the samples in a test setup and dumped the memory of the machine to conduct memory analysis with volatility. After the basic forensically sound steps, we ran the malfind plugin to detect possible injected code in a process. From the redacted output of the plugin, we observed the following values for the process with possible injected code:
Process: svchost.exe Pid: 860 Address: 0xb50000
Process: explorer.exe Pid: 2752 Address: 0x56a000
Process: svchost.exe Pid: 1176 Address: 0x80000
Process: svchost.exe Pid: 1176 Address: 0x190000
Process: rundll32.exe Pid: 3784 Address: 0xd0000
Process: rundll32.exe Pid: 3784 Address: 0x220000
One observation is the mention of the SVCHOST process with a ProcessID value of 1176 that is mentioned twice but with different addresses. This is similar to the RUNDLL32.exe that is mentioned twice with PID 3785 and different addresses. One way to identify what malware may have been used is to dump these processes with the relevant PID using the procdump module, upload them to an online analysis service and wait for the results. Since this is a very sensitive case, we took a different approach. Using the best of both worlds (volatility and Yara) we used a ruleset that consists of malware patterns observed in memory over time. Running this ruleset over the data in the memory dump revealed the following (redacted for the sake of readability) output:
Figure 3 Output Yarascan memory dump
The output of the Yara rule scan (and there was way more output) confirmed the presence of PlugX module code in PID 1176 of the SVCHOST service. Also, the rule was triggered on PID 3784, which belonged to RUNDLL32.exe.
Investigating the dumps after dynamic analysis, we observed two domain names used for C2 traffic:
In particular, we saw the following hardcoded value that might be another payload being downloaded:
sery.brushupdata.com/CE1BC21B4340FEC2B8663B69
The PlugX families we observed used DNS [T1071.001] [T1071.004] as the transport channel for C2 traffic, in particular TXT queries. Investigating the traffic from our samples, we observed the check-in-signature (“20 2A 2F 2A 0D”) that is typical for PlugX network traffic:
00000000: 47 45 54 20 2F 42 34 42 42 44 43 43 30 32 39 45
00000010: 31 31 39 37 31 39 46 30 36 35 36 32 32 20 48 54
00000020: 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20
00000030: 2A 2F 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 44 36 43
00000040: 57 50 2B 56 5A 47 6D 59 6B 6D 64 6D 64 64 58 55
00000050: 71 58 4D 31 71 31 6A 41 3D 0D 0A 55 73 65 72 2D
During our analysis of the different PlugX samples discovered, the domain names as mentioned above stayed the same, though the payload values were different. For example:
Other PlugX samples we observed injected themselves into Windows Media Player and started a connection with the following two domains:
Another mechanism observed was to start a program as a service [T1543.003] on the Operating System with the acquired System rights by using the *Potato tools. The file the adversary was using seemed to be a backdoor that was using the DLL file format (2458562ca2f6fabddae8385cb817c172).
The DLL is used to create a malicious service and its name is “service.dll”. The name of the created service, “SysmainUpdate”, is usurping the name of the legitimate service “SysMain” which is related to the legitimate DLL sysmain.dll and also to the Superfetch service. The dll is run using the command “rundll32.exe SuperFrtch.dll, #1”. The export function has the name “WwanSvcMain”.
The model uses the persistence technique utilizing svchost.exe with service.dll to install a rogue service. It appears that the dll employs several mechanisms to fingerprint the targeted system and avoid analysis in the sandbox, making analysis more difficult. The DLL embeds several obfuscated strings decoded when running. Once the fingerprinting has been done, the malware will install the malicious service using the API RegisterServiceHandlerA then SetServiceStatus, and finally CreateEventA. A description of the technique can be found here.
The malware also decrypts and injects the payload in memory. The following screenshot shows the decryption routine.
Figure 4 Decryption routine
When we analyzed this unique routine, we discovered similarities and the mention of it in a publication that can be read here. The malware described in the article is attributed to the Winnti malware family. The operating method and the code used in the DLL described in the article are very similar to our analysis and observations.
The process dump also revealed further indicators. Firstly, it revealed artifacts related to the DLL analyzed, “C:\ProgramData\Microsoft\Windows\SuperfRtch\SuperfRtch.dat”. We believe that this dat file might be the loaded payload.
Secondly, while investigating the process dump, we observed activities from the backdoor that are part of the data exfiltration attempts which we will describe in more detail in this analysis report.
A redacted snippet of the code would look like this:
Creating archive ***.rar
Adding [data from location]
0%
OK
Another indicator of discovering Winnti malware was the following execution path we discovered in the command line dump of the memory:
cmd /c klcsngtgui.exe 1560413F7E <abbreviation-victim>.dat
What we observed here was the use of a valid executable, the AES 256 decryption key of the payload (.dat file). In this case, the payload file was named using an abbreviation of the victim company’s name. Unfortunately, the adversary had removed the payload file from the system. File carving did not work since the disk/unallocated space was overwritten. However, reconstructing traces from memory revealed that we were dealing with the Winnti 4.0 malware. The malware was injected into a SVCHOST process where a driver location pointed to the config file. We observed in the process dump the exfiltration of data on the system, such as OS, Processor (architecture), Domain, Username, etc.
Another clue that helped us was the use of DNS tunneling by Winnti which we discovered traces of in memory. The hardcoded 208.67.222.222 resolves to a legitimate OpenDNS DNS server. The IP is pushed into the list generated by the malware at runtime. At the start of the malware, it populates the list with the system’s DNS, and the OpenDNS server is only used as a backup to ensure that the C2 domain is resolved.
Another indicator in the process dump was the setup of the C2 connection including the User-Agent that has been observed being used by Winnti 4.0 malware:
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
WMI activity [T1546.003] was also observed to execute commands on the systems.
From a persistence point of view, scheduled tasks [T1053.005] and the use of valid accounts [T1078] acquired through the use of Mimikatz, or creating LSASS dumps, were observed being employed during the length of the campaign.
From a lateral movement perspective, the adversary used the obtained credentials to hop from asset to asset. In one particular case, we observed a familiar filename: “PsExec.exe”. This SysInternals tool is often observed being used in lateral movement by adversaries, however, it can also be used by the sysadmins of the network. In our case, the PsExec executable had a file size of 9.6 MB where the original PsExec (depending on 32- or 64-bit version) had a maximum file size of 1.3 MB. An initial static inspection of the file resulted in a blob of code that was present in the executable which had a very high entropy score (7.99). When running the file from the command line, the following output was observed:
Figure 5 PsExec output
The error notification and the ‘Impacket’ keyword tipped us off and, after digging around, we found more. The fake PsExec is an open-source Python script that is a PsExec alternative with shell/backdoor capability. It uses a script from this location: hxxps://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.pyi. The file is large since it incorporates a low-level protocol interaction from Impacket. The Python library combined with the script code is compiled with py2exe. The file was compiled during the time of the latest attack activities and signed with an expired certificate.
From what we observed, the adversary had a long-term intention to stay present in the victim’s network. With high confidence, we believe that the adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes.
The adversary used several techniques to exfiltrate the data. In some cases, batch (.bat) scripts were created to gather information from certain network shares/folders and use the ‘rar’ tool to compress them to a certain size [T1020] [T1030]. Example of content in a batch script:
C:\Windows\web\rar.exe a -[redacted] -r -v50000 [Target-directory]
On other occasions, manual variants of the above command were discovered after using the custom backdoor as described earlier.
When the data was gathered on a local system using the backdoor, the files were exfiltrated over the backdoor and the rar files were deleted [T1070.004]. Where external facing assets were used, like a web server, the data was stored in a location in the Internet Information Services (IIS) web server and exfiltrated over HTTP using GET requests towards the exact file paths [T1041] [T1567] [T1071].
An example of the [redacted] web traffic in the IIS logfiles:
| Date /Time | Request | TCP Src port | Source IP | User-Agent | |
| Redacted | GET /****/[redacted].rar | 80 | 180.50.*.* | MINIXL | |
| redacted | GET /****/[redacted].rar | 80 | 209.58.*.* | MINIXL | |
The source IP addresses discovered belonged to two different ISP/VPN providers based in Hong-Kong.
The User-Agent value is an interesting one, “MINIXL”. When we researched that value, we discovered a blog from Dell SecureWorks from 2015 that mentions the same User-Agent, but also a lot of the artifacts mentioned from the blog overlapped with the observations and TTPs of Operation Harvest [link].
What we could retrieve from open-source databases is that the use of this particular User-Agent is very limited and seems to originate from the APAC region.
That seems to be the one-million-dollar question to be asked. Within McAfee, attribution is not our main focus, protecting our customers is our priority. What we do care about is that if we learn about these techniques during an investigation, can we map them out and support our IR team on the ground, or a customer’s IR team, with the knowledge that can help determine which phase of the attack the evidence is pointing to and based on historical data and intelligence, assist in blocking the next phase and discover more evidence?
We started by mapping out all MITRE ATT&CK Enterprise techniques and sub-techniques, added the tools used, and did a comparison against historical technique data from the industry. We ended up with four groups that shared techniques and sub-techniques. The Winnti group was added by us since we discovered the unique encryption function in the custom backdoor and indicators of the use of the Winnti malware.
Figure 6 ATT&CK technique comparison
The diagram reflecting our outcome insinuated that APT27 and APT41 are the most likely candidates that overlap with the (sub-)techniques we observed.
Since all these groups are in a certain time zone, we extracted all timestamps from the forensic investigation with regards to:
When we converted all these timestamps from UTC to the aforementioned groups’ time zones, we ended up with the below scheme on activity:
Figure 7 Adversary’s time of operation
In this campaign, we observed how the adversary mostly seems to work from Monday to Thursday and typically during office hours, albeit with the occasional exception.
Correlating ATT&CK (sub-)techniques, timestamps, and tools like PlugX and Mimikatz are not the only evidence indicators that can help to identify a possible adversary. Command-line syntax, specific code similarity, actor capability over time versus other groups, and unique identifiers are at the top of the ‘pyramid of pain’ in threat intelligence. The bottom part of the pyramid is about hashes, URLs, and domains, areas that are very volatile and easy to change by an adversary.
Figure 8 Pyramid of Pain
Beyond investigating those artifacts, we also took possible geopolitical interests and potential deception into consideration when building our hypothesis. When we mapped out all of these, we believed that one of the two previously mentioned groups were responsible for the campaign we investigated.
Our focus was not about attribution though, but more around where the flow of the attack is, matches against previous attack flows from groups, and what techniques/tools they are using to block next steps, or where to locate them. The more details we can gather at the top of ‘the pyramid of pain’, the better we can determine the likely adversary and its TTP’s.
Well, not really. While correlating the observed (sub-)techniques, the malware families and code, we discovered another targeted attack against a similar target in the same nation with the major motivation of gathering intelligence. In the following diagram we conducted a high-level comparison of the tools being used by the adversary:
Figure 9 Tools comparison
Although some of the tools are unique to each campaign, if taken into consideration over time with when they were used, it makes sense. It demonstrates the development of the actor and use of newer tools to conduct lateral movement and to obtain the required level of user rights on systems.
Overall, we observed the same modus operandi. Once an initial foothold was established, the adversary would deploy PlugX initially to create a few backdoors in the victim’s network in case they were discovered early on. After that, using Mimikatz and dumping lsass, they were looking to get valid accounts. Once valid accounts were acquired, several tools including some of their own tools were used to gain information about the victim’s network. From there, several shares/servers were accessed, and information gathered. That information was exfiltrated as rar files and placed on an internet-facing server to hide in the ‘normal’ traffic. We represent that in the following graphic:
Figure 10 Attack flow
In the 2019/2020 case we also observed the use of a malware sample that we would classify as part of the Winnti malware family. We discovered a couple of files that were executed by the following command:
Start Ins64.exe E370AA8DA0 Jumper64.dat
The Winnti loader ‘Ins64.exe’ uses the value ‘E370AA8DA0’ to decrypt the payload from the .dat file using the AES-256-CTR decryption algorithm and starts to execute.
After executing this command and analyzing the memory, we observed a process injection in one of the svchost processes whereby one particular file was loaded from the following path:
C:\programdata\microsoft\windows\caches\ieupdate.dll
Figure 11 Memory capture
The malware started to open up both UDP and TCP ports to connect with a C2 server.
UDP Port 20502
TCP Port 20501
Figure 12 Network connections to C2
Capturing the traffic from the malware we observed the following as an example:
Figure 13 Winnti HTTP traffic to C2
The packet data was customized and sent through a POST request with several headers towards the C2. In the above screenshot the numbers after “POST /” were randomly generated.
The User-Agent is a good network indicator to identify the Winnti malware since it is used in multiple variants:
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Indeed, the same User Agent value was discovered in the Winnti sample in Operation Harvest and seems to be typical for this malware family.
The cookie value consists of four Dword hex values that contain information about the customized packet size using a XOR value.
We learned more about the packet structure of Winnti from this link.
Applying what we learned about the handshake, we observed the following in our traffic sample:
Dword value 0 = 52 54 00 36
Dword value 1 = 3e ff 06 b2
Dword value 2 = 99 6d 78 fe
Dword value 3 = 08 00 45 00
Dword value 4 = 00 34 00 47
Initial handshake order:
Based on our cross-correlation with samples and other OSINT resources, we believe with a high confidence that this was a Winnti 4.0 sample that connects with a confirmed Winnti C2 server.
The identified C2 server was 185.161.211.97 TCP/80.
When analyzing the timestamps from this investigation, like we did for operation Harvest, we came to the below overview:
Figure 14 Beijing working hours case 2019/2020
Again, we observed that the adversary was operating Monday to Friday during office hours in the Beijing time-zone.
Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.
After mapping out all data, TTP’s etc., we discovered a very strong overlap with a campaign observed in 2019/2020. A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.
On a separate note, we observed the use of the Winnti malware. We deliberately mention the term ‘malware’ instead of group. The Winnti malware is known to be used by several actors. Within every nation-state cyber-offensive activity, there will be a department/unit responsible for the creation of the tools/malware, etc. We strongly believe that is exactly what we observe here as well. PlugX, Winnti and some other custom tools all point to a group that had access to the same tools. Whether we put name ‘X’ or ‘Y’ on the adversary, we strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims’ networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions.
| Technique ID | Technique Title | Context Campaign |
| T1190 | Exploit Public-facing application | Adversary exploited a web-facing server with application |
| T1105 | Ingress Tool transfer | Tools were transferred to a compromised web-facing server |
| T1083 | File & Directory Discovery | Adversary browsed several locations to search for the data they were after. |
| T1570 | Lateral Tool Transfer | Adversary transferred tools/backdoors to maintain persistence |
| T1569.002 | System Services: Service Execution | Adversary installed custom backdoor as a service |
| T1068 | The exploitation of Privilege Escalation | Adversary used Rotten/Bad Potato to elevate user rights by abusing API calls in the Operating System. |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Adversary used PlugX malware that is famous for DLL-Side-Loading using a valid executable, a DLL with the hook towards a payload file. |
| T1543.003 | Create or Modify System Process: Windows Service | Adversary launched backdoor and some tools as a Windows Service including adding of registry keys |
| T1546.003 | Event-Triggered Execution: WMI Event Subscription | WMI was used for running commands on remote systems |
| T1053.005 | Scheduled task | Adversary ran scheduled tasks for persistence of certain malware samples |
| T1078 | Valid accounts | Using Mimikatz and dumping of lsass, the adversary gained credentials in the network |
| T1020 | Automated exfiltration | The PlugX malware exfiltrated data towards a C2 and received commands to gather more information about the victim’s compromised host. |
| T1030 | Data transfer size limits | Adversary limited the size of rar files for exfiltration |
| T1070.004 | Indicator removal on host | Where in the beginning of the campaign the adversary was sloppy, during the last months of activity they became more careful and started to remove evidence |
| T1041 | Exfiltration over C2 channel | Adversary used several C2 domains to interact with compromised hosts. |
| T1567 | Exfiltration over Web Service | Gathered information was stored as ‘rar’ files on the internet-facing server, whereafter they were downloaded by a specific ip range. |
| T1071.004 | Application layer protocol: DNS | Using DNS tunneling for the C2 traffic of the PlugX malware |
Note: the indicators shared are to be used in a historical and timeline-based context, ranging from 2016 to March 2021.
PlugX C2:
| sery(.)brushupdata(.)com |
| Dnssery(.)brushupdata(.)com |
| Center(.)asmlbigip(.)com |
Tools:
Mimikatz
PsExec
RottenPotato
BadPotato
PlugX malware:
f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498
26e448fe1105b5dadae9b7607e3cca366c6ba8eccf5b6efe67b87c312651db01
e9033a5db456af922a82e1d44afc3e8e4a5732efde3e9461c1d8f7629aa55caf
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe
Winnti:
800238bc27ca94279c7562f1f70241ef3a37937c15d051894472e97852ebe9f4
c3c8f6befa32edd09de3018a7be7f0b7144702cb7c626f9d8d8d9a77e201d104
df951bf75770b0f597f0296a644d96fbe9a3a8c556f4d2a2479a7bad39e7ad5f
Winnti C2: 185.161.211.97
Tools:
PSW64 6e983477f72c8575f8f3ff5731b74e20877b3971fa2d47683aff11cfd71b48c6
NTDSDumpEx 6db8336794a351888636cb26ebefb52aeaa4b7f90dbb3e6440c2a28e4f13ef96
NBTSCAN c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
NetSess ddeeedc8ab9ab3b90c2e36340d4674fda3b458c0afd7514735b2857f26b14c6d
Smbexec e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee
Wmiexec 14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8
Mimikatz
RAR command-line
TCPdump
The post Operation ‘Harvest’: A Deep Dive into a Long-term Campaign appeared first on McAfee Blog.
McAfee Enterprise’s Advanced Threat Research (ATR) team provided deep insight into a long-term campaign Operation Harvest. In the blog, they detail the MITRE Tactics and Techniques the actors used in the attack. In this blog, our Pre-Sales network defenders describe how you can defend against a campaign like Operation Harvest with McAfee Enterprise’s MVISION Security Platform and security architecture best practices.
Operation Harvest, like other targeted attack campaigns, leverages multiple techniques to access the network and capture credentials before exfiltrating data. Therefore, as a Network Defender you have multiple opportunities to prevent, disrupt, or detect the malicious activity. Early prevention, identification and response to potentially malicious activity is critical for business resilience. Below is an overview of how you can defend against attacks like Operation Harvest with McAfee’s MVISION Security Architecture.
Throughout this blog, we will provide some examples of where MVISION Security Platform could help defend against this type of attack.
As Network Defenders our goal is to prevent, detect and contain the threat as early as possible in the attack chain. That starts with using threat intelligence, from blogs or solutions like MVISION Insights to get prepared and using tools like MITRE Attack Navigator to assess your defensive coverage. The ATR blog details the techniques, indicators and tools used by the attackers. Many of the tools used in Operation Harvest are common across other threat actors and detection details for PlugX, and Winnti are already documented in MVISION INSIGHTS.
Get a quick overview of the PlugX tool:
Easily search for or export PlugX IOCs right from MVISION Insights:
Get a quick overview of the Winnti tool:
Easily search for or export Winnti IOCs right from MVISION Insights:
Cross Platform Hunting Rules for Winnti:
MVISION Insights is also updated with the latest technical intelligence on Operation Harvest including a summary of the threat, prevalence, indicators of compromise and recommended defensive countermeasures.
In this attack, the initial access involved a compromised web server. Over the last year we have seen attackers increasingly use initial access vectors beyond spear-phishing, such as compromising remote access systems or supply chains. The exploiting of public-facing vulnerabilities for Initial Access is a technique associated with Operation Harvest and other APT groups to gain entry. Detecting this activity and stopping it is critical to limiting the abilities of the threat actor to further their execution strategy. Along with detecting the ongoing activity, it is also imperative to verify critical vulnerabilities are patched and configurations are security best practice to prevent exploitation. MVISION UCE provides visibility into threats, vulnerabilities, and configuration audits mapped to the MITRE ATT&CK Framework for protection against suspicious activity.
Many customer-facing applications and web servers are hosted on cloud infrastructure. As a Network Defender, gaining visibility and monitoring for misconfigurations on the infrastructure platforms is critical as this is increasingly the entry point for an attacker. MVISION Cloud Native Application Protection Platform (CNAPP) provides a continuous assessment capability for multiple cloud platforms in a single console so you can quickly correct misconfigurations and harden the security posture across AWS, AZURE or Google Cloud Platforms.
The attackers uploaded several known or potentially malicious tools to compromised systems. Many of these tools were detected on installation or execution by ENS Threat Prevention or Adaptative Threat Prevention Module. The following is a sample of the Threat Event log from ePolicy Orchestrator (ePO) from our testing.
You can easily search for these events in ePO and investigate any systems with detections.
For best protection turn on Global Threat Intelligence (GTI) for both Threat Prevention and Adaptive Threat Protection modules. Ensure ATP Rules 4 (GTI File Reputation) and 5 (URL Reputation) are enabled in ATP. Global Threat Intelligence is updated with the latest indicators for this attack as well.
Additionally, based on other observables in this attack, we believe there are several other Adaptive Threat Prevention Rules that could prevent or identify potentially malicious activity on the endpoint or server. Monitor especially for these ATP events in the ePO threat event logs:
Rule 269: Detects potentially malicious usage of WMI service to achieve persistence
Rule 329: Identify suspicious use of Scheduled Tasks
Rule 336: Detect suspicious payloads targeting network-related services or applications via dual use tools
Rule 500: Block lateral movement using utilities such as Psexec from an infected client to other machines in the network
Rule 511: Detect attempts to dump sensitive information related to credentials via lsaas
Analysis will continue and additional ATP rules we think relate will be added to mitigation guidance in MVISION Insights.
ENS with Expert Rules
Expert Rules are a powerful, customizable signature language within ENS Threat Prevention Module. For this attack, you could use Expert Rules to identify potential misuse of Psexec or prevent execution or creation of certain file types used such as .rar files.
Additional guidance on creating your own Expert Rules and link to our repository are here:
How to Use Expert Rules in ENS to Prevent Malicious Exploits
Per standard practice, we recommend that customers test this rule in report mode before applying in block mode.
Like other attacks exploiting critical vulnerabilities, attackers may gain command and control over exploited systems to deliver payloads or other actions. MVISION EDR can both identify many command-and-control techniques such as Cobalt Strike beacons. In this case, MVISION EDR would have logged the DNS and HTTP connection requests to the suspicious domains and an SOC analysts could use Real Time and Historical search to hunt proactively for compromised machines.
Additionally, Unified Cloud Edge (UCE – SWG) can prevent access to risky web sites using threat intelligence, URL reputation, behaviour analysis and remote browser isolation. Ensure you have a strong web security policy in place and are monitoring logs. This is a great control to identify potentially malicious C2 activity.
The adversary used several techniques and tools to elevate privileges and run Mimikatz to steal credentials. In our simulation, MVISION EDR proactively identified the attempt to download and execute in memory a Mimikatz PowerShell script.
We simulated the attacker malicious attempt using potato tools reproducing a generic privilege escalation. From the EDR monitoring process tree we could observe the sequence of events with a change in terms of user name from a user account to SYSTEM.”
We started a guided investigation on the affected system. Analytics on the data identified anomalies in user behavior. Guided investigations make easier to visualize complex data sets and interconnections between artifacts and systems.
The attackers used a common dual use system utility, in this case Psexec.exe, to move laterally. In many cases, the malicious use of legitimate system tools is difficult to detect with signature-based detection only. MVISION EDR uses a combination of behaviour analytics and threat intelligence to proactively identify and flag a high severity alert on malicious use of Psexec for lateral movement.
Psexec.exe used for lateral movement:
The threat actors behind Operation Harvest utilized various tools to elevate privileges and exfiltrate data out of the impacted environment. Visualizing anomalies in user activity and data movement can be used to detect out of the ordinary behavior that can point to malicious activity going on in your environment. MVISION UCE will monitor user behavior and provide anomalies for the security team to pinpoint areas of concern for insider or external adversarial threats.
Identifying User Access Anomalies with UCE:
Identifying Data Transfer Anomalies with UCE:
MVISION Security Platform provides defense in depth to prevent, disrupt or detect many of the techniques used in Operation Harvest. As a network defender, focus on early prevention or detection of the techniques to better protect your organization against cyber-attacks.
The post McAfee Enterprise Defender’s Blog: Operation Harvest appeared first on McAfee Blog.
FreshRSS 