Are we done with WannaCry?

Several customers and industry analysts frequently ask us (and other vendors) about independent validation of our capabilities. We wanted to share information about a recent test conducted by MRG-Effitas to validate the effectiveness of various traditional and next-generation endpoint security suites against the EternalBlue exploit and the DoublePulsar backdoor. These threats were unearthed by “The Shadow Brokers” hacking group and are said to have been used by the NSA-linked Equation Group to launch cyber-attacks. The EternalBlue exploit received worldwide attention recently due to the WannaCry outbreak, which used this exploit to infect over 230,000 machines in over 150 countries.

And unfortunately, WannaCry does not seem to be the end of these threats. Attackers can use these same exploits not only to lock up data and demand ransom, but also to steal employee credentials and exfiltrate other sensitive information (think of this as a two-for-one attack: an advanced threat combined with ransomware). Worse yet, as seen in this particular case, attackers can bypass traditional and next-generation security measures, including hundreds of intelligence feeds. Further, security researchers who have tested security tools claim that these threats bypass 99% of the security tools out there, and we are likely sitting with thousands more infected computers across several industries.

MRG-Effitas tested these exploits against various traditional and next-generation endpoint security suites, including SentinelOne, Cylance, ESET, Symantec and others. The tests began in May 2017, two months after Microsoft disclosed the MS17-010 vulnerability (the one EternalBlue exploits) and within weeks of the WannaCry outbreak.

The summary of the MRG-Effitas tests is as follows:

  1. We’re happy to see that SentinelOne passed this test with flying colors.
    • In the words of MRG-Effitas: “SentinelOne was able to block every malicious payload DLL or shellcode introduced to the system via the Eternalblue exploit, by blocking it in a generic way. Both original Eternalblue with Doublepulsar and Metasploit port were tested. SentinelOne not only blocks the Meterpreter payload but the original Peddlecheap payload as well. As more and more tests were ongoing, we have seen that multiple (typically next-gen) products were able to block the Meterpreter payload loading in a generic way, but not the Peddlecheap one.”
  2. Other traditional endpoint security suites such as ESET and Kaspersky also stopped the backdoor from being installed.
  3. Symantec EPP seems to have failed with a blue screen of death when run within VMware, but caught the attack on a physical endpoint.
  4. Cylance was the only vendor that failed this test.
    • In the words of MRG-Effitas: “The interesting part of the video starts at 5:00. The Doublepulsar backdoor is already installed and this means the system is already compromised and it would appear that Cylance did not realise this.”
    • The video referenced above is Cylance’s video on WannaCry protection.

Another point the MRG-Effitas blog explores is looking beyond the tactics used by WannaCry to other capabilities that may be exploited in the future. WannaCry is a strain of Windows ransomware that took advantage of the EternalBlue exploit together with a file-based payload. However, the EternalBlue exploit could just as easily deliver fileless (in-memory) malware, which completely works around the defenses of solutions that miss the exploit itself or focus on file-based detection. This methodology is discussed in the blog and was also used in the wild by another ransomware family dubbed UIWIX. In other words, customers without holistic protection will leave themselves exposed to another WannaCry-like attack in the future. So look at your security vendors carefully.

Interested in the versions of Windows affected by MS17-010? Check out the Microsoft Security Bulletin. The most popular versions, including Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016 and Windows 10, all have this vulnerability. It is obviously wise to get the patches and updates installed as soon as possible.
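Since the advice is to get the MS17-010 patches installed, here is an added PowerShell audit (not from the SentinelOne post) that reports whether a host still serves SMBv1, the protocol EternalBlue targets, and whether any of the bulletin's hotfixes are present. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the KB identifier is a placeholder you replace with the real numbers from the Microsoft Security Bulletin for your OS version.

```powershell
# Added example (not from the SentinelOne post): a read-only audit of one
# Windows host's exposure to MS17-010 / EternalBlue. Assumes an elevated
# session on Windows 8.1 / Server 2012 R2 or later.
param(
    # KB identifiers from the MS17-010 bulletin for this OS version.
    # 'KB-PLACEHOLDER' is not a real KB number; replace it before use.
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER')
)

$report = [ordered]@{}

# 1. SMBv1 is the protocol EternalBlue exploits. Is the server side enabled?
$smb = Get-SmbServerConfiguration
$report['SMB1ServerEnabled'] = $smb.EnableSMB1Protocol

# 2. Is the SMB1 optional feature still installed? (Feature name as used on
#    Windows 10; on other versions the lookup may return nothing.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
    -ErrorAction SilentlyContinue
$report['SMB1FeatureState'] = if ($feature) { $feature.State } else { 'Unknown' }

# 3. Registry override: an explicit SMB1 = 0 under LanmanServer disables SMBv1.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$regValue = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$report['SMB1RegistryValue'] = if ($null -eq $regValue) { 'not set (SMBv1 enabled by default)' } else { $regValue }

# 4. Which of the bulletin's KBs are installed on this host?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$present   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
$report['MS17010KbsInstalled'] = if ($present) { $present -join ', ' } else { 'none' }

# 5. Verdict: the host is exposed if it is unpatched AND still serves SMBv1.
#    Later cumulative updates also carry the fix, so 'none' above is a prompt
#    to verify against the bulletin, not proof that the host is vulnerable.
$report['EternalBlueExposed'] = ($present.Count -eq 0) -and $smb.EnableSMB1Protocol

[pscustomobject]$report | Format-List
```

Where patching has to wait, turning the SMBv1 server off (Set-SmbServerConfiguration -EnableSMB1Protocol $false) closes the path EternalBlue uses, which this audit then reports as not exposed.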

To learn more about how SentinelOne can help, check out our Endpoint Protection Platform online or our datasheet.

The post Are we done with WannaCry? appeared first on SentinelOne.

Windows XP Gets An Unexpected Security Update

Microsoft has recently issued another surprise patch to help protect the surprisingly large Windows XP user base. In this case, the patch addresses security flaws used by the NSA and other nation-state hackers. This comes on the heels of an out-of-band emergency patch issued in response to the global “WannaCry” ransomware attack.

What makes this remarkable is the fact that Microsoft formally ended support for the XP platform in 2014.

Most people who aren’t intimately connected to the world of data security don’t know much about recent nation-state hacking tools and methodologies, and that’s probably a good thing. State actors have deep pockets and virtually unlimited ability to hire the best talent and stay focused on a single goal for years at a time.

Nation-states were relatively slow to embrace cyberwarfare, but they’ve been playing catch up for years and have now taken the lead. They have developed some of the most devastating tools seen in the wild today.

Just to cite one example, consider Stuxnet. While no one knows exactly where this nasty worm came from, the best information we have is that it was a joint venture developed by the NSA and Israeli security.

It was developed in order to stop Iran’s nuclear program. Unlike other worms, which target more advanced devices like PCs and smartphones, Stuxnet was designed to target the much simpler computers used as control systems for industrial equipment.

In the case of Iran, it was used to target the nation’s centrifuges, which are an integral part of their nuclear program. Once infected, the worm would disrupt their normal function while displaying information to the techs monitoring it that everything was okay, resulting in an inevitable explosion.

The attack was devastatingly effective in the short term, and was responsible for the destruction of nearly 40 percent of Iran’s centrifuges.

It can also be used to attack power stations, railroad switching stations, signal lights and the like, and it could easily be used to wreak havoc on any developed nation.

Of course, in addition to doing all those things, the worm and others like it can be turned on more traditional devices, hence the need for an update even though support for the venerable OS has officially ended.

The patch certainly isn’t perfect or foolproof, but it will undoubtedly help make computers running XP safer and more secure until their owners can upgrade to a more modern, robust operating system.

Used with permission from Article Aggregator

Algorithmia raises $10.5M Series A round led by Google’s new AI fund

Word recently spread that Google had quietly launched a new fund for investing in AI companies. Now this fund has made its first (or at least its first public) investment, leading a $10.5 million Series A into Algorithmia, a marketplace and enterprise solution that allows developers to easily tap into its catalog of 3,500 algorithms, functions and machine-learning models.

Big Fix Coming For Many Microsoft Vulnerabilities

If you don’t have your PCs set up for automatic updates, you’re definitely going to want to grab Microsoft’s latest, scheduled for release on the next “Patch Tuesday.” The June 2017 Patch Tuesday is a bit of a departure, because it also contains updates for Windows XP and Server 2003, neither of which is officially supported by the company anymore.

The reason they’re being included in this particular update is that a hacking collective known as the Shadow Brokers recently released details of a collection of critical “zero-day” exploits, including a number culled from the NSA’s hacking arsenal.

The update seeks to provide a measure of protection for all Windows Operating Systems, including those whose official support has ended. This is a clear sign of just how serious these exploits are, and how seriously the company takes them.

Any one of these exploits could be used by a skilled hacker to take full control of your PC, remotely.

The fix also includes a patch to address SMB vulnerabilities, like the ones exploited in the recent, global “Wannacry” ransomware attack.

The patch also addresses the “LNK RCE” vulnerability, an exploit that takes advantage of how Windows handles LNK desktop shortcuts and could allow code to be executed remotely if the shortcut’s icon is specially crafted.

According to the researchers behind the latest fix, “The attacker could present the user a removable drive or remote share that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.”

Security professionals may recognize this technique, and there’s a good reason for it: this is exactly how the Stuxnet worm, one of the most devastating worms ever devised, operates.

Bottom line: this is a patch you’re not going to want to miss.

Used with permission from Article Aggregator

Are Hackers Testing The Waters For A Power Grid Attack?

Ever since the discovery of the dreaded Stuxnet worm in the wild, security experts have been concerned that a devastating cyberattack could be launched against critical infrastructure, causing signal lights to go haywire, emergency service phone lines to go down, power grids to go offline and more.

In recent months, we’ve seen what could be construed as “test runs” that foreshadow a much larger, targeted attack, and now, there has been another.

This new attack was made using a custom-built application that experts are calling “Industroyer.”

All indications are that this new strain of malware was created by a skilled developer, and possibly a whole team of them. It’s also likely that it was funded by at least one nation-state actor with an eye toward launching a full-scale cyber war that could easily cripple any industrialized nation.

The latest attack was launched against power stations in Ukraine, and succeeded in causing widespread blackouts.

Ukraine has suffered similar attacks over the last two years, presumably launched by Russia.

No one has claimed responsibility for the latest attack. It would be premature to automatically attribute it to Russia, but given that nation’s history with Ukraine, there’s significant circumstantial evidence that points in that direction.

Unfortunately, attacks like this are virtually impossible to prevent. The control boards that keep power grids running worldwide have no protection at all, and once they are hacked, the malware’s owner gains full control over them. They could shut them down or cause them to malfunction in ways that could lead to massive explosions, untold chaos and trillions of dollars in damage, depending on the severity and scale of the attack.

Worst of all, there’s no defense against such an attack, and the fear is that the successful attack against Ukraine may be just the tip of the iceberg.

It would take years and hundreds of billions of dollars to upgrade the world’s power grid to protect against a catastrophic failure, and any such move would no doubt create new security loopholes.

Welcome to the future.

Used with permission from Article Aggregator

Fleet management tracking provider Samsara raises $40M

Rapid changes in the shipping industry have caught the attention of investors, who are starting to pour large sums of money into the industry. And likely for good reason: as a future where trucks run autonomously becomes ever clearer, the sensors and software behind that are going to have to be able to keep up. One company, Samsara, is working on just those kinds of sensors and products to…

Apple Is Having A Big Problem With Fake In-App Purchases

It’s been long-held conventional wisdom that the safest place you can purchase apps is either the Google Play Store if you have an Android device, or the Apple Store if you’ve got a device built around iOS.

That’s still true for the most part, but in recent months, Apple has been running into a problem that Google has a lot of familiarity with.

Not long ago, Apple introduced a new system called “App Store Search Ads” which allows developers to display ads in order to increase the visibility of their products.

If you’ve ever used Google’s search engine, then you’ve probably seen something similar in action, because you’ll note that the first couple of entries displayed on any search results page are ads.

Developers can use simple SEO tricks to get a higher ranking based on the keywords a user enters into the search box.

The problem is that Apple doesn’t have the same level of experience that Google does when it comes to dealing with developers who try to game the system.

Google itself suffered from similar problems with their search engine results prior to their famous (or infamous, depending on your point of view) “Panda” update, which went a long way toward curbing the worst abuses in the system.

Unfortunately, Apple isn’t quite there yet. Their new service just isn’t as robust, and unsavory developers are taking advantage. In fact, a researcher named Johnny Lin analyzed the Apple Store’s trending apps and discovered that most of the trending and most visible apps are fake or useless. They contain options for in-app purchases for largely useless services which are costing users billions.

In one example, Lin discovered that the app “Mobile Protection: Clean & Security VPN” tricks users into signing up for an antivirus protection plan that costs a hefty $99.99 a week. Based on sales data, that app is generating more than $80,000 a month for its developer, and represents just the tip of the proverbial iceberg, because in many cases, the entire first page of search results is occupied by similar apps.

No doubt, Apple will move quickly to address the issue and set controls that minimize a developer’s ability to game the system. But for now, be sure to use some extra diligence before installing any new app from the Apple Store, and read the fine print before signing up for any in-app purchases.

If you already have, here’s how you can cancel any unwanted subscriptions:

• Open your “Settings” app and go to the iTunes App Store.
• View your Apple ID.
• Enter your password, or use “Touch ID” when the app prompts you to do so.
• Tap “Subscriptions” to see your current list of subscriptions, then tap the ones you want to cancel.
• Tap confirm.

Once your current subscription period ends, you’re off the hook.

Used with permission from Article Aggregator

Google launches its AI-powered jobs search engine

Looking for a new job is getting easier. Google today launched a new jobs search feature right on its search result pages that lets you search for jobs across virtually all of the major online job boards, like LinkedIn, Monster, WayUp, DirectEmployers, CareerBuilder, Facebook and others. Google will also include job listings it finds on a company’s homepage. The idea here is to give…

Agentology, the referral network for real estate agents, closes on $4.5 million

Real estate is one of those industries that has been rather slow on the uptake of technology, which makes a lot of sense. Buying and selling a home is one of the biggest, most personal decisions in a person’s life, and the shift to online browsing, transactions, etc. was bound to take longer than in other sectors. Brokers, too, have grown accustomed to their ways and are usually hesitant to…

MongoDB launches Stitch, a new backend as a service, and brings Atlas to Azure and GCP

MongoDB is hosting its annual developer conference in Chicago this week, and no good developer conference would be complete without a few product launches.