it’s a must. That’s why VMware added vRealize Log Insight for NSX, a version of Log Insight focused strictly on vSphere and NSX logging. vRealize Log Insight is included in all versions of NSX, starting with NSX 6.2.3. The main difference between vRealize Log Insight for NSX and regular Log Insight is that the former’s EULA is restricted to vSphere and NSX log data. If you’re still on NSX 6.1.x, you can download the new version of Log Insight if you’re eligible for NSX 6.2.3. Let’s take a closer look at which logging components NSX enables, how to enable them, and check out some tips and tricks for using vRealize Log Insight for NSX.

The breakdown of the NSX and vRealize Log Insight license mapping is as follows: NSX Standard, Advanced and Enterprise licenses provide users with one Log Insight Standard CPU for every NSX CPU. NSX Term Standard, Advanced and Enterprise licenses offer one Log Insight Standard CPU for every NSX Term CPU. The Log Insight Standard CPU for Term licenses will eventually expire; the license lists the expiration date. Finally, NSX for Desktop Advanced and Enterprise licenses include one Log Insight Standard CPU for every 50 CPUs of NSX Desktop.

Deploy the vRealize Log Insight appliance to begin; the appliance opens up a wizard that guides you through initial setup. Configure vRealize Log Insight to receive log entries from your ESXi hosts. For example, with a distributed firewall, logging occurs on the host where a specific VM runs — it’s ideal to have a centralized logging tool because VMs will probably move around in your cluster.

Content packs

Once you deploy vRealize Log Insight, install the NSX content pack that allows vRealize Log Insight to interpret the information it receives from NSX. These content packs are the integration between the central logging server and the application; without them, the application can’t process log entries.
To install a content pack, navigate to the menu in the upper right-hand corner of the vRealize Log Insight interface and access the marketplace included in the administration interface. Install the NSX-vSphere Content Pack (Figure A).

Next, it’s time to set up NSX components. First up is the NSX Manager, which is a web interface for monitoring and configuring other NSX components. You can locate the point of entry for the vRealize Log Insight server installation under the Manage tab. This integration allows you to see log entries related to both the NSX Manager and vCenter, since each NSX Manager connects to one vCenter instance. Therefore, if NSX has a problem configuring something in vCenter, this problem will appear in the log entries.

Many other components enable logging once created and configured in NSX. For example, in Figure C, you can see where to configure the syslog server for a distributed logical router; this is the same for an NSX Edge appliance, since the Manage and Settings tabs are available for both.

If you also want to configure NSX controllers to send logs to your syslog server, you must configure them directly through the HTTP REST API.

If you forward your ESXi logs to vRealize Log Insight, your distributed firewall logs will be automatically forwarded, too. This is because the firewall log entries are stored on the host in /var/log/dfwpktlogs.log, which is forwarded automatically once you configure a central syslog server for your ESXi host. The firewall does not log any messages by default, so you must change your firewall rules in the vSphere Web Client to enable logging per rule. Once you’ve set up the NSX and vRealize Log Insight integration, you can use Interactive Analytics to find entries forwarded by NSX. For example, you can see entries forwarded as part of the distributed firewall log for a SpoofGuard warning.
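As an added example (not code from the original article), the following Python parses distributed firewall entries in the dfwpktlogs.log layout and derives two things an Interactive Analytics query or alert is typically built on: blocked hits per rule, and a source whose packets are being dropped across many destination ports on one host. The sample lines are constructed, and the field layout after `INET match` is an assumption taken from the NSX-v documentation as I recall it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the dfwpktlogs.log layout (layout assumed from NSX-v docs):
# <time> <host> dfwpktlogs: <id> INET match <ACTION> <ruleset/rule-id> <DIR> <len>
#   <proto> <src>/<sport>-><dst>/<dport> [<tcp flags>]
# The last line is an unrelated host message, to show that non-DFW lines are ignored.
SAMPLE_LOG = """\
2017-05-05T10:00:01.100Z esx-01 dfwpktlogs: 1 INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.5/51000->10.10.2.8/443 S
2017-05-05T10:00:02.200Z esx-01 dfwpktlogs: 1 INET match DROP domain-c7/1003 IN 60 TCP 10.10.1.9/40001->10.10.2.8/22 S
2017-05-05T10:00:02.300Z esx-01 dfwpktlogs: 1 INET match DROP domain-c7/1003 IN 60 TCP 10.10.1.9/40002->10.10.2.8/23 S
2017-05-05T10:00:02.400Z esx-01 dfwpktlogs: 1 INET match DROP domain-c7/1003 IN 60 TCP 10.10.1.9/40003->10.10.2.8/3389 S
2017-05-05T10:00:02.500Z esx-01 dfwpktlogs: 1 INET match DROP domain-c7/1003 IN 60 TCP 10.10.1.9/40004->10.10.2.8/445 S
2017-05-05T10:00:02.600Z esx-01 dfwpktlogs: 1 INET match DROP domain-c7/1003 IN 60 TCP 10.10.1.9/40005->10.10.2.8/8080 S
2017-05-05T10:00:03.000Z esx-02 dfwpktlogs: 1 INET match DROP domain-c7/1003 IN 60 UDP 10.10.1.7/5353->10.10.2.9/5353
2017-05-05T10:00:04.000Z esx-02 dfwpktlogs: 1 INET match PASS domain-c7/1002 OUT 52 TCP 10.10.2.8/44000->10.10.3.1/53 S
2017-05-05T10:00:05.000Z esx-02 vmkernel: cpu3:12345 some unrelated host message
"""

# Anchored on "INET match" so that the syslog prefix (which varies with the
# forwarding path) does not matter; TCP flags are optional.
DFW_RE = re.compile(
    r"INET match (?P<action>PASS|DROP|REJECT) (?P<rule>\S+) (?P<dir>IN|OUT) (?P<len>\d+) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_dfw_lines(text):
    """Yield one dict per distributed firewall packet log line; other lines are skipped."""
    for line in text.splitlines():
        m = DFW_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for field in ("sport", "dport", "len"):
            rec[field] = int(rec[field])
        yield rec


def drops_per_rule(records):
    """Count blocked packets per rule id, the same breakdown a rule-hit widget shows."""
    return Counter(r["rule"] for r in records if r["action"] != "PASS")


def find_port_sweeps(records, min_ports=5):
    """Return (src, dst) pairs whose blocked packets hit at least `min_ports`
    distinct destination ports, a pattern worth an alert rather than a dashboard."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] != "PASS":
            ports[(r["src"], r["dst"])].add(r["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = list(parse_dfw_lines(SAMPLE_LOG))
    print("blocked hits per rule:", dict(drops_per_rule(recs)))
    for (src, dst), dports in find_port_sweeps(recs).items():
        print(f"ALERT: {src} blocked on {len(dports)} ports of {dst}: {dports}")
```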
Entries like these let you create alerts based on your queries, so that whenever something happens you receive a warning, either via email or through vRealize Operations Manager. Dashboards are another important part of the NSX and vRealize Log Insight integration; these dashboards help identify issues in your NSX deployment.

The post Integrate vRealize Log Insight and NSX for centralized logging appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/integrate-vrealize-log-insight-and-nsx-for-centralized-logging/
Over the past year, a group of attackers has managed to infect hundreds of computers belonging to government agencies with a malware framework stitched together from JavaScript code and publicly available tools. The attack, analyzed by researchers from antivirus firm Bitdefender, shows that cyberespionage groups don’t necessarily need to invest a lot of money in developing unique and powerful malware programs to achieve their goals. In fact, the use of publicly available tools designed for system administration can increase an attack’s efficiency and makes it harder for security vendors to detect it and link it to a particular threat actor.

The Bitdefender researchers have dubbed the newly discovered attack group Netrepser and traced back some of its attack campaigns to May 2016. The group is still active, but to Bitdefender’s knowledge its attacks have never been publicly documented before, which might be in part because its campaigns are highly targeted. After analyzing the way in which Netrepser’s command-and-control server assigns unique tracking IDs to infections, the Bitdefender researchers believe that the attack group has compromised around 500 computers to date. The vast majority of those systems belong to government agencies and organizations, indicating that Netrepser’s goal is cyberespionage, not financially motivated cybercrime.

Bitdefender declined to disclose the countries whose government agencies have been targeted, but some of the spear-phishing emails sent by the cyberespionage group contained malicious Microsoft Office documents with Russian names and text. This doesn’t necessarily limit attacks to Russia, because the Russian language is used in many former Soviet Union member countries. The rogue documents had malicious macros embedded in them and contained instructions for users to allow the execution of that code. This is a common malware distribution technique that has been used in many attacks over the past few years.
Once executed, the macros drop an obfuscated JavaScript file with a .JS or .JSE extension that is executed natively on Windows through the Windows Script Host (WScript.exe). The code also creates registry start-up entries or scheduled tasks, depending on the Windows version, to ensure that the JS or JSE script is executed after every system reboot.

JavaScript code makes up the core of Netrepser’s malware platform. It handles communication with the command-and-control server and downloads additional components based on commands received from it. It can also execute shell commands via cmd.exe to get information about the system, list running processes or enumerate files in directories.

The malware’s modules are actually free tools used by system administrators. For example, Netrepser downloads and installs the WinRAR archiving utility, which it then uses to compress and password-protect stolen information before extracting it from an infected computer. It also uses several utilities developed by a company called NirSoft, including its Email Password Recovery and IM Password Recovery tools. These tools can be used to recover forgotten passwords, but Netrepser uses them to steal account credentials from email and instant messaging applications. Another NirSoft tool, called WebBrowserPassView, is used to extract passwords stored inside browsers, while the sdelete utility that’s part of the Windows Sysinternals package is used to securely wipe files.

The Netrepser malware can also download and install a keylogger and steal files stored on the computer. Ultimately, it has all the features that one would expect to find in a malware program designed for information theft. While the NirSoft programs are not inherently malicious, they’ve been abused by cybercriminals in the past, so many antivirus and security programs detect them as potentially risky applications.
To avoid such detections, the Netrepser attackers modify the utilities before deploying them by using a custom binary packing technique that the Bitdefender researchers haven’t seen before.

“By relying on readily-available tools for high-level cyber espionage, the threat actor behind Netrepser not only minimized its development and operational costs, but also made sure that the attack cannot be attributed to known threat actors or nation states,” said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, via email. Moreover, even if one of these tools is detected on a system, the organization’s security team might dismiss the alert as a false positive or a case where an administrator or user attempted to troubleshoot an IT issue, rather than a serious malware incident that needs investigating, Botezatu said.

The use of malicious scripts rather than binary malware is a trend. Last year, security researchers found a file-encrypting ransomware program called RAA written entirely in JavaScript and executed through the Windows Script Host. Over the past year there’s also been a wave of attacks that heavily rely on PowerShell, a powerful scripting language built into Windows that’s used to automate system administration tasks. The use of standard Windows utilities and third-party dual-use tools like Meterpreter and Mimikatz in attacks is also increasingly common.

Documents leaked in March by WikiLeaks also showed that well-funded intelligence agencies like the CIA intentionally repurpose bits of open-source code in their cyber operations and even techniques and components from known malware. Such false flag operations are intended to throw malware analysts on false leads and complicate attribution efforts.

To block JavaScript-based attacks on Windows, organizations can enforce the use of digitally-signed scripts or disable the Windows Script Host entirely on computers if it’s not needed.
The post Cyberspies tap free tools to build powerful malware framework appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/cyberspies-tap-free-tools-to-build-powerful-malware-framework/

Microsoft said a recent attack it calls Operation WilySupply utilized the update mechanism of an unnamed software editing tool to infect targets in the finance and payment industries with in-memory malware. The unnamed editing tool was used to send unsigned malicious updates to users in targeted attacks, according to a report published Thursday.

“While their software supply chain served as a channel for attacking other organizations, they themselves were also under attack,” said Elia Florio, senior security software engineer with the Windows Defender ATP Research Team.

It’s unclear just how many affected parties there were and when the attacks took place. However, Florio said the attacks were selective and purposely went after only the “most valuable targets” in an effort to avoid detection. “We believe that the activity group behind Operation WilySupply is motivated by financial gain. They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries,” Florio wrote.

He said Microsoft began investigating the suspicious activity after computers using the updater were red-flagged by Windows Defender ATP. “Windows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities,” Florio wrote. A forensic analysis of the Temp folder on one of the targeted systems revealed the legitimate third-party updater running as a service. However, closer inspection revealed the updater had also downloaded an unsigned, low-prevalence executable just before the malicious activity was observed, according to Florio.
“The downloaded executable turned out to be a malicious binary (Rivit) that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control,” Florio wrote. “The malware binary, named by the cybercriminals ue.exe, was a small piece of code with the sole purpose of launching a Meterpreter shell.”

Meterpreter is a legitimate pen-testing tool packaged with the Metasploit framework and can be used to carry out in-memory or fileless attacks. Meterpreter attaches itself to a process and is capable of carrying out in-memory DLL injections. It’s one of several open-source tools, such as LaZagne, that allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary’s control server. In-memory or fileless attacks, Florio said, are a fast-growing trend among cybercriminals.

Attackers, Florio said, were taking advantage of the trusted relationship within the context of the software supply chain. The victims were unaware that a malicious third party had infiltrated the remote update channel of the supply chain. Self-updating software has been targeted in the past on a number of occasions, Microsoft points out. Unrelated incidents include adversaries targeting Altair Technologies’ EvLog update process, the auto-update mechanism for the South Korean software SimDisk and the update server used by ESTsoft’s ALZip compression application, according to researchers.

Noteworthy to the attack was the fact that adversaries conducted advanced reconnaissance that included qualifying systems with tools such as .NET, IPCONFIG, NETSTAT, NLTEST and WHOAMI, Florio said.
Additional techniques, tactics and procedures Florio noted included: memory-only payloads assisted by PowerShell and Meterpreter running in rundll32; migration into long-living processes, such as the Windows Print Spooler (spoolsv.exe); use of common tools like Mimikatz and Kerberoast to dump hashes; lateral movement using Windows Management Instrumentation (WMI), specifically the WMIC /node command; and persistence through scheduled tasks created using the SCHTASKS and AT commands.

Tips on protection from such attacks include hardening defenses with strong encryption in update channels, putting script and configuration files in signed containers and adopting Security Development Lifecycle best practices, according to Florio.

The post Supply Chain Update Software Unknowingly Used in Attacks appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/supply-chain-update-software-unknowingly-used-in-attacks/

More than 200 Android mobile applications listen surreptitiously for ultrasonic beacons embedded in audio that are used to track users and serve them with targeted advertising. Academics from Technische Universität Braunschweig in Germany recently published a paper in which they describe their research into the practice of using these beacons to monitor a consumer’s shopping and possibly television viewing habits in order to serve them relevant advertising. The researchers raise a number of privacy concerns about such tracking, and how adversaries can abuse it to deduce a person’s physical location, and even theoretically de-anonymize their use of the Tor browser or cryptocurrency such as Bitcoin.
“Recently, several companies have started to explore new ways to track user habits and activities with ultrasonic beacons,” researchers Daniel Arp, Erwin Quiring, Christian Wressnegger and Konrad Rieck wrote in “Privacy Threats Through Ultrasonic Side Channels on Mobile Devices.” “In particular, they embed these beacons in the ultrasonic frequency range between 18 and 20 kHz of audio content and detect them with regular mobile applications using the device’s microphone.”

The mobile user has no knowledge this is happening; the researchers found this behavior in 234 Android apps, up from 39 in 2015. The researchers analyzed 140 hours of media data from TV streams and audio content. Four of 35 stores visited in two European cities used beacons for tracking, they wrote. While no TV streams included these beacons, the researchers believe it’s only a matter of time before this technology is used in commercials and marketers can track a user’s viewing habits. These beacons can also be used to link those habits to a mobile device.

“We conclude that even if the tracking through TV content is not actively used yet, the monitoring functionality is already deployed in mobile applications and might become a serious privacy threat in the near future,” the researchers wrote.

The paper presents a means for detecting these beacons, as well as a study of three mobile applications that listen for them: Shopkick, Lisnr and SilverPush. Shopkick, for example, has a number of commercial partners and offers users targeted rewards as they’re walking through a merchant’s door. “In contrast to GPS, loudspeakers at the entrance emit an audio beacon that lets Shopkick precisely determine whether the user walked into a store,” the researchers wrote. Other apps such as Lisnr and Signal360 get location-specific content from the beacons, including coupons and vouchers.
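To make the detection side concrete, here is an added Python example (my own, not the researchers’ code) that checks one audio frame for a narrowband tone in the 18 to 20 kHz range using the Goertzel algorithm, which is the kind of check a beacon detector or a privacy audit tool would run on microphone input. The audio frame, the 19 kHz beacon frequency and the energy-fraction threshold are constructed assumptions.

```python
import math

SAMPLE_RATE = 44100            # Hz, a common phone microphone capture rate
FRAME = 2205                   # samples per analysis frame -> 20 Hz wide DFT bins
BAND_LOW, BAND_HIGH = 18000, 20000   # the near-ultrasonic range the paper describes
MIN_FRACTION = 1e-3            # assumed threshold: share of frame energy in one ultrasonic bin


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """|X_k|^2 for the DFT bin nearest target_hz, computed with the Goertzel recurrence
    (cheaper than a full FFT when only a handful of bins are of interest)."""
    n = len(samples)
    k = round(n * target_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def scan_ultrasonic(samples, sample_rate=SAMPLE_RATE, step_hz=20):
    """Return (peak_hz, fraction): the strongest 18-20 kHz bin and the share of the
    frame's energy concentrated in it (0.5 is the maximum for a pure real tone)."""
    n = len(samples)
    energy = sum(x * x for x in samples)
    if energy == 0.0:
        return None, 0.0
    best_hz, best_power = None, -1.0
    for hz in range(BAND_LOW, BAND_HIGH + 1, step_hz):
        p = goertzel_power(samples, hz, sample_rate)
        if p > best_power:
            best_hz, best_power = hz, p
    # Parseval: the sum of |X_k|^2 over all N bins equals N * energy, so this
    # ratio is the fraction of the frame's energy sitting in the peak bin.
    return best_hz, best_power / (n * energy)


def beacon_present(samples, sample_rate=SAMPLE_RATE):
    """True when a single near-ultrasonic bin carries at least MIN_FRACTION of the energy."""
    _, fraction = scan_ultrasonic(samples, sample_rate)
    return fraction >= MIN_FRACTION


def make_frame(beacon_amp, beacon_hz=19000, audible_hz=440, audible_amp=1.0):
    """Constructed test audio: an audible 440 Hz tone plus an optional quiet beacon
    (20 dB below the audible tone at beacon_amp=0.1), like a jingle with a beacon mixed in."""
    return [
        audible_amp * math.sin(2 * math.pi * audible_hz * i / SAMPLE_RATE)
        + beacon_amp * math.sin(2 * math.pi * beacon_hz * i / SAMPLE_RATE)
        for i in range(FRAME)
    ]


if __name__ == "__main__":
    for amp in (0.0, 0.1):
        peak, frac = scan_ultrasonic(make_frame(amp))
        print(f"beacon amplitude {amp}: peak {peak} Hz, energy fraction {frac:.2e}, "
              f"flagged={beacon_present(make_frame(amp))}")
```

In a real detector the check would run on consecutive frames and require the same bin to persist for several frames before flagging, which suppresses one-off clicks and harmonics.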
“Once the user has installed these applications on her phone, she neither knows when the microphone is activated nor is she able to see which information is sent to the company servers,” the researchers wrote.

Silverpush, meanwhile, could accelerate the adoption of these beacons in television commercials; the developers have filed a patent for this purpose, allowing the app to track a user’s viewing habits. “In contrast to other tracking products, however, the number and the names of the mobile applications carrying this functionality are unknown,” the researchers wrote. “Therefore, the user does not notice that her viewing habits are monitored and linked to the identity of her mobile devices.”

The paper singles out a number of privacy threats posed by these beacons. In addition to linking identities to viewing habits, such media tracking could also expose a person’s political leanings or other personal preferences. Adversaries can also abuse these beacons and learn about multiple devices linked to the same individual, facilitating targeted attacks, for example. The technology also allows for location tracking without the need for GPS. The researchers also caution that the side channel could disclose a relationship between an individual’s Bitcoin address and their mobile phone, or similarly link usage of the Tor browser to a device.

“An adversary is able to obtain a detailed, comprehensive user profile by creating an ultrasonic side channel between the mobile device and an audio sender,” the researchers conclude. “Throughout our empirical study, we confirm that audio beacons can be embedded in sound, such that mobile devices spot them with high accuracy while humans do not perceive the ultrasonic signals consciously.”

The post Ultrasonic Beacons Are Tracking Your Every Movement appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/ultrasonic-beacons-are-tracking-your-every-movement/

It could put an end to end-to-end encryption in services such as WhatsApp: The U.K. government wants telecommunications providers to help it tap their customers’ communications, removing any encryption the provider applied. The government’s desires are set out in a draft of the regulations obtained by Open Rights Group (ORG), which campaigns for digital civil rights.

“These powers could be directed at companies like WhatsApp to limit their encryption. The regulations would make the demands that [Home Secretary] Amber Rudd made to attack end-to-end encryption a reality. But if the powers are exercised, this will be done in secret,” said ORG executive director Jim Killock.

The draft of the Investigatory Powers (Technical Capability) Regulations 2017 was circulated by government officials as part of a “targeted consultation” of some of the organizations that would have to comply with the law, the group said. Its requirements will apply to fixed and mobile phone networks, but also the operators of cloud-based messaging services and social networks, according to an analysis of the law by Bird & Bird last November, when the act received royal assent. Operators with over 10,000 users in the U.K. will have to modify their systems to provide government officials with on-demand access to their customers’ communications, according to the draft regulation revealed Friday.

Previous surveillance laws in the U.K. have required operators to provide just the communications metadata, information about who is calling whom, when and where.
This time, though, the government also wants operators to provide the content of their customers’ communications in an intelligible form, and “to remove electronic protection applied by or on behalf of the telecommunications operator.” That, said ORG, could allow the government to compel companies to introduce backdoors to end-to-end encryption, or put in place other security weaknesses, with little accountability. There will be no pleas of “Sorry officer, the surveillance system broke,” as the draft regulation calls for the spying apparatus to be at least as reliable as the rest of the network.

Much of the Investigatory Powers Act — and thus the draft regulation implementing it — applies to companies worldwide as long as one end of the communication is in the U.K., although the government may have difficulty enforcing it, Bird & Bird noted in its analysis of the law.

The post UK seeks end to end-to-end encryption appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/uk-seeks-end-to-end-to-end-encryption/

Mike Mimoso and Chris Brook discuss the news of the week, including the Gmail/Google Docs phishing attack, the Intel AMT vulnerability, IBM’s malware-laden USB drives, and drone security. Download: Threatpost_News_Wrap_May_5_2017.mp3. Music by Chris Gonsalves.

The post Threatpost News Wrap, May 5, 2017 appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/threatpost-news-wrap-may-5-2017/

Spyware developer FlexiSpy planned to lure researchers to disclose vulnerabilities in its software through HackerOne. HackerOne had other ideas. Last month, the surveillance firm revealed plans on Twitter to transfer its bug bounty program to HackerOne. The bug bounty program, created in the “interest of transparency,” would have offered researchers between $100 and $5000 to privately disclose bugs to the company.
FlexiSpy said that the move was in the approval stage but likely did not imagine there would be any roadblocks. Vulnerabilities of any kind are bad news when exploited, but with this particular bug bounty request, there were ethical considerations to take into account.

FlexiSpy offers consumer spyware for sale, which is known to have been installed to track children as well as spouses and partners. Once paid for and installed, the spyware allows users to remotely listen in to live calls, snoop on text messages and VoIP, send fake SMS messages, intercept and view multimedia content, read emails and compromise other apps such as WhatsApp, Facebook, Skype and Instagram, among others.

In response to the request and the online debate which subsequently followed, HackerOne CEO Marten Mickos and CTO Alex Rice clarified the bug bounty platform’s position. On Thursday, the pair said in a blog post that FlexiSpy is not a customer, but has prompted a re-examination of what can occur when company principles clash.

Last month, a group of hackers calling themselves the Decepticons allegedly compromised FlexiSpy and leaked the firm’s software source code online. This likely prompted the bug bounty application, but the firm’s dubious legal position and the purpose of the FlexiSpy consumer spyware itself have made bug bounty providers nervous. Bugcrowd has already said publicly that FlexiSpy would not be welcome, and now HackerOne has explained why it, too, will not be accepting FlexiSpy’s application.

While HackerOne believes acceptance should not rely on “arbitrary moral judgments” and software legality should be left to courts to decide, there is both “broad evidence” and a general belief that FlexiSpy is operating illegally, by which any company connected to it may eventually also be dragged down.
In addition, while vulnerabilities are “universally bad” and the whole purpose of bug bounty programs is to improve overall security and keep the open market flowing, where to draw the line when it comes to grey software is a difficult decision.

“As long as FlexiSPY is permitted to market software designed to spy on kids and victims of domestic abuse, vulnerabilities will put those individuals at risk,” HackerOne says. “It is impossible to confidently predict the collateral damage of an exploited vulnerability. On balance, if someone is infected with spyware they’re probably better off infected with secure spyware […] But fixing them benefits the spyware company more than it protects the victims.”

The bug bounty platform also argues that “market[ing] their product security as “Secured by HackerOne” directly supports their sales efforts and leads to further distribution and victimization.” Should FlexiSpy be accepted by HackerOne, the company would also be required to publish a vulnerability disclosure policy and commit to protecting hackers against legal action — neither of which are currently the case.

“HackerOne will always make vulnerability disclosure programs available to all organizations that operate legally and commit to working with hackers in good faith,” the company says. “These organizations are welcome to host their security@ on the HackerOne platform. We will not take action against them based exclusively on moral judgments.” “However, engaging proactively with the HackerOne community through a bug bounty program is a privilege that is only afforded to organizations that conduct themselves in an ethical manner,” HackerOne added.

FlexiSpy will not be permitted to host a bug bounty program on HackerOne and did not immediately respond to a request for comment.
The post HackerOne Rejects FlexiSpy Bug Bounty Program appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/hackerone-rejects-flexispy-bug-bounty-program/

Business Email Compromise (BEC) schemes, where executives are scammed via social engineering and phishing compromises that ultimately lead to fraudulent wire transfers, grew at a jaw-dropping rate of 2,370 percent in the last two years. The FBI yesterday published its latest statistics on these unrelenting crimes, which have been reported in all 50 states in the U.S. and in 131 countries. Most of the stolen money, the FBI said, has been funneled to banks in China and Hong Kong, and since late 2013, businesses have suffered more than $5.3 billion in losses.

“Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment,” the FBI said in its report. “The fraudsters will use the method most commonly associated with their victim’s normal business practices.”

The fraud has evolved beyond duping executives into transferring money into mule accounts, to now including requests for personal information, and tax forms such as W-2s for employees. Usually, these scams aren’t very technical, though more and more, fraudsters are making use of cybercrime strategies such as phishing and enticing victims into clicking on links that install malware on a victim’s computer.

The bad guys are clearly winning here. In the U.S. between last June and December, the FBI recorded complaints totaling more than $346 million in losses from 3,044 incidents from domestic victims. Non-U.S. losses reported to the FBI were higher: more than $448 million for the same six-month period. Cumulatively from October 2013 to December 2016, the FBI has recorded more than 40,000 incidents and more than $5.3 billion in losses.

“The victims of the BEC/EAC scam range from small businesses to large corporations.
The victims continue to deal in a wide variety of goods and services, indicating that no specific sector is targeted more than another,” the FBI said. “It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam.”

The FBI said malware is being used by more of these scammers in advance of a Business Email Compromise, foregoing lengthy social engineering and reconnaissance for a more direct method of gaining access to email and financial accounts.

The FBI also identified five typical scenarios ripe for abuse. These include scams where the fraudster poses as a foreign supplier with whom the victim has a relationship, or scenarios where an executive’s email account has been taken over and a request is made on their behalf to someone else in the company to initiate a wire transfer to a mule account. In other cases, the fraudsters may pose as attorneys and pressure executives to wire money in order to resolve supposedly time-sensitive matters; these requests are often made at the end of a business day or prior to a weekend or long holiday break. Fraudsters are also targeting departments within businesses such as human resources, bookkeeping and auditing that handle personal information and tax forms. The FBI said this aspect of these scams began prior to the 2016 tax season.

Researchers at Dell SecureWorks have been particularly keen on learning more about BEC scammers, and since last August have published extensive reports on the inner workings of these fraud operations. Insight into a Nigerian “waya-waya” operation targeting manufacturing, chemical and other high-value industries showed how the attackers used malware to gain a man-in-the-middle position on email communication, intercepting and redirecting executives’ messages in order to cash in.
At RSA Conference earlier this year, the researchers used their own social engineering to help shut down another Nigerian scammer by gaining his trust, learning his tradecraft and how to speak his language. This level of interdiction allowed the researchers to ultimately use a blend of technical and interpersonal means to learn personal information about the attacker and put him out of business.

The post Business Email Compromise Losses Up 2,370 Percent Since 2015 appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/business-email-compromise-losses-up-2370-percent-since-2015/

Microsoft today asked enterprise customers to test a new anti-malware, anti-exploit technology in Windows 10’s baked-in browser. Windows 10’s latest preview, tagged as build 16188 and released Thursday, includes Windows Defender Application Guard, a virtualization-based feature that isolates the contents of a tab in Edge, the OS’s default browser, from the rest of the system.

While Application Guard was announced in September, and went through limited testing in the months since, today marked its first appearance to all Insiders running Windows 10 Enterprise. Users must manually toggle on Application Guard from a settings dialog, then open a tab within Edge by selecting “New Application Guard Window” from the browser’s menu. Application Guard is available only in the U.S. English version of build 16188 for Windows 10 Enterprise, and requires a PC that supports Hyper-V, Microsoft’s virtualization technology.

Like sandboxing — another anti-exploit approach browsers rely on — the virtualization of an Edge tab blocks viewed content and downloaded files from harming the system. Malware that gets into the virtualized “container” cannot access the user’s identity credentials, will find no data when it starts sniffing and cannot connect with other systems on the network. Think of it as a malware dead-end.
When the user is done browsing — closes the tab, shuts down the browser, logs out of the PC — the isolated tab is thrown away. Any malware that managed to get into the container is tossed, too.

Company administrators will be able to define “white lists” of sites — typically those that are, in Windows-speak, “trusted” by the network — which, when opened, will appear in traditional tabs. If the user steers to a site that is not on the approved list, then Edge will open it in an Application Guard container.

Microsoft has pegged Application Guard to debut in Windows 10’s next feature upgrade, slated to ship in September. Yolando Pereira, a technical program manager on the Windows device security team, said the technology was to appear “in the upcoming release of Windows.” And during a presentation at the RSA security conference in January, Chas Jeffries, a principal program manager, also said Application Guard was set for the 1709 upgrade, currently codenamed “Redstone 3.”

Microsoft has said nothing about whether it will extend Application Guard to other editions of Windows 10 — Windows 10 Pro, for example, includes the necessary Hyper-V — expand it to applications other than Edge, or allow rival browser makers to isolate tabs using the technology.

The post Microsoft asks Windows 10 Enterprise customers to test new anti-exploit tech appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/microsoft-asks-windows-10-enterprise-customers-to-test-new-anti-exploit-tech/

Two recent espionage campaigns against political and strategic targets in North Korea have been linked to malware that has stayed hidden for the better part of three years. Cisco’s research arm Talos published a report yesterday on the malware it calls Konni. Two attacks in April used phishing emails and decoy documents of interest to the target to drop the Konni remote access Trojan. That allowed the attacker to drop additional malware on compromised systems.
Current iterations of the malware include components that allow for data theft, keylogging, screenshot capture and the execution of arbitrary code. Cisco said the malware evolved from mainly stealing information without remote administration to the use of two separate binaries, including a dynamic library, on compromised machines, new features added to the malware, and better decoy documents.

The targets are members of embassies linked to North Korea, as well as public organizations such as UNICEF and the United Nations, Cisco said. The attackers used the Konni malware sparingly, and the most recent attacks were carried out a few days ago. The campaign remains active, as is its infrastructure, which is hosted on a legitimate and free webhost called 000webhost.

“Low volume distribution of malware to a small number of targets potentially means that malicious campaigns get lost in the noise of the many samples of malware out there,” said Cisco Talos Technical Lead Martin Lee. “In fact, it is very difficult for threat actors to completely evade leaving traces in telemetry.”

Cisco spotted two recent campaigns in April, but throughout the four campaigns Cisco is aware of that date back to 2014, some commonalities exist. For example, the attacks start with phishing emails containing an attachment as the initial infection vector. The victim is lured into opening a .src file, which displays a decoy document to the user before executing the malware. April’s campaigns targeted either government agencies and embassies, or public organizations linked to North Korea, with two separate decoy documents containing contact information for either embassy officials or members of the U.N. and UNICEF. The .src file drops an executable and a dynamic library onto the machine, and uses a LNK file to maintain persistence.
These campaigns were updated with versions of the malware capable of grabbing screenshots, in addition to stealing system information, uploading files, deleting files, downloading code from the internet and executing commands. Cisco said the two command and control domains from these attacks, Pactchfilepacks[.]net23[.]net and checkmail[.]phpnet[.]us, remain active. Cisco published indicators of compromise from all four attacks in its reports.

It would not say whether this was a nation-state operation or the work of a criminal outfit. “Attribution is always difficult. We can identify malware, but we can’t necessarily identify who is behind it, or who they work for. All we can say for certain is that this appears to have been a long term campaign with an interest in Korea,” Lee said. “The nature of the decoy documents suggests a certain degree of social engineering and targeting of victims. Yet at the same time, the malware does not appear particularly advanced.”

It has evolved, however. The September 2014 campaign, for example, used an image of a Myanmar temple as its decoy, while dropping Konni as a phony scvhost executable. It grabbed instructions from two command and control domains, phpschboy[.]prohosts[.]org and jams481[.]site[.]bz, and it could log keystrokes, steal browser cookies, and steal any data on the clipboard. Two years later, the campaign changed decoy documents, dropping instead Office documents in English and Russian titled “N. Korean hydrogen bomb can wipe out Manhattan: propaganda outlet.” These attacks used two binaries for the first time, dropped the malware into a different directory than the first attack, and reached out to a new C2 server at dowhelsitjs[.]netau[.]net. Remote administration functionality first surfaced in the 2016 campaign with file uploading and command execution capabilities.
Cisco said that the malware used in this campaign looked for filenames created with the previous version of Konni, indicating the attackers may have been targeting the same victims.

The post Stealthy RAT Targeting North Korea Since 2014 appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/stealthy-rat-targeting-north-korea-since-2014/
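The Konni article above publishes its command and control domains in defanged form (with `[.]` in place of each dot), which is how a defender would normally receive them. The following is an added example, not part of the article or of Cisco Talos' report: it refangs the five domains named on this page into a watchlist and scans DNS query logs for exact or subdomain matches. The log lines are constructed for the example in a simplified query-log format (timestamp, client address, query type, query name), and the `LOG_RE` layout is an assumption; adapt it to your resolver's actual format.

```python
import re

# The five C2 domains as published (defanged) in the Konni article above.
DEFANGED_IOCS = [
    "Pactchfilepacks[.]net23[.]net",
    "checkmail[.]phpnet[.]us",
    "phpschboy[.]prohosts[.]org",
    "jams481[.]site[.]bz",
    "dowhelsitjs[.]netau[.]net",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into a
    normalised, matchable form: lower-case, no trailing dot."""
    return (
        ioc.replace("[.]", ".")
        .replace("hxxp", "http")
        .strip()
        .lower()
        .rstrip(".")
    )


def build_watchlist(defanged):
    """Set of refanged domains to match DNS query names against."""
    return {refang(d) for d in defanged}


def domain_matches(qname: str, watchlist):
    """Return the watched domain that qname equals or is a subdomain of,
    or None. Subdomain matching is label-based, so 'notcheckmail.phpnet.us'
    would not match 'checkmail.phpnet.us'."""
    q = qname.lower().rstrip(".")
    for d in watchlist:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed sample DNS query log (not real telemetry). Assumed format:
#   <timestamp> client <src-ip> query <qtype> <qname>
SAMPLE_DNS_LOG = """\
2017-05-05T09:12:01Z client 10.0.5.23 query A www.example.org
2017-05-05T09:12:07Z client 10.0.5.23 query A checkmail.phpnet.us
2017-05-05T09:13:44Z client 10.0.7.9 query A cdn.update.dowhelsitjs.netau.net
2017-05-05T09:14:02Z client 10.0.5.23 query AAAA mail.corp.example
2017-05-05T09:15:30Z client 10.0.9.11 query A JAMS481.SITE.BZ
"""

# Assumed log layout; change this regex to fit the resolver you actually run.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$"
)


def scan_dns_log(text: str, watchlist):
    """Return one hit record per log line whose query name is on the watchlist.
    Each record carries the timestamp, source host, queried name and the
    indicator it matched, so an analyst can pivot on the client address."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        matched = domain_matches(m["qname"], watchlist)
        if matched:
            hits.append(
                {"ts": m["ts"], "src": m["src"], "qname": m["qname"], "ioc": matched}
            )
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, build_watchlist(DEFANGED_IOCS)):
        print(f"{hit['ts']} {hit['src']} queried {hit['qname']} (IoC: {hit['ioc']})")
```

Matching on the query name rather than the resolved address is deliberate: the article notes the infrastructure sits on a free shared webhost, so IP-based matching would generate false positives against unrelated sites on the same host. The case-insensitive, label-aware comparison also catches the upper-cased query and the subdomain in the sample without matching look-alike names that merely end in the same characters.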