Adobe and Microsoft each issued a bevy of updates today to plug critical security holes in their software. Microsoft’s release includes fixes for 112 separate flaws, including one zero-day vulnerability that is already being exploited to attack Windows users. Microsoft also is taking flak for changing its security advisories and limiting the amount of information disclosed about each bug.
Some 17 of the 112 issues fixed in today’s patch batch involve “critical” problems in Windows, or those that can be exploited by malware or malcontents to seize complete, remote control over a vulnerable Windows computer without any help from users.
Most of the rest were assigned the rating “important,” which in Redmond parlance refers to a vulnerability whose exploitation could “compromise the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”
A chief concern among all these updates this month is CVE-2020-17087, which is an “important” bug in the Windows kernel that is already seeing active exploitation. CVE-2020-17087 is not listed as critical because it’s what’s known as a privilege escalation flaw that would allow an attacker who has already compromised a less powerful user account on a system to gain administrative control. In essence, it would have to be chained with another exploit.
Unfortunately, this is exactly what Google researchers described witnessing recently. On Oct. 20, Google released an update for its Chrome browser which fixed a bug (CVE-2020-15999) that was seen being used in conjunction with CVE-2020-17087 to compromise Windows users.
If you take a look at the advisory Microsoft released today for CVE-2020-17087 (or any others from today’s batch), you might notice they look a bit more sparse. That’s because Microsoft has opted to restructure those advisories around the Common Vulnerability Scoring System (CVSS) format to more closely align the format of the advisories with that of other major software vendors.
But in so doing, Microsoft has also removed some useful information, such as the description explaining in broad terms the scope of the vulnerability, how it can be exploited, and what the result of the exploitation might be. Microsoft explained its reasoning behind this shift in a blog post.
Not everyone is happy with the new format. Bob Huber, chief security officer at Tenable, praised Microsoft for adopting an industry standard, but said the company should consider that folks who review Patch Tuesday releases aren’t security practitioners but rather IT counterparts responsible for actually applying the updates who often aren’t able (and shouldn’t have to) decipher raw CVSS data.
“With this new format, end users are completely blind to how a particular CVE impacts them,” Huber said. “What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users. However, it’s not too difficult to see how this new format benefits bad actors. They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritize their remediation efforts.”
Dustin Childs with Trend Micro’s Zero Day Initiative also puzzled over the lack of details included in Microsoft advisories tied to two other flaws fixed today — including one in Microsoft Exchange Server (CVE-2020-16875) and CVE-2020-17051, which is a scary-looking weakness in the Windows Network File System (NFS).
The Exchange problem, Childs said, was reported by the winner of the Pwn2Own Miami bug finding contest.
“With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned,” Childs said. “It is very likely he will publish the details of these bugs soon. Microsoft rates this as important, but I would treat it as critical, especially since people seem to find it hard to patch Exchange at all.”
Likewise, with CVE-2020-17051, there was a noticeable lack of detail for a bug that earned a CVSS score of 9.8 (10 is the most dangerous).
“With no description to work from, we need to rely on the CVSS to provide clues about the real risk from the bug,” Childs said. “Consider this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.”
Separately, Adobe today released updates to plug at least 14 security holes in Adobe Acrobat and Reader. Details about those fixes are available here. There are no security updates for Adobe’s Flash Player, which Adobe has said will be retired at the end of the year. Microsoft, which has bundled versions of Flash with its Web browsers, says it plans to ship an update in December that will remove Flash from Windows PCs, and last month it made the removal tool available for download.
Windows 10 users should be aware that the operating system will download updates and install them on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system, see this guide.
But please do back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.
It’s Cybersecurity Awareness Month! In keeping with that theme, if you (ab)use Microsoft Windows computers you should be aware the company shipped a bevy of software updates today to fix at least 87 security problems in Windows and programs that run on top of the operating system. That means it’s once again time to back up and patch up.
Eleven of the vulnerabilities earned Microsoft’s most-dire “critical” rating, which means bad guys or malware could use them to gain complete control over an unpatched system with little or no help from users.
Worst in terms of outright scariness is probably CVE-2020-16898, which is a nasty bug in Windows 10 and Windows Server 2019 that could be abused to install malware just by sending a malformed packet of data at a vulnerable system. CVE-2020-16898 earned a CVSS Score of 9.8 (10 is the most awful).
Security vendor McAfee has dubbed the flaw “Bad Neighbor,” and in a blog post about it said a proof-of-concept exploit shared by Microsoft with its partners appears to be “both extremely simple and perfectly reliable,” noting that this sucker is imminently “wormable” — i.e. capable of being weaponized into a threat that spreads very quickly within networks.
“It results in an immediate BSOD (Blue Screen of Death), but more so, indicates the likelihood of exploitation for those who can manage to bypass Windows 10 and Windows Server 2019 mitigations,” McAfee’s Steve Povolny wrote. “The effects of an exploit that would grant remote code execution would be widespread and highly impactful, as this type of bug could be made wormable.”
Trend Micro’s Zero Day Initiative (ZDI) calls special attention to another critical bug quashed in this month’s patch batch: CVE-2020-16947, which is a problem with Microsoft Outlook that could result in malware being loaded onto a system just by previewing a malicious email in Outlook.
“The Preview Pane is an attack vector here, so you don’t even need to open the mail to be impacted,” said ZDI’s Dustin Childs.
While there don’t appear to be any zero-day flaws in October’s release from Microsoft, Todd Schell from Ivanti points out that a half-dozen of these flaws were publicly disclosed prior to today, meaning bad guys have had a jump start on being able to research and engineer working exploits.
Other patches released today tackle problems in Exchange Server, Visual Studio, .NET Framework, and a whole mess of other core Windows components.
For any of you who’ve been pining for a Flash Player patch from Adobe, your days of waiting are over. After several months of depriving us of Flash fixes, Adobe’s shipped an update that fixes a single — albeit critical — flaw in the program that crooks could use to install bad stuff on your computer just by getting you to visit a hacked or malicious website.
Chrome and Firefox both now disable Flash by default, and Chrome and IE/Edge auto-update the program when new security updates are available. Mercifully, Adobe is slated to retire Flash Player later this year, and Microsoft has said it plans to ship updates at the end of the year that will remove Flash from Windows machines.
It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any chinks in the new armor.
But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have even been known to erase or corrupt files.
So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.
As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.
Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor, Trend Micro researchers warn.
The trojanized package in this specific case is the Windows installer for Windscribe VPN, and contains the Bladabindi backdoor, which is able to:
- Execute commands from a remote malicious user (e.g., downloading, executing, and updating files)
- Log a user’s keystrokes
- Take screenshots of the user’s screen
- Collect information about the computer (OS, username, machine name), the running AV product(s), and passwords stored in browsers
The trojanized installer is offered on third-party download sites and users who download and run it are unlikely to notice that something is wrong with it.
“The bundled application drops three components to the user’s system: the legitimate VPN installer, the malicious file (named lscm.exe) that contains the backdoor, and the application that serves as the runner of the malicious file (win.vbs). The user sees an installation window on their screen, which possibly masks the malicious activity that occurs in the background,” the researchers explained.
Trojanizing legitimate software
Bundling malware with legitimate apps is a popular technique for compromising computers and mobile devices.
In Bladabindi’s case, there’s even a publicly available hacker tool (NJ Rat) that can help create variants sporting a “benign” icon designed to mislead users into running the file.
Users who don’t stick to official download centers and app stores are at greater danger of downloading malware, although attackers have been known to bypass app stores’ protections and compromise official developer sites to deliver malware.
“Enterprises and individual users alike employ VPNs to bolster their system’s protection. However, inadvertently downloading an installer bundled with malicious files does the exact opposite of this as it exposes systems to threats,” the researchers concluded.
Trend Micro announced Worry-Free XDR: a new version of its XDR platform designed to extend the power of correlated detection and response beyond the endpoint for smaller businesses. This unmatched channel offering is available now as a standalone or managed solution tailored for SMBs.
Today, 85% of organizations believe threat detection and response is getting tougher due to a lack of skilled security professionals and a rising volume of advanced attacks, according to analyst firm ESG.
It’s an acute problem for smaller firms with fewer resources and IT teams that are under extra pressure due to work-from-home orders. Even those with automated endpoint detection and response (EDR) are limited to endpoint detection only and are overwhelmed with alerts.
“Our partners are the first line of support for SMBs that are struggling to manage the uptick in cyber-attacks with stretched IT teams and little confidence in the fidelity of alerts coming in from existing tools,” said Louise McEvoy, vice president of U.S. channel, Trend Micro. “We are proud to be able to enable our partners with the broadest protection against ransomware and advanced attacks. We realize that small businesses are at risk and we’re helping them protect themselves from cyber threats early on to minimize any damage and preserve precious in-house resources.”
Worry-Free XDR enables smaller firms to consolidate all their detection, response and investigation capabilities onto a single agent from a single vendor, in order to reduce costs and streamline security.
There is automatic correlation, detection and activity data across endpoint and email – the number one threat vector – which provides advanced protection through cloud sandboxing. This allows IT admins to mitigate issues quickly with automated sweeping and recommended actions.
According to Gartner, “XDR is valuable to organizations because much of the hard work of correlating security event information is done at the platform level. It should remove the administrative burden and result in faster and improved visibility across both on-premises and cloud environments. XDR reduces the ‘noise’ of alerts and allows smaller IT teams to focus on root causes rather than chasing several alerts for the same incident.”
Trend Micro also announced a new Worry-Free with Co-Managed XDR offering, designed to help Managed Service Providers (MSPs) improve threat protection for their customers, reduce operating costs and expand their business. This around-the-clock service run by Trend Micro threat experts provides MSPs with alert monitoring, incident response, personalized remediation steps for their customers, as well as cross-customer analysis to ensure MSPs proactively protect their entire customer base from similar attacks. This advanced security offering allows them to differentiate themselves from their competitors and to tap into new opportunities and customer profiles.
One early US-based MSP partner that uses Trend Micro’s Co-Managed XDR functionality with their customers is Workplace IT. “There were a few instances where Trend Micro took action across our customer base. For example, after a malicious email that started at one customer was sent out broadly, Trend Micro quarantined it for all users across our customer base immediately,” says Mike Lenz, network services engineer at Workplace IT. “Worry-Free XDR gives us the ability to manage security across all of our customers to offer better protection and allows all events to be viewed together.”
On this September 2020 Patch Tuesday:
- Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
- Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
- Intel has released four security advisories
- SAP has released 10 security notes and updates to six previously released notes
Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.
Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.
“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”
Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.
“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.
“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”
Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.
Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.
CVE-2020-0922, an RCE in Microsoft COM (Common Object Model), should also be patched quickly on all Windows and Windows Server systems.
He also advised organizations in the financial industry who use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.
“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.
Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.
Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.
The AEM and AEM Forms updates are more important than the rest.
The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two offerings are not often targeted by attackers, admins are advised to implement them after more critical updates are secured.
None of the fixed vulnerabilities are being currently exploited in the wild.
Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
The latter fixes are the most important, as they fix a privilege escalation flaw that has been deemed to be “critical” for provisioned systems.
SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).
Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.
Organizations’ on-premise and cloud-based servers are compromised, abused and rented out as part of a sophisticated criminal monetization lifecycle, Trend Micro research finds.
The findings come from a report looking at how the underground hosting market operates. The findings show that cryptocurrency mining activity should be the indicator for IT security teams to be on high alert.
Cryptomining activity used to monetize compromised servers
While cryptomining activity may not cause disruption or financial losses on its own, mining software is usually deployed to monetize compromised servers that are sitting idle while criminals plot larger money-making schemes. These include exfiltrating valuable data, selling server access for further abuse, or preparing for a targeted ransomware attack.
Any servers found to contain cryptominers should be flagged for immediate remediation and investigation.
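The report’s practical guidance is that a miner is an indicator, not the incident: a server running one is already someone else’s and belongs in an investigation, not just a process kill. The following Python is an added example (not code from the report or from Trend Micro) of that triage over host telemetry. The indicator set (mining-pool protocol URLs on a command line, a few widely known miner binary names, sustained CPU from a temp directory) is an assumed starting point rather than a complete rule set, and the process records are constructed, including a miner masquerading as a kernel-thread name, a pattern seen in the wild.

```python
"""Flag hosts showing cryptominer activity and route them to remediation.

Added example, not code from the report or from Trend Micro. Indicator set
and sample telemetry are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Stratum is the protocol miners use to talk to a pool; a URL with this
# scheme on a server's command line has no legitimate purpose on a web or
# database host.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
# Binary names of widely used miners (assumed list; extend from your own data).
MINER_NAMES = {"xmrig", "minerd", "cpuminer"}
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class Process:
    host: str
    pid: int
    cpu_pct: float
    exe: str       # full path of the executable
    cmdline: str


@dataclass
class Finding:
    host: str
    reasons: list = field(default_factory=list)

    @property
    def action(self) -> str:
        # Per the report: isolate and investigate, do not only kill the miner.
        return "isolate host; open incident; preserve evidence" if self.reasons else "none"


def inspect_process(p: Process) -> list:
    """Return the miner indicators that a single process matches."""
    reasons = []
    name = p.exe.rsplit("/", 1)[-1].lower()
    if name in MINER_NAMES:
        reasons.append(f"pid {p.pid}: known miner binary name '{name}'")
    if STRATUM_RE.search(p.cmdline):
        reasons.append(f"pid {p.pid}: mining-pool URL on command line")
    if p.cpu_pct >= 80.0 and p.exe.startswith(TEMP_DIRS):
        reasons.append(f"pid {p.pid}: {p.cpu_pct:.0f}% CPU from temp directory {p.exe}")
    return reasons


def triage_hosts(processes):
    """Group findings per host; every host gets a Finding so 'clean' is explicit."""
    findings = {}
    for p in processes:
        f = findings.setdefault(p.host, Finding(p.host))
        f.reasons.extend(inspect_process(p))
    return findings


# Constructed sample telemetry (not real data): two servers, one compromised.
# The miner on web-01 hides under a kernel-thread-like name, so the name rule
# misses it and the pool URL and temp-dir rules catch it; the busy ETL job on
# db-02 is legitimate and must not be flagged.
SAMPLE = [
    Process("web-01", 812, 2.1, "/usr/sbin/nginx", "nginx: worker process"),
    Process("web-01", 9903, 97.5, "/tmp/.x/kswapd0",
            "/tmp/.x/kswapd0 -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER"),
    Process("db-02", 414, 12.0, "/usr/sbin/mysqld", "/usr/sbin/mysqld"),
    Process("db-02", 7777, 91.0, "/usr/bin/python3", "python3 /opt/etl/nightly_load.py"),
]

if __name__ == "__main__":
    for host, f in triage_hosts(SAMPLE).items():
        print(host, "->", f.action)
        for r in f.reasons:
            print("   ", r)
```

Feeding this from real telemetry means replacing `SAMPLE` with records from your EDR or a process listing; the shape of the output (host, reasons, action) is what matters, because the report’s point is that the action on a positive is an investigation of how the server was taken, not merely removal of the miner.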
“From dedicated bulletproof hosting to anonymizing services, domain name provision and compromised legitimate assets, the cybercriminal underground boasts a sophisticated range of infrastructure offerings to support monetization campaigns of all types,” said Bob McArdle, director of forward-looking threat research for Trend Micro.
“Our goal is to raise awareness and understanding of cybercriminal infrastructure to help law enforcement agencies, customers and other researchers block avenues for cybercrime and drive costs up for threat actors.”
Cloud servers particularly exposed
Cloud servers are particularly exposed to compromise and use in underground hosting infrastructure as they may be lacking the protection of their on-premises equivalents.
McArdle continued, “Compromised legitimate corporate assets can be infiltrated and abused whether on-premise or in the cloud. A good rule of thumb is that whatever is most exposed is most likely to be exploited.”
Cybercriminals might look to exploit vulnerabilities in server software, use brute-force attacks to compromise credentials, or steal logins and deploy malware via phishing attacks. They may even target infrastructure management software (cloud API keys), which allows them to create new instances of virtual machines or supply resources.
Once compromised, these cloud server assets could be sold on underground forums, dedicated marketplaces and even social networks for use in a range of attacks.
Trend Micro announced its upcoming Mobile Network Security solution, which will accelerate digital innovation at the network edge by offering comprehensive network and endpoint protection for a new era of IoT and 5G private networks.
Service providers and system integrators are increasingly using shared and unlicensed products to build private mobile networks for their enterprise customers—driving new 5G and IoT-powered business opportunities at the edge.
“From shopping malls to airports and smart factories to enterprise campuses, private networks are emerging as an increasingly popular way to deliver business-critical applications at the network edge. However, the sheer complexity involved can create dangerous security gaps,” said Akihiko Omikawa, executive vice president of IoT security for Trend Micro.
“Trend Micro leveraged its decades of cross-functional cybersecurity experience to create Mobile Network Security, a comprehensive platform for protecting cellular networks and distrusted IoT devices. We’re delighted to be collaborating with key industry stakeholders, like JCI US, to make this vision a reality.”
Private networks are a natural choice for many enterprises, offering the prospect of low latency, low interference and high-security environments. However, CISOs are challenged by a lack of in-house skills capable of combining expertise in information technology (IT), operation technology (OT) and communication technology (CT) security.
The answer is Trend Micro Mobile Network Security, which comprises two key elements:
- Network Protection (Trend Micro Virtual Network Function Suite): Built on the ETSI NFV framework to offer high-performance, low-latency virtualized network security across 4G/5G/NB-IoT/CAT-M. Network Protection offers north-south protection to secure all mobile and IoT devices on the private network and east-west protection to secure network traffic between edge computing apps and network segments. It features access control, virtual patching, intrusion prevention, URL filtering, malicious site/botnet C&C/malicious device blocking, app control and more.
- Endpoint Protection: Comprehensive endpoint security for IoT devices provided in two form factors — physical SIM card and software Java applet. Endpoint Protection provides device whitelisting, geofencing, firmware integrity, IMSI/IMEI lockdown, zero touch provisioning, mutual authentication, on-demand TLS key generation, device isolation, data encryption, blockchain crypto and more.
Trend Micro is already partnering with several service providers on proof-of-concept trials with Mobile Network Security.
JCI US President and COO Greg Deickman said: “The JCI Group has long recognized the importance of the SIM card in driving improved IoT security and innovation at the network edge. We are pleased to be working with Trend Micro to develop SIM card solutions to augment their layered suite of products and services to secure enterprise endpoints and networks.
“With the close collaboration between JCI US and Trend Micro, we successfully delivered a POC at Southlands, a highly popular outdoor shopping center in Denver, CO, to secure consumers’ mobile devices.”
R1 RCM Inc. [NASDAQ:RCM], one of the nation’s largest medical debt collection companies, has been hit in a ransomware attack.
Formerly known as Accretive Health Inc., Chicago-based R1 RCM brought in revenues of $1.18 billion in 2019. The company has more than 19,000 employees and contracts with at least 750 healthcare organizations nationwide.
R1 RCM acknowledged taking down its systems in response to a ransomware attack, but otherwise declined to comment for this story.
The “RCM” portion of its name refers to “revenue cycle management,” an industry which tracks profits throughout the life cycle of each patient, including patient registration, insurance and benefit verification, medical treatment documentation, and bill preparation and collection from patients.
The company has access to a wealth of personal, financial and medical information on tens of millions of patients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic data.
It’s unclear when the intruders first breached R1’s networks, but the ransomware was unleashed more than a week ago, right around the time the company was set to release its 2nd quarter financial results for 2020.
R1 RCM declined to discuss the strain of ransomware it is battling or how it was compromised. Sources close to the investigation tell KrebsOnSecurity the malware is known as Defray.
Defray was first spotted in 2017, and its purveyors have a history of specifically targeting companies in the healthcare space. According to Trend Micro, Defray usually is spread via booby-trapped Microsoft Office documents sent via email.
“The phishing emails the authors use are well-crafted,” Trend Micro wrote. For example, in an attack targeting a hospital, the phishing email was made to look like it came from a hospital IT manager, with the malicious files disguised as patient reports.
Email security company Proofpoint says the Defray ransomware is somewhat unusual in that it is typically deployed in small, targeted attacks as opposed to large-scale “spray and pray” email malware campaigns.
“It appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely,” Proofpoint observed.
A recent report (PDF) from Corvus Insurance notes that ransomware attacks on companies in the healthcare industry have slowed in recent months, with some malware groups even dubiously pledging they would refrain from targeting these firms during the COVID-19 pandemic. But Corvus says that trend is likely to reverse in the second half of 2020 as the United States moves cautiously toward reopening.
Corvus found that while services that scan and filter incoming email for malicious threats can catch many ransomware lures, an estimated 75 percent of healthcare companies do not use this technology.
Trend Micro enhances agility and automation in cloud security through integrations with Amazon Web Services (AWS). As a result, Trend Micro delivers flexible and scalable all-in-one security that helps DevOps engineers securely build and innovate as they migrate to and build in the cloud.
Trend Micro has demonstrated the strength of its collaboration with AWS since 2012 with a deep understanding of customer use cases and by integrating with leading AWS security services at launch. Most recently, Trend Micro Cloud One offerings have been natively integrated with AWS Control Tower and AWS Systems Manager Distributor.
These additions are designed to bring immediate benefit to security, cloud, and DevOps teams leveraging AWS by automating enforcement of security capabilities earlier in the account and resource provisioning process.
“Trend Micro is an Advanced Technology Partner in the AWS Partner Network (APN) with a long-standing history of providing security solutions to help customers address their portion of the shared responsibility model,” said Siva Padisetty, General Manager, AWS Systems Manager, Amazon Web Services, Inc.
“Trend Micro’s continuing investment in integrations with native AWS capabilities, such as AWS Control Tower and AWS Systems Manager Distributor, reduces onboarding and management friction while adopting an enhanced security posture.”
According to a recent report from IDC, “Trend Micro is the dominant leader in Software-Defined Compute (SDC) workload protection,” making up 29.5% of the worldwide hybrid cloud workload security market share, proving the company’s hybrid cloud security expertise, capabilities and trust by customers.
As the leading cloud security experts, Trend Micro engineers develop security solutions designed to meet the needs of cloud engineers.
“We understand that security teams don’t always have complete control or visibility into how cloud instances are being spun up, configured and used across the company,” said Sanjay Mehta, senior vice president of business development and alliances for Trend Micro.
“Listening to and understanding customer needs and feedback drives our innovations and collaboration with AWS. Having our solutions plug in natively with AWS offerings like AWS Control Tower and AWS Systems Manager Distributor adds visibility and automates security for our customers.”
Through this collaboration, Trend Micro Cloud One offers the broadest platform support and API integration to protect your AWS infrastructure whether building with Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS Lambda, AWS Fargate, containers, Amazon Simple Storage Service (Amazon S3), or Amazon Virtual Private Cloud (Amazon VPC) networking.
New research from Trend Micro highlights design flaws in legacy programming languages and releases new secure coding guidelines. These are designed to help Industry 4.0 developers greatly reduce the software attack surface, and therefore decrease business disruption in OT environments.
The layers of the software stack (including automation task programs) and what their respective vulnerabilities could affect
Conducted jointly with Politecnico di Milano, the research details how design flaws in legacy programming languages could lead to …
The post Security analysis of legacy programming environments reveals critical flaws appeared first on Help Net Security.
Trend Micro unveiled new insights analyzing the market for underground hosting services and detailing how and where cybercriminals rent the infrastructure that hosts their business.
Over the past five years, increased use and abuse of compromised assets has formed a whole new market. There are varied types of underground hosting and associated services used by cybercriminals to operate their businesses, including bulletproof hosting, VPNs, anonymizers, and DDoS protection.
Such services could variously be used to protect availability, maintain anonymity, disrupt forensics, obfuscate physical location, and enable IP spoofing, among other things.
“For over a decade, Trend Micro Research has dug into how cybercriminals think, as opposed to focusing only on what they do, which is critical when it comes to protecting against them,” said Robert McArdle, director of forward-looking threat research at Trend Micro.
The cybercrime industry
Cybercrime is a highly professional industry, with sales and advertisements leveraging legitimate marketing techniques and platforms, all driven by cost to some extent. For example, one advertisement was found for dedicated, compromised servers based in the US starting at just $3, rising to $6 with guaranteed availability for 12 hours.
Although many of these services are traded on underground forums, some of which are invite-only, others are clearly advertised and sold via legitimate social media and messaging platforms such as Twitter, VK and Telegram.
In fact, the line between criminality and legitimate business behavior is increasingly difficult to discern. Some hosting providers have a legitimate clientele and advertise openly on the internet but may have resellers that sell exclusively to the criminal underground – either with or without the company’s knowledge.
In the case of bulletproof hosters, which are more definitively linked to cybercrime, they are generally regular hosting providers trying to diversify their business to cater to the needs of specific customers. For a premium price, they’re prepared to push to the absolute limit of what the law in their local jurisdiction allows and actually prosecutes.
Understanding where and how these services are sold, and consequently impacting the cost of these sales, is arguably our best strategy to help make a lasting and repeatable dent in the cybercriminal underground market.
Trend Micro research is warning consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. The report urges users to take action to stop their devices from enabling this criminal activity.
The importance of home routers for IoT botnets
There has been a recent spike in attacks targeting and leveraging routers, particularly around Q4 2019. This research indicates increased abuse of these devices will continue as attackers are able to easily monetize these infections in secondary attacks.
“With a large majority of the population currently reliant on home networks for their work and studies, what’s happening to your router has never been more important,” said Jon Clay, director of global threat communications for Trend Micro.
“Cybercriminals know that a vast majority of home routers are insecure with default credentials and have ramped up attacks on a massive scale. For the home user, that’s hijacking their bandwidth and slowing down their network. For the businesses being targeted by secondary attacks, these botnets can totally take down a website, as we’ve seen in past high-profile attacks.”
Brute force log-in attempts against routers increasing
The research revealed an increase from October 2019 onwards in brute force log-in attempts against routers, in which attackers use automated software to try common password combinations.
The number of attempts increased nearly tenfold, from around 23 million in September to nearly 249 million attempts in December 2019. As recently as March 2020, Trend Micro recorded almost 194 million brute force logins.
Another indicator that the scale of this threat has increased is devices attempting to open telnet sessions with other IoT devices. Because telnet is unencrypted, it’s favored by attackers – or their botnets – as a way to probe for user credentials.
At its peak, in mid-March 2020, nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week.
Cybercriminals are competing with each other
This trend is concerning for several reasons. Cybercriminals are competing with each other to compromise as many routers as possible so they can be conscripted into botnets. These are then sold on underground sites either to launch DDoS attacks, or as a way to anonymize other attacks such as click fraud, data theft and account takeover.
Competition is so fierce that criminals are known to uninstall any malware they find on targeted routers, booting off their rivals so they can claim complete control over the device.
For the home user, a compromised router is likely to suffer performance issues. If attacks are subsequently launched from that device, their IP address may also be blacklisted – possibly implicating them in criminal activity and potentially cutting them off from key parts of the internet, and even corporate networks.
As explained in the report, there’s a thriving black market in botnet malware and botnets-for-hire. Although any IoT device could be compromised and leveraged in a botnet, routers are of particular interest because they are easily accessible and directly connected to the internet.
Recommendations for home users
- Make sure you use a strong password. Change it from time to time.
- Make sure the router is running the latest firmware.
- Check logs to find behavior that doesn’t make sense for the network.
- Only allow logins to the router from the local network.
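The last recommendation above is vague without a concrete example of what “behavior that doesn’t make sense” looks like in a router log. The script below is an added example, not part of the Trend Micro report: it runs over a constructed syslog-style excerpt (the line format and all addresses are invented for the example) and flags the two indicators the article describes, bursts of failed logins from one source and LAN devices opening telnet (TCP/23) sessions toward other hosts.

```python
"""Flag two router-log patterns from the article: bursts of failed logins
from a single source (brute force) and LAN devices opening telnet sessions.

The log format below is constructed for this example; adjust LOGIN_RE and
FW_RE to match the wording your own router actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (ISO timestamp, host, message). Not real data.
SAMPLE_LOG = """\
2020-03-15T03:14:01 router login: failed password for admin from 203.0.113.7
2020-03-15T03:14:02 router login: failed password for admin from 203.0.113.7
2020-03-15T03:14:02 router login: failed password for root from 203.0.113.7
2020-03-15T03:14:03 router login: failed password for admin from 203.0.113.7
2020-03-15T03:14:04 router login: failed password for support from 203.0.113.7
2020-03-15T03:20:00 router login: failed password for admin from 192.168.1.10
2020-03-15T03:25:00 router login: accepted password for admin from 192.168.1.10
2020-03-15T03:30:10 router fw: OUT proto=TCP src=192.168.1.23 dst=198.51.100.4 dpt=23
2020-03-15T03:30:11 router fw: OUT proto=TCP src=192.168.1.23 dst=198.51.100.5 dpt=23
2020-03-15T03:31:00 router fw: OUT proto=TCP src=192.168.1.10 dst=198.51.100.9 dpt=443
2020-03-15T03:32:00 router fw: IN proto=TCP src=203.0.113.9 dst=192.168.1.1 dpt=23
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: (?P<result>failed|accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ fw: (?P<dir>IN|OUT) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict describing the event, or None for lines we do not model."""
    m = LOGIN_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "login"
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        return ev
    m = FW_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "fw"
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dpt"] = int(ev["dpt"])
        return ev
    return None


def detect_brute_force(events, threshold=5, window_s=60):
    """Sources with >= threshold failed logins inside any window_s-second window.

    A sliding window per source avoids flagging a legitimate user who
    mistypes the password a few times spread over a long period.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "login" or ev["result"] != "failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = max(flagged.get(ev["src"], 0), len(q))
    return flagged


def detect_telnet(events, lan_prefix="192.168.1."):
    """Split telnet (TCP/23) attempts into inbound probes and outbound sessions.

    Outbound telnet from a LAN host is the stronger signal: the article
    describes already-infected devices probing other devices for credentials.
    """
    inbound, outbound = [], []
    for ev in events:
        if ev["kind"] != "fw" or ev["proto"] != "TCP" or ev["dpt"] != 23:
            continue
        if ev["dir"] == "OUT" and ev["src"].startswith(lan_prefix):
            outbound.append((ev["src"], ev["dst"]))
        elif ev["dir"] == "IN":
            inbound.append((ev["src"], ev["dst"]))
    return {"inbound_probes": inbound, "outbound_sessions": outbound}


def analyse(log_text, **kwargs):
    """Parse every line and return both sets of findings."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "brute_force": detect_brute_force(events, **kwargs),
        "telnet": detect_telnet(events),
    }


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for src, n in findings["brute_force"].items():
        print(f"brute force: {n} failed logins from {src} within one window")
    for src, dst in findings["telnet"]["outbound_sessions"]:
        print(f"outbound telnet: LAN host {src} -> {dst}")
    for src, dst in findings["telnet"]["inbound_probes"]:
        print(f"inbound telnet probe: {src} -> {dst}")
```

A single failed login from the LAN host is deliberately not flagged, while the five rapid failures from one external address and the two outbound telnet connections from 192.168.1.23 are.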
Microsoft has released fixes for two remote code execution (RCE) vulnerabilities in the Microsoft Windows Codecs Library on Windows 10 machines.
CVE-2020-1425 could allow attackers to obtain information to further compromise the user’s system, and CVE-2020-1457 would allow them to execute arbitrary code, all by tricking users into opening an image file.
“To successfully exploit this vulnerability, an attacker would need to deliver a specially crafted image file, like a JPG or TIFF or PNG, and convince the targeted victim to open the file. Data hidden within the image would then be processed by the image rendering program, executing arbitrary code on the endpoint. This code could be used to install a backdoor, allowing an attacker to modify user credentials, execute more code, or navigate laterally through the corporate network,” Richard Melick, Senior Technical Product Manager, Automox, explained.
The vulnerabilities were discovered by Abdul-Aziz Hariri of Trend Micro’s Zero Day Initiative and they are not being actively exploited in the wild.
What initially seemed like critical out-of-band patches for Windows 10 and Windows Server 2019 systems turned out to be slightly less urgent, since the flaws affect only Windows 10 systems, and only those on which users have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store, thus limiting the pool of machines open to attack.
Affected customers also didn’t have to do anything to receive the update, as they were updated automatically through the (consumer) Microsoft Store. Enterprise customers using Store for Business received the update in the same manner.
Microsoft has noted, though, that users who have turned off automatic updating for Microsoft Store apps should check for them with the Microsoft Store App or risk going without them.
72% of remote workers say they are more conscious of their organization’s cybersecurity policies since lockdown began, but many are breaking the rules anyway due to limited understanding or resource constraints, Trend Micro reveals.
The study is distilled from interviews with 13,200 remote workers across 27 countries on their attitudes towards corporate cybersecurity and IT policies. It reveals that there has never been a better time for companies to take advantage of heightened employee security awareness.
The survey reveals that the approach businesses take to training is critical to ensure secure practices are being followed.
High level of security awareness
The results indicate a high level of security awareness, with 85% of respondents claiming they take instructions from their IT team seriously, and 81% agreeing that cybersecurity within their organization is partly their responsibility. Additionally, 64% acknowledge that using non-work applications on a corporate device is a security risk.
However, just because most people understand the risks does not mean they stick to the rules.
- 56% of employees admit to using a non-work application on a corporate device, and 66% of them have actually uploaded corporate data to that application.
- 80% of respondents confess to using their work laptop for personal browsing, and only 36% of them fully restrict the sites they visit.
- 39% of respondents say they often or always access corporate data from a personal device – almost certainly breaking corporate security policy.
- 8% of respondents admit to watching / accessing porn on their work laptop, and 7% access the dark web.
Productivity still wins out over protection
Productivity still wins out over protection for many users. 34% of respondents agree that they do not give much thought to whether the apps they use are sanctioned by IT or not, as they just want the job done. Additionally, 29% think they can get away with using a non-work application, as the solutions provided by their company are ‘nonsense.’
Dr Linda Kaye, Cyberpsychology Academic at Edge Hill University explains: “There are a great number of individual differences across the workforce. This can include individual employee’s values, accountability within their organization, as well as aspects of their personality, all of which are important factors which drive people’s behaviors.
“To develop more effective cybersecurity training and practices, more attention should be paid to these factors. This, in turn, can help organizations adopt more tailored or bespoke cybersecurity training with their employees, which may be more effective.”
Rik Ferguson, Vice President of Security Research at Trend Micro, argues: “It’s really heartening to see that so many people take the advice from their corporate IT team seriously, although you have to wonder about the 15% who don’t… At the same time those people also accept their own role in the human firewall of any organization.
“The problem area seems to be translating that awareness into concrete behavior. To reinforce this, organizations need to take into account the diversity across the organization and tailor training to identify and address these distinct behavioral groups.
“The time to do this is now, to take advantage of the new working environment and people’s newfound recognition of the importance of information security.”
The percentage of companies admitting to suffering a mobile-related compromise has grown, despite a higher percentage of organizations deciding not to sacrifice the security of mobile devices to meet business targets.
To make things worse, the C-suite is the most likely group within an organization to ask for relaxed mobile security protocols – despite also being highly targeted by cyberattacks.
In order to select a suitable mobile security solution for your business, you need to consider a lot of factors. We’ve talked to several industry professionals to get their insight on the topic.
Liviu Arsene, Global Cybersecurity Analyst, Bitdefender
A business mobile security solution needs to have a clear set of minimum abilities or features for securing devices and the information stored on them, and for enabling IT and security teams to remotely manage them easily.
For example, a mobile security solution for business needs to have excellent malware detection capabilities, as revealed by third-party independent testing organizations, with very few false positives, a high detection rate, and minimum performance impact on the device. It needs to allow IT and security teams to remotely manage the device by enabling policies such as device encryption, remote wipe, application whitelisting/blacklisting, and online content control.
These are key aspects for a business mobile security solution as it both allows employees to stay safe from online and physical threats, and enables IT and security teams to better control, manage, and secure devices remotely in order to minimize any risk associated with a compromised device. The mobile security solution should also be platform agnostic, easily deployable on any mobile OS, centrally managed, and allow users to switch from profiles covering connectivity and encryption (VPN) settings based on the services the user needs.
Fennel Aurora, Security Adviser at F-Secure
Making any choice of this kind starts from asking the right questions. What is your company’s threat model? What are your IT and security management capabilities? What do you already know today about your existing IT, shadow IT, and employees’ bring-your-own devices?
If you are currently doing nothing and have little IT resources internally, you will not have the same requirements as a global corporation with whole departments handling this. As a farming supplies company, you will not face the same threats, nor have the same requirements, as an aeronautics company working on defense contracts.
In reality, even the biggest companies do not systematically do all of the 3 most basic steps. Firstly, you need to inventory your devices and IT, and be sure that the inventory is complete and up-to-date as you can’t protect what you don’t know about. You also need at minimum to protect your employees’ devices against basic phishing attacks, which means using some kind of AV with browsing protection. You need to be able to deploy and update this easily via a central tool. A good mobile AV product will also protect your devices against ransomware and banking trojans via behavioral detection.
Finally, you need to help people use better passwords, which means helping them install and start using a password manager on all their devices. It also means helping them get started with multi-factor authentication.
Jon Clay, Director of Global Threat Communications, Trend Micro
Many businesses secure their PCs and servers from malicious code and cyber attacks as they know these devices are predominantly what malicious actors will target. However, we are increasingly seeing threat actors target mobile devices, whether to install ransomware for quick profit, or to steal sensitive data to sell in the underground markets. This means that organizations can no longer choose to forego including security on mobile devices – but there are a few challenges:
- Most mobile devices are owned by the employee
- Most of the data on the mobile device is likely to be personal to the owner
- There are many different device manufacturers and, as such, difficulties in maintaining support
- Employees access corporate data on their personal devices regularly
Here are a few key things that organizations should consider when looking to select a mobile security solution:
- Lost devices are one reason for lost data. Requiring users to encrypt their phones using a passcode or biometric option will help mitigate this risk.
- Malicious actors are looking for vulnerabilities in mobile devices to exploit, making regular update installs for OS and applications extremely important.
- Installing a security application can help with overall security of the device and protect against malicious attacks, including malicious apps that might already be installed on the device.
- Consider using some type of remote management to help monitor policy violations. Alerts can also help organizations track activities and attacks.
Discuss these items with your prospective vendors to ensure they can provide coverage and protection for your employees’ devices. Check their research output to see if they understand and regularly identify new tactics and threats used by malicious actors in the mobile space. Ensure their offering can cover the tips listed above and ask if they can help you with more than just mobile.
Jake Moore, Cybersecurity Specialist, ESET
Companies need to understand that their data is effectively insecure when their devices are not properly managed. Employees will tend to use their company-supplied devices in personal time and vice versa.
This unintentionally compromises private corporate data, due to activities like storing documents in insecure locations on their personal devices or online storage. Moreover, unmanaged functions like voice recognition also contribute to organizational risk by letting someone bypass the lock screen to send emails or access sensitive information – and many mobile security solutions are not foolproof. People will always find workarounds, which for many is the most significant problem.
In order to select the best mobile security solution for your business you need to find a happy balance between security and speed of business. These two issues rarely go hand in hand.
As a security professional, I want protection and security to be at the forefront of everyone’s mind, with dedicated focus to managing it securely. As a manager, I would want the functionality of the solution to be the most effective when it comes to analyzing data. However, as a user, most people favor ease of use and convenience at the detriment of other more important factors.
Both users and security staff need to be cognizant of the fact that they’re operating in the same space and must work together to strike the same balance. It’s a shared responsibility but, importantly, companies need to decide how much risk they are willing to accept.
Anand Ramanathan, VP of Product Management, McAfee
The permanent impact of COVID-19 has heightened attacker focus on work-from-home exploits while increasing the need for remote access. Security professionals have less visibility and control over WFH environments where employees are accessing corporate applications and data, so any evaluation of mobile security should be based on several fundamental criteria:
- “In the wild security”: You don’t know if or how mobile devices are connecting to a network at any given time, so it’s important that the protection is on-device and not dependent on a connection to determine threats, vulnerabilities or attacks.
- Comprehensive security: Malicious applications are a single vector of attack. Mobile security should also protect against phishing, network-based attacks and device vulnerabilities. Security should protect the device against known and unknown threats.
- Integrated privacy protection: Given the nature of remote access from home environments, you should have the ability to protect privacy without sending any data off the device.
- Low operational overhead: Security professionals have enough to do in response to new demands of supporting business in a COVID world. They shouldn’t be obligated to manage mobile devices differently than other types of endpoint devices and they shouldn’t need a separate management console to do so.
The increased use of mobile banking apps due to the COVID-19 pandemic is sure to be followed by an increased prevalence of mobile banking threats: fake banking apps and banking Trojans disguised as those apps, the FBI has warned.
The pandemic and the resulting social distancing brought about many changes. Among them is a preference for using payment cards and electronic funds transfers instead of cash and an increased use of mobile devices to conduct banking activities.
“Studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020. Additionally, studies indicate 36 percent of Americans plan to use mobile tools to conduct banking activities, and 20 percent plan to visit branch locations less often,” the FBI pointed out.
Cyber criminals go where the money goes, so the agency expects them to increase their efforts to surreptitiously deliver information-stealing apps and banking Trojans to mobile users.
Banking Trojans are usually disguised as other popular apps – mobile games, utility apps, contact-tracing apps, etc. – while fake banking apps are apps that are made to look like the real deal. Both will harvest login credentials and, increasingly, second authentication factors (one-time passcodes) delivered via SMS or authenticator apps.
The FBI advises users to be careful when installing new apps. Third-party app stores should be avoided, but even official ones like Google Play can harbor malicious apps that have made it through the vetting process by employing different tricks to hide their malicious nature.
If you want to be sure that you’ll download the right mobile banking app, your best bet is to visit your bank’s website and download the app from there, or follow the link they provide to the official app store where it’s hosted.
When downloading any new app, users should check the reviews and the provided developer info. They should also critically evaluate the permissions the app requests and ditch it if it asks for permissions it shouldn’t have (e.g., a wallpaper app that wants to access the user’s contacts or SMS messages).
The FBI also advises users to choose unique, strong passwords for banking apps, to use a password manager or password management service to “remember” them, and to enable two-factor or multi-factor authentication on devices and accounts where possible.
“Use strong two-factor authentication if possible via biometrics, hardware tokens, or authentication apps,” the agency urged, and warned not to give two-factor passcodes to anyone over the phone or via text.
“If you encounter an app that appears suspicious, exercise caution and contact that financial institution. Major financial institutions may ask for a banking PIN number, but will never ask for your username and password over the phone,” the FBI added.
“Check your bank’s policies regarding online and app account security. If the phone call seems suspicious, hang up and call the bank back at the customer service number posted on their website.”
Trust has eroded among criminal interactions, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, Trend Micro reveals.
Popular underground goods and services
The report reveals that determined efforts by law enforcement appear to be having an impact on the cybercrime underground. Several forums have been taken down by global police entities, and remaining forums experience persistent DDoS attacks and log-in problems impacting their usefulness.
Trends for cybercrime products and services
The report also illustrates the changing market trends for cybercrime products and services since 2015. Commoditization has driven prices down for many items. For example, crypting services fell from $1,000 to just $20 per month, while the price of generic botnets dropped from $200 to $5 per day.
Pricing for other items, including ransomware, Remote Access Trojans (RATs), online account credentials and spam services, remained stable, which indicates continued demand.
However, there has been a high demand for other services, such as IoT botnets, with new undetected malware variants selling for as much as $5,000. Also popular are fake news and cyber-propaganda services, with voter databases selling for hundreds of dollars, and gaming accounts for games like Fortnite can fetch around $1,000 on average.
Other underground market trends
Other notable findings include the emergence of markets for:
- Deepfake services for sextortion or to bypass photo verification requirements on some sites.
- AI-based gambling bots designed to predict dice roll patterns and crack complex Roblox CAPTCHAs.
- Access-as-a-Service to hacked devices and corporate networks. Prices for Fortune 500 companies can reach up to US$10,000 and some services include access with read and write privileges.
- Wearable device accounts where access could enable cybercriminals to run warranty scams by requesting replacement devices.
Underground market trends will likely shift further in the months following the global COVID-19 pandemic, as attack opportunities continue to evolve. To protect against the ever-changing threat landscape, it is recommended to implement a multi-layered defense approach to protect against the latest threats and mitigate corporate security risk.
Advanced hackers could leverage unconventional, new attack vectors to sabotage smart manufacturing environments, according to Trend Micro.
Industry 4.0 Lab, the system that Trend Micro analyzed during this research
“Past manufacturing cyber attacks have used traditional malware that can be stopped by regular network and endpoint protection. However, advanced attackers are likely to develop Operational Technology (OT) specific attacks designed to fly under the radar,” said Bill Malik, vice president of infrastructure strategies for Trend Micro.
“As our research shows, there are multiple vectors now exposed to such threats, which could result in major financial and reputational damage for Industry 4.0 businesses. The answer is IIoT-specific security designed to root out sophisticated, targeted threats.”
Smart manufacturing equipment relying on proprietary systems
Critical smart manufacturing equipment relies primarily on proprietary systems; however, these machines have the computing power of traditional IT systems. They are capable of much more than the purpose for which they are deployed, and attackers are able to exploit this power.
The computers primarily use proprietary languages to communicate, but just like with IT threats, the languages can be used to input malicious code, traverse through the network, or steal confidential information without being detected.
Though smart manufacturing systems are designed and deployed to be isolated, this seclusion is eroding as IT and OT converge. Due to the intended separation, there is a significant amount of trust built into the systems and therefore very few integrity checks to keep malicious activity out.
The systems and machines that could be taken advantage of include the manufacturing execution system (MES), human machine interfaces (HMIs), and customizable IIoT devices. These are potential weak links in the security chain and could be exploited in such a way to damage produced goods, cause malfunctions, or alter workflows to manufacture defective products.
Defense and mitigation measures
- Deep packet inspection that supports OT protocols to identify anomalous payloads at the network level
- Integrity checks run regularly on endpoints to identify any altered software components
- Code-signing on IIoT devices to include dependencies such as third-party libraries
- Risk analysis to extend beyond physical safety to automation software
- Full chain of trust for data and software in smart manufacturing environments
- Detection tools to recognize vulnerable/malicious logic for complex manufacturing machines
- Sandboxing and privilege separation for software on industrial machines
Amazon AppFlow is a fully managed service that provides an easy, secure way for customers to create and automate bidirectional data flows between AWS and SaaS applications without writing custom integration code.
There are no upfront charges or fees to use Amazon AppFlow, and customers only pay for the number of flows they run and the volume of data processed.
Millions of customers run applications, data lakes, large-scale analytics, machine learning, and IoT workloads on AWS. These customers often also have data stored in dozens of SaaS applications, resulting in silos that are disconnected from data stored in AWS.
Organizations want to be able to combine their data from all of these sources, but that requires customers to spend days writing code to build custom connectors and data transformations to convert disparate data types and formats across different SaaS applications.
Customers with multiple SaaS applications end up with a sprawl of connectors and complex code that is time-consuming and expensive to maintain. Further, custom connectors are often difficult to scale for large volumes of data or near real-time transfer, causing delays between when data is available in SaaS and when other systems access the data.
In large enterprises, business users wait months for skilled developers to build custom connectors. In firms with limited in-house developer skills, users resort to manually uploading and downloading data between systems, which is tedious, error-prone and risks data leakage.
Amazon AppFlow solves these problems, and allows customers with diverse technical skills, including CRM administrators and BI specialists, to easily configure private, bidirectional data flows between AWS services and SaaS applications without writing code or performing data transformation.
Customers can get started using Amazon AppFlow’s simple interface to build and execute data flows between sources in minutes, and Amazon AppFlow securely orchestrates and executes the data transfer.
With just a few clicks in the Amazon AppFlow console, customers can configure multiple types of triggers for their data flows, including one-time on-demand transfers, routine data syncs scheduled at pre-determined times, or event-driven transfers when launching a campaign (e.g. converting a lead, closing an opportunity, or opening a case).
For example, customers can back up millions of contacts and support cases from Salesforce to Amazon Simple Storage Service (Amazon S3), add sales opportunities from Salesforce to forecasts in Amazon Redshift, and transfer marketing leads from Amazon S3 to Salesforce after using Amazon SageMaker to add lead scores.
Customers can also pull logs and metric data from monitoring tools like Datadog or Dynatrace for deep analytics in Amazon Redshift, or send customer engagement data from Slack, Marketo, Zendesk, Amplitude, or Singular to Amazon S3 for sentiment analysis.
Customers can transform and process the data by combining fields (to calculate new values), filtering records (to reduce noise), masking sensitive data (to ensure privacy), and validating field values (to cleanse the data).
Amazon AppFlow automatically encrypts data at rest and in motion using AWS or customer-managed encryption keys, and enables users to restrict data from flowing over the public Internet for applications that are integrated with AWS PrivateLink, reducing exposure to security threats.
“Our customers tell us that they love having the ability to store, process, and analyze their data in AWS. They also use a variety of third party SaaS applications, and they tell us that it can be difficult to manage the flow of data between AWS and these applications,” said Kurt Kufeld, Vice President, AWS.
“Amazon AppFlow provides an intuitive and easy way for customers to combine data from AWS and SaaS applications without moving it across the public Internet. With Amazon AppFlow, our customers bring together and manage petabytes, even exabytes, of data spread across all of their applications – all without having to develop custom connectors or manage underlying API and network connectivity.”
Amazon AppFlow availability
Amazon AppFlow is available today in US East (Northern Virginia), US East (Ohio), US West (Northern California), US West (Oregon), Canada (Central), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Mumbai), Europe (Paris), Europe (Ireland), Europe (Frankfurt), Europe (London), and South America (São Paulo) with more regions to come.
“As the world’s largest employee benefits provider, Unum leverages a tremendous amount of structured and unstructured data to ensure a great customer experience,” said Balaji Apparsamy, VP Data and Analytics, Unum Group. “Amazon AppFlow helps our data analytics team to simplify configuration allowing us to accelerate data-driven integrations and build data science applications at a much faster pace, which ultimately helps us enhance our customer satisfaction.”
“With Amazon AppFlow integrating directly with Salesforce Private Connect, joint customers will be able to establish a secure, private connection for passing data back and forth between the Salesforce and AWS platforms,” said Sarah Franklin, EVP & GM Platform, Trailhead & Developers, Salesforce. “And because these connections can be set up by Salesforce admins in just a few clicks, companies can cut down on costly and timely engineering resources, and begin doing more with their data faster than ever before.”
Trend Micro is a global cybersecurity solutions provider that provides layered security for data centers, cloud environments, networks, and endpoints. “The integration using Amazon AppFlow benefits our customers by reducing friction when distributing data from their Trend Micro Cloud One account to AWS services,” said Sanjay Mehta, SVP, Business Development & Alliances, Trend Micro. “This no-code capability enables continuous audit automation and gives our customers’ security and development teams a seamless and secure way to deliver data related to security agents.”
Human error and complex cloud deployments open the door to a wide range of cyber threats, according to Trend Micro.
Cloud security issues
Gartner predicts that by 2021, over 75% of midsize and large organizations will have adopted a multi-cloud or hybrid IT strategy. As cloud platforms become more prevalent, IT and DevOps teams face additional concerns and uncertainties related to securing their cloud instances.
This report reaffirms that misconfigurations are the primary cause of cloud security issues. In fact, 230 million misconfigurations are identified on average each day, proving this risk is prevalent and widespread.
“Cloud-based operations have become the rule rather than the exception, and cybercriminals have adapted to capitalize on misconfigured or mismanaged cloud environments,” said Greg Young, vice president of cybersecurity for Trend Micro.
“We believe migrating to the cloud can be the best way to fix security problems by redefining the corporate IT perimeter and endpoints. However, that can only happen if organizations follow the shared responsibility model for cloud security.”
Criminals capitalizing on misconfigurations
The research found threats and security weaknesses in several key areas of cloud-based computing, which can put credentials and company secrets at risk. Criminals capitalizing on misconfigurations have targeted companies with ransomware, cryptomining, e-skimming and data exfiltration.
Misleading online tutorials compounded the risk for some businesses, leading to mismanaged cloud credentials and certificates. IT teams can take advantage of cloud native tools to help mitigate these risks, but they should not rely solely on these tools, the report concludes.
Best practices to help secure cloud deployments
- Employ least privilege controls: Restricting access to only those who need it.
- Understand the Shared Responsibility Model: Although cloud providers have built-in security, customers are responsible for securing their own data.
- Monitor for misconfigured and exposed systems: Appropriate tools can quickly and easily identify misconfigurations in your cloud environments.
- Integrate security into DevOps culture: Security should be built into the DevOps process from the start.
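As an added illustration of the first and third practices above (least privilege, and monitoring for misconfigured or exposed systems), here is a small Python checker that flags the policy patterns behind most "public bucket" and over-broad-grant findings in AWS IAM and S3 bucket policy documents. This is example code written for this article, not a tool from Trend Micro or AWS; the two policy documents, the bucket name, the role ARN, the account ID and the VPC endpoint ID in it are constructed for the example.

```python
"""Flag common least-privilege violations in AWS IAM / S3 bucket policy documents.

Illustrative checker written for this article; it is not a Trend Micro or AWS tool.
The policy documents below are constructed samples, not real customer policies.
"""
import json


def _as_list(value):
    """IAM allows a string or a list of strings in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' or {'AWS': '*'} (or '*' inside the AWS list) grants to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_policy_issues(policy):
    """Return a list of human-readable findings for one policy document.

    Only 'Allow' statements are examined; each finding names the statement
    by its Sid when present, otherwise by its index in the Statement list.
    """
    findings = []
    statements = _as_list(policy.get("Statement"))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        # Resource-based policies carry a Principal; '*' with no Condition
        # is the classic "public bucket" misconfiguration.
        if "Principal" in stmt and _principal_is_public(stmt["Principal"]) and not has_condition:
            findings.append(f"{label}: grants access to any principal without a Condition")

        # Wildcard actions ('*' or 's3:*') grant far more than a workload needs.
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions:
            findings.append(f"{label}: wildcard actions {wildcard_actions}")

        # Wildcard action on wildcard resource is effectively an administrator grant.
        if wildcard_actions and "*" in resources:
            findings.append(f"{label}: wildcard action on Resource '*' (administrative access)")

        # NotAction in an Allow permits everything except the listed actions,
        # which is almost never what least privilege intends.
        if "NotAction" in stmt:
            findings.append(f"{label}: Allow with NotAction permits everything not listed")
    return findings


# Constructed sample: a bucket policy that makes the whole bucket world-accessible.
PUBLIC_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]
    }
  ]
}
""")

# Constructed sample: the same bucket restricted to one role, read-only, and only
# via a specific VPC endpoint, so the data is not reachable over the public Internet.
RESTRICTED_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AnalyticsRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
      "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
    }
  ]
}
""")


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_BUCKET_POLICY), ("restricted", RESTRICTED_BUCKET_POLICY)]:
        issues = find_policy_issues(doc)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run against the two constructed documents, the public policy yields two findings (any principal without a Condition, and the `s3:*` wildcard) and the restricted one yields none. A checker like this is deliberately conservative: it only reads the policy document, so it says nothing about whether the principal's own identity policy, S3 Block Public Access, or an SCP further narrows what the grant actually permits; treat its output as a queue for review rather than a verdict.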
Trend Micro has fixed two actively exploited zero-day vulnerabilities in its Apex One and OfficeScan XG enterprise security products, and advises customers to update to the latest software versions as soon as possible.
About the vulnerabilities
The two zero-days are:
- CVE-2020-8467, a critical flaw in the migration tool component of the two solutions that could allow remote attackers to execute arbitrary code on affected installations
- CVE-2020-8468, a high-risk content validation escape vulnerability affecting Apex One and OfficeScan agents, which could allow remote attackers to manipulate certain agent client components.
In both cases, attackers must authenticate to the target endpoint with valid, compromised credentials before attempting exploitation, which means that these flaws are likely to have been exploited by attackers who have already found their way into the enterprise network.
Affected versions are Apex One 2019 (on premise) for Windows and OfficeScan XG SP1 and XG for Windows. Fixes have been implemented in:
- Apex One (on premise) CP 2117
- OfficeScan XG SP1 CP 5474
- OfficeScan XG CP 1988
In addition to these two zero-days, three additional critical security holes (CVE-2020-8470, CVE-2020-8598 and CVE-2020-8599) have been plugged in these updates. These allow remote attacks without authentication, but Trend Micro has not observed any attempted exploits of those vulnerabilities.
The company did not share the nature of the in-the-wild attacks.