Cybersecurity Threats Articles | eSecurityPlanet
https://www.esecurityplanet.com/threats/
Industry-leading guidance and analysis for how to keep your business secure.
Feed last updated: Thu, 13 Jul 2023 20:35:33 +0000

Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos
https://www.esecurityplanet.com/threats/malicious-microsoft-drivers/
Thu, 13 Jul 2023 20:35:32 +0000

After Microsoft revealed that some signed Windows drivers are malicious, security researchers discussed how big the problem is.

The post Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos appeared first on eSecurityPlanet.

After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could number in the thousands.

Talos researcher Chris Neal discussed how the security problem evolved in a blog post.

“Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority,” Neal wrote. “Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection.”

Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. “This process is intended to ensure that drivers meet Microsoft’s requirements and security standards,” he wrote.

Still, there are exceptions – most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015.

If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won’t be blocked. “As a result, multiple open source tools have been developed to exploit this loophole,” Neal wrote.

And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos “has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification.”

Forged Timestamps

Neal said that two timestamp-forging tools, originally popular for developing game cheats, are now being used by threat actors: FuckCertVerifyTimeValidity, released in 2018, and HookSignTool, available since 2019.

“To successfully forge a signature, HookSignTool and FuckCertVerifyTimeValidity require a non-revoked code signing certificate that expired or was issued before July 29, 2015, along with the private key and password,” Neal wrote. “During our research, we identified a PFX file hosted on GitHub in a fork of FuckCertVerifyTimeValidity that contained more than a dozen expired code signing certificates frequently used with both tools to forge signatures.”

Both tools present a serious threat, Neal said, since malicious drivers can give attackers kernel-level access to a system.

“Microsoft, in response to our notification, has blocked all certificates discussed in this blog post,” he noted.

A Real-World Example

In a separate blog post, Neal described one example of the threat, a malicious driver named RedDriver that’s been active since at least 2021. “Bypassing the driver signature enforcement policies by using HookSignTool allows a threat actor to deploy drivers that would otherwise be blocked from running,” he wrote. “RedDriver is a real-world example of this tool being effectively used in a malicious context.”

“During our research into HookSignTool, Cisco Talos observed the deployment of an undocumented malicious driver utilizing stolen certificates to forge signature timestamps, effectively bypassing driver signature enforcement policies within Windows … RedDriver is a critical component of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it to localhost (127.0.0.1),” Neal wrote.

“As of publication time, the end goal of this browser traffic redirection is unclear,” he added. “However, regardless of intent, this is a significant threat to any system infected with RedDriver, as this allows all traffic through the browser to be tampered with.”

Defending Against Signed Drivers

Neal recommended blocking the certificates in question, “as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. However, it is important to note that compilation dates can be altered to match signature timestamps.”

KnowBe4 data-driven defense evangelist Roger Grimes told eSecurity Planet by email that an even greater threat could be presented if an attacker were to create something highly wormable. “A wormable exploit using a bogus signing certificate could cause a lot of problems,” he said.

The good news, Grimes said, is that all of this is preventable. “Microsoft provides several ways, such as Windows Defender Application Control, to prevent unwanted installing of drivers and software,” he said. “Customers just have to research how they work and enable them. Then this entire threat is gone.”

Black Hat AI Tools Fuel Rise in Business Email Compromise (BEC) Attacks
https://www.esecurityplanet.com/threats/wormgpt-chatgpt-ai-hacking/
Thu, 13 Jul 2023 16:06:17 +0000

ChatGPT-like black hat tools capable of spoofing and malware attacks are appearing in cybercrime forums. Here's how to defend your organization.

The post Black Hat AI Tools Fuel Rise in Business Email Compromise (BEC) Attacks appeared first on eSecurityPlanet.

ChatGPT and other generative AI tools have been used by cybercriminals to create convincing spoofing emails, resulting in a dramatic rise in business email compromise (BEC) attacks. Now security researchers have discovered a black hat generative AI tool called WormGPT that has none of the ethical restrictions of tools like ChatGPT, making it even easier for hackers to craft cyber attacks based on AI tools.

SlashNext conducted research on the use of generative AI tools by malicious actors in collaboration with Daniel Kelley, a former black hat computer hacker and expert on cybercriminal tactics. They found a tool called WormGPT “through a prominent online forum that’s often associated with cybercrime,” Kelley wrote in a blog post. “This tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities.”

The security researchers tested WormGPT to see how it would perform in BEC attacks. In one experiment, they asked WormGPT “to generate an email intended to pressure an unsuspecting account manager into paying a fraudulent invoice.”

“The results were unsettling,” Kelley wrote. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks” (screenshot below).

WormGPT screenshot.

Kelley said WormGPT is similar to ChatGPT “but has no ethical boundaries or limitations. This experiment underscores the significant threat posed by generative AI technologies like WormGPT, even in the hands of novice cybercriminals.”

Just last week, Acronis reported that AI tools like ChatGPT have been behind a 464% increase in phishing attacks this year.

Also read: ChatGPT Security and Privacy Issues Remain in GPT-4

WormGPT and Generative AI Hacking Uses

WormGPT is based on the GPT-J language model and provides unlimited character support, chat memory retention, and code formatting capabilities. The tool aims to be an unregulated alternative to ChatGPT, assuring users that illegal activities can be carried out without being traced. WormGPT can be used for “everything blackhat related,” its developer claimed in the cybercrime forum.

Beyond WormGPT, Kelley and the SlashNext team discovered a number of concerning discussion threads while investigating cybercrime forums:

  • Use of custom modules as unethical ChatGPT substitutes. The forums contain marketing of ChatGPT-like custom modules, which are expressly promoted as black hat alternatives. These modules are marketed as having no ethical bounds or limitations, giving hackers unrestricted ability to use AI for illegal activities.
  • Refining phishing or BEC attack emails using generative AI. One discussion included a suggestion to write emails in the hackers’ local language, translate them, and then use interfaces like ChatGPT to increase their complexity and formality. Cybercriminals now have the power to easily automate the creation of compelling fake emails customized for specific targets, reducing the chances of being flagged and boosting the success rates of malicious attacks. The accessibility of generative AI technology empowers attackers to execute sophisticated BEC attacks even with limited skills.
  • Promotion of jailbreaks for AI platforms. Cybercrime forums also contain a number of discussions centered on “jailbreaks” for AI platforms such as ChatGPT. These jailbreaks include carefully created instructions designed to trick AI systems into creating output that might divulge sensitive information, generate inappropriate material, or run malicious code.

While the specific sources and training methods weren’t disclosed, WormGPT was reportedly trained on diverse datasets, including malware-related information. The ability of AI tools to create more natural and tactically clever emails has made BEC attacks more effective, raising worries about the tools’ potential for supporting sophisticated phishing and spoofing attacks.

Some security researchers worry about the possibility of an AI-powered worm that uses a large language model (LLM) to generate zero-day exploits on demand. Within seconds, such a worm might test and experiment with thousands of different attack methods, and unlike traditional worms it could constantly look for new vulnerabilities.

Such a never-ending hunt for exploits could leave system administrators with little or no time to fix vulnerabilities and keep their systems secure, leaving a wide range of systems exposed to exploitation and causing widespread, significant damage. The speed, adaptability, and persistence of an AI-powered worm would increase the need for a vigilant, proactive approach to cybersecurity defenses.

Also read: AI Will Save Security – And Eliminate Jobs

Countering AI-Driven BEC Attacks

To counter the growing threat of AI-driven BEC attacks, organizations need to consider a number of security defenses:

  • Implementing specialized BEC training programs
  • Using email verification methods such as DMARC that detect external emails impersonating internal executives or vendors
  • Email systems such as gateways should be capable of detecting potentially malicious communications, such as URLs, attachments and keywords linked with BEC attacks
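As an added example (not code from the article or from SlashNext), the following Python checks a domain's published DMARC record for the settings that weaken the protection the second bullet relies on: a monitoring-only policy, a partial percentage, an exempt subdomain policy, and missing aggregate reporting. The two records are constructed samples for a hypothetical domain, and the rua address is a placeholder.

```python
# Added example: a small DMARC record checker. It parses the TXT record and
# reports settings that leave exact-domain spoofing unenforced. Sample records
# below are constructed for a hypothetical domain.

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags


def assess_dmarc(record: str) -> list:
    """Return human-readable findings; an empty list means the record enforces rejection."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: failing mail is only reported, never quarantined or rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail still lands in junk folders instead of being rejected")
    # sp= defaults to the domain policy; an explicit sp=none exempts subdomains.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from the domain policy")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so abuse goes unnoticed")
    return findings


# Constructed sample records (hypothetical domain, placeholder report address).
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(rec) or ["no findings"])
```

A clean result only means the organization's own domain cannot be spoofed outright; BEC mail sent from a lookalike domain or from a genuinely compromised vendor mailbox passes DMARC, which is why the training and gateway-inspection bullets sit beside it.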

Over the years, cybercriminals have continuously evolved their tactics, and the advent of OpenAI’s ChatGPT, an advanced AI model capable of generating human-like text, has transformed the landscape of business email compromise (BEC) attacks. And now the rise of unregulated AI technologies leaves organizations more vulnerable to BEC attacks.

To avoid the potentially catastrophic effects caused by the unrestrained use of AI tools for BEC attacks, timely discovery, quick response, and coordinated mitigation techniques are necessary. Efforts should concentrate on creating advanced security measures, promoting collaboration between cybersecurity and AI groups, and creating strong legal and regulatory frameworks to control and guarantee the responsible and ethical application of AI in the digital sphere.

Read next: How to Improve Email Security for Enterprises & Businesses

Microsoft Patch Tuesday Addresses 130 Flaws – Including Unpatched RomCom Exploit
https://www.esecurityplanet.com/threats/romcom-exploit/
Wed, 12 Jul 2023 18:01:18 +0000

Microsoft's latest vulnerabilities include more than 100 malicious drivers and an unusual announcement of an unpatched Office and Windows flaw.

The post Microsoft Patch Tuesday Addresses 130 Flaws – Including Unpatched RomCom Exploit appeared first on eSecurityPlanet.

Microsoft’s Patch Tuesday for July 2023 includes nine critical flaws, and five are actively being exploited. Notably, one of those five remains unpatched at this point.

“While some Patch Tuesdays focus on fixes for minor bugs or issues with features, these patches almost purely focus on security-related issues,” Cloud Range vice president of technology Tom Marsland said by email. “They should be pushed to vulnerable machines immediately.”

The July 2023 fixes include updates for 130 vulnerabilities, a significant increase from last month’s total of 78. Here are the details.

See the Top Patch Management Tools

Malicious Drivers Addressed by Advisory

Microsoft also released a pair of advisories. The first, ADV230001, warns that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) are being used maliciously by attackers who have gained admin privileges on compromised systems. The issue was first discovered by Sophos researchers on February 9.

“Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified,” Microsoft said. “We’ve suspended the partners’ seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.”

In a blog post, SophosLabs principal researcher Andrew Brandt reported that the advisory was published following a Sophos research discovery of more than 100 malicious drivers that had been digitally signed by Microsoft and others, dating as far back as April 2021.

The second advisory, ADV230002, notes that Trend Micro released a patch in March for CVE-2023-28005, a secure boot bypass vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption. “Subsequently Microsoft has released the July Windows security updates to block the vulnerable UEFI modules by using the DBX (UEFI Secure Boot Forbidden Signature Database) disallow list,” Microsoft said.

Actively Exploited Flaws

Microsoft identified five vulnerabilities that are being actively exploited:

  • CVE-2023-32046, an elevation of privilege vulnerability in Windows MSHTML with a CVSS score of 7.8
  • CVE-2023-32049, a security feature bypass vulnerability in Windows SmartScreen with a CVSS score of 8.8
  • CVE-2023-36874, an elevation of privilege vulnerability in the Windows Error Reporting Service with a CVSS score of 7.8
  • CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML with a CVSS score of 8.3
  • CVE-2023-35311, a security feature bypass vulnerability in Microsoft Outlook with a CVSS score of 8.8

Ivanti vice president of security products Chris Goettl said by email that CVE-2023-32046 could be leveraged in a variety of ways, including email and web-based attacks. “If exploited, the attacker would gain the rights of the user that is running the affected application, so running least privilege would help to mitigate the impact of this vulnerability and force the attacker to take additional steps to take full control of the target system,” he wrote.

Action1 vice president of vulnerability and threat research Mike Walters observed in a blog post that CVE-2023-35311 requires user interaction but not elevated privileges. “It’s important to note that this vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation,” he wrote. “Therefore, attackers are likely to combine it with other exploits for a comprehensive attack.”

CVE-2023-36874, Walters noted, can be exploited locally with low complexity and without requiring elevated privileges or user interaction. “To exploit this vulnerability, an attacker needs to gain access to the system using other exploits or harvested credentials,” he wrote. “The compromised user account must have the ability to create folders and performance traces on the computer, which is typically available to normal users by default.”

Unpatched RomCom Office Exploit

In an unusual move, CVE-2023-36884 was announced with no patch yet available.

“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products,” Microsoft said. “Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the company added. “This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

A separate Microsoft blog post links CVE-2023-36884 to a phishing campaign by a Russian hacker group named Storm-0978 or RomCom, which has been “targeting defense and government entities in Europe and North America” by “using lures related to the Ukrainian World Congress.” The campaign was first detected in June 2023.

Microsoft Defender for Office 365 protects users from attachments designed to exploit CVE-2023-36884. Microsoft said organizations that don’t have those protections can set the registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION to avoid exploitation.

“Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications,” the company added.

Rapid7 lead software engineer Adam Barnett told eSecurity Planet that a patch could be issued as part of next month’s Patch Tuesday, but admins should be alert for a potential earlier fix.

“Microsoft Office is deployed just about everywhere, and this threat actor is making waves; admins should be ready for an out-of-cycle security update for CVE-2023-26884,” Barnett said.

Remote Desktop Flaw

Cyolo head of research Dor Dali highlighted CVE-2023-35332, a security feature bypass flaw in Windows Remote Desktop Protocol with a CVSS score of 6.8. The issue is linked to the fact that the RDP Gateway enforces the use of Datagram Transport Layer Security (DTLS) version 1.0, which has been deprecated since March 2021 due to known flaws.

“This vulnerability not only presents a substantial security risk, but also a significant compliance issue,” Dali said by email. “The use of deprecated and outdated security protocols, such as DTLS 1.0, may lead to non-compliance with industry standards and regulations – like SOC2, FEDRAMP, PCI, HIPAA, and others.”

If it’s not possible to apply Microsoft’s update, Dali recommends simply disabling UDP support in the RDP Gateway. “This prevents the establishment of the secondary channel over UDP, eliminating the use of the deprecated DTLS 1.0 and thereby mitigating the vulnerability – a necessary step that could potentially impact performance, but that will ensure security and compliance until the server can be updated,” he said.

Also read: Secure Access for Remote Workers: RDP, VPN & VDI

Half of EDR Tools, Organizations Vulnerable to Clop Ransomware: Researchers
https://www.esecurityplanet.com/threats/clop-moveit-vulnerability/
Fri, 30 Jun 2023 18:35:18 +0000

Alarming statistics revealed in Cymulate's assessments as organizations continue to be at risk from MOVEit vulnerability.

The post Half of EDR Tools, Organizations Vulnerable to Clop Ransomware: Researchers appeared first on eSecurityPlanet.

Nearly half of EDR tools and organizations are vulnerable to Clop ransomware gang tactics, according to tests by a cybersecurity company.

Cymulate ran 3,107 assessments across 340 organizations recently to see if security controls were adequate against the Clop (sometimes called “Cl0p” with a zero) ransomware group’s exploitation of a MOVEit software vulnerability (CVE-2023-34362).

The continuous threat exposure management (CTEM) vendor tested to see if organizational controls would recognize the Indicators of Compromise (IoCs) of Clop ransomware attacks. What they found was alarming:

  • Out of 14,438 payloads sent, 43% of organizations in the U.S. were penetrated by Cymulate’s Clop ransomware assessments
  • Half of the endpoint detection and response (EDR) tools tested — 8 out of 16 tools — had a penetration rate of over 46%

Mike DeNapoli, Cybersecurity Architect and Director at Cymulate, told eSecurity Planet, “While the EDRs could possibly recognize the behavior of the attack if it was executed, which Cymulate can do in other modules, they did not recognize the known binaries used in the attacks. So … the EDR missed an indicator of compromise, and while it may have compensated for it later, the firewall should have stopped inbound/outbound traffic but failed to do so.”

Organizations can still be protected even if their EDR technologies only identify attack patterns rather than individual files, he said.

“The MOVEit vulnerability is shining a new light on exposure management because if the organization has an EDR tool that looks for the behaviors of these attacks but not the files themselves, then they’re still protected,” DeNapoli said.

He added, “If the organization does not have any of the software platforms targeted by these attacks, like the MOVEit platform, then they are also safe even if they didn’t block the indicators of compromise — the attackers don’t have anything to leverage in order for the attack to work in the first place.”

Clop, Others Continue MOVEit Attacks

The Clop ransomware gang’s exploitation of a vulnerability in Progress Software’s MOVEit managed file transfer (MFT) system has hit dozens of major organizations so far, among them Abbie, Aer Lingus, the BBC, British Airways, the California Public Employees’ Retirement System, Johns Hopkins University, New York City public schools, Schneider Electric, Shell, Siemens, UCLA, the University of Rochester, the U.S. Department of Energy, and the U.S. Department of Health and Human Services.

However, instead of typical ransomware tactics, Clop, aka Lace Tempest, has used the SQL injection vulnerability to steal sensitive data and threaten to release it unless a ransom is paid.

The U.S. Government has offered a $10 million reward for information on the threat actors.

Cybersecurity experts have discovered extensive use of the zero-day vulnerability in MOVEit Transfer. Multiple threat actors — many of whom overlap or are used interchangeably — have been linked to the vulnerability, including FIN11, TA505, and Lace Tempest. While FIN11 and TA505 have been used interchangeably in the past, Mandiant classifies FIN11 as a subset of activity inside the TA505 group. Additionally, Lace Tempest, which runs the Clop extortion site, is also affiliated with FIN11.

Microsoft Threat Intelligence noted in a tweet: “Lace Tempest (Storm-0950, overlaps w/ FIN11, TA505) authenticates as the user with the highest privileges to exfiltrate files.”

The cybercriminals started exploiting the vulnerability on May 27th, during the U.S. Memorial Day holiday. Lace Tempest has a track record of exploiting different zero-day vulnerabilities to steal data and extort victims.

TA505 is well-known for its involvement in global phishing and malware dissemination. Their victims include hundreds of companies worldwide, and they engage in various illegal activities, including providing ransomware-as-a-service, acting as an initial access broker, and orchestrating large-scale phishing assaults and financial fraud. This recent exploitation expands their repertoire, highlighting their ability to hack and steal critical data through the MOVEit Transfer web applications with the LEMURLOOT web shell.

Another significant threat actor, FIN11, has been involved in a number of high-profile infiltration efforts that leverage zero-day vulnerabilities. The group has targeted pharmaceutical companies and other healthcare institutions during the COVID-19 pandemic. Their activities primarily target corporations in various industries in North America and Europe, with the goal of stealing data and deploying ransomware using Clop.

The Clop gang’s exploitation of the MOVEit vulnerability has become a critical issue, causing concerns among several organizations about their own security procedures as well as their vulnerability to similar cyber assaults.

Also read: Ransomware Protection: How to Prevent Ransomware Attacks

Key Steps to Mitigate MOVEit Risk

In light of the Clop ransomware attacks and similar threats, the FBI and CISA published a joint advisory recommending the following mitigation measures for organizations:

  • Inventory and Asset Management: Conduct an asset and data inventory, differentiating between authorized and unauthorized equipment and software.
  • Credential Protection: Prevent credential compromise by putting domain admin accounts in groups for protected users, avoiding plaintext credentials in scripts, and providing time-based access.
  • Administrative Privileges and Software Control: Restrict administrative rights and access to just those that are absolutely necessary, and create a list of authorized software that only allows the execution of genuine programs.
  • Backup and Restoration: Keep offline backups of data and execute backup and restore on a regular basis. Encrypt backup data to ensure the data infrastructure’s immutability and coverage.
  • Endpoint Security: Install and update antivirus software on all hosts.
  • Network Security: Monitor network ports, protocols, and services by activating security settings on network infrastructure devices such as firewalls and routers. Segment networks to regulate traffic flows and prevent ransomware outbreaks. To identify suspicious activity and malware traversal, use network monitoring tools. Unused ports should be disabled, email banners should be considered, and hyperlinks in received emails should be disabled.
  • Password Policies: Enforce NIST password policy requirements, such as lengthier passwords and the use of password managers. Password suggestions should be disabled, and frequent password changes should be avoided.
  • PowerShell Security: Restrict PowerShell usage and update to the latest version.
  • Remote Access Security: Limit remote access from within the network to approved solutions (e.g., VPNs, VDIs). Use security software to detect instances of remote access software loaded in memory. Block inbound and outbound connections to common remote access software ports. Implement application controls and allowlisting for remote access programs. Limit your use of RDP and follow recommended practices (for example, auditing, closing unused ports, and MFA).
  • Software and Patch Management: Consistently update and patch software and apps to the latest versions, and perform vulnerability assessments on a regular basis. Patch operating systems, software, and firmware on a regular basis.

These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) established by CISA and NIST. The CPGs are based on current cybersecurity frameworks and recommendations, and they provide a set of minimum procedures and policies to defend against common and significant threats.

As cybercriminals continue to evolve their strategies, organizations must assess their security measures, minimize risks, and guarantee the efficiency of their defenses against growing ransomware and cyber attacks. Implementing a comprehensive and layered security approach will help strengthen organizations’ systems, secure critical data, and stop potentially disastrous ransomware assaults.

Read next: Network Protection: How to Secure a Network

Mockingjay Attack Evades EDR Tools with Code Injection Technique
https://www.esecurityplanet.com/threats/mockingjay-edr-attack/
Fri, 30 Jun 2023 16:15:00 +0000

Security researchers have identified a new attack method that bypasses endpoint security tools. Here's how to defend against the Mockingjay attack.

The post Mockingjay Attack Evades EDR Tools with Code Injection Technique appeared first on eSecurityPlanet.

Security researchers have identified a new sophisticated hacking technique, dubbed “Mockingjay,” that can bypass endpoint detection and response (EDR) tools by injecting malicious code into trusted memory space. This stealthy approach allows attackers to operate undetected within an organization’s network for extended periods.

The attack technique — identified by researchers at Security Joes — is a challenge to EDR vendors and security teams alike.

“To effectively counteract such attacks, security solutions need to employ a comprehensive and proactive approach that goes beyond static monitoring of specific DLLs or system calls,” the researchers wrote. “Behavioral analysis, anomaly detection, and machine learning techniques can enhance the ability to identify process injection techniques and detect malicious activities within the memory space of trusted processes.”

See the Top EDR Solutions

The Mockingjay Attack Explained

The Mockingjay attack targets trusted and legitimate processes running on the system and avoids or minimizes use of Windows APIs that EDR tools commonly associate with injection attacks. By secretly injecting malicious code into the memory space of the trusted process, Mockingjay hides its activities within a seemingly harmless process.

EDR tools typically monitor Windows APIs within the memory space of processes to detect injection attacks, so the researchers set about trying to find other methods to dynamically execute code within the memory space of Windows processes without relying on the monitored Windows APIs.

They detailed two such attack techniques in their blog post.

They explored trusted Windows libraries that contain sections with default protections set as RWX (Read-Write-Execute). “By misusing these libraries, we were able to successfully inject code into various processes and eliminate the need to execute several Windows APIs usually monitored by security solutions,” they wrote. “This approach reduces the likelihood of detection by defense software, as our application does not directly invoke Windows APIs typically associated with process injection techniques. The injection is executed without space allocation, setting permissions or even starting a thread. The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section.”

Both attack techniques involve processes located within Visual Studio 2022 Community. The first targets the DLL msys-2.0.dll, and the second targets the ssh.exe process located within the Visual Studio 2022 Community directory.

The msys-2.0 DLL contains a default RWX section that could potentially be exploited to load malicious code, the Security Joes researchers said. The report goes into great detail on the attack technique, which they summarized in six steps:

  1. Custom application loads vulnerable DLL using LoadLibraryW
  2. Location of the RWX section is resolved using the base address of the DLL and the offset of section
  3. A clean copy of NTDLL.DLL is loaded from the disk, and the system call numbers for the desired syscalls are obtained
  4. The addresses of the test instructions after the jmp added by the EDR are retrieved from the NTDLL.DLL in-memory copy (hooked by the EDR)
  5. Using the addresses of the test instructions and the syscall numbers, the researchers assemble their stubs in the RWX area of the vulnerable DLL
  6. When the stub is executed, it prepares the syscall number in the EAX register, as usual, and immediately jumps to the address of the corresponding test instruction for the chosen system call, bypassing the EDR verification step

Second EDR Attack Detailed

In the process of their work, the researchers noticed that the msys-2.0.dll library is “commonly utilized by applications that require POSIX emulation, such as GNU utilities or applications not originally designed for the Windows environment. We found relevant binaries with these characteristics within the Visual Studio 2022 Community subdirectory.”

For their proof of concept, they chose the ssh.exe process located within the Visual Studio 2022 Community directory as the payload target. “To accomplish this, we initiated the ssh.exe process as a child process of our custom application using the Windows API CreateProcessW,” they wrote, summarizing the attack technique as follows:

  1. Custom application is executed
  2. Trusted application (ssh.exe) using DLL msys-2.0.dll is launched as a child process
  3. Custom application opens a handle to the target process (ssh.exe)
  4. Code to be injected is copied into the RWX section of msys-2.0.dll
  5. Trusted application executes the injected code during its normal execution flow
  6. Additional DLL MyLibrary.dll is loaded by the shellcode injected in the RWX section
  7. Back connect shell session is established

“The uniqueness of this technique lies in the fact that there is no need to allocate memory, set permissions or create a new thread within the target process to initiate the execution of our injected code,” they wrote. “This differentiation sets this strategy apart from other existing techniques and makes it challenging for endpoint detection and response (EDR) systems to detect this method.”

How to Defend Against a Mockingjay Attack

EDR systems with integrated behavioral analytics can stop a Mockingjay attack by broadening the scope of their monitoring to cover trusted processes. Such detection techniques can identify code injection and unauthorized changes by establishing baseline behavior patterns and conducting memory integrity checks. EDR technologies can improve their capacity to recognize and block Mockingjay attacks through contextual analysis and the application of machine learning methods that can detect anomalous patterns.
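Both techniques described above depend on a DLL that already ships with a section marked RWX, and the defense paragraph mentions memory integrity checks. One concrete inventory check a defender can run is to read the PE section table of on-disk or loaded DLLs and list any section whose header requests both write and execute permission. The following Python is an added example for this article, not code from Security Joes or eSecurityPlanet; the minimal PE it builds for the offline run is constructed, and scan_file() accepts a real file path such as the msys-2.0.dll the report names.

```python
"""Inventory PE sections that request RWX (read/write/execute) protection.

Added example for this article; not code from Security Joes or eSecurityPlanet.
It reads the section table of a PE image (DLL or EXE) and reports sections whose
Characteristics ask the loader for both MEM_WRITE and MEM_EXECUTE, which is the
precondition the Mockingjay report describes. The sample image built below is
constructed for an offline demonstration; scan_file() takes a real file path.
"""
import struct
import sys
from pathlib import Path

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes) -> list:
    """Return one dict per section header: name, rva, size, characteristics."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, rva, _rawsize, _rawptr, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, first + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "rva": rva,
            "size": vsize,
            "characteristics": chars,
        })
    return sections


def rwx_sections(data: bytes) -> list:
    """Names of sections whose header flags include both MEM_WRITE and MEM_EXECUTE."""
    both = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in parse_sections(data)
            if s["characteristics"] & both == both]


def scan_file(path: str) -> list:
    """Convenience wrapper for an on-disk DLL or EXE."""
    return rwx_sections(Path(path).read_bytes())


def build_sample_pe(section_specs: list) -> bytes:
    """Constructed minimal PE: DOS stub, COFF header with an empty optional
    header, and one 40-byte section header per (name, characteristics) spec.
    No code or data follows; the scanner only needs the headers."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, 0, 0x2022)
    table, rva = b"", 0x1000
    for name, chars in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             0x200, rva, 0x200, 0x400, 0, 0, 0, 0, chars)
        rva += 0x1000
    return dos + b"PE\0\0" + coff + table


# Constructed sample: a normal code section, a normal data section and one
# section that asks for RWX the way the report's vulnerable DLL does.
CONSTRUCTED_SAMPLE = build_sample_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rwx", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
     | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    # With file paths as arguments, scan real images; otherwise use the sample.
    if sys.argv[1:]:
        for target in sys.argv[1:]:
            print(f"{target}: RWX sections = {scan_file(target) or 'none'}")
    else:
        print(f"constructed sample: RWX sections = {rwx_sections(CONSTRUCTED_SAMPLE)}")
```

Section flags describe the protection the loader applies when the image is mapped; a process can change page protections afterwards, so this inventory complements rather than replaces the runtime memory checks the article describes. Running it across a software inventory tells a security team which trusted binaries carry the precondition and deserve closer monitoring.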

For security teams, Mockingjay is yet another argument for defense-in-depth; if one security tool misses an attack, a second one could potentially limit the damage.

Windows PGM Accounts for Half of Patch Tuesday’s Critical Flaws https://www.esecurityplanet.com/threats/windows-pgm-vulnerabilities/ Tue, 13 Jun 2023 23:08:49 +0000 https://www.esecurityplanet.com/?p=30664

The post Windows PGM Accounts for Half of Patch Tuesday’s Critical Flaws appeared first on eSecurityPlanet.
Microsoft’s Patch Tuesday for June 2023 addresses 78 vulnerabilities, a significant increase from last month’s total of 37. While six of the flaws are critical, Microsoft says none are currently being exploited in the wild.

The six critical vulnerabilities are as follows:

  • CVE-2023-24897, a remote code execution vulnerability in .NET, .NET Framework, and Visual Studio, with a CVSS score of 7.8
  • CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server, with a CVSS score of 9.8
  • CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015, three remote code execution vulnerabilities in Windows Pragmatic General Multicast (PGM), each with a CVSS score of 9.8
  • CVE-2023-32013, a denial of service vulnerability in Windows Hyper-V, with a CVSS score of 6.5

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted in a blog post that this is the third month in a row in which Windows Pragmatic General Multicast (PGM) has had a flaw addressed with a CVSS score of 9.8. “While not enabled by default, PGM isn’t an uncommon configuration,” he wrote. “Let’s hope these bugs get fixed before any active exploitation starts.”

Action1 vice president of vulnerability and threat research Mike Walters separately observed that the three PGM flaws can be exploited over the network without requiring privileges or user interaction.

“To mitigate this vulnerability, consider checking if the Message Queuing service is running on TCP port 1801 and disable it if not needed,” Walters advised. “However, be cautious as this may impact system functionality. It is generally recommended to install the available patch instead of relying solely on mitigation strategies.”

Flaws in SharePoint, .NET, Visual Studio

Exploitation of the SharePoint Server flaw CVE-2023-29357, Walters noted, also requires no privileges or user interaction. “Customers using Microsoft Defender and the AMSI integration feature in their SharePoint Server farm(s) are protected against this vulnerability,” he wrote. “While there are no confirmed cases of exploitation yet, Microsoft warns that the likelihood of exploitation is high. It is essential for organizations using SharePoint 2019 to apply the patch to mitigate this serious vulnerability.”

Rapid7 lead software engineer Adam Barnett pointed out by email that while the FAQ provided with Microsoft’s advisory for CVE-2023-29357 states that both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable, no related patches are listed for SharePoint 2016.

“Defenders responsible for SharePoint 2016 will no doubt wish to follow up on this one as a matter of some urgency,” Barnett wrote. “Microsoft also explains that there may be more than one patch listed for a particular version of SharePoint, and that every patch must be installed to remediate this vulnerability (although order of patching doesn’t matter).”

Regarding CVE-2023-24897, Barnett observed that exploitation of the flaw in .NET, .NET Framework and Visual Studio requires the attacker to trick a victim into opening a specially-crafted malicious file.

“Although Microsoft has no knowledge of public disclosure or exploitation in the wild, and considers exploitation less likely, the long list of patches – going back as far as .NET Framework 3.5 on Windows 10 1607 – means that this vulnerability has been present for years,” he wrote.

Other Noteworthy Flaws

Ivanti vice president of security products Chris Goettl noted by email that two lower-severity flaws were also patched in Microsoft Exchange Server.

“CVE-2023-32031 could potentially trigger malicious code in the context of the server’s account through a network call,” Goettl wrote. “CVE-2023-28310 could allow the attacker to execute code via a PowerShell remoting session. Neither have been disclosed or exploited, but given the sophistication of threat actors who specialize in targeting Exchange Server, it is recommended not to let these linger for long.”

And Silverfort senior research tech lead Dor Segal said by email that CVE-2023-29362, a remote code execution vulnerability in Remote Desktop Client with a CVSS score of 8.8, is also worth noting.

“Using an RDP client can give admins a false sense of security: they can see what’s going on in a remote server or that client’s computer, but they believe themselves to be protected from malicious activity on the client’s end thanks to the RDP,” Segal said. “This vulnerability unfortunately proves that wrong.”

“CVE-2023-29362 allows an attacker who has compromised a Windows machine to attack and spread to any RDP client connected to that same machine,” Segal added. “In the case of admins or other privileged machines, this could potentially lead to compromise of the entire domain. It’s worth noting that patching is needed on the client’s side – not the server’s – so we recommend first patching privileged clients before moving on to the rest of the clients in the organization.”

How to Improve Email Security for Enterprises & Businesses https://www.esecurityplanet.com/threats/email-security/ Thu, 08 Jun 2023 10:40:00 +0000 https://www.esecurityplanet.com/?p=18044 Learn various techniques, tools, and services to secure email against cybersecurity attacks such as phishing and ransomware.

The post How to Improve Email Security for Enterprises & Businesses appeared first on eSecurityPlanet.
Most organizations use email as a basic communication method. Unfortunately, text-based email protocols are extremely vulnerable to hacking and email has become the primary vector for cyber attacks. Organizations that understand email security in detail can adopt email security options that are a good fit for their needs and resources.

What Is Email Security

Email security is the set of measures that protect email accounts, servers, and communications from unauthorized access, data loss, or compromise. It consists of the policies, tools, and services deployed to protect against threats specific to email such as spam, phishing attacks, malware-infested attachments, impersonation, and email interception.

Microsoft estimates that 94% of cyberattacks begin with a malicious email — a horrific statistic that can be dramatically reduced by adopting email security standards, tools, and services. Cybercriminals target email because it is an easy entry point and a single misguided click can potentially enable access to an entire organization. Cybercriminals use email to deliver a host of attacks such as business email compromise (BEC) attacks, malware delivery, and credentials harvesting.

Email security solutions help to:

  • Protect an organization’s brand and reputation by flagging spoofing emails trying to impersonate the brand
  • Protect an organization’s bottom line by limiting the devastating recovery costs, business disruption losses, business reputation damages, and forensic investigation costs associated with a successful attack
  • Enhance productivity by limiting potential disruptions to operations and downtime because of a cyberattack
  • Ensure compliance with data protection laws such as the General Data Protection Regulation (GDPR) and avoid the legal fees and regulatory fines associated with the breach of regulated data

Key Features for Email Security

Different email security protocols, tools and services provide both critical and nice-to-have features to secure email. 

Critical features provide the base requirements of email security. Every organization should look for solutions that include:

  • Antivirus and basic threat detection looks for and neutralizes known malware signatures within emails 
  • Anti-spam filters unwanted bulk emails and spam messages
  • Attachment analysis examines attachments for malicious or suspicious links and malware to disarm potentially malicious content 
  • Authentication systems evaluate the validity of senders using DMARC and other email protocols
  • Reputation analysis analyzes the message header data and sender IP addresses to compare against IP and mail servers lists of known threat actors
  • URL filtering provides uniform resource locator (URL) reputation analysis and some tools can even scan websites for malicious links, content, and attachments

Nice-to-have features provide additional security features at a cost that may be out of reach for some organizations:

  • Account takeover protection attempts to detect and block attackers from obtaining credentials and accessing a user’s account to send spam, malware, BEC, or other types of attacks
  • Advanced threat detection scans files for malicious code or other patterns associated with malicious threats beyond signature analysis
  • Behavior analytics examine the content of emails and the behavior of users to detect unusual behavior that may indicate insider threats or compromised accounts
  • Content analysis analyzes the text of the email for urgency terms or other words and phrases associated with phishing or BEC attacks
  • Data encryption secures mail communications from interception by cybercriminals or from unintended recipients reading the message
  • Data loss protection (DLP) technologies check outgoing emails for content or attachments that may include proprietary or regulated data to flag or even block intentional or accidental insider threat activities 
  • Image and content control capabilities can scan attached or embedded images or content to block malware 
  • Integrated threat protection can provide unified protection across apps, devices, email, identities, data, and cloud workloads
  • Sandboxing provides detonation capabilities for malicious links and attachments within a controlled environment

Best Options to Secure Business Email

Email security may be critical, but every organization faces unique budget constraints, threat profiles, risk profiles, and labor capabilities. These aspects will define the type of tools, services, and protocols that the organization can realistically adopt to protect emails against threats.

Organizations typically select a combination of the following options to suit their email security needs. In some cases, the options will have overlapping capabilities, but redundancy isn’t typically a bad thing for security. Organizations seeking to bolster their email security should examine several options with features that fill in gaps in their current capabilities.

We will present these options in two categories: a priority tier and an advanced capability tier. Smaller organizations need to start with priority options and then adopt more advanced options as they grow and their needs and resources develop. We will cover main tool categories, but keep in mind that specialty tools exist for specialty roles such as attachment inspection that will often be features of more sophisticated tools.

The priority tier includes:

  • Email authentication protocols
  • Email security tools
  • Next generation firewalls and unified threat management
  • Secure access service edge
  • Secure email gateway or secure web gateway

The advanced capability tier includes sandboxing, encryption, and secure browsers that can provide additional layers of protection for more sophisticated needs. 

The more sophisticated a solution, the more it tends to require expertise to install, configure, manage, and maintain. Organizations can offload some expertise requirements to managed IT service providers (MSPs) or managed IT security service providers (MSSPs). Keep in mind that each category also contains a spectrum of basic-to-advanced tools and capabilities and that service providers can often offer advanced capabilities to smaller organizations through service bundles.

How Email Security Tools Protect Email Servers (Hosted or SaaS)

Priority Tier to Improve Email Security

When starting out, organizations should focus on adopting these fundamental email security options. These options provide the basic security features needed for fundamental email security and often will offer options to even upgrade to more advanced security as well.

Email Authentication Protocols: SPF, DKIM, DMARC

The three mutually reinforcing email authentication protocols, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC), verify the authenticity of emails. Enforcing these protocols will block spam, help identify spoofing emails, and help with reputation analysis for security tools.

It is very affordable for an organization to enable their security tools and web servers to check for and enforce these protocols. It can be time consuming to establish these protocols on an organization’s DNS servers, but doing so will provide two key benefits. First, the protocols improve the reputation of an organization which boosts the deliverability of marketing emails. Second, email servers and security tools can use the protocols to flag emails that try to spoof the organization’s domain and brand.

The smallest organizations may not have the resources to establish these protocols. However, adopting them should be a priority for growing organizations, and they have been a federal requirement since 2018 under the Department of Homeland Security (DHS) Binding Operational Directive 18-01.
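The article says enforcing SPF, DKIM and DMARC blocks spoofing but does not show what the records look like or which settings decide whether anything is actually enforced. The following Python is an added example for this article, not eSecurityPlanet's code: it parses the two record types that are plain DNS TXT strings (SPF and DMARC) and grades them on the points that matter for spoofing protection, the qualifier on the SPF "all" mechanism and the DMARC policy, reporting address and percentage. The records, example.com/example.net domains and the 192.0.2.0/24 range are constructed; to check a live domain, resolve the TXT records for the domain and for _dmarc.<domain> and pass the strings to grade().

```python
"""Parse and grade SPF and DMARC TXT records for spoofing protection.

Added example for this article (not eSecurityPlanet's code). Records, domain
names and address ranges below are constructed so the script runs offline.
"""


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs and the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                      # SPF default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value;' pairs and fill in the defaults the DMARC spec assumes."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")            # relaxed DKIM alignment
    tags.setdefault("aspf", "r")             # relaxed SPF alignment
    return tags


def grade(spf_record, dmarc_record) -> list:
    """Return findings; an empty list means unknown senders fail SPF and
    DMARC tells receivers to act on failures."""
    findings = []
    if not spf_record:
        findings.append("no SPF record: any host may claim to send for the domain")
    else:
        spf = parse_spf(spf_record)
        if spf["all"] in (None, "+"):
            findings.append("SPF does not fail unknown senders (no '-all' or '~all')")
        elif spf["all"] == "?":
            findings.append("SPF '?all' is neutral: unknown senders neither pass nor fail")
    if not dmarc_record:
        findings.append("no DMARC record: receivers are not told how to treat failures")
    else:
        dmarc = parse_dmarc(dmarc_record)
        if dmarc.get("p") == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if dmarc["pct"] != "100":
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to a sample only")
        if "rua" not in dmarc:
            findings.append("no rua= address: aggregate reports are not collected")
    return findings


# Constructed records (example.com and 192.0.2.0/24 are documentation values).
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, grade(spf, dmarc) or ["enforcing"])
```

A domain with a "p=none" DMARC policy or a "?all" SPF record has published the records but still lets spoofed mail through, which is why the check grades enforcement rather than mere presence. DKIM is not graded here because its record is per selector and its value is a public key; whether signatures verify is decided on each received message, not from the record alone.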

Email Security Tool

A number of tools present themselves as email security tools to protect local email applications and email servers. These tools are generally good options for smaller organizations with a limited number of on-prem email servers. More advanced versions of these tools can be deployed in the cloud to extend their reach, which puts them in direct competition with other cloud-based solutions (see below).

An organization can select from a spectrum of tools from inexpensive and basic tools to robust, feature rich, and expensive tools. Email security tools offer features that screen emails for malicious content using antivirus, anti-spam, DNS, attachment, and other analytics. More advanced tools may include additional options such as threat feeds, sandboxing, and AI-enhanced analytics.

Next Generation Firewalls and Unified Threat Management Systems

Firewalls with advanced capabilities can typically perform application-layer packet inspection, which allows the tool to screen emails for malicious links, spam, and malicious attachments. Both Next Generation Firewalls (NGFW) and Unified Threat Management (UTM) tools will have some of these capabilities, but an organization will need to check the specific tools under consideration for both the specific features available and how the tool will integrate with the existing security stack and IT environment.

As with email security tools, advanced firewalls tend to be placed at the edge of local networks and thus are more appropriate for protecting a small number of local email servers. For larger or geographically diverse organizations, cloud-based firewall-as-a-service (FWaaS) may provide more cost-effective and unified protection.

Secure Access Service Edge

Secure Access Service Edge (SASE) tools, also called security service edge (SSE) solutions, control access outside of the corporate network and tend to be cloud-based. Some tools only control access, but other tools also will incorporate secure web gateway (SWG) and firewall capabilities that permit the tools to detect and block spam as well as malicious websites and attachments. SASE solutions provide good solutions for large and geographically diverse organizations looking for centralized control and protection.

Secure Email Gateway or Secure Web Gateway 

Secure email gateway (SEG) or secure web gateway (SWG) solutions are dedicated to screening email and website traffic. These tools scan attachments, check for malicious links, and can incorporate blacklists to block known-malicious domains. These tools can also include DLP capabilities to block insiders from intentionally or accidentally leaking sensitive information.

SEGs will focus more specifically on protecting email systems, particularly on-premises email servers, and SWGs may be better to protect SaaS environments. Both options can be installed locally to protect local email servers or in the cloud to enable broader coverage.

How Email Technologies Protect Recipients and Senders

Advanced Email Security Capabilities Tier

Organizations with more sophisticated needs or more resources may consider additional capabilities to provide additional layers of security for email. Some of these capabilities will be obtained through specific, specialized tools, but others will be obtained through more advanced features or add-ons to tools listed in the priority tier above.

Email Sandboxing

The delivery of malware through email remains a high concern, even for organizations deploying layers of email security to prevent malware delivery. Attackers can modify code too easily and develop new types of attack too quickly for most IT security teams to put all of their faith in anti-malware solutions. 

Many email security solutions now provide sandboxing capabilities to enable security teams to launch attachments in a safer environment. However, while these capabilities can improve confidence in attachment analysis, IT security teams must also be aware that some malware will attempt to detect sandboxing environments to prevent analysis.

Encrypted email

Despite many advancements in email tools, the email format itself remains a text-based protocol. Many email tools will enable the encrypted delivery of emails, but some of these encryption options will be undone if the sending email server detects that the receiving email server may not support the option. For more assured protection against the interception of emails, organizations can adopt an email encryption solution.

Secure Browser

A secure browser, also known as browser isolation, creates a sandboxed environment on the endpoint device. Within this sandboxed environment, the user can perform their normal business activities with less concern about malware and malicious attachments. If the user accidentally launches malware, the malware will affect the sandboxed environment and allow the user to simply close the sandbox with a greatly reduced risk for a long-term effect on the local endpoint or network.

Threat Feed

Attackers constantly develop new attacks and methods and new vulnerabilities are discovered regularly. Threat feeds provide security teams with the latest news and can be integrated with security tools to update malware signature files more frequently and provide indicators of compromise used by advanced analytics to detect new malware in action.

Email Security Best Practices

Ultimately, the point of any security is to reduce risk for the organization. Email security should fit into a broader security strategy to reduce the risks of attack on an organization and the related risks of data breaches, operational disruption, and financial loss.

The best practices for email security reflect these overarching risk reduction requirements of an organization. Although we will provide best practices for a generic organization, every manager with IT, security, and risk responsibilities must modify these best practices to fit the context of their specific needs. For example, even a very small stock broker will have US Securities and Exchange Commission (SEC) or Financial Industry Regulatory Authority (FINRA) regulatory requirements for email security, monitoring, and retention.

Good, Better, and Best Security Best Practices

The Good, Better and Best levels of email security best practices reflect increasing levels of sophistication and capability in formal email policies, layers of email security, employee email security training, restrictions on the use of email for high-risk functions, and the related security stack.

Good Email Security Best Practices: 

  • Adopt a written email security policy
  • Enable security options in email software 
  • Use at least one priority tier email security tool (email security tool, advanced firewall, SASE, or secure gateway) with basic functionality to reduce spam and inspect email and attachments for malware
  • Have a basic security stack that includes hardened IT infrastructure and protected endpoints

Better Email Security Best Practices:

  • Adopt a written email security policy and use it actively to measure success for email security through regular reports
  • Enable security options in email software 
  • Enable email authentication (SPF, DKIM, DMARC)
  • Use at least one priority tier email security tool (email security tool, advanced firewall, SASE, or secure gateway) or multiple security tools that deliver stronger capabilities to reduce spam, inspect email and attachments for malware, and perform URL filtering
  • Have an email security tool with capabilities for at least one advanced tier email security function (sandboxing, encrypted email, secure browser, threat feed) to protect against attacks
  • Perform basic annual employee security training to reduce risk
  • Limit your use of email for high-risk functions (financial transactions, regulated data exchange, etc.)
  • Purchase a hardened security stack that includes DNS security, encryption at rest, hardened IT infrastructure, multi-factor authentication, and protected endpoints.

Best Email Security Best Practices:

  • Adopt a written email security policy and use it actively to measure success for email security through regular reports that reflect risk reduction
  • Enable security options in email software 
  • Enable email authentication (SPF, DKIM, DMARC)
  • Use a robust priority tier email security tool or tools (email security tool, advanced firewall, SASE, or secure gateway) implemented with strong capabilities to reduce spam, inspect email and attachments for malware, perform URL filtering, perform reputation analysis, and several nice-to-have features such as behavioral analytics, advanced threat detection, or sandboxing
  • Have an email security tool with capabilities for one or more advanced tier email security function (sandboxing, encrypted email, secure browser, threat feed) to protect against attacks
  • Conduct regular employee security training to create a security-focused organization
  • Highly restrict or block the use of email for high-risk functions (financial transactions, regulated data exchange, etc.)
  • Have a robust security stack that provides a full spectrum of overlapping protection 

To understand the context of these best practices, we’ll explain the formal email policy, multilayered email security, employee security training, email use for high-risk functions, and related security stack in more detail.

Formal Email Policy

Organizations should have two types of formal email policies: a corporate email use policy for employees and an email security policy for the IT or IT security team.

Most organizations already have a corporate email use policy developed by the HR department to ensure that employees are aware of their responsibilities when using company email, including guidelines on personal usage of corporate email, use of personal email accounts, and email use on corporate and personal devices. These policies also typically cover email retention, attachment guidance (permitted file types, file sizes), prohibited email content, regulated or confidential data in emails, and corporate monitoring of employee emails for compliance and other purposes.

Many organizations have email security strategies in place, but without any written documentation or formalized reports that would help an IT security team to prove the implementation and ongoing functionality of an acceptable level of email security. A written email security policy for IT security formalizes the risk reduction expectations, minimum acceptable security features, and reporting requirements. 

Both types of email policies provide protections and penalties. As long as employees and IT teams conform to the requirements of the email policy, the organization and the employee will be protected in the event of a security incident or breach. However, both policies should also provide for penalties and processes to investigate employees and IT staff who actively undermine or simply choose not to comply with the security policies.

Employee Security Training

No security software is 100% effective or immune from breaches. Employee training can provide basic security skills that employees can use to avoid falling victim to email attacks.

Simple rules that should be taught include:

  • Never click on links in emails received from unknown sources
  • Never open attachments from unknown sources. If an unexpected attachment is received from a known sender, an employee should call the sender to verify the contents of the attachment before opening
  • Never follow links to financial institutions contained within emails. Instead, type the address directly into a browser or use a search engine to locate the financial institution’s official websites
  • Always consult a senior manager before transferring money on instructions in an email. Business email compromise scams often instill a sense of urgency and imply that the sender is out of phone contact but a wire transfer must be carried out immediately without telling other staff members for “reasons of confidentiality”
  • Never connect to the corporate email system from a public Wi-Fi spot without using a VPN to ensure that the link is secure

Many organizations use third-party cybersecurity training programs to help minimize the risk of human error and ensure that employees understand the importance of email security.

Email Use for High-Risk Functions

Email can be difficult to secure and email servers can even undo some security features, such as encryption, if the receiving email server indicates that it cannot support the feature. High risk processes and transactions should be moved to systems with stronger authentication and security functions.

For example, the following processes should not be conducted via email and should only be performed using secured websites or applications after verifying the user’s identity:

  • Requesting patient data (regulated by HIPAA)
  • Obtaining credit card numbers (regulated by PCI DSS)
  • Authorizing financial transactions (at least over a certain dollar amount)
  • Authorizing payments to employees or vendors
  • Delivering the results of medical exams or tests (regulated by HIPAA)

Related Security Stack

Email security cannot operate alone to protect an organization. It must fit into a security stack of related and overlapping network security controls that limit the impact of a breach of email security, such as data loss protection, DNS security, data encryption, hardened IT infrastructure, identity and access management (IAM), multi-factor authentication, and endpoint protection.

Data Loss Protection

Data loss protection (DLP) monitors the use and movement of important or regulated data. Corporate secrets, personal identifying information (PII), personal health information, and other regulated information can be detected, monitored, or even blocked from inclusion in emails, chat applications, or file-sharing applications.

Email tools can offer limited capability DLP that focuses on the use of protected data in email. However, a more robust DLP solution will include many other applications outside of email to deliver more general protection.
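The DLP paragraphs above, together with the earlier rule that credit card numbers (regulated by PCI DSS) should never travel by email, describe the kind of outbound check a DLP feature performs without showing it. The following Python is an added example for this article, not eSecurityPlanet's code or any vendor's: it parses a raw message, scans every text part for digit runs that look like a payment card number, keeps only those that pass the Luhn check so that order and phone numbers are not flagged, and decides whether to allow, flag or block the message depending on whether a recipient is outside the organization's own domain. The message, the INTERNAL_DOMAIN value and the example.com/example.net addresses are constructed for an offline run.

```python
"""Outbound DLP check: find payment card numbers in an email before it leaves.

Added example for this article (not eSecurityPlanet's code). The message and
the example.com/example.net domains below are constructed for an offline run.
"""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"          # constructed: the organization's own mail domain

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return card numbers (digits only) found in the text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits, as an alert should."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_message(raw: str) -> dict:
    """Scan a raw message; return masked hits, external recipients and a verdict."""
    msg = message_from_string(raw)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                         # attachments would need their own scanner
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        hits.extend(find_pans(text))
    recipients = [addr for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in recipients if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if hits and external:
        action = "block"                     # regulated data leaving the organization
    elif hits:
        action = "flag"                      # internal only, but still worth a review
    else:
        action = "allow"
    return {"pans": [mask(p) for p in hits], "external_recipients": external, "action": action}


# Constructed message: an order number that fails Luhn and a card test number that passes.
CONSTRUCTED_MESSAGE = """\
From: alice@example.com
To: vendor@example.net
Subject: payment details
Content-Type: text/plain; charset="utf-8"

Hi, please charge order 1234567890123 to card 4111 1111 1111 1111, expiry 12/27.
"""

if __name__ == "__main__":
    print(scan_message(CONSTRUCTED_MESSAGE))
```

The Luhn filter is what keeps a check like this usable: without it, every long reference number in an invoice would raise an alert. A production DLP tool extends the same pattern to attachments and archives, to other regulated data types, and to the file-sharing and chat channels the article mentions.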

DNS Security

DNS security involves two key aspects: the investigation of URLs and domains within emails, and protecting the corporate DNS from attack and corruption. Many email security programs will perform basic DNS security such as checking URLs against a blacklist of known-malicious websites. The email security programs should be further enhanced by tools and techniques applied to protect corporate DNS.

Encryption At Rest

Malicious emails, especially those delivering modern ransomware, use data exfiltration programs to steal data from local and network hard drives. Adopting encryption at rest limits an attacker's ability to read data stolen in such attacks and provides an additional defense should email security fail.

Harden IT Infrastructure

Default installations of firewalls, networking equipment, server operating systems, and local operating systems will not block any protocols or ports to allow for maximum utility. Unfortunately, maximum utility also means maximum security risk.

Organizations should disable unneeded protocols, block unused ports, and enable options for improved security across the IT infrastructure. These hardening techniques limit the ability of successful email attacks to expand across the organization.

Identity and Access Management

Identity and access management (IAM) hardens the organization with regards to access by enabling an organization to apply the principle of least privilege access to limit unnecessary access by specific users and user groups. Effective use of IAM will limit the ability of attackers to use stolen credentials or compromised devices to expand an attack against the organization.

Multi-factor Authentication

Compromised credentials stolen from a phishing campaign can be quite dangerous. However, the adoption of two-factor (2FA) and multi-factor authentication (MFA) provides additional barriers for an attacker to navigate.

Protecting endpoints

A breached email security will often result in an attack on the end user’s computer. A strong antivirus or endpoint detection and response (EDR) solution protects the local machine against infection or even isolates a compromised local machine to protect the network.

How Email Security Blocks Threats

Email can contain a wide variety of potential threats including business email compromise, data exfiltration, impersonation, malware, and phishing and spam emails. Deploying various email security tools can detect, contain, or even block these threats using a variety of techniques and features.

Business Email Compromise

Business email compromise (BEC) attacks are a subcategory of phishing or impersonation attacks that impersonate trusted business partners or employees in order to trick the organization into sending products or cash payments to the attacker. Email security tools can block this type of attack because they:

  • Use DMARC email authentication to catch discrepancies between the From field shown to email recipients and the From field in the header
  • Analyze email sender reputation (URL, Domain)
  • Apply text sentiment analysis looking for suspicious text trends such as urgency (reply now) or secrecy (do not contact others for verification)

Data Exfiltration

Data exfiltration occurs with the unapproved transfer of data from an organization. Email security tools use data loss prevention (DLP) technology to identify and track proprietary or regulated data within email text or attachments.

Most DLP programs will have a limited number of default detections such as US social security numbers and credit card numbers. Organizations may have to define other information for the DLP to track and monitor.
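To make the two default detections concrete, here is an added example (not code from the article or from any DLP product) of a minimal DLP-style scan for US Social Security numbers and payment card numbers, run over a constructed email body. The SSN and card patterns, the Luhn checksum, the masking rule and the sample text are all assumptions of this example.

```python
"""Added example (not from the article): a minimal DLP-style scanner for the
two default detections the text names, US Social Security numbers and payment
card numbers, applied to constructed email text."""
import re

# SSN pattern AAA-GG-SSSS: area 000, 666 and 900-999 are never issued, and
# all-zero group or serial fields are invalid, so those are excluded up front.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")

# Candidate card number: 13 to 19 digits, optionally separated by spaces/dashes.
# The Luhn check below weeds out invoice numbers and other digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return the SSNs and Luhn-valid card numbers found in text.
    Card numbers are masked except for the last four digits, so the
    finding itself does not leak the regulated value into a log."""
    findings = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings["card"].append("*" * (len(digits) - 4) + digits[-4:])
    return findings


def should_block(text: str) -> bool:
    """Policy decision: block the email if any regulated data is present."""
    f = scan_text(text)
    return bool(f["ssn"] or f["card"])


# Constructed sample email body; every number is a synthetic test value.
SAMPLE_BODY = """Hi Pat,
Per our call, the new hire's SSN is 123-45-6789 and the corporate card
to bill is 4111 1111 1111 1111 (exp 12/26). Invoice number 1234-5678-9012-3456
is unrelated and should not be flagged. Thanks!
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE_BODY))
    print("block:", should_block(SAMPLE_BODY))
```

The invoice number is 16 digits long and matches the card pattern, but fails the Luhn check, which is what keeps a pattern-only detector from blocking ordinary business mail.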

Impersonation

Attackers try to fake the “from” fields in emails to impersonate a trusted person or brand. Impersonation, also known as spoofing, lends credibility to phishing and can be accomplished through misleading graphics, text, and look-alike domains (ex: m1cr0s0ft.com). 

Email security tools can catch impersonation attempts because they:

  • Use SPF email authentication to verify whether the sending server is authorized to send email for the claimed domain (catches spoofed domains)
  • Use DMARC email authentication to catch discrepancies between the From field shown to email recipients and the From field in the header
  • Analyze email sender reputation (URL, Domain)
  • Apply text sentiment analysis looking for suspicious text trends such as urgency (reply now) or secrecy (do not contact others for verification)

Malware

Common types of malware include viruses, worms, ransomware, and spyware, and email attacks will often attempt to disguise malware as PDF files or hide it within compressed files (.zip, etc.). Email security tools detect malware using one or more of the following features:

  • Antivirus signature comparison against known malware
  • Analysis of email sender reputation (URL, Domain)
  • Opening attachments in sandboxes to verify file contents
  • Advanced malware detection by checking file content for malicious or suspicious programming

Phishing & Spam

Phishing attacks are a malicious subcategory of spam emails that also includes spear phishing, vishing, and whaling. The main difference between phishing and spam is whether the links and attachments in the unwanted email lead to malicious websites.

Email security tools detect phishing and spam emails because they:

  • Use DMARC email authentication to catch discrepancies between the From field shown to email recipients and the From field in the header
  • Analyze email sender reputation (URL, Domain)
  • Analyze URLs and websites linked in the email for malicious code or credential stealing tactics using advanced malware detection capabilities 
  • Apply text sentiment analysis looking for suspicious text trends such as urgency (reply now) or secrecy (do not contact others for verification)

Bottom Line: Email Security

Email security tools are available in a wide spectrum and variety that can meet the varied needs of an equally wide spectrum of organizations. As each organization grows, it will need to regularly check whether its existing email security solution continues to satisfy its needs now and for the next few quarters. If additional capabilities are needed, organizations should explore their options and adopt new tools before an attacker can exploit any gaps.

For additional insight into email security tools, consider reading:

This article was originally written and published by Paul Rubens on March 13, 2018 and updated by Chad Kime on June 8, 2023.

How DMARC Can Protect Against Phishing & Ransomware
https://www.esecurityplanet.com/endpoint/how-dmarc-protects-against-ransomware/ (published Tue, 06 Jun 2023 10:20:00 +0000)
Learn how DMARC protects users from ransomware and other threats delivered through email.

Organizations adopting the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard enable the validation and authentication of emails sent from their domain. Servers and security tools receiving email can perform DMARC checks and quickly detect spoofed emails trying to impersonate the organization. Eliminating these spoofed emails can drastically reduce both phishing emails and ransomware attacks.

This article will explore how this works in more detail:

Ransomware & Phishing — a Toxic Combination

Ransomware attacks accounted for approximately one out of every five cyber crimes in 2022 even as the number of ransomware attacks dropped by 23% compared to 2021. However, the impact of ransomware continues to grow as ransoms increase and attackers increase the magnitude of their overall threat with the addition of data exfiltration, extortion, and distributed denial of service (DDoS) attacks.

The costs of ransomware attacks can be massive, including downtime, data loss, business reputation damage, recovery expenses, forensic investigation expenses, and significant psychological damage for the teams involved. The majority of ransomware attacks depend upon phishing, yet phishing also delivers other types of attacks. Phishing, in turn, often depends upon email spoofing to trick users into falling for the phishing attack.

Ransomware Depends on Phishing

A ransomware attack can spring from a single email, and phishing provides the most common entry point for ransomware. However, in most cases, clicking on a bad phishing link does not launch ransomware. Attacks that do launch immediately can usually only encrypt the computer for the phishing victim, which limits the ransom-earning potential. More insidious, news-worthy, and revenue generating ransomware attacks need widespread access to the organization for maximum impact.

To achieve the broader goal, 63% of phishing attacks seek to compromise credentials. By stealing credentials, the ransomware gang can then infiltrate the network, expand access, and attack the organization as a whole.

Other Phishing-Delivered Attacks

Although ransomware makes headlines because of its highly disruptive and obvious impact, phishing attacks can deliver a number of other highly harmful attacks such as business email compromise (BEC), credential harvesting, keyloggers, remote access trojans (RATs), cryptojacking malware, and other spyware. RATs tend to be the malware of choice because they offer the flexibility of future attack options, and the hackers can also resell their access to ransomware-as-a-service providers, cryptocurrency mining groups, bot farms, and more.

Phishing Depends on Spoofing

Spammers send an estimated 3.4 billion emails every day, and Google blocks around 100 million phishing emails daily. Attackers use phishing to perform 47% of the attacks against North and South American organizations, 43% of the attacks against Asian organizations, and 42% of the attacks against European organizations. Microsoft even estimates that 94% of cyberattacks begin with a malicious email.

Yet no one clicks on an unconvincing email. Most people will be tricked by emails that appear to be legitimate and sent by a familiar brand. LinkedIn, Microsoft, Adobe, and Google are top brands used in broad phishing attacks, but smaller brands will also be used in more targeted attacks.

It’s not so difficult to fake an email. Attackers forge the “From” address to target victims with a fraudulent, “spoofed” email that appears to be from a legitimate sender.

For example, perhaps an administrator at the law firm of GenericContracts.com clicks on a phishing link and the attackers scope out the firm. The attackers may find the firm too small to be worth a ransom attack but also realize that the firm does local work for dozens of larger corporations.

The ransomware attackers may choose to spoof the GenericContracts.com domain and send phishing emails to the stolen contact names at those larger corporations with “Overdue Invoice” PDF files laden with malware. Because of the existing working relationship with GenericContracts.com, the corporate clients are more likely to click on the phishing emails and enable future ransomware attacks.

How DMARC Works to Stop Ransomware

Fortunately, DMARC provides a way to stop email using fake “From” addresses and reduce spoofing email attacks. DMARC provides email authentication not only to validate official emails but also to invalidate imposter emails by enhancing other email authentication standards.

How Email Authentication Works

DMARC is published with an organization’s Domain Name Service (DNS) and depends on the prior establishment of two other email authentication standards. The Sender Policy Framework (SPF) lists all domains authorized to send emails on behalf of the organization. The DomainKeys Identified Mail (DKIM) standard enables an organization to digitally sign emails from their domain using public key cryptography to verify that an email is delivered unaltered.

DMARC builds on SPF and DKIM to:

  • Check for alignment, or consistency, between the “from” field in the body of the email and the SPF and DKIM domains
  • Instruct the email server how to handle (ignore, quarantine, or discard) emails that fail SPF, DKIM, or DMARC checks

DMARC Alignment Example

Extending the example above, hackers may forge a fake email spoofing the accounts payable department of GenericContracts.com in the “From” field of the text the reader can see. However, the email itself will be sent from their own domain of SpammyPhishing.com, which shows up only in the header of the email (normally hidden from the reader).

However, if GenericContracts.com deployed an effective DMARC policy, their clients’ email servers would perform a DMARC check. The check would fail the email for being sent from an unauthorized domain and for misaligned (non-matching) header and visible “From” fields. The receiving email server would treat the spoofed emails as fraudulent and likely send them to the spam folder or even discard them.

Additionally, GenericContracts.com would receive reports from their clients’ email servers detailing the campaign of phishing emails from SpammyPhishing.com. GenericContracts can then proactively warn customers about the phishing attack, search for its own data breach, and report SpammyPhishing.com as a malicious domain.
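The alignment check described above, as an added example rather than the article's own material: a simplified model of the DMARC evaluation a receiving server performs, applied to the GenericContracts.com / SpammyPhishing.com scenario. The DMARC record text, the SPF and DKIM results, the two-label approximation of the organizational domain, and the function names are all constructed for this illustration.

```python
"""Added example, not from the article: a simplified model of the DMARC
evaluation a receiving mail server performs, applied to the article's
GenericContracts.com / SpammyPhishing.com scenario.  The DMARC record text
and the SPF/DKIM results below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag/value
    pairs, filling in the defaults for policy and alignment mode."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # policy for mail claiming the domain itself
    tags.setdefault("adkim", "r")   # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated here as the last two labels
    (real implementations consult the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict mode needs an exact match between the visible From domain and the
    authenticated domain; relaxed mode accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain in the From header the reader sees
    spf_pass: bool
    spf_domain: str             # domain SPF was checked against (MAIL FROM)
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= tag of a verified DKIM signature, if any


def dmarc_disposition(record_txt: str, r: AuthResults) -> str:
    """Return 'pass' if SPF or DKIM passes *and* aligns with the From domain,
    otherwise the sender's requested policy (none, quarantine or reject)."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Mail whose From is a subdomain uses the 'sp' policy when one is published.
    if r.from_domain.lower() != org_domain(r.from_domain) and "sp" in tags:
        policy = tags["sp"]
    else:
        policy = tags["p"]
    return policy if policy in ("none", "quarantine", "reject") else "none"


# Constructed record for the article's example sender domain.
GENERICCONTRACTS_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@genericcontracts.com"

# Spoof: From claims GenericContracts.com, but SPF only vouches for the
# attacker's own sending domain and there is no DKIM signature.
SPOOFED = AuthResults("genericcontracts.com", True, "spammyphishing.com", False, None)

# Legitimate mail from the firm's own server, SPF-authenticated for its domain.
LEGIT = AuthResults("genericcontracts.com", True, "genericcontracts.com", False, None)

if __name__ == "__main__":
    print("spoofed:", dmarc_disposition(GENERICCONTRACTS_DMARC, SPOOFED))
    print("legit:", dmarc_disposition(GENERICCONTRACTS_DMARC, LEGIT))
```

Note that SPF alone passes for the spoofed message: SpammyPhishing.com is allowed to send mail for SpammyPhishing.com. DMARC rejects it only because that authenticated domain does not align with the GenericContracts.com shown in the From field, which is exactly the gap SPF and DKIM leave on their own.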

How to Use DMARC

Security specialists recommend using DMARC to help protect against ransomware attacks as an essential email security tool. While DMARC primarily protects other organizations receiving emails attempting to impersonate the organization, DMARC makes the task of spoofing emails significantly more complicated for hackers and helps preserve the organization’s brand image.

Of course, it’s not the ultimate protection, as there are many other techniques hackers can deploy. Additionally, organizations need to enforce DMARC on their email receiving servers to perform the DMARC check. However, every protection deployed adds an additional layer of defense, and deploying DMARC also adds other benefits to the organization, such as improving the delivery of marketing emails.

Bottom Line: Adopt DMARC as an Essential Part of Email Security

DMARC can be challenging to configure correctly; however, it provides powerful email protection against spoofing, phishing, and related attacks such as ransomware. Organizations need to adopt DMARC to protect themselves and others against spoofing attacks and to help erode the threat of spam, which accounted for 48% of all emails sent in 2022.

For further reading on tools to secure email:

This article was originally written and published by Julien Maury on September 21, 2021 and updated by Chad Kime on June 6, 2023.

Email Spoofing: What it Is & How to Prevent It
https://www.esecurityplanet.com/threats/email-spoofing/ (published Tue, 23 May 2023 16:20:00 +0000)
Learn what email spoofing is, how it works, and key email security techniques and tools to block it.

Email spoofing forges the sender address on emails to make the email appear to be from a trusted source or brand. Hackers commonly use spoofing in SPAM and phishing attacks to evade email filters and to improve the appearance of legitimacy to the users that receive the emails. To improve protection against spoofing attacks, an organization should understand:

What Is Email Spoofing?

Email spoofing is a hacking technique that forges or manipulates email metadata such as the display name and email address to mislead the intended recipient about the identity of the email sender. While not all SPAM or phishing attacks use spoofed identities, the use of email spoofing techniques enhances the capabilities of SPAM and phishing emails. Spoofing is often used in conjunction with:

  • Social engineering phishing attacks pretending to be other employees or associates known to the recipient
  • Business email compromise (BEC) attacks attempting to commit fraud while impersonating business executives or business partners
  • Domain impersonation such as changing only one or two letters in a brand name or URL, such as “Arnazon” instead of “Amazon”

Phishing, social engineering, and other email based attacks that use stolen credentials to send fraudulent emails from legitimate accounts do not qualify as spoofed emails. The sending domain is not manipulated in those cases and the sender, while compromised, is legitimate.

How to Identify a Spoofed Email

To catch a spoofed email, first read the subject line as well as the sender’s name and email address. Next, open the email and determine whether the footer seems legitimate, then read the body of the email and note any unclear verbiage or grammatical issues. Finally, note whether your email client marked the message as spam, and inspect the email header if needed.

Consider the email in the screenshot below:

Screenshot of a sample of an email spoof.

First, the subject line, sender email address, and footer are all indicators that the email is illegitimate. If it was a real email from Sam’s Club, the subject line should be free of errors and strange formatting. The domain of the sender email address would be samsclub.com or some variation thereof instead of blackboardninja.com, and the mailing address in the footer would be the Sam’s Club headquarters address instead of an address in Las Vegas.

Additionally, the body content of the email has a vague call to action—what is the “Loyalty Program” and what must one do to earn the so-called “prize”? Unless the recipient is expecting an email like this, there is very little context that indicates where the link leads. This is typical of phishing emails.

Finally, the fact that Gmail automatically categorized this email as Spam doesn’t necessarily mean it’s a spoof, but it’s definitely a red flag. Spam filters can be overzealous at times, which is why important emails like order confirmations and shipping updates sometimes end up in the wrong folder. However, the purpose of a spam filter is to prevent gullible recipients from falling into a spoofed email’s traps.

Not all spoofed emails will be so easily recognizable. Others may require an inspection of the email header to check for discrepancies between the supposed sender and the actual sending domain.

Keep in mind that most email programs do not verify or perform authentication checks on the identifying fields within the body of the email such as Mail From, Reply To, From, Subject, Date, or To. An attacker can claim to be one identity in the From field and a different identity in the header and it will be difficult for the user to notice.
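The header inspection described in this section, as an added example that is not part of the original article: Python's standard email parser applied to two constructed messages modelled loosely on the Sam's Club example, flagging a Return-Path or Reply-To outside the From domain, a dmarc=fail verdict recorded by the receiving server, and urgency wording. The message headers, domains, and keyword list are assumptions of the example.

```python
"""Added example, not from the article: inspecting a raw message's headers for
the discrepancies the text describes (visible From vs. Return-Path, a differing
Reply-To, the receiving server's recorded authentication verdict, and urgency
wording).  Both messages below are constructed for illustration."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

URGENCY_WORDS = ("urgent", "reply now", "act now", "immediately", "final notice")

# Constructed spoof: the display name borrows a brand, Return-Path and Reply-To
# point at an unrelated domain, and DMARC failed at the receiving MX.
RAW_SPOOF = b"""Return-Path: <bounce-88213@mailer.blackboardninja.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer.blackboardninja.com;
 dkim=none; dmarc=fail header.from=samsclub.com
From: "Sam's Club Rewards" <rewards@samsclub.com>
Reply-To: claim@blackboardninja.com
To: member@example.net
Subject: =?utf-8?q?**URGENT**_Claim_your_Loyalty_Program_prize!?=
Content-Type: text/plain; charset="utf-8"

Reply now to claim your prize. Do not share this message with anyone.
"""

# Constructed legitimate message: bounce subdomain of the same brand, DMARC pass.
RAW_LEGIT = b"""Return-Path: <bounces@em.samsclub.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=em.samsclub.com;
 dkim=pass header.d=samsclub.com; dmarc=pass header.from=samsclub.com
From: "Sam's Club" <orders@samsclub.com>
To: member@example.net
Subject: Your order has shipped
Content-Type: text/plain; charset="utf-8"

Order 4471-22 shipped today. Track it from your account page.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def same_org(base: str, other: str) -> bool:
    """True if other equals base or is a subdomain of it (em.brand.com vs brand.com)."""
    return base == other or other.endswith("." + base)


def inspect_headers(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing looked odd."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])

    # The reader sees From; the envelope sender and reply target are hidden.
    if rp_dom and from_dom and not same_org(from_dom, rp_dom):
        findings.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    if reply_dom and not same_org(from_dom, reply_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Verdict stamped by the receiving server (trust only the MX's own header).
    auth = str(msg["Authentication-Results"] or "").lower()
    if "dmarc=fail" in auth:
        findings.append("receiving server recorded dmarc=fail")

    # Subject is decoded from its encoded-word form by policy.default.
    body = msg.get_content() if not msg.is_multipart() else ""
    text = (str(msg["Subject"] or "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, raw in (("spoof", RAW_SPOOF), ("legit", RAW_LEGIT)):
        print(name, inspect_headers(raw) or ["no findings"])
```

The legitimate message uses a bounce subdomain (em.samsclub.com) for its Return-Path, which the check deliberately tolerates; flagging every subdomain would drown the real signal in noise from ordinary marketing and transactional mail.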

How to Prevent Email Spoofing

Email spoofing, often used in conjunction with phishing attacks, threatens organizations of all sizes. Common security techniques such as encryption, firewalls, and antimalware software cannot stop spoofed emails from being delivered to an inbox or help a user that clicks on a phishing link to harvest credentials.

Although email spoofing techniques are becoming more sophisticated with each passing day, there are a few tactics that can help prevent a successful email spoofing attack. These include email authentication protocols, email security tools, email server settings, secure email gateways, and regular employee training.

Email Authentication Protocols

Protocols exist to authenticate email senders and reduce the effectiveness of spoofing. The Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols provide effective defense by publicly posting company email server information in domain name system (DNS) records. Together, these protocols reduce an attacker’s ability to spoof an organization’s domain for malicious purposes.

Email Security Tools

Many vendors offer email security tools that specifically guard against spoofing, spam emails, and phishing attacks. These tools use threat feeds, artificial intelligence–enhanced algorithms, and other features to detect, block, quarantine, or flag suspicious emails. These tools can be delivered in various ways such as appliances, on-premises software, or cloud-based software-as-a-service solutions.

Email Server Settings

Many email servers default to more permissive delivery of suspicious emails to avoid missing emails from customers and vendors. However, given the onslaught of phishing attacks, an organization may wish to adjust email server settings to be more strict. For example, when an email fails email authentication checks (SPF, DKIM, DMARC), instead of delivering the email to a SPAM folder or to an inbox with a ‘suspicious’ flag, simply discard the email.

Secure Email Gateways

Secure Email Gateway solutions provide advanced email filtering and protection capabilities such as email authentication checks (using SPF, DKIM, DMARC), reverse DNS lookups, active scanning of emails for malicious files, and robust tracking tools for security teams to investigate specific emails. Secure email gateways can be deployed locally, in the cloud, or obtained as a service. These tools can not only protect local email servers, but also web-based services such as Outlook 365 and GMail.

Employee Training

As with most cybersecurity and network security efforts, employee training helps create a safeguard against attacks that are able to slip past technical defenses. Organizations should set aside time at least once per year (if not more frequently) to teach employees what to look for in a legitimate email as opposed to a spoofed one. Then, perform follow-up tests to see who may still fall victim to a spoofing attack. This will help ensure everyone on a team can act appropriately when a spoofed email inevitably lands in their inbox.

Bottom Line: Keep Ahead of the Constantly Evolving Threat of Email Spoofing

As long as an organization uses email to communicate internally and externally, email spoofing will be a threat. In fact, email spoofing accounted for more than $216 million in losses in 2020 alone, according to the FBI’s IC3 2020 Internet Crime Report. However, while spoofed emails may look different from one day to the next, applying available solutions can dramatically reduce exposure to receiving spoofed emails as well as prevent an organization’s brand from being used in spoofed email attacks.

This article was originally written and published by Kaiti Norton on July 13, 2021 and updated by Chad Kime on May 23, 2023.

Cisco Warns of Multiple Flaws in Small Business Series Switches
https://www.esecurityplanet.com/threats/cisco-small-business-switch-flaws/ (published Thu, 18 May 2023 23:15:30 +0000)

Cisco is warning that nine significant vulnerabilities in its Small Business Series Switches could enable unauthenticated remote attackers to cause a denial-of-service condition or execute arbitrary code with root privileges on affected devices.

The vulnerabilities are caused by improper validation of requests sent to the switches’ web interfaces, the company said.

While the Cisco Product Security Incident Response Team (PSIRT) says it’s not aware of any malicious use of these flaws, it says proof-of-concept exploit code is available online.

Vulnerable products include 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches, Business 250 Series Smart Switches, Business 350 Series Managed Switches, Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches.

Despite the severity of the flaws, Cisco says the last three products in the list above won’t be covered by software updates or by workarounds because they’ve entered the end-of-life process. “Cisco has not and will not release firmware updates to address the vulnerabilities described in the advisory for these devices,” the company stated.

Nine Independent Vulnerabilities

The flaws are not dependent on one another. “Exploitation of one of the vulnerabilities is not required to exploit another vulnerability,” the company explained. “In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.”

The flaws, according to Cisco, include the following:

  • CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189 – four vulnerabilities with a critical CVSS score of 9.8 that could enable an unauthenticated remote attacker to execute arbitrary code with root privileges.
  • CVE-2023-20024, CVE-2023-20156, CVE-2023-20157, and CVE-2023-20158 – four vulnerabilities with a high CVSS score of 8.6 that could enable an unauthenticated remote attacker to cause a denial-of-service condition.
  • CVE-2023-20162 – one vulnerability with a high CVSS score of 7.5 that could enable an unauthenticated remote attacker to access unauthorized information.


APT Group Targeting TP-Link Routers

Separately, the Check Point Research Threat Intelligence Team recently uncovered a malicious firmware implant for TP-Link routers that provides attackers with full control of infected devices.

The researchers say the implant’s firmware-agnostic design could allow it to be integrated into other brands of routers as well. “While we have no concrete evidence of this, previous incidents have demonstrated that similar implants and backdoors have been deployed on diverse routers and devices from a range of vendors,” the researchers noted.

Check Point attributes the custom MIPS32 ELF implant, named Horse Shell, to a Chinese state-sponsored advanced persistent threat (APT) group they’re calling Camaro Dragon.

The discovery was made while investigating a series of targeted cyber attacks against European foreign affairs entities, though the researchers noted that router implants are often installed arbitrarily in order to create a chain of infected nodes.

“We are unsure how the attackers managed to infect the router devices with their malicious implant,” the researchers wrote. “It is likely that they gained access to these devices by either scanning them for known vulnerabilities or targeting devices that used default or weak and easily guessable passwords for authentication.”

Ransomware Vulnerabilities Not Always Detected

In other vulnerability news, researchers from Securin, Ivanti and Cyware said that vulnerability scanning solutions from Tenable, Nexpose and Qualys are not detecting 18 high-risk vulnerabilities exploited by ransomware groups (see images below).

They also noted that while the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has prioritized 63% of vulnerabilities that are exploited by ransomware gangs in its Known Exploited Vulnerabilities (KEV) catalog, “there are still 131 vulnerabilities that are being exploited by ransomware that need to be included in the KEV catalog.”

Also read: How to Recover From a Ransomware Attack

Image: Ransomware vulnerabilities undetected by scanners.
