Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client…

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client data across multiple platforms efficiently. 

****The NAKIVO Backup Solution for MSPs: Data Protection for VMware, Microsoft 365, Proxmox and More** **

The growing demand for reliable data backup among individuals and organizations is simultaneously an opportunity and a challenge for managed service providers (MSPs). On one hand, finding the best MSP backup solution for multiple IT platforms can help expand the client base and increase revenue. On the other hand, the need to protect several environments can complicate management and impact the service quality.

MSPs need a comprehensive set of data protection functions with convenient management capabilities for multiple environments including VMware, Microsoft 365 and Proxmox. The NAKIVO backup solution for MSPs provides up-to-date functionality, extended compatibility, streamlined management, ultimate scalability, and flexible licensing.

****NAKIVO: The Best MSP Backup and Recovery Solution** **

The NAKIVO backup solution for MSP allows you to deliver robust data protection services, including backup-as-a-service (BaaS) and disaster-recovery-as-a-service (DraaS), for client infrastructures of any type, size and complexity. The features developed specifically for managed service providers enable seamless data protection and convenient management. Download the Free Trial and get 15 days to try the solution without feature or capacity limitations.

****MSP Backup and Recovery for VMware Environments****

NAKIVO backup solution for MSP enables you to provide efficient managed online backup services for VMware workloads. You can store backups of VMware VMs and data locally or send them offsite to Amazon S3, Wasabi, Azure Blob, Backblaze B2 or any other S3-compatible storage. NAS and tape destinations are also available.

The most noteworthy features are: 

*   Native integration with VMware’s Changed Block Tracking (CBT) for incremental backups.
*   Flash VM Boot – boot VMware virtual machines to original or custom hosts directly from backups for instant recovery.
*   Replication from backup – perform incremental replication from backups to offload production environments.
*   Real-Time ReplicationBETA – create exact copies of VMs and continuously update them to ensure near-instant RPOs.
*   Automated Failover – configure failover to replicas and launch presets once an incident occurs, achieving near-zero RTOs.
*   Physical-to-virtual recovery (P2V) – restore Windows and Linux machines as VMware vSphere VMs.
*   Cross-platform recovery – recover Hyper-V VMs as VMware workloads and vice versa. 

Use the NAKIVO Backup solution for MSPs to enable reliable backup and swift, flexible recovery of client VMware infrastructures, VMs and data items. 

****Microsoft 365 Data Protection: Backup as a Service for Office 365****

NAKIVO provides SaaS backup functionality to protect Microsoft 365 data. The solution enables: 

*   Backups of Microsoft 365 data, including Exchange Online, OneDrive for Business, SharePoint Online and Microsoft Teams.
*   Onsite Microsoft 365 backup storage for data availability and resilience to cyber threats.
*   Using Microsoft’s native change tracking technology for Exchange Online and Teams to accelerate backup workflows and optimize storage space usage.
*   Fast granular recovery – near-instant recovery of the required items without restoring an entire user account.
*   Retention flexibility – custom retention policies with recovery points rotated daily, weekly, monthly or yearly to store data for as long as you need

NAKIVO Backup solution for MSPs makes data protection in Microsoft 365 straightforward, ensuring SaaS data availability, business continuity and compliance for your clients.

****Proxmox Backup and Recovery: A New Frontier for MSPs****

With the latest update, NAKIVO’s backup as a service solution now supports agent-based backup and recovery for Proxmox VE. The available Proxmox data protection functionality includes the following: 

*   Fast, incremental and app-aware backups of Proxmox VMs.
*   Backup data tiering with multiple destinations including onsite, offsite, public cloud, NAS, deduplication appliances or tape storage.
*   Immutable storage, data encryption, role-based access control and two-factor authentication to protect Proxmox backup data from ransomware and unauthorized access.
*   Full VM recovery or granular recovery of individual files, folders and app objects to original or custom locations.

NAKIVO Backup for MSPs allows you to offer your clients several backups as a service benefit such as affordability and delegated administration combined with the free Proxmox hypervisor. This brings enhanced data availability and infrastructure resilience while maintaining the initial cost-efficiency of systems for clients.

****NAKIVO Backup Solution for MSPs: Versatility Across Environments****

With the NAKIVO solution, you can deliver managed backup as a service for physical, virtual, cloud, SaaS and hybrid environments, including:   

*   NAS
*   File shares
*   Proxmox VE
*   Nutanix AHV
*   Oracle RMAN
*   Microsoft Hyper-V
*   AWS EC2 instances
*   VMware vSphere and Cloud Director
*   Windows and Linux physical servers and workstations 

The wide range of supported environments allows you to easily and quickly cater to the unique needs of every client. With a single MSP backup solution to serve all clients, you can minimize management overhead, increase productivity and scale your business with ease. 

****Ransomware Protection and Advanced Security for MSPs****

Reliable solutions that offer backup and disaster recovery as a service should prioritize threat protection over prevention, enabling clients to restore data even in worst-case scenarios. The NAKIVO solution provides:

*   Immutable storage – enables immutability for local and cloud repositories to protect backup data from change or deletion by ransomware.
*   Malware scan – check your backups before recovery to ensure they don’t contain malware.
*   AES-256 encryption – enables encryption for backup data both during transfer and retention to prevent third-party access. 
*   Role-based access control (RBAC) – limit backup and recovery operations to specific users and ensure authorized access to data protection activities.
*   Direct Connect – connect to clients’ remote resources via a secure port channel without the need to establish and maintain a VPN.

With the NAKIVO backup solution for MSPs, you can ensure client data availability and recoverability when other cybersecurity measures fail. 

****Ease of Management and Automation for MSPs****

Streamlining management and workflow automation are key to efficient MSP backup and recovery. The solution from NAKIVO includes:

*   Multi-tenant mode – create isolated environments for up to 100 clients (tenants) with a single solution deployment.
*   Tenant resource allocation – flexibly allocate VMs, hosts, clusters, backup repositories and other resources in your infrastructure to tenants.
*   MSP Console – uses a unified and intuitive web interface to manage remote client environments from a single panel.
*   Self-service portal – allows clients to manage their own data protection activities.
*   Automation and scheduling – schedule custom backup and recovery workflows from the centralized panel to avoid overlaps and resource bottlenecks.
*   Policy-based data protection – set up policy rules to automatically back up or replicate machines that match the criteria you define.
*   Backup verification – receive verification reports or OS screenshots to verify that backups are recoverable. 
*   Site Recovery – create presets to automate and orchestrate complex disaster recovery sequences and restore entire environments in just a few clicks.
*   Non-disruptive DR testing – run disaster recovery tests by schedule or on demand without disrupting production networks.

Use the advanced management, automation and scheduling capabilities of the NAKIVO solution to adjust to every client’s needs. Ensure data security in the most dynamic and ramified environments.

****MSP Backup Pricing and Cost Efficiency****

NAKIVO offers convenient licensing for managed service providers. This means:

*   5 editions with different feature sets – pick the edition that suits your offering.
*   Perpetual or subscription-based license – choose the one that maximizes your profits.
*   Per-workload pricing – ensure there are no upfront fees or extra costs for unused capacity.
*   Monthly and annual subscription – pay monthly for added flexibility or annually for sizable discounts and additional savings.
*   24/7 vendor support – get in touch with NAKIVO experts whenever you need to guarantee service quality and meet SLAs. 
*   MSP Partner Program – receive certification, training and free marketing support from NAKIVO. 

You can leverage these benefits to increase your business efficiency and win more clients. Provide quality services at affordable costs to boost your revenue.

****Conclusion****

The NAKIVO solution enables efficient MSP backup and recovery for VMware, Microsoft 365, Proxmox VE and other platforms. Install the Free Trial to test the solution’s data protection management, recovery and cybersecurity capabilities in your environment. With NAKIVO, you can provide the best MSP backup solution, meet client needs, cut costs by up to 50%, increase productivity and grow your profit.  

1.  **How To Create a Complete GitHub Backup**
2.  **Recover Lost Data with Mac Data Recovery Software**
3.  **How to Recover Illustrator Files on Windows and Mac**
4.  **Microsoft Planner Backup – Restore: Guide to Data Protection**
5.  **Insights on Google Cloud Backup & Disaster Recovery Service**

NAKIVO Backup for MSP: Best Backup Solution for MSPs

The large-scale operation took advantage of open repositories, hardcoded credentials in source code, and other cloud oversights.

Source: Tithi Luadthong via Alamy Stock Photo

Earlier this week, researchers uncovered a major cybercriminal operation, dubbed EmeraldWhale, after the attackers dumped more than 15,000 credentials into a stolen, open AWS S3 bucket in a massive Git repository theft campaign. The incident is a reminder to tighten up cloud configurations and review source code for mistakes like the inclusion of hardcoded credentials.

Over the course of the onslaught, EmeraldWhale targeted Git configurations in order to steal credentials, cloned more than 10,000 private repositories, and extracted cloud credentials from source code. 

The campaign used a variety of private tools to abuse misconfigured Web and cloud services, according to the Sysdig Threat Research Team, which discovered the global operation. Phishing is the primary tool the campaign used to steal the credentials, which can be worth hundreds of dollars per account on the Dark Web. The operation also makes money by selling its target lists on underground marketplaces for others to engage in the same activity.

**EmeraldWhale's First Breach**

The researchers were initially monitoring Sysdig TRT cloud honeypot when it observed a ListBuckets call using a compromised account — an S3 bucket dubbed s3simplisitter.

The bucket belonged to an unknown account and was publicly exposed. After launching an investigation, the researchers found evidence of a multifaceted attack, including Web scraping of Git files in open repositories. A massive scanning campaign occurred between August and September, according to the researchers, affecting servers with exposed Git repository configuration files, which can contain hardcoded credentials.

"As security professionals, we cannot afford to be complacent, particularly when it comes to keeping sensitive secrets, API tokens, and authentication credentials out of our source code," Naomi Buckwalter, director of product security at Contrast Security, wrote in an emailed statement to Dark Reading. "Not only should infosec professionals be on the front lines educating their development teams on how to securely store, manage, and access secrets, they should also regularly scan their source code for hard coded credentials and monitor credential usage for anomalous activity."

**Always Have Your Guard Up**

In general, Git directories contain "all information required for version control, including the complete commit history, configuration files, branches, and references."

"If the .git directory is exposed, attackers can retrieve valuable data about the repository's history, structure, and sensitive project information," added the researchers. "This includes commit messages, usernames, email addresses, and passwords or API keys if the repository requires them or if they were committed."

The incident is clear reminder that it's critical for businesses and organizations to have visibility on all services and get a clear view on potential attack surfaces in order to consistently manage them and mitigate threats.

"Many breaches occur because internal services are inadvertently exposed to the public Internet, making them easy targets for malicious actors," Victor Acin, head of threat intel at Outpost24, wrote in an emailed statement to Dark Reading.

Acin recommended that enterprises implement a "proper external attack surface management (EASM) platform" to keep track of potential misconfigurations and shadow IT.

And even when private repositories are supposedly secure, it's worth adding additional protections and ensuring that information is locked down.

EmeraldWhale's Massive Git Breach Highlights Config Gaps

The sophisticated Chinese cyberattacks of today rest on important groundwork laid during the pandemic and before.

Source: Cinematic via Alamy Stock Photo

Chinese threat actors are operating at a higher level today than ever before, thanks to years of trial-and-error-style attacks against mass numbers of edge devices.

Networking devices are a known favorite of China's advanced persistent threats (APT), and why wouldn't they be? Sitting on the outer banks of an enterprise network, they not only allow threat actors a way in, they also double as useful nodes for botnets. They offer opportunities for lateral movement, they often store sensitive data, and network defenders have a harder time seeing into and securing them than they do other kinds of network computers. 

Over time, Chinese APTs have been improving on their edge attack capabilities. Since 2018, Sophos has traced a distinct evolution in tactics: from naive, low-level attacks came more sophisticated campaigns against massive numbers of devices, followed by a period of more targeted attacks against specific organizations.

**The First Salvo in a Long Cyber War**

On Dec. 4, 2018, Sophos analysts discovered a suspicious device running network scans against Cyberoam, a Sophos subsidiary based in India. In some ways the attack was run of the mill, using commodity malware and common living-off-the-land (LotL) tactics.

Other evidence, though, suggested that this was something different. For example, the attacker utilized a novel technique to pivot from on-premises devices to the cloud, via an overly permissive identity and access management (IAM) configuration to the Amazon Web Services Systems Manager (AWS SM).

Related:Dark Reading News Desk Live From Black Hat USA 2024

"AWS SM was quite a new technology, and it was quite a subtle misconfiguration," Sophos chief information security officer (CISO) Ross McKerchar recalls. "That was one of the first indicators that we were up against an interesting adversary." 

Later, the attackers deployed a novel rootkit called Cloud Snooper. Cloud Snooper was so stealthy that two third-party consultancies missed it in their analysis, before Sophos eventually picked up on its presence.

The goal of the attack, it seemed, was to collect information useful for future attacks against edge devices. It was a harbinger of what was to come.

**A Five-Year Evolution in Chinese TTPs**

Chinese cyber threats blossomed from roughly 2020 to 2022, as attackers focused on identifying and breaching edge devices en masse.

It worked thanks to the large quantity of devices in the wild that have Internet-facing portals. Typically, these interfaces are designed for internal use. With COVID-19, though, more and more companies were allowing employees to connect from the open Web. This provided a window for hackers with the right kind of credentials or vulnerabilities to get in.

Related:The Overlooked Importance of Identifying Riskiest Users

It helped, too, that around that same time — July 2021 — China's Cyberspace Administration passed the Regulations on the Management of Network Product Security Vulnerability Information rules. These mandates forced cybersecurity researchers to report vulnerabilities to the country's Ministry of Industry and Information Technology (MIIT) before disclosing to any other parties. "It was designed to co-opt the whole country — private citizens included — into being assets for PRC objectives," McKerchar says. Sophos argues with medium confidence that two notable campaigns during this period were facilitated by vulnerabilities responsibly disclosed by researchers at universities in the Chinese city of Chengdu.

Chinese APTs weren't only interested in using compromised devices to attack the companies from whence they came. With varying degrees of success, they would often try to incorporate the devices into broader operational relay box networks (ORBs). These ORBs, in turn, offered higher-level threat actors more sophisticated infrastructure from which to launch more advanced attacks and hide any trace of their origin.

Related:FBI, Partners Disrupt RedLine, Meta Stealer Operations

**What's Happening Now**

After this noisy period, around the middle of 2022, Chinese APTs shifted yet again. Ever since, they've been focused on much more deliberate and targeted attacks against organizations of high value: government agencies, military contractors, research and development firms, critical infrastructure providers, and the like.

These attacks follow no single pattern, involving known and zero-day vulnerabilities, userl and and UEFI bootkits, and whatever other elements pair with active, hands-on-keyboard-type attacks. They almost certainly wouldn't be as sophisticated as they are, though, without all of the years of trial and error that occurred before. Evidence to that is just how effective these threat actors are at overcoming cybersecurity defenses. In recent years, they've demonstrated an ability to sabotage hotfixes for vulnerable devices, and block evidence of their activity from reaching Sophos analysts.

"There's a clear arc of moving to stealthier and stealthier persistence in the activity that we've uncovered," McKerchar says.

He explains how "the first malware, whilst it was bespoke for our devices, it wasn't really trying to hide. They were just banking on nobody looking. In the second wave of attacks they learned a bunch of lessons, remarkably quickly. The malware wasn't explicitly trying to hide, it was just smaller, and naturally able to blend in a bit more. Then after that, they started kind of pulling out more interesting tactics: Trojan class files, memory-resident malware, rootkits, bootkits."

He concludes, "It'd be hard to speculate on what's next, except \[that\] they're going to be improving again."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APTs Cash In on Years of Edge Device Attacks

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets…

Operation EMERALDWHALE compromises over 15,000 cloud credentials, exploiting exposed Git and Laravel files. Attackers use compromised S3 buckets for storage, increasing the risks of phishing and cloud account breaches.

The Sysdig Threat Research Team discovered a global operation called EMERALDWHALE, which targeted Git configurations, resulting in over 15,000 cloud service credentials being stolen. The primary goal of stealing credentials was phishing and spam, with the credentials potentially worth hundreds of dollars per account.

****The Attack Chain****

The campaign used private tools to abuse misconfigured web services, allowing attackers to steal credentials, clone repositories, and extract cloud credentials from their source code. Over 10,000 private repositories were collected, and the stolen data was stored in a previous victim’s S3 bucket.

The Sysdig Threat Research Team reported that attackers used tools such as httpx and Masscan to scan large portions of the internet for servers with exposed Git configuration files (/.git/config) and Laravel environment files (.env). Upon finding exposed files, attackers leveraged tools like MZR V2 and Seyzo-v2 to extract sensitive information, including usernames, passwords, and API keys, using regular expressions to locate relevant data within the files.

The stolen credentials enabled attackers to clone private repositories, exposing additional sensitive data, such as source code. Verified credentials were then tested across various cloud services to find valid ones, which were afterwards used for malicious activities, including phishing, spam campaigns, or further compromises of cloud accounts. Ultimately, the attackers uploaded stolen data to compromised S3 buckets.

****EMERALDWHALE’s Tools of Choice****

The investigation identified two main tools used by EMERALDWHALE: MZR V2 (MIZARU) and Seyzo-v2. MZR V2, a suite of Python and shell scripts, supports target discovery, credential extraction, repository cloning, and credential validation. Similarly, Seyzo-v2 automates credential theft from exposed Git configurations through scripts, enabling attackers to locate and extract sensitive data efficiently.

In addition to Git configurations, EMERALDWHALE also targeted exposed Laravel environment files (.env). These files often contain sensitive information like database credentials and cloud service API keys. Multigrabber v8.5 is a popular tool used to exploit vulnerabilities in Laravel and steal this sensitive data.

Operation EMERALDWHALE is one of the examples of how the stolen credentials market has become a lucrative business for cybercriminals. For example, target lists of exposed Git configurations were found to be sold for around $100. Valid cloud service credentials can also be sold in bulk or through automated shops, fetching a huge profit for attackers.

Tools being sold on Telegram (Via Sysdig Threat Research Team)

The finding shows the importance of proper configuration management in securing sensitive information. Ensuring Git configuration files are not publicly accessible, limiting access to necessary variables, and conducting regular vulnerability scans are crucial to staying protected.

“This attack shows that secret management alone is not enough to secure an environment. There are just too many places credentials could leak from. Monitoring the behaviour of any identities associated with credentials is becoming a requirement to protect against these threats,” the report read.

Rom Carmel, Co-Founder and CEO at Apono, weighed in on the recent development stating “This is yet another example of how credentials remain a top target for hackers who follow the adage, ‘teach a man to phish, and he’ll have access for a lifetime.’_“_

“With the right credentials, attackers can access all resources an identity is privileged to, creating an endless list of potential targets. Given the rise in leaked credentials and the availability of phishing kits bypassing MFA, organizations must adopt an ‘assumed breach’ posture.”

1.  Best Practices for Cloud Computing Security
2.  Abandoned S3 Buckets Used for Malicious Payloads
3.  350 million credentials exposed on misconfigured AWS S3 bucket
4.  iOS and Android Users at Risk as Popular Apps Expose Cloud Keys
5.  AI Firm’s Misconfigured Server Leaked 5.3TB of Mental Health Records

EMERALDWHALE Steals 15,000+ Cloud Credentials, Stores Data in S3 Bucket

Stay ahead of cybercrime with proactive threat hunting. Learn how threat hunters identify hidden threats, protect critical systems,…

Stay ahead of cybercrime with proactive threat hunting. Learn how threat hunters identify hidden threats, protect critical systems, and prevent data breaches through data analysis, investigation, and real-time action.

Cybercrime is more sophisticated than ever, and organizations must stay one step ahead to protect their sensitive data and critical systems. One essential practice to prevent security and data breaches is threat hunting.

Unlike traditional cybersecurity practices that rely on automated systems to detect known threats, threat hunting is a proactive approach that seeks out hidden and unknown threats lurking within an organization’s network.

This guide breaks down the role of the threat hunter and how they help organizations remain protected.

****Step 1: Define Your Threat Hunting Objectives****

Before diving into the technical aspects, setting clear objectives is essential. Threat hunters should ask questions like, “What threats are we most concerned about?” or “Which parts of our network are most vulnerable?” Defining specific goals ensures that threat hunting efforts are directed where they matter most, and it helps in focusing on specific attack vectors.

****Step 2: Gather and Analyze Data****

The next step in threat hunting involves collecting data from various network sources, such as log files, network traffic, and endpoint activity. The goal here is to get a detailed view of network activity to identify anomalies that may indicate a potential threat. Advanced analytical tools, including security information and event management (SIEM) systems, provide threat hunters with centralized data to examine patterns and detect outliers.

****Step 3: Formulate Hypotheses****

Once data is collected and analyzed, threat hunters move on to creating hypotheses. These hypotheses are based on potential threat scenarios and help to guide the search for suspicious activities. For instance, if recent cybercrime reports indicate a surge in phishing attempts, a hypothesis might be, “Attackers could use phishing emails to gain initial access to the network.”

****Step 4: Investigate and Identify Threats****

Now comes the investigative stage, where threat hunters search the network for indicators of compromise (IoCs) based on the hypotheses they’ve formed. This may include looking for unusual login patterns, detecting irregular data flows, or identifying unauthorized access to sensitive files. Specialized tools and software, such as endpoint detection and response (EDR) solutions, can significantly aid this stage by providing real-time insights into network activity.

A crucial part of this step is separating false positives from legitimate threats. Not every anomaly is a cyberattack, so threat hunters must validate findings with caution to avoid unnecessary alarms.

****Step 5: Contain and Eradicate Threats****

If a threat is identified, the next step is containment and eradication. Containment measures prevent the threat from spreading, while eradication eliminates it from the system entirely. These actions might involve isolating infected machines, blocking malicious IPs, or removing compromised accounts.

****Step 6: Review and Improve****

Once the threat has been dealt with, it’s time to conduct a thorough review. This involves analyzing what worked, what didn’t, and how the threat could have been prevented or detected sooner. The insights gained from this review are invaluable, as they help strengthen future threat-hunting efforts and reduce the likelihood of similar incidents.

****The Importance of Proactive Threat Hunting****

Cybercrime is constantly evolving, and organizations cannot rely solely on automated tools to stay protected. By incorporating threat hunting into their cybersecurity strategy, organizations can better protect their data, ensure network security, and maintain a safe digital environment for all stakeholders.

1.  What Is Incident Management Software?
2.  What is OSINT – Best Paid and Free OSINT Tools for 2024
3.  Behavior-based vs IOC-based Threat Detection Approaches
4.  Python in Threat Intelligence: Analyzing – Mitigating Cyber Threats
5.  Enhancing Security Solutions through AWS Marketplace Integration
6.  ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats

A Step-by-Step Guide to How Threat Hunting Works

The Russian-backed group is using a novel access vector to harvest victim data and compromise devices in a large-scale intelligence-gathering operation.

Source: Funtap via Shutterstock

"Midnight Blizzard," a threat group linked to Russia's foreign intelligence service, is stoking more concern than usual for both its sheer scope and its use of a new tactic for harvesting information and gaining control of victim systems.

Microsoft this week said its threat intelligence group observed Midnight Blizzard actors sending out thousands of spear-phishing emails to targeted individuals at more than 100 organizations worldwide since Oct. 22.

**Large-Scale Campaign**

Besides its wide scope, the campaign is noteworthy for Midnight Blizzard's use of a digitally signed Remote Desktop Protocol (RDP) configuration file in its spear-phishing emails. The RDP file connects to a server controlled by a threat actor; when the file is opened, it allows the attacker to harvest user credentials and detailed system information to aid further exploit activity.

"The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of zero trust," Microsoft said on its threat intelligence group blog this week. "Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the UK, Europe, Australia, and Japan."

Midnight Blizzard — aka Cozy Bear, APT29, and UNC2452 — has been the proverbial thorn in the side of security organizations for some years now. The group's many victims include SolarWinds, Microsoft, HPE, multiple US federal government agencies, and diplomatic entities worldwide. Its well-documented tactics, techniques, and procedures (TTPs) include using spear phishing, stolen credentials, and supply chain attacks for initial access. Midnight Blizzard actors have also targeted vulnerabilities in widely used networking and collaboration technologies such as those from Fortinet, Pulse Secure, Citrix, and Zimbra to gain an initial toehold on a target network.

**Bidirectional Connection**

The RDP file in the Microsoft, AWS, and zero-trust themed emails in Midnight Blizzard's latest campaign allows the attacker to establish a quick, bidirectional connection with a compromised device. The threat actor is using it to harvest a range of information including user credentials, files, and directories on the victim system and connected network drives; information from connected smart cards and other peripherals; Web authentication credentials; and clipboard data. The RDF file is signed with a LetsEncrypt certificate to lend it an air of legitimacy. "This access could enable the threat actor to install malware on the target's local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access Trojans (RATs) to maintain access when the RDP session is closed," Microsoft cautioned.

Stephen Kowski, field CTO at SlashNext, says Midnight Blizzard's use of signed RDP files in its current campaign is significant. Signed RDP files can bypass traditional security controls since they appear to come from a legitimate source, he points out.

"This technique is particularly cunning because RDP files are commonly used in business environments, making them less likely to raise immediate suspicion, while the legitimate signature helps evade standard malware detection systems," he says. He advocates that organizations scan all email attachments in real time, with a particular focus on RDP files and other seemingly legitimate Microsoft-related content. "The use of legitimately signed files creates a significant blind spot for conventional security tools that rely heavily on signature-based detection or reputation scoring," Kowski advises.

**Mitigating the Threat**

Microsoft has released a list of indicators of compromise for the new Midnight Blizzard campaign, including email sender domains, RDP files, and RDP remote computer domains. It has recommended that security teams review their organizational email security settings and antivirus and anti-phishing measures; turn on Safe Links and Safe Attachments settings in Office 365; and enable measures for quarantining sent email if needed. Other recommendations include using firewalls to block RDP connections, implementing multifactor authentication, and strengthening endpoint security configurations.

Venky Raju, field CTO at ColorTokens, says the campaign is a reminder why organizations need to maintain a tight rein over the use of Microsoft's remote desktop. While it can be useful to share devices, folders, and clipboard content over an RDP session, it gives attackers a way into a user's device. "Signing the RDP configuration file may prevent email security systems from classifying the email as having a suspicious link or attachment. It may also reduce the warnings presented by the RDP client," he points out.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Midnight Blizzard' Targets Networks With Signed RDP Files

PRESS RELEASE

LONDON, Oct. 28, 2024 /PRNewswire/ -- VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its Q3 2024 Email Threat Trends Report, shedding light on the evolving cybersecurity landscape. This comprehensive analysis of real-world data reveals the sophisticated strategies and techniques employed by cybercriminals, with a particular persistent focus on the highly lucrative tactic of business email compromise (BEC). VIPRE processed 1.8 billion emails globally, of which 208 million were malicious.

BEC impersonation weaponisation  

In this third quarter of 2024, cybercriminals intensified their efforts to exploit organisational vulnerabilities through employee deception. BEC scams surged, accounting for 58% of phishing attempts. Notably, 89% of these BEC attacks involved impersonation of authority figures, including CEOs, senior executives, and IT staff, underscoring the sophisticated tactics employed by malicious actors.

BEC aims for the manufacturing sector 

The manufacturing sector saw a significant rise in BEC attacks, potentially driven by financial fraud. These incidents increased from just 2% in Q1 to 10% in Q3 this year. This rise may be attributed to the industry's widespread use of mobile sign-ins at various worksites. Employees accessing systems "on the go", often under pressure to meet production deadlines, are more susceptible to phishing attempts.

Subtler tactics are a larger threat

Email threats in Q3 were dominated by scams (34%), commercial spam (30%), and phishing (20%). These email threats overshadowed ransomware and malware combined, which comprised less than 20% of all email attacks. Interestingly, despite their lower prevalence, ransomware and malware continue to receive disproportionate attention from the cybersecurity industry.

Sneakier attachments 

To counter advancing email security solutions, criminals are deploying increasingly more intricate methods to bypass defenses. Attackers are employing sneakier techniques such as disguising malicious attachments as voicemail recordings or critical security updates to lure unsuspecting users into downloading them.

Additionally, Microsoft PDFs and .DOCX files remain the most common forms of malicious attachments. In Q3 2024, 2.18 million emails were detected containing harmful attachments, marking a 30% increase from the previous quarter's 21% attachment-based attacks.

Phishing links and compromised websites

Cybercriminals continue to favour the URL redirection technique, a tactic that typically proves effective at evading security controls. This deceptive ploy utilises a "clean" URL within the body of the email, which then redirects unsuspecting users to a malicious one once inside. In Q3 2024, URL redirection accounted for 52% of such attacks, leading victims to meticulously crafted fraudulent websites designed to appear authentic, and gain trust.

Malspam pendulum swing from malicious links to attachments

When it comes to malspam, there is a pendulum swing from a preference for malicious links to attachments. During Q3, malspam efforts were centered on malicious attachments (64%), while only 36% employed a link. The attachment formats used were predominantly LNK, ZIP, and DOCX. Only a quarter ago, links were the tool of choice by a factor of nearly nine-to-one (86% links to 14%).

The 'Malware Family of the Quarter' goes to Redline

Redline is the top malspam family of Q3 2024, a spot it has maintained since the corresponding quarter in 2023. RedLine is designed to steal sensitive information from web browsers, such as credentials and payment data. Typically distributed via phishing emails or malicious websites, it sends stolen data to a command-and-control server controlled by the attacker. It can completely take over a compromised machine and uses multiple infiltration methods.

"The findings of this report yet again illustrate the sophistication of criminal tactics. BEC email and phishing attacks are becoming more targeted and convincing," Usman Choudhary, CPTO, VIPRE Security Group, says. "Additionally, malware distribution through malicious spam campaigns continues to pose a serious threat to organisations. These findings stress the critical need for robust cybersecurity measures and ongoing employee education to combat these evolving threats, especially as bad actors gear up for the upcoming holiday season – Black Friday, Thanksgiving, Christmas, and New Year."

To read the full report, click here: VIPRE's Email Threat Trends Report: Q3 2024. 

VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock vigilance of the cybersecurity landscape.

About VIPRE Security Group

VIPRE Security Group, part of Ziff Davis, Inc., is a leading provider of internet security solutions purpose-built to protect businesses, solution providers, and home users from costly and malicious cyber threats. With over 25 years of industry expertise, VIPRE is one of the world's largest threat intelligence clouds, delivering exceptional protection against today's most aggressive online threats. Our award-winning software portfolio includes next-generation antivirus endpoint cloud solutions, advanced email security products, along with threat intelligence for real-time malware analysis, and security awareness training for compliance and risk management. VIPRE solutions deliver easy-to-use, comprehensive layered defense through cloud-based and server security, with mobile interfaces that enable instant threat response. VIPRE is a proud Advanced Technology Partner of Amazon Web Services operating globally across North America and Europe.

Business Email Compromise (BEC) Impersonation: The Weapon of Choice of Cybercriminals

Russian state-sponsored hackers Cozy Bear are targeting over 100 organizations globally with a new phishing campaign. This sophisticated…

Russian state-sponsored hackers Cozy Bear are targeting over 100 organizations globally with a new phishing campaign. This sophisticated attack uses signed RDP files disguised as legitimate documents to gain remote access and steal sensitive data. Learn how to protect yourself and your organization from this threat.

Microsoft has revealed that the Russian state-sponsored threat actor Cozy Bear (or APT29, UNC2452, and Midnight Blizzard) has launched a new phishing campaign targeting over 100 organizations worldwide, especially Ukraine, the United States and Europe.

The campaign, active since October 22, 2024, involves highly targeted emails designed to trick users into opening malicious files, ultimately granting the attackers access to sensitive information.

The attackers are mainly focusing on organizations in critical sectors such as government, defence, academia, and non-governmental organizations. This aligns with Cozy Bear’s previous pattern of targeting entities holding valuable intelligence.

****What’s new this time?****

Cozy Bear is using a never-before-seen approach involving signed Remote Desktop Protocol (RDP) configuration files. These apparently harmless files are sent as attachments in phishing emails, often disguised with lures related to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails are composed with sophistication, even impersonating Microsoft employees to enhance their credibility.

****How does it work?****

According to Microsoft’s blog post shared with Hackread.com ahead of publishing, when a user opens the malicious RDP file, a connection is established to a server controlled by Cozy Bear.

This connection grants the attackers access to a wide range of resources on the victim’s device, including files, connected peripherals, clipboard data, and even authentication features. This access can be exploited to install malware, steal sensitive data, and maintain persistent access even after the RDP session is closed.

****What’s at risk?****

The potential consequences of a successful attack are significant. Cozy Bear could gain access to confidential government information, intellectual property, and sensitive data belonging to various organizations. The compromised devices could also be used as launchpads for further attacks, potentially spreading the infection to other connected systems.

Patrick Harr, CEO of Pleasanton, Calif.-based SlashNext Email Security+, commented on the recent developments, warning organizations about the increasing sophistication of phishing attacks.

_“_This attack once again highlights that phishing continues to be the most dangerous threat to your organization which is why companies must not only continuously train their users, they must also employ AI detection and phishing sandboxes for malicious links and files directly in their email, collaboration and messaging apps,_“_ Patrick advised.

_“_These new sophisticated attacks, many of them AI-generated, evade current secure email gateways (SEGs) and even Microsoft Defender for Office. The only way organizations can defend themselves is by using AI to prevent these attacks before successful breaches._“_

Microsoft, along with CERT-UA and Amazon, has confirmed the ongoing campaign and is working to notify affected customers. Cybersecurity experts urge organizations and individuals to be alert, especially when dealing with emails containing attachments or requests for remote access.

Additionally, enabling multi-factor authentication, using phishing-resistant authentication methods, and educating users about these phishing techniques are important steps in mitigating this attack.

1.  TeamViewer Confirms Breach by Midnight Blizzard
2.  Midnight Blizzard Hacked UK Home Office via Microsoft
3.  Midnight Blizzard Hackers Hit MS Teams in Precision Attack
4.  Iranian Hackers Hit Microsoft 365 Users with MFA Push Bombing
5.  Russian Malware Attack Hits Ukrainian Military Recruits via Telegram

Russian Cozy Bear Hackers Phish Critical Sectors with Microsoft, AWS Lures

Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows.
This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the

Cyber Security / Hacking News

Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows.

This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the knowledge you need to stay safe.

So grab your popcorn (and maybe a firewall), and let's dive into the latest cybersecurity drama!

**⚡ Threat of the Week**

**Critical Fortinet Flaw Comes Under Exploitation:** Fortinet revealed that a critical security flaw impacting FortiManager (CVE-2024-47575, CVSS score: 9.8), which allows for unauthenticated remote code execution, has come under active exploitation in the wild. Exactly who is behind it is currently not known. Google-owned Mandiant is tracking the activity under the name UNC5820.

 **🚢🔐 Kubernetes Security for Dummies**

How to implement a container security solution and **Kubernetes Security best practices** all rolled into one. This guide includes everything essential to know about building a strong security foundation and running a well-protected operating system.

Get the Guide**️🔥 Trending CVEs**

CVE-2024-41992, CVE-2024-20481, CVE-2024-20412, CVE-2024-20424, CVE-2024-20329, CVE-2024-38094, CVE-2024-8260, CVE-2024-38812, CVE-2024-9537, CVE-2024-48904

**🔔 Top News**

*   **Severe Cryptographic Flaws in 5 Cloud Storage Providers:** Cybersecurity researchers have discovered severe cryptographic issues in end-to-end encrypted (E2EE) cloud storage platforms Sync, pCloud, Icedrive, Seafile, and Tresorit that could be exploited to inject files, tamper with file data, and even gain direct access to plaintext. The attacks, however, hinge on an attacker gaining access to a server in order to pull them off.
*   **Lazarus Exploits Chrome Flaw:** The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome (CVE-2024-4947) to seize control of infected devices. The vulnerability was addressed by Google in mid-May 2024. The campaign, which is said to have commenced in February 2024, involved tricking users into visiting a website advertising a multiplayer online battle arena (MOBA) tank game, but incorporated malicious JavaScript to trigger the exploit and grant attackers remote access to the machines. The website was also used to deliver a fully-functional game, but packed in code to deliver additional payloads. In May 2024, Microsoft attributed the activity to a cluster it tracks as Moonstone Sleet.
*   **AWS Cloud Development Kit (CDK) Account Takeover Flaw Fixed:** A now-patched security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) could have allowed an attacker to gain administrative access to a target AWS account, resulting in a full account takeover. Following responsible disclosure on June 27, 2024, the issue was addressed by Amazon in CDK version 2.149.0 released in July 2024.
*   **SEC Fines 4 Companies for Misleading SolarWinds Disclosures:** The U.S. Securities and Exchange Commission (SEC) charged four public companies, Avaya, Check Point, Mimecast, and Unisys, for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020. The federal agency accused the companies of downplaying the severity of the breach in their public statements.
*   **4 REvil Members Sentenced in Russia:** Four members of the now-defunct REvil ransomware operation, Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov, have been sentenced to several years in prison in Russia. They were originally arrested in January 2022 following a law enforcement operation by Russian authorities.

**📰 Around the Cyber World**

*   **Delta Air Lines Sues CrowdStrike for July Outage:** Delta Air Lines filed a lawsuit against CrowdStrike in the U.S. state of Georgia, accusing the cybersecurity vendor of breach of contract and negligence after a major outage in July caused 7,000 flight cancellations, disrupted travel plans of 1.3 million customers, and cost the carrier over $500 million. "CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit," it said. "If CrowdStrike had tested the Faulty Update on even one computer before deployment, the computer would have crashed." CrowdStrike said "Delta's claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."
*   **Meta Announces Secure Way to Store WhatsApp Contacts:** Meta has announced a new encrypted storage system for WhatsApp contacts called Identity Proof Linked Storage (IPLS), allowing users to create and save contacts along with their usernames directly within the messaging platform by leveraging key transparency and hardware security module (HSM). Until now, WhatsApp relied on a phone's contact book for syncing purposes. NCC Group, which carried out a security assessment of the new framework and uncovered 13 issues, said IPLS "aims to store a WhatsApp user's in-app contacts on WhatsApp servers in a privacy-friendly way" and that "WhatsApp servers do not have visibility into the content of a user's contact metadata." All the identified shortcomings have been fully fixed as of September 2024.
*   **CISA, FBI Investigating Salt Typhoon Attacks:** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the U.S. government is investigating "the unauthorized access to commercial telecommunications infrastructure" by threat actors linked to China. The development comes amid reports that the Salt Typhoon hacking group broke into the networks of AT&T, Verizon, and Lumen. The affected companies have been notified after the "malicious activity" was identified, CISA said. The breadth of the campaign and the nature of information compromised, if any, is unclear. Multiple reports from The New York Times, The Wall Street Journal, Reuters, Associated Press, and CBS News have claimed that Salt Typhoon used their access to telecommunications giants to tap into phones or networks used by Democratic and Republican presidential campaigns.
*   **Fraudulent IT Worker Scheme Becomes a Bigger Problem:** While North Korea has been in the news recently for its attempts to gain employment at Western companies, and even demanding ransom in some cases, a new report from identity security company HYPR shows that the employee fraud scheme isn't just limited to the country. The company said it recently offered a contract to a software engineer claiming to be from Eastern Europe. But subsequent onboarding and video verification process raised a number of red flags about their true identity and location, prompting the unnamed individual to pursue another opportunity. There is currently no evidence tying the fraudulent hire to North Korea, and it's not clear what they were after. "Implement a multi-factor verification process to tie real world identity to the digital identity during the provisioning process," HYPR said. "Video-based verification is a critical identity control, and not just at onboarding."
*   **Novel Attacks on AI Tools:** Researchers have uncovered a way to manipulate digital watermarks generated by AWS Bedrock Titan Image Generator, making it possible for threat actors to not only apply watermarks to any image, but also remove watermarks from images generated by the tool. The issue has been patched by AWS as of September 13, 2024. The development follows the discovery of prompt injection flaws in Google Gemini for Workspace, allowing the AI assistant to produce misleading or unintended responses, and even distribute malicious documents and emails to target accounts when users ask for content related to their email messages or document summaries. New research has also found a form of LLM hijacking attack wherein threat actors are capitalizing on exposed AWS credentials to interact with large language models (LLMs) available on Bedrock, in one instance using them to fuel a Sexual Roleplaying chat application that jailbreaks the AI model to "accept and respond with content that would normally be blocked" by it. Earlier this year, Sysdig detailed a similar campaign called LLMjacking that employs stolen cloud credentials to target LLM services with the goal of selling the access to other threat actors. But in an interesting twist, attackers are now also attempting to use the stolen cloud credentials to enable the models, instead of just abusing those that were already available.

**🔥 Resources & Insights****🎥 Infosec Expert Webinar**

**Master Data Security in the Cloud with DSPM**: Struggling to keep up with data security in the cloud? Don't let your sensitive data become a liability. Join our webinar and learn how Global-e, a leading e-commerce enabler, dramatically improved their data security posture with DSPM. CISO Benny Bloch reveals their journey, including the challenges, mistakes, and critical lessons learned. Get actionable insights on implementing DSPM, reducing risk, and optimizing cloud costs. Register now and gain a competitive edge in today's data-driven world.

**🛡️Ask the Expert**

**Q:** What is the most overlooked vulnerability in enterprise systems that attackers tend to exploit?

**A:** The most overlooked vulnerabilities in enterprise systems often lie in IAM misconfigurations like over-permissioned accounts, lax API security, unmanaged shadow IT, and poorly secured cloud federations. Tools like Azure PIM or SailPoint help enforce least privilege by managing access reviews, while Kong or Auth0 secure APIs through token rotation and WAF monitoring. Shadow IT risks can be reduced with Cisco Umbrella for app discovery, and Netskope CASB for enforcing access control. To secure federations, use Prisma Cloud or Orca to scan settings and tighten configurations, while Cisco Duo enables adaptive MFA for stronger authentication. Finally, safeguard service accounts with automated credential management through HashiCorp Vault or AWS Secrets Manager, ensuring secure, just-in-time access.

**🔒 Tip of the Week**

**Level Up Your DNS Security:** While most people focus on securing their devices and networks, the Domain Name System (DNS)—which translates human-readable domain names (like example.com) into machine-readable IP addresses—is often overlooked. Imagine the internet as a vast library and DNS as its card catalog; to find the book (website) you want, you need the right card (address). But if someone tampered with the catalog, you could be misled to fake websites to steal your information. To enhance DNS security, use a privacy-focused resolver that doesn't track your searches (a private catalog), block malicious sites using a "hosts" file (rip out the cards for dangerous books), and employ a browser extension with DNS filtering (hire a librarian to keep an eye out). Additionally, enable DNSSEC to verify the authenticity of DNS records (verify the card's authenticity) and encrypt your DNS requests using DoH or DoT (whisper your requests so no one else can hear).

**Conclusion**

And there you have it – another week's worth of cybersecurity challenges to ponder. Remember, in this digital age, vigilance is key. Stay informed, stay alert, and stay safe in the ever-evolving cyber world. We'll be back next Monday with more news and insights to help you navigate the digital landscape.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 21 - Oct 27)

Operational Technology (OT) security has affected marine vessel and port operators, since both ships and industrial cranes are being digitalized and automated at a rapid pace, ushering in new types of security challenges.
Ships come to shore every six months on average. Container cranes are mostly automated. Diagnostics, maintenance, upgrade and adjustments to these critical systems are done

Operational Technology / Cybersecurity

Operational Technology (OT) security has affected marine vessel and port operators, since both ships and industrial cranes are being digitalized and automated at a rapid pace, ushering in new types of security challenges.

Ships come to shore every six months on average. Container cranes are mostly automated. Diagnostics, maintenance, upgrade and adjustments to these critical systems are done remotely, often by third-party vendor technicians. This highlights the importance of proper secure remote access management for industrial control systems (ICS).

Learn more in our Buyer's Guide for Secure Remote Access Lifecycle Management.

We at SSH Communications Security (SSH) have been pioneering security solutions that bridge the gap between IT and OT in privileged access management. Let's investigate how we helped two customers solve their critical access control needs with us.

****Secure Remote Access Around the Globe to 1000s of Ships****

In the maritime industry, ensuring secure and efficient remote access to OT systems is vital for maintaining vessel operations and safety. A prominent marine vessel operator, managing a fleet of advanced ships, faced significant challenges in this area. With operations spanning across the globe and an ever-expanding fleet of ships to manage, the company needed a robust solution to secure remote access for their engineers and vendor technicians.

****The Challenge****

The customer's existing security measures were inadequate for the complex and dynamic nature of their operations. The connections to ships were always on, it was hard to link an identity to each session, the lack of both granular access controls and comprehensive auditing capabilities posed a risk to both security and compliance, and the customer had scalability challenges with their existing solution.

****The Solution: PrivX OT Edition****

To overcome these challenges, the company implemented SSH's PrivX OT Edition. This solution provides a centralized, scalable, and user-friendly platform for managing remote access. Key features include:

*   Enabling the customer to **connect to their customers' 1000s of container ships globally over satellite links** to perform maintenance, monitoring and diagnostics.
*   **Just-in-Time (JIT) and Just Enough Access (JEA)**: Ensuring that engineers have the appropriate level of access only when needed and only for the duration required.
*   **Comprehensive auditing**: Offering detailed insights into access management.
*   **Centralized access**: Both internal and external technicians log into one centralized gateway regardless of the location of the ship or the technician.
*   **Automation**: The solution was deployed in the AWS cloud for satellite connections and automatic linking of an identity to a role for high performance.

As a result, the customer can now ensure the safety of the crew, prevent unscheduled and costly dock time, mitigate the risk of disruptions to ship operations, and fulfill the requirements and recommendations by the NIS2 Directive and IEC 62442 standards. All this while modernizing their operations to gain a competitive edge in the global maritime industry.

Read more about the case here.

****Vendor Technician Access to Industrial Cranes Restricted and Secured****

This customer is a leading global manufacturer of industrial equipment, with over a century of experience. Operating in around 50 countries, the company needed a robust solution to secure remote access to automated industrial cranes for their maintenance engineers.

****The Challenge****

The company's existing point solution based security controls were insufficient. They lacked the necessary granularity, functionality, and transparency, increasing the risk of cyberattacks and data breaches. As an example, the customer had difficulties in restricting access to cranes in a specific port, meaning that a maintenance engineer from Asia could access a port in Europe - and vice versa.

Additionally, the previous solution did not provide adequate auditing capabilities, making compliance and security regulation adherence difficult.

****The Solution: PrivX OT Edition****

To address these challenges, the company adopted SSH's PrivX OT Edition. This solution offers a centralized, scalable, and user-friendly platform to manage remote access. Key features include:

*   **Regional restrictions** on vendor technicians to access cranes at maritime ports.
*   **Just-in-Time (JIT) and Just Enough Access (JEA)**: Ensuring that engineers have the right level of access at the right time for the right crane only.
*   **Comprehensive Auditing**: Audit trail of activities, session monitoring and recording.
*   **Non-disruptive deployment**: Adding granular access control with minimal changes to existing VPN/Firewall/technology infrastructure.

As a result, the customer can now restrict access per region and per crane for proper segregation of duties. Both ad-hoc and scheduled technician access is secure and available within minutes - and with automatic off-boarding. What's more, this more granular access control was achieved with minimal disruption to the existing infrastructure.

Read more about the case here.

****Conclusion****

With PrivX OT Edition, companies can centralize access to all critical targets in IT and OT, regardless of the location of the user or the target. The solution removes the need for point solutions for access and offers a uniform, scalable, and coherent access for security needs at industrial scale.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#aws