Friday, April 26, 2024

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Apr 26, 2024 | Newsroom | Supply Chain Attack / Software Security

Several security vulnerabilities disclosed in Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances.

The 18 flaws impact all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them.

The issues range from incorrect firewall rules, insecure root access, and Docker misconfigurations to lack of authentication and encryption, thus allowing an attacker to intercept credentials, overwrite arbitrary files, and completely breach the device.

Some of the most severe flaws are listed below -

  • CVE-2024-2859 (CVSS score: 8.8) - A vulnerability that could allow an unauthenticated, remote attacker to log in to an affected device using the root account and execute arbitrary commands.
  • CVE-2024-29960 (CVSS score: 7.5) - The use of hard-coded SSH keys in the OVA image, which could be exploited by an attacker to decrypt the SSH traffic to the SANnav appliance and compromise it.
  • CVE-2024-29961 (CVSS score: 8.2) - A vulnerability that could allow an unauthenticated, remote attacker to stage a supply chain attack by taking advantage of the fact that the SANnav service sends ping commands in the background at periodic intervals to the domains gridgain[.]com and ignite.apache[.]org to check for updates.
  • CVE-2024-29963 (CVSS score: 8.6) - The use of hard-coded Docker keys in the SANnav OVA to reach remote registries over TLS, thereby allowing an attacker to carry out an adversary-in-the-middle (AitM) attack on the traffic.
  • CVE-2024-29966 (CVSS score: 7.5) - The presence of hard-coded credentials for root users in publicly available documentation, which could permit an unauthenticated attacker full access to the Brocade SANnav appliance.

Following responsible disclosure twice in August 2022 and May 2023, the flaws have been addressed in SANnav version 2.3.1 released in December 2023. Brocade's parent company Broadcom, which also owns Symantec and VMware, released advisories for the flaws earlier this month.

Hewlett Packard Enterprise has also shipped patches for a subset of these vulnerabilities in HPE SANnav Management Portal versions 2.3.0a and 2.3.1 as of April 18, 2024.




from The Hacker News https://ift.tt/xiOkXlB
via IFTTT

Take off with XOSTOR


We're excited to announce that the eagerly awaited release of XOSTOR 1.0 is almost here! Transitioning from its beta phase, XOSTOR will officially launch on April 30th, coinciding with the release of Xen Orchestra 5.94. This milestone marks its readiness for production environments, offering users a seamless upgrade and enhanced functionality.

📹 Join us live on our YouTube channel this Tuesday, the 30th at 3 PM CEST, for our special release session! Tune in to witness the launch and get firsthand insights directly from our team.

🤝 A Powerful Alliance Creating a Powerful Tool

XOSTOR is the new hyperconvergence addition to Vates VMS, positioning itself as a compelling alternative to vSAN. This release is the culmination of four years of dedicated collaboration with our partner, LINBIT, the developers behind the DRBD software that forms the foundation of XOSTOR. With XOSTOR, users can efficiently consolidate their servers' local storage, creating a robust Virtual SAN that enhances data accessibility and resource management.


✉️ Setting up your XOSTOR

We continue our commitment to delivering top-tier experiences with your Virtual Management System, highlighted by the introduction of our new tool, XOSTOR 1.0. If you are considering deploying XOSTOR 1.0 in your production environment, please contact us. We will assign a dedicated team member to facilitate a seamless integration of XOSTOR and ensure a smooth rollout and an excellent POC.

💡 XOSTOR is currently designed for compatibility with infrastructures ranging from 3 to 7 hosts in a pool.

🏗️ Creating a Trial

If you're eager to discover the full range of features and capabilities that XOSTOR offers, you can initiate a demo directly within XOA. This demo provides you with a month of access to all the functionalities of XOSTOR, allowing you to experience the power of hyperconvergence with your infrastructure.

1. Updating Hosts and XCP-ng Patches:

Before starting a trial, you must update all of your hosts and apply all XCP-ng patches; only then deploy XOSTOR.

If you have not deployed XOSTOR before, you can simply update your hosts and apply XCP-ng patches as you normally would.

💡 If you had deployed XOSTOR in the past (during the Beta phase), you need to update your hosts, but you won't be able to use the Rolling Pool Update features.

The proper methods for updating your hosts and applying XCP-ng patches can be found in our XCP-ng Update Documentation.

2. Update XOA:

The next step is updating your XOA. To access XOSTOR you will need to update to the "latest" branch of the 5.94 XO release. Both the "latest" branch and the "stable" branch are production-ready environments. The "latest" branch provides updates as soon as they become available, and the "stable" branch provides those same updates a month after release.

Once you have updated your XOA, reboot the updated hosts.

3. Install XOSTOR:

After rebooting and logging into your XOA, you are ready to begin your trial of XOSTOR. To do this, select XOSTOR from the menu on the left side of your screen.

Once inside the XOSTOR menu, select your pool and click "New". This will launch your first XOSTOR hyperconvergence system and begin your one-month trial.


from Xen Orchestra https://ift.tt/7ceY8sE
via IFTTT

Falcon Fund in Focus: Nagomi Helps Customers Maximize Their Cybersecurity Investments

Preventable breaches are a common problem. According to research by Nagomi, a leader in the nascent field of automated security control assessment, 80% of breached organizations already had a tool in place that could have prevented it.

One solution is to maximize the use of the security tools they already have. Many enterprises grapple with ineffective and reactive security operations, worsened by using multiple disparate security products. Tools are purchased but not fully deployed, ROI is never realized, and teams are stuck in a constant state of reacting to alerts rather than making progress.

“I don’t need more tools … I need to find a way to deploy the tools I already have more effectively,” one CISO told Nagomi. “This is why I don’t sleep at night … I have no way of knowing my security stack’s effectiveness.”

Facing increasingly fast and stealthy threat actors, CISOs need to know their security investments are effective against evolving threats. This is where Nagomi adds tremendous value. And with support from the CrowdStrike Falcon Fund, they are changing the way security teams balance risk and defense.

Falcon Fund Invests in Nagomi

Falcon Fund has invested in Nagomi to help organizations boost the effectiveness of their existing security tools. Falcon Fund, an investment fund managed by CrowdStrike in partnership with Accel, is focused on global, cross-stage investments in companies that provide differentiated capabilities to joint customers.

Nagomi, formerly known as Vena Security and founded in January 2023, offers a proactive defense platform that enables customers to better use their security stacks to defend against current and emerging threats in the wild. Nagomi transforms fragmented best-of-breed solutions into best-of-suite security for customers by providing end-to-end visibility of defense capabilities mapped against MITRE ATT&CK®. With this information, security teams can prioritize the most urgent risks based on their unique threat profile and get prescriptive remediation plans to reduce threat exposure.

Nagomi is quickly innovating to deliver a threat-centered, data-driven and actionable approach to cybersecurity — one that enables customers to provide high-level security maturity metrics to executives while showing security practitioners exactly how to reduce risk, fix misconfigurations and make strategic decisions with business context.

Nagomi’s early success proves the value of its proactive approach to security. Within six months of launching, Nagomi was successfully deployed by Fortune 500 customers and has seen significant adoption in some of the world’s most complex security environments.

How the Integration Works

Nagomi helps CrowdStrike customers get the most from their CrowdStrike Falcon® deployment by monitoring for configuration gaps and testing for attacks across their IT infrastructure as well as other security tools. Nagomi’s proactive defense platform uses CrowdStrike’s modern cloud architecture to ingest detections, host details and policy settings to map the deployment of CrowdStrike Falcon sensors. Nagomi then tests adversary tactics, techniques and procedures (TTPs) against the mapped deployment to recommend configuration policy changes.

The integration provides CrowdStrike customers with:

  • Proactive risk management: Continuously analyze threats and corresponding defenses to identify gaps and remediation opportunities to prevent exploitation.
  • Actionable defense plans: Pinpoint risk and modify configuration settings based on vulnerability to adversary TTPs.
  • Clear communication: Share the current state of risk with peers and leadership using evidence-based data that considers business limitations and constraints.

Visit the CrowdStrike Marketplace to request the Nagomi integration and learn more.




from Cybersecurity Blog | CrowdStrike https://ift.tt/nFK0AWd
via IFTTT

Citrix Connect Kicks Off in New York City!

Citrix Connect, an invite-only, one-day Technical Summit featuring exclusive content presented by Citrix thought leaders, kicked off in New York City on April 16.

‘Connecting’ is what it’s all about

We want to connect with you, our valued customers, and:

  • Share our vision and strategy for how Citrix provides innovative solutions that align with your business goals.
  • Preview our product roadmap and share exciting developments and enhancements planned for our solutions.
  • Offer deep dive technical discussions from our experts that will empower you to stay ahead and leverage the latest advancements in technology.
  • Foster an environment in which to engage in meaningful conversations with your peers!

The first of 10 events happening throughout 2024 around the globe, Citrix Connect NYC was an exciting gathering of 100+ customers and partners from the Northeastern US, delving into the latest Citrix vision and strategy. I was joined by Calvin Hsu, VP of Product Marketing for Citrix, as well as several of our top thought leaders and experts. The agenda was packed full of exclusive content, and the response from customers has been energizing to say the least.

“I would recommend people to come to Citrix Connect, not only just to get the ideas what other peers are doing in the industry, but also to understand what the roadmap is of Citrix, what they are trying to solve for not only for one industry, [but] for other industries, because you can utilize those ideas to incorporate in your [organization].” – Director of IT Infrastructure

What we covered

Our day started with breakfast together, where it was great to chat with customers who have been with us for years, meet newcomers to our space, and get a feel for how technology is influencing everyone’s business. In the opening keynote, I delved into Citrix’s vision and strategy, centered around the new Citrix platform. From there, we moved into sessions covering major announcements and developments, including:

  • What’s new in Citrix DaaS and CVAD
  • How to overcome challenges when moving from VPN to Zero Trust Network Access
  • Leveraging Citrix Enterprise Browser for SaaS and Web applications & security
  • NetScaler: Enterprise ADC for your mission-critical applications
  • Demo: EHR and Beyond – Delivery of Your Digital Healthcare Ecosystem
  • Lunchtime Tech Talks
  • Technical Session – Citrix Observability Platform
  • Modern Citrix Management with WEM
  • Migrating to the latest CVAD 2402 LTSR

Throughout the day, customers were given the opportunity to ask questions and go deeper into topics of interest. We ended the day with a networking reception, a great opportunity to spend 1:1 time with our peers. This in-person experience is one we’re excited to continue. The agenda and details will be tailored to each city, but the goal remains the same: keep our valued customers in-the-know, and come together to make authentic, in-person connections as we’ve missed doing over the last few years. We know it can be difficult to find time and budget to travel, which is why we are bringing our leaders to a city near you.

Join us!

Citrix Connect will be hosted in 9 more cities around the globe throughout the year. Make sure you keep an eye out for more confirmed dates, and request to attend in a city near you. https://events.citrix.com/connect



from Citrix Blogs https://ift.tt/wKmCkMf
via IFTTT

The Good, the Bad and the Ugly in Cybersecurity – Week 17

The Good | U.S. Govt Sends Spyware Abusers, Cybercriminals, and Crypto Launderers to Court

The U.S. government this week took three decisive actions against cybercriminals: a visa ban on thirteen spyware makers and sellers, sanctions against four Iranian nationals for their roles in recent cyberattacks, and official charges against two cryptomixer operators.

Following the February announcement to set visa restrictions on commercial spyware developers and vendors, the Department of State has cracked down on the first thirteen individuals and their families. Excluding visa applications in this case effectively bans those who are linked to such operations from entering the U.S. The abuse of spyware has been a rising issue in recent years as adversaries use it to target persons of interest such as journalists, human rights advocates, academics, and government employees.

Two front companies and four individuals were sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for their association with cyber activities supporting the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) over the span of five years. Collectively, the identified threat actors have targeted over a dozen U.S. organizations, including the U.S. government and defense contractors, through spear phishing and malware attacks, compromising over 200,000 employee accounts.

Responsible for processing more than $2 billion in ill-gotten funds for various criminal enterprises over nine years, two individuals have been charged by the Department of Justice with money laundering and operating an unlicensed money-transmitting business. Their services ‘Samourai’ and ‘Ricochet’ allowed criminals to sidestep law enforcement and hinder crypto exchanges from tracing the illegal source of the funds. Such services often provide a haven for criminals who require large-scale laundering and evasion of sanctions.

The Bad | Nation-State Actors Breach MITRE Research Center via Ivanti Zero-Days

MITRE Corporation disclosed a breach of their systems this week after threat actors chained two Ivanti zero-day vulnerabilities together in the attack. The breach was discovered in January when suspicious activity was found on MITRE’s unclassified prototyping network, Network Experimentation Research and Virtualization Environment (NERVE). MITRE’s research and development centers employ the nation’s leading scientists and engineers, building digital solutions for military, security, and intelligence organizations across the U.S.

After containing the incident, MITRE stated that affected parties were properly informed and relevant authorities engaged, with current efforts focused on restoring operations. Ongoing investigations show that the core network and partner systems were unaffected by the intrusion.

The threat actors compromised the non-profit’s VPNs by exploiting two Ivanti Connect Secure zero-days: an authentication bypass flaw tracked as CVE-2023-46805 (CVSS 8.2) and CVE-2024-21887 (CVSS 9.1), a command injection flaw. Together, they allowed the attacker to use session hijacking to bypass multi-factor authentication (MFA) measures and move laterally through the network’s VMware infrastructure with an administrative account. Forensics also show the actors employing a combination of webshells and backdoors to establish persistence and harvest credentials.

The breach is suspected to be the work of state-sponsored threat actors and serves as a striking reminder that even cutting-edge and highly funded organizations are not immune from cyber threats. Targets on the level of NERVE, which in this case houses invaluable information on experimental methodologies and technologies, continue to be extremely lucrative for nation-state adversaries looking to steal or sabotage sensitive resources.

MITRE has released tactics, techniques, and procedures (TTPs) related to the breach in an effort to spread lessons learned within the infosec community. CISA has also shared technical details and IoCs in a recent advisory.

Source: MITRE Corporation

The Ugly | GRU-Based APT Exploits Old Windows Flaw with New GooseEgg Tool to Target Government Entities

Despite being patched back in October 2022, a Windows Print Spooler vulnerability tracked as CVE-2022-38028 (CVSS 7.8) has made its way back into headlines this week. This time weaponized by GRU-linked threat group APT28 (aka Forest Blizzard or Strontium), the flaw delivers a previously unknown custom malware dubbed ‘GooseEgg’ to perform a slew of post-compromise activities.

GooseEgg has been leveraged possibly as early as April 2019 and has now been observed in attacks targeting North American, Western European, and Ukrainian governments, non-profit organizations, educational institutions, and transportation entities.

Typically, GooseEgg is deployed with a batch script named either execute.bat or doit.bat, which triggers the executable and sets up persistence in the form of a scheduled task designed to run servtask.bat. The malware tool works by enabling the deployment of a malicious DLL (usually containing wayzgoose) capable of spawning other applications with SYSTEM-level permissions, which allows attackers to perform remote code execution (RCE), backdoor installation, and lateral movement.

Source: Microsoft
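As an added illustration (not code from SentinelOne or Microsoft), the detector below flags the deployment pattern described above, a launcher named execute.bat or doit.bat and a scheduled task whose action is servtask.bat, across a few constructed process-creation and task-creation events. The event format is a simplified, hypothetical one, not a real Windows or EDR schema.

```python
"""Flag the GooseEgg deployment pattern quoted in the write-up above in
endpoint telemetry. Indicators are the file names the write-up gives;
the event format and log lines are constructed for this example."""
import re
from dataclasses import dataclass

# File names quoted in the write-up above.
LAUNCHER_NAMES = {"execute.bat", "doit.bat"}
PERSISTENCE_TASK_ACTION = "servtask.bat"


@dataclass
class Finding:
    line_no: int
    host: str
    reason: str


def basename(token: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return re.split(r"[\\/]", token.strip().strip('"'))[-1].lower()


def parse_event(line: str) -> dict:
    """Constructed format: 'key=value' fields separated by ' | '."""
    fields = {}
    for part in line.split(" | "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def analyze(lines) -> list:
    """Return one Finding per event matching the launcher or persistence indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        host = ev.get("host", "?")
        if ev.get("event") == "task_created":
            # Persistence: a scheduled task whose action runs servtask.bat.
            if basename(ev.get("action", "")) == PERSISTENCE_TASK_ACTION:
                findings.append(Finding(n, host, "scheduled task action is servtask.bat"))
        elif ev.get("event") == "process_created":
            # Launcher: any command-line token whose file name is execute.bat or doit.bat.
            tokens = re.findall(r'"[^"]+"|\S+', ev.get("cmdline", ""))
            if {basename(t) for t in tokens} & LAUNCHER_NAMES:
                findings.append(Finding(n, host, "GooseEgg launcher batch name on command line"))
    return findings


# Constructed sample telemetry; hosts, paths and timestamps are invented.
SAMPLE_LOG = [
    'ts=2024-04-22T03:14:07Z | host=WS-17 | event=process_created | cmdline=cmd.exe /c "C:\\Users\\Public\\doit.bat"',
    'ts=2024-04-22T03:14:09Z | host=WS-17 | event=task_created | name=Updater | action=C:\\ProgramData\\servtask.bat',
    'ts=2024-04-22T03:20:00Z | host=WS-04 | event=task_created | name=Backup | action=C:\\Tools\\nightly.bat',
    'ts=2024-04-22T03:21:11Z | host=WS-04 | event=process_created | cmdline=notepad.exe C:\\notes\\execute.txt',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no} host {f.host}: {f.reason}")
```

Matching on file names alone is a low-fidelity signal; in practice it would be combined with the parent process and the SYSTEM-level child processes the write-up mentions.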

APT28 is known to use publicly available exploits alongside this Windows Print Spooler flaw, including CVE-2023-23397 and the PrintNightmare vulnerabilities tracked as CVE-2021-34527 and CVE-2021-1675. Researchers note that APT28 deploys GooseEgg to check exploit success, identify the version in use, and escalate privileges – all in support of their main objective of stealing credentials and maintaining access on the compromised target.

Advanced and well-resourced threat groups like APT28 continually refine their approach, testing new and custom malware and techniques to avoid attribution. CISA has since added CVE-2022-38028 to its KEV catalog and urged federal agencies to identify any systems vulnerable to the flaw and apply the available patch.



from SentinelOne https://ift.tt/itP4ULV
via IFTTT

Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Apr 26, 2024 | Newsroom | Network Security / Zero Day

Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.

The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.

There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.

The activity, codenamed Operation MidnightEclipse, entails the use of the flaw to drop a Python-based backdoor called UPSTYLE that's capable of executing commands transmitted via specially crafted requests.

The intrusions have not been linked to a known threat actor or group, but they are suspected to be the work of a state-backed hacking crew given the tradecraft and the victimology observed.

The latest remediation advice offered by Palo Alto Networks is based on the extent of compromise -

  • Level 0 (Probe): Unsuccessful exploitation attempt - Update to the latest provided hotfix
  • Level 1 (Test): Evidence of the vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands - Update to the latest provided hotfix
  • Level 2 (Potential Exfiltration): Signs that files like "running_config.xml" were copied to a location accessible via web requests - Update to the latest provided hotfix and perform a Private Data Reset
  • Level 3 (Interactive Access): Evidence of interactive command execution, such as the introduction of backdoors and other malicious code - Update to the latest provided hotfix and perform a Factory Reset

"Performing a private data reset eliminates risks of potential misuse of device data," Palo Alto Networks said. "A factory reset is recommended due to evidence of more invasive threat actor activity."




from The Hacker News https://ift.tt/wTyr7JO
via IFTTT

Thursday, April 25, 2024

Kaspersky Thin Client 2.0 update | Kaspersky official blog

Many companies have long since moved from the traditional workstation model to the virtual desktop infrastructure (VDI). VDI provides a number of advantages — one being better cybersecurity (not least because work data doesn’t leave corporate servers; it always lives in a virtual machine). However, despite a popular misconception, VDI alone doesn’t mean guaranteed security. It always matters how secure the endpoint device is that connects to the virtual workplace.

By and large, there are two options for using VDI. The first is to employ traditional workstations; the second is to use thin clients. Common advantages of a thin client include the following:

  • no moving parts: they don’t have active cooling systems or mechanical hard drives, which significantly increases the service life of the thin client (up to 7-10 years);
  • low energy consumption, which leads to direct savings;
  • lower price and cost of ownership (even in comparison with desktops and laptops for office work);
  • ease of maintenance and operation.

However, from our point of view, this isn’t the main advantage of using a thin client. Any workstation, be it a desktop PC or a laptop, must be provided with additional layers of protection. A thin client, by contrast, can be made secure as-is if its operating system is based on the secure-by-design principle. It’s precisely such an operating system — Kaspersky Thin Client 2.0 — that we propose to use in thin clients connected to virtual desktop infrastructure.

What is Kaspersky Thin Client, and what’s new in version 2.0?

Essentially, Kaspersky Thin Client 2.0 is an updated operating system for thin clients, created in accordance with our Cyber Immune approach; as such, it doesn’t require additional security measures. Kaspersky Thin Client is based on our KasperskyOS system, which minimizes the risk of its compromise even in the event of complex targeted attacks.

The updated Kaspersky Thin Client version 2.0 can connect to remote environments deployed on the Citrix Workspace platform and VMware Horizon infrastructure using HTML5 technology. Kaspersky Thin Client 2.0 also supports connection to individual business applications deployed on the Microsoft Remote Desktop Services infrastructure, Windows Server, and terminal servers running Windows 10/11.

Another key change in KTC 2.0 is the increase in performance. We managed to increase both the speed of application delivery and the speed of system updates (thanks to the compact size of the OS image). Deployment of thin clients under KTC 2.0 through automatic connection now takes about two minutes.

You can learn more about the updated operating system for thin clients on the Kaspersky Thin Client page.



from Kaspersky official blog https://ift.tt/w6YT1ZU
via IFTTT

A new report explores the economic impact of generative AI

A new report from inaugural Technology & Society Visiting Fellow Andrew McAfee looks at the potential economic impacts of generative AI.

from AI https://ift.tt/JSFRKQn
via IFTTT

Is a single cloud enough to secure your backups? 5 cool cross-cloud solutions you should consider

Nowadays, you can hardly find a company with no backup or DR strategy in place. Data is becoming an organization’s most valuable asset, so making sure it remains safe and available is becoming a key priority. But does it really matter where your backups are stored? Well, Veeam actually answered that question by bringing in the “3-2-1” backup rule, meaning you should have at least 3 copies of your data, 2 of which are local but on different media, and at least 1 copy offsite. Sounds reasonable.

What about the devices used to store your backup data? Legend says tapes were first: huge capacity and the ability to keep data for a long time, but unfortunately slow. Then disks: great capacity, durability, and faster than tapes, but more expensive.

In my previous article, I’ve highlighted the cost of public cloud storage for your backups. So, the cloud can perfectly well become that “offsite” option for keeping your data safe. Moreover, you don’t have to worry about its maintenance, since large cloud providers such as Amazon, Google, and Microsoft take good care of their infrastructure. Or do you?

Apparently, none of the cloud storage providers grants you 100% accessibility and security. Sure, they are getting closer to this number, but an unexpected power outage or something similar may knock out their services one day. This happened last year to Amazon S3, when the service suffered from erroneous activity. This year, S3 went down due to a power outage. Fortunately, Amazon did not lose their customers’ data, but their service was still down. So, the key words in the 3-2-1 backup rule are “at least” one copy offsite. Thus, today we’ll have a closer look at solutions that support multiple public clouds under one umbrella, allowing you to keep several backup copies in different clouds.

What we are actually looking at

If you look carefully at the backup process, it will, within a reasonable error margin, look as it appears in the figure below:

[Figure: the backup process]

Some solutions create backups and move them to the repository. There, data is kept for a while and is then shifted to the cloud, where it stays as long as you need.

In this article, I’d rather discuss the dedicated software serving as a “data router”. In other words, the software involved in this process:

[Figure: software serving as a “data router”]

Now, let’s have a look at what we have on the table!

Rclone

Thinking about something that lets you back up your data to several clouds, Rclone and CloudBerry were the first solutions that popped into my head. Rclone acts as a data mover, synchronizing your local repository with cloud-based object storage. You basically create a backup using something else (e.g., Veeam Backup & Replication), store it on-premises, and the solution sends it to several clouds. First developed for Linux, Rclone has a command-line interface to sync files and directories between clouds.

OS compatibility

The solution runs on all major operating systems, but the interface remains command-line only.

Cloud Support

The solution works with most popular public cloud storage like Microsoft Azure, Amazon S3 and Glacier, Google Cloud Platform, Backblaze B2, etc.

Feature set

Rclone commands work with any remote storage system, be it public cloud storage or just your backup server somewhere else. It can also send data to multiple places simultaneously, but bi-directional sync does not work yet. In other words, changes you make to your files in the cloud do not affect their local copies. The synchronization process is incremental on a file-by-file basis. It should also be noted that Rclone preserves timestamps on files, so you can find the right backup easily.

The solution provides two options for moving data to the cloud: sync and copy. The first one, sync, moves backups to the cloud automatically as soon as they appear in the specified local directory. The second mode, copy, as its name suggests, only copies data from on-premises to the cloud: deleting your files locally won’t affect the ones stored in the cloud. There’s also a check mode that verifies hash equality. Learn more about Rclone: https://rclone.org/
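To make the difference between the two modes concrete, here is an added example (not Rclone’s own code) that models "copy", "sync" and "check" over two local directories standing in for cloud remotes, in the 3-2-1 spirit of the article: copy never deletes on the remote, sync mirrors local deletions, and check compares file hashes. The backup file names are constructed.

```python
"""Toy model of Rclone's copy / sync / check modes over local directories.
Remotes are ordinary directories here; file names below are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_hash(path: Path) -> str:
    """SHA-256 of a file's contents, the kind of hash a check pass compares."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def listing(root: Path) -> dict:
    """Relative path -> hash for every regular file under root."""
    return {str(p.relative_to(root)): file_hash(p)
            for p in root.rglob("*") if p.is_file()}


def copy(src: Path, dst: Path) -> dict:
    """copy mode: upload new or changed files; never delete on the remote."""
    changed = {}
    for rel, digest in listing(src).items():
        target = dst / rel
        if not target.exists() or file_hash(target) != digest:
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src / rel, target)
            changed[rel] = "uploaded"
    return changed


def sync(src: Path, dst: Path) -> dict:
    """sync mode: make the remote identical to the source, deletions included."""
    changed = copy(src, dst)
    for rel in set(listing(dst)) - set(listing(src)):
        (dst / rel).unlink()
        changed[rel] = "deleted"
    return changed


def check(src: Path, dst: Path) -> list:
    """check mode: names of files whose hash differs or which exist on one side only."""
    a, b = listing(src), listing(dst)
    return sorted(rel for rel in set(a) | set(b) if a.get(rel) != b.get(rel))


def demo() -> dict:
    """Constructed scenario: one local repository, two remotes (copy vs sync)."""
    base = Path(tempfile.mkdtemp())
    local, remote_a, remote_b = base / "local", base / "remoteA", base / "remoteB"
    for d in (local, remote_a, remote_b):
        d.mkdir()
    (local / "backup-2024-04-25.vbk").write_bytes(b"full backup bytes")
    (local / "backup-2024-04-26.vib").write_bytes(b"incremental bytes")
    copy(local, remote_a)
    sync(local, remote_b)

    # The operator prunes the older full backup locally: copy mode keeps it
    # on remote A, sync mode removes it from remote B.
    (local / "backup-2024-04-25.vbk").unlink()
    copy(local, remote_a)
    sync(local, remote_b)

    result = {
        "remoteA": sorted(listing(remote_a)),
        "remoteB": sorted(listing(remote_b)),
        "checkA": check(local, remote_a),
        "checkB": check(local, remote_b),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

Note that under sync a local ransomware-style deletion or corruption is mirrored to the remote on the next run, which is why the offsite copy in a 3-2-1 scheme is usually fed in copy mode or protected by retention.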

CloudBerry Backup

CloudBerry Backup is built from the self-titled backup technology developed for service providers and enterprise IT departments. It is a cross-platform solution. Note that it’s full-fledged backup software, allowing you to not only move backups to the cloud but also create them.

OS compatibility

It is a cross-platform solution.

Cloud Support

So far, the solution can talk to Microsoft Azure, Amazon S3 and Glacier, Google Cloud Platform, Backblaze B2, and much more!

Feature set

Being intended for big IT departments and cloud service providers, CloudBerry Backup provides some features that make the solution really handy for them. First, it offers room for client customization, up to complete rebranding of the solution. Now, let’s look at the backup side of this thing!

The solution allows backing up files and directories manually. If you are too lazy for that, you can sync the selected directory to the root of the bucket. CloudBerry Backup also lets you schedule backups, so you won’t miss them! Another cool thing is backup job management and monitoring: thanks to this feature, you are always aware of the backup processes on the client machines. The solution offers AES 256-bit end-to-end encryption to ensure your data’s safety.

Learn more about CloudBerry Backup: https://www.cloudberrylab.com/managed-backup.aspx

StarWind VTL

Have you ever heard about virtual tape libraries (VTL)? I thought these things died out, but I apparently was wrong.

OS compatibility

Unfortunately, this product is available only for Windows.

Cloud Support

So far, StarWind VTL can talk to popular cloud storage services like AWS S3 and Glacier, Azure, and Backblaze B2.

Feature set

The product has many cool features for those who want to back up to the cloud. First, it allows sending data to the respective cloud tier, with automatic de-staging afterwards. This automation makes StarWind VTL really cool. Second, the product supports both on-premises and public cloud object storage. Third, StarWind VTL, like the solutions reviewed above, supports deduplication and compression, making your storage utilization more efficient. Finally, there is room for encryption, since the product supports client-side encryption.

StarWind VTL also has several inherent VTL features. This means that it can potentially give us more than just a thing that accepts your backups from something Veeam-like and throws them into the public cloud.

All manipulations in a StarWind VTL environment are done via the Management Console and the Web-Console, the web interface that makes VTL compatible with all browsers.

Learn more about StarWind Virtual Tape Library: https://www.starwindsoftware.com/starwind-virtual-tape-library

Duplicati

Duplicati was designed for online backups from the start. It is another backup tool that can send your data directly to multiple clouds; it can also use local storage as a backend.

OS compatibility

It is free and compatible with Windows, macOS, and Linux.

Cloud Support

So far, the solution talks to Amazon S3, Mega, Google Cloud Storage, and Azure.

Feature set

Duplicati has some great features. First, it is free, and its team does not restrict free use even for commercial purposes. Second, Duplicati employs decent encryption, compression, and deduplication, making your storage more efficient and your data safer. Third, it timestamps your backups, so finding a specific one is easier. Fourth, to make users’ lives simpler, the Duplicati team built a backup scheduler, so you won’t miss the backup time. What makes this software special and really handy is backup content verification. You never really know whether a backup works until you restore from it; thanks to this feature, you can pinpoint broken backups before it is too late. Note that verification confirms the stored data still matches what was uploaded; a periodic test restore is still the only proof that the backup is usable.

The solution is managed via a web interface, so you can run it from any browser.

Learn more about Duplicati: https://www.duplicati.com/

Duplicacy

Duplicacy works with the popular cloud storage services. Apart from the cloud, it can use your SFTP servers and NAS boxes as backends.

OS compatibility

The solution is compatible with Windows, Mac OS X, and Linux.

Cloud Support

So far, Duplicacy can offload data to Backblaze B2, Amazon S3, Google Cloud Storage, Microsoft Azure, and more.

Feature set

Duplicacy not only routes your backups to the cloud but also creates them. Each backup it creates is incremental, yet each is treated as a full snapshot, which makes restoring, deleting, and moving backups between storages simpler. This works because backups are stored as content-addressed chunks: a snapshot is just a list of chunk references, so only new chunks are uploaded, and any snapshot can be restored or dropped independently of the others. Duplicacy can send your files to multiple cloud storages and uses strong client-side encryption. Another useful feature is that multiple clients can access the same storage simultaneously.

Finally, I’d like to mention Duplicacy’s comprehensive GUI, which features one-page configuration for quick backup scheduling and retention policy management. If you prefer the command line, Duplicacy can be managed from it as well.
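Duplicacy’s “every incremental is a full snapshot” model and Duplicati’s backup verification, both mentioned above, rest on the same idea: store content-addressed chunks, make a snapshot a list of chunk hashes, and verify by re-hashing what is stored. The following is an added illustration written for this article, not code from either project. It assumes fixed-size 4-byte chunks and an in-memory dict as the “bucket” (both simplifications; real tools use content-defined chunking, object storage and client-side encryption, which is left out here).

```python
import hashlib
from typing import Dict, List

CHUNK_SIZE = 4  # bytes; deliberately tiny so the toy inputs below split into several chunks


def chunk_bytes(data: bytes, size: int = CHUNK_SIZE) -> List[bytes]:
    """Split data into fixed-size chunks (real tools use content-defined chunking)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def chunk_id(chunk: bytes) -> str:
    """Content address of a chunk: the SHA-256 of its bytes."""
    return hashlib.sha256(chunk).hexdigest()


class ChunkStore:
    """Stand-in for a cloud bucket: chunks keyed by content hash, plus snapshot manifests."""

    def __init__(self) -> None:
        self.chunks: Dict[str, bytes] = {}
        self.snapshots: Dict[str, Dict[str, List[str]]] = {}
        self.uploads = 0  # how many chunks actually went to "the bucket"

    def backup(self, name: str, files: Dict[str, bytes]) -> Dict[str, List[str]]:
        """Create snapshot `name`: upload only chunks not already present (deduplication)."""
        manifest: Dict[str, List[str]] = {}
        for path, data in files.items():
            ids = []
            for chunk in chunk_bytes(data):
                cid = chunk_id(chunk)
                if cid not in self.chunks:
                    self.chunks[cid] = chunk
                    self.uploads += 1
                ids.append(cid)
            manifest[path] = ids
        self.snapshots[name] = manifest  # every snapshot is a complete file list
        return manifest

    def restore(self, name: str) -> Dict[str, bytes]:
        """Rebuild every file in a snapshot from its chunks; no other snapshot is needed."""
        return {path: b"".join(self.chunks[cid] for cid in ids)
                for path, ids in self.snapshots[name].items()}

    def verify(self, name: str) -> List[str]:
        """Re-hash every chunk a snapshot references; return ids that are missing or corrupt."""
        bad = []
        for ids in self.snapshots[name].values():
            for cid in ids:
                chunk = self.chunks.get(cid)
                if chunk is None or chunk_id(chunk) != cid:
                    bad.append(cid)
        return bad

    def delete_snapshot(self, name: str) -> int:
        """Drop a snapshot, then garbage-collect chunks no remaining snapshot references."""
        del self.snapshots[name]
        live = {cid for m in self.snapshots.values() for ids in m.values() for cid in ids}
        dead = [cid for cid in self.chunks if cid not in live]
        for cid in dead:
            del self.chunks[cid]
        return len(dead)


if __name__ == "__main__":
    store = ChunkStore()
    store.backup("day1", {"notes.txt": b"hello world!", "cfg.ini": b"key=value"})
    print("day1 uploaded", store.uploads, "chunks")                        # 6
    store.backup("day2", {"notes.txt": b"hello there!", "cfg.ini": b"key=value"})
    print("day2 uploaded", store.uploads - 6, "new chunks")                # 2: only the changed part
    store.chunks[chunk_id(b"rld!")] = b"rlD!"                               # simulate bit rot in the bucket
    print("day1 bad chunks:", len(store.verify("day1")))                   # 1
    print("day2 bad chunks:", len(store.verify("day2")))                   # 0
    print("day1 deleted, freed", store.delete_snapshot("day1"), "chunks")  # 2
```

The second backup uploads only the chunks that changed, yet `restore("day2")` needs nothing from day 1; verification catches the corrupted chunk only in the snapshot that references it; and deleting day 1 frees exactly the chunks no other snapshot uses. Encrypting each chunk before upload, as the real tools do, changes none of this logic as long as the chunk id is computed over the plaintext.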

Learn more about Duplicacy: https://duplicacy.com/

So what?

Undoubtedly, keeping one copy in the public cloud is good; as long as it complies with the 3-2-1 backup rule (three copies of your data, on two different media, with one copy off-site), everything should be fine. Yet public cloud services fail and get messed up, since none of them runs on a foolproof, outage-proof infrastructure. If you are out of luck one day, the cloud service will go down at the very moment you decide to retrieve your data. On that day, it would be nice to have an extra backup in another cloud.

Sure, there are plenty of good backup solutions that can talk to multiple public cloud storages, and I have covered several of them in this article. Some are full-fledged backup software (CloudBerry Backup, Duplicati, and Duplicacy), while others just talk to multiple clouds. Among the solutions reviewed today there is also a product for creating virtual tape libraries. It is really useful because it streamlines your backup environment, bringing not only the ability to talk to multiple clouds but also the inherent features of a VTL. I hope this article comes in handy and that you employ one of the reviewed solutions in your backup infrastructure.



from StarWind Blog https://ift.tt/H46ErfL

Talos IR trends: BEC attacks surge, while weaknesses in MFA persist


Business email compromise (BEC) was the top threat observed by Cisco Talos Incident Response (Talos IR) in the first quarter of 2024, accounting for nearly half of engagements, more than double the share seen in the previous quarter.

The most commonly observed means of gaining initial access was the use of compromised credentials on valid accounts, accounting for 29 percent of engagements; the high number of BEC attacks likely played a significant role in valid accounts being the top attack vector this quarter. Weaknesses involving multi-factor authentication (MFA) were observed in nearly half of engagements, the most common being users accepting unauthorized push notifications, seen in 25 percent of engagements.

There was a slight decrease in ransomware this quarter, accounting for 17 percent of engagements. Talos IR responded to new variants of Phobos and Akira ransomware for the first time this quarter. 


Manufacturing was the most targeted vertical this quarter, closely followed by education, continuing the trend from Q4 2023, when manufacturing and education were also among the most targeted verticals. Manufacturing engagements increased 20 percent from the previous quarter.

The manufacturing sector faces unique challenges due to its inherently low tolerance for operational downtime. This quarter, Talos IR observed a wide range of threat activity targeting manufacturing organizations including financially motivated attacks, such as BEC and ransomware, and some brute force activity targeting virtual private network (VPN) infrastructure. The use of compromised credentials on valid accounts was the top observed attack vector within attacks targeting the manufacturing sector this quarter, which represents a change from the previous quarter when the top attack vector observed in these types of engagements was exploiting vulnerabilities in public-facing applications.   


Surge in BEC 

In BEC attacks, adversaries send phishing emails that appear to come from a known or reputable source and make a plausible request, such as updating payroll direct deposit information. BEC attacks have many motivations, most often financial: the goal is to trick organizations into transferring funds or sensitive information to the attacker.

BEC offers adversaries the advantage of impersonating trusted contacts to facilitate internal spearphishing attacks that can bypass traditional external defenses and increase the likelihood of deception, widespread malware infections and data theft. 

In one engagement, adversaries ran a password-spraying attack and MFA exhaustion attacks against several employee accounts. MFA was not properly implemented on all of the impacted accounts, and the adversaries gained access to at least two accounts that were protected by single-factor authentication only. The organization detected and disrupted the attack before the adversaries could extend their access or carry out further post-compromise activity.

In another cluster of activity, several employees received spear-phishing emails containing links that, when clicked, led through a redirection chain of web pages to a legitimate single sign-on (SSO) prompt pre-populated with each victim’s email address. The attack was unsuccessful because none of the employees interacted with the email, likely because of multiple red flags: the email was unexpected, came from an external address, and contained small text referring to it as a fax, all indicators of a phishing attempt.

Ransomware trends 

Ransomware accounted for 17 percent of engagements this quarter, an 11 percent decrease from the previous quarter. Talos IR observed new variants of Akira and Phobos ransomware for the first time this quarter. 

Akira 

Talos IR responded to an Akira ransomware attack for the first time this quarter, in an engagement where affiliates deployed the latest ESXi version, “Akira_v2,” as well as a Windows-based variant of Akira named “Megazord.” These new Akira variants are written in Rust, a notable change from the earlier C++ code built on the Crypto++ library.

Talos IR could not determine how initial access was gained, which is common because ransomware attacks often involve multi-stage strategies that add complexity to the investigation. Once inside the network, the adversaries collected credentials from the memory of the Local Security Authority Subsystem Service (LSASS) and from the NTDS.dit database, the file in which Active Directory stores its directory data, and used Remote Desktop Protocol (RDP) for lateral movement. Before encryption, Megazord executed several commands to stop services and impair defenses, including “net stop” and “taskkill.” Akira_v2 appended the file extension “.akiranew” during encryption, while Megazord appended “.powerranges”.

First discovered in early 2023, Akira operates as a ransomware-as-a-service (RaaS) and employs a double extortion scheme in which data is exfiltrated before encryption. Akira affiliates heavily target small- to medium-sized businesses across several verticals, primarily in the U.S., but have also hit organizations in the U.K., Canada, Iceland, Australia and South Korea. Akira affiliates are known for leveraging compromised credentials and exploiting vulnerabilities for initial access, such as CVE-2021-27876, an authentication weakness in the agent of certain versions of Veritas Backup Exec, and CVE-2023-27532, affecting certain versions of Veeam Backup & Replication (VBR).

Phobos 

Talos IR has previously observed variants of Phobos ransomware, such as “Faust,” but this quarter Talos IR responded to an engagement involving the “BackMyData” variant. The adversaries used Mimikatz to dump credentials from Active Directory and installed several password-recovery tools from the NirSoft suite, such as PasswordFox and ChromePass, for additional credential harvesting.

The adversaries used PsExec to reach the domain controller, then set a registry key to permit remote desktop connections and, shortly after, modified the Windows firewall with the netsh command-line utility to allow them. The remote access tool AnyDesk was downloaded to provide persistent remote access to the environment. Talos IR assessed with high confidence that WinSCP and Secure Shell (SSH) were used to exfiltrate staged data. The adversaries also relied on PsExec to execute commands such as deleting volume shadow copies before deploying the ransomware executable. After encryption, the ransomware appended the file extension “.fastbackdata”.
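The chain described above (PsExec to the domain controller, a registry change to allow RDP, a netsh firewall change, shadow-copy deletion, tools staged under a user’s Music folder) leaves process-creation telemetry that can be matched before the encryptor runs. The following detection sketch is an added example written for this article, not Talos code: the events are constructed to resemble Sysmon Event ID 1 records from such an intrusion, and the rule names, the technique mapping and the threshold of two distinct rules per host are this example’s own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-creation events in the shape of Sysmon Event ID 1 (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "PSEXESVC.exe", "image": "reg.exe",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "PSEXESVC.exe", "image": "netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "PSEXESVC.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS02", "user": "CORP\\jdoe", "parent": "explorer.exe", "image": "HRSword.exe",
     "cmdline": "C:\\Users\\jdoe\\Music\\HRSword.exe"},
    {"host": "FS02", "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": "net stop MSSQLSERVER"},
    {"host": "WS17", "user": "CORP\\asmith", "parent": "explorer.exe", "image": "netsh.exe",
     "cmdline": "netsh interface show interface"},
    {"host": "WS17", "user": "CORP\\asmith", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": 'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"'},
]

# (rule name, ATT&CK technique, command-line pattern); names and mapping are this example's own.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
                r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("rdp_enabled_via_registry", "T1112",
     re.compile(r"reg(\.exe)?\s+add\s+.*terminal server.*fdenytsconnections.*/d\s+0\b", re.I)),
    ("firewall_opened_for_rdp", "T1562.004",
     re.compile(r"netsh(\.exe)?\s+advfirewall\s+firewall\s+(set|add)\s+rule\s+.*"
                r"(remote desktop|3389).*enable=yes", re.I)),
    ("service_stop_or_process_kill", "T1489",
     re.compile(r"\bnet(\.exe)?\s+stop\s+\S+|taskkill(\.exe)?\b.*\s/f\b", re.I)),
    ("exec_from_user_music_dir", "T1074.001",
     re.compile(r"\\users\\[^\\]+\\music\\\S+\.(exe|dll|ps1|bat|vbs)\b", re.I)),
]


def match_event(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every (rule, technique) an event trips; the parent-process check is separate."""
    hits = [(name, tech) for name, tech, pat in RULES if pat.search(event["cmdline"])]
    if event["parent"].lower() == "psexesvc.exe":  # launched through the PsExec service
        hits.append(("launched_by_psexec_service", "T1569.002"))
    return hits


def score_hosts(events: List[Dict[str, str]], min_rules: int = 2) -> Dict[str, List[Tuple[str, str]]]:
    """Flag hosts where at least `min_rules` distinct rules fired; a single hit is too noisy alone."""
    per_host: Dict[str, set] = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(match_event(event))
    return {host: sorted(hits) for host, hits in per_host.items() if len(hits) >= min_rules}


if __name__ == "__main__":
    for host, hits in score_hosts(EVENTS).items():
        print(host, [f"{name} ({tech})" for name, tech in hits])
```

“net stop” on its own is routine administration, which is why the verdict is made per host on the number of distinct rules that fired rather than per event; the workstation with a harmless netsh and reg query is not flagged, while the domain controller and file server are. Command-line logging (Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled) is the prerequisite for any of this.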

A notable finding was the persistent use of the “Users/[username]/Music” directory as a staging area for data exfiltration and as a place to host malicious scripts, tools and malware, a technique common among ransomware affiliates for evading detection and remaining persistent in the environment. Talos IR also identified a digitally signed executable, “HRSword,” developed by Beijing Huorong Network Technology; the affiliate used it for potential secure file deletion and as a means of disabling endpoint protection tools, a use Phobos affiliates had previously been reported for in public reporting.

Phobos ransomware first emerged in late 2018 and shares many similarities with the Crysis and Dharma ransomware families. Unlike many other ransomware families, Phobos has numerous variants, such as Eking, Eight, Elbie, Devos and Faust. Little is known about the business model behind the Phobos operation. In November 2023, Cisco Talos analyzed over a thousand Phobos samples to learn more about the affiliate structure and activity; the hundreds of contact emails and IDs associated with Phobos campaigns point to a dispersed affiliate base and therefore a RaaS model. Talos assessed with moderate confidence that the Phobos operation is actively managed by a central authority, as a single private key is capable of decryption across all observed campaigns.

Other observed threats  

Talos IR responded to an attack where adversaries were attempting to brute force several Cisco Adaptive Security Appliances (ASAs). Although the adversaries were unsuccessful in their attack, this activity is in line with the recently observed trend affecting VPN services. 

Cisco Talos has recently seen an increase in malicious activity targeting VPN services, web application authentication interfaces, and Secure Shell (SSH) globally. Since at least March 18, Cisco has observed scanning and brute force activity originating from Tor exit nodes and other anonymizing tunnels and proxies.

Depending on the target environment, a successful attack could result in unauthorized access to the target network, and the volume of attempts can also cause account lockouts and denial-of-service (DoS) conditions. The brute force attempts use a mix of generic usernames and valid usernames specific to particular organizations. The activity appears indiscriminate and has been observed across multiple industry verticals and geographic regions.

Initial vectors 

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, accounting for 29 percent of engagements, a continuation of a trend from the previous quarter when valid accounts were also a top attack vector. 


Security weaknesses 

For the first time, users accepting unauthorized MFA push notifications was the top observed security weakness, accounting for 25 percent of engagements this quarter. A lack of proper MFA implementation followed closely, accounting for 21 percent of engagements, a 44 percent decrease from the previous quarter.

Users must clearly understand the appropriate business response protocol when their devices are flooded with push notifications. Talos IR recommends that organizations educate employees about the specific channels and points of contact for reporting such incidents. Prompt and accurate reporting lets security teams quickly identify the nature of the issue and take the necessary measures. Organizations should also consider enabling number matching in their MFA applications, which stops a user from approving a push they did not initiate, since they would have to enter a number shown only on the attacker’s login screen.

Talos IR recommends implementing MFA on all critical services, including all remote access and identity and access management (IAM) services. MFA is the most effective single control for preventing remote compromise. It also hinders lateral movement by requiring administrative users to present a second factor. Organizations can set up alerting on single-factor authentication events to quickly identify gaps in coverage.
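The password-spraying, MFA-exhaustion and single-factor-login findings above all show up in identity-provider sign-in logs and can be caught with a few windowed rules. The following is an added example written for this article, not Talos code: the log format, the field names, the thresholds (five accounts from one source IP within ten minutes; three rejected pushes within five minutes before an approval) and the sample lines are constructed assumptions, and a real IdP export will need its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sign-in log (not real IdP data): timestamp user source_ip result mfa_outcome
RAW_LOG = """\
2024-02-12T08:00:01Z alice 203.0.113.7 fail none
2024-02-12T08:00:03Z bob 203.0.113.7 fail none
2024-02-12T08:00:05Z carol 203.0.113.7 fail none
2024-02-12T08:00:07Z dave 203.0.113.7 fail none
2024-02-12T08:00:09Z erin 203.0.113.7 fail none
2024-02-12T08:00:11Z frank 203.0.113.7 success none
2024-02-12T08:10:00Z carol 198.51.100.9 fail push_denied
2024-02-12T08:10:40Z carol 198.51.100.9 fail push_timeout
2024-02-12T08:11:20Z carol 198.51.100.9 fail push_denied
2024-02-12T08:12:00Z carol 198.51.100.9 fail push_denied
2024-02-12T08:12:45Z carol 198.51.100.9 success push_approved
2024-02-12T09:00:00Z alice 192.0.2.50 success push_approved
2024-02-12T09:05:00Z bob 192.0.2.51 fail none
2024-02-12T09:05:30Z bob 192.0.2.51 success push_approved
"""


def parse_log(text: str) -> List[dict]:
    """Turn the whitespace-separated lines above into event dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, mfa = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "src_ip": ip, "result": result, "mfa": mfa})
    return events


def detect_password_spray(events: List[dict], min_users: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, int]]:
    """One source IP failing the password step against many distinct accounts in a short window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail" and e["mfa"] == "none":  # failed before any MFA step
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts.append((ip, len(users)))
                break  # one alert per source IP
    return alerts


def detect_mfa_fatigue(events: List[dict], min_prompts: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, int, str]]:
    """Several denied or timed-out pushes for one user, then an approval: the user gave in."""
    by_user = defaultdict(list)
    for e in events:
        if e["mfa"].startswith("push_"):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["mfa"] != "push_approved":
                continue
            rejected = [p for p in evs[:i]
                        if p["mfa"] != "push_approved" and e["ts"] - p["ts"] <= window]
            if len(rejected) >= min_prompts:
                alerts.append((user, len(rejected), e["src_ip"]))
    return alerts


def detect_single_factor_success(events: List[dict]) -> List[Tuple[str, str]]:
    """Successful sign-ins that never involved a second factor: the MFA coverage gap."""
    return [(e["user"], e["src_ip"]) for e in events
            if e["result"] == "success" and e["mfa"] == "none"]


if __name__ == "__main__":
    evs = parse_log(RAW_LOG)
    print("password spray:", detect_password_spray(evs))        # [('203.0.113.7', 5)]
    print("MFA fatigue:", detect_mfa_fatigue(evs))              # [('carol', 4, '198.51.100.9')]
    print("single-factor:", detect_single_factor_success(evs))  # [('frank', '203.0.113.7')]
```

The constructed log reproduces the engagement pattern: one IP sprays six accounts, the sixth (frank) has no MFA enrolled and is compromised outright, and carol approves after four rejected pushes. Bob’s single failure followed by an approved push is an ordinary typo and trips nothing. With number matching enabled, the fourth rule would rarely fire, because the user cannot approve without typing the number the attacker sees.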

Top observed MITRE ATT&CK techniques 

The table below lists the MITRE ATT&CK techniques observed in this quarter’s IR engagements, with relevant examples and the number of times each was seen. Because some techniques can fall under multiple tactics, each is grouped under the tactic most relevant to the way it was used. This is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:  

  • Remote access software, such as Splashtop and AnyDesk, was used in 17 percent of engagements this quarter, a 20 percent decrease from the previous quarter.
  • The use of email hiding rules was the top observed defense evasion technique, accounting for 21 percent of engagements this quarter.   
  • Scheduled tasks were leveraged by adversaries the most this quarter for persistence, accounting for 17 percent of engagements this quarter, a 33 percent increase from the previous quarter.  
  • The abuse of remote services, such as RDP, SSH, SMB and WinRM, more than doubled this quarter compared to the previous quarter, accounting for nearly 60 percent of engagements. 
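Email hiding rules, the top defense-evasion technique above, are visible in mailbox rule inventories (for Exchange Online, the output of Get-InboxRule collected across all mailboxes). The following triage script is an added example written for this article, not a Talos tool: the rule records are constructed to resemble that output’s fields, and the keyword list, hiding-folder list, weights, threshold and tenant domain are this example’s own assumptions, to be tuned per environment.

```python
from typing import Dict, List, Tuple

INTERNAL_DOMAIN = "corp.example"  # assumed tenant domain for the constructed data below

# Folders attackers pick because nobody looks there, and subjects they want to suppress.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
SUSPECT_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "hacked",
                    "phish", "suspicious", "fraud", "urgent", "helpdesk"}

# Constructed rule records shaped after Get-InboxRule fields (not from a real tenant).
INBOX_RULES: List[Dict[str, object]] = [
    {"Mailbox": "cfo@corp.example", "Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "wire", "payment"], "MoveToFolder": "RSS Feeds",
     "DeleteMessage": False, "ForwardTo": [], "MarkAsRead": True},
    {"Mailbox": "ap@corp.example", "Name": "cleanup", "Enabled": True,
     "SubjectOrBodyContainsWords": ["hacked", "phish", "suspicious"], "MoveToFolder": None,
     "DeleteMessage": True, "ForwardTo": [], "MarkAsRead": False},
    {"Mailbox": "ap@corp.example", "Name": "fwd", "Enabled": True,
     "SubjectOrBodyContainsWords": [], "MoveToFolder": None,
     "DeleteMessage": False, "ForwardTo": ["billing@mail-collector.example"], "MarkAsRead": False},
    {"Mailbox": "jdoe@corp.example", "Name": "Newsletters to folder", "Enabled": True,
     "SubjectOrBodyContainsWords": ["newsletter"], "MoveToFolder": "Reading",
     "DeleteMessage": False, "ForwardTo": [], "MarkAsRead": False},
]


def assess_rule(rule: Dict[str, object]) -> Tuple[int, List[str]]:
    """Score one rule; the weights are this example's own and should be tuned per tenant."""
    score, reasons = 0, []
    words = {str(w).lower() for w in (rule.get("SubjectOrBodyContainsWords") or [])}
    folder = str(rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to hiding folder '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        score += 2
        reasons.append("deletes matching mail")
    hits = sorted(words & SUSPECT_KEYWORDS)
    if hits:
        score += 1
        reasons.append("filters on fraud/alert keywords: " + ", ".join(hits))
    external = [str(a) for a in (rule.get("ForwardTo") or [])
                if not str(a).lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        score += 3  # outbound forwarding on its own warrants a look
        reasons.append("forwards to external address: " + ", ".join(external))
    if len(str(rule.get("Name", "")).strip()) <= 2:
        score += 1
        reasons.append("near-empty rule name")
    if rule.get("MarkAsRead"):
        score += 1
        reasons.append("marks mail as read")
    return score, reasons


def suspicious_rules(rules: List[Dict[str, object]], threshold: int = 3):
    """Return (mailbox, rule name, score, reasons) for enabled rules at or above the threshold."""
    flagged = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        score, reasons = assess_rule(rule)
        if score >= threshold:
            flagged.append((rule["Mailbox"], rule["Name"], score, reasons))
    return flagged


if __name__ == "__main__":
    for mailbox, name, score, reasons in suspicious_rules(INBOX_RULES):
        print(f"{mailbox} rule {name!r} score={score}: " + "; ".join(reasons))
```

The CFO’s one-character rule that moves invoice and wire-transfer mail to RSS Feeds and marks it read is the classic BEC hiding rule; the “cleanup” rule that deletes anything mentioning “hacked” or “phish” is there to suppress warnings from colleagues; the external forward is scored high on its own. The ordinary newsletter rule scores zero. Creation events for rules (New-InboxRule, or the equivalent mailbox audit log entry) are the other place to alert, since an attacker adds the rule minutes after taking the account.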

Reconnaissance

  • T1589.001 Gather Victim Identity Information: Credentials
    Adversaries may gather credentials that can be used during their attack.
  • T1598.003 Phishing for Information: Spearphishing Link
    Adversaries may send a spearphishing email with a link to a credential harvesting page to collect credentials for their attack.

Resource Development

  • T1586.002 Compromise Accounts: Email Accounts
    Adversaries may compromise email accounts that can be used during their attack for malicious activities, such as internal spearphishing.
  • T1583.001 Acquire Infrastructure: Domains
    Adversaries may acquire domains that can be used for malicious activities, such as hosting malware.
  • T1608.001 Stage Capabilities: Upload Malware
    Adversaries may upload malware to compromised domains to make it accessible during their attack.
  • T1583.008 Acquire Infrastructure: Malvertising
    Adversaries may purchase online advertisements, such as Google ads, that can be used to distribute malware to victims.
  • T1608.004 Stage Capabilities: Drive-by Target
    Adversaries may prepare a website for drive-by compromise by inserting malicious JavaScript.

Initial Access

  • T1078 Valid Accounts
    Adversaries may use compromised credentials to access valid accounts during their attack.
  • T1566 Phishing
    Adversaries may send phishing messages to gain access to target systems.
  • T1189 Drive-by Compromise
    Victims may infect their systems with malware while browsing, giving an adversary access.
  • T1190 Exploit Public-Facing Application
    Adversaries may exploit a vulnerability in a public-facing application to gain access to a target system.
  • T1566.002 Phishing: Spearphishing Link
    Adversaries may send phishing emails with malicious links to lure victims into installing malware.

Execution

  • T1059.001 Command and Scripting Interpreter: PowerShell
    Adversaries may abuse PowerShell to execute commands or scripts throughout their attack.
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
    Adversaries may abuse the Windows Command Shell to execute commands or scripts throughout their attack.
  • T1569.002 System Services: Service Execution
    Adversaries may abuse the Windows Service Control Manager to execute commands or payloads during their attack.

Persistence

  • T1053.005 Scheduled Task / Job: Scheduled Task
    Adversaries may abuse the Windows Task Scheduler to schedule recurring execution of malware or malicious commands.
  • T1574.002 Hijack Execution Flow: DLL Side-Loading
    Adversaries may execute their own malicious code by side-loading DLL files into legitimate programs.

Privilege Escalation

  • T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
    Adversaries may bypass UAC mechanisms to elevate their permissions on a system.

Defense Evasion

  • T1564.008 Hide Artifacts: Email Hiding Rules
    Adversaries may create inbox rules that move certain incoming emails to a folder to hide them from the mailbox owner.
  • T1070.004 Indicator Removal: File Deletion
    Adversaries may delete files to cover their tracks during the attack.
  • T1218.011 System Binary Proxy Execution: Rundll32
    Adversaries may abuse the Windows utility rundll32.exe to execute malware.
  • T1112 Modify Registry
    Adversaries may modify the registry to maintain persistence on a target system.
  • T1562.010 Impair Defenses: Downgrade Attack
    Adversaries may downgrade a program, such as PowerShell, to a version that is vulnerable to exploits.

Credential Access

  • T1621 Multi-Factor Authentication Request Generation
    Adversaries may generate MFA push notifications, causing an MFA exhaustion attack.
  • T1003.005 OS Credential Dumping: NTDS
    Adversaries may dump the contents of the NTDS.dit file to access credentials that can be used for lateral movement.
  • T1003.001 OS Credential Dumping: LSASS Memory
    Adversaries may dump the contents of LSASS memory to access credentials that can be used for lateral movement.
  • T1003.002 OS Credential Dumping: Security Account Manager
    Adversaries may dump the contents of the Security Account Manager (SAM) database to access credentials that can be used for lateral movement.
  • T1110.002 Brute Force: Password Cracking
    Adversaries may crack captured password hashes or otherwise brute-force account passwords to compromise accounts.

Discovery

  • T1069.001 Permission Groups Discovery: Local Groups
    Adversaries may attempt to discover local permission groups with commands such as “net localgroup.”
  • T1069.002 Permission Groups Discovery: Domain Groups
    Adversaries may attempt to discover domain groups with commands such as “net group /domain.”
  • T1201 Password Policy Discovery
    Adversaries may attempt to discover the password policy within a compromised network with commands such as “net accounts.”

Lateral Movement

  • T1021.001 Remote Services: Remote Desktop Protocol
    Adversaries may abuse valid accounts over RDP to move laterally in a target environment.
  • T1534 Internal Spearphishing
    Adversaries may abuse a compromised email account to send internal spearphishing emails to move laterally.
  • T1021.002 Remote Services: SMB / Windows Admin Shares
    Adversaries may abuse valid accounts over SMB to move laterally in a target environment.
  • T1021.004 Remote Services: SSH
    Adversaries may abuse valid accounts over SSH to move laterally in a target environment.
  • T1021.006 Remote Services: Windows Remote Management
    Adversaries may abuse valid accounts over WinRM to move laterally in a target environment.

Collection

  • T1114.002 Email Collection: Remote Email Collection
    Adversaries may target a Microsoft Exchange server to collect information.
  • T1074.001 Data Staged: Local Data Staging
    Adversaries may stage collected data locally in preparation for exfiltration.
  • T1074 Data Staged
    Adversaries may stage collected data in preparation for exfiltration.

Command and Control

  • T1105 Ingress Tool Transfer
    Adversaries may transfer tools from an external system to a compromised system.
  • T1219 Remote Access Software
    Adversaries may abuse remote access software, such as AnyDesk, to establish an interactive C2 channel during their attack.

Exfiltration

  • T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
    Adversaries may exfiltrate data to a cloud storage provider, such as Dropbox.

Impact

  • T1486 Data Encrypted for Impact
    Adversaries may use ransomware to encrypt data on a target system.
  • T1490 Inhibit System Recovery
    Adversaries may disable system recovery features, such as volume shadow copies.
  • T1657 Financial Theft
    Adversaries may commit financial fraud during the attack.



from Cisco Talos Blog https://ift.tt/pBkoKfl