Categories: Business
How much can you really save leveraging an outsourced SOC versus building your own in-house? How much ROI can MDR provide over the long-term? In this post, we’ll answer each of these questions and more.



(Read more...)




The post Is an outsourced SOC worth it? Looking at the ROI of MDR appeared first on Malwarebytes Labs.

In the turbulent world of cybersecurity, one thing is for certain: Threats are evolving in ways that make them harder for organizations to predict—and stop.

For businesses with scarce security staff resources and disconnected, complex toolsets, keeping up with today’s cyberthreats is even harder. That’s why an outsourced **Security Operations Center (SOC)** is a great option for resource-constrained organizations.

A SOC, or team of professionals who monitor and respond to threats for your business, is a staple of **Managed Detection and Response (MDR)** services. MDR is an outsourced service which provides organizations with 24x7 attack prevention, detection, and remediation, as well as targeted and risk-based threat hunting.

If you’re an organization wanting to reap the benefits of a 24/7 SOC, then MDR might just be the best bang for their buck. But hold up.

How much can you really save leveraging an outsourced SOC versus building your own in-house? How much ROI can MDR provide over the long-term? And are there any downsides to consider?

In this post, we’ll answer each of these questions and more.

**In-house SOC vs outsourced SOC costs****In-house SOC costs**

Spoiler alert: building an in-house SOC costs a heck of a lot more than partnering with an MDR provider. There’s quite a long (and expensive) checklist of things you’ll need to have, including:

*   **Hire a minimum of five, full-time employees** to provide 24/7 coverage.
*   **Identify effective avenues to find, hire, and replenish** high-caliber security talent.
*   **Develop an employee loyalty** and retention program.

If we really get down to the nitty-gritty, there’s a slew of other costs and logistical hurdles you’ll have to take on:

*   **Purchase, implement, and maintain** the hardware and software for your SOC.
*   **Project manage** the facility operations and day-to-day functions.
*   **Provide ongoing security training, certifications, and red team exercises** to expand staff expertise.
*   **Purchase and manage** third-party security intelligence feeds.
*   **Engage periodic outside consultation** to assess the caliber of your detection and response services and invest in appropriate items to make any recommended improvements

Some estimates place the capital costs to establish a SOC at close to $1.3 million USD—and annual recurring costs running up almost $1.5 million USD. Not exactly dirt-cheap, to say the least.

**Outsourced SOC costs**

Outsourced SOCs, such as those provided by MDR services, are much more cost-efficient than building out your own.

Pricing for MDR is typically calculated based on the number of assets in your environment, somewhere in the ballpark of **$8-12 USD per device/log source.**

Some vendors will look at additional factors for pricing, including number of ingress/egress points and the daily rate of ingestion for SIEM. Cost will also be influenced by any customer-specific pricing (including any discounts) and the breadth of services contracted (more features, for example).

Assuming the average number of endpoints (servers, employee computers, mobile devices) for a small to mid-sized company is 750, **you’re looking at dishing out a cool 6K to 9K a month for MDR.**

All in all, the cost of MDR comes out at around 100K annually—quite a difference from the 7 figures we talked about with in-house!

**Long-term ROI of MDR**

Sure, when it comes to reaping the benefits of a 24x7 SOC, MDR is cheaper than building out your own—but that’s only one part of the picture. We should also look at the ROI of MDR and break down any savings we can expect over the long-term.

The two most obvious examples of the ROI of MDR are:

1.  **It removes the full-time employee** staffing costs of hiring five analysts to run a 24/7 SOC, and;
2.  **It alleviates the capital expenditures** of purchasing a SIEM or other security tools.

But that’s not all. There’s several other aspects of cost avoidance with MDR, including:

*   **Reduced risk of data breach**: With a team of seasoned professionals monitoring your network 24x7, you’re less likely to get hit with a data breach. **In 2022 the average cost of a data breach was $4.35 million.**
*   **Savings attributed to reduction in security incidents**: Infected (and therefore inoperable) devices greatly impacted worker productivity. MDR can reduce worker downtime and reduce necessary IT resources for remediation.
*   **Savings on cyber insurance**: Cyber insurers want 24/7 detection and response in an environment. MDR satisfies this requirement for businesses, saving you potentially tens of thousands of dollars in premiums and other costs annually.

All this being said, there is one big factor to consider before jumping into MDR, and it has to do with control.

MDR providers will have access to sensitive network and endpoint data in order to monitor your infrastructure for threats. And although many MDR vendors have ways to secure/obfuscate that data, some organizations may still be wary of having their data handled by an outside organization.

**When it comes to great security and high ROI, MDR is tough to beat**

MDR is a cost-efficient way to reap the benefits of a 24/7 SOC for organizations who lack the budget to set one up themselves.

With MDR, organizations have access to a round-the-clock team of experts to threat hunt, stay on top of the latest adversary tools, techniques, and procedures (TTPs), and quickly remediate threats as necessary, among other things.

Get a deep dive into the Malwarebytes MDR service

Want to learn more MDR, but not sure where to start? We’ve got you covered. Here are list of resources we think you’ll find helpful:

*   Introducing Malwarebytes Managed Detection and Response (MDR)
*   How to choose an MDR vendor: 6 questions to ask
*   Cyber threat hunting for SMBs: How MDR can help 
*   A cyber threat hunter talks about what he’s learned in his 16+ year cybersecurity career

Is an outsourced SOC worth it? Looking at the ROI of MDR

Offensive security researchers found 63 previously unreported vulnerabilities in printers, phones, and network-attached storage devices in the Zero Day Initiative's latest hackathon.

Security researchers and hackers demonstrated 63 zero-day vulnerabilities in popular devices at the latest Pwn2Own, exploiting printers from Canon, HP, and Lexmark, and routers and network-attached storage device from Synology and Netgear.

According to Trend Micro's Zero Day Initiative (ZDI), which organized the competition last week, the collection of vulnerabilities earned $989,750 for the offensive cybersecurity specialists competing in the contest. While some attacks chained together a series of exploits to take control of the remote devices, including one that used five vulnerabilities, others found a single security weakness to target, such as the Pentest Limited team, which found a reliable single-click exploit in the Samsung Galaxy S22 mobile phone that required less than a minute to attack.

The Samsung exploit highlighted that significant vulnerabilities are out there to find, says Dustin Child, head of threat awareness at Trend Micro's Zero Day Initiative.

"Just click a link on an affected device and you get owned," he says. "It's a very reliable bug, too. Very impressive research and quite the effective demonstration of why clicking unknown links can be dangerous."

**Focusing on IoT and Mobile**

Pwn2Own started in 2007 as an annual contest connected with the annual CanSecWest conference, but has since branched out into two contests: one focused on computer operating systems and applications, and the other — which includes the latest contest — focused on devices and the Internet of Things.

Over the four days of the contest, offensive cybersecurity specialists discovered a significant number of vulnerabilities in printers and routers from major brands, but also targeted Bluetooth speakers and network-attached storage, ZDI stated in a summary of the contest results.

Because many of the devices are commonly used by small and medium-sized businesses (SMBs), companies should take the results of the competition as a warning, Child says.

"If anything, SMBs should understand that, while they may feel they aren't large enough to be a target, their devices can and will be targeted by threat actors," he says. "At \[this\] time, the attackers are just looking to add nodes to their botnet, but regardless of intent, the devices we rely on for business can be compromised if left undefended."

**Buffer Overflows Continue to Creep In**

Unfortunately, one of the classes of vulnerabilities that continues to represent a fertile field of exploitation for attackers is memory safety vulnerabilities, such as buffer overflows. While major software companies have begun using memory-safe programming languages to prevent memory-related issues, many device-makers are still behind the curve.

Many of the vulnerabilities discovered during the contest were buffer overflows, Child says.

"This form of memory corruption has been known for some time, so we were a bit surprised to see it still prevalent in multiple devices," he says.

Among the most targeted devices were printers, with Lexmark, HP, and Canon printers among those favored by participants. While routers also made up a significant share of targeted devices, they would have seen more abuse this year, except that last-minute patches from Netgear and TP-Link eliminated targeted weaknesses, forcing competitors to withdraw from the competition, Child says.

**Playing the Mario Theme on a Lexmark**

Some of the printer exploits showed additional creativity. In the past, hackers would settle for exploiting a system and forcing it to run Microsoft Paint or call up a calculator application as a demonstration of their potential to run arbitrary code. In the latest Pwn2Own, however, successful hackers displayed Pokemon or another anime character on the small printer control display. 

Perhaps most impressively, the Horizon3 AI team used the system alert sound on a Lexmark printer to play the theme from Mario, even though the device does not have that functionality.

"Since the printer doesn't have a speaker, we didn’t expect it to play a song, but they modulated the frequency of the beep to add the musical function," Child says.

Data management providers Synology and online giant Google both co-sponsored the contest.

Hackers Score Nearly $1M at Device-Focused Pwn2Own Contest

Categories: News
Categories: Ransomware
Tags: Silence

Tags:  TA505

Tags:  Clop ransomware

Tags:  Truebot

Tags:  Grace

Tags:  Cobalt Strike

Tags:  Teleport

Tags:  FIN11

Researchers have identified two new Truebot botnets that are using new versions of the Truebot downloader Trojan to infiltrate and explore a target's network.



(Read more...)




The post Silence is golden partner for Truebot and Clop ransomware appeared first on Malwarebytes Labs.

A recent rise in the number of Truebot infections has been attributed to a threat actor known as the Silence Group. The Silence Group is an initial access broker (IAB) that frequently changes tools and tactics to stay on top of the game. An IAB's primary task is to find a weakness or vulnerability, create a foothold in a network, and do some exploratory work to find out how attractive the target is. Once this is done they can sell the access to another threat actor, like a ransomware group. For these tasks Truebot is the tool of choice in the Silence Group.

The Silence Group seems to have a strong relation with the group behind Clop ransomware, often referenced as TA505. Which, in turn, has a large overlap with the FIN11 group.

**Truebot**

The researchers identified two separate Truebot botnets. One of which appears to be focused on the US, while the other is predominantly focused at Mexico, Pakistan, and Brazil.

We touched on the second one when we wrote about the recent activities of the Raspberry Robin worm. The use of this worm, in combination with an attack vector leveraging a Netwrix vulnerability, seems the have laid the ground work for the creation of a botnet of over 1,000 systems that is distributed worldwide.

The other botnet is almost exclusively composed of Windows servers, directly connected to the internet, and exposes several Windows services such as SMB, RDP, and WinRM. The attack vector that was used to establish this botnet has not yet been identified, although the researchers are confident that it is different from those used for the other botnet, Raspberry Robin and the Netwrix vulnerability (CVE-2022-31199).

**New version**

At its core, Truebot is a Trojan.Downloader. As such, it is an ideal malware for IAB groups that want to plant a backdoor on a system and do some basic reconnaissance of the network. For those purposes, this new version of Truebot collects this information: a screenshot, the computer name, the local network name, and active directory trust relations. Active Directory trust relations allow organizations to share users and resources across domains.

What’s also new is that this version is now capable of loading and executing additional modules and shellcodes in memory, making the payloads fileless malware which is less likely to be detected.

**Exfiltration**

Besides the usual suspects designed to act as a backdoor, Cobalt Strike and Grace, the researchers also found a new data exfiltration tool. Finding Grace as a payload seems to confirm the close ties between the Silence Group and TA505 since Grace was almost exclusively used by TA505.

The exfiltration tool, dubbed Teleport, was used extensively by the attackers to steal information from the network. It seems to be a custom data exfiltration tool built in C++ , containing several features that make the process of data exfiltration easier and stealthier. It has some features that are not commonly found in remote copying tools but which make it very useful to an attacker stealthily exfiltrating data.

*   It limits the upload speed, which can make the transmission go undetected by tools that monitor for large data exfiltration and avoids slowing down the network.
*   The communication is encrypted to hide what information is being transmitted.
*   Limiting the file size, which can maximize the number of stolen files by avoiding lengthy copies of files that may not be interesting.
*   The ability to delete itself after use, which is ideal to keep it as unknown as possible.

**Clop**

Ransom.Clop was first seen in February of 2019. Besides encrypting systems, the Clop ransomware also exfiltrates data that will be published on a leak site if the victim refuses to pay the ransom. In February of 2021, the group made headlines by targeting executives' systems specifically to find sensitive data.

**Mitigation**

The tools that are used by Silence are versatile, but there are a few logical steps you can take to protect yourself and your organization:

*   Do not insert USB drives of unknown or unreliable origin into your systems. 
*   In Windows, the autorun of USB drives is disabled by default. However, many organizations have widely enabled it through legacy Group Policy changes. If you enabled it, this is a policy worth re-thinking.
*   Install patches as soon as possible, especially for internet facing devices.
*   Run an anti-virus/anti-malware solution that actively monitors and scans your systems.

Malwarebytes blocks the download URLs and detects Truebot as Malware.AI.{id.nr.}. Clop ransomware is detected as Malware.Ransom.Agent.Generic.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Silence is golden partner for Truebot and Clop ransomware

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

CVE-2022-38765: Canon Medical Software Security Updates

Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

Breaking the silence - Recent Truebot activity

Categories: Business
Whether your business uses Office 365, Salesforce, Google Drive, or another SaaS app, this blog post will help guide your journey to SaaS security with five best practices.



(Read more...)




The post 5 SaaS security best practices appeared first on Malwarebytes Labs.

Just about anywhere you look, organizations are relying on Software-as-a-Service (SaaS) apps like Dropbox and Hubspot to help power their businesses. With more SaaS apps, however, comes increased security risks.

While SaaS is without a doubt the easiest and most accessible way for businesses to reap the benefits of the cloud, these services are delivered online—which can make it easier for data leaks to happen or threat actors to get a hold of sensitive data. **In fact, 43 percent of organizations have dealt with one or more security incidents caused by a SaaS misconfiguration**. 

You might be asking yourself though: Doesn’t my cloud provider take care of security for me? Well, yes and no.

Your cloud provider will protect your cloud infrastructure in some areas, but under the shared responsibility model, your business is responsible for handling things such as identity and access management, endpoint security, data encryption, and so on. 

The good news is that there’s a set of SaaS security best practices to help keep your business from becoming another statistic. 

Whether your business uses Office 365, Salesforce, Google Drive, or another SaaS app, this blog will help guide your journey to SaaS security with five best practices.

**1\. Manage SaaS sprawl **

You might be surprised to find that our journey into SaaS security begins not with an answer, but with a question: **are you suffering from SaaS sprawl?** 

SaaS sprawl is a situation where a business is bloated with so many different (and even duplicate) SaaS apps that IT can no longer manage them effectively. 

Most departments now have 40 – 60 SaaS tools each, with 200+ apps at the company level—**and for small businesses, only 32 percent of these apps are IT-approved**. Not only does SaaS sprawl waste money, but it has security risks as well. 

For one, SaaS sprawl makes it harder for IT and security teams to ensure compliance or identify security risks that expose sensitive data. Admins just don’t have the time (or the visibility) to individually check and update potential issues for each app. 

Another issue is that SaaS sprawl and “**shadow IT**” (i.e. SaaS apps that have bypassed IT’s typical vetting procedures) are closely related—the more shadow IT, the worse the SaaS sprawl. As if trying to manage a ton of authorized SaaS apps wasn’t enough, IT teams don’t even know about the unauthorized ones—and they definitely can’t fix what they can’t see!

All of this is to say: tackling SaaS sprawl before anything else will make it easier for you to get into the more granular aspects of SaaS security. Some best practices to manage SaaS sprawl include:

*   **Discover all apps**: Regularly audit all SaaS apps being used across the business, IT-approved or not.
    
*   **Create a vetting process**: Have a consistent method to audit app requests for security, compliance, and other details.
    
*   **Educate employees**: IT should regularly caution employees about the risks of using unauthorized apps. 
    
*   **Bridge the gap between IT and other departments**: Put a process in place that allows team members to freely approach IT with new apps they wish to use.
    

**2\. Use Single Sign-On (SSO) paired with Multi-Factor Authentication (MFA)**

SSO is a nonnegotiable security requirement for any company with more than five employees.

SSO solutions such as Okta, Duo, and Microsoft Azure Active Directory (AD) allow you to access all SaaS applications after entering your credentials just one time. Not only is SSO more convenient for end users, but it gives IT and Security teams the **ability to effectively manage user accounts across dozens or hundreds of vendors**. 

SSO also makes it much easier to enforce **Multi-Factor Authentication (MFA)**, a crucial extra level of SaaS security, across all of your accounts.  

After signing in using SSO, for example, a user is prompted with MFA to confirm the session using “something they have” (i.e by receiving a push notification or text on their phone). 

**3\. Manage identity and access to SaaS applications**

Each user in a cloud environment has their own roles and permissions governing the access they get to certain parts of the cloud, and because SaaS workloads are accessed online, all hackers need are your credentials to get the “keys to the kingdom.”

This is why strong identity and access management (IAM) policies are so essential to cloud security.

Identity and access management is a means of controlling the permissions and access for users of cloud resources. You can think of IAM less as a single piece of software and more of a framework of processes, policies, and technology. Some IAM best practices include:

*   **Removing dormant accounts**
    
*   **Only giving privileged access to those who truly need it**
    
*   **Enforcing strict password policies** 
    

According to Palo Alto Networks, most known cloud data breaches start with misconfigured IAM policies or leaked credentials.

Specifically, researchers found that **IAM misconfigurations cause 65 percent of detected cloud data breaches**, with the runners up being weak password usage (53 percent) and allowing password reuse (44 percent).

**4. Use a strong cloud malware scanner**

Did you know that malware delivered through cloud storage apps such as Microsoft OneDrive, Google Drive, and Box accounted for **69 percent of cloud malware downloads in 2021**?

It can be difficult to monitor and control all the activity in and out of SaaS cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. 

That’s where cloud storage scanning comes in.

Cloud storage scanning is exactly what it sounds like: it’s a way to scan for malware in cloud storage apps like Box, Google Drive, and OneDrive. And while most cloud storage apps have malware-scanning capabilities, it’s important to have a second-opinion scanner as well.

Reduce risk from cloud-based malware today

A second-opinion cloud storage scanner is a great second line of defense for cloud storage because it’s very possible that your main scanner will fail to detect a cloud-based malware infection that your second-opinion one catches. 

Look for a third-party cloud storage scanner that **aggregates threats across different vendor’s repositories and uses multiple anti-malware engines when scanning files**.

**5\. Define your Software Security Edge (SSE)**

In 2021, Gartner introduced the concept of “Security Service Edge” (SSE),  which they defined as an evolving stack of different cloud-based security tools to secure access to the internet, SaaS and specific internal applications. A subset of **Secure Access Service Edge (SASE)**, **SSE** can help you with SaaS security using tools such as: 

*   **Zero Trust Network Access (ZTNA)**:  ZTNA is an IT solution that secures boundaries around SaaS applications. With ZTNA, your business can enforce "least privilege" access to specific apps and ensure no users are given network access, eliminating unauthorized lateral movement.
    
*   **Cloud secure web gateway (SWG)**: SWGs filter unsafe content from web traffic and hence can help prevent your SaaS apps from being compromised through a phishing attack, for example. Features include URL Filtering, application control, Data Loss Prevention (DLP), and anti-malware detection and blocking.
    
*   **Cloud access security broker (CASB)**: A CASB sits between you and your SaaS provider, enforcing security policies and practices including authentication, authorization, alerts and encryption. CASBs offer feature sets across four pillars: data security, compliance, threat protection, and visibility.
    
*   **Firewall-as-a-service (FWaaS)**: FWaaS is a firewall delivered via the cloud, acting as a barrier to prevent unauthorized access to the network. FWaaS inspects all traffic coming into your network (including SaaS app traffic) to detect and address threats.
    

**SaaS security doesn’t have to be scary**

No doubt, SaaS is here to stay. At the same time that businesses are reaping enormous benefits from the cloud, however, SaaS security is top-of-mind. With everything from shadow IT, misconfigurations, access management, and cloud malware threatening the security of your SaaS environment at all times, it has never been more important to adhere to a few best practices.

But SaaS security doesn’t have to be scary.

The combination of processes, technologies, and outsourcing outlined here can vastly improve your SaaS security posture for SMBs, helping to prevent a much-dreaded data breach. 

**More resources**

Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories

Cloud data breaches: 4 biggest threats to cloud storage security

Cloud-based malware is on the rise. How can you secure your business?

Case study: Cloud-based environment now vulnerable to cyber-attacks

****

5 SaaS security best practices

Users should manually update to the latest version now

Users should manually update to the latest version now

  

UPDATED A series of flaws in Tailscale, an open source mesh virtual private network (VPN) software, could allow attackers to stage remote code execution (RCE) attacks against VPN nodes.

Tailscale depends on multiple services. The main process, called tailscaled, does the work of connecting nodes and sending/receiving packets.

There is a separate process that provides a user interface and a tray icon to configure and monitor the services. This front-end interface communicates with the tailscaled service through an HTTP API called .

**From DNS rebinding to control plane takeover**

If a malicious website tries to send a JavaScript command to the Tailscale LocalAPI, the browser’s Same-Origin policy will prevent it.

However, according to the findings of security researcher Emily Trau and Jamie McClymont, if the attacker manages to perform a DNS rebinding attack on the Tailscale node, they will be able to map their malicious domain to the local IP and send arbitrary commands to the .

“Rebinding is a bug with very niche applicability (HTTP services listening on private networks with no explicit authentication), usually discussed in the context of IoT devices,” McClymont told The Daily Swig. “It’s the type of thing there are talks about it at hacker conferences and such, and yet I’ve never encountered a situation where it’s exploitable during a pentest job.”

The does not authenticate client requests aside from verifying that they’re coming from the same user that is running the Tailscale GUI.

The malicious website can exploit this feature to change the Tailscale “control plane” to an arbitrary server. The “control plane” is the server that stores the public keys of the VPN nodes (also called the tailnet).

**In a tailspin**

As the tailnet administrator, the attacker can now enable Taildrop, a feature that allows users to send files between their devices on a Tailscale network.

Using Taildrop, the attacker can then send an arbitrary executable to the victim’s desktop without marking it as originating from the web, which means Tailscale will be able to launch it without requiring user interaction.

To execute the payload, the attacker can use another feature of the control plane, which demands the Tailscale node to reauthenticate itself when trying to perform a privileged action. The re-authentication prompt includes an address that is forwarded to the GUI and runs it in the browser.

To run the file, the attacker will need to have its full path, which requires knowledge of the victim’s username. To obtain the victim’s username, the attacker can prompt for an SMB path through the Tailscale network. This will send the Windows username to the attacker-controlled tailnet server.

“For the Windows RCE chain, you just need to click a link to an attacker-controlled webpage, or for the malicious Javascript to be served up to you some other way (e.g. malicious JS embedded in an ad on a legit site, or an XSS bug in legit site being exploited to add the malicious code),” McClymont said.

If you were running a stable Tailscale version, the exploit will lie dormant until you next restart Tailscale or reboot your machine, at which point the RCE happens.

“You could argue this is still zero interaction since Windows Update will automatically reboot without interaction eventually,” McClymont said. “If you had the unstable pre-release Tailscale version from right before we found the bugs, we could trigger the exploit immediately without waiting for a reboot.”

**A catch on DNS rebinding**

A recent modification to the policy forbids rebinding a site that was hosted on a public IP to a private IP space. This prevents the attacker from rebinding an internet-hosted malicious website to a local IP address.

But it is still applicable if the attacker is on the same network as the victim. Also, the Firefox browser does not apply the private network address restriction, which makes it vulnerable to internet-hosted attacks.

Moreover, Trau found that PeerAPI, another Tailscale component, runs on the 100.100.100.100 IP and was vulnerable to rebinding, which would give the attacker another pathway to .

Also, if the attacker sends multiple files to the victim’s device through Taildrop, some of them will fail to reach their destination and will remain in a temporary location that is reachable through web calls without private network access restrictions.

Trau published a proof-of-concept video of the attack. Windows machines are especially vulnerable to different variations of the attack. Other operating systems can also be exploited under special circumstances.

The issues have been solved in the latest version of Tailscale. Since Tailscale does not automatically update itself, users should make sure they are running v1.32.3 or later.

“If you’re running HTTP services over Tailscale which rely on Tailscale for authentication (they don’t have their own login page etc.), you need to harden them against rebinding attacks, either by allowlisting Host headers or by running those services only on HTTPS,” McClymont said.

This article has been updated to include comment from researchers.

RECOMMENDED Intel disputes seriousness of Data Centre Manager authentication flaw

Tailscale VPN nodes vulnerable to DNS rebinding, RCE

When the headlines focus on breaches of large enterprises like the Optus breach, it's easy for smaller businesses to think they're not a target for hackers. Surely, they're not worth the time or effort?

Unfortunately, when it comes to cyber security, size doesn't matter.

Assuming you're not a target leads to lax security practices in many SMBs who lack the knowledge or expertise to put simple security steps in place. Few small businesses prioritise cybersecurity, and hackers know it. According to Verizon, the number of smaller businesses being hit has climbed steadily in the last few years – 46% of cyber breaches in 2021 impacted businesses with fewer than 1,000 employees.

**Cyber security doesn't need to be difficult**

Securing any business doesn't need to be complex or come with a hefty price tag. Here are seven simple tips to help the smaller business secure their systems, people and data.

****1 — Install anti-virus software everywhere****

Every organisation has anti-virus on their systems and devices, right? Unfortunately, business systems such as web servers get overlooked all too often. It's important for SMBs to consider all entry points into their network and have anti-virus deployed on every server, as well as on employees' personal devices.

Hackers will find weak entry points to install malware, and anti-virus software can serve as a good last-resort backstop, but it's not a silver bullet. Through continuous monitoring and penetration testing you can identify weaknesses and vulnerabilities before hackers do, because it's easier to stop a burglar at the front door than once they're in your home.

****2 — Continuously monitor your perimeter****

Your perimeter is exposed to remote attacks because it's available 24/7. Hackers constantly scan the internet looking for weaknesses, so you should scan your own perimeter too. The longer a vulnerability goes unfixed, the more likely an attack is to occur. With tools like Autosploit and Shodan readily available, it's easier than ever for attackers to discover internet facing weaknesses and exploit them.

Even organisations that cannot afford a full-time, in-house security specialist can use online services like Intruder to run vulnerability scans to uncover weaknesses.

Intruder is a powerful vulnerability scanner that provides a continuous security review of your systems. With over 11,000 security checks, Intruder makes enterprise-grade scanning easy and accessible to SMBs.

Intruder will promptly identify high-impact flaws, changes in the attack surface, and rapidly scan your infrastructure for emerging threats.

****3 — Minimise your attack surface****

Your attack surface is made up of all the systems and services exposed to the internet. The larger the attack surface, the bigger the risk. This means exposed services like Microsoft Exchange for email, or content management systems like Wordpress can be vulnerable to brute-forcing or credential-stuffing, and new vulnerabilities are discovered almost daily in such software systems. By removing public access to sensitive systems and interfaces which don't need to be accessible to the public, and ensuring 2FA is enabled where they do, you can limit your exposure and greatly reduce risk.

A simple first step in reducing your attack surface is by using a secure virtual private network (VPN). By using a VPN, you can avoid exposing sensitive systems directly to the internet whilst maintaining their availability to employees working remotely. When it comes to risk, prevention is better than cure – don't expose anything to the internet unless it's absolutely necessary!

****4 — Keep software up to date****

New vulnerabilities are discovered daily in all kinds of software, from web browsers to business applications. Just one unpatched weakness could lead to full compromise of a system and a breach of customer data; as TalkTalk discovered when 150,000 of its private data records were stolen.

According to a Cyber Security Breaches Survey, businesses that hold electronic personal data of their customers are more likely than average to have had breaches. Patch management is an essential component of good cyber hygiene, and there are tools and services to help you check your software for any missing security patches.

****5 — Back up your data****

Ransomware is on the increase. In 2021, 37% of businesses and organisations were hit by ransomware according to research by Sophos. Ransomware encrypts any data it can access, rendering it unusable, and can't be reversed without a key to decrypt the data.

Data loss is a key risk to any business either through malicious intent or a technical mishap such as hard disk failure, so backing up data is always recommended. If you back up your data, you can counter attackers by recovering your data without needing to pay the ransom, as systems affected by ransomware can be wiped and restored from an unaffected backup without the attacker's key.

****6 — Keep your staff security aware****

Cyber attackers often rely on human error, so it's vital that staff are trained in cyber hygiene so they recognise risks and respond appropriately. The Cyber Security Breaches Survey 2022 revealed that the most common types of breaches were staff receiving fraudulent emails or phishing attacks (73%), followed by people impersonating the organisation in emails or online (27%), viruses, spyware and malware (12%), and ransomware (4%).

Increasing awareness of the benefits of using complex passwords and training staff to spot common attacks such as phishing emails and malicious links, will ensure your people are a strength rather than a vulnerability.

****7** — **Protect yourself relative to your risk****

Cyber security measures should always be appropriate to the organisation. For example, a small business which handles banking transactions or has access to sensitive information such as healthcare data should employ far more stringent security processes and practices than a pet shop.

That's not to say a pet shop doesn't have a duty to protect customer data, but it's less likely to be a target. Hackers are motivated by money, so the bigger the prize the more time and effort will be invested to achieve their gains. By identifying your threats and vulnerabilities with a tool like Intruder, you can take appropriate steps to mitigate and prioritize which risks need to be addressed and in which order.

**It's time to raise your cyber security game**

Attacks on large companies dominate the news, which feeds the perception that SMBs are safe, when the opposite is true. Attacks are increasingly automated, so SMBs are just as vulnerable targets as larger enterprises, more so if they don't have adequate security processes in place. And hackers will always follow the path of least resistance. Fortunately, that's the part Intruder made easy…

**About Intruder**

Intruder is a cyber security company that helps organisations reduce their attack surface by providing continuous vulnerability scanning and penetration testing services. Intruder's powerful scanner is designed to promptly identify high-impact flaws, changes in the attack surface, and rapidly scan the infrastructure for emerging threats. Running thousands of checks, which include identifying misconfigurations, missing patches, and web layer issues, Intruder makes enterprise-grade vulnerability scanning easy and accessible to everyone. Intruder's high-quality reports are perfect to pass on to prospective customers or comply with security regulations, such as ISO 27001 and SOC 2.

Intruder offers a 14-day free trial of its vulnerability assessment platform. Visit their website today to take it for a spin!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

7 Cyber Security Tips for SMBs

When the headlines focus on breaches of large enterprises like the Optus breach, it’s easy for smaller businesses to think they’re not a target for hackers. Surely, they’re not worth the time or effort? 
Unfortunately, when it comes to cyber security, size doesn’t matter. 
Assuming you’re not a target leads to lax security practices in many SMBs who lack the knowledge or expertise to put simple

When the headlines focus on breaches of large enterprises like the Optus breach, it's easy for smaller businesses to think they're not a target for hackers. Surely, they're not worth the time or effort?

Unfortunately, when it comes to cyber security, size doesn't matter.

Assuming you're not a target leads to lax security practices in many SMBs who lack the knowledge or expertise to put simple security steps in place. Few small businesses prioritise cybersecurity, and hackers know it. According to Verizon, the number of smaller businesses being hit has climbed steadily in the last few years – 46% of cyber breaches in 2021 impacted businesses with fewer than 1,000 employees.

**Cyber security doesn't need to be difficult**

Securing any business doesn't need to be complex or come with a hefty price tag. Here are seven simple tips to help the smaller business secure their systems, people and data.

****1 — Install anti-virus software everywhere****

Every organisation has anti-virus on their systems and devices, right? Unfortunately, business systems such as web servers get overlooked all too often. It's important for SMBs to consider all entry points into their network and have anti-virus deployed on every server, as well as on employees' personal devices.

Hackers will find weak entry points to install malware, and anti-virus software can serve as a good last-resort backstop, but it's not a silver bullet. Through continuous monitoring and penetration testing you can identify weaknesses and vulnerabilities before hackers do, because it's easier to stop a burglar at the front door than once they're in your home.

****2 — Continuously monitor your perimeter****

Your perimeter is exposed to remote attacks because it's available 24/7. Hackers constantly scan the internet looking for weaknesses, so you should scan your own perimeter too. The longer a vulnerability goes unfixed, the more likely an attack is to occur. With tools like Autosploit and Shodan readily available, it's easier than ever for attackers to discover internet facing weaknesses and exploit them.

Even organisations that cannot afford a full-time, in-house security specialist can use online services like Intruder to run vulnerability scans to uncover weaknesses.

Intruder is a powerful vulnerability scanner that provides a continuous security review of your systems. With over 11,000 security checks, Intruder makes enterprise-grade scanning easy and accessible to SMBs.

Intruder will promptly identify high-impact flaws, changes in the attack surface, and rapidly scan your infrastructure for emerging threats.

****3 — Minimise your attack surface****

Your attack surface is made up of all the systems and services exposed to the internet. The larger the attack surface, the bigger the risk. This means exposed services like Microsoft Exchange for email, or content management systems like Wordpress can be vulnerable to brute-forcing or credential-stuffing, and new vulnerabilities are discovered almost daily in such software systems. By removing public access to sensitive systems and interfaces which don't need to be accessible to the public, and ensuring 2FA is enabled where they do, you can limit your exposure and greatly reduce risk.

A simple first step in reducing your attack surface is by using a secure virtual private network (VPN). By using a VPN, you can avoid exposing sensitive systems directly to the internet whilst maintaining their availability to employees working remotely. When it comes to risk, prevention is better than cure – don't expose anything to the internet unless it's absolutely necessary!

****4 — Keep software up to date****

New vulnerabilities are discovered daily in all kinds of software, from web browsers to business applications. Just one unpatched weakness could lead to full compromise of a system and a breach of customer data; as TalkTalk discovered when 150,000 of its private data records were stolen.

According to a Cyber Security Breaches Survey, businesses that hold electronic personal data of their customers are more likely than average to have had breaches. Patch management is an essential component of good cyber hygiene, and there are tools and services to help you check your software for any missing security patches.

****5 — Back up your data****

Ransomware is on the increase. In 2021, 37% of businesses and organisations were hit by ransomware according to research by Sophos. Ransomware encrypts any data it can access, rendering it unusable, and can't be reversed without a key to decrypt the data.

Data loss is a key risk to any business either through malicious intent or a technical mishap such as hard disk failure, so backing up data is always recommended. If you back up your data, you can counter attackers by recovering your data without needing to pay the ransom, as systems affected by ransomware can be wiped and restored from an unaffected backup without the attacker's key.

****6 — Keep your staff security aware****

Cyber attackers often rely on human error, so it's vital that staff are trained in cyber hygiene so they recognise risks and respond appropriately. The Cyber Security Breaches Survey 2022 revealed that the most common types of breaches were staff receiving fraudulent emails or phishing attacks (73%), followed by people impersonating the organisation in emails or online (27%), viruses, spyware and malware (12%), and ransomware (4%).

Increasing awareness of the benefits of using complex passwords and training staff to spot common attacks such as phishing emails and malicious links, will ensure your people are a strength rather than a vulnerability.

****7** — **Protect yourself relative to your risk****

Cyber security measures should always be appropriate to the organisation. For example, a small business which handles banking transactions or has access to sensitive information such as healthcare data should employ far more stringent security processes and practices than a pet shop.

That's not to say a pet shop doesn't have a duty to protect customer data, but it's less likely to be a target. Hackers are motivated by money, so the bigger the prize the more time and effort will be invested to achieve their gains. By identifying your threats and vulnerabilities with a tool like Intruder, you can take appropriate steps to mitigate and prioritize which risks need to be addressed and in which order.

**It's time to raise your cyber security game**

Attacks on large companies dominate the news, which feeds the perception that SMBs are safe, when the opposite is true. Attacks are increasingly automated, so SMBs are just as vulnerable targets as larger enterprises, more so if they don't have adequate security processes in place. And hackers will always follow the path of least resistance. Fortunately, that's the part Intruder made easy…

**About Intruder**

Intruder is a cyber security company that helps organisations reduce their attack surface by providing continuous vulnerability scanning and penetration testing services. Intruder's powerful scanner is designed to promptly identify high-impact flaws, changes in the attack surface, and rapidly scan the infrastructure for emerging threats. Running thousands of checks, which include identifying misconfigurations, missing patches, and web layer issues, Intruder makes enterprise-grade vulnerability scanning easy and accessible to everyone. Intruder's high-quality reports are perfect to pass on to prospective customers or comply with security regulations, such as ISO 27001 and SOC 2.

Intruder offers a 14-day free trial of its vulnerability assessment platform. Visit their website today to take it for a spin!

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.

**Why is everyone scared of Emotet?**

Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns.

The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory.

It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware.

The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet team constantly changes its tactics, techniques, and procedures to ensure that the existing detection rules cannot be applied. As part of its strategy to stay invisible in the infected system, the malicious software downloads extra payloads using multiple steps.

And the results of Emotet behavior are devastating for cybersecurity specialists: the malware is nearly impossible to remove. It spreads quickly, generates faulty indicators, and adapts according to attackers' needs.

**How has Emotet upgraded over the years?**

Emotet is an advanced and constantly changing modular botnet. The malware started its journey as a simple banking trojan in 2014. But since then, it has acquired a bunch of different features, modules, and campaigns:

*   2014\. Money transfer, mail spam, DDoS, and address book stealing modules.
*   2015\. Evasion functionality.
*   2016\. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
*   2017\. A spreader and address book stealer module.
*   2021\. XLS malicious templates, uses MSHTA, dropped by Cobalt Strike.
*   2022\. Some features remained the same, but this year also brought several updates.

This tendency proves that Emotet isn't going anywhere despite frequent "vacations" and even the official shutdown. The malware evolves fast and adapts to everything.

**What features has a new Emotet 2022 version acquired?**

After almost half a year of a break, the Emotet botnet returned even stronger. Here is what you need to know about a new 2022 version:

*   It drops IcedID, a modular banking trojan.
*   The malware loads XMRig, a miner that steals wallet data.
*   The trojan has binary changes.
*   Emotet bypasses detection using a 64-bit code base.
*   A new version uses new commands:

Invoke rundll32.exe with a random named DLL and the export PluginInit

*   Emotet's goal is to get credentials from Google Chrome and other browsers.
*   It's also targeted to make use of the SMB protocol to collect company data
*   Like six months ago, the botnet uses XLS malicious lures, but it adopted a new one this time:

The Emotet's Excel lure

**How to detect Emotet?**

The main Emotet challenge is to detect it in the system quickly and accurately. Besides that, a malware analyst should understand the botnet's behavior to prevent future attacks and avoid possible losses.

With its long story of development, Emotet stepped up in the anti-evasion strategy. Through the evolution of the process execution chain and malware activity inside the infected system changes, the malware has modified detection techniques drastically.

For example, in 2018, it was possible to detect this banker by looking at the name of the process – it was one of these:

> eventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho

Later, in the first quarter of 2020, Emotet started to create specific key into the registry - it writes into the key HKEY\_CURRENT\_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER value with the length 8 symbols (letters and characters).

Of course, Suricata rules always identify this malware, but detection systems often continue beyond the first wave because rules need to update.

Another way to detect this banker was its malicious documents - crooks use specific templates and lures, even with grammatical errors in them. One of the most reliable ways to detect Emotet is by the YARA rules.

To overcome malware's anti-evasion techniques and capture the botnet – use a malware sandbox as the most convenient tool for this goal. In ANY.RUN, you can not only detect, monitor, and analyze malicious objects but also get already extracted configurations from the sample.

There are some features that you use just for Emotet analysis:

*   reveal C2 links of a malicious sample with the FakeNet
*   use Suricata and YARA rulesets to successfully identify the botnet
*   Get data about C2 servers, keys, and strings extracted from the sample's memory dump
*   gather fresh malware's IOCs

The tool helps to perform successful investigations quickly and precisely, so malware analysts can save valuable time.

ANY.RUN sandbox has prepared incredible deals for **Black Friday 2022**! Now is the best time to boost your malware analysis and save some money! Check out special offers for their premium plans but for a limited time – from 22-29 November, 2022.

Emotet has not demonstrated full functionality and consistent follow-on payload delivery. Use modern tools like ANY.RUN online malware sandbox to improve your cybersecurity and detect this botnet effectively. Stay safe and good threat hunting!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#samba