Category Archives: Cyber-Ark


Building a secure DEVOPS pipeline

Category : Cyber-Ark

Thursday, February 22, 2018 at 17:00 CET | 16:00 GMT | 11:00 EST

PwC and CyberArk: Is your Continuous DevOps Pipeline Continuously Secure?

Code fast, beat the competition to market, and make more money. This is the value of DevOps, but are you missing a step? Now that developer and operations teams have settled their differences and use countless containers, applications and virtual machines to build and ship at unprecedented scale and speed, do you still know who has access to those virtual machines and applications? Where are the secrets and credentials stored? Is your continuous CI/CD pipeline continuously secure? How would you know?

PwC knows.

By attending this webinar you will learn from PwC’s experience, garnered from years of working with clients to identify, design and deploy secure DevOps solutions. PwC’s experience, combined with CyberArk’s dedication to privileged account security, brings the expertise you need to secure your DevOps pipeline and stay in compliance without adding roadblocks to DevOps workflows.

By registering for this event, you consent to the event organizers using your contact information for the purposes of contacting you regarding cybersecurity related products, events or news and general marketing communications. 



Category : Cyber-Ark

Only days into the Winter Olympics and reports of cyber attacks are making headlines. Officials have confirmed that a cyber attack is to blame for an internet and Wi-Fi shutdown during the opening ceremony.

Noncritical systems were impacted – including the official Olympics website, which according to reports, went offline when organizers shut down servers to address the attack. Wi-Fi service also stopped working.

This follows the Department of Homeland Security’s recent warning that the 2018 Winter Olympics will be a hotbed of cybercriminal activity. While the warning was directed at those in attendance, you don’t have to be sitting in the stands to become an unwitting target.

Whether they’re part of a criminal syndicate or part of a nation-state attack group, cyber attackers love to use high-profile public events as a cover for their malicious activity. Even the most security conscious person can let their guard down when they’re caught up in the spectacle and excitement of something like the Olympics.

With that in mind, here are a few techniques and approaches that we believe attackers will use during the Olympics, both to target spectators on-site and those watching and reading about the Olympics at home or from the office.


Cryptomining Attacks

Cryptomining attacks are quickly replacing ransomware as the attack du jour. Attackers will compromise websites that are commonly used to view Olympic activity, stream events or report on what’s happening at the games.

By visiting a compromised site, users unwittingly donate their computing power to mine cryptocurrency on behalf of the attacker, without ever knowing they were part of the process. The mining code runs as script inside the browser, so no malware needs to be installed on the user’s endpoint. The only indication of the attack may be that the computer runs slower because its processing power is being consumed.

We’ll dig into crypto-attacks more in a subsequent blog post.
High Value Targets:  Olympic viewers back home or in the office

Spear Phishing Campaigns

This is one of the most common methods attackers use to gain a foothold on an endpoint or in an organization. Attackers use people’s information to target them with a tailored malicious email, in the hope that they’ll click a link or open an attachment and unleash the payload it carries.

There are already reports that attackers have been targeting Olympic officials for months. Whether you’re watching the games from home or attending, be wary of any email that contains links or attachments to information about events, times and websites to watch the games. Vigilance is the best defense against phishing attacks.
High Value Targets:  Olympic athletes, Olympic officials, country delegations and government representatives, viewers/fans

IoT and Mobile Payment Attacks

Mobile payments and IoT promise to be a big part of the 2018 Winter Olympics. Internet-connected devices have been a favorite target of attackers over the past year, primarily because of the incredibly poor security of most IoT devices. We can expect attackers to probe the defenses of devices used during the Olympics, whether cameras, wearables or any other device gathering data on athletes, attendees and officials.

While mobile payments make life much easier for the consumer, the platforms have historically had poor security and represent a real threat to consumer security. Some of the more prevalent mobile payment attacks include spoofed mobile wallets and malware on the phone itself, which collects your data, passwords and other sensitive information.
High Value Targets:  Fans/attendees, Olympic athletes, Olympic officials

Public Wi-Fi-Related Attacks

Public Wi-Fi-related attacks are an oldie and attacker favorite – something that has manifested in previous Olympics (or any public event where free Wi-Fi is provided).

These attacks are incredibly common because free Wi-Fi is typically poorly secured. It is fairly easy for an attacker on the same network to use Wi-Fi sniffing software to capture the data transmitted over it. This becomes worrisome when you use public Wi-Fi for sensitive transactions like banking, or even for entering passwords into websites.

If you’re at the games, be extra careful about which network you connect to, and try to avoid websites where you need to enter passwords or sensitive information (like Social Security numbers), as well as banking and financial websites.

In addition to these recommendations, visitors should consider using a mobile hotspot instead of public Wi-Fi.
High Value Targets: Olympic athletes, fans in attendance





Category : Cyber-Ark

In this blog post, we introduce a technique that lets an attacker run malicious code on Microsoft Windows 10 (version 1607) through PowerShell (version 5). CyberArk alerted Microsoft to the weakness; Microsoft addressed it in version 1709, but organizations that haven’t deployed that update remain at risk.

On unpatched systems, the technique runs code straight from memory while bypassing the Microsoft AMSI (Antimalware Scan Interface) protection, giving attackers the ability to run malicious code on a victim’s machine without being detected.


As described in the Microsoft Developer Network (MSDN), AMSI is a generic interface standard that allows applications and services to integrate with any antimalware product present on a machine. It provides enhanced malware protection for users and their data, applications and workloads.

See Figure 0 for where AMSI sits in the stack.

Figure 0 - AMSI architecture (courtesy of Microsoft)

AMSI is antimalware vendor agnostic, designed to allow for the most common malware scanning and protection techniques provided by today’s antimalware products that can be integrated into applications. It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques.

By default, AMSI works with Windows Defender to scan the data handed to it. Windows Defender unregisters itself as an AMSI provider and shuts itself down when another AV engine registers as an AMSI provider.

The bypass described in this research exploits the fact that AMSI’s protection runs at the same level as the threat it inspects. AMSI is implemented as a dynamic-link library (amsi.dll) that is loaded into every PowerShell process, in the same address space and with the same privileges as the script being scanned. Code running in that session, including the bypass code itself, can therefore modify the DLL in memory.

AMSI & PowerShell

Starting with Windows 10, AMSI protects PowerShell by default. PowerShell is a very powerful system tool, used by both system administrators and attackers.

A few important things to note:

  • AMSI protects PowerShell by loading its DLL (amsi.dll) into the PowerShell process’s memory space.
  • AMSI does not distinguish between a simple user with low privileges and a powerful user such as an administrator; it loads its DLL into every PowerShell instance.
  • AMSI submits the PowerShell console input to the registered provider (Windows Defender by default), which determines whether the payload is blocked or allowed to continue.

API monitoring in Figure 1 shows AMSI’s behavior behind the scenes:

  • the string that was submitted to the PowerShell console (“echo ‘Avi-G’”), and
  • the AmsiScanString() call (visible in API Monitor) that was invoked automatically as soon as the new input string was entered.

Figure 1- AmsiScanString

Bypassing AMSI General Flow

In our research, we bypassed PowerShell’s AMSI protection while running as a simple user with low privileges. Malware can use the same technique to run its payload under any kind of user account.

We used the following components to perform the bypass:

Figure 2- POC components

Obtainer - a simple C# script, crafted as a PowerShell module, responsible for loading our AmsiDumpsi.dll.

Operator - AmsiDumpsi.dll, responsible for patching the real amsi.dll AmsiScanString() function in memory.

Figure 3 shows the complete process:

Figure 3- Bypassing Flow

It’s worth mentioning that our first AMSI bypass attempt was simply to unload amsi.dll by calling the FreeLibrary() API. The module was unloaded, but PowerShell crashed because the process kept using its handle to amsi.dll.

Deep Diving into the POC code

Let’s take a short look at the original AmsiScanString() function:

Figure 4- Original AmsiScanString() Function

As you can see at 7fff9c1b2530 – 7fff9c1b2560, AmsiScanString() first checks the integrity of its arguments. Right after that, it prepares the user’s arguments to be passed to the real scan: AmsiScanBuffer() treats the console input string as a buffer to be scanned.

Our AmsiDumpsi.dll patches the original AmsiScanString() function straight in the memory. Here you can see the function at runtime after the patch:

Figure 5- AmsiScanString() After Patching

By changing the second instruction of the function, we zero one of the given arguments (rdx), which makes the argument check fail. The function therefore jumps straight to its error exit (instead of scanning the string with AmsiScanBuffer()), stores the error code in the eax register and returns it to the caller (see address 00007fff9c1b2579).

By changing the instruction at 00007fff9c1b2579, we replace the error code with zero: eax now receives 0 [mov eax,0] instead of the original [mov eax,0x80070057] (E_INVALIDARG), and the function returns 0.

As Microsoft’s documentation shows, a return value of 0 is S_OK. S_OK tells the caller that the function successfully “scanned the payload” (when in fact the scan was bypassed), so execution simply continues.

Figure 6- AmsiScanString() Documentation

Now let’s look at the Obtainer code:

Figure 7- Obtainer loads AmsiDumpsi.dll

As you can see, it is simple C# code compiled into a PowerShell module with the Add-Type cmdlet. This module loads AmsiDumpsi.dll.

Here we can see the patch function in the AmsiDumpsi.dll:

Figure 8- Patch Function

As you can see, AmsiDumpsiAttached() performs the following steps:

  1. Get a pointer to the real amsi.dll AmsiScanString() function.
  2. Locate the original error code (0x80070057) that the function returns when its argument check fails.
  3. Make the target memory writable by setting the page to PAGE_EXECUTE_READWRITE.
  4. Patch the second AmsiScanString() instruction with the opcodes 48 31 D2 [xor rdx,rdx].
  5. Set the AmsiScanString() error code to 0.

Here’s a video that demonstrates this:


Let’s see what happens when we try to pull a malicious Mimikatz payload into the PowerShell session using Net.WebClient’s DownloadString method and the iex (Invoke-Expression) cmdlet, which evaluates the downloaded string in the PowerShell session:

Figure 9 - AMSI and Defender protect against the new malicious payload submission

As you can see, Defender pops up and blocks the string (payload) from being invoked. If we look for the downloaded Mimikatz function (using Get-Item), we can’t find it.

After loading our AmsiDumpsi.dll with the Obtainer, the downloaded Mimikatz function is present, and no Defender alert has appeared:

Figure 10- Bypassing the AMSI protection, new Mimikatz payload submitted into the process memory


This research demonstrates how the bypass works on unpatched systems via PowerShell, regardless of the user’s privileges.

The strength of the technique is that nothing looks wrong from the outside: amsi.dll is still loaded in every PowerShell process, the AmsiScanString() API call still happens on every input, and AMSI appears to be working correctly. The only way to see that it is not doing its job is to protect the DLL in memory or to examine its code at runtime.

For this reason, it’s important that organizations push the update to all systems to avoid unnecessary risk.
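The defensive mirror of the technique, as an added example that is not part of the original post or of any CyberArk tool: a PowerShell function that inspects the copy of amsi.dll loaded into the current PowerShell process for the two traces the patch leaves behind, namely known patch bytes at the start of AmsiScanString()/AmsiScanBuffer() and a code page whose protection was changed to PAGE_EXECUTE_READWRITE. It assumes 64-bit Windows 10 with PowerShell 5; the byte signatures are heuristics for the patches described above and for common early-return stubs, and the optional baseline (first 32 bytes of each export captured from a clean process on the same build) is assumed to be supplied by the operator.

```powershell
# Added example, not code from the original post: probe the amsi.dll loaded into
# *this* PowerShell process for patched AmsiScan* code and writable code pages.
$native = @'
using System;
using System.Runtime.InteropServices;
public static class AmsiProbe {
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll")]
    static extern IntPtr VirtualQuery(IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    // Address of an amsi.dll export in this process, or IntPtr.Zero if amsi.dll is not loaded.
    public static IntPtr Export(string name) {
        IntPtr h = GetModuleHandle("amsi.dll");
        return h == IntPtr.Zero ? IntPtr.Zero : GetProcAddress(h, name);
    }
    // First n bytes of machine code at addr.
    public static byte[] Read(IntPtr addr, int n) {
        byte[] b = new byte[n]; Marshal.Copy(addr, b, 0, n); return b;
    }
    // PAGE_* protection of the page containing addr (0 if VirtualQuery fails).
    public static uint Protect(IntPtr addr) {
        MEMORY_BASIC_INFORMATION m;
        IntPtr len = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
        return VirtualQuery(addr, out m, len) == IntPtr.Zero ? 0u : m.Protect;
    }
}
'@
if (-not ('AmsiProbe' -as [type])) { Add-Type -TypeDefinition $native }

function Test-AmsiIntegrity {
    param(
        [string[]]$Exports = @('AmsiScanString', 'AmsiScanBuffer'),
        # Optional: export name -> hex of its first 32 bytes, captured from a clean
        # PowerShell process on the same Windows build (assumed to be supplied by you).
        [hashtable]$Baseline = @{}
    )
    # Offset-0 signatures are early-return stubs; the "anywhere" signatures are the
    # two instructions the post's AmsiDumpsi.dll writes into AmsiScanString().
    $atStart  = @{ 'C3' = 'ret'; 'E9' = 'jmp rel32 (hook)'; '31C0C3' = 'xor eax,eax; ret'
                   'B857000780C3' = 'mov eax,E_INVALIDARG; ret' }
    $anywhere = @{ '4831D2' = 'xor rdx,rdx (argument zeroed)'; 'B800000000' = 'mov eax,0 (forced S_OK)' }

    foreach ($fn in $Exports) {
        $addr = [AmsiProbe]::Export($fn)
        if ($addr -eq [IntPtr]::Zero) {
            [pscustomobject]@{ Function = $fn; Address = $null; Protect = $null; Bytes = $null
                               Findings = @('amsi.dll or export not present in this process') }
            continue
        }
        $bytes = [AmsiProbe]::Read($addr, 32)
        $hex   = -join ($bytes | ForEach-Object { $_.ToString('X2') })
        $prot  = [AmsiProbe]::Protect($addr)
        $findings = @()
        foreach ($p in $atStart.Keys) { if ($hex.StartsWith($p)) { $findings += "starts with $p ($($atStart[$p]))" } }
        foreach ($p in $anywhere.Keys) {
            # (?:..)*? keeps the match on an even offset, i.e. a real byte boundary
            if ($hex -match "^(?:[0-9A-F]{2})*?$p") { $findings += "contains $p ($($anywhere[$p]))" }
        }
        # 0x20 = PAGE_EXECUTE_READ is what an image code page should have;
        # 0x40 (EXECUTE_READWRITE) or 0x80 (EXECUTE_WRITECOPY) means it was made writable.
        if ($prot -in 0x40, 0x80) { $findings += ('code page is writable (protection 0x{0:X})' -f $prot) }
        if ($Baseline.ContainsKey($fn) -and $Baseline[$fn] -ne $hex) { $findings += 'bytes differ from baseline' }
        [pscustomobject]@{ Function = $fn; Address = ('0x{0:X}' -f $addr.ToInt64())
                           Protect  = ('0x{0:X}' -f $prot); Bytes = $hex; Findings = $findings }
    }
}

Test-AmsiIntegrity | Format-List
```

An empty Findings list on a clean host is the expected result. The signatures catch the patch described in this post and the usual early-return stubs, but any unknown patch is only caught by the baseline comparison, so capture and distribute a baseline per Windows build; note also that some endpoint security products legitimately place a jmp hook at the start of AmsiScanBuffer(), so treat the 'E9' finding as something to correlate with the installed AV rather than as proof of compromise.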





Malware, Mistakes and Meaningful Measures to Protect Critical Infrastructure

Category : Cyber-Ark

Security and industry experts have long advocated for the need to increase the protection of critical infrastructure – including transportation systems, energy and utilities providers, and financial services. The implications of an attack on our nation’s systems are far reaching – from disrupting delivery of key services to impacting public safety.

Just recently, researchers presented an analysis of Triton, malware used in the third recorded cyber attack against industrial equipment. Findings indicate that the malware entered the plant through a weakness in “security procedures that allowed access to some of its stations as well as its safety control network.” Additionally, recent erroneous alerts regarding missile strikes caused panic in Hawaii and Japan, each alleged to be the result of human error. These incidents shine an important light on the cyber security procedures used to safeguard critical systems against external attackers and insiders, whether malicious or not.

From an attacker’s perspective, whether they have already compromised the network or are targeting a specific mission-critical objective, their TTPs (tactics, techniques and procedures) will include gaining access to privileged accounts to achieve their ultimate goal.

Historically, we have seen the software and systems that run critical infrastructure compromised through shared privileged accounts and default passwords that were never changed. Such hardcoded passwords are static and can be guessed or brute forced by attackers. Once attackers gain access to privileged accounts, they have full control of the system.

In past attacks on similar systems, the attackers used this access to emergency communications for ‘prank attacks,’ such as the 2013 case in Montana where a zombie outbreak warning was broadcast to residents. In light of the severity and panic-inducing nature of the recent erroneous emergency reports, these former ‘prank attacks’ take on a more ominous outlook, demonstrating the destructive potential of such false alerts.

These examples also provide insight into how malicious attackers could compromise sensitive systems and infrastructure, as well as the steps needed to protect them from outside attacks. This starts with identifying where privileged accounts exist, implementing stronger management of the credentials that provide access to and control over such critical infrastructure, and ensuring ongoing management and visibility into those accounts.




Building a Secure DevOps Pipeline

Category : Cyber-Ark

A PwC Cybersecurity and Privacy white paper

Businesses across the world are turning to DevOps—fusing software development, integration, test, and operations practices—to accelerate digital transformation and enhance business performance. Along with its agility and velocity, DevOps requires more scalable and agile security methodologies.

Read this white paper to understand how PwC’s capabilities in helping clients identify, design and deploy improved processes and technical solutions for DevOps also cover a critical element: secrets management. PwC’s experience working with CyberArk lets IT organizations efficiently manage secrets and authorization privileges across the DevOps pipeline, helping security teams mitigate risks and improve compliance without hindering DevOps workflows.


15 Cyber Security Stats At-A-Glance

Category : Cyber-Ark



Last year, the world witnessed a barrage of crippling cyber attacks, from the unprecedented breach of a credit bureau that compromised the personal data of 145 million consumers, to leaked government tools belonging to the NSA, to major ransomware campaigns including WannaCry, Bad Rabbit and NotPetya, to revelations that Yahoo’s breach included 3 billion accounts. Many of the most destructive cyber attacks in 2017 were executed by successfully exploiting privileged accounts. Unsecured privileged accounts give attackers access to your highest value assets and data.

As the attack surface continues to expand on pace with technological advancements, the threat will only increase without mitigation. Following is a list of 15 cyber security stats, curated from a number of industry sources, to help illustrate the current landscape and underscore the urgency of putting privilege first in 2018:

  1. By 2020: 4 billion people will be online, 50 billion devices will be connected to the internet and data volumes will be 50x greater than they were in 2016 (Source: Microsoft)
  2. Percentage of computer users who will click on a link from an unknown sender: 50 percent (Source: TechRepublic)
  3. Amount of money that ransomware victims have paid out over the past two years: $25 million (Source: The Verge)
  4. Global average cost of a data breach: $3.62 million (Source: IBM)
  5. Average cost for each lost or stolen record containing sensitive and confidential information: $141 (Source: IBM)
  6. Number of unfilled cyber security jobs by 2021: 5 million (Source: CSO Magazine)
  7. Average number of days attackers spend inside systems, undetected: 99 days (Source: FireEye)
  8. Percentage of organizations who admit to not fully informing customers when their personal data was compromised in a cyber attack: 50 percent (Source: CyberArk via Vanson Bourne)
  9. Percentage of security pros who say their organization can’t stop every attempt to break into their internal network: 46 percent (Source: CyberArk via Vanson Bourne)
  10. Percentage of boards that participate in the review of current security and privacy risks: 31 percent (Source: PwC)
  11. Percentage of business leaders who do not understand what they should do if a cyber security incident occurs: 52 percent (Source: CyberArk via Vanson Bourne)
  12. Organizations currently using cloud services: 93 percent (Source: McAfee)
  13. Organizations actively using containers today: 83 percent (Source: Forbes)
  14. Percentage of security and DevOps pros who failed to identify all places where privileged accounts or secrets exist: 99 percent (Source: CyberArk via Vanson Bourne)
  15. Percentage of security pros who report that their organization has not implemented a privileged account security solution for DevOps: 73 percent (Source: CyberArk via Vanson Bourne)




The Power and Potential of Robotic Process Automation. And the Security Risks.

Category : Cyber-Ark


Robotic process automation (RPA) is a powerful emerging technology that streamlines and standardizes many human user processes and harmonizes different systems across an organization’s environment. So what do IT security professionals need to know about RPA platforms and their connection to privileged credentials? Very simply, RPA is a new attack vector, and organizations need to protect the privileged accounts that the RPA platform uses.

Because RPA software interacts directly with business applications, using credentials and entitlements that mirror those of human users, it introduces risk when the software robots perform routine business processes across multiple systems.

Attend the seminar and LEARN MORE


Using Azure, AWS or Google? Protect Privileged Accounts in the Cloud for Consistent Enforcement of Security Policies

Category : Cyber-Ark

CyberArk enables organizations to protect cloud assets by providing powerful solutions for securing privileged accounts and credentials at each stage of the cloud journey.

An increasing number of organizations don’t use just one cloud provider. For various reasons including business flexibility, multiple business lines, prior acquisitions, geographic coverage and redundancy, they use multiple cloud providers. Additionally, large organizations often have legacy, on-premises and hybrid environments, in which case, the same IT administrators may access and manage multiple compute, development and automation environments.

CISOs and IT leaders want, as a best practice, to be able to enforce the same security and access policies across the entire enterprise regardless of the compute environments, delivery pipelines and automation tools.

To implement this best practice, enterprises typically want to manage privileged user credentials and access permissions with a digital vault as a single control point.

CyberArk provides solutions for Azure and other cloud providers, including AWS and Google. In response to strong customer demand, CyberArk continues to enhance and expand its cloud and DevOps capabilities to meet the evolving needs of organizations adopting the cloud.

Whether your organization has fully embraced the cloud or is just starting the journey, it is essential to implement robust privilege management policies to protect your cloud assets. CyberArk has the solutions, resources and cloud expertise to help enterprises protect and secure the “keys to their cloud kingdom.”

For more information about securing your cloud assets, please see “Securing the Enterprise’s Cloud Workloads on Microsoft Azure” and other resources available on our website.




CYBERARK LABS: Evolution Of Credential Theft Techniques Will Be The Cyber Security Battleground Of 2018

Category : Cyber-Ark

In the past year, organizations continued to struggle to address cyber security risks created in the wake of rapid technology adoption. Technology adoption needs to be aligned with effective risk management strategies, and the challenge most organizations face is that today’s technologies often lack the security of more mature technologies. This has opened organizations to attacks targeting privileged credentials. Look no further than cyber attacks and data breaches at companies like Yahoo! and Uber that flooded the dark web with billions of credentials for potential misuse.

In the wake of these attacks, the coming year will see increased automation and expanding hybrid cloud and DevOps environments, creating fertile ground for attackers through a growing variety of privileged credentials associated with human and non-human users. These include credentials for employee and remote vendor sessions and browsers, service accounts, access keys, machine identities, SSH keys and embedded passwords.

Based on its research, CyberArk Labs believes that credential-based attacks and exploitation will accelerate and dominate the threat landscape in 2018. Following are specific examples of where privileged credential risk will be most prevalent.

  • Attackers Hide Behind Machine Identities – While federated identities are increasing, identity boundaries are decreasing across devices and networks, creating a murky security environment. The number of identities will only increase in the coming years with the adoption of services-oriented environments. One of the implications is an expanded attack surface, one no longer limited to the exploitation of domain admin credentials as a primary target. Security teams must be prepared to not only determine “who” – but increasingly “what” can be trusted. By stealing machine identities, attackers can keep a lower profile on the network while using related credentials to control processes and even security policies. For example, CI/CD tools can become critical assets – the most sensitive on the network. When credentials for these tools are exploited, an attacker can gain control of the entire DevOps workflow and weaponize the tools to push malicious code or configurations.
  • Key Chaos Leads to Unintended Consequences – The prevalence of SSH keys to access cloud resources and the lack of adoption of PKI for DevOps environments are leading contributors to key chaos, which increases security risk and the chances of key exposure or compromise through simple mistakes or human error. Security teams must improve oversight and management to avoid these keys becoming easy targets for attackers. The main concerns associated with unmanaged keys center on the proliferation of machine and human identities that provide privilege escalation opportunities. For example, a user with access to a machine-assigned role with account-level privileges may be able to steal that machine’s identity and adversely affect the cloud account. Additionally, the use of temporary tokens can be a double edged sword. Temporary tokens are an improvement to static keys, generally expire after a period of time, and are used to permit dynamic privilege. Temporary tokens can provide better security, but only if managed and provisioned properly, including oversight of who has those keys at any moment of time.
  • Security as a Target: Authentication in Attackers’ Crosshairs – Cloud is pushing towards identity consolidation as we consume more “services” and less raw technology. Consolidation of identity means more opportunity for lateral movement across services, and a compromise of the authentication service may lead to a total loss of the identity. Current authentication methods such as two-factor and single sign-on must adapt to protect against emerging threat vectors, or become targets themselves. If these tools are compromised, they give attackers unprecedented flexibility and the ability to compromise networks at a deep level. From a defensive perspective, evolving blockchain technology could be adopted to remove the single point of trust and failure that Golden Ticket and forged-SAML techniques rely on. Blockchain-based authentication could, for example, move the trust currently placed in Active Directory to the network as a whole, forcing attackers to compromise a substantial number of assets and sensors (to reach consensus) before they can authenticate. Authentication and the larger realm of security controls will continue to be an enticing target given their heightened power and trust.




Preventing Attacks Launched Deep Within the Network

Category : Cyber-Ark

Attacks that abuse Kerberos, the authentication protocol at the heart of Windows Active Directory, have been behind some of the biggest breaches in recent history. These attacks are troublesome for many reasons, including a complete and total loss of control over the domain controller. Threat actors have uncovered a number of weaknesses in Kerberos and its Windows implementation that, when exploited successfully, elevate unprivileged domain accounts to domain administrator. The attacker’s intent is to use Kerberos tickets to appear as a legitimate, fully authorized user when authenticating to systems within the network.

These attacks are extremely difficult to detect, and even more difficult to prevent. Other solutions in the market can detect Kerberos attacks but come with limited functionality, agent-based performance issues and well documented bypass techniques, calling into question their value and effectiveness. CyberArk Privileged Threat Analytics is the only solution able to detect, alert on, prevent and remediate a variety of Kerberos-style attacks (Golden Ticket, Overpass-the-Hash, DCSync and PAC [MS14-068] attacks).

Attackers will get inside. It’s what they do. Far too many organizations continue to focus solely on defending against perimeter attacks without considering the impact and devastation of an attack launched from deep within the network. Moreover, while vaulting credentials is certainly a best practice, privileged credentials are often not required for the attacker to succeed in this type of attack, so organizations will undoubtedly benefit from the analytics capabilities CyberArk can provide. This type of attack needs to be prioritized and top of mind for every security operations team.

In this demo, we walk through an example of how CyberArk Privileged Threat Analytics is able to not only detect, but also automatically stop an attack, preventing further damage to a domain controller. This scenario presents a situation where an attacker gains access to a compromised machine and utilizes a post-exploitation tool to move laterally to a domain controller. The attacker then uses a hash stolen from a logged-in user on the compromised machine, performs an Overpass-the-Hash attack, and gains access to the domain controller. Watch the video below to see how CyberArk detects this activity and breaks the attack chain before irreparable damage is done.
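A log-based detection for the Overpass-the-Hash step in the scenario above, as an added example that is not part of the original post and is not how Privileged Threat Analytics works: an attacker who requests a TGT with a stolen NTLM hash produces Security event 4768 on the domain controller with TicketEncryptionType 0x17 (RC4-HMAC), even for an account whose normal logons negotiate AES (0x12), and on the source host Mimikatz’s pth leaves a 4624 logon of type 9 (NewCredentials) through the “seclogo” logon process. The three events, the host names, the addresses and the user name below are constructed for this example; the field layout follows the Windows Security event XML.

```powershell
# Added example, not from the original post: flag Overpass-the-Hash artifacts in
# Windows Security events. Sample events are constructed; feed real ones from
# Get-WinEvent (see the last comment).
$SampleEvents = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4768</EventID><TimeCreated SystemTime="2018-02-20T10:15:00Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data><Data Name="ServiceName">krbtgt</Data><Data Name="Status">0x0</Data><Data Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::ffff:10.0.5.23</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4768</EventID><TimeCreated SystemTime="2018-02-20T10:17:42Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data><Data Name="ServiceName">krbtgt</Data><Data Name="Status">0x0</Data><Data Name="TicketEncryptionType">0x17</Data><Data Name="IpAddress">::ffff:10.0.9.77</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2018-02-20T10:17:40Z"/><Computer>WS-FINANCE-07.corp.example</Computer></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">9</Data><Data Name="LogonProcessName">seclogo</Data><Data Name="AuthenticationPackageName">Negotiate</Data><Data Name="IpAddress">::1</Data></EventData></Event>
'@ -split "`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Value of one <Data Name="..."> field of an event.
function Get-EventField {
    param([xml]$Event, [string]$Name)
    ($Event.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-OverpassTheHash {
    param(
        [Parameter(ValueFromPipeline = $true)][string]$EventXml,
        # Accounts known to need RC4 (legacy service accounts); assumed to be maintained
        # by the operator. Computer accounts (names ending in $) are skipped.
        [string[]]$RC4Allowed = @()
    )
    process {
        $x    = [xml]$EventXml
        $id   = [int]$x.Event.System.EventID
        $user = Get-EventField $x 'TargetUserName'
        $base = @{ User = $user; Host = $x.Event.System.Computer; Time = $x.Event.System.TimeCreated.SystemTime }
        switch ($id) {
            4768 {
                # Successful TGT request encrypted with RC4 = the KDC was given an NTLM hash.
                if ((Get-EventField $x 'Status') -eq '0x0' -and
                    (Get-EventField $x 'TicketEncryptionType') -eq '0x17' -and
                    $user -notlike '*$' -and $user -notin $RC4Allowed) {
                    [pscustomobject]($base + @{ Indicator = 'RC4 TGT request (possible NTLM hash reuse)'; Source = Get-EventField $x 'IpAddress' })
                }
            }
            4624 {
                # Logon type 9 (NewCredentials): a process was started with injected credentials.
                if ((Get-EventField $x 'LogonType') -eq '9') {
                    [pscustomobject]($base + @{ Indicator = 'NewCredentials (type 9) logon'; Source = Get-EventField $x 'LogonProcessName' })
                }
            }
        }
    }
}

# Offline run over the constructed events. For live data replace $SampleEvents with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4624 } | ForEach-Object { $_.ToXml() }
$SampleEvents | Find-OverpassTheHash | Format-Table Time, Host, User, Indicator, Source -AutoSize
```

On the constructed input the first 4768 (AES, 0x12) is silent, the second (RC4, 0x17, from a different address two minutes later) is flagged, and the type 9 logon on the workstation two seconds earlier is flagged as the likely source; correlating the two by user and time is what turns two weak signals into a strong one. The RC4 rule only works where the domain’s accounts actually negotiate AES, so before enabling it check msDS-SupportedEncryptionTypes for the accounts that still legitimately fall back to RC4 and add them to -RC4Allowed.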

Request a live demo to see Privileged Threat Analytics in action or download the Data Sheet for more information.


Author: Corey OConnor