Wednesday, November 29, 2023

Accelerate your Terraform development with Amazon CodeWhisperer

In April 2023, AWS announced the general availability of Amazon CodeWhisperer, an AI-based coding companion that generates real-time single-line or full-function code suggestions. Now, at AWS re:Invent 2023, HashiCorp and AWS have announced the support for Terraform in Amazon CodeWhisperer. CodeWhisperer helps accelerate Terraform development by providing code suggestions that reduce total development effort, allowing Terraform practitioners to focus on end-to-end Terraform workflows. Customers can now take advantage of real-time generative AI Terraform suggestions, an open source reference tracker, and built-in security scans in Amazon CodeWhisperer.

HashiCorp Terraform and Amazon CodeWhisperer

Amazon CodeWhisperer provides code suggestions based on large language models (LLMs) trained on billions of lines of code, including Amazon's internal code and IaC config files as well as open source code. To generate high-quality Terraform suggestions, HashiCorp and Amazon CodeWhisperer teams worked together to source sample Terraform modules and configurations written in HashiCorp Configuration Language (HCL). The teams collaborated on model validation, working to ensure that the output generated by CodeWhisperer meets the requirements of Terraform practitioners.

The rise of HashiCorp Configuration Language (HCL)

CodeWhisperer and Terraform are a powerful combination. HCL has once again been confirmed as a high-growth programming language by Octoverse, indicating that operations and IaC work are gaining prominence among developers. Specifically, HCL adoption has grown 36% year-over-year, demonstrating that developers are increasingly using declarative languages to drive infrastructure deployments.


How CodeWhisperer and Terraform work together

To use CodeWhisperer with Terraform, you simply install the latest AWS Toolkit plugin in your integrated development environment (IDE) of choice. CodeWhisperer automatically detects when you write a new Terraform configuration file (*.tf file) and generates code suggestions based on the comments you write.

Here are a few examples of what CodeWhisperer can do:

Let’s start with a simple example: suppose you want to create multiple Amazon EC2 instances using the latest Amazon Linux 2 machine image. You would start with a simple prompt to configure Terraform Cloud, followed by instructions to create the instances by looking up the Amazon Machine Image (AMI) for Amazon Linux 2. CodeWhisperer will provide suggestions for each resource block. You can cycle through the alternative suggestions and press the Tab key to accept one:


CodeWhisperer is also trained to understand advanced HCL syntax and expressions. For example, you could ask it to write a variable validation for bucket names of 10-20 characters with no special characters. CodeWhisperer can generate suggestions as shown here:


Another example is creating an EC2 security group and populating its ingress rules using a dynamic block expression and the existing locals:


Better with Terraform enhanced editor validation

When writing Terraform code, either by hand or by leveraging an AI-based coding companion such as CodeWhisperer, errors are a fact of life. If the generated Terraform has missing artifacts or has validation errors, developers often find themselves context-switching between their editor and the CLI to validate code, leading to frustration and reducing productivity.

Enhanced editor validation in the Terraform extension for Visual Studio Code automatically validates Terraform code as early as possible, creating an enhanced, integrated authoring experience by highlighting errors and providing guidance to help resolve issues quickly.

Examples of these new validations include:

  • Identifying missing variable declarations or required attributes
  • Highlighting unexpected attributes or blocks
  • Issuing warnings for deprecated attributes.

Validation errors are identified immediately within the Terraform extension for the Visual Studio Code editor; no context switching is needed.

Start generating code

You can start using Terraform code generation in Amazon CodeWhisperer using AWS’ getting started resources. To complement your generative workflows you can install the Terraform extension for Visual Studio Code and learn about enhancements recently added to the extension.

from HashiCorp Blog

Security Onion 2.4 Feature o' the Day - Configure OS Updates

Security Onion 2.4 includes lots of new features! SOC's new Configuration interface allows you to configure operating system updates:

You can read more about this in our documentation:

More Security Onion 2.4 Features

To see other Security Onion 2.4 features, please see our other Feature o' the Day blog posts:

You can also check out our Release Notes:

Migrating from 2.3 to 2.4

If you're still running Security Onion 2.3, please note that it reaches End Of Life on April 6, 2024:

If you would like to migrate your data from 2.3 to 2.4, you can find an overview of the process at:

from Security Onion

Discover Why Proactive Web Security Outsmarts Traditional Antivirus Solutions

In a rapidly evolving digital landscape, it's crucial to reevaluate how we secure web environments. Traditional antivirus-approach solutions have their merits, but they're reactive. A new report delves into the reasons for embracing proactive web security solutions, ensuring you stay ahead of emerging threats.

To learn more, download the full report here.

The New Paradigm

If you've been relying on the old-style antivirus-based approach to website security up to now, then we could summarize why you need to update to the more proactive approach simply by saying — prevention is always preferable to cure. That's the overarching rationale for adopting a proactive web security solution, but let's break it down into a few more detailed reasons for updating to the newer and more effective proactive approach.

To be clear, we're not denying that an antivirus-approach solution is ideal for detecting and responding to threats, but there's no escaping the fact that it's limited by design: it's reactive. A traditional antivirus-approach solution flags known malicious signatures once they're already in your environment, so it only acts when detections match the signatures in its database.

It may be good at identifying and quarantining known vulnerabilities in client-side code, but it wasn't made for proactive defense. The modern threat landscape contains many more routes of attack than just vulnerabilities in client-side code, so it makes sense to use an approach that is more intelligent and forward-looking.

Research company Gartner has stated in their latest release: "Zero-day vulnerabilities are rarely the primary cause of a breach. The most successful protection approach combines preparation for unknown threats with a risk reduction strategy, emphasizing publicly known vulnerabilities and identified control gaps."

It means that contemporary best practice has shifted towards a more proactive approach to business website security, so either read on to find out why a proactive solution beats the antivirus approach for that particular job, or download the full Proactive Approach Report here.

Comprehensive scoping

Most antivirus-approach solutions tend to focus on vulnerabilities in checkout pages. That's understandable because they are such popular magnets for web-skimming and Magecart attackers. But cybercriminals will try plenty of other points of entry too, including login pages, form submission pages, and redirects, for example.

These alternative points of entry are often overlooked, yet they can be just as vulnerable. Login pages, for instance, can be targeted by brute force attacks or credential stuffing. Form submission pages can be exploited through techniques like JS injection or cross-site scripting. Redirects can also be manipulated to lead users to malicious websites.

Moreover, cybercriminals are constantly evolving their tactics and techniques. They're not just limited to exploiting known vulnerabilities; they're also capable of finding and exploiting zero-day vulnerabilities, which are unknown to the software vendor and therefore have no available patches.

A proactive solution monitors all critical and sensitive website pages. It maps privacy risks and identifies misconfigurations before cybercriminals can exploit them to launch attacks. With a solely antivirus-based approach, you can't do this. It can only respond when the malware is already in place. Download the full Proactive Approach Report here to see what superior protection looks like.

Full dynamic inventory

Something else that antivirus software won't do is create an automated inventory of all the assets in your digital supply chain. Modern websites rely on a whole host of external apps to provide additional functionality, things like enhancing the user experience and providing marketing information to the owner.

But when you outsource so many of these functions to third parties, you're effectively trusting your own and your customers' data and security to strangers. Are their security processes watertight? Do they perform regular security updates in response to emerging threats? How do they protect sensitive customer data?

Modern websites rely on dozens or even hundreds of third-party apps and their designers often use code from open-source libraries and frameworks to reduce production time. If your site leans on lots of third-party apps too then you need a system to identify them all and establish what they're doing.

A good-quality proactive solution will have an automated inventory function that comprehensively maps them all. It locates all the tools in your digital supply chain and establishes a baseline for what 'normal' looks like for every bit of code behavior. It can then call your attention to anything that deviates from what's expected. Can an antivirus-approach solution do this? No. It can only react when it detects the malware that's already active in your system. A good example is the Log4J vulnerability, where supply chains were compromised and the vulnerability went undetected for weeks. Only proactive approach solutions were able to quickly identify and remediate this critical vulnerability. Download the full Proactive Approach Report to learn more about its automated inventory mapping.

Prioritizing risk

A proactive monitoring platform makes use of multiple data and business intelligence resources to offer precise insights to users. Monitoring thousands of web assets all over the world gives the system a huge and growing database of common code, application, and domain behaviors to reference. Since it knows what common behaviors look like, it's constantly learning what unexpected events look like too. Its advanced identification mechanisms evolve alongside the threats they're monitoring to protect customers from possible attacks.

A proactive system draws on this wealth of information to build a risk profile for your business.

Antivirus-approach solutions can only address script vulnerabilities, but a proactive solution accurately assesses the most important potential risks for your business context.

This leads us to alert fatigue. Some security teams reduce their effectiveness by reacting to everything, including lots of minor alerts that pose little risk to the business. By only flagging meaningful risks and disregarding what can be safely ignored, the proactive system reduces time-wasting false positives and cuts down on alert fatigue.

So, proactive monitoring keeps your security staff focused on the risks that matter most so they can apply their talents where they are most needed.

Validating your security posture

A proactive solution can also validate the security tools you already use, things like WAF, DAST, cookie consent, bot managers, SCA, and more. It can be difficult to maintain a secure web app environment where all these tools work together safely, but with a proactive system, security teams can make sure that everything is correctly configured and working as it should, with no loopholes left open for attackers to exploit. If problems do arise with any of your tools, the proactive system alerts you straight away and guides you to fix the issue.

Again, this is something that the antivirus-approach solution can't address. A proactive approach solution gives you comprehensive oversight of your existing security tools and ensures they are functioning properly.

Security baseline

A proactive system also allows you to set your security baseline in terms of your own level of risk appetite by letting you safely approve or reject the actions it flags for attention. Once this is done your security teams won't be constantly responding to alerts that barely matter, and your business can strike a balanced approach to remaining secure that doesn't unnecessarily restrict its operations. By gaining full visibility into your web exposure you can proactively prioritize which threats are critical to your organization and which ones are just a waste of your IT staff's time. A reactive antivirus-approach solution doesn't allow you to customize to this degree.


Reflectiz is a leading proactive approach solution provider, with a system that outperforms traditional detection methods to defend your organization's digital environment against unpredictable evolving web threats. The modern threat landscape is one in which cyber attackers can use a seemingly harmless script (which an antivirus-approach solution might miss) to cripple a business overnight. The cost of data breaches and privacy violations is very high, so can you afford to carry on being reactive? Diverse web threats now demand a more vigilant, forward-looking security posture, and a proactive approach system is the right kind to deliver it. Download the full Proactive Approach Report here for the most up-to-date response to next-gen threats to your business.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News

Vulnerability in crypto wallets created online in the early 2010s | Kaspersky official blog

Researchers have discovered several vulnerabilities in the BitcoinJS library that could leave Bitcoin wallets created online a decade ago prone to hacking. The basic issue is that the private keys for these crypto wallets were generated with far greater predictability than the library developers expected.

Randstorm vulnerabilities and consequences

Let’s start at the beginning. Researchers at Unciphered, a company specializing in crypto wallet access recovery, discovered and described a number of vulnerabilities in the BitcoinJS JavaScript library used by many online cryptocurrency platforms. Among these services are some very popular ones — in particular,, now known as The researchers dubbed this set of vulnerabilities Randstorm.

Although the vulnerabilities in the BitcoinJS library itself were fixed back in 2014, the problem extends to the results of using this library: crypto wallets created with BitcoinJS in the early 2010s may be insecure — in the sense that it’s far easier to find their private keys than the underlying Bitcoin cryptography assumes.

The researchers estimate that several million wallets, totaling around 1.4 million BTC, are potentially at risk due to Randstorm. Among the potentially vulnerable wallets, according to the researchers, 3–5% of them are actually vulnerable to real attacks. Based on the approximate Bitcoin exchange rate of around $36,500 at the time of posting, this implies total loot of $1.5-2.5 billion for attackers who can successfully exploit Randstorm.

The researchers claim that the Randstorm vulnerabilities can indeed be used for real-world attacks on crypto wallets. What’s more, they successfully exploited these vulnerabilities to restore access to several crypto wallets created on before March 2012. For ethical reasons, they didn’t publish a proof-of-concept of the attack, as this would have directly exposed tens of thousands of crypto wallets to the risk of theft.

The researchers have already contacted the online cryptocurrency services known to have used vulnerable versions of the BitcoinJS library. In turn, these services notified customers who could potentially be affected by Randstorm.

The nature of Randstorm vulnerabilities

Let’s look in more detail at how these vulnerabilities actually work. At the heart of Bitcoin wallet security lies the private key. Like any modern cryptographic system, Bitcoin relies on this key being secret and uncrackable. Again, as in any modern cryptographic system, this involves the use of very long random numbers.

And for the security of any data protected by the private key, it must be as random as can possibly be. If the number used as a key is highly predictable, it makes it easier and quicker for an attacker armed with information about the key-generation procedure to brute-force it.

Bear in mind that generating a truly random number is no stroll in the park. And computers by their very nature are extremely unsuited to the task since they’re too predictable. Therefore, what we usually have are pseudo-random numbers, and to increase the entropy of the generation (cryptographer-speak for the measure of unpredictability) we rely on special functions.

Now back to the BitcoinJS library. To obtain “high-quality” pseudo-random numbers, this library uses another JavaScript library called JSBN (JavaScript Big Number), specifically its SecureRandom function. As its name suggests, this function was designed to generate pseudo-random numbers that qualify for use in cryptography. To increase their entropy, SecureRandom relies on the browser function window.crypto.random.

Therein lies the problem: although the window.crypto.random function existed in the Netscape Navigator 4.x browser family, these browsers were already obsolete by the time web services began actively using the BitcoinJS library. And in the popular browsers of those days — Internet Explorer, Google Chrome, Mozilla Firefox, and Apple Safari — the window.crypto.random function was simply not implemented.

Unfortunately, the developers of the JSBN library failed to make provision for any kind of check or corresponding error message. As a result, the SecureRandom function passed over the entropy increment step in silence, effectively handing the task of creating private keys to the standard pseudo-random number generator, Math.random.

This is bad in and of itself because Math.random is not cut out for cryptographic purposes. But the situation is made even worse by the fact that the Math.random implementation in the popular browsers of 2011–2015 —  in particular Google Chrome — contained bugs that resulted in even less random numbers than should have been the case.

In turn, the BitcoinJS library inherited all the above-mentioned issues from JSBN. As a result, platforms that used it to generate private keys for crypto wallets got numbers from the SecureRandom function that were far less random than the library developers expected. And since these keys were generated with great predictability, they’re much easier to brute-force — allowing vulnerable crypto wallets to be hijacked.

As mentioned above, this isn’t a theoretical danger, but rather a practical one — the Unciphered team was able to exploit these vulnerabilities to restore access to (in other words, ethically hack) several old crypto wallets created on

Randstorm: who’s at risk?

BitcoinJS utilized the vulnerable JSBN library right from its introduction in 2011 through 2014. Note, however, that some cryptocurrency projects may have been using an older-than-latest version of the library for some time. As for the bugs afflicting Math.random in popular browsers, by 2016 they’d been fixed by changing the algorithms for generating pseudo-random numbers. Together, this gives an approximate time frame of 2011–2015 for when the potentially vulnerable crypto wallets were created.

The researchers emphasize that BitcoinJS was very popular back in the early 2010s, so it’s difficult to compile a full list of services that could have used a vulnerable version of it. Their report gives a list of platforms they were able to identify as at risk:

  • BitAddress — still operational.
  • BitCore (BitPay) — still operational.
  • Bitgo — still operational.
  • info — still operational as
  • Blocktrail — redirects to or .
  • BrainWallet — dead.
  • CoinKite — now sells hardware wallets.
  • CoinPunk — dead.
  • Dark Wallet — redirects to .
  • DecentralBank — dead.
  • info ( — still operational.
  • EI8HT — dead.
  • GreenAddress — redirects to .
  • QuickCon — dead.
  • Robocoin — dead.
  • Skyhook ATM — redirects to .

Besides Bitcoin wallets, Litecoin, Zcash, and Dogecoin wallets may also be at risk, since there are BitcoinJS-based libraries for these cryptocurrencies, too. It seems natural to assume that these libraries could be used to generate private keys for the respective crypto wallets.

The Unciphered report describes a host of other intricacies associated with Randstorm. But what it all basically boils down to is that wallets created between 2011 and 2015 using the vulnerable library may be vulnerable to varying degrees — depending on the particular circumstances.

How to protect against Randstorm

As the researchers themselves rightly state, this isn’t a case where fixing the vulnerability in the software would suffice: “patching” wallet owners’ private keys and replacing them with secure ones just isn’t doable. So, despite the fact that the bugs have long been fixed, they continue to affect the crypto wallets that were created when the above-discussed errors plagued the BitcoinJS library. This means that vulnerable wallet owners themselves need to take protective measures.

Because the task of drawing up a complete list of cryptocurrency platforms that used the vulnerable library is difficult, it’s better to play it safe and consider any crypto wallet created online between 2011 and 2015 to be potentially insecure (unless you know for sure that it’s not). And naturally, the fatter the wallet — the more tempting it is to criminals.

The obvious (and only) solution to the problem is to create new crypto wallets and move all funds from potentially vulnerable wallets to them.

And since you have to do this anyway, it makes sense to proceed with the utmost caution this time. Crypto protection is a multi-step process, for which reason we’ve put together a comprehensive checklist for you with loads of additional information accessible through links:

  1. Explore the main crypto threats and protection methods in detail.
  2. Understand the differences between hot and cold crypto wallets, and the most common ways they are attacked.
  3. Use a hardware (cold) wallet for long-term storage of core crypto assets, and a hot wallet with minimal funds for day-to-day transactions.
  4. Before transferring all funds from the old wallet to the new one, equip all your devices with reliable protection. It will guard your smartphone or computer against Trojans looking to steal passwords and private keys or clippers that substitute crypto wallet addresses in the clipboard, as well as protect your computer from malicious crypto miners and unauthorized remote access.
  5. Never store a photo or screenshot of your seed phrase on your smartphone, never post your seed phrase in public clouds, never send it through messengers or email, and don’t enter it anywhere except when recovering a lost private key.
  6. Securely store your private key and the seed phrase for its recovery. This can be done using the Identity Protection Wallet in Kaspersky Premium, which encrypts all stored data using AES-256. The password for it is stored nowhere except in your head (unless, of course, it’s on a sticky note attached to your monitor) and is unrecoverable — so the only one with access to your personal documents is you.
  7. Another option is to use a cold crypto wallet that doesn’t require a seed phrase to back up the private key. This is how, for example, the Tangem hardware wallet works.

from Kaspersky official blog

Okta Discloses Broader Impact Linked to October 2023 Support System Breach

Nov 29, 2023 | Newsroom | Cyber Attack / Data Breach

Identity services provider Okta has disclosed that it detected "additional threat actor activity" in connection with the October 2023 breach of its support case management system.

"The threat actor downloaded the names and email addresses of all Okta customer support system users," the company said in a statement shared with The Hacker News.

"All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was not impacted by this incident."

News of the expanded scope of the breach was first reported by Bloomberg.

The company also told the publication that while it does not have any evidence of the stolen information being actively misused, it has taken the step of notifying all customers of potential phishing and social engineering risks.

It also stated that it "pushed new security features to our platforms and provided customers with specific recommendations to defend against potential targeted attacks against their Okta administrators."

Okta, which has enlisted the help of a digital forensics firm to support its investigation, further said it "will also notify individuals that have had their information downloaded."

The development comes more than three weeks after the identity and authentication management provider said the breach, which took place between September 28 and October 17, 2023, affected 1% – i.e., 134 – of its 18,400 customers.

The identity of the threat actors behind the attack against Okta's systems is currently not known, although a notorious cybercrime group called Scattered Spider has targeted the company as recently as August 2023 to obtain elevated administrator permissions by pulling off sophisticated social engineering attacks.

According to a report published by ReliaQuest last week, Scattered Spider infiltrated an unnamed company and gained access to an IT administrator's account via Okta single sign-on (SSO), followed by laterally moving from the identity-as-a-service (IDaaS) provider to their on-premises assets in less than one hour.

The formidable and nimble adversary, in recent months, has also evolved into an affiliate for the BlackCat ransomware operation, infiltrating cloud and on-premises environments to deploy file-encrypting malware for generating illicit profits.

"The group's ongoing activity is a testament to the capabilities of a highly skilled threat actor or group having an intricate understanding of cloud and on-premises environments, enabling them to navigate with sophistication," ReliaQuest researcher James Xiang said.


from The Hacker News

Culture, Teams and Adoption of FinOps

Gary Harmson (Principal Customer Engineer @Google) and Ieva Jonaityte (Technical Account Mgr @DoIT) talk about the team dynamics, culture and training that drive FinOps success. 

SHOW: 775


Topic 1 - Welcome to the show and back to the show. Gary, tell us about your background and what areas you focus on at Google Cloud these days. 

Topic 2 - Let’s begin by talking about language, specifically the gaps in language (and understanding) between engineering teams and finance teams. What works today and where are the biggest gaps and challenges?

Topic 3 - One of the challenges of Cloud billing, and hence FinOps, is the 100s or 1000s of line-items. What are they for? How are they changing? What are some of the things/tools out there to make sense of all of this spend? (e.g. visualization, tagging, etc.)

Topic 4 - We’re all familiar with budgeting (pre-activity) and complaints about project/cost overruns (post-activity), but what are some of the things happening mid-project, or on-going to avoid the surprises or overruns?

Topic 5 - How much of these on-going changes/tracking is done by the engineering teams and how much is being done by finance teams? 

Topic 6 - Can you share with us examples of how companies have evolved with good FinOps principles and hygiene in place? 


from The Cloudcast (.NET)

DJVU Ransomware's Latest Variant 'Xaro' Disguised as Cracked Software

Nov 29, 2023 | Newsroom | Ransomware / Cyber Threat

A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software.

"While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," Cybereason security researcher Ralph Villanueva said.

The new variant has been codenamed Xaro by the American cybersecurity firm.

DJVU, in itself a variant of the STOP ransomware, typically arrives on the scene masquerading as legitimate services or applications. It's also delivered as a payload of SmokeLoader.

A significant aspect of DJVU attacks is the deployment of additional malware, such as information stealers (e.g., RedLine Stealer and Vidar), making them more damaging in nature.

In the latest attack chain documented by Cybereason, Xaro is propagated as an archive file from a dubious source that masquerades as a site offering legitimate freeware.

Opening the archive file leads to the execution of a supposed installer binary for a PDF writing software called CutePDF that, in reality, is a pay-per-install malware downloader service known as PrivateLoader.

PrivateLoader, for its part, establishes contact with a command-and-control (C2) server to fetch a wide range of stealer and loader malware families like RedLine Stealer, Vidar, Lumma Stealer, Amadey, SmokeLoader, Nymaim, GCleaner, XMRig, and Fabookie, in addition to dropping Xaro.

"This shotgun-approach to the download and execution of commodity malware is commonly observed in PrivateLoader infections originating from suspicious freeware or cracked software sites," Villanueva explained.

The goal appears to be to gather and exfiltrate sensitive information for double extortion as well as ensure the success of the attack even if one of the payloads gets blocked by security software.

Xaro, besides spawning an instance of the Vidar infostealer, is capable of encrypting files in the infected host, before dropping a ransom note, urging the victim to get in touch with the threat actor to pay $980 for the private key and the decryptor tool, a price that drops by 50% to $490 if approached within 72 hours.

If anything, the activity illustrates the risks involved with downloading freeware from untrusted sources. Last month, Sucuri detailed another campaign called FakeUpdateRU wherein visitors to compromised websites are served bogus browser update notices to deliver RedLine Stealer.

"Threat actors are known to favor freeware masquerading as a way to covertly deploy malicious code," Villanueva said. "The speed and breadth of impact on infected machines should be carefully understood by enterprise networks looking to defend themselves and their data."


from The Hacker News

GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

Nov 29, 2023 | Newsroom | Malware / Threat Intelligence

The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat that's capable of remotely commandeering the infected hosts.

The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that has been weaponized by various hacking crews, including the Lazarus Group, in recent weeks.

Following a successful breach, the threat actors have been observed to drop next-stage payloads from a remote server, one of which is GoTitan, a botnet designed for orchestrating distributed denial-of-service (DDoS) attacks via protocols such as HTTP, UDP, TCP, and TLS.

"The attacker only provides binaries for x64 architectures, and the malware performs some checks before running," Fortinet Fortiguard Labs researcher Cara Lin said in a Tuesday analysis.

"It also creates a file named 'c.log' that records the execution time and program status. This file seems to be a debug log for the developer, which suggests that GoTitan is still in an early stage of development."

Fortinet said it also observed instances where the susceptible Apache ActiveMQ servers are being targeted to deploy another DDoS botnet called Ddostf, Kinsing malware for cryptojacking, and a command-and-control (C2) framework named Sliver.

Another notable malware delivered is a remote access trojan dubbed PrCtrl Rat that establishes contact with a C2 server to receive additional commands for execution on the system, harvest files, and download and upload files from and to the server.

"As of this writing, we have yet to receive any messages from the server, and the motive behind disseminating this tool remains unclear," Lin said. "However, once it infiltrates a user's environment, the remote server gains control over the system."

from The Hacker News

Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability

Nov 29, 2023 | Newsroom | Zero-Day / Web Browser

Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild.

Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library.

Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw on November 24, 2023.

As is typically the case, the search giant acknowledged that "an exploit for CVE-2023-6345 exists in the wild," but stopped short of sharing additional information surrounding the nature of attacks and the threat actors that may be weaponizing it in real-world attacks.

It's worth noting that Google released patches for a similar integer overflow flaw in the same component (CVE-2023-2136) in April 2023 that had also come under active exploitation as a zero-day, raising the possibility that CVE-2023-6345 could be a patch bypass for the former.

CVE-2023-2136 is said to have "allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page."

With the latest update, the tech giant has addressed a total of six zero-days in Chrome since the start of the year.

Users are recommended to upgrade to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

from The Hacker News

Tuesday, November 28, 2023

Forrester names Microsoft Intune a Leader in the 2023 Forrester Wave™ for Unified Endpoint Management

Maintaining a secure and optimized digital environment allows new ideas to flourish wherever they occur. In the modern workplace, where devices and locations are no longer fixed, Microsoft Intune eases the task of managing and protecting the endpoints of businesses everywhere. It helps secure systems and simplify management, reduces costs, and frees up resources for creativity and innovation, which propel real business growth. The Forrester Wave Unified Endpoint Management, Q4 2023 report recognizes Intune as a Leader.

Figure: Forrester Wave graphic showing Microsoft identified as a Leader in Unified Endpoint Management, scoring higher than competitors in strategy and market presence.

Propelling business growth

The Forrester report recognizes the advances made to the Microsoft Intune platform in the last year:

This new platform approach aims to help customers simplify management, reduce costs, and transform experiences with AI and automation, all factors that enable Microsoft to vastly outperform others across key metrics like devices under management and revenue growth.

Moving to cloud management with Intune aids customers in applying Zero Trust security principles, improves user experience, and streamlines operations with AI and automation. Exemplary endpoint management doesn’t often get the credit for propelling business growth like research and development initiatives. But companies that reduce the administrative overhead on their talent have more hours and focused attention available to tackle more challenges and innovate. And “talent” isn’t just made up of users; IT and security teams can tackle more valuable projects after simplifying and automating management tasks for themselves. As just one example, new cloud-based controls to manage the local admin passwords for Windows devices make this critical security operation simpler and reduces the need for on-premises resources.

The report also made note of the Microsoft Intune Suite, saying “it includes new support for mobile application management (MAM)-only, ruggedized, remote control, privilege management, and DEX (digital experience) use cases.”

The Intune Suite extends the capabilities of Intune and powers better digital experiences. Solutions like Endpoint Privilege Management ease the burdens on help desks and keep users productive, and Remote Help makes real-time troubleshooting faster, easier, and more secure for users and administrators alike. The time saved and frustration spared keep everyone focused on progress rather than process.

Defining the endpoint management experience 

In The Unified Endpoint Management Landscape, Q3 2023 report, Forrester offers this market definition of unified endpoint management: “[Unified endpoint management] solutions help EUC (end user computing) professionals balance three priorities at once: exceptional DEX, cost-efficient management, and foundational threat prevention.” 

Exceptional digital experience

How is the Intune digital experience exceptional? Devices are verified as healthy and made more secure without impeding the flow of work—or even rising to the notice of the user. Zero-touch provisioning with Autopilot creates a seamless out-of-box experience. Single sign-on, recently added to Intune’s now-comprehensive macOS management capabilities, reduces password fatigue and helps users get to work with fewer interruptions. Mobile application management allows users to use their own mobile and Windows devices to access secure resources without enrollment, allowing them greater freedom to work (and be inspired) where they see fit. That Intune works so well with Microsoft Entra ID, Microsoft Defender, Windows, and Windows 365 further enhances the experience of work with fewer hassles and greater peace of mind.

Cost-efficient management

As a truly unified platform, Intune allows admins to manage Windows, Linux, macOS, Android, iOS, and specialty devices. This reduces the burden of consolidating data from multiple sources and of switching between tools for privilege management, update management, and user experience. Intune instead offers broad management and protection capabilities and true visibility into endpoint performance in one place. With the Intune Suite, the productivity of admins and users can be accelerated even more.

Many enterprises are able to realize the value of Intune at no additional cost as part of their Microsoft 365 licenses. Additional savings can be realized by consolidating specialized management tools with redundant features, by retiring on-premises infrastructure, and by moving to true cloud-native management. Automation of tasks with flows, PowerShell runbooks, and scripts extends efficiency into the day-to-day operations of administrators, and the ability to grant Conditional Access to bring-your-own devices eases the need for dedicated, company-owned devices for employees. The reduction in support tickets and security incidents afforded by the baselines and tools that keep devices compliant and hardened against threat reduce costs of remediation.

Foundational threat prevention

Microsoft Intune offers fundamental capabilities for creating and enforcing Zero Trust security at enterprise scale, and was given the top score in the Security category of the report. Device health compliance capabilities help keep potentially compromised devices from accessing sensitive resources. Privilege management and Conditional Access policy enforcement permit users to remain productive without increasing risk. The ability to define and enforce data protection policies at the device level keeps information flowing to the right places and helps prevent it from leaking to the wrong ones. Using Intune in concert with Microsoft Defender for Endpoint extends the security capabilities even further.

Strategic strength

The Forrester Wave™: Unified Endpoint Management, Q4 2023 report evaluates product strategy in addition to current features when identifying leaders, and Microsoft received the highest possible score in this area. According to the Forrester report, The Unified Endpoint Management Landscape, Q3 2023, “AI will fundamentally change the job of endpoint administrators, allowing them to query endpoints faster and more granularly, help inform policy decisions, and even replace scripting.”

Microsoft has begun to realize that future today with insights driven by machine learning already informing the Intune service. SOC and IT admins using Intune and the Intune Suite will see data from those services used by Microsoft Security Copilot, and expanded capabilities will emerge as the technology evolves.  

Innovation and improvements to Intune are driven by our engineers, partners, and customers. We’re grateful to all our stakeholders for the hard work, extensive feedback, and broad adoption of Intune (Forrester indicates Microsoft has the largest Market presence, too) that has enabled the solution to become a leader in unified endpoint management.

While we hope that this recognition gives confidence to all those who are interested in Intune, we know that diving deep into how a solution really works is key to making any investment. Check out Intune and Windows Tech Takeoff sessions to get technical breakdowns of existing workloads and explore what’s new.  You can also subscribe to our ongoing news by returning to the Microsoft Intune blog home then join the conversation on Twitter at @MSIntune and LinkedIn.

Learn more about Microsoft Intune.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (formerly known as “Twitter”) (@MSFTSecurity) for the latest news and updates on cybersecurity.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. 

Forrester Wave™: Unified Endpoint Management, Q4 2023, Andrew Hewitt, Glen O’Donnell, Angela Lozada, Rachel Birrell. November 19, 2023. 

The post Forrester names Microsoft Intune a Leader in the 2023 Forrester Wave™ for Unified Endpoint Management appeared first on Microsoft Security Blog.

from Microsoft Security Blog

Transform Your Data Security Posture – Learn from SoFi's DSPM Success

Nov 28, 2023 | The Hacker News | Data Security / Posture Management

As cloud technology evolves, so does the challenge of securing sensitive data. In a world where data duplication and sprawl are common, organizations face increased risks of non-compliance and unauthorized data breaches.

Sentra's DSPM (Data Security Posture Management) emerges as a comprehensive solution, offering continuous discovery and accurate classification of sensitive data in the cloud.

This informative webinar, "Securing Sensitive Data Starts with Discovery and Classification: SoFi's DSPM Story" unveils the success story of SoFi, a pioneering cloud-native financial services provider, and its journey with Sentra's DSPM. It explores the challenges and triumphs in securing cloud data and a roadmap to implementing effective DSPM strategies in your organization.

Expert Panel:

  • Aviv Zisso: As Director of Customer Success at Sentra, Aviv brings deep insights into data security needs and solutions.
  • Pritam H Mungse: SoFi's Director of Product Security, Pritam, has a wealth of experience navigating complex security landscapes.
  • Zachary Schulze: Zachary, a Senior Staff Application Security Engineer at SoFi, offers a practical perspective on applying DSPM in real-world scenarios.

These industry experts will share their firsthand experiences, challenges, and successes in implementing DSPM at SoFi.

Key Takeaways:

  • Discover and classify your sensitive cloud data to enrich data catalogs and build internal dashboards.
  • Determine your data security posture and risk level by considering various factors, such as environments, internal policies, and data sensitivity.
  • Monitor for suspicious activity and threats.

This webinar is tailored for IT professionals, including CISOs, security analysts, IT managers, and anyone involved in data security and cloud management. Whether you're looking to refine your organization's data security strategy or seeking insights into the latest trends and practices, this session is for you.

Expect a dynamic session with real-life case studies, interactive Q&A, and practical takeaways that you can implement in your organization.

Secure your place in this must-attend webinar. Join us on December 13 to gain pivotal insights into securing cloud data. This is an unmissable opportunity for professionals seeking to elevate their data security methodologies with Sentra's DSPM.

from The Hacker News

Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access

Nov 28, 2023 | Newsroom | Data Security / Data Breach

Cybersecurity researchers have detailed a "severe design flaw" in Google Workspace's domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges.

"Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," cybersecurity firm Hunters said in a technical report shared with The Hacker News.

The design weakness – which remains active to this date – has been codenamed DeleFriend for its ability to manipulate existing delegations in the Google Cloud Platform (GCP) and Google Workspace without possessing super admin privileges.

Domain-wide delegation, per Google, is a "powerful feature" that allows third-party and internal apps to access users' data across an organization's Google Workspace environment.

The vulnerability is rooted in the fact that a domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.

As a result, potential threat actors with less privileged access to a target GCP project could "create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled."

To put it differently, an IAM identity that has access to create new private keys to a relevant GCP service account resource that has existing domain-wide delegation permission can be leveraged to create a fresh private key, which can be used to perform API calls to Google Workspace on behalf of other identities in the domain.

Successful exploitation of the flaw could allow exfiltration of sensitive data from Google services like Gmail, Drive, Calendar, and others. Hunters has also made available a proof-of-concept (PoC) that can be utilized to detect DWD misconfigurations.

"The potential consequences of malicious actors misusing domain-wide delegation are severe," Hunters security researcher Yonatan Khanashvili said. "Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain."
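The root cause described above is that delegation is bound to the service account's OAuth client ID, so every key later minted for that account inherits the delegation. A defender can therefore watch key creation on exactly those accounts. The following is an added Python example, not Hunters' PoC and not Google's code: it assumes Cloud Audit Log entries in the JSON shape emitted for the IAM admin API (the method name `google.iam.admin.v1.CreateServiceAccountKey` is an assumption to verify against your own logs) and an inventory of the OAuth client IDs authorized for domain-wide delegation, as exported from the Workspace admin console. All principals, project names, IDs and log lines below are constructed sample values.

```python
"""Flag service-account key creation that silently extends domain-wide delegation.

Added example; not the vendor's or Google's code. Audit-log shape and method
name are assumptions, sample data is constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Cloud Audit Log method name for minting a service-account key through the IAM
# admin API (assumption: verify the exact string in your own logs).
KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"

# Constructed inventory: OAuth client ID (the service account's unique ID, which is
# what the Workspace admin console lists under domain-wide delegation) -> SA email.
DWD_CLIENT_IDS: Dict[str, str] = {
    "100000000000000000001": "mail-sync@example-prod.iam.gserviceaccount.com",
}

# Constructed allowlist of principals expected to mint keys for delegated accounts.
ALLOWED_KEY_MINTERS: Set[str] = {
    "iam-automation@example-prod.iam.gserviceaccount.com",
}

# Constructed audit log, one JSON entry per line: a key minted for the delegated
# account by an unexpected principal, a key minted for a non-delegated account,
# and an unrelated read call.
SAMPLE_AUDIT_LOG = """
{"timestamp": "2023-11-27T09:14:03Z", "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "resourceName": "projects/-/serviceAccounts/100000000000000000001", "authenticationInfo": {"principalEmail": "dev-contractor@example.com"}, "response": {"name": "projects/example-prod/serviceAccounts/mail-sync@example-prod.iam.gserviceaccount.com/keys/0f1e2d3c"}}}
{"timestamp": "2023-11-27T09:20:41Z", "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "resourceName": "projects/-/serviceAccounts/ci-builder@example-prod.iam.gserviceaccount.com", "authenticationInfo": {"principalEmail": "iam-automation@example-prod.iam.gserviceaccount.com"}, "response": {"name": "projects/example-prod/serviceAccounts/ci-builder@example-prod.iam.gserviceaccount.com/keys/9a8b7c6d"}}}
{"timestamp": "2023-11-27T09:22:10Z", "protoPayload": {"methodName": "google.iam.admin.v1.GetServiceAccount", "resourceName": "projects/-/serviceAccounts/100000000000000000001", "authenticationInfo": {"principalEmail": "dev-contractor@example.com"}}}
"""


@dataclass
class Finding:
    timestamp: str
    principal: str
    service_account: str
    client_id: str
    key_name: str
    severity: str


def resolve_client_id(resource_name: str, dwd_client_ids: Dict[str, str]) -> Optional[str]:
    """Map 'projects/-/serviceAccounts/<unique-id-or-email>' to a delegated client ID.

    Logs may name the account by unique ID or by email; both forms are accepted.
    Returns None when the account has no domain-wide delegation.
    """
    tail = resource_name.rsplit("/", 1)[-1]
    if tail in dwd_client_ids:
        return tail
    email_to_id = {email: cid for cid, email in dwd_client_ids.items()}
    return email_to_id.get(tail)


def find_dwd_key_creations(log_lines: Iterable[str], dwd_client_ids: Dict[str, str],
                           allowed_minters: Set[str]) -> List[Finding]:
    """Return one Finding per new key minted for a delegation-enabled account."""
    findings: List[Finding] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != KEY_CREATE_METHOD:
            continue
        client_id = resolve_client_id(payload.get("resourceName", ""), dwd_client_ids)
        if client_id is None:
            continue  # key for an account without delegation: out of scope here
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        # Any new key extends the delegation; an unexpected minter is the worst case.
        severity = "medium" if principal in allowed_minters else "high"
        findings.append(Finding(
            timestamp=entry.get("timestamp", ""),
            principal=principal,
            service_account=dwd_client_ids[client_id],
            client_id=client_id,
            key_name=payload.get("response", {}).get("name", ""),
            severity=severity,
        ))
    return findings


def scan_sample() -> List[Finding]:
    return find_dwd_key_creations(SAMPLE_AUDIT_LOG.splitlines(), DWD_CLIENT_IDS, ALLOWED_KEY_MINTERS)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f.severity}] {f.timestamp} {f.principal} minted {f.key_name} "
              f"for delegated account {f.service_account} (client ID {f.client_id})")
```

Run against the constructed log, the scan reports one high-severity finding: the contractor's key for `mail-sync`. The key for `ci-builder` is ignored because that account is not in the delegation inventory, which is the point of keying the check on the client ID rather than on key material.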

from The Hacker News

Key Cybercriminals Behind Notorious Ransomware Families Arrested in Ukraine

Nov 28, 2023 | Newsroom | Ransomware / Cybercrime

A coordinated law enforcement operation has led to the arrest of key individuals in Ukraine who are alleged to be a part of several ransomware schemes.

"On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne, and Vinnytsia, resulting in the arrest of the 32-year-old ringleader," Europol said in a statement today. "Four of the ringleader's most active accomplices were also detained."

The development comes more than two years after 12 people were apprehended in connection with the same operation. The individuals are primarily linked to LockerGoga, MegaCortex, and Dharma ransomware families.

The suspects are estimated to have targeted over 1,800 victims across 71 countries since 2019. They have also been accused of deploying the now-defunct Hive ransomware against high-profile organizations.

Some of the co-conspirators are believed to be involved in penetrating IT networks by orchestrating brute-force attacks, SQL injections, and sending phishing emails bearing malicious attachments in order to steal usernames and passwords.

Following a successful compromise, the attackers stealthily moved within the networks, while dropping additional malware and post-exploitation tools such as TrickBot, Cobalt Strike, and PowerShell Empire to ultimately drop the file-encrypting malware.

The other members of the cybercrime network are suspected to be in charge of laundering cryptocurrency payments made by victims to decrypt their files.

"The investigation determined that the perpetrators encrypted over 250 servers belonging to large corporations, resulting in losses exceeding several hundreds of millions of euros," Europol said.

The collaborative effort involved authorities from France, Germany, the Netherlands, Norway, Switzerland, Ukraine, and the U.S.

The disclosure comes less than two weeks after Europol and Eurojust announced the takedown of a prolific voice phishing gang by Czech and Ukrainian police that's believed to have netted millions in illegal profits by tricking victims into transferring funds from their 'compromised' bank accounts to 'safe' bank accounts under their control.

It also arrives a month after Europol revealed that law enforcement and judicial authorities from eleven countries dismantled the infrastructure associated with Ragnar Locker ransomware and arrested a "key target" in France.

from The Hacker News

Stop Identity Attacks: Discover the Key to Early Threat Detection

Nov 28, 2023 | The Hacker News | Threat Detection / Insider Threat

Identity and Access Management (IAM) systems are a staple to ensure only authorized individuals or entities have access to specific resources in order to protect sensitive information and secure business assets.

But did you know that over 80% of attacks today involve identity: compromised credentials or bypassing the authentication mechanism? Recent breaches at MGM and Caesars have underscored that, despite best efforts, it is not "if" but "when" a successful attack will have bypassed authentication and authorization controls. Account takeover, when an unauthorized individual gains access to a legitimate user account, is now the number one attack vector of choice for malicious actors.

With so much focus on controls for prevention, the necessary detection and rapid response to identity-based attacks is often overlooked. And since these attacks use stolen or compromised credentials, it can be difficult to distinguish from legitimate users without a layer of detection.

Dive deep into the world of advanced security tactics to enable fast detection and response to identity-based attacks in this insightful webinar. Register now to secure your spot.

In this session, you will:

  • Understand how the misuse of trusted identities amplifies risks
  • Learn how application detection and response fit into a comprehensive threat defense
  • Discover how tracking user journeys can drastically shorten the Mean Time to Detect (MTTD)
  • Delve into the power of automating behavior modeling and its transformative impact on security operations
  • Gain insights from contemporary cases where organizations have successfully implemented these cutting-edge strategies

Since modern identity threats can subvert traditional identity preventive controls, such as multi-factor authentication (MFA), monitoring the behavior of identities in a consistent and context-aware manner enables early detection when credentials have been compromised.

Adam Koblentz, Field CTO of RevealSecurity, has consulted with hundreds of organizations on identity threats and countermeasures, and will walk you through practical approaches and new strategies to close the gap on threat detection. This webinar will provide you with the best practices to automate the analysis of user and entity behavior within applications, detect anomalies that are indicators of a privileged user account takeover, and apply rapid response to stop breaches before they lead to data theft, data loss, or other negative consequences.

Don't wait to augment your identity defense strategy. Learn how the implementation of application detection and response will result in high-quality alerts, reduced Mean Time to Detect (MTTD), and reduced risk of identity-based attacks.

Interested in learning more? Follow us on LinkedIn today.

from The Hacker News

Hackers Can Exploit 'Forced Authentication' to Steal Windows NTLM Tokens

Nov 28, 2023 | Newsroom | Cyber Attack / Vulnerability

Cybersecurity researchers have discovered a case of "forced authentication" that could be exploited to leak a Windows user's NT LAN Manager (NTLM) tokens by tricking a victim into opening a specially crafted Microsoft Access file.

The attack takes advantage of a legitimate feature in the database management system solution that allows users to link to external data sources, such as a remote SQL Server table.

"This feature can be abused by attackers to automatically leak the Windows user's NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80," Check Point security researcher Haifei Li said. "The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf ) can work as well."

NTLM, an authentication protocol introduced by Microsoft in 1993, is a challenge-response protocol that's used to authenticate users during sign-in. Over the years, it has been found to be vulnerable to brute-force, pass-the-hash, and relay attacks.

The latest attack, in a nutshell, abuses the linked table feature in Access to leak the NTLM hashes to an actor-controlled server by embedding an .accdb file with a remote SQL Server database link inside of an MS Word document using a mechanism called Object Linking and Embedding (OLE).

"An attacker can set up a server that they control, listening on port 80, and put its IP address in the above 'server alias' field," Li explained. "Then they can send the database file, including the linked table, to the victim."

Should the victim open the file and click the linked table, the victim client contacts the attacker-controlled server for authentication, enabling the latter to pull off a relay attack by launching an authentication process with a targeted NTLM server in the same organization.

The rogue server then receives the challenge from the targeted NTLM server, passes it on to the victim client as part of the attacker-controlled authentication exchange, obtains a valid response, and forwards that response to the NTLM server that issued the challenge.

While Microsoft has since released mitigations for the problem in the Office/Access version (Current Channel, version 2306, build 16529.20182) following responsible disclosure in January 2023, 0patch has released unofficial fixes for Office 2010, Office 2013, Office 2016, Office 2019, and Office 365.

The development also comes as Microsoft announced plans to discontinue NTLM in Windows 11 in favor of Kerberos for improved security.
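Seen from the network, the leak described above is an NTLM authentication leaving the workstation for an attacker-controlled host on an arbitrary port (the article's port-80 case). The following added Python example, which is not Check Point's code and not part of the article, shows the corresponding defender's check: it reads NTLM connection records from a constructed Zeek-style tab-separated `ntlm.log` whose column names come from a `#fields` header (the column set is an assumption; the parser takes whatever the header declares), and flags authentications to hosts outside the organization's address space or on ports where NTLM is not routine. Address ranges, hostnames and users are constructed.

```python
"""Flag NTLM authentications leaving the internal network or using unusual ports.

Added example; not Check Point's code. Log format and internal ranges are
assumptions, sample records are constructed.
"""
import ipaddress
from typing import Dict, List

# Assumption: the organization's internal address space is RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports on which NTLM to an internal host is routine (SMB). Anything else is
# worth a look; an external destination is the forced-authentication signature.
EXPECTED_NTLM_PORTS = {445, 139}

# Constructed Zeek-style ntlm.log: a normal SMB logon, an NTLM exchange with an
# external host on port 80, and an internal NTLM exchange on an unusual port.
SAMPLE_NTLM_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tusername\thostname\tdomainname\tsuccess\n"
    "1701180000.1\tCa1\t10.1.2.3\t51000\t10.1.0.5\t445\tjdoe\tWS-01\tCORP\tT\n"
    "1701180030.4\tCb2\t10.1.2.3\t51017\t203.0.113.7\t80\tjdoe\tWS-01\tCORP\t-\n"
    "1701180045.9\tCc3\t10.1.2.9\t51222\t10.1.0.9\t8080\tsvc-backup\tSRV-02\tCORP\tT\n"
)


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated Zeek log into dicts keyed by the #fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, ...) and blanks
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_ntlm(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per NTLM record that leaves the network or uses an odd port."""
    findings: List[Dict[str, object]] = []
    for row in rows:
        dst = row["id.resp_h"]
        port = int(row["id.resp_p"])
        reasons: List[str] = []
        if not is_internal(dst):
            reasons.append("NTLM to external host")
        if port not in EXPECTED_NTLM_PORTS:
            reasons.append(f"NTLM on non-SMB port {port}")
        if not reasons:
            continue
        findings.append({
            "uid": row["uid"],
            "src": row["id.orig_h"],
            "dst": dst,
            "port": port,
            "user": f'{row.get("domainname", "")}\\{row.get("username", "")}',
            # Credentials offered to an outside host are the high-severity case.
            "severity": "high" if not is_internal(dst) else "low",
            "reasons": reasons,
        })
    return findings


def scan_sample() -> List[Dict[str, object]]:
    return find_suspicious_ntlm(parse_zeek_log(SAMPLE_NTLM_LOG))


if __name__ == "__main__":
    for f in scan_sample():
        print(f'[{f["severity"]}] {f["uid"]} {f["user"]} {f["src"]} -> {f["dst"]}:{f["port"]}: '
              + "; ".join(f["reasons"]))
```

On the constructed log the external port-80 exchange (`Cb2`) is reported as high severity with both reasons, the internal port-8080 exchange (`Cc3`) as low severity, and the ordinary SMB logon is not reported. Egress filtering of SMB alone would not catch the first case, which is why the check keys on the destination address rather than on the port.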

from The Hacker News

VSAN vs SAN. What is the Difference?

In our fast-changing digital world, storage solutions are vital to keep businesses running smoothly and their essential apps and services working without any hiccups. Two prominent players in the realm of storage are a traditional Storage Area Network (SAN) and its virtual counterpart – virtual SAN. These solutions serve as the backbone for storing, managing, and accessing data, yet they differ in their approaches and capabilities. This article delves into the nuances of virtual SAN and traditional SAN systems, their key features, and a comparative analysis to help you make an informed decision about your storage infrastructure.


What is Virtual SAN (VSAN)?

Virtual Storage Area Network (VSAN) is a software-defined storage solution that, using protocols like iSCSI or Fibre Channel, creates a virtualized pool of storage resources from multiple physical storage devices, such as hard drives or solid-state drives. In this way, the latter become available to virtual machines (VMs) and applications in a data center or cloud environment. This virtualized storage can be dynamically allocated and managed to meet the storage needs of different VMs and applications. In essence, virtual SAN serves as a virtual storage appliance that can be seamlessly integrated with popular hypervisors such as VMware vSphere, Microsoft Hyper-V, KVM, or Citrix (formerly XenServer). This integration allows organizations to establish block-mode storage solutions optimized for structured data. Unlike traditional SAN, which often comprises a complex web of distinct hardware components, VSAN offers a more streamlined approach by being deployable on industry-standard x86 servers, provided they run a compatible virtualized host environment.

By using software-defined storage techniques, VSAN abstracts and virtualizes physical storage, offering greater flexibility and efficiency in storage management. It is often used to enhance data storage and management in virtualized and hyperconverged infrastructure environments.

What is Traditional SAN?

Traditional Storage Area Networks, often referred to as SAN, have been a staple in the world of data storage for many years. SAN operates as a dedicated network that connects storage devices to servers, offering centralized storage management and data access. In a SAN setup, storage devices are typically separate from the servers and are accessed through specialized hardware.

SANs have traditionally been known for their reliability, performance, and suitability for mission-critical applications. However, they can also be complex to manage and expensive to implement due to the need for specialized hardware components.

Key Features of VSAN

  1. Reduced Data Latency: VSAN eliminates the need for external networked storage, reducing data latency and ensuring faster response times. This is especially important for applications demanding low-latency access to data.
  2. Enhanced Data Protection: With its distributed architecture, VSAN provides robust data protection, automatically replicating data to other servers. This protection extends to safeguarding against server failures, ensuring data integrity and availability.
  3. Simplified Storage Management: VSAN offers centralized management, streamlining storage resource management and health monitoring. This ease of management translates to increased efficiency and reduced room for error in provisioning and maintenance.
  4. Integration with Containers and Virtual Machines: VSAN seamlessly integrates with virtualization technologies, including containers and VMs. This versatility allows organizations to run both traditional and modern applications on the same storage infrastructure, enhancing flexibility and adaptability.
  5. Cost-Efficiency: VSAN’s ability to pool existing server local storage and flash components into a virtualized pool leads to cost savings. This cost-effectiveness makes it an attractive option for organizations seeking efficient storage solutions without breaking the budget.

Key Features of SAN 

  1. High Performance: Traditional SANs excel in providing high-speed data access and low latency, making them suitable for performance-critical applications. They are often chosen for their reliability and consistency.
  2. Data Protection: SANs are known for their robust data protection features, including RAID configurations and failover capabilities. These features ensure data integrity and minimize downtime in the event of hardware failures.
  3. Deployment for Structured Workloads: SANs are ideal for handling structured data workloads, making them suitable for environments with demanding data processing requirements.
  4. Support for Critical Workloads: Traditional SANs can handle mission-critical workloads effectively, ensuring uninterrupted operations even in high-stakes scenarios.
  5. Enterprise-Grade Features: SANs often come equipped with enterprise-grade features, making them well-suited for large organizations with complex storage needs. These features may include advanced security, scalability, and comprehensive management tools.

VSAN vs SAN: A Comparative Analysis

Now, let’s delve into a comparative analysis to understand the core differentiators between VSAN and SAN, shedding light on how these storage solutions impact efficiency, performance, and the bottom line of organizations.

The choice between VSAN and SAN should align with your organization’s specific requirements and priorities. VSAN offers simplicity, scalability, and cost-effectiveness, making it an attractive choice for modern data-driven environments. In contrast to traditional SANs, which segregate storage into separate hardware components, VSAN adopts a distinct approach. It enables administrators to distribute storage across servers and consolidate these resources logically. On the other hand, SAN excels in high-performance scenarios and may be preferred for mission-critical workloads. The decision ultimately hinges on your organization’s unique needs and long-term storage strategy.

Why choose StarWind Virtual SAN?

Selecting the right Virtual SAN (VSAN) solution for your enterprise can be a daunting task, but StarWind Virtual SAN (VSAN) stands out as a top choice, catering to the specific needs of Enterprise ROBO, SMBs, and Edge environments. In contrast to traditional SAN solutions that rely on complex hardware configurations, StarWind Virtual SAN takes a “software replaces hardware” approach, making it an integral part of the hyperconverged infrastructure (HCI).

StarWind Virtual SAN revolutionizes storage by combining flash and disk resources within a cluster to create a virtual shared storage pool accessible to all hosts. This innovative approach significantly reduces the cost and complexity associated with virtualization, eliminating the need for physical shared storage like SAN, NAS, and DAS. The result is a streamlined and cost-effective solution, making it an ideal choice for organizations facing budget constraints and resource limitations, such as SMBs. With a proven track record of serving customers since 2009, StarWind’s Virtual SAN product has gained the trust of over 63,800 businesses.


In the ongoing debate of VSAN vs. SAN, it’s essential to recognize that both have their merits and can address diverse storage requirements. The decision ultimately depends on factors such as budget, scalability needs, performance demands, complexity of infrastructure, and the extent to which your organization values flexibility and simplicity in storage management. As the digital landscape evolves, making an informed choice between VSAN and SAN becomes increasingly crucial for staying competitive and efficient in today’s data-driven world.

This material has been prepared in collaboration with Iryna Chaplya, Technical Writer at StarWind.

VSAN vs. SAN feature comparison:

Deployment and Infrastructure
  VSAN: a software-defined storage solution that operates on industry-standard x86 servers; does not rely on external networked storage, reducing complexity and the need for specialized hardware.
  SAN: consists of physical appliances networked together to handle block-level data; often requires a dedicated infrastructure, including Fibre Channel switches and storage arrays, making it more hardware dependent.

Latency and Responsiveness
  VSAN: eliminates the need for external storage and, depending on the implementation and the protocol used, may minimize data latency, resulting in faster response times. This is critical for applications requiring low-latency access to data.
  SAN: can offer high performance and low latency, but the reliance on external storage and additional network layers can introduce additional latency compared to some VSAN implementations (for example, those using the NVMe-oF protocol).

Scalability
  VSAN: allows seamless scalability by adding more servers to the cluster, making it suitable for organizations with evolving storage needs.
  SAN: may face scalability limitations due to hardware constraints, potentially requiring costly upgrades or replacements.

Data Protection and Availability
  VSAN: designed with data protection in mind, automatically replicating data to other servers. This distributed architecture ensures data availability even in the event of server failures.
  SAN: offers data protection features but may require manual intervention and configuration to ensure high availability.

Management and Cost
  VSAN: provides centralized management, simplifying storage resource management and monitoring. Its cost-efficiency stems from the ability to leverage existing server local storage and flash components.
  SAN: can be expensive to implement and maintain, requiring a team of experts for hardware management and monitoring.

from StarWind Blog

Disable Windows Event Logging – Security Spotlight

The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about a technique attackers use to disable your Windows logging and increase their dwell time (MITRE ATT&CK® Technique T1562).

What is Windows Event Logging?

Windows Event Logging, specifically Security Logging, is the cornerstone of most organizations’ log monitoring strategy. In real-world deployments, LogRhythm typically observes that Windows Security logging consumes from 30% to 50% of an organization’s total logging capacity. Naturally, this has made it a prime target for nullification, a tactic commonly employed by attackers to undermine the effectiveness of Security Information and Event Management (SIEM) installations.

One method to achieve this involves adding a registry key named “MiniNt” to a specific path in the registry. Once added, this key triggers the Windows system to behave as if it is operating in a Windows Preinstallation Environment. In this state, the system does not record any events in the Security Log, effectively disabling the generation of security event logs.

What Happens When Attackers Disable Windows Logging?

The widespread adoption of SIEM, which was driven primarily by initiatives like GDPR, has led adversaries to enter environments knowing that they must devise strategies to counter the expected SIEM installation. Hence, adversaries may strategically seek to disable Windows event logging to minimize traceable data that could lead to their detection and a subsequent audit. This deactivation can be applied system-wide or directed at specific applications.

These maneuvers empower adversaries to operate covertly, leaving minimal evidence of their intrusive activities. To counter, defenders must vigilantly monitor such potential activities and implement robust security measures to thwart any unauthorized alterations to event logging.

While diligent threat actors have likely employed this strategy for years, it has become an increasingly popular part of attacks because attackers expect their victim’s SIEM to expose them if logging is not disabled.

This dynamic reflects the never-ending arms race between defenders and attackers. In response to the push to standardize logging as a fundamental cybersecurity practice, attackers have adapted to evade routine monitoring.

How Can LogRhythm Help You?

Similar to other log monitoring rules in a SIEM, the challenge often lies not in creating the rule itself but in understanding the problem and mapping out potential detection routes. In this instance, the Analytic Co-Pilot team has developed a rule for both LogRhythm SIEM and LogRhythm Axon that looks for the specific command that must be used to update the registry with the “MiniNt” suffix.

In addition, the alert triggers when someone runs the command required to check for the presence of the suffix. This dual functionality makes the rule effective both in detecting attacks and in detecting attackers who may be doing reconnaissance.
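The two detection routes just described (the write to the key and the query for it), implemented as an added example that is not LogRhythm's rule content. It runs over constructed Windows Security event 4688 (process creation) records; the key location it matches, HKLM\SYSTEM\CurrentControlSet\Control\MiniNt, is the one documented for this technique under MITRE ATT&CK T1562.002, and the host and user names are invented.

```python
"""Added example (not LogRhythm's rule): flag process command lines that write
to, or look for, the MiniNt registry key in Windows Security 4688 records."""
import re

# The key path, tolerant of hive alias, optional PowerShell drive colon,
# slash direction and letter case. Path is the documented T1562.002 location.
MININT_KEY = re.compile(
    r"(?:HKLM|HKEY_LOCAL_MACHINE):?[\\/]+SYSTEM[\\/]+CurrentControlSet"
    r"[\\/]+Control[\\/]+MiniNt\b", re.IGNORECASE)
# Ways of creating the key (tampering) versus merely checking for it (recon).
WRITE_CMD = re.compile(r"\breg(?:\.exe)?\s+add\b|\bnew-item\b", re.IGNORECASE)
QUERY_CMD = re.compile(r"\breg(?:\.exe)?\s+query\b|\btest-path\b|\bget-item\b",
                       re.IGNORECASE)

def classify(command_line):
    """Return 'tamper', 'recon' or None for one process command line."""
    if not MININT_KEY.search(command_line):
        return None
    if WRITE_CMD.search(command_line):
        return "tamper"
    if QUERY_CMD.search(command_line):
        return "recon"
    return "tamper"  # unknown tool touching the key: treat as tampering

def scan_4688(events):
    """Yield (computer, user, verdict, command) for suspicious 4688 records."""
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        verdict = classify(ev.get("CommandLine", ""))
        if verdict:
            yield (ev["Computer"], ev["SubjectUserName"], verdict, ev["CommandLine"])

# Constructed sample events (hosts and users invented); the third is a benign
# reg.exe write elsewhere in the registry and must not alert.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01.example.local", "SubjectUserName": "jdoe",
     "CommandLine": "reg  add HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt /f"},
    {"EventID": 4688, "Computer": "WS01.example.local", "SubjectUserName": "jdoe",
     "CommandLine": 'reg query "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\MiniNt"'},
    {"EventID": 4688, "Computer": "WS02.example.local", "SubjectUserName": "svc_backup",
     "CommandLine": "reg add HKLM\\SOFTWARE\\Contoso\\Backup /v Interval /d 30 /f"},
    {"EventID": 4624, "Computer": "WS02.example.local", "SubjectUserName": "svc_backup",
     "CommandLine": ""},
]

if __name__ == "__main__":
    for hit in scan_4688(SAMPLE_EVENTS):
        print(hit)
```

Command-line matching only sees reg.exe and PowerShell; a process that creates the key through the registry API directly shows up only in registry object-access auditing (event 4657 on that key), so pair this logic with that audit policy.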

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.

For other Security Spotlight episodes, you can access the full playlist here.

The post Disable Windows Event Logging – Security Spotlight appeared first on LogRhythm.

from LogRhythm

Monday, November 27, 2023

Terraform stacks, explained

Back in October at HashiConf 2023, we announced Terraform stacks, a new feature to simplify infrastructure provisioning and management at scale. This announcement has us and the broader Terraform community excited about one of the biggest changes to hit HashiCorp Terraform in recent years. While stacks are still under development, we wanted to share a few more details and answer some questions.

What challenges will Terraform stacks solve?

There are a number of benefits to using small modules and workspaces to build a composable infrastructure. Splitting up your Terraform code into manageable pieces helps:

  • Limit the blast radius of resource changes
  • Reduce run time
  • Separate management responsibilities across team boundaries
  • Work around multi-step use cases such as provisioning a Kubernetes cluster

Terraform’s ability to take code, build a graph of dependencies, and turn it into infrastructure is extremely powerful. However, once you split your infrastructure across multiple Terraform configurations, the isolation between states means you must stitch together and manage dependencies yourself.

Additionally, when deploying and managing infrastructure at scale, teams usually need to provision the same infrastructure multiple times with different input values, across multiple:

  • Cloud provider accounts
  • Environments (dev, staging, production)
  • Regions
  • Landing zones

There is no built-in way to provision and manage the lifecycle of these instances as a single unit in Terraform today, so each infrastructure root module has to be managed individually.

We believe these challenges can be solved in a better and more valuable way than just wrapping Terraform with bespoke scripting and external tooling, which requires heavy lifting and is error-prone and risky to set up and manage.

What are Terraform stacks and what are their benefits?

Stacks are a new approach that helps users automate and optimize the coordination, deployment, and lifecycle management of interdependent Terraform configurations, reducing the time and overhead of managing infrastructure. Key benefits include:

  • Simplified management: Stacks reduce the need to manually manage cross-configuration dependencies and manually duplicate configurations for a single infrastructure deployment.
  • Improved productivity: Stacks empower users to rapidly create and modify multiple consistent infrastructure configurations with differing inputs together, not individually, all with one simple action.

Stacks aim to be a natural next step in extending infrastructure as code to a higher layer using the same Terraform shared modules users enjoy today.

Common use cases for Terraform stacks

Here are the common use cases for stacks, out of the box:

  • Deploy an entire application with components like networking, storage, and compute as a single unit without worrying about dependencies. A stack configuration describes a full unit of infrastructure as code and can be handed to users who don’t have advanced Terraform experience, allowing them to easily stand up a complex infrastructure deployment with a single action.
  • Deploy across multiple regions, availability zones, and cloud provider accounts without duplicating effort/code. Deployments in a stack let you define multiple instances of the same configuration without needing to copy and paste configurations, or manage configurations separately. When a change is made to the stack configuration, it can be rolled out across all, some, or none of the deployments in a stack.

How do I use a Terraform stack?

Stacks introduce a new configuration layer, which sits on top of Terraform modules and is written as code.


The first part of this configuration layer, declared with a .tfstack.hcl file extension, tells Terraform what infrastructure, or components, should be part of the stack. You can compose and deploy multiple modules that share a lifecycle together using what are called components in a stack. Add a component block to this configuration for every module you'd like to include in the stack. You don’t need to rewrite any modules since components can simply leverage your existing ones.


The second part of this configuration layer, which uses a .tfdeploy.hcl file extension, tells Terraform where and how many times to deploy the infrastructure in the stack. For each instance of the infrastructure, you add a deployment block with the appropriate input values and Terraform will take care of repeating that infrastructure for you. When a new version of the stack configuration is available, plans are initiated for each deployment in the stack. Once the plan is complete, you can approve the change in all, some, or none of the deployments in the stack.


Consider an example of deploying three Kubernetes clusters, each with one or more namespaces, into three different geographies. In a stack, you would use one component to reference a module for deploying the Kubernetes cluster and another component for a module that creates a namespace in it. In order to repeat this Kubernetes cluster across three geographies, you would simply define a deployment for each geography and pass in the appropriate inputs for each, such as region identifiers.

If you decided to add a new namespace to each of your Kubernetes clusters, it would result in plans queued across all three geographies. To test this change before propagating it to multiple geographies, you could add the namespace to the US geo first. After validating everything worked as expected, you could approve the change in the Europe geo next. You have the option to save the plan in the Asia geo for later. Having changes that are not applied in one or more deployments does not prevent new changes that are made to the stack from being planned.
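The three-geography Kubernetes example above, written out as an added illustration in the two-file layout described in this section; it is not HashiCorp's published configuration. The file names, module paths, variable names and the shape of the component/deployment blocks are assumptions based on the description above, and provider wiring is omitted.

```hcl
# clusters.tfstack.hcl (assumed name): WHAT is in the stack.
# Inputs that every deployment must supply.
variable "region" {
  type = string
}

variable "namespaces" {
  type = set(string)
}

# One component per existing module; the modules themselves are unchanged.
component "cluster" {
  source = "./modules/k8s-cluster"   # assumed module path
  inputs = {
    name   = "app-${var.region}"
    region = var.region
  }
}

# The namespace module consumes an output of the cluster component, so
# Terraform orders the two without any hand-written dependency glue.
component "namespaces" {
  source = "./modules/k8s-namespaces" # assumed module path
  inputs = {
    cluster_endpoint = component.cluster.endpoint # assumed module output
    names            = var.namespaces
  }
}
```

```hcl
# clusters.tfdeploy.hcl (assumed name): WHERE and HOW MANY TIMES to deploy it.
# Adding "reporting" to all three namespace sets queues one plan per
# deployment; each can then be approved (US), approved later (Europe) or
# left saved (Asia) independently, as the text describes.
deployment "us" {
  inputs = {
    region     = "us-east-1"
    namespaces = ["payments", "search"]
  }
}

deployment "europe" {
  inputs = {
    region     = "eu-west-1"
    namespaces = ["payments", "search"]
  }
}

deployment "asia" {
  inputs = {
    region     = "ap-southeast-1"
    namespaces = ["payments", "search"]
  }
}
```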

What’s next for Terraform stacks?

At HashiConf 2023, we announced the Terraform Cloud private preview of stacks to generate early hands-on feedback and ensure that we develop stacks in tune with what our users need.

While our initial private preview is limited to Terraform Cloud, certain stacks functionality will be incorporated in upcoming releases of the Community edition of Terraform. As we get closer to general availability of stacks, we'll be adding stacks in Terraform Enterprise. Workspaces will continue to have their use cases and Terraform will continue to work with both workspaces and stacks.

We hope you’re as excited about stacks as we are, and appreciate your support as we transform how organizations use Terraform to further simplify infrastructure provisioning and management at scale.

from HashiCorp Blog