Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries.

**CoralRaider targets victims’ data and social media accounts**

Thursday, April 4, 2024 08:00

*   Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. 
*   This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts.
*   They use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads in the campaign we analyzed.
*   The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe 

**CoralRaider operators likely based in Vietnam **

Talos assesses with high confidence that the CoralRaider operators are based in Vietnam, based on the actor messages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hardcoded in their payload binaries. The actor’s IP address is located in Hanoi, Vietnam. 

 Our analysis revealed that the actor uses a Telegram bot, as a C2, to exfiltrate the victim’s data. This allowed us to collect information and uncover several invaluable indicators about the origin and activities of the attacker. 

The attacker used two Telegram bots: A “debug” bot for debugging, and an “online” bot where victim data was received. However, a Desktop image in the “debug” bot had a similar desktop and Telegram to the “online” bot. This showed that the actor possibly infected their own environment while testing the bot. 

Analyzing the images of the actor’s Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named “Kiém tien tử Facebook,” “Mua Bán Scan MINI,” and “Mua Bán Scan Meta.” Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded. 

In an image from the “debug bot,” we spotted the Windows device ID (HWID) and an IP address (118\[.\]71\[.\]64\[.\]18), located in Hanoi, Vietnam, that is likely to be CoralRaider’s IP address.

Talos’ research uncovered two other images that revealed a few folders on their OneDrive. One of the folders had a Vietnamese name, “Bot Export Chiến,” which is the same as one of the folders in the PDB strings of their loader component. Pivoting on the folder path in the PDB string, we discovered a few other PDB strings having similar paths but different Vietnamese names. We analyzed the discovered samples with the PDB strings and found they belong to the same loader family, RotBot. The Vietnamese name in the PDB string of the loader binary further strengthens our assessment that CoralRaider is of Vietnamese origin.

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Khuê\\14.225.210.XX-Khue-Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\149.248.79.205 - NetFrame 4.5 Run Dll - 2024\\ChromeCrashServices\\obj\\Debug\\FirefoxCrashSevices.pdb

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-Trứ\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-Trứ\\GPT\\bin\\Debug\\SkypeApp.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\ROT Ver 5.5\\Source\\Encrypted\\Ver 4.8 - Client Netframe 4.5\\XClient\\bin\\Debug\\AI.pdb

  

Another image we analyzed is an Excel spreadsheet that likely contained the victims’ data. We have redacted the images to maintain confidentiality. The spreadsheet has several tabs in Vietnamese, and their English translation showed us the tabs “Employee salary spreadsheet,” “advertising costs,” “website to buy copies,” “PayPal related,” and “can use.” The spreadsheet seemed to have multiple versions — the first was created on May 10, 2023. We also spotted that they have logged into their Microsoft Office 365 account with the display name “daloia krag” while accessing the spreadsheet, and CoralRaider likely operates the account. 

CoralRaider’s payload, XClient stealer analysis, showed us a few more indicators. CoralRaider had hardcoded Vietnamese words in several stealer functions of their payload XClient stealer. The stealer function maps the stolen victim’s information to hardcoded Vietnamese words and writes them to a text file on the victim machine’s temporary folder before exfiltration. One example function we observed is used to steal the victim’s Facebook Ads account that has hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created, etc.

**The campaign  **

Talos observed that CoralRaider is conducting a malicious campaign targeting victims in multiple countries in Asia and Southeast Asia, including India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam. 

The initial vector of the campaign is the Windows shortcut file. We are unclear on the technique the actor used to deliver the LNKs to the victims. Some of the shortcut file filenames that we observed during our analysis are:

*   자세한 비디오 및 이미지.lnk
*   設計內容+我的名片.lnk
*   run-dwnl-restart.lnk
*   index-write-upd.lnk
*   finals.lnk
*   manual.pdf.lnk
*   LoanDocs.lnk
*   DoctorReferral.lnk
*   your-award.pdf.lnk
*   Research.pdf.lnk
*   start-of-proccess.lnk
*   lan-onlineupd.lnk
*   refcount.lnk

We also discovered a few notable unique drive serial numbers from the metadata of the Windows Shortcut files:

*   A0B4-2B36
*   FA4C-C31D
*   94AA-CEFB
*   46F7-AF3B

The attack begins when a user opens a malicious Windows shortcut file, which downloads and executes an HTML application file (HTA) from an attacker-controlled download server. The HTA file executes an embedded obfuscated Visual Basic script. The malicious Visual Basic script executes an embedded PowerShell script in the memory, which decrypts and sequentially executes three other PowerShell scripts that perform anti-VM and anti-analysis checks, bypass the User Access Controls, disables the Windows and application notifications on the victim’s machine, and finally downloads and run the RotBot. 

RotBot, the QuasarRAT client variant, in its initial execution phase, performs several detection evasion checks on the victim machine and conducts system reconnaissance. RotBot then connects to a host on a legitimate domain, likely controlled by the threat actor, and downloads the configuration file for the RotBot to connect to the C2. CoralRaider uses the Telegram bot as the C2 channel in this campaign. 

After connecting to the Telegram C2, RotBot loads the payload XClient stealer onto the victim memory from its resource and runs its plugin program. The XClient stealer plugin performs anti-VM and anti-virus software checks on the victim's machine. It executes its functions to collect the victim's browser data, including cookies, stored credentials, and financial information such as credit card details. It also collects the victim’s data from social media accounts, including Facebook, Instagram, TikTok business ads, and YouTube. It also collects the application data from the Telegram desktop and Discord application on the victim's machine. The stealer plugin can capture screenshots of the victim’s desktop and save them as a PNG file in the victim's machine’s temporary folder. With PNG files, the stealer plugin dumps the collected victim’s data from the browser and social media accounts in a text file and creates a ZIP archive. The PNG and ZIP files are exfiltrated to the attacker's Telegram bot C2.

Infection flow diagram.

**RotBot loads and runs the payload  **

RotBot, a remote access tool (RAT) compiled on Jan. 9, 2024, is downloaded and runs on the victim machine disguised as a Printer Subsystem application “spoolsv.exe.” RotBot is a variant of the QuasarRAT client that the threat actor has customized and compiled for this campaign. 

During its initial execution, RotBot performs several checks on the victim’s machine to evade detection, including IP address, ASN number, and running processes of the victim’s machine. It performs reconnaissance of system data on the victim machine. It also configures the internet proxy on the victim machine by modifying the registry key: 

Software\\Microsoft\\Windows\\CurrentVersion\\Internet 

Settings with the values:

ProxyServer = 127.0.0.1:80

ProxyEnable = 1

We observed that RotBot discovered in this campaign creates mutex in the victim machine as the infection markers​​ using the hardcoded strings in the binary.

RotBot loads and runs the XClient stealer module from its resources and uses the configuration parameters for its Telegram C2 bot from the downloaded configuration file. 

The XClient stealer sample we analyzed in this campaign is a .Net executable compiled on Jan. 7, 2024. It has extensive information-stealing capability through its plugin module and various modules for performing remote administrative tasks. 

XClient stealer has three primary functions that help it to avoid the radar. First, it will do virtual environment evasion if the victim’s machine runs in VMware or VirtualBox. It also checks if a DLL called sbieDll.dll exists in the victim machine file system to detect if it runs in the Sandboxie environment. XClient stealer also checks if anti-virus software, including AVG, Avast, and Kaspersky, is running on the victim’s machine. 

After bypassing all the checking functions, the XClient stealer captures the victim’s machine screenshot, saves it with the “.png” extension in the victim’s temporary user profile folder, and sends it to C2 through the URL “/sendPhoto.” 

XClient stealer steals victims’ social media web application credentials, browser data, and financial information such as credit card details. It targets Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox browser data files through the absolute paths of the respective browser installation paths. It extracts the contents of the browser database to a text file in the victim’s profile local temporary folder. 

XClient stealer hijacks and steals various Facebook data from the victim’s Facebook account. It sets custom HTTP header metadata along with the victim’s stolen Facebook cookie, and the username sends requests to Facebook APIs through the URLs below.

It checks if the victim’s Facebook is a business or ads account and uses regular expressions to search for access\_token, assetID, and paymentAccountID. Using Facebook graph API, XClient attempts to collect an extensive list of information from the victim’s account, shown in the table below.

Entities

Value place holders

facebook\_pages

verification\_status, fan\_count, followers\_count, is\_owned, name, is\_published,is\_promotable, parent\_page, promotion\_eligible, has\_transitioned\_to\_new\_page\_experience, picture, roles

Adaccounts, businesses

name, permitted\_roles, can\_use\_extended\_credit, primary\_page, wo\_factor\_type, client\_ad\_accounts, verification\_status, id, created\_time, is\_disabled\_for\_integrity\_reasons, sharing\_eligibility\_status, allow\_page\_management\_in\_www, timezone\_id, timezone\_offset\_hours\_utc

owned\_ad\_accounts

id, currency, timezone\_offset\_hours\_utc, timezone\_name,adtrust\_dsl

Business\_users

name, account\_status, account\_id, owner\_business, created\_time, next\_bill\_date, currency, timezone\_name, timezone\_offset\_hours\_utc, business\_country\_code, disable\_reason, adspaymentcycle{threshold\_amount}, has\_extended\_credit, adtrust\_dsl, funding\_source\_details, balance, is\_prepay\_account, owner

XClient stealer also collects the financial information from the victims’ Facebook business and ads accounts.

Payment related entities

Value Place holders

pm\_credit\_card

display\_string, exp\_month, exp\_year, is\_verified

payment\_method\_direct\_debits

address, can\_verify, display\_string, s\_awaiting, is\_pending,

status

payment\_method\_paypal

email\_address

payment\_method\_tokens

Current\_balance, original\_balance, time\_expire, type

amount\_spent, userpermissions

user, role

 Using the graph API, XClient stealer retrieves victims’ account friend list details and pictures. 

XClient stealer also targets the victim’s Instagram account and YouTube accounts through the URLs and collects various information, including username, badge\_count, appID, accountSectionListRenderer, contents, title, data, actions, getMultiPageMenuAction, menu, multiPageMenuRenderer, sections and hasChannel. It collects the application data from the Telegram desktop and Discord application on the victim’s machine. XClient also collects the data from the victim’s TikTok business account and checks for business ads. 

Talos compiled the hardcoded HTTP request header metadata the XClient stealer uses in this campaign while retrieving the victim’s information from Facebook, Instagram, and YouTube accounts. 

Facebook

*   sec-ch-ua-mobile: ?0
    
*   sec-ch-ua-platform: \\"Windows\\"
    
*   sec-fetch-dest: document
    
*   sec-fetch-mode: navigate
    
*   sec-fetch-site: none
    
*   sec-fetch-user: ?1
    
*   upgrade-insecure-requests: 1
    
*   user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
    
*   sec-ch-ua: \\"Not?A\_Brand\\";v=\\"8\\", \\"Chromium\\";v=\\"108\\", \\"Google Chrome\\";v=\\"108\\"
    
*   sec-ch-ua-mobile: ?0
    

  

Instagram

*   Sec-Ch-Prefers-Color-Scheme: light
    
*   Sec-Ch-Ua: "Google Chrome"; v = "113", "Chromium"; v = "113", "Not-A.Brand"; v = "24"
    
*   Sec-Ch-Ua-Full-Version-List: "Google Chrome"; v = "113.0.5672.127", "Chromium"; v = "113.0.5672.127", "Not-A.Brand"; v = "24.0.0.0"
    
*   Sec-Ch-Ua-Mobile: ?0
    
*   Sec-Ch-Ua-Platform: "Windows"
    
*   Sec-Ch-Ua-Platform-Version: "10.0.0"
    
*   Sec-Fetch-Dest: document
    
*   Sec-Fetch-Mode: navigate
    
*   Sec-Fetch-Site: none
    
*   Sec-Fetch-User: ?1
    
*   Upgrade-Insecure-Requests: 1
    
*   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit / 537.36(KHTML, like Gecko) Chrome / 113.0.0.0 Safari / 537.36
    

  

Youtube

*   content-type: application/json
    
*   sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
    
*   sec-ch-ua-arch: "x86"
    
*   sec-ch-ua-bitness: "64"
    
*   sec-ch-ua-full-version: "113.0.5672.127"
    
*   sec-ch-ua-full-version-list: "Google Chrome";v="113.0.5672.127", "Chromium";v="113.0.5672.127", "Not-A.Brand";v="24.0.0.0"
    
*   sec-ch-ua-mobile: ?0
    
*   sec-ch-ua-model: ""
    
*   sec-ch-ua-platform: "Windows"
    
*   sec-ch-ua-platform-version: "10.0.0"
    
*   sec-ch-ua-wow64: ?0
    
*   sec-fetch-dest: empty
    
*   sec-fetch-mode: same-origin
    
*   user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
    
*   x-goog-authuser: 0
    
*   x-origin: https://www.youtube.com
    
*   x-youtube-bootstrap-logged-in: true
    
*   x-youtube-client-name: 1
    

Finally, the XClient stealer stores the victim’s social media data, which is collected into a text file in the local user profile temporary folder and creates a ZIP archive. The ZIP files were exfiltrated to the Telegram C2 through the URL “/sendDocument”.

Talos’ research of this campaign focused on discovering and disclosing a new threat actor of Vietnamese origin and their payloads. Additional technical details of the attack chain components of this campaign can be found in the report published by the researchers at QiAnXin Threat Intelligence Center. 

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63192.

ClamAV detections are also available for this threat:

Lnk.Downloader.CoralRaider-10024620-0

Html.Downloader.CoralRaider-10025101-0

Win.Trojan.RotBot-10024631-0

Win.Infostealer.XClient-10025106-2

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

CoralRaider targets victims’ data and social media accounts

While Singaporean organizations have adopted the majority of their government's cybersecurity recommendations, they aren't immune: More than eight in 10 experienced a cybersecurity incident over the course of the year.

Source: Cristophe Coat via Alamy Stock Photo

Singapore is leaving other countries in the dust when it comes to cybersecurity preparedness, according to a new government survey.

The Cyber Security Agency of Singapore's (CSA) Cybersecurity Health Report 2023 polled 2,036 small, medium, and large organizations, across 23 sectors, about various aspects of their cybersecurity — breaches faced, business impacts, measures implemented, and the like. It found that, on average, organizations have implemented just over 70% of the requirements necessary to obtain a "Cyber Essentials" certification. The certification includes five categories of national cybersecurity standards: "Assets," "Secure/Protect," "Update," "Backup," and "Respond."

Seventy percent is far from perfect, CSA emphasized, and some of its other results were a cause for further concern. But if graded on a curve, Singapore's organizations are doing quite well compared with the rest of the world.

"Governments and companies can take a page from Singapore's playbook and focus on proactive protection, education of the public, and discussion of cybersecurity initiatives at the highest levels of government," says Stephanie Boo, the Singapore-based senior vice president at Menlo Security.

**Why Singapore Is Ahead**

In contrast to the CSA's results, consider Cisco's 2024 Cybersecurity Readiness Index, released last week.

In a poll of 8,000 cybersecurity and business leaders across 30 countries, Cisco assessed that only 3% of organizations have a "mature" level of security readiness "needed to be resilient against modern cybersecurity risks." Seventy-one percent of organizations were graded as either in the "formative" stage (below average) or "beginner" (only just beginning to deploy security solutions).

When it comes to Singapore's vastly better results, Boo says, "Great government policies and ability to implement them across a small country are a couple contributing factors."

"However, credit also goes to a very computer-savvy population with a highly digitized economy, and a thoughtful, problem-solving approach to breaches. When the country experienced a breach in 2018, rather than continue business as usual, the government instituted an Internet separation where computers connecting to business applications are air-gapped from the Internet," she says. "For the many headline-grabbing breaches we have seen in the US, we have not seen a coordinated solution or mandate from other governments."

**Now the Bad News**

CSA's report also included some concerning results, however.

More than eight in 10 Singaporean organizations experienced a cybersecurity incident over the course of the year, and half experienced several. Among those, 99% experienced a business impact, with the most common consequences being business disruption, data loss, and reputational damage.

Singaporean business leaders were also found to suffer from the same recurring mental blocks that cyber professionals rail against no matter where they are in the world. When it came to why they haven't implemented security measures, besides a lack of knowledge and experience, respondents — 46% of businesses, 49% of nonprofits — most often expressed the belief that they were unlikely to be a target of a cyberattack. They also admitted that cybersecurity is a low priority at their organizations (38% and 44%, respectively), and cited a perceived lack of return on investment (36% and 31%).

CSA highlighted the irony in these arguments in a fact sheet, noting that the cost of meeting Singapore's Cyber Essentials threshold for a small business ranges from around $1,800 to $4,500.

"The amount is typically a small fraction of the cost of business disruptions or recovery procedures due to cyber incidents, the impact of which may also be extended beyond affected organizations to their customers and suppliers," according to the agency.

Boo notes that, in general, small businesses lack the resources to approach security from the business-case perspective.

"Small businesses focus on the must-haves to run their business and don’t have the bandwidth or forethought to look at business enablers from security," Boo says. "The best way to educate small businesses is to deliver the education through channels they already use — like their bank, credit card company, or their telecommunications provider. It is also important to keep it simple and focus on the business benefits rather than the complexity of cyber threats."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Singapore Sets High Bar in Cybersecurity Preparedness

PRESS RELEASE

Austin, TX – April 3, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent test of eleven market leading Cloud Network Firewall vendors. Six products were Recommended, one product received a Neutral rating, and four received a Caution rating.

Cloud network firewalls are considered to be the first line of defense when deployed in public cloud providers such as Amazon Web Services, Google Cloud Platform and Microsoft Azure. But implementing security in the cloud can be complex, with multiple factors influencing effectiveness. 

CyberRatings tested the cloud firewall products to determine how they handled TLS/SSL (authentication) 1.2 and 1.3 cipher suites (algorithms), how they defended against 984 exploits (attacks that take advantage of a software flaw or install malware), and whether any of 1,645 evasions could bypass protection. At all times the devices needed to remain stable under adverse conditions. To provide a more realistic rating based on modern network traffic, both clear text (HTTP) and encrypted traffic (HTTPS) were measured. Amazon Web Services (AWS) was the public cloud service chosen to run the test.

The combination of Security Effectiveness and Value dictated where products landed on the Security Value Map™ (SVM). Six out of the eleven products were Recommended for their Security Effectiveness with scores ranging from 99.70% to 100%. Recommended ratings are based on threat prevention (how many exploits and evasions were blocked?), TLS/SSL functionality, routing and policy enforcement, and stability and reliability to achieve a final Security Effectiveness score. These same products also demonstrated competitive pricing in the Total Cost per Protected Mbps (Value). The product rated Neutral received a 48.44% Security Effectiveness score. Four products rated Caution had Security Effectiveness scores ranging from 5.39% to 48.37%. 

“We have been testing firewalls for years, and more recently cloud network firewalls,” said Vikram Phatak, CEO of CyberRatings.org. “All of the products chosen were market leaders and the range of scores clearly shows that building a product for the cloud is different than building a product on an appliance where you control the environment,” said Phatak. “We recommend that enterprises check with their service providers or IT teams to see which cloud firewall products are currently deployed in their networks.”

As part of the cloud firewall test, CyberRatings also checked to see if products were secure by default. It was discovered that some firewall evasion defenses are not on by default, potentially leaving customers at significant risk. In response, CyberRatings is providing a policy and configuration guide to help enterprises ensure that their firewalls are configured properly.

Encryption matters: roughly 80% of web traffic is encrypted. The top four cipher suites account for over 95% of HTTPS traffic. In some products, decryption was not on by default. Firewalls will not see attacks delivered via HTTPS unless configured to do so. Performance is significantly different when TLS/SSL is turned on. With the exception of one vendor that failed to handle TLS 1.3 despite claiming support, all other vendors supported encryption. 

Enterprises should monitor security and performance capabilities, and update firewalls regularly. With the everchanging cloud platform and agile development, something can go wrong even when the security vendor does not make a change. 

The following products were evaluated:

Cloud Network Firewall

Rating

Security

Effectiveness

Rated Throughput

(Mbps)

Price per Protected Mbps

Amazon Web Services (AWS) Network Firewall

Caution

5.39%

1,000

$601.34

Barracuda CloudGen Firewall

Caution

11.38%

441

$287.86 

Check Point CloudGuard

Recommended

99.80%

1,180

$12.70 

Cisco Secure Firewall Threat Defense Virtual 

Caution

20.86%

373

$76.91 

Forcepoint NGFW

Recommended

99.80%

698

$8.45 

Fortinet FortiGate-VM

Recommended

100%

1,458

$10.56 

Juniper Networks vSRX

Recommended

99.70%

1,228

$5.72 

Palo Alto Networks VM-Series Next-Generation Firewall w/ Advanced Threat Prevention

Recommended

100%

1,036

$5.83 

Sophos Firewall

Caution

48.37%

135

$83.16 

Versa Networks NGFW

Recommended

99.90%

2,553

$7.58 

WatchGuard Firebox Cloud

Neutral

48.44%

291

$27.06 

Additional Resources:

Cloud Network Firewall Comparative Report and Test Reports

2024 Best Practices for Cloud Network Firewall Deployment

Exploring the Landscape of Cloud Network Firewalls Available on AWS

Why Firewalls Should be Secure by Default

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

CyberRatings.org Announces Test Results for Cloud Network Firewall

A federal review board demanded that the tech giant prioritize its "inadequate" security posture, putting the blame solely on the company for last year's Microsoft 365 breach that allowed China's Storm-0558 to hack the email accounts of key government officials.

Source: Wachirawit Lemlerkchai via Alamy Stock Photo

A federal review board has called on Microsoft to prioritize its approach to cloud security and stop pushing the burden of it onto customers in the wake of a July 2023 cyberattack that let Chinese threat actors breach Microsoft 365 accounts to spy on key US government officials.

A report released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft's security culture, putting the blame squarely on the company and a "cascade of security failures" for the cyber espionage attack by China-based threat group Storm-0558, which "never should have happened."

The board — which was investigating the breach at the behest of President Joe Biden — demanded that the technology giant put cybersecurity at the top of its agenda. It also should be held to strict account to make significant revisions to its cloud-security position, even prioritizing these changes ahead of new product features and development.

"To drive the rapid cultural change that is needed within Microsoft, the board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company's security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products," officials said in the report.

**Put Security Before Product Innovation**

As part of its review, the board made a series of recommendations to this end, including that top executives not only develop this plan but also hold leaders at all levels across the company accountable for implementing it.

Microsoft leadership also should consider directing internal Microsoft teams to "deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made," instead assessing and addressing security before deploying any new features, the board concluded.

Given the dependence on the security of Microsoft's cloud-based services and infrastructure, the software giant and other CSPs also need to take more accountability overall for the security outcomes of their customers. An action item at the top of this list is to halt the practice of making customers pay for security-related logging, making it "a core element" of cloud offerings instead of an add-on service for an extra fee.

Microsoft already relented and dropped fees associated with expanded logging access for all levels of 365 license holders shortly after the breach following complaints that it was effectively levying a logging tax on customers.

**This One Is on Microsoft**

The overall finding of the board is that the blame for the breach — which allowed Storm-0558 to gain access to email accounts across 25 government agencies in Western Europe and the US — is solely with Microsoft, and was directly due to a series of security failings on the part of the company.

As the fallout from the breach intensified in the weeks after its initial detection, Microsoft eventually in September 2023 owned up to a series of mistakes that led to Storm-0558 using a Microsoft account (MSA) consumer signing key to forge Azure AD tokens for accessing enterprise email accounts. MSA consumer keys are typically used to cryptographically sign into a Microsoft consumer application or service such as Outlook.com, OneDrive, and Xbox Live.

The company said at the time that a race condition resulted in the signing key being present either in a crash dump or a snapshot of the crashed system. The key eventually ended up with the debugging team on Microsoft's Internet-connected corporate network, where threat actors likely picked it off.

However, government officials held executives feet to the fire over the company's failure to detect the compromise of its "cryptographic crown jewels on its own," as it was a customer — a human rights organization who did not have access to advanced cloud security logging — that first alerted the company to a potential issue.

Moreover, Microsoft has never proven that the key used by attackers ended up in any crash dump or snapshot, and failed to correct statements claiming this as the root cause "in a timely manner." Indeed, Microsoft did not roll back its story on how the key got into the hands of Storm-0558 until last month, when it amended its blog post and acknowledged it never located a crash dump containing the key.

Finally, Microsoft is generally lax in comparison to other cloud service providers (CSPs) when it comes to cloud security, failing to keep security controls to a similar standard, the board found. The company must level up immediately given that its ubiquitously used products "underpin essential services that support national security, the foundations of our economy, and public health and safety," which in turn, requires Microsoft "to demonstrate the highest standards of security, accountability, and transparency," officials concluded.

A Microsoft spokesperson said that the company appreciates the work of the board to investigate the attack, and that in its aftermath the company has recognized a"a need to adopt a new culture of engineering security in our own networks."

To that end, Microsoft unveiled what it's calling a Secure Future Initiative, to mobilize its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.

"Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries," the spokesperson said, adding that Microsoft will also take into consideration any additional recommendations by the board.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds to Microsoft: Clean Up Your Cloud Security Act Now

By cybernewswire
Silver Spring, United States / Maryland, April 3rd, 2024, CyberNewsWire The Leading Company for Securing Access Between Workloads…
This is a post from HackRead.com Read the original post: Aembit Selected as Finalist for RSA Conference 2024 Innovation Sandbox Contest

**Silver Spring, United States / Maryland, April 3rd, 2024, CyberNewsWire**

The Leading Company for Securing Access Between Workloads Recognized for the Aembit Workload IAM Platform

Aembit, the Workload Identity and Access Management (IAM) Company, has been named one of the Top 10 Finalists for the RSA Conference™ 2024 Innovation Sandbox contest for its platform that manages and secures access between critical software resources, like applications and services. Aembit will present its technology to a panel of renowned industry judges and a live in-person audience on May 6 at RSA Conference 2024 at the Moscone Center in San Francisco.

Since 2005, the RSAC Innovation Sandbox contest has served as a platform for the most promising young cybersecurity companies to showcase their groundbreaking technologies and compete for the title of “Most Innovative Startup.” The competition is widely recognized as a catapult for success as the Top 10 Finalists have collectively celebrated more than 80 acquisitions and received $13.5 billion in investments over the last 18 years. Aembit will have three minutes to pitch the panel of judges before a question-and-answer round.

> “The submissions for this year’s RSA Conference Innovation Sandbox contest were both dynamic and inspiring. Along with the rest of our entrepreneurial audience, I am excited to see these ideas come to life on stage,” said Linda Gray Martin, senior vice president of RSA Conference. “The evolution of global cyber threats is constant and there’s no better place to look for solutions and to help solve these challenges than in our own community.”

With the rapid expansion of automated software, cloud services, and APIs, enterprises are being met with an exploding number of workloads across their IT environments. Reflect on the now-outdated practice of jotting down user credentials on sticky notes. Similarly, the current method of securing interactions between workloads typically involves the use of static, long-lived credentials, which are prone to theft and often embedded directly within code.

This approach not only introduces security vulnerabilities but also complicates management and impedes prompt response during security incidents and compliance audits. Aembit shifts the model so enterprises can focus on managing access, instead of managing secrets.

> “Aembit automates and secures the entire workload-to-workload access workflow, from discovery, to enforcement, to audit – at scale,” said David Goldschlag, co-founder and CEO of Aembit. “Instead of building another dashboard showing you problems due to secrets and keys, we proactively fix the root cause of these challenges by systematically improving the way workloads are authorized access to your most sensitive resources, without code changes. You can think of us as Okta (or Azure AD), but between workloads instead of between users and services. The RSA Conference presents the ideal platform for us to demonstrate the significance and impact of our solution to the global security community.”

The RSAC Innovation Sandbox contest kicks off at 10:50 a.m. PT on May 6, and winners will be announced at approximately 1:30 p.m. the same day. The panel of renowned expert judges includes Asheem Chandna, partner at Greylock; Dorit Dor, chief technology officer at Check Point Software Technologies; Niloofar Howe, senior operating partner at Energy Impact Partners; Paul Kocher, independent researcher; and Nasrin Rezai, SVP & CISO at Verizon. Hugh Thompson, RSAC executive chairman and program committee chair of RSA Conference, will return to host the contest.

For more information regarding RSA Conference 2024, taking place at the Moscone Center in San Francisco from May 6 to 9, users can visit https://www.rsaconference.com/usa.

To learn more about the Aembit Workload IAM Platform, watch this demo video.

**About Aembit**

Aembit is the Workload Identity and Access Management platform that secures access between workloads across clouds, SaaS, and data centers. With Aembit’s identity control plane, DevSecOps can fully automate secretless, policy-based, and Zero Trust workload access. For more information, visit www.aembit.io and follow us on LinkedIn.

**About RSA Conference**

RSA Conference™ is the premier series of global events and year-round learning for the cybersecurity community. RSAC is where the security industry converges to discuss current and future concerns and have access to the experts, unbiased content, and ideas that help enable individuals and companies advance their cybersecurity posture and build stronger and smarter teams. Both in-person and online, RSAC brings the cybersecurity industry together and empowers the collective “we” to stand against cyberthreats around the world. RSAC is the ultimate marketplace for the latest technologies and hands-on educational opportunities that help industry professionals discover how to make their companies more secure while showcasing the most enterprising, influential, and thought-provoking thinkers and leaders in cybersecurity today. For the most up-to-date news pertaining to the cybersecurity industry visit www.rsaconference.com. Where the world talks security.

**Contact**

**CMO**  
**Apurva Dave**  
**Aembit**  
**\[email protected\]**

Aembit Selected as Finalist for RSA Conference 2024 Innovation Sandbox Contest

By Cyber Newswire
The Leading Company for Securing Access Between Workloads Recognized for the Aembit Workload IAM Platform.
This is a post from HackRead.com Read the original post: Aembit Finalist for RSA Conference 2024 Innovation Sandbox

Aembit, the Workload Identity and Access Management (IAM) Company, has been named one of the Top 10 Finalists for the RSA Conference™ 2024 Innovation Sandbox contest for its platform that manages and secures access between critical software resources, like applications and services.

Aembit will present its technology to a panel of renowned industry judges and a live in-person audience on May 6 at RSA Conference 2024 at the Moscone Center in San Francisco.

Since 2005, the RSAC Innovation Sandbox contest has served as a platform for the most promising young cybersecurity companies to showcase their groundbreaking technologies and compete for the title of “Most Innovative Startup.”

The competition is widely recognized as a catapult for success as the Top 10 Finalists have collectively celebrated more than 80 acquisitions and received $13.5 billion in investments over the last 18 years. Aembit will have three minutes to pitch the panel of judges before a question-and-answer round.

“The submissions for this year’s RSA Conference Innovation Sandbox contest were both dynamic and inspiring. Along with the rest of our entrepreneurial audience, I am excited to see these ideas come to life on stage,” said Linda Gray Martin, senior vice president of the RSA Conference. “The evolution of global cyber threats is constant and there’s no better place to look for solutions and to help solve these challenges than in our community.”

With the rapid expansion of automated software, cloud services, and APIs, enterprises are being met with an exploding number of workloads across their IT environments. Reflect on the now-outdated practice of jotting down user credentials on sticky notes.

Similarly, the current method of securing interactions between workloads typically involves the use of static, long-lived credentials, which are prone to theft and often embedded directly within code.

This approach not only introduces security vulnerabilities but also complicates management and impedes prompt response during security incidents and compliance audits. Aembit shifts the model so enterprises can focus on managing access, instead of managing secrets.

“Aembit automates and secures the entire workload-to-workload access workflow, from discovery to enforcement, to audit – at scale,” said David Goldschlag, co-founder and CEO of Aembit.

“Instead of building another dashboard showing you problems due to secrets and keys, we proactively fix the root cause of these challenges by systematically improving the way workloads are authorized access to your most sensitive resources, without code changes. You can think of us as Okta (or Azure AD) but between workloads instead of between users and services. The RSA Conference presents the ideal platform for us to demonstrate the significance and impact of our solution to the global security community.”

The RSAC Innovation Sandbox contest kicks off at 10:50 a.m. PT on May 6, and winners will be announced at approximately 1:30 p.m. the same day. The panel of renowned expert judges includes Asheem Chandna, partner at Greylock; Dorit Dor, chief technology officer at Check Point Software Technologies; Niloofar Howe, senior operating partner at Energy Impact Partners; Paul Kocher, independent researcher; and Nasrin Rezai, SVP & CISO at Verizon. Hugh Thompson, RSAC executive chairman and program committee chair of the RSA Conference, will return to host the contest.

For more information regarding RSA Conference 2024, taking place at the Moscone Center in San Francisco from May 6 to 9, users can visit rsaconference.com/usa. To learn more about the Aembit Workload IAM Platform, watch this demo video.

****About Aembit****

Aembit is the Workload Identity and Access Management platform that secures access between workloads across clouds, SaaS, and data centers. With Aembit’s identity control plane, DevSecOps can fully automate secretless, policy-based, and zero-trust workload access.

****About RSA Conference****

RSA Conference™ is the premier series of global events and year-round learning for the cybersecurity community. RSAC is where the security industry converges to discuss current and future concerns and have access to the experts, unbiased content, and ideas that help enable individuals and companies to advance their cybersecurity posture and build stronger and smarter teams.

Both in-person and online, RSAC brings the cybersecurity industry together and empowers the collective “we” to stand against cyber threats around the world. RSAC is the ultimate marketplace for the latest technologies and hands-on educational opportunities that help industry professionals discover how to make their companies more secure while showcasing the most enterprising, influential, and thought-provoking thinkers and leaders in cybersecurity today.

**Contact**

**CMO**  
**Apurva Dave**  
**Aembit**  
**\[email protected\]**

Aembit Finalist for RSA Conference 2024 Innovation Sandbox

Campaign distributes malware disguised as legitimate installers for popular workplace collaboration apps by abusing a traffic-tracking feature.

Source: Bits and Splits via Shutterstock

Attackers are once again abusing Google Ads to target people with info-stealing malware, this time using an ad-tracking feature to lure corporate users with fake ads for popular collaborative groupware such as Slack and Notion.

Researchers from AhnLab Security Intelligence Center (ASEC) discovered a malicious campaign that uses a statistical feature to embed URLs that distribute malware, including the Rhadamanthys stealer, they revealed in a blog post published this week. The feature lets advertisers insert external analytic website addresses into ads to collect and use their visitors' access-related data to calculate ad traffic.

However, instead of inserting a URL for an external statistics site, attackers are abusing the feature to enter sites for distributing malicious code, the researchers found.

Ads related to the campaign have already been deleted. But when they were still active, "clicking on the banner would take unsuspecting users to the address that would trick them into downloading a malicious file," according to ASEC.

In the campaign, Rhadamanthys is disguised as an installer for popular groupware often used by corporate teams for workplace collaboration. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker's server.

**Redirects to Stealer Downloads**

The ASEC post breaks down how attackers crafted the campaign to show banner ads that contain tracking URLs invisible to the end user that redirect users to an attacker-created and -controlled URL. This ultimate landing page is similar to the actual website of a groupware tool such as Slack or Notion, and it prompts visitors to download and execute the malware, which is distributed in an installer form.

Typical installers used by the campaign are the Inno Setup installer or Nullsoft Scriptable Install System (NSIS) installer; specifically, attackers used the following executable files: Notion\_software\_x64\_.exe Slack\_software\_x64\_.exe; Trello\_software\_x64\_.exe; and GoodNotes\_software\_x64\_32.exe.

"Once it is executed, the malware uses websites that can save texts such as textbin or tinyurl to access the malicious payload addresses," ASEC said in its blog post, which lists the URLs attackers used to fetch these addresses, which are subsequently delivered to users.

The ultimate payload of the campaign is the Rhadamanthys stealer, which gets injected into legitimate Windows files via the "%system32%" path, according to ASEC. This allows the stealer to exfiltrate users' private data without their knowledge, the researchers noted.

Rhadamanthys is popular with attackers and is available for purchase on the Dark Web under a malware-as-a-service model. It acts as a typical stealer to collect system information, such as computer name, username, OS version, and other machine details. It also queries the directories of installed browsers — including Brave, Edge, Chrome, Firefox, Opera Software — to search for and steal browser history, bookmarks, cookies, auto-fills, login credentials, and other data.

**Pay Attention to Ad-Delivered URLs**

The campaign is certainly not the first time that attackers have abused Google Ads and its associated features to deliver Rhadamanthys and other malware, and it likely won't be the last. In fact, a campaign identified in January 2023 also used website redirects from Google Ads and fake-download lures for popular remote-workforce software, such as Zoom and AnyDesk to deliver Rhadamanthys.

Attackers have even abused the "dynamic search ads" feature of the service to amplify the effect of malicious campaigns by creating targeted ads to deliver a flood of malware.

Indeed, as "all search engines that provide tracking to calculate ad traffic can be used to distribute malware," users must stay vigilante when accessing links from ads delivered by Google, ASEC warned. Specifically, they should "pay attention to the URL that is seen upon accessing the website, not the URL that is shown on the ad's banner" to avoid falling for a malicious campaign, according to the post.

ASEC also posted a comprehensive list of URLs associated with various stages of the campaign to help administrators identify if any corporate users have been affected by it.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Abuse Google Ad Feature to Target Slack, Notion Users

While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.

Tuesday, April 2, 2024 08:00

*   Remote system management/desktop access tools such as AnyDesk and TeamViewer have grown in popularity since 2020. While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.
*   There is no easy way to effectively block all unauthorized remote management tools, but security can be greatly improved through a combination of policy and technical controls.
*   Early warning alerts can be configured to alert defenders to remote management software activity that may have circumvented the technical controls.

**The remote management/access software problem**

Since 2020, the use of remote system management/access tools such as AnyDesk and TeamViewer has exploded in popularity due to forced work-from-home during the COVID-19 pandemic.

Whether used by an IT help desk technician to fix a user’s remote system or by co-workers for collaboration, these tools play an essential role in most corporations’ digital functions. However, this convenience comes at a cost. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software. 

Further complicating the task of recognizing the malicious use of these tools, many organizations struggle to combat “shadow IT” in which individual users or overly proactive IT personnel might install unauthorized remote management tools to accomplish a benign goal.

Cisco Talos Incident Response (Talos IR) is seeing adversaries capitalize on this opportunity in the wild. We recently noted in our Quarterly Trends report for the third quarter of 2023, “AnyDesk was observed in all ransomware and pre-ransomware engagements \[. . .\], underscoring its role in ransomware affiliates' attack chains.”

While AnyDesk is a legitimate application, it highlights the tremendous value that can be gained through a security program that intentionally focuses on preventing unauthorized use of these tools. Talos is referencing AnyDesk for the purposes of this blog post, but any remote management tool is at risk of these exploits. There are several policy changes, technical countermeasures and security alerts that admins and defenders can use to ensure that AnyDesk, and similar pieces of software, are only used for legitimate purposes when deployed.

Adopting one, or at most two, approved remote management solutions will allow the organization to thoroughly test and deploy in the most secure possible configuration.

If possible, integration with other organizational technology such as Active Directory or multi-factor authentication (MFA) will provide additional layers of protection and verification. Tying the approved remote management solutions into these already structured security solutions can make it easier to build “early warning” detections and alerts around unauthorized connectivity and use.

Once a solution is approved and championed for the organization, other remote management/access tools should be explicitly banned by policy. Ideally, this should be accompanied by a software inventory audit and published guidance on approved/non-approved software for the organization. Training and consistent enforcement of this policy will help reduce the “shadow IT” noise in the environment and leave network defenders with more time to investigate true anomalies.

**Technical controls**

While very worthwhile, preventing unauthorized use of these tools is not simple. First, the scores of commercially available remote access tools make it difficult to address every option an adversary might use. Many of those tools are frequently updated, meaning that blocking the executables by their hash value is not as effective. 

Adversaries also commonly rename the executables, meaning that filename blocks aren’t going to be helpful, either. 

Many popular solutions operate over common ports and protocols, such as ports 80 and 443, making them difficult to block at the firewall, and remote access tool creators often decline to publish their central server IP addresses due to frequently changing resolutions, which limits the effectiveness of static IP address blocks. A combination of approaches and techniques is necessary to limit the opportunity for an adversary to use remote access/management tools in any given environment.

**DNS security controls**

One of the most effective methods for detecting, and sometimes blocking, the activities of unauthorized remote management/access software, is by auditing and blocking DNS queries associated with these tools.

If your organization uses Cisco Umbrella for DNS security, it’s fairly easy to review and block DNS queries related to unauthorized traffic.

To review what might already be on your network, log into the Umbrella console and view “Reporting > App Discovery > Unreviewed Apps,” filtered by the “Collaboration” and “IT Services Management” categories, this is an excellent starting point to identify unexpected remote access software.

Simply clicking “Block this app” gives the administrator the ability to block future DNS requests associated with any particular result. If you prefer to take an even more proactive approach, going to “Policies > Policy Components > Application Settings” allows you to search all applications currently categorized by Umbrella, whether they have been seen on your network or not, and block them by policy. Again, the “Collaboration” and “IT Services Management” categories should be the areas of focus for policy review.

As with all of these technical controls, there are a few limitations. The first major caveat is that this only works if the DNS queries are evaluated by your security stack. In the case of DNS traffic from a home user’s system not traveling over the corporate network, the activity would be invisible. The second major caveat is that some remote management software has direct peer-to-peer capabilities, meaning the software might not send a DNS query to an easily identifiable domain when initiating a connection. 

**Firewall controls**

While less scalable and reliable, basic IP address blocking can be beneficial for preventing unauthorized remote software connections. Some vendors list static IP addresses for their central servers on their support sites that can be leveraged to control this access. However, many vendor IP addresses change periodically, making the task a bit challenging.

Another potentially fruitful approach to firewall traffic blocking is by port number. For example, TeamViewer prefers to use port 5938, although it can fall back on the practically unblockable port 443. While blocking port 5938 would not stop the connection, a properly configured alert would provide defenders with an early warning that TeamViewer was trying to connect out.

Some firewalls also provide additional functionality around session content, similar to Umbrella’s capabilities. Firewalls such as Cisco’s Meraki provide an allow/block URL listing that can be configured to prevent connectivity to unapproved remote management software sites. Cisco Meraki can provide content filtering options that may be helpful in blocking remote management/access sites.

Administrators should consider that firewall controls to combat unauthorized remote software management connections can have unintended consequences and should be heavily tested and piloted prior to implementation.

Verify that IP addresses are dedicated to that application prior to blocking in order to avoid blocking Content Delivery Network (CDN) nodes or other cloud computing shared resources. 

Finally, network segmentation or micro-segmentation can be useful in blocking unauthorized remote management software usage. For instance, categorizing and organizing server resources separate from workstation resources can allow for more tailored options around blocking all unnecessary traffic at the firewall, include that which may be associated with remote management tools. Some organizations already do this well by integrating with group policy configurations.

**Host-based controls****Windows Defender Application Control (WDAC) and AppLocker**

Of all the controls discussed in this post, WDAC and AppLocker are the only ones that can offer almost 100 percent protection against unauthorized remote management/access software execution.

In their most secure configuration, which allows only pre-approved software to run, users or adversaries can't run unexpected executables. However, this comes at a cost, as the approved software baseline maintenance level of effort can be high, and the user experience can be very limited if they are not allowed to install applications as needed.

WDAC and AppLocker offer considerable flexibility in their policies, so some organizations choose to only lock down their critical servers, such as domain controllers, which leaves user system policies more flexible. This approach has benefits far beyond simply blocking remote access/management software, as it will stop most malware from executing, as well.

Keep in mind that, while WDAC is currently more difficult to configure, it has more advanced capabilities and Microsoft is positioning it as the replacement for AppLocker. At the moment, AppLocker is receiving security updates, but no new feature updates.

**Registry filename blocks**

It is possible to block remote management/access software execution by filename via a registry “DisallowRun” key. However, Talos IR does not recommend this approach, except as a containment measure during incident response, since it is not scalable as a preventative measure and is trivially easy to bypass by renaming the executable or modifying the registry. 

**EDR blocks**

Almost every modern EDR can block file hashes, which gives defenders the capability to block the hashes associated with remote management/access software installers and/or installed executables. However, similarly to the filename GPO blocks, this is not scalable or reliable as a proactive measure, since every new version of every software distribution will have a new hash value. This measure should be restricted to containment during incident response only. 

Some EDR solutions offer methods to block vulnerable or unauthorized software, albeit with significant caveats regarding the limitations of those capabilities. The authors of this article have not tested those capabilities but note them here for the sake of completeness.

**Host-based firewalls**

The recommendations for host-based firewall rules are much the same as standalone firewalls, covered above. These can be useful where administrators expect users to roam outside of the boundary of the corporate network, such as home workers off the corporate VPN or using a split-tunnel VPN implementation. 

**Administrator permission restriction**

Restricting administrator permissions so that most users cannot conduct administrator actions on their work computer, such as installing remote access/management software, can help limit an adversary’s ability to install this software after the initial compromise.

Applying the principle of least privilege, which includes both locking down local administrator permissions and limiting the permissions of users’ domain accounts, is considered standard best practice.

**NAC controls**

While network access control (NAC) solutions do not directly block the use of remote management software, they can ensure that all other technical controls are working properly before admitting an endpoint to the network. If the device is a rogue system or lacks EDR, for example, NAC would prevent it from joining.

Another benefit offered by a NAC solution is software version enforcement through custom rules. In Cisco ISE, for example, there are Posture Checks. Organizations can use this to ensure that only the approved version(s) of their approved remote management tool are allowed on the network, directly addressing the threat of an adversary introducing an older version of the approved solution to the network for malicious purposes.

**Alerts and forensics**

Due to the complexity of implementing all these controls, detection rules can serve as a backup in case an adversary finds a way to circumvent the previous mitigations we discussed. The possibilities for these “tripwire” detections are endless, and SOCs/threat-hunting teams should continuously think of ways to improve them, but some ideas are listed below.

**Central log collection**

The first prerequisite for any successful detections is to have centralized log aggregation. At the very minimum, this should ingest firewall logs, EDR alerts and Windows Event logs for key servers. 

**SIEM alerts for suspicious strings**

Setting up a simple alert that triggers upon observation of strings associated with unauthorized remote access/management software product names (e.g., “AnyDesk”) can be an effective way to proactively identify unexpected product installations that were not otherwise blocked.

For example, an MSI installation would generate an Event 11707 entry in the Windows Application Event logs containing the software product name. If the SIEM were ingesting and evaluating those event logs, it would fire an alert, thereby alerting the SOC to a potential installation. This rule would need to be tuned to avoid excessive false positives, but it could result in a valuable early detection method. 

**SIEM alerts for firewall blocks on unique ports**

Enhanced alerting may be necessary to draw a SOC’s attention to firewall blocks associated with remote management/access traffic. Firewalls continuously block traffic, generally dropping thousands or millions of packets per hour. With that in mind, SOCs are not alerted every time a firewall rule drops traffic — especially if the rule that drops the traffic is the Implicit Deny rule blocking all traffic that was not specifically allowed. However, if an internal host attempts to communicate over a port dedicated to remote access/management software, that might merit attention from the SOC. 

It's worth considering creating an SIEM rule that alerts on any firewall block event involving outbound traffic to certain key ports, for example, 5938 (associated with TeamViewer). That alert, while an indication that the network blocks are working as intended, would be a good indication that the SOC needs to investigate the system originating the traffic.

The level of effort required to properly secure remote management/access software is daunting. However, the frequency of use by adversaries makes that effort a necessity. In the wrong hands, these tools serve as a ready-made command and control mechanism. If an organization can afford to secure its VPN solution, it should almost certainly devote resources to locking down unauthorized remote management software, as well.

Adversaries are leveraging remote access tools now more than ever — here’s how to stop them

Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.

Source: Nico El Nino via Alamy Stock Photo

Much of our everyday lives, from banking to turning on the lights, would be impossible if the elaborate infrastructure underpinning the Internet were unavailable. However, unlike the electrical grid or financial institutions, there's no single entity responsible for maintaining and securing the Internet.

Instead, that task falls upon a diverse group of organizations and individuals that preserve this public utility with little funding or subsisting on tight budgets. The stakes are incredibly high, but the amount of resources available for keeping this infrastructure secure falls short.

"Everybody thinks it's somebody else's responsibility," says Philip Reitinger, president and CEO of the Global Cyber Alliance. "We agree that cybersecurity requires a whole-of-society effort, but the challenge for us is that there's so little funding available to keep the Internet trustworthy and secure."

**Exploring a New Funding Model**

In an effort to combat this dilution of responsibility and dearth of financial support, global policymakers and representatives from nonprofits, philanthropy, and fundraising organizations recently launched Common Good Cyber, an initiative aimed at building sustainable funding models to support those that secure the Internet for everyone. These stakeholders also took part in a February workshop in Washington, DC, to discuss the critical role of under-resourced organizations that safeguard the Internet. The workshop emphasized the need for collaboration and alignment in funding efforts to sustain cybersecurity initiatives.

"Key components of the Internet are maintained by volunteers, nonprofits, and NGOs, and others who work with razor-thin budgets and resources," said Kemba Walden, president of Paladin Global Institute and former US acting national cyber director, in her keynote address at the workshop. "Consider this: The underpinnings of our digital infrastructure, the infrastructure that enables civil society to thrive in our economy today and to grow, rest on a network of volunteers, nonprofits, NGOs and others.

The goal of Common Good Cyber is to find new ways to build adequate funding into law and policy, business policies and government, and other funding vehicles sufficient to meet the common need for cybersecurity. Supporting organizations include the Cyber Civil Defense Initiative, the Global Cyber Alliance, the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams, the Institute for Security and Technology, and the Shadowserver Foundation.

Craig Newmark, philanthropist and founder of Craigslist and the Cyber Civil Defense Initiative, says funding and supporting Internet security projects is a patriotic duty.

"So many people have sacrificed a lot to defend us all. I have been pushing people like the folks at Global Cyber Alliance, the folks at the Aspen cybersecurity group, and people at Consumer Reports," Newmark says, listing three organizations that are part of the Cyber Civil Defense Initiative. "The notion is that we work together — to fight the fight together — to complement what the government does, kind of like what my parents did during World War II, when everyone was expected to play a role."

While governments can do some things very well, there are some areas where the government can’t do the whole job and citizens have to step up, Newmark adds.

"People like me who think of ourselves as genuine patriots, we need to help out the people who are doing the actual work, who are sometimes sacrificing a lot," he says. "In my case, while I'm trying to figure out how to mobilize the whole country, it's time to fund some organizations that are going to be doing the hard, tedious work, figuring out how regular people can protect themselves."

For Newmark, the greatest challenge lies in getting the message out and making people take action.

"The message is the big hard part — working together to protect the country," he said. "We need to protect our water and power supplies and transportation. We need to work together on making those things really happen, and I think that's a big contribution of Common Good Cyber."

**Four Action Items to Take**

Four actionable ideas came out of the workshop, Reitinger says.

Participants will seek to create joint funding organizations that have the capacity to collect money from multiple organizations and distribute them through a governance mechanism to organizations in need. Funding sources could come from government or private entities, he says, and be modeled after organizations that fight infectious diseases like HIV or malaria.

In line with the joint fund concept, nonprofits could be connected for federated fundraising, "a little like the United Way," Reitinger says. The fund could then be divided among the nonprofit entities, giving each "a little more bang for your buck, and a little bit stronger of an overall message."

Common Good Cyber also wants organizations to work together to build its business case by collecting data on who is doing what to support the Internet's infrastructure. There is a genuine need to understand the size of the sector "and the value that all these organizations provide … I think that's going to be essential," Reitinger says. "The business case to say, this is what this infrastructure does."

The creation of a hub or accelerator to provide resources to the groups securing the Internet was the final piece of the puzzle discussed. "All of these nonprofits that do critical things have to sort of start up from ground zero," Reitinger says. "And there are some resources that they can pull on. But maybe we start to aggregate those so we can help nonprofits do things like fundraising. Everybody wants to use money in the most effective way possible. So let's make that a little easier to do."

Common Good Cyber's next steps include producing a report on the workshop and speaking at this year's RSA Conference in San Francisco and a workshop in Europe in October. The group hopes to have a set of implemented solutions people can rely on in about a year.

"This is a problem that really needs solving, because we're all suffering from inadequate funding for cybersecurity supporting the common good. Cybersecurity really needs to be a fundamental human right," Rettinger says. "It's just a problem that really requires solving, and I hope we can continue to get the focus from government, industry, and nonprofit stakeholders. It's not going to get better on its own. It's going to get worse."

**About the Author(s)**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Funding the Organizations That Secure the Internet

To settle a years-long lawsuit, Google has agreed to delete “billions of data records” collected from users of “Incognito mode,” illuminating the pitfalls of relying on Chrome to protect your privacy.

If you still hold any notion that Google Chrome’s “Incognito mode” is a good way to protect your privacy online, now’s a good time to stop.

Google has agreed to delete “billions of data records” the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit filed in 2020, caps off years of disclosures about Google’s practices that shed light on how much data the tech giant siphons from its users—even when they’re in private-browsing mode.

Under the terms of the settlement, Google must further update the Incognito mode “splash page” that appears anytime you open an Incognito mode Chrome window after previously updating it in January. The Incognito splash page will explicitly state that Google collects data from third-party websites “regardless of which browsing or browser mode you use,” and stipulate that “third-party sites and apps that integrate our services may still share information with Google,” among other changes. Details about Google’s private-browsing data collection must also appear in the company’s privacy policy.

Additionally, some of the data that Google previously collected on Incognito users will be deleted. This includes “private-browsing data” that is “older than nine months” from the date that Google signed the term sheet of the settlement last December, as well as private-browsing data collected throughout December 2023. Certain documents in the case referring to Google's data collection methods remain sealed, however, making it difficult to assess how thorough the deletion process will be.

Google spokesperson Jose Castaneda says in a statement that the company “is happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.” Castaneda also noted that the company will now pay “zero” dollars as part of the settlement after earlier facing a $5 billion penalty.

Other steps Google must take will include continuing to “block third-party cookies within Incognito mode for five years,” partially redacting IP addresses to prevent re-identification of anonymized user data, and removing certain header information that can currently be used to identify users with Incognito mode active.

The data-deletion portion of the settlement agreement follows preemptive changes to Google’s Incognito mode data collection and the ways it describes what Incognito mode does. For nearly four years, Google has been phasing out third-party cookies, which the company says it plans to completely block by the end of 2024. Google also updated Chrome’s Incognito mode “splash page” in January with weaker language to signify that using Incognito is not “private,” but merely “more private” than not using it.

The settlement's relief is strictly “injunctive,” meaning its central purpose is to put an end to Google activities that the plaintiffs claim are unlawful. The settlement does not rule out any future claims—_The Wall Street Journal_ reports that the plaintiffs’ attorneys had filed at least 50 such lawsuits in California on Monday—though the plaintiffs note that monetary relief in privacy cases is far more difficult to obtain. The important thing, the plaintiffs’ lawyers argue, is effecting changes at Google now that will provide the greatest, immediate benefit to the largest number of users.

Critics of Incognito, a staple of the Chrome browser since 2008, say that, at best, the protections it offers fall flat in the face of the sophisticated commercial surveillance bearing down on most users today; at worst, they say, the feature fills people with a false sense of security, helping companies like Google passively monitor millions of users who've been duped into thinking they're browsing alone.

Tag

#cisco