A teenager on an airplane sent a photo of a replica gun via AirDrop to everyone who had their settings configured to receive unsolicited photos from strangers. This caused a three-hour delay as the plane — still at the gate — was evacuated and searched.
The teen was not allowed to reboard. I can’t find any information about whether he was charged with any of those vague “terrorist threat” crimes.
It’s been a long time since we’ve had one of these sorts of overreactions.
Architected for the cloud-first and remote-first deployments, MVISION Cloud Firewall secures access to applications and resources on the internet, accessed from every remote site and location, through a cloud-native service model. The solution inspects end-to-end user traffic – across all ports and protocols, enabling unified visibility and policy enforcement across the organizational footprint. Powered by McAfee Enterprise’s industry leading next-generation intrusion detection and prevention system, contextual policy engine and advanced threat detection platform, and supported by Global Threat Intelligence feeds, MVISION Cloud Firewall proactively detects and blocks emerging threats and malware with a high degree of accuracy, uniquely addressing the security challenges of the modern remote workforce. MVISION Cloud Firewall is an integral component of McAfee Unified Cloud Edge, offering organizations an all-encompassing, cloud-delivered Secure Access Service Edge (SASE) security solution for accelerating their business transformation.
Wherever networks went, firewalls followed
For a long time, firewalls and computer networks were like conjoined twins. Businesses simply could not afford to run an enterprise network without deploying a security system at the edge to create a secure perimeter around their crown jewels. The growing adoption of web-based protocols and their subsequent employment by cybersecurity adversaries for launching targeted malware attacks, often hidden within encrypted traffic, saw the emergence of next-generation firewall (NGFW) solutions. Apart from including stateful firewall and unified threat management services, NGFWs offered multi-layered protection and performed deep packet inspection, allowing organizations greater awareness and control over the applications to counter web-based threats.
Cloud computing changed the playing field
But things took a dramatic turn with the introduction of cloud computing. Cloud service providers came up with an offer the organizations could not refuse – unlimited computing power and storage volumes at significantly lower operating costs, along with the option to seamlessly scale business operations without hosting a single piece of hardware on-premises. Hence began the mass exodus of corporate data and applications to the cloud. Left without a fixed network perimeter to protect, the relationship between firewalls and networks entered complicated terms. While the cloud service providers offered a basic level of security functionality, they lacked the muscle power of on-premises firewalls, particularly NGFWs. This was further exacerbated by the ongoing pandemic and the overnight switch of the workforce to remote locations, which introduced the following challenges:
- Remote users were required to backhaul the entire outbound traffic to centralized firewalls through expensive MPLS connections, impacting the network performance due to latency and degrading the overall user experience.
- Remote users connecting direct-to-cloud often bypassed the on-premises security controls. With the firewalls going completely blind to the remote user traffic, security practitioners simply couldn’t protect what they couldn’t see.
- Deploying security appliances at each remote site and replicating the firewall policies across every site significantly increased the capital and operational expenditure. Additionally, these hardware applications lack the ability to scale and accommodate the growing volume of user traffic.
- On-premises firewalls struggled to integrate with cloud-native security solutions, such as Secure Web Gateways (SWG) and Cloud Access Security Brokers (CASB), creating a roadblock in Secure Access Service Edge (SASE) deployments.
The distributed workforce has expanded the threat landscape at an alarming rate. According to the latest McAfee Labs Threats Reports, the volume of malware threats observed by McAfee Labs averaged 688 threats per minute, an increase of 40 threats per minute (3%) in the first quarter of 2021. While SWGs and CASBs could address the security challenges for web and SaaS traffic, respectively, how could organizations secure the remaining non-web traffic? The answer lies in Firewall-as-a-Service, or FWaaS. FWaaS can be defined as a firewall hosted in the cloud, offering all the NGFW capabilities, including deep packet inspection, application-layer filtering, intrusion prevention and detection, advanced threat protection, among others. While, at the onset, FWaaS may give the impression of lifting and shifting NGFWs to the cloud, their business benefits are far more profound and relevant for the modern workforce, some of which include:
- Securing the remote workers and local internet breakouts, allowing direct-to-cloud connections to reduce network latency and improve user experience. Avoiding traffic backhauls from remote sites to centralized firewalls through expensive VPN and MPLS lines reduces the deployment costs.
- Significant cost savings by eliminating hardware installation at remote branch offices.
- Aggregating the network traffic from on-premises datacenters, clouds, remote branch offices and remote user locations, allowing centralized visibility and unified policy enforcement across all locations.
- Seamless scaling to handle the growing volume of traffic and the need for inspecting encrypted traffic for threats and malware.
- Centralizing the service management, such as patching and upgrades, reducing the operational costs for repetitive tasks.
Introducing MVISION Cloud Firewall
McAfee MVISION Cloud Firewall is a cutting-edge Firewall-as-a-Service solution that enforces centralized security policies for protecting the distributed workforce across all locations, for all ports and protocols. MVISION Cloud Firewall allows organizations to extend comprehensive firewall capabilities to remote sites and remote workers through a cloud-delivered service model, securing data and users across headquarters, branch offices, home networks and mobile networks, with real-time visibility and control over the entire network traffic.
The core value proposition of MVISION Cloud Firewall is characterized by a next-generation intrusion detection and prevention system that utilizes advanced detection and emulation techniques to defend against stealthy threats and malware attacks with industry best efficacy. A sophisticated next-generation firewall application control system enables organizations to make informed decisions about allowing or blocking applications by correlating threat activities with application awareness, including Layer 7 visibility of more than 2000 applications and protocols.
Fig. MVISION Cloud Firewall Architecture
What makes MVISION Cloud Firewall special?
Superior IPS efficacy: MVISION Cloud Firewall delivers superior IPS performance through deep inspection of network traffic and seamless detection and blocking of both known and unknown threats across the network perimeter, data center, and cloud environments. The next-generation IPS engine offers 20% better efficacy than competitive solutions than competitive solutions, while far exceeding the detection rates of open-source solutions. The solution combines with MVISION Extended Threat Detection and Response (XDR) to offer superior threat protection by correlating threat intelligence and telemetry across multiple vectors and proactively detecting and resolving adversarial threats before that can lead to any enterprise damage or loss. Additional advantages include inbound and outbound SSL decryption, signature-less malware analysis, high availability, and disaster recovery protection. and disaster recovery protection.
End-to-end visibility and optimization: The ability to visualize and control remote user sessions allows MVISION Cloud Firewalls to proactively monitor the end-to-end traffic flow and detect any critical issues observed across user devices, networks, and cloud. This offers network administrators a unified, organization-wide view of deployed assets to pinpoint and troubleshoot issues before the overall network performance and user productivity gets impacted. Optimizing network performance elevates the user experience through reduced session latency while keeping a check on the help desk ticket volumes.
Policy Sophistication: MVISION Cloud Firewall considers multiple contextual factors, such as the device type, security posture of devices, networks and users, and pairs that with application intelligence to define a robust and comprehensive policy lexicon that is more suitable for protecting the modern remote workforce. For example, most NGFWs can permit or block user traffic based on the configured rule set, such as permitting accounting users to access files uploaded on a Teams site. McAfee, on the other hand, utilizes its data protection and endpoint protection capabilities to create more powerful NGFW rules, such as permitting accounting users to access a third-party Teams site only if they have endpoint DLP enabled.
MVISION Cloud Firewall converges with MVISION Unified Cloud Edge to offer an integrated solution comprising of industry best Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), unified Data Loss Prevention (DLP) across endpoint, cloud and network, Remote Browser Isolation (RBI) and Firewall-as-a-Service, making McAfee one of the only vendors in the industry that solves the network security puzzle of the SASE framework. With the inclusion of MVISION Cloud Firewall, McAfee Enterprise customers can now utilize a unified security solution to inspect any type of traffic destined to the cloud, web, or corporate networks, while securing the sensitive assets and users across every location.
The post Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols appeared first on McAfee Blogs.
Co-written with Northwave’s Noël Keijzer.
For a long time, ransomware gangs were mostly focused on Microsoft Windows operating systems. Yes, we observed the occasional dedicated Unix or Linux based ransomware, but cross-platform ransomware was not happening yet. However, cybercriminals never sleep and in recent months we noticed that several ransomware gangs were experimenting with writing their binaries in the cross-platform language Golang (Go).
Our worst fears were confirmed when Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/UNIX and ESXi or VMware systems. Many core backend systems in companies are running on these *nix operating systems or, in the case of virtualization, think about the ESXi hosting several servers or the virtual desktop environment.
We touched upon this briefly in our previous blog, together with the many coding mistakes the Babuk team is making.
Even though Babuk is relatively new to the scene, its affiliates have been aggressively infecting high-profile victims, despite numerous problems with the binary which led to a situation in which files could not be retrieved, even if payment was made.
Ultimately, the difficulties faced by the Babuk developers in creating ESXi ransomware may have led to a change in business model, from encryption to data theft and extortion.
Indeed, the design and coding of the decryption tool are poorly developed, meaning if companies decide to pay the ransom, the decoding process for encrypted files can be really slow and there is no guarantee that all files will be recoverable.
Coverage and Protection Advice
McAfee’s EPP solution covers Babuk ransomware with an array of prevention and detection techniques.
McAfee ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-Babuk!. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.
Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.
Initially, in our research the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear.
However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other Ransomware-as-a-Service families.
In its recruitment posting Babuk specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviors that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behavior of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution, (e.g., ADfind, PSExec, PowerShell, etc.) We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack (Part1, Part2).
Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common amongst ransomware criminals:
- E-mail Spearphishing (T1566.001). Often used to directly engage and/or gain an initial foothold, the initial phishing email can also be linked to a different malware strain, which acts as a loader and entry point for the ransomware gangs to continue completely compromising a victim’s network. We have observed this in the past with Trickbot and Ryuk, Emotet and Prolock, etc.
- Exploit Public-Facing Application (T1190) is another common entry vector; cyber criminals are avid consumers of security news and are always on the lookout for a good exploit. We therefore encourage organizations to be fast and diligent when it comes to applying patches. There are numerous examples in the past where vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.
- Using valid accounts (T1078) is and has been a proven method for cybercriminals to gain a foothold. After all, why break the door if you have the keys? Weakly protected Remote Desktop Protocol (RDP) access is a prime example of this entry method. For the best tips on RDP security, we would like to highlight our blog explaining RDP security.
- Valid accounts can also be obtained via commodity malware such as infostealers, that are designed to steal credentials from a victim’s computer. Infostealer logs containing thousands of credentials are purchased by ransomware criminals to search for VPN and corporate logins. As an organization, robust credential management and multi-factor authentication on user accounts is an absolute must have.
When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.
Summary of the Threat
- A recent forum announcement indicates that the Babuk operators are now expressly targeting Linux/UNIX systems, as well as ESXi and VMware systems
- Babuk is riddled with coding mistakes, making recovery of data impossible for some victims, even if they pay the ransom
- We believe these flaws in the ransomware have led the threat actor to move to data theft and extortion rather than encryption
Learn more about how Babuk is transitioning away from an encryption/ransom model to one focused on pure data theft and extortion in our detailed technical analysis.
The post Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? appeared first on McAfee Blogs.
Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.
Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. One might even say passwords are the fossil fuels powering most IT modernization: They’re ubiquitous because they are cheap and easy to use, but that means they also come with significant trade-offs — such as polluting the Internet with weaponized data when they’re leaked or stolen en masse.
When a website’s user database gets compromised, that information invariably turns up on hacker forums. There, denizens with computer rigs that are built primarily for mining virtual currencies can set to work using those systems to crack passwords.
How successful this password cracking is depends a great deal on the length of one’s password and the type of password hashing algorithm the victim website uses to obfuscate user passwords. But a decent crypto-mining rig can quickly crack a majority of password hashes generated with MD5 (one of the weaker and more commonly-used password hashing algorithms).
“You hand that over to a person who used to mine Ethereum or Bitcoin, and if they have a large enough dictionary [of pre-computed hashes] then you can essentially break 60-70 percent of the hashed passwords in a day or two,” said Fabian Wosar, chief technology officer at security firm Emsisoft.
From there, the list of email addresses and corresponding cracked passwords will be run through various automated tools that can check how many email address and password pairs in a given leaked data set also work at other popular websites (and heaven help those who’ve re-used their email password elsewhere).
This sifting of databases for low-hanging fruit and password re-use most often yields less than a one percent success rate — and usually far less than one percent.
But even a hit rate below one percent can be a profitable haul for fraudsters, particularly when they’re password testing databases with millions of users. From there, the credentials are eventually used for fraud and resold in bulk to legally murky online services that index and resell access to breached data.
Much like WeLeakInfo and others operated before being shut down by law enforcement agencies, these services sell access to anyone who wants to search through billions of stolen credentials by email address, username, password, Internet address, and a variety of other typical database fields.
So hopefully by this point it should be clear why re-using passwords is generally a bad idea. But the more insidious threat with hacked databases comes not from password re-use but from targeted phishing activity in the early days of a breach, when relatively few ne’er-do-wells have got their hands on a hot new hacked database.
Earlier this month, customers of the soccer jersey retailer classicfootballshirts.co.uk started receiving emails with a “cash back” offer. The messages addressed customers by name and referenced past order numbers and payment amounts tied to each account. The emails encouraged recipients to click a link to accept the cash back offer, and the link went to a look-alike domain that requested bank information.
“It soon became clear that customer data relating to historic orders had been compromised to conduct this attack,” Classicfootballshirts said in a statement about the incident.
Allison Nixon, chief research officer with New York City-based cyber intelligence firm Unit221B, recalled what happened in the weeks leading up to Dec. 22, 2020, when cryptocurrency wallet company Ledger acknowledged that someone had released the names, mailing addresses and phone numbers for 272,000 customers.
Nixon said she and her colleagues noticed in the preceding months a huge uptick in SIM-swapping attacks, a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.
“A week or two prior to that we were seeing a whole lot of SIM swapping activity,” Nixon said. “We knew the information was coming from some database but we couldn’t figure out what service they all had in common. After the Ledger database got leaked publicly, we started looking at the [SIM swapping] victims and found 100 percent of them were present in the Ledger database.”
In a statement about the breach, Ledger said the data was likely stolen in June 2020, meaning hackers had roughly six months to launch targeted attacks using extremely detailed information about customers.
“If you were to look [on cybercrime forums] at the past history of people posting about that Ledger database, you’d see people were selling it privately for months prior to that,” Nixon said. “It seems like this database was slowly percolating out wider and wider, until someone decided to remove a lot of its value by posting the whole thing publicly.”
Here are some tips to help avoid falling prey to incessant data breaches and increasingly sophisticated phishing schemes:
–Avoid clicking on links and attachments in email, even in messages that appear to be sent from someone you have heard from previously. And as the phishing examples above demonstrate, many of today’s phishing scams use elements from hacked databases to make their lures more convincing.
–Urgency should be a giant red flag. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly. Take a deep breath. If you’re unsure whether the message is legitimate, visit the site or service in question manually (ideally, using a browser bookmark so as to avoid potential typosquatting sites).
–Don’t re-use passwords. If you’re the kind of person who likes to use the same password across multiple sites, then you definitely need to be using a password manager. That’s because password managers handle the tedious task of creating and remembering unique, complex passwords on your behalf; all you need to do is remember a single, strong master password or passphrase. In essence, you effectively get to use the same password across all Web sites. Some of the more popular password managers include Dashlane, Keepass, LastPass and Roboform.
–Phone-based phishing uses hacked databases, too: A great many scams are perpetrated over the phone, leveraging personal and financial information gleaned from past data breaches to make them sound more believable. If you think you’d never fall for someone trying to scam you over the phone, check out this story about how a tech-savvy professional got taken for thousands of dollars by a fraudster masquerading as his credit union. Remember, When in Doubt: Hang Up, Look Up, & Call Back.
This is important:
Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers was correlated with his apartment, place of work, vacation home, family members’ addresses, and more.
The data that resulted in Burrill’s ouster was reportedly obtained through legal means. Mobile carriers sold — and still sell — location data to brokers who aggregate it and sell it to a range of buyers, including advertisers, law enforcement, roadside services, and even bounty hunters. Carriers were caught in 2018 selling real-time location data to brokers, drawing the ire of Congress. But after carriers issued public mea culpas and promises to reform the practice, investigations have revealed that phone location data is still popping up in places it shouldn’t. This year, T-Mobile even broadened its offerings, selling customers’ web and app usage data to third parties unless people opt out.
The publication that revealed Burrill’s private app usage, The Pillar, a newsletter covering the Catholic Church, did not say exactly where or how it obtained Burrill’s data. But it did say how it de-anonymized aggregated data to correlate Grindr app usage with a device that appears to be Burrill’s phone.
The Pillar says it obtained 24 months’ worth of “commercially available records of app signal data” covering portions of 2018, 2019, and 2020, which included records of Grindr usage and locations where the app was used. The publication zeroed in on addresses where Burrill was known to frequent and singled out a device identifier that appeared at those locations. Key locations included Burrill’s office at the USCCB, his USCCB-owned residence, and USCCB meetings and events in other cities where he was in attendance. The analysis also looked at other locations farther afield, including his family lake house, his family members’ residences, and an apartment in his Wisconsin hometown where he reportedly has lived.
Location data is not anonymous. It cannot be made anonymous. I hope stories like these will teach people that.