RSS Security


Threat Roundup for September 10 to September 17

17 September 2021 at 20:28
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 10 and Sept. 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral...


Gem State University Saves a Small Fortune on TCO With Humio

16 September 2021 at 12:49

This blog was originally published on Humio is a CrowdStrike Company.


The University of Idaho uses Humio to ingest and analyze network security log data at scale. Humio provides incredible cost-savings compared to their previous logging solution, helping the university increase security insights, streamline incident detection and response efforts, and reduce TCO.

“With Humio, it’s easier and faster to search than it was with previous solutions. We can get to the root of malicious activity like phishing attacks more quickly and efficiently.” — Mitch Parks, Chief Information Security Officer, University of Idaho

Challenge: Reducing Log Management Cost and Complexity

Like many budget-conscious organizations, the IT services department at the University of Idaho is always looking for creative ways to do more with less. The university was using their previous solution to capture and analyze network security log data, but the solution was costly and complicated to scale.

“Because of budget constraints, we could only afford to license 100 gigabytes of data per day. A security incident like a denial-of-service attack can easily drive up our log volumes, trigger licensing caps, and impair forensics.” — Mitch Parks, Chief Information Security Officer, University of Idaho

Solution: Humio Logs Everything at Scale in Real Time

After investigating a number of log management alternatives, including open-source solutions, the university selected Humio as its next-generation security log management platform.

“The open-source approach would have required as many as 12 servers, and we would have needed a dedicated IT person to deploy and maintain it,” recalls Parks. “That just didn’t make sense from an investment perspective. I had read about how other universities had successfully switched to Humio and decided to take a look at it.”

“We evaluated Humio for about 30 days and were quite impressed,” explains Carl Pearson, IT security analyst for the university. “The product is easy to set up and use, and doesn’t require a dedicated IT admin or a SIEM expert, or take a lot of my time to manage.”

Results: Faster and Deeper Insights, Lower TCO

Humio’s state-of-the-art log management platform helped the university improve visibility, slash operations expenses and complexity, and reduce risk and exposure.

“With Humio we save at least $10K a year in licensing fees alone,” says Parks. The university can now retain at least a year’s worth of full log data, which is paramount when sophisticated threat actors can penetrate networks and evade detection for weeks or even months on end.

“With other solutions, we spent a lot of time and effort cleaning up our logs to save space. In the process, we removed Active Directory events and other information that we actually needed later for forensics. We don’t have to worry about any of that anymore with Humio.” — Mitch Parks, Chief Information Security Officer, University of Idaho

Once they started using Humio, Parks and Pearson quickly found additional use cases for the platform beyond security. The IT Services team now uses Humio to identify potential system performance and availability issues, flag possible software licensing violations, and gather other IT operations and application insights.

The post Gem State University Saves a Small Fortune on TCO With Humio appeared first on

Shining a Light on DarkOxide

15 September 2021 at 16:30

Since September 2019, Falcon OverWatch™ has been tracking an as yet unattributed actor, conducting targeted operations against organizations within the Asia Pacific (APAC) semiconductor industry. CrowdStrike Intelligence tracks this activity cluster under the name DarkOxide.

CrowdStrike Intelligence has not yet determined the motivation of this activity cluster, but its tactics, techniques and procedures (TTPs) and target scope indicate it is more likely focused on the theft of sensitive information than on direct financial gain.

Telltale TTPs Reveal a Cluster of Activity

The DarkOxide cluster exhibits a very specific set of TTPs that have changed very little over the last two years.

Initially, the actor engages a target via a business-oriented social media platform under the guise of carrying out a recruitment drive (to read more about this technique, see The target is then encouraged to download a lure document purportedly relating to a job opening. In reality, this file is a malicious executable with a double file extension. The executables in these lures have used non-standard executable file extensions such as .PIF (program information file) and .SCR (screensaver). As Windows, by default, hides the extension of known file types, these files initially appear to be legitimate document files when viewed in Windows File Explorer. 
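The double-extension lure described above lends itself to a simple attachment-triage check. The following is an added example written for this page, not CrowdStrike's code or detection logic: it looks at the filename the way Explorer will display it, flags a document-like token sitting directly in front of a real executable extension, and cross-checks the file's first bytes for the `MZ` header of a Windows executable. The lure filenames in the sample list are taken from the post's indicator table; the file bytes, the token lists and the verdict thresholds are assumptions chosen for illustration.

```python
"""Added example (not CrowdStrike's code): an attachment-triage check for the
double-extension lure described above. The lure filenames in SAMPLE_ATTACHMENTS
are taken from the post's indicator table; the file bytes are constructed."""
import os
import re

# Extensions that Windows loads as a PE image whatever the name looks like.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com"}
# The two non-standard PE extensions the post calls out.
UNUSUAL_PE_EXTENSIONS = {".pif", ".scr"}
# Inner tokens that make the name read as a document once the real extension is hidden.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with the default 'Hide extensions for known file types'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_name(filename: str) -> list:
    """Reasons the bare filename is suspicious (empty list means none)."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    tokens = [t for t in re.split(r"[.\s_-]+", stem.lower()) if t]
    inner = tokens[-1] if tokens else ""     # "Resume pdf.pif" and "Resume.pdf.pif" -> "pdf"
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if ext in UNUSUAL_PE_EXTENSIONS:
        reasons.append(f"non-standard PE extension {ext}")
    if ext in EXECUTABLE_EXTENSIONS and inner in DOCUMENT_TOKENS:
        reasons.append(f"document token '{inner}' hidden behind {ext}")
    return reasons


def is_pe_image(data: bytes) -> bool:
    """True when the bytes start with the 'MZ' DOS header of a Windows executable."""
    return data[:2] == b"MZ"


def triage(filename: str, data: bytes) -> str:
    """'block', 'review' or 'allow' for one attachment, from name and content together."""
    ext = os.path.splitext(filename)[1].lower()
    reasons = classify_name(filename)
    pe = is_pe_image(data)
    if pe and ext not in EXECUTABLE_EXTENSIONS:
        return "block"                        # PE bytes behind a document extension
    if any(r.startswith("document token") for r in reasons):
        return "block"                        # classic double extension
    if pe and ext in UNUSUAL_PE_EXTENSIONS:
        return "block"                        # a real PE shipped as .pif/.scr
    if reasons:
        return "review"                       # plain executable: needs a human
    return "allow"


# Constructed sample: names from the post's IoC table plus two benign controls.
MZ = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ATTACHMENTS = [
    ("Resume pdf.pif", MZ),
    ("Job description sr.scr", MZ),
    ("Final.exe", MZ),
    ("report.pdf", b"%PDF-1.4\n"),
    ("invoice.pdf", MZ),
]


def scan_attachments(items=SAMPLE_ATTACHMENTS) -> dict:
    """Map each filename to its verdict."""
    return {name: triage(name, data) for name, data in items}


if __name__ == "__main__":
    for name, verdict in scan_attachments().items():
        print(f"{verdict:6} {name!r:28} shown as {displayed_name(name)!r}  {classify_name(name)}")
```

The content check matters as much as the name check: a `.pdf` whose bytes begin with `MZ` is blocked even though its name raises no flag, and a `.pif` or `.scr` that really is a PE image is blocked outright because, as the post notes, those extensions are rare in legitimate use.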

To date, the targets of the phishing attacks have included engineering staff with access to sensitive documents and source code, indicating that theft of intellectual property is the likely motivation for these operations.

The following screenshot shows the detection that appears in the CrowdStrike Falcon UI when a victim runs one of these malicious screensaver files. In this case, the customer had enabled preventions, allowing the pattern of activity to be recognized by the sensor and terminated before the actor could complete the installation of their remote access software.


When the payload is executed, it utilizes a number of scripting interfaces, including PowerShell and Visual Basic Script, to download a further malicious binary executable. This second executable, also with a .PIF or .SCR extension, in turn installs a copy of the legitimate remote access tool, Remote Utilities, with a preconfigured command-and-control (C2) address. In a small number of cases, in addition to Remote Utilities, the actor also installed the Total Manager Pro file manager. It is likely that this was in order to conduct file system searches, or to package files for exfiltration.

Although the Remote Utilities binary, rutserv.exe, is a legitimate signed binary, its use is relatively rare across CrowdStrike’s customer set.

As of at least March 2020, this TTP has been slightly modified, removing the first stage downloader and moving directly from the initial phishing attack to the installation of the Remote Utilities software.

The following table shows how these TTPs have been shared across a number of intrusions and how they map to the MITRE ATT&CK® framework.

In June 2021, the cluster was observed deploying additional tooling to a host. Again these tools were commercial off-the-shelf software. The tooling observed included:

  • Total Spy: a commercial spyware suite with capabilities including keylogging, screen capture, messaging capture and social network capture
  • RDP Wrapper: an open source tool allowing RDP access to the host
  • DWServe: an open source tool allowing the host to be remotely controlled from a web browser

In almost all cases, the cluster’s activity has been frustrated, either by preventions enabled by the customer, or by early notifications from Falcon OverWatch, allowing the affected systems to be contained before the actor could take further actions on objectives. In the single case where follow-up activity was observed, it consisted of modifications to the registry in order to allow further access to the host via Remote Desktop Protocol. (To read more about these techniques see: and

Since CrowdStrike began tracking DarkOxide, the activity cluster has continued to conduct operations against a number of semiconductor companies, almost exclusively located within the South Asia region. 

Your Best Defense Against DarkOxide

Over the past two years, Falcon OverWatch, alongside CrowdStrike Intelligence, has been tracking an activity cluster, DarkOxide, actively targeting the semiconductor industry. Although the actor’s TTPs have remained largely consistent, they have demonstrated the capacity to adapt and improve their processes, having recently streamlined their activity by removing the need for a first-stage downloader in their intrusion process. 

Defenders in the semiconductor industry should be particularly alert to this activity, which drives home the need to enlist end users as the first line of defense. The actor is actively targeting employees via social media to gain initial access. Well-trained staff can be an asset in combating the continued threat of phishing and related social engineering techniques.

As noted above, the Falcon platform can identify and prevent actors’ use of malicious files with double extensions, but it is crucial the sensor is rolled out across the environment with appropriate prevention settings turned on. Defenders can slow down malicious activity by employing strict user account management based on the principle of least privilege. 

Finally, but most crucially, this activity shows the lengths to which threat actors go in their attempt to evade automated detections. Whether by gaining access through phishing activities, or by using legitimate tooling to achieve actions on objectives, threat actors are always looking for new ways to pierce an organization’s defenses. A managed threat hunting service, like Falcon OverWatch, provides the continuous monitoring that is required to identify and disrupt malicious activity before the damage is done.

Indicators of Compromise

First Stage Payload

SHA256 Hash Lure Filename
48c19ad7436f3d311e9e63327801d0a2d6d25c0d7c7bbc3d2c6a32afb95a0187 Final.exe
9d34f653edf948d9f46522081ff00dddf2f4b62b18d138c49e3b281ca953aeb1 Resume pdf.pif
1fcb6b54b17a6c3df0047a48280b4dcab8b2f2cad2ef4b8c802b05119cedce42 Talent Recruitment Web meeting system.pif
6d1480cd5b10739af130850f9d9bfa7ebe50024c5db68dd231bc7e4bd560ffa6 msi6.9.pif
9d68049510581ff4827fd72510c59d685ce54609b07733be17492bf2403442b4 Job description sr.scr
b414dca98e117d3755903ff27ffc07880f1fe2bfabfb49f6956cf82c06f4eab1 Job description sr.scr
8045f3e00e52c663ab942f39ec779ffc7ac90197ece8e574e5a70c422aa32b36 Job detail description.scr
49fbf9884299fbc6b09e640449fdc834f82a752908d381a68e2057a9861e3618 Job description.scr
186a7abdfcc2df113148650eb1673620a11bb8bfcf3c53f8a1c7429703cda715 Job detail description.scr
45e6653af40fb838eae0657a34905d5ba36052bd41819873d2afc240874b14b6 Qualcomm Job description India.scr
041398a0d34794df5b8d22683f5be7991647416f6243c7bc0441abd7c71c7c27 Qualcomm Job details.scr

Second Stage Payload

SHA256 Hash Filename
9d34f653edf948d9f46522081ff00dddf2f4b62b18d138c49e3b281ca953aeb1 one.pif

Legitimate Binaries Observed

SHA256 Hash Filename
5ada6d1fd62bb1740ea80a30788e55988758acc2b835e6835d6524af1e7afcbd rutserv.exe
C295bd2653d6d8752ff5805b4114eee8e4370a0f16e922d81aecc5f49fa8c9c9 rfusclient.exe
966ef76fe3476d530b1b97a6f40947ed14ada378f13e44ecfe774edc998cd0b0 srvinst.exe
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 rdpwrap.dll
07935229c213d1735655cc8453daa29718da2656546e05d5b3990cb49c248b98 RDPWInst.exe
43fbae4f6637c8eaa955db7e394eebd39cd261f91f36a5bc646303f123e68f13 tsmon.exe
39235102a3aeeb88678cad8d841292fc17ec3b0551cf57d755fdd523985567e8 tsmon4.exe
1ad4b06e282e3c3f22c6d194dabdc272215154f004c57b93b3882c161efc5279 tsmon5.exe
4515d7ee0d5e2e2e236499d35a154b427f07124e9edd379b6e9d62af2ae88c4d tsmon6.exe

Hard-Coded Command and Control for Remote Utilities

  • 54.149.69[.]226
  • 54.188.107[.]146
  • 60.254.95[.]183 
  • 34.221.96[.]116


Humio Recognized as Top 3 Observability Award Winner by EMA

15 September 2021 at 13:03

Humio delivers modern log management with streaming observability to enable customers to log everything and answer anything in real time. Today, Humio is proud to be recognized by Enterprise Management Associates (EMA) as a Top 3 Award Winner for Log Management and Observability. This award is further validation of Humio’s approach to delivering streaming observability for our customers. 

Overcoming Today’s Observability Challenges

To prevent system outages and keep your organization safe, it’s more important than ever to have real-time visibility into your organization’s systems to log all of your data, turning data into actionable insights that help your team quickly respond to incidents. EMA has recognized Humio’s unique ability to ingest data from almost any source to help organizations answer any question. 

Humio’s index-free architecture enables real-time querying and alerting and delivers intelligent insights based on the context of each query. The end result is that developers, infrastructure operations teams and business staff can discover previously hidden correlations between business KPIs, user experience, application performance, infrastructure configuration, code changes and more. 

“Our developers are digging into their logs much more than before, setting alerts, creating dashboards. It really means the world in a self-service, developer-focused microservice environment.” — Humio customer Kasper Nissen, cloud architect at Lunar

Humio’s Business Impact

EMA highlights the business impact of Humio in the following features:

  • Index-free logging to enhance productivity for developers and accelerate software development
  • Empowers users in real time by providing machine learning-driven identification of important events
  • Business-driven optimization for IT and DevOps
  • Built-in, cloud-native log management, such as for Kubernetes 
  • Setup of continuous compliance management through automated auditing 

Torsten Volk, managing research director at EMA, summarizes the power of Humio, saying, “Humio helps organizations tap into their vastly unused operations data without having to worry about the boundaries of individual data sources or the time it will take to execute complex queries that cross these boundaries. This ability to simply correlate anything with anything else is exactly what is needed to create a data-driven culture within all parts of an organization. When you log everything, you can basically ask any question. This is exciting.”

Read the full report to learn how customers can use Humio to transform their businesses.


Senior UX Writer Hema Manwani on Kickstarting a Career in Cybersecurity and Shifting to Remote Work

14 September 2021 at 20:04

For Hema Manwani, a successful day at work is one where she helps guide someone from point A to point B. But she’s not a logistics manager or a dispatcher — she’s a writer. A newly hired Senior UX Writer at CrowdStrike to be more specific. 

Having started her new position just four months ago, Hema joins us here to share the details of her transition to the cybersecurity industry, her first impressions of CrowdStrike and the most rewarding part of her day.

Hema Manwani

Q. What brought you to CrowdStrike and what do you do here? 

I’m a senior UX writer for the platforms team. My goal is to write usable, simple, understandable content so that our users are able to accomplish their goals. 

I joined CrowdStrike about four months ago after coming across a video by a UX writer from CrowdStrike. I normally don’t stop to watch LinkedIn videos unless they’re recommended to me by someone, but something about this one drew me in. She was presenting a topic that sounded very technical, but she was breaking it into usable and easy patterns so the audience could understand. The main job of a UX writer is to make it easy for the users to understand. I was intrigued by the presentation and thought it could be a good challenge to pursue. So I reached out to her on LinkedIn to congratulate her on a job well done and she actually shared a job opportunity with me. I have years of experience writing in financial services and tech, but I didn’t know much about cybersecurity. I gave it a shot anyway. Long story short, I applied and now I’m here. 

Q. That’s a great story. We always try to impart on people that they don’t necessarily need experience in cybersecurity to apply for a job at CrowdStrike. Did you have reservations about applying without industry experience? 

That topic came up when I was trading messages with the presenter via LinkedIn, and she said to me, “Everybody here is learning.” That was reinforced during the interview process too. During my last round of interviews, which was a group session, people asked about my knowledge and interest in cybersecurity. I mentioned to them that I didn’t know much about the field, but after watching that LinkedIn talk, I was very interested in learning. 

The best part was when everyone in the interview confirmed, “Everybody’s learning here. You won’t meet a person at CrowdStrike who says, ‘Hey, I am the guru of everything. Come to me and I’ll answer all your questions.’” That experience has instilled a lot of confidence in me. While there are many people here that are experts at many things, in all the time I’ve been here I’ve always seen the team encouraging each other to ask questions. There’s no such thing as a “wrong” question here. 

Q. Can you tell me about what you do in a typical day?

That’s a very good question! People often assume that because I’m a writer, I write all day. But writing is just a small part of what I do. 

As a UX writer, I collaborate with cross-functional teams a lot. I spend time in working sessions with our researchers, engineers and designers to understand the product and how it works, what’s feasible and what’s not, and how we can make a great experience for our customers. I have to understand what our users are seeing, what their pain points are. Then I take all of that information and make it easy for our customers to understand how to use the product and what it can do every step of the way through conversational language. My job is done when a user can get from point A to point B without any questions or confusion.

Q. What do you find different or unique about working at CrowdStrike?

CrowdStrike is a remote-first organization. That’s by design from the start, long before COVID-19. That was a change for me. Many people have the idea that employees have to be at a workplace together, especially when a role is so collaborative, like mine. The expectation is that you need to sit with the designer, co-create the designs, maybe do some whiteboarding and stuff like that. 

So while I was excited to join as a remote worker, I wondered, Is it going to work seamlessly? How are our teams going to work if we don’t sit down and talk to each other in the same room? What I found is that even though it’s a very fast-paced environment, people are always there to support you, to answer your questions. CrowdStrike is unique in that remote-first culture — even before COVID-19, remote collaboration was the norm. So I’ve never felt stuck with a problem on my own, even though my position is remote. CrowdStrike has definitely proved it’s a myth that you need to be in the same room as your team members to successfully collaborate.

Q. What do you like to do in your spare time?

I love to read — and I’m a fast reader too! I can read a novel in a day. I also write a lot outside of work. I’ve been published in newspapers and three times in the Chicken Soup for the Soul series. I write about social issues and topics that touch me personally. I also enjoy talking to other people to get new perspectives on different topics. I feel there’s always something you can learn from other people. 

Check out some of Hema’s writing below:

Are you interested in getting from point A to point B? Browse our job listings today to start planning your path to CrowdStrike.


Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack

14 September 2021 at 18:15

The eCrime ecosystem is an active and diverse economy of financially motivated threat actors engaging in a myriad of criminal activities to generate revenue. With the CrowdStrike eCrime Index (ECX), CrowdStrike’s Intelligence team maintains a composite score to track changes to this ecosystem. The ECX is composed of several key observables covering different aspects of criminal activity that are combined using a mathematical model. In recent weeks, the Intelligence team observed a notable shift in big game hunting (BGH) activity and tactics, techniques and procedures (TTPs) that resulted in a downward trend of the ECX. As noted in a previous CrowdStrike Intelligence blog, the intense attention surrounding the Colonial Pipeline and JBS incidents had a significant impact on the criminal marketplace and the political landscape. Get more Intel updates on the latest eCrime activity and TTPs at Fal.Con, our annual cybersecurity conference, Oct. 12-14 — register for free today.

ECX Suggests Downward Trend in Ransomware Operations Following Colonial Pipeline Attack

By the time of the Colonial Pipeline attack on May 7, 2021, observed BGH ransomware incidents had reached a yearly high. However, publicly observable BGH activity declined throughout early June 2021, immediately after the incident, amid reports of mounting U.S. pressure to pursue BGH actors. A similar decline was also observed in the number of specific leaks posted to adversaries’ dedicated leak sites (DLS). Despite the decline in the ECX, there has been sustained ransomware activity, likely indicating that a number of adversaries are remaining active despite the dismantling of other groups.

BGH Actor Developments 

BGH adversaries responded to the Colonial Pipeline ransomware incident and the resulting widespread media coverage in many ways. Some named actors shuttered ransomware-as-a-service (RaaS) affiliate programs — at least publicly — while others have continued deploying ransomware. 

CARBON SPIDER (operators of DarkSide ransomware) continues to create active command-and-control (C2) servers to deploy their Domenus PS backdoor and Cobalt Strike post-exploitation framework. The activation of new C2 servers demonstrates that CARBON SPIDER has not halted activities despite allegedly losing control of DarkSide-related infrastructure and having their ransomware funds seized by the U.S. government.1 However, in late July 2021, CrowdStrike Intelligence observed a new ransomware called BlackMatter being distributed. Code overlaps indicate that BlackMatter is highly likely the successor of CARBON SPIDER’s DarkSide ransomware. CARBON SPIDER has also created a Linux version of BlackMatter that resembles the Linux version of DarkSide in multiple ways. After taking a short break, CARBON SPIDER reinstated their BGH operations involving this RaaS and have stated that they have an interest in purchasing and executing unauthorized access to corporate networks.

RIDDLE SPIDER (operators of Avaddon ransomware) closed down their operations in late June. Earlier in June 2021, media sources allegedly received emails containing a password and links to 7zip files containing Avaddon ransomware decryption keys.2 RIDDLE SPIDER’s DLS also went offline in June. While CrowdStrike Intelligence cannot confirm RIDDLE SPIDER’s motivations for closing down the Avaddon RaaS, the decision was likely influenced by the Colonial Pipeline incident and its resulting effects throughout the ransomware industry.

GRACEFUL SPIDER had several members of their group arrested on June 16, 2021, by a joint international law enforcement operation.3 These members were involved in laundering cryptocurrency funds acquired through the use of GRACEFUL SPIDER’s Clop ransomware. The immediate impact to GRACEFUL SPIDER operations resulting from these arrests is currently unclear. GRACEFUL SPIDER’s DLS site remains active after the arrests, with two new listings in June, indicating they have not ceased their activity.

PINCHY SPIDER (developers and operators of the popular REvil RaaS) continued operating at a high pace throughout June and early July 2021, and the group introduced a new ransomware named REvix, which is used to target ESXi and Linux environments. However, on the morning of July 13, 2021, PINCHY SPIDER’s REvil infrastructure supporting their DLS and payment portal went offline. On the same day, the forum administrator of the Russian-language criminal forum XSS banned the actor Unknown (aka UNKN), who has acted as the public spokesperson for PINCHY SPIDER since 2019. PINCHY SPIDER had released REvil version 2.08 a few days prior, confirming the ransomware was under active development, and version 1.2 of REvix was observed on July 23. 

On Sept. 7, after an approximately three month hiatus, CrowdStrike Intelligence observed PINCHY SPIDER’s REvil infrastructure come back online. Financial activity in terms of BTC transactions from previously identified REvil addresses was also detected on Sept. 5.

On June 4, a sample of INDRIK SPIDER’s Hades ransomware was identified using the name PAYLOADBIN, similar to Babuk Locker’s DLS site Payload.bin. INDRIK SPIDER likely switched the names in an effort to avoid attribution by law enforcement and therefore avoid Office of Foreign Assets Control (OFAC) sanctions. Prior to this recent name change, INDRIK SPIDER attempted to change the names of Hades and their Phoenix CryptoLocker ransomware at least one other time to avoid OFAC sanctions. The changes made to avoid these sanctions indicates that INDRIK SPIDER desires to continue their deployment of ransomware.

In July 2021, CrowdStrike Intelligence determined that Grief ransomware is developed by DOPPEL SPIDER, likely as an intended successor to DoppelPaymer ransomware. The cessation in DoppelPaymer activity coincided with the emergence of the Grief DLS that was first observed in May. Analysis of recently identified Grief samples indicates a number of technical overlaps with DOPPEL SPIDER’s wider toolset that provides a definitive link to the adversary.

WIZARD SPIDER continues to actively deploy Conti ransomware and update the Conti DLS. In June 2021, WIZARD SPIDER continued to target large entities in Europe and the United States, including organizations in real estate, education and local government. Recent developments related to the Colonial Pipeline and JBS incidents have not slowed down WIZARD SPIDER’s ransomware operations. This indicates WIZARD SPIDER remains largely unaffected by external pressure, similar to their response to the September 2020 takedown efforts targeting TrickBot infrastructure.


The confluence of U.S. and international law enforcement pressure and forum bans on ransomware activity has led to a highly fluid and chaotic situation in the eCrime ecosystem. The ECX has indicated a change in BGH activity May through June 2021 as well as the persistence of ongoing BGH incidents at a level observed in the first quarter of 2021. However, the downward trend in BGH victims posted to DLSs in June likely indicates that some BGH actors have shifted TTPs to make tracking their activity more difficult.

Numerous adversaries have shown themselves keen to take advantage of the situation and to attract new affiliates. These adversaries have explicitly expressed their intent to continue ransomware operations despite reports of possible U.S.-Russian collaboration — or more aggressive unilateral enforcement actions by the U.S. — in response to incidents, suggesting that a complete drop in BGH activity is highly unlikely to occur in the near future. 

The ECX remains a valuable tool used to identify significant events affecting the eCrime ecosystem. The ECX provides an easily referenced index to mark areas of disruption or change in the eCrime ecosystem in real time.

Monitor the ECX regularly in the CrowdStrike Adversary Universe to make sure you stay up-to-date on eCrime trends.


  1. https[:]//www.justice[.]gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
  2. https[:]//
  3. https[:]//[.]ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/


How Fast Can You Grep?

14 September 2021 at 12:54

This blog was originally published Sept. 28, 2017 on Humio is a CrowdStrike Company.

Assume that you have a 1GB text you want to search.

A typical SSD lets you read on the order of 1GB/s, which means that you can copy the file contents from disk into memory at that speed.

Next, you will then need to scan through that 1GB of memory using some string search algorithm.

If you try to run a plain string search (memmem) on 1GB, you realize that it also comes at a cost. A decent implementation of memmem will do ~10GB/s, so it adds another 1/10th of a second to your result to search through 1GB of data. Total time: 1.1 second (or 0.9GB/s).

Now, what if we compress the input first?

Imagine for simplicity that the input compresses 10x using lz4 to 0.1GB (on most workloads we see 5–10x compression). It takes just 0.1 second to read in 0.1GB at 1GB/s from disk into main memory. lz4 decompresses at ~2GB/s on a stock Intel i7, or 0.5 second for 1GB. Add search time of 0.1 second to a total of 0.6s for reading from disk and decompressing, and we can now search through 1GB in just 0.7s (or 1.4GB/s). And all of the above is on a single machine. Who needs clusters?

Compressing the input has the obvious additional advantage that the data takes up less disk space, so you can keep more data around and/or keep it for a longer period of time. If, on the other hand, you use a search system that builds an index, then you’re likely to bloat your storage requirements by 5–10x. This is why Humio lets you store 25–100x the data of systems that use indexing.

Assuming we’re on a 4-core i7 machine, we can split the compressed data into four units of work that are individually decompressed and searched on each core for an easy 4x speed up; 1/4th of 0.6 seconds on each core is 0.125s. This gives us a total search time of 0.225 seconds, or 4.4GB/s on a single 4-core machine.

But we can do better.

All of the above assumes that we work in main memory, which is limited by a theoretical ~50GB/s bandwidth on a modern CPU; in practice we see ~25GB/s.

Once data is on the CPU’s caches it can be accessed even faster. The downside is that the caches are rather small. The level-2 cache for instance is 256kbytes. In the previous example, by the time the decompression of 1/4 of 1GB is done, the beginning of those 256MB have long been evicted from the cache.

So what if we move the data onto the level-2 cache in little compressed chunks, so that their decompression also fits in the same cache, and then search in an incremental way? Memory-accesses on the level-2 cache are ~10x faster than main memory, so this would let us speed up the decompress-and-search phase by an order of magnitude.

To achieve this, we preprocess the input by splitting the 1GB into up to 128k chunks that are individually compressed.

Adding all this up for a search of 1GB: 0.1s to read from disk, 0.004s to move the 0.1GB of compressed data from main memory to the cores at 25GB/s, and a blazing 0.0125s for the now 10x faster decompress-and-search, for a total of 0.1265 seconds, or 7.9GB/s.

But what if the 1GB file contents are already in the operating system’s file system cache, because they were recently written, or because this is the second time around doing a similar search? Then loading the file contents would be instantaneous, and the entire processing would take just 0.0265 seconds, or 37GB/s.

Loading data from disk can be done concurrently with processing data, so the loading and processing can overlap in time. Notice that we’re now again dominated by I/O (the blue bar above is wider than the other ones combined), which is why Humio searches faster the better the input compresses. If you search more than a few GBs, then processing is essentially limited by the speed at which we can load the compressed data from disk.

To enable even faster searches you simply employ multiple machines. The problem is trivially parallelizable, so searching at 100GB/s would need just 3 machines the likes of a desktop i7.

The beauty is that this generalizes not just to search, but to many other data processing problems which can be expressed in Humio’s query language. Whatever the processing is, it is presented with the entire input, which makes it easy to extract data and do aggregations such as averages, percentiles, count distinct, etc.

But in the Real World…

Many interesting aggregate computations require non-trivial state (probabilistic percentiles need a sample pool, the hyper-log-log we use for count distinct needs some fancy bitmaps), and these ruin the on-CPU caching somewhat, thereby reducing the performance. Even something as simple as keeping the most recent 200 entries around slows down things.

In all honesty, most of the above is more or less wishful thinking. It’s the theoretical limits of an optimal program. For several reasons, we really only get around 6GB/s or 1/6th of the theoretical speed, not ~37GB/s per node that I tallied up above. Trouble is that our system does many other things that end up influencing the outcome, and it is really hard to measure exactly where the problem is at the appropriate level of detail without influencing the outcome. But performance is still decent — and (unfortunately) our customers are asking for more features, not more performance, at present.

The system really lends itself to a data processing problem where lots of data is ingested but queries are relatively rare. So it’s a good match for a logging tool: logs arrive continually, they are relatively fast to compress, and few people such as sysops and developers initiate queries. Humio easily sustains a large volume of ingest, we have seen successful single-node deployments taking in +1TB/day; when someone comes around to ask a question, it will use all available processing power (for a short while) for just that single query.

In a later post, I’ll get back to how we improve these tradeoffs using stream processing to maintain ‘views’ that are readily available for retrieval.

The post How Fast Can You Grep? appeared first on

HIMSS and Beyond: What’s Next in Healthcare Security

9 September 2021 at 13:28

The Healthcare Security Crisis

The FBI has released many warnings of ongoing ransomware attacks targeting U.S. healthcare and first-responder networks over the last three years, with ransomware families being updated with new names as hackers exchange sophisticated hacker-for-hire code and models to exploit vulnerable healthcare facilities. From penalties and Health Insurance Portability and Accountability Act (HIPAA) violations to denial of service availability, healthcare providers are forced to invest in security for endpoints, Internet of Things (IoT) devices and surgical devices (or other medical care equipment) while facing challenges in manpower, expertise and integration with existing systems. 

The challenge of maintaining protected health information (PHI) and network security isn’t limited to hospital and hospice providers — many manufacturers of healthcare and life-saving equipment are also expanding their certifications, adding much-needed network security certifications to their lifesaving and life-preserving Internet of Medical Things (IoMT) and IoT devices. From robotic-assisted surgery devices to monitoring devices and technology, IoMT is here to stay, and it’s expanding — while hackers have already begun looking for ways to compromise these devices to launch their attacks against a system. Hospital networks are a complex and diverse grouping of medical and non-medical devices, managed separately but integrated continuously. Often, administrators have looked to two different lists when trying to determine endpoints on their system versus medical devices, due to each being administered by separate teams.

New CrowdStrike Partner: Nihon Kohden

Because the number of attacks has grown so sharply in the last two years, Nihon Kohden is one of the first to onboard CrowdStrike Falcon® endpoint information into its larger patient monitoring systems to establish full facility threat visibility, protection and efficiency. Nihon Kohden has certified and validated the Falcon platform, rigorously examining and testing how it interacts to keep medical devices secure from ransomware and other denial-of-availability type attacks. The two companies are providing best-of-breed security that doesn’t impact availability or response of medical devices. Nihon Kohden will be offering the CrowdStrike solution as part of its Nihon Kohden Network Care service, and CrowdStrike is proud to be a partner as it moves toward solving issues so many medical manufacturers struggle with post-initial approval.

IoT/IoMT systems often report into patient records and data storage, combining to make a homogenous attack surface that provides avenues for adversaries to exploit. CrowdStrike’s partnerships offer increased visibility and understanding of these systems, driven by the vital requirement for comprehensive protection of these areas.

These partnerships address an area that many are hesitant to talk about — the divide between IT services and clinical engineering IoMT services. While all healthcare providers have provided endpoint security and firewalls in a traditional way to protect their hospital networks, CrowdStrike is leaping ahead to find ways to protect the many lifesaving medical devices in use every day and prevent those devices from becoming an avenue of attack. 

The new security model sees all endpoints and devices as equally important on the network, from understanding all users, privileges, and service accounts to industrial control systems, IoT/IoMT medical tech and more. CrowdStrike and our partners provide visibility for all devices to collect and correlate data across multiple security layers — email, endpoint, IoT device, patient portal and network — with advanced detection and response capabilities. 

This holistic approach offers quicker detection of threats, as well as improved investigation and response times through incident analysis. Medical and manufacturing industries have some of the most vital requirements for Zero Trust solutions, and CrowdStrike helps monitor every transaction and every session, correlating and alerting against known attack patterns with a backend team of experts that analyze new patterns as new bad actors make themselves known by their activity.

New CrowdStrike Partner: Medigate

That’s not the only fantastic medical partnership announcement this month: CrowdStrike recently announced a healthcare partnership with Medigate, a company built around security, asset management and operational analytics for medical providers. Hospitals that have both Medigate and CrowdStrike Falcon protecting their network will have new insight into discovery, profiling and network monitoring, to provide visibility into all managed and unmanaged endpoints including medical devices with network access. 

The integrated solution offers security teams at healthcare delivery organizations the industry’s first consolidated view of threat activity. It also ensures automated, next-gen incident response capability spanning all network-connected assets. 

Partnering for Success with IoT and Healthcare

It takes solid partnerships to deliver in a new age of healthcare security — and it’s even more important for security vendors to integrate and play well together as we bring our unique experience and understanding to form new and improved security solutions. CrowdStrike Falcon’s single lightweight-agent architecture uses cloud-scale artificial intelligence (AI) to offer real-time protection and visibility across the hospital or facility, preventing attacks on endpoints on or off the network. Falcon Zero Trust protects the identities of every user, human or service account/machine that accesses the domain controller. Falcon Discover™ IT hygiene helps provide a census across the network or facility, finding all devices that connect to the network. Humio enables collection of events and extraction of valuable information from any endpoint, identity or source at scale. All of these are powered by the proprietary CrowdStrike Threat Graph® database engine, making CrowdStrike one of the world’s most advanced data platforms for security.

It takes Zero Trust solutions, endpoint detection and response (EDR), automation and threat discovery to work with security professionals on signal and network interoperability. These are the critical solutions that will determine the fate and security of the healthcare infrastructure — from vendors and automation, to the conjunction of network and operations into one visible stream. CrowdStrike is pleased to partner with other medical, IoT device and healthcare-specific attack experts and technologies to create best-of-breed solutions that will meet the stringent demands of the healthcare IoT space.

The post HIMSS and Beyond: What’s Next in Healthcare Security appeared first on

Everything You Think You Know About (Storing and Searching) Logs Is Wrong

9 September 2021 at 13:20

This blog was originally published Aug. 25, 2020 on Humio is a CrowdStrike Company.

Humio’s technology was built out of a need to rethink how log data was collected, stored, and searched. As the requirements for data ingest and management are increasing, traditional logging technologies and the assumptions on which they were built no longer match the reality of what organisations have to manage today.

This article explores some of those assumptions, the changes in technology that impact them, and why Humio’s purpose-built approach is a better option for customers to get value with real-time search and lower costs.

3 assumptions about log data

There are three main assumptions that just don’t hold true today (and we like things that come in threes because it makes for neat sections in a blog).

1. Indexes are for search, therefore searches need indexes – False

Traditional thinking about how to do search at scale comes down to one concept: indexing the data. Indexing traditionally involves scanning the documents in question, extracting and ranking the terms, etc., etc. For many years, the ubiquitous technology for this has been Apache Lucene. This is the underlying technology in the search engines of many tools, and in more recent years has been “industrialized” into a really flexible technology thanks to the work of Elastic with the Elasticsearch tools.

But it’s not the best choice for logs (or more specifically streaming human-readable machine data). The assumption that indexes are best for all search scenarios is wrong.

This is no reflection on the technology itself; it’s designed for randomised search and it does that very well. Elastic gets a pass, they didn’t set out to build a log aggregation and search tool.

The other vendors that did set out to build such a tool and took an index-based approach may also get a pass, because indexing was the prevailing technology at the time.

2. Compression, and the obverse, are slow – Not anymore

Data can be compressed to make storage more efficient, but the perception remains that compressing and decompressing data will slow things down significantly. But compressing data can actually make search faster. There are two pieces to that discussion.

Firstly, if you design and optimise your system around compression, it makes reading, writing, storing, and moving data faster. Humio does exactly that, and you can read about some of this thinking in a Humio blog post: How fast can you grep?. Compression is assumed to be slow because so many users have experienced it in systems where it was introduced as an afterthought, a kludge to help solve the storage requirements of indexed data.

Secondly, compression algorithms are still making progress and being optimised. There are arguments that the latest techniques are reaching theoretical limits of performance, but let’s not declare that everything that will be invented has been.

Humio makes use of the Zstandard family of compression algorithms, and they are FAST. More about that in a bit.

3. Datasets become less manageable with size/age, or are put in the freezer – Datasets are not vegetables!

We often talk to prospective customers that have a requirement for Hot/Warm/Cold storage; and in the context of uncompressed, indexed data, this can make sense. People are used to the concept that storage is expensive, and that the storage “tier” is something the application needs to be aware of (e.g., hot data on local disk, warm data on SAN, etc).

Two things have changed significantly here: storage is no longer as expensive as people are used to it being, and a whole new class of storage has become available to application developers and users alike, Object Storage.

The merits of Object Storage are covered in a bit more detail in a recent post, The Indestructible Blob, and described in the Humio How-To Guide: Optimize the stack with cloud storage.

How does Humio break these conventions?

We’re not going to give you all the details for what Humio does in these areas, but we can certainly discuss the general ways in which Humio reexamined these assumptions, and some of the results of doing so.

Indexes are not the solution

Indexing streaming data for the purposes of search is expensive, slow, and doesn’t result in a faster system for the kinds of use cases customers have for Humio. The interesting thing is that even the leading vendors of other data analytics platforms know this. They have had to work around this very problem to achieve acceptable solutions with things like “live tail” and “live searches”, etc. These index-based tools have to work around their own indexing latency to get the performance needed to claim “live” data … that should have been a big hint that maybe indexing wasn’t needed at all!

By moving away from the use of indexes (Ed: Humio still does actually index event timestamps, but we get the point), Humio does not have to do any of the processing and index maintenance that goes along with it. This means that:

  • When data arrives at Humio it is ready for search almost immediately. We see 100-300 ms between event arrival and that same event being returned in a search result (a manual search, a live search that is already running, an alert, or a dashboard update).
  • Humio does not have to maintain indexes, merge them with new indexes, track which indexes exist, fix corruption in indexes, none of that. For those technologies that do rely on indexes, the indexes themselves become very large. Assuming the index is used to make the entire event searchable, indexing can make the data up to 300% larger than it was in its raw form.
  • With Humio, all queries are against the same datastore; there’s no split processing between historical and live data. Now consider where indexing is used for “search” and some sort of live streaming query is used to power “live” views of the data: tools that take this approach will often show users a spike in a live dashboard, but the user cannot search those events in detail or even view them in the live view.

Find out more about Humio’s index-free architecture in a blog post: How Humio’s index-free log management searches 1 PB in under a second.

Compression everywhere

Humio uses optimal compression algorithms to ensure minimal storage space is required (did I mention we don’t build indexes?); often achieving 15:1 compression against the original raw data, and in some cases exceeding 30:1 compression.

These compression algorithms allow for extremely fast decompression of the data. Humio analyses and organises incoming data so it can make use of techniques like compression dictionaries, meaning we can do this for the optimally-sized segment files in storage (i.e., we don’t have to build and access monolithic blocks of data to achieve high compression ratios).

For more background on the kinds of techniques Humio uses, the original Facebook Engineering article is a good read: Smaller and faster data compression with Zstandard.

Find out more about Humio compression: Humio product page: Humio: Keep 5-15x more data, for longer.

Accessing data

The final piece of the puzzle here is getting access to the right data when a user issues a query. Humio can’t go scanning all the raw event content no matter how fast it might be. This is where the storage pattern that Humio utilises comes into the picture, and the heuristics for a node in the cluster to get access to the data and scan it.

Firstly, segment files are built around optimally-sized groups of data (some secret sauce is added here to make that happen effectively and transparently to the user). These segment files also have accompanying bloom filters built, which means Humio can quickly and effectively identify only the relevant segments for any given query.

The segments work really well on local or network-attached storage, and their size and nature make them an excellent fit for Object Storage.

What does a query pipeline typically look like?

  1. A query is issued against a Humio cluster. Humio identifies which segment files are relevant, based on the time range and scope of the query.
  2. The nodes that handle the query then fetch the relevant segment files for their part of the query job:
    1. First, check on the local storage/cache for the segment.
    2. Secondly, check the other nodes in the cluster for the segment.
    3. Finally, fetch the segment from the object storage.
  3. Complete the scan and return the results to the query coordinator.

Fun fact: Because the object storage can be so efficient, you can tell Humio to always fetch missing segments from the object storage rather than the other nodes in the cluster as that’s sometimes the fastest way to do things.
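The two storage ideas from these Humio posts, chunks that are compressed individually (from the How Fast Can You Grep? piece above) and per-segment Bloom filters that let a query skip segments that cannot match (from the query pipeline just described), as an added example that is not Humio’s code: zlib stands in for lz4/zstd, the filter size, the lines-per-segment value and the sshd-style sample log are constructed, and a search decompresses only the segments whose filter admits the search term.

```python
"""Chunked-compression search with per-segment Bloom filters (added example)."""
import hashlib
import re
import zlib
from dataclasses import dataclass
from typing import Iterator, List

TOKEN_RE = re.compile(r"[A-Za-z0-9_.:-]+")


class BloomFilter:
    """Bloom filter: k salted BLAKE2b hashes set k bits in an m-bit array."""

    def __init__(self, m_bits: int = 4096, k_hashes: int = 4) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        # One BLAKE2b digest per salt value gives k independent bit positions.
        for salt in range(self.k):
            h = hashlib.blake2b(item.encode(), digest_size=8, salt=bytes([salt]))
            yield int.from_bytes(h.digest(), "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def may_contain(self, item: str) -> bool:
        # False means definitely absent (no false negatives); True means "probably".
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(item))


@dataclass
class Segment:
    compressed: bytes      # this chunk's lines, compressed on their own
    bloom: BloomFilter     # filter over the tokens the chunk contains


@dataclass
class SearchResult:
    matches: List[str]
    segments_scanned: int  # decompressed and grepped
    segments_skipped: int  # rejected by the Bloom filter, never decompressed


def tokenize(line: str) -> List[str]:
    return [t.lower() for t in TOKEN_RE.findall(line)]


def build_segments(lines: List[str], lines_per_segment: int) -> List[Segment]:
    """Compress each chunk independently and index its tokens in a Bloom filter."""
    segments = []
    for start in range(0, len(lines), lines_per_segment):
        chunk = lines[start:start + lines_per_segment]
        bloom = BloomFilter()
        for line in chunk:
            for tok in tokenize(line):
                bloom.add(tok)
        segments.append(Segment(zlib.compress("\n".join(chunk).encode()), bloom))
    return segments


def search(segments: List[Segment], term: str) -> SearchResult:
    """Exact-token search that decompresses only segments whose filter admits the term."""
    needle = term.lower()
    matches: List[str] = []
    scanned = skipped = 0
    for seg in segments:
        if not seg.bloom.may_contain(needle):
            skipped += 1
            continue
        scanned += 1
        for line in zlib.decompress(seg.compressed).decode().split("\n"):
            if needle in tokenize(line):
                matches.append(line)
    return SearchResult(matches, scanned, skipped)


def make_sample_log() -> List[str]:
    """Constructed sshd-style lines (not real telemetry) for the demo."""
    lines = []
    for i in range(40):
        user = "root" if i % 5 == 0 else "deploy"
        if i == 17:
            user = "svc-backup"  # occurs once, so only one segment should need decompressing
        outcome = "Failed" if i % 7 == 0 else "Accepted"
        lines.append(
            f"2021-09-09T13:{i:02d}:00Z host=web-{i % 4:02d} sshd[{1000 + i}]: "
            f"{outcome} publickey for {user} from 10.0.{i % 3}.{20 + i} port {40000 + i}"
        )
    return lines


if __name__ == "__main__":
    segs = build_segments(make_sample_log(), lines_per_segment=8)
    for term in ("svc-backup", "root", "no-such-token"):
        r = search(segs, term)
        print(f"{term!r}: {len(r.matches)} hits, {r.segments_scanned} segments "
              f"decompressed, {r.segments_skipped} skipped")
```

A rare token touches one segment and leaves the rest compressed, while a token present everywhere ("root") forces every segment to be decompressed, which is the cost the page's caching argument is about.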

For more information on the Humio architecture, see this blog post that summarizes a presentation given by Humio CTO Kresten Krab Thorup: How Humio leverages Kafka and brute-force search to get blazing-fast search results.


Humio has reconsidered the problem of ingesting and searching log data. Through a new approach and new technologies that are available, it has built a solution that scales efficiently and performs better than the systems that have come before it, often by more than an order of magnitude in terms of speed, storage, and total cost of ownership.

Want to find out more? Set up some time with us for a live demo, or see how it performs for yourself with a 30-day trial.

The post Everything You Think You Know About (Storing and Searching) Logs Is Wrong appeared first on

Threat Protection from Cloud to Ground: Unified Power of EDR with SaaS and Application Security

9 September 2021 at 09:39

There’s no stopping when it comes to scaling your business, so why should your security remain stagnant? With your organization constantly expanding and your IT and security stack increasing in tools, your threat landscape is bound to grow with it. And by leveraging an increasing number of external applications and software-as-a-service (SaaS)-delivered solutions, you’re broadening your attack surface for new threats to take hold. To ensure full coverage that scales with your business, your security and IT teams need to extend visibility into your application environment and implement effective response controls before an adversary can do serious damage like moving laterally and injecting malware.

CrowdStrike and its CrowdStrike Store partners DoControl and TrueFort help deliver comprehensive SaaS and application security, leveraging the CrowdStrike Falcon® platform’s single, intelligent agent and rich contextual data. The CrowdStrike Store extends the power of the Falcon platform to ensure you can stay ahead of modern attackers — DoControl’s new automated SaaS security app and the Zero Trust capabilities of TrueFort’s existing Fortress application help you to stop threats in your application environment at scale.

Remediate Compromised Assets Hidden in Your SaaS Apps

With many enterprises using SaaS applications daily — like Box, Google Drive, Slack and more — across all functions of the business, your critical corporate data is left outside your security perimeter and relies on the security measures of each SaaS application independently. With increased collaboration in these applications from vendors, partners and customers, controlling data access in an efficient and effective manner is key to ensure complete coverage while minimizing the likelihood of a data breach. 

By combining the Falcon platform’s rich telemetry with further visibility and control of SaaS applications on unmanaged devices where Falcon is not present, end users and external collaborators are prevented from uploading, accessing and sharing malicious assets on any of your corporate SaaS applications, ensuring that your employees and external collaborators are protected from malware and advanced threats. To achieve complete control over this growing attack surface, DoControl and CrowdStrike have partnered to help you identify and control the SaaS applications in your environment to achieve speed and agility of response.

DoControl automatically cross-references CrowdStrike Falcon detections with the same files stored in your SaaS applications to identify and remediate malicious activity at speed and scale. By immediately alerting your security teams to said cross-referenced detections, workflows can be triggered to remediate hosts by killing processes and file executions and deleting the files. With DoControl and CrowdStrike, you can prevent files from being added, stored or accessed by employees or external collaborators with known compromises, allowing you to gain control over your SaaS applications with faster and more accurate identification and response. By combining DoControl with CrowdStrike Falcon’s rich endpoint telemetry, you can easily manage assets, improve visibility and automate workflows to prevent data breaches in corporate SaaS applications. 

Gain Zero Trust Application Protection

Applications and workloads are top breach targets and avenues for adversaries to move laterally in your network. To proactively protect your organization from attacks, you need to fully understand application behavior and reduce excessive trust to effectively block or contain threats like ransomware, insider threats, supply chain attacks and other cyberattacks. TrueFort Fortress has enhanced its existing Zero Trust application protection capabilities with CrowdStrike Falcon to deliver micro-segmentation for all of your applications and workloads. 

The TrueFort Fortress app in the CrowdStrike Store leverages the Falcon platform’s rich endpoint data alongside its firewall creation, management and enforcement capabilities to help you gain visibility and control for detection and response at the application level. The Fortress app allows you to visualize your application flows and dependencies, automatically generate policies based on observed behavior, monitor for anomalies, streamline investigations, enable automated policy enforcement, and deliver robust reports — reducing excessive trust and related risks. By using application behavior telemetry from the Falcon platform, machine intelligence, and automation, Fortress continuously assesses and learns each application’s trusted runtime behaviors and creates a dynamic application trust graph, giving you comprehensive visibility. With this Zero Trust baseline for authorized behavior, your team is empowered to continuously identify and remediate risk-related deviations across all of your cloud, hybrid, containerized and on-premises workloads. With TrueFort and CrowdStrike, you can automate adaptive application security to stop threats, reduce your attack surface and stay compliant.  

Learn more about how to use TrueFort and CrowdStrike for micro-segmentation in our joint webcast, Stop Cyberthreats with Microsegmentation, on Sep 15, 2021.

Your Business Is Growing — So Should Your Security

With your business growth and increased scale, you need to focus on securing your environment end-to-end with unified platform-delivered solutions that can give you holistic visibility and control to stop breaches. With powerful application and SaaS security delivered by TrueFort and DoControl — available in the CrowdStrike Store — your team can automate detection and response in your complex application environment with proactive and effective tools to prevent malicious activity, stop advanced threats and maintain a high level of security efficacy. 

To learn more about DoControl and TrueFort or try these apps today, visit the CrowdStrike Store.

The post Threat Protection from Cloud to Ground: Unified Power of EDR with SaaS and Application Security appeared first on

2021 Threat Hunting Report: OverWatch Once Again Leaves Adversaries with Nowhere to Hide

8 September 2021 at 05:00

This time last year, the CrowdStrike Falcon OverWatch™ reported on mounting cyber threats facing organizations as they raced to adopt work-from-home practices and adapt to constraints imposed by the rapidly escalating COVID-19 crisis. Unfortunately, the 12 months that followed have offered little in the way of reprieve for defenders. The past year has been marked by some of the most significant and widespread cyberattacks the world has seen. 

The OverWatch team has seen attempted interactive intrusion activity continue at record levels. Both eCrime and targeted intrusion adversaries have continued to evolve and mature their tradecraft, finding new ways to evade technology-based defenses. 

In the newly released Falcon OverWatch annual report, 2021 Threat Hunting Report: Insights From the Falcon OverWatch Team, threat hunters share the trends in adversary tradecraft that have emerged over the past year. This report, now in its fourth year, documents OverWatch’s ongoing campaign to disrupt adversaries’ attempts at interactive intrusions.

In the battle defined by both stealth and speed, OverWatch is winning — leaving adversaries with nowhere to hide.

Threat Hunting by the Numbers

The 2021 Threat Hunting Report reveals the scale and spread of potential interactive cyber intrusions uncovered and disrupted with the help of OverWatch. In the 12 months from July 1, 2020 to June 30, 2021, OverWatch tracked adversaries in the networks of organizations from every corner of the globe and nearly every industry vertical. No organization is outside the reach of today’s highly motivated adversaries. 

OverWatch has eyes-on-glass 24/7/365, looking for even the faintest signal of adversary activity. Adversaries do not sleep — they are not restricted by time zone or geography. Adversaries also move fast — they are capable of moving laterally to additional hosts within just minutes of achieving initial access. It is in this context that OverWatch’s around-the-clock vigilance proves so critical.

In this past year alone, OverWatch’s human threat hunters have directly identified more than 65,000 potential intrusions. That’s approximately 1 potential intrusion every 8 minutes ― every hour of the day and night. 

Human-triggered detections are only half of the OverWatch equation. In order to detect intrusion attempts at speed and on a global scale, OverWatch draws on its threat hunting findings to continuously advance the autonomous detection techniques in the CrowdStrike Falcon® platform. Over the last year, threat hunters have distilled their findings into the development of hundreds of new behavioral-based preventions for the Falcon platform, resulting in the direct prevention of malicious activity on approximately 248,000 unique endpoints.

With a powerful combination of human expertise and industry-leading technology, OverWatch can not only disrupt the most sophisticated intrusion attempts today, but also develop insights into detections that ensure swift identification and prevention of known threats into the future.

What You’ll Find in This Year’s Report

  • An overview of how OverWatch combines human ingenuity with patent-protected workflows to find the threats technology alone cannot (the SEARCH methodology)
  • A 10,000-foot view of the interactive threat landscape as observed by OverWatch
  • Six detailed case studies providing insights into how adversaries are carrying out their campaigns in the wild
  • A new look not only at the most common tactics, techniques and procedures (TTPs) used by adversaries, but also those OverWatch believes defenders should have on their radar
  • An analysis of potential intrusions by vertical, including a special feature on the telecommunications vertical, which saw attempted intrusions double this past year 
  • Recommendations for defenders looking to better protect their organization from current and emerging threats

Whether you’re a seasoned defender looking to learn the latest or a cyber professional just starting out, the 2021 OverWatch Threat Hunting Report has something for you. Be sure to download your copy of the report today.  

The post 2021 Threat Hunting Report: OverWatch Once Again Leaves Adversaries with Nowhere to Hide appeared first on

McAfee DLP Agent Stack Buffer Overflow RCE

17 September 2021 at 17:00


The vulnerability affects both Data Loss Prevention (DLP) Endpoint for Windows and the DLP Discover products from McAfee. The vulnerability is present within the included lasr.dll module, which is part of the Keyview SDK3, and is responsible for parsing Ami Pro (.sam) files during server content inspection. A file format parsing vulnerability results in a stack-based buffer overflow that can be abused to achieve remote code execution.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-2015-0041
  • MITRE CVE: CVE-2021-31844, CVE-2021-31845

Vulnerability Metrics

  • CVSS Score: 8.2

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: February 24th, 2021
  • Disclosed to public: September 14th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at [email protected].

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

The post McAfee DLP Agent Stack Buffer Overflow RCE appeared first on Exodus Intelligence.

Talos Takes Ep. #68: The various pivots and pitfalls in a malware investigation

17 September 2021 at 14:39
By Jon Munshaw. The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page. On this week's episode, Vitor Ventura from our research team walks through his recent work on connecting several...

[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Source newsletter (Sept. 16, 2021)

16 September 2021 at 18:00
Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. It's a bird, it's a plane, it's a rat! We've been tracking a series of trojans targeting the aviation industry, and trying to lure victims in by sending them spam related to flight itineraries and other transportation...


Operation Layover: How we tracked an attack on the aviation industry to five years of compromise

16 September 2021 at 17:48
By Tiago Pereira and Vitor Ventura. Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years. The same actor has been running successful malware campaigns for more than five years. Although always using commodity malware, the...



15 September 2021 at 10:07

AMD Chipset Driver Information Disclosure Vulnerability

We recently discovered a critical information disclosure vulnerability that affected the AMD Platform Security Processor (PSP) chipset driver for multiple CPU architectures.

The vulnerability allowed non-privileged users to read uninitialised physical memory pages, where the original data was either moved or paged out.

The complete report can be downloaded here.

The official advisory by AMD can be found here.

Please note that the list of affected products may not be complete, as we were able to verify this vulnerability in two different systems using Ryzen 2000 and 3000 series CPUs, which are not currently listed in the AMD advisory.

*The latest PSP chipset driver for Ryzen 5000 series CPUs was not tested, but updating to the latest version is recommended.

At the time of writing, the latest chipset drivers for the affected CPU architectures can be found here.

*Update 17/09/2021: AMD revised their advisory to add further affected CPU architectures, including Ryzen 5000 series and Threadripper CPUs.

Disclosure Timeline

  • Vendor Contacted: 08/04/2021
  • Vendor Replied: 09/04/2021
  • Vendor Acknowledged: 12/05/2021
  • Public Disclosure: 14/09/2021

The post CVE-2021-26333 appeared first on ZeroPeril Blog.


7 April 2021 at 16:02

Another local privilege escalation vulnerability in Cisco AMP, Immunet & ClamAV

If you have been following our blog you will know that Zeroperil recently found a local privilege escalation vulnerability affecting Cisco AMP and Immunet, CVE-2021-1280. At the same time we also found a secondary vulnerability affecting Cisco AMP and Immunet, again resulting in local privilege escalation, which is detailed in this post.

Disclosure was coordinated with Cisco in order to allow the issue to be fixed before being made public.

CVE-2021-1386 is very similar to CVE-2021-1280 in that it again involves SFC.exe, a system service, loading a DLL, and it also involves freshclam.exe.

Using the ProcMon tool from Microsoft SysInternals we were able to see that the SFC.exe service attempts to load the DLL libclamunrar_iface.dll.9.0.4 and searches for this DLL in each directory contained within the system PATH environment variable.

SFC.exe searches for libclamunrar_iface.dll.9.0.4

Using ProcMon we could also see that freshclam.exe (which is periodically executed by the system service SFC.exe) also attempts to load libclamunrar_iface.dll.9.0.4 from each directory contained within the system PATH environment variable.

In order to exploit this vulnerability, an attacker would need to be able to write a DLL into one of the system PATH locations. This isn’t as difficult as you may think; during our time on Red Team engagements we have often seen misconfigured permissions on directories that are in the PATH environment variable.

For example, Python 2.7 by default has a world-writable installation directory, and the installer often adds that directory to the PATH environment variable.

In the image below, the vulnerability is being exploited using a default installation of Python 2.7, signified by the SUCCESS output in ProcMon as the malicious DLL is successfully loaded from the C:\Python27\ directory.

freshclam.exe searches for libclamunrar_iface.dll.9.0.4

Using this technique it was possible for a standard low privileged user to obtain SYSTEM privileges:

cmd.exe with SYSTEM privilege obtained by exploiting the vulnerability


To mitigate vulnerabilities and attacks like this, ensure that the system PATH environment variable contains no directories writable by standard users; this is something every enterprise should check after installing new software.

Software vendors should run tools such as ProcMon as part of their quality assurance pipeline, in order to detect this kind of vulnerability.
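As an added, defender-side example (not code from the ZeroPeril post), the following Python script audits a PATH value for the condition this vulnerability depends on: directories a standard user can write to. It also reports entries that do not exist and relative or empty entries, since both give a similar search-order hijack opportunity. The PATH in `demo_audit` is constructed from temporary directories; run the script itself as a non-administrator user after installing new software, as recommended above, and on a default Python 2.7 install C:\Python27 would appear under `writable`.

```python
"""Audit the PATH environment variable for hijackable directories.

Added example, not code from the ZeroPeril post. Run it as a standard
(non-administrator) user: each PATH entry is probed by trying to create and
delete a temporary file in it, which honours the effective ACL on Windows and
the mode bits on POSIX. Missing and relative entries are reported as well.
"""
import os
import tempfile
from typing import Callable, Dict, List


def is_writable(directory: str) -> bool:
    """Empirical probe: can the current user create a file in this directory?"""
    try:
        fd, name = tempfile.mkstemp(prefix=".path-audit-", dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.unlink(name)
    return True


def audit_path(path_value: str,
               probe: Callable[[str], bool] = is_writable) -> Dict[str, List[str]]:
    """Classify every entry of a PATH-style string.

    writable: existing directories the current user can write to (the
              condition CVE-2021-1386 needs, e.g. a default C:\\Python27)
    missing:  absolute entries that do not exist (a hijack if the parent
              directory lets the user create them)
    relative: empty or relative entries (resolved against the current
              directory of whatever process does the lookup)
    """
    findings: Dict[str, List[str]] = {"writable": [], "missing": [], "relative": []}
    for entry in path_value.split(os.pathsep):
        entry = entry.strip().strip('"')      # Windows allows quoted entries
        if entry == "" or not os.path.isabs(entry):
            findings["relative"].append(entry or "<empty>")
        elif not os.path.isdir(entry):
            findings["missing"].append(entry)
        elif probe(entry):
            findings["writable"].append(entry)
    return findings


def demo_audit() -> Dict[str, List[str]]:
    """Constructed scenario (temporary directories created here, not real
    PATH data): one writable directory, one missing directory, one relative
    entry and one empty entry."""
    base = tempfile.mkdtemp(prefix="path-audit-")
    writable = os.path.join(base, "tools")         # created by us, so writable
    os.mkdir(writable)
    missing = os.path.join(base, "removed-sdk")    # referenced but never created
    constructed_path = os.pathsep.join([writable, missing, "bin", ""])
    try:
        return audit_path(constructed_path)
    finally:
        os.rmdir(writable)
        os.rmdir(base)


if __name__ == "__main__":
    # Audit the real PATH of the user running the script.
    for category, entries in audit_path(os.environ.get("PATH", "")).items():
        for entry in entries:
            print(f"{category:8} {entry}")
```

The probe deliberately writes and removes a file rather than inspecting ACLs, so it reports what the account running the script can actually do; run it from an ordinary user session, not an elevated one, to get the answer that matters for a DLL search-order hijack.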

Affected Products

  • Cisco AMP for Endpoints Windows Connector
  • ClamAV for Windows
  • Immunet


Initial discovery: 10/12/2020
Reported: 10/12/2020
Vendor replied: 11/12/2020
Issue acknowledged: 14/12/2020
Disclosed: 07/04/2021

The Cisco disclosure of this issue can be found here.

The post CVE-2021-1386 appeared first on ZeroPeril Blog.

Coordinated Disclosure Policy

31 March 2021 at 14:57

We have updated our coordinated disclosure policy document.


Public disclosure will generally occur within 90 days of first notifying the vendor of an issue.

There are a few caveats to this, such as situations where the vendor fails to respond.

Please read the full disclosure policy document for more information.


The post Coordinated Disclosure Policy appeared first on ZeroPeril Blog.


30 March 2021 at 12:57

Full-spectrum EDR hook detection with low false positives

One of our side projects recently required us to generate a list of functions being hooked by an EDR with the following requirements:

  • Low false positive rate
  • Check a list of DLLs, not just NTDLL
  • Locate hooks in the second or third instruction of a function
  • Detect WOW syscall stub tampering
  • No ASCII art

We did a quick Google search to see if an existing tool could give us an answer quickly, and found that EDR hooking has been generating a lot of noise recently on social media, some of it good and some of it we are unsure is a joke; one blog we read showed a screenshot of functions redirected from kernel32 to kernelbase (normal export forwarding, not hooking), with the claim that they had found some hooks!

In the end we decided to spend a few hours putting together our own tool, the imaginatively titled HookDump.

Dumping the hooks of an EDR

The details

Naive hook scanning solutions simply scan a loaded DLL for a jmp instruction in the first byte of each function, leading to many false positives (exported variables, for example).

HookDump has a low (zero?) false-positive rate. This is achieved by loading each DLL examined twice: once using LoadLibrary, and a second time by reading it from disk into a buffer. Exported functions are resolved in both copies, several instructions are disassembled from each, and the instructions are then compared. Using this method HookDump can detect hooks in the first, second or third instruction of a function.

Hooks visible in the second instruction of function, NTDLL

We have observed some EDRs creating a fake entry for NTDLL in the PEB module list; combined with page guards/no-execute memory permissions and exception handlers, trusted execution flow is redirected to the real NTDLL, in an attempt to thwart shellcode that manually locates function addresses by parsing the export table. This is an old technique going back to 2005; Piotr Bania first detailed it in Phrack magazine #63. HookDump is able to locate the original copy of NTDLL and examine it for hooks.

HookDump also examines multiple DLLs instead of just NTDLL. The list of libraries is stored in the source file LibraryList.inl and was created by dumping the DLLs loaded in explorer.exe using SysInternals Process Explorer.

Dumping hooks located in DLL’s other than NTDLL

Update Version 1.1

Some security products also modify the WOW64 syscall stub in 32-bit executables, and HookDump now detects this too. With this method there is usually no need for direct jmp hooks in NTDLL, so you may find that the 32-bit version of the tool reports only WOW64 syscall modification and no other hooks. As with any tool like this, if you are unsure of the output, proper verification can be achieved by attaching a debugger and locating the hooks manually.

Source Code

Source code is available in the Zeroperil GitHub repository. Obviously, this hasn’t been tested against every single security product. If you find a bug, please feel free to fix it and send us a pull request 🙂

The post HookDump appeared first on ZeroPeril Blog.