
Exploiting the firewall beachhead: A history of backdoors into critical infrastructure

Posted by Günter Ollmann on Sep 28, 2016 11:00:00 AM


Sitting at the edge of the network and rarely configured or monitored for active compromise, the firewall today is a vulnerable target for persistent and targeted attacks.


Topics: Detection, Datacenter, firewall, backdoors, infrastructure, Data Center


Bringing attack detection to the data center

Posted by Wade Williamson on Sep 12, 2016 11:59:00 PM

Today, we are proud to announce a major update that extends the Vectra cybersecurity platform to the enterprise data centers and public clouds. For this release we wanted to do much more than simply port the existing product into a virtualized environment. Instead, Vectra security researchers, data scientists, and developers started with a fresh sheet of paper to address the real-world challenges and threats that are unique to the enterprise data centers and clouds.


Visibility and intelligence that spans the enterprise

First, it was important to remember that the data center can be both integrally connected, yet in some ways separated from the physical enterprise. For example, attacks can spread from the campus environment to the data center environment, and security teams absolutely need to know how these events are connected. On the other hand, 80% of data center traffic never leaves the data center, making it invisible to traditional security controls.


Topics: Cyberattacks, cybersecurity, Data Center


Reverse engineering the Shadow Brokers dump: A close look at NOPEN

Posted by Nick Beauchesne on Sep 12, 2016 11:58:00 PM

While digging and reversing my way through the Equation Group dump, I’ve come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

Certainly 0-days are great, but in my opinion the previously disclosed Fortidoor exploit is 100x more significant than the Fortigate HTTP 0-days disclosed in the dump. And while most of the dump is around firewall implants and a few exploits, there are some very interesting ops tools in the drop. One of those tools is NOPEN. It is referenced multiple times in their script/ops/doc, and seems to be one of the cornerstones of their infrastructure. It is significant both as a backdoor in a target network and as a tool deployed on a listening post to let you create a multi-layer call-back network. So let's take a closer look at this software.


Topics: Malware Attacks, cyber security, Detection


From the Iron Age to the “Machine Learning Age”

Posted by Günter Ollmann on Aug 30, 2016 8:00:00 AM

It is likely self-evident to many that the security industry’s most overused buzzword of the year is “machine learning.” Yet, despite the ubiquity of the term and its presence in company marketing literature, most people – including those working for many of the vendors using the term – don’t actually know what it means.


Topics: cyber security, machine learning, cybersecurity


Accelerating action: New technology partnerships help customers bridge the cybersecurity gap

Posted by Kevin Kennedy on Aug 4, 2016 8:00:00 AM


“Without knowledge, action is useless, and knowledge without action is futile.” – Abu Bakr


Topics: network security, cybersecurity


The new vulnerability that creates a dangerous watering hole in your network

Posted by Wade Williamson on Jul 12, 2016 10:06:41 AM

Security researchers with Vectra Threat Labs recently uncovered a critical vulnerability affecting all versions of Microsoft Windows reaching all the way back to Windows 95. The vulnerability allows an attacker to execute code at system level either over a local network or the Internet. As a result, attackers could use this vulnerability both to infect an end-user from the Internet, and then spread through the internal network.

Vectra and Microsoft collaborated during the investigation of this issue, and Microsoft has delivered a fix as part of Security Bulletin MS16-087, which is available here.

The vulnerabilities, CVE-2016-3238 (MS16-087) and CVE-2016-3239, stem from the way users connect to printers in the office and over the Internet. This vulnerability could enable a relatively unsophisticated attacker to incorporate IoT devices as part of an attack and quickly infiltrate and spread through a network without detection. While this blog provides an overview of the vulnerability, you can read the in-depth technical analysis here. In addition, a video summary of the vulnerability is available here.

The vulnerability in question centers around the ways that network users find and use printers on a network. Needless to say, modern organizations often have many users, and likewise often have many different makes and models of printers. Users expect to connect to and use whatever printer is most convenient, and likewise, mobile users expect to be able to come in to the office and print.


Topics: APT, vulnerability, Microsoft


Own a printer, own a network with point and print drive-by

Posted by Nick Beauchesne on Jul 12, 2016 10:00:16 AM

Introduction

Printers present an interesting case in the world of IoT (Internet of Things), as they are very powerful hardware compared to most IoT devices, yet are not typically thought of as a “real” computer by most administrators. Over the years, many security researchers have studied and reported on printer vulnerabilities. However, the vast majority of this research focused on how to hack the printer itself in order to do things such as change the display on the printer or steal the documents that were printed. In this case, we investigate how to use the special role that printers have within most networks to actually infect end-user devices and extend the footprint of their attack within the network.

A summary of this analysis and video is available here.

Background

To understand this issue, we need to understand a bit about Microsoft Web Point-and-Print Protocol (MS-WPRN) and why it works the way that it does.


Time to update how we manage and address malware infections

Posted by Mike Banic, VP of Marketing, Vectra Networks on Jun 28, 2016 9:00:00 AM

Network-based malware detection addresses increasing complexity in the malware ecosystem but doesn’t make attribution a key priority.

Conventional wisdom about malware infection paints a picture that hapless users click on something they shouldn’t, that in turn takes their Web browsers to a drive-by-download website. It then exploits a vulnerability to install a botnet agent that eventually steals all their personal data and uploads it to cybercriminals in another country.

That conventional wisdom isn’t completely wrong, but it needs some serious updating. Today’s malware infections are more typically multi-stage events, wherein a user visits a favorite website with a banner advertisement supplied by a third-party ad network that was supplied by an affiliate ad network.


Topics: Cyberattacks, network security, cybersecurity


Ransomware, encryption and machine learning – Three key takeaways from Infosecurity 2016

Posted by Matt Walmsley on Jun 15, 2016 3:00:25 AM


Last week was a long one. Vectra participated for the first time at Infosecurity Europe in London. Now that my feet have recovered from our very busy booth, I thought I’d share a few of the recurring themes I noticed at the show.

Ransomware. Definitely the threat de rigueur, with vendors coming at the problem from various angles, including DNS management and client-based solutions. Vectra was part of the buzz too, offering a network-centric approach with our newly announced ransomware file activity detection.


Topics: machine learning, Encryption, Ransomware


Ransomware lessons from Julius Caesar

Posted by Jacob Sendowski on Jun 6, 2016 11:59:00 PM

In his youth, Julius Caesar was taken hostage by Sicilian pirates and held for a ransom of 20 talents of silver (about 0.5 tons). He managed to convince the pirates that he was more important than that and encouraged them to demand 50 talents of silver instead.

They obliged and in doing so bought into a view of Caesar as superior to them. Caesar exploited this to good effect: he acted as the leader of the pirates, he practiced combat exercises with them and even read them poetry.

Eventually, Caesar’s associates returned with the silver and he was let go. He vowed to return to collect his money and kill the pirates and he went to great lengths to make good on his promise.

Caesar kept his cool, survived the hostage situation, and recovered his belongings because he had a plan and a strategy.


Topics: cybersecurity, Ransomware