DATA SECURITY

Cybereason Discovers Global Botnet Campaign Using Microsoft Exchange Vulnerabilities

Cybereason | April 23, 2021

Cybereason, the market leader in future-ready attack protection, reported today the discovery of a widespread, global campaign aimed at spreading the stealthy Prometei Botnet by attacking enterprises with a multi-stage attack to harvest computing power to mine bitcoin. To infiltrate networks, the threat actors, who tend to be Russian speakers, are exploiting previously disclosed Microsoft Exchange vulnerabilities used in the Hafnium attacks.

Prometei has a sophisticated infrastructure in place to guarantee its longevity on infected machines. Though Prometei was first reported in July 2020, Cybereason believes the botnet dates back to at least 2016, a year before the now-famous WannaCry and NotPetya malware attacks, which infected over 200 countries and caused billions of dollars in damage. Prometei is still evolving, with new features and tools being added daily.

“Because it has gone undetected, the Prometei Botnet poses a significant danger to companies. When attackers gain possession of infected machines, they can not only mine bitcoin by stealing processing power, but they can also exfiltrate classified information. The attackers may even inject the infected endpoints with other malware and work with ransomware groups to offer access to the endpoints if they so desire. To make matters worse, crypto mining consumes vital network computing power, adversely affecting business processes as well as the performance and reliability of sensitive servers,” said Assaf Dahan, Cybereason's senior director and head of threat research.

Key findings from the research, include:

• Wide range of Victims: Victims have been observed across a variety of industries, including Finance, Insurance, Retail, Manufacturing, Utilities, Travel, and Construction. Infected companies are based in countries around the world, including the United States, United Kingdom, Germany, France, Spain, Italy and other European countries, South America and East Asia.

• Russian Speaking Threat Actor: The threat actor appears to be Russian speaking and is purposely avoiding infections in former Soviet bloc countries.

• Exploiting SMB and RDP Vulnerabilities: The main objective of Prometei is to install the Monero crypto miner on corporate endpoints. To spread across networks, the threat actor is using known Microsoft Exchange vulnerabilities, in addition to known exploits EternalBlue and BlueKeep.

• Cross-Platform Threat: Prometei has both Windows-based and Linux-Unix-based versions, and it adjusts its payload based on the detected operating system on the targeted machines when spreading across the network.

• Cybercrime with APT Flavor: Cybereason assesses that the Prometei Botnet operators are financially motivated and intent on generating hefty sums of bitcoin, but is likely not backed by a nation-state.

• Resilient C2 Infrastructure: Prometei is designed to interact with four different C2 servers which strengthen the botnet’s infrastructure and maintain continuous communications, making it more resistant to takedowns.

Recommendations to companies for minimizing the Microsoft Exchange vulnerability include constantly scanning the environment for threats and imposing stricter patch management policies to ensure that all updates are deployed regularly. Sensitive network assets should also be hardened, multi-factor authentication implemented, and endpoint detection and response tools installed.

About Cybereason

Cybereason is a champion for today's cyber defenders, offering future-ready attack protection that unifies security from the endpoint to the enterprise and everywhere the battle moves. The Cybereason Defense Platform incorporates the industry's best detection and response (EDR and XDR), next-generation anti-virus (NGAV), and aggressive threat hunting to provide context-rich analysis of any component of a Malop (malicious operation). As a result, defenders will stop cyberattacks from endpoints to everywhere. Cybereason is a privately owned international company based in Boston that serves clients in over 30 countries.

Spotlight

Embrace cyber security from the start Many companies are pursuing digital transformation projects and growing connectivity is increasing the potential for cyber-attacks. Only 25% of NZ businesses are including proactive risk management 'fully from the start' of a digital transformation project.


Other News
DATA SECURITY

Dataprise Expands its DRaaS and Data Protection Offerings with Acquisition of Industry Leader Global Data Vault

Dataprise | January 18, 2022

Dataprise, a leading strategic IT managed service provider, today announced the acquisition of Global Data Vault, a leader in Disaster-Recovery-as-a-Service (DRaaS), Backup-as-a-Service (BaaS) and modern data protection solutions. The addition of Global Data Vault creates one of the industry's broadest portfolios of integrated data protection and cybersecurity offerings to solve client's toughest business resilience, risk mitigation and compliance challenges. "Clients turn to Dataprise to be their one strategic IT partner, which requires we bring the broadest portfolio of services powered by the best technology and deepest expertise. Today, the mandate for a holistic cybersecurity and data protection strategy is a top priority for our clients, Global Data Vault is a powerful addition as they bring industry leading cloud-based data protection solutions that bolster our premier cybersecurity portfolio, top-notch employees, a strong Veeam partnership, and relentless focus on client success." Steve Lewis, CEO of Dataprise Founded in 2004, Global Data Vault is a recognized leader in the BaaS and DRaaS industry and holds the distinction of being a Platinum Veeam Cloud & Service Provider. Global Data Vault's mission is to protect organizations' critical data with modern data protection strategies to ensure business continuity and eliminate downtime. Headquartered in Dallas, TX, Global Data Vault protects hundreds of clients across the United States, Canada, and the United Kingdom. "Our clients are facing new challenges driven by dramatic changes in the cybersecurity threat landscape and evolution of IT strategies including cloud adoption," said Anthony Galley, Chairman of Global Data Vault. "Dataprise has an enviable portfolio of cybersecurity, managed IT services, and cloud services that enhance the value of our modern data protection and DRaaS offerings. Together with Dataprise we are perfectly positioned to provide our clients even greater value." "We're excited for the opportunity that joining Dataprise presents for our clients, employees and partners. We now have a much broader set of services, capabilities and resources all aimed at protecting client data and ensuring business continuity," said Will Baccich, CEO of Global Data Vault. This marks Dataprise's second acquisition as the company executes on its strategy to build the broadest managed services portfolio and give clients one strategic IT partner to solve it all. The recent acquisition of Wireless Watchdogs added a comprehensive Mobility Managed Services (MMS) and Mobile Device Management (MDM) portfolio aimed at solving mobile device, Internet of Things (IoT) and endpoint management challenges. About Dataprise Founded in 1995, Dataprise believes that technology should enable our clients to be the absolute best at what they do. This commitment to client success is why Dataprise is recognized as the premier strategic managed service and security partner to strategic CIOs and IT leaders across the United States. Dataprise delivers best-in-class managed cybersecurity, disaster recovery as a service (DRaaS), managed infrastructure and managed end-user services that transform business, enhance user experiences, and eliminate risks.

Read More

PLATFORM SECURITY

Red Sift Partners with SMX to Provide End-to-End Cloud Email Security to Organizations in Australia and New Zealand

Red Sift | May 09, 2022

Red Sift, provider of the only integrated cloud email security and brand protection platform, today announced a strategic partnership with SMX, the cybersecure email specialist, to help enterprises in Australia and New Zealand strengthen their email security posture and threat protection. Through this exclusive arrangement, Red Sift’s best-in-class Reporting Platform integrates with SMX’s new Domain Protection Service (DPS) to deliver a new joint DMARC implementation offering, helping customers improve email threat monitoring and agility in responding to threats. Red Sift and SMX will be showcasing their joint offering at AusCERT 2022 in Broadbeach, Australia, May 10-13 (booth #B19). SMX’s DPS service enables enterprises to maintain an effective DMARC implementation, using Red Sift’s best-in-class Reporting Platform to identify, quantify, and respond in real-time to dynamic threats. Red Sift’s real-time reporting provides vital data that allows SMX to deliver their expertise in refining the security profile and manage SMX DPS deployments effectively across an enterprise’s domains. SMX’s expertise, coupled with Red Sift’s reporting capabilities, provides the level of agility and monitoring required to keep up with today’s email threat landscape. “Every company in Australasia has a unique threat environment and clients increasingly want a region-specific, locally designed and supported approach to cyber security,” says Richard Fraser, CEO of SMX. “Our DMARC managed service, DPS, made possible through this strategic partnership with Red Sift, provides clients with the tailored protection profile required to respond in real-time to dynamic threats, and will enhance email cyber-security throughout Australia and New Zealand.” According to Gartner, 90% of the Global 2000 will have DMARC in place by 2026. As email threats continue to evolve and become increasingly complex, it is more important now than ever before that enterprises establish a streamlined and sustainable DMARC implementation process that can be easily updated to reflect today’s dynamic digital environment. With the Red Sift and SMX partnership, enterprises now have access to an end-to-end email threat monitoring service, powered by real-time reporting with actionable insights that enable them to maximize their agility in quantifying and responding to threats. As a result, customers have greater confidence in their DMARC implementation and overall email security posture. “SMX shares our mission to provide enterprises with the solutions necessary to proactively protect their business and brand reputation from email security threats, rather than ‘mopping up’ after an attack. Our partnership with SMX enables us to help more organizations in Australia and New Zealand strengthen their DMARC implementations, and we’re excited to continue to scale globally in partnership with SMX.” Cameron McLean, Regional Manager, Asia Pacific, Red Sift Experts from Red Sift and SMX will be on hand at booth #B19 at AusCERT 2022 to showcase their joint DMARC managed service for enterprises. About Red Sift Red Sift enables security-first organizations to successfully communicate with and ensure the trust of their employees, vendors and customers. As the only integrated cloud email and brand protection platform, Red Sift automates BIMI and DMARC processes, makes it easy to identify and stop business email compromise, and secures domains from impersonation to prevent attacks. Founded in 2015, Red Sift is a global organization with international offices in the UK, Spain, Australia, and North America. It boasts a client base of all sizes and across all industries, including Wise, Telefonica, Pipedrive, ITV, Dominos, and top global law firms. Find out how Red Sift is delivering actionable cybersecurity insights to its global customers at redsift.com. About SMX SMX is a cyber security company with specialist expertise in email. It’s all we do. That means you get local expertise to help you secure your organisation’s email. And when you protect your email, you’re also protecting your brand reputation. For more than 17 years, our in-house development team has been delivering that to hundreds of public and private sector businesses, offering training, support and the latest in tech solutions.

Read More

SOFTWARE SECURITY

Illumio Collaborates with IBM Security to Bolster Cyber Resilience for Modern Organizations

Illumio | May 06, 2022

Illumio, Inc., the Zero Trust Segmentation company, today announced an expanded relationship with IBM Security and a new integration between the companies’ technologies for advanced end-to-end threat detection and response. The integration combines IBM Security QRadar XDR with Segmentation from Illumio to provide pre-attack protections for accelerated detection and automated containment and remediation capabilities to help defend against the impacts of aggressive cyberattacks, including ransomware. “In 2021, over half of organizations globally reported suffering a ransomware attack that blocked access to critical systems or data,” said Frank Dickson, Program Vice President at IDC. “As ransomware, and the attackers behind it, continues to plague every industry, organizations must act now to bolster cyber and business resiliency. The best way firms can safeguard their organizations is to address the five core elements of a ransomware attack: initial compromise, lateral movement, privilege escalation, data exfiltration and the encryption. Given the complexity and difficulty of the task, security tools should be adaptable, scalable and emphasize real-time visibility to enable real-time action.” The integration provides customers with enhanced visibility into network traffic and can help limit the potential spread of attacks by segmenting application networks. When an intrusion takes place, an attacker’s external communication and movement throughout an organization’s network can be quickly detected, denied, and analyzed with the help of Illumio and QRadar SIEM. This centralized visibility and analysis can help with the detection of threats and ransomware that moves, often undetected, throughout organizations. Beyond detection, Illumio’s integration with QRadar SOAR enables incident responders to activate Illumio’s emergency ransomware containment controls in near real time, helping them to reduce the impact of ransomware and accelerate the eradication and recovery process. “The onslaught of ransomware attacks demands end to end visibility, advanced analytics and automated actions based on an open platform – which are the foundational elements on which QRadar XDR was designed. “By leveraging its open architecture and segmentation platforms like Illumio, QRadar XDR helps customers achieve early detection, orchestration, and rapid, automated response to ransomware and other fast-moving attacks.” Chris Meenan, VP of Product Management at IBM Security “In February 2022, the Cybersecurity and Infrastructure Security Agency reported ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors, which signals the urgent business resilience risk it poses,” said John Skinner, VP, Business Development at Illumio. “Not only is ransomware today becoming more sophisticated and targeted, but incident rates are climbing. Successful detection and response depends on segmentation aligned with Zero Trust principles to isolate and stop ransomware before it spreads. Together, Illumio and IBM Security are empowering organizations to minimize the business impact of devastating attacks by combatting known risks at every phase.” About Illumio Illumio, the Zero Trust Segmentation company, prevents breaches from spreading and turning into cyber disasters. Illumio protects critical applications and valuable digital assets with proven segmentation technology purpose-built for the Zero Trust security model. Illumio ransomware mitigation and segmentation solutions see risk, isolate attacks, and secure data across cloud-native apps, hybrid and multi-clouds, data centers, and endpoints, enabling the world’s leading organizations to strengthen their cyber resiliency and reduce risk.

Read More

PLATFORM SECURITY

Swimlane Extends Cloud-Based Security Automation into APJ Amid Momentous Growth in Region

Swimlane | April 19, 2022

Swimlane, the leader in low-code security automation, today announced the general availability of Swimlane Cloud in the Asia-Pacific Japan (APJ) region. This deployment is further evidence of Swimlane’s continued commitment to empowering APJ customers to enable new use cases previously not possible with traditional security orchestration, automation and response (SOAR). This includes unlocking the use of automation beyond the SOC, where Swimlane serves as the system-of-record for the entire security organization. Meeting the APJ Staffing Shortage Head-On with Swimlane Cloud The APJ region faces a significant cybersecurity talent shortage with an estimated 2.045 million open cybersecurity roles, accounting for 66% of the total global shortage, signaling the struggle to find qualified, skilled professionals to handle increasing security alerts. Without automation, these overburdened security administrators must manually perform repetitive and time-consuming tasks needed to track, mitigate and resolve security events across multiple security platforms. Despite significant time investments, security teams cannot realistically analyze and adequately prioritize security alerts and events at the rate necessary to protect networks. “In order to mature our security operations, we knew it was necessary to advance how we monitor and respond to threat intelligence by taking a more proactive approach to security operations,” said Tanajak Watanakij, CISO, R V Connex. “With our existing talent pool, we turned to Swimlane’s low-code security automation offering to create a centralized system of record for our Security Operations Center (SOC) and remove dependencies on a host of manual processes. Swimlane’s interactive dashboards and automated, easily customizable workflows reduced our mean time to respond and ultimately helped us ensure continuous compliance and prevent breaches across the entire R V Connex Corporation and our MSSP customers.” “Security teams across APJ need solutions that reduce the manual operations needed to respond to security threats and speed up incident response. We are a customer-focused company with a powerful platform for helping companies ease the burden security teams face daily. Swimlane is fully dedicated to supporting the region’s ongoing cybersecurity challenges through the adoption of low-code security automation.” Johan Wikenstedt, Vice President of Asia Pacific and Japan (APJ) for Swimlane Demand for Low-Code Automation Continues to Climb Swimlane’s current product initiatives in APJ continue to drive regional market traction highlighted by: 173% revenue growth of regional presence in the past four months, with more than 7x revenue growth in the past 6 months. 142% growth of regional employee headcount in the past six months. New sales offices established in Australia, Malaysia and South Korea. Net-new customer adoption in Australia, Bangladesh, India, Japan, Malaysia, Philippines, Singapore, Thailand, and New Zealand. Vertical expansion of customer adoption across banking, technology, financial services, government, MSSP, and manufacturing industries. 8 new go-to-market partners established in the region. Lumen Technologies turned to Swimlane after experiencing a rapid period of growth that challenged the company’s security team to capacity. Swimlane’s low-code security automation platform allowed the organization to maintain the integrity of its security operations and quickly adapt to business growth across its SecOps infrastructure. Within the first quarter of implementing the solution, Lumen achieved a 30% automation level. Today, 70% of security events hitting the Security Operations Center (SOC) can be fully automated without human intervention. “Swimlane was a partner from the start, helping us ensure the solution was easy to manage and operate and providing technical support whenever we needed,” said Wai Kit Cheah, Director of the Security Practice at Lumen Technologies. “With Swimlane’s robust automation engine, events can be processed from any source, enabling our security team to integrate security automation with user and entity behavior analytics (UEBA) and third-party threat intelligence feeds. This allowed us to achieve a holistic look at our ecosystem and has quickly made Swimlane’s platform an essential component of our SOC.” Swimlane Medley Partner Program Expands to Malaysia Swimlane has invested significantly in Malaysia due to the region’s robust national cybersecurity strategy and world-class talent. As part of its growth in the region, Swimlane recently announced a partnership with CyberSecurity Malaysia, the national cyber security specialist agency under the purview of the Ministry of Communications and Multimedia Malaysia (KKMM), to assist the organization on its mission to build a more resilient cyber ecosystem throughout Malaysia. “Our strategic partnership with Swimlane comes at an exciting time for CyberSecurity Malaysia as we seek to elevate a strategic cybersecurity vision for the region,” said Dato’ Ts. Dr. Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia. “Together, Swimlane and Cybersecurity Malaysia will leverage our combined experience, capabilities, and products to deliver innovative cybersecurity solutions across Malaysia and ensure companies in the region have access to the world’s most-capable low-code automation technology to safeguard their networks and data.” Join Swimlane at the SecOps Automation Summit 2022 Swimlane will hold the SecOps Automation Summit 2022 in South Korea, Malaysia and Australia in late April and early May. Presenters include Co-Founder and Chief Strategy Officer Cody Cornell and other members of the Swimlane team, along with various current partners and customers, to explore new and future innovations in the dynamic field of security automation. To learn more about the summit and Swimlane’s expansion in the APJ region, visit https://swimlane.com/swimlane-helps-address-asia-pacifics-security-skills-shortage. About Swimlane Swimlane is the leader in cloud-scale, low-code security automation. Supporting use cases beyond SOAR, Swimlane improves the ease with which security teams can overcome process and data fatigue, as well as chronic staffing shortages. Swimlane unlocks the potential of automation beyond the SOC by delivering a low-code platform that serves as the system-of-record for the entire security organization and enables anyone within the organization to contribute their knowledge and expertise to the protection of the organization.

Read More

Spotlight

Embrace cyber security from the start Many companies are pursuing digital transformation projects and growing connectivity is increasing the potential for cyber-attacks. Only 25% of NZ businesses are including proactive risk management 'fully from the start' of a digital transformation project.

Resources