Cyber security information center

The new vulnerability that creates a dangerous watering hole in your network

Posted by Wade Williamson on Jul 12, 2016 10:06:41 AM

Security researchers with Vectra Threat Labs recently uncovered a critical vulnerability affecting all versions of Microsoft Windows reaching all the way back to Windows 95. The vulnerability allows an attacker to execute code at system level either over a local network or the Internet. As a result, attackers could use this vulnerability both to infect an end-user from the Internet, and then spread through the internal network. 

Vectra and Microsoft collaborated during the investigation of this issue, and Microsoft has delivered a fix as part of Security Bulletin MS16-087, which is available here.

The vulnerabilities, CVE-2016-3238 (MS16-087) and CVE-2016-3239, stem from the way users connect to printers in the office and over the Internet. This vulnerability could enable a relatively unsophisticated attacker to incorporate IoT devices as part of an attack and quickly infiltrate and spread through a network without detection. While this blog provides an overview of the vulnerability, you can read the in-depth technical analysis here. In addition, a video summary of the vulnerability is available here.

The vulnerability in question centers around the ways that network users find and use printers on a network. Needless to say, modern organizations often have many users, and likewise often have many different makes and models of printers. Users expect to connect to and use whatever printer is most convenient, and likewise, mobile users expect to be able to come in to the office and print.

Read More »

Topics: APT, vulnerability, Microsoft


Own a printer, own a network with point and print drive-by

Posted by Nick Beauchesne on Jul 12, 2016 10:00:16 AM

Introduction 

Printers present an interesting case in the world of IoT (Internet of Things), as they are very powerful hardware compared to most IoT devices, yet are not typically thought of as a “real” computer by most administrators. Over the years, many security researchers have studied and reported on printer vulnerabilities. However, the vast majority of this research focused on how to hack the printer itself in order to do things such as change the display on the printer or steal the documents that were printed. In this case, we investigate how to use the special role that printers have within most networks to actually infect end-user devices and extend the footprint of their attack within the network.

A summary of this analysis and video is available here.

Background

To understand this issue, we need to understand a bit about Microsoft Web Point-and-Print Protocol (MS-WPRN) and why it works the way that it does.

Read More »

Time to update how we manage and address malware infections

Posted by Mike Banic, VP of Marketing, Vectra Networks on Jun 28, 2016 9:00:00 AM

Network-based malware detection addresses increasing complexity in the malware ecosystem but doesn’t make attribution a key priority.

Conventional wisdom about malware infection paints a picture that hapless users click on something they shouldn’t, that in turn takes their Web browsers to a drive-by-download website. It then exploits a vulnerability to install a botnet agent that eventually steals all their personal data and uploads it to cybercriminals in another country.

That conventional wisdom isn’t completely wrong, but it needs some serious updating. Today’s malware infections are more typically multi-stage events, wherein a user visits a favorite website with a banner advertisement supplied by a third-party ad network that was supplied by an affiliate ad network.

Read More »

Topics: Cyberattacks, network security, cybersecurity


Ransomware, encryption and machine learning – Three key takeaways from Infosecurity 2016

Posted by Matt Walmsley on Jun 15, 2016 3:00:25 AM

Last week was a long one. Vectra participated for the first time at Infosecurity Europe in London. Now that my feet have recovered from our very busy booth, I thought I'd share a few of the recurring themes I noticed at the show.

Ransomware. Definitely the threat de rigueur, with vendors coming at the problem from various angles, including DNS management and client-based solutions. Vectra was part of the buzz too, offering a network-centric approach with our newly announced ransomware file activity detection.

Read More »

Topics: machine learning, Encryption, Ransomware


Ransomware lessons from Julius Caesar

Posted by Jacob Sendowski on Jun 6, 2016 11:59:00 PM

In his youth, Julius Caesar was taken hostage by Sicilian pirates and held for a ransom of 20 talents of silver (about 0.5 tons). He managed to convince the pirates that he was more important than that and encouraged them to demand 50 talents of silver instead.

They obliged and in doing so bought into a view of Caesar as superior to them. Caesar exploited this to good effect: he acted as the leader of the pirates, he practiced combat exercises with them and even read them poetry.

Eventually, Caesar’s associates returned with the silver and he was let go. He vowed to return to collect his money and kill the pirates and he went to great lengths to make good on his promise.

Caesar kept his cool, survived the hostage situation, and recovered his belongings because he had a plan and a strategy.

Read More »

Topics: cybersecurity, Ransomware


DPI goes blind as encryption adoption increases

Posted by Günter Ollmann on Jun 1, 2016 10:49:05 AM

Governments and businesses that have traditionally relied upon deep packet inspection (DPI) or content-level inspection technologies to identify threats or control access across the perimeter of their networks are at the cusp of a dramatic and non-reversible sea change. Month on month, organizations have observed the silent shift to encrypted communications, and with that, their visibility and control of network traffic has incrementally diminished.
 
As the encryption of North-South corporate network traffic reaches levels of 60% or more in most environments, organizations are finding themselves in the uncomfortable position of having to plan for the abandonment of the DPI-based perimeter defenses they’ve depended upon for a decade and a half. It would seem that IDS, IPS, DLP, and ADS are rapidly turning dark.

Read More »

Topics: cybersecurity, Deep Packet Inspection


Introducing the Spring 2016 Post-Intrusion Report

Posted by Wade Williamson on Apr 20, 2016 5:00:00 AM

 
Insights from inside the kill chain

This week we are proud to announce the release of the third edition of the Vectra Post-Intrusion Report. And while there are plenty of reports from security vendors out there, this one provides something that is unique.

Read More »

Canary in the ransomware mine

Posted by Günter Ollmann on Mar 30, 2016 2:06:10 PM

 

A quick no-frills solution to ransomware inside the enterprise

Ransomware is clearly the scourge of 2016. Every week there is a new and notable enterprise-level outbreak of this insidious class of malware – crippling and extorting an ever widening array of organizations.

For a threat that is overwhelmingly not targeted, it seems to be hitting large and small businesses with great success.

The malware infection can come through the front door of a failed “defense-in-depth” strategy or the side door of a mobile device latched to the corporate network on a Monday morning.

Read More »

Topics: cybersecurity, Ransomware


Plan on losing visibility of your network traffic: Steps to take control

Posted by Günter Ollmann on Mar 8, 2016 11:49:57 AM

The ongoing Apple versus the FBI debate has me thinking more about the implications of encryption. Whether or not national governments around the globe choose to go down the path of further regulating encryption key lengths, requiring backdoors to encryption algorithms, mandating key escrow for law enforcement purposes, or generally weakening the implementations of encrypted communications and data storage in consumer technologies, the use of encryption will increase – and in parallel – network visibility of threats will decrease.

Read More »

Topics: Malware Attacks, SSL Encryption


Apple vs. the FBI: Some points to consider

Posted by Günter Ollmann on Feb 17, 2016 4:30:00 PM

In light of Apple’s response to the FBI’s request to gain access to San Bernardino shooter Syed Farook’s iPhone, I thought I would share some of my thoughts on this. It appears that there is some confusion in the connection of this request from the FBI with the bigger government debate on providing backdoors and encryption.

Let me attempt to break this down a little in the hopes of clearing some of that confusion:

  • Apple has positioned the request from the FBI to be a request to install a “backdoor” in their product. This is not correct. The FBI request is pretty specific and is not asking for a universal key or backdoor to Apple products.
  • The FBI request should be interpreted as a lawful request to Apple to help construct a forensics recovery tool for a specific product with a unique serial number.
  • The phone in question is an Apple 5C, and the method of access requested by the FBI is actually an exploitation of a security vulnerability in this (older) product. The vulnerability does not exist in the current generation of Apple iPhones. 
Read More »

Topics: Cyberattacks, network security, cybersecurity