Research Blogs Feed: Zscaler Blog — News and views from the leading voice in cloud security.

Join Us Live: Three Secrets to Stopping Ransomware Cold

Zscaler will be hosting a webinar covering ransomware's ins and outs and what you can do to keep your organization safe. Learn more and secure your spot here.

Ransomware continues to dominate headlines worldwide, with recent estimates surpassing $20 billion of damages in 2020 alone. Today’s adversaries are using a diverse set of methodologies to attack each target and easily bypass legacy security solutions. While ransomware can cause serious damage and disruption to a business’s networks, finances, and reputation, we assure you that it’s not all doom and gloom—if you know the secrets to stopping these attacks.

We’ll be discussing all of that at our upcoming virtual event, The Three Secrets to Stopping Ransomware Cold, and I hope you’ll join us. I’ll be joined by Deepen Desai, CISO and VP of Security Research at Zscaler, and Tony Fergusson, our Director of Transformation Strategy. The three of us have spent years analyzing and combating ransomware, and we’ll dive into new techniques attackers are using to avoid detection, trick users, and coerce organizations into paying (it’s not just about losing data anymore). We’ll also explore the best ways to protect your enterprise from these highly disruptive attacks.

The session will cover:
- How the latest ransomware campaigns exploit security weaknesses
- How ransomware hides inside encrypted traffic to bypass inspection
- What it takes to sandbox suspicious files effectively
- Why cloud scalability can close security gaps
- How a zero trust approach to connectivity eliminates your attack surface

Ransomware isn’t going away—it is, however, getting more disruptive, more impactful, and more expensive.
Legacy tools do not have the inspection capabilities to keep up with the demands of inspecting all traffic, quarantining threats at scale without performance dips, or delivering the always-on security necessary to defend today’s remote workforce. Zscaler, on the other hand, has already helped thousands of customers prevent ransomware and other cyberattacks using the Zscaler Zero Trust Exchange, the world’s largest inline security platform built for the cloud.

Live webinar dates and times:
- America: Tuesday, September 29, 2020 | 11:00 AM PT | 2:00 PM ET
- EMEA: Wednesday, September 30, 2020 | 10:00 AM BST | 11:00 AM CEST
- APAC: Wednesday, September 30, 2020 | 10:00 AM IST | 2:30 PM AEST

Register today for one of these sessions. We look forward to seeing you there!

About Bryan Lee
Bryan is a Principal Product Manager at Zscaler, with more than ten years of experience in cybersecurity. His areas of expertise are espionage threats, cybersecurity operations, and threat intelligence.

About Deepen Desai
Deepen is the Zscaler CISO and VP of Security Research at Zscaler ThreatLabZ. Deepen has been actively involved in threat research and analysis for 13 years and is affiliated with various security working groups.

About Tony Ferguson
Tony is the Director of Transformation Strategy at Zscaler and has more than 25 years of experience in IT networking and security across a range of organizations and industries, including manufacturing, information technology, and financial services.

Bryan Lee

Changing the Mindset: From Cost Center to Business Enabler

Robert Berkenpas is the Group Manager Infrastructure & Operations at MOWI. His post originally appeared on LinkedIn, and you can view a short video about MOWI’s work-from-anywhere journey here.

It is not unusual that innovation happens when we are faced with a crisis.
Dealing with a shortage of resources, lacking time, being faced with an economic downturn or a global health crisis, our plans and budgets, which have been thoroughly calculated, debated, and negotiated, all of a sudden are no longer the rule book by which we play. Unusual times cause us to be quick on our feet, rethink, pivot, and make changes that had been unimaginable before.

Just six months ago, had you told me that MOWI’s offices and production facilities, like the Brugge production plant for example, were going to look like ghost towns, with only essential personnel on the floor handling and filleting freshly caught salmon from Norway (even ramping up production volume) and the factory actually being run from our employees’ homes, I would have called you crazy. Here we are, half a year into the worst pandemic of my lifetime, which has affected millions of people around the world and brought so many businesses around the globe to a standstill.

Being one of the largest seafood producers in the world, MOWI has an obligation to care for our employees and the fish we raise and to secure the supply of food for people all around the world. While it has been a difficult time, I want to highlight a positive development that I have been very lucky to observe over the past few months: IT being recognized as a business enabler rather than a cost center.

Earlier this year, when it became evident that COVID-19 was spreading globally and social distancing was going to be essential, my team stepped up and rolled out technology that would enable us to work anywhere, to keep our employees, their loved ones and all our colleagues safe. When people had started working from home, it became evident that our incumbent VPN was not able to handle the sheer number of users and amount of data.
We had already completed a proof-of-value of Zscaler Private Access (ZPA), which enabled us to fast-track the rollout to all staff in less than a month and proved to us that we had been on the right path when we evaluated ZPA. We deployed the solution remotely and got a few confused looks when we told people to just turn off their VPNs and continue working. Over the next weeks my team received many compliments on the ease of use: no more generating codes and entering PINs as you fire up your VPN, just turning on your laptop and starting to work.

The success we have had with Zscaler didn’t go unnoticed across all areas of the business. This has been one of those rare occasions in my career where we have been able to change the trajectory of our department, even for our business, through this very important technology decision that we made. My team proved that IT is there to support the business, not to put unnecessary obstacles in its way, as was often perceived in the past, and as a bonus to increase security. We probably pulled off the fastest IT project in the history of the company and demonstrated to our colleagues across the board that we have a vision on how to leverage technology to enable business outcomes.

This recognition has already manifested itself in our team being invited to meetings and discussions that we were previously not included in, or being brought to the table at an early stage where our expertise can actually propel projects forward. The mindset has changed and the company is more aware than ever of the value IT brings and how they can leverage our expertise to drive positive business outcomes, not just solve technical problems. We are learning a lot with new technologies, like using AI to improve feed patterns for our fish, or leveraging cloud technology to become a mobile workforce. And this is just the beginning.
When we as a business leverage technology to optimize or create new processes, we ensure that our company keeps innovating and supports a sustainable future. I am a firm believer that technology and innovation will create opportunities for MOWI when IT comes in as an innovator and a key partner in the business to make sure we add value at every step of the way. And I would like to salute and pay respect to my team because they are doing an awesome job; they delivered and exceeded the expectations of the business and I am really proud of them.

Robert Berkenpas

Five Data Protection Challenges and How to Combat Them

Five challenges

As the modern workforce evolves and continues to trend toward digital business models, company data and applications are migrating to the cloud from on-premise data centers. While this evolution gives individuals and lines of business (LOBs) more control, reduces cost, and enables businesses to run more efficiently than ever before, it also changes the role of IT from local security enforcers to global business enablers, and increases the need for a unified data protection offering to secure data and prevent data loss. Creating a security strategy to support this shift to a new reality of distributed data and cloud adoption across the organization isn’t simple, and businesses will first need to overcome a number of challenges.

Hidden data loss in encrypted traffic – When workers were in-office and on the company network, data and applications resided in central data centers, encrypted traffic was limited, and on-prem solutions were sufficient. With the move to the cloud, encryption has shifted from the exception to the rule. If your data protection solution isn’t classifying and controlling data in encrypted traffic, you will miss the majority of sessions in which data exposure and misuse is a possibility, leaving your organization vulnerable to data loss and breaches.
Gaps between data protection services – With the move to the cloud, data is distributed across SaaS and public cloud applications, and each is often created and maintained by individuals and LOBs across the organization. For example, a cloud access security broker (CASB) service is used to secure SaaS applications, while a secure web gateway (SWG) with data loss prevention (DLP) is used to secure internet applications, and cloud security posture management (CSPM) is used to secure public cloud applications. This complexity makes data protection uniformity and communication challenging, and can cause redundant functions and gaps in visibility and control across applications.

Limited context when controlling data usage – Granular visibility and control are imperative when protecting company data. Most data protection options provide IT limited visibility into who is attempting access, the user’s location, and the state of the application, limiting the control needed to enable effective and safe data usage and making data protection decisions unnecessarily difficult.

Poor user experience – With workers and applications moving from on-prem data centers to the cloud, the infrastructure in use is now the internet itself, limiting IT’s ability to anticipate, identify, and mitigate issues. When the majority of apps used by workers are out of the organization’s control, it becomes more difficult to ensure employees have a good user experience and maintain productivity.

Compliance violations across clouds – Failing to meet and maintain required industry regulations can mean hefty fines and even loss of business. With data distributed across cloud applications and services, compliance visibility and remediation ability are reduced, potentially putting your company at risk.
Five ways to combat them

To combat these challenges and make the transition to the cloud as seamless as possible, your data protection solution and protocols should include:

Full SSL inspection of all traffic – Stolen data is often disguised and sent uninspected through SSL, and according to the latest Google Transparency report, 95 percent of traffic is encrypted and therefore not subject to inspection by traditional DLP solutions. Partial inspection of your traffic leaves your business vulnerable to data loss, as sensitive data passing through may be missed. A cloud-based data protection solution can inspect every byte leaving your network, ensuring your data is secure.

Unified protections – Provide a consistent level of security to all your users worldwide, whether onsite or remote, by moving your security to the cloud. Zscaler Cloud Data Protection can monitor data in motion across locations with Cloud DLP and unify data at rest across SaaS and public cloud applications with out-of-band CASB.

Elastic scale with consistent enforcement – Zscaler prevents sensitive data from leaving your network instead of limiting you to damage control after data has been compromised. With Zscaler Cloud DLP, policy follows users wherever they work—on- or off-network—providing the same level of protection to all users at all times. The Zscaler security cloud scales elastically with performance guaranteed by service-level agreements.

Improved user experience – Many appliance-based security offerings require traffic to be backhauled to a central location, creating bottlenecks and causing latency, which directly affects user experience and productivity. A solution that embraces the concept of Secure Access Service Edge (SASE) puts data security as close as possible to the user, reducing latency and significantly improving user experience.
Compliance reporting and remediation – Enable unified compliance visibility and control company-wide across internet and SaaS applications using 14 different compliance standards, including Cloud Security Alliance (CSA), GxP, Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR), among others.

As data and applications move from the office to the cloud, your company must stay one step ahead to avoid becoming the next victim of data loss. Company and customer data security should be a top priority with a cloud-based data protection solution. To learn more about how to close gaps in your data protection strategy with Zscaler CASB and Cloud DLP, read this white paper or download this eBook.

Steve Grossenbacher is a Director of Product Marketing at Zscaler.

Steve Grossenbacher

How Microsegmentation Differs from Network Segmentation

Microsegmentation, as both a term and a network security concept, has been in the playbooks for years. Its main purpose is to reduce the network attack surface by limiting east-west communication through the application of granular security controls at the workload level. Laid out this way, it’s pretty easy to understand what microsegmentation is. However, as with all newer security-related terminology, it’s harder to determine what microsegmentation isn’t — because marketers and salespeople get ahold of the term and distort it in an effort to be relatable, sell more products, or even just to make comparisons with the trusted and familiar. That said, it is important for network security engineers and architects to understand the difference between microsegmentation and network segmentation, from which microsegmentation was born.

Network segmentation in a nutshell

Network segmentation is the practice of creating sub-networks within the overall network to prevent attackers from moving laterally once inside the perimeter and to boost system performance.
Typically, companies build network segments via VLANs or firewalls, and the newly created zones are based on geographic region or existing network tiers — data, applications, or network. Administrators can group like resources by type and sensitivity, and set controls that permit only specific network communication between zones.

Network segmentation is generally considered a north-south network traffic control, meaning that once inside a designated zone of the network, communication/software/users are trusted. Such trust models lead to breaches, and that’s a major reason microsegmentation evolved.

Further, VLANs and firewalls are network-based constructs, and managing the security of a network by network characteristics is no longer a viable solution in today’s public cloud and container environments. Not only is the use of physical data centers declining due to the advantages cloud offers, but IP addresses, ports, and protocols are easily spoofed or hijacked by malicious adversaries. When an adversary can blend in with normal traffic, how effective is the security control?

Further, data center-defined segments are too big and cumbersome to manage. Thousands of coarse-grained policies need to be created for each network zone, and no human alone can possibly tackle all the exception handling required by network-based policies. In other words, network segmentation is a heavy load to carry. It’s a necessary one in certain circumstances, but it can’t be the primary method of managing east-west, internal network traffic.
The basics of microsegmentation

In the simplest terms, the differences between microsegmentation and network segmentation can be boiled down to:

Segmentation                    Microsegmentation
------------------------------  ------------------------------
Coarse policies                 Granular policies
Physical network                Virtual or overlay network
North-south traffic             East-west traffic
Address based/network level     Identity based/workload level
Hardware                        Software

Microsegmentation originated as a way to moderate lateral traffic between servers in the same segment, but it has evolved over the years to include intra-segment traffic so that server A can talk to server B or Application A can communicate with Host B, etc., if the identity of the requesting resources matches the permission configured for that server/application/host/user. Since policies and permissions for microsegmentation are based on resource identity (versus a user’s/person’s identity), it is independent from the underlying infrastructure, which means:
- Fewer policies to manage
- Centralized policy management across networks
- Policies that automatically adapt regardless of infrastructure changes
- Gap-free protection across cloud, container, and on-premises data centers

Of course it’s not that cut-and-dried, but at its core, microsegmentation is a method of creating intelligent groupings of workloads based on characteristics of the workloads communicating inside the data center. As such, microsegmentation is not reliant on dynamically changing networks or the business or technical requirements placed on them, which means that it is both stronger and more reliable security.

Choosing between segmentation and microsegmentation

When it comes to the network security strategy, organizations shouldn’t be choosing “either/or”. Network segmentation is best for north-south traffic, and microsegmentation adds a layer of protection for east-west traffic — server-to-server, application-to-server, web-to-server, etc.
Using the age-old (and some security professionals might say “tired”) analogy: network segmentation is the thick walls and wide moats of the castle, while microsegmentation is the castle guards standing at the doors of each stateroom armed with pitchforks and knives. You can’t have security at only one juncture and for limited purposes. The same can be said for security in the cyber realm.

Want to learn more? Discover how Zscaler Workload Segmentation simplifies microsegmentation by automating policy creation and management, while protecting your applications and workloads in the cloud and data center.

Nagraj Seshadri is a Sr. Director of Marketing at Zscaler. Portions of this post were originally published on the Edgewise site.

Nagraj Seshadri

From “Department of NO” to “Department of KNOW”

This post originally appeared on LinkedIn, September 10, 2020.

COVID-19 changed business operations for everyone. Employees shifted to a work-from-anywhere (WFA) model, and that strained legacy networking and security systems. CISOs assumed risks they would never have tolerated before. IT teams bolstered VPN capacity to support the new load, but with a troubling new risk: enabling remote access for all employees introduced new cyber attack vectors. At the same time, companies had to cope with the pandemic’s effect on the business’ bottom line—and that often meant repurposing IT budgets to revenue-generating initiatives.

To regain their budgets, their influence, and their headcount, CISOs must change their mindset to focus on business needs. IT security can no longer be about controlling the network perimeter. It must shift to strategic planning that answers the question “How do I enable the business?” To succeed in a COVID-19 world and beyond, IT must align enterprise security with company goals. IT must now consider the business’ core competencies, the business needs that drive its success, the business’ direction, and IT’s own governance and compliance responsibilities.
(Pro tip: That last one shouldn’t include sustaining legacy networks.)

IT: Gatekeeper or guide?

IT security has traditionally enjoyed a less-than-favorable reputation as “The Department of No.” IT’s role in protecting the business meant it often had to get in the way: “No, you can’t adopt that cloud SaaS.” “No, you can’t move the database offsite.” “No, you can’t work remotely.” IT’s priority was to maintain the status quo. Anything that could rock the boat was out of scope, and they were often the gatekeepers for process deployment.

Why? IT typically gets little attention from employees...until those employees need something. Or a disaster occurs. Then IT gets everyone’s (not-always-welcome) attention. That’s a lot of pressure, and provides at least some understandable rationale for IT’s traditionally conservative approach.

If the pandemic has shown us anything, it’s that IT can adapt quickly if they have to—especially when there is a clear need to move beyond the status quo. Legacy solutions (in this case, VPNs) weren’t equipped to handle a massive change in how employees did business. So new solutions were found and implemented—such as Zero Trust Network Access (ZTNA).

In responding to a crisis as dramatic as the recent pandemic, IT had to focus on enabling business objectives. They needed to be guides that led the company to a better solution. That required assessing change by asking new questions:

Does a solution incur (or perpetuate) technical debt? Technical solutions often get implemented to answer an immediate need and employ the quickest methods to achieve that goal—perhaps building on legacy infrastructure because it’s “easy.” But does this convenient solution create bigger problems by limiting future growth, scalability, or flexibility?

How long until the solution produces value? Often, integrating new solutions with legacy systems can add complexity and result in long waits for ROI (if it even arrives).
Does that delayed value still outweigh the costs associated with scrapping legacy dependencies?

How long until the solution improves productivity? Bolting new systems on top of old ones often results in a Rube Goldberg contraption of login, access, and security protocols. What is the time frame for getting users up and running on complex processes?

The new CISO mission: Enable business growth

Change is hard, and enterprise CISOs must work with CIOs to lead the charge. It can be difficult to even know where to start. How do you redesign legacy systems that have powered a company for years, if not decades? One path forward is cloud-delivered ZTNA—offering CISOs a manageable (and navigable) path to digital transformation.

ZTNA is a connectivity architecture that changes the nature of application access by removing the requirement for a “trusted network.” Users gain access to applications based on defined policies that consider user identity and context. Everyone is challenged and only allowed access to what they need, for true least-privilege access. This offers previously unimaginable levels of visibility and control. ZTNA provides CISOs and CIOs with a platform to enable enterprise growth.

A colleague of mine, the CISO for a Fortune 500 company, led his enterprise’s transition from legacy castle-and-moat security to ZTNA. In his words, ZTNA allowed his security teams to go from “the department of no” to “the department of know.” Rather than being the group that traditionally says, “You can’t do that, it’s not secure,” his IT department can now say, “We can do that, and with the information we’ve gained, we can also enable these other things as well!”

My CISO colleague had been tasked with finding a better approach to remote access as the company expanded their mobile workforce and adopted a “cloud-first” strategy—legacy remote access systems were too rigid and slow to handle the change.
His cloud-first ZTNA approach enabled his company to become more agile and more flexible. Convincing company execs to invest in ZTNA was challenging. But the CISO emphasized three value propositions to evangelize ZTNA internally:

Better security, performance, management, cost-efficiency: The company’s old VPNs routed traffic indirectly—incurring latency, complicating administration, increasing MPLS costs, and (greatly) extending attack surface. ZTNA connects a user directly to a target resource, rather than the network, reducing attack surface and optimizing routing.

Deployment speed: VPNs cannot be set up quickly. VPN deployment requires extensive capacity planning, making them a difficult option for enabling a quick pivot to remote access. By contrast, cloud-based ZTNA is designed to scale. Deployment is quick: install a simple agent on the user’s access device, place connectors in the application environments, and integrate user context from an IAM system to inform granular access policies.

Traffic visibility: Cloud-delivered ZTNA offers comprehensive, central administration and provides IT leaders with complete visibility into user activity.

My CISO colleague leveraged the Zscaler Zero Trust Exchange to roll out a ZTNA solution to department heads, as part of a pilot program. He was soon inundated with requests to make it available to the whole company. His immediate challenge became processing paperwork fast enough to accommodate demand!

Their security is now invisible to users. Users connect directly to whatever authorized assets and applications they need to be productive, without having to first get access to a network. For my CISO colleague and his company, ZTNA has also greatly improved user experience compared to their legacy VPN: ZTNA is faster, easier to use, and increases performance, no matter whether the resource is in the datacenter or the cloud.
Transformation enables business value

As recent events have shown, IT teams must adapt legacy environments to changing needs. Cloud-first digital strategies drive corresponding security transformation, since network-centric systems often can’t accommodate the change gracefully or cost-effectively. ZTNA can enhance business growth by providing secure, seamless user access to authorized applications across any environment, any location, any device—enabling new workflows and accelerating digital transformation.

A cloud-enabled ZTNA approach minimizes the risk of adopting digital transformation strategies and keeps access options viable even as security budgets shrink and corporate budgets tighten. By eliminating the need to expand expensive security stacks and costly MPLS backhaul, ZTNA allows companies to take advantage of new technology and remain agile in order to scale for the future. And by providing comprehensive visibility and flexible, secure application access, ZTNA allows IT security to empower, rather than impede, business transformation.

Lisa Lorenzin is the Director of Transformation Strategy at Zscaler.

Lisa Lorenzin

Working From Home: Greater Efficiency Brings Productivity

Due to some unprecedented circumstances, the work world was recently catapulted a decade into the future. Until now, the “workplace of the future” where employees work beyond their office desk was often discussed in detail but wasn’t actually implemented nearly as frequently. That was until these external circumstances arose, finally making the flexible workplace a reality. As a result of mandated quarantines, companies were forced to send a large number of staff to work from home. And if their legacy infrastructure wasn’t equipped to handle this sudden increase, companies looked to solutions to quickly and securely accommodate these employees.
If companies were not yet reliant on the agility of the cloud, they had to contend with various bottlenecks, including an often-overwhelmed VPN. After all, the volume of data that now had to travel from homes, first through the existing security and MPLS infrastructure and then to applications and data in the data centre, had suddenly changed enormously. This meant that access from home offices to the required working environment sometimes did not work well. IT departments were inventive and ready to make exceptions with regard to security, for example by switching off firewalls to grant employees the connectivity they required.

An extensive retrospective review of the situation in many different departments is now beginning. IT, HR and operations divisions are now required to use the analysis to draw conclusions concerning future workplace models. Employees are now voicing their preferences, many stating that they don't want to miss out on the flexibility of their home offices. Even though the balancing act between daily working life and family life, which was temporarily handled in confined circumstances at home, caused unprecedented strain for all those concerned, some employees have shown a preference to work at home. This means that companies have to rethink their stance and policies around working from home. Hybrid models, with the flexibility to relocate the workplace to home offices on a day-by-day basis, are at the top of the agenda.

Because when all is said and done, the performance delivered by employees when working from home was, in fact, impressive. Even before the pandemic, studies demonstrated that productivity when working remotely did not necessarily suffer compared with working in the office. In fact, it was quite the opposite.
Lack of commutes, interruptions by colleagues, high noise levels in open-plan offices and the associated social controls – these are just some of the many factors that sometimes negatively influence employee productivity. The pandemic forced employees to make a considered allocation of labour resources at home. They needed phases of undisturbed concentration on work, alternating with a focus on family duties. If unrestricted access to the work environment was possible, meaning that a good user experience was a given, the experience of working from home was positive.

The Polish agency ARMA (the Agency for Restructuring and Modernisation of Agriculture) updated its remote access for employees to a cloud-based solution within the first few weeks of the pandemic. Although it was originally only planned as remote access for its 300 IT employees, that was quickly changed to support a total of 6,000 employees who suddenly found themselves working from home. It was a resounding success. As a result of secure, high-performance access to the internal infrastructure via Zscaler Private Access, employee efficiency increased by an estimated 10 to 30 percent (depending on the type and scope of tasks) during the first few weeks. Thanks to the unrestricted rapid access, employees could handle their usual workload within a shorter period of time and could therefore also meet the needs of their families during the lockdown phase.

Ultimately, home office workers must have unrestricted access to the data and applications they need to do their jobs, whether they are located in the data centre or in multicloud environments. The IT department does not want to accept any compromises with regard to security and also wants to protect the data streams of mobile and remote employees from malware. And all of this must be accomplished without impacting the user experience.
The solution that benefitted ARMA is one based on zero trust, which no longer opens up the entire company network to remote workers. Instead, it only connects the employees with the specific applications and data they need, without putting them on the entire network and putting your entire organization at risk. In this digital era, employees should be able to work remotely wherever they are, and a cloud-based solution makes this a possibility. Just ask ARMA IT. You can read more about ARMA’s work-from-anywhere journey here.

Florian Baeuml is Senior Regional Vice President CEER at Zscaler.

Florian Baeuml

Malware Leveraging XML-RPC Vulnerability to Exploit WordPress Sites

We have written a number of blogs about vulnerabilities within and attacks on sites built with WordPress. And, when you consider that 34 percent of all websites in the world are built with WordPress, it’s understandable that cybercriminals will continue to focus their attention on this popular platform.

One of the most common attack vectors employed by these bad actors is to launch an XML-RPC attack. XML-RPC on WordPress, which is enabled by default, is actually an API that provides third-party applications and services the ability to interact with WordPress sites other than through a browser. Attackers use this channel to establish a remote connection to a WordPress site and make modifications without being directly logged in to your WordPress system. However, if a WordPress site didn’t disable XML-RPC, there is no limit to the number of login attempts that can be made by a hacker, meaning it is just a matter of time before a cybercriminal can gain access.

Recently, the Zscaler ThreatLabZ team came across a scheme to attack WordPress sites in which a malicious program gets a list of WordPress sites from a C&C server; those sites are then attacked by leveraging the XML-RPC pingback method to fingerprint the existing vulnerabilities on the listed WordPress sites.
Even though we saw a payload used in this attack in our Zscaler cloud and also found a campaign of similar files on VirusTotal, we haven’t found any specific spam templates used for this campaign. Additionally, the payloads appear to be new and had no specific attribution, so we have given a new name to this program based on its activity—Win32.Backdoor.WPbrutebot. Technical analysis In our research, we found several samples pertaining to this campaign but we analyzed one sample here for brevity and as an example. In the sample set we worked on, we found that almost all samples used Microsoft-version information, but all of them lack a legitimate Windows Digital Signature and left the company name as TODO, which implies that these files are being generated through a script and this section is still a work in progress. Figure 1: The common metadata used in most files in this campaign. Another feature we found was that InternalName was always a sequence of 2s. Unfortunately, we weren’t able to conclude if this was intentional or not. The initial layer of the malware is for decoding the URIs used to make initial contact with the C&C server. The first section is unpacked as shown in Figure 2: Figure 2: The decryption loop of this program. This decryption loop is a simple XOR decryption that sequentially runs from B5 to C7, which gives us /lk4238fh317/update.php. Figure 3 shows the debugger dump. Figure 3: The decrypted string of this program. Next, the domain is generated using another XOR-based decryption where the key goes from B5 to C0. Figure 4: The decryption loop for this program. The domain generated is k6239847[.]lib. This URL is then used with blockchain DNS. Figure 5: The DNS query. The blockchain DNS URI is decrypted using a similar XOR loop as shown in Figure 6. The value compared depends on the size of the blockchain DNS URI. Figure 6: The decryption loop. These are first assembled in heap using RtlAllocateHeap. Figure 7: The decrypted strings. 
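Both XOR loops above walk a one-byte key forward by one per character: B5 through C7 is 19 values, the length of /lk4238fh317/update, and B5 through C0 is 12 values, the length of k6239847.lib. The Python below is an added example, not code from the post or from the sample: it implements that incrementing-key XOR as a reusable decoder and brute-forces the starting key for cases where the loop bounds are not obvious in a disassembly. The ciphertext blobs are constructed here by encoding the strings the post reports, so the exact per-byte scheme is an assumption about the sample rather than bytes recovered from it.

```python
"""Decode strings hidden with a per-byte incrementing XOR key.

Added example, not code from the post or from the analysed sample. It
assumes the scheme the loop bounds suggest: byte i of the ciphertext is
XORed with (start_key + i), e.g. 0xB5, 0xB6, ..., 0xC7. The ciphertext
blobs below are CONSTRUCTED by applying that transform to the decoded
strings the post reports; they are not bytes dumped from the sample.
"""
import string
from typing import List, Tuple

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def xor_counter(data: bytes, start_key: int) -> bytes:
    """XOR each byte with a key that increments by one per byte.

    The key wraps at 0xFF. XOR is its own inverse, so this one function
    both encodes and decodes.
    """
    return bytes(b ^ ((start_key + i) & 0xFF) for i, b in enumerate(data))


def decode_string(data: bytes, start_key: int) -> str:
    """Decode a blob and return it as text (latin-1 maps every byte)."""
    return xor_counter(data, start_key).decode("latin-1")


def key_range(start_key: int, length: int) -> str:
    """Render the key span the loop would walk, e.g. 'B5..C7', so it can
    be compared with the compare-immediate seen in a disassembly."""
    end_key = (start_key + length - 1) & 0xFF
    return f"{start_key:02X}..{end_key:02X}"


def recover_start_key(data: bytes) -> List[Tuple[int, str]]:
    """Try all 256 starting keys and keep the ones that yield printable
    ASCII. Short blobs may pass for several keys; the analyst picks the
    candidate that looks like a path or host name."""
    hits = []
    for k in range(256):
        text = decode_string(data, k)
        if text and all(ch in PRINTABLE for ch in text):
            hits.append((k, text))
    return hits


# Constructed blobs (see module docstring): the post's decoded strings,
# encoded with the key ranges it reports (B5..C7 and B5..C0).
ENC_URI_PATH = xor_counter(b"/lk4238fh317/update", 0xB5)  # 19 bytes
ENC_DOMAIN = xor_counter(b"k6239847.lib", 0xB5)           # 12 bytes


if __name__ == "__main__":
    for label, blob in (("URI path", ENC_URI_PATH), ("domain", ENC_DOMAIN)):
        print(f"{label}: key {key_range(0xB5, len(blob))} -> "
              f"{decode_string(blob, 0xB5)!r}")
    print("printable candidates for the domain blob:",
          recover_start_key(ENC_DOMAIN)[:3])
```

When a real blob is pasted in from a debugger dump, `recover_start_key` usually narrows the choice to a handful of keys; the key range that matches the compare value in the loop (the post notes the value compared depends on the string size) confirms the right one.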
The code shown in Figure 8 is called several times to allocate heap to save decrypted strings that are used later to perform network activity or for creating files. Figure 8: The API call details. This same code is reused to assemble user-agent strings, which are later used for making internet connections. Figure 9: The user-agents employed in this attack. This is then used to create a DNS request for the blockchain DNS server. Figure 10: The concatenated URL. The DNS request generated produces a C&C IP of 217.8.117[.]48, which can be confirmed online at explorer.emercoin[.]com/nvs/dns. Figure 11: The domains found at The segment of a URL created during the first decryption loop (as shown above) is then used with the IP address to contact the C&C. The URL created is 217.8.117[.]48/lk4238fh317/update. The C&C then replies back with 217.8.117[.]48/j537djjlhg763/svchst.exe, which is the downloaded payload. The payload is downloaded at C:\Users\User-Name\AppData\Roaming\svchst.exe. Figure 12: The program downloading an updated version of itself. The downloaded sample (MD5: 86374F27C1A915D970BE3103D22512B9) is an updated version of the parent sample, which downloads itself to ensure that the latest version of the malicious program is running on the system. This sample also performs a DNS query on k6239847[.]lib. The string is obfuscated by breaking it into two parts, k623 and 9847.lib, which are concatenated in memory. This time, a command is run using cmd.exe /C ping -n 1 -w, where -n is the number of echo requests to send and -w is the timeout in milliseconds to wait for each reply. The address pinged is a popular DNS service by Cloudflare. The full command is cmd.exe /C ping -n 1 -w -n 1 -w3000 > Nul & Del /f /q \"%s. The program then enumerates system information such as the user name, processor architecture, and more. Figure 13: The algorithm to initiate the /xmlrpc.php attack. Figure 14: The attack vectors found in the file.
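The ping-then-Del chain above is a common way for a dropper to wait a moment and then remove a file. The following Python is an added example (not from the post) of flagging that pattern in process-creation telemetry: the events are constructed, the field names are this example's own rather than any product's schema, and the rule also covers timeout /t as the delay, a variant the post does not mention.

```python
"""Flag the 'ping as sleep, then Del' chain in process-creation events.

Added example, not from the post. The events below are CONSTRUCTED to
resemble process-creation telemetry (parent image, image, command line);
the field names are this example's own, not a specific product's schema.
The rule looks for cmd.exe /C running a delay (ping with -n/-w, or
timeout /t) chained with & into del/erase, and raises the severity when
the deleted file is the parent process itself.
"""
import re
from typing import List, Optional, Tuple

# cmd.exe launched with /c (case-insensitive, path optional)
CMD_EXE = re.compile(r"(?:^|\\)cmd(?:\.exe)?\s+/c\b", re.I)
# the delay stage: ping with a count/timeout, or timeout /t N
DELAY = re.compile(
    r"\b(?:ping(?:\.exe)?\s+[^&|]*?-[nw]\s*\d+|timeout(?:\.exe)?\s+/t\s*\d+)",
    re.I,
)
# a del/erase command that follows a & or && after the delay
DELETE = re.compile(r"&&?\s*(?:del|erase)\b([^&|]*)", re.I)
# the deletion target: a quoted path, or the last bare token
TARGET = re.compile(r'"([^"]+)"|(\S+)\s*$')

# Constructed sample events (not real telemetry).
EVENTS = [
    {"parent": r"C:\Users\user\AppData\Roaming\svchst.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C ping -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Roaming\svchst.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /C ping -n 4 example.internal"},        # plain connectivity check
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C del /q "C:\temp\old.log"'},         # delete with no delay stage
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout /t 5 & erase /f "C:\Users\user\Downloads\stage2.tmp"'},
]


def classify(event: dict) -> Optional[str]:
    """Return 'self-delete', 'delayed-delete', or None for one event."""
    cmd = event["cmdline"]
    if not CMD_EXE.search(cmd):
        return None
    delay = DELAY.search(cmd)
    if not delay:
        return None
    delete = DELETE.search(cmd, delay.end())   # must come after the delay
    if not delete:
        return None
    m = TARGET.search(delete.group(1).strip())
    target = (m.group(1) or m.group(2)) if m else ""
    if target and target.lower() == event["parent"].lower():
        return "self-delete"
    return "delayed-delete"


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (index, verdict) for every event that matches the rule."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for i, verdict in scan(EVENTS):
        print(f"event {i}: {verdict}: {EVENTS[i]['cmdline']}")
```

The ordering check (the del must appear after the delay) keeps a plain "del then ping" maintenance script from firing; the self-delete verdict depends on having the parent image in the same event, which most endpoint telemetry supplies.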
Here, the malicious program is using <methodName>wp.getUsersBlogs</methodName> to execute a brute force attack via the "wp.getUsersBlogs" method of xmlrpc.php. The attacker first performs a reverse IP lookup for the IPs fetched from the C&C and looks for all the available methods on the corresponding DNS names. Once found, it attempts to gain the login via cookie-based authentication by logging into WordPress using cURL, authenticating the server (which ran the cURL script) and providing the username/password to the login page of the desired WordPress site. Here is a redacted list of a few WordPress sites the attacker is trying to attack leveraging this malware payload: Figure 15: The list of WordPress sites targeted for a brute force attack. We then went hunting for similar samples. We were able to unearth more samples connecting to the same domain (k6239847.lib) and IP address ( The samples we found had similar activity but used a .space TLD domain as one of their C&Cs. Cloud Sandbox detection The malware payload was successfully detected and blocked by the Zscaler Cloud Sandbox as seen in Figure 16. Figure 16: The Zscaler Cloud Sandbox successfully detected the malware. Advanced Threat Signature name: Win32.Backdoor.Wpbrutebot Conclusion Due to its popularity, WordPress is a common target for cyberattacks. As such, WordPress admins need to be on alert for reports of newly found vulnerabilities and attacks. In addition, WordPress admins should keep the XML-RPC option disabled and refrain from using logins from third-party applications. Zscaler continues to protect our customers from such attacks and detects these malicious programs in our Cloud Sandbox in real time.
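A log-side check for the XML-RPC brute force described above, as an added example (not from the post or from Zscaler): it counts POST requests to /xmlrpc.php per client within a sliding window over constructed combined-format access-log lines. The IPs, paths and user agents are invented; the threshold and window are arbitrary tuning values. Access logs do not carry the POST body, so the method name (wp.getUsersBlogs) is not visible at this layer; the burst itself is the signal.

```python
"""Spot XML-RPC brute-force bursts against WordPress in access logs.

Added example, not from the post. The log lines are CONSTRUCTED in the
Apache/nginx "combined" format; addresses, paths and user agents are
invented. Note that xmlrpc.php answers a failed login with HTTP 200 and a
fault in the body, so the status code is not a useful discriminator; the
rate of POSTs per client is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client hammers xmlrpc.php, another makes a
# single legitimate-looking call, and one line is malformed on purpose.
SAMPLE_LINES = """\
203.0.113.10 - - [13/Aug/2020:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [13/Aug/2020:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2315 "-" "Mozilla/5.0 (constructed)"
203.0.113.10 - - [13/Aug/2020:10:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 9876 "-" "Mozilla/5.0 (constructed)"
203.0.113.10 - - [13/Aug/2020:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0 (constructed)"
203.0.113.10 - - [13/Aug/2020:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0 (constructed)"
203.0.113.10 - - [13/Aug/2020:10:00:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0 (constructed)"
203.0.113.10 - - [13/Aug/2020:10:00:17 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0 (constructed)"
203.0.113.10 - - [13/Aug/2020:10:00:21 +0000] "POST /XMLRPC.PHP?x=1 HTTP/1.1" 200 403 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [13/Aug/2020:10:00:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "Jetpack by WordPress.com (constructed)"
this line is not in combined format
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    # normalise the path: drop the query string and ignore case
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def detect_xmlrpc_bruteforce(lines: List[str], threshold: int = 5,
                             window_seconds: int = 60) -> Dict[str, int]:
    """Return {client_ip: peak POSTs to xmlrpc.php inside one window} for
    every client that reached the threshold."""
    windows = defaultdict(deque)   # per-client timestamps inside the window
    alerts: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if (rec is None or rec["method"] != "POST"
                or not rec["path"].endswith("/xmlrpc.php")):
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()               # slide the window forward
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, peak in detect_xmlrpc_bruteforce(SAMPLE_LINES).items():
        print(f"{ip}: {peak} POSTs to xmlrpc.php within 60 s")
```

For sites that, as the post recommends, keep XML-RPC disabled, any POST to /xmlrpc.php at all is worth an alert and the threshold can be set to 1.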
MITRE ATT&CK TTP Mapping
T1212 - Credential Access
T1110 - Brute Force
T1556 - Modify Authentication Process
T1497 - Sandbox Evasion
T1055 - Process Injection
T1003 - OS Credential Dumping
T1491 - Defacement
IOCs
Hashes:
2ed7662ec8e2022d9cebec3a8ebaf838
c09cf4312167fa9683d8e8733004b7e6
86374f27c1a915d970be3103d22512b9
d88a7fca98e89aaf593163b787165766
03caf1cf96f95b82536fc8b7d94c5a61
74f5107acd2e51dc407253f15d718be3
a54fa899a524f0cd34ae90f9820b41e0
IPs:
207.148.83[.]241
5.132.191[.]104
66.70.228[.]164
Avinash Kumar Why Coca-Cola Consolidated Chose Zscaler to Help Employees Work From Anywhere With a work-from-anywhere model becoming the new normal, and no end in sight for some, companies all over the globe have had to adapt quickly to support a workforce that went from mostly in the office to 100-percent remote in a matter of days. With this shift, prominent concerns have emerged, with security and productivity at the forefront. This shift, and its subsequent challenges, became a reality for Coca-Cola Consolidated, the largest bottler of Coca-Cola products in the U.S., when it encouraged thousands of employees to work from home indefinitely beginning on March 16. An unexpected but necessary turnaround Company leaders knew they needed to act fast to ensure a continued positive user experience for employees migrating off the corporate network. This meant IT could no longer troubleshoot issues as quickly or ensure quality connections to business-critical internal applications, such as Office 365 and Microsoft Teams. On top of seamless access to internal apps, Zscaler helped Coca-Cola Consolidated ensure open internet traffic security with Cloud Firewall, Cloud Access Security Broker (CASB), Cloud DLP, and Cloud Sandbox defenses. Avoiding VPN connections, which can cause latency and decrease productivity, was also a priority made possible by Zscaler.
Simplifying and securing Office 365 Zscaler is fully compliant with Office 365 connectivity recommendations and has been working with Coca-Cola Consolidated since 2018 to complement the Office 365 experience, making the remote work transition seamless. Zscaler Client Connector (formerly Zscaler App) was the ideal solution for Coca-Cola Consolidated when faced with an influx of remote workers, minimizing stress for leadership and employees working from anywhere, and providing reliability in a time of uncertainty. With Zscaler, all traffic to Microsoft gets peeled off, so Coca-Cola Consolidated didn’t have to worry about scaling its hardware to deploy Office 365, Teams, and other applications, or configuring its security devices to be Microsoft-compliant. Additionally, Zscaler optimizes connectivity to Microsoft and automates all configurations, further streamlining access and enhancing the user experience. Zscaler provides the following benefits for Office 365 traffic:
Direct internet for a fast user experience across all ports and protocols.
Easy deployment with no hardware needed.
One-click configuration to automate Office 365 IP address changes and exemptions from SSL inspection.
Optimized connectivity with Zscaler Cloud Firewall and Bandwidth Control.
Establishing a culture of visibility to inform leader decisions With office teammates no longer at headquarters, Coca-Cola Consolidated had to strategize how to maintain visibility to monitor key business metrics. Client Connector was able to provide this visibility to improve applications and the user experience for teammates, validate budget spent on IT resources, and keep leaders informed of progress toward business objectives. Client Connector provided leadership with data and dashboard metrics, making it easier for company leaders to make important business decisions quickly while also planning for the future.
Making security a priority With thousands of teammates now working from anywhere, using an array of devices, Coca-Cola Consolidated needed a solution that would provide uniform security, regardless of location or device. Client Connector was able to streamline this process, while seamlessly deploying to teammates behind the scenes without interfering with work or causing a lapse in productivity. To learn more about how Zscaler helps companies empower their workforce to work from anywhere, watch this webinar: 5 Ways to Improve Your Users' Office 365 At-Home Experience. Steve Grossenbacher is a director of product marketing at Zscaler Steve Grossenbacher OneMain Financial: Benefits of Leaving Broadcom for Zscaler I’m sure you’ve heard us talk a lot about the myriad reasons to dump your Broadcom appliances and move to the Zscaler cloud platform. But, if you think we’re a bit biased on the subject (OK, maybe we are a bit), then maybe you’d like to hear from one of the hundreds of our customers that have made the switch. We spoke with Daniel Kelly, senior vice president of IT at OneMain Financial, one of the largest lending-exclusive financial companies in the United States. This financial leader has been in existence for more than 100 years and has lent more than $152 billion to customers across 44 states since 2005. The company recently switched from a stack of Broadcom (formerly Blue Coat) appliances to Zscaler Internet Access, and Mr. Kelly shared some of the results with us. Benefits Before we look specifically at OneMain Financial, let's take a quick look at something that is top of mind for just about every executive—costs. Over just a three-year span, organizations can save millions with a cloud-based security-as-a-service platform over a hardware-based security stack.
As if that wasn’t enough reason to switch, here are some of the specific benefits seen by OneMain Financial after it switched from Broadcom appliances to Zscaler:
Improved performance: OneMain reported zero employee complaints after the switch to Zscaler. It also discovered that 95 percent of its traffic in the Zscaler cloud has less than 1 millisecond of latency.
SSL inspection: As 96 percent of its traffic was encrypted, OneMain Financial was now able to inspect all of that traffic, which it used to be blind to.
Microsoft: With Zscaler, OneMain Financial was able to take advantage of the Microsoft best practice—moving away from the express routes and to Zscaler directly out to the internet.
Disaster recovery: The process of disaster recovery planning was made easier. OneMain Financial no longer needed to worry about matching up proxies in each data center with the proxies in the main data center.
Cost: The Zscaler platform provides OneMain with predictable costs as there are no capacity limitations and no hardware refreshes needed.
Staff: The IT team used to have to reboot their proxy servers at least once a month, sometimes three times a night, to keep the devices healthy and working properly. Now, IT team members can spend their time on strategic initiatives instead of on appliance maintenance.
Simplified administration: Policy administration is centralized. With Zscaler, changes only need to be made in one location instead of 10 different places, as was the case before. And since any changes would have to have been done manually at each location, there was always the chance of an error being introduced along the way.
Support: Zscaler provided OneMain Financial with a dedicated technical account manager to provide assistance, and OneMain Financial reported that the support with Zscaler has been stronger than with Broadcom. Even before the Broadcom acquisition, OneMain Financial often found it difficult to get support for the Blue Coat appliances it was using.
Lessons learned Of course, undertaking a task such as replacing your entire legacy appliance stack can seem daunting. But Mr. Kelly offered some tips and suggestions that anyone contemplating this type of move could use to their advantage.
Identify legacy proxy references early: OneMain had several servers that accessed the internet directly, and that number has evolved over time. But it wasn’t well-documented as to which servers those were. So Kelly and team had to spend quite a bit of time tracking down all of that information. OneMain also monitored the traffic from its legacy appliances to see that the volume went down as it shifted to Zscaler. By the time OneMain’s appliances were decommissioned, that number was nearly zero.
Pilot users with special access privileges: Kelly and team focused on providing access to those employees that need special privileges, for example, members of the marketing team that require access to social media sites that are blocked for the rest of the company. After working through all of the special privileges, converting the rest of the users to Zscaler was easy.
Manage partners with whitelisted addresses: Many partners were whitelisting OneMain’s IP addresses. It is imperative that organizations reach out to customers to get a complete list of those addresses. (For OneMain Financial, the list of those partners and IP addresses was also not well documented, but they are now, according to Mr. Kelly.) After the shift to Zscaler, partners can either trust the Zscaler IP addresses or rely on ZIA Service Edges (formerly known as VZENs) to anchor OneMain’s IP addresses.
Going mobile: Mr. Kelly and the IT team preferred to use Zscaler Client Connector (formerly Z App) for its mobile workforce. However, due to the large number of virtual desktops in use by OneMain Financial, the team developed a hybrid approach for its mobile users. Mr. Kelly recommends working with your end-user computing teams to determine the best approach for your organization.
Better in the cloud Like so many others, OneMain Financial has discovered the benefits of leaving their Broadcom appliances behind and moving to Zscaler. Isn’t it time you did as well? Check out this webinar to hear more about OneMain Financial’s journey or visit our website to learn how Zscaler can help you break free from Broadcom. Steve Grossenbacher is a director of product marketing at Zscaler Steve Grossenbacher TikTok Spyware A recent threat to ban TikTok in the United States has taken the internet by storm and received mixed reactions from social media and internet users. U.S. President Donald Trump has ordered ByteDance, the parent company of TikTok, to sell its U.S. TikTok assets and also issued executive orders that would ban the social media apps TikTok and WeChat from operating in the U.S. if the sale doesn’t happen in the next few weeks. On the other side, ByteDance has filed a lawsuit suing the Trump administration. When popular applications come under fire and are featured prominently in the news, hackers get excited as these newsworthy apps can become their latest target. And TikTok is no exception. Generally, after an application gets banned from an official app store, such as Google Play, users try to find alternative ways to download the app. In doing so, users can become victims of malicious apps portraying themselves as the original app. Recently there was a huge wave of SMS messages, as well as Whatsapp messages, making the rounds asking users to download the latest version of TikTok at hxxp://tiny[.]cc/TiktokPro. In reality, this downloaded app is a fake app that asks for credentials and Android permissions (including camera and phone permissions), resulting in the user being bombarded with advertisements.
Recently, we have come across another variant of this app portraying itself as TikTok Pro, but this is a full-fledged spyware with premium features to spy on the victim with ease. (Please note this is a different app and not the same as the one being spread by hxxp://tiny[.]cc/TiktokPro.)
Technical Analysis
App Name: TikTok Pro
Hash: 9fed52ee7312e217bd10d6a156c8b988
Package Name: com.example.dat.a8andoserverx
Upon installation, the spyware portrays itself as TikTok using the name TikTok Pro. As soon as a user tries to open the app, it launches a fake notification, and soon the notification as well as the app icon disappear. This fake notification tactic is used to redirect the user's attention while the app hides itself, making the user believe the app to be faulty. This functionality can be seen in Figure 1. Figure 1: App icon and fake notification. Behind the scenes, there are a number of processes occurring simultaneously. First, an activity named MainActivity fires up, taking care of hiding the icon and showing the fake notification. It also starts an Android service named MainService. The spyware also appears to have an additional payload stored under the /res/raw/ directory. This is a common technique used by malware developers to bundle the main payload inside the Android package to avoid easy detection. As seen in Figure 2, the app tries to open the payload from the /res/raw/ directory and generate an additional Android Package Kit (APK) named .app.apk: Figure 2: The decoy code for the fake TikTok. Upon analysis, we discovered that this is a decoy functionality and no new payload is generated. The conditions to build an additional payload are never met. Going one step further, we rebuilt the malware to execute the apparent functionality of generating a payload, but discovered that the APK stored in the /res/raw/ directory is empty. The placement of the decoy functionality is likely designed to confuse malware researchers.
It is also possible that this functionality is under development, making this placeholder code incomplete. Coming back to the execution flow, once the spyware hides itself, it starts an Android service named MainService. Android services are components that can be made to execute independently in the background without the victim's knowledge. MainService is the brain of this spyware and controls almost everything—from stealing the victim's data to deleting it. All of its capabilities are discussed later in this blog. Figure 3: Code showing the icon being hidden and the service being started. As MainService is the main controller, the developer has taken the appropriate actions to keep it functional and running at all times. The malware developer uses various tactics to do so, and one of them is using Android's broadcast receivers. Broadcast receivers are components that allow you to register for various Android events. In this case, it registers three broadcast receivers:
MyReceiver - Triggers when the device is booted.
InterceptCall - Triggers on incoming and outgoing calls.
AlarmReceiver - Triggers every three minutes.
MyReceiver and AlarmReceiver start the MainService whenever the appropriate events occur. This tactic is very common among malware developers to ensure the malware is not killed by the Android OS or by any other means. Figure 4 shows MyReceiver in action where it eventually calls the MainService service. Figure 4: MyReceiver broadcast receiver. The InterceptCall receiver is triggered whenever there is an incoming or outgoing call. It sets particular parameters relating to call details, and a further service named calls takes control, as seen in Figure 5. Figure 5: Code for the calls service. As seen above, the calls service stores incoming call details in .mp3 format in the /sdcard/DCIM/.dat/ directory with the file name appended with "In_" for incoming calls and "Out_" for outgoing calls.
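A manifest-level triage for the receiver and permission pattern just described, as an added example (not from the post and not tooling from the analysed sample): the manifest below is constructed and its component names are invented, the Android permission and intent-action strings are real identifiers, and the scoring weights are this example's own choice. It lists receivers wired to boot or call events (the persistence and call-hooking tactics above) and the dangerous permissions that the spyware's capability list implies.

```python
"""Triage an Android manifest for boot/call receivers and collection
permissions.

Added example, not from the post. The manifest is CONSTRUCTED for this
example (package and component names are invented); the permission and
intent action strings are real Android identifiers. Weights and risk
thresholds are arbitrary choices of this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Intent actions a receiver can register for to get restarted or to hook
# telephony events (the post describes boot- and call-triggered receivers).
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "restart at boot",
    "android.intent.action.PHONE_STATE": "hook incoming calls",
    "android.intent.action.NEW_OUTGOING_CALL": "hook outgoing calls",
}

# Permissions that map onto the capabilities listed for the spyware.
COLLECTION_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "intercept SMS",
    "android.permission.RECORD_AUDIO": "capture audio/calls",
    "android.permission.CAMERA": "take photos",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.READ_PHONE_STATE": "read phone state",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.GET_ACCOUNTS": "list accounts",
}

# Constructed manifest (not the analysed sample's).
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:label="Video Pro">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".MainService"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".CallReceiver">
            <intent-filter>
                <action android:name="android.intent.action.PHONE_STATE"/>
                <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> Dict[str, object]:
    """Return package, score, flagged receivers and human-readable findings."""
    root = ET.fromstring(xml_text)
    perms = [e.get(NAME_ATTR) for e in root.findall("uses-permission")]
    findings: List[str] = []
    for p in perms:
        if p in COLLECTION_PERMISSIONS:
            findings.append(f"permission {p}: {COLLECTION_PERMISSIONS[p]}")
    receivers: List[Tuple[str, List[str]]] = []
    for r in root.iter("receiver"):
        actions = [a.get(NAME_ATTR) for a in r.iter("action")]
        triggers = [PERSISTENCE_ACTIONS[a] for a in actions if a in PERSISTENCE_ACTIONS]
        if triggers:
            receivers.append((r.get(NAME_ATTR), triggers))
            findings.append(f"receiver {r.get(NAME_ATTR)}: {', '.join(triggers)}")
    # one point per collection permission, two per persistence receiver
    score = sum(p in COLLECTION_PERMISSIONS for p in perms) + 2 * len(receivers)
    return {"package": root.get("package"), "score": score,
            "receivers": receivers, "findings": findings}


def risk_level(score: int) -> str:
    """Coarse bucket for the score (thresholds are this example's own)."""
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


if __name__ == "__main__":
    report = triage_manifest(CONSTRUCTED_MANIFEST)
    print(report["package"], report["score"], risk_level(report["score"]))
    for line in report["findings"]:
        print(" -", line)
```

The manifest cannot show the icon being hidden at runtime or the three-minute alarm (those live in code), so this is a first pass for sorting a batch of APKs; a high score on an app that presents itself as a video or social app is the cue for the deeper dynamic analysis the post walks through.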
How these recorded calls are sent to the command and control (C&C) server is taken care of by MainService, which is discussed next. MainService is the central controller of this spyware. It controls each and every functionality based on the commands sent by the C&C server. As soon as this service is started, it creates two processes that take care of connection and disconnection to the C&C server. This functionality can be seen in Figure 6. Figure 6: The timer task. MainService has the following capabilities:
Steal SMS messages
Send SMS messages
Steal the victim's location
Capture photos
Execute commands
Capture screenshots
Call phone numbers
Launch other apps
Steal Facebook credentials, etc.
All of the above functionalities take place on the basis of commands sent by the attacker. Stolen data is stored in external storage under the /DCIM/ directory in a hidden sub-directory named ".dat". Below is the list of all the commands handled from the C&C server (command, followed by the action it triggers):
Unistxcr: Restart the app
dowsizetr: Send the file stored in the /sdcard/DCIM/.dat/ directory to the C&C server
Caspylistx: Get a list of all hidden files in the /DCIM/.dat/ directory
spxcheck: Check whether call details are collected by the spyware
S8p8y0: Delete call details stored by the spyware
screXmex: Take screenshots of the device screen
Batrxiops: Check battery status
L4oclOCMAWS: Fetch the victim's location
GUIFXB: Launch the fake Facebook login page
IODBSSUEEZ: Send a file containing stolen Facebook credentials to the C&C server
FdelSRRT: Delete files containing stolen Facebook credentials
chkstzeaw: Launch Facebook
LUNAPXER: Launch apps according to the package name sent by the C&C server
Gapxplister: Get a list of all installed applications
DOTRall8xxe: Zip all the stolen files and store them in the /DCIM/.dat/ directory
Acouxacour: Get a list of accounts on the victim's device
Fimxmiisx: Open the camera
Scxreexcv4: Capture an image
micmokmi8x: Capture audio
Yufsssp: Get latitude and longitude
GExCaalsss7: Get call logs
PHOCAs7: Call phone numbers sent by the C&C server
Gxextsxms: Get a list of inbox SMS messages
Msppossag: Send SMS with message body sent by the C&C server
Getconstactx: Get a list of all contacts
Rinxgosa: Play a ringtone
bithsssp64: Execute commands sent by the C&C server
DOWdeletx: Delete the file specified by the C&C server
Deldatall8: Delete all files stored in the /sdcard/DCIM/.dat/ directory
We don't have the space to cover all of the commands, but let's take a look at some of the major ones. Facebook phishing One of the interesting features of this spyware is the ability to steal Facebook credentials using a fake login page, similar to phishing. Upon receiving the command GUIFXB, the spyware launches a fake Facebook login page. As soon as the victim tries to log in, it stores the victim's credentials in /storage/0/DCIM/.fdat. Figure 7: Fake Facebook login. The second command is IODBSSUEEZ, which further sends the stolen credentials to the C&C server, as seen in Figure 8. Figure 8: Sending data to the attacker. This functionality could easily be extended to steal other information, such as bank credentials, although we did not see any banks being targeted in this attack. Calling functionality Command PHOCAs7 initiates the calling functionality. The number to call is received along with the command, as seen in Figure 9. Figure 9: The calling functionality. The phone number is fetched from a response from the C&C server and is stored in the str3 variable, which is then used with a tel: URI. Stealing SMS The Gxextsxms command is responsible for fetching all the SMS messages from the victim's device and sending them over to the C&C server. Figure 10: Stealing SMS messages. Similarly, there are many crucial commands that further allow this spyware to perform additional functionality, such as executing commands sent by the C&C, taking photos, capturing screenshots, stealing location information, and more.
Further analysis Upon further research, we found this spyware to be developed with a framework similar to Spynote and Spymax, meaning this could be an updated version of these Trojan builders, which allow anyone, even with limited knowledge, to develop full-fledged spyware. Many of the functionalities seen in this spyware are similar to Spynote and Spymax, based on the samples we analyzed, with some modifications. This spyware sample communicates over dynamic DNS. By doing so, attackers can easily set up the Trojan to communicate back to them without any need for high-end servers. Other common functionalities include executing commands received from the attacker, taking screenshots of the victim's device, fetching locations, stealing SMS messages, and most of the common features that any spyware may possess. Stealing Facebook credentials using a fake Facebook activity is something we didn't observe in Spynote/Spymax versions but was seen in this spyware. This framework allows anyone to develop a malicious app with the desired icon and communication address. Some of the icons used can be seen below. We found 280 such apps in the past three months. A complete list of hashes can be found here. Figure 11: Icons used to pose as famous apps. All of these apps are developed by the same framework and hence have the same package name and certificate information, as seen in Figure 12. Figure 12: Package name and certificate information. Conclusion Due to the ubiquitous nature of mobile devices and the widespread use of Android, it is very easy for attackers to victimize Android users. In such situations, mobile users should always take the utmost precautions while downloading any applications from the internet. It is very easy to trick victims into falling for such attacks. Users looking forward to using the TikTok app amidst the ban might look for alternative methods to download the app. In doing so, users can mistakenly install malicious apps, such as the spyware mentioned in this blog.
The precautions you take online have been covered extensively in almost all of our blogs; even so, we believe this information bears repeating. Please follow these basic precautions during the current crisis, and at all times:
Install apps only from official stores, such as Google Play.
Never click on unknown links received through ads, SMS messages, emails, or the like.
Always keep the "Unknown Sources" option disabled on the Android device. This prevents apps from being installed on your device from unknown sources.
We would also like to mention that if you come across an app hiding its icon, always try to search for the app in your device settings (by going to Settings -> Apps -> Search for the icon that was hidden). In the case of this spyware, search for the app named TikTok Pro.
MITRE TAGS (action, tag ID)
App auto-start at device boot - T1402
Input prompt - T1411
Capture SMS messages - T1412
Application discovery - T1418
Capture audio - T1429
Location tracking - T1430
Access contact list - T1432
Access call log - T1433
Commonly used port - T1436
Standard application layer protocol - T1437
Masquerade as legitimate application - T1444
Suppress application icon - T1508
Capture camera - T1512
Screen capture - T1513
Foreground persistence - T1541
Shivang Desai Work From Anywhere: City of Los Angeles Creates Better Work-Life Balance What began as a response to a global pandemic has evolved into something far greater at the City of Los Angeles. Los Angeles government leaders believe the flexibility they have afforded city employees is making a long-lasting positive impact on their work and their lives. Here’s how the Information Technology team of the second-largest city in the United States achieved what many thought to be impossible. Keeping the “City of Angels” running during a pandemic The Los Angeles Information Technology Agency, or ITA, is responsible for an operating environment larger than many Fortune 500 organizations.
When shelter-in-place mandates hit Los Angeles during the COVID-19 outbreak, the ITA had to execute an all-encompassing business continuity plan in mere days. The scope was daunting: safely enable 50,000 municipal employees across 44 departments to keep mission-critical city services running. In total, 4 million residents, 48 million tourists, and 503,000 businesses were counting on the City of Los Angeles. Enter Ted Ross and the ITA team. “In less than two weeks, we were able to deploy a work-from-anywhere platform that enabled our employees to access all their applications and data from the safety of their homes. We did this while keeping critical city services running, such as emergency and health services, trash collection, infrastructure repairs, payment processing, and contact tracing,” said Ted Ross, general manager and CIO at the City of Los Angeles. Innovating in times of crisis COVID-19 forced organizations to innovate more quickly than they would have under “normal” circumstances, proving that it is possible to equip employees for the mobile, cloud, and data-centric world that we live in. For the City of Los Angeles, the pandemic accelerated its strategic plan to build a next-generation IT infrastructure by investing in cloud infrastructure and security, which includes Zscaler Internet Access and Zscaler Private Access. By expanding the services from Zscaler, the city rolled out a cloud-hosted work-from-anywhere platform with strong security and an easy experience for its end users. While the pandemic forced Mr. Ross to get his staff enabled to work remotely, work-from-anywhere will likely be a part of how the City of Los Angeles operates as a municipality moving forward. And they are not alone. San Mateo County, which is located in Silicon Valley in California, was already well on its way to embracing remote work, having 35 percent of its workforce on a flexible work schedule pre-pandemic and scaling to 90 percent within a matter of days. 
Working from anywhere for a better work-life balance The ITA team, like so many of us, has discovered something beyond strong security and easy access to applications—better work-life balance. Employees are talking about being able to better manage their busy personal and work schedules. Imagine not having to commute in L.A. traffic every day. Working for a company whose business is enabling work-from-anywhere, I can attest to this personally. But more often, I hear from our customers that they are noticing this on a larger scale. “Since the implementation of our work-from-anywhere platform, we have, in fact, seen a significant increase across many of our divisions in the quantity and the quality of work. At the same time, our employees have more flexibility to manage their personal lives,” said Mr. Ross. Anyone familiar with LA’s traffic knows what it feels like to be stuck in what is ranked as the most stressful commute in the U.S., with the average Los Angeles commuter spending almost 1 hour per day commuting. This is time lost, as people are neither productive at work nor spending it with their families. A work-from-anywhere policy can save time and improve mental well-being. Finding a silver lining The coronavirus has caused a lot of harm to communities around the world, but there are lessons to be learned from this pandemic that will make all of us more resilient in the future. Private and public organizations around the world, such as the City of Los Angeles, whose ITA team kept the city running during the worst pandemic of our lifetime while keeping its employees safe, laid the foundation for a new era of incorporating work from anywhere, which will benefit employees, citizens, and the organization’s mission. It takes innovative leaders, such as Ted Ross, to lay the foundation for other companies, cities, and counties in California, the United States, and around the world to follow suit.
You can view a short video about the City of LA’s work-from-anywhere journey here.

Peter Amirkhan is the senior vice president for the public sector at Zscaler.

Peter Amirkhan

These Four Enhancements Make ZPA Even Better for Supporting Work-from-Anywhere

As users work remotely, the quality of their experience when accessing private applications is an absolute priority. A better experience equals better productivity. Since COVID-19, the number of unique Zscaler Private Access (ZPA) users has increased more than 13x! This has made ZPA one of the most popular zero trust remote access solutions in the world, already helping such customers as Johnson Controls, TT Electronics, MOWI, National Australia Bank, Ciena Bank, and so many more. To continue to help our customers deliver the fastest and most secure user experience, we are always innovating and making Zscaler products more efficient. For the folks who are already familiar with ZPA, I think you’ll love these four enhancements we’ve recently added:

1. This one’s dedicated to you: We created the concept of dedicated instances within ZPA. This means that the customer application cache is now stored in dedicated instances. Since Zscaler is a multitenant cloud for some of the largest customers in the world, dedicated resources for large customers won’t impact other customers. Any performance degradation is limited to the customers within a cluster, which minimizes customer impact by containing any potential problems.

2. Cranking up the speed: We have sped up communication between different components of the ZPA service. ZPA Service Edges, which stitch together app-to-user connections, now have the ability to load-balance across different instances in the Central Authority (the brains of the Zscaler cloud). ZPA Service Edges can scale more effectively and minimize any delays during application access. Put simply, more efficient connections between different components equals faster application access.

3. Closer to your users: The golden rule of real estate—location, location, location—also applies to cloud services. ZPA has always been designed to direct traffic to the closest ZPA Service Edge (BTW, over the last few months we have added new ZPA Service Edges in Melbourne, Toronto, Milan, Zurich, Warsaw, New Delhi, and Miami, and beefed up ZPA capacity in Shanghai, Mumbai, and Cleveland). But if the admin configures the geo DNS suboptimally, it could result in a less-than-ideal user experience. For example, if a user is located in China, the application, the App Connector, and the Service Edge would also, ideally, be in China. However, if the DNS query was set to resolve in Texas, then the ZPA Service Edge in Dallas, Texas, might be selected to perform the user-to-app connection. Obviously, not ideal, especially when it comes to data residency laws. ZPA's new override of the geo DNS helps network admins avoid such issues. In the earlier example, ZPA would now automatically ensure that a ZPA Service Edge in China is selected to broker the user-to-private app connection.

NOTE: ZPA can now select Service Edges for App Connectors based on the Service Edge’s utilization.

4. Quieting down the chatter: ZPA has the ability to perform health monitoring and discover previously unknown applications (shadow IT) as remote users access them. IT can then apply granular policies to lock apps down. If thousands of applications are being discovered, this of course means lots of checking to see if the app, and its underlying infrastructure, is up and running. A new enhancement allows App Connectors to provide access without having to always report the health of applications being discovered—less traffic volume speeds up application access. We also released new documentation for monitoring App Connector performance.

The great thing about these cloud features is that all ZPA customers automatically have them by default! There are no appliances to update.
This is the power of a cloud service. Remote work won’t be going away anytime soon. To support users as they work from anywhere and everywhere, you’ll need to be wary of technologies, such as VPN, and select cloud-delivered products that help you scale, remain secure, and, most importantly, BOOST productivity—the game changers! Not every cloud service is equal. So, when selecting one for accessing private apps, make sure it’s got the goods to get the job done. Or, more accurately, help your USERS get their jobs done. Take ZPA for a free Test Drive or request a demo.

Chris Hines is a director of product marketing for Zscaler Private Access.

Christopher Hines

LinkedIn Job Seeker Phishing Campaign Spreads Agent Tesla

Making the decision to leave your current job and seek employment elsewhere can be an exciting time as you imagine how much better your life and career will be when you find that dream job. But that excitement can quickly turn to anger and despair when the job search tool you were using to help you land that dream job turns out to be a phishing attack that stole your identity. Sadly, this isn’t just a hypothetical scenario, as the Zscaler ThreatLabZ team observed a scheme just like this come across the Zscaler cloud.

In August 2020, we observed network activity to a malicious site that used LinkedIn, a popular professional networking and job search site, as the lure for a social engineering scheme designed to steal a user’s credentials and spread malicious binaries. The bad actors also used a legitimate site hosting company, called Yola, to host the malicious content in an attempt to look more legitimate. The .NET-based binaries hosted on this site are related to the Agent Tesla malware and to another malware family not previously seen in the wild. Their major functionality is information stealing and exfiltrating data through SMTP.
In this blog, we provide a detailed description of the tools, techniques, and procedures of this threat actor and the malicious binaries hosted on this site, as well as the credential phishing methods used.

LinkedIn-based social engineering

Figure 1 below shows the site that was set up by attackers on a legitimate website hosting server provided by Yola.

URL: hxxps://

Figure 1: The main web page uses the LinkedIn logo but actually hosts the malicious content.

The web user interface of the site uses the well-known LinkedIn logo and poses as a recruitment company called “Jobsfinder 3ee,” which pretends to help the candidates find relevant jobs in various geographical regions around the world. The download links on the web page lead to a ZIP archive containing the infostealer .NET-based binary.

Example URL: hxxps://

The complete list of URLs used in this campaign, along with the filenames, is provided in the indicators of compromise (IoC) section later in the blog. During the course of monitoring this threat actor, we noticed that the download links on the web page were updated frequently. On August 7, 2020, we observed that the original ZIP archives on the server were replaced with password-protected archives.

In addition to the malicious binaries hosted on this page, the user is also given the option to upload a CV. When the user clicks on this button, they are redirected to a credential phishing site.

Credential phishing site URL: hxxps://

This site spoofs the LinkedIn login page as shown in Figure 2.

Figure 2: The credential phishing page designed to look like a LinkedIn page.

This is a multistage social engineering attack. Once the credentials are entered by the user, a new web page is displayed (as shown in Figure 3), which prompts the user for the following information:

- Upload CV
- Country
- Mobile Number

Figure 3: This multistage LinkedIn phishing page asks for more personal information.

Threat attribution

This threat actor specifically targets users of LinkedIn.
It was a low-volume campaign targeting users in the healthcare and aviation industry sectors. In addition to the Agent Tesla malware, it also used a custom payload that we have not seen before. The following attributes of the threat actor's infrastructure indicate the focus is LinkedIn users.

The main web page is designed to advertise itself as a job recruitment consulting company called Jobsfinder 3ee. The LinkedIn credential phishing pages are multistage and also require the users to upload their CV.

In March 2018, a domain—jobsfinder3ee[.]online—was registered, which hosted a web page that spoofed LinkedIn on a WordPress site. We correlate the owner of that domain with a low confidence level to the campaign we discuss in this blog. The old webpage hosted at jobsfinder3ee[.]online is shown in Figure 4.

Figure 4: An old web page that spoofed LinkedIn and used the name "Jobsfinder 3ee", which is similar to the current campaign.

All the Yandex-based email addresses that were used to exfiltrate the data using SMTP from the victim's machine, in this case, followed a specific pattern. The email addresses contained strings related to LinkedIn, such as: "linkedinjob" or "". Also, the passwords for these email addresses were randomly generated, consisting of 16 lowercase characters. Based on this, we conclude that these email addresses were registered specifically for the LinkedIn campaign by the threat actor.

Payload technical analysis

For the purpose of technical analysis, we will consider the .NET binary with the following details:

MD5 hash: 072462810ba6e5a7161b35b8535b55bd
Filename: quote08-04-20.exe

Since all the binaries in this campaign share the same packer, we first describe in detail the multiple stages of unpacking required to access the final payload.

Unpacking details

This binary spoofs the metadata of a legitimate Comodo security application, as shown in Figure 5.

Figure 5: The packed file version information.
The resource section, as shown in Figure 6, contains multiple bitmap images that are later assembled together and decrypted to extract the next-stage payload, as explained later in the blog.

Figure 6: The assembly embedded as a byte array.

There is a .NET assembly embedded inside the main payload as a byte array, as shown in Figure 7.

Figure 7: The byte array to be decoded and loaded by Assembly.Load().

This byte array is decoded and loaded at runtime using the Assembly.Load() method, as shown in Figure 8 and Figure 9. The decoding routine is simple: it subtracts the value 0x11 from each byte of the byte array to get the resulting .NET assembly, which is then loaded using reflection.

Figure 8: The decryption routine.

Figure 9: The decryption routine.

It creates a delegate to invoke the Main() method of the stage 1 decrypted DLL to carry out the further stages of unpacking. It is interesting to note that the string “Load”, which is used to invoke the Assembly.Load() method, is encoded, as shown in Figure 10.

Figure 10: The Load string built from split characters.

This was a similarity shared among all instances of packers used in the campaign: the “Load” string was split into individual characters and assembled at runtime. This could be done to bypass static analysis-based solutions that search for the Assembly.Load() method in the decompiled code.

Stage 1 DLL

MD5 hash: 4c83623bbe9777daf64cb9ac94ec0bde

This DLL is a 32-bit .NET binary that spoofs itself as a legitimate application from VMware, as shown in Figure 11. It is important to note that the stage 1 DLL was the same for all the instances of the .NET binaries observed in this campaign.

Figure 11: The Stage 1 version information.

This DLL contains another encoded .NET assembly embedded inside, which will be decoded and loaded at runtime, as shown in Figure 12.

Figure 12: The payload has a byte array similar to the first packer.
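The stage 1 decoding routine described above, as an added example that is not the ThreatLabZ team's tooling: it reverses the packer's per-byte subtraction of 0x11 with the same wrap-around a C# byte cast has, then sanity-checks the result for a PE header before an analyst loads it into a decompiler. The PE check and the encoded sample blob are constructed for the demo and are not from the campaign.

```python
"""Stage-1 payload decoder for the packer described above (added example,
not the ThreatLabZ team's tooling). The packer stores the next-stage .NET
assembly as a byte array and recovers it by subtracting 0x11 from every byte
before handing it to Assembly.Load(). A C# byte cast wraps around, so the
subtraction is done modulo 256 here as well. The sample blob built below is
constructed for the demo: a minimal DOS/PE header skeleton, not real malware.
"""
import struct

PACKER_DELTA = 0x11  # value the packer subtracts from each byte


def decode_stage1(blob: bytes) -> bytes:
    """Reverse the packer's encoding: (b - 0x11) mod 256 for every byte."""
    return bytes((b - PACKER_DELTA) & 0xFF for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check an analyst applies before loading the result in a
    decompiler: 'MZ' magic, an e_lfanew inside the buffer and the 'PE\\0\\0'
    signature at that offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_constructed_sample() -> bytes:
    """Build a constructed header skeleton and encode it the way the packer
    stores it (add 0x11 with wrap-around), so the decoder runs offline."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    header[0x44:0x46] = struct.pack("<H", 0x014C)  # Machine = i386 (32-bit)
    return bytes((b + PACKER_DELTA) & 0xFF for b in header)


ENCODED_SAMPLE = build_constructed_sample()

if __name__ == "__main__":
    decoded = decode_stage1(ENCODED_SAMPLE)
    print("valid PE header after decoding:", looks_like_pe(decoded))
```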
Stage 2 DLL

The stage 2 DLL, which is decoded and loaded by the stage 1 DLL, is responsible for extracting the metadata and the final payload from the multiple bitmap images that are stored in the resource section. The main method inside this assembly is called ReadMRes() with the name "resourceLib," which extracts the relevant information from the bitmap images, as shown in Figure 13.

Figure 13: The ReadMRes routine responsible for decryption.

The result of the above subroutine is an array of key-value pairs, as shown in Figure 14.

Figure 14: The dictionary of key-value pairs decrypted earlier.

This array contains useful metadata that is used by the payload in later stages for choosing the Windows registry key path, the name used for persistence, and the name of the dropped binary. This array also contains a gzip-compressed payload at element index 15. Figure 15 shows the relevant code that will decompress it.

Figure 15: Decompressing the gzip-compressed data.

After gzip decompression, we obtain a .NET payload that is obfuscated using ConfuserEx. Once we deobfuscate the ConfuserEx protection, the main method of the final payload is shown in Figure 16.

Figure 16: Entry point of the final payload (Agent Tesla).

The final unpacked payload, in this case, is Agent Tesla. Since Agent Tesla is a well-known password stealer spyware, we will not be describing its technical functionalities in detail in this blog.

String decryption

All the strings are encrypted using the RijndaelManaged algorithm with a key size of 256 bits and an initialization vector size of 128 bits. Figure 17 shows the string decryption routine, which accepts an integer argument that is used to calculate the index of the encrypted string in an object array.

Figure 17: The RijndaelManaged-based string decryption routine.

Figure 18 shows the object array; each element is an array of integers with the following format:

- 32 bytes from offset 0: decryption key for the Rijndael algorithm.
- 16 bytes from offset 32: initialization vector.
- Remaining bytes: encrypted string.

Figure 18: The array containing the encrypted string data.

Based on this, we can write a string decryptor for the final payload. The complete list of decrypted strings is given in Appendix II.

Custom malware analysis

MD5: f89b4dff6e126e9a5f0a64d590f7b42e

In addition to Agent Tesla, we also encountered another payload previously unseen in the wild. It is a very basic information stealer capable of stealing keylogs, clipboard data, and screenshots. It sends stolen data to an embedded email address. All layers of the packer used in the sample are the same as the ones used in the Agent Tesla samples. The unpacked final payload is signed with a certificate from “DESKTOP-K179H9L\GO TECH COMPUTER” as shown in Figure 19.

Figure 19: The digital certificate used to sign the custom malware.

It contains the following PDB string:

C:\Users\GO TECH COMPUTERS\source\repos\WindfastStrap\WindfastStrap\obj\Debug\WindfastStrap.pdb

This information stealer's activity includes:

- Making heavy use of timers for various activities.
- Dropping and running a binary called chrom.exe from the resources section.
- Deleting all the files from C:\Users\Public\Downloads and creating this path if it does not exist already.
- Creating a Windows registry run key with the name "Windows Application" for the purpose of persistence.
- Creating timers for stealing keylogs, clipboard data, and screenshots. Screenshots are temporarily saved in the path C:\Users\Public\Downloads before they are exfiltrated, with the name formatted as {MM-dd-yyyy hh:mm:ss}.jpg.
- Killing the following processes: taskmgr, regedit, Outlook, Foxmail.

The email subject lines used to exfiltrate the different types of data are:

- Screenshots: SC_{ComputerName}_WD-{WindowsVersion}
- Keylogs: KL_{ComputerName}_WD-{WindowsVersion}
- Clipboard: CopiedText_{ComputerName}_WD-{WindowsVersion}

e.g., SC_MyPC_WD-8

Figure 20: The function responsible for sending saved screenshots over SMTP.
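A string decryptor for the Agent Tesla layout described above (key at offset 0, IV at offset 32, ciphertext after that), as an added example that is not the ThreatLabZ team's tool. RijndaelManaged with a 128-bit block is AES; the .NET defaults of CBC mode and PKCS7 padding, UTF-8 plaintext, and direct use of the integer argument as the array index are assumptions, and the sample table is constructed here by encrypting a few of the campaign's decrypted strings.

```python
"""Decryptor for the Agent Tesla string table layout described above. This is
an added example, not the ThreatLabZ team's tool. Every entry of the object
array is laid out as key (32 bytes at offset 0) | IV (16 bytes at offset 32)
| ciphertext (the rest). RijndaelManaged with a 128-bit block is AES; the
.NET defaults of CBC mode and PKCS7 padding, and UTF-8 plaintext, are
assumed. SAMPLE_TABLE is constructed here for the demo.
"""
import os

try:  # preferred backend: the 'cryptography' package
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = cipher.decryptor() if decrypt else cipher.encryptor()
        return op.update(data) + op.finalize()
except ImportError:  # fallback backend: pycryptodome
    from Crypto.Cipher import AES

    def _aes_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
        aes = AES.new(key, AES.MODE_CBC, iv=iv)
        return aes.decrypt(data) if decrypt else aes.encrypt(data)

KEY_LEN, IV_LEN, BLOCK = 32, 16, 16  # 256-bit key, 128-bit IV, 128-bit block


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS7 padding, rejecting anything malformed (a wrong key or a
    corrupted entry normally shows up here first)."""
    if not data or len(data) % BLOCK:
        raise ValueError("decrypted data is not block-aligned")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS7 padding")
    return data[:-n]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def is_valid_entry(entry: bytes) -> bool:
    """Structural check before touching the cipher: room for key + IV + at
    least one block, and a block-aligned ciphertext."""
    ct_len = len(entry) - KEY_LEN - IV_LEN
    return ct_len >= BLOCK and ct_len % BLOCK == 0


def decrypt_entry(entry: bytes) -> str:
    """Split the entry into key | IV | ciphertext and recover the string."""
    if not is_valid_entry(entry):
        raise ValueError("entry too short or ciphertext not block-aligned")
    key = entry[:KEY_LEN]
    iv = entry[KEY_LEN:KEY_LEN + IV_LEN]
    ciphertext = entry[KEY_LEN + IV_LEN:]
    return pkcs7_unpad(_aes_cbc(key, iv, ciphertext, decrypt=True)).decode("utf-8")


def try_decrypt_entry(entry: bytes):
    """Like decrypt_entry, but return None instead of raising, so a whole
    table can be dumped even when some entries are not strings."""
    try:
        return decrypt_entry(entry)
    except (ValueError, UnicodeDecodeError):
        return None


def decrypt_string(table, index: int) -> str:
    """Mirror of the sample's routine: the integer argument selects the entry.
    How the sample derives the index from its argument is not described above,
    so the argument is used as the index directly (assumption)."""
    return decrypt_entry(table[index])


def make_entry(plaintext: str) -> bytes:
    """Build a constructed entry in the same layout; each entry carries its
    own key and IV, as in the payload's format."""
    key, iv = os.urandom(KEY_LEN), os.urandom(IV_LEN)
    ciphertext = _aes_cbc(key, iv, pkcs7_pad(plaintext.encode("utf-8")), decrypt=False)
    return key + iv + ciphertext


# Constructed sample table; the plaintexts are strings from the campaign's
# decrypted-string list.
SAMPLE_STRINGS = [
    "%startupfolder%",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Google\\Chrome\\User Data\\",
    "SMTP Password",
]
SAMPLE_TABLE = [make_entry(s) for s in SAMPLE_STRINGS]


def dump_table(table):
    """Decrypt every entry, keeping None for entries that fail."""
    return [try_decrypt_entry(e) for e in table]


if __name__ == "__main__":
    for i, s in enumerate(dump_table(SAMPLE_TABLE)):
        print(i, s)
```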
Variants of this sample were first seen on VirusTotal in June 2020. The initial samples were distributed without any packer. All older variants were signed by the same signer and have similar PDB strings containing the username “GO TECH COMPUTERS” in the PDB path. Below are the other PDB strings observed:

C:\Users\GO TECH COMPUTERS\source\repos\PDFExtra\PDFExtra\obj\Debug\PDFExtra.pdb
C:\Users\GO TECH COMPUTERS\source\repos\excel++\excel++\obj\Debug\excel++.pdb

In some variants, the subject lines used are slightly different from those of this payload, as described below:

COPY & PASTE @ MYPC
SCREENSHOT Dotz @ MYPC
KEYBOARD @ MYPC

Dropped binary - chrom.exe

The dropped binary called chrom.exe in this case is a command line executable that uses the Google Chrome browser's icon. It is run by this stealer with a hidden window. Most of the activities of this executable are related to building commands and executing them using COMSPEC or cmd.exe. It creates the following directories and files:

- %temp%/xtmp
- Is64.txt (contains 0 for 32-bit or 1 for 64-bit)
- is64.bat (writes 1 or 0 to is64.txt based on the existence of a folder)
- is64.fil (contains the cmd.exe path)
- %temp%/efolder

Upon execution, it shows the following message:

Figure 21: The dropped payload runs in the background in a hidden window.

Since it runs in a hidden window, it just displays the above message and waits for a keypress event.

Zscaler Cloud Sandbox detection

Figure 22 shows the Zscaler Cloud Sandbox successfully detecting this .NET-based threat.

Figure 22: This threat was successfully detected by the Zscaler Cloud Sandbox.

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels, as seen here:

- Win32.Backdoor.AgentTesla
- HTML.Phish.Linkedin

Conclusion

This threat actor is targeting LinkedIn users, and has built an entire web and email infrastructure specifically for it.
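Detection logic for the custom stealer's SMTP exfiltration, covering both the SC_/KL_/CopiedText_{ComputerName}_WD-{WindowsVersion} subjects listed above and the older variants' "COPY & PASTE @ MYPC" style, as an added example that is not ThreatLabZ code. The gateway log format (a subject="..." field per line) and the log lines themselves are constructed for the demo; the recipient addresses are placeholders.

```python
"""Detection helper for the custom stealer's SMTP exfiltration described
above. Added example, not ThreatLabZ code. It classifies mail Subject
headers against the two subject formats the analysis documents and walks
constructed gateway log lines that carry a subject="..." field (assumed
format), reporting which hosts appear to be leaking which data type.
"""
import re

# Current payload: <prefix>_<ComputerName>_WD-<WindowsVersion>, e.g. SC_MyPC_WD-8.
# Computer names can contain underscores themselves, so the host group is greedy
# and anchored by the trailing "_WD-".
CURRENT_RE = re.compile(
    r"^(?P<prefix>SC|KL|CopiedText)_(?P<host>.+)_WD-(?P<winver>\S+)$")
# Older variants seen since June 2020: "COPY & PASTE @ MYPC",
# "SCREENSHOT Dotz @ MYPC", "KEYBOARD @ MYPC".
VARIANT_RE = re.compile(
    r"^(?P<prefix>COPY & PASTE|SCREENSHOT Dotz|KEYBOARD) @ (?P<host>\S+)$")

KIND_BY_PREFIX = {
    "SC": "screenshot", "KL": "keylog", "CopiedText": "clipboard",
    "SCREENSHOT Dotz": "screenshot", "KEYBOARD": "keylog",
    "COPY & PASTE": "clipboard",
}


def classify_subject(subject: str):
    """Return {'kind', 'host', 'winver', 'variant'} for a matching subject,
    else None. Matching is case-sensitive, as the malware's literals are."""
    subject = subject.strip()
    m = CURRENT_RE.match(subject)
    if m:
        return {"kind": KIND_BY_PREFIX[m["prefix"]], "host": m["host"],
                "winver": m["winver"], "variant": "current"}
    m = VARIANT_RE.match(subject)
    if m:
        return {"kind": KIND_BY_PREFIX[m["prefix"]], "host": m["host"],
                "winver": None, "variant": "older"}
    return None


# Assumed log format: a subject="..." field with backslash escapes inside.
SUBJECT_FIELD = re.compile(r'subject="((?:[^"\\]|\\.)*)"')


def scan_mail_log(lines):
    """Walk log lines that carry a subject field and report matches with the
    originating line number (1-based) for triage."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = SUBJECT_FIELD.search(line)
        if not m:
            continue
        verdict = classify_subject(m.group(1))
        if verdict:
            hits.append({"line": lineno, "subject": m.group(1), **verdict})
    return hits


# Constructed sample: outbound-SMTP records from a hypothetical gateway log.
SAMPLE_LOG = """\
2020-08-07T09:01:12Z action=relay from=<user1@corp.example> to=<vendor@partner.example> subject="Re: Q3 budget"
2020-08-07T09:02:40Z action=relay from=<user2@corp.example> to=<exfil-placeholder@mail.example> subject="SC_MyPC_WD-8"
2020-08-07T09:02:41Z action=relay from=<user2@corp.example> to=<exfil-placeholder@mail.example> subject="KL_HR_LAPTOP_WD-10"
2020-08-07T09:03:05Z action=relay from=<user3@corp.example> to=<hr@corp.example> subject="CV for the analyst role"
2020-08-07T09:05:59Z action=relay from=<user2@corp.example> to=<exfil-placeholder@mail.example> subject="CopiedText_MyPC_WD-8"
2020-08-07T09:07:13Z action=relay from=<user4@corp.example> to=<exfil-placeholder@mail.example> subject="KEYBOARD @ MYPC"
2020-08-07T09:07:14Z action=relay from=<user4@corp.example> to=<exfil-placeholder@mail.example> subject="SCREENSHOT Dotz @ MYPC"
"""

if __name__ == "__main__":
    for hit in scan_mail_log(SAMPLE_LOG.splitlines()):
        print(hit)
```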
As always, users should be cautious when receiving emails out of the blue, even if those emails appear to be related to something you are interested in, such as help finding a new job. And always be sure to only enter credentials or upload your CV on verified websites. If the site comes to you from an unsolicited email, be wary. The Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.

MITRE ATT&CK TTP Mapping

ID | Technique | Use in this campaign
T1566 | Phishing | LinkedIn phishing
T1204.002 | User Execution: Malicious File | User extracts the zip file and executes the binary.
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Payload sets the Run registry key for persistence.
T1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payload.
T1202 | Indirect Command Execution | cmd.exe is used for execution of some commands.
T1036.001 | Masquerading: Invalid Code Signature | Masquerading Comodo digital signatures.
T1036.005 | Masquerading: Match Legitimate Name or Location | Job- and CV-related filenames and the use of the LinkedIn string in the domain name.
T1027.002 | Obfuscated Files or Information: Software Packing | Payloads are packed with a multilayer packer.
T1497 | Virtualization/Sandbox Evasion | Agent Tesla has anti-VM capabilities.
T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Agent Tesla can steal credentials from web browsers.
T1056.001 | Input Capture: Keylogging | Both payloads can capture keystrokes.
T1539 | Steal Web Session Cookie | Agent Tesla can steal cookies.
T1010 | Application Window Discovery | One of Agent Tesla's capabilities.
T1057 | Process Discovery | One of Agent Tesla's capabilities.
T1518 | Software Discovery | One of Agent Tesla's capabilities.
T1082 | System Information Discovery | One of Agent Tesla's capabilities.
T1016 | System Network Configuration Discovery | One of Agent Tesla's capabilities.
T1033 | System Owner/User Discovery | One of Agent Tesla's capabilities.
T1124 | System Time Discovery | One of Agent Tesla's capabilities.
T1125 | Video Capture | One of Agent Tesla's capabilities.
T1113 | Screen Capture | One of Agent Tesla's capabilities.
T1123 | Audio Capture | One of Agent Tesla's capabilities.
T1115 | Clipboard Data | Both payloads steal clipboard text.
T1005 | Data from Local System | Both payloads steal data from the local system.
T1119 | Automated Collection | Both payloads do automated collection.
T1029 | Scheduled Transfer | Both payloads exfiltrate data at regular intervals.
T1041 | Exfiltration Over C2 Channel | Both payloads exfiltrate over their C2 channel.
T1020 | Automated Exfiltration | Both payloads do automated exfiltration.
T1071.003 | Application Layer Protocol: Mail Protocols | Both payloads use the SMTP protocol.

Indicators of compromise (IOCs)

Hashes
f89b4dff6e126e9a5f0a64d590f7b42e
73ee4b60893b0ccc20079882aae66e2f
39648125d1ea711fee091b5ee58eb533
072462810ba6e5a7161b35b8535b55bd
940db8fcba320925e423b44a22e703f1
78d029254cb2350260967feb983d487f
a29a4aea13be816b7929bf103136887d
830bbf1855da3a145831ec55d1c37d17

PDB Strings
C:\Users\GO TECH COMPUTERS\source\repos\WindfastStrap\WindfastStrap\obj\Debug\WindfastStrap.pdb
C:\Users\GO TECH COMPUTERS\source\repos\PDFExtra\PDFExtra\obj\Debug\PDFExtra.pdb
C:\Users\GO TECH COMPUTERS\source\repos\excel++\excel++\obj\Debug\excel++.pdb

Network IOCs
linkedlnnetworking.yolasite[.]com
mpivn[.]org/LinkedIn-jobs

Filenames
Click here and upload your CV.exe
Click here and upload your Job Description & company Infomations.exe
Job Description & company
QUOTE08-04-20.exe

Appendix I: Table of extracted email addresses and passwords

MD5 | Email | Password
8cb05c44406adbe13690d816759658da | <redacted> | <redacted>
f4755749ad038edc337c3b23c7b065f5 | <redacted> | <redacted>
73ee4b60893b0ccc20079882aae66e2f | <redacted> | <redacted>
072462810ba6e5a7161b35b8535b55bd | <redacted> | <redacted>
940db8fcba320925e423b44a22e703f1 | <redacted> | <redacted>
78d029254cb2350260967feb983d487f | <redacted> | <redacted>

Appendix II: Decrypted strings

Below is the complete list of decrypted strings which were extracted from samples used in this campaign.
Atinderpal Singh

Agencies Need to Ask These Seven Critical Questions of Security Providers

In the ever-changing security landscape, federal agencies are challenged to find a security solution that not only works right now but will also address future security needs without adding unanticipated costs.
To help agencies choose a service that works for them, we compiled a list of the seven critical questions to ask vendors about the security solutions they provide. With this information in hand, agency IT decision makers can choose the service that best fits with their agency missions and priorities.

1. What FedRAMP status do you have today?

Many vendors say their services and technology are adequate enough to secure sensitive government data. However, without third-party verification to validate these claims, you could not only be risking the efficacy of your investment but also the security of your networks.

2. Does the service scale, and does scaling in any way cause outages?

Cloud-native and resilient services mean fewer security interruptions to the mission. You need to know if the service scales, and if scaling will cause outages. Often, updates to legacy infrastructure require an outage window, which is downtime for your users. A true multitenant cloud platform that scales reduces outages, which is why it's important to choose a cloud-native service.

3. Is the service zero trust by default?

By default, zero trust security means the system was designed with zero trust principles from its inception. For context, zero trust requires identity verification from everyone trying to gain access to the system and its applications. Access is granted based on policy requirements being met while all other connections are denied by default. This added layer of security prevents data breaches and secures agency data.

4. How does the solution peer with SaaS providers?

Knowing how your data moves improves performance. Ask whether the vendor peers with SaaS providers, such as Microsoft and Salesforce, and how these peering relationships will impact performance and cost.

5. How long does it take and how much does it cost to set up a proof of concept?
Chances are, if a vendor says it can set up a proof of concept or proof of value quickly, its solution is cloud-native and resilient. If a vendor says a proof of concept will take eight weeks or more and carry additional costs, the service is probably not easy to scale.

6. How does it interact with Office 365? Is it easy to configure? How does it perform?
Nearly every federal agency uses Office 365, meaning hundreds of thousands of users rely on it for everything from creating documents to hosting team meetings. Any security-as-a-service solution must interact well with Office 365, must be easy to configure, and must perform well without interruption. If configuration isn't seamless, you spend more on professional service hours to get it working.

7. Will video on iOS and Android affect SSL decryption, bandwidth, and network performance?
Mobile devices are ubiquitous within the government, and they need to perform as well as desktop devices. Whether users are deployed in the field or working from home, they need to be able to stream video and use other high-bandwidth apps and content.

Be Sure and Secure
Don't fall for a lift-and-shift of old appliances to the cloud. Asking these seven questions will help you determine whether your security provider truly has a cloud-native platform that is dynamic, scalable, and resilient. For more detail about what to assess in their answers, download the white paper: The 7 Critical Questions Agencies Should Ask Security Providers

Mark Harman is a sales engineer at Zscaler.

Mark Harman

A New Paradigm Shift Threatens the Fate of VPN

If you'd told me five months ago that today I would be solely working out of my home office in San Jose, California, I would have said you were crazy. As each month has passed, I have begun to realize that there is a very good chance this work situation might very well be the new normal.
(I've been trying to hold out, telling myself: "It will all go back to normal soon.") But here I am, still working from home. I'm sure many IT teams are feeling the same way. This sudden surge in remote work, leading to frantic calls to VPN vendors to buy more capacity and scale up ASAP, only to be told that they would need to wait 30, 60, or even 90 days just to get new appliances delivered, was thought to be a temporary, crisis-mode response. A blip. And who could blame these IT leaders? Prior to our socially distanced world, only a fraction of companies had employees working remotely the majority of the time. Now everyone does. The shift from crisis response to long-term access strategy is top of mind for every organization. What should I invest in? Should I still be using VPN? What about network appliances in general? How do I protect data now? What the he!! do we do? Know this: work-from-home (WFH) will become less of an exception and more of a rule. Google is extending WFH until at least next summer, and Facebook just made a similar announcement, telling its employees to stay home through July 2021. A couple of weeks ago, Siemens announced its plan to allow 140,000 employees to work from anywhere. This new way forward will require a new approach to connecting users to business apps. Access needs to move beyond the classic network security perimeter (i.e., a VPN that connects an IP address to a network exposed to the internet) to the user's location, to the device, and to where the application is running. No more implied trust, but rather zero trust delivered at the new edge. The identity of the user is now critical. So is the posture of the device in use. The ability to scale remote connectivity services as you continue to hire will also be critical. This is why companies such as Okta, Microsoft, CrowdStrike and, yes, even Zscaler are becoming more widely adopted to enable remote work.
These are all cloud-delivered access services that are tightly integrated to secure the new edge and, most importantly, are designed for this specific purpose. So, where does the remote access VPN fit in this new world? Every day there is news about a new exploit: recently, passwords for more than 900 VPN servers leaked out. The image below illustrates the VPN vulnerability behind that leak: an attacker sent a specially crafted uniform resource identifier (URI) to the VPN gateway to read a particular resource from it. Image: ZDNet

A few customers asked about the benefits of Zscaler Private Access (ZPA) in regard to this kind of attack. My friend Lisa Lorenzin, who worked for a VPN vendor prior to Zscaler, said it best:

First off, ZPA App Connectors don't have an inbound listener, so a hacker can't just scan the internet and find them, as was done here to the VPN servers. Second, we don't store user credentials at all, and we offer the option of admin SSO, so there is no way for an attacker to ever get user login credentials by hacking us, and hopefully not admin creds either. Third, we manage updates on our connectors, so there is no possibility for customers to get hacked due to an 8-month-old vulnerability!! Fourth, the exploit was an attacker sending a specially crafted URI to the VPN gateway. Since ZPA App Connectors have no listener, they are not susceptible to that class of attack. And since ZPA Service Edges only accept connections over mutually authenticated TLS, an attacker wouldn't be able to send it to the broker either.

Even operational technology (OT) networks are now exposed to attacks through VPN. We're talking about the critical infrastructure in the oil and gas, water, and electric utilities industries. With everything else IT has to worry about, it's difficult to find time to administer VPN patches and updates. And because VPNs grant access to network resources, attackers are targeting them as a way to reach critical data.
The same tools IT has used for 20 years to provide secure access to apps are now threatening their environments. It's like a bad sequel to The Terminator movie series. But there is a silver lining here. I've spoken with several IT leaders who have adopted a zero trust approach to providing remote users with access to business applications as an alternative to using a VPN. Robert Berkenpas from Mowi, the largest salmon producer in the world, is using this approach to ensure his employees are productive so they can help build a more environmentally friendly future for the industry. His IT team moved from being perceived as a cost center to a business enabler. Marc De Serio, CTO at Henry M. Jackson Foundation, is using this zero trust approach to preserve the supply chain that helps military researchers battle COVID-19. Jay Tillson, head of architecture at TT Electronics, an electronics manufacturing company, architected a future that puts cloud and identity-based access at the forefront of its IT vision. (He's going to be doing a live architecture session; be sure to watch it.) My advice to you is to stop and think about what your long-term access strategy should look like. Ask yourself, what is the business asking of you? Think about the technologies that are critical to your success and the success of the organization. You may find that your VPN isn't suited for the job. And if you do, you wouldn't be the only one.

Chris Hines is Director of Product Marketing for Zscaler Private Access

Christopher Hines

Dirty Devices: Are They on Your Network?

When COVID-19 was first declared a pandemic, companies scrambled to get employees working away from the office as quickly as possible. The speed at which this shift needed to happen posed some serious challenges for businesses, especially those already struggling to provision managed devices for their existing remote workforce.
Additionally, providing a seamless transition to this new, work-from-anywhere—and on any device—world has led to dips in productivity for businesses whose infrastructure simply couldn't keep up with the new demands. While helping our customers navigate these challenges, we found that many companies had difficulty purchasing additional managed devices for their large, newly remote workforce. In many cases, IT teams asked employees to use their own devices for work to prevent interruptions in business continuity. In doing so, security concerns wound up taking a backseat to the need for speed. Fast forward five months, and now we have a situation in which users are connecting to corporate networks using a myriad of personally owned devices and connecting on unsecured home networks. Unfortunately, devices can become infected with malware without the user’s knowledge, which drastically increases an organization’s risk. In light of these threats, IT teams must adopt a new security posture built around zero trust that prevents dirty devices from harming an organization’s distributed networks. The last thing IT would want to do is put dirty devices on the network, right? Understanding device posture Devices that have been used for remote work and for personal use should no longer be trusted by default. Instead, the device and its posture must be fully vetted before it’s allowed to connect to the network. To do that, you need the proper information about the endpoint (type, software, OS, device health, etc.). This is why we’re partnering with CrowdStrike, which provides endpoint security and remediation in the case of infection. Adopting zero trust network access (ZTNA) Getting insight into the devices your employees are using is important. But another essential part of protecting your network and everything on it is to keep devices off the network altogether. Zscaler Private Access (ZPA) is a ZTNA service that decouples application access from network access. 
In this case, devices are never inherently trusted, but are only provided access to applications based on policies and only after proper authorization and authentication have taken place. With ZPA, user devices are never on the network. Instead, the internet is used as a medium to connect specific users to specific applications. ZPA enables secure access to private applications and integrates with CrowdStrike to pull relevant information about the endpoint. Security at the new edge With remote work, security must extend beyond the classic network perimeter. The new perimeter is the user, the application being accessed, and the device being used. Supporting this model must be IT’s priority for the foreseeable future to enable work from anywhere and scale as needed. Continuous assessment of the device, zero trust network access with ZPA, and remediation can protect networks and applications against the spread of attacks by dirty devices. Delivered as a cloud service, ZPA is designed to connect the right users to the right applications, while scaling across all devices. For employees connecting from home, office, or any other network, ZPA consumes information from the endpoint to continually assess permissions based on context—the user’s location, device, application, and more—and provides a fast, secure, and seamless way for users to connect to applications. With so many people working on their unsecured home networks using personally owned laptops and smartphones, there can be no doubt that many devices have already been exposed to multiple threats. According to ThreatLabZ researchers, there was a 30,000% increase in cyber attacks leveraging COVID-related lures to target consumers and corporations. Attackers are exploiting public concerns related to the pandemic to trick users globally into downloading malicious apps, many of which give cybercriminals access to these devices and their data. 
Knowing that devices have been under attack, and that some of those attacks may have successfully infiltrated your users' endpoints, there are two steps you must take:
1. Test the devices to ensure they have not been compromised, so that they cannot spread malware to other devices and networks.
2. Prevent untrusted devices from connecting to the network.
The threat of dirty devices is real, so you can't do one or the other. You need to do both. Whether your employees are continuing to work remotely or are beginning to go back to the office, you must ensure that their dirty devices don't place your network at risk. By combining ZPA and CrowdStrike, you get end-to-end security and protection, from the device to the application. User access is restricted using device posture provided by CrowdStrike and connectivity provided by the ZPA service. This combination delivers secure access to applications with complete context of every user's and device's identity, location, and posture.

Additional resources:
Watch the webinar: Ensuring Business Continuity By Securing Your Remote Workforce
Explore the microsite: Support Your Work-from-Anywhere Initiatives

Kanishka Pandit is a product marketing manager for Zscaler Private Access

Kanishka Pandit

Day in the Cloud: Education and Entertainment For a Good Cause

Trying to get a large group of people together, even for a good cause, seems like a near impossibility these days. Still, it's important, maybe more important than ever, to continue learning and interacting and supporting others, while taking every opportunity to enjoy a bit of entertainment whenever we can! The philanthropic spirit is an important part of the Zscaler culture and guides many of our actions. And it was this culture of giving back that compelled us to host our first Day in the Cloud, an online educational and entertaining event for Zscaler customers and partners.
The day began with a webinar titled “Zero Trust Architecture with Amazon Workspaces,” hosted by business and security leaders from Amazon Web Services (AWS) and Zscaler. That session was followed by, “Ensuring Business Continuity by Securing Your Remote Workforce,” hosted by CrowdStrike and Zscaler, which provided insight into enabling the new work-from-anywhere workforce. Both webinars included live Q&A with the hosts, and both sessions can be viewed on-demand. See the AWS webinar here and the CrowdStrike webinar here. Attendees also had the opportunity to gather information at the virtual AWS and CrowdStrike booths, as well as the Learning Lounge, Knowledge Hub, Partner Zone, and Virtual Briefing Center—all hosted by Zscaler. The highlight of the event was an online concert by Grammy-winning singer-songwriter Jason Mraz. For each concert attendee, Zscaler had pledged a donation to No Kid Hungry, a campaign dedicated to ending childhood hunger in America. Jason’s performance was intimate and a complete delight for long-time fans and new ones—and it helped us raise $31,380 to help No Kid Hungry continue its essential work. We’re grateful to our partners, attendees, Jason Mraz, and No Kid Hungry for making this concert a great all-around success! Following the show, I had the opportunity to join in a small, virtual meet-and-greet with Jason along with some Zscaler customers and their families. It turned into an inspiring conversation about creativity and collaboration (musical and otherwise) and how they are able to continue in full force in spite of the restrictive confines of the global quarantine. The Day in the Cloud was our first event in our new, virtual environment, which includes our Virtual Briefing Center, where you can find videos and other resources to guide you on your cloud journey. We invite you to explore the space and schedule a customized briefing based on your interests and your organization's specific needs. 
If you missed the Day in the Cloud, we hope you will join us next time!

Steve Grossenbacher is a Director of Product Marketing at Zscaler

Steve Grossenbacher

PurpleWave—A New Infostealer from Russia

Infostealers are among the most profitable tools for cybercriminals: information gathered from infected systems can be sold in the cybercrime underground or used for credential stuffing attacks. The Zscaler ThreatLabZ team came across a new infostealer called PurpleWave, which is written in C++ and silently installs itself on a user's system. It connects to a command and control (C&C) server to send system information and install additional malware on the infected system. The author of this malware is advertising and selling the PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates or 4,000 RUB (US$54) with only two updates.

Figure 1: A PurpleWave selling post on a Russian forum.

The author claims that the stealer can steal passwords, cookies, cards, and autofill form data from Chromium and Mozilla browsers. It also collects files from a specified path, takes screenshots, and installs additional modules. The capabilities of the PurpleWave stealer include:
- Stealing passwords, cookies, card data, autofill data, and browser history from Chromium and Mozilla browsers
- Collecting files from a specified path
- Capturing the screen
- Stealing system information
- Stealing Telegram session files
- Stealing Steam application data
- Stealing Electrum wallet data
- Loading and executing additional modules/malware

Figure 2: The PurpleWave login panel.

The author also built a dashboard where the attacker can monitor infection counts by date, access the stolen logs of infected machines, and change the malware configuration settings.

Figure 3: The PurpleWave infection dashboard.

The dashboard also lets the attacker customize the configuration of the PurpleWave stealer.
Figure 4: The dashboard for customizing the PurpleWave configuration.

Technical analysis

On execution, the PurpleWave binary displays a fake error message in Russian, which the attacker can customize in the panel, while it performs all of its malicious activity in the background.

Figure 5: The fake error message in Russian. (It translates to: Memory control blocks damaged.)

The name of the stealer (PurpleWave) and its version (1.0) are hardcoded and encrypted in the binary. Most of the strings in the binary are encrypted and are decrypted at runtime by the decryption loop shown in Figure 6.

Figure 6: The common decryption function for the encrypted strings in the binary.

The PurpleWave binary creates a mutex named "MutexCantRepeatThis" so that only one instance of the malware runs at a time. It then sends an HTTP POST request with a custom header and body to the C&C URL to fetch its configuration.

Figure 7: Sending the request to the C&C server to get the config data.

The request uses a Content-Type of multipart/form-data with the hardcoded boundary string "boundaryaswell" as the part marker, and the User-Agent header is set to "app". The request body contains a single form field named "id" with the value 1.

Figure 8: The configuration request with the custom header and body.

The response contains a customized configuration, which may differ per binary. We observed three different configurations and different hosts across the PurpleWave binaries.

Figure 9: The configuration from different PurpleWave binaries.

The configuration has three keys:
dirs - the directories from which files are to be collected.
fake - the fake alert message shown to the user on execution.
loaders - the names of additional modules to be installed on the infected system.
For Config-2, PurpleWave traverses "%userprofile%/Desktop" and collects files with the extensions txt, doc, and docx. Config-3 collects no files but lists a module named "Kv2TDW4O" under loaders, which is downloaded and executed on the system.

Installing additional modules

To install the additional modules named in the received configuration (Config-3), PurpleWave sends another HTTP POST request, with the same headers as the previous request, to the C&C host at the path "/loader/module_name".

Figure 10: The request to download an additional module.

PurpleWave enumerates the loaders list from the JSON configuration, downloads each module from the C&C server, stores it in the %appdata% directory, and executes it.

Figure 11: Downloading and executing additional modules.

The downloaded module we observed with some PurpleWave binaries is an Electrum wallet stealer, written in .NET, that steals Electrum wallet data from the infected system.

Figure 12: Collecting Electrum wallet data.

Data stealing

PurpleWave steals credentials, autofill data, card data, cookies, and browser history from Chromium and Mozilla browsers. For Chromium-based browsers, it reads login credentials from the "Login Data" SQLite database at "%LOCALAPPDATA%\{Browser}\User Data\Default\Login Data", cookies from "%LOCALAPPDATA%\{Browser}\User Data\Default\Cookies", and autofill data, card data, and browser history from the "Web Data" database at "%LOCALAPPDATA%\{Browser}\User Data\Default\Web Data".

Figure 13: Stealing browser data.

The stolen browser information is sent as multipart form-data fields, named as shown below, each followed by its value:
Username - browser[BrowserName][passwords][index][login]
Password - browser[BrowserName][passwords][index][password]

Figure 14: Stolen browser information.
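The beacon, loader and exfiltration formats described above, as an added example for this write-up (not code from the post or from the malware): the functions build the multipart requests the way the analysis describes them (User-Agent "app", boundary "boundaryaswell", the id=1 config field, the /loader/<module_name> path, the nested browser[...] field names), then flag such requests and decode the stolen fields from raw HTTP bytes, which is what a responder wants when the /gate POST turns up in a proxy capture. The host name, the credentials and the screenshot bytes are constructed sample data, not the post's IOCs.

```python
"""PurpleWave C2 traffic helpers: build the requests the analysis describes and
flag/decode them from raw HTTP bytes. Added example for this write-up, not code
from the post or the malware; hosts, credentials and screenshot bytes are constructed."""
import re
from email.parser import BytesParser
from email.policy import default as default_policy

BOUNDARY = "boundaryaswell"  # fixed multipart boundary used by the stealer
USER_AGENT = "app"           # fixed User-Agent used by the stealer

# Beacon/exfil endpoints: /config, /gate and /loader/<module_name>
PW_PATH_RE = re.compile(r"^/(config|gate|loader/[A-Za-z0-9]+)$")
# Field names for stolen logins: browser[<name>][passwords][<index>][login|password]
FIELD_RE = re.compile(r"^browser\[([^\]]+)\]\[passwords\]\[(\d+)\]\[(login|password)\]$")


def multipart_body(fields, files=()):
    """Encode (name, value) text fields and (name, filename, bytes) file parts."""
    chunks = []
    for name, value in fields:
        chunks.append(
            f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    for name, filename, data in files:
        chunks.append(
            f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n".encode() + data + b"\r\n"
        )
    chunks.append(f"--{BOUNDARY}--\r\n".encode())
    return b"".join(chunks)


def build_request(host, path, body):
    """Raw HTTP/1.1 POST carrying the stealer's fixed headers."""
    head = (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {USER_AGENT}\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


def config_beacon(host):
    """First request: POST /config with the single form field id=1."""
    return build_request(host, "/config", multipart_body([("id", "1")]))


def loader_request(host, module_name):
    """Module download: same headers, POST /loader/<module_name>."""
    return build_request(host, f"/loader/{module_name}", multipart_body([]))


def gate_exfil(host, creds, screenshot):
    """Final request: POST /gate with nested browser[...] fields plus screenshot.png."""
    fields = []
    for browser, entries in creds.items():
        for i, (login, password) in enumerate(entries):
            fields.append((f"browser[{browser}][passwords][{i}][login]", login))
            fields.append((f"browser[{browser}][passwords][{i}][password]", password))
    body = multipart_body(fields, [("screenshot", "screenshot.png", screenshot)])
    return build_request(host, "/gate", body)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def is_purplewave_c2(raw):
    """Detection: POST to a known endpoint with User-Agent 'app' and the fixed boundary."""
    method, path, headers, _ = parse_request(raw)
    ctype = headers.get("content-type", "")
    return (
        method == "POST"
        and headers.get("user-agent") == USER_AGENT
        and f"boundary={BOUNDARY}" in ctype
        and PW_PATH_RE.match(path) is not None
    )


def decode_gate(raw):
    """Reconstruct stolen logins and attached files from a captured /gate request."""
    _, _, headers, body = parse_request(raw)
    msg = BytesParser(policy=default_policy).parsebytes(
        b"Content-Type: " + headers["content-type"].encode() + b"\r\n\r\n" + body
    )
    creds, files = {}, {}
    for part in msg.iter_parts():
        data = part.get_payload(decode=True)
        filename = part.get_filename()
        if filename:
            files[filename] = data
            continue
        match = FIELD_RE.match(part.get_param("name", header="content-disposition") or "")
        if match:
            browser, index, kind = match.group(1), int(match.group(2)), match.group(3)
            creds.setdefault(browser, {}).setdefault(index, {})[kind] = data.decode().strip()
    return creds, files


if __name__ == "__main__":
    host = "c2.example.invalid"  # placeholder host, not one of the post's IOCs
    sample = {"Chrome": [("alice@example.com", "hunter2")]}  # constructed sample data
    exfil = gate_exfil(host, sample, b"\x89PNG-stub")  # constructed stub, not a real PNG
    print(is_purplewave_c2(config_beacon(host)), decode_gate(exfil)[0])
```

The detector keys on three things the analysis shows are fixed in the binary (the User-Agent, the boundary string and the endpoint paths), so it is cheap to run over proxy logs; the same three values make a good basis for a network signature until the author changes them.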
Along with the browser data, the stealer captures the current screen and appends it to the form-data as a file part named "screenshot.png".

Figure 15: A captured screenshot.

It then collects information about the infected system, such as the operating system, CPU, GPU, machine GUID, username, machine name, and more.

Figure 16: The system information collected by PurpleWave.

The stealer also collects SSFN files from the Steam gaming client. These sentry files are created by Steam Guard to mark a machine as trusted, so an attacker who has them together with the account password can log in without triggering a new Steam Guard verification. PurpleWave reads the Steam installation path from the registry key "Software\\Valve\\Steam" and reads every SSFN file stored in the config directory.

PurpleWave also steals session files from the Telegram desktop client. It reads the default value of the registry branch "HKCU\Software\Classes\\DefaultIcon" to obtain the path of the Telegram executable, then collects all files whose names start with "map" in the "D877F783D5D3EF8C" directory of Telegram's local data folder; these files carry the logged-in session.

Figure 17: Collecting Steam and Telegram data.

PurpleWave merges all the collected data (files, browser data, screenshot, Steam data, Telegram data, and system info) and sends it to the C&C server in a single HTTP POST request.

Figure 18: Sending stolen data to the C&C server.

Coverage

The observed indicators in this attack were successfully blocked by the Zscaler Cloud Sandbox.

Figure 19: The Zscaler Cloud Sandbox report for PurpleWave.

In addition to sandbox detection, Zscaler's multilayered cloud security platform detects indicators at various levels. The following advanced threat protection signature has been released for this malware:
Win32.PWS.PurpleWave

Conclusion

Zscaler believes that PurpleWave represents an active and ongoing threat, as the C&C servers were still alive and responding as of this writing. The malware also still appears to be available for purchase on the black market.
PurpleWave has significant potential to steal sensitive information. The malware is in the early stages of development, and the author is likely to enhance its stealing capabilities and add more features. We will continue to track this threat to ensure coverage.

MITRE ATT&CK™ tactic and technique mapping

Discovery
T1083 File and Directory Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1124 System Time Discovery
T1016 System Network Configuration Discovery
Exfiltration
T1020 Automated Exfiltration
T1041 Exfiltration Over C2 Channel
Command and Control
T1071 Application Layer Protocol (web protocols)
T1105 Ingress Tool Transfer (downloads additional files)
Credential Access
T1555 Credentials from Password Stores (web browsers)
T1539 Steal Web Session Cookie
Collection
T1005 Data from Local System
T1113 Screen Capture

Indicators of Compromise (IOCs)

Hashes (not preserved in this copy of the post)

C&C URLs
sh1213709[.]a[.]had[.]su/config
sh1213709[.]a[.]had[.]su/gate
sh1213709[.]a[.]had[.]su/loader/Kv2TDW4O
sh1213709[.]a[.]had[.]su/loader/9ZNzBRpT
sh1213709[.]a[.]had[.]su/loader/Ds5UabYT
sh1213709[.]a[.]had[.]su/loader/MTIQK8lV
manget6z[.]beget[.]tech/config
manget6z[.]beget[.]tech/gate
ec2-3-134-252-78[.]us-east-2[.]compute[.]amazonaws[.]com/config
ec2-3-134-252-78[.]us-east-2[.]compute[.]amazonaws[.]com/gate
bibaiboba[.]beget[.]tech/config
bibaiboba[.]beget[.]tech/gate
sumakokl[.]beget[.]tech/config
sumakokl[.]beget[.]tech/gate
ikaschyn[.]beget[.]tech/config
ikaschyn[.]beget[.]tech/gate
h98801x4[.]beget[.]tech/config
h98801x4[.]beget[.]tech/gate

Mohd Sadique

Meet Zscaler: Language, Localization, and Learning - How Isabella Muma Found Her Way to Zscaler

From the journalism spotlight in Cameroon to making waves behind the scenes at Zscaler in Munich, Isabella Muma has had a remarkable journey. Fluent in three languages, she supports almost every team at Zscaler and is passionate about clean content, collaboration, and her co-workers. Outside of work, she loves to draw, write poetry, appreciate art, and study history and ancient civilizations.
See why Isabella makes Zscaler a Great Place to Work! What is your background? I was born and raised in Cameroon in Central Africa. My full name is Ngela-ah Isabella Muma, but Ngela-ah is hard for people to pronounce, especially in Europe, so I go by Isabella or Bella. My background is in journalism. After getting a bachelor’s degree in journalism, I got my first job at a prominent non-profit organization as a communications officer, then transitioned to radio and print journalism. I also had the opportunity to work in the film and entertainment industry as a scriptwriter for a time. That was a very adventurous part of my career and it was something I really loved. In 2014, I moved to Germany to get my master’s degree in trade journalism and corporate communication. When I came here, I really had no knowledge of German, so I had to go through the process of learning the language before proceeding with my studies. After learning German and completing my master’s studies, I got a job at a PR agency in Munich, which specializes in IT security. So I moved from the nice small town of Würzburg to Munich in 2018, and that’s how my journey to Zscaler started. Tell us about your journey to Zscaler I joined the PR agency not long after Zscaler became a client and I was put on the team to manage the account and projects. At the kickoff meeting with the Zscaler management team in Munich, my boss at the time introduced me, saying, “This is Isabella. She speaks English, French, and German, so she’s really valuable to us when it comes to handling information in English.” At the time I didn’t realize that someone in the Zscaler management team was taking note of my language skills! I continued working on the Zscaler account at the PR agency. Then, one blessed afternoon I got an email from someone at Zscaler about a content localization role that needed a candidate who could speak English, French, and German. 
It was a tough decision because I loved my job at the agency, but I eventually decided to take a leap of faith and apply, and I got the position. My transition was really easy because I not only had the language requirements for the job, but had also been working on the Zscaler account for ten months and was quite well-versed in Zscaler’s vision and products. I officially joined Zscaler in October 2019, and my first day was the Zenith Live event in Portugal, so I really hit the ground running. It was so fun—hectic—but fun! My coworkers made all the difference. They were always ready to help me out and point me in the right direction, so they made it easy for me to settle into the new role. I like to refer to them as the “ready to help team.” I think this is the type of team every ‘freshman’ needs, and I was lucky to have that. What do you do in your role at Zscaler? In my role, I manage all localization projects, so every white paper, video, eBook—every asset coming from HQ that is relevant to the European or Japanese markets—I make sure they are translated into the local languages and adapted for the respective markets. I collaborate closely with the field marketing teams to pick out and design what’s relevant to a specific region or country, make sure all the assets are transcreated, and send them back to field marketing so that they can easily run their campaigns within the targeted regions and countries. What is your favorite part of your job? I really love that I have the chance to work with so many different people. I work with almost every team at Zscaler: field marketing, sales, product management, sales enablement, public relations, dev, digital, you name it! I also work with two translation agencies, one in the UK and the other in Japan, that have team members all over the world. It’s been really great to work with a wide variety of people who have very different ideas, ways of working, and ways of dealing with a particular situation. 
It helps me to always keep an open mind and constantly work on my teamwork and leadership skills. What’s your favorite Zscaler memory? Not long ago, during a conference call with the entire EMEA team, I learned I had been nominated for the Bravo Award. I had no idea I was even nominated, and I ended up being chosen! That made me feel really good, and it showed that even though I work very quietly behind the scenes, my work is being noticed. We live in a fast-paced world where people tend to focus more on themselves and their work, and may not take the time to recognize others and the work they do. This award said loud and clear to me, “we see you, and your work is valuable.” That was a really beautiful surprise and had a big impact on me. What do you like to do outside of work? I love to be creative and my hobbies definitely reflect that. I’ve always loved writing and drawing, so I try to continue those when I can. I’ve also picked up writing poetry. I like to call my work “alternative poetry.” I actually have a whole collection of poems now, and am hoping to publish them in the future and integrate them into another very creative project I have in mind. I also love to take long walks and travel when we’re not in a pandemic. I usually try to travel home to Cameroon to visit my family, but unfortunately couldn’t do that this year. Chatting on the phone and catching up over video chat has been a great way to decrease the distance and stay connected. What advice would you give to someone looking to get into your field? Love what you do and always keep an open mind - we’re constantly learning. If I didn’t keep an open mind, I wouldn’t have made the decision to join Zscaler in the first place, and I wouldn’t have contributed as much as I have so far. Also, approach tasks and goals with the “we” mentality instead of “me.” I work with different groups, I manage different people within projects, and I always approach it with a “we” perspective. 
When dealing with a challenge or project, I like to ask questions and work together rather than dictating what I think is right. Especially when working with outside agencies, you have to understand that it’s a team effort that requires being patient and flexible, but firm. At the end of the day, it’s not just about me or the team, it’s about the company as a whole.

Join Isabella and the rest of the team! Visit our careers page to explore opportunities in marketing as well as the many other roles in which you can help Zscaler drive secure digital transformation for enterprises around the world.

Read Next:
Meet Zscaler: What Three Years at Zscaler Means to Carolina Monge
Meet Zscaler: Mission Accomplished — How Patrick Perry Transitioned from The Force to Being a Force For His Team
Meet Zscaler: From Sales to Enablement - How Megan Allen Found Her Passion

Kristi Myllenbeck

Cybercriminals Targeting Multiple Vulnerabilities in WordPress Plugins

WordPress is by far the most popular open source software used to build and host websites. According to a July 2020 survey, around 455,000,000 websites use WordPress, and WordPress sites make up 14.7 percent of the top 100 websites in the world. Sites that use WordPress as their CMS include NBC, CNN, TechCrunch, People magazine, the NFL, Best Buy, CBS Radio, and UPS, just a few of the Fortune 500 companies powered by WordPress. So many organizations should be concerned when cyberattacks focus on vulnerabilities in this popular CMS, which we have reported on previously in this blog. Recently, the Zscaler ThreatLabZ team discovered a number of phishing and scam campaigns hosted on popular sites built with WordPress. We traced the entire campaign, including how several WordPress plugins were exploited for malicious purposes.
In this blog, we look at the three plugin vulnerabilities that attackers are actively exploiting to compromise WordPress sites. The following image shows the overall hits on the WordPress sites affected by these campaigns, as observed in the Zscaler Cloud over the past three months. Figure 1: Hits of the compromised WordPress sites. Vulnerability 1: WooCommerce plugin WooCommerce is a popular WordPress e-commerce plugin widely used by online merchants. A few years ago, researchers found an arbitrary file deletion vulnerability in WooCommerce plugin versions earlier than 3.4.5. This vulnerability allows an attacker to execute arbitrary code on the target system. WooCommerce patched this vulnerability in version 3.4.6. Even though a patched version is available, we observed many sites still running outdated versions, which left them vulnerable to this scam. Let's look at how this scam campaign works in detail. The following picture shows the source code of the compromised site, including the injected, obfuscated redirector script. Figure 2: The source page of the compromised WordPress site ( We deobfuscated the injected JavaScript code. The script redirects users to the IP Figure 3: The deobfuscation of the injected redirector script. Figure 4 shows the redirected traffic to the above-mentioned IP address ( Figure 4: The redirection traffic captured in the Fiddler session. After multiple redirections, the attacker takes the victim to the following scam campaign. Figure 5: The scam page redirected from the IP address ( The scam campaign tricks the user into creating a trading account by opening the link highlighted in Figure 6. Figure 6: The disguised link that poses as a web link to create a demo trading account. Once the user clicks the link, it redirects the user to an adult site instead. The following picture shows the redirection traffic of the final landing page. 
Figure 7: Web traffic of the redirection page. Figure 8: User redirected to adult content from the compromised site ( Figure 9: The overall web traffic of the scam campaign captured in the Fiddler session. Vulnerability 2: WordPress Yoast SEO plugin Similarly, we observed the same scam campaign hosted on sites compromised through the Yoast SEO plugin, using different scam templates. Researchers discovered a stored cross-site scripting vulnerability in the Yoast SEO plugin in the past year. The vulnerability allows attackers to inject a redirector script into the affected WordPress site. A patched version was released as version 11.6, and the current updated version is 14.4.1. Figure 10: The source page of the WordPress site with an outdated Yoast SEO plugin version. The same redirection script is injected into the compromised WordPress site, as shown in Figure 11. Figure 11: The same injected redirector script in the compromised WordPress site ( Here, the scam template used by the attacker claims that “Women earn money” online using the same trading platform, which also sends victims to adult-related sites. Figure 12: A different scam campaign template used by attackers. Vulnerability 3: WordPress All in One SEO Pack plugin A stored cross-site scripting vulnerability was discovered last week in the popular WordPress All in One SEO Pack plugin. The vulnerability allows authenticated users to inject malicious scripts by accessing the wp-admin panel's “all posts” page. All versions of this plugin before version 3.6.1 are vulnerable. The patched version was released on July 15, 2020, and the current updated version is 3.6.2. Figure 13 shows the source code of the compromised WordPress site with the injected redirector script. The phishing redirection takes place only if the condition checked by the getProcessHash() function is satisfied. 
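In all three cases the compromised sites were running plugin versions below the patched release, and the version string was visible in the page source (Figures 10 and 14). The script below is an added example, not code from the ThreatLabZ post or from WordPress: it extracts the plugin versions a page exposes and compares them with the patched releases named above (WooCommerce 3.4.6, Yoast SEO 11.6, All in One SEO Pack 3.6.1). The HTML pages are constructed, and the markers it searches for (the WooCommerce generator meta tag, the Yoast and All in One SEO Pack header comments, and ?ver= on plugin assets) are an assumption about how these plugins expose their versions.

```python
"""Audit plugin versions exposed in a WordPress page's HTML.

Added example (not the post's code). Compares the versions a page leaks
against the minimum patched releases named in the post.
"""
import re
from typing import Dict, List, Tuple

# Minimum versions carrying the fix, as stated in the post.
PATCHED = {
    "woocommerce": "3.4.6",          # arbitrary file deletion, fixed in 3.4.6
    "wordpress-seo": "11.6",         # Yoast SEO stored XSS, fixed in 11.6
    "all-in-one-seo-pack": "3.6.1",  # All in One SEO Pack stored XSS, fixed in 3.6.1
}

# Where each plugin tends to leave its version in rendered HTML
# (assumed marker formats; adjust if a site's output differs).
MARKERS = {
    "woocommerce": re.compile(
        r'<meta\s+name="generator"\s+content="WooCommerce ([\d.]+)"', re.I),
    "wordpress-seo": re.compile(
        r'optimized with the Yoast SEO plugin v([\d.]+)', re.I),
    "all-in-one-seo-pack": re.compile(
        r'<!--\s*All in One SEO Pack ([\d.]+)', re.I),
}

# Fallback for any plugin: assets load from wp-content/plugins/<slug>/...?ver=X.Y.Z
ASSET_VER = re.compile(
    r'wp-content/plugins/([a-z0-9_-]+)/[^"\'\s>]*?[?&]ver=([\d.]+)', re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.4.5' into (3, 4, 5) so versions compare numerically."""
    return tuple(int(p) for p in text.strip(".").split(".") if p.isdigit())


def extract_versions(html: str) -> Dict[str, str]:
    """Collect {plugin-slug: version} from explicit markers, then asset URLs."""
    found: Dict[str, str] = {}
    for slug, pattern in MARKERS.items():
        match = pattern.search(html)
        if match:
            found[slug] = match.group(1)
    for slug, version in ASSET_VER.findall(html):
        found.setdefault(slug.lower(), version)  # an explicit marker wins
    return found


def audit(html: str) -> List[Dict[str, str]]:
    """Classify every detected plugin as outdated, patched or unknown-plugin."""
    report = []
    for slug, version in sorted(extract_versions(html).items()):
        fixed = PATCHED.get(slug)
        if fixed is None:
            status = "unknown-plugin"
        elif parse_version(version) < parse_version(fixed):
            status = "outdated"
        else:
            status = "patched"
        report.append({"plugin": slug, "version": version,
                       "patched_in": fixed or "n/a", "status": status})
    return report


# Constructed sample pages (not real sites).
SAMPLE_SHOP = """<!DOCTYPE html><html><head>
<!-- This site is optimized with the Yoast SEO plugin v11.5 - https://yoast.com/wordpress/plugins/seo/ -->
<meta name="generator" content="WooCommerce 3.4.5" />
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=3.4.5">
<script src="https://shop.example/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.2"></script>
</head><body></body></html>"""

SAMPLE_BLOG = """<!DOCTYPE html><html><head>
<!-- All in One SEO Pack 3.6.0 by Michael Torbert of Semper Fi Web Design -->
<meta name="generator" content="WooCommerce 3.4.6" />
<script src="https://blog.example/wp-content/plugins/all-in-one-seo-pack/js/aioseop.js?ver=3.6.0"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("shop", SAMPLE_SHOP), ("blog", SAMPLE_BLOG)):
        for row in audit(page):
            print(f"{name}: {row['plugin']} {row['version']} "
                  f"(patched in {row['patched_in']}): {row['status']}")
```

Run it against your own site's saved HTML to see which plugins advertise a version older than the fix; an "unknown-plugin" row simply means the plugin is not in the PATCHED table.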
The redirection takes place if the compromised site's address contains the string “email” preceded by a hash (#). Figure 13: Source code of the compromised WordPress site with the injected script. Figure 14 shows the vulnerable version of the All in One SEO Pack plugin in the source of a compromised WordPress site. Figure 14: The outdated version of the All in One SEO Pack plugin. Figure 15: The deobfuscated phishing redirection URL. We were able to see the web traffic to the phishing site redirected from the compromised WordPress site during the Fiddler session. Figure 16: Redirection traffic to the phishing site captured in the Fiddler session. The final destination of this campaign is a spoofed Microsoft phishing site. Figure 17: The hosted Microsoft phishing campaign from the compromised WordPress site. Figure 18: Credential theft from the Microsoft phishing campaign. Figure 19: The overall web traffic of the phishing campaign captured in the Fiddler session. Conclusion Cybercriminals actively track the most popular content management systems (such as WordPress) to find loopholes and vulnerabilities they can exploit for malvertising. Website owners should be aware of such campaigns and should keep their plugins patched with the latest security updates. The Zscaler ThreatLabz team is actively tracking such campaigns and blocking them to protect our customers. Indicators of Compromise Vulnerability 1 and 2 Malicious IP: Scam site: Compromised WordPress sites: Vulnerability 3 Phishing URL: Compromised WordPress sites: Gayathri Anbalagan Android Spyware Targeting Tanzania Premier League The Zscaler ThreatLabZ team is always hunting for malware in the wild. Recently, there have been countless cases of attackers targeting mobile users with malware that leverages the COVID-19 pandemic. Amid all the COVID-related malware activity, we came across some Android malware samples that weren't COVID-19 related. 
Instead, they were targeting the ongoing Tanzania Mainland Premier League football season. The Tanzania Mainland Premier League is the top-level professional football (or soccer, as it is most commonly known here in the United States) league in Tanzania, Africa. We came across some Android Packages (APKs) that were targeting two of the most famous football clubs in Africa, namely Simba SC and Yanga (Young Africans) SC. Figure 1: Logos for the Tanzania football clubs targeted in a recent scam. We also found some legitimate apps on the Google Play store that are related to these clubs. As seen in Figure 2, the spyware portrays itself as the official apps of the above-mentioned teams. Figure 2: Real vs. fake logos for Simba SC and Yanga SC. These apps are essentially spyware, with the following capabilities: reading SMS messages; fetching contacts; recording audio; calling functionality; accessing real-time location; reading and writing external storage; stealing photos; and accessing the camera. Together these capabilities add up to a fully developed spyware with full-fledged features to spy on anyone. Upon further analysis, these APKs turned out to be developed using a popular surveillance tool named SpyMax. Its predecessor, SpyNote, was one of the most widely used spyware frameworks. In the past, SpyNote was notoriously used to victimize Netflix users and a wide range of other Android users. SpyMax seems to be the new favorite among attackers in underground forums. We found evidence that SpyMax has been developed in these underground forums with a main focus on the latest Android compatibility and antivirus evasion. Figure 3: Underground forum discussions about SpyMax. As seen in Figure 3, many of the discussions are about trying to make SpyMax samples fully undetectable (FUD) by antivirus scans. 
Though SpyMax is itself free, some developers claim to have developed their own versions that are undetected by antivirus software and are selling the samples at rates ranging from $45 to $350 per month. The same user in Figure 3 posted about his or her prices, as can be seen in Figure 4. Figure 4: A user discussing the costs of a FUD version of SpyMax. Getting back to the campaign, we unfortunately could not trace the command and control (C&C) server, as it was not active during our analysis. But we were able to get hold of more samples that were designed by the same attacker or group of attackers. (Hashes can be found in the IOC section at the end of this blog.) One such sample developed by the attacker using SpyMax was a live streaming app that claimed to stream live football matches from the Tanzania Premier League. The main purpose behind this is likely to reach a wide range of football fans and attack their devices. The icons of the apps can be seen in Figure 5 (Live Stream is the first from the left). Figure 5: Fake (spyware) apps All these apps behave in exactly the same way. As soon as the victim tries to open the app, it crashes with a message saying "App is not installed" and then suddenly hides its icon. This behavior makes the victim believe that the app was faulty and was removed from the mobile device. But in reality, the app hides itself from the victim and carries on its hideous activities of spying on the user and sending all the stolen data back to the attacker. Conclusion Nowadays, developing high-end surveillance apps (also termed spyware or stalkerware) is as easy as developing a basic Android app with the help of tools such as SpyMax. Even a novice can develop spyware and attack a large number of people. As seen in this case, the attacker used SpyMax to target Android users interested in an ongoing football season. 
From a user's point of view, it's always advisable to take the utmost care when online, especially in times when working from home has become the norm. The precautions you take online have been covered extensively; even so, we believe this information bears repeating. Please follow these basic precautions during the current crisis, and at all times: install apps only from official stores, such as Google Play; never click on unknown links received through ads, SMS messages, emails, or the like; and always keep the "Unknown Sources" option disabled on your Android device, which prevents apps from being installed from unknown sources. We would also like to mention that if you come across an app hiding its icon, as seen in the case above, always search for the app in your device settings (Settings -> Apps -> search for the icon that was hidden). IOCs (Hash, Package Name): aa67921f19809edc87f1f79237e123e9c5c67019, com.yanga.yanga; 2ed2d804754d83aa5de32c27b4ca767d959bf3e8, com.yellowfans.yanga; bea206cf83eea30bf5d0734d94764796d956c4f5, com.livestream.livestream; 1cc01da09849e17f83940d9250318d248f7ab77d, com.simba.simba; 4c7a41d7b0a225f0fa61fe7dc18695e03c2690c8, com.yellowfans.yanga. Shivang Desai Modernizing Security with Six Capabilities for Zero Trust Architectures Security modernization is top of mind for most organizations, especially with increasingly complex hybrid environments and the need to support a remote workforce. At the same time, IT budgets are shrinking in many organizations, and the cost to maintain aging legacy infrastructure continues to grow. To combat rising costs, organizations, including those in the public sector, are turning to cloud-based services with the goal of enabling posture-driven, conditional access and zero-day threat sharing. Large enterprises need to simplify the security environment with cross-platform automation that provides secure access to applications and data. 
While there is no one tool to provide all of these capabilities, a zero trust network access (ZTNA) model provides ubiquitous policies based on identity—meaning that users will have the same experience anywhere they connect. This provides consistency within organizations, giving users the ability to seamlessly access applications and data in cloud environments and data centers, while IT administrators balance security and control. There are six core capabilities of zero trust that organizations can adopt to modernize their security environments: Seamless direct access to external and internal applications Zero trust gives users direct access to external (internet or SaaS) and internal (data center, IaaS, PaaS) applications and data, remotely and securely. Rather than backhauling traffic through virtual private networks (VPNs), the zero trust model reduces traffic and latency, while ultimately improving the user experience. As remote work continues to expand, users need the ability to connect to data in data centers and clouds from their homes. Context-aware access Access policies should correlate user, device, application, and other aspects of the environment. As organizations build policies for context-aware access to data and information, they should include vendors, architects, users, privacy teams, and compliance teams in the conversation. It is important to have representation from all the teams involved to form a symbiotic relationship and a united organization. Users should only be given access to resources and applications necessary for their job functions. By adopting a zero trust security model, only authenticated users will be granted access to applications they are specifically authorized to use. As attack surfaces grow with more distributed environments, zero trust can further limit east-west traffic on the network so that users cannot reach applications they were not intended to reach. 
Flexible deployment across all users and locations A cloud-based zero trust service can provide a scalable environment without placing a significant burden on the IT team. Organizations have different policy requirements and need the flexibility to deploy these tools as quickly as possible. It should be seamless to scale capabilities up or down, without having to deploy new on-premises hardware or additional licensing. Deployment can be simple; many organizations already have aspects of zero trust in their infrastructure, including endpoint management, continuous diagnostics and mitigation, software-defined networking, micro-segmentation, and cloud monitoring. To get started, teams should identify their most significant pain point and define a zero trust use case that addresses that issue. Then, they can implement multiple use cases for a solution that spans multiple scenarios and user communities. Seamless user experience It is important to focus on the user experience and make the security and access as transparent as possible, especially when accessing critical agency applications and key collaboration tools. Legacy VPNs backhaul traffic through the security stack, creating a poor user experience and significant latency—especially with the rise in remote work. Instead, zero trust connections provide direct, secure access to applications in any location. Comprehensive visibility and troubleshooting that enables rapid user-issue resolution Zero trust provides IT administrators with a centralized view to manage, administer, and log users in one place. With full visibility and control into the distributed environment, zero trust technologies improve administrators’ visibility and troubleshooting to enhance the user experience and promote efficiency within the agency. 
Security and compliance tools to mitigate cyber threats and protect applications and data By using cloud-based security and compliance tools as part of a zero trust security model, organizations can protect data and applications without having to go through frequent updates. This can free up time for teams to focus on more critical needs and on improving policies, instead of patching security holes. As technology evolves, cloud and mobility are disrupting and accelerating digital transformation. Remote work requires a modern approach to security, and cloud-delivered secure access service edge (SASE) models transition security from network-centric controls to user-centric and application-centric security, designed to support highly distributed teams working beyond the traditional network perimeter. This “new normal” allows IT to become digital business enablers by adopting new security tools and technologies in the cloud to deliver on the organization’s objectives and promote digital transformation. Stan Lowe is the Zscaler Global Chief Information Security Officer Stan Lowe How the Cloud Helps San Mateo County CARE for its Employees and Citizens Sean Thakkar is the Deputy CIO for the County of San Mateo, California. His post originally appeared on LinkedIn and you can view a short video about the County's work-from-anywhere journey here. When I travel across San Mateo County’s 100 miles of shoreline, with its secluded beaches, jagged cliffs, and mountains rising between valleys—ultimately leading to the San Francisco Bay—I can’t help but forget that I am in the heart of Silicon Valley. Being home to the world’s most well-known start-up scene, the Valley continues to be at the forefront of technological advancement. Located in the midst of it, the Information Services Division (ISD) of San Mateo County invests heavily in the latest technologies to provide world-class services for our employees, citizens, and constituents. 
Much like all of Silicon Valley, the citizens of San Mateo County expect their government to use technology as a means to meet the needs of its tech-savvy inhabitants. This includes deploying a modern infrastructure so businesses and individuals can interact with the county via a variety of web and online services. To support our constituents’ expectations, we have been on a digital transformation journey, investing heavily in cloud technologies such as Okta, Workday, Office 365, and Zscaler. As part of Creating A Remarkable Experience (CARE), which is our internal dogma, and being in Silicon Valley, we have been ahead of the curve and embraced the culture of remote work. Moving to cloud-based security has allowed us to provide all those employees on flexible schedules, and those whose work happens outside a traditional office environment, with the same experience accessing the applications they need for their daily work in the field or at home as if they were in an office. On a daily basis, they interact with our citizenry; they travel between the homes of our constituents to provide human services, they are outside building roads or fixing street lights. As COVID-19 emerged, we had to pivot to focus our attention on the safety and well-being of 10,000 County employees and contractors, while conducting County business and providing services to our citizens in a timely and effective manner. Having been on this journey of heavily investing in SaaS and cloud security, we had a lot of the infrastructure in place that would ultimately assist us in our transition from having 35 percent of our workforce on a flexible schedule to 90 percent of our employees working from home within a matter of days. This allowed us to provide critical services with minimal disruption. Additionally, we ramped up our County website to provide critical COVID-19-related information and urgently needed services in an easy-to-use fashion. 
We prepared hospitals and rented entire hotels to allow people suspected of having the virus, or those who were homeless or didn’t have family members who could take care of them, to safely shelter in place. We purchased personal protective equipment (PPE) to protect our first responders, such as our Sheriff, Fire, and Emergency services, and hospitals. And we equipped our first responders with technologies that were always up and available so that they could focus their attention on providing services to the people who needed it the most. Many of our staff have worked around the clock to get ahead of this pandemic and provide security and safety to our citizens. For the technology and services that enable their dedication, I credit our County Manager Mike Callagy, Deputy Manager Iliana Rodriguez, my boss Jon Walton, and my colleague Michael Wentworth for having the foresight to show the people of San Mateo County that we CARE in every sense of the word. I also want to specifically thank our Board of Supervisors, which has been supporting our vision from its inception. This pandemic has once more demonstrated that we need to have a “nonstop” environment with an uptime of 99.9999%. Any infrastructure that requires maintenance, such as routers, switches, and firewalls, should be replaced with the cloud-delivered infrastructure needed to reduce latencies and improve employee and citizen experiences. To me, this crisis has proved that we were doing the right things leading up to the coronavirus pandemic. I believe there are a few technologies that will stand the test of time—those that can be explained in a sentence or two that are going to be successful as we transform from our current reality to a new way of conducting business. To me, Zscaler and Nutanix belong in that category. 
The last few months have shown that the hard work we put into our jobs always pays off, specifically when we are faced with crisis situations that require us to accomplish things under difficult and stressful circumstances. Working as a team, practicing positive thinking, and believing that we can overcome the challenges at hand will help us overcome any difficulties we may face. I keep reminding my team to focus on the tasks at hand and not dwell on the problems of tomorrow. As human beings, we can accomplish things we would never have believed were possible and, as leaders, we need to guide the people around us through a time like this to empower them and make them stronger—both personally and professionally. From my experience, going through a digital transformation at a local government agency, I have learned the following: work with trusted partners both on the applications side as well as on the services side; execution is the key, so set the speed that meets your strategic needs; act with a sense of urgency; do not become a professional firefighter; you can eat the elephant, but only one bite at a time; anxiety and stress are par for the course; and having technologies that assist with remote work is table stakes. I will also apply these learnings to our next big mission, which is to bridge the digital divide in our County. For example, even though many kids in our school systems get Google Chromebooks from school, if they don’t have access to the internet at home, the technology doesn’t help them with their homework. Thus, we are planning on making Wi-Fi ubiquitous for the whole County, to all those kids whether they live alongside our beautiful beaches, in the valleys, or the mountains. At this time, we have free Wi-Fi available at 100 sites, covering 25 percent of our total geography. Now our goal is to identify the pockets and regions where the digital divide is most prevalent and provide free internet access to help bridge that gap. 
Sean Thakkar New Voicemail-Themed Phishing Attacks Use Evasion Techniques and Steal Credentials In July 2020, researchers at ThreatLabZ observed an increase in the use of voicemail as a theme for social engineering attacks. Through the intelligence gathered from the Zscaler cloud, we discovered several newly registered domains that use VoIP and voicemail as themes for their credential-stealing phishing campaigns. In the most recent instance we saw, attackers were spoofing Cisco’s Unity Connection voicemail platform. This social engineering campaign is specifically designed to reach end users in large enterprises. The use of voicemail delivered in an email message, and the use of phishing pages that spoof enterprise applications, such as Office 365 and Outlook, signal the attackers’ motives. If successful in obtaining a user’s credentials, attackers can access confidential data from the enterprise, potentially selling it or holding it for ransom. They can also leverage company information to launch targeted attacks, which can give them an even greater foothold in the network and cause extensive damage and potential loss for the enterprise. In this blog, we will describe how the current attacks are being carried out, the campaign’s variants and evasion techniques, and the various social engineering tactics in use. Distribution method The attacks are being distributed through email with an HTML attachment that contains JavaScript code which redirects the user to the credential phishing site. Contents of the email are crafted to mimic a system-generated voicemail notification, luring the user to open the attachment to access the recorded voice message as shown in Figure 1. Figure 1: Email message spoofing a voicemail notification HTML attachment analysis We observed different variants of HTML attachments used in these credential-phishing campaigns. Variant #1 The email attachment is an HTML file that contains a short code snippet of JavaScript. 
It uses window.location.replace() to redirect the user to the phishing site, as shown in Figure 2. Figure 2: Contents of HTML attachment We discovered more than 200 HTML email attachments of this variant, and we observed the following similarities between them: all of these HTML attachments followed the naming convention Play_VN_<string_of_11_digits>.html; an icon of a telephone was used in the filename for social engineering purposes; and all of these HTML attachments have a very low detection rate on VirusTotal, as shown in Figure 3 below. Furthermore, the first sample of this variant was observed in the wild on April 21, 2020; the fact that this theme is still being used suggests that the threat actors have achieved decent success with it. Figure 3: No detection against AV engines, as seen on VirusTotal Variant #2 In the second variant, the HTML attachment contains JavaScript code that decodes the next-stage HTML. It uses simple URL encoding, which is decoded using the unescape() function and then loaded in the browser, as shown in Figure 4. Figure 4: HTML attachment containing encoded JavaScript The decoded content shown in Figure 5 uses the meta-refresh tag to redirect the user to the target credential-phishing site. Figure 5: Decoded content which uses meta-refresh tag to redirect Phishing content loaded remotely using JavaScript In a few variants of the phishing landing pages, we observed that the final landing page used an external JavaScript file to display the credential-phishing page in the browser. Figure 6 shows the source code of the phishing page; the highlighted part is the external JavaScript used to display the phishing content. All of these external JavaScript files use long filenames of 32 characters resembling an MD5 hash. 
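The traits described above (the Play_VN_ filename with an icon character, the window.location.replace() redirect, the unescape()-encoded second stage with its meta-refresh tag, and landing pages that pull their content from a script named with 32 hex characters) are all visible statically, so a mail gateway or analyst can triage such an attachment without rendering it. The script below is an added example, not code from the ThreatLabZ post: it unpacks the unescape() stage, extracts redirect targets and scores them against the domain traits the post reports (.xyz/.club/.online TLDs, voip/voicemail/sms keywords, the recipient address in an e= parameter). The attachments, landing page and domain names in it are constructed.

```python
"""Static triage of voicemail-themed HTML email attachments.

Added example (not the ThreatLabZ post's code). Flags the traits the post
describes: Play_VN_<11 digits>.html names carrying an icon character,
window.location.replace() and meta-refresh redirects, a URL-encoded next
stage decoded with unescape(), externally hosted scripts named with 32 hex
characters, and redirect targets on .xyz/.club/.online domains that use
voip/voicemail/sms keywords and carry the recipient address in e=.
All sample inputs below are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, quote, unquote, urlsplit

THEME_WORDS = ("voip", "voicemail", "sms")   # keywords noted in the post
ABUSED_TLDS = (".xyz", ".club", ".online")   # TLDs noted in the post

REDIRECTS = [
    (re.compile(r"window\.location\.replace\(\s*['\"]([^'\"]+)['\"]", re.I),
     "window.location.replace() redirect"),
    (re.compile(r"<meta[^>]+http-equiv=['\"]?refresh['\"]?[^>]*url=([^'\">;\s]+)", re.I),
     "meta-refresh redirect"),
]
UNESCAPE_BLOB = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
HEX32_SCRIPT = re.compile(r"<script[^>]+src=['\"]([^'\"]*/[0-9a-f]{32}\.js)['\"]", re.I)


def filename_findings(name: str) -> List[str]:
    """Naming-convention checks on the attachment filename."""
    findings = []
    ascii_only = "".join(ch for ch in name if ord(ch) < 128)
    if ascii_only != name:
        findings.append("non-ASCII (icon) characters in filename")
    if re.fullmatch(r"Play_VN_\d{11}\.html", ascii_only.strip()):
        findings.append("matches Play_VN_<11 digits>.html naming convention")
    return findings


def js_unescape(blob: str) -> str:
    """Mimic JavaScript unescape(): %uXXXX code units first, then %XX bytes."""
    blob = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), blob)
    return unquote(blob)


def decode_stages(html: str, max_depth: int = 3) -> List[str]:
    """Return the attachment plus each unescape()-encoded stage it unpacks to."""
    stages = [html]
    for _ in range(max_depth):
        blobs = UNESCAPE_BLOB.findall(stages[-1])
        if not blobs:
            break
        stages.append(js_unescape(max(blobs, key=len)))  # largest blob is the payload
    return stages


def target_findings(url: str) -> List[str]:
    """Domain and URL-shape traits of a redirect target."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if host.endswith(ABUSED_TLDS):
        findings.append("target TLD abused in this campaign: ." + host.rsplit(".", 1)[-1])
    words = [w for w in THEME_WORDS if w in host]
    if words:
        findings.append("voicemail-theme keywords in target host: " + ", ".join(words))
    for value in parse_qs(parts.query).get("e", []):
        if "@" in value:
            findings.append("recipient address passed in e= parameter: " + value)
    return findings


def triage(filename: str, html: str) -> Dict[str, object]:
    """Run every check over the attachment and its decoded stages."""
    findings = filename_findings(filename)
    stages = decode_stages(html)
    if len(stages) > 1:
        findings.append(f"{len(stages) - 1} URL-encoded stage(s) unpacked via unescape()")
    targets: List[str] = []
    for stage in stages:
        for pattern, label in REDIRECTS:
            for url in pattern.findall(stage):
                targets.append(url)
                findings.append(f"{label} -> {url}")
                findings.extend(target_findings(url))
        for src in HEX32_SCRIPT.findall(stage):
            findings.append("external script with 32-hex-character filename: " + src)
    return {"filename": filename, "stages_decoded": len(stages) - 1,
            "targets": targets, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Constructed samples (not real attachments or domains).
SAMPLE_V1_NAME = "\u260e Play_VN_20200721001.html"   # telephone icon + 11 digits
SAMPLE_V1 = ('<html><script>window.location.replace('
             '"http://voicemail-sms-example.xyz/?e=user@example.com");</script></html>')
DECODED_V2 = ('<meta http-equiv="refresh" '
              'content="0;url=http://novoip-example.club/?e=user@example.com">')
SAMPLE_V2 = ("<html><script>document.write(unescape('"
             + quote(DECODED_V2, safe="") + "'))</script></html>")
SAMPLE_LANDING = ('<html><head><script src="https://cdn.example/js/jquery.min.js"></script>'
                  '<script src="https://cdn.example/o/assets/js/'
                  '0123456789abcdef0123456789abcdef.js"></script></head><body></body></html>')

if __name__ == "__main__":
    for name, html in ((SAMPLE_V1_NAME, SAMPLE_V1), ("voicemail.html", SAMPLE_V2),
                       ("index.html", SAMPLE_LANDING)):
        result = triage(name, html)
        print(result["verdict"], repr(name))
        for line in result["findings"]:
            print("  -", line)
```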
Figure 6: Phishing landing page referencing an externally hosted JavaScript to load phishing content Unlike common credential-phishing landing pages, we can see in this case that there is no information related to the brand being targeted. This allows the threat actors to bypass many automated URL analysis engines and extend the page's survival. Figure 7 shows the relevant JavaScript code and where the user’s credentials are being sent. This code is present in randomly named and externally hosted JavaScript files. Figure 7: JavaScript file used to send user’s credentials to attacker’s server Figure 8 shows a sample packet capture which highlights the method used to exfiltrate the stolen credentials to the attacker’s site. It sends the credentials in Base64-encoded format. It is important to note that on the first attempt, this phishing page will always give the "password incorrect" message, which prompts users to enter their passwords more carefully the next time. Figure 8: Packet capture showing credentials being exfiltrated Captcha-based evasion technique In one of the campaigns related to voicemail, attackers used Google’s reCAPTCHA on the landing page to evade automated URL analysis, as shown in Figures 9 and 10. Figure 9: Google’s reCAPTCHA used for evading automated URL analysis Figure 10: Google reCAPTCHA used as a security challenge on the phishing page for evasion Users are redirected to the main credential-phishing page after solving the captcha. The final phishing page spoofs the Microsoft Office 365 login page, as shown in Figures 11 and 12. Figure 11: Credential-phishing landing page to steal Office 365 credentials Figure 12: Office 365 phishing page XYZ top-level domain abuse Below is a list of domains we identified that were registered between June and mid-July 2020 and were used by the threat actor(s) for conducting credential-phishing campaigns using the voicemail theme. 
novoips[.]xyz voced-mxd[.]xyz voicenotes-sms[.]xyz newvmwav-voi[.]xyz xvxvoip[.]xyz vmpla-yvmc[.]xyz voip-sms[.]xyz voipmails-srv[.]xyz voipsms-ss[.]xyz voicemail-srv[.]xyz voicemail-sms[.]xyz These domains share some similarities in their naming convention: all the domains were using the top-level domain (TLD) of XYZ; the domain names contained keywords such as “voip,” “voicemail,” and “sms” for social engineering purposes; and most of these domains were registered with the German-based hosting service “1und1”. The URL pattern used for credential phishing is: hxxp://<email_address> The parameter e in the URL corresponds to the recipient's email address. If the URL is accessed directly without the email address as a parameter, the user is redirected to the site We can see that the attackers took several measures to ensure that automated URL analysis cannot be performed and the URLs look convincing to the end user. Other TLDs that were abused by the threat actor in this campaign are .club and .online. The complete list of domains used in this variant of the campaign is provided in the Indicators of Compromise (IOCs) section at the end of this blog. Cisco Unity Connection spoofed theme On July 6, 2020, we observed in the Zscaler cloud several connection attempts to the domain: which is a site created by the threat actor to spoof Cisco’s Unity Connection voicemail portal, as shown in Figure 13. Figure 13: Web page spoofing Cisco Unity Connection – voicemail portal An icon of an audio file is displayed to the user. Once this icon is clicked, the user is redirected to the credential-phishing landing page, which is designed to target multiple brands, as shown in Figure 14. Figure 14: Landing page targeting multiple brands Below is the list of brands targeted by this campaign: Office 365, Mimecast, Outlook Web Access (OWA), Gmail, Yahoo, and others (generic). Once the user clicks on any of the above links, a corresponding phishing page is displayed. 
As an example, the OWA phishing page is displayed (Figure 15) when the user clicks the “Outlook Web Access” link on the web page. Figure 15: OWA phishing page Zscaler’s detection status Zscaler’s multilayered cloud security platform detects indicators at various levels, as seen here: HTML.Phish.Microsoft HTML.Phish.Office365 Conclusion This threat actor leverages well-crafted social engineering techniques and combines them with evasion tactics designed to bypass automated URL analysis solutions to achieve better success in reaching users and stealing their credentials. As an extra precaution, users should not open attachments in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials. The Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe. Indicators of Compromise (IOCs) Domains using voicemail and VoIP themes 
voicenote[.]on-smsvoice[.]xyz voicenote[.]voip-sms[.]xyz voicenots[.]xvxvoip[.]xyz voip-server[.]voced-mxd[.]xyz voip[.]svpx[.]xyz voipmsg[.]vmr232[.]xyz vpxrsd[.]voic-e-mx[.]xyz websrv[.]sercu-voipvm[.]online Externally hosted JavaScripts used to load the phishing content sunrare[.]com/o/50e86e68f0f3c0f8fefb78cae4070fab/assets/js/eb0c32d32967828335971031a7f69473[.]js birdeiye[.]com/tlc/1fb28f1a6214fadb63727b59f6c47b48/assets/js/9b40ffe428c251fa9290c96cebe7ec22[.]js birdeiye[.]com/tlc/f14277d7aeb98e7d97598d37d9c9b0b6/assets/js/a7ea834d6055724f803fb685792a53ba[.]js selagikamana[.]com/zqp/572a5796b6771661fd5c14e5eb030fa4/assets/js/fb011c8479de271fa425cb3c0090354a[.]js www[.]sunrare[.]com/o/61f414c3c63cd9cdddb5c074ead6bf42/assets/js/aef79e7c7ea0af42bc3f2bbda0389025[.]js donzipelt[.]com/def/4dd0b3fe161066f007fc67e1f7e2b1f0/assets/js/9d9e5f30ac5d845e86ef027d5048d578[.]js donzipelt[.]com/def/5dc46609ba95bde0af73bf1503a37ccb/assets/js/3dd94d0fa362965267e407d9da2f0d50[.]js www[.]sunrare[.]com/o/d1990b1a24c0e238566a817a620d1730/assets/js/05f957ca65d7884c707ff9ceb0ed35d0[.]js jessicabenaridesigns[.]com/poc/0991088e015559e0f28a5b8c1ceaec99/assets/js/9d66beb85e9baf57b3d5613327f18532[.]js duduknax[.]com/tol/414de52007f92181334cff78781dbcf8/assets/js/d23a1f5183fbd7361f25331bffbe0080[.]js sunrare[.]com/o/e9fe886b01d023891df84892932fe818/assets/js/70fd63b8279390b9e497bc7bb5e8ebf9[.]js pocopassdfgnow[.]website/d9304846708577b8218634513d040c7d/assets/js/f65b3324ecb14d0f8519d74fb71d69ed[.]js www[.]sunrare[.]com/o/962ffb6ffd63e7f264d7647ae43bd0d2/assets/js/f0de7b83ce53ac9ad95f159c83238fc8[.]js www[.]sunrare[.]com/o/a1c3fd81c71ea04ca54a0849ed87f71a/assets/js/8f2ee1290175a2c989609540b51966ed[.]js zetcontechnologies[.]com/app/7879f9ee764455df97e00f7e29e57ed6/assets/js/3a4ae029e8613b15ee9636d3069eefac[.]js zetcontechnologies[.]com/app/3c6be750a9d9afea5b5d045b69a0ecdc/assets/js/d4f97f5c855bc87fb716531c15b41982[.]js 
duduknax[.]com/tol/a01a19c1f9c346b46e67c10b62ee929f/assets/js/bfc47b5a191c01ebedb48d6687736093[.]js duduknax[.]com/tol/3c0d8af5aa88acfe9f4785b183bc0b0f/assets/js/8d56426a10faecebed92e7ad44f9a37e[.]js duduknax[.]com/tol/6a75a934186109a9da52d1a277bd5225/assets/js/5ce9e997caf186f4d487f68dc2dbbcf6[.]js lompintsc[.]com/del/0cbd7a8540753de4d507786645a5066b/assets/js/67a61205f2dcbfa7635a394295bc5666[.]js lompintsc[.]com/del/da40d7bebec2d1368a18990bb519a410/assets/js/fb6637c96873022b36531ddf2a4efd01[.]js lompintsc[.]com/del/63da6c6c93262b3d47bb128f05164db8/assets/js/b36705e19d470036493436da163570a9[.]js lompintsc[.]com/del/7712b26261d18e81c851bc02e281e9ef/assets/js/985931acc11fbf06a720dbf089b3856f[.]js lompintsc[.]com/del/4746f26dddc4ffcea1c1b517f23fe3ab/assets/js/9e02714fc2166ff8ffdc683c00134039[.]js reallaunchers[.]co[.]in/me/d0b18ce7a90d9a329dc45ea25b364839/assets/js/8cb0c9c283c4300724b1b3efb265834e[.]js reallaunchers[.]co[.]in/me/90e1cf6dfa12605f92c9c81a2feb2a3e/assets/js/02a810708e34dc9992da0f296981c5c6[.]js reallaunchers[.]co[.]in/me/1287eec8c39a8fbf29d8f22f1b05951f/assets/js/6e206308e8ff21f65dd4683151955def[.]js reallaunchers[.]co[.]in/me/28cdb51800f6ac197371e04799f9b2f8/assets/js/60ed882d1941f778d8c21dca759eb815[.]js lonkamps[.]com/3632d3a40e5fa966afa789e58a89517d/assets/js/8e2decef1d03d9908180d2bce761f9a6[.]js plazipovc[.]com/8651f7f29d9da5768e4a121e4cf6e0e8/assets/js/a3fff382761006906580234b739ab40e[.]js charlesbat[.]com/15a2b4810e0e6d4b09657616a58127e3/assets/js/56faf1d8d82e1a5bf1f948fe8cdab282[.]js lonkamps[.]com/8d10bdc6213ad9495fccecfc3916d754/assets/js/116542ef8641ab1787d260fdc497ce86[.]js lonkamps[.]com/91fb4c8ad24e428138d41739bd43d7d2/assets/js/3a9d761a4e957acb3c5d2b49fdddb027[.]js lonkamps[.]com/6eacd882af394260d82176b1b2da41df/assets/js/5c4e608d5857fab525ced80b98d8f2e1[.]js charlesbat[.]com/9cc926e58ca86d5871814fa3cfe6f822/assets/js/2d43a2cb2d1287e9d8406519f008e597[.]js 
lonkamps[.]com/6aea44e686ffeae7d8afaeaee98e51b0/assets/js/f392a8ed26a59b5423a904f1450eaea3[.]js lonkamps[.]com/2ff478f17372963b19f0d9561b520e6d/assets/js/bc55dd90e976e60e4948472839d028e8[.]js lonkamps[.]com/5f2b041f3e93018e4061864d9245470d/assets/js/5237ec7cc3430a2e768fa25594e2ff95[.]js lonkamps[.]com/2d1d238ba6c5fb08801b07f82e8649bd/assets/js/c890b9085890f08953dfcd9585dcc834[.]js lonkamps[.]com/3bf30618619351b695669f462c1a16c7/assets/js/42a4033acc09ef391e3a25631158e490[.]js northdallashometheater[.]com/[.]xmlrpc/c3a5d87a700619ab4a5582bf5cf60f35/assets/js/255188349058257aca886ff198957324[.]js Sudeep Singh Security Advisory: Windows DNS Server Vulnerability ( CVE-2020-1350) Background Today is July 2020 Patch Tuesday, and Microsoft has released updates/fixes for multiple vulnerabilities. One of them is a critical vulnerability with a CVSS score of 10. What is the issue? Windows DNS Server Remote Code Execution Vulnerability (CVE-2020-1350) Microsoft released an update for CVE-2020-1350, a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected. 
Systems impacted Windows Server 2019 Windows Server 2019 (Server Core installation) Windows Server, version 1909 (Server Core installation) Windows Server, version 1903 (Server Core installation) Windows Server, version 2004 (Server Core installation) Windows Server 2016 Windows Server 2016 (Server Core installation) Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2012 Windows Server 2012 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 R2 (Server Core installation) What can you do to protect yourself? According to Microsoft, this vulnerability is not currently known to be used in active attacks. It is essential that customers apply Windows updates to address this vulnerability as soon as possible. If applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server. It is important to have updated security software and the latest software patches applied to the endpoints. As always, avoid opening suspicious emails containing attachments or links that come from any unknown sources. And disable macros in Office programs. Do not enable them unless it is essential to do so. Zscaler coverage Zscaler ThreatLabZ has added detection signatures for exploitation of this vulnerability through our Advanced Cloud Firewall protection. Advanced Cloud Firewall Signatures Win32.Exploit.CVE-2020-1350 Details related to these threat signatures can be found in the Zscaler Threat Library. 
Reference Krishna Kona Merger Acceleration: How ZTNA Speeds M&A Time to Value This post originally appeared on LinkedIn on July 7, 2020. After all the effort and long legal hassle, the mission is accomplished: Your merger or acquisition is complete! Two companies are now one. The hard work is done! Well, not so fast. Now begins a structural process dreaded by many IT teams: connecting two disparate company infrastructures into a cohesive unit. This means long hours, costly process creation, and complex patchwork to provide both sets of users with cross-company connectivity. If only there were a simpler and more efficient way to accomplish these goals. There is: Zero Trust Network Access (ZTNA). Merging legacy systems? Complex, expensive, risky, slow...I could keep going The purpose of M&A is to combine resources for two (or more) companies to advance defined business goals. What often gets in the way of resource availability is access. Different companies use different networks, architectures, and systems to house and distribute resources to their workforce. One of the first CIO priorities during and after a merger is providing easy and—more importantly—secure access to newly acquired or merged data, infrastructure, and applications to people in both companies. In a perfect world, all acquired companies would come with a straightforward and complete integration plan. Flip a switch, and employees, systems, applications, networks, data centers, and facilities synchronize automatically, no hassles. If only it were ever that simple. Some enterprises create dedicated teams and draft playbooks to standardize integration activities, all in an effort to realize the strategic and financial benefits of acquisitions sooner. Full system integrations can be extraordinarily complex and—thanks to unanticipated scope creep—more expensive than initial assessment. 
Cost-constrained parent companies stretch integration out over an extended timeline, ranking system importance and prioritizing the integration process in phases. In the meantime, employees are left to fend for themselves with disparate, isolated systems that don’t necessarily enable cross-communication between users. And the integration phases that do move forward have to fight for resources with competing priorities and initiatives. This ad-hoc integration approach rarely yields an acceptable outcome. The cost of integrating legacy technologies into a cohesive network is a nightmare to estimate and contain. Yearly budget refresh cycles often don’t take this integration into account, and the money allocated for updating hardware, systems, and applications isn’t sufficient for one company (let alone two). This leads to ongoing maintenance and security efforts for multiple disparate networks—which is its own cost and resource nightmare. Companies attempting to integrate legacy network and security infrastructures after an acquisition or merger often resort to “creative” ways to get users access to resources in disparate networks—jury-rigged efforts that could poke holes in firewalls and secure access protocols. And with these jury-rigged solutions come increased security concerns, user issues, and troubleshooting nightmares for IT. Operations teams spend countless hours trying to identify and resolve issues due to network address translation (NAT), routing, and firewall rule manipulations. ZTNA: Rapid asset access Fully integrating two legacy networks can be a costly and time-consuming process. Newly-acquired infrastructure may not natively offer employees access to parent-company applications. And parent-company employees may not have access to newly-acquired resources. So IT outfits employees with VPN connectivity. These VPN connections work, but strain network resources—especially as the number of VPN users climbs.
Worse, the increased VPN connections extend both networks’ attack surfaces. VPN access is a poor substitute for direct connectivity. Managing it is costly, and VPNs introduce risk. And of course, dealing with more than one acquisition at a time further complicates these issues. The VPN approach produces gaps in security: But how can you avoid incurring that risk? The (unintuitive) answer is to not converge networks in the first place. ZTNA provides a simple solution: Add connectors to each network data center, add a software agent to each user’s device, and set policies that allow users to connect to the applications they need, accessible from either network (or from wherever users connect). ZTNA uses policies to authorize user access to applications and networks. ZTNA accelerates M&A time to value, providing cross-company connectivity for users in weeks rather than months or years (or never!). ZTNA simplifies M&A-related systems integration ZTNA (also known as a software-defined perimeter, or SDP) is a set of technologies that operates on an adaptive trust model: Trust is never implicit, and access is granted on a “need-to-know,” least-privileged basis as defined by granular policies. ZTNA gives users seamless and secure connectivity to private applications without ever exposing the network, apps, or data to the internet. Connectivity is direct, delivered via nearby computing-edge cloud services, and accessible from anywhere. (In this way, ZTNA can ultimately supplant a corporate network with outdated perimeter security.) Unlike network-centric solutions like VPNs or firewalls, ZTNA takes a fundamentally different approach to securing access to internal applications based on four core principles: ZTNA completely isolates the provisioning of application access from any requirement for network access. This isolation reduces risks to the network, such as infection by compromised devices, and only grants application access to authorized users. 
Cloud-enabled ZTNA offers outbound-only connections ensuring both network and application infrastructure are made invisible to unauthorized users. IP addresses are never exposed to the internet, creating a “darknet” which obscures internal resources from unauthorized view. ZTNA’s native app segmentation ensures that once users are authorized, application access is granted on a one-to-one basis. Authorized users have access only to specific applications, rather than the unfettered access to the full network in a legacy environment. ZTNA takes a user-to-application approach rather than a network-centric approach to security. The network becomes de-emphasized and the internet becomes the new corporate network, leveraging end-to-end encrypted TLS micro-tunnels instead of MPLS. With ZTNA in place, IT may never need to bother with full acquired-company-infrastructure integration. Managing user access to authorized applications (governed by user- and app-centric policies) provides application segmentation without requiring network segmentation. Once a user is added to a policy and application authorization is granted, a user can gain access to an application on either network without requiring the networks to be connected. Managing integration complexities like IP remediation and circuit overlaps isn’t trivial: Merging networks is complicated, time-consuming, prone to error, and expensive. ZTNA provides immediate access to internal resources for joined organizations. And—for whatever reason—if a parent company still wants to integrate acquired infrastructure, that work can be conducted behind the scenes and without the same urgency, since users already have access to necessary resources/applications. With the proper planning, systems can be included in the budget planning cycle and then migrated during refresh either to an enterprise data center or the cloud. 
Access is better today than tomorrow (or next year) ZTNA never inherently trusts anyone from inside or outside the network until verified. (ZTNA removes the distinction between “inside” and “outside” since connectivity is secured between the user and application. Security is not based on gateway access through a secured network perimeter.) Access to internal business systems or applications can be granted only after authorization. Network access is not required, and applications are masked from the open internet. After M&A activity, ZTNA allows IT teams to focus on integrating data, systems, and applications on their own terms, where and however it best meets the business’ needs. In the meantime, workforces from each company can access whatever resource they need, wherever it may be, and from wherever they may connect without complex network integrations, without VPN security exposure and resource use, and without expensive retooling of network architectures. Pamela Kubiatowski is Sr. Director of Transformation Strategy (Consultant) at Zscaler. Pamela Kubiatowski How Information Security Within the Department of Defense is Evolving Businesses around the globe are moving to the cloud for the multitude of benefits it offers. Those benefits have not gone unnoticed by government agencies, which are looking for a secure way to share information while reducing costs and infrastructure complexity. Among them is the U.S. Department of Defense, which has made great strides in recent years on its journey to the cloud. Evolving information security The Department of Defense (DoD) developed the Joint Information Environment (JIE) framework to address inefficiencies of siloed architectures. The JIE created a unified way in which the DoD agencies would modernize their IT networks. This framework helped ensure agencies and mission partners could share information securely while reducing wasted manpower and continued infrastructure expenditures. 
A few dozen stacks that the Defense Information Systems Agency (DISA) centrally manages replaced the more than 190 agency security stacks located at the base/post/camp/station (B/P/C/S) around the globe. The secure cloud compute architecture (SCCA) of the single security architecture (SSA) provided a security framework for the adoption of cloud services from commercial cloud service providers. The JIE was an innovative concept that took the DoD from a highly fragmented and siloed architecture, in which each agency managed its own cybersecurity strategy, to an architecture in which there is a unified SSA. Having taken the first step of consolidating security under a unified security architecture, the DoD is ready to begin the next transformational step—moving from managing and maintaining that architecture itself to having it provided as a service. Background: SSA and cloud computing Within the JIE framework, two of the most difficult technical challenges were the SSA and cloud computing. SSA The original benefits of the SSA: Collapsing network security boundaries Reducing the Department’s external attack surface Standardizing management, operational, and technical security controls Two of the most critical components of the SSA are the Joint Regional Security Stacks (JRSS) and the internet access points (IAPs). The JRSS initiative provides the starting point for the JIE SSA network security stacks that will protect the enterprise network. It will provide the lateral security for the tenant communities of interest at the B/P/C/S and installation campus area networks. The JIE perimeter defense starts at the IAP, which is a security stack that acts as a secure gateway to the internet from the DoDIN. The IAP also allows approved connections from the internet to the Non-classified IP Router Network (NIPRNet) of the DoDIN. It provides enterprise security functions, such as an enterprise email security gateway, intrusion detection, firewall, and access controls.
Cloud computing One of the early challenges identified for the JIE with regard to cloud computing was managing cybersecurity as part of the SSA. In response, the DoD leverages the SCCA and the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP establishes a standard approach for assessing and authorizing cloud computing services, and the DoD uses it for low- and moderate-sensitivity data. The SCCA is a suite of enterprise-level cloud security and management services. It provides a standard approach for boundary- and application-level security for Impact Level 4 and 5 data hosted in commercial cloud environments. The purpose of the SCCA is to provide a barrier of protection between the DoD Information Services Network (DISN) and the commercial cloud services that the DoD uses, while optimizing the cost-performance trade-off in cybersecurity. Evolving to a cloud-first approach The DoD has publicly stated that it wants to get out of the infrastructure business and consume information technology as a service from cloud service providers. JIE was a step in the right direction, but many of the underlying designs are rooted in architectures that were developed more than 10 years ago. These architectures have taken nearly a decade to roll out into production and have kept the DoD consuming massive amounts of infrastructure. Moving from a network-centric to a resource-centric framework The current JIE design is network-centric, meaning that the focus is on securing the network itself, with the assumption that once the network is secured, resources and users will be protected as well. This belief has been proven wrong by experience, and there are many examples of exploitations that have occurred because too much trust was placed in the secured network.
What the DoD needs is a modern approach that adopts the zero trust architecture as NIST is defining it, which offers this operative definition: The basic tenets of the NIST-defined zero trust architecture are: All data sources and computing services are considered resources. All communication is secured regardless of network location. Access to individual enterprise resources is granted on a per-session basis. Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioral attributes. The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. The enterprise collects as much information as possible about the current state of network infrastructure and communications, and uses it to improve its security posture. The DoD has already begun exploring zero trust solutions and the zero trust architecture is becoming the focus for protecting resources from inside the network while solutions, such as the IAP and content access point (CAP), protect the perimeter. Once the zero trust architecture is embraced and implemented, the network itself becomes just a means of information delivery. Zscaler and information security in the DoD With a cloud-based security stack being delivered as a service, Zscaler is positioned to provide the perimeter security that today is being delivered by the IAP and CAPs. The zero trust framework of Zscaler, combined with cloud-based endpoint detection and response (EDR) solutions, can replace the overly complex and expensive regional security stacks that have proven to be a major bottleneck to performance. 
The benefits for the DoD for transforming JIE to an as-a-service model will be realized in cost savings, greater scalability, better performance for the end user and warfighter, and ultimately in a greater cybersecurity capability. Rich Johnson is a DoD Sales Engineer at Zscaler Rich Johnson Zscaler, a 2020 Honoree of the Cybersecurity Impact Awards We are honored to share that Zscaler has been selected as a 2020 Cybersecurity Impact Awards honoree. The Cybersecurity Impact Awards recognize Washington, D.C., Maryland, and Virginia-based companies, including Federal headquarters location in this region, for cybersecurity leadership and innovation. Winners exemplify innovation in their solutions to reduce risk in the modern age. At Zscaler, we value our relationships with Federal agency customers and policymakers on the Hill, which is why Zscaler’s Federal headquarters is located in close proximity, in Tysons, VA. Our mission is to help Federal agencies securely transform their networks and applications for a mobile and cloud world. As organizations shift to cloud-based IT environments and support more telework, they also need to modernize their access and security infrastructure. Agencies face additional challenges as their network perimeter expands, including increased attack surfaces, poor user experience, and unreliable visibility and control. We have recognized the need for organizations to shift the security focus from securing the network to securing the users—on any device (BYOD), in any location, and on any network. Zscaler’s innovative Secure Access Service Edge (SASE) platform meets the security requirements of Federal agencies while eliminating the need for expensive legacy appliance-based remote access solutions. 
Through our FedRAMP-authorized internet and secure web gateway solution and zero trust remote access service, agencies are able to create fast, secure connections between users and applications, regardless of location—which has been critical, especially during these times of increased telework. Over this past year, we have worked closely with Federal agencies to successfully pilot Trusted Internet Connections (TIC 3.0) and zero trust network programs, which have resulted in improved performance and availability, improved mobile access, and reduced costs. Zscaler’s continued work to support FedRAMP, improve TIC, and encourage zero trust adoption directly supports Federal digital transformation and the opportunity to use the cloud to modernize Federal missions. Visit the award site for more information on the Cybersecurity Impact Awards and list of 2020 winners. Go to the Zscaler for Government website to learn more about how Zscaler cloud services can enable government agencies to securely connect users to the internet and applications, regardless of device, location, or network. Stephen Kovac is Vice President of Global Government and Head of Corporate Compliance, Zscaler Stephen Kovac Deep Dive Into the M00nD3V Logger ThreatLabZ observed a multifunctional information-stealing Trojan named "M00nD3V Logger'' that is being dropped by a multistage loader. Due to its multiple stealing features, M00nD3V Logger has gradually gained popularity on hacking forums. Recently Blueliv published a blog discussing the relationship of M00nD3V with the HawkEye stealer, along with information about the bad actor selling M00nD3V. Aside from keystroke logging, the M00nD3V Logger has the ability to steal confidential information such as browser passwords, FTP client passwords, email client passwords, DynDNS credentials, JDownloader credentials and capture Windows Keystrokes, as well as gain access to the webcam and hook the clipboard. 
In all, it has the ability to steal passwords from 42 applications. M00nD3V Logger is also equipped with other major functionality, including a bot killer, an antivirus killer, communication over SMTP/FTP/proxy, downloading of additional plugins, and the BouncyCastle crypto package. These mechanisms make this logger unique and popular on hacking forums. Figure 1: An image from the owner account. Delivery mechanism During our research, we found M00nD3V was delivered via spam mail or through a compromised website that drops a payload on the victim's machine. One such spam mail claims to be from "Hyundai Heavy Industries Co., Ltd" regarding a bid on a project for Qatargas. The spam mail includes zip attachments that contain malicious executables. Figure 2: Spam Mail Figure 3: M00nD3V Logger subscription and payment method pages. In this blog, we will provide a detailed technical analysis of the commercial M00nD3V Logger malware. Technical analysis dab9565e03fae2c5c18c9071a713153a - Parent File (.Net) e9cf47f3b0750dd0ee1ca30ea9861cc9 - Loader (.Net) bf8801bcd5a196744ccd0f863f84df71 - Final Payload (.Net) Delivering malware without triggering any suspicious activity while blending into an existing benign Windows process makes detection harder. Here, the M00nD3V malware uses one such trick to deliver its payload without being easily noticed. Figure 4: The M00nD3V malware running under RegAsm.exe, a Microsoft utility. Figure 4 shows the malware after execution. Because the payload runs inside a whitelisted application, the endpoint antivirus will not flag any malicious activity. Hence, the malware can do its job on the fly without getting caught. The malware also runs by elevating its own privileges. Unpacking routine The malware unpacks the encrypted payload using multibyte XOR decryption. While unpacking, the malware also uses null bytes in the XOR key. Hence, a few bytes are not actually ciphered.
First layer decryption The hard-coded pass variable "zvjzpeuCFasb" is used as the key. When converted to a Unicode string, the same pass variable is: "z\x00v\x00j\x00z\x00p\x00e\x00u\x00C\x00F\x00a\x00s\x00b\x00". The key length is 24 bytes. Figure 5: First-level decryption using multibyte XOR. Even though the key length is 24, the malware uses only the first 16 bytes to decrypt the encrypted data in the resource section. The above decryption routine results in a .NET PE file. In this dumped file, there is also a similar XOR routine to decrypt the data, but with a different key, to run the final payload. Second layer decryption Here, the hard-coded pass variable "WcqqicsgTUaj" is used as the key. When converted to a Unicode string, the same pass variable is: "W\x00c\x00q\x00q\x00i\x00c\x00s\x00g\x00T\x00U\x00a\x00j\x00". We have written a Python script to decrypt the encrypted payload, which can be found in Appendix I and Appendix II. Payload analysis The StubConfig class contains the configuration details; some of them are initialized with Base64 values while others are hardcoded. Figure 6: StubConfig details. Before starting to log user data, the M00nD3V Logger initializes its configuration. The initialization phase includes several checks, such as an anti-debugger, a bot killer, an antivirus killer, and more. Figure 7 shows the initialization module. Figure 7: Initialization phase Initialization details: DependencyLoader - Downloads the DLL from m00nd3v[.]com/M00nD3v/Decryption/BouncyCastle[.]Crypto.dll and loads it in memory. ExecutionDelay - Sleeps for 5000 milliseconds before executing. SingleInstance - Checks whether a single instance is already running by looking for the hardcoded mutex value {99ed2fc7-0fdc-42ef-8b82-78d1c7c554e3} and sets a flag accordingly. If an app is running with the same mutex, then the loader exits.
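The two layers described above use the same construction: an ASCII pass variable is handled as a .NET (UTF-16LE) string, which places a 0x00 after every character, and only the first 16 bytes of that string are used as a repeating XOR key. Because half of the key bytes are null, every odd-offset byte of the ciphertext is the plaintext byte itself, which is why PE strings are often partly readable in the packed resource. The following is an added example (not the Appendix scripts from this post) that derives both keys from the quoted pass variables, shows the null-byte passthrough, and sanity-checks a decryption result for a PE header; the input buffer is constructed for the example and is not a sample from the page.

```python
def utf16_key(pass_variable: str, used_len: int = 16) -> bytes:
    """Derive the XOR key the way the loader does.

    The ASCII pass variable is treated as a UTF-16LE string (a 0x00 byte after
    every character) and only the first `used_len` bytes are used.
    """
    return pass_variable.encode("utf-16-le")[:used_len]


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; decryption and encryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def passthrough_offsets(key: bytes) -> list:
    """Offsets inside one key period whose key byte is 0x00.

    Ciphertext bytes at those offsets are emitted unchanged, so fragments of the
    plaintext PE are visible even before decryption.
    """
    return [i for i, k in enumerate(key) if k == 0]


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on a decryption result: a PE image starts with 'MZ'."""
    return blob[:2] == b"MZ"


# Pass variables quoted in the analysis above (first and second layer).
FIRST_LAYER_KEY = utf16_key("zvjzpeuCFasb")
SECOND_LAYER_KEY = utf16_key("WcqqicsgTUaj")


def demo() -> dict:
    """Round-trip a constructed PE-like buffer through the first-layer key."""
    # Constructed for this example: a DOS header stub, not a real sample.
    plaintext = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
                 b"This program cannot be run in DOS mode.\r\n$")
    ciphertext = xor_decrypt(plaintext, FIRST_LAYER_KEY)   # same op as encrypt
    recovered = xor_decrypt(ciphertext, FIRST_LAYER_KEY)
    # Every odd offset sits under a null key byte and survives unchanged.
    odd_unchanged = all(ciphertext[i] == plaintext[i]
                        for i in range(1, len(plaintext), 2))
    return {
        "key_len": len(FIRST_LAYER_KEY),
        "roundtrip_ok": recovered == plaintext,
        "is_pe": looks_like_pe(recovered),
        "odd_offsets_unchanged": odd_unchanged,
    }


def decrypt_file(src: str, dst: str, key: bytes) -> bool:
    """Decrypt a dumped resource on disk and report whether the result is a PE."""
    with open(src, "rb") as fh:
        out = xor_decrypt(fh.read(), key)
    with open(dst, "wb") as fh:
        fh.write(out)
    return looks_like_pe(out)


if __name__ == "__main__":
    print(demo())
```

For a real dump, call decrypt_file("enc.bin", "layer1.bin", FIRST_LAYER_KEY) and then extract the inner resource from the resulting PE before applying SECOND_LAYER_KEY; the MZ check is a quick way to confirm the key and the 16-byte truncation were applied correctly.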
DecryptCredential - Uses the Rijndael256 algorithm to decrypt the Stub configuration values [the cipher data is a Base64-encoded value and the key is the hardcoded mutex value] and sets them to their respective variables, as shown in Figure 8. Figure 8: The decrypt credential. Persistence - Copies the parent file to the AppData directory and adds a startup entry [SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]. Antidebugger - Checks to see if any of the following processes are running: SbieDll.dll, Wireshark, Winsock Packet Editor. If any are found, the malware terminates. Figure 9: AntiDebugger checks during the initialization process. Antivirus killer - Uses Image File Execution Options (IFEO) to interfere with the executables shown in Figure 10. By modifying the registry entry [Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\], the malware attaches rundll32.exe as the debugger for each of the executables. This prevents all the listed applications from running. Figure 10: Application list Process elevation - As shown in Figure 11, the malware contains a process elevation module, which is responsible for elevating the privilege of the malware executable. The malware sets the security identifier type to "WorldSid" with the AceQualifier AccessDenied. This applies to the "Everyone" group, so if anyone attempts to kill the process, it won't be allowed to terminate. Figure 11: Process elevation. Bot killer - Scans all running processes and Windows Startup registry entries [ \\Run\\ and \\RunOnce\\ ], then passes the file location path to the module IsFileMalicious() to tag either the process or the file as malicious and delete it accordingly. [Note: In the case of a running process, it additionally checks each process's window visibility property. If it is set to false, the process is tagged as malicious.] Figure 12 shows the checks used inside IsFileMalicious(). Here, ‘fileloc’ is the full path of the file or process. Figure 12: Malicious checks of the file.
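The persistence and antivirus-killer behaviour above leaves two registry artifacts a responder can look for: an IFEO subkey whose Debugger value points at rundll32.exe, and a Run entry launching a copy of the file from AppData. The following is an added example (not Zscaler's code) that parses the text produced by Windows' reg export and reports both; the exported data below is constructed for the example, the application name av-example.exe stands in for the undisclosed list in Figure 10, and the user name victim is made up.

```python
def _unescape(s: str) -> str:
    """Undo the .reg string escapes: \\ for a backslash and \" for a quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> dict:
    """Parse 'reg export' text into {key path: {value name: data}}.

    String values are unescaped; other types (dword:, hex:) are kept verbatim.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        entries[current][name] = data
    return entries


IFEO_MARKER = "\\currentversion\\image file execution options\\"
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def find_ifeo_debuggers(entries: dict) -> list:
    """(target executable, debugger) for every IFEO subkey with a Debugger value.

    Any Debugger value deserves review; rundll32.exe is the one this stub sets.
    """
    hits = []
    for key, values in entries.items():
        if IFEO_MARKER in key.lower() and "Debugger" in values:
            hits.append((key.rsplit("\\", 1)[-1], values["Debugger"]))
    return hits


def find_appdata_autoruns(entries: dict) -> list:
    """(value name, command) for Run/RunOnce entries that launch from AppData."""
    hits = []
    for key, values in entries.items():
        if key.lower().endswith(RUN_KEYS):
            for name, data in values.items():
                if "\\appdata\\" in data.lower():
                    hits.append((name, data))
    return hits


def load_reg_file(path: str) -> dict:
    """reg export writes UTF-16 with a BOM; decode it before parsing."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


# Constructed sample export (not from the page); paths below are illustrative.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av-example.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WindowsUpdate"="C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"
'''

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    print("IFEO debuggers:", find_ifeo_debuggers(parsed))
    print("AppData autoruns:", find_appdata_autoruns(parsed))
```

The notepad.exe entry is kept as a control: IFEO has legitimate uses (GlobalFlag, developer debuggers), so the check keys on the presence of a Debugger value rather than on the subkey alone, and the autorun check flags location rather than name because the dropped copy reuses innocuous-looking names.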
Before starting to log the stored credentials and other personal data, it checks whether the malware was previously installed on the victim's machine by looking for a specific file name, built from a combination of the Processor Id and the Volume Serial Number, in the temp directory. If the file is not present, it creates the file and writes Rijndael256-encrypted data, which is a combination of the current executable path and the hardcoded StubConfigEncryptionKey, and then shows a fake message box to fool the victim. Figure 13: The Rijndael256 key. The malware has three kinds of communication methods to send logged data: SMTP, FTP, and proxy. But this stub is configured to send data over SMTP only. Before starting any logging functionality, it checks whether the respective logging functionality variable is set in the Stub config entry. If the value is not set in the config, then it won't execute the "keystroke functionality". As shown in Figure 14, the Stub is configured to execute the keystroke logger but not the webcam module, as the webcam value is not assigned. Figure 14: Stub configuration. The Stub starts its core stealing functionality by sending full victim machine information, as shown in Figure 15, to the attacker over SMTP port 587. Figure 15: Basic machine information sent to the attacker. Network communication Via SMTP The malware communicates with the attacker over SMTP using port 587. The malware crafts an email with the captured details shown in Figure 16 and sends it to the attacker. The attackers use the "" service to transfer the captured data. Figure 16: Information sent via SMTP. The LogTypeName mentioned below is used to tag the data so that the attacker knows which module is currently running. Figure 17: Log type. Via FTP While uploading data over FTP, it first converts the plain text data to bytes and creates FTP requests by configuring all the FTP request fields (i.e., ftp_host, credentials, method).
The values for all these fields are set from the Stub configuration class. The FTP method used to upload files is "STOR".

Figure 18: Communication via FTP.

Via proxy

The malware sets the proxy URL from the config class and uploads the below-mentioned data using the POST method.

Figure 19: Communication via proxy.

The values are encrypted with Rijndael256, where the key is the Proxy Key configured in the Stub config class. Each stealing module runs independently in its own thread, as shown in Figure 20.

Figure 20: The core modules.

Password stealer

M00nD3V Logger has the capability to steal passwords and cookies from all possible browsers and email clients, as well as FTP clients. Interestingly, the malware has three separate classes named "ChromiumProvider", "MailProvider", and "MozillaProvider", as shown in Figure 21. Each provider has the functionality to retrieve and decrypt the passwords for the application assigned to that provider.

Figure 21: Provider list.

The malware first tries to decrypt the password with the Data Protection API (DPAPI) library. If that isn't successful, it attempts to decrypt the passwords using "BouncyCastle", which the malware downloaded from "m00nd3v.]com/]M00nD3v/Decryption/BouncyCastle.Crypto.dll". It uses the "GcmBlockCipher" and "AeadParameters" classes, whose instances help the malware decrypt the final password.

Figure 22: The BouncyCastle code.

The collected passwords are sent to the attacker over SMTP.

Figure 23: The collected passwords sent over SMTP.

Webcam

The malware has the capability to secretly access the device's webcam and capture an image. The malware copies the captured image onto the clipboard, extracts the image from the clipboard, then saves it in the temp directory. To send stolen images over SMTP, it reads the image path and attaches the .bmp image as an email attachment with a personalized subject line, such as "Dear M00nD3v user Please find the attachment of Webcam. Regards M00nD3v".

Figure 24: The webcam module.

Similarly, the other modules, named keystrokes, clipboard, and screen sender, execute in individual threads and send stolen data to the attacker, then sleep for some period of time before repeating the same stealing process.

Figure 24: The Zscaler Cloud Sandbox report for the M00nD3V Logger.

The following is the advanced threat protection signature released for detecting the malware:

Win32.Backdoor.M00nD3v

MITRE ATT&CK™ tactic and technique mapping

T1503 Credentials from Web Browsers
T1112 Modify Registry
T1060 Persistence
T1057 Process Discovery
T1105 Remote File Copy
T1497 Defense Evasion, Discovery
T1083 File and Directory Discovery
T1089 Disabling Security Tools
T1055 Process Injection
T1548 Abuse Elevation Control Mechanism
T1115 Clipboard Data
T1113 Screen Capture
T1125 Video Capture
T1056 Input Capture
T1048 Exfiltration Over Alternative Protocol
T1183 Image File Execution Options Injection

IOCs:

dab9565e03fae2c5c18c9071a713153a - Parent File (.Net)
e9cf47f3b0750dd0ee1ca30ea9861cc9 - Loader (.Net)
bf8801bcd5a196744ccd0f863f84df71 - Final Payload

C&C:

m00nd3v[.]com

Appendix I: Python script for the first-level decryption (Python 3):

# Read the encrypted blob and XOR it with the 16-byte key (a UTF-16LE string)
with open('enc.bin', 'rb') as file:
    cont = file.read()

xor_key = b"z\x00v\x00j\x00z\x00p\x00e\x00u\x00C\x00"
fl = bytearray()
index = 0
for i in range(len(cont)):
    fl.append(cont[i] ^ xor_key[index % 16])  # Malware doesn't use full key
    index += 1

# Write the decrypted bytes out as-is
with open('fixed', 'wb') as f:
    f.write(bytes(fl))

Appendix II: Python script for the second-level decryption (Python 3):

# Read the second-level blob; only the first 16 bytes of the UTF-16LE key are used
with open('enc2.bin', 'rb') as file:
    cont = file.read()

xor_key = b"W\x00c\x00q\x00q\x00i\x00c\x00s \x00g\x00T\x00U\x00a\x00j\x00"
xor_key = xor_key[0:16]
fl = bytearray()
index = 0
for i in range(len(cont)):
    fl.append(cont[i] ^ xor_key[index % 16])  # Malware doesn't use full key
    index += 1

with open('fixed2', 'wb') as f:
    f.write(bytes(fl))

Rohit Chaturvedi

Your Appliances are Holding You Back. It’s Time to Break Free.

For more than 12 years, our founder and CEO, Jay Chaudhry, has been talking about how the cloud would become one of the biggest disruptors, changing the way we all do business. He envisioned a future where the cloud would ultimately eliminate the traditional corporate network, making the internet the new corporate network and providing organizations with greater resiliency and flexibility.

Executives, IT leaders, and network professionals at public agencies and private organizations around the globe have taken notice and begun embracing the benefits of the cloud. But some are still hesitant to abandon their legacy security appliances for the cloud, and that’s understandable. After all, it isn’t easy to move away from something you have spent so much money, time, and energy to build and maintain. And humans are, by nature, resistant to change.

But the recent global crisis has underscored the need for organizations to become more flexible and agile so they can seamlessly enable employees to work from anywhere—at least anywhere but the office—and be ready for new business challenges the future will surely bring. Such agility is only possible with the cloud.

The evidence is clear

The move to the cloud is happening and the numbers bear this out. According to a Gartner report, worldwide IT spending on legacy data center systems is falling. Another Gartner report forecasts that 80 percent of organizations will have migrated away from on-premises data centers by 2025. While I like reading these reports, what I enjoy more are the multitude of articles, blogs, and videos talking about the benefits organizations are seeing by moving away from their legacy appliances.
Organizations of all sizes and from different industries are discovering the benefits of a move to the cloud, including cost savings, reduced risk, and more.

The problem with appliances

Security appliances were never designed for the world of mobility and the cloud, and legacy appliance vendors have struggled to pivot and embrace these technological shifts. As applications are moving out of the data center and into the cloud, and employees are off the network more than they are on it, the traditional secure web gateway has become obsolete. As a response, hardware vendors have been attempting to spin up “cloud” instances of their hardware appliances. But, as we’ve said before, that’s like building a Netflix streaming service using thousands of DVD players. It simply can’t scale like a true cloud-built platform and it can’t perform like one.

On the business side, as the legacy hardware business landscape has changed, many vendors have undergone acquisitions and leadership changes as the industry fights to stay relevant. All of these changes result in an unclear future for their products and services—and customers.

From a performance standpoint, physical appliances and virtual machines can’t inspect all content and SSL traffic at scale, while hybrid solutions don’t provide identical policy enforcement. Allowing some traffic to go uninspected, particularly the majority of traffic that’s encrypted, is risky due to the sizable percentage of attacks hiding in SSL traffic. A lack of identical security is risky, too, especially with the high number of employees connecting to their applications from everywhere using the internet.

There’s a good chance that you’ve been adding point products to your security stack in an attempt to stave off new types of attacks and provide added services and functionalities. Managing and integrating all of these disjointed point products results in unnecessary cost and complexity.
And we all know that rising costs don’t go over too well in the boardroom.

The benefits of a cloud platform

Employee mobility, applications moving to the cloud, the changing face of cybercrime, and a business requirement to improve performance while reducing costs—these are the realities of business today. This landscape demands a comprehensive platform built specifically to address these issues—a platform built and maintained by a cloud security pioneer that has been innovating services and running a global cloud for more than 12 years.

IT leaders looking to securely accelerate their digital transformation are turning to the Zscaler cloud platform, built on the secure access service edge (SASE) framework, first defined by Gartner. SASE flips the security model. Instead of focusing on a secure perimeter, SASE focuses on the entities, such as users and devices, and pushes security as close to them as possible for a fast experience. Based on an organization’s defined business rules, SASE dynamically allows or denies connections to applications and services.

Zscaler’s integrated security platform is based on the SASE framework. It reduces the attack surface and provides identical protection with consistent policy enforcement everywhere users connect, as it scales security services dynamically across 150 global data centers. Users always connect to their nearest data center for a fast, local, and secure experience, and every connection is secured with a full range of services, including Cloud Firewall, Cloud Sandbox, CASB, Cloud Browser Isolation, and much more. The Zscaler proxy architecture delivers full content inspection at scale, even inside SSL.

The Zscaler Cloud Security Platform integrates multiple point products with single-pass authentication, inspection, and policy enforcement. It reduces complexity for customers by moving all services to the cloud with a central console, and it gets 120,000 security updates per day to protect against the latest threats.
Best of all, there is no hardware or software to install or manage. You simply point your traffic to Zscaler and we do the rest.

Isn’t it time?

When it comes to the security of your data as well as the user experience for your employees, can you rely on a vendor with outdated technology and an uncertain product roadmap? Or should you put your trust in an industry pioneer who has been named a Leader in the Gartner Magic Quadrant for nine consecutive years? It seems like an easy answer.

Still not convinced? Then join me on July 21 for a live webinar where I’ll discuss how you can easily break free from your appliances.

Steve House is the senior vice president of product management at Zscaler.

Steve House

CyberGate RAT and RedLine Stealer Delivered in Ongoing AutoIt Malware Campaigns

In our most recent blog, we detailed a malware campaign that uses a malicious document (DOC) file to deliver an AutoIt script which, in turn, delivers the Taurus stealer to steal credentials, cookies, history, system info, and more. Along similar lines, we recently came across a new malware campaign that uses a similar AutoIt script to deliver a new variant of the CyberGate RAT and the RedLine stealer. This blog will walk you through a detailed analysis of the payload delivery mechanism, capabilities, and Command and Control (C&C) communication. We also observed the use of custom C&C protocols to exfiltrate sensitive information, and we will shed light on the custom protocol used by the CyberGate RAT.

Below is the detection timeline for AutoIt malware campaigns in the past month. We observed several hits for AutoIt malware involving various malware families, including AZOrult, Xtreme RAT, Taurus stealer, RedLine Stealer, and CyberGate RAT. The Zscaler ThreatLabZ team is closely monitoring the developments in these campaigns to ensure coverage.

Figure 1: Hits of AutoIt-based malware in the past month.

Zscaler Cloud Sandbox captured the CyberGate RAT and RedLine stealer successfully.
We observed that both of them are packed with the same packer and use the same payload delivery mechanism. The tactics, techniques, and procedures (TTPs) observed in these two campaigns are similar in nature, so we suspect that the same actors are behind these attacks.

Payload delivery mechanism

As observed in a previous blog, the source of the stealer was spam mail containing a link to download the malware or an attached DOC file that downloads the malware. While tracking this campaign, we found that this malware is served by phishing sites. At the time of our analysis, we found a live phishing site of a cryptocurrency blockchain exchange called Resistance, which is serving the RedLine stealer.

Figure 2: A crypto blockchain exchange phishing site.

Wrapper analysis

The files downloaded from these phishing sites are self-extracting archives (SFX), which contain a cabinet file and a script to execute the embedded files. The cabinet file can be found under the RCData resource directory with the name ‘CABINET’, and the command for execution in the resource directory with the name ‘RUNPROGRAM’.

Figure 3: The resource directory of the wrapper file.

The cabinet file contains three files with a ‘com’ extension; the file names are random and differ between AutoIt scripts. Those files are:

- This is a legitimate Autoit3.exe with an invalid header, used to run AutoIt scripts
- An AutoIt script Base64-encoded with Windows certutil
- The encrypted payload

The command-line script present in the ‘RUNPROGRAM’ resource directory to execute the embedded files is shown below:

cmd /c <nul set /p ="M" > & type >> & del & certutil -decode R & R & ping -n 20

First, it corrects the header of ‘’ (Autoit3.exe) by prepending “M”, stores it in ‘’, then deletes ‘’. After that, it decodes the Base64-encoded AutoIt script using ‘certutil’ with the parameter “-decode”, saves it to a file “R”, and then runs this AutoIt script with Autoit3.exe. In the end, it uses the ping command as a sleep timer.
The AutoIt script uses custom obfuscation and all the hardcoded strings are encrypted in the malware, as we have seen previously in this campaign. Upon execution, the AutoIt script drops and hides the following four files in the directory “%APPDATA%\cghost” to achieve persistence on the system. We found this persistence technique in the AutoIt script only when the final payload is the RAT.

- Copy of AutoIt interpreter
aGuDP - Copy of AutoIt script
- Copy of encrypted payload
dLzSj.vbs - VBS script to execute the AutoIt interpreter with the script

The VBS file contains:

CGXdBksrYqQnDIwn = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create("%appdata%\cghost\ %appdata%\cghost\aGuDP" , "%appdata%\cghost", Null, OJxMEkRRELvrj )

For persistence, it creates an internet shortcut file ‘cghost.url’ in the startup directory with the following contents:

[InternetShortcut]
URL="%APPDATA%\cghost\dLzSj.vbs"

The AutoIt script has multiple sandbox evasion tricks to avoid detection. It also checks whether a particular file and computer name exist on the system and checks for a particular domain.

Figure 4: The malware performs multiple checks before execution.

This malware wrapper avoids execution in the Windows Defender antivirus emulator by checking for the presence of the “C:\aaa_TouchMeNot.txt” file on the system. The malware terminates execution if it finds the following computer names, which are used by AV emulators:

"NfZtFbPfH" - Kaspersky
"tz" - Bitdefender
"ELICZ" - AVG
"MAIN" - VBA
"DESKTOP-QO5QU33" - Assuming this is the attacker’s machine name

It checks for a patched sleep API using 'GetTickCount' to detect sandbox emulation. It also checks for the domain ‘OJtmGmql.OJtmGmql’ and exits if the domain is alive. These are random strings that were found to be different in every other wrapper. If it passes all the above checks, it injects the shellcode for the 'RC4' algorithm, selected according to the system architecture, into the specified running process or into the current process memory.
Figure 5: The RC4 algorithm shellcode.

The RC4 key is XOR-encrypted in the AutoIt script and can be found in a function call along with the encrypted data and the process path for injection.

Figure 6: The encrypted RC4 key.

This RC4 key was found to be different in every case. The AutoIt script reads the encrypted payload and decrypts it using the RC4 shellcode with the hardcoded key “537180” (in this case).

Figure 7: The RC4 algorithm in the first shellcode.

After that, it injects another shellcode into memory, which first creates a mutex with the name ‘JFTZRATSJPATTZLFCUTTH’, then takes the decrypted PE file, injects it into the process, and executes it. The final payload is decrypted and executed in memory only, so it will not be captured by antivirus that relies on static detection. We have written a Python script to decrypt the encrypted payload, which can be found in Appendix I. The payloads dropped by this wrapper are the CyberGate RAT or the RedLine stealer.

CyberGate RAT

The CyberGate RAT from this campaign looks like a new variant that we have not seen in the past. CyberGate allows an attacker to browse and manipulate files, devices, and settings on the victim's machine as well as download and execute additional malware. It also has a wide range of information stealing abilities, such as keylogging, screen capture, and remote enabling of webcams. The capabilities of the CyberGate RAT that we found in this variant include:

Collecting the system info
Creating a specified directory
Downloading and executing additional files
Getting the content of a specified file
Stealing the browser’s credentials
Capturing the screen
Running a keylogger

The C&C address and port information are encrypted and hardcoded in the binary. The encryption is a simple XOR with the hardcoded key “2qYNYM2Z74XL”.

Figure 8: The XOR decryption of the encrypted IP address.
The unique bot ID is created by concatenating the username, computer name, and serial number of the victim machine and calculating the MD5 hash:

Bot ID = MD5(UserName+ComputerName+SerialNumber)

Figure 9: Bot ID creation.

Network traffic analysis

This variant of the CyberGate RAT has a hardcoded and encrypted C&C IP address and communicates over TCP port 3970. The complete traffic is compressed with zlib and encrypted with RC4 using the hardcoded key present in the binary.

Figure 10: CyberGate network traffic.

Figure 11: Packet structure.

Client and server packets are encrypted and decrypted with RC4 using the same hardcoded key “draZwyK8wNHF”, which is present in the binary. After decryption of a server packet, the data starts with the 14-byte marker “@@XXXXXXXXXX@@” followed by the zlib-compressed data. We have seen this marker in the previous version of the CyberGate RAT.

Figure 12: The decrypted packet data.

After decompression, the data starts with the command, followed by the parameters, separated by the marker “##$##”.

Structure: <Command>##$##<Parameters>##$##

Figure 13: The decrypted communication between the client and the C&C server.

In the first request, the command sends the calculated unique bot ID to the server. The second command searches for the stored credentials in the Chrome and Firefox browser profiles. If it matches the parameters, it sends the credentials to the server along with the machine info, including socket name, user name, computer name, product name, and bot ID.

Figure 14: The credentials and machine info that is sent to the server.

The command “Ky8pr22KrbW3” or “neAWM9TC4tsk” creates the specified directory in %appdata%. It then downloads and stores the specified file inside it and executes it.

Figure 15: The command to download and execute additional malware.

We have found the following commands in this variant of the CyberGate RAT.
Command - Description
4hybWKLmEShM - Send the unique bot ID to the server
ECDnG66CYsZc - Steal the browser’s credentials and machine info
dYh3GKy2DK - Store data to the registry
Ky8pr22KrbW3 - Download and execute additional malware
neAWM9TC4tsk - Download and execute additional malware and exit itself
EffNaMNRW43T - Capture the screen
5Qvape9Wv6eA - Start the keylogger

We have written a Python script to decrypt the CyberGate RAT C&C traffic. It can be found in Appendix II.

RedLine stealer

The final payload is the .NET binary of the RedLine stealer. This stealer is available for sale on Russian forums and was seen before in a COVID-themed email campaign; Proofpoint published a blog about that campaign. The capabilities of this stealer include:

Collecting information about the victim’s system
Collecting credentials, cookies, and credit cards from Chromium- and Gecko-based browsers
Collecting data from FTP clients (FileZilla, WinSCP)
Collecting data from IM clients (Pidgin)
Collecting cryptocurrency wallets
Downloading and executing the specified file

Figure 16: The RedLine stealer classes and C&C domain.

The RedLine stealer uses SOAP over HTTP for its C&C communication. After connecting to the C&C server, RedLine fetches the client configuration settings from the server.

Figure 17: Fetching the client configuration settings.

These client configuration settings include GrabBrowsers, GrabFTP, GrabFiles, GrabImClients, GrabPaths, GrabUserAgent, and GrabWallets.

Figure 18: The RedLine client configuration settings.

After collecting the data as per the configuration, it sends all the data back to the server.

Figure 19: Sending the stolen data to the server.

After that, it sends a request to the server to get a task (download a file, execute a file, access a link, or inject a file into a process) along with the victim’s machine info, such as IP, location, OS, and more.

Figure 20: Sending the request to the server to get a task.
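To make the CyberGate packet layers from the network traffic analysis section concrete, here is an added example (not code from the Zscaler post or from the malware) that decodes a packet into its command and parameters: RC4 with the key “draZwyK8wNHF”, the 14-byte “@@XXXXXXXXXX@@” marker, the zlib stream, and the “##$##” separator, with an optional leading CRLF. Because no capture is included, a helper builds a constructed sample packet by applying the same layers in reverse so the decoder can be exercised offline; RC4 is implemented in plain Python so no third-party package is needed. The user name, computer name and serial number fed to the bot ID helper are placeholders.

```python
import hashlib
import zlib

KEY = b"draZwyK8wNHF"        # RC4 key from the analysis
MARKER = b"@@XXXXXXXXXX@@"   # 14-byte marker ahead of the zlib stream
SEP = b"##$##"               # separator between command and parameters


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def bot_id(user_name: str, computer_name: str, serial: str) -> str:
    """Bot ID = MD5(UserName + ComputerName + SerialNumber), as hex."""
    return hashlib.md5((user_name + computer_name + serial).encode()).hexdigest()


def build_packet(command: str, params, key: bytes = KEY) -> bytes:
    """Constructed sample only: <Command>##$##<Param>##$## -> zlib -> marker -> RC4."""
    plain = SEP.join([command.encode()] + [p.encode() for p in params]) + SEP
    return rc4(key, MARKER + zlib.compress(plain))


def decode_packet(packet: bytes, key: bytes = KEY):
    """Undo the layers; returns (command, [params]) or None if the packet does not match."""
    if packet.startswith(b"\r\n"):  # some packets carry a leading CRLF
        packet = packet[2:]
    plain = rc4(key, packet)
    if not plain.startswith(MARKER):
        return None                 # wrong key or not a CyberGate packet
    try:
        body = zlib.decompress(plain[len(MARKER):])
    except zlib.error:
        return None
    parts = body.split(SEP)
    command = parts[0].decode(errors="replace")
    params = [p.decode(errors="replace") for p in parts[1:] if p]
    return command, params


if __name__ == "__main__":
    # Constructed first request: the bot ID command with a placeholder ID
    sample = build_packet("4hybWKLmEShM", [bot_id("user", "DESKTOP-SAMPLE", "1234ABCD")])
    print(decode_packet(sample))
```

Feeding reassembled TCP payloads from port 3970 through decode_packet() yields the command IDs in the table above, which is what a network detection for this variant would key on; a None result for every packet usually means the key changed in a newer build.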
Coverage

The observed indicators in this attack were successfully blocked by the Zscaler Cloud Sandbox.

Figure 21: The Zscaler Cloud Sandbox report for the CyberGate RAT.

Figure 22: The Zscaler Cloud Sandbox report for the RedLine stealer.

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels. The following are the advanced threat protection signatures released for detecting the malware:

Win32.Backdoor.CyberGate
Win32.Backdoor.RedLine
Win32.PWS.AutoIT

And the following is the Cloud IPS (non-web) signature that enables detection of the CyberGate RAT:

Win32.Backdoor.CyberGate

Conclusion

We are observing an increase in the use of AutoIt scripts as a wrapper to deliver malware by threat actors. This trend appears to be getting stronger, with a lot of obfuscation, anti-analysis and anti-sandbox tricks, and fileless techniques being adopted by AutoIt-based malware. The final payloads we have seen in these campaigns are RATs and infostealers, which are capable of stealing sensitive information and installing additional malware. Also, the use of a custom protocol for the exfiltration of sensitive information poses a great challenge for network security solutions trying to block the data exfiltration attempt. The Zscaler ThreatLabZ team will continue to monitor AutoIt-based malware campaigns to share the information with the community and to keep our customers safe.
MITRE ATT&CK™ tactic and technique mapping

Tactic Technique
T1059 Execution through Command-Line interface
T1060 Persistence in startup directory
T1055 Process injection
T1140 Obfuscated files
T1503 Steal credentials from web browsers
T1056 Keylogging
T1539 Steal web session cookies
T1083 File and Directory Discovery
T1057 Process Discovery
T1012 Query Registry
T1082 System Information Discovery
T1497 Sandbox Evasion
T1005 Collect Data from Local System
T1113 Captures Screen
T1094 Custom C&C Protocol
T1132 Base64 Data Encoding
T1065 Uncommonly Used Port
T1002 Data Compressed
T1020 Data Exfiltration
T1022 Data Encrypted

IOCs

Cybergate RAT

37.252.5[.]213/55.exe (Download URL)
37.252.5[.]213[:]3970 (Cybergate C&C)
433dd4dce13e86688a3af13686c84d1c Packed file
608D98351812A3C2C73B94A6F5BEF048 Encoded autoit file
340F2664D7956A753D8EA2FA5C0044FF Encrypted payload
53A116D2B8AB11B92B293B4AD18CC523 Decoded autoit script
391317CC132C65561811316324171F8C Shellcode 1
63CFBCE717C7761B6802E3C1B1F8ACCF Shellcode 2
88A81C67556D4470F23F703D64606E16 Cybergate RAT

RedLine Stealer

resisproject[.]me (Phishing site)
bbuseruploads[.]s3[.]amazonaws[.]com/583b9547-e88c-4247-a01e-655ff985a7ae/downloads/5a2556c5-ec0f-4699-b67c-40b9f2a43fc7/ (Download URL)
resisproject[.]cc (Phishing site)
bitbucket[.]org/kapow37047/win64/downloads/ResistanceWallet_2.2.8.exe (Download URL)
yellowbag[.]top (RedLine C&C)
70EFF6AE73C0E276D385929D9E253D02 Packed file
C96BF5CECA92A5362F342A7EE19FDC88 Encoded autoit file
F1AA91851E0F66AAC3F65E4C237E8B51 Encrypted payload
106FCC5A6B51E4B2213694C7B5FF3C08 Decoded autoit script
729BB625379513FC677606888941248B RedLine Stealer
4B0F5B53264C56125BD5C889E063BBCA Packed file
67E67250B0DB02F824804EC17A757B1E Encoded autoit file
67BB52ECFE627A96076AFAFD2DDE32C7 Encrypted payload
293918878C0CE8CFFBD344B16EAC656E Decoded autoit script
9E286AB918E5FACF45B2AE0195CEF54B RedLine Stealer

Appendix I: Python script to decrypt the encrypted Cybergate payload and RedLine payload (Python 3, requires pycryptodome):

import sys
from Crypto.Cipher import ARC4

# RC4 keys observed across the samples; the first one that yields a PE file wins
keys = ['537180', '7010', '2379']
enc_file = sys.argv[1]
dec_file = sys.argv[2]
data = open(enc_file, 'rb').read()
for key in keys:
    cipher = ARC4.new(key.encode())
    out = cipher.decrypt(data)
    if out[:2] == b"MZ":
        with open(dec_file, 'wb') as wf:
            wf.write(out)
        print("[+] Decrypted PE file - " + dec_file)
        break

Appendix II: Python script to decrypt & decompress Cybergate traffic (Python 3, requires pycryptodome):

import zlib
from Crypto.Cipher import ARC4

def dec_packet(packet):
    """Decrypt and decompress one CyberGate packet (bytes); returns b'' on failure."""
    result = b""
    marker = b"##$##"
    # packet = bytes.fromhex(packet)
    if len(packet) == 2:
        return result
    try:
        # Strip a leading CRLF and the framing around the encrypted data
        if packet.startswith(b"\x0d\x0a"):
            packet = packet[2:]
        packet = packet.split(marker)[1]
        if packet.startswith(b"\x0d\x0a"):
            packet = packet[2:]
    except Exception:
        pass
    try:
        key = b'draZwyK8wNHF'
        cipher = ARC4.new(key)
        rc4_out = cipher.decrypt(packet)
        # Decrypted server data starts with a 14-byte marker, then the zlib stream
        if rc4_out.startswith(b"@@XXXXXXXXXX@@"):
            rc4_out = rc4_out[14:]
        result = zlib.decompress(rc4_out)
        return result
    except Exception:
        return result

Mohd Sadique

How the Power of Storytelling Can Protect Your Organization from Security Incidents

Harrison Lewis is the CIO of Northgate Gonzalez Market. His post originally appeared on LinkedIn.

With an uptick in ransomware attacks and security incidents since the outbreak of COVID-19, the current crisis is shining a light on the gaps within corporate security strategies. Many organizations have been faced with the dilemma of compromising security for business continuity; relaxing their security posture to keep the business going and enabling employees to work from home. In addition, with the advent of artificial intelligence (AI) and machine learning (ML), attacks on corporate networks have become more sophisticated and once more demonstrate that the old dogma of having your own security appliances onsite and being responsible for patching them is not an effective measure to protect your organization.
I can’t recall the number of times I have spoken to peers who had just experienced a breach or were going through a ransomware attack that was preventable. More often than not, the absence of action can be attributed to a lack of awareness of what is possible today. I strongly believe that the solution to protect our organizations from devastating security incidents is twofold.

First, we need to change the way we think about security breaches; not about if but when they will happen. My secret to driving this cultural shift within an organization, both at the executive level and within the IT organization, is to use the power of storytelling to help people realize and understand the importance of security. Only if you take current examples of incidents and educate your leadership team on why and how this happened and why your organization is or isn’t protected against similar breaches will you change their perception of security over time.

How we see ourselves as executives of an organization also influences how and what we communicate. First and foremost, we are businesspeople with the goal to help our businesses be successful. Each of us has an area of expertise in our own discipline, be it finance, operations, sales, marketing, IT, etc. And within this ecosystem, the CIO bears the responsibility of communicating the importance of fortifying cybersecurity measures to the rest of the leadership team. A common roadblock to getting the entire team onboard is jargon, or more broadly, the inability to make security seem intertwined with the company’s daily operations to fellow leaders. Storytelling is a great solution to this because it’s a way to make otherwise unfamiliar and complex topics approachable. Stories allow people to relate to a subject and make them shift their perspectives to think ahead.

For example, imagine you are driving, and a car passes you. A few minutes later, you see this same car parked on the side of the road after getting into an accident.
Seeing such a narrow window, you would naturally start to think “What if I had been that car involved in that accident?” and if you were that car, “Is there anything that I could have done to prevent this accident?” or “How would I respond if I were in that situation?” Similarly, your role as the CIO is to be that person who brings those “what if” considerations to your organization, to get everyone thinking about a potential situation. If you continuously communicate examples of incidents and the impact they have on an organization's business, making security a business discussion, your peers will gain a deeper understanding of the importance of security for the overall business success.

Second, organizations need to invest in hosted cloud-security solutions. The times of procuring, managing, and maintaining security appliances are over. Instead, we need to look at cloud solutions that can scale easily, can leverage massive computing power to apply AI and ML, which is impossible to do in your own data center, can protect all users and applications regardless of their location and are close to the edge to guarantee a fast experience for our users. By using a hosted service, you can significantly reduce your risk by lessening the latency between the discovery of a new vulnerability and the time at which you are protected against it. A cloud security provider, such as Zscaler, will be informed about a new vulnerability faster and can immediately protect its customers from it without having this trailing effect of your organization identifying an enhancement or patch, communicating it to the right person and hoping this person isn’t busy patching other vulnerabilities.

Leveraging a cloud security platform will also help with the skills gap the industry is experiencing. By moving to a cloud security service, your staff can shift its focus to value-adding projects instead of chasing security patches.
I have implemented the Zscaler platform to increase security posture, protecting all our endpoints with the same high level of security at any time and location. For my organization, this meant a significant transition from initially trying to fit Zscaler into our legacy paradigm to now having transformed our network and taking full advantage of the platform. Making a shift like this means changing the culture of your organization, influencing the way your leadership team thinks about security, and adjusting the roles and responsibilities of your IT team. But with constant, clear, and comprehensible communication and the power of storytelling, you can effectively drive this transformation.

While the pandemic may have been a catalyst for many organizations to rethink the way they approach security, we should not return to our traditional security approach post-COVID-19. Once employees return to their offices and business travel resumes, people will still continue to work outside the “traditional perimeter” as road warriors have for quite some time. It is on us as IT leaders to ensure that we continue to highlight the importance of changing the way we approach security so that the businesses that we serve will not suffer from security incidents but prosper instead.

If you enjoyed this post, you might also enjoy:

A New At-Home Workforce in 48 Hours by Nitin Agarwal
Going Virtual: Lessons Learned from Scaling to More Than 6,500 Remote Offices by Craig Williams, CIO of Ciena
How an Outage Prepared CAPTRUST for a Pandemic by Jon Meyer, CTO, CAPTRUST

Harrison Lewis

Meet Zscaler: Mission Accomplished — How Patrick Perry Transitioned from The Force to Being a Force For His Team

You would never know from his unfailingly positive disposition and lighthearted nature that Patrick Perry has done seven overseas tours with the Army. He brought his team-first philosophy and technological know-how into his role at Zscaler, where he is a Zscaler advocate for federal prospects.
First and foremost, however, he is a family man, and loves spending time with his wife and five children. Read his story to learn why Patrick makes Zscaler a Great Place to Work!

Tell us about your background and career in the Army

I grew up in Southern California in an area outside of Los Angeles and ended up moving to Washington to finish up high school. Nineteen days after I graduated high school, I decided to enlist in the Army. I did basic training, then did what we call advanced individual training, and received my first duty assignment in Korea. I spent a year in Korea, then did what’s called a consecutive overseas tour and went directly from Korea to Germany and lived there for two and a half years. During that time I also did a deployment in Kosovo.

I got some promotions in Germany, and everything was going well with my career, so I decided to stay in longer. I re-enlisted and moved to Fort Lewis, Washington, in the Seattle-Tacoma area. That’s when a lot of my life changed. Over the course of five years, I deployed to Iraq twice, went to about five different military schools to continue my training, moved to Fort Bragg, North Carolina, met my wife, joined the special operations community, and went to airborne school. During that time, I also went to Afghanistan three times.

That brings us to 2010, when my family and I moved to Stuttgart, Germany. While there, I stayed in special operations and worked for the special operations command for Africa where I traveled to the continent a few times. When we decided to move back to the U.S., I joined a unique unit in northern Virginia and stayed there until the end of my career in the Army. In that time, I did more military schooling, deployed to Iraq and Afghanistan a couple more times, made some of my best friends, and fell in love with a place where I never thought I’d want to live: the D.C. Metro Area.

What brought you to Zscaler?
When I retired from the military and started my transition into the civilian workforce, I was blessed to be able to intern at Zscaler. I did a two and a half month internship last summer, where I was brought on board, learned the Zscaler culture, and really got good firsthand experience with life outside the military. Obviously, I’d only known the military my entire adult life, and interning at Zscaler exposed me to a lot of things. Whether it was company culture, job capabilities, or how the business works, executives gave me their time, and it was just an all-around amazing experience.

While interning at Zscaler, I also was offered an internship with Major League Baseball (MLB), so I respectfully requested to do both. Zscaler was fine with it, but made me promise to come back! Though I loved the work and the people at MLB, my family and I weren’t willing to move to New York City, as my wife is still active military and there isn’t an Army base in NYC. So I finished my MLB internship, wrapped everything up with the Army, and started with Zscaler in December 2019 while on terminal leave.

Tell us about what you do at Zscaler

My role is constantly evolving, integrating with product management, sales, architectural support, and engineering—all geared toward our federal team efforts. I have a foot in the product management world to try and help shape Zscaler products to meet DoD (Department of Defense) and federal compliance requirements. I also do a bit of business development and outreach, and I assist in the meetings with federal and military organizations to explain and evangelize Zscaler and our products from an engineering and architecture perspective.

How did your role in the Army relate to your current position at Zscaler?

My specialty has always been in (IT) networking, which has obviously changed quite a bit since 1998, especially in the Army.
But I’ve always kind of been in the IT world, and I’ve evolved through those changes, being a part of major IT transitions in the Army’s networks and growing IT environments as well as its different security levels. For the last 13 years in special operations, I was given a lot more flexibility to work outside of the specific Army toolset that we would normally use. So I was able to get my hands on more commercial equipment and do more commercial-like IT stuff, which I think prepared me well for my current role at Zscaler.

From my time in the military, I’ve built a network of trust with many people throughout the military, especially at an objectivity and technical level, so it’s been great to be able to sit down with these people, some of whom I’ve known for 20-plus years, and tell them all about Zscaler and how it can help solve problems for the DoD.

Above all, the military prepared me for Zscaler company culture. Honestly, the principles at Zscaler are very close to what we preach in the military, with cohesive teamwork being one of the top priorities. Nobody is too good to do anything that will benefit the organization. Helping others is always a focus: if you’re not bringing somebody up, then get out of the way.

What is your favorite part about your role at Zscaler?

First of all, I love that every day I’m learning something new. The organization is truly trying to sell transformation, not just a product that does something else a little better than another product. That’s big to me. But to get your mind wrapped around that, you’ve got to learn every day how to rethink problem sets. I really enjoy that because I like the challenge of a continuous education model.

But in regard to performing my job, I love sitting down with people in the DoD and IC (Intelligence Community) and really working through how Zscaler capabilities work, with the goal of shifting their mindset.
With 22 years of experience, I can talk to customers quickly and relate to them, and when they get that “aha” lightbulb that pops up above their head, it’s just magic.

What do you like to do outside of work?

First and foremost, I’m a father and a husband, so outside of work I spend most of my time with my family. Our kids are very active—our girls do competitive Irish dancing and horseback riding, one of our sons plays baseball, the boys have done wrestling, they’re in Boy Scouts—so we spend a lot of time shuttling our kids from event to event. It’s like a part-time job! Since COVID, a lot of their activities have been postponed, but we still try to focus on spending quality time and interacting with our kids outdoors.

Other than that, I enjoy fitness, sports, hanging out with friends, reading, and brewing beer. I also love to take on home improvement projects. That’s increased a lot since work-from-home orders and I’ve never gotten more done on my honey-do list than I have in the last three months!

What advice do you have for someone looking to get into a role similar to yours?

You’ve got to find something you’re truly passionate about, and it’s got to be pretty specific. It’s easy to say, “I like to talk to people,” or “I like to guide teams.” But that could be a million different things. And a big thing for people coming out of the military is, “I like to lead people.” Well that doesn’t really mean anything outside the military—because organizations want to know, what specifically do you want to “lead people” to do? Finding something that you’re passionate about and narrowing that down to a specific focus is really important.

Secondly, find a company with a mission that you’re excited about and truly believe in. Don’t take a job just for the money or because they have good perks. When you believe in the mission of a company, it truly takes that passion to an exponentially higher level.
Specific to emerging technology, my advice is to never think that the way you already think is the right way to think. You should spend a great deal of time questioning and challenging your own assumptions. Don’t be afraid to change the way you think, because that’s the only way you will learn and truly create new ideas.

Join Patrick and the rest of the team

Visit our careers page to explore opportunities in emerging technology on the federal team as well as the many other roles in which you can help Zscaler drive secure digital transformation for enterprises across the globe.

Read Next:

- Meet Zscaler: What Three Years at Zscaler Means to Carolina Monge
- Meet Zscaler: How a Busy Family Man, Salesman, and Outdoorsman Just Keeps Truckin’
- Meet Zscaler: From Sales to Enablement - How Megan Allen Found Her Passion

Kristi Myllenbeck

Zscaler and Silver Peak: Helping Organizations Enable a Secure Access Service Edge and Embrace a Cloud-First Future

Please listen to a podcast on WAN and security transformation with experts from Zscaler, Silver Peak, and Cushman & Wakefield.

No one knows what the work world will look like once the pandemic restrictions are lifted and employees are allowed back into the office. Will everyone return to their headquarters and branch offices? How many people will staff your branch locations? Will employees be working from home permanently? With so much uncertainty, organizations must be prepared for any combination of these outcomes. But, is your existing, hardware-based network and security infrastructure flexible enough to adapt to whatever comes next?

Days gone by

We’re all familiar with the traditional network infrastructure where the data center was the heartbeat of an organization. Applications and data were stored there, and it was the home of your security stack. And all of your users’ application traffic was backhauled from branch offices to the data center.
This hub-and-spoke setup was more than adequate when all employee traffic flowed through the data center. But not anymore. Now more than ever, more of your corporate traffic is bound for the internet because a greater number of applications have migrated to the cloud. And, with mobility and anywhere, anytime internet access, organizations are faced with the challenge of securing their employees who are working outside of the office. All of this has dramatically changed corporate traffic patterns. Yet, for many, the corporate infrastructure has remained the same. Many organizations still rely on a router-centric WAN model that backhauls all branch application traffic over MPLS to the data center, bogging down their appliances and resulting in a poor user experience.

Embracing SD-WAN

Organizations looking for something better have turned their focus to SD-WAN as an alternative to and a replacement for cumbersome router-centric WANs. With SD-WAN, organizations can enable local internet breakout to greatly improve cloud application performance and deliver a superior user experience. And, by routing more traffic directly to the internet, organizations can embrace broadband connectivity to reduce their MPLS costs while also reducing their branch hardware footprint.

SD-WAN also helps organizations simplify operations by centralizing policy management and control. Software-defined policies enable IT to quickly make network and policy changes and automatically deploy them across the entire network with just a few mouse clicks. Moving to SD-WAN also improves reliability and creates redundancy, as organizations can dynamically route traffic over a variety of connection types (MPLS, broadband, 4G/LTE), something that legacy infrastructures may not support.

However, one of the biggest worries for IT is how to maintain full access and security controls with no security compromises.
After all, direct-to-internet connections increase the attack surface and highlight the need for advanced security services to protect branch locations from threats. But installing next-generation firewalls at every branch to address security needs is too expensive and too complex to manage across dozens, hundreds, or thousands of locations. So how can IT teams achieve better security without adding complexity, deploying a bunch of hardware in every branch location, or increasing operational overhead? That’s where Zscaler and Silver Peak come in.

Partners in the cloud

Together, Zscaler and Silver Peak deliver a secure SD-WAN solution that protects enterprises from threats, optimizes application performance, and delivers SD-WAN connectivity that automatically adapts to changing business requirements. This is especially critical now as organizations not only react to the current global situation but also prepare business continuity plans for the next inevitable crisis.

Zscaler and Silver Peak have partnered to deliver SD-WAN with cutting-edge cloud security services that can be configured and deployed in minutes. Organizations can achieve optimal application performance, simplify branch WAN infrastructure, and enforce consistent, always-up-to-date security across the enterprise. The Zscaler/Silver Peak partnership delivers a secure access service edge (SASE) architecture by integrating best-of-breed networking and best-of-breed cloud-delivered security. For IT, that means lower costs, simplified operations, and security enforcement that follows the users wherever they connect. For users, it means fast, secure, and uninterrupted access to business-critical applications.

With Zscaler and Silver Peak, organizations can:

- Empower their IT teams to be more responsive to business needs. They can provision and secure new sites with “zero-touch” setup while increasing productivity and the end-user experience with 99.999-percent availability.
- Leverage a SASE architecture to unify SD-WAN and cloud security in a seamless solution, enabling local breakout to boost performance and enhance reliability.
- Enable an infrastructure that can automatically adapt to changing business conditions. IT teams can centrally define security requirements once to deliver optimal connectivity and security to all employees, guests, and devices—wherever they are.

But don’t take my word for it. Customers have seen the power of the Zscaler and Silver Peak partnership and how our integrated solution can provide a secure and efficient experience for their employees.

Nuffield Health

The largest not-for-profit healthcare provider across the U.K. relies on Silver Peak and Zscaler to deliver secure SD-WAN, increase bandwidth, and enable the fast and secure application performance and user experience required for their more than 143 hospitals and well-being centers. “Silver Peak together with Zscaler has made our cloud transformation faster, more secure, and easier than we could’ve imagined,” said Dan Morgan, IT Operations Director at Nuffield Health.

Cushman & Wakefield

Cushman & Wakefield, a global commercial real estate services firm with users who need a secure, responsive network that provides the same experience no matter where they connect, relies on Zscaler and Silver Peak as a foundation for its cloud and SD-WAN strategy. “I would recommend closely looking at Zscaler and the partnerships that they’ve built – specifically with Microsoft and Silver Peak as a foundation for a well-performing enterprise,” said Rob Franch, Chief Technology Officer at Cushman and Wakefield.

Embracing change

The way employees do their jobs has changed. The location of their work apps has changed. And the threats to your company are constantly changing and becoming more sophisticated. Isn’t it time your legacy network and security thinking changed too?
Global organizations of all sizes rely on Zscaler and Silver Peak to help them realize the full transformational promise of the cloud. Click here to learn more about how Zscaler and Silver Peak work together to ensure cloud-delivered secure access for your users anywhere they work.

Jen Toscano is a Senior Product Marketing Manager at Zscaler.

Jen Toscano

Ditch the Complexity and Cost of CASB Point Product Overlays

Ask just about any industry analyst and you will hear the same thing—enterprises with a significant cloud presence need a cloud access security broker (CASB) to protect their cloud-based data. But not all CASB offerings are the same. Organizations must be careful to select a CASB solution that fits in today’s ever-changing cloud-based world. View this infographic for a quick look at the key challenges of data protection in a cloud-first world.

A growing need

The adoption of software as a service (SaaS) applications has fundamentally changed the way employees do their jobs and accomplish their corporate goals. And it doesn’t seem like SaaS adoption is going to slow down any time soon. According to recent estimates, the global SaaS market size is projected to reach $307.3 billion by 2026, up from $158.2 billion in 2020. SaaS solutions are quite easy to adopt and use, and can be readily available to employees around the globe.

However, as these tools have been quickly adopted, the risks have increased. It's impossible to train every employee to consistently use security best practices with their SaaS applications, and lapses can lead to costly mistakes for the organization. The traditional approach to solve this is to add a CASB as a separate overlay to report on SaaS usage and provide some level of control. Unfortunately, this is usually independent of the rest of the organization's security offerings and is another separate data protection function that adds unneeded complexity without solving the key challenges of SaaS usage.
A challenging time

With the threat of cyberattacks looming over every piece of internet traffic, organizations can ill afford to trust the security of their data, and potentially their entire network, to an unproven solution that doesn’t fit with the most widely recommended security architecture today—secure access service edge (SASE). Let’s take a look at just some of the struggles with CASB point product overlays:

- Unproven architecture: Most CASB point overlays can’t decrypt all traffic or scale on demand to meet a business’ changing needs or handle an organization’s full traffic load.
- Lack of integration: Most CASB point overlays don’t work with inline secure web gateways (SWGs)—and often treat inline and out-of-band CASB separately, leaving policy and reporting separate for SaaS vs. the rest of the organization’s traffic.
- Unproven private access: CASB point overlays lack integrated private access or don’t comply with the principles of zero trust network access (ZTNA), leaving applications and users exposed.
- Complex deployment: Adding overlays for inline traffic on top of an existing SWG is complex to deploy, and results in redundant (and reduced) functionality.
- File-centric inspection: Most CASB point overlays can’t see beyond web traffic and offer limited security functions, exposing the organization to threats.
- Multiple agents: CASB point overlays often require yet another endpoint agent to work. While customers are looking to reduce agents on endpoints, CASB point overlays are asking them to take on one more.

A better CASB

Organizations have quickly discovered that adding on point products to their legacy infrastructure isn’t the answer to the challenges of today’s cloud- and mobile-first world. Instead of making cloud security easier, most of these add-ons just add cost and complexity. Network, security, and IT leaders realize that a fully integrated solution is the best fit in today’s landscape.
What these industry leaders are looking for, and what thousands of global corporations have already discovered, is the power of the Zscaler CASB and its critical role in the integrated Zscaler Cloud Security Platform. With Zscaler, organizations get:

- Proven architecture: The Zscaler platform was built from the ground up for full decryption and data classification at scale to identify hidden threats and data exposure. It runs on a proven architecture that processes more than 100 billion transactions per day.
- Deep integration: Zscaler integrates CASB and SWG into a single offering and has been validated by Gartner as the Leader in the SWG Magic Quadrant nine years in a row.
- Integrated private access: Our fully cloud-delivered service gives organizations visibility into application access across SaaS, public cloud, and private data centers to ensure that only authorized users have access.
- Simple to deploy: Zscaler CASB eliminates redundancies as traffic is only decrypted and inspected once in a single pass. There are no complex overlays or proxy-chaining to deploy, third-party firewalls and proxy logs to fetch, or additional agents to install. And all of this is under a single pane of glass to simplify deployment and management.
- Reduced risk: Threat prevention is fully integrated into the Zscaler platform of services. Cloud Firewall, Cloud Sandbox, CASB, and Cloud DLP work together to identify and stop threats based on the full context of apps, users, and file contents across locations.
- Browser Isolation: With Zscaler Cloud Browser Isolation, organizations no longer need a reverse proxy or agents. You control how users get access to SaaS content by serving them pixels instead of data based on the context of the user.

A trusted solution

Your internet traffic is under attack as never before. Don’t believe me? The FBI found that online crimes reported to the Bureau's Internet Crime Complaint Center (IC3) have increased by 400 percent since January 2020.
And our Zscaler cloud saw a 30,000 percent increase in phishing, malicious websites, and malware targeting remote users between January and March 2020. Data is the currency of cybercriminals and it has never been more valuable. You can’t trust your data to an add-on solution that wasn’t built to be deeply integrated with the rest of your organization’s security and data protection. That’s why more than 400 of the Forbes Global 2000 organizations trust their data to Zscaler. Shouldn’t you?

Want to learn more?

- Read this paper on data protection challenges.
- View this infographic on the five data protection challenges.
- Learn more about our overall data protection platform.
- Learn more about CASB.

Chris Morosco is Senior Director of Product Marketing at Zscaler.

Chris Morosco

In a COVID-19 World, Zero Trust is More Relevant Than Ever

This post originally appeared on LinkedIn, May 27, 2020.

You’re an IT administrator. You thought everybody working from home would be a dream come true: None of the desktop deployments, support tickets, or hand-holding that takes up a big chunk of your time. Finally, you could get some “real” work done!

Turns out that employees working from home (WFH) is more like your worst nightmare. How secure is their home internet connection? Their network? Is their device security up-to-date? Do you trust their security habits in the wild? And those newly-remote workers have a lot of questions for you. “How do I use the VPN?” “How do I get admin rights on my machine?” “Should I open this email?” “What’s a virus?” With WFH, you’re still buried in support requests, they’re just of a different flavor. On top of that, to accommodate the added remote-access traffic, you have to increase the capacity of a legacy VPN architecture that wasn’t designed for this scenario.

If only the process of transitioning employees to WFH was simpler! Zero trust network access (ZTNA) makes it simpler.
And a ZTNA solution that leverages a cloud-based architecture can decouple security from network access, ensuring secure application access regardless of the device, the network, or the application.

IT in a time of crisis

The near-universal switch to WFH means employees now work outside the corporate security “moat.” Cybercriminals view this environment as a vast, ripe, untapped field of opportunity. Companies that have embraced cloud-delivered security solutions combining security, simplicity, and speed have quickly adapted to WFH needs. But if you aren’t there yet, now is the time to start! Pivoting from legacy technologies to forward-looking ZTNA solutions offers benefits that can help you adapt to change and build in resilience for the future.

Delivering a secure, productive, work-from-home experience with ZTNA offers six tangible benefits:

- Seamless direct access to both external (internet, SaaS) and internal (data center, IaaS, PaaS) applications
- Context-aware access that correlates user, device, application, and other characteristics
- Flexible deployment across all users and locations for instant and seamless expansion without complex on-premises hardware deployment or licensing delays
- Excellent user experience when accessing critical corporate applications and key collaboration tools such as Zoom or Microsoft Teams
- Comprehensive visibility and troubleshooting that enables rapid user-issue resolution
- Security and compliance tools to mitigate cyberthreats and protect applications and data

Let’s break these points down.

1. Direct access

With a fully-remote workforce, you need to ensure direct, secure access capable of connecting any user to any application, regardless of where the users or applications sit. The downfall of legacy security architectures is their dependence on a security perimeter.
This forces user traffic to flow through the perimeter defenses, no matter where the target application lives: in the data center, a private cloud, a hybrid cloud, or public cloud. ZTNA solutions establish connections between users and the applications, and cloud-enabled ZTNA lets traffic flow along the shortest secure path between them. This eliminates the hair-pinning caused by backhauling traffic from a single ingress point to other locations, reduces data center traffic, and improves the user experience by reducing latency.

2. Context-awareness

Legacy castle-and-moat network security allows anything that gets through perimeter security to gain access to the whole network and any systems attached to it. Why should employees be granted access to all applications, data, and resources? Threat actors who breach the perimeter enjoy that same privilege of “east/west” lateral movement. It makes more sense to limit user access to only what users need. Zero Trust security allows you to tag users and applications so that authorized users only see what applications you want them to see. (There’s a security benefit, too; those threat actors can’t attack what they can’t see.)

Context-aware access delivers benefits beyond just work-from-home security: mergers and acquisitions (M&A), cloud migration, third-party access, and more. ZTNA solutions address all of these scenarios with simple policies that are user-centric, rather than network-centric.

3. Flexible deployment

One reason IT teams resist change is scope: they don’t want to change all of the network to protect some of the network. This is why zero trust is catching on now. When zero trust was introduced ten years ago, implementing it with network-centric security tools was a monolithic task—you had to convert almost all of your network in order to protect any of it! Now, with cloud-enabled ZTNA solutions, you can tackle this challenge one use case at a time.
For example, you can enable zero trust access for an existing group of VPN users without a rip-and-replace process. Once the zero trust access is fully operational, decommission VPN access for that group. Then iterate as necessary.

4. User experience

As VPN use scales, so do problems. You’re backhauling tons of external traffic that must traverse the security stack. On top of that, latency increases drastically with hundreds (if not thousands) of remote workers fighting to pass through VPN concentrators. One solution is bigger, more expensive security devices at both HQ and branch offices, but it’s a complicated and expensive one. Zero trust connections allow users to directly access applications, no matter where either sit. Direct access via internet breakouts means lower latency and a better user experience.

5. Better visibility

In a legacy environment, you can’t protect what you don’t know is there. One huge disadvantage of legacy solutions is that all the appliances across the enterprise network generate an enormous amount of uncentralized data. Bad actors love to hide in that data, hoping to be overlooked. Any security solution must provide full visibility into user traffic. ZTNA solutions allow you to examine who is accessing what, and where, anywhere in the network.

6. Tighter security

With users, applications, and data distributed across the internet (and more to come), securing access to your most sensitive resources is a massive challenge. Distributed resources mean a larger attack surface; more people working from home over VPNs means more ways for bad actors to breach your perimeter. Now is the time for zero trust. A context-based zero trust approach secures the connection between the user and application without regard for networks or locations. Policies are created and enforced that only let specific users access specified applications.
Users can access the applications they need, from any device, without exposing the network to bad actors or increasing the network attack surface.

No more trust issues

Cloud-delivered ZTNA transitions your security from network-centric controls and remote network connectivity to application-centric security and least-privilege access. This means more-secure connectivity that easily and cost-effectively adapts to enterprise digital transformation efforts. Zero trust security architectures ensure full protection for users and applications alike. ZTNA solutions enable secure, productive work-from-home and work-from-anywhere environments (including the office). You can protect your employees, partners, and customers while continuing to survive, thrive, and adapt to new challenges.

Read more:

- Gartner ZTNA and Enabling the "Work from Anywhere" Reality
- Zero Trust and its Role in Securing the New Normal
- Deliver a productive and secure work-from-home experience (PDF)

Lisa Lorenzin is Director of Transformation Strategy at Zscaler.

Lisa Lorenzin

Targeted attacks on Australian Networks (ACSC Advisory) - Zscaler Coverage

Background

Earlier today the Australian Cyber Security Centre (ACSC) released an advisory regarding a cyber campaign targeting Australian networks. The campaign is dubbed ‘Copy-paste compromises’ due to the threat actor’s heavy usage of proof-of-concept exploit code from open source.

What are the issues?

1. Telerik UI Arbitrary code execution vulnerability (CVE-2019-18935)

A vulnerability in Telerik UI for ASP.NET could allow for arbitrary code execution. ASP.NET is an open-source server-side web-application framework designed for web development to produce dynamic web pages. Successful exploitation of this vulnerability could allow for remote code execution within the context of a privileged process.
Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

Systems impacted

- Progress Telerik UI for ASP.NET AJAX versions prior to 2020.1.114

Reference:

2. CVE-2019-0604 - Microsoft SharePoint Remote Code Execution Vulnerability

A remote code execution vulnerability was discovered in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.

Systems impacted

- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2010 Service Pack 2
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Server 2010 Service Pack 2
- Microsoft SharePoint Server 2013 Service Pack 1
- Microsoft SharePoint Server 2019

Reference:

3. Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance (CVE-2019-19781)

A vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).
Systems impacted:
Citrix ADC and Citrix Gateway version 13.0 all supported builds
Citrix ADC and NetScaler Gateway version 12.1 all supported builds
Citrix ADC and NetScaler Gateway version 12.0 all supported builds
Citrix ADC and NetScaler Gateway version 11.1 all supported builds
Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Reference:

4. Deserialization vulnerability in Microsoft IIS

A deserialization vulnerability exists in versions of Microsoft’s Internet Information Services (IIS) using the .NET framework (.NET). The vulnerability exploits the service’s VIEWSTATE parameter to allow for remote code execution by unauthorized users. A specially crafted VIEWSTATE parameter with malicious content is required for actors to successfully exploit this vulnerability. The contents of this parameter are protected by Message Authentication Code (MAC) validation on up-to-date installs of .NET on IIS, and an actor must obtain the IIS server machine key to exploit this vulnerability.

5. Downloader and malware payloads

There are reports of malware downloader payloads, including malicious documents distributed as attachments via spear phishing campaigns. These attached documents are weaponized with the above exploits, leading to the download of PowerShell Empire, HTTPCore, or HTTPotato payloads for C&C communication.

What can you do to protect yourself?

All the vulnerabilities exploited in this campaign have been publicly disclosed previously, and corresponding patches/mitigations were provided by the product developers. It is important to have updated security software and the latest software patches applied to the endpoints. As always, avoid opening suspicious emails containing attachments or links that come from unknown sources. And disable macros in Office programs. Do not enable them unless it is essential to do so.
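The MAC protection described in item 4 comes down to a keyed check on the serialized state before anything is deserialized. The following is an added example that models that check; it is not code from the ACSC advisory or from Zscaler. The function names, the HMAC-SHA256 construction, the JSON serialization and the sample state are assumptions made for the demonstration; ASP.NET's real ViewState format differs in detail.

```python
"""MAC-protected serialized state: a minimal model of why the ViewState
MAC, and the key behind it, matters.

Added example, not code from the ACSC advisory or from Zscaler. The server
appends a keyed MAC to the serialized state it hands to the client and refuses
to deserialize any returned blob whose MAC does not verify. Function names,
the HMAC-SHA256 construction and the sample state are assumptions.
"""
import base64
import hashlib
import hmac
import json
import os

# Assumed stand-in for the IIS machine key: generated per run here, stored in
# server configuration in a real deployment.
MACHINE_KEY = os.urandom(32)
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def protect(state: dict, key: bytes) -> str:
    """Serialize `state`, append HMAC(key, body), base64-encode the result."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def verify_and_load(blob: str, key: bytes) -> dict:
    """Check the MAC *before* deserializing; raise ValueError on any failure."""
    raw = base64.b64decode(blob)
    if len(raw) <= TAG_LEN:
        raise ValueError("blob too short to carry a MAC")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC validation failed; refusing to deserialize")
    return json.loads(body)


def tamper(blob: str) -> str:
    """Flip one byte of the serialized body to simulate a client-side edit."""
    raw = bytearray(base64.b64decode(blob))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def outcome(blob: str, key: bytes) -> str:
    """Return 'accepted' or 'rejected' for one round trip through verify_and_load."""
    try:
        verify_and_load(blob, key)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    good = protect({"page": "index", "items": 3}, MACHINE_KEY)
    print("untouched  :", outcome(good, MACHINE_KEY))          # accepted
    print("tampered   :", outcome(tamper(good), MACHINE_KEY))  # rejected
    # Whoever holds the key can mint blobs that verify, so the MAC only helps
    # while the machine key stays secret; that is the advisory's point.
    forged = protect({"page": "admin"}, MACHINE_KEY)
    print("key holder :", outcome(forged, MACHINE_KEY))        # accepted
    print("other key  :", outcome(forged, os.urandom(32)))     # rejected
```

The last two calls in the main block make the advisory's point: a correctly implemented MAC gives no protection once the machine key has leaked, because anyone holding the key produces blobs that verify. The defensive consequences follow directly: keep MAC validation enabled, treat the machine key as a secret, and rotate it if its exposure is suspected.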
Zscaler coverage

Zscaler ThreatLabZ is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads.

Advanced Threat Protection signatures:
Win32.Exploit.CVE-2019-18935
Win32.Exploit.CVE-2019-0604
Linux.Exploit.CVE-2019-19781
Html.Malurl.Gen

Malware Protection:
ASP/Webshell
ASP/Twoface.B
Win64.Riskware.JuicyPotato
Win32.Riskware.LazyCat
VBA.Downloader.PowershellEmpire
Win32.Downloader.CobaltStrike

Advanced Cloud Sandbox provides proactive coverage against the payloads involved. Details related to these threat signatures can be found in the Zscaler Threat Library.

References
ACSC Advisory:
ACSC has previously reported about these attacks here:

Krishna Kona

Taurus: The New Stealer in Town

A sandbox is a valuable tool in the ongoing battle against cybercriminals, and bad actors are continually looking for ways to avoid detection. One of the newest ones we observed, Taurus, includes techniques to evade sandbox detection. Was this new malware able to go undetected by the Zscaler Cloud Sandbox? (Spoiler alert: It wasn't.) Let's take a closer look at the Taurus stealer.

In early June 2020, we observed and began tracking a new malware campaign. During our research, we observed that the "Predator the Thief" cybercriminal group is behind the development of this stealer, named Taurus, and is selling it on dark forums for $100, or rebuilt with a new domain for $20. The group selling Taurus claims that this stealer is capable of stealing passwords, cookies, and autofill forms along with the history of Chromium- and Gecko-based browsers. Taurus can also steal some popular cryptocurrency wallets, commonly used FTP client credentials, and email client credentials. This stealer also collects information, such as installed software and system configuration, and sends that information back to the attacker.
Taurus is designed to not execute in countries within the Commonwealth of Independent States (CIS), which includes Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, and Ukraine. (Turkmenistan and Ukraine are both unofficial members of the organization. Georgia was a member of the CIS but left the group in 2008.)

Infection cycle

Figure 1: Infection cycle of the Taurus campaign

Distribution method

While tracking the campaign, we noticed that attackers initiated this campaign by sending a spam mail to the victim containing a malicious attachment. Below are the details of the spam mail we observed:

From: "" <>
Received: from (unknown [])
Date: Fri, 5 Jun 2020 16:56:35
Subject: Penalty Charge Notice
Attachment: pay-violation1011066.doc

The attachment (pay-violation1011066.doc) contained malicious macro code to download further payloads.

Figure 2: The attached malicious doc asks users to enable a macro.

Installation

Once the document is opened, it prompts the user to enable the macro. Once the content is enabled, an AutoOpen() subroutine is called, which runs the malicious Visual Basic for Applications (VBA) macro. The macro executes a PowerShell script that, via BitsTransfer, downloads three different files of the Taurus Project from the GitHub site and saves them in a Temp folder with predefined names.

Figure 3: The obfuscated VBA macro code

The macro hides the URL of the payload behind a combination of obfuscations: the string is Base64-encoded and reversed. Upon decoding the obfuscated macro code, we see the PowerShell script, as shown in Figure 4.

Figure 4: The decrypted PowerShell script used to download the payload.

These three files are then downloaded from GitHub and dropped in the %Temp% directory. The three files are:

1. → saved with the name “” → Legitimate AutoIt3.exe
2. → saved with the name “st6zh” → Base64-encoded AutoIt script having a certificate header
3. → saved with the name “” → Taurus Stealer

Here, PowerShell uses the Certutil.exe command to decode the payload and execute it on the victim's machine.

The Twitter handle @3xp0rt, which exposes documents from a Russian hacking forum, shows some of the claims of the Taurus project.

Figure 5: The Taurus project's claimed stealing capabilities.

The author claims that Taurus has the following stealing capabilities:
Stealing cookies, auto-form details, browsing history, and credit card information from Chromium- and Gecko-based browsers
Cookies and passwords from Microsoft Edge browsers
Credential stealing from some cryptocurrency wallets, including Electrum, MultiBit, Ethereum, Jaxx Liberty, Bytecoin, Atomic, and Exodus
Stealing credentials of FTP clients, including FileZilla, WinFTP, and WinSCP
Stealing session files from applications, including Discord, Steam, Telegram, and Authy
Stealing account information of the Battle.Net service
Stealing Skype history
Stealing credentials from NordVPN
Stealing credentials from Pidgin, Psi+, and Psi
Stealing credentials from Foxmail and Outlook
Collecting system information, such as system configuration and the list of installed software

Figure 6: The Taurus login panel.

The Taurus project has also built a dashboard where the attacker can keep an eye on the infection counts according to geolocation.

Figure 7: The Taurus dashboard to see infection count according to geolocation.

This dashboard also provides the attacker with the ability to customize the configuration of Taurus.

Figure 8: The attacker can update the configuration of Taurus in the dashboard.

Technical analysis of the payload

Once PowerShell downloads the three different files from the GitHub repository, it uses the utility “Certutil.exe” to decode the payload. Of the three downloaded files, the first one is an AutoIT interpreter that is used to run the decoded AutoIT script.
Then, Certutil.exe decrypts the second file, which is a Base64-encoded AutoIT file having a certificate as a header. This AutoIT file will decrypt the third file, which is the Taurus Stealer.

After deobfuscating the AutoIT script, we noticed that it has multiple anti-sandbox techniques. It checks for a Sleep patch in the sandbox using the GetTickCount function.

Figure 9: The anti-sandbox check with the GetTickCount API.

It also checks for the existence of specific files, the computer name, and internet connectivity using the Ping function.

Figure 10: Taurus performs multiple checks for files, the computer name, and internet connectivity.

Finally, the AutoIT script reads and decodes the file, then loads the deobfuscated shellcode for injecting the decoded payload into dllhost.exe.

Figure 11: Building a path for dllhost.exe.

Figure 12 shows details of the deobfuscated shellcode, which will inject the payload.

Figure 12: The shellcode checking for the executable to inject into dllhost.exe.

Before starting the actual activity of the stealer, the malicious program begins by loading its configuration into memory step by step.

Figure 13: Storing config into memory.

We were then able to observe the further activity of the malicious program, which is the actual purpose of this malware: stealing. Figure 14 shows the system information being fetched by the stealer.

Figure 14: The system information fetched by the stealer.

Fileless approach

While disassembling the code, we figured out that all the stolen data is sent as a Zip file. The interesting part is that the malware allocates a memory space for the Zip file and embeds the Zip file directly in the request data.

Figure 15: All the stolen data is put into a Zip file.

Network communication

After zipping all the stolen data, the malicious program tries to send that data to a command and control (C&C) server after building the URL at run time. The URL is also pre-defined in the malicious program (XORed, of course).
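Because the gate URL is assembled at run time from values fixed in the binary, its shape is a usable detection on its own, independent of the C&C host. The following is an added example, not code from the Zscaler post: it matches constructed proxy log lines against the post's URL pattern, http://<Domain>/gate/cfg/?post=<digit>&data=<data>, and against the two C&C domains from its IOC list. The log format (timestamp, client IP, URL, bytes sent), the sample lines and the function names are assumptions made for the demonstration.

```python
"""Match proxy log lines against the Taurus stealer's C&C URL pattern and
its published C&C domains.

Added example, not code from the Zscaler post. The gate path and the two
defanged C&C domains are taken from the post; the log format, the sample
lines and the function names are constructed for this demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators as printed in the post's IOC list (defanged with "[.]").
TAURUS_C2_DEFANGED = ["bit-browser[.]gq", "Atest001[.]website"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .lower())


TAURUS_C2 = {refang(d) for d in TAURUS_C2_DEFANGED}
# Pattern from the post: http://<Domain>/gate/cfg/?post=<digit>&data=<data>
GATE_PATH = re.compile(r"^/gate/cfg/?$")


def classify_url(url: str) -> list:
    """Return the reasons a URL looks like Taurus traffic (empty list if none)."""
    reasons = []
    parts = urlsplit(url)
    if (parts.hostname or "") in TAURUS_C2:  # hostname is already lowercased
        reasons.append("known Taurus C&C host")
    query = parse_qs(parts.query)
    post_value = query.get("post", [""])[0]
    if GATE_PATH.match(parts.path) and post_value.isdigit() and "data" in query:
        # The host may be new, but the path and parameter names are the part
        # of the URL the post says is embedded in the binary.
        reasons.append("matches Taurus gate URL pattern")
    return reasons


def scan_log(lines) -> list:
    """Return [(line_number, reasons)] for every line that triggers a detection."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the scan
        reasons = classify_url(fields[2])
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log (not real traffic). Lines 2 and 4 use hosts from the
# post's IOC list; line 5 shows the gate pattern on an unknown host; the rest
# is benign filler.
SAMPLE_LOG = [
    "2020-06-05T17:01:02Z 10.0.0.12 http://intranet.example.local/index.html 512",
    "2020-06-05T17:01:09Z 10.0.0.12 http://bit-browser.gq/gate/cfg/?post=1&data=UEsDBBQA 48211",
    "2020-06-05T17:02:15Z 10.0.0.12 https://github.com/ 1024",
    "2020-06-05T17:02:40Z 10.0.0.12 http://Atest001.website/ 0",
    "2020-06-05T17:03:01Z 10.0.0.12 http://cdn.example.net/gate/cfg/?post=7&data=AAAA 9000",
]


def run_sample() -> list:
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for n, reasons in run_sample():
        print(f"line {n}: {'; '.join(reasons)}")
```

Line 5 of the sample is the case worth noting: the host is not in the IOC list, so a pure indicator match misses it, while the path-and-parameter rule still fires. Pairing the two keeps coverage when the operator rotates domains, which the post says the stealer is resold for.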
Figure 16: The URL building to send the stolen data to the C&C.

URL pattern: http://<Domain>/gate/cfg/?post=<digit>&data=<data>

Cloud Sandbox detection

We have analyzed the sample in the Zscaler Cloud Sandbox and successfully detected the malware.

Figure 17: The Zscaler Cloud Sandbox successfully detected the malware.

Conclusion

We are actively monitoring for new threats in the Zscaler cloud to protect our customers. We have added details of this malware to our threat library.

VBA -
EXE -

MITRE ATT&CK TTP mapping
T1064 Macros in document used for code execution
T1086 PowerShell commands to execute payloads
T1132 Data Encoding
T1020 Automated Exfiltration
T1003 Credential Dumping
T1503 Credentials from Web Browser
T1539 Steal Web Session Cookie
T1106 Execution through API
T1518 Software Discovery

Indicators of Compromise (IOCs)
ECCD93CFA03A1F1F4B2AF649ADCCEB97 - Doc file
3E08E18CCC55B17EEAEEDF3864ABCA78 - Encrypted AutoIT script
221BBAC7C895453E973E47F9BCE5BFDC - Encrypted Taurus Stealer
5E3EA2152589DF8AE64BA4CBB0B2BD3B - Decrypted Taurus Stealer

CnC:
bit-browser[.]gq
Atest001[.]website

Panel:
64.225.22[.]106/#/login

Avinash Kumar

Targeted Attack Leverages India-China Border Dispute to Lure Victims

Malicious threat actors are always ready to take advantage of current affairs to maximize the success rate of their attacks. The Zscaler ThreatLabZ team recently came across one such attack trying to leverage the current India-China border dispute to lure victims into opening an attached malicious document.

Key points
The attack is fileless, as no payload is written to disk and no persistence is created.
The shellcode uses a fake HTTP Host field while communicating with the command and control (C&C) server to download the next-stage shellcode.
It uses the DKMC framework to hide communication in plain sight using steganography.
It relies on the Cobalt Strike beacon using a malleable C&C profile.

Infection

It appears as if victims were sent a malicious lure document as an email attachment.
The document is named “India-China border tensions.doc” and contains a Times of India article about the same topic.

Figure 1: The infection flow of this attack.

Document

The document contains one line that reads “Geostrategic article for SE Asia Security Analyst,” indicating that the target might be a security analyst for Southeast Asia.

Figure 2: The malicious document containing a news article reference.

Interestingly, the document contained corrupted macro code, leading us to believe that it was built in a hurry using some automated macro obfuscation tool without proper testing. Though the macro is corrupt, we were able to extract the PowerShell command using static analysis. The code obfuscation is very basic: it just subtracts the value 4 to decrypt the PowerShell command.

Figure 3: The macro command decryption function.

Part of the PowerShell command after the base64 decoding looks like this:

Figure 4: Part of the PowerShell code designed to run shellcode.

Almost exact code from the DKMC framework is used to run the embedded base64-encoded shellcode. The PowerShell script is designed to run the shellcode in 32-bit mode only. It checks whether the script is running in a 64-bit PowerShell process by looking at the integer pointer size, which will be 8 bytes (64 bits) in a 64-bit process. If that is the case, it tries to run PowerShell in 32-bit mode with the shellcode injection script code as an argument.

Injected shellcode

On execution, this shellcode downloads another shellcode, but with a valid GIF header, again borrowing a technique from DKMC. Interestingly, this shellcode uses a fake HTTP Host header and a predefined User-Agent field, in this case, to download a GIF payload from the C&C IP over HTTPS.

Figure 5: The shellcode starting with well-known module list access instructions.
C&C IP:

Request example:
GET /avatar_32px.jpg HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host:
Connection: Keep-Alive
Cache-Control: no-cache

Downloaded payload

This GIF file, just after the GIF magic bytes (“GIF89a” in this case, which is also a valid assembly instruction), contains a shellcode followed by an XOR-encrypted payload. The shellcode decrypts and executes this payload, which turns out to be a Cobalt Strike beacon.

Figure 6: The shellcode and payload before decryption.

Figure 7: The shellcode and payload after decryption.

The beacon is configured to point to the following C&C address, “,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books”, with the same Host field and User-Agent.

In another instance, we found a .NET payload (MD5: 9c2ee383d235a702c5ad70b1444efb4d), which injects an RSA-encrypted payload into notepad.exe after decryption. In this case, the beacon payload is downloaded from https://114.67.110[.]37/QBah. The shellcode and additional payload are similar except for the C&C addresses. Noticeably, both beacon DLLs use a C&C, and the watermark is exactly the same in both: 305419896.

As Cobalt Strike is a well-known commercial tool for red teams, we are not getting into its technical details.

Attribution

As of now, we are not able to attribute this attack to a specific actor with enough confidence, but here are a few observations. The group OceanLotus is known to use DKMC, Cobalt Strike, and fileless payloads, but the use of a proper GIF header for shellcode seems to be new for them. On the other hand, the watermark value (305419896) found in the beacon configuration has also been used by the Trickbot group.

Zscaler Cloud Sandbox report

Figure 8: The Zscaler Cloud Sandbox report for this malware.

Note: The document will crash in this case, but if fixed to run, the Zscaler Cloud Sandbox will block its activity.
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels. Check out our Threat Library for more details about Win32.Backdoor.CobaltStrike.

Conclusion

Threat actors always try to find ways to blend into real traffic. In this case, they are using an SSL/TLS connection and a Host header set to a legitimate Microsoft website. One such evasion trick that we covered in our earlier blog was the use of a FakeTLS header. The Zscaler ThreatLabZ team is continuously monitoring threat actors and ensuring protection against such threats.

Acknowledgment

Thanks to Adtiya Sharma for providing support in the research.

MITRE ATT&CK TTP mapping

ID | Technique | Description
T1193 | Spearphishing Attachment | Document is delivered as an email attachment
T1086 | PowerShell | Uses PowerShell to run shellcode
T1204 | User Execution | Uses doc attachment requiring user interaction
T1140 | Deobfuscate/Decode Files or Information | Decrypts payloads during execution
T1027 | Obfuscated Files or Information | Uses encrypted payloads
T1036 | Masquerading | Uses fake GIF header magic bytes and filename
T1043 | Commonly Used Port | 443
T1008 | Fallback Channels | Uses more than one C&C
T1071 | Standard Application Layer Protocol | Uses HTTPS

Note: The TTP list above contains the TTPs observed during the campaign; a Cobalt Strike beacon has many more features. A complete list of techniques can be found here.
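The “Downloaded payload” section and the T1036 entry above describe the same trick: genuine GIF magic bytes, then shellcode, then an XOR-encrypted payload. The following is an added example, not code from the Zscaler post, showing how a triage script can tell such a file from a structurally plausible GIF and, going slightly beyond the post, recover a PE hidden behind a single-byte XOR key. The single-byte key, the DOS-stub marker used as known plaintext, the helper names and the sample file are all assumptions for the demonstration; the post states neither the key length nor the exact XOR scheme.

```python
"""Triage a file that claims to be a GIF: does its structure hold up, and
does a single-byte XOR key reveal an embedded PE behind the header?

Added example, not code from the Zscaler post. It models the post's
"Downloaded payload": a GIF89a signature followed by shellcode and an
XOR-encrypted payload. The single-byte key, the PE marker, the helper
names and the sample file are assumptions made for the demonstration.
"""
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
# Present in the DOS stub of almost every PE: a convenient known-plaintext marker.
PE_MARKER = b"This program cannot be run in DOS mode"


def looks_like_real_gif(data: bytes) -> bool:
    """Check that the bytes after the signature form a plausible GIF header.

    A real file carries a 7-byte logical screen descriptor, an optional global
    colour table, and then a block introducer (0x21 extension, 0x2C image
    descriptor or 0x3B trailer). Shellcode placed behind the magic bytes
    almost never satisfies this.
    """
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        return False
    _width, _height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    offset = 13
    if packed & 0x80:  # global colour table present: 3 bytes per entry
        offset += 3 * (2 ** ((packed & 0x07) + 1))
    if offset >= len(data):
        return False
    return data[offset] in (0x21, 0x2C, 0x3B)


def find_xor_payload(data: bytes, marker: bytes = PE_MARKER):
    """Try every single-byte key; return (key, carved_payload) or None.

    The payload is carved from the nearest 'MZ' before the marker, which is
    where the DOS header of a PE begins.
    """
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        idx = decoded.find(marker)
        if idx == -1:
            continue
        start = decoded.rfind(b"MZ", 0, idx)
        if start == -1:
            continue
        return key, decoded[start:]
    return None


# Constructed sample (not a real payload): GIF89a signature, 16 placeholder
# bytes standing in for the loader stub, then a fake PE header XORed with 0x5A.
FAKE_PE = b"MZ" + b"\x90" * 0x4C + PE_MARKER + b"\x00" * 32
XOR_KEY = 0x5A
SAMPLE_FILE = (b"GIF89a"
               + b"\x90" * 16
               + bytes(b ^ XOR_KEY for b in FAKE_PE))

# Constructed 1x1 GIF with no colour table and an immediate trailer, for contrast.
MINIMAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00" + b"\x3B"


if __name__ == "__main__":
    print("sample structurally a GIF?  ", looks_like_real_gif(SAMPLE_FILE))  # False
    print("minimal GIF structurally ok?", looks_like_real_gif(MINIMAL_GIF))  # True
    hit = find_xor_payload(SAMPLE_FILE)
    if hit:
        key, payload = hit
        print(f"XOR key 0x{key:02X}, carved {len(payload)} bytes starting {payload[:2]!r}")
```

The structural check is cheap enough to run on every image-typed download that a proxy or sandbox sees, and it is the part that survives a change of XOR key or payload: a loader that starts with GIF magic still has to put executable bytes where a real GIF would carry a screen descriptor and a block introducer. The brute force is an analyst-side step for carving the beacon once such a file has been flagged.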
IOCs

Hashes:
db89750a7fab01f50b1eefaf83a00060
bd665cd2c7468002f863558dbe110467
d8aa162bc3e178558c8829df189bff88
9c2ee383d235a702c5ad70b1444efb4d
6208516f759accb98f967ff1369c2f72
9632bec3bf5caa71d091f08d6701d5d8
a7662d43bb06f31d2152c4f0af039b6e
5cd9b0858b48d87b9622da8170ce8e5d

Network IOCs:
47.240.73[.]77
114.67.110[.]37
userimage8.360doc[.]com
image91.360doc[.]com
welcome.toutiao[.]com

Appendix

Beacon Config [9632bec3bf5caa71d091f08d6701d5d8]:

{
  "BeaconType": [ "HTTPS" ],
  "Port": 443,
  "SleepTime": 2000,
  "MaxGetSize": 1048576,
  "Jitter": 30,
  "MaxDNS": 255,
  "PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqkaeSkv+M5R/uTJPUwinLLSQ2X8C/vPURmKkkDXjabFDduIL3hsJ16AWuCdTswnKts0tqvWlVyq8UrGFhg94SILuL7dIWNTBpz3TCFhBWmg+5M9+HN9BDJV5v2MZzSzhzP71unV2uRBqo8N09SREY2qMDA/12+7hTlnzwu4dPgwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
  "C2Server": ",/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books",
  "UserAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  "HttpPostUri": "/N4215/adj/",
  "HttpGet_Metadata": [ "Accept: */*", "Host:", "session-token=", "skin=noskin;", "csm-hit=s-24KU11BB82RZSYGJ3BDK|1585758520", "Cookie" ],
  "HttpPost_Metadata": [ "Accept: */*", "Content-Type: text/xml", "X-Requested-With: XMLHttpRequest", "Host:", "sz=160x600", "oe=oe=ISO-8859-1;", "sn" ],
  "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
  "PipeName": "",
  "DNS_Idle": "",
  "DNS_Sleep": 0,
  "SSH_Host": "Not Found",
  "SSH_Port": "Not Found",
  "SSH_Username": "Not Found",
  "SSH_Password_Plaintext": "Not Found",
  "SSH_Password_Pubkey": "Not Found",
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Config": "Not Found",
  "Proxy_User": "Not Found",
  "Proxy_Password": "Not Found",
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 305419896,
  "bStageCleanup": "False",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "True",
  "bProcInject_MinAllocSize": 0,
  "ProcInject_PrependAppend_x86": "Empty",
  "ProcInject_PrependAppend_x64": "Empty",
  "ProcInject_Execute": [ "CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread" ],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": "Host:\r\n"
}

Beacon Config [a7662d43bb06f31d2152c4f0af039b6e]:

{
  "BeaconType": [ "HTTPS" ],
  "Port": 443,
  "SleepTime": 5000,
  "MaxGetSize": 2097607,
  "Jitter": 30,
  "MaxDNS": 255,
  "PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDjGBTLCLwB7GPYyUi4sZYnhkQVCfDL4WwPx+YV4YziSbxIzrKAVpZTaiD8srY15LMHBNyE4St+yozCA5JHsYE46tV9A9jiH/oiv0bfcWt5GsYTd5yD5m4FRgAq4awsASqnhLIEtolnofSOhCgQDX+m1hGT00rsK3R8MMl1DOCowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
  "C2Server": ",/s,,/s",
  "UserAgent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  "HttpPostUri": "/S",
  "HttpGet_Metadata": [ "Host:", "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Cookie: BAIDUID=NSAB29B2991BAA:FG=2", "wd", "ie=utf-8" ],
  "HttpPost_Metadata": [ "Host:", "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Cookie: BAIDUID=NSAB29B2991BAA:FG=2", "wd", "ie" ],
  "SpawnTo": "nM+xbKt6yXlj++MYE0T3iQ==",
  "PipeName": "",
  "DNS_Idle": "",
  "DNS_Sleep": 0,
  "SSH_Host": "Not Found",
  "SSH_Port": "Not Found",
  "SSH_Username": "Not Found",
  "SSH_Password_Plaintext": "Not Found",
  "SSH_Password_Pubkey": "Not Found",
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 96,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Config": "Not Found",
  "Proxy_User": "Not Found",
  "Proxy_Password": "Not Found",
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 305419896,
  "bStageCleanup": "False",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "True",
  "bProcInject_MinAllocSize": 0,
  "ProcInject_PrependAppend_x86": "Empty",
  "ProcInject_PrependAppend_x64": "Empty",
  "ProcInject_Execute": [ "CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread" ],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": ""
}

Atinderpal Singh

Gartner ZTNA and Enabling the “Work From Anywhere” Reality

Summary
The need to enable work from anywhere is accelerating adoption of ZTNA services
Gartner's newly released guidance around ZTNA technologies
Five considerations for selecting a ZTNA service

The recent movement to large remote workforces has accelerated the adoption of cloud-based technologies. But there's one in particular, called zero trust network access (ZTNA), that has been enabling the remote workforce. This is due to ZTNA's ability to scale at a moment's notice while providing a great experience for users. And as the world begins to open up and IT leaders cope with the new reality of work from anywhere, security must remain top of mind.

Traditional networks, VPNs, and DMZs use IP addresses and network locations to establish network connectivity for users. This architecture was designed to provide access to apps in the data center, not a hybrid and multicloud world. Because of this, users are left frustrated by a highly latent experience. The reliance on network connectivity also leads to excessive trust and exposure of network resources to the internet. Bad actors take advantage of this exposure, targeting users as a means of gaining access to sensitive data accessible on the network. I call it risk with no reward.

Network teams, risk managers, and infrastructure security teams are constantly forced to decide whether to reinvest in old architectures or to replace them with a modern, cloud-based approach.
This tug of war between old and new is, at times, uncomfortable but must be overcome.

Reintroducing ZTNA

We first wrote about zero trust network access (ZTNA) last year when Gartner released its initial Market Guide for Zero Trust Network Access back in April 2019. Recently, Gartner announced an updated version of the guide. As a reminder, Gartner defines ZTNA as "products and services that create an identity- and context-based, logical-access boundary encompassing a user and an application or set of applications.”

Ever since users and applications gained the ability to work and run outside the network, the classic network perimeter has eroded (if you don’t control the network, you can’t do network security). ZTNA allows authorized users to have identity- and context-based access to specific applications—and never the network. This level of precision ensures that access is limited in scope and that applications are never exposed to the internet. Since users are never on the network, this also removes the potential for lateral movement on the network, a common way that malware spreads.

Since many ZTNA services are cloud-based and hosted by the vendor, they bring with them all the benefits you can expect from the cloud. More points of presence lead to a better user experience. Like Netflix, Airbnb, or any cloud service, a distributed cloud brings more scale and agility in times of need. It also brings security to where your users are, ensuring you always have the level of security required regardless of their location, device, or even the app or app environment. We also extended the ability for customers to run a piece of our cloud in their own data center so their on-premises users can benefit from ZTNA too. There are no appliances to manage or long lists of firewall rules required. You simply define the user and hostname policies, with the cloud service—which is always running—enforcing them for you.
With users and applications already in the cloud, it makes sense for your secure access capabilities to live there as well.

Getting started

Teams often ask us where they should begin with ZTNA and for guidance around putting a plan in place. We urge them to just pilot ZTNA projects (we even created a ZTNA test drive for our ZPA service to help). Of course, this should be part of a larger strategy that is not solely focused on private apps, but a broader initiative around the use of a cloud-delivered access service to provide access to all apps. Gartner calls this the secure access service edge (SASE).

Many organizations begin by using ZTNA as an alternative to their VPN, especially given the abundance of remote work being done today. As you think about your access strategy going forward, and how it relates to your plan for opening offices back up, consider using ZTNA for on-premises users as well. This will bring the same user-to-app segmentation on-premises that is valued when users are remote. In turn, it will help you reduce the complexity of network segmentation, reduce the risk of lateral movement on your network, and instead rely on identity-based access based on policy and enforced by a local broker (while hosted by you, the software package is still managed by the ZTNA vendor).

If your organization is likely to embrace a consolidation strategy over the next few years, also consider ZTNA to accelerate IT integration during M&A or divestitures. This removes the need to consolidate networks, allows you to standardize security levels across multiple entities, and ensures that users are productive as quickly as possible.

Five things to keep in mind when selecting a ZTNA service

When considering ZTNA, be sure to evaluate a cloud-based ZTNA service. This will come in handy, especially now with many users still working remotely during the pandemic.
You won’t need to worry about capacity limitations or be constrained by bandwidth (that was the old appliance-based world).

Make sure the vendor has trusted brokers running across enough locations to ensure your users have the best experience possible. A good rule of thumb is that the more points of presence available, the more you’ll be able to reduce latency. Users will appreciate that.

Choose a vendor that can support both web and legacy apps, not a vendor that is limited to web applications. You most likely have legacy and custom applications that are not web-based.

Since work from anywhere will mean a mix of BYOD and managed devices, ensure the ZTNA service has the ability to support each. This will require the option to support access both without an endpoint agent (BYOD) and with one (managed devices).

Prioritize ZTNA vendors that integrate with end-user management technologies (e.g., CrowdStrike, Carbon Black, Microsoft, etc.) for simpler deployment of the agent and advanced device posture management.

I wish you good fortune as you look to support your “work from anywhere” workforce and maintain the security of your private apps while doing so. ZTNA will, I’m sure, make things easier for you. We’re here if you need any guidance along the way.

More resources:
Read the Gartner Market Guide for Zero Trust Network Access
Check out our Zscaler Private Access data sheet
Take ZPA for a Free Test-Drive
Hear from National Oilwell Varco about the ways they're using Zscaler Private Access

Chris Hines is Director of Product Marketing for Zscaler Private Access

Christopher Hines

Meet Zscaler: From Sales to Enablement - How Megan Allen Found Her Passion

Though Megan Allen’s enthusiasm for sales may have started at age five, she wasn’t afraid to pursue a new career direction at Zscaler. Enablement and helping others is where she finds her passion.
In her spare time, she runs with her dog, goes to UNC Chapel Hill basketball games with her husband, and loves refurbishing old furniture. See why Megan is one reason Zscaler is a Great Place to Work!

Tell us about your background

I grew up in central North Carolina, near Chapel Hill, and went to college at Methodist University in Fayetteville, NC, where I got a degree in business administration with a minor in club and resort management. After college, I moved to Charlottesville, Virginia, and took a job at a Forbes Five-Star resort called Keswick Hall. I worked originally in food and beverage there, as the club manager, then moved into sales for group events. In 2016, I took a job at Marriott International as a sales executive and fell in love with sales even more. My first year in the role, I achieved President’s Circle, and months later received a promotion to senior account executive and relocated back to North Carolina. In this new role, I supported 20 enterprise accounts that were headquartered in Greensboro, NC, and helped with their group travel needs—including large conferences and tradeshows—and organized any transient rates they needed set up globally.

What drew you to Zscaler?

I had always wanted to get into the tech industry, but never thought I could because of my hospitality background. Despite my doubts, I decided to look into tech jobs because Raleigh is a booming area for tech companies. In January 2019, I found a sales development representative position at Zscaler. Though I was taking a few steps back from where I had progressed in the hospitality world, I knew that was what it was going to take to get into a new industry. I took on the sales development rep (SDR) role at Zscaler in the Raleigh office and absolutely loved it! During that time, I specifically focused on SLED (public sector) East accounts. I loved the team, the fast-paced environment, the grind, and the competitiveness that naturally came with the job.
I performed really well in the role and crushed my goals. I like to think that my success came from having a different lens since I had a hospitality background, but I am sure it was a mix of several different things.

How did you transition to your current role as a sales enablement program manager?

When I first started, the SDR team had five or six people in the Raleigh office, and it’s now about 18. We grew quickly, so I had the opportunity to help managers onboard several new SDRs, and I really, really loved it. I loved enabling them, helping them learn, and I found a lot of passion in something I didn’t know I was passionate about. After nine months at Zscaler, I talked to my manager about potentially focusing solely on onboarding. At the time I didn’t know enablement existed, and I didn’t know that the enablement team was growing. We tossed around different ideas and several weeks later, the sales enablement manager for the commercial sales team was posted. I took the role in December and have been moving a million miles a minute since then, but I’m truly enjoying it.

What do you do in your role at Zscaler?

My role is constantly changing, which keeps it interesting. I’m mainly focused on onboarding all new commercial reps, so that includes SDRs, corporate and territory reps, and renewals reps. I’m dedicated to onboarding them for their first two weeks and then setting up continued enablement for those teams across the globe when they need help in specific areas. Continued enablement might include objection handling, creative pipeline generation (PG), or anything sales process-related. On top of my focus areas within the commercial sales team, I also help out the sales strategy and enablement team (SSEN) on various other projects. A fun side gig is hosting our bi-weekly Rev Up LIVE webinar for our sales organization.
This is a fun, segmented show where we bring new updates to the team, talk about best practices in the field, and highlight a variety of other topics. What’s your favorite Zscaler memory thus far? I have a lot of favorite memories at Zscaler! As part of the public sector team, watching it grow, and being part of its success has been a big highlight. Also, being promoted internally to a job where I have found my passion is a huge milestone in my career. I love helping people. Coming up with creative ideas, collaborating, and helping people where they need help is where I find my passion, and being able to identify a role that aligns with that has been amazing. I think one of my favorite memories at Zscaler thus far was having the opportunity to launch a new enablement tool at our Halftime event in February for our entire sales organization. Originally, I was tasked with leading a breakout session but was then asked to host a main-stage launch, which was terrifying but really exciting all at the same time. Presenting on a stage in front of more than 300 peers gives you a new appreciation for public speaking. What’s a fun fact about you? I was a competitive figure skater growing up. It’s a really random sport for someone from North Carolina, but I started when I was five years old and reached Junior level before quitting to go to college. Looking back, figure skating could potentially be what really sparked my career in sales. I remember wanting to go to a skating camp in Canada, but my mom told me I’d have to raise money in order to go. So I recruited my mom and grandmother to help me make our family recipe for chicken Brunswick stew and made it to sell to friends, family, and members of my church. Every summer, when it was time to go to skating camp, I’d break out my list of previous customers and call down the list. I’d even upsell them and say, “You only ordered two quarts last year, do you want to order three this year? 
You can freeze them!” Looking back, 8-year-old me was fearless, and this is probably the first glimpse into my future sharky salesperson mentality. What do you like to do outside of work? I enjoy anything outdoors—I like hiking and running. I go on runs with my husky Afton and sometimes he’s the one pulling me along. My husband and I are huge fans of UNC Chapel Hill and go to most of the home basketball games - GO HEELS! We also love traveling and are avid (Baltimore) Ravens fans, so we have a goal of seeing an NFL game in every stadium, which gives us the motivation to explore many great cities around the country. I also really enjoy refurbishing furniture. I buy cheap old furniture that’s scuffed up, and I sand, repaint and install new hardware as needed. I’ve made pieces for friends but sometimes keep them for my own home. My mom owns an antique consignment shop at the beach, so I sometimes redo furniture and put it in her store for sale, though I’m then often limited to painting everything a different shade of blue because it’s by the beach. I get really excited whenever something sells, and love to think that something I’ve made will be enjoyed in someone else's home. What advice do you have for someone looking to get into sales or enablement? Don’t be afraid to start back at the bottom. I know that can be a scary thing, especially for someone entering a new industry, but don’t be afraid to take a step back and learn from the ground up. Take chances, whenever an opportunity is presented to you. I’m not saying become a ‘yes man,’— you need to know your bandwidth—but also know that if a leader has given you that opportunity, it’s because they know that you’re capable of achieving it. Take on that challenge to demonstrate your creativity, leadership skills, and to develop your career. Take on those challenges, don’t be afraid to speak up, and don’t be afraid to put yourself out there! 
Join Megan and the rest of the team

Visit our careers page to explore opportunities in sales enablement program management as well as the many other roles in which you can help Zscaler drive secure digital transformation for enterprises around the world.

Read Next:
Meet Zscaler: How Becky Miller Balances Profession and Passion
Meet Zscaler: What Three Years at Zscaler Means to Carolina Monge
Meet Zscaler: How a Busy Family Man, Salesman, and Outdoorsman Just Keeps Truckin’

Kristi Myllenbeck

A New At-Home Workforce in 48 Hours

Nitin Agarwal is the President and Group CIO, CTO and Chief Digital Officer of Edelweiss Financial Services.

The past few months have been, to say the least, a challenge for organizations around the world. Keeping an organization up and running while ensuring that your new at-home workforce is productive and secure is not an easy task. We at Edelweiss Financial have been affected by this global pandemic, as well. However, our transition from more than 11,000 employees working in 450 offices around the globe to having all of them work from home was made easier as we had already been working on a business continuity plan, although it wasn’t in anticipation of anything on the scale of what is happening today.

As part of that plan, we had been working on moving away from a hardware- and perimeter-based infrastructure to a more software-defined and zero trust-based model. To that end, about six months ago, we successfully deployed Zscaler Internet Access (ZIA). So, when we realized that we needed to implement a private access solution to ensure that our staff and colleagues could gain secure access from home, we turned to Zscaler Private Access (ZPA). The service was rolled out to our entire staff within 48 hours, and that couldn’t have come at a better time, as our legacy infrastructure wasn’t built to handle the immense growth in traffic brought about by our employees suddenly working from home.

For example, when they were in the office, our employees would hold around 20 to 30 video meetings each day using Microsoft Teams. While working from home, that number has risen to about 2,500 video meetings each day. In addition, we used to have about 1,000 users logging in concurrently to our various internal networks. These days, we have about 4,000 users concurrently logging into our secure application while working from home. Needless to say, increases like this would have killed our VPN infrastructure.

Being a financial services company, the security of our data (and our customer data) is of paramount importance. So even though people are working from home, we could not relax on our security standards. This became an even greater challenge as we discovered that the majority of our employees used desktop computers in the office and didn’t have company-supplied devices to use at home. But it was an issue we were able to overcome with ZPA. As of today, about 95 percent of our staff is working from home, and they're fully enabled and accessing internal and external applications using ZIA and ZPA.

In the end, we achieved our goal of securely implementing a work-at-home program for our employees without disruption or loss of productivity. It’s been great for us to implement and enable so many people in such a short time. What was made clear to us during this entire exercise was that, if your infrastructure is not dependent on any particular hardware and location, you will be in much better shape to successfully handle the many challenges that lie ahead in our growing cloud and mobile world.
If you enjoyed this post, you might also enjoy:
Going Virtual: Lessons Learned from Scaling to More Than 6,500 Remote Offices by Craig Williams, CIO of Ciena
How an Outage Prepared CAPTRUST for a Pandemic by Jon Meyer, CTO, CAPTRUST
Johnson Controls Accelerated its Cloud Transformation to Deliver Life-Safety Services During COVID-19 by Peter Daly, Director of Network Services – Global Infrastructure, Johnson Controls

Nitin Agarwal

The Return of the Higaisa APT

Cybercriminals often use LNK files attached to an email to launch an attack on unsuspecting victims, and we recently noticed another campaign using this technique. In May 2020, we observed several LNK files in the wild, which we attribute to the same threat actor based on code overlap, similar tactics, techniques and procedures (TTPs), and a similar backdoor. For those who are unfamiliar, an LNK file is a shortcut or "link" used by Windows as a reference to an original file, folder, or application, similar to an alias on the Macintosh platform.

The final backdoor, to the best of our knowledge, has not been documented before in the public domain. Malwarebytes recently published a blog about this attack, but the details of the backdoor were not covered there. This backdoor uses sophisticated and deceptive techniques, such as FakeTLS-based network communication over a duplicated socket handle and a complex cryptographic key derivation routine.

We attribute this attack (with a moderate confidence level) to the South Korean advanced persistent threat (APT) actor Higaisa. The decoy files used in the two instances of the LNK attack targeted users of Chinese origin. The infection chain used by the LNK files is very similar to the instance observed in March 2020 by Anomali, and the C&C network infrastructure was correlated to Higaisa APT.
In this blog, we provide a detailed description of the distribution strategy, threat attribution, shellcode, anti-analysis techniques, and the final backdoor of this campaign.

Distribution strategy

The LNK files used by this threat actor contain decoy files that are displayed to the user while the malicious activities are carried out in the background. The decoy content can be an internet shortcut file (.url file extension) or a PDF file. In this section, we describe the various themes used in this campaign.

On May 12, 2020, we discovered two LNK files that used the Zeplin platform as the decoy theme. Zeplin is a collaboration platform used by developers and designers in the enterprise industry. The details of the LNK files are:

MD5 hash: 45278d4ad4e0f4a891ec99283df153c3
Filename: Conversations - iOS - Swipe Icons - Zeplin.lnk

MD5 hash: c657e04141252e39b9fa75489f6320f5
Filename: Tokbox icon - Odds and Ends - iOS - Zeplin.lnk

These LNK files contain internet shortcut files that are opened by the web browser installed on the system. The URLs correspond to a Zeplin project, as shown below:

Project URL for file with MD5 hash 45278d4ad4e0f4a891ec99283df153c3
Project URL for file with MD5 hash c657e04141252e39b9fa75489f6320f5

If the user is not logged into the site, it is redirected to the login page, as shown in Figure 1.

Figure 1: The login page displayed by Zeplin.

The previously mentioned LNK files were present inside a RAR archive with the following information:

MD5 hash of RAR archive: 2ffb817ff7ddcfa216da31f50e199df1
Filename: Project link and New copyright policy.rar

The contents of the RAR archive are shown below:

Project link and New copyright policy
├── All tort's projects - Web lnks
│   ├── Conversations - iOS - Swipe Icons - Zeplin.lnk
│   └── Tokbox icon - Odds and Ends - iOS - Zeplin.lnk
└── Zeplin Copyright Policy.pdf

The contents of the decoy PDF are related to Zeplin’s copyright policy, as shown in Figure 2.

Figure 2: The decoy PDF displaying Zeplin’s copyright policy notice.

On May 30, 2020, we discovered two more LNK files, which we attribute to the same threat actor, as described below.

MD5 hash: 4a4a223893c67b9d34392670002d58d7
Filename: Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk

This LNK file drops a PDF file at runtime and opens it with the default PDF viewer on the system.

MD5 hash of the dropped PDF file: 4dcd2e0287e0292a1ad71cbfdf99726e
Filename of decoy PDF: Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf

The contents of this PDF file, the CV (curriculum vitae) of a student from Hong Kong Polytechnic University, are shown in Figure 3.

Figure 3: The decoy PDF displaying the CV of a student from Hong Kong Polytechnic University.

The second LNK file we observed on May 30, 2020, drops a PDF corresponding to the International English Language Testing System (IELTS) results of a student:

MD5 hash of the dropped PDF file: 28bfed8776c0787e9da3a2004c12b09a
Filename of decoy PDF: International English Language Testing System certificate.pdf

Figure 4: A student's IELTS examination results.

LNK metadata analysis

The LNK file format contains a wealth of metadata that can be used for attribution and for correlating files to a particular threat actor. While most of the metadata in the LNK files from this attack had been erased, we found the Security Identifier (SID) value preserved in them.
Using the LECmd tool, we extracted the SID value from the LNK files, detailed in the table below:

LNK file MD5 hash                   SID value
997ab0b59d865c4bd63cc55b5e9c8b48    S-1-5-21-1624688396-48173410-756317185-1001
c657e04141252e39b9fa75489f6320f5    S-1-5-21-1624688396-48173410-756317185-1001
4a4a223893c67b9d34392670002d58d7    S-1-5-21-1624688396-48173410-756317185-1001
45278d4ad4e0f4a891ec99283df153c3    S-1-5-21-1624688396-48173410-756317185-1001

We wrote a YARA hunting rule to discover other LNK files in the wild with the same SID value:

rule ZS_LNK_SID
{
    strings:
        $a = "S-1-5-21-1624688396-48173410-756317185-1001" wide
    condition:
        $a
}

The only instances we found were the above four LNK files. So, in addition to other indicators shared between these four LNK files, the common SID value helped us to further attribute them to the same threat actor.

Technical analysis

For the purpose of technical analysis, we use the LNK file with MD5 hash 45278d4ad4e0f4a891ec99283df153c3.

If the Chrome browser is already installed on the machine, the LNK file displays the Chrome browser icon, because the IconFileName property in the LNK file is set to the path of the Chrome browser:

IconFileName - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

The target property of the LNK file specifies the command that is executed at runtime, as shown in Figure 5.

Figure 5: The LNK command target.

This command starts the infection chain and involves multiple stages, as detailed below:

1. Copies the original LNK file to the temporary directory at the location %temp%\g4ZokyumB2DC.tmp
2. Iterates over the files in the C:\Windows\System32 directory to search for certutil.exe
3. Copies certutil.exe to %temp%\gosia.exe
4. Uses findstr.exe to search for the marker “TVNDRgA” inside the original LNK file.
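The marker step above, together with the certutil decode and CAB expansion that follow it, can be reproduced offline for triage: "TVNDRgA" is simply the base64 encoding of the CAB magic "MSCF\0", so a script can locate and decode the embedded cabinet without ever executing the shortcut. The following is an added example (not ThreatLabZ code); the shortcut bytes it carves from are constructed, not a real sample.

```python
# Added example (not ThreatLabZ code): carve the base64-encoded CAB payload
# that this LNK chain hides inside the shortcut file, the way
# findstr + certutil -decode recover it, but without running the LNK.
import base64
import binascii
import re
import struct
from typing import Optional, Tuple

CAB_MARKER = b"TVNDRgA"      # base64 prefix of b"MSCF\x00" (CAB signature)
CAB_MAGIC = b"MSCF"
CFHEADER_LEN = 36
# A base64 run starting at the marker: body characters, optional CR/LF
# (certutil tolerates line breaks), then up to two '=' padding characters.
B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]+={0,2}")


def carve_cab(lnk_bytes: bytes) -> Optional[bytes]:
    """Return the decoded CAB blob embedded after the marker, or None."""
    pos = lnk_bytes.find(CAB_MARKER)
    if pos < 0:
        return None
    run = B64_RUN.match(lnk_bytes, pos).group(0)
    run = run.replace(b"\r", b"").replace(b"\n", b"")
    # Binary bytes that follow the blob may happen to be base64 characters;
    # trimming to a multiple of 4 keeps the strict decoder from rejecting it.
    run = run[: len(run) - len(run) % 4]
    try:
        blob = base64.b64decode(run, validate=True)
    except binascii.Error:
        return None
    if not blob.startswith(CAB_MAGIC) or len(blob) < CFHEADER_LEN:
        return None
    # CFHEADER.cbCabinet (u32 LE at offset 8) is the exact cabinet size, so
    # anything decoded beyond it is trailing garbage from the LNK.
    size = struct.unpack_from("<I", blob, 8)[0]
    return blob[:size] if size <= len(blob) else None


def cab_info(cab: bytes) -> Tuple[int, int, int]:
    """Return (cbCabinet, cFolders, cFiles) from a CFHEADER."""
    size = struct.unpack_from("<I", cab, 8)[0]
    folders, files = struct.unpack_from("<HH", cab, 26)
    return size, folders, files


def build_sample_lnk() -> bytes:
    """Constructed stand-in for the shortcut: LNK-like prefix, then the
    base64 cabinet (a minimal 36-byte CFHEADER) surrounded by binary junk."""
    hdr = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, CFHEADER_LEN, 0,
                      CFHEADER_LEN, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    b64 = base64.b64encode(hdr)
    assert b64.startswith(CAB_MARKER)   # the marker is a property of the format
    return (b"L\x00\x00\x00" + b"\x01\x14\x02\x00" + b"\x00" * 20 +
            b"\r\n" + b64 + b"\r\n" + b"\x00\x01\x02\x03")


if __name__ == "__main__":
    cab = carve_cab(build_sample_lnk())
    print("carved cabinet:", cab_info(cab) if cab else "none")
```

The same marker is a cheap hunting signature for LNK files on disk or in mail attachments, independent of the SID-based YARA rule above.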
5. Using the marker, extracts a base64-encoded blob to the temporary file %temp%\cSi1rouy.tmp
6. Uses certutil.exe to decode the base64-encoded blob to the file %temp%\o423DFDS.tmp. The resulting decoded file is in the CAB file format.
7. Uses expand.exe to extract the contents of the CAB file to the %temp% directory.

The components of the CAB file are shown in Figure 6.

Figure 6: The CAB file contents.

Here is a brief description of each component of the CAB file. They are described in more detail later in the blog.

3t54dE3r.tmp – Contains the shellcode that is loaded and executed at runtime.
34fDFkfSD32.js – The JavaScript that is used to initiate the infection chain after extraction of the CAB file contents.
Conversations - iOS - Swipe Icons – Zeplin.url – The internet shortcut file that is used to open the Zeplin project URL with the Chrome browser on the machine.
Svchast.exe – The shellcode loader binary, which spoofs the name of the legitimate Windows binary svchost.exe.

Other details include:

The LNK file opens the internet shortcut file (which opens by default with the web browser and loads the URL).
It copies the CAB file component 3t54dE3r.tmp to the location C:\Users\Public\Downloads\3t54dE3r.tmp
It uses wscript.exe to execute the JavaScript file 34fDFkfSD32.js

JavaScript file analysis

MD5 hash of the JavaScript file: a140420e12b68c872fe687967ac5ddbe

The contents of the JavaScript are shown in Figure 7.

Figure 7: The JavaScript file contents.

Below are the main operations performed by this JavaScript file:

It runs the ipconfig command to gather information about the machine's network adapter configuration and redirects the results of this command to the file C:\Users\Public\Downloads\d3reEW.txt
It copies svchast.exe to the Startup directory at %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\officeupdate.exe for persistence.
It copies svchast.exe to the location C:\Users\Public\Downloads\officeupdate.exe
It uses schtasks.exe to create a scheduled task with the name “Driver Bootser Update”, which is used to execute the officeupdate.exe binary.
It executes the svchast.exe binary.
It sends an HTTP POST request to the bot-registration URL (listed in the IOCs section) and exfiltrates the ipconfig output gathered from the machine.

Shellcode loader analysis

MD5 hash: a29408dbedf1e5071993dca4a9266f5c
Filename: svchast.exe

The file svchast.exe loads the shellcode stored in the file 66DF3DFG.tmp at the path C:\Users\Public\Downloads\66DF3DFG.tmp. This path is hardcoded in the loader. The shellcode is loaded using the following steps:

It reads the contents of the file C:\Users\Public\Downloads\66DF3DFG.tmp into a newly allocated memory region marked with PAGE_EXECUTE_READWRITE permission.
It transfers control to this memory region to start execution of the shellcode.

Shellcode analysis

In this section, we detail the interesting code sections of the shellcode.

Anti-debugging technique

The shellcode uses an anti-debugging technique that calculates a 32-bit hash of its code section. This is done to detect software breakpoints or any tampering with the code for the purpose of reverse engineering. When a software breakpoint is set in a debugger, the debugger writes a byte with the value 0xCC in place of the original operation code (opcode), which corrupts the hash calculation. Such anti-debugging techniques can be easily bypassed by using hardware breakpoints instead of software breakpoints, since hardware breakpoints do not modify the code bytes.
As an example, let us set a software breakpoint at the comparison instruction right after the hash calculation and check the resulting hash (shown in Figure 8).

Figure 8: Software breakpoint detection by the anti-debugging technique in the shellcode.

As can be seen in Figure 8, the software breakpoint corrupted the computed hash, which lets the code detect the presence of a debugger. The shellcode exits if it detects a debugger. However, if we set a hardware breakpoint, the computed hash is correct, as shown in Figure 9.

Figure 9: A hardware breakpoint bypasses the anti-debugging technique in the shellcode.

We re-wrote the algorithm used by the shellcode to calculate the hash of the code section in Python; it can be found in Appendix I.

Decryption of data in the buffer

The shellcode uses a 16-byte XOR key to decrypt the data, as shown in Figure 10.

Figure 10: Decryption of the data in the buffer using XOR.

The 16-byte XOR key used for decryption is:

key = [0xE4, 0xFD, 0x23, 0x99, 0xA3, 0xE1, 0xD3, 0x58, 0xA6, 0xCC, 0xDB, 0xE8, 0xF2, 0x91, 0xD2, 0xF8]

We re-wrote the decryption code in Python; it can be seen in Appendix II. Since we believe this to be a new backdoor, we have shared the complete list of decrypted strings in Appendix IV for reference.

Key generation routine

In the first thread created by the shellcode, it generates a cryptographic session key that is later transmitted to the C&C server to protect the communication channel between the bot and the server. In this section, we detail the key generation routine. Multiple parts are concatenated together to form the final key.

Part 1:

It calls UuidCreate() to generate a UUID.
It uses the format string “%08X....-%04X...-%0llX” to format the UUID using sprintf(). Example UUID: DB7C6235-FD1A-45B6-224F868

Part 2:

It calls UuidCreate() to generate a 16-byte UUID.
The last byte of the UUID is used to generate a byte that is later used to perform the ROR operation.
It uses an ROR- and ADD-instruction-based algorithm to compute a 32-bit hash that is appended to the first two steps (listed above). The algorithm used to compute the 32-bit hash is similar to the one used in the anti-debugging section and has been re-written in Python in Appendix I.
Format: uuid2 = [<--- 16 bytes of UUID --->] [ROR byte 0x00 0x00 0x00] [32-bit hash]
It uses CryptBinaryToStringA() to generate base64-encoded data from uuid2.

Part 3:

It uses Windows Crypto APIs to generate an MD5 hash of uuid1 (from Part 1). Before the hash is calculated, the length of the UUID is extended to 0x48 bytes by padding with null bytes. This can be re-written in Python as:

data = uuid1 + "\x00" * (0x48 - len(uuid1))
md5 = hashlib.md5()
md5.update(data)
hash1 = md5.hexdigest()

It calculates an MD5 hash of the above-generated hash once again: hash2 = md5(hash1)
It uses CryptDeriveKey() to derive a 128-bit AES key.

Figure 11: The cryptographic session key derivation routine.

It pads hash2 with null bytes to extend the length to 0x48 bytes and then encrypts it using the AES-128 key derived in step 3 above. The encrypted hash is used to derive the AES key for encryption.

All these parts are concatenated together before being transmitted to the C&C server to register the AES key for encrypted communication.

Initialization of a TLS session

After decrypting the C&C server address, the shellcode sends an HTTP GET request to fetch the resource “msdn.cpp” on the server. WinHttpSetOption() is used to set the WINHTTP_OPTION_SECURITY_FLAGS value to 0x3300 (the four SECURITY_FLAG_IGNORE_* certificate flags combined), which allows it to ignore any certificate errors that occur at the time of the request. Figure 12 shows that the Content-Length request header field in the HTTP GET request is set to 0xffffffff manually at the time of invoking WinHttpSendRequest().
Figure 12: The initial request sent to the C&C server, for deception purposes, to make it look like a TLS session.

The HTTP GET request looks like:

GET hxxps://45.76.6[.]149/msdn.cpp HTTP/1.1
Connection: Keep-Alive
User-Agent: WinHTTP/1.1
Content-Length: 4294967295    << this field was manually set to -1 by the shellcode
Host: 45.76.6[.]149

This HTTP GET request is sent for deception purposes, to make it look like a valid TLS session. As we will see later, a FakeTLS session is used by the shellcode for C&C communication with the server.

Duplication of socket - ShadowMove similarity

We discovered an interesting code section in this shellcode that creates a duplicate socket to connect to the C2 server. The method is very similar to the ShadowMove lateral movement technique presented at USENIX Security 2020. At first glance, due to the high level of code overlap between this shellcode and that technique, we believed it to be using ShadowMove for lateral movement. On further inspection, however, we concluded that the technique is used to create a duplicate socket for the FakeTLS communication described in the next section.

Below are the steps used by the shellcode to create the duplicate socket used for communication with the C2 server:

1. It calls the NtQuerySystemInformation() native API with the InfoClass parameter set to SystemExtendedHandleInformation (0x40). This fetches detailed information for all handles and their corresponding object names. The information is returned as SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX structures.
2. It uses GetCurrentProcessId() to find the process ID of the current process.
3. It compares the UniqueProcessId member of the SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX structure with the current process ID. If they are equal, it proceeds to the next step.
4. It compares the HandleValue member of the SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX structure with the socket handle. If they are equal, it proceeds to the next step.
5. It creates a new thread that calls the native API NtQueryObject() to retrieve information about the object. The information is returned in the structure __PUBLIC_OBJECT_TYPE_INFORMATION.
6. If the TypeName member of the __PUBLIC_OBJECT_TYPE_INFORMATION structure is equal to “\Device\Afd”, it proceeds to the next step. It is important to note that Windows sockets have the object type “\Device\Afd”.
7. It calls getpeername() to get the IP address and port number corresponding to the above socket.
8. It compares the IP address and port number with the expected values corresponding to the C&C server.
9. If the correct socket is found, it calls DuplicateHandle() to duplicate this socket.

Figure 13 shows the code section that locates the socket handle.

Figure 13: The subroutine used to iterate over system handles.

Figure 14 shows the code section that checks whether the socket handle corresponds to the socket used to communicate with the C&C server.

Figure 14: The subroutine used to locate the target socket handle used to communicate with the C&C server.

FakeTLS

We observed an interesting use of the FakeTLS method in this shellcode. It creates a FakeTLS header using the byte sequence [0x17 0x03 0x01], as shown in Figure 15.

Figure 15: The subroutine used to craft the FakeTLS header.

It is important to note that this FakeTLS method has been used in the past by APT groups such as Lazarus. The reason for using this technique is to confuse network monitoring security systems that do not perform proper SSL inspection and, as a result, allow the traffic to pass through. We also noticed two requests sent by the bot using the FakeTLS header in the initialization phase.

Request 1 [Fake session key]

In the first request, the routine:

1. Uses time() to get the current time.
2. Uses srand() to seed the pseudo-random number generator with the value obtained in step 1.
3. Uses rand() to generate a random number.
4. Generates a total of 0xC3 random bytes using the above method.
5. Appends a total of 0x3C bytes with the value 0xAD to the data generated in step 4.

So a total of 0xFF bytes are generated in the format [0xC3 bytes of random data][0x3C bytes with value 0xAD]. This data is appended to the FakeTLS header and sent to the C&C server using ws2_32.send(), as shown in Figure 16.

Figure 16: The FakeTLS packet appended with random data.

It is important to note that this memory chunk is freed using VirtualFree() after it is sent in a request to the C&C server. So we do not believe this was used as a session key, because in that case the bot would have to preserve the key somewhere.

Request 2 [Real session key]

In the second request sent to the C&C server, we noticed the FakeTLS header appended with the cryptographic session key generated earlier, as shown in Figure 17.

Figure 17: FakeTLS header appended with the cryptographic session key.

The data appended to the FakeTLS header has the following format:

[command padded to 4 bytes][size padded to 4 bytes][base64-encoded data from Part 2][hash2 - padded to 0x48 bytes][AES-128 encrypted key]

Below is an example of a packet with the FakeTLS header and the data appended after it. The structure of the packet is detailed in Figure 18.

Figure 18: The packet structure containing the FakeTLS header and the custom format used for C&C communication.

Other messages contain encrypted data right after the TLS header.

C&C communication

The shellcode creates two more threads that work together to handle the commands exchanged between the backdoor and the C&C server. Below are the main steps used by the C&C command handler:

It creates a dispatch thread that handles the commands posted to it by the worker thread.
The dispatch thread creates a message queue using the PeekMessageW() API.
The worker thread sends the message ID along with the command buffer to the message queue using the PostThreadMessageW() API.
Once a message is posted to the dispatch thread by the worker thread, it is retrieved using the GetMessageW() API. This message is dispatched to the appropriate command handler based on the ID of the message, as detailed below.

There are two sets of command IDs: one corresponds to commands from client to server and the other to commands from server to client. Each command has a corresponding size. As examples:

Client to server: The command ID 0x65 corresponds to the backdoor registering the system ID (calculated using the UUID) and the cryptographic session key with the C&C server, as shown in Figure 18 above.
Server to client: The command ID 0x64 is used to receive the encryption key that the client will use to encrypt the data sent to the server.

At the time of analysis, the C2 server was not responding, so we cannot conclusively determine the full set of commands supported by this backdoor.

Zscaler Cloud Sandbox detection

Figure 19 shows the Zscaler Cloud Sandbox successfully detecting this LNK-based threat.

Figure 19: The Zscaler Cloud Sandbox detection.

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels: LNK.Dropper.Higaisa

Conclusion

This new instance of attack from the Higaisa APT group shows that they are actively updating their tactics, techniques and procedures (TTPs) and incorporating new backdoors with evasion techniques. The network communication protocol between the backdoor and the C&C server is deceptive and complex, designed to evade network security solutions. Users are advised to take extra precaution when opening LNK files sent as email attachments. LNK files can carry the file icon of legitimate applications, such as web browsers or PDF readers, so the source of the files should be verified before opening them.
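The FakeTLS framing described above is also what gives the backdoor away on the wire: a genuine TLS client opens with a ClientHello (record type 0x16), never with an application-data record, and the first payload has the fixed 0xC3 random + 0x3C x 0xAD shape. The following flow check is an added example (not ThreatLabZ code); the flows it inspects are constructed, not captured traffic, and the little-endian byte order of the 4-byte command field is an assumption, since the post gives the value (0x65) but not its encoding.

```python
# Added example (not ThreatLabZ code): flag the FakeTLS framing used by this
# backdoor from the client-to-server payloads of one TCP connection (e.g. a
# port 443 flow reassembled from a pcap).
import os
from typing import List

FAKE_TLS_HDR = b"\x17\x03\x01"   # TLS record type 23 (application data), v3.1
TLS_HANDSHAKE = 0x16             # record type 22: a real client opens with this
RANDOM_LEN, PAD_LEN, PAD_BYTE = 0xC3, 0x3C, 0xAD
REGISTER_CMD = 0x65              # client->server: register system ID + key
# The post describes a 3-byte header; if a record-length field follows it in
# a given sample, extend FAKE_TLS_HDR handling accordingly.


def inspect_client_flow(payloads: List[bytes]) -> List[str]:
    """Return one finding per suspicious client message (empty if clean)."""
    findings: List[str] = []
    if not payloads:
        return findings
    opened_with_handshake = payloads[0][:1] == bytes([TLS_HANDSHAKE])
    for i, msg in enumerate(payloads):
        if not msg.startswith(FAKE_TLS_HDR):
            continue
        body = msg[len(FAKE_TLS_HDR):]
        if not opened_with_handshake:
            findings.append(f"msg {i}: application-data record with no prior "
                            f"handshake (FakeTLS)")
        if (len(body) == RANDOM_LEN + PAD_LEN
                and body[RANDOM_LEN:] == bytes([PAD_BYTE]) * PAD_LEN):
            findings.append(f"msg {i}: 0xC3 random + 0x3C x 0xAD fake session "
                            f"key (Higaisa request 1)")
        elif len(body) >= 8 and int.from_bytes(body[:4], "little") == REGISTER_CMD:
            # Assumption: 4-byte command is little-endian (not stated in the post).
            findings.append(f"msg {i}: command 0x65 registration packet "
                            f"(Higaisa request 2)")
    return findings


def build_fake_tls_flow() -> List[bytes]:
    """Constructed stand-in for the bot's first two FakeTLS messages."""
    req1 = FAKE_TLS_HDR + os.urandom(RANDOM_LEN) + bytes([PAD_BYTE]) * PAD_LEN
    # Placeholder fields standing in for [base64 part2][hash2 padded][AES key].
    key_blob = b"<base64 part2>" + b"\x00" * 0x48 + b"<aes-wrapped key>"
    req2 = (FAKE_TLS_HDR + REGISTER_CMD.to_bytes(4, "little")
            + len(key_blob).to_bytes(4, "little") + key_blob)
    return [req1, req2]


def build_real_tls_flow() -> List[bytes]:
    """Constructed stand-in for a genuine client: ClientHello, then app data."""
    hello = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
    return [hello, b"\x17\x03\x03\x00\x04" + os.urandom(4)]


if __name__ == "__main__":
    for name, flow in (("fake", build_fake_tls_flow()),
                       ("real", build_real_tls_flow())):
        print(name, inspect_client_flow(flow) or "clean")
```

Full TLS inspection (terminating the session and seeing a handshake fail) is the reliable control; this heuristic is for passive visibility where that is not available.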
The Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.

MITRE ATT&CK TTP Mapping

T1193 - Spearphishing Attachment: LNK files delivered inside RAR archives as an email attachment
T1059 - Command-Line Interface: Commands run using cmd.exe to extract and run payload
T1204 - User Execution: LNK file is executed by user double-click
T1064 - Scripting: Use of Visual Basic scripts
T1060 - Registry Run Keys / Startup Folder: Copies executable to the startup folder for persistence
T1053 - Scheduled Task: Creates scheduled task named “Driver Bootser Update” for persistence
T1027 - Obfuscated Files or Information: Parts of the shellcode and its configuration are encrypted using an XOR algorithm
T1140 - Deobfuscate/Decode Files or Information: Decodes configuration at runtime
T1036 - Masquerading: Masquerades as legitimate documents, has embedded decoy documents
T1033 - System Owner/User Discovery: Discovers username using GetUserNameA
T1016 - System Network Configuration Discovery: Discovers network configuration using GetAdaptersInfoA
T1082 - System Information Discovery: Discovers various information about the system (username, computer name, OS version, etc.)
T1094 - Custom Command and Control Protocol: Uses custom protocol mimicking TLS communication
T1043 - Commonly Used Port: Uses port 443
T1090 - Connection Proxy: Discovers system proxy settings and uses them if available
T1008 - Fallback Channels: Has code to communicate over UDP in addition to TCP
T1132 - Data Encoding: Uses base64 for encoding UUID
T1032 - Standard Cryptographic Protocol: Uses AES-128 to encrypt network communications
T1095 - Standard Non-Application Layer Protocol: Communicates over TCP
T1002 - Data Compressed: Can use LZNT1 compression
T1022 - Data Encrypted: Uses AES-128 for data encryption
T1020 - Automated Exfiltration: Automatically sends system information to CnC based on configuration and CnC commands
T1041 - Exfiltration Over Command and Control Channel: Sends data over its CnC channel

Indicators of Compromise (IOCs)

LNK file MD5 hashes
21a51a834372ab11fba72fb865d6830e
aa67b7141327c0fad9881597c76282c0
c657e04141252e39b9fa75489f6320f5
45278d4ad4e0f4a891ec99283df153c3
997ab0b59d865c4bd63cc55b5e9c8b48
4a4a223893c67b9d34392670002d58d7

LNK file names
International English Language Testing System certificate.pdf.lnk
Tokbox icon - Odds and Ends - iOS - Zeplin.lnk
20200308-sitrep-48-covid-19.pdf.lnk
Curriculum Vitae_WANG LEI_Hong Kong Polytechnic University.pdf.lnk
Conversations - iOS - Swipe Icons - Zeplin.lnk

HTTP POST requests to register the bot
hxxp://sixindent[.]epizy[.]com/inter.php
hxxp://goodhk[.]azurewebsites[.]net/inter.php
hxxp://zeplin[.]atwebpages[.]com/inter.php

HTTP GET request to C&C server
hxxps://comcleanner[.]info/msdn.cpp
hxxps://45[.]76[.]6[.]149/msdn.cpp

Appendix I: Anti-debugging hash computation

    # Hash of code section before decryption should be equal to 0x733C7595
    # Hash of code section after decryption should be equal to 0x6621A914

    # read the shellcode contents (Python 3: indexing bytes yields ints)
    contents = open("shellcode.bin", "rb").read()

    # x86 ROR instruction re-written in Python
    ror = lambda val, r_bits, max_bits: \
        ((val & (2**max_bits-1)) >> r_bits % max_bits) | \
        (val << (max_bits-(r_bits % max_bits)) & (2**max_bits-1))

    # x86 movsx instruction re-written in Python
    def SIGNEXT(x, b):
        m = 1 << (b - 1)
        x = x & ((1 << b) - 1)
        return (x ^ m) - m

    # limit = length of code section used for hash calculation
    # First 0xcb06 bytes are used to calculate the hash
    result = 0  # the accumulator's starting value is not shown here; 0 assumed
    for i in range(0xcb06):
        result = ror(result, 0xa, 32)
        t = SIGNEXT(contents[i], 8) & 0xffffffff
        result += t
        result = result & 0xffffffff

    print("final hash is: %x" % result)

Appendix II: XOR decryption code to extract plaintext strings and C&C server address

    import struct
    import sys

    # read the contents of shellcode
    contents = open(sys.argv[1], "rb").read()

    # XOR decrypt the strings (accepts bytes or str for both arguments)
    def decrypt_data(encrypted, key):
        decrypt = ""
        for i in range(len(encrypted)):
            db = encrypted[i]
            kb = key[i % len(key)]
            if isinstance(kb, str):
                kb = ord(kb)
            if isinstance(db, str):
                db = ord(db)
            decrypt += chr(db ^ kb)
        return decrypt

    def extract_c2(contents):
        key = contents[0xcb0e:0xcb1e]
        encrypted = contents[0xcb1e:]
        decrypt = decrypt_data(encrypted, key)
        # latin-1 keeps one byte per character so the offsets below stay
        # aligned; the port is an unsigned 16-bit little-endian value
        raw = decrypt.encode("latin-1")
        host = decrypt[432:].split("\x00")[0]
        port = struct.unpack("<H", raw[422:424])[0]
        return "{}:{}".format(host, port)

    print("==C2 Server==\n{}\n".format(extract_c2(contents)))

    # Encrypted data is present at offset 0xacc0 and has a total length of 0x12b0
    encrypted = contents[0xacc0:0xacc0+0x12b0]
    # 16-byte XOR key
    key = [0xE4, 0xFD, 0x23, 0x99, 0xA3, 0xE1, 0xD3, 0x58, 0xA6, 0xCC, 0xDB, 0xE8, 0xF2, 0x91, 0xD2, 0xF8]
    print("==Strings==")
    for item in decrypt_data(encrypted, key).split("\x00"):
        if item:
            print(item)

Appendix III: Script to generate AES key message

    from wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey, CryptEncrypt, CryptImportKey, CryptExportKey, CryptGetHashParam, CryptDecrypt
    from wincrypto.constants import CALG_SHA1, CALG_AES_256, bType_SIMPLEBLOB, CALG_AES_128, CALG_MD5
    import binascii, base64, struct, uuid

    ### Hash functions ###
    ror = lambda val, r_bits, max_bits: \
        ((val & (2**max_bits-1)) >> r_bits % max_bits) | \
        (val << (max_bits-(r_bits % max_bits)) & (2**max_bits-1))
(2**max_bits-1)) >> r_bits%max_bits) | \ (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1)) # x86 movsx instruction re-written in Python def SIGNEXT(x, b): m = 1 << (b - 1) x = x & ((1 << b) - 1) return (x ^ m) - m def get_hash(uuid1): result = 0 for i in range(len(uuid1)): result = ror(result, 0xa, 32) t = SIGNEXT(uuid1[i], 8) & 0xffffffff result += t result = result & 0xffffffff return result ### UUID convert from bytes to base64 ### uuid0 = uuid.uuid4().bytes uuid0_wh = uuid0 + b"\x00\x00\x00" + struct.pack("<I",get_hash(uuid0))#hash of uuuid1 uuid0_enc = base64.b64encode(uuid0_wh) + b"\x0d\x0a" #append "\r\n" added by windows API ### Derive key from UUID #### #Generate uuid uuid1 = str(uuid.uuid4()) #Append NULL bytes to make length equal to 0x48 data = uuid1 + (b"\x00" * (0x48 - len(uuid1))) #Generate MD5 hash hasher = CryptCreateHash(CALG_MD5) CryptHashData(hasher, data) uuid1_md5 = CryptGetHashParam(hasher,0x2) #Append NULL bytes to md5 and again generate md5 hash to make length equal to 0x48 uuid1_md5_md5 = uuid1_md5 + (b"\x00" * (0x48 - len(uuid1_md5))) hasher = CryptCreateHash(CALG_MD5) CryptHashData(hasher, uuid1_md5_md5) #Derive AES key aes_key = CryptDeriveKey(hasher, CALG_AES_128) #Encrypt Send MD5 hash using AES encrypted_hash = CryptEncrypt(aes_key, uuid1_md5_md5) #append more NULL bytes to Encrypted hash to make length 0x90 encrypted_hash_padded = encrypted_hash + (b"\x00" * (0x90 - len(encrypted_hash))) #Again use encrypted hash to calculate its md5 and derive new AES key hasher = CryptCreateHash(CALG_MD5) CryptHashData(hasher, encrypted_hash_padded) aes_key = CryptDeriveKey(hasher, CALG_AES_128) #generate message buffer to send to server to register key fake_tls_header = b"\x17\x03\x01" client_key_message_header = b"\x65\x00\x00\x00\xd8\x00\x00\x00" buffer = client_key_message_header + uuid0_enc + b"\x00\x00" + uuid1_md5_md5 + encrypted_hash_padded buffer = fake_tls_header + struct.pack(">h", len(buffer)) + buffer binascii.hexlify(buffer) 
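The following Python is an added example, not code from the original analysis: it takes the fake-TLS key-registration message that the Appendix III script builds and validates it from the receiving side, using the packet layout given in Appendix V (0x17 0x03 0x01 header, big-endian size, Command and DataSize ints, a 0x22-byte base64 SystemId whose last four bytes are the ROR-10 checksum of the UUID, two padding bytes, then the data). This is the check a network-detection or sandbox hook could apply to distinguish the implant's framing from real TLS. The sample packet is constructed inline with a fixed UUID and a dummy 0xd8-byte body; function names are my own.

```python
import base64
import struct

# Layout from Appendix V: 3-byte fake TLS application-data header, big-endian
# size, then Command (int32), DataSize (int32), SystemId[0x22], Padding[2], data.
FAKE_TLS_HEADER = b"\x17\x03\x01"
CMD_CLIENT_KEY = 0x65    # client -> server AES key registration
CMD_SERVER_KEY = 0x64    # server -> client
SYSTEM_ID_LEN = 0x22
HEADER_FMT = "<ii"       # Command, DataSize (little-endian)


def ror32(val, r):
    """32-bit rotate right."""
    r %= 32
    return ((val >> r) | (val << (32 - r))) & 0xFFFFFFFF


def custom_hash(data):
    """ROR-10-then-add hash from Appendix I/III; each byte is sign-extended (movsx)."""
    result = 0
    for b in data:
        result = ror32(result, 10)
        signed = b - 0x100 if b & 0x80 else b
        result = (result + signed) & 0xFFFFFFFF
    return result


def build_system_id(uuid_bytes):
    """SystemId = base64(uuid || 3 NUL bytes || LE32 hash(uuid)) || CRLF, 0x22 bytes in total."""
    blob = uuid_bytes + b"\x00\x00\x00" + struct.pack("<I", custom_hash(uuid_bytes))
    system_id = base64.b64encode(blob) + b"\r\n"
    assert len(system_id) == SYSTEM_ID_LEN
    return system_id


def build_packet(command, system_id, payload):
    """Wrap a command body in the implant's fake TLS record."""
    body = struct.pack(HEADER_FMT, command, len(payload)) + system_id + b"\x00\x00" + payload
    return FAKE_TLS_HEADER + struct.pack(">H", len(body)) + body


def parse_packet(pkt):
    """Validate the fake TLS framing and the SystemId checksum; return the fields."""
    if len(pkt) < 5 or pkt[:3] != FAKE_TLS_HEADER:
        raise ValueError("not a fake TLS application-data record")
    (size,) = struct.unpack(">H", pkt[3:5])
    body = pkt[5:5 + size]
    if len(body) != size or size < 8 + SYSTEM_ID_LEN + 2:
        raise ValueError("truncated packet")
    command, data_size = struct.unpack(HEADER_FMT, body[:8])
    system_id = body[8:8 + SYSTEM_ID_LEN]
    data = body[8 + SYSTEM_ID_LEN + 2:]
    if len(data) != data_size:
        raise ValueError("DataSize does not match payload length")
    if not system_id.endswith(b"\r\n"):
        raise ValueError("SystemId missing CRLF terminator")
    blob = base64.b64decode(system_id[:-2])
    if len(blob) != 23:
        raise ValueError("unexpected SystemId length")
    uuid_bytes, checksum = blob[:16], struct.unpack("<I", blob[19:23])[0]
    if checksum != custom_hash(uuid_bytes):
        raise ValueError("SystemId checksum mismatch")
    return {"command": command, "uuid": uuid_bytes, "data": data}


def is_valid_packet(pkt):
    """True when the record parses and its SystemId checksum verifies."""
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


# Constructed sample: fixed UUID and a dummy 0xd8-byte key-registration body
# (the real body is the padded MD5 plus the AES-encrypted hash from Appendix III).
SAMPLE_UUID = bytes(range(16))
SAMPLE_PACKET = build_packet(CMD_CLIENT_KEY, build_system_id(SAMPLE_UUID), b"\x41" * 0xd8)

if __name__ == "__main__":
    fields = parse_packet(SAMPLE_PACKET)
    print("command 0x%x, uuid %s, %d data bytes"
          % (fields["command"], fields["uuid"].hex(), len(fields["data"])))
```

The checksum over the UUID is the same sign-extending ROR-10 hash the shellcode uses to verify its own code section, so a parser that recomputes it can reject forged or corrupted SystemIds; a real TLS record would fail at the very first check, because a genuine application-data record never carries a 0x65/0x64 command word right after the length.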
Appendix IV: Decrypted strings from the shellcode

```
WinHTTP /1.1 GET /msdn.cpp \Device\Afd https:// jsproxy.dll InternetInitializeAutoProxyDll InternetDeInitializeAutoProxyDllInternetGetProxyInfo DIRECT szFmt:%dszS:%s szWS:%ws szD:%d szP:%p szX:%x szN:%d Init Error:%d connect _CbConnect Over ikcp_udp recv in Uninstall module:%d InitModule:%d ContentLength :%d szHttpRecv :%d szTunnel Proxip:%s Proxport:%d CurProxIp:%s CurProxPort:%d IeProxy ip:%s port:%d type:%d ProxyNumber:%d GET POST http://%s/../... %s..%d 200 OK Host: Content-Length: Connection: Keep-Alive HTTP/1.0 HTTP/1.1Authorization: Basic DELETE news QUERY SUBMIT en-us/msdn library ?hl=en-US ?wd=http ?lan=ja-jp cbreover dispatch
```

Appendix V: Structure of the packet containing the AES key

```c
struct Packet {
    struct FakeTls {
        struct AppDataHeader {
            byte tls_header_app_data_constant;   // 0x17 (TLS application data)
            byte tls_version_major;              // 0x03
            byte tls_version_minor;              // 0x01
        } tls_app_data_header;
        ushort PacketSize;                       // big-endian, length of PacketData
    } FakeTlsHeader;
    struct PacketData {
        int Command;            // 0x65: client to server, 0x64: server to client (AES key)
        int DataSize;
        char SystemId[0x22];    // base64(UUID || NUL*3 || hash) followed by "\r\n"
        char Padding[2];
        byte data[DataSize];
    } command;
} packet;
```

Sudeep Singh

The Results Are In: Zscaler Excels in Recent AV-TEST

As you know, the Zscaler ThreatLabZ team is intently focused on the security of our customers. We know exactly how much traffic we’re securing for our clients (2.4 trillion transactions last month). We know how many times we blocked malicious content in that same timeframe (1.3 billion), and we know how many policies we enforced (190.2 billion). Continuously measuring the performance of the world’s largest security cloud is just one of the many ways our team makes sure customer data is protected at all times. That said, third-party testing of our products is something we take seriously, as it provides independent assurance that we are providing the effective cloud security solutions we promise to our customers.
Benchmarking our products’ security internally is great, as it enables all our teams to celebrate milestones in our cloud’s expansion, such as last month’s achievement of protecting over 100 billion transactions per day. However, what’s most important for us is that we consistently deliver on our customers’ expectations for threat and data protection. Customer feedback and third-party tests help us do exactly that. In June 2020, AV-TEST released its Zscaler Internet Security Protection Test report following its evaluation of the Zscaler Security Cloud Platform. Zscaler was tested for its ability to protect against zero-day threats and known malware, as well as the effectiveness of the Zscaler Internet Access (ZIA) security stack and Advanced Cloud Sandbox functionality. The test focused primarily on the detection rate of malicious portable executable (PE) files, other malicious files (such as HTML and JavaScript), and phishing URLs. AV-TEST also evaluated Zscaler on its percentage of false positives for websites and downloaded files. False positives do not themselves pose a threat, but an administrator must sift through them, and in high numbers (a common problem) they take time away from addressing real threats.
In total, more than 23,000 different samples were used in the testing, and we’re proud to say that Zscaler received top marks in all categories:

In prevalent malware testing, a blocking rate of 99.7% was delivered by the Zscaler Internet Access Security Stack and Advanced Cloud Sandbox
In real-world testing, based on blocking of known recent indicators, a protection rate of 97.7% was delivered by the Zscaler Internet Access Security Stack and Advanced Cloud Sandbox
In real-world testing, the Zscaler Cloud Effect, which shares threat intelligence across the platform, helped to increase protection from 94.4% to 97.7%
Using Advanced Cloud Sandbox, coupled with the Zscaler Cloud Platform and Cloud Effect, provided the best overall detection results

Beyond these results, what really sets Zscaler apart from competitors is our Advanced Cloud Sandbox and Zscaler Cloud Effect. Our Advanced Cloud Sandbox conducts native inline behavior analysis by inspecting suspicious file types and holding file delivery until the file is confirmed clean. Because the Zscaler Cloud Sandbox is built on top of a proxy architecture, the Zscaler Cloud Effect increases protection by sharing threat intelligence across users and organizations via the Zscaler Cloud Platform and Advanced Cloud Sandbox. Download the AV-TEST report here to see all the results. For many of our customers, Zscaler is their secure internet. Our customers rely on an effective 100% cloud-delivered security platform as the springboard for a secure move to the cloud. Testing the performance of products internally, externally, and in response to a diverse range of real-world scenarios is how we ensure that we’re continuing to exceed our customers’ needs and expectations. Additional resources: Test your cyberrisk posture with our Internet Threat Analysis Tool. Read the Gartner Magic Quadrant report to find out why Zscaler has been a Leader for nine consecutive years.
Learn more about Zscaler Cloud Sandbox

Steve Grossenbacher is a Director of Product Marketing at Zscaler

Steve Grossenbacher

Top Exploit Kit Activity Roundup—Spring 2020

This is the eleventh in a series of quarterly roundups by the Zscaler ThreatLabZ research team in which we collect and analyze the activity of the top exploit kits (EKs) during the past three months. For the past few quarters, exploit kit activity was fairly low and we did not see many changes in kit behavior. Exploit kits are rapidly deployable software packages designed to leverage vulnerabilities in web browsers and deliver a malicious payload to a victim’s computer. Authors of EKs offer their services for a fee, distributing malware for other malicious actors. What follows are highlights from the EK activity we observed during the past quarter. Among the highlights, we observed that the focus for EK payloads has shifted from ransomware to banking Trojans.

RIG EK

RIG EK is one of the oldest and most common exploit kits seen in the threat landscape. Many exploit kits have entered and exited the landscape, but RIG EK has been the most persistent of them, slowly adding changes to the kit to evade detection. We are seeing a rise in RIG EK activity recently, and this trend can be seen in Figure 1. Figure 1: RIG EK activity from March 1-May 25, 2020. The geographical distribution of RIG EK activity can be seen in Figure 2. Figure 2: RIG EK activity distribution. We will walk through one of the RIG EK cycles that we observed this quarter. Figure 3: The RIG EK infection cycle. The first connection is an HTTP 302 redirect from a malvertisement URL to the RIG EK landing page. The attackers have continued making changes, and we can see the use of Unicode escape sequences in the obfuscation. The obfuscated JavaScript on the RIG EK landing page can be seen in Figure 4. Figure 4: The RIG EK landing page with obfuscated JavaScript.
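As an added example (not code from the original post, and not a real RIG sample), the following Python performs the static deobfuscation step an analyst applies to a landing page like the one in Figure 4 before handing it to a sandbox: it decodes \uXXXX and \xNN escapes, folds String.fromCharCode(...) calls and adjacent string concatenations, and then reports which indicators (eval, ActiveXObject, WScript.Shell, cmd.exe) only become visible after decoding. The landing-page fragment embedded below is constructed for illustration and the indicator list is my own choice.

```python
import re

# Constructed, RIG-style obfuscated landing-page fragment (illustration only, not a real sample).
SAMPLE = r'''
var a = "\u0057\u0053\u0063\u0072\u0069\u0070\u0074" + "\x2e" + "\x53\x68\x65\x6c\x6c";
var b = String.fromCharCode(65,99,116,105,118,101,88,79,98,106,101,99,116);
var c = "ev" + "al";
window[c](b + "(a)" + ".Run(" + "\u0063\u006d\u0064\u002e\u0065\u0078\u0065" + ")");
'''

# Indicators that are rarely visible in the raw page but show up once decoded.
INDICATORS = ("eval", "ActiveXObject", "WScript.Shell", "cmd.exe")

ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
# two adjacent quoted literals joined by '+', each delimited by " or '
CONCAT_RE = re.compile(r"""(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3""")


def decode_escapes(src):
    """Replace \\uXXXX and \\xNN escapes with the characters they encode."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), src)


def fold_fromcharcode(src):
    """Turn String.fromCharCode(65,66) into the literal "AB"."""
    def repl(m):
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE_RE.sub(repl, src)


def fold_concats(src):
    """Repeatedly merge "a" + "b" into "ab" until nothing changes."""
    while True:
        merged = CONCAT_RE.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
        if merged == src:
            return src
        src = merged


def deobfuscate(src):
    """Apply the three passes in the order the obfuscation layers are nested."""
    return fold_concats(fold_fromcharcode(decode_escapes(src)))


def find_indicators(src, decode=True):
    """Return the indicators present in the script, optionally after deobfuscation."""
    text = deobfuscate(src) if decode else src
    return sorted(k for k in INDICATORS if k in text)


if __name__ == "__main__":
    print("raw    :", find_indicators(SAMPLE, decode=False))
    print("decoded:", find_indicators(SAMPLE))
    print(deobfuscate(SAMPLE))
```

On the raw fragment none of the indicators match, which is exactly why signature-only inspection of the landing page misses it; after decoding, the eval call, the ActiveXObject instantiation, WScript.Shell and the cmd.exe invocation are all in the clear. Static folding like this is a triage aid only: kits also build strings at runtime from DOM attributes or arithmetic, so the authoritative view is still the sandbox execution trace.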
Near the end of the landing page, we see an obfuscated call to the JavaScript eval function, which is highlighted in Figure 5. Figure 5: The RIG EK landing page JavaScript eval function call. Upon execution of the script, we see the following command execution trying to download the payload to the temp directory. Figure 6: The RIG EK payload download. The script connecting to the RIG EK payload download URL can be seen in Figure 7. Figure 7: The RIG EK payload download and execution. The final script execution leads to a Dridex banking Trojan download, which is dropped to the temp location C:\Users\XXXX\AppData\Local\Temp\Low\n5jpumqp.exe. Some of the other payloads seen with RIG EK are AZORult and Ursnif.

Fallout EK

The Fallout EK is relatively new to the threat landscape and was first seen close to the end of 2018. We saw some activity for Fallout EK this quarter. The hits for Fallout EK activity can be seen in Figure 8. Figure 8: Fallout EK activity hits. The geographical distribution of Fallout EK activity is seen in Figure 9. Figure 9: Fallout EK activity distribution. We will walk through one of the Fallout EK cycles that we saw this quarter. The infection cycle can be seen in Figure 10. Figure 10: The Fallout EK infection cycle. The Fallout EK redirect page does a basic browser check for Internet Explorer and redirects victims to the Fallout EK landing page. This fingerprinting and redirect is seen in Figure 11. Figure 11: The Fallout EK fingerprinting. Once the victim is found to be using Internet Explorer, they are redirected to the Fallout EK landing page, which can be seen in Figure 12. Figure 12: The Fallout EK landing page. The encoded payload is seen in Figure 13. Figure 13: The Fallout EK encoded payload download. This infection cycle resulted in the download of an infostealer. We have seen Fallout EK downloading GandCrab ransomware, AZORult, and other RATs in the past.

Spelevo EK

Spelevo is a recent EK which came into focus in mid-2019.
We observed some activity for the Spelevo EK this quarter. The hits for Spelevo EK activity are seen in Figure 14. Figure 14: Spelevo EK hits. The geographical distribution of Spelevo EK activity is seen in Figure 15. Figure 15: Spelevo EK activity distribution. The obfuscated JavaScript on the Spelevo EK landing page can be seen in Figure 16. Figure 16: The Spelevo EK landing page. The obfuscated JavaScript execution results in a Flash payload download, as shown in Figure 17. Figure 17: The Spelevo EK Flash payload download. The decompiled Flash payload can be seen in Figure 18. Figure 18: The Spelevo EK decompiled Flash payload. There was no payload download for this infection cycle, but the Spelevo EK has been seen downloading banking Trojans and ransomware in the wild.

Conclusion

We saw less exploit kit activity for the past few quarters, but now the activity is slowly increasing. Currently, the only activity we've seen was from RIG EK, Fallout EK, and Spelevo EK. We did not see activity for other EKs, such as KaiXin EK, Terror EK, Underminer EK, and GrandSoft EK. Exploit kits are effective because they can infect a victim's machine during web browsing without the user's knowledge. The attackers monetize successful infections in a variety of ways, such as by collecting a ransom to retrieve data encrypted by ransomware, mining cryptocurrencies using the victim's system resources, or installing banking Trojans to steal a victim's credentials. Attackers frequently change their techniques by obfuscating the source code or integrating new exploit code into their EKs in order to evade detection. To help avoid infections from exploit kits, users should keep web browsers and browser plugins up to date with the latest patches to protect against the common vulnerabilities targeted by exploit kits.
The Zscaler ThreatLabZ research team has confirmed coverage for these top exploit kits and subsequent payloads, ensuring protection for organizations using the Zscaler cloud security platform. Rohit Hegde Meet Zscaler: How a Busy Family Man, Salesman, and Outdoorsman Just Keeps Truckin’ More than 20 years in sales makes Ted Rutsch a veteran on the Sales America Public Sector team, but he couldn’t be more excited to be part of the Zscaler family at a time of great transformation. Outside of work, Ted balances his time as a family man and outdoorsman, while also making time to see his favorite bands in concert. We interviewed Ted for his one-year work anniversary on May 13, 2020. See why Ted makes Zscaler a Great Place to Work! What is your background? I started my sales career in the dregs, cold calling in my early 20s, doing more than 100 calls per day. I worked my way up through the ranks, mostly in telecommunications. I worked for Cable and Wireless USA, AT&T, and British Telecom. Then the telecom bubble burst in the early 2000s, and one of the last projects I worked on in telecom was some IT security-related stuff. I thought it was really interesting and knew that was the path I wanted to take. So from there, I started working for some small startups around firewalls and VPNs and it just went from there. I fell into security, I loved it, and I stayed there. What drew you to Zscaler? A few years ago I had the foresight to see that cloud was going to be the trend going forward and so I started looking for a cloud security company. After looking at companies like Salesforce, OKTA, and Saviynt, I saw the Zscaler presentation and was like, “Are you hiring? I’m in.” It took two years of pursuing Zscaler and waiting for them to get their FedRAMP certification before they were ready to build out the Public Sector team, but once they were ready I was on board. 
Give us an overview of your role at Zscaler I’m in sales, so naturally, I’m driven by money, but personally, I’m driven by the win. Most importantly, I want to continue to deliver something of value to my customers and we are in an amazing position to do that here. In my role, I cover the Federal financial and regulatory agencies, which include the Department of Treasury, SEC, FDIC, SSA, the Federal Reserve System, and a bunch of independents. I leverage my relationships and the strength of my team to bring the value of the Zscaler platform to these agencies. In my first year, we have already onboarded four new accounts including a large, recently awarded five-year deal. What’s your favorite Zscaler memory? I loved the new hire onboarding training. I got to meet new hires from across the company including product managers, inside sales, sales engineering, and new leadership coming over to Zscaler from other competing companies. It also helped me establish relationships within the company that I still leverage today. It really defined that I was in the right place. They worked us through real-world scenarios for selling Zscaler and it definitely showed how much the company was investing in their people, which was great to see. I actually just brought a friend of mine over to be a Sales Engineer for Zscaler. He told me, “I’ve never been in a place where everyone was so invested in my success. At my previous company, they brought me in and said ‘good luck.’” Everybody has been super supportive here in making sure he gets up to speed and is getting the training he needs. How has COVID-19 affected your role? I’ve been working from my home office for more than 20 years now, so not much is different for me. I do like to get out every once in a while, but we don’t really have the option currently. Normally I’m heading to downtown D.C. for meetings two to three days a week to meet with customers, as business gets done much more easily face-to-face. 
For sales, there’s nothing that’s better than an in-person meeting but we are making do with Zoom, Teams, and Webex as best we can. We are not really complaining since the current crisis has actually helped accelerate our business! Do you have any tips for working from home? Working from home, I’ve actually found myself working too much, if anything. I’ve always been driven, I’m very competitive, so if I don’t do certain things throughout the day where I feel like I’ve accomplished something, I don’t feel good about myself, so I focus on specific goals each day. Once I get those done, I’m like, ‘okay, today was a good day, I made these paths forward and things are good.’ I break those goals down every morning, focus on those, and check them off as I go. I do think it’s important to still get dressed up for meetings—I put my suit coat on, and I always put my video out there, because it shows that I’m vested and interested and taking this seriously. Do your best to still put your best foot forward. Make sure you have that personal drive and ambition to be focused. Working from home isn’t for everybody, some people get easily distracted, but for me, working from home has always been a blessing. What are your hobbies outside of work? I’m a big live music fan. I have been to countless concerts and more than 80 Grateful Dead shows. All of the concerts I was planning to attend this summer have been canceled or postponed though, so I’m pretty disappointed about that. I also love to get outdoors to hike, mountain bike, fish, hunt, and ski. Outside of music and outdoor activities, my family takes up most of my time. I’ve been married for 20 years and have two sons and one granddaughter. My youngest son is about to head off to college. He got a football scholarship to Stevenson University, so we’re really proud of him and excited we get to watch him play for four more years. And we see our granddaughter (pictured above) very often and she is a lot of fun. 
Any last thoughts about your role, your team, or Zscaler? We’re a successful 12-year-old company that just started our Federal initiatives, so the Federal team is over-the-top excited about the opportunity. They’re serving it up to us on a silver platter, so we’re about to explode, and the Federal team is ready to deliver. The use case is just too good to pass up. It’s a very exciting time for our team. Overall, if anyone is thinking about coming to Zscaler, they’d be lucky to be here. It’s the perfect place to be right now, and there are not many companies that can say that right now. Join Ted and the rest of the team! Visit our careers page to explore opportunities in regional sales management as well as the many other roles in which you can help Zscaler drive secure digital transformation for enterprises around the world. Read Next: Meet the People Who Make Zscaler a Great Place to Work Meet Zscaler: How Becky Miller Balances Profession and Passion Meet Zscaler: What Three Years at Zscaler Means to Carolina Monge Kristi Myllenbeck is a copywriter at Zscaler Kristi Myllenbeck Going Virtual: Lessons Learned from Scaling to More Than 6,500 Remote Offices Craig Williams is the CIO of Ciena. His post originally appeared on LinkedIn. For years, my team felt we had discovered the secret to making work more productive, effective, and enjoyable while balancing it with our lives outside the office. I can speak to this from personal experience as I have been a virtual CIO at Ciena for three years; living, working and traveling from my home in Raleigh, North Carolina. While Ciena’s headquarters is in Maryland, our employee base of more than 6,500 employees is dispersed globally across more than 35 countries. And, many of our employees worked remotely full-time before the COVID-19 pandemic. 
Even though we all observed the teleworking culture change slightly over time, it was not until this global pandemic forced many companies into the grand experiment of running businesses close to 100% remotely that they understood the importance of having the right tools to support working from virtually anywhere. Contrary to the traditional—or may I say "old-school"—belief that employees are less productive when working remotely, I can attest to the opposite. Since my colleagues at Ciena have been working 100% from home as well for the past few months, I have heard unanimously that people are indeed very—if not more—productive than before. This has sparked a conversation inside our organization that is shifting from working remotely to working where you need to at any given time. I will say that working remotely during a pandemic is harder than when we’re not faced with a global crisis, but I’m confident that this new world order will set the stage for a paradigm shift to remote working for years to come. Obviously, working remotely will never replace face-to-face communication. But thanks to many innovative technological advancements in the past decade, we are now able to communicate and collaborate efficiently using Microsoft Teams, Zoom, Slack, G Suite, and numerous other applications. In my opinion, virtual video conferencing technologies make meetings more interactive. We can all simultaneously engage, observe nonverbal cues, interact via chat, take live polls and even record meetings for reference after the call. Some may argue that, if facilitated well, virtual meetings can lead to better and more productive outcomes than meetings in the physical office. I’ve also noticed that by going virtual, we can shorten our meetings so we’re as efficient as possible, which helps to avoid online fatigue. As a CIO, I am aware that organizations are still struggling to make remote working a seamless reality. 
However, based on personal experience, I can share a few firsthand best practices that may ease this transition. At Ciena, our digital transformation journey has not only allowed my immediate team to work from home successfully, but it has also enabled us to scale from 70 to more than 6,500 “office locations” without impacting our network architecture. For some background, Ciena provides networking hardware and software solutions—the nuts and bolts of the internet. For decades, Ciena has helped the world’s largest telecom and internet content providers deliver reliable connectivity. Whether it is a phone call, email, video transfer or large amounts of data moving between organizations, Ciena’s technology is hard at work, helping to make communications happen. We’re in the business of accelerating our customers’ digital transformation—which is especially important as companies increasingly take a digital-first approach with remote workforces. Rethink resources to enable growth and productivity When we set out to embark on our own digital transformation journey a few years ago, it began with simplifying our network and investing in collaboration tools that drive employee engagement with video functionality. We approached this transformation first by thinking about what we would do if we could start over as a company of our size. We made it a point to rethink our entire infrastructure, applications, systems and support models in order to support our growing company and to enable employees to work from anywhere on any device. We conducted an audit to assess what was already in our wheelhouse to meet the diverse needs of our growing workforce. During this audit, we also took a hard look at the next 5 to 10 years, and what we’d need to implement now to enable employee productivity. Invest in tools to recreate the office environment at home We also invested in a new cloud security platform. 
The Zscaler platform has been a wonderful product that allows us to secure users accessing the open internet and SaaS applications from all endpoints being secured through Zscaler Internet Access and the integrated Cloud Firewall, which is a security feature that, with our previous solution, was only available at the corporate offices. In addition, Zscaler Private Access securely provides remote access to internal applications without the need for a VPN. As a result, our VPN infrastructure is not nearly as critical as it used to be and that also means that our corporate resilience has improved significantly, too. Now, the experience that our users have while working from home (or anywhere for that matter) is no different than if they are on our WAN in one of our corporate offices. Consult trusted sources for real-world feedback When making major decisions about what IT investments to make, turn to colleagues or trusted sources within your network to help you better understand if products can deliver what they promise. For example, I suggest that potential vendors conduct a “bake-off” between different products to showcase a side-by-side comparison. This pandemic sparked a conversation about best practices for working virtually—if we couldn’t return to the corporate offices, which technologies and processes would we implement to further improve the experience? I believe the next step of our transformation will be redefining what an “office” looks like to incorporate a blend between corporate and home offices. While some people may be more comfortable working at a physical office location because their job functions are not completely conducive to working remotely, it shouldn’t be about being in an office to be seen and to demonstrate productivity. We should be able to work seamlessly anywhere, on any device at any time. 
It is my mission to help change the negative perception of working from home into a positive one that will alleviate the strain on our environment while contributing to the well-being of our people. At Ciena, we are fortunate that our employees have been so flexible in this sudden transition to working remotely. If you enjoyed this blog, you might also enjoy: How an Outage Prepared CAPTRUST for a Pandemic by Jon Meyer, CTO, CAPTRUST Johnson Controls Accelerated its Cloud Transformation to Deliver Life-Safety Services During COVID-19 by Peter Daly, Director of Network Services – Global Infrastructure, Johnson Controls GROWMARK is Sowing Success While Working From Home By Eric Fisher, Director of IT Enterprise Systems at GROWMARK, Inc. While at Home, NOV Still Powers the Industry That Powers the World By Alex Philips, Chief Information Officer, National Oilwell Varco How DB Schenker Kept Employees Safe with a Cloud Approach to Remote Access By Gerold Nagel, SVP of Global Infrastructure Services, DB Schenker Craig Williams Be Humble: Crisis Leadership is an Exercise in Humility This article originally appeared on LinkedIn on April 30, 2020. I recently participated in a webinar on the topic of leadership. The experience gave me a new perspective on what it means to be a leader in difficult times. I’ve heard it said, “Anyone can lead an organization when everything is great. The true test of leadership is what you do when all hell breaks loose.” My experience with leadership, organizations, and crises tells me this is very true. The current crisis demands good leadership Many IT and security people become leaders (CIOs and CISOs) due to their technical abilities and accomplishments. Often, they have little to no training or experience in leading people. They tend to manage tasks instead of “to boldly go.” This works if everything goes well, and many of these leaders accumulate higher levels of importance and responsibility. 
But now that the environment has changed, it’s easy to see that CIO and CISO leaders minted only through technical prowess have a soft set of skills that don’t adapt well in a crisis. Any crisis tests a leader’s ability. Some leaders fold under the strain, others rise to the occasion. When the NotPetya attack hit Merck, for example, CISO Terry Rice successfully led his organization by approaching the problem as a leadership challenge that required technical acumen, rather than as a technical problem alone. This current situation is shining a harsh light on how people lead, what good leadership looks like, and the value of good leadership to an organization. In a crisis, often we see people get angry and frustrated with the need for action. But we also lack information that could drive good action. Lack of information during a crisis is like a fog that hides the crucial information that leaders need. We need action, but action without good data makes things worse. In the military, this is known as the “fog of war.” The responsibility of picking good action falls to the leaders. Good leaders use experience (including others' experience) to make the best decision. How do we lead in an uncertain time? The most important leadership trait is humility. Humility provides us a way to navigate the fog of war. We leaders are often reluctant to admit, “I don’t know.” We’re supposed to know. If we don’t, we fear the perception of weakness -- or even worse, of being undeservedly in charge. But the moment we refuse to say “I don’t know” is exactly the moment bad decisions get made. Humility is key at this moment. Leaders can’t and don’t have every answer. Leaders are responsible for making the decision, but the information required to make the decision doesn’t always come from us. There are many individuals in any organization that might have the right information, or the right perspective, or the right data. They may even know more than us. 
The true test of leadership is letting them help. It requires strength of character to turn to these people and say, “Help me make the right decision.” A good leader is comfortable with (or at least not ruled by) their own ignorance. This allows them to freely solicit information and data to make better, more informed decisions.

Humility is a strength, not a weakness

Humility drives us to think about our team members as instructors, rather than competitors. We’ve all experienced “the horrible boss.” All of us have worked with supervisors who belittle our contributions but then use them to their advantage. In a crisis, it is easy to become that kind of person. Don’t. Look around for contributors, and celebrate their efforts. Lift them up, and put them in the spotlight.

Leaders use humility to build trusting relationships. We can’t lead without the trust of our teams. They will only give their best to people they trust. A relationship of trust is built on three main components:

Integrity: Make fair decisions that demonstrate impartiality.
Competency: Make well-supported decisions based on data and need.
Consistency: Make rational decisions that offer stability.

If we have integrity, people know they can trust us. If we are competent, they know we will do due diligence. If we are consistent, they can depend on our leadership. The only way to meet these three criteria is through humility: admit we don’t know everything and let the people who can help us shine.

As leaders, we know that we will make mistakes. We will fail many times on the way to becoming a good leader (and even after). Leadership is a skill that requires introspection, training, and practice. Leadership isn’t a light switch we can flip on: the skills and experience that create good leaders are hard-won but critical. Knowing when and how to get help with big decisions requires humility, and is key to making good decisions in a crisis. Organizations need good technology leaders now more than ever.
They are essential for getting us through this crisis. Be humble.

Stan Lowe is the Global CISO for Zscaler.

Stan Lowe

New Campaign Abusing StackBlitz Tool to Host Phishing Pages

There are numerous tools available to help individuals create new, exciting webpages. And there seem to be just as many attackers looking to exploit these tools for their own gain. Recently, the Zscaler ThreatLabZ team came across various phishing campaigns that leverage the StackBlitz tool, relying on the Angular preboot library, which manages the hand-off of a hosted page from its server-rendered view to the client-rendered one. StackBlitz is an online integrated development environment (IDE) in which anyone can create Angular, React, TypeScript and plain JavaScript projects that are immediately published online under a stackblitz.io subdomain. Attackers are abusing this free, instantly available hosting to serve phishing pages.

The purpose of the preboot library is to manage the transition of state from a server-generated web view to a client-generated web view. Figure 1 shows the workflow of the StackBlitz tool.

Figure 1: A demonstration workflow of the StackBlitz tool.

Figure 2: Whois lookup information for the domain.

In this blog, we describe the phishing attacks hosted using the StackBlitz tool and their delivery vectors in detail. We found these phishing URLs through our threat intelligence collection framework as well as online submissions to the ThreatLabZ team for review.

Spam method 1

In this case, the spam link is delivered via Microsoft’s OneDrive file-sharing service, pretending to be a document shared by a particular health organization. Once the user clicks the download link, it redirects the user to the Outlook phishing page.

Figure 3: The spam campaign with the phishing link.

Figure 4 shows the page after the user clicks the download button. It takes a little time to fetch the web page from the StackBlitz development server.

Figure 4: Fetching data from the dev server.
Finally, the browser lands on the Outlook login phishing page, as shown in Figure 5.

Figure 5: The Outlook login phishing page.

The SSL certificate of the hosting domain is shown in Figure 6. Because StackBlitz’s wildcard certificate covers every project subdomain, each phishing page is served over valid HTTPS, so the browser padlock gives the victim no warning.

Figure 6: Wildcard SSL certificate applies to all subdomains.

Figure 7 shows the source code of the hosted phishing page with the preboot library functionality. As mentioned earlier, this library manages the user experience from the time the server view is visible until the client view takes over control of the page.

Figure 7: The source code of the Outlook phishing page.

The preboot function is invoked from the preview script (preview-d52be7f9f266a450f65cb.js). Figure 8 shows the source code of that script.

Figure 8: The preview-d52be7f9f266a450f65cb script invokes the preboot function.

While analyzing the preboot function, we also identified that it uses the CachedFetch() module to check whether a cached copy of the page is available.

Figure 9: The preboot functionality with CachedFetch().

The preboot function returns the hosted web page as a JSON document, as shown in Figure 10.

Figure 10: The original source code of the hosted web page in JSON format.

Figure 11: The web traffic sent to the cybercriminals after the victim submits the form.

Figure 12: Fiddler capture of the Outlook phishing campaign.

Spam method 2

In this case, the spam link leads to a web page stating that you have received a shared document, with an associated download link. Once the user clicks the download link, it redirects them to the OneDrive phishing page.

Figure 13: The spam campaign with the phishing link.

If the user clicks the download document button, it redirects the user to the OneDrive login phishing page (angular-ivy-aabnsh(.)stackblitz(.)io).

Figure 14: The redirection traffic of the spam link.

Figure 15: The OneDrive login page for the phishing campaign.
Figure 16 shows the source code of the hosted phishing page with the preboot library functionality.

Figure 16: The source code of the hosted phishing page.

If the user unknowingly clicks any of the offered login methods to view the document, it redirects the user to the corresponding phishing page. Here, we clicked the Office 365 login method, which redirected us to a web page that looks exactly like the legitimate Office 365 sign-in page.

Figure 17: The Office 365 login phishing campaign.

Note that the wrapper source code is identical for every website hosted using the StackBlitz tool; only the URL passed as a parameter to the preboot function differs. A signature on the wrapper alone therefore can’t separate phishing projects from legitimate ones; detection has to key on the project content that gets fetched, or on where the login form submits credentials.

Figure 18: The source code of the Office 365 login phishing page.

Here, we accessed the hosted phishing page a second time to showcase the CachedFetch() functionality and observe the overall web traffic.

Figure 19: The overall traffic of the phishing campaign captured in the Fiddler tool.

Once the user enters login information, the form posts the credentials to sites operated by the cybercriminals.

Figure 20: The post-infection web traffic.

Figures 21 to 26 show the different phishing pages hosted using the StackBlitz tool.

Figure 21: The Microsoft login phishing campaign.
Figure 22: The Gmail login phishing campaign.
Figure 23: The Yahoo login phishing campaign.
Figure 24: The AOL login phishing campaign.
Figure 25: The Rackspace login phishing campaign.
Figure 26: The Other Email login phishing campaign.

Conclusion

Cybercriminals use tools such as StackBlitz to stand up phishing campaigns quickly on a legitimate, TLS-protected developer platform, which makes such campaigns harder for security vendors to detect and block on reputation alone. The Zscaler ThreatLabZ team is actively tracking these kinds of phishing attacks to ensure coverage and keep our customers safe.
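One way to turn the behaviour described above into a detection, as an added example that is not code from the original post or from StackBlitz: the script below runs three checks over web proxy log lines. It matches the two credential drop hosts named in the IOC list (wny(.)asia and notas(.)dyndns(.)dk); it flags any form POST whose Referer is a *.stackblitz.io preview page but whose destination is not a StackBlitz host, which is how both campaigns exfiltrate credentials and which also catches drop sites not yet on any list; and it flags a preview page opened straight from a file-sharing or webmail referer rather than from the StackBlitz editor. The log format (timestamp, client, method, URL, Referer, status), the sample entries, the example-collector(.)invalid drop host and the list of lure referer hosts are all constructed for this illustration.

```python
"""Flag the StackBlitz-hosted credential phishing flow in web proxy logs.

Added example (not from the original post or from StackBlitz). The log
format, field order and sample entries are constructed for illustration;
map the fields to your own proxy's schema before use.
"""
import re
from urllib.parse import urlsplit

# StackBlitz preview projects are served from <name>.stackblitz.io; the
# editor itself lives on stackblitz.com.
PREVIEW_HOST = re.compile(r"^[a-z0-9-]+\.stackblitz\.io$")
STACKBLITZ_DOMAINS = ("stackblitz.io", "stackblitz.com")

# Credential drop sites taken from the post's IOC list.
KNOWN_DROP_HOSTS = {"wny.asia", "notas.dyndns.dk"}

# Referers from which landing on a dev preview page is unexpected (file
# sharing, webmail). Assumption: tune to the services your users rely on.
LURE_REFERER_HOSTS = {"onedrive.live.com", "1drv.ms", "outlook.live.com", "mail.google.com"}


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def is_stackblitz(host: str) -> bool:
    """True for stackblitz.io / stackblitz.com and any of their subdomains."""
    return any(host == d or host.endswith("." + d) for d in STACKBLITZ_DOMAINS)


def parse_line(line: str) -> dict:
    """Parse 'timestamp client method url referer status' (constructed format)."""
    ts, client, method, url, referer, status = line.split()
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "referer": "" if referer == "-" else referer,
            "status": int(status)}


def classify(entry: dict) -> list:
    """Return the names of the detections that fire on one log entry."""
    hits = []
    dst = host_of(entry["url"])
    ref = host_of(entry["referer"])

    # 1. Known indicator: any request to a credential drop site from the IOC list.
    if dst in KNOWN_DROP_HOSTS:
        hits.append("known_drop_site")

    # 2. Behavioural: a POST leaving a StackBlitz preview page for a
    #    non-StackBlitz host is how the phishing kit exfiltrates credentials.
    if entry["method"] == "POST" and PREVIEW_HOST.match(ref) and not is_stackblitz(dst):
        hits.append("post_from_stackblitz_preview_to_foreign_host")

    # 3. Lure delivery: a preview page reached directly from a file-sharing
    #    or webmail link, instead of from the StackBlitz editor.
    if PREVIEW_HOST.match(dst) and ref in LURE_REFERER_HOSTS:
        hits.append("stackblitz_preview_opened_from_lure")

    return hits


def analyze(log_text: str) -> list:
    """Run every rule over each line; return (client, url, hits) for alerts only."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        hits = classify(entry)
        if hits:
            alerts.append((entry["client"], entry["url"], hits))
    return alerts


# Constructed sample log reproducing the two flows described in the post,
# plus a legitimate developer preview and an ordinary Microsoft login.
SAMPLE_LOG = """\
2020-10-01T09:12:01Z 10.0.0.5 GET https://js-pgrnce.stackblitz.io/ https://onedrive.live.com/ 200
2020-10-01T09:12:03Z 10.0.0.5 GET https://js-pgrnce.stackblitz.io/preview-d52be7f9f266a450f65cb.js https://js-pgrnce.stackblitz.io/ 200
2020-10-01T09:12:40Z 10.0.0.5 POST https://wny.asia/a/linkage.php https://js-pgrnce.stackblitz.io/ 302
2020-10-01T11:03:12Z 10.0.0.8 POST https://example-collector.invalid/login.php https://angular-ivy-aabnsh.stackblitz.io/ 200
2020-10-01T14:20:00Z 10.0.0.7 GET https://angular-ivy-zz9xyz.stackblitz.io/ https://stackblitz.com/edit/angular-ivy-zz9xyz 200
2020-10-01T15:00:00Z 10.0.0.9 POST https://login.microsoftonline.com/common/oauth2/v2.0/token https://outlook.office.com/ 200
"""

if __name__ == "__main__":
    for client, url, hits in analyze(SAMPLE_LOG):
        print(f"{client} {url} -> {', '.join(hits)}")
```

Run as a script it prints three alerts for the sample: the lure-delivered landing on js-pgrnce.stackblitz.io, the POST to the listed drop site wny.asia (both the IOC rule and the behavioural rule fire), and the POST to the unlisted example-collector.invalid host, which only the behavioural rule catches. The developer who opens a preview from the StackBlitz editor and the genuine Microsoft login produce nothing. The behavioural rule is the one worth keeping: it needs no prior knowledge of the drop site, whereas the IOC match only fires on hosts already known.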
IOC:

Spam 1
js-pgrnce(.)stackblitz(.)io
wny(.)asia/a/linkage(.)php

Spam 2
autojovi4x4(.)com/usa(.)html
angular-ivy-aabnsh(.)stackblitz(.)io
angular-ivy-yfhcr3(.)stackblitz(.)io
notas(.)dyndns(.)dk/del3/login(.)php

Other phishing domains observed:
1nxbcc-hedxe8(.)stackblitz(.)io
2podk-ff4mtn(.)stackblitz(.)io
6eyyd-zjrnne(.)stackblitz(.)io
7djnd-jzc89e(.)stackblitz(.)io
angualar-ivy-aabnsh(.)stackblitz(.)io
angula-ivy-epksfd(.)stackblitz(.)io
angular-4ulsja(.)stackblitz(.)io
angular-4vjbos(.)stackblitz(.)io
angular-9gejbd(.)stackblitz(.)io
angular-c8ebxa(.)stackblitz(.)io
angular-e9ebhj(.)stackblitz(.)io
angular-e9hqf9(.)stackblitz(.)io
angular-emu4e4(.)stackblitz(.)io
angular-exrste(.)stackblitz(.)io
angular-f6xehy(.)stackblitz(.)io
angular-ivy-1tsaka(.)stackblitz(.)io
angular-ivy-2nghsv(.)stackblitz(.)io
angular-ivy-3etd9y(.)stackblitz(.)io
angular-ivy-4pk3st(.)stackblitz(.)io
angular-ivy-62mfgk(.)stackblitz(.)io
angular-ivy-8vrqfq(.)stackblitz(.)io
angular-ivy-aabnsh(.)stackblitz(.)io
angular-ivy-ayzk51(.)stackblitz(.)io
angular-ivy-bkvyy7(.)stackblitz(.)io
angular-ivy-c8ebrc(.)stackblitz(.)io
angular-ivy-d55uqm(.)stackblitz(.)io
angular-ivy-dug3fr(.)stackblitz(.)io
angular-ivy-epksfd(.)stackblitz(.)io
angular-ivy-feppa5(.)stackblitz(.)io
angular-ivy-ikp1nd(.)stackblitz(.)io
angular-ivy-jtatnb(.)stackblitz(.)io
angular-ivy-jxxbb8(.)stackblitz(.)io
angular-ivy-kxyakr(.)stackblitz(.)io
angular-ivy-rsphh3(.)stackblitz(.)io
angular-ivy-rv7qqo(.)stackblitz(.)io
angular-ivy-tphvml(.)stackblitz(.)io
angular-ivy-uvhyey(.)stackblitz(.)io
angular-ivy-wwnxei(.)stackblitz(.)io
angular-ivy-xkuivv(.)stackblitz(.)io
angular-ivy-yfhcr3(.)stackblitz(.)io
angular-ivy-zbaxnt(.)stackblitz(.)io
angular-ivy-zff34d(.)stackblitz(.)io
angular-jwnijt(.)stackblitz(.)io
angular-kc1uhi(.)stackblitz(.)io
angular-lcj5yi(.)stackblitz(.)io
angular-lvy-bkvyy7(.)stackblitz(.)io
angular-n21op8(.)stackblitz(.)io
angular-nujspf(.)stackblitz(.)io
angular-nvavzw(.)stackblitz(.)io
angular-ojbaxu(.)stackblitz(.)io
angular-pcn7ny(.)stackblitz(.)io
angular-qx5ttm(.)stackblitz(.)io
angular-soswe4(.)stackblitz(.)io
angular-tjrwpf(.)stackblitz(.)io
angular-vdwkgy(.)stackblitz(.)io
angular-vv96yb(.)stackblitz(.)io
angular-xeqzqy(.)stackblitz(.)io
angular-xm7khp(.)stackblitz(.)io
angular-zinz3v(.)stackblitz(.)io
angular-zpsmud(.)stackblitz(.)io
angular-zxmgsz(.)stackblitz(.)io
angular-zzrtvx(.)stackblitz(.)io
angular-pnpebe(.)stackblitz(.)io
angular-cmjdm7(.)stackblitz(.)io
angular-ivy-6d2vss(.)stackblitz(.)io
hjgjhjn-csg4mf(.)stackblitz(.)io
js-1withj(.)stackblitz(.)io
js-2dfx8svt(.)stackblitz(.)io
js-3jeoen(.)stackblitz(.)io
js-6jce4b(.)stackblitz(.)io
js-7tkbpg(.)stackblitz(.)io
js-8j8wbj(.)stackblitz(.)io
js-azirnd(.)stackblitz(.)io
js-bfwssp(.)stackblitz(.)io
js-bgqenm(.)stackblitz(.)io
js-fx8svt(.)stackblitz(.)io
js-iqgiwv(.)stackblitz(.)io
js-iqqiwv(.)stackblitz(.)io
js-kfkbak(.)stackblitz(.)io
js-mdurny(.)stackblitz(.)io
js-pgrnce(.)stackblitz(.)io
js-pihxqe(.)stackblitz(.)io
js-rzhdtg(.)stackblitz(.)io
js-tk13zi(.)stackblitz(.)io
js-v4zgeb(.)stackblitz(.)io
js-xerqcn(.)stackblitz(.)io
officeloginaccount(.)stackblitz(.)io
react-ba2roi(.)stackblitz(.)io
rxjs-lv18nb(.)stackblitz(.)io
typescript-byr97k(.)stackblitz(.)io
typescript-dbnwsw(.)stackblitz(.)io
typescript-nxgptb(.)stackblitz(.)io
typescript-qeklm1(.)stackblitz(.)io
typescript-qgtbfk(.)stackblitz(.)io

Gayathri Anbalagan

You Deserve Better Than a Branch Firewall

Firewalls have long been an integral part of the branch network architecture. But recent trends have turned the once-sturdy firewall into something of a relic and are driving organizations to move toward a cloud firewall. Here’s why.

What’s past is prologue

If your branch offices are like most others, they’ve been home to regional teams or, perhaps, certain departments, such as a customer service center.
They generally have fewer employees than headquarters, and they also tend to have a select number of IP-enabled devices, such as printers and security cameras, in regular use. Most often, your branch employees accessed applications hosted in the data center or connected through a regional internet egress point. This accounted for roughly 75 to 80 percent of the network traffic in a branch office. These branch offices also had some local traffic segmentation and some minimum access controls in place. Under these conditions, the traditional firewall appliance was more than adequate to accommodate your user traffic.

But did you notice something missing? Yep. Security. There’s not a lot of security here. Instead, the focus of these branch firewalls was basic access control and connectivity: a path to the data center, plus application and device access. That was the role of the branch firewall.

Something’s different

Branch office network architecture has been evolving as a result of two trends that have changed the way employees work and the way organizations conduct business: cloud and mobility. Thanks to the cloud, applications are no longer housed only in the corporate data center. Salesforce, Office 365, and many other business-critical apps are in the cloud, and branch users are connecting to them directly over the internet. In fact, roughly 75 to 80 percent of traffic now goes to the internet instead of the data center, a total reversal from a few years ago. Direct-to-internet connections must be secured, but the question is how. Can you put a full next-generation firewall (NGFW) security stack in every branch? And what happens when employees leave the branch and connect from home or over public Wi-Fi? In the past, employees reached specific applications over secure links that you controlled. Now, employees are accessing data, applications, and websites over networks you don’t control, increasing the risk to your organization.
Put it all into context

With all of these changes, your fundamental architecture also has to change. Migration to an architecture that allows direct-to-internet connections is critical, but to allow direct connections, security has to evolve as well. You can no longer afford to backhaul traffic to centralized security; you need to inspect close to the user. Furthermore, you need deep inspection with context about the traffic you’re inspecting. But to build that context, you need a lot of data.

Traditional hardware-based security is based on what’s known: signatures are compared to lists of known threats, and if they match, the threat gets blocked. But there is no guarantee that what is good today is going to be good tomorrow. After all, web pages don’t just contain plain text nestled inside HTML tags. They are filled with scripts, plug-in content such as Java applets, Flash and ActiveX controls, and other objects designed to run code. Attackers routinely embed malicious scripts and applications in legitimate websites, turning a previously “safe” site into a suddenly dangerous one. And much of this is hidden within SSL-encrypted traffic, helping bad actors evade detection and putting visitors at risk. Without native SSL inspection capabilities, your security appliances would allow employees to access these sites, risking infection of their systems and possibly the network.

It’s well known that signature-based security alone is no match for today’s threat actors. Security must go deeper and look at the context of every transaction: the operating system on the user’s machine, the transport or gateway being used to connect to the destination, and the destination the user is trying to access. Even DNS comes into play. Additionally, this context takes into account the party that registered the domain and checks whether that party is associated with other domains, particularly those known to be suspicious.
All of this information is needed to build context and get a true picture of any potential threat, and it needs to happen instantly.

Not today

With traditional hardware-based security, most architectures would have to sacrifice user experience to attempt to build this context, if they could build it at all. But a poor user experience is unacceptable with a growing work-from-anywhere workforce. So IT teams need to achieve this deeper context while still providing a best-in-class user experience. That is what the new world demands, and these demands are more than branch firewalls can deliver. Appliance-based firewalls can’t provide identical security everywhere without compromising the user experience. Today’s security solutions must scale to accommodate growing bandwidth needs, and they must provide identical security no matter where users connect: the branch, the HQ, at home, or on the road. Branch firewalls lack the capacity to handle growing bandwidth needs and lack the functionality to secure users in the cloud and mobile world. In short, branch firewalls are irrelevant in this new world.

Virtual and next-generation firewalls

As an answer, some organizations are turning to virtual firewalls, but they have the same limitations as physical firewalls. The only difference between a virtual and a physical firewall is the form factor, which lets you bring a virtual system online or add capacity more quickly and easily than with a piece of hardware. Its functions and limitations are otherwise the same. Many see virtualization as a way to scale, but this approach can end up being costly: as your capacity needs grow, the vendor may be able to accommodate you quickly, but you’re going to pay for it every time. And virtual firewalls still don’t address the security challenge.

A better solution

Since your applications and your users are moving to the cloud, shouldn’t your security?
A cloud-built solution can better address the needs of today’s branch offices and your employees. A cloud-built solution enables secure, direct-to-internet connections for a fast user experience without any appliances to purchase, deploy, or manage. It also brings the entire security stack close to the user to ensure identical protection when they leave the branch office. And, a cloud-built solution reduces costs and complexity by reserving the use of MPLS for data center traffic only. Unlike appliances, a cloud-native solution scales elastically to handle SSL inspection and the demands of cloud application traffic, which often require multiple long-lived connections. It also provides security and access controls for internet traffic on all ports, not just 80 and 443, to prevent advanced threats. It logs every session and delivers real-time visibility and policy enforcement across all users, all locations, all applications, and all ports and protocols from a single console. You deserve better and so do your users Even before the recent work-from-home mandates, the world of the branch office was changing. Traditional firewalls just weren’t built to function in a world where applications have moved out of the data center, the internet is the new transport network, and employees are working from everywhere, not just the office. In addition, firewalls can’t provide the level of security necessary to fight increasingly sophisticated and targeted threats. Don’t your branch offices, and your employees, deserve something better? Are you ready to move away from your traditional branch firewall? Let Zscaler show you how. Naresh Kumar is Director of Product Management, Zscaler Naresh Kumar