Saturday, June 3, 2023

A bad IT manager blames his network management tools


NetworkTigers on network management tools and how to use them.

A poor workman blames his tools, the saying goes. Does the same hold true for network managers? What does a good network manager really need to prevent hacks, minimize disruption, and keep a network up and running at full capacity? Is network security and efficiency simply a result of the network management tools available, or is there more to the overall picture? 

New study findings show 75% of business communication happens via “old-school” methods such as phone calls and email attachments, rather than a centralized secure system

A new study from TechAnalysis Research finds that a majority of the time, a network manager’s main concern may be human rather than technological. The survey of over 1,000 employees, ages 18-74, illustrates that a majority of medium to large US businesses still utilize and seem to prefer “old school” communication methods such as email, text, or over the phone. Percentages do not vary drastically for older versus younger employees or with outside clients versus internal communications. Collaboration, meanwhile, is still done on less secure channels. Of those surveyed, 47% say that most internal collaboration largely occurs through emailing documents or using a shared network drive. Less than 25% of employees report using specialized company collaboration software. 

These findings are significant, as they show how easily risk gets introduced into an overall network. Even businesses that have invested in project management systems or SaaS solutions do not always use them, instead often copying and attaching documents to less secure email. This not only puts important documents at risk but can also involve duplication of work as employees transfer data from one tool to another to keep everyone on the same page.

Human error and network dysfunctionality

The University of North Georgia reports that even in today’s enlightened digital age, 95% of cybersecurity breaches are still due to human error. From phishing attempts, sharing passwords, incorrectly configured VPNs and more, the human element cannot be discounted when analyzing what causes tech failure. Even more so than disgruntled ex-employees, simple mistakes make up most network security issues. 

How can a network manager properly circumvent these kinds of breakdowns? Employee training and inter-departmental communication are key steps in creating a secure, flourishing network within a company, no matter how large or small.

Staffing issues and network management positions

The same University of North Georgia study finds that over 300,000 cybersecurity jobs in the U.S. remain empty. Meanwhile, job postings in tech have risen by 74% over the last five years. More network management positions are being created every day, but retention remains a challenge. Employee turnover has increased by 50-75% in recent years, as hiring managers struggle with endless cycles of re-skilling and recruiting. Too often, positions go unfilled with IT professionals being asked to take over multiple roles in a department. 

Couple this picture of understaffed IT departments, less than tech-literate employees and lax communication practices with the fact that there is a hacking attempt every 39 seconds, according to the University of Maryland. Is it any wonder that only 38% of organizations worldwide would describe themselves as ready to face a sophisticated cyber attack? The number even seems too high when you consider the kinds of cybersecurity failures and avoidable hacks that take place regularly.

Understanding the full picture of network efficiency and security

A network manager may only be as good as his network management tools – but more likely, he or she is only as successful as the rest of the team, as well as the prioritization that his or her department receives. All of the latest network tools can’t make a difference when they’re implemented by an understaffed, undersupported IT department. Additionally, even the most secure of networks can easily be compromised by employees who don’t know how to take network security seriously. 

IT services play an increasingly vital role in today’s economy and in every business’s infrastructure. It’s more than time that network professionals are taken seriously as they try to raise their voices about important concerns in today’s business landscape. 

Firewall evolution through the ages


NetworkTigers discusses firewall evolution and advances in technology.

Since the advent of the internet, firewalls have been a cybersecurity cornerstone and a network’s first line of defense. Initially basic devices that followed simple rules for filtering internet traffic, today’s firewalls perform many security functions and even employ machine learning to make security recommendations based on data they collect from your network. Let’s take a look at how firewall technology has evolved.

First, what does a firewall do?

Firewall evolution has made great strides, but firewalls essentially perform the same task: filtering network traffic to prevent unauthorized access to systems, applications and other components. A properly configured firewall keeps the “bad guys” from walking through the front door of a network, but it also prevents employees and other legitimate users from accidentally poking into areas they should stay away from.

Timeline: the creation and evolution of the firewall

1988: packet filtering systems

The first firewalls were created in 1988 by Digital Equipment Corporation (DEC). According to Palo Alto Networks, these early firewalls were “packet-filtering systems that inspected the information in the packets by looking at the destination address, its protocol, and the port number used. If the traffic did not match the packet filter’s rules, the firewall would take action by dropping the packet without a response or rejecting the packet with a notification to the sender.”

These primitive firewalls are referred to as stateless firewalls, as they did not track the state of the connection a packet belonged to; each packet was judged on its own. Firewall evolution was about to take a big step.

1989: stateful firewalls

As needs progressed and applications advanced, more robust security measures were needed. 

To meet this demand, AT&T Bell Labs created stateful firewalls, also known as Circuit Level Gateways. These firewalls can record all connections and data related to active sessions and connection states. 

A downside to these firewalls is their vulnerability to Denial of Service attacks, as they could be easily overwhelmed with junk connections.
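The difference between the stateless filters of 1988 and the stateful ones of 1989, and the state-table exhaustion behind the Denial of Service weakness just mentioned, as a small added simulation (this is not code from the original article; the rules, addresses, ports and table capacity are all constructed for illustration):

```python
"""Stateless vs. stateful packet filtering, as a small simulation.

Constructed example, not code from the original article. The stateless
filter judges each packet in isolation against an ordered rule list
(ACCEPT, DROP silently, or REJECT with a notification to the sender, as
described for the 1988 DEC design). The stateful filter adds a bounded
connection table, so replies to sessions it saw opened are accepted
without a static rule while unsolicited inbound packets are not. The
table's capacity is the resource that "junk connections" exhaust.
Addresses are constructed documentation-range values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP connection-opening flag; ignored for udp


@dataclass(frozen=True)
class Rule:
    action: str                       # "ACCEPT", "DROP" or "REJECT"
    proto: Optional[str] = None       # None matches any value for that field
    src_prefix: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix))
                and (self.dst is None or self.dst == p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


class StatelessFilter:
    """First matching rule wins; no memory of earlier packets."""
    def __init__(self, rules: List[Rule], default: str = "DROP"):
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


Key = Tuple[str, str, str, int, int]   # src, dst, proto, sport, dport


class StatefulFilter(StatelessFilter):
    """Same rules, plus a bounded connection table keyed by 5-tuple."""
    def __init__(self, rules: List[Rule], max_entries: int, default: str = "DROP"):
        super().__init__(rules, default)
        self.max_entries = max_entries
        self.table: set = set()
        self.table_full_drops = 0      # session openings lost to exhaustion

    def decide(self, p: Packet) -> str:
        fwd: Key = (p.src, p.dst, p.proto, p.sport, p.dport)
        rev: Key = (p.dst, p.src, p.proto, p.dport, p.sport)
        if fwd in self.table or rev in self.table:
            return "ACCEPT"            # belongs to a session already tracked
        verdict = super().decide(p)
        if verdict != "ACCEPT":
            return verdict
        if p.proto == "tcp" and not p.syn:
            return "DROP"              # mid-stream TCP for a session never opened
        if len(self.table) >= self.max_entries:
            self.table_full_drops += 1
            return "DROP"              # table exhausted: cannot track a new session
        self.table.add(fwd)
        return "ACCEPT"


INSIDE = "10.0.0."                     # constructed internal network prefix
RULES = [
    Rule("REJECT", proto="tcp", dport=23),                      # telnet: refuse, tell sender
    Rule("ACCEPT", proto="tcp", dst="203.0.113.10", dport=80),  # published web server
    Rule("ACCEPT", src_prefix=INSIDE),                          # inside hosts may go out
]
# A stateless filter cannot tell a reply from an unsolicited packet, so the
# classic workaround was a static hole keyed on the well-known source port.
STATELESS_RULES = RULES + [Rule("ACCEPT", proto="udp", sport=53)]


def run_scenario() -> dict:
    """Run the same constructed traffic through both filters.
    Returns {name: (stateless verdict, stateful verdict)}."""
    stateless, stateful = StatelessFilter(STATELESS_RULES), StatefulFilter(RULES, 64)
    traffic = {
        "dns_query":   Packet("10.0.0.5", "198.51.100.1", "udp", 53000, 53),
        "dns_reply":   Packet("198.51.100.1", "10.0.0.5", "udp", 53, 53000),
        "unsolicited": Packet("198.51.100.1", "10.0.0.5", "udp", 53, 54321),
        "telnet_in":   Packet("192.0.2.7", "203.0.113.10", "tcp", 40000, 23, syn=True),
        "web_in":      Packet("192.0.2.7", "203.0.113.10", "tcp", 40001, 80, syn=True),
        "web_no_syn":  Packet("192.0.2.8", "203.0.113.10", "tcp", 40002, 80),
    }
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in traffic.items()}


def exhaust_table(max_entries: int = 64, junk: int = 200) -> Tuple[int, int, str]:
    """Fill the table with half-open SYNs to the permitted web port from many
    sources, then check whether a legitimate new outbound session is still tracked.
    Returns (table size, openings dropped for lack of space, verdict on legit session)."""
    fw = StatefulFilter(RULES, max_entries=max_entries)
    for i in range(junk):
        fw.decide(Packet(f"192.0.2.{i % 250 + 1}", "203.0.113.10", "tcp", 50000 + i, 80, syn=True))
    legit = fw.decide(Packet("10.0.0.9", "198.51.100.2", "tcp", 45000, 443, syn=True))
    return len(fw.table), fw.table_full_drops, legit
```

In `run_scenario` the stateless filter lets the unsolicited packet through the source-port hole that the stateful filter no longer needs; `exhaust_table` shows the trade-off, where a flooded table starts dropping legitimate new sessions.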

1991: application layer firewalls

DEC reclaimed the spotlight to usher in the next generation of technology in the form of the application layer firewall. Called a DEC SEAL (Secure External Access Link), this new firewall was able to examine the data moving to and from all running software. It was created specifically to protect computers from malware. 

1994: the firewall toolkit (FWTK)

Security was further boosted in the mid-90s when the Firewall Toolkit (FWTK) was developed by Marcus Ranum, Wei Xu and Peter Churchyard. This application firewall would become the foundation upon which one of the first commercial firewall products, Trusted Information Systems’ Gauntlet, would be built.

Able to determine the legitimacy of File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) traffic, this new technology could better sort malicious connection attempts from real ones, making it harder for threat actors to achieve successful Denial of Service attacks.

2004: UTM firewalls

The International Data Corporation (IDC) coined the term Unified Threat Management (UTM), which was then applied to firewalls that serve as cybersecurity Swiss Army knives. UTM firewalls provide system defenses in the form of web filtering, gateway antivirus protection, intrusion prevention systems, VPNs and more. These firewalls still act as traffic filters but offer comprehensive tools for real-time network security and monitoring.

2009: NGFWs

The Next-Generation Firewall (NGFW) was developed, building further on UTM technology. NGFWs combine the previously developed features with tools that include Deep Packet Inspection (DPI), sandboxing, application control, URL filtering, network profiling and more.

NGFWs allow for the support of secure, encrypted traffic to protect data from unauthorized viewing. They provide administrators with deep, granular visibility into applications and user activity and they can identify evasive maneuvers used by threat actors to sneak into networks.

NGFWs also allowed for flexibility, as they were offered in physical and virtual options.

2020: ML-Powered NGFWs

The early 2020s saw a significant firewall evolution in the form of ML-Powered NGFWs. These firewalls use machine learning to predict threats and deliver improved network protection.

Until now, firewalls were reactive tools that required manual updates and maintenance. They were integral security components but did not take a lead role in security and acted exclusively as static fortifications. 

The integration of machine learning, however, turns tradition on its head. ML-Powered NGFWs can identify modern threats and even their variants. They can flag network behavior abnormalities and, because they scan and analyze so much network telemetry, they can make security recommendations tailored to specific systems. ML-Powered NGFWs perform these tasks and report continually in real time, even protecting users from zero-day exploits.

Whereas older firewalls acted as stationary turrets, machine learning has given firewall technology the ability to patrol and present complete visibility into network devices, activity and trends.

Cloud-based firewalls

The advent of the cloud has also had a dramatic effect on firewall technology and usage. Users no longer have to own or purchase equipment and applications that require space, monitoring and maintenance, as cloud-based firewalls exist offsite and are serviced by a third-party administrator. While moving to the cloud is often undertaken to streamline processes or save money, traditional software and hardware-based firewalls still have a leg up on them in some situations.

Cloud firewall pros and cons

Cloud firewalls can be quickly deployed, don’t require owning any hardware and are automatically updated and maintained. Cloud firewall users also don’t need to hire IT administrators to keep their systems streamlined and functional.

However, cloud firewall users are at the mercy of third-party providers which may be unsettling. Additionally, they aren’t as customizable as in-house options and can potentially slow your network down. 

Traditional firewall pros and cons

Software and hardware-based firewalls give users complete control over their security. They can be customized to suit an organization’s specific needs and allow for independence, as a third-party company is not involved in deployment. In many cases, in-house firewalls are also faster than those running in the cloud.

While the cost of purchasing hardware can be a deterrent, moving to the cloud can be more expensive once subscription fees are totaled up. Additionally, organizations can save a great deal of money by investing in refurbished firewalls purchased from reputable dealers. Traditional firewalls require maintenance, however, so an IT administrator must be on hand.

The future of firewall evolution

While the tech sector has seen devices and applications come and go, firewall progress is more relevant than ever in today’s cyber environment. 

The introduction of ML-Powered NGFWs is likely the tip of the iceberg compared to future firewalls. Advances in AI will make them smarter, stealthier and better at blocking threats. As machine learning becomes deeper and more agile, tomorrow’s firewalls may more accurately predict threats before they materialize and continue to give hackers a run for their money.

Cybersecurity news roundup March 20, 2023


SAN MATEO, CA, March 20, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

LA Housing Authority breached for an entire year, LockBit claims to have 15TB of data

The Housing Authority of the City of Los Angeles (HACLA), in a statement that follows up on a ransomware attack disclosed earlier this year, says that it suffered “unauthorized access to certain servers between January 15 2022 through December 31 2022.” The servers reportedly contained personal data including names, Social Security numbers, dates of birth, passport numbers, driver’s license numbers or state identification numbers, tax identification numbers, military identification numbers, and more. Ransomware gang LockBit is taking credit for the breach and claims to have collected over 15TB of information they plan to publish or sell on the dark web.

ALPHV ransomware gang claims to have hacked Amazon’s Ring

The ALPHV cybercrime gang has claimed it hacked Amazon’s Ring, a popular security and doorbell camera manufacturer, with their BlackCat ransomware. The gang is threatening to leak the company’s data on its site, even though Ring has said there is no evidence that any of its systems have been breached. The company stated that a third-party vendor they work with recently experienced a “ransomware incident,” clarifying that no customer data is in their possession and that they’re awaiting more details on the breach.

New Golang-based GoBruteforcer observed in the wild

GoBruteforcer is a new Golang-based malware that has been observed attacking “web servers running phpMyAdmin, MySQL, FTP, and Postgres to corral the devices into a botnet.” The vector by which GoBruteforcer is delivered has yet to be determined, and the malware appears to be built specifically to attack “Unix-like platforms running x86, x64 and ARM architectures.” According to Palo Alto Networks Unit 42 researchers, the malware uses a “Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack” and the developers responsible for it “chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target.”

Fraudulent ChatGPT extension infecting Chrome users to make malicious Facebook ads

A fake ChatGPT extension for users of Google’s Chrome web browser can hijack a victim’s Facebook account and use it to create fake ads for the malware at the account holder’s expense. Threat actors have been employing this tactic to create an “army of Facebook bots.” The extension, called “Quick access to ChatGPT,” has been pulled from the Google Play store, but not before gaining around 2,000 downloads a day since its appearance on March 9. Fake browser extensions are one of the many ways that threat actors have capitalized on the popularity of ChatGPT.

Dangerous “Medusa” ransomware gaining momentum in 2023

A ransomware outfit called Medusa has been increasingly active in 2023, demanding millions of dollars from victims worldwide. While it is unknown if Medusa has a Linux encryptor, attacks on Windows systems allow the threat actor to determine how they wish to encrypt targeted data. To make decryption even more challenging, Medusa ransomware also runs a command to “delete locally stored files associated with backup programs, like Windows Backup. This command will also delete virtual disk hard drives (VHD) used by virtual machines.” There is currently no way to decrypt affected files for free.

AI-generated YouTube videos are being used to spread malware

Threat actors have been leading victims to download infostealer malware including Raccoon, RedLine, and Vidar. The videos appear as though they offer viewers cracks for software such as Photoshop or Office, and they appear at an alarming rate. After hacking into a legitimate account, attackers direct viewers to malicious links and even populate the videos with fake comments to make them appear legitimate. While account recovery can take as little as a few hours, those with large followings could see hundreds of clicks in a short amount of time.

Clop ransomware gang extorting companies with zero-day Fortra GoAnywhere bug

Last month, developers working on the GoAnywhere MFT file transfer solution disclosed that a zero-day remote code execution vulnerability had been found and exploited. The Clop ransomware gang has claimed credit for the attacks, claiming to BleepingComputer that they exploited the flaw over the course of 10 days, targeting 130 companies. Reports of demands have been coming in, lending credence to Clop’s claims. While ransom amounts have not yet been disclosed, Clop has previously demanded as much as $10 million for similar attacks.


Cybersecurity priorities study released


NetworkTigers discusses cybersecurity priorities in 2023.

The most recent Foundry study has been released offering up a clearer picture of the field as it stands at the start of 2023. The 2022 study surveys some of the top cybersecurity officials worldwide to illustrate and explore some of the main concerns, issues, and progress observed by a variety of businesses in the realm of cybersecurity.

Some of the top issues highlighted by the study illustrate that data security is finally beginning to be recognized as the cornerstone of business success that it is in today’s day and age. Some, however, point to worrying trends as businesses continue to overlook much-needed data security upgrades and developments.

Key takeaways from the 2022 Foundry study

Foundry’s Security Priorities Study 2022 consulted with 872 security industry leaders. Of the respondents, 55% were located in North America, 18% Europe, the Middle East, and Africa (EMEA respondents), and 27% were located in the Asia Pacific region (APAC respondents).  

In many ways, cybersecurity leaders believe their industry is finally valued and understood as a major factor in creating a more stable and lasting business model. Gone are the days when IT and tech support were seen as optional or an area to cut corners. Instead, the results from this year’s study report that 82% of top IT cybersecurity executives regularly engage with the board. Respondents from all regions reported that they meet with the board of their respective companies at least once a quarter and up to multiple times a month. This helps illustrate the amount of respect and attention cybersecurity has gained in recent years from business leaders in general.

This renewed focus is likely partly a result of several high-profile hackings, such as SolarWinds and other notable data breaches. With the global cost of cybercrime expected to reach $8 trillion in 2023, it is no surprise that businesses worldwide are dedicating more face time to top IT cybersecurity professionals.

On the other hand, a whopping 90% of security leaders also believe that one of the main issues they face is convincing every area of their respective organization to take cybersecurity seriously, and invest the attention and resources necessary to combat evolving threats. This 90% believes their organization is not properly addressing cyber risk, despite their efforts. 

The following are the top three priorities of cybersecurity professionals in order to help their organizations understand the true cost of cybercrime:

  1. Increasing preparedness to respond to possible future security incidents
  2. Upgrading IT and data security 
  3. Improving security awareness among end-users

The main trend continues to be a significant allocation of overall IT spending on security. An average of $65 million is allocated per annum towards security but varies greatly depending on the size of the organization in question. For larger enterprises, data security spending reaches $122 million on average. For small businesses, the number tops out at $16 million. This, however, represents a significant increase from 2020’s average small business IT security budget of just $5.5 million. In just two years’ time, the amount dedicated towards security has more than tripled for the average small business worldwide. 

Some of the top investments in security are:

  • SOAR (34%)
  • Zero Trust technologies (32%)
  • SASE (32%)
  • Deception technologies (30%)
  • Ransomware brokers (30%)

Another evolving trend in the field of corporate risk protection is cyber insurance. Most businesses report now holding cyber insurance policies and rating them favorably. On average, respondents rate their insurance policy 7.9 on a scale of 1-10, with 10 being most satisfied.

The most common concern in cybersecurity 2022

Most cybersecurity professionals could easily predict the answer to the following trend. When asked if they were aware of what caused security incidents in their organization over the course of the covered year, 87% said that they did know exactly where the risks had originated from. Additionally, the majority report that the risks originated with non-malicious user errors. 

This statistic illustrates a common theme in cybersecurity. One of the biggest risks to an organization’s data security is the employees who work there. At times, the risk may be due to a disgruntled ex-employee, but all too often it comes from the average user who either does not know how to or does not care to protect their own data access points. 

User error is commonly cited as one of the top issues that security professionals face. According to a separate IBM Cyber Security Intelligence Index Report from 2022, 95% of all data breaches are due to human error. 

To address this concern, security experts report that employee awareness and training is among the top issues that pull time from their day. Close behind are unanticipated business risks, which demand attention 25% of the time, while meeting the demands of regulatory compliance leads the pack at 28%.

“The WiFi is down” should be a thing of the past


NetworkTips on improving wireless infrastructure and banishing “the WiFi is down” from your vocabulary.

How often have you heard the dreaded complaint, “the WiFi is down”? Fast and reliable WiFi is one of the most important elements of a home office and, increasingly, a comfortable living space. WiFi connects us not only to the world outside but also to all of the smart devices, computers, consoles, entertainment units, and more that we rely on every day.

If you’re struggling with WiFi connectivity issues, there are many steps that you can take to check to make sure you’re optimizing your current network setup, as well as certain upgrades you might want to consider to your gear. Whatever the issue, investing in reliable, fast WiFi is one of the most important steps you can take to ensure you can work, relax, stream, and download in comfort. 

Quick fixes for faster internet

Before you consider changing your existing network gear, there are some tried and true fixes you can take first with what you already have in place. The following steps can help optimize your network setup and ensure that your router is working at its fullest capacity.

  1. Move your router: We don’t always think of it because WiFi is invisible, but putting your router in certain locations can cause issues with your connection. The most common blockage to your WiFi connection may be your neighbor’s setup. Apartment buildings often share crowded 2.4 GHz band networks, causing slower download times as networks jostle for access. If you share a wall with your neighbor, move the router to another area. 

Other common blockages include microwaves, TVs, and other appliances. Although it may be tempting to hide the tangled wires, never set up a router behind a television set, as this can lead to weakened signals and interference. When in doubt, avoid setting up the router by any appliances, especially older microwaves and anything that uses radio frequency, such as baby monitors. 

Finally, if you’ve moved the router away from all of your other appliances, you may still want to check on the layout of your space. Older homes and buildings with concrete or masonry walls, or thick timber can cause disrupted signals. So too can areas of water, such as large aquarium tanks. While you likely won’t be able to redesign the walls of your home, you might want to consider setting up your home office in the room with the router setup to reduce blockages. And definitely avoid setting up the aquarium in the same room if you have one. 

  2. Change bands: Most current routers operate off of two frequencies, 2.4 GHz and 5 GHz. Both have their own strengths and weaknesses. For instance, 5 GHz offers faster connections but less signal strength. 2.4 GHz is a better choice for connections further away from the router but is slower and more susceptible to radio interference. If one band isn’t working for you, try changing to the other.
  3. Change your WiFi password: Prioritizing your network security can save you not only time and worries but also money. Cybercrime will cost the world $8 trillion in hacks, data breaches, stolen assets, ransoms and more in 2023. The number is only predicted to grow up to $10.5 trillion annually by 2025. One of the fastest ways you can keep your network secure and prevent WiFi leeches from draining off your signal is to ensure you’re operating on a private network with a secure password.

Useful upgrades for a better wireless network 

If you’ve tried everything above already, there are several steps you can take in addition to optimize your network connections: 

  1. Check your plan: Some carriers offer higher-speed access with an upgrade. It can’t hurt to check to see if your carrier has a better offer that will make your WiFi network complaint free. In today’s economy, investing in high-speed internet is investing in your own connection to the world.
  2. Consider a WiFi booster: For larger area layouts, a WiFi booster may do the trick to strengthen the signal throughout every room. A booster works by picking up the signal from your current router and amplifying it. It then rebroadcasts the stronger signal to devices. While they come in wireless and wired varieties, Network Tigers recommends choosing a wired or powerline booster for stronger, faster connections. Wireless boosters, while convenient, are subject to the same issues that might already be affecting your existing router, such as thick walls and radio interference. A wired booster, on the other hand, plugs directly into coaxial cable and so is a more fool-proof choice. Additionally, powerline boosters can be plugged directly into an electrical outlet in whatever area is having trouble being reached by your current signal.
  3. Try a mesh network: If more than one area is a problem, if you’re trying to cover over 3,000 square feet with signal, or if you have a non-traditional layout with brick or concrete walls, then a mesh network might be the fix you need. A mesh network conjoins two or more routers into one stronger, flexible WiFi network. Mesh WiFi is designed to fill in dead zones while auto-selecting the strongest network to join to deliver the signal. Once installed, it works seamlessly, so unlike with an extender, you won’t have to switch to another network in certain areas.

Ready for the final step? You may want to consider switching to the newest generation of WiFi available, WiFi 6. WiFi 6 is engineered to reach up to 9.6 Gbps. That’s compared to the 3.5 Gbps averaged by WiFi 5. This lightning-fast connectivity is more than you would ever need for just one device. However, the benefits are designed to be shareable across multiple devices simultaneously, so you can stream, download, and access the internet across one existing network faster, better, and more securely. When it comes to making your network complaint-free, WiFi 6 is the latest option on the market to ensure you have the best possible system setup.

Cybersecurity news March 13, 2023


SAN MATEO, CA, March 13, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Hackers hitting SonicWall SMA devices with TinyShell backdoor malware

A hacking campaign believed to be tied to China has been observed attacking unpatched SonicWall Secure Mobile Access 100 devices with malware. The malware, “a collection of bash scripts and a single ELF binary identified as a TinyShell backdoor,” is designed to give an attacker access to SonicWall devices so that they may “steal user credentials, provide shell access, and persist through firmware upgrades,” according to a statement from security firm Mandiant. How the malware is delivered is currently not confirmed, although researchers suspect that attackers have been taking advantage of known security flaws to do so.

Data belonging to 9 million AT&T customers exposed in hack of third-party vendor

The hack of a third-party marketing vendor in January exposed data belonging to around 9 million AT&T customers, according to a statement by the company. The breach has exposed customer names, wireless account numbers, wireless phone numbers, and email addresses, but AT&T has said that no Social Security numbers, passwords, or payment information was leaked. The name of the compromised vendor has not been released and AT&T has notified law enforcement of the incident.

US House of Representatives member data for sale on dark web following breach of healthcare administrator

The FBI is currently investigating the breach of DC Health Link, the organization that members of the US House of Representatives use for healthcare plans. In an email to those impacted, Catherine L. Szpindor, the U.S. House Chief Administrative Officer, said that thousands of enrollees may have had their Personal Identifiable Information (PII) exposed. The data is up for sale on the dark web with the broker, under the name IntelBroker, claiming to have already sold it. A sample of the data shows that the breach has affected 170,000 individuals, exposing their names, addresses, Social Security numbers, phone numbers and more.

Fortinet issues patches for 15 security bugs, one of which can allow remote access

Fixes for 15 security vulnerabilities have been released by Fortinet, with one in particular addressing a critical bug that could give an attacker remote access. Fortinet has described the flaw as “a buffer underwrite (‘buffer underflow’) vulnerability” in the FortiOS and FortiProxy administrative interface. The bug can also be exploited to cause memory corruption. The flaw has not been witnessed in the wild, but Fortinet users are encouraged to update immediately to secure their systems.

A dual-pronged “Hiatus” cyber espionage campaign is targeting DrayTek routers servicing medium-sized businesses

A campaign has been discovered in which threat actors are infecting DrayTek routers with malware to both steal data and “co-opt routers to become part of a covert command-and-control (C2) infrastructure for mounting hard-to-trace proxy campaigns.” The hackers are using two binaries to achieve this task: tcpdump, a utility that “monitors router traffic on ports associated with email and file-transfer communications on the victim’s adjacent LAN” and HiatusRAT, which can allow remote control over the infected router. Researchers believe that, based on the amount of data collected, the campaign is being spearheaded by a state-backed actor.

CISA adds three new flaws to its Known Exploited Vulnerabilities catalog

CISA’s Known Exploited Vulnerabilities Catalog (KEV) has been updated with three flaws, all of which have been observed being exploited in the wild. CVE-2022-35914 (CVSS score: 9.8), the most severe of the three, is a remote code execution vulnerability in Teclib GLPI, an IT asset management system. CVE-2022-33891 (CVSS score: 8.8) is a command injection vulnerability in Apache Spark. CVE-2022-28810 (CVSS score: 6.8) is a remote code execution vulnerability in Zoho ManageEngine ADSelfService Plus. Read more.

Hackers using Windows Mock Folders UAC bypass to distribute Remcos RAT

A new phishing campaign sees threat actors dropping the Remcos RAT using an old Windows User Account Control (UAC) bypass that still works today. Victims receive a fake invoice carrying a DBatLoader executable inside a tar.lz archive; the unusual archive format is thought to help the attachment evade detection. “Before loading Remcos RAT, DBatLoader creates and executes a Windows batch script to abuse a Windows UAC bypassing method documented in 2020.” Read more.
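The “mock folder” bypass referred to above works because Windows’ trusted-directory check normalizes paths: a folder named `C:\Windows \System32` (note the space after `Windows`) passes as the real System32 for auto-elevation, while to the file system it is an ordinary directory that a standard user can create. The check below, an added example and not code from the original page or from any vendor report, strips trailing spaces and dots from each path component (as Win32 normalization does) and flags any directory that only matches a trusted location after that stripping. `SAMPLE_DIRS` is a constructed sample; `scan_drive()` is the same logic over a real Windows drive, and the trusted-directory list is an assumption you should extend for your environment.

```python
"""Detect "mock" trusted directories used for the Windows UAC bypass described
above. Added example (not the page's code). SAMPLE_DIRS is constructed.
"""
import os

# Directories whose contents Windows allows to auto-elevate (assumption: the
# minimum a practitioner would watch; extend as needed).
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
)


def normalize(path: str) -> str:
    """Mimic Win32 normalization: strip trailing spaces and dots from every
    component, unify separators and case."""
    parts = path.replace("/", "\\").split("\\")
    return "\\".join(p.rstrip(" .") for p in parts).lower()


def is_mock_trusted_dir(path: str) -> bool:
    """True if the path is NOT literally a trusted directory (or inside one)
    but normalizes to one, i.e. it impersonates a trusted location."""
    literal = path.replace("/", "\\").lower()
    norm = normalize(path)
    if literal == norm:
        return False  # nothing was stripped, so this is the genuine path
    return any(norm == t.lower() or norm.startswith(t.lower() + "\\")
               for t in TRUSTED_DIRS)


def find_mock_dirs(paths):
    """Return every path in `paths` that impersonates a trusted directory."""
    return [p for p in paths if is_mock_trusted_dir(p)]


def scan_drive(root="C:\\"):
    """Walk a real system drive and report mock directories (Windows only)."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if is_mock_trusted_dir(full):
                found.append(full)
    return found


# Constructed sample of directory paths as a walk of C:\ might return them.
SAMPLE_DIRS = [
    r"C:\Windows\System32",
    r"C:\Windows\System32\drivers",
    r"C:\Windows \System32",            # trailing space after "Windows": mock folder
    r"C:\Windows \System32\drivers",
    r"C:\Windows.\SysWOW64",            # trailing dot: the same trick
    r"C:\Users\alice\AppData\Local\Temp",
    r"C:\Program Files\Vendor\Tool",
]

if __name__ == "__main__":
    for hit in find_mock_dirs(SAMPLE_DIRS):
        print("mock trusted directory:", hit)
```

Run on a host, the three mock entries in the sample are reported and the genuine `System32` paths are not; an EDR rule that alerts on directory creation whose name ends in a space or dot under the drive root catches the same trick at the moment the loader sets it up.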

LastPass hack was possible due to vulnerability in engineer’s software unpatched for 3 years

As more information regarding the major hack of LastPass comes to light, it has been reported that attackers were able to compromise a company engineer’s home computer through a three-year-old, since-patched flaw in Plex (CVE-2020-5741). The vulnerability “allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user.” The engineer was running a build the developer describes as “75 versions ago.” The incident highlights the domino effect that neglecting software updates can have on security. Read more.

Play ransomware group attacks City of Oakland, begins leaking data

California’s City of Oakland is reeling from a ransomware attack last month that saw attackers access multiple government networks. The threat actors, associated with the Play ransomware gang, have begun releasing stolen information, which implies that city officials did not turn over a ransom payment. The attack has resulted in disruptions that include non-emergency systems, phone lines and permit applications being taken offline. It is currently unclear what data was stolen in the breach, but it is expected to contain personal information about city employees. Read more.

Researchers find flaw in quantum-resistant algorithm chosen by US government

Researchers have demonstrated a side-channel attack on CRYSTALS-Kyber, the quantum-resistant key encapsulation algorithm selected by the US National Institute of Standards and Technology (NIST) to protect future systems against attacks from quantum computers. The attack does not break the algorithm’s mathematics; it recovers secrets from a protected software implementation, using “side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU,” according to a paper released by Elena Dubrova, Kalle Ngo, and Joel Gärtner of KTH Royal Institute of Technology. In response to the findings, NIST’s Dustin Moody said “there exist papers that attack pretty much every cryptographic algorithm using side channels. Countermeasures are developed, and many attacks aren’t realistic or practical in real-world scenarios.” Read more.

More cybersecurity news

What is Secure Access Service Edge (SASE)?

secure access service edge

NetworkTigers discusses the functionality and benefits of Secure Access Service Edge security architecture.

Secure Access Service Edge (SASE) is a security architecture model that delivers converged security and networking as a service, including Zero Trust Network Access (ZTNA), Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Next-Generation Firewall (NGFW), and SD-WAN. SASE supports on-premises, remote working, and branch-office secure access use cases. In addition to security, SASE delivers higher productivity, improved collaboration, and better agility.

How does SASE work?

SASE combines cloud-based and networking security into a single-pass, high-performance model with centralized management. It decreases operational complexity while improving security posture and access performance. When a SASE model is implemented correctly, it eliminates legacy solutions and perimeter-based appliances. 

Instead of backhauling traffic to security appliances in a data center, users connect to the SASE provider’s nearest point of presence (PoP), which may be hosted in a colocation facility or on IaaS. The provider enforces security policy consistently there before forwarding the traffic to the data, services, and applications the user is allowed to reach. Traffic from endpoints and branch offices is encrypted on its way to the PoP and routed directly to its destination rather than through a central data center chokepoint.

In SASE, “edge” refers to the cloud vendor’s points of presence, running in its data centers and on its appliances. This edge connects applications, devices, and remote workers to your resources without a traditional VPN: users log in from any location, authenticate their identity, and are connected across the edge to services hosted on cloud platforms such as Azure and Google Cloud.

What are the benefits of SASE?

SASE frameworks provide distant and mobile employees with secure, reliable, fast access to cloud applications. Businesses that deploy a SASE model can enjoy the following benefits:

Least privileged access

SASE grants access to private applications per resource, based on the identity of the user, the application being requested, the device, and the surrounding context, as defined by policy. Applying the principle of least privilege (POLP) in this way limits an intruder’s lateral movement and the risk from unmanaged devices, because a connection to one application does not place the device on the network, and access can additionally be restricted by location or IP address.

Additionally, SASE applies zero trust principles: the network is assumed to be hostile, and every user and device must authenticate and satisfy policy (including device and location compliance) before a connection is allowed.
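What the two paragraphs above amount to in practice is a policy decision made per connection. The engine below, an added example that is not NetworkTigers’ code or any SASE vendor’s, shows the shape of that decision: default deny, a rule per application rather than per network, and a verdict that needs identity, MFA, device management, device posture, and location to all pass. The policies, user groups, and countries are constructed for illustration.

```python
"""Minimal ZTNA policy decision of the kind a SASE policy enforcement point
makes for every connection. Added example; policies and requests are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    groups: set
    mfa: bool             # did this session complete MFA?
    device_managed: bool  # enrolled, with the SASE agent reporting posture
    posture_ok: bool      # disk encrypted, EDR running, OS patched (agent-reported)
    country: str
    app: str


@dataclass
class AppPolicy:
    allowed_groups: set
    require_mfa: bool = True
    require_managed_device: bool = True
    allowed_countries: set = field(default_factory=set)  # empty = anywhere


# Constructed policy set: access is granted per application, never to "the network".
POLICIES = {
    "payroll": AppPolicy(allowed_groups={"finance"}, allowed_countries={"US"}),
    "wiki": AppPolicy(allowed_groups={"staff", "finance"}, require_managed_device=False),
}


def decide(req: Request, policies=POLICIES):
    """Return ("allow" | "deny", reason). Every check must pass; anything not
    covered by an explicit policy is denied."""
    pol = policies.get(req.app)
    if pol is None:
        return "deny", "no policy for application"
    if not (req.groups & pol.allowed_groups):
        return "deny", "user not in an allowed group"
    if pol.require_mfa and not req.mfa:
        return "deny", "MFA required"
    if pol.require_managed_device and not req.device_managed:
        return "deny", "unmanaged device"
    if req.device_managed and not req.posture_ok:
        return "deny", "device posture check failed"   # a managed device that drifted out of compliance
    if pol.allowed_countries and req.country not in pol.allowed_countries:
        return "deny", "location not permitted"
    return "allow", f"{req.user} -> {req.app}"


if __name__ == "__main__":
    print(decide(Request("alice", {"finance"}, True, True, True, "US", "payroll")))
    print(decide(Request("alice", {"finance"}, True, True, False, "US", "payroll")))
    print(decide(Request("bob", {"staff"}, True, False, False, "DE", "wiki")))
```

Note that a valid login from the right group is still refused when the device fails posture or the request comes from a disallowed country, and that a user with no policy for an application gets nothing, which is the property that stops a compromised account or device from wandering laterally.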

Threat reduction and prevention  

With a distributed control plane and data plane, the SASE model allows resources and applications to be masked, isolated, and segmented, so security can be enforced at several points along the access path. For instance, SASE supports inline decryption and re-encryption of traffic, letting it inspect encrypted sessions for hostile insiders and web-borne attacks such as ransomware, malware, and phishing.

SASE also includes continuous evaluation and risk profiling based on location, device, and user, so that every connection is assessed and secured rather than trusted once at login.

Enhanced user experience

When users sit on the corporate network and the organization runs the applications and infrastructure itself, user experience is easy to control. Yet many organizations still rely on the VPN model to connect users to the network for security, even with applications spread across many clouds. VPNs offer a poor user experience and, because the VPN concentrator must expose a public IP address, they add to the enterprise’s attack surface.

A SASE framework is cloud-native: it manages internet exchange peering proactively and optimizes connectivity to cloud services and applications to cut latency. Well-peered cloud services give end users a better experience while giving the security team end-to-end visibility.

Improved performance 

SASE is adaptable and efficient as it offers enhanced and faster access to the internet with a global network architecture optimized for high availability and high capacity. All your workers can access the resources they need securely and easily, regardless of location. You can adapt this model to suit your growing needs as new apps are introduced or new employees join your organization.

SASE reduces the number of separate security products your business needs by merging them into a single service, which simplifies management, improves network and application performance, and saves time and money. Network congestion also drops because traffic is routed along the cloud edge over optimized paths.

Cost savings 

The different types of third-party services you need to acquire, monitor and maintain can be reduced if you integrate security services into your network infrastructure. Using SASE’s single platform can help your IT team minimize the resources and the time they spend to handle the security services and the infrastructure within it. 

All of this translates into cost savings for your business, because SASE’s SaaS model supports rapid expansion and the adoption of new capabilities at lower cost. Delivered as Security-as-a-Service, SASE offers lower, predictable OpEx and eliminates CapEx for on-premises infrastructure.

Security features of SASE

SASE works by migrating all network controls and security to the cloud edge. It implements this process using the following components:

  • Software-Defined Wide Area Network (SD-WAN) – SD-WAN uses software to provide seamless connectivity across different underlying networks, forwarding packets over the best available path for your traffic.
  • Zero Trust Network Access (ZTNA) – ZTNA provides streamlined access to apps and data on the premise that no device or user is trusted by default; each must be authenticated and authorized before a connection to a specific application is permitted.
  • Secure Web Gateway (SWG) – SWG blocks access to harmful links and sites and keeps unknown or unsecured traffic from entering your network, shrinking the attack surface exposed to threats such as DDoS attacks.
  • Firewall as a Service (FWaaS) – FWaaS protects apps and data from unauthorized access and adds features such as DNS security and URL content filtering to identify harmful traffic before it reaches your network.
  • Cloud Access Security Broker (CASB) – CASB minimizes unauthorized access by providing role-based access to cloud applications and data, enforces regulatory compliance, and brings shadow IT under control.

Protect and manage your business network with a SASE model

SASE is an innovative network architecture solution to the cyber threats enterprises currently face in their IT environments. To learn more about how a SASE model can benefit your company, contact NetworkTigers today to explore secure remote or internet access services. We can help you choose the best options for a robust cloud-based security infrastructure.

Block ransomware with endpoint security best practices

endpoint security

NetworkTigers discussing best practices for endpoint security.

2022 was a banner year for ransomware, reinforcing that endpoint security plays a crucial role in your network’s safety. The year’s victims, from professional sports leagues and educational institutions to microchip manufacturers and federal governments, showed that many of the world’s largest organizations were not adequately protected and that ransomware operators had become bolder in both their choice of targets and their tactics. 

The effects and disruption caused by ransomware escalated to the extent that the FBI and CISA issued multiple statements containing steps for supply chain vendors and other organizations to follow to slow the avalanche of attacks. According to IDC, a third of all organizations globally have suffered a ransomware attack, a 13% increase over 2021.

As we forge into 2023, it’s become clear that ransomware will continue to be an existential cyber threat. However, this doesn’t mean that you are powerless against it. One of the best ways to safeguard your system against a ransomware attack is to employ endpoint security and strictly adhere to the following best practices. 

Regularly check every endpoint to ensure that it is protected and current

A missed update or accidental misconfiguration can be all an attacker needs to initiate an attack against your network. Ensure that all security options are engaged and endpoints use the most current software to maintain optimum security. Whether manually or automatically, regular scans of all endpoints are critical.

Enable and require multi-factor authentication

Even though hackers are becoming adept at circumventing MFA in some cases, this additional level of security is still recommended, as it places another obstacle between an attacker and your system. 

Enable all security features

Endpoint security solutions are loaded with options. Ensure all your features are enabled to limit what types of threats may slip through the cracks, especially those that specifically detect behavior indicative of a ransomware attack. 

Regularly review your exclusions

Exclusions exist to keep your security solution from spending resources scanning trusted files, but they accumulate, and a list that has grown broad (whole directories, wildcards, or executable file types) will eventually cover malicious files that an attacker drops into an excluded path or saves with an excluded extension. Review the list regularly, remove entries nobody can justify, and make each remaining exclusion as specific as possible (a single file or folder rather than a wildcard or a file type) so that malware cannot hide behind it.

Maintain excellent IT hygiene

Keeping your IT neat, tidy and current is paramount regardless of what you are protecting. Good hygiene requires consistently updating, streamlining, backing up, refreshing, scanning and monitoring your systems to promote speedy operation and airtight security. From configuration errors to components that no longer receive manufacturer support, even minor missteps can spell doom if an opportunistic hacker discovers them.

Limit data access

Be sure to adhere to a data access hierarchy: restrict access by role or department, and require MFA for the most sensitive data. Limiting what each account can reach prevents lateral movement through your systems even if a hacker gains a degree of access.

Data encryption

A VPN encrypts data in transit and keeps your traffic confidential; data at rest needs encryption too. From specific files to physical hard drives and cloud drives, encrypt critical data so that even if access is gained, it is useless to an attacker. This is a fundamental tenet in today’s world of remote workforces, as opportunities for thieves to make off with employee laptops, drives or other endpoint devices have multiplied.

Enable automatic updating and patching on all devices and apps

Automatic patching pushes updates onto your devices as soon as they are released, keeping endpoint security current. With threat actors continually scanning for newly disclosed vulnerabilities, an automatic update may be the difference between a safe network and an intrusion that lands in the hours before you would have installed the patch by hand.

Maintain a strict Bring Your Own Device (BYOD) policy

Employees using personal devices to access company networks or drives is a Pandora’s box of security issues. However, many organizations allow it because it saves them from issuing hardware to their staff and keeps remote employees engaged with work. A BYOD policy should be in place that heavily restricts which devices can connect to the company network, which apps they are allowed to use, and which websites can and cannot be visited. Organizations dealing with especially critical or dangerous data should provide devices to their workers with these restrictions in place.

Employ Advanced Endpoint Protection (AEP)

While antivirus software and firewalls remain foundational endpoint security components, modern threats can sometimes slip by these measures. Traditional methods excel at blocking known threats, from popular Trojans to spyware. AEP uses artificial intelligence and machine learning to identify unknown threats, protecting your network from fileless malware, script-based attacks and zero-day threats that have yet to become publicized. As threat actors themselves leverage machine learning against their victims, 2023 is predicted to be the year that sees dueling AIs duke it out over everything from network control to physical battlefield supremacy.

Continually reinforce the importance of awareness

Regardless of the technology, it would seem that the human element will continue to be a weak spot when it comes to endpoint security for the foreseeable future. Attackers know this; many have turned to social engineering instead of password cracking to persuade victims to simply hand over the keys. From regular newsletters highlighting current threats to meetings that refresh employees on how to identify scammers, the importance of vigilance can’t be overstated.

Look to the future

In addition to awareness, staff should be kept up to date on the cutting edge of the cyber threat landscape. Policies should give workers a way to verify, through a separate channel, that a message really came from the coworker or superior it claims to, which defeats most spear phishing schemes. As deepfake technology lets threat actors produce convincing video messages and audio calls, workforces must understand what is around the bend before it lands in their laps.

Cybersecurity news weekly roundup March 6, 2023

roundup march 6

SAN MATEO, CA, March 6, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

CISA: beware of Royal ransomware, operated by former Conti gang members

CISA has issued a warning regarding the capabilities of Royal ransomware. According to the agency, “after gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.” The operators of Royal are believed to be Conti Team One, an offshoot of the highly capable Conti Russian ransomware gang that was dismantled last year. Royal can infect Windows or Linux systems and attackers can choose what percentage of files to encrypt, lowering chances of detection. Read more.

BlackLotus malware has been updated to bypass security patches

The BlackLotus UEFI bootkit has been updated with Secure Boot bypass capabilities, meaning that even fully patched Windows 11 systems can be infected. BlackLotus emerged last year with features that let it evade antivirus programs and is notable as the “first public example of UEFI malware that can avoid the Secure Boot mechanism, thus being able to disable security protections that come with the operating system.” Microsoft patched the underlying vulnerability (CVE-2022-21894) in January 2022, but the vulnerable, validly signed boot binaries have not been added to the UEFI revocation list, so the bootkit simply brings its own copies of them and loads those. Read more.

“Decider” is a free tool created by CISA to help MITRE ATT&CK mapping

“Decider” is an open-source tool released by CISA to help security pros map findings to the MITRE ATT&CK framework when writing reports. By adopting and standardizing this framework, organizations can more easily and effectively share findings related to cyberattacks and threat actor behavior. According to CISA, “Decider helps make mapping quick and accurate through guided questions, a powerful search and filter function, and a cart functionality that lets users export results to commonly used formats.” It can be downloaded from CISA’s GitHub, and the agency encourages users to submit feedback and feature suggestions for the software. Read more.

CISA: ZK Java Framework RCE flaw being exploited by hackers

CISA reports that it has added CVE-2022-36537 to its Known Exploited Vulnerabilities Catalog, as the remote code execution flaw within ZK Framework has been observed being exploited in the wild. The flaw allows threat actors to view and retrieve file contents “by sending a specially crafted POST request to the AuUploader component.” Federal agencies have until March 30th to apply the security updates needed to patch the vulnerability. According to the agency, “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.” Read more.
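Both this item and the earlier one on the three GLPI, Spark, and ADSelfService Plus entries boil down to the same operational task: find out whether anything in your estate matches a KEV entry and patch it before the due date. The script below, an added example that is not NetworkTigers’ or CISA’s code, matches a software inventory against catalog entries and orders the result by due date. `SAMPLE_KEV_JSON` is a constructed excerpt that follows the field names of the real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) with illustrative dates, and `INVENTORY` is a constructed asset list. One caveat the feed itself imposes: KEV entries carry no affected-version ranges, so a match means “verify the version and patch”, not “confirmed vulnerable”.

```python
"""Match a software inventory against CISA KEV catalog entries and produce a
remediation list ordered by due date. Added example; SAMPLE_KEV_JSON and
INVENTORY are constructed (field names follow the real feed, dates are illustrative).
"""
import json
from datetime import date

SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2022-35914", "vendorProject": "Teclib", "product": "GLPI",
     "vulnerabilityName": "Teclib GLPI Remote Code Execution Vulnerability",
     "dateAdded": "2023-03-07", "dueDate": "2023-03-28"},
    {"cveID": "CVE-2022-33891", "vendorProject": "Apache", "product": "Spark",
     "vulnerabilityName": "Apache Spark Command Injection Vulnerability",
     "dateAdded": "2023-03-07", "dueDate": "2023-03-28"},
    {"cveID": "CVE-2022-28810", "vendorProject": "Zoho", "product": "ManageEngine ADSelfService Plus",
     "vulnerabilityName": "Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability",
     "dateAdded": "2023-03-07", "dueDate": "2023-03-28"},
    {"cveID": "CVE-2022-36537", "vendorProject": "ZK", "product": "Framework",
     "vulnerabilityName": "ZK Framework AuUploader Vulnerability",
     "dateAdded": "2023-02-27", "dueDate": "2023-03-30"}
  ]
}
"""

# Constructed asset list, as an inventory/CMDB export might provide it.
INVENTORY = [
    {"host": "glpi-01", "vendor": "Teclib", "product": "GLPI"},
    {"host": "spark-edge", "vendor": "Apache", "product": "Spark"},
    {"host": "adss-01", "vendor": "Zoho", "product": "ManageEngine ADSelfService Plus"},
    {"host": "web-portal", "vendor": "ZK", "product": "Framework"},
    {"host": "fileserver", "vendor": "ExampleCorp", "product": "Backup Agent"},  # no KEV entry
]


def load_kev(text):
    """Parse the KEV feed (same shape as the real JSON) into a list of entries."""
    return json.loads(text)["vulnerabilities"]


def _key(vendor, product):
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(kev_entries, inventory):
    """Pair every asset with the KEV entries whose vendor/product match it."""
    by_product = {}
    for entry in kev_entries:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "due": date.fromisoformat(entry["dueDate"]),
            })
    return findings


def prioritize(findings, today):
    """Annotate each finding with days left (negative = overdue) and sort so
    the most urgent items come first."""
    annotated = [{**f, "days_left": (f["due"] - today).days} for f in findings]
    for f in annotated:
        f["overdue"] = f["days_left"] < 0
    return sorted(annotated, key=lambda f: f["due"])


def remediation_list(today_iso="2023-03-29"):
    """Run the sample end to end for a given ISO date; returns the ordered to-do list."""
    today = date.fromisoformat(today_iso)
    return prioritize(match_inventory(load_kev(SAMPLE_KEV_JSON), INVENTORY), today)


if __name__ == "__main__":
    for f in remediation_list():
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']} day(s) left"
        print(f"{f['host']:<12} {f['cve']:<15} {state:<16} {f['name']}")
```

In production, replace `SAMPLE_KEV_JSON` with the downloaded feed and `INVENTORY` with your asset export; the vendor and product strings in the feed are free text, so expect to maintain a small alias table for products your inventory names differently.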

An employee’s compromised home computer led to the LastPass hack

The recent hack of LastPass has been traced to an attack on an employee’s home computer. An attacker accessed the device via a vulnerability in a media software package, then installed keylogger malware and used it to capture the credentials the engineer used to open their LastPass corporate vault. While unconfirmed, it is believed that the compromised software was Plex, as that platform also reported a breach not long after LastPass revealed theirs. Read more.

US Marshals Service hit with ransomware attack

The US Marshals Service has been hit with a ransomware attack that “compromised some of its most sensitive information, including law enforcement materials, and the personal information of employees and potential targets of federal investigations.” The impacted system was not connected to other parts of the network, but its compromise still exposed case information along with the personal data of employees and investigation targets. Upon discovery of the attack on February 17th, the affected system was quarantined and a forensic investigation was immediately initiated. Read more.

New EX-22 tool makes exfiltration a “cakewalk” for ransomware attackers

Exfiltrator-22, or EX-22, is a new post-exploitation framework spotted in the wild. Designed to operate under the radar within enterprise networks, it “comes with a wide range of capabilities, making post-exploitation a cakewalk,” according to security firm CYFIRMA. The malware is advertised on Telegram and YouTube as undetectable and is sold as a subscription for $1,000 a month. EX-22 is still being refined and signals that post-exploitation-framework-as-a-service (PEFaaS) is the latest way threat actors make intrusions as easy as possible. Read more.

New ChromeLoader malware campaign targets Nintendo Switch and Steam users

Malicious software has been observed masquerading as VHD files that contain hacks or cracks for Nintendo Switch and Steam games. The malware, a versatile threat called ChromeLoader, is primarily used to compromise web browsers to direct users to malicious sites or carry out click fraud using browser extensions. However, it has also been modified to steal data and even launch ransomware. Steam and Nintendo Switch users are urged not to download game cheats and only click links from reputable sources. Read more.

More cybersecurity news

Can refurbished network equipment fill the global chip shortage gap?

Network switch

While some experts predict relief may be around the corner, the global chip shortage is still plaguing network administrators. Thankfully, refurbished network equipment can be purchased at discount rates without sacrificing the quality needed to maintain efficient work and tight security. Buying gear from an experienced refurbished or used reseller can be a component of an overall strategy that allows you to keep your network current despite current market challenges. 

How did the chip shortage happen?

It’s easy to place all the blame for semiconductor supply issues on the pandemic-related work restrictions, but the problem is not quite so simple. Several simultaneous stresses, including skyrocketing demand for electronics, weather-related plant closures, and product hoarding, have merged to create the ongoing situation.

When will the chip shortage end?

Unfortunately, even the most optimistic predictions don’t foresee the semiconductor market stabilizing any time soon or even this year. Continued geopolitical issues such as trade tensions between China and the US and Russia’s invasion of Ukraine (a major supplier of the raw materials needed to build chips) continue to throw wrenches into the works of an industry that experts don’t see regaining its balance in the short term. Even though the US government is making significant efforts to put the country in a more self-sustaining position regarding semiconductor manufacturing, the high-tech facilities being built in Texas, Ohio, Arizona, and New Mexico aren’t expected to open until 2024 at the earliest.

The chip shortage’s effects on cybersecurity

While physical products may be sluggish to get into the hands of consumers, technological advancement has not slowed.

Cybersecurity incidents and concerns rose at unprecedented rates during the pandemic as personnel thinned, networks became flooded with work-from-home devices, and criminals seized opportunities to take advantage of the ensuing chaos and fear.

Most people can afford to wait when purchasing game consoles, musical instruments, and even automobiles. However, the hardware that keeps networks moving and cybercriminals at bay is not a luxury. Those waiting to replace older or no longer supported routers, firewalls, and other devices could not do so as hardware supplies dwindled and restocks were few and far between. With criminals scanning for weak spots more than ever before, network and IT teams cannot afford to keep running equipment that is not up to the task of providing modern security.

How refurbished network equipment can fill the gap

The used equipment market has remained largely unaffected by the chip shortage. Network administrators who aren’t dedicated to grabbing only the latest and greatest gear will find the market flooded with pristine equipment left over from those who are. While enterprise organizations needing company-wide overhauls may experience challenges finding exactly what they’re looking for at scale, small business owners will have no difficulty getting most of the parts they need from an experienced reseller.

Why buy refurbished network equipment?

  • Less expensive. Refurbished and used gear is deeply discounted compared to brand-new options. Working with a quality secondary market reseller can avoid many headaches related to inflation-based price hikes. 
  • Real-world tested. An added cost-saving benefit is that older gear has been circulating long enough for administrators to understand its quirks, shortcomings, and best use cases. Manufacturers will have issued patches and updates to address issues found since release, which can make last year’s gear safer than today’s, provided the model is still within the vendor’s support window and you install current firmware before putting it into service.
  • Warranty. Reputable resellers provide buyers with a warranty on their purchases. Some offer limited guarantees about defects and functionality; others may even allow you to extend your contract under special circumstances.
  • Communication. Manufacturers offer customer service, but major companies are generally not renowned for personable correspondence. Quality resellers are often staffed by people with network administrator experience who understand the demands of their customers and are empathetic to their needs. A bonus to corresponding with a reseller is that they can recommend products from any maker. Even the most generous company support representative is inclined only to recommend products built by their employer.  
  • You can extend the life of your tech. Upgrading incrementally instead of skipping generations and jumping to the newest equipment allows for a more gradual network transition. Installing a new component in one area often requires installing one elsewhere to maintain compliance and seamless integration. You can minimize this by purchasing refurbished gear that doesn’t require as much modernization.
  • It’s better for the environment. Using refurbished gear keeps it out of the landfill longer and results in less packaging to throw away.

Additional ways to cope with the chip shortage

  • Optimize what you have. Many network devices are not implemented to capacity. Consolidating port usage and re-cabling can free up space, allow you to operate more efficiently, and let you put off new purchases until necessary.
  • Use the cloud. While far from novel in 2023, moving to the cloud remains a viable way to limit your equipment requirements. However, the cloud is not for everyone, and careful considerations must be made to ensure that the costs and changes required for the transition won’t negatively affect your operations.
  • Build based on what you can get. Design your network based on what’s available instead of your preference. Creative problem-solving can help you navigate supply issues and prepare you for future scenarios in which you must adapt.
  • Plan ahead. With restocks taking weeks or even months to appear, assuming you can order what you need when you need it is no longer a viable strategy. Take a hard look at your equipment and determine what components will reach the end of their usable life first. You can place orders for gear near retirement so that you can swap it out as needed without downtime.