This is the fourth DeadBolt campaign this year against QNAP customers, but it differs from previous attacks in exploiting an unpatched bug instead of a known vulnerability.

A critical zero-day security vulnerability in QNAP's network-attached storage (NAS) devices has been actively exploited in the wild to deliver the DeadBolt ransomware variant.

The vendor warned that the exploitation was first spotted over the weekend, and that "the campaign appears to target QNAP NAS devices running Photo Station with internet exposure." Photo Station allows users to centrally store and manage full resolution photos across devices via QNAP NAS.

QNAP is keeping the details of the bug under wraps for now, but it did recommend in its advisory that users disable the port forwarding function on the router to help mitigate their risk (along with applying strong passwords and performing regular data backups).

The discovery also prompted the company to push out an emergency firmware fix. The updated versions are:

*   QTS 5.0.1: Photo Station 6.1.2 and later
*   QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
*   QTS 4.3.6: Photo Station 5.7.18 and later
*   QTS 4.3.3: Photo Station 5.4.15 and later
*   QTS 4.2.6: Photo Station 5.2.14 and later

The DeadBolt gang has been hammering QNAP NAS hard this year; this is only the latest campaign using bugs in the system to infect devices. Previous waves of exploitation were seen in May using known vulnerabilities, and twice in June.

DeadBolt stands apart from other NAS-focused ransomware families, researchers noted earlier this year, because it deploys a multitiered scheme aimed at both the vendors and their victims, and offering multiple cryptocurrency payment options.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical QNAP NAS Zero-Day Bug Exploited to Deliver DeadBolt Ransomware

The high stakes and unique priorities for Internet of Medical Things devices require specialized cybersecurity strategies.

The Internet of Medical Things (IoMT) arguably stands alone when it comes to the threshold of comprehensive IoT security that healthcare delivery organizations must continually meet. Hospitals, physician practices, and integrated delivery systems need to not only keep their own organizations' Web-connected devices and equipment always compliant and secure, but they also must ensure patient safety isn't at risk (and avoid the significant reputational harm that comes from a public breach).

Adding to this challenge is that healthcare organizations tend to deploy uniquely heterogeneous fleets of IoMT devices that contain higher volumes of particularly vulnerable legacy devices. No other industry harnessing IoT capabilities has stakes as high as healthcare, nor such challenging obstacles. As a result, healthcare security teams must carefully craft approaches to address and mitigate certain risks that simply don't exist in other modern IoT implementations.

There are three key points to understand when building an effective IoMT vulnerability management and security strategy. First, because they face thousands of new vulnerabilities every month, IoMT security teams must pick their battles. Second, managing high device churn means introducing security from the moment of adoption. And third, security leaders must form collaborative teams of experts to manage myriad high-risk devices.

**1\. Pick Your Battles**

On average, IoMT device manufacturers publish 2,000 to 3,000 vulnerabilities _every month_. However, they publish patches for only about one in 100 at best. Healthcare delivery organizations can't simply scan IoMT devices for vulnerabilities because doing so will cause many legacy devices to crash. Security teams may attempt to just segment every device for vulnerability remediation and mitigation, but doing this for every device is complex — and maintaining such a segmentation for IoT and IoMT is even more so. Teams cannot rely on scans, don't have nearly enough patches, and new devices are continually added. Soon enough, segmentation erodes and security teams end up with a flat network.

Here's the good news: Just 1% to 2% of IoMT vulnerabilities actually present a high risk in their given environment. An IoMT device's actual risk is very much a function of environmental specifics — a device's connections, nearby devices, its particular use case, and so on. By conducting an _environment-specific_ exploit analysis, security teams can identify a device's true risks and concentrate their finite resources accordingly. Segmentation and other techniques can then focus on fixing the top 1% to 2% of high-risk devices and vulnerabilities.

Security teams should also be aware that attackers are playing this same game — they're probing for vulnerabilities within environments that can serve as springboards for their attack chains. A simple IoMT monitoring device with no data or significant effect on patient outcomes can still become the first domino in a major security event.

**2\. Introduce Security at Adoption**

Security teams must grapple not only with entrenched legacy IoMT devices, but ever-changing device inventories that churn at a rate of 15% per year. To counter this difficulty, security leaders must demand a seat at the decision-making table when new devices are adopted — or at the very least, a heads-up to properly analyze and address vulnerabilities before devices enter active use. That level of consideration is standard across other industries and must be foundational for an effective IoMT security strategy.

In fact, in most other industries an IT department could veto the adoption of solutions that pose a security liability for the organization. Within healthcare delivery organizations, however, IoMT devices with security issues may nevertheless be essential to the higher-priority goal of providing exceptional patient care and patient experiences. That said, healthcare organizations that incorporate security into their IoMT device _acquisition_ processes enable better ongoing security and risk remediation outcomes.

**3\. Form Collaborative Teams of Experts**

Unlike in industries where CSOs might manage homogeneous arrays of inexpensive IoT sensors and have carte blanche to dismiss devices that present any risk they don't like, healthcare demands an entirely different, and holistic, decision-making process. Clinicians carry tremendous weight when it comes to technology decisions because an IoMT device with high risk from an IT security perspective might significantly reduce risks to a patient from a health perspective. IoMT devices that enhance the patient experience, such as vulnerable NICU cameras that nevertheless allow parents to view their newborns, may also justify putting security teams in a tough position.

While it is understandable to decide in favor of supporting health outcomes, security leaders must be prepared to introduce protections that facilitate those decisions. Maximizing IoMT security effectiveness in these challenging circumstances requires security leaders to build an expert team with substantial collected knowledge of current threats and a collaborative mindset enabling the preparation of optimal countermeasures.

**Make IoMT Security an Organizational Priority**

Healthcare security leaders must help their organizations to recognize the tremendous importance and value of IoMT security, even if patient outcomes and experiences come first. At the same time, security leaders should not be daunted by the difficulty of IoMT risk management. Every small step that reduces risk paves the road to a strong security posture.

The 3 Fundamentals of Building an Effective IoMT Security Strategy

Investor participation from prior round demonstrates confidence in the company's current and future performance.

**NEW YORK and TEL AVIV, Israel, Sept. 6, 2022 /PRNewswire** — Cymulate, the market leader in Extended Security Posture Management (XSPM), today announced a $70 million Series D investment led by existing investors One Peak, together with Susquehanna Growth Equity (SGE), Vertex Ventures Israel, Vertex Growth, and Dell Technologies Capital. Cymulate has raised $141M to date.

The latest investment, which is among the largest for continuous security testing vendors, doubles Cymulate's funding raised to date and accelerates the Company's global expansion and pace of innovation.

In a recent report on Continuous Threat Exposure Management (CTEM) GartnerⓇ analysts observed, "_Previous approaches to managing the attack surface are no longer keeping up with digital velocity — in an age where organizations can't fix everything, nor can they be completely sure what vulnerability remediation can be safely postponed. CTEM is a pragmatic and effective systemic approach to continuously refine priorities, walking the tightrope between those two impossible extremes._"\* The global shortage of 2.72 million cybersecurity professionals, and overstretched in-house security resources further exacerbates the need for Cymulate's real-world solutions which closes security gaps quickly and efficiently, rationalizes technology, helps upskill staff and improves processes.

"We are thrilled to lead this round of investment in Cymulate," said David Klein, Managing Partner of One Peak. "Cyber posture management and continuous security validation have dramatically increased in popularity in response to the onslaught of ransomware and cyber warfare for businesses across all size ranges. Cymulate is the clear leader in the sector, and we look forward to continuing to support the Company in further accelerating its already strong growth trajectory."

Cymulate sets the industry standard for organizations to use automation to continuously validate their threat exposure and cyber posture, by testing their cloud and on-premise networks against the latest threats in the wild. The Company's Extended Security Posture Management platform leverages its native offensive security technology and capabilities to widely support customers' security and business needs. XSPM incorporates four fundamental pillars tied together with analytics to provide actionable security posture insights: Attack Surface Management, Continuous Automated Red Teaming, Breach & Attack Simulation, and Advanced Purple Teaming. Cymulate's customers see their cyber risk reduced by nearly 50% during the first three months of use. Running daily risk assessments, the cyber risk of Cymulate's customers continues to decrease in the first year without any security drift.

The Series D funding will be used to extend Cymulate's technological capabilities and further accelerate its global growth. The Company more than doubled its ARR in 2021 and grew more than 200% in North America alone. Cymulate has more than 500 customers globally, including Fortune 500 companies and strategic partners such as Optiv and Wipro. By the end of this year, Cymulate plans to further expand its staff by 75% to continue supporting its go-to-market efforts.

"In a market where every business must be prepared to fight advanced threats, I am proud of our team's ability to innovate and respond quickly to the constant turbulence of cybersecurity," said Eyal Wachsman, CEO and Co-Founder of Cymulate. "Our funding from existing investors is a further testament to their confidence in our company, direction, and continued vision. We look forward to reaching our next innovation milestones and expanding into new markets across the globe."

Alongside their Series D funding, Cymulate also recently announced two C-level executive appointments to bolster the company's leadership, namely the appointment of Maria Mastakas as Chief Operating Officer and Carolyn Crandall as Chief Marketing Officer and Chief Security Advocate of Cymulate.

_\*Gartner, Implement a Continuous Threat Exposure Management (CTEM) Program, July 2022.  
__GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved_.

**About Cymulate**

Cymulate's SaaS-based Extended Security Posture Management (XSPM) provides security professionals with the ability to continuously challenge, validate and optimize their on-premises and cloud cyber-security posture with visualization end-to-end across the MITRE ATT&CK® framework. The platform provides automated, expert and threat intelligence led risk assessments that are simple to deploy and use for organizations of all cybersecurity maturity levels. It also provides an open framework to create and automate red and purple teaming by generating penetration scenarios and advanced attack campaigns tailored to their unique environments and security policies.

For more information, visit www.cymulate.com.

Register here for a free trial.

**About One Peak**

One Peak is a leading growth equity firm investing in technology companies in the scale-up phase. One Peak provides growth capital, operating expertise and access to its extensive network to exceptional entrepreneurs, with a view to help transform innovative and rapidly growing businesses into lasting, category-defining leaders. In addition to Cymulate, One Peak's investments include Neo4j, DocPlanner, Spryker Systems, PandaDoc, Keepit, Paysend, Ardoq, Quentic, HighQ, Coople, DataGuard, Brightflag and many more.

To learn more, visit www.onepeak.tech.

SOURCE: Cymulate

Cymulate Raises $70M Series D Funding for Continuous Security Posture Testing

Here are some strategies for protecting the business against botnets poised to take advantage of remote-work vulnerabilities.

Cyberattacks launched or controlled via botnet are nothing new, but they are on the rise and pose an ever-growing threat.

A recent Russian botnet masquerading as a proxy service compromised millions of devices across the globe, giving cybercriminals access to stolen online accounts until the Feds shut it down. Attacks that happen at a large scale in this manner can have devastating effects. Indeed, botnets represent one of the top techniques attackers use to gain access to networks and systems, which is why it's vital to take steps to mitigate botnet attacks from wherever your employees are working.

The economics of botnets have greatly affected the volume of attacks, as well. Large networks of compromised computers and devices across the Internet can be used to carry out multiple attacks against a broad range of targets. Our research shows that DDoS botnet attacks are on the rise, with a 14% increase in attacks since 2019. Overall, 69% of Comcast Business DDoS customers experienced attacks, a 41% increase over 2020, while 99% experienced repeat attacks.

Botnet attacks are a major threat because they deploy in large numbers and are constantly evolving. The underlying host computing systems are spread across thousands of different owners, and shutting down botnets requires careful coordination across law enforcement, hosting providers, and network carriers.

In addition, botnet resources can be repurposed, which has led to the creation of an indirect black marketplace. Cybercriminals trade botnet assets and use them for different cyberattack types based on where they can make the most money. Essentially, botnets have become a fungible asset for organized crime.

**Botnet DDoS Attacks Present a Challenge for Security Teams**

The rapid shift to remote work provided convenience and efficiency, but it also created new opportunities for threat actors to exploit. Corporate networks are more vulnerable when accessed using unsecured work-from-home environments; personal computing devices are not always protected; and the use of video-conferencing software by remote workers makes an easy target, according to the FBI's "Internet Crime Report 2021."

DDoS attacks are sudden and can penetrate business systems even when protected by firewalls. Endpoint defenses like antivirus cannot protect against DDoS attacks, which are tricky for security experts to identify even after a complete outage. On-premises DDoS prevention equipment is expensive and still leaves upstream connectivity vulnerable to network saturation.

Once these attacks happen, consequences include server crashes, unresponsive applications, and network outages that take businesses offline for legitimate users. Simply put, DDoS attacks cost victims significant time, money, and brand reputation.

**Mitigating and Defending Against Botnet Attacks**

Protecting against botnets requires a layered, defense-in-depth approach. The first line of defense involves network security controls that maintain a global IP reputation database of known malicious IPs and domains, as well as compromised systems belonging to botnets.

Ask your security vendors how they block network connections using IP reputation. On average, 10% to 15% of global malicious IPs change daily, so confirming that your vendor provides frequent updates is critical to ensuring effective botnet protection. Assess the size and reputation of your security vendors' threat intelligence research team, as well as the sources and size of their IP and domain reputation databases.

The second line of defense requires the detection of network traffic based on protocol behavior and session flow. Modern detection techniques use a combination of machine learning algorithms and threshold-based countermeasures.

The challenge for defenders is that botnets can launch multiple types of attacks. The network behavior shown by ransomware exploits is different from brute-force credential stuffing or the click fraud perpetuated against e-commerce Web servers. So, the layered defense required to prevent botnet attacks will vary based on the risks for each individual business.

For example, modern DDoS botnet attack patterns have multiple vectors, are short in duration, and high in intensity, as highlighted by the 2021 Comcast DDoS Threat Report. This makes DDoS extremely challenging to detect for security personnel who must identify issues in minutes but have only seconds to react before an outage occurs.

**Building a Layered Cybersecurity Plan**

Basic cybersecurity hygiene is critical to defending against the threat of botnets. Frequent and continuous vulnerability scanning, configuration hardening, and an organized patch management policy are basic steps in preventing your host systems from becoming botnet victims.

Next, organizations should implement network access controls, multifactor authentication, and a zero-trust policy for users, all of which make it harder for bad actors to access your network or host computers. Lastly, continually training employees on how to identify suspicious activity such as phishing attempts and what steps to take when compromised can mitigate botnet attacks.

Botnet attacks are here to stay, so it is important that users and businesses evaluate their systems, partner with the right vendors and service providers, and implement a cybersecurity program with executive sponsorship to protect themselves against attacks.

Botnets in the Age of Remote Work

The phishing-as-a-service offering targets accounts from tech giants, and also has connections to PyPI phishing and the Twilio supply chain attack.

A phishing-as-a-service offering being sold on the Dark Web uses a tactic that can turn a user session into a proxy to bypass two-factor authentication (2FA), researchers have found.  

The service, widely called EvilProxy, uses reverse proxy and cookie-injection methods to give threat actors a way around 2FA "on the largest scale, without the need to hack upstream services," researchers from Resecurity said in a report published Monday. The principle is actually fairly simple, they added: After victims are lured to a phishing page, threat actors use a reverse proxy to fetch all the legitimate content users expect to see — including login pages — and then sniff victims' traffic as it passes through the proxy.

"This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords, and/or 2FA tokens," researchers wrote.

At the same time, the approach gives cybercriminals ways to attack developers to facilitate supply chain attacks that affect customers downstream, they said.

In recent attacks, EvilProxy is being used to target consumer accounts belonging to top tech power players such as Apple, Dropbox, Facebook, GoDaddy, Google, Instagram, Microsoft, Twitter, and Yahoo.

**EvilProxy: An Evolution**

EvilProxy represents an evolution in phishing strategies, according to the report, given that reverse-proxy approaches are most commonly seen in advanced persistent threat (APT) and cyber-espionage activity. Now, the service makes this capability widely available to the cybercriminal marketplace, researchers said.

Some sources refer to the EvilProxy service as "Moloch," which is connected to a previously developed phishing kit that targeted the financial institutions and e-commerce sector, researchers said.

However, EvilProxy has different victims in mind, according to a demonstration video its actors released in May. Google and Microsoft accounts, in particular, appear to be the primary targets of EvilProxy threat actors.

**Acquiring the Service**

Cybercriminals can buy EvilProxy on a subscription basis based on the online service they plan to target — such as Facebook or LinkedIn — after which it is activated for a specific period of time, depending on the plan description, researchers said. Plan options include 10, 20, or 31 days, according to listings for the service on multiple Dark Web hacker forums, they said.

One of EvilProxy's key actors goes by the handle "John\_Malkovich" and acts as an administrator to vet new customers on major underground communities, including XSS, Exploit, and Breached, researchers said.

Cybercriminals can pay for EvilProxy via an operator on Telegram in a manual arrangement that deposits the funds received to an account in a customer portal hosted in TOR. The service also is available on the Dark Web hosted on the TOR network, with a kit available for $400 per month.

The home portal of the EvilProxy service makes it easy for those who purchase it to get on with their phishing campaigns, providing multiple tutorials and interactive videos regarding the use of the service and configuration tips, researchers said.

"Being frank, the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection," they acknowledged.

Once the service is activated, an operator must provide SSH credentials to further deploy a Docker container and a set of scripts that, after successful activation, will forward the traffic from the victims via two gateways defined as "upstream."

As is common in phishing campaigns, attackers register domain names that appear similar in spelling to related online services to mask them for use used in phishing campaigns, researchers noted.

**Connections to Recent Supply Chain Cyberattacks**

EvilProxy is notable also for its connections to recent threat activity — the first known phishing attack on users of the Python Package Index (PyPI), the official repository for the Python language, and a supply chain attack related to a credential breach at Twilio, researchers said.

Regarding the former, EvilProxy supports attacks against PyPI with the inclusion of a payload called JuiceStealer to the service, researchers said. The info-stealing malware was used in the PyPI phishing attack, and suspiciously added to EvilProxy just before that attack happened, researchers said.

EvilProxy also supports attacks on GitHub and the widely used JavaScript package manager NPJMS. This enables the service to deliver advanced phishing campaigns for supply chain attacks by targeting software developers and IT engineers, who may inadvertently add compromised code to applications and widen the spread of the attack without end users suspecting a thing, researchers said.

Indeed, the Twilio attack was a reminder of what can happen when enterprises are caught unawares, noted one security professional. In that attack, threat actors used phished Okta credentials to gain access to internal systems, applications, and customer data, affecting about 25 downstream organizations that use Twilio's phone verification and other services.

"Too many organizations assume that strong authentication is enough to protect their internal assets and data," Ronen Slavin, co-founder and CTO of Cycode, a software supply chain security solution provider, tells Dark Reading. "As a result of this mindset, most organizations over-credential their developers and expose way too many hard-coded secrets in places like repos, build logs, containers, and more."

With phishing attacks getting more advanced in both their methods to bypass security protections and target developers, enterprises need to be more wary of who within the organization has advanced access to systems, he adds.

"The key learning from this attack is to assume that developer accounts are compromised and that insiders could be malicious," Slavin says.

EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA

Ransomware in particular poses a major threat, but security vendors say there has been an increase in Linux-targeted cryptojacking, malware, and vulnerability exploits as well, and defenders need to be ready.

Linux may not quite stack up to Windows when it comes to the raw number of attacks against systems running the operating system, but threat actor interest in Linux-based servers and technologies has ramped up significantly recently.

That's likely in response to growing enterprise use of Linux infrastructures — especially in the cloud — to host mission critical applications and data, according to a report from Trend Micro this week. The firm identified a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the same period last year.

The report also said that researchers from the company spotted 1,961 instances of Linux-based ransomware attack attempts on its customers in the first six months of 2022 versus 1,121 in 1H, 2021.

**Surging Linux, VMware ESXi Ransomware Attacks**

The increase was consistent with Trend Micro's previous observations about threat actors broadening their efforts to target Linux platforms and ESXi servers, which many organizations use to manage virtual machines and containers.

The security vendor has described the trend as being spearheaded by the operators of the REvil and DarkSide ransomware families, and gaining momentum with the release of a LockBit ransomware variant for Linux and VMware ESXi systems last October.

Earlier this year, Trend Micro researchers observed yet another variant called "Cheerscrypt" surfacing in the wild that also targeted ESXi servers. And, several other security vendors have reported observing other ransomware such as Luna and Black Basta that can encrypt data on Linux systems.

Ransomware is currently the biggest, but not the only, threat targeting Linux systems. A report that VMware released earlier this year noted an increase also in cryptojacking and the use of remote-access Trojans (RATs) designed to attack Linux environments.

The company for instance discovered that threat actors are using malware such as XMRig to steal CPU cycles on Linux machines to mine Monero and other cryptocurrencies.

"Cryptomining malware on Linux saw an increase in the first half, likely from the fact that cloud-based crypto-mining has seen growth by malicious actors perpetrating this threat," notes Jon Clay, vice president of threat intelligence with Trend Micro.

VMware's report also observed expanded use of tools such as Cobalt Strike to target Linux systems and the emergence of a Linux implementation of Cobalt Strike called "Vermilion Strike."

Like Trend Micro, VMware too noted an increase in the volume and sophistication of ransomware attacks on Linux infrastructure — especially host images for workloads in virtual environments. The company described many of the ransomware attacks against Linux systems as targeted, rather than opportunistic, and combining data exfiltration and other extortion schemes.

**An Entry Point to High-Value Enterprise Environments**

Windows continues to be — by far — the most heavily targeted operating system, simply because of the size of its installed base. Clay says of the 63 billion threats that Trend Micro blocked for customers in the first half of 2022, only a very small percentage were Linux-based. Though there were millions of Linux threat detections in 1H, 2022, there were billions of attacks on Windows systems over the same period, he says.

But the growing attacks on Linux systems are troubling because of how Linux is starting to be utilized within critical areas of the business computing infrastructure. VMware pointed out in its report that Linux is the most common operating system across multicloud environments, and 78% of the most popular websites are powered by Linux. Thus, successful attacks on these systems could cause considerable harm to the organization’s operations.

"Malware targeting Linux-based systems is fast becoming an attacker's way into high-value, multi-cloud environments," VMware warned.

Even so, security protections might be lagging, Clay points out.

"Threat actors are seeing opportunities to attack this operating system as it is more common to see it running critical areas of a business operation," he says. "Because historically it hasn’t seen a lot of threats target it, security controls may be missing or not enabled properly to protect it."

**Protecting Linux Environments**

Linux administrators need to first of all follow standard security best practices to secure their systems, researchers say, such as keeping systems patched, minimizing access, and conducting regular scans.

Mike Parkin, senior technical engineer at Vulcan Cyber, says it's significant to note the major differences in how Linux- and Windows-based systems are used when assessing risk and managing patching. Linux systems are usually servers found both on-premises and in cloud deployments. While there are a lot of Windows servers, there are far more Windows desktops, and those are often what gets targeted, with the servers then being compromised from that initial Windows toehold.

Further, Linux user awareness around social engineering should be an organizational focus.

"Linux system administrators are, hopefully, less likely to fall for typical phishing and social engineering attacks than the general population," Parkin says. "But the standard advice applies — users need to be trained to be part of the solution rather than part of the attack surface."

Clay meanwhile says the first thing organizations need to do is to inventory all the Linux-based systems they’re running and then look to implement a Linux-based security approach to protect against different threats.

"Ideally, this would be part of a cybersecurity platform where they could deploy security controls automatically as Linux systems come online and model their controls for Windows-based systems," he says. "Ensure this includes technologies like machine learning, virtual patching, application control, integrity monitoring, and log inspection."

Defenders Be Prepared: Cyberattacks Surge Against Linux Amid Cloud Migration

Managed firewalls are increasingly popular. This post examines the strengths and weaknesses of managed firewalls to help your team decide on the right approach.

The recent remote work explosion driven by the COVID pandemic has forced many organizations to reconsider how they provide network security. The incredible proliferation of potential attack vectors and constantly changing types of attacks present in such a heavily distributed computing environment mean that keeping firewalls up to date has become a burden on security teams that's heavier than ever.

Firewall configurations are a touchy subject. Every network security professional has their preferred hardware and software, and we can all share horror stories about challenges we've experienced in their absence.

In this article, I'll examine the pros and cons of managed firewalls (MFWs) to help make the decision a little easier for your team.

**What Are Managed Firewall Services?**

MFW services typically provide on-demand, administration, monitoring, maintenance, and management of your firewall. These services are available for both cloud-based and on-premises firewalls.

The typical MFW service provider will offer services such as:

*   Firewall system health monitoring and alerting
*   Service and incident management
*   Software lifecycle management (updates, patches, etc.)
*   Security policy implementation, reporting, analysis and remediation
*   System vulnerability checks and security reviews
*   Network traffic monitoring

"Think of a managed firewall service as bringing in an expert, rather than outsourcing. You're partnering with someone with decades of experience and advanced training on your infrastructure in order to secure every last packet. Network security is hard, and a lot of times the easiest way to achieve your requirements is through a specialist." **—Eddie Doyle, Cybersecurity Evangelist, Check Point**

**What Are the Pros and Cons of Managed Firewall Services?**

**Pros**

MFW services offer the following potential benefits:

*   **Greater expertise:** Providers will generally have experts in your preferred hardware and software already on staff, speeding implementation.
*   **Reduced staff burden:** Outsourced providers maintain their own certifications and trainings, and they take over all equipment and software updates. This allows your team to focus on more strategic areas that can add greater value to the organization.
*   **Faster incident response:** Service-level agreements (SLAs) can ensure immediate incident response without adding additional organizational head count or off-hour team load.
*   **Proactive security:** MSPs typically devote significant attention to threat intelligence monitoring in order to adjust your protection as events and updates warrant. Doing so takes the burden off of your internal team.
*   **Reduced update burden:** Hardware, software, and firmware updates are time-consuming chores. MSPs will keep your equipment up to date and save your team time.
*   **Improved manufacturer support:** MFW providers often have direct manufacturer connections due to the volume of devices they operate. For an organization that may not have a large volume of equipment, an MSP may be able to improve issue resolution.
*   **Easier scale:** Growing organizations may be able to scale their protection more quickly and more cost-effectively using an MFW provider by eliminating hiring and equipment purchase processes.
*   **Improved backup and recovery:** An MFW provider will often have access to significant backup and recovery resources (including on-call staff) that can result in faster restore times than internal resources.
*   **Compliance expertise:** Industries with complex regulatory and/or data-handling requirements such as healthcare or payment processing can often use an MFW provider with regulated industry experience.

**Cons**

MFW services may not be good solutions for organizations that have concerns in the following areas:

*   **Small size:** Organizations with smaller budgets, lower traffic volumes, or more streamlined networks may find managing their firewalls internally is more cost effective.
*   **Strict data access requirements:** Organizations with strict compliance and data security may find that the liability of individuals from outside the organization potentially accessing sensitive data is too great. Public companies, for example, may find that providers accessing logs represent a privileged disclosure.
*   **Security context:** If your organization runs particularly complex operations, or is subject to novel attacks, an outsourced provider may not have enough context regarding your internal infrastructure to understand the severity level of alerts they are seeing.
*   **Knowledge loss:** Network security is an important IT function. If you fully outsource your firewall with the intent of reducing staff, your organization may lose significant internal capabilities knowledge.

**The Co-Managed Firewall Option**

To minimize some of the cons and other objections, it's also possible to subscribe to a co-management model. Many providers offer shared responsibility programs that allow the organization to maintain full access and perform their own administrative tasks as desired or required. While this can increase complexity, it can also offer increased flexibility.

I hope the above has helped you determine whether a managed firewall service is right for your organization. If you're struggling with your network security, or want to know if it's time to make a change, visit Atlantic Data Security.

**About the Author**

    

Eric Anderson is a cybersecurity architect, instructor, and evangelist at Atlantic Data Security. He's been working in technology and network security since 1985, loves sharing his experiences and insights, and frequently speaks on security issues.

The Pros and Cons of Managed Firewalls

Having a better understanding of how clouds are built, connected, and managed helps organizations mitigate risks and reduce attack surfaces.

Enterprises are investing in multiple cloud solutions to fuel growth and transform legacy applications into something more universally usable. However, the path to success can be fraught with missteps and unknowns that can create excessive risk. Cloud environments are often stitched together using APIs, custom coding, and other methods that add complexity.

That growing complexity has the potential to substantially increase risk and open organizations up to cyberattacks, and complexity further increases as more services and capabilities are added, compounding risk. Having a better understanding of how clouds are built, connected, and managed helps organizations mitigate risks and reduce attack surfaces.

**Establish Situational Awareness**

Business management expert Peter Drucker famously wrote, "You can't manage what you don't measure," and measurement is one of the most important tools for successfully managing a complex cloud environment. Organizations must take the critical step of measuring their infrastructure by establishing an inventory of systems, applications, and users.

There are numerous ways to measure, ranging from manually performing inventory to using automated tools to help with the process. Most firms settle on a mix of both. Selecting the appropriate management and monitoring tools is challenging, especially in hybrid and multi-cloud environments. Those environments use APIs to integrate dissimilar technologies and usually have their own monitoring and management tools and multiple tools can obscure situational awareness, which creates additional risk.

Properly remediating risk requires creating a single source of truth, which means that new management and monitoring tools must be deployed. Those tools should provide a unified and centralized view of the organization’s infrastructure, while also tearing down the silos created by dissimilar tools. However, people often create a false equivalency between multiple-cloud deployments and managing multiple datacenters, which can lead to selecting the wrong tools. The tools and skillsets differ between cloud and datacenter management, which can lead to missteps that will derail implementation. Organizations may have to purchase new tools or turn to experts to integrate the tools.

**Minimizing Mistakes**

In the rush to deploy cloud solutions, many may overlook what may be obvious to seasoned professionals. Reducing errors means defining objectives and building plans. Those deploying to the cloud must have a clear understanding of the business case, who the stakeholders are, and the desired results.

The flexibility and speed of the cloud make it easy to overlook security leading practices. Establishing those practices requires plans that incorporate cybersecurity at the earliest possible moment. Without proper cybersecurity controls, actions such as establishing a new feature or granting access will increase the attack surfaces and the associated risk.

Simply adding external users can lead to unexpected cybersecurity issues and can expand potential attack surfaces. Case in point is when an organization grants external access to a vendor or partner. Organizations must carefully consider the overall impact of granting that access and if that third party can make unauthorized changes, or access proprietary information, as well as how those user credentials are being secured.

Leading practices include defining security policies, deploying multifactor authentication, auditing access and being aware of threat environments. Some organizations will need to train in-house staff or turn to external experts to ensure that cyber issues are addressed and resolved before they have an impact.

**Building a Continuous Process**

Clouds are very fluid and allow changes to be accomplished quickly. New services can often be enabled with a simple command or click of the mouse. However, that fluidity can create unexpected complexity. What's more, change can have a cascading impact that brings additional risk and complexity to cloud management.

Mitigating risk using a set-and-forget approach is no longer appropriate for securing the cloud; organizations must make risk mitigation as fluid as the cloud. What's more, developers today have the power to constantly change, update, and expand the cloud environment. Accelerated change means that organizations need to be proactive and establish controls and policies to reduce risk.

By adopting continuous processes that insert controls into the development and deployment process, organizations can inject security into the development process. However, keeping security controls up to date can be an onerous task, which ultimately reduces the velocity of enabling change. Here, automation reduces the burden associated with cybersecurity in the cloud.

There are numerous tools that automatically validate code, perform testing of new code, and identify potential problems in real-time. Those tools leverage automation so that interference with the creative process is kept to a minimum. This type of automation does not simply enhance the security of the cloud environment, it will also enhance its resiliency and uptime.

Embracing multicloud, hybrid, or public cloud solutions does not have to be a step into the unknown. Enterprises can ease the transition to the cloud and avoid unnecessary risk by implementing policies, controls, and leveraging automation at the outset of cloud adoption. Having a proper handle on managing the cloud helps when further mitigating risk. What’s more, with the proper tools in place, enterprises may be able to expose additional opportunities, which in turn can help to grow the business.

3 Critical Steps for Reducing Cloud Risk

The US government and the Open Source Security Foundation have released guidance to shore up software supply chain security, and now it's up to developers to act.

Lessons learned from the SolarWinds software supply chain attack were translated into concrete guidance this week when the US Cybersecurity and Infrastructure Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint best practices framework for developers to avoid future supply chain attacks.

Besides the US government's recommendations, developers also received npm Best Practices from the Open Source Security Foundation, to establish supply chain security open source best practices.

"The developer holds a critical responsibility to the security of our software," the agencies said about the publication, titled Securing the Software Supply Chain for Developers. "As ESF examined the events that led up the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer."  

OpenSSF's announcement, meanwhile, noted that the npm code repository has grown to include 2.1 million packages.

Developers like Michael Burch, director of application security for Security Journey, applaud the industry's proactive approach, but Burch adds that it's now up to the cybersecurity sector to put these guidelines into action, particularly a recommendation for the implementation of software bills of materials (SBOMs).

"What we need now is the AppSec community to come together on the back of this guidance, and create a standard format and implementation for SBOMs to boost software supply chain security," Burch said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds, npm Issue Supply Chain Security Guidance to Avert Another SolarWinds

The operators of the emerging cross-platform ransomware BianLian increased their command and control infrastructure this month, indicating an acceleration in their operational pace.

A new player to the ransomware space called BianLian is ramping up activity, and has already targeted organizations in Australia, North America, and the United Kingdom.

According to an advisory from cybersecurity firm Redacted, there has been a "troubling" rise in the rate at which BianLian is bringing new command-and-control (C&C) servers online.

The ransomware was created with Golang (Go), the Google-created open source programming language, and targets SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

"While we lack the insight to know the exact cause for this sudden explosion in growth, this may signal that they are ready to increase their operational tempo, though whatever the reason, there is little good that comes from a ransomware operator having more resources available to them," the researchers noted in the Friday post.

BianLian has been rising popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on the ransomware last month.

**The BianLian Ransomware Attack Flow**

To begin its attacks, the ransomware gang leverages the access gained through the ProxyShell vulnerabilities to install a Web shell or ngrok payload for monitoring activities. The group has been taking care to avoid detection and minimize observable events as it hunts for data and identifies machines to encrypt, researchers said.

In a campaign observed by Redacted, once in, BianLian most often utilized standard "living off the land" (LoL) techniques for network profiling and lateral movement, the report noted. These included net.exe to add and/or modify user permissions; netsh.exe to configure host firewall policies; and reg.exe to adjust various registry settings related to remote desktop and security policy enforcement.

In addition to leveraging the LoL techniques, the group is also known to deploy a custom implant as an alternative means to maintain persistent network access. The main objective of this "simple but effective" backdoor is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them.

"BianLian have shown themselves to be adept with the methodology to move laterally, adjusting their operations based on the capabilities and defenses they encountered in the network," the report stated.

BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is also able to start servers in Windows Safe Mode to execute its file-encrypting malware while remaining undetected by security solutions installed on the system. Other measures taken to circumvent security barriers include deleting snapshots, purging backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts.

The group's emergence adds to the growing number of threats using Go as a base language, allowing adversaries to make quick changes in a single code base that can then be compiled for multiple platforms.

**Ransomware Runs Wild**

Acronis' mid-year cyber-threats report found that ransomware continues to be the top threat to large and midsize businesses, including government organizations, while research from Sophos indicates ransomware gangs may be working in concert to orchestrate multiple attacks.

Further complicating the security landscape is the emergence of data marketplaces that make it easier for threat actors to find and use data exfiltrated during ransomware attacks in follow-up attacks.

Despite the growing risk level and sophistication of ransomware attacks, ransomware coverage is lacking even among businesses with cyber insurance, according to a BlackBerry survey.

The Redacted advisory recommended using a layered approach when trying to mitigate the threat posed by ransomware actors.

"Focus needs to be placed on reducing your attack surface to avoid the most common types of exploitation techniques, but also preparing to act quickly and effectively when a compromise inevitably happens," the report said.

The foundation of this strategy includes multifactor authentication (MFA), secure backups, and an incident response plan.

Source

DARKReading