SDP for Zero Trust ! Game changer

Software Defined Perimeter (SDP) is the most effective architecture for adopting a zero trust strategy, an approach that is being heralded as the breakthrough technology for preventing large-scale breaches.


“Most of the existing zero trust security measures are applied as authentication and sometimes authorization, based on policy after the termination of Transport Layer Security (TLS) certificates.”

“Network segmentation and the establishment of micro networks, which are so important for multi-cloud deployments, also benefit from adopting a software-defined perimeter zero trust architecture.”

SDP improves security posture

A zero trust implementation using SDP enables organizations to defend against new variations of old attack methods that constantly surface in existing perimeter-centric network and infrastructure models.

Implementing SDP improves the security posture of businesses facing the challenge of continuously adapting to attack surfaces that are both expanding and increasingly complex.

Network security implementation issues

The report notes particular issues that have arisen that require a rapid change in the way network security is implemented, including the:

1. Changing perimeter
2. IP address challenge
3. Challenge of implementing integrated controls

Zscaler buys another startup ! Edge networks

Zscaler Inc. is doubling down in its drive to dominate the market for “zero trust” security frameworks with its second acquisition in about six weeks.

The cloud security specialist is acquiring Edgewise Networks, a four-year-old Boston area startup focused on securing communications among applications running in cloud and datacenter networks.

The acquisition of Edgewise Networks addresses growing enterprise requirements to detect security threats that can spread rapidly across a network from a single compromised server. The startup’s tools focus on securing so-called “east-west,” or lateral, network traffic by verifying application software and other services.

The result, Zscaler said, is a zero-trust environment in which no one inside or outside a network is trusted by default. The security approach is said to reduce cloud and datacenter attack surfaces, thereby reducing data breaches and application hacks.

The startup’s zero-trust approach discovers individual applications and their legitimate communication patterns. AI and machine learning algorithms are then used to automatically enforce authorized communication to provide a security layer called application segmentation. That approach isolates distinct service tiers from one another within an application to create security boundaries that reduce exposure to attacks originating from other applications.

“Edgewise is highly innovative technology that enables application segmentation without having to do traditional network segmentation, which is often done with virtual firewalls.”

The zero-trust security framework is geared to the growing number of enterprise multi-cloud deployments that increasingly use microservices to deliver distributed applications. The many moving parts create more opportunities for security breaches via compromised servers and applications.

The Edgewise framework uses a technique called software identity verification to secure network traffic carried across public and hybrid clouds, datacenters and application containers.

PonyFinal Ransomware ! Now Microsoft comes with a warning


Microsoft’s security team has issued an advisory today warning organizations around the globe to deploy protections against a new strain of ransomware that has been in the wild over the past two months.

“PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks.”

Human-operated ransomware is a subcategory of ransomware. In human-operated ransomware attacks, hackers breach corporate networks and deploy the ransomware themselves.

This contrasts with the classic ransomware attacks seen in the past, such as ransomware distributed via email spam or exploit kits, where the infection process relies on tricking users into launching the payload.

How PonyFinal operates

Microsoft says it’s been tracking incidents where the PonyFinal ransomware has been deployed.

The intrusion point is usually an account on a company’s systems management server, which the PonyFinal gang breaches using brute-force attacks that guess weak passwords.

Once inside, Microsoft says the PonyFinal gang deploys a Visual Basic script that runs a PowerShell reverse shell to dump and steal local data. In addition, the ransomware operators also deploy “a remote manipulator system to bypass event logging.”


Once the PonyFinal gang has a firm grasp on the target’s network, they then spread to other local systems and deploy the actual PonyFinal ransomware.

In most cases, attackers target workstations where the Java Runtime Environment (JRE) is installed, since PonyFinal is written in Java. But Microsoft says it has also seen instances where the gang installed the JRE on systems before running the ransomware.

Microsoft says that files encrypted with the PonyFinal ransomware usually have an additional “.enc” file extension added to the end of each encrypted file.
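Two of the stages described above, password guessing against a management-server account and a Visual Basic script launching a PowerShell shell, leave traces a defender can correlate. The following is an added example, not part of Microsoft’s advisory, that runs that correlation over constructed, simplified Windows-style logon (4625/4624) and process-creation (4688) events; the log format, host names and account names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): "time host event_id key=value ...";
# 4625 = failed logon, 4624 = successful logon, 4688 = process creation.
SAMPLE_EVENTS = """\
09:58:10 mgmt01 4625 user=svc_sccm src=203.0.113.7
09:58:11 mgmt01 4625 user=svc_sccm src=203.0.113.7
09:58:12 mgmt01 4625 user=svc_sccm src=203.0.113.7
09:58:13 mgmt01 4625 user=svc_sccm src=203.0.113.7
09:58:14 mgmt01 4624 user=svc_sccm src=203.0.113.7
10:01:02 mgmt01 4688 parent=wscript.exe image=powershell.exe
10:03:40 ws17 4688 parent=explorer.exe image=powershell.exe
10:04:00 ws17 4625 user=jdoe src=10.0.0.22
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+)(.*)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows script hosts that run .vbs

def parse_events(text):
    """Parse the constructed log format into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"time": m.group(1), "host": m.group(2), "id": int(m.group(3))}
        ev.update(kv.split("=", 1) for kv in m.group(4).split())
        events.append(ev)
    return events

def brute_force_then_success(events, threshold=3):
    """Flag (host, user, src, failures) where >= threshold 4625s are followed by a 4624."""
    failures = defaultdict(int)
    hits = []
    for ev in events:
        key = (ev["host"], ev.get("user"), ev.get("src"))
        if ev["id"] == 4625:
            failures[key] += 1
        elif ev["id"] == 4624:
            if failures[key] >= threshold:
                hits.append((*key, failures[key]))
            failures[key] = 0  # a success ends the guessing sequence
    return hits

def script_host_spawning_powershell(events):
    """Flag 4688 events where a Windows script host is the parent of powershell.exe."""
    return [(ev["host"], ev["parent"], ev["image"]) for ev in events
            if ev["id"] == 4688 and ev.get("parent", "").lower() in SCRIPT_HOSTS
            and ev.get("image", "").lower() == "powershell.exe"]
```

Both detections firing on the same host within a short window is the pattern worth escalating; either one alone is a weaker signal.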

Valak targeting Exchange Servers

First observed in late 2019, Valak was once classified by cybersecurity researchers as a malware loader. Valak, deemed “sophisticated” by the Cybereason Nocturnus team, has undergone a host of changes over the past six months, with over 20 version revisions changing the malware from a loader to an independent threat in its own right.

After landing on a machine through a phishing attack using Microsoft Word documents containing malicious macros, a .DLL file called “U.tmp” is downloaded and saved to a temporary folder.

A WinExec API call is then made and JavaScript code is downloaded, leading to the creation of connections to command-and-control (C2) servers. Additional files are then downloaded, decoded using Base64 and an XOR cipher, and the main payload is then deployed.

Registry keys and values are set and a scheduled task is created to maintain persistence on an infected machine. Next, Valak downloads and executes additional modules for reconnaissance and data theft.

Two main payloads, project.aspx and a.aspx, perform different functions. The former manages registry keys, task scheduling for malicious activities, and persistence, whereas the latter — internally named PluginHost.exe — is an executable that manages additional components.

Valak’s “ManagedPlugin” module is of particular interest. Its functions include a system information grabber that harvests local and domain data, the “Exchgrabber” function, which aims to infiltrate Microsoft Exchange by stealing credentials and domain certificates, a geolocation verifier, screenshot capture, and “Netrecon,” a network reconnaissance tool.

In addition, the malware will scour infected machines for existing antivirus products.

The most recent Valak variants have been tracked in attacks against Microsoft Exchange servers, in what are believed to be enterprise-focused attacks.

“Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise,” the researchers say. “With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises.”