In September, Google launched the beta of its dedicated interconnects for Google Cloud enterprise users. These direct connections to the Google Cloud Platform essentially give enterprises a private on-ramp to the Google Cloud, which is especially important if they want to mix and match their own data centers with applications that run in Google’s data centers. Today, the dedicated… Read More
One of the most common tactics used by an attacker once they have infiltrated a network is to start moving laterally. They hop from machine to machine, traversing the network in search of specific assets, or infecting and gaining persistence on multiple hosts. These lateral movement attempts often also involve credential scraping techniques that attempt to steal admin passwords, or pass-the-ticket techniques to hop from machine to machine.
Lateral movement can be attributed to two main causes: a live attacker traversing a network, or malicious code with automatic (worm-like) spreading abilities. The techniques used to perform lateral movement vary, from exploits (for example the EternalBlue SMB exploit) to remote desktop protocols, admin tools like PowerShell and WMI, and executing code on a remote machine.
Given that the vast majority of these techniques do not use files or payloads (they are fileless), most traditional security controls have a hard time identifying the attacker or piece of code moving around a network. The stealthy nature of these attacks makes them highly efficient and lucrative for the attacker, and they can result in mass infections.
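As an added illustration of the detection problem described above (this is example code written for this page, not SentinelOne's engine), the following Python correlates a network logon with a service installation on the same host shortly afterwards, which is the trace a remote-execution admin tool leaves in Windows event logs even though no file-based payload is involved. The log lines, host names, addresses, service names and the 60-second window are constructed for the example; event ID 4624 with logon type 3 (network logon) and event ID 7045 (new service installed) are standard Windows event IDs.

```python
from datetime import datetime, timedelta

# Constructed sample events in key=value form (not real telemetry).
# 4624 with logon_type=3 is a network logon; 7045 is a new service installed.
SAMPLE_LOG = r"""
2017-10-24T10:00:01 host=WS01 event=4624 logon_type=3 user=admin src_ip=10.0.0.5
2017-10-24T10:00:03 host=WS01 event=7045 service=PSEXESVC image=\\WS01\ADMIN$\PSEXESVC.exe
2017-10-24T10:00:06 host=WS02 event=4624 logon_type=2 user=alice src_ip=-
2017-10-24T10:00:07 host=WS02 event=7045 service=BackupSvc image=C:\Backup\svc.exe
2017-10-24T10:30:00 host=WS03 event=4624 logon_type=3 user=admin src_ip=10.0.0.5
2017-10-24T10:31:10 host=WS03 event=7045 service=Updater image=C:\Temp\x.exe
"""

# Assumed correlation window: a service install this soon after a network
# logon on the same host is treated as remote execution from that logon.
WINDOW = timedelta(seconds=60)


def parse_events(text):
    """Turn the key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        timestamp, *fields = line.split()
        event = {"time": datetime.fromisoformat(timestamp)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def detect_remote_service_install(events, window=WINDOW):
    """Flag a 7045 that follows a 4624 type-3 logon on the same host within `window`.

    Returns one alert per flagged service install, carrying the remote source
    address and account from the logon so an analyst can pivot to the origin host.
    """
    network_logons = {}  # host -> network logons seen so far, in time order
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        host = event["host"]
        if event["event"] == "4624" and event.get("logon_type") == "3":
            network_logons.setdefault(host, []).append(event)
        elif event["event"] == "7045":
            for logon in network_logons.get(host, []):
                gap = event["time"] - logon["time"]
                if timedelta(0) <= gap <= window:
                    alerts.append({
                        "host": host,
                        "service": event.get("service"),
                        "image": event.get("image"),
                        "user": logon.get("user"),
                        "src_ip": logon.get("src_ip"),
                        "seconds_after_logon": gap.total_seconds(),
                    })
                    break  # one alert per service install is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_service_install(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample only WS01 is flagged: WS02's service install follows an interactive (type 2) logon, and WS03's comes 70 seconds after the network logon, outside the window. The window and the choice of events are the tuning knobs; a real deployment would also look at the service image path (an install from an administrative share is more suspicious than one from a vendor directory).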
How SentinelOne Stops Lateral Movement
SentinelOne’s Lateral Movement Detection engine uses the platform’s low-level monitoring to gain visibility into all machine operations, including the script languages and protocols mentioned above. By building execution context in real time and applying Behavior AI to identify the anomalies produced by these techniques, it is able to detect and mitigate lateral movement attacks in real time, preventing the spread of malware or the “roaming around” attacker.
The type of detection and visibility offered by the Lateral Movement Detection is far superior to every EDR tool out there and is integrated holistically for automated operation in our 2.0 platform – no configuration needed.
Watch the video below to see the SentinelOne Lateral Movement Engine in action. An infected machine attempts to infect additional machines over the network using ps.exe. We first show how a machine with the SentinelOne agent installed detects and blocks this type of lateral movement attack from an infected machine. We then look at some of the information SentinelOne provides about the attack, such as details of the identified threat and the infected machine, the engine that blocked the attack, and our attack storyline showing the visual forensics of the attack.
Real life – Real time
Last month, the S1 Platform was deployed alongside an existing EDR tool on a prospect’s network, and within minutes of deployment an attacker was identified moving laterally in the network. Read the full incident report to learn more about a real case, from deployment to full mitigation.
The post Announcing Lateral Movement Detection by SentinelOne appeared first on SentinelOne.
If you own a smartphone made by Chinese manufacturer OnePlus, you can thank security researcher Chris Moore for making a discovery that the manufacturer wasn’t going to tell you about.
It turns out that OnePlus phones running OxygenOS record a disturbing amount of user data and send it back to a company server. The data collected on users includes, but is not limited to:
• Any time the user locks or unlocks the phone
• Any time the user launches, uses or closes an app
• Which WiFi networks the device connects to
• The phone’s IMEI
• The phone number tied to the phone
• Mobile network names
All of this makes it very easy for the company to personally identify users.
When Moore was conducting his tests, he noted that the phone sent more than 16MB of data back to the server in a span of just ten hours. If you’re on a data plan with tight limits, that could max out your usage in no time.
The company issued a response to the findings, confirming that it does indeed transmit analytics data to an Amazon server in two distinct streams, one designed to help them fine-tune their software and the second for sales support, but insists that nothing nefarious is going on. They further stress that users can turn off some of the data collection by going into Settings, then Advanced, and deselecting the option to “Join The User Experience Program”, which is active by default.
Unfortunately, this only deactivates the first of the two data streams. It is apparently impossible to deactivate the second.
The company’s official explanation seems a bit thin, but unfortunately, there’s little to be done. While you can limit the amount of data collected on you, at this time, there’s no way to stop it completely. Keep this in mind if you use a OnePlus phone.
The hits just keep coming, with Disqus being the latest company to issue a breach disclosure. If you’ve never heard of it, Disqus is an incredibly popular, plugin-based comment service for blogs.
Although the breach was only just discovered, it occurred five years ago in July 2012, and impacted more than 17.5 million users.
Evidence of the breach was initially discovered by an independent security researcher named Troy Hunt. It was then reported to the company and disclosed 24 hours later by Jason Yan, the CTO of the company, who had this to say:
“No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared.”
Mr. Yan’s advice is excellent, but unfortunately, it highlights a persistent, ongoing problem. Far too many people are still in the habit of using the same password across multiple websites, which means that when one site is breached, it potentially gives the hackers access to all your other accounts that have passwords in common.
It should be noted that since the breach, Disqus has made several upgrades to their security, including implementing even more robust encryption than they’d formerly been using. Again, per Mr. Yan:
“Since 2012, as part of normal security enhancements, we have made significant upgrades to our database and encryption to prevent breaches and increase password security. Specifically, at the end of 2012, we changed our password hashing algorithm from SHA1 to bcrypt.”
The problem is solved for now, but the damage has been done. The best thing you can do at this point is change your password immediately, stop using the same password across multiple websites and be on the alert for phishing emails designed to get you to give up even more information.
In case you missed it, here are some of the biggest stories in cybersecurity from the past week!
U.S. warns public about attacks on energy, industrial firms
The U.S government issued a rare public warning about hacking campaigns targeting energy and industrial firms, the latest evidence that cyber-attacks present an increasing threat to the power industry and other public infrastructure. Read More
Hackers are targeting schools, U.S. Department of Education warns
When Superintendent Steve Bradshaw first received a threatening text message in mid-September, he didn’t know it was coming from a hacker trying to exploit his Montana school district. Read More
Hackers are attacking power companies, stealing critical data: Here’s how they are doing it
Attackers are particularly interested in industrial control systems — and they’re still at it right now. Read More
Cosmetics Brand Tarte Exposed Personal Information About Nearly 2 Million Customers
Tarte Cosmetics, a cruelty-free cosmetics brand carried by major retailers like Sephora and Ulta, exposed the personal information of nearly two million customers in two unsecured online databases. Read More
Cybersecurity pros targeted in latest attack by Group 74
The threat actor known as Group 74 has initiated a new campaign that uses a malicious Visual Basic for Applications (VBA) macro embedded in a document advertising the Cyber Conflict U.S. Conference (CYCON) to target people interested in cybersecurity issues. Read More
Bad Rabbit ransomware: A new variant of Petya is spreading, warn researchers
Updated: Organisations in Russia, Ukraine and other countries have fallen victim to what is thought to be a new variant of ransomware. Read More
Bad Ethereum heist: New phishing scam sees hackers rake in over $15,000 in just two hours
A new Ethereum phishing campaign, targeting users of the online Ethereum wallet website Myethereumwallet.com, has been uncovered. The scam saw hackers make away with over $15,000 (£11,308) in just two hours. Read More
Hackers Prepping IOTroop Botnet with Exploits
Hackers moved one step closer to launching full-scale DDoS attacks using millions of IoT devices herded into the botnet known as Reaper or IOTroop. Read More
McAfee says it no longer will permit government source code reviews
U.S.-based cyber firm McAfee said it will no longer permit foreign governments to scrutinize the source code of its products, halting a practice some security experts have warned could be leveraged by nation-states to carry out cyber-attacks. Read More
Equifax Was Warned
Last year, a security researcher alerted Equifax that anyone could have stolen the personal data of all Americans. The company failed to heed the warning. Read More
Security researchers call for calm after DHS warns of energy grid hacking
A government security alert about foreign hackers probing the networks of U.S. energy companies frightened casual observers, but security experts say the report provided little more than an update on relatively well-known activity and behavior. Read More
Kaspersky: NSA staffer’s laptop was infected with malware
The Russian cybersecurity company releases details from its internal investigation into an NSA hack, which it’s accused of being behind. Read More
APNewsBreak: Georgia election server wiped after suit filed
A computer server crucial to a lawsuit against Georgia election officials was quietly wiped clean by its custodians just after the suit was filed, The Associated Press has learned. Read More
UK government: North Korea was behind the WannaCry cyber-attack that crippled health service
“North Korea was the state we believe was involved in this worldwide attack on our systems,” U.K. Security Minister Ben Wallace said Friday. Read More
Anonymous Attacks Spanish Government Sites
Hacktivist group Anonymous has been firing up its DDoS cannon again, this time aiming it at Spanish government websites, in support of Catalan independence. Read More
Security flaw in LG IoT software left home appliances vulnerable
LG has updated its software security after researchers found a flaw that left dishwashers, washing machines, air conditioners, and even a robot vacuum cleaner accessible to hackers. Read More
The Windows phone is officially dead, with the announcement from Joe Belfiore that there would be no new feature updates and no further development.
The writing has been on the wall for a while now, with Microsoft gutting its phone division and laying off thousands of employees. But until Belfiore’s announcement, the company hadn’t made it official.
Microsoft was very slow to recognize how big a footprint smartphones would ultimately have in the market, and as such, paid little attention to them when they were first introduced.
Their first serious effort to try and gain a foothold in the market was with the introduction of Windows CE, a “lite” version of Windows that was plagued with problems almost from the start.
The company tried again with Windows 8, which was redesigned with apps specifically in mind.
Unfortunately, it represented too much of a change and was introduced too quickly. The new OS was not well-received.
Windows 10 essentially represented a “do-over”, and to the company’s credit, it was much more well-received than its predecessor. However, by the time the company hit upon something that may have worked, the market was already too mature, and the big players were already too well-entrenched for the company to have a realistic shot at gaining significant ground.
They struggled to get a sufficient number of developers interested in writing apps for their phone, and even if they had, their app store was plagued with problems. Thus, the company’s decision to pull the plug was not terribly surprising.
Mr. Belfiore stressed that the company would continue to support the platform, providing bug fixes and security patches to all those who wish to continue using them, but as the already small user base continues to shrink, it will eventually reach a point where it’s simply no longer financially viable to do even that.
It’s been almost exactly four months since the last Petya ransomware outbreak. On October 24th, a new variant of Petya called Bad Rabbit was discovered attacking consumers and organizations, mostly in Russia. Below is a copy of the ransom note, which is similar to Petya’s ransom note:
SentinelOne customers are protected from this threat. Below is a video showing the detection:
The malware is distributed by drive-by downloads. Its icon makes it appear to be an Adobe Flash installer.
Once it’s running, it looks for and encrypts files with the following file extensions:
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip
Additionally, Bad Rabbit tries to spread itself. It uses Mimikatz to dump credentials and uses them along with a hard-coded list of usernames and passwords. Then it tries to spread using the following protocols:
- SMB2 / SMB
The hard coded usernames are:
Admin, Administrator, alex, asus, backup, boss, buh, ftp, ftpadmin, ftpuser, Guest, manager, nas, nasadmin, nasuser, netguest, operator, other user, rdp, rdpadmin, rdpuser, root, superuser, support, Test, User, User1, user-1, work
The hard coded passwords are:
111111, 123, 123321, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 321, 55555, 777, 77777, Admin, Admin123, admin123Test123, Administrator, administrator, Administrator123, administrator123, adminTest, god, Guest, guest, Guest123, guest123, love, password, qwe, qwe123, qwe321, qwer, qwert, qwerty, qwerty123, root, secret, sex, test, test123, uiop, User, user, User132, user123, zxc, zxc123, zxc321, zxcv
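As an added example (written for this page, not SentinelOne's code), the following Python turns the two hard-coded lists above into defensive controls: a password-policy check that rejects any password the worm carries, and a detector that flags a single source failing network logons with those usernames against several hosts within a short window, which is what the SMB spreading looks like from the target side. The authentication events, host names, addresses and the thresholds (120-second window, at least 5 failures across at least 3 hosts) are constructed assumptions for the example; the credential lists are copied verbatim from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The usernames and passwords hard-coded in Bad Rabbit, copied from the lists above.
BAD_RABBIT_USERNAMES = set("""Admin Administrator alex asus backup boss buh ftp ftpadmin
ftpuser Guest manager nas nasadmin nasuser netguest operator rdp rdpadmin rdpuser root
superuser support Test User User1 user-1 work""".split()) | {"other user"}

BAD_RABBIT_PASSWORDS = set("""111111 123 123321 1234 12345 123456 1234567 12345678
123456789 1234567890 321 55555 777 77777 Admin Admin123 admin123Test123 Administrator
administrator Administrator123 administrator123 adminTest god Guest guest Guest123
guest123 love password qwe qwe123 qwe321 qwer qwert qwerty qwerty123 root secret sex
test test123 uiop User user User132 user123 zxc zxc123 zxc321 zxcv""".split())

_LOWERED_PASSWORDS = {p.lower() for p in BAD_RABBIT_PASSWORDS}


def is_blocklisted_password(candidate):
    """Password-policy check: reject anything in the worm's list, ignoring case so
    that trivial capitalisation variants of the same password do not slip through."""
    return candidate.lower() in _LOWERED_PASSWORDS


# Constructed SMB authentication events: (time, src_ip, dst_host, username, success).
SAMPLE_AUTH = [
    ("2017-10-24T12:00:00", "10.0.0.7", "FS01", "Administrator", False),
    ("2017-10-24T12:00:01", "10.0.0.7", "FS01", "Guest", False),
    ("2017-10-24T12:00:02", "10.0.0.7", "FS02", "Administrator", False),
    ("2017-10-24T12:00:03", "10.0.0.7", "FS02", "User", False),
    ("2017-10-24T12:00:04", "10.0.0.7", "WS05", "Administrator", False),
    ("2017-10-24T12:00:05", "10.0.0.7", "WS05", "backup", False),
    ("2017-10-24T12:00:06", "10.0.0.7", "WS05", "backup", True),   # a hit: the worm got in
    ("2017-10-24T12:05:00", "10.0.0.9", "FS01", "Administrator", False),  # an admin mistyping
    ("2017-10-24T12:05:30", "10.0.0.9", "FS01", "Administrator", False),
]


def detect_credential_spray(events, window=timedelta(seconds=120),
                            min_failures=5, min_targets=3):
    """Flag a source that, within `window`, fails at least `min_failures` logons
    using the worm's usernames against at least `min_targets` distinct hosts.
    Successful logons are deliberately not counted here; they are the follow-up
    question (which host did it get into?) once a source is flagged."""
    failures_by_src = defaultdict(list)
    for ts, src, dst, user, success in events:
        if not success and user in BAD_RABBIT_USERNAMES:
            failures_by_src[src].append((datetime.fromisoformat(ts), dst, user))

    alerts = []
    for src, attempts in failures_by_src.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            targets = {dst for _, dst, _ in in_window}
            if len(in_window) >= min_failures and len(targets) >= min_targets:
                alerts.append({
                    "src_ip": src,
                    "attempts": len(in_window),
                    "targets": sorted(targets),
                    "usernames": sorted({user for _, _, user in in_window}),
                })
                break  # one alert per source; the first window that trips is enough
    return alerts


if __name__ == "__main__":
    print(is_blocklisted_password("Qwerty123"))
    for alert in detect_credential_spray(SAMPLE_AUTH):
        print(alert)
```

On the constructed events, 10.0.0.7 is flagged (six failures across three hosts in six seconds) while the two mistyped logons from 10.0.0.9 are not. The thresholds should be tuned to the environment: a backup server that legitimately authenticates to many hosts needs an allow-list entry rather than a higher global threshold.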
Lateral Movement Detection
The video below shows us detecting the malware as it attempts to spread from an unprotected, infected host (right, red background) to a protected machine (left, black background).
SentinelOne also constructs an attack storyline for the lateral movement for incident response reports and forensics:
- Primary SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- Payload SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
You’ve probably heard about Equifax’s recent troubles. More than 145 million consumer data files were exposed, including names, addresses, social security numbers and more.
The problem was viewed as so serious that Equifax’s CEO stepped down and congressional hearings were launched, but then, a funny thing happened. Equifax got awarded a no-bid government contract worth millions ($7.25 million, to be exact) to help the IRS verify taxpayer identities in order to prevent fraud.
One might wonder how this happened, especially since the company recently got raked over the coals for profiting from the very hack they tried to prevent. During the congressional hearing on the matter, Senator Elizabeth Warren pointed out that Equifax stood to make millions by selling credit monitoring services to the very customers whose data they were supposed to be protecting, so it’s a fair question.
The answer lies in the fact that the IRS regards this service as being critical, and one that cannot stand interruption of any kind. Based on their research, they have concluded that Equifax is the only company capable of providing it.
That conclusion seems strange, given that there are, in fact, two other similar credit reporting agencies, but in any case, the contract was awarded to Equifax in spite of their recent troubles.
The move is understandably raising eyebrows in various sectors, with government watchdog groups and privacy advocates both crying foul.
Unfortunately, in the short term, there’s little to be done. This is a case where the wheels of government just don’t turn quickly enough to keep pace with current events. Until another company can be approved to get the job done, Equifax is the only game in town, as far as the government is concerned. Needless to say, this is not exactly what one would call confidence-inspiring.
It’s been one year since Workplace, Facebook’s social network designed specifically for businesses and other organizations, came out of beta to take on the likes of Slack, Atlassian, Microsoft and others in the world of enterprise collaboration. Now, with 30,000 organizations using Workplace across some 1 million groups (more than double the figures Facebook published in April)… Read More
We have been getting numerous inquiries about our macOS High-Sierra (10.13) support, so this post is to reassure customers that we supported High-Sierra with our 2.0 build from day 1.
Our R&D team has been working with multiple beta builds of High Sierra over the last few months. In fact, High Sierra had the largest number of beta builds of any release before it was made generally available. And High Sierra introduced a lot of changes, including the way drivers are authorized and loaded.
In our 2.0 agent, we now support dyld3-loaded binaries when collecting the information used for detecting threats. The agent has some of the best anti-exploit technology built in, including detection of ROP and stack pivot attacks. We have also made significant performance enhancements by selectively monitoring and injecting into high-risk processes. To use the 2.0 agent, you must upgrade to the 2.0 management console. All settings are backward compatible, so you will be able to run older agents against the 2.0 console.
In our next release, we will be adding the Deep Visibility functionality to the mainstream agent. This functionality is now available in beta and gives you unprecedented information about all process, file, DNS and network activity on the system. It will ship as version 2.5 before Christmas.
2415 E Camelback Rd
Suite 700, PMB 7019
Phoenix, AZ 85016